
Cloud WiFi & HybridControl: Flexibility for Distributed Enterprises

By Rog posted Oct 09, 2013 02:43 PM

  

Today's distributed enterprise environments are driving WLAN admins insane.   How does one quickly configure VLANs, DHCP, and NAT so that different types of mobile users are both productive and secure?

 

Is it best to do this all centrally?  Is it best to do this all at the edge?  Or is there a unique combo in between where some services need to be managed locally and others at the edge?

 

Fortunately for Aruba Cloud WiFi customers, Aruba's HybridControl architecture is a WLAN "Swiss Army knife" that can accommodate any sort of branch office scenario.

 

Take the following examples:

 

1. Typical Coffee Shop (super basic)

 

For the typical bare-bones branch office setup, a simple Cloud WiFi AP has all of the self-contained services needed to NAT user traffic, hand out DHCP addresses, and put all guests on their own local VLAN.  This sort of setup is perfect for a single coffee shop with no IT staff.

 

2. Hair Pinning all User Traffic (Uber Secure Environments)

 

At the other end of the spectrum might be a health care branch office with stringent security policies and an existing Aruba controller. In these cases, Aruba Central can configure an AP to tunnel all VLAN-tagged user traffic to the headquarters core for a DHCP address, and once traffic is inspected and expressly allowed, it is NAT'd behind the corporate headquarters IP address.

 

3. Split Tunnel (poor man's site-to-site VPN)

 

The appeal of migrating to "the cloud" is to bypass the headaches of VPN hardware or leased MPLS lines, yet in many branch office situations, a network admin still needs a VPN-like split-tunnel solution that can both encrypt company traffic and bridge out local traffic.  Cloud WiFi in conjunction with HybridControl controllers could encrypt employee traffic to HQ while allowing general Internet traffic to NAT out the local cable modem, thus saving the company the headache of setting up traditional site-to-site VPN hardware.

 

4. Segmenting Subnets (Coffee Shop Chain)

 

Say your coffee shop from example #1 has grown into a large chain and you have purchased an expensive point-of-sale system.  You now need two DHCP scopes -- one for your point-of-sale system and one for guests.  With HybridControl, you could put all guests on the same local VLAN (e.g. 192.168.1.0/24), and then for the point-of-sale system, easily break your company /8 subnet into unique /24 scopes. All guest network traffic would be NAT'd out the virtual controller's public IP address, and all corporate traffic would flow through the IPsec tunnel to the Aruba controller.  If you wanted, a separate SSID could split tunnel traffic, as in example #3.
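The segmentation in example #4 can be checked before any scopes are configured. The following Python is an added illustration, not Aruba code or part of the original post; the 10.0.0.0/8 corporate block, the reserved HQ range, the store names, the "drop" policy and both function names are assumptions.

```python
import ipaddress

# Assumed for illustration: the post only says "company /8"; 10.0.0.0/8 is a stand-in.
CORPORATE = ipaddress.ip_network("10.0.0.0/8")
GUEST = ipaddress.ip_network("192.168.1.0/24")  # same local guest VLAN at every store


def plan_pos_scopes(stores, corporate=CORPORATE, guest=GUEST, reserved=()):
    """Assign each store a unique /24 point-of-sale scope from the corporate block."""
    if guest.overlaps(corporate):
        raise ValueError("guest VLAN overlaps the corporate block")
    if len(set(stores)) != len(stores):
        raise ValueError("duplicate store name")
    taken = [ipaddress.ip_network(r) for r in reserved]  # e.g. ranges already used at HQ
    candidates = corporate.subnets(new_prefix=24)  # lazy iterator, consumed across stores
    plan = {}
    for store in stores:
        for scope in candidates:
            if not any(scope.overlaps(t) for t in taken):
                plan[store] = scope
                break
        else:
            raise ValueError("corporate block exhausted")
    return plan


def forwarding_path(src_ip, store, plan, guest=GUEST):
    """How a client's traffic leaves the store under the example #4 layout."""
    addr = ipaddress.ip_address(src_ip)
    if addr in plan[store]:
        return "ipsec-tunnel"  # corporate/POS traffic goes to the controller
    if addr in guest:
        return "local-nat"     # guests are NAT'd out the virtual controller's public IP
    return "drop"              # unknown source or another store's scope (example policy)


if __name__ == "__main__":
    # Constructed sample input: three hypothetical stores, HQ keeps 10.0.0.0/16.
    plan = plan_pos_scopes(["store-001", "store-002", "store-003"], reserved=["10.0.0.0/16"])
    for name, scope in plan.items():
        print(name, "POS scope", scope, "guest", GUEST)
    print(forwarding_path("10.1.1.20", "store-002", plan))
    print(forwarding_path("192.168.1.50", "store-002", plan))
    print(forwarding_path("10.1.0.20", "store-002", plan))
```

Reusing the guest /24 at every store is safe only because guest traffic is NAT'd locally and never routed into the tunnel; the point-of-sale scopes must stay unique because they are routed to the controller.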

 

Aruba Central gives you the convenience of cloud management, and with an Aruba controller, you get agility with that convenience.

 
