That command was introduced after the introduction of IAP VPN to prevent locally managed Instant APs from connecting to a controller and connecting to any VLAN and any role by modifying the local configuration on the AP.
Can you share with me in a personal reply which guides you used and where you got them from, so I can see if I can have this information added?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
Original Message:
Sent: Dec 02, 2020 02:43 PM
From: Matan Tal
Subject: IAP-VPN Centralised L2 and Distributed L3 with 3G/4G pre-emption enhancement
Saved my day buddy.
The "iapvpn-trusted-branch-db allow-all" is missing from Aruba guides.
I managed to do a PoC with a Wi-Fi uplink and cellular as backup.
------------------------------
Matan Tal
Original Message:
Sent: Apr 22, 2019 09:32 PM
From: Ariya Parsamanesh
Subject: IAP-VPN Centralised L2 and Distributed L3 with 3G/4G pre-emption enhancement
This is a short design and configuration guide (35 pages) for configuring IPsec VPN from Aruba Instant APs (IAP) to an Aruba VPN concentrator (VPNC) in a DMZ. The main aim here is to showcase two of the most common forwarding modes, namely Centralised L2 and Distributed L3.
We'll use an SSID in Centralised L2 mode while using an E1 port of an IAP in Distributed L3 mode.
The document also demonstrates the new feature in Aruba Instant 8.4.x that provides a pre-emption enhancement for IAP-VPN. With this feature, IAPs can detect the reachability of a primary VPN over the Ethernet uplink without bringing the 3G/4G link down. Here we'll use two failover IP addresses, one for each of the uplinks (Ethernet and 3G/4G).
You should note that IAP-VPN is completely supported on the Aruba SD-Branch solution. So you could have micro branches that require just an IAP, or small branches that require a few IAPs but are still smaller than branches that require branch gateways, create VPN tunnels to the same VPNCs which are used for the Branch Gateways. This becomes a very cost-effective solution.
Hope you'll find it useful and, as always, please send through your feedback for its improvement.