
227 | IAP-VPN Deployment Aruba Instant 6.4.0.2-4.1 | User Guide
- IPSec
- Aruba GRE
- Manual GRE
Configuring Routing Profiles
The routing profile on the IAP determines whether the traffic destined to a subnet must be tunneled through IPSec or
bridged locally. If the routing profile is empty, the client traffic will always be bridged locally. For example, if the
routing profile is configured to tunnel 10.0.0.0 /8, traffic destined to 10.0.0.0 /8 will be forwarded through the IPsec
tunnel and the traffic to all other destinations is bridged locally.
You can also configure a routing profile with 0.0.0.0 as the gateway to allow both client and IAP traffic to be routed
through a non-tunnel route. If the gateway is in the same subnet as the uplink IP address, it is used as a static gateway
entry. A static route can be added on all master and slave IAPs for these destinations. The VPN traffic from the local
subnet of the IAP, or from the virtual controller IP address in the local subnet, is not routed to the tunnel but is switched to the
relevant VLAN. For example, when a 0.0.0.0/0.0.0.0 routing profile is defined, to bypass certain IPs you can add a
route to the IP by defining 0.0.0.0 as the destination, thereby forcing the traffic to be routed through the default
gateway of the IAP.
You can configure routing profiles through the More > VPN > Controller UI. For step-by-step procedural information on
configuring a routing profile, see Configuring Routing Profiles on page 222.
The IAP network has only one active tunnel even when fast failover is enabled. At any given time, traffic can be
tunneled only to one VPN host.
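The tunnel-or-bypass decision described above, as an added Python model that is not Aruba's code: it assumes routing-profile entries are matched longest-prefix first (the page does not state this) and that a 0.0.0.0 gateway means the traffic leaves via the IAP's default gateway rather than the tunnel; the sample profile and addresses are constructed.

```python
"""Model of IAP-VPN routing-profile decisions (illustrative, not Aruba code).

Assumptions not stated on the page: entries are matched longest-prefix first,
and a gateway of 0.0.0.0 means "do not tunnel; hand to the IAP default gateway".
"""
import ipaddress
from typing import List, Tuple

# A routing-profile entry: (destination network, gateway).  The gateway is the
# VPN tunnel endpoint, or 0.0.0.0 for a non-tunnel route.
Entry = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def build_profile(rows: List[Tuple[str, str, str]]) -> List[Entry]:
    """Parse (destination, netmask, gateway) strings as the UI presents them."""
    profile = []
    for dest, mask, gw in rows:
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        profile.append((net, ipaddress.IPv4Address(gw)))
    return profile


def forwarding_decision(profile: List[Entry], client_dst: str) -> str:
    """Return 'tunnel', 'default-gateway' or 'bridge-local' for one destination.

    Empty profile: client traffic is always bridged locally.  Otherwise the most
    specific matching entry wins; gateway 0.0.0.0 bypasses the tunnel.
    """
    dst = ipaddress.IPv4Address(client_dst)
    matches = [(net, gw) for net, gw in profile if dst in net]
    if not matches:
        return "bridge-local"
    net, gw = max(matches, key=lambda e: e[0].prefixlen)  # longest prefix wins
    if gw == ipaddress.IPv4Address("0.0.0.0"):
        return "default-gateway"
    return "tunnel"


# Constructed sample profile: tunnel everything (0.0.0.0/0.0.0.0) to the VPN host
# 203.0.113.1, but bypass the tunnel for 198.51.100.0/24 (documentation ranges).
SAMPLE_PROFILE = build_profile([
    ("0.0.0.0", "0.0.0.0", "203.0.113.1"),
    ("198.51.100.0", "255.255.255.0", "0.0.0.0"),
])

if __name__ == "__main__":
    for ip in ("10.1.2.3", "198.51.100.7"):
        print(ip, "->", forwarding_decision(SAMPLE_PROFILE, ip))
```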
Configuring DHCP Profiles
You can create DHCP profiles to determine the IAP-VPN mode of operation. An IAP network can have multiple
DHCP profiles configured for different modes of IAP-VPN. You can configure up to eight DHCP profiles. For more
information on the IAP-VPN modes of operation, see IAP-VPN Forwarding Modes on page 225.
You can create any of the following types of DHCP profiles for the IAP-VPN operations:
- Local
- Local L3
- Distributed L2
- Distributed L3
- Centralized
For more information on configuring DHCP profiles, see Configuring DHCP Scopes on page 202.
A centralized L2 or distributed L2 VLAN or subnet cannot be used to serve APs in a hierarchical mode of
deployment. Ensure that the physical IP of the APs connecting to the master AP in hierarchical mode of
deployment is not on a VLAN or subnet that is in centralized or distributed L2 mode of operation. For information on
hierarchical mode of deployment, see Understanding Hierarchical Deployment on page 119.
Configuring an SSID or Wired Port
For a client to connect to the IAP-VPN network, an SSID or wired port profile on an IAP must be configured with the
appropriate IAP-VPN mode of operation. The VLAN configuration in an SSID or wired port profile determines whether
an SSID or wired port is configured for the IAP-VPN operations.
To configure an SSID or wired port for a specific IAP-VPN mode, the VLAN ID defined in the SSID or wired port
profile must match the VLAN ID defined in the DHCP profile configuration. If the VLAN assignment for an SSID or
wired port profile is set to Virtual controller assigned, default, or a static VLAN ID that does not match the VLAN ID