Occasional Contributor II
Posts: 16
Registered: ‎04-16-2012

Basic Question 2 of 3: Remote APs or "not"?

I am in the process of setting up our new Aruba wireless system, and while I’ve learned a lot about ArubaOS et al. I have a few basic questions on which I’d like your opinions.  I’d like to go down the appropriate path with this setup once, if possible, and so need assistance selecting the right path.  I have read selected sections of the ArubaOS User Guide and other documentation including the KB and forums, but by no means everything. I’ll edit each post with links to the other two so I can ask separate questions but still give a complete picture.  Please feel free to question my assumptions.

 

Question 2:  Remote AP versus non-Remote AP capabilities and restrictions

 

We currently have two 3400 controllers and 50 APs, to use for our HQ site (3 bldgs, total of 6 ‘floors’, 450 users)  a medium sized site (1 floor of 100 users) and one small office of about 10 users.  The other sites are about 45ms and 200ms ‘away,’ respectively.  We intend to expand the installation worldwide to our other 2 major sites, 4 medium sites and 12 small sites similar to the above.

 

We are fairly sure that the medium and small offices will have to have Remote APs since we at least do not want to backhaul their internet traffic back to their relatively distant controller.  We also are concerned about backhauling ‘internal’ traffic from a medium site to their nearest major site, as these medium sites do have some local resources – that would add significant delay for traffic which could stay within that office.

 

We are also thinking of using remote APs for the major offices – this is the most similar to the current Cisco setup we have where each AP is trunked to a switch, and WiFi client traffic hops off the AP onto whatever Vlan is designated at that site.  All access is then controlled by the firewalls & ACLs at that site (including HQ).  We are partly concerned that the increase in WiFi client traffic (mostly due to better coverage from more APs, but also the faster rates) will be a performance issue on either the controller itself, or on the links from the controller to the core network.

 

I can see from Table 40 in the User Guide that perhaps we want Remote AP ‘persistent’ mode with ‘bridged’ tunneling mode.  I noticed that several other combinations limit us to PSK and I am quite sure we’ll need 802.1X.

In general, do we lose features or capabilities going from ‘non-Remote’ (Aruba-speak is ‘thin’ for fully-controlled/tunneled AP?) to Remote AP?

 

All comments and recommendations are welcome!

Thanks - Paul

 

Question 1 here: Question 1 of 3

 

Question 3 here: 

Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: Basic Question 2 of 3: Remote APs or "not"?

Remote APs are, specifically, devices that pass their traffic via an IPsec tunnel.  This is good when you want traffic coming back over the internet from a non-private-WAN-connected site.  Deploy a remote AP when you have an access point that is NOT on your private WAN, but on the public internet.

 

If remote sites are on your private WAN, but simply need user traffic to be sent locally, you can provision devices so that traffic is bridged locally instead of tunneled back to the controller.  You would need control plane security on.

 

Remote AP persistent and tunneled is useful for when an access point is deployed over the internet.  It is not designed for access points already deployed internally.  You should be able to deploy whatever services you want.

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 16
Registered: ‎04-16-2012

Re: Basic Question 2 of 3: Remote APs or "not"?

Thank you.  Per my other reply I had Remote and non 'backwards' I think.  ALL of my APs will be deployed at sites "inside" my WAN in private address space and firewalled from the internet.

 

Do I lose any capability for security, policy enforcement etc. with bridged mode APs?  I could see having non-trivial ACLs etc. on user roles and the like, and my first concern is overloading the AP in terms of this enforcement workload.  That can be mitigated to a degree with more APs to handle the client workload, but only up to a point.

 

Any concerns there?

 

Thanks again.

Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: Basic Question 2 of 3: Remote APs or "not"?


ptrivino wrote:

Thank you.  Per my other reply I had Remote and non 'backwards' I think.  ALL of my APs will be deployed at sites "inside" my WAN in private address space and firewalled from the internet.

 

Do I lose any capability for security, policy enforcement etc. with bridged mode APs?  I could see having non-trivial ACLs etc. on user roles and the like, and my first concern is overloading the AP in terms of this enforcement workload.  That can be mitigated to a degree with more APs to handle the client workload, but only up to a point.

 

Any concerns there?

 

Thanks again.


No concerns.  APs that bridge user traffic can enforce firewall policies at the AP.  You can even have an AP where one WLAN is tunneled back and other WLANs are bridged locally at the same time.

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 16
Registered: ‎04-16-2012

Re: Basic Question 2 of 3: Remote APs or "not"?

Thanks again.

 

 
