Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Can I redirect application traffic to an ESI?

  • 1.  Can I redirect application traffic to an ESI?

    Posted Jun 24, 2014 06:31 AM

    We have two internet links: one is the default route out of our network, the other is for guests.  I use the route-to-esi feature to redirect guest traffic out of an interface that connects into a DMZ, the gateway of which is the firewall for this link. All works great.

     

    However, I've now been asked if we can do this for BYOD devices that connect to our corporate LAN.

     

    By default, like our corp PCs, BYOD devices will use our primary internet link; however, I've been asked if we could redirect traffic to, say, Dropbox, so it goes out of the ESI interface.  I know the controllers have visibility of applications, I just don't know if this can be used to create such a policy....

     

    Thought I'd ask the question to see if it's technically possible....



  • 2.  RE: Can I redirect application traffic to an ESI?

    EMPLOYEE
    Posted Jun 24, 2014 07:49 AM
    You can use the new AppRF 2.0 features in 6.4 to do this. In your session ACLs, use the application and/or application category source/destination options.

    Note: this will only work on 7000 and 7200 controllers with deep packet inspection and DNS lookups enabled.


  • 3.  RE: Can I redirect application traffic to an ESI?

    Posted Jun 24, 2014 07:53 AM

    Unfortunately, I don't think we can upgrade to 6.4, as I was told support for some of our older APs would not go beyond 6.3!

     

     



  • 4.  RE: Can I redirect application traffic to an ESI?

    EMPLOYEE
    Posted Jun 24, 2014 07:55 AM
    The only other option would be to use DNS names but this will not be reliable due to the heavy use of CDNs these days.


  • 5.  RE: Can I redirect application traffic to an ESI?

    Posted Jun 24, 2014 07:59 AM

    OK, thanks for that. We will have to look at other options.



  • 6.  RE: Can I redirect application traffic to an ESI?
    Best Answer

    Posted Jun 24, 2014 08:44 AM

    Unfortunately, when setting rules for applications or application categories, you can only permit or drop; you cannot apply other actions.  It may be a limitation of the DPI process; you can try and put this on the Idea Portal. 

     

    (aruba-7210) (config-sess-test)#user any app dropbox ?
    deny                    Specify packets to reject
    permit                  Specify packets to forward

     

    vs.

     

    (arbua-7210) (config-sess-test)#user any svc-http ?
    deny                    Specify packets to reject
    dst-nat                 Perform destination NAT on packets
    dual-nat                Perform both source and destination NAT on packets
    permit                  Specify packets to forward
    redirect                Redirect packets
    route                   Route packets
    src-nat                 Perform source NAT on packets