
Contributor I
Posts: 29
Registered: 07-17-2016

Branch office controller VPN split tunnel as with Instant

Hello,
I'm designing a solution for a client with distributed IAP virtual controllers and local branch controllers for bigger venues.
Each Instant will connect through VPN to a controller terminating them for authentication to a centralized client AAA. The idea is that only authentication traffic goes through the VPN and the rest of the traffic goes locally through a split tunnel mode.
When dealing with bigger venues, with more than 2000 clients, I understand that Instant VCs are not enough to support them, so I need to jump to a local controller based solution. For this case I need to know if it's possible to configure it in the same fashion as the Instant with a split tunnel mode and if they need to have the PEFV license.

Thanks!

MVP
Posts: 226
Registered: 03-03-2011

Re: Branch office controller VPN split tunnel as with Instant

You have a couple of options.

1. The APs are configured as RAPs and you enable split tunneling, and the user traffic can break out at the AP on to the local network. This requires a PEF-NG license. You could then create an IPsec tunnel from your local controller back to your centralised controller for internal authentication traffic. You would need to play with the routing to get this working.

2. The APs are configured as campus APs and user traffic breaks out on a VLAN at the local controller. You could then create the IPsec tunnel as above for authentication traffic.

Option 2 is simpler if you can do that.

You do not need a PEF-V to create IPsec tunnels between controllers.

David
ACDX #98 | ACMP | ACCP
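The routing David says you "need to play with" in option 1 and 2 above comes down to one rule: anything destined for the central site (where the AAA server is) goes into the IPsec tunnel to the master, everything else breaks out locally, and no RADIUS traffic may ever take the local path. The following is an added example written for this thread, not code from the post, from Aruba or from any controller; it models that split-tunnel forwarding decision with a longest-prefix-match route table and a check for authentication flows that would leak out of the tunnel. All prefixes, next-hop names, ports and sample flows are constructed assumptions.

```python
# Added example (not from the thread or from Aruba): a model of the
# split-tunnel forwarding decision. Central-site prefixes resolve to the
# IPsec tunnel towards the master; everything else breaks out locally.
# Every prefix, next-hop label, port and sample flow below is a
# constructed assumption for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPNet
    next_hop: str  # labels starting with "ipsec-" mean "into the tunnel"


@dataclass(frozen=True)
class Flow:
    dst: str
    proto: str
    dport: int


# Constructed branch routing table. 10.10.0.0/16 is the assumed central
# site; the /24 inside it shows longest-prefix match winning over the /16.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "local-internet"),
    Route(ipaddress.ip_network("192.168.0.0/16"), "local-vlan"),
    Route(ipaddress.ip_network("10.10.0.0/16"), "ipsec-master"),
    Route(ipaddress.ip_network("10.10.5.0/24"), "ipsec-master-dmz"),
]

RADIUS_PORTS = {1812, 1813}  # RADIUS auth / accounting (RFC 2865 / 2866)
TUNNEL_HOPS = {"ipsec-master", "ipsec-master-dmz"}


def lookup(dst: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match; None if no route covers dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def forward(flow: Flow, routes: List[Route] = ROUTES) -> str:
    """Next hop a flow takes: an 'ipsec-*' tunnel or a local interface."""
    route = lookup(flow.dst, routes)
    return route.next_hop if route else "drop"


def radius_leaks(flows: List[Flow], routes: List[Route] = ROUTES) -> List[Flow]:
    """RADIUS flows that would NOT go through the tunnel.

    The design's whole point is that authentication goes to the central
    AAA over the VPN, so a RADIUS flow resolving to a local next hop means
    the routing is wrong or a client is talking to an unexpected AAA server.
    """
    return [
        f for f in flows
        if f.proto == "udp" and f.dport in RADIUS_PORTS
        and forward(f, routes) not in TUNNEL_HOPS
    ]


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "udp", 1812),    # RADIUS to central AAA -> tunnel
    Flow("192.168.4.9", "tcp", 445),    # branch file server -> stays local
    Flow("93.184.216.34", "tcp", 443),  # internet -> local breakout
    Flow("192.168.9.1", "udp", 1812),   # RADIUS to a branch address -> leak
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.dst:>15} {f.proto}/{f.dport} -> {forward(f)}")
    print("RADIUS leaks:", radius_leaks(SAMPLE_FLOWS))
```

On a real controller the same decision is made by the route table plus the role/ACL policy, and the `radius_leaks` check is the kind of thing to turn into a monitoring rule: any RADIUS packet seen on the local breakout interface rather than inside the tunnel is a misconfiguration worth alerting on.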
Contributor I
Posts: 29
Registered: 07-17-2016

Re: Branch office controller VPN split tunnel as with Instant

Thanks DG,

And regarding this design, I have three questions to add, if possible:

1. Do you think it is better to connect local controllers through VPN, or maybe the regular way through a Master - Local IPsec tunnel, creating the routing so that auth goes straight to the central site and local traffic locally?

2. What benefits would you get by configuring it in either way?

3. When connecting locals through VPN to a central redundant Master using VRRP, what redundancy options can we put into the locals and how does it work when one of the locals goes down?

Thanks so much for your assistance!

Martin

MVP
Posts: 226
Registered: 03-03-2011

Re: Branch office controller VPN split tunnel as with Instant

1. Using the master-local IPsec tunnel should be fine. You either need to route over it or create a GRE tunnel over the IPsec tunnel and stretch a layer-2 VLAN.

2. Both work fine; it is down to personal opinion and how you work out the configuration.

3. Each local controller would need an IPsec/GRE tunnel to a VRRP address for the redundant master pair. I would recommend this isn't the same VRRP address which is used for the redundancy as this can cause issues. With regards to local resiliency, this can be achieved by using HA fast failover or VRRP to ensure the APs have an active and standby controller.

David
ACDX #98 | ACMP | ACCP
Contributor I
Posts: 29
Registered: 07-17-2016

Re: Branch office controller VPN split tunnel as with Instant

Hi DG,

Regarding answer 3, I was not very clear on what you mean by "I would recommend this isn't the same VRRP address which is used for the redundancy".

Wouldn't the master be configured as VRRP with its backup, and shouldn't this be the address to which I point the VPN tunnel? So the master and backup locals' VPN shouldn't point to this address?

When having a hybrid configuration (i.e. Instant clusters in some sites and local controllers on others), is it fine to have the same Master - standby controllers terminate VPN and IPsec tunnels for locals, and use the same VRRP address?

 

Thanks!

MVP
Posts: 226
Registered: 03-03-2011

Re: Branch office controller VPN split tunnel as with Instant

When you set up redundancy for a master/standby master relationship, this uses a VRRP address. Personally, I would create an additional VRRP address between the master/standby master and use this for the IPsec termination. I have seen problems when a single VRRP instance is used for the master/standby master sync and other services.

David
ACDX #98 | ACMP | ACCP
Contributor I
Posts: 29
Registered: 07-17-2016

Re: Branch office controller VPN split tunnel as with Instant

Thanks DG!

And for the VPN tunnels should I add a third instance?

MVP
Posts: 226
Registered: 03-03-2011

Re: Branch office controller VPN split tunnel as with Instant

You are probably ok with 2 instances. As long as you keep the master/standby master redundancy on a separate VRRP that should be fine.

David
ACDX #98 | ACMP | ACCP