Generally, the routing table configured on the IAP applies to all SSIDs. The configuration described here is for use cases where you have two or more SSIDs: for SSID-1 you want both the users' corporate and Internet traffic to enter the VPN tunnel towards the controller and then reach the Internet, whereas for SSID-2 you want only corporate traffic to enter the tunnel and the remaining outbound Internet traffic to be bridged locally.
- Any destination / service can be configured to have direct Internet access (bypassing tunnel) via ACL
- Achieved via src-nat for the defined rule in the ACL
- Src-NAT done by Virtual Controller using its uplink IP
- Overrides the routing profile configuration
- Provides functionality of different forwarding policies for different SSIDs
Environment: This article applies to all Aruba Instant Access Points running Aruba InstantOS version 6.2.1.0-3.3.0.0 or later.
Following is the configuration for "SSID2", where the wireless users can access a part of the corporate network via the tunnel, while the outbound Internet traffic is bridged locally after Src-NAT using the IAP's uplink IP address.
- Log in to the web interface of the Instant AP.
- Create a new SSID or edit the existing SSID.
- On the "Access" tab, add a new rule that allows any service to the specific corporate network.
- Add another rule that Src-NATs and bridges the rest of the outbound Internet traffic, as shown below:
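The same two "Access" tab rules expressed in Instant CLI form, as an added example that is not part of the original article: the command form follows the `wlan access-rule` syntax of the Aruba Instant CLI reference, while the SSID name, the rule-set name and the corporate subnet 10.20.0.0/16 are assumed placeholders, and the lines starting with `!` are annotations rather than CLI input.

```text
! Added example, not from the original article; names and subnet are assumed.
wlan access-rule SSID2-rules
  ! Rule 1: any service to the corporate subnet is permitted, so it follows
  ! the routing profile into the VPN tunnel towards the controller.
  rule 10.20.0.0 255.255.0.0 match any any any permit
  ! Rule 2: everything else is Src-NATed by the Virtual Controller to its
  ! uplink IP and bridged out locally, bypassing the tunnel.
  rule any any match any any any src-nat
  ! Rules are evaluated top down: keep the corporate permit rule above the
  ! catch-all src-nat rule, otherwise corporate traffic leaves via the local
  ! uplink instead of the tunnel.

wlan ssid-profile SSID2
  access-rule-name SSID2-rules
```

After applying it, `show access-rule SSID2-rules` should list the two rules in this order, with the permit rule first.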
Configuration on a Virtual Controller can be verified with the following commands from the IAP console or over an SSH connection:
VPN status from IAP to Controller:
- show vpn config
- show vpn status
To verify the SSID configuration:
To verify the access rule and the list of ACLs:
- show access-rule <rule name>
To verify whether the client traffic is being Src-NATed:
(Filter by the client IP address and look for the Src-NAT flag.)