Question

What are the different IAP-VPN modes?
IAP-VPN modes:
1. Local mode
• Master AP is the DHCP server for clients
• Master AP is also the default gateway for clients
• Traffic to the datacenter is Src-NATed with the inner IP of the AP's IPsec tunnel
• Traffic to internet/local destinations is Src-NATed with the local IP of the master AP
• The VPN pool used for inner IPs should be routable from the upstream router in the datacenter
• Traffic can be initiated from the branch to the datacenter, but traffic cannot be initiated from the datacenter
2. Centralized L2 mode
• The DHCP server for clients is in the datacenter
• The default gateway for the clients resides in the datacenter
• ARP for the default gateway is forwarded to the datacenter except when the WAN is down
• Traffic to the datacenter is forwarded to the client's default gateway through the IPsec tunnel
• Traffic to internet/local destinations is Src-NATed with the local IP of the master AP
• Configuring a routable VPN address pool, which is used for the inner IPs of the IPsec tunnel, allows access to the Instant WebUI from the datacenter
• Configuring a routable VPN address pool is also essential for RFC 3576 and for 802.1X if the RADIUS traffic is not Src-NATed at the controller
3. Distributed L2 mode
• The DHCP server for clients is the master AP in the IAP cluster
• Even when the WAN is down, a client can renew its DHCP lease and a new client can receive an IP address
• The default gateway of the clients resides in the datacenter
• ARP for the default gateway is forwarded to the datacenter except when the WAN is down
• Traffic to the datacenter is forwarded to the client's default gateway through the IPsec tunnel
• Traffic to internet/local destinations is Src-NATed with the local IP of the master AP
• Configuring a routable VPN address pool, which is used for the inner IPs of the IPsec tunnel, allows access to the Instant WebUI from the datacenter
• Configuring a routable VPN address pool is also essential for RFC 3576 and for 802.1X if the RADIUS traffic is not Src-NATed at the controller
• Smaller user VLAN subnets are recommended to reduce broadcast/multicast traffic across the WAN
4. Distributed L3 mode
• Contains broadcast and multicast traffic within a branch
• The DHCP server for clients is the master AP
• Even when the WAN is down, a client can renew its DHCP lease and a new client can receive an IP address
• The master AP is also the default gateway for clients
• Traffic to the datacenter is routed to the controller through the IPsec tunnel
• Traffic to internet/local destinations is Src-NATed with the local IP of the master AP
• Configuring a routable VPN address pool is also essential for RFC 3576 and for 802.1X if the RADIUS traffic is not Src-NATed at the controller
• The controller uses OSPF to redistribute branch routes to the upstream router (Aruba 6.3 or higher is required on the controller)
• In small deployments, with a single master controller and a VRRP backup controller, the upstream router can use a static route that points to the controller as the next hop for branch subnets
• Static routes cannot be used in multi-controller environments. OSPF is a must for multi-controller environments and for geographical redundancy