Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive portal on branch site

  • 1.  Captive portal on branch site

    Posted Dec 08, 2012 12:52 PM

    Hello, I've got yet another question!

    This client has got a remote branch (you access this remote branch through a point-to-point private link).

    So, well, he has his AP in campus bridge mode.

    But he would like to use captive portal (the controller is on the central site).

    I know that bridge mode does not support captive portal.

    He wants to be able, using captive portal, to send those captive portal users through the internet link on the remote site.

    The problem is that he has the APs in campus bridge mode....

    He cannot put that in normal campus, as he doesn't want it to tunnel to the central site.

    Now the only solution I can find is setting those APs as Remote APs and putting them on split tunnel... but now I'll have an extra overhead with the IPsec tunnel which will be created for the communication if I put it as a remote AP (knowing you can access this site through the private link).

    Is there a way to do this without putting it as a remote AP and not having this IPsec overhead?



  • 2.  RE: Captive portal on branch site

    EMPLOYEE
    Posted Dec 08, 2012 05:36 PM

    Doing split tunnel Captive Portal requires that the AP be provisioned as a RAP. Not sure about IPsec overhead, though.



  • 3.  RE: Captive portal on branch site

    Posted Dec 08, 2012 07:42 PM

    So basically the only way of doing it that you are aware of is by putting it as a RAP, even if it has a private link between both sides.

    Now my question to you is:

    Is it not recommended to do that? Or is it okay if we put it, instead of campus bridge, on RAP split tunneling, so the client can use the captive portal and also send that traffic over the internet of the remote branch?

    Actually, the client had those APs in RAP mode but in bridge mode, and tunnel mode for guest.

    I was telling him that it would be a good idea to change them to campus bridge mode; that way he won't have that IPsec overhead on his link....

    But now he told me that he doesn't want to bring that internet traffic to the central site... and he would rather send that traffic over the internet traffic of the remote site.

    Just want to know your humble opinion of what you would advise the client in this situation if he asked you that?

    At least I would tell him: you can do what you want, but you must keep your APs as Remote APs and keep the IPsec overhead, but put those guest VAPs on the remote branch on split tunneling.

    The thing is that I cannot tell him how much BW that IPsec overhead is!



  • 4.  RE: Captive portal on branch site

    EMPLOYEE
    Posted Dec 08, 2012 07:47 PM

    @NightShade1 wrote:

    So basically the only way of doing it that you are aware of is by putting it as a RAP, even if it has a private link between both sides.

    Now my question to you is:

    Is it not recommended to do that? Or is it okay if we put it, instead of campus bridge, on RAP split tunneling, so the client can use the captive portal and also send that traffic over the internet of the remote branch?

    Actually, the client had those APs in RAP mode but in bridge mode, and tunnel mode for guest.

    I was telling him that it would be a good idea to change them to campus bridge mode; that way he won't have that IPsec overhead on his link....

    But now he told me that he doesn't want to bring that internet traffic to the central site... and he would rather send that traffic over the internet traffic of the remote site.

    Just want to know your humble opinion of what you would advise the client in this situation if he asked you that?

    At least I would tell him: you can do what you want, but you must keep your APs as Remote APs and keep the IPsec overhead, but put those guest VAPs on the remote branch on split tunneling.

    The thing is that I cannot tell him how much BW that IPsec overhead is!


    There is no other way to do split tunnel captive portal but to provision it as a remote AP. There is no "IPsec overhead" to doing this. Campus APs that have control plane security enabled also use IPsec...



  • 5.  RE: Captive portal on branch site

    Posted Dec 08, 2012 07:57 PM

    Well, I was asking you that because he doesn't have, like, high-speed WAN links...

    As far as I remember, he told me that he has like 2mbs WAN links, and I was wondering how much of the BW is used for the IPsec tunnel and how much BW is left for the clients.

    I didn't know that when you enable control plane security you are also using IPsec.

    Now that you mention this, there is a table which says, for example, that the AP 93 has a total throughput for clients of 10mbs in RAP mode.

    But if I'm using them as normal campus APs then this won't be true... I'm sure that even if I use control plane security I would get way more than that... like 300mb (theoretical throughput), like the documentation says...

    As far as I understand, there is a much better throughput if you put them in campus mode rather than in RAP mode...

    I don't know what makes the throughput go from 300mbs to 10mbs? Just by putting them in different modes???

    I don't know if you know this? Or where could I get this information?



  • 6.  RE: Captive portal on branch site

    EMPLOYEE
    Posted Dec 09, 2012 07:13 AM

    Aren't the access points ALREADY in RAP Mode?

     



  • 7.  RE: Captive portal on branch site

    Posted Dec 09, 2012 10:33 AM

    Yeah, they are already. I can easily put the VAP of the guest on split tunnel, configure the rules, and problem solved, I know that :)

    But I was asking the best way to do it.... maybe there is another, better way of doing it when using private links between sites....

    And, well, the other question I was asking was where I can get the information on why the throughput is heavily impacted when using it as a remote AP?

    Now, does this throughput just apply where traffic goes to the corporate?

    Or is this throughput overall for the AP, and even if the traffic is local it will get affected by that throughput?

    Because as I see it... if it is not affected by the local traffic, I mean the one I'm not sending through the tunnel... I could configure it as split tunnel but in the rules tell him to bridge tell to route source NAT all the traffic?

    But, well, if I do that, then if he wants to access those machines for some reason I guess he won't be able to from the corporate, as he is source NATting from the AP.

    Well, I just ask all this because I want to implement it in the BEST way... not just "well, he asked me something, let's find the easy way for me to do it".... I want to deploy Aruba Networks deployment clean and with the best practice always :)