Security

Reply
Contributor II
Posts: 100
Registered: ‎10-04-2012

Instant clusters to Aruba controller IPSEC tunnels

hello Airheads,

we have a customer who wants to roll out Instant clusters to their retail stores (between 3 and 10 IAP's per store).

They would like to push their guests down IPSEC tunnels from the cluster and terminate on a centrally located

Aruba controllers (3600's). Question is how many IPSEC tunnels can the 3600 terminate from an Instant cluster

(terminating on the VIP of the cluster)?

cheers

Pete

 

MVP
Posts: 562
Registered: ‎11-28-2011

Re: Instant clusters to Aruba controller IPSEC tunnels

I know this isn't what you asked, but wouldn't it be easier for you/them to use RAPs? Or rather a good indoor AP model in RAP mode?

 

Granted you'd need the controller licenses, but the result would be slicker?

Kudos appreciated, but I'm not hunting! (ACMX 104)
Contributor II
Posts: 100
Registered: ‎10-04-2012

Re: Instant clusters to Aruba controller IPSEC tunnels

Absolutely my friend.

We are proposing two solutions.

1. RAP's to Aruba controllers.

2. Instant clusters to Aruba controllers

 

Like you we prefer the first solution but as cost (as always) may become an issue we are intending to propose solution 2 as well.

cheers

Pete

 

 

Guru Elite
Posts: 21,031
Registered: ‎03-29-2007

Re: Instant clusters to Aruba controller IPSEC tunnels

Pete_Elms,

 

The second solution is by far the most flexible and resilient.  Any access points that you want to deploy with solution 1, has an IAP equivalent in solution 2.  In addition, the IAP-VPN setup only requires one VPN tunnel per site back to the controller vs. Remote APs, which require an IPSEC tunnel for each access point.

 

To answer your initial question, please see the document here:  http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/IAP%20VPN%20Support/Overview.htm



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 100
Registered: ‎10-04-2012

Re: Instant clusters to Aruba controller IPSEC tunnels

That's our feeling as well.

Appreciate the feedback.

thanks Pete

 

MVP
Posts: 562
Registered: ‎11-28-2011

Re: Instant clusters to Aruba controller IPSEC tunnels

I personally would want the RAP solution. But that's just personal preference.

Kudos appreciated, but I'm not hunting! (ACMX 104)
Guru Elite
Posts: 21,031
Registered: ‎03-29-2007

Re: Instant clusters to Aruba controller IPSEC tunnels

Michael_Clarke,

 

Please say why you prefer it so that Pete can make an informed decision.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 562
Registered: ‎11-28-2011

Re: Instant clusters to Aruba controller IPSEC tunnels

CJ, I guess you mean me and not MC? Can't see a post from him.

 

It's a bit like plumbing isn't it really? Personal preference. All things being fairly equal to the customer of course?

 

Happy to be challenged, but I guess my initial thoughts are...

 

1. RAPs tend to be a bit easier to tear up/down/reset in my experience when troubleshooting(retail tends to move around a bit).

2. Split tunnel options with RAPs (maybe we can do this now on instants?).

3. No Airwave or other monitoring was mentioned. So with RAPs, operational state is a bit clearer?

4. 3G backup options with RAPs.

5. More granular easier administrative revoking of RAPs that get stolen?

 

That sort of thing. Am I wrong?

 

Kudos appreciated, but I'm not hunting! (ACMX 104)
Guru Elite
Posts: 21,031
Registered: ‎03-29-2007

Re: Instant clusters to Aruba controller IPSEC tunnels

The racking money,

 

Yes I do mean you, sorry.

 

1.  Good Point

2.  Instants do have traffic and DNS split tunnel options

3.  You can monitor users and IAPS with Airwave

4.  You can use 3g/4g backup with instants that have a USB port for that purpose

5.  You can certainly revoke an instant's mac address.

 

Please stay tuned for an IAP-VPN configuration guide that is coming out shortly.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 707
Registered: ‎12-01-2010

Re: Instant clusters to Aruba controller IPSEC tunnels

I've been messing with iAP to Controller tunnelling and so far:

 

1. I can't speak to this, never used a RAP

2. Splitting is easy enough, the documentation doesn't quite match what I see, but it works fine.

3. Again can't speak to RAPs, but with and without Airwave the iAP operational state is pretty east to tell, just a different method from controller based connections.

4. I believe there are iAP with 3G and 4G backup methods - given all the setup pages for it in the GUI (I haven't got those models)

5. Revocation of the iAP is easy at the Virtual Controller (cluster membership) and at the Controller (VPN/Tunnel connection).

 

It's probably much more a matter of familiartiy than of technology at this stage. Do what's comfortable if it delivers everything you need, start heading up the learning curve if you need more/different functionality.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Search Airheads
Showing results for 
Search instead for 
Did you mean: