Wireless Access

I've tried to do this once before, but didn't work at the time.  I have to set the VPN host to be the physical address of the controller and in the event of a failure we need to manually change the address in the Instant config.  This is not ideal for a large distributed enterprise.

 

Unfortunately I don't have a chance to test again.

Yes...this should work.  HOWEVER, in the routing table config for VPN on the IAP, you MUST define the physical interfaces for that detination subnet.  

 

For example

 

Consider an organization with 2 datacenters: DC1 and DC2: Each datacenter has a pair of VRRP based redundant controllers.

• • Primary datacenter (DC1)
    • The physical IP of the master controller in the primary datacenter is 10.68.33.6
    • The physical IP of the VRRP backup controller in the primary datacenter is 10.68.33.7
    • The Virtual IP between the master and VRRP backup controller in the primary datacenter is 10.68.33.8
  • Backup datacenter (DC2)
    • The physical IP of the master controller in the backup datacenter is 10.68.48.6
    • The physical IP of the VRRP backup controller in the backup datacenter is 10.68.48.7
    • The Virtual IP between the master and VRRP backup controller in the backup datacenter is 10.68.48.8
  •  In this case the routing profile on a IAP branch that wants to tunnel 10.0.0.0 /8 will be :
    • 10.0.0.0 255.0.0.0 10.68.33.6
    • 10.0.0.0 255.0.0.0 10.68.33.7
    • 10.0.0.0 255.0.0.0 10.68.48.6
    • 10.0.0.0 255.0.0.0 10.68.48.7

excellent, that's great to know. Thanks Seth.

Seth,

 

What about on the controller end for the GRE tunnel?  Can it terminate on the VC address, or does it still need to be the IAP address?

 

 

The tunnel is initiated by the vc. No need to worry about the address of the vc. It is assigned an inner ip from the controller's l2tp pool.

Sent from my iPad

for a GRE?  I didn't think it needs an inner ip for that.

I don't believe so.

Sent from my iPad