What is AutoGRE feature on IAP 4.0?

Aruba Employee
Aruba Employee
By Default, IAP already supports Manual GRE to Aruba controllers and Non-Aruba devices
Administrator has to configure Separate tunnel interfaces for all IAP’s in the cluster. This could be difficult for large IAP cluster deployments.

Advantages of AutoGRE feature
  •  No configuration on the controller w.r.t GRE 
  • Whitelist addition on controller is needed similar to IAP VPN.
  • Control path thru IPsec and Data path thru GRE (no IPsec overhead)
  • AutoGRE feature is perfectly suited in an environment where both IAP and controller are connected via a MPLS network.  
  • Auto GRE feature brings in support for backup controller, Pre-emption and fast-failover making it on par with IPSec.


  • Auto GRE  is only supported on controllers running 6.4 or above.
  • When per-AP tunnel is enabled, GRE tunnels are setup from each IAP.
  • Split tunnel based on routing profile.
  • “controller-ip” is used as GRE end point.
  • In routing profile configuration, the gateway IP should be “controller-ip.

Typical Case scenario of Auto GRE feature:-
IAP and controller are connected via a MPLS network or a Private WAN.
Here we do not need to send the GRE data traffic with IPsec encryption since both IAP and controller are in a private network.
In the topology , there are two IAP’s in a cluster. In a flat topology, user can create GRE tunnel from all the APs instead of only Master with Per-AP-Tunnel feature.
When Per-AP-Tunnel is enabled, All IAP’s in the cluster will have a GRE tunnel to the controller.
So traffic from slave IAP’s going destined to the network behind the datacenter will be sent via l2 GRE tunnel from the slave IAP itself.
This traffic will not reach the master IAP. 


AutoGRE feature also supports creation of GRE tunnel automatically to the backup controller when Primary VPN tunnel fails and tunnel switches to backup controller.
If Preemption is enabled, Current active tunnel will switch to Primary host if it becomes available again.
Preemption Hold on timer can be used to wait for configured interval before the switch.


Configuration from WEBUI



Configuration from CLI
vpn gre-outside             This command will enable GRE Outside IPsec Feature
vpn primary                    primary tunnel ip address
vpn backup                     backup tunnel ip address 

d8:c7:c8:cb:d3:16# show vpn config
Type                        Value
----                        -----
VPN Primary Server
GRE outside vpn             enable
GRE Server
GRE IP Address    
GRE Type                         1
GRE Per AP Tunnel           enable
Reconnect User On Failover  disable
Reconnect Time On Failover  60
Routing Table
Destination  Netmask  Gateway        Type
-----------  -------  -------        ----   Tunnel
Show datapath tunnel output should give us the GRE tunnel been established to the controller.

Version history
Revision #:
1 of 1
Last update:
‎06-29-2014 04:22 PM
Updated by:
Labels (1)

How do I whitelist the iAP-swarm members to allow the Auto-GRE to work?

Search Airheads
Showing results for 
Search instead for 
Did you mean: