Network Management

Reply
Regular Contributor I

Airwave with Global IAP Deployment. How to deal with Groups?

We are preparing for a global deployment of IAP using Airwave as a backend to manage and monitor these devices. We are starting to run into an issue i would describe as 'Group creep'.

 

I relized i would need multiple groups to manage my devices, but now i am strugling how this will be managed in the long term. We are planning to deploy to NA(USA, Canada), multiple EU countires, as well as multiple Asian locations.

 

So as far as i can see, i will need different groups for:

- Every regulatory domain

- Every group which broadcasts different SSIDs(branch vs corp vs guest)

- Different RF limits(wearhouse vs office)

- Different VPN configurations

 

I understand that we could use overrides, but this does not scale to dozens or hundreds of VCs.

 

How do we manage our groups so that we dont end up with so many that any change become a huge effort? If i need to update a firewall policy, and we have 20 groups that makes 20x the same task to change a rule.

 

Another question i have is if we are deploying to multile EU countries, do we need a group for each? Can we apply 1 regulatory domain across all EU zones, or is each country still considered to have different regulatory limits and would require it's own group? I'm worried we are going to have to have a Group for each country(dozens), and in each country we would then need 2 different group, one for guest only, one for corp and guest. So if we have 10 countries in EU, 10 in Asia, plus Canada and USA, we now have 22 regulatory domains, with 2 types of settings in each, we now have 44 groups. This just doesn't scale in my mind.

 

How are people managing global IAP deployments using Airwave? I am open to any advice.

 

I googled around and it looks like regulatory restrictions are harmonized across most of europe, so if we apply a GB regulatory domain to our group could we deploy APs in this group across europe? For 'ROW' APs, can we just put them all in one regulatory domain?

 

_ELiasz

-------------------
ACDX, ACCP, CISSP, CWNA
Aruba

Re: Airwave with Global IAP Deployment. How to deal with Groups?

Eliasz,

 

In principle, we should be able to use the new whitelist function in conjunction with the customized variables to harmonize this from a group perspective. The only one I’m not 100% on is if we can do this for country code, but RF, SSID and VPN is all achievable in current Airwave code today.

 

Whitelist.png

 

This still requires management relative to the ‘group’ requirements as well as management of the whitelist to ensure the custom parameter’s are correct -  but in theory would remove the need for multiple groups. Mismatches are cleared based upon the base group config and the pushed variables.

 

Your regulatory domain will be ROW for all but the US - it is however the country code you'll need to send in the variable to properly set this.

 

I will confirm with PLM if the country code is also something we can send via a variable.

 

Hope that helps, Adam



| Adam Kennedy, Systems Engineer - adamk@hpe.com

| Service Providers – Aruba, an HPE Company

| Twitter: @adam8021x | Airheads: akennedy
Regular Contributor I

Re: Airwave with Global IAP Deployment. How to deal with Groups?

Hi Adam,


This sounds very promissing. However i am not familiar with "the new whitelist function". Is there a new function in 8.0.7 or is this available in the 8.0.6.3 code? 

 

Would this still function using the Instant Gui Config, or would this be using the template method? I'm just not familiar with the process you are describing using the variables. What would be the best documentation to review to get a better picture of this? Looks like Chapter 5 "Creating and Using Templates"


Thanks for the info,


_ELiasz

-------------------
ACDX, ACCP, CISSP, CWNA
Aruba

Re: Airwave with Global IAP Deployment. How to deal with Groups?

Confirmed internally that as long as the country code as part of the Reg Domain is specified in the TEMPLATE as a variable, yes - you can harmonize your group(s) configs by using the whitelist.


Yes, you are right on the money - creating and using templates. Either version which you have referenced will function as I have indicated. This is not a funciton of the Airwave IGC.

 

Are you using Aruba Activate in conjunction with this (or other) deployment(s)?

 

Cheers, Adam



| Adam Kennedy, Systems Engineer - adamk@hpe.com

| Service Providers – Aruba, an HPE Company

| Twitter: @adam8021x | Airheads: akennedy
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: