I am trying to understand the forward modes [tunnel, bridge, split tunnel and decrypt tunnel] and I have a few questions.
1. I understand that CPSec should be enabled and APs are required to be whitelisted when you want to configure a Campus AP in bridge mode.
But why is CPSec required to configure a Campus AP in bridge mode?
2. Disabling CPSec on a Campus AP will allow us to do the forward mode configuration [tunnel mode]. Am I correct?
3. Captive portal cannot be done in bridge mode because it is L3 authentication. Am I correct?
4. Why doesn't a Campus AP support split tunnel when a RAP does?
5. What is the use of decrypt tunnel? Normally the controller converts the wireless packet to a wired packet and vice versa in a normal setup, but in decrypt tunnel the AP does the conversion [wireless to wired]. Am I correct, or is that wrong? If I am correct, then I don't understand the real use of decrypt tunnel. The AP is just doing the controller's job, so what is the real use of decrypt tunnel?
6. Consider that I am using a RAP and I am configuring captive portal with split tunnel.
a. My captive portal's initial role has the following ACLs:
any any svc-dhcp permit
any any svc-dns permit
any any svc-http dst-nat 8080
any any svc-https dst-nat 8081
and for the default role [post-auth role] I usually permit everything, but when I looked at split tunnel the ACLs were a bit different.
b. So I gave the below ACLs under the captive portal's post-auth role:
user alias network any permit
any any route src-nat
# netdestination network
# network 10.0.0.0 255.255.255.0
My master controller's IP is 10.0.0.10.
The first ACL under the post-auth role is any any svc-dhcp permit. The initial role already permits the DHCP service, so what is the real use of this ACL which permits the DHCP service in the post-auth role?
Thank you in advance.
1. Bridge mode typically needs to pass the credentials and ACLs (the PSK) to the AP securely. CPSec makes that possible.
4. That is the way it is.
5. Tunnel decrypts the client traffic back at the controller. Decrypt tunnel decrypts that traffic at the AP. The traffic needs to be sent over another secure tunnel to the controller. Decrypt tunnel also has the advantage of being able to pass jumbo frames without configuring your switches between the AP and the controller for jumbo frames.
6. a. "Permit" on a split-tunneled SSID tunnels traffic back to the controller. Route src-nat bridges the traffic local to the AP and then source-NATs it out the IP address of the AP. In the captive portal ACL, you would permit anything that you would need to pass to or through the controller. Everything else you can just route src-nat.
b. A client might need to renew a dhcp lease after authentication.
The AP sends it to the controller, and the controller sends it to the RADIUS server.
Aruba suggests that a deployment use Instant APs if the whole deployment requires the traffic to be bridged.