Q: How can we send Central traffic outside IAP-VPN tunnel ?
A: Beginning 8.3, we can send traffic destined to Aruba Central outside VPN tunnel in case IAP-VPN is in use.
- Customers would like to send all user generated traffic within the VPN tunnel to their data center, and have the traffic to Activate/Central to be sent outside the tunnel over the internet directly.
- Before 8.3.0.0, if default route is VPN tunnel, IAP traffic to Activate/Central will follow global route setting via tunnel.
- In 8.3.0.0, if default route is VPN tunnel, IAP traffic to Activate/Central will be routed via IAP’s local gateway.
The feature will enable automatically when IAP default route is set to tunnel.
To manage traffic sent to Activate/Central, IAP introduced cloud domain list.
During connection with Central, IAP will add below domain & IP addresses into cloud domain list:
- Activate domain “device.arubanetworks.com” by default.
- Central domain which it receives from Activate.
- Websocket address redirected by Central.
- Additional domain/IP pushed from Central (eg. cloud guest);
Example:
IAP# show ap debug cloud-domain-list
Cloud Domain List
-----------------
cloud-domain
------------
device.arubanetworks.com ------>>>> Activate domain
34.213.76.57 ------>>>> Central websocket IP address
This article applies beginning 8.3 version.
