Wireless Access

We currently have a number of offices that have local controllers.  These sites generally have 40 - 150 users.  It has been suggested that we get rid of the controllers and just use multiple remote ap's in their place to save on the cost of the controllers.  Does anyone have any experience with running multiple remote AP's in a branch office and some potential pitfalls.  I am skeptical about having 100 users running on multiple remote AP's but I am looking for any valuable input as to what may occur or what functionality we may lose. 

Thanks

This is dependent on your network access requirements and traffic flow. Will your remote branch office users require connection back to the HQ or is all the user traffic natted to the internet? It will be better if you can expalin the user traffic flow for your current setup and what services are available at the remote site such as RADIUS, DHCP etc

RAPs are generally recommended only for telelcommuters i.e. single AP deployments. If you have 40 -150 users per site then RAPs are not recommended. 

Regards,

Sathya

Thanks Sathya.  We currently use remote AP's at a bunch of WAN sites purely so we can put them in bridge mode and dump traffic locally without a local controller.  All of these sites are WAN connected.   If we were to configure them as campus AP's with no local controller all the traffic would be coming off the controller located back at the datacenter location.  It makes sense for WAN connected offices with 2 AP's and 20 users for instance but I am wondering at what point or for what reasons a local controller is justified.  For instance do you have controllers at every WAN site even if they are only 1 or 2 AP's?  It can be hard to justify the cost at site to site VPN offices or other small MPLS WAN connected offices

Thanks.

• Local controllers are probably needed for regional sites that have more than 50 users. If you have sites that have 20 users nad you can support them with 1 or 2 APs then you have a couple of options depending on the traffic flow.
• If the user traffic nevers comesback to the HQ then you can use 2 APs in bridge mode and have a local DHCP server and you are pretty much done
• If the traffic has to come back to the corporate HQ and you dont have a private line/MPLS between your branches and HQ you can use tunnel or split-tunnel mode. Remember that roaming in not very effective between RAPs operating in split-tunnel mode.
• If you have a VPN endpoint at the branch office that can take care of the routing and IPsec , then you can use RAPs in bridge mode.

A very good alternative for sites that have upto 256 users is the Aruba insatnt deployment. As long as the traffic stays local or until you have a private link to HQ or a VPN setup this is the best solution. In the insatnt solution you wont need a controller even at the HQ. Currently, the Aruba instant soution is a cluster of upto 16APs that can operate togother using the concept of virtual controller. The AP clusters can be centrally managed using Airwave. For details on how this architecture works see the Aruba insatnt documentation available at support.arubanetworks.com 

Regards,

Sathya

I have a similar scenario where the customer has the plan to use 48 APs at the remote site in Thailand. The centralised controller is hosted in Singapore and they are interconnected by MPLS. The APs would broadcast only 2 SSID with EAP-TLS authentication. The Staff SSID would be in bridge mode and only the Guest SSID will be in tunneled mode. The number of Staff remotely is about 1000 and the Guest is less than 30 daily. 

I would like to know whether we can drop local controller and configure the APs as remote ap in this case?

Thank you.

yes it can work, point the LMS IP in the ap system profile to the public IP with 500+4500 UDP port-forwarded to the local controller.

I am not sure how much benefit you get from the local controller if the authentication back end for the eap-tls is back in corp in Singapore, if the auth traffic has to go to Singapore, maybe the APs will be happy enough running from Singapore too.

Just watch out that bridge mode is a bit unloved (not just from unsupported features perspective but also 'features that work in Instant but don't exist in bridge mode (e.g. DPI related things)'

And watch out for limitations like "no more than 32 aps on the lan" so that the firewall state can sync during ap to ap roaming (which doesn't work well if the bridge VAP is also using route src-nat).

Try to avoid using src-nat for the bridge virtual APs if you have any sort of roaming happening at the site(s), not just for the above mentioned issue but also because there is no nat anchor and you will get session breakage on roaming. Better to use another device above the APs as the NAT device (e.g. a capable L3 switch or the broadband router that connects you to the Internet, but you need to take care of the dhcp and/or routing in that case)

Finally, going the RAP route can incur a heavier provisioning overhead - unless your using the newfangled unified APs or "real RAPs" not just campus APs reprovisioned as RAP (thus requiring console port provisioning or local lan access to a controller at least once to provisoning before sending to site).

These are just some random thoughts, there are a few ways to skin this cat, I am sure you will get some other thoughts about it - including a few reminders to use instant :)