
VPN Configuration

The VPN configuration functionality enables the IAP to create a single VPN tunnel from the Virtual Controller to an Aruba Mobility Controller in your corporate office. Here, the VPN tunnels from the Instant APs terminate on the Aruba Mobility Controller. The controller acts solely as a VPN endpoint and does not supply the Instant AP with any configuration.

To create a VPN tunnel from the Virtual Controller to the Aruba Mobility Controller:

Figure 211 - Tunneling— Controller

1. Navigate to the VPN link at the top right corner of the Instant UI. The Tunneling window appears.
2. Select IPSec from the Protocol drop-down list.
3. If you select GRE from the Protocol drop-down list, packets are sent and received without encryption. Configure the following parameters for GRE:
a. GRE type — Enter the value for the GRE type parameter.
b. Per-AP tunnel — Select Enabled or Disabled from the Per-AP tunnel drop-down list. This option lets you create GRE tunnels from all of the APs instead of creating tunnels only from the AP that is acting as the Virtual Controller. Traffic destined for the corporate network is sent through an L2 GRE tunnel from the AP itself and does not have to be forwarded through the Virtual Controller.

By default, the Per-AP tunnel option is disabled.

4. Enter the IP address or fully qualified domain name for the main VPN/GRE endpoint in the Primary host field.
5. Enter the IP address or fully qualified domain name for the backup VPN endpoint in the Backup host field. This entry is optional.
6. Select Enabled from the Preemption drop-down list to switch back to the primary host when and if it becomes available again. This step is optional.
7. Select Enabled or Disabled from the Fast failover drop-down list.
8. Enter the Connection test frequency, the interval at which test packets are sent to the controller. The unit is seconds per packet and the default value is 10 seconds, which means that the IAP sends one packet to the controller every 10 seconds.

This value should be less than the L3 user timeout value in the Aruba Controller. For example, if the L3 user timeout in the Aruba Controller is 5 minutes, the Connection test frequency should be less than 300 seconds.

9. Enter the Test packet count, which is the number of lost packets after which the IAP brings the tunnel down. The default value is 2.
10. Click Next to continue.
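
The checks implied by the steps above can be run over a recorded copy of the Tunneling settings before they are applied. This is an added example, not code from the Instant product or its documentation; the TunnelSettings record, its field names and the host names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class TunnelSettings:
    """Hypothetical record of the Tunneling window fields (names are assumptions)."""
    protocol: str                      # "IPSec" or "GRE"
    primary_host: str
    backup_host: Optional[str] = None  # optional on the page
    preemption: bool = False
    test_frequency_s: int = 10         # page default: one packet every 10 seconds
    test_packet_count: int = 2         # page default: 2 lost packets

def detection_time_s(s: TunnelSettings) -> int:
    """Approximate seconds of lost test packets before the tunnel is brought down."""
    return s.test_frequency_s * s.test_packet_count

def audit_tunnel(s: TunnelSettings, l3_user_timeout_s: int) -> List[str]:
    """Return findings for settings that weaken or contradict the page's guidance."""
    findings = []
    if s.protocol.strip().upper() == "GRE":
        findings.append("Protocol is GRE: packets are sent and received without encryption")
    if s.test_frequency_s >= l3_user_timeout_s:
        findings.append(
            f"Connection test frequency {s.test_frequency_s}s is not less than "
            f"the L3 user timeout {l3_user_timeout_s}s")
    if s.backup_host is None:
        findings.append("No Backup host: there is no second endpoint if the primary fails")
        if s.preemption:
            findings.append("Preemption is enabled but there is no Backup host to switch back from")
    return findings

# Constructed sample values; host names are placeholders.
WEAK = TunnelSettings("GRE", "vpn1.example.net", preemption=True, test_frequency_s=300)
GOOD = TunnelSettings("IPSec", "vpn1.example.net", backup_host="vpn2.example.net")

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, "detects a dead tunnel after about", detection_time_s(cfg), "s")
        # 300 s is the 5-minute L3 user timeout used in the page's own example.
        for finding in audit_tunnel(cfg, l3_user_timeout_s=300):
            print("  -", finding)
```

With the default values the tunnel is declared down after roughly 20 seconds of lost test packets, well inside a 5-minute L3 user timeout.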

Fast Failover

Enabling the fast failover feature allows the IAP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnel separately. If the primary tunnel fails, the IAP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.

Routing Profile Configuration

Instant can terminate a single VPN connection on an Aruba Mobility Controller. The Routing profile defines the corporate subnets which need to be tunneled through the IPSec tunnel.

Figure 212 - Tunneling— Routing

Use the Routing Table to specify policy-based routing into the VPN tunnel. Each routing table entry has a destination, network mask, and default gateway.

1. Click New and update the following parameters.
Destination— Specify the destination network to be routed into the VPN tunnel.
Netmask— Specify the network mask of the network to be routed into the VPN tunnel.
Gateway— Specify the gateway to which traffic should be routed. This IP address should be the ‘controller-ip’ of the controller on which the VPN connection is terminated. See Controller Configuration for VPN for more information.
2. Click Next to continue.
3. The DHCP Server window appears. Use this table to define DHCP pools of different types based on your deployment modes as described in the following section.
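
Because the routing profile decides which destinations are carried inside the IPSec tunnel and which leave on the uplink, it is worth checking a planned table before entering it. The following is an added example, not part of the original documentation or the product; the addresses are constructed documentation values and the function names are hypothetical.

```python
import ipaddress

def audit_routes(routes, controller_ip):
    """Check (Destination, Netmask, Gateway) rows against the rules on this page."""
    findings = []
    for dest, mask, gw in routes:
        try:
            # Strict parsing rejects a Destination with host bits set or a bad Netmask.
            net = ipaddress.ip_network(f"{dest}/{mask}")
        except ValueError:
            findings.append(f"{dest}/{mask}: not a valid network and netmask pair")
            continue
        if net.prefixlen == 0:
            findings.append(f"{net}: matches every destination, nothing is left for the uplink")
        if ipaddress.ip_address(gw) != ipaddress.ip_address(controller_ip):
            findings.append(f"{net}: Gateway {gw} is not the controller-ip {controller_ip}")
    return findings

def path_for(dst, routes):
    """Return 'tunnel' if dst falls in any routed network, otherwise 'uplink'."""
    ip = ipaddress.ip_address(dst)
    for dest, mask, _gw in routes:
        if ip in ipaddress.ip_network(f"{dest}/{mask}", strict=False):
            return "tunnel"
    return "uplink"

# Constructed sample table; 192.0.2.10 stands in for the controller-ip.
CONTROLLER_IP = "192.0.2.10"
ROUTES = [
    ("10.0.0.0", "255.0.0.0", "192.0.2.10"),
    ("172.16.5.1", "255.240.0.0", "192.0.2.10"),       # host bits set in Destination
    ("192.168.50.0", "255.255.255.0", "192.0.2.99"),   # Gateway is not the controller-ip
]

if __name__ == "__main__":
    for finding in audit_routes(ROUTES, CONTROLLER_IP):
        print("finding:", finding)
    for dst in ("10.20.30.40", "172.20.1.1", "198.51.100.7"):
        print(dst, "->", path_for(dst, ROUTES))
```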

DHCP Server Configuration

The Virtual Controller (VC) on an Instant AP enables different DHCP pools (various deployment models) in addition to allocating IP subnets to each branch. The following modes of DHCP server are supported:

Local Subnet— In this mode, the VC assigns an IP address from a configured subnet and forwards traffic to both corporate and non-corporate destinations. This is achieved by appropriately translating the network address (NAT) and forwarding the packet through the IPSec tunnel or through the uplink.
L2 Switching Mode— In this mode, Instant supports the following two types of L2 switching connection to the corporate network:
Distributed L2— In this mode, the VC assigns an IP address from a configured subnet and forwards traffic to both corporate and non-corporate destinations. The VC adds the VLAN configured in this subnet to the controller VLAN multicast table enabling the L2 subnet to act as an extension of the VLAN on the controller. Corporate traffic is sent on the IPSec tunnel and non-corporate traffic is sent on the uplink.
Centralized L2— In this mode, the VC does not assign an IP address to the client, but the DHCP traffic is directly forwarded to the controller over the IPSec tunnel and obtains an IP address from either the controller or a DHCP server behind the controller serving the VLAN of the client. However, Instant AP does forward client traffic in the same way as the Distributed L2 mode.
L3 Routing Mode— In this mode, Instant supports L3 routing mode of connection to corporate. The VC assigns an IP address from the configured subnet and forwards traffic to both corporate and non-corporate destinations. Instant AP takes care of routing on the subnet and also adds a route on the controller after the VPN tunnel is set up during the registration of the subnet.

Figure 213 - Tunneling— DHCP Server

 

NAT DHCP Configuration

In NAT mode, the scope of the subnet is local to the IAP, which forwards traffic through the IPSec tunnel or through the uplink.

1. Click New in the DHCP Server window and select Local to configure the following parameters for NAT mode DHCP pool.
Name— Name of the subnet (must be unique).
Type— Indicates the type of DHCP server. Available options are Local, Distributed L3, Distributed L2, Centralized L2. Local implies that this is a NAT mode DHCP subnet.
VLAN— VLAN ID of the subnet. This needs to be referenced in the SSID configuration to make use of this subnet.
Network— Network to be used for this subnet.
Netmask— Net mask of the subnet. This along with Network determines the size of the subnet.
DNS server— An optional field which defines the DNS server.
Domain name— An optional field which defines the domain name.
Lease time— An optional field which defines the lease time for client.

Figure 214 - NAT DHCP Configuration

 

2. Click OK to apply these changes.

Distributed L2 DHCP Configuration

In Distributed L2 mode, the Virtual Controller acts as the DHCP server but the default gateway is in the data center. Traffic is bridged into the VPN tunnel.

1. Click New in the DHCP Server window and select Distributed, L2 to configure the following parameters for Distributed L2 mode DHCP pool:
Name— Name of the subnet (must be unique).
Type— Indicates the type of DHCP server. Available options are Local, Distributed L3, Distributed L2, Centralized L2. Distributed, L2 implies that this is a Distributed mode L2 DHCP subnet.
VLAN— VLAN ID of the subnet. This needs to be referenced in the SSID configuration to make use of this subnet.
Network— Network to be used for this subnet.
Netmask— Net mask of the subnet. This along with Network determines the size of the subnet.
Excluded address— This determines the exclusion range of the subnet. Based on the size of the subnet and value configured here (location within the subnet scope), this is used to either exclude IP addresses before this IP or after this IP. This is an optional field.
Default router— Default router for the subnet. This is an IP address on/behind the controller in the same subnet.
Client count— This along with network and mask determines how many branches can be supported. For the current phase of IAP, it is important that this value is configured consistently across all branches.
DNS server— An optional field which defines the DNS server.
Domain name— An optional field which defines the domain name.
Lease time— An optional field which defines the lease time for client.
2. Click OK to apply these changes.

Figure 215 - Distributed L2 DHCP Configuration

Distributed L3 DHCP Configuration

In Distributed L3 mode, the Virtual Controller acts as both DHCP Server and default gateway. Traffic is routed into the VPN tunnel.

1. Click New in the DHCP Server window and select Distributed, L3 to configure the following parameters for Distributed L3 mode DHCP pool:
Name — Name of the subnet (must be unique).
Type— Indicates the type of DHCP server. Available options are Local, Distributed L3, Distributed L2, Centralized L2. Distributed, L3 implies that this is a Distributed mode L3 DHCP subnet.
VLAN— VLAN ID of the subnet. This needs to be referenced in the SSID configuration to make use of this subnet.
Network— Network to be used for this subnet.
Netmask— Net mask of the subnet. This along with Network determines the size of the subnet.
Client count— This along with network and mask determines how many branches can be supported. For the current phase of IAP, it is important that this value is configured consistently across all branches.
DNS server— An optional field which defines the DNS server.
Domain name— An optional field which defines the domain name.
Lease time— An optional field which defines the lease time for client.
2. Click OK to apply these changes.

Figure 216 - Distributed L3 DHCP Configuration

Centralized L2 DHCP Configuration

In Centralized L2 mode, both the DHCP server and default gateway are in the data center, on the other side of the VPN tunnel.

1. Click New in the DHCP Server window and select Centralized, L2 to configure the following parameters for the Centralized L2 mode DHCP pool:
Name — Name of the subnet (must be unique).
Type— Indicates the type of DHCP server. Available options are Local, Distributed L3, Distributed L2, Centralized L2. Centralized, L2 implies that this is a Centralized mode L2 DHCP subnet.
VLAN— VLAN ID of the subnet. This needs to be referenced in the SSID configuration to make use of this subnet.
DHCP Relay Agent and Option 82— Select to enable or disable these features.

When a DHCP server is configured with a DHCP Relay agent, the client's broadcast DHCP Discover packet is not sent to the corporate network; instead, the Virtual Controller acts as the DHCP Relay and unicasts DHCP packets to the corporate DHCP server. Enable DHCP Option 82 to allow clients to send DHCP packets with the Option 82 string.

The Option 82 string is available only in the Alcatel (ALU) format. The ALU format for the Option 82 string consists of the following:

Remote Circuit ID; X AP-MAC; SSID; SSID-Type
Remote Agent; X IDUE-MAC

The Option 82 is specific to Alcatel and is not configurable in this version of Instant.

The following table describes the behavior of DHCP Relay Agent and Option 82 in the IAP.

Table 46 - DHCP Relay and Option 82

| DHCP Relay | Option 82 | Behavior |
|---|---|---|
| Enabled | Enabled | DHCP packet relayed with the ALU-specific Option 82 string |
| Enabled | Disabled | DHCP packet relayed without the ALU-specific Option 82 string |
| Disabled | Enabled | DHCP packet not relayed, but broadcast with the ALU-specific Option 82 string |
| Disabled | Disabled | DHCP packet not relayed, but broadcast without the ALU-specific Option 82 string |

2. Click OK to apply these changes.

Figure 217 - Centralized L2 DHCP Configuration