Does that BYOD traffic even need access to any assets at the remote site? If not, you can just tunnel all the traffic to the headend, and you can enforce bandwidth shaping right there.
Yes, that's a requirement. Local printing, file servers and so on.
To bridge traffic, you can either go with CPSEC (global knob) or configure each AP as a RAP (fairly straightforward). To do bridging at remote sites, you have the most functional option which is IAP, on top of the other two.
So I think a RAP in persistent & bridge mode would be about the same functionality, except for the clustering. Each branch has between 2 and 15 IAPs, so IAP definitely has an advantage over RAP there.
When you speak of optimizing traffic, what do you mean specifically? If you have BYOD users whose traffic is being tunneled back to the corporate headend with a CAP and you have a bandwidth contract for 1 meg, that user still will only be able to pass traffic at one meg, because his traffic will be buffered at the controller to meet that requirement.
They are a XenApp shop and use Citrix Repeaters for WAN optimisation, so it's definitely preferred that corporate users are not tunnelled or they would lose most/all benefits. Unless the repeaters are clever enough to optimise XenApp traffic encapsulated in GRE :)
I came up with an alternative to src-nat:
routing-profile
route 0.0.0.0 7.255.255.255 10.1.11.11
route 8.0.0.0 1.255.255.255 10.1.11.11
route 11.0.0.0 0.255.255.255 10.1.11.11
route 12.0.0.0 3.255.255.255 10.1.11.11
route 16.0.0.0 15.255.255.255 10.1.11.11
route 32.0.0.0 31.255.255.255 10.1.11.11
route 64.0.0.0 63.255.255.255 10.1.11.11
route 128.0.0.0 127.255.255.255 10.1.11.11
So this would route everything not 10.0.0.0/8 through the tunnel. Kind of an amusing workaround.
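Added example, not from the thread or from Aruba: a small Python script that reproduces the eight-route trick above (the CIDR complement of 10.0.0.0/8 in the IPv4 space) and generalises it to several excluded prefixes, then checks that the resulting table covers exactly everything outside the excluded ranges with no gaps and no overlaps, and shows which route (if any) a given address would hit. The gateway 10.1.11.11 is reused from the post; the three-column `route <network> <inverse-mask> <gateway>` layout and the use of an inverse (wildcard) mask are assumptions taken from the post, not from IAP documentation.

```python
"""Generate and verify a "route everything except these prefixes" table.

Added example, not code from the original thread or from Aruba. The
'route <net> <inverse-mask> <gw>' layout and the inverse-mask convention are
assumptions copied from the post above; check the IAP CLI reference for the
firmware in use before pasting the output.
"""
import ipaddress
from typing import Iterable, List, Optional

IPv4Net = ipaddress.IPv4Network

# Gateway taken from the post; constructed value for the example.
TUNNEL_GATEWAY = "10.1.11.11"


def complement_routes(excluded: Iterable[str]) -> List[IPv4Net]:
    """Minimal CIDR set covering 0.0.0.0/0 minus every excluded prefix.

    Works by repeatedly carving each excluded prefix out of whatever is still
    covered; address_exclude() yields the disjoint leftovers of one carve.
    """
    remaining: List[IPv4Net] = [ipaddress.ip_network("0.0.0.0/0")]
    for exc in (ipaddress.ip_network(e) for e in excluded):
        next_remaining: List[IPv4Net] = []
        for net in remaining:
            if exc.subnet_of(net):
                # exc sits inside net (or equals it): keep only the leftovers
                next_remaining.extend(net.address_exclude(exc))
            elif net.subnet_of(exc):
                # net is entirely inside an excluded range: drop it
                continue
            else:
                # two CIDR blocks are either nested or disjoint; keep disjoint
                next_remaining.append(net)
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def routing_profile(excluded: Iterable[str], gateway: str) -> str:
    """Render the table in the post's layout (inverse mask = hostmask)."""
    lines = ["routing-profile"]
    for net in complement_routes(excluded):
        lines.append(f"route {net.network_address} {net.hostmask} {gateway}")
    return "\n".join(lines)


def covers_exactly(routes: Iterable[IPv4Net], excluded: Iterable[str]) -> bool:
    """True if routes are pairwise disjoint, touch no excluded address, and
    together with the excluded space account for all 2**32 IPv4 addresses."""
    routes = list(routes)
    excl = list(ipaddress.collapse_addresses(ipaddress.ip_network(e) for e in excluded))
    for i, a in enumerate(routes):
        if any(a.overlaps(b) for b in routes[i + 1:]):
            return False  # overlapping routes: ambiguous table
        if any(a.overlaps(e) for e in excl):
            return False  # a route would tunnel traffic meant to stay local
    # Everything is disjoint now, so an address count proves there are no gaps.
    total = sum(r.num_addresses for r in routes) + sum(e.num_addresses for e in excl)
    return total == 2 ** 32


def matching_route(addr: str, routes: Iterable[IPv4Net]) -> Optional[IPv4Net]:
    """Longest-prefix match; None means the address falls through to the
    local (bridged) path, which is what we want for the excluded ranges."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r]
    return max(hits, key=lambda r: r.prefixlen) if hits else None


if __name__ == "__main__":
    routes = complement_routes(["10.0.0.0/8"])
    print(routing_profile(["10.0.0.0/8"], TUNNEL_GATEWAY))
    print("exact coverage:", covers_exactly(routes, ["10.0.0.0/8"]))
    print("10.1.10.123 ->", matching_route("10.1.10.123", routes))
    print("8.8.8.8     ->", matching_route("8.8.8.8", routes))
```

Running it prints the same eight `route` lines as the post (0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1 with their inverse masks), reports exact coverage, and shows that 10.1.10.123 matches no route while 8.8.8.8 matches 8.0.0.0/7. Passing a second prefix such as `172.16.0.0/12` produces the longer table needed when more than one range has to stay local.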
We tried this out and it does work - RADIUS traffic to 10.x.x.x is no longer tunnelled, but our DHCP went AWOL and the corp client did not get an IP.
ip dhcp Corp
server-type Centralized,L2
server-vlan 52
dhcp-relay
dhcp-server 10.1.10.123
wlan ssid-profile Corp
type employee
essid Corp
opmode wpa2-aes
vlan 52
You would expect the request to be sent onto the branch network like RADIUS. But using 'show datapath session' commands on the VC we see RADIUS but oddly no sign of the DHCP.
Can anyone confirm what source IP address the VC will use when relaying? In this case I would hope it's the virtual controller address or the Ethernet address of that AP on the local branch network. Unfortunately I have limited access to the other network infrastructure to track this down.