Special VAP for Campus users to egress via Branch Bridge
09-23-2018 10:16 PM - edited 09-23-2018 10:17 PM
We have a unique situation where we need to use the Branch Office RAP's Local, Public interface for Internet traffic for all users on a shared VLAN between Branch RAP and Campus APs with a special SSID. Is this possible?
We want to create a new VAP on our Campus APs that, when joined, places users on the same VLAN (or even a different VLAN if necessary) as the Branch RAP in order to route Internet traffic out of the Branch's bridging setup, i.e. traffic flowing in the opposite direction from the most common RAP VAP use case.
The problem I face (partially confusion on my part) is that, for ACLs applied to the Campus side of the VLAN, the meaning of "permit" and "bridge" always seems relative to the device hosting the VAP, in this case the Controller. So, "bridge" ACL statements are executed locally and not sent down the tunnel for the RAP to bridge those packets out, but neither does "permit" or "route-srcnat", it seems. I've tried a number of iterations of applying different ACLs with "permit" and "bridge" for the traffic without any luck getting traffic back to the branch.
- We are running AOS 6.5
- The RAP uplink IP and the VAP clients are on the same VLAN (vlan 40) sharing the same IP space
- The VAPs currently place clients on the same VLAN as RAP and Controller
- Campus controller has an IP on that same VLAN (Controller is .1 and RAP is .2) and reachable/pingable by clients at both locations
- Both the RAP and controller are serving DHCP, using different pools, where the pools do not overlap IP ranges
- Currently both Branch and Campus clients are getting IPs from the Controller DHCP pool, and the DHCP Server and Router options are configured with the RAP's IP address on the common VLAN
- Controller does have a PEF License (if that matters in creating special rules/ACLs to accomplish this)
At this point:
- I don't know if it would help provide greater flexibility to move the clients to a VLAN other than the RAP/Controller VLAN
- I don't know if we should change tactics and consider converting the RAP to an IAP and just set it up as a VPN tunnel where the traffic can be policy routed to the remote gateway
Any help would be appreciated, and I'm open to any proven alternatives that we might try.