Controller-less WLANs

What are the IAP-VPN modes?

Aruba Employee

Question: What are the different IAP-VPN modes?

IAP-VPN modes:
1. Local mode

Master AP is DHCP server for clients
Master AP is also default gateway for clients
Traffic to datacenter is Src-NATed with inner IP of AP’s IPSEC tunnel
Traffic to internet/local destination is Src-NATed with local IP of master AP
VPN pool used for inner IPs should be routable from the upstream router in the datacenter
Traffic can be initiated from the branch to datacenter but traffic cannot be initiated from the datacenter

2. Centralized L2 mode

DHCP server for clients is in the datacenter
The default gateway for the clients resides in the datacenter
ARP for default gateway is forwarded to datacenter except when WAN is down
Traffic to datacenter is forwarded to client’s default gateway through IPSEC tunnel
Traffic to internet/local destination is Src-NATed with the local IP of master AP
Configuring a routable VPN address pool, which is used for inner IPs of IPSEC tunnel, allows access to instant WEBUI from datacenter
Configuring a routable VPN address pool is also essential for RFC 3576 and for 802.1X if the RADIUS traffic is not Src-NATed at the controller


3. Distributed L2 mode

DHCP server for clients is the master AP in the IAP cluster
Even when the WAN is down, a client can renew its DHCP lease and a new client can receive IP address
The default gateway of the clients resides in the datacenter
ARP for default gateway is forwarded to the datacenter except when WAN is down
Traffic to datacenter is forwarded to client’s default gateway through IPSEC tunnel
Traffic to internet/local destination is Src-NATed with local IP of master AP
Configuring a routable VPN address pool, which is used for inner IPs of IPsec tunnel, allows access to instant WEBUI from datacenter
Configuring a routable VPN address pool is also essential for RFC 3576 and for 802.1X if the RADIUS traffic is not Src-NATed at the controller
Smaller user VLAN subnets are recommended to reduce broadcast/multicast traffic across WAN


4. Distributed L3 mode

Contains broadcast and multicast traffic to a branch
DHCP server for clients is the Master AP
Even when the WAN is down, a client can renew its DHCP lease and new clients can receive an IP address
The Master AP is also the default gateway for clients
The traffic to datacenter is routed to the controller through the IPsec tunnel
The traffic to internet/local destination is Src-NATed with the local IP of master AP
Configuring a routable VPN address pool is also essential for RFC 3576 and for 802.1X if the RADIUS traffic is not Src-NATed at the controller
Controller uses OSPF to redistribute branch routes to the upstream router (Aruba 6.3 or higher is required on the controller).
In small deployments, with a single master controller and a VRRP backup controller, the upstream router can use a static route that points to the controller as the next hop for branch subnets
Static routes cannot be used in multi-controller environments. OSPF is a must for multi-controller environments and for geographical redundancy

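The routing requirements in the last points (a VPN inner-IP pool that is routable from the datacenter, and per-branch routes learned via OSPF rather than one static route when more than one controller terminates tunnels) can be checked against a model of the upstream router's table. This is an added example, not code from the Airheads post or from Aruba; the controller addresses, VRRP VIP, branch subnets and VPN pools are constructed, and the audit rules simply encode what the post states.

```python
"""Model of the datacenter upstream router's route table for IAP-VPN Distributed L3.

Added example (not from the Airheads post). All addresses below are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, next-hop IP)

# Small deployment: one master controller plus a VRRP backup sharing a VIP.
SINGLE_SITE = {"vrrp-pair": {"ip": "10.0.0.10", "vpn_pool": "10.99.1.0/24"}}
SINGLE_BRANCHES = {"192.168.10.0/24": "vrrp-pair", "192.168.20.0/24": "vrrp-pair"}

# Multi-controller deployment: each branch's IPsec tunnel lands on one controller,
# and each controller hands out inner IPs from its own VPN pool.
MULTI_SITE = {
    "ctrl-A": {"ip": "10.0.0.11", "vpn_pool": "10.99.1.0/24"},
    "ctrl-B": {"ip": "10.0.0.12", "vpn_pool": "10.99.2.0/24"},
}
MULTI_BRANCHES = {"192.168.10.0/24": "ctrl-A", "192.168.20.0/24": "ctrl-B"}


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: next hop for dst, or None when the router has no route."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, nh in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best[1] if best else None


def static_table(next_hop: str, branches: Dict[str, str], vpn_pools: List[str]) -> List[Route]:
    """Operator-configured statics: every listed prefix points at one next hop."""
    return [(ipaddress.ip_network(p), next_hop) for p in list(branches) + vpn_pools]


def ospf_table(branches: Dict[str, str], controllers: Dict[str, Dict[str, str]]) -> List[Route]:
    """OSPF redistribution: each controller advertises the branch subnets it terminates
    and its own VPN pool, so the router learns a distinct next hop per prefix."""
    table = [(ipaddress.ip_network(p), controllers[c]["ip"]) for p, c in branches.items()]
    table += [(ipaddress.ip_network(i["vpn_pool"]), i["ip"]) for i in controllers.values()]
    return table


def audit(table: List[Route], branches: Dict[str, str],
          controllers: Dict[str, Dict[str, str]]) -> List[str]:
    """Report what the post requires of the upstream router:
    - return traffic for a branch subnet must reach the controller terminating that tunnel
    - each VPN inner-IP pool must be routable (RADIUS CoA / RFC 3576, 802.1X replies
      when RADIUS is not Src-NATed at the controller, and Instant WebUI reachability)."""
    problems: List[str] = []
    for prefix, ctrl in branches.items():
        probe = str(next(iter(ipaddress.ip_network(prefix).hosts())))
        nh, want = lookup(table, probe), controllers[ctrl]["ip"]
        if nh != want:
            problems.append(f"{prefix}: next hop {nh}, expected {want} ({ctrl})")
    for ctrl, info in controllers.items():
        probe = str(next(iter(ipaddress.ip_network(info["vpn_pool"]).hosts())))
        if lookup(table, probe) is None:
            problems.append(f"VPN pool {info['vpn_pool']} of {ctrl} is not routable")
    return problems


def run_scenarios() -> Dict[str, List[str]]:
    """Three configurations; an empty list means the router table satisfies the post."""
    return {
        # Static route to the VRRP VIP is fine when a single pair owns every tunnel.
        "single-site static": audit(
            static_table("10.0.0.10", SINGLE_BRANCHES, ["10.99.1.0/24"]),
            SINGLE_BRANCHES, SINGLE_SITE),
        # One static next hop cannot express two controllers: ctrl-B's branch and pool break.
        "multi-site static": audit(
            static_table("10.0.0.11", MULTI_BRANCHES, ["10.99.1.0/24"]),
            MULTI_BRANCHES, MULTI_SITE),
        # OSPF-redistributed routes carry the right next hop for every prefix.
        "multi-site ospf": audit(ospf_table(MULTI_BRANCHES, MULTI_SITE),
                                 MULTI_BRANCHES, MULTI_SITE),
    }


if __name__ == "__main__":
    for name, problems in run_scenarios().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

The "multi-site static" scenario is the failure the post warns about: with a single static next hop, the router sends 192.168.20.0/24 to ctrl-A although its tunnel terminates on ctrl-B, and ctrl-B's VPN pool has no route at all, so CoA and WebUI access to those IAPs fail. The same audit passes for the VRRP single-pair case and for the OSPF-learned table.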
Version history: Revision 1 of 1, last update 07-02-2014 04:03 PM