Wireless Access

Occasional Contributor II

Connecting Campus AP to Controller over IPSEC VPN Tunnel

Hello,

I have three sites and two of those sites connect back to HQ over an IPSEC VPN connection established between firewalls at each site.

One of the Sites has the Aruba controllers and the other two sites have campus AP's.

I'm currently able to connect the Campus APs back to the controller over the VPN tunnel. I'm however looking for feedback on what caveats exist by doing this. The wireless connection at the sites seems slower, but I'm not sure whether it is slower because of riding the GRE back to the controller atop the IPSEC tunnel or it's slow simply because of the bandwidth between sites.

Thanks for your time,

Malt

MVP

Re: Connecting Campus AP to Controller over IPSEC VPN Tunnel

If the remote sites are trying to access something which resides on the central site (where the controller resides) there shouldn't be too much of a performance hit.

But since campus APs per default are tunneled back to the controller before the client traffic truly enters the network, it might seriously hinder performance, depending on bandwidth and/or latency (in both directions) when they try accessing resources on their own site.

So make sure your bandwidth is sufficient in both directions.

Not much else to say about this config. Just test and see where the bottleneck resides.

If you think the IPsec/GRE is adding too much overhead (it shouldn't), just configure an AP to bridge the traffic locally and test again.

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Occasional Contributor II

Re: Connecting Campus AP to Controller over IPSEC VPN Tunnel

Hello Koen,

Thanks for your response.

A few more questions. There are two SSIDs in use. One SSID is ClearPass integrated and I'm using ClearPass to send back role info to the controller for enforcement. The 2nd SSID uses ClearPass guest services and Portal as well, along with role/policy enforcement. I'm assuming that once I bridge locally I will lose this functionality.

I was therefore alternatively thinking of re-configuring these APs at the remote sites as Instants broadcasting the same SSID as the main HQ (allowing users to travel between sites and access the same SSID), integrating the SSIDs with ClearPass for AD auth as well as for Guest splash page login and role enforcement at the IAP cluster.

Please provide me with thoughts on this change in design vs bridging locally.

Thanks again,

MVP

Re: Connecting Campus AP to Controller over IPSEC VPN Tunnel

With a bridged SSID you can't do captive portal auth indeed.

Running them as Instant APs does indeed solve your issues (if they are caused by the tunneling back and forth) and might very well be the best solution. Just remember you won't have any of the central VLANs to play with unless you set up a VPN to your clusters.

Koen (ACMX #351 | ACDX #547 | ACCP)

Occasional Contributor II

Re: Connecting Campus AP to Controller over IPSEC VPN Tunnel

Perfect.

So if I go the Instant route, I still should be able to use ClearPass as my RADIUS server, map role info from ClearPass to roles defined on the Instant cluster, as well as use the guest splash page, right?

The main caveat here is that I'll have to create the VLANs locally at the sites. Have I missed anything?

Thanks again for your help and timely responses. Much appreciated,

Malt.

MVP

Re: Connecting Campus AP to Controller over IPSEC VPN Tunnel

Correct, as long as you can get a layer 3 connection to ClearPass all should be fine. Instant accepts the same RADIUS attributes as a controller, so you shouldn't have any issues there.

If you're routing your guest traffic to the ClearPass portal, make sure to secure this traffic so it doesn't get routed to places you don't like. Pretty much allow HTTPS to ClearPass and block every internal subnet for the guests and you should be fine.

As I said, if you really want the central VLANs at the remote site, you could go the VPN route, but if you can avoid it, I would.

Good luck

Koen (ACMX #351 | ACDX #547 | ACCP)

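The guest rule set Koen describes in the reply above (permit HTTPS to ClearPass, deny every internal subnet, let the rest out to the Internet) is evaluated first-match on the Instant guest role, so rule order decides whether the captive portal still works. The following is an added illustration written for this thread, not Aruba code or anything posted by the participants: a small first-match ACL evaluator run over the correct ordering and over the same rules with the internal deny placed first. The ClearPass address, the DNS server (assumed here because guests must resolve the portal name before the redirect can succeed) and the RFC 1918 ranges used as "internal" are constructed values, not taken from the thread.

```python
"""First-match guest ACL evaluator (added illustration, not Aruba's own code).

Models the guest rule set from the thread: permit HTTPS to the ClearPass
portal, deny everything else aimed at internal subnets, permit the rest.
All addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed, hypothetical addresses: ClearPass sits on an internal HQ VLAN,
# and a DNS resolver guests need for the portal redirect (assumption, the
# thread only mentions HTTPS to ClearPass).
CLEARPASS = ipaddress.ip_address("10.0.10.5")
DNS_SERVER = ipaddress.ip_address("10.0.10.53")
INTERNAL_SUBNETS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                                    # "permit" or "deny"
    dst: Optional[ipaddress.IPv4Network] = None    # None means any destination
    proto: Optional[str] = None                    # "tcp", "udp", or None for any
    dport: Optional[int] = None                    # destination port, None for any

    def matches(self, dst: ipaddress.IPv4Address, proto: str, dport: int) -> bool:
        return ((self.dst is None or dst in self.dst)
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


def evaluate(acl: List[Rule], dst: str, proto: str, dport: int) -> str:
    """Return the action of the first matching rule; implicit deny if none match."""
    addr = ipaddress.ip_address(dst)
    for rule in acl:
        if rule.matches(addr, proto, dport):
            return rule.action
    return "deny"


def host(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Single-host (/32) network for a destination address."""
    return ipaddress.ip_network(f"{addr}/32")


def guest_acl() -> List[Rule]:
    """Correct order: specific permits first, then the broad internal deny."""
    return ([Rule("permit", host(CLEARPASS), "tcp", 443),
             Rule("permit", host(DNS_SERVER), "udp", 53)]
            + [Rule("deny", net) for net in INTERNAL_SUBNETS]
            + [Rule("permit")])          # anything else: out to the Internet


def misordered_guest_acl() -> List[Rule]:
    """Same rules with the internal deny first: the portal becomes unreachable."""
    return ([Rule("deny", net) for net in INTERNAL_SUBNETS]
            + [Rule("permit", host(CLEARPASS), "tcp", 443),
               Rule("permit", host(DNS_SERVER), "udp", 53),
               Rule("permit")])


if __name__ == "__main__":
    for name, acl in (("correct", guest_acl()), ("misordered", misordered_guest_acl())):
        print(name,
              "| portal:", evaluate(acl, str(CLEARPASS), "tcp", 443),
              "| internal file server:", evaluate(acl, "10.0.20.7", "tcp", 445),
              "| internet:", evaluate(acl, "203.0.113.10", "tcp", 443))
```

The misordered variant is the typical mistake when the "block all internal" rule is written first: guests still reach the Internet, but the HTTPS flow to ClearPass hits the /8 deny before its specific permit, so the splash page never loads. On the real Instant cluster the same principle applies to the order of the access rules in the guest role.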