Aruba SD-Branch from scratch - Part 5 - Microbranch

  • Published 17 Dec 2024

Comments

  • @joshuak.7505
    @joshuak.7505 4 years ago

    Thanks! This explanatory video is great.

  • @guillermocuruchaga
    @guillermocuruchaga 3 years ago +1

    Hello, excellent video. Is it possible to have an example with L2 Extension? What do I need to change in the configuration? Thank you very much.

  • @pradyutmohapatra5386
    @pradyutmohapatra5386 4 years ago

    Thanks for this excellent video & series. Is it possible to have a role-based policy configured with this IAP VPN setup so that all traffic from normal users is tunneled to corporate, whereas power user traffic to the internet is locally switched?

    • @mpompe2821
      @mpompe2821 4 years ago +1

      Yes, you can do that! You would change the static route of the VPN tunnel to 0.0.0.0/0.0.0.0. In the Enterprise domain you must define an entry with a '*'. All DNS entries will be sent to your corp DNS server (this is the only option that cannot be offloaded when full-tunnel is used; your power users' DNS traffic will be sent to the DC). After this, the permit-all rule for a role will tunnel all traffic to the DC. For your power users you would define an allow statement for entries to the DC, and then an allowallall with action source-nat to any destination; this will offload the heavy-duty traffic. For more advanced PBR cases it is advised to use a Gateway, such as the Aruba 9004 Gateway.

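      The split described in the reply above, written out as an Aruba Instant CLI configuration fragment. This is an added example, not the commenter's or the video's own configuration: the VPNC tunnel address 10.255.0.1, the corporate prefix 10.0.0.0/8 and the two role names are constructed placeholders, lines starting with ! are explanatory comments rather than commands, and the command syntax is assumed to match the Instant CLI reference for the release in use.

      ```text
      ! Full-tunnel default route towards the VPNC (10.255.0.1 is a constructed placeholder)
      routing-profile
        route 0.0.0.0 0.0.0.0 10.255.0.1
        exit

      ! Enterprise domains: the '*' entry sends every DNS query through the tunnel to corporate DNS.
      ! This is the one piece of power-user traffic that is not offloaded locally.
      internal-domains
        domain-name *
        exit

      ! Normal users: permit everything; with the default route above it is all tunneled to the DC
      wlan access-rule normal-user
        rule any any match any any any permit
        exit

      ! Power users: traffic to the corporate prefix (constructed 10.0.0.0/8) stays in the tunnel,
      ! everything else is source-NATed out of the local WAN. Rules are matched top-down, so the
      ! specific permit must come before the catch-all src-nat rule.
      wlan access-rule power-user
        rule 10.0.0.0 255.0.0.0 match any any any permit
        rule any any match any any any src-nat
        exit
      ```

      After applying it, checking the role assigned to a test client and where its internet-bound flows actually exit (tunnel versus local WAN) confirms the rule order took effect.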
    • @troubydoo
      @troubydoo 3 years ago

      @mpompe2821 Hi, I am trying to follow your steps but not quite sure where you are... would you mind posting a slight walkthrough on these roles and allowalls so I know where to put them? I am trying to funnel all internet traffic to the VPNC too, using the route statement, but not sure what is not working. Thank you.

  • @pubjohndoe3599
    @pubjohndoe3599 4 years ago

    In the "IAP-VPN Based MicroBranch Solution Guide" it is instructed to configure the L3 authentication server group as 'default'. How does this differ from the 'internal' server you selected in the video?

    • @zemerick1
      @zemerick1 4 years ago +1

      The solution guide does not mention that the IAPs are not in the same Central Instance. If you do not select "Internal" you will get trust errors in your logs and the VPN will never form. Internal basically says, if you're part of this Central instance, you're trusted.

  • @abdelcastroperpuli161
    @abdelcastroperpuli161 4 years ago

    Hi, does anyone know if it is possible to use single-port APs in a Micro Branch solution? I have a lab with an IAP 325, which has two Ethernet ports, and one is configured as a LAN port for Micro Branch. However, I tried to add a second site with an IAP-305 and wireless clients do not receive a DHCP address from the Distributed L3 DHCP scope. Could this be because there is no proper wired LAN port available to be used in this model, or in any other single-port AP?

    • @AirheadsBroadcasting
      @AirheadsBroadcasting 4 years ago

      You can use any single-port AP as a micro branch AP, and you do not need a second port as a LAN port. You need to further investigate whether the DL3 scope is really active on the AP and whether it is on the right VLAN, i.e. the same one where your BSSID is configured.

    • @abdelcastroperpuli161
      @abdelcastroperpuli161 4 years ago

      @AirheadsBroadcasting Actually I cloned the group in which the IAP 325 is working and just changed the DL3 scope's subnet (everything else is the same). I've already tried changing the VLAN number to see if that had any effect, but it still doesn't work.

    • @AirheadsBroadcasting
      @AirheadsBroadcasting 4 years ago

      @abdelcastroperpuli161 On the IAP try "show dhcp-allocation" and "show clients", and on the controller check "show iap detailed-table".

    • @abdelcastroperpuli161
      @abdelcastroperpuli161 4 years ago +1

      @AirheadsBroadcasting The output of dhcp-allocation shows only the magic VLAN 3333. I don't know why the DL3 VLAN is not being taken into account; sh network in the VC shows that the SSID is associated with the DL3 VLAN number, but it is not working as expected.

    • @AirheadsBroadcasting
      @AirheadsBroadcasting 4 years ago

      @abdelcastroperpuli161 There must be something wrong with the way the DL3 subnet is handled; there is a whole process involved, with the controller running a bid process to decide how to cut up the L3 scope between the branches. You have to dig into that, look at the log files and enable debug to see what is going on. Also, is the version of code the same on both IAPs?