Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Where to put policies with L3 distributed IAP pools?

  • 1.  Where to put policies with L3 distributed IAP pools?

    Posted May 29, 2020 04:09 PM

    I have IAPs that have L3 distributed subnets that tunnel back to the VPNC and then are advertised to our core. There's no other firewall in between, as the controller has been marketed as a stateful firewall.

     

    I'm wondering where I create policies to limit traffic from the core towards the IAP subnet.

     

    It's Central managed so at least there you can only configure policies for traffic originating from the subnet.

     

    Is there a place on the VPNC where I would configure policies that affect traffic to subnets that are routed on the VPNC?



  • 2.  RE: Where to put policies with L3 distributed IAP pools?

    EMPLOYEE
    Posted Jun 01, 2020 10:22 AM

    With IAP, the user enforcement takes place at the IAP so the policies would be applied there where the user is authenticated.



  • 3.  RE: Where to put policies with L3 distributed IAP pools?

    Posted Jun 01, 2020 10:27 AM

    Yep, but with Central managed IAP you can not do rules "from outside to IAP". Only rules from IAP.

     

    And with L3 distributed pools they show as routed networks at the VPNC, they don't necessarily have any roles attached to them. At least this is how it shows in Central, I have a switch connected to the L3 distributed pool but it doesn't have any role attached to it.

     

    Also if I have something like 9004 gateway and I've added static route towards some other customer's network, that customer network probably doesn't get any role as it's one hop away and not directly connected.



  • 4.  RE: Where to put policies with L3 distributed IAP pools?

    EMPLOYEE
    Posted Jun 01, 2020 11:30 AM

    That's correct, IAP roles are slightly different from controller based/enforced roles.

     

    As the VPNC side of the network is trusted, roles won't come into play per se. That said, policies can still be applied to an interface to limit trusted traffic as well. As you mentioned the 9004 with SD-Branch, this is similar to the default policy applied to the trusted Internet uplink interfaces.



  • 5.  RE: Where to put policies with L3 distributed IAP pools?

    Posted Jun 04, 2020 03:19 PM

    As the next hop interface is the VPN tunnel, I'm still not sure where to put the policies

     

     

    (vpnc1) *#show ip route rapng-vpn
    V     10.1.240.0/29  [60/10] via 10.100.38.24

     

     

    10.1.240.0/29 is the L3 pool behind the IAP, and 10.100.38.24 is the address assigned to the IAP's VPN from the General VPN pool.

     

    Currently everyone is able to access 10.1.240.0/29 from anywhere in our network. 



  • 6.  RE: Where to put policies with L3 distributed IAP pools?

    EMPLOYEE
    Posted Jun 04, 2020 04:50 PM

    Do you have a network diagram that can be shared? That would help me be more specific with my comment.

     

    Also, take a look at "show crashinfo" on your VPNC to see what crash(es) are being reported and when they occurred, please.



  • 7.  RE: Where to put policies with L3 distributed IAP pools?

    Posted Jun 04, 2020 05:50 PM

    It's like in the diagram, just basic setup.

     

    Not sure how crash logs are related to policy placement?



  • 8.  RE: Where to put policies with L3 distributed IAP pools?

    EMPLOYEE
    Posted Jun 04, 2020 06:11 PM

    The presence of crash logs is not related to the placement of policies, but under normal circumstances they should not exist on the system either. There may be other issues going on within the VPNC, or it may be stale info from a problem long ago.

     

    On the link between VPNC1 to the Internal Network depicted as a cloud, an interface policy can be applied to the internal interface that prevents internal users from reaching the VPN pool. This policy would be based on the source IP address from the 10.8.40.7/23 address space, with a destination of 10.1.240.0/29.



  • 9.  RE: Where to put policies with L3 distributed IAP pools?

    Posted Jun 04, 2020 06:27 PM

    Hmm, yes, an interface ACL would be one place to limit traffic. Probably not very scalable though, so it needs a bit of thinking about how to do the rules to get away with the least amount of them.

     

    This wouldn't prevent people from the branches accessing IAP/branch gateways loopbacks though? I think all the SD-branch users would still have access to those IPs



  • 10.  RE: Where to put policies with L3 distributed IAP pools?

    EMPLOYEE
    Posted Jun 05, 2020 10:05 AM

    The interface ACL at the VPNC would be in conjunction with the user role(s) utilized at the branch for users at the remote sites. The interface ACL prevents internal users from reaching into the branch sites where they shouldn't, while the user roles at the branch keep those users from hitting loopback or internal networks they shouldn't reach.

     

    The diagram shows IAP-VPN as the branch VPN connection, but if branch gateways are deployed then there are similar filtering capabilities equal to those of the VPNC.

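To make the two enforcement points in the replies above concrete (the interface ACL on the VPNC internal interface from reply 8 and the branch user role from reply 10), here is an added example that is not from the thread or from HPE Aruba Networking: a small first-match session-ACL evaluator run over constructed flows. It uses the addresses quoted in the thread (10.8.40.7/23, 10.1.240.0/29, 10.100.38.24); the /24 mask assumed for the General VPN pool, the loopback range, the flow list and the rule that each flow is checked against exactly one policy depending on where it enters are all assumptions made for the example.

```python
"""
Added example, not from the thread: a first-match session-ACL evaluator
modelling the two policy points discussed in replies 8 and 10.

Assumptions (not stated in the thread): the internal interface ACL is
evaluated only for traffic entering the VPNC from the internal side, and the
branch user role is evaluated only for traffic sourced by branch users, so a
given flow is checked against exactly one of them.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    action: str   # "permit" or "deny"


def _matches(cidr: str, addr: str) -> bool:
    if cidr == "any":
        return True
    # strict=False accepts a host address written with a mask, e.g. the
    # 10.8.40.7/23 from the thread, and treats it as 10.8.40.0/23
    return ip_address(addr) in ip_network(cidr, strict=False)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching rule wins; implicit deny if nothing matches."""
    for r in acl:
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.action
    return "deny"


# Interface ACL on the VPNC internal interface (reply 8): stop the internal
# address space from reaching the L3 distributed pool behind the IAP.
VPNC_INTERNAL_ACL = [
    Rule("10.8.40.7/23", "10.1.240.0/29", "deny"),
    Rule("any", "any", "permit"),
]

# Branch user role (reply 10): keep branch users off the VPN pool and the
# gateway loopbacks. Both ranges are assumptions for this example.
BRANCH_USER_ROLE = [
    Rule("any", "10.100.38.0/24", "deny"),   # assumed mask of the VPN pool
    Rule("any", "10.255.255.0/24", "deny"),  # placeholder loopback range
    Rule("any", "any", "permit"),
]


def decide(src: str, dst: str, ingress: str) -> str:
    """ingress is 'internal' (hits the interface ACL) or 'branch' (hits the
    user role). Only one policy sees a given flow, which is why the interface
    ACL alone does not cover the concern raised in reply 9."""
    acl = VPNC_INTERNAL_ACL if ingress == "internal" else BRANCH_USER_ROLE
    return evaluate(acl, src, dst)


# Constructed flows for illustration.
FLOWS = [
    ("10.8.41.20", "10.1.240.3", "internal"),    # core user -> IAP L3 pool
    ("10.8.41.20", "10.100.38.24", "internal"),  # core user -> IAP VPN address
    ("10.1.240.3", "10.100.38.1", "branch"),     # branch user -> VPN pool
    ("10.1.240.3", "10.8.41.20", "branch"),      # branch user -> internal host
]


def report():
    return [(s, d, i, decide(s, d, i)) for s, d, i in FLOWS]


if __name__ == "__main__":
    for s, d, i, a in report():
        print(f"{i:8} {s:>12} -> {d:<13} {a}")
```

Running it shows the first flow denied by the interface ACL and the second permitted (the IAP's VPN address is outside the /29), while the branch-sourced flow to the VPN pool is denied only because the role, not the interface ACL, catches it.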


  • 11.  RE: Where to put policies with L3 distributed IAP pools?

    Posted Jun 05, 2020 02:06 PM

    For some remote offices where we only have a couple of users and a printer, we just send out a 303H and an 8-port switch, so no need for a 9004 or anything like that.

     

    Found the interface ACL place for IAPs, I think it's under Security -> IDS/IPS (weird place though) --> Firewall Settings --> Access Rules

     

    Aruba documentation is very much "Aruba documentation like" also in this regard, for example "To AP Network—Traffic to the specified Instant AP network is allowed. After selecting this option, specify the domain name in the IP text box." 

     

    So what domain name am I supposed to enter in an IP text box, and what is an "AP Network" actually... anything behind the IAP? How does this differ from just specifying destination addresses, if I need to specify IP addresses anyway?

     

    I'm wondering, as this is an inbound rule, do I actually need anything here besides our management network? Isn't the VPNC <-> IAP control traffic specified in the role at the VPNC? Though am I blocking something by adding just the management policy here...