07-29-2016 04:52 AM
I'll start by saying I'm new to Aruba. I recently started at a company that has the Aruba Controllers and Aruba Wireless at HQ with Aruba RAPs deployed in the field.
One of my challenges is that the RAP controller configuration seems to be entirely layer 2. With multiple locations having multiple VLANs, I now have hundreds of VLANs that are being managed on my Core Switch here at HQ.
I would like to run OSPF at the branch and offload all of those branch gateways back to their location. The benefits I see would be:
1. Clean up my VLANs
2. Place Access Control closest to the source
3. Blocked traffic wouldn't suck up WAN bandwidth if blocked at the site.
4. Scaling out and resiliency for failover
When I talk about blocking traffic, I think I saw ACLs in the controller, but each site might have different requirements; I'm not sure how easy that is to manage on the controller.
Again, I'm new to this product, so maybe I'm thinking about this wrong. Or maybe I don't have the right product line; maybe I need to go outside the RAP at the locations.
07-29-2016 05:43 AM
It mainly depends on how many devices/users you have at each site. We have both small and large deployments similar to what you describe, but many users are placed into a single subnet instead of a single site/user for each subnet. Broadcast/multicast optimization configured at the VLAN level keeps anything but essential broadcasts from propagating to each site, and it works well. You can also configure ACLs in user roles to block traffic that you don't want leaving the site, but broadcasts are the big one. Your WLANs can be configured as decrypt tunnel instead of tunnel, and that will enforce any ACL rules at the AP/site before it comes back to the main controller.
In summary, typical RAP deployments with a single RAP at each location put all users in a single or a few subnets, along with broadcast filtering. That keeps the number of VLANs to an absolute minimum. Enabling decrypt tunnel instead of tunnel on the Virtual AP (WLAN) allows traffic to be enforced at the AP instead of the controller.
We have a Remote AP Validated Reference Design Guide here: http://community.arubanetworks.com/t5/Validated-Reference-Design/Remote-AP-Networks/ta-p/155140 that will detail a number of RAP scenarios.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
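As an added illustration of the three settings the reply above names (broadcast/multicast optimization on the VLAN interface, a session ACL bound to a user role, and decrypt-tunnel forwarding on the virtual AP), here is an ArubaOS controller configuration fragment. It is not from the original thread or from Aruba; VLAN 100, the 10.100.0.0/16 branch range, the 10.1.0.0/16 HQ range, and the names branch-lan, hq-services, branch-local-only, branch-user and branch-vap are assumed placeholders, and the exact syntax should be checked against the ArubaOS version in use.

```text
! Added example, not from the thread. VLAN 100 is the assumed branch user VLAN.
! 1. Keep non-essential broadcast/multicast off the WAN link to the RAP.
interface vlan 100
   bcmc-optimization
!
! 2. Destinations the branch users are allowed to reach (assumed ranges):
!    the branch's own LAN and the HQ services subnet.
netdestination branch-lan
   network 10.100.0.0 255.255.0.0
netdestination hq-services
   network 10.1.0.0 255.255.0.0
!
! 3. Session ACL: permit DHCP/DNS and the two destinations above, deny the rest
!    so blocked traffic is dropped before it consumes WAN bandwidth.
ip access-list session branch-local-only
   user any svc-dhcp permit
   user any svc-dns permit
   user alias branch-lan any permit
   user alias hq-services any permit
   user any any deny
!
! 4. Bind the ACL to the role assigned to branch users. A different ACL per
!    site means a different role (or a different alias set) per site.
user-role branch-user
   access-list session branch-local-only
!
! 5. Forward in decrypt-tunnel mode rather than tunnel mode so the role's
!    rules are applied at the RAP, as the reply above describes.
wlan virtual-ap branch-vap
   forward-mode decrypt-tunnel
```

The role still has to be assigned to the clients of that virtual AP through its AAA profile (for example as the authenticated default role); that binding, and the SSID and VLAN assignment on the virtual AP, are omitted here. Rules in an ArubaOS session ACL are evaluated top down and the first match wins, so the final `user any any deny` is what makes the policy default-deny; verify the effective policy for a test client with `show rights branch-user` and `show datapath session` before rolling it out to a site.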