Looking at implementing a branch IAP-VPN setup with the following:
- Locally bridged SSID
- Tunnelled Guest w/ captive portal SSID
- Tunnelled IoT SSID
The tunnelled SSIDs will use Aruba IPSec VPN and terminate on a 7010 controller in two data centres.
The 7010 controller will be placed in a DMZ behind a firewall.
I have two questions:
1) What is the best way to isolate traffic from each SSID so that it can't access the other one - in theory they would be routable 'through' the VPNC?
2) Is it possible to configure VPN routing profiles on the Instant cluster for specific client traffic only? (i.e. only traffic from specific SSIDs should be tunnelled, traffic from the AP itself should egress locally).