IAP VPN and Distributed L3 Scope

Hi all,


I am currently working on IAP and VPN tunnel to a mobility controller.

Currently I'm not sure how to get a "Distributed, L3" DHCP scope running so that it would route into the VPN tunnel.

It works well when I follow the tutorials from here using "Distributed, L2".

So, when I turn on a Distributed L3 Scope, my local client gets an IP address from the VC, but no traffic is being passed through the tunnel. When I change the scope back to Distributed, L2, everything works as expected.

Do I need to change anything in my VPN settings when I want to use Distributed L3 scopes?


Thanks in advance!

Re: IAP VPN and Distributed L3 Scope

You may need to also specify and configure the routing profile as well.


In Distributed L3 mode, the virtual controller acts as both the DHCP server and default gateway.

Corporate traffic (traffic matching routing profile) from clients is routed through the VPN tunnel. All other traffic is src-nat’ed on VC.


ip dhcp l3-dhcp server-type

 Distributed,L3 server-vlan 30

 ip-range  dns-server,  domain-name


routing profile config



VPN primary IP is configured. This IP address is the Public IP address of the IAP.

vpn primary <public IP of controller>


Routing profile is defined to tunnel all traffic through IPSec tunnel

routing-profile route <public IP of controller>


Let me know if that helps.


Thank you,



Re: IAP VPN and Distributed L3 Scope

Thanks, Sriram, I have it working now :)


I did not pay attention to the fact that the VPN traffic is fully routed when using Distributed,L3 (always expected that it would be source-nat'ed) - so when I created a backward route for the IAP network in my corporate network pointing to the controller it all worked fine.


