server and not the DHCP server on the controller. Client traffic destined to datacenter resources is forwarded by the
master IAP (through the IPsec tunnel) to the client's default gateway in the datacenter.
L3 Routing Mode
In this mode, the traffic destined for the corporate network is routed through the VPN tunnel to the controller. The
traffic destined for the non-corporate network is translated using the IP address of the IAP and is forwarded through
the uplink.
When an IAP registers with the controller and is configured to use the L3 DHCP scope, the controller adds a route to
enable the routing of traffic from the corporate network to clients on this subnet in the branch.
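The split described for L3 routing mode can be modelled as a lookup against the routing profile. The following is an added example, not code from the guide or from Aruba: the prefixes, gateway address, uplink address, function names and the longest-prefix-match rule are assumptions made for illustration. It also lists corporate subnets that no route covers, since traffic to those would leave through the uplink instead of the tunnel.

```python
import ipaddress

# Constructed sample data (assumptions, not from the guide): a routing profile
# as (destination prefix, tunnel gateway) pairs and the IAP's uplink address.
ROUTING_PROFILE = [
    ("10.0.0.0/8", "192.0.2.10"),
    ("172.16.0.0/12", "192.0.2.10"),
]
IAP_UPLINK_IP = "198.51.100.7"


def forward(dst, profile=ROUTING_PROFILE, uplink_ip=IAP_UPLINK_IP):
    """Return the forwarding decision for one destination address.

    Longest-prefix match against the routing profile: a hit goes through the
    VPN tunnel with the client source address kept; a miss is source-NATed to
    the IAP address and sent out of the uplink.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in profile:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best:
        return {"path": "vpn-tunnel", "gateway": best[1], "nat_source": None}
    return {"path": "uplink", "gateway": None, "nat_source": uplink_ip}


def uncovered(corporate_subnets, profile=ROUTING_PROFILE):
    """List corporate subnets not fully inside any single routing-profile prefix.

    Traffic to these would leave through the uplink instead of the tunnel.
    """
    routes = [ipaddress.ip_network(p) for p, _ in profile]
    gaps = []
    for subnet in corporate_subnets:
        net = ipaddress.ip_network(subnet)
        if not any(net.subnet_of(r) for r in routes):
            gaps.append(subnet)
    return gaps
```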
Distributed L3 mode
The distributed L3 mode confines all broadcast and multicast traffic to a branch. It reduces the cost and eliminates
the complexity associated with the classic site-to-site VPN. However, this mode is very similar to a classic
site-to-site IPsec VPN, where two VPN endpoints connect individual networks together over a public network.
In distributed L3 mode, each branch location is assigned a dedicated subnet. The master AP in the branch manages
the dedicated subnet and acts as the DHCP server and gateway for clients. Client traffic destined to datacenter
resources is routed through the IPsec tunnel to the Aruba controller, which then routes the traffic to the appropriate
corporate destinations.
Centralized L3 Mode
For centralized L3 clients, the virtual controller acts as a DHCP relay agent that forwards the DHCP traffic to the
DHCP server located behind the controller in the corporate network and reachable through the IPsec tunnel. The
centralized L3 VLAN IP is used as the source IP. The IP address is obtained from the DHCP server.
Configuring IAP and Controller for IAP-VPN Operations
This section describes the configuration procedures to perform on the IAP and controller for generic use cases. For
information on specific deployment scenarios, see IAP-VPN Deployment Scenarios on page 363.
Configuring an IAP network for IAP-VPN operations
This section describes the configuration procedures to perform on the IAP for generic use cases. For information
on specific deployment scenarios, see IAP-VPN Deployment Scenarios on page 363.
An IAP network requires the following configuration for IAP-VPN operations.
1. Defining the VPN host settings
2. Configuring Routing Profiles
3. Configuring DHCP Profiles
4. Configuring an SSID or Wired Port
5. Enabling Dynamic RADIUS Proxy
6. Configuring Enterprise Domains
Defining the VPN host settings
The VPN endpoint on which a master IAP terminates its VPN tunnel is considered the host. A master AP in an
IAP network can be configured with a primary and backup host to provide VPN redundancy. You can define VPN
host settings through More > VPN > Controller in the UI.
You can configure the following VPN profiles for the IAP-VPN operations. For more information, see Configuring a
Tunnel from an IAP to Aruba Mobility Controller on page 211.
Aruba Instant 6.4.0.2-4.1 | User Guide IAP-VPN Deployment | 226