Security

Hi there,

We are planing to deploy AirGroup as the next step in our Aruba infrastrutue and we want to validate some points before going ahead  

in our setup.

We have a master-local environment and ClearPass 6.0.1 and a standalone 3200 controler.

Can we deploy AirGroup in an overlay  deployment in a master-local environment?

Can we use the 3200 controller as a dedicated mDNS proxy controller?

Thank you in advance.

What exactly are you trying to do?  That question requires some more detail to answer correctly...

Hi Joseph,

Thanks for you response.

We want to deploy AirGroup in a Master-local environment 1 master and 2 locals. As we want to avoid the code upgrade on production controllers, we have upgraded a standalone 3200 controller to 6.1.3.6-AirGroup in order to use it as as proxy controller.

In ArubaAirGroup-6136-DG.pdf document, it says "Multi-Controller AirGroup clusters are not supported in overlay deployment model".

In our case, can we deploy AirGroup in overlay deployment?

In an other AirGroup FAQ, it says that 3200 controllers with upgraded memory are supported as proxy controller. How can i check if my controller is supported?

Best regards,

There is nothing wrong with upgrading both controllers to that code.  I would do that instead of dealing with the limitations of "overlay".

Hi Joseph,

I agree with you, with integrated deployment we will have full options with ClearPass.

Upgrading all controllers (1 master & 2 locals) is a big challenge provided that we have about 33 sites and more than 1K AP 105 hidden in the ceillings. My fear is what if the APs don't come up after the controllers upgrade? 

Our 3 controllers are all M3 running 6.1.2.4 build 30768 to upgrade to 6.1.3.6-AirGroup. 

I will go ahead and upgrade the controllers if and only if i can't go with overlay deployment. Losing two options with overlay

(location-based device discovery and role-based access control) is not a big deal. 

So, please advice if in my case I can go with overlay deployment.

Thanks.

So,

Are you doing Airplay, Airprint, etc on the wired network?  If you are, you probably only can do it on a single subnet, because that is how bonjour works.

Airgroup will allow you to drop broadcasts and do it with a single or multiple subnets at a site.  You can do that with a single controller running Airgroup with all of those VLANs trunked to the same controller.  Why would you need an overlay?

Hi Joseph,

No, we are not doing Airplay and Airprint on the wired network. we want to do it on the wireless network. 

Why would we need an overlay? Because its the easiest way to deploy AirGroup on the wireless network. This model is less intrusive for deployment for a network which has live production traffic.

Yes, we should trunk vlans where wired devices are connected and GRE tunnels to forward mDNS traffic to the AirGroup controller.

Thanks.

Okay.  Fair enough.

If you do an overlay, however, you cannot enable "Drop Broadcast and Multicast" on your Virtual APs with that setup, unfortunately.  So, you would lose a huge performance advantage.  I would plan with your local Aruba SE about what your real options are.

Yes, but if you use the overlay, you cannot suppress broadcast traffic on the wireless network, and your performance would plunge, seeing how many access points you have.  Again, I am just on a forum, you should contact your Aruba SE to find out the right way to configure your network, because there is plenty of stuff that I cannot see.  I

Thanks Joseph for the info. Disable Drop broadcast and multicast at vlan level and vap level should be a good raison to avoid overlay :smileywink:.