Occasional Contributor I

Master/Local for HQ/Branch deployment, or standalone at branch sites?

Hello,

I've inherited a medium-sized campus Aruba install and I'm deploying a branch site with just a couple of APs and a 7005 controller. I've noticed all of the Master/Local design guides are designed around campus implementations and don't discuss remote sites.

Would configuring the remote site controller as a Local controller and tying it back to the master at HQ be a proper deployment model, or are there disadvantages?

My initial plan was to configure the remote site controller as a standalone.

There are some limitations on the Instant OS that affect my deployment, which is why I'm using a Mobility Controller for this site. The main things I'm trying to accomplish are as follows:

1. Local routing (I don't want traffic to tunnel back to HQ to route)

2. Survivability - Local clients will point to local auth servers, etc. so local operation will continue if the WAN link goes down.

My understanding is that I can do all of this with the master/local model and it will allow me to centralize configuration.

The one thing I'm somewhat confused about though is that I use the local DB for guest access. Would this be synced from the master to the local?

Is the only issue with a split that I wouldn't be able to make new configuration on the local until connectivity is restored?

Sorry for so many questions.

Thanks for your help!

Guru Elite

Re: Master/Local for HQ/Branch deployment, or standalone at branch sites?

Yes, this would be a common deployment.

In order to sync the internal db, you would have to use AirWave. The longer term solution would be to use your RADIUS server for guest management.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Master/Local for HQ/Branch deployment, or standalone at branch sites?

Thanks for the reply! That makes my decision a lot clearer. We're not using AirWave, so I will deploy the remote controller as a standalone.

My long term cleanup plan involves implementing a better solution for guest management. I'll address a possible re-design then.

Thanks!

Guru Elite

Re: Master/Local for HQ/Branch deployment, or standalone at branch sites?

I would still do master-local. Management is much easier than maintaining multiple controllers separately.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Master/Local for HQ/Branch deployment, or standalone at branch sites?

If running master/local with guest on internal DB, does that mean that guest auth will only work if the local can reach the master? Is it all proxied through the master?

Also, on that note, we're terminating RADIUS on the controller and authenticating with LDAP on the back end. Would this still work if the local auth profile pointed to a local LDAP server? Would it continue to work locally if WAN connectivity was lost? Or would this need to be proxied through the controller as well?

Thanks!

Guru Elite

Re: Master/Local for HQ/Branch deployment, or standalone at branch sites?

Both standalone and master/local cannot use another controller's internal db. You could set up a GRE tunnel for guest from the local to the master, which would then use the master's database, however this would not work if the master was down.

For the LDAP stuff, you would essentially clone your AAA profiles and server groups and reference the local LDAP servers instead of the central ones. It will not be proxied.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Master/Local for HQ/Branch deployment, or standalone at branch sites?

So for the local DB guest stuff, in master/local, I could still manage the local DB of the local and add guests there?  Then any policy that referenced the local DB would reference whichever one was on the local controller?

Guru Elite

Re: Master/Local for HQ/Branch deployment, or standalone at branch sites?

Yes, that's correct.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Master/Local for HQ/Branch deployment, or standalone at branch sites?

To make the local switch authenticate guest users locally rather than against the master, the command is on the local.

aaa authentication-server internal use-local-switch

If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
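
The two replies above (clone the AAA profile and server group so they reference the branch LDAP server, and run the internal-database command on the local) can be combined as in the following added configuration example, which is not from any poster in the thread. All profile, server-group, virtual-AP and AP-group names, the 192.0.2.10 address and the DNs are constructed placeholders, and it is an assumption that the AAA objects are defined on the master with the rest of the centralized configuration.

```text
! Added example; every name, address and DN below is a constructed placeholder.
!
! --- Defined on the master with the rest of the centralized config (assumption) ---
aaa authentication-server ldap "branch-ldap-1"
   host 192.0.2.10
   admin-dn "cn=svc-wlan,ou=service,dc=example,dc=com"
   admin-passwd <bind-password>
   base-dn "ou=people,dc=example,dc=com"
   key-attribute "sAMAccountName"
   ! Prefer an encrypted bind so directory credentials do not cross the LAN in clear text.
   preferred-conn-type ldap-s
   enable
!
! Server group that lists only the branch LDAP server, so authentication
! does not depend on the WAN link to HQ.
aaa server-group "branch-ldap-group"
   auth-server "branch-ldap-1"
!
! Clone of the hypothetical HQ profile "hq-employee-aaa"; only the server group differs.
aaa profile "branch-employee-aaa"
   clone "hq-employee-aaa"
   dot1x-server-group "branch-ldap-group"
!
! Branch SSID and AP group reference the cloned profile.
wlan virtual-ap "branch-employee-vap"
   aaa-profile "branch-employee-aaa"
!
ap-group "branch"
   virtual-ap "branch-employee-vap"
!
! --- Run on the branch local controller itself ---
! Guest policies that reference the internal server group then use the
! local's own internal database instead of the master's.
aaa authentication-server internal use-local-switch
```

With this in place, guest accounts for the branch have to be created in the branch controller's own internal database, since the thread notes that one controller cannot use another controller's internal db.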