IAP335 and 7210 mobility controller design questions

I want to deploy 150 access points in a school environment and want to go with the 335 model. Due to the number of APs I'm assuming it makes sense to use a physical controller, so I'm planning on using the 7210 mobility controller. We may need to set up a VPN connection to another site running a Cisco ASA firewall. Here are my questions:

1. Can I use the IAP335 with the physical controller? Is there any benefit of buying the IAP model rather than just the controller-based AP model, other than the fact that I can move an AP to a different location and run it independently?

2. I see the 7210 controller has some firewall policy enforcement firewall protection and layer 3 capabilities. Is there any advantage of putting a Cisco ASA firewall between the controller and ISP, or does it make better sense to connect the controller directly to the ISP?

3. Can I set up a site-to-site VPN from the controller to a Cisco ASA device?

4. I'm currently planning on using Cisco Catalyst switches, mainly because that's what I'm used to. Can you think of any advantages of using Aruba switches instead? If so, what model would you recommend?

Looking forward to hearing your thoughts.

Thanks

Re: IAP335 and 7210 mobility controller design questions

Using IAPs, even if the plan is controller-based, is more flexible in case you change your deployment years down the road. IAPs can be put on a controller, but controller-based APs cannot be made into IAPs. Up to you though, as there IS added labor to convert them on the initial install.

You do not need any firewall between the wifi users and LAN; you can write all security and firewall policies on the controller to apply to the boundary between wireless users and wired network.

You should be able to build a S2S between the controller and ASA.

Those switches should be fine to power the 335s so long as they supply 802.3at power for full functionality. You will also need to make sure they are all running the latest IOS to support Cisco's LLDP bug fixes, as the Aruba APs use LLDP for power selection (not CDP).

Jerrod Howard
Sr. Technical Marketing Engineer

Re: IAP335 and 7210 mobility controller design questions

Thanks Jerrod, that was pretty fast. The initial labor you refer to, is that for converting from IAP to controller-based?

I was referring to putting a firewall between the WAN and LAN. In other words, can the controller act as a gateway device to the internet (NAT, firewall, etc.) or is it better to have a regular firewall between the LAN and WAN?

Thanks

Re: IAP335 and 7210 mobility controller design questions

Yes, the IAPs would have to be converted to controller APs first, so there's some labor with that. If you are 100% sure you won't ever want to do IAP, then order CAPs.

Yes, the controller can do NAT, but generally speaking most people put a firewall in for the entire network (LAN/WAN). It really depends on whether you want the controller to be your entire LAN's gateway or not. Also, it's recommended to use a DHCP server, not the controller, esp. for that many APs and clients.

Jerrod Howard
Sr. Technical Marketing Engineer

Re: IAP335 and 7210 mobility controller design questions

Got it. Thanks a lot!
