Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Basic Question 2 of 3: Remote APs or "not"?

  • 1.  Basic Question 2 of 3: Remote APs or "not"?

    Posted May 24, 2012 10:59 PM

    I am in the process of setting up our new Aruba wireless system, and while I’ve learned a lot about ArubaOS et al., I have a few basic questions on which I’d like your opinions.  I’d like to go down the appropriate path with this setup once, if possible, and so need assistance selecting the right path.  I have read selected sections of the ArubaOS User Guide and other documentation including the KB and forums, but by no means everything. I’ll edit each post with links to the other two so I can ask separate questions but still give a complete picture.  Please feel free to question my assumptions.

     

    Question 2:  Remote AP versus non-Remote AP capabilities and restrictions

     

    We currently have two 3400 controllers and 50 APs, to use for our HQ site (3 bldgs, total of 6 ‘floors’, 450 users), a medium-sized site (1 floor of 100 users) and one small office of about 10 users.  The other sites are about 45ms and 200ms ‘away,’ respectively.  We intend to expand the installation worldwide to our other 2 major sites, 4 medium sites and 12 small sites similar to the above.

     

    We are fairly sure that the medium and small offices will have to have Remote APs since we at least do not want to backhaul their internet traffic back to their relatively distant controller.  We also are concerned about backhauling ‘internal’ traffic from a medium site to their nearest major site, as these medium sites do have some local resources – that would add significant delay for traffic which could stay within that office.

     

    We are also thinking of using remote APs for the major offices – this is the most similar to the current Cisco setup we have where each AP is trunked to a switch, and WiFi client traffic hops off the AP onto whatever Vlan is designated at that site.  All access is then controlled by the firewalls & ACLs at that site (including HQ).  We are partly concerned that the increase in WiFi client traffic (mostly due to better coverage from more APs, but also the faster rates) will be a performance issue on either the controller itself, or on the links from the controller to the core network.

     

    I can see from Table 40 in the User Guide that perhaps we want Remote AP ‘persistent’ mode with ‘bridged’ tunneling mode.  I noticed that several other combinations limit us to PSK and I am quite sure we’ll need 802.1X.

    In general, do we lose features or capabilities going from ‘non-Remote’ (Aruba-speak is ‘thin’ for fully-controlled/tunneled AP?) to Remote AP?

     

    All comments and recommendations are welcome!

    Thanks - Paul

     

    Question 1 here: Question 1 of 3

     

    Question 3 here: 


    #3400


  • 2.  RE: Basic Question 2 of 3: Remote APs or "not"?

    EMPLOYEE
    Posted May 24, 2012 11:33 PM

    Remote APs are, specifically, devices that pass their traffic via an IPsec tunnel.  This is good when you want traffic coming back over the internet from a non-private-WAN-connected site.  Deploy a remote AP when you have an access point that is NOT on your private WAN, but on the public internet.

     

    If remote sites are on your private WAN, but simply need user traffic to be sent locally, you can provision devices so that traffic is bridged locally instead of tunneled back to the controller.  You would need control plane security on.

     

    Remote AP persistent and tunneled is useful for when an access point is deployed over the internet.  It is not designed for access points already deployed internally.  You should be able to deploy whatever services you want.

     

     



  • 3.  RE: Basic Question 2 of 3: Remote APs or "not"?

    Posted May 25, 2012 01:04 AM

    Thank you.  Per my other reply I had Remote and non 'backwards' I think.  ALL of my APs will be deployed at sites "inside" my WAN in private address space and firewalled from the internet.

     

    Do I lose any capability for security, policy enforcement etc. with bridged mode APs?  I could see having non-trivial ACLs etc. on user roles and the like, and my first concern is overloading the AP in terms of this enforcement workload.  That can be mitigated to a degree with more APs to handle the client workload, but only up to a point.

     

    Any concerns there?

     

    Thanks again.



  • 4.  RE: Basic Question 2 of 3: Remote APs or "not"?

    EMPLOYEE
    Posted May 25, 2012 07:09 AM

    @ptrivino wrote:

    > Thank you.  Per my other reply I had Remote and non 'backwards' I think.  ALL of my APs will be deployed at sites "inside" my WAN in private address space and firewalled from the internet.
    >
    > Do I lose any capability for security, policy enforcement etc. with bridged mode APs?  I could see having non-trivial ACLs etc. on user roles and the like, and my first concern is overloading the AP in terms of this enforcement workload.  That can be mitigated to a degree with more APs to handle the client workload, but only up to a point.
    >
    > Any concerns there?
    >
    > Thanks again.


    No concerns.  APs that bridge user traffic can enforce firewall policies at the AP.  You can even have an AP where one WLAN is tunneled back and other WLANs are bridged locally at the same time.

     



  • 5.  RE: Basic Question 2 of 3: Remote APs or "not"?

    Posted May 25, 2012 12:43 PM

    Thanks again.