Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

IAP335 and 7210 mobility controller design questions

  • 1.  IAP335 and 7210 mobility controller design questions

    Posted Feb 13, 2017 12:38 PM

    I want to deploy 150 access points in a school environment and want to go with the 335 model. Due to the number of APs, I'm assuming it makes sense to use a physical controller, so I'm planning on using the 7210 mobility controller. We may need to set up a VPN connection to another site running a Cisco ASA firewall. Here are my questions:

     

    1. Can I use the IAP335 with the physical controller? Is there any benefit of buying the IAP model rather than just the controller-based AP model, other than the fact that I can move an AP to a different location and run it independently?

     

    2. I see the 7210 controller has some firewall policy enforcement firewall protection and layer3 capabilities. Is there any advantage of putting a Cisco ASA firewall between the controller and ISP, or does it make better sense to connect the controller directly to ISP?

     

    3. Can I set up a site-to-site VPN from the controller to a Cisco ASA device?

     

    4. I'm currently planning on using Cisco Catalyst switches, mainly because that's what I'm used to. Can you think of any advantages of using Aruba switches instead? If so, what model would you recommend?

     

    Looking forward to hearing your thoughts.

    Thanks

     



  • 2.  RE: IAP335 and 7210 mobility controller design questions
    Best Answer

    EMPLOYEE
    Posted Feb 13, 2017 12:44 PM

    Using IAPs, even if the plan is controller-based, is more flexible in case you change your deployment years down the road. IAPs can be put on a controller, but controller-based APs cannot be made into IAPs. Up to you though, as there IS added labor to convert them on the initial install.

     

    You do not need any firewall between the wifi users and LAN; you can write all security and firewall policies on the controller to apply to the boundary between wireless users and wired network.

     

    You should be able to build a S2S between the controller and ASA.

     

    Those switches should be fine to power the 335s so long as they supply 802.3at power for full functionality. You will also need to make sure they are all running the latest IOS to support Cisco's LLDP bug fixes, as the Aruba APs use LLDP for power selection (not CDP).



  • 3.  RE: IAP335 and 7210 mobility controller design questions

    Posted Feb 13, 2017 01:20 PM

    Thanks Jerrod, that was pretty fast. The initial labor you refer to, is that for converting from IAP to controller-based? 

     

    I was referring to putting a firewall between the WAN and LAN. In other words, can the controller act as a gateway device to the internet (NAT, firewall, etc.) or is it better to have a regular firewall between the LAN and WAN?

     

    Thanks

     



  • 4.  RE: IAP335 and 7210 mobility controller design questions

    EMPLOYEE
    Posted Feb 13, 2017 01:59 PM

    Yes, the IAPs would have to be converted to controller APs first, so there's some labor with that. If you are 100% sure you won't ever want to do IAP, then order CAPs.

     

    Yes, the controller can do NAT, but generally speaking most people put a firewall in for the entire network (LAN/WAN). It really depends on whether you want the controller to be your entire LAN's gateway or not. Also, it's recommended to use a DHCP server, not the controller, esp. for that many APs and clients.



  • 5.  RE: IAP335 and 7210 mobility controller design questions

    Posted Feb 13, 2017 02:30 PM

    Got it. Thanks a lot!