Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

PEFV Licensing?

  • 1.  PEFV Licensing?

    Posted May 11, 2016 01:29 PM

    Is the PEFV licensing only for VIA termination? We have two projects we are looking to do and aren't sure if we need this license; our SE told us we would, but then others have told us otherwise.

    Project 1: Controller-to-controller site-to-site VPN

    Project 2: RAPs (205H) for users to use at home back to our corp network on a dedicated controller

     



  • 2.  RE: PEFV Licensing?

    EMPLOYEE
    Posted May 11, 2016 01:32 PM
    PEFV is required for:

    1) Using the VIA VPN client

    2) If you need to change the default VPN role for site-to-site, IAP-VPN, branch VPN

    If you just need an allow all on the end of your site-to-site VPN, then you do not need it.


  • 3.  RE: PEFV Licensing?

    Posted May 11, 2016 01:36 PM

    I assume the default VPN role is allow all, but changing roles like you said will require the license if we want to limit what goes over the VPN? RAPs connecting from a user's home to a controller would be IAP-VPN?



  • 4.  RE: PEFV Licensing?

    EMPLOYEE
    Posted May 11, 2016 01:45 PM
    Correct, but in most cases, that wouldn't be your enforcement point so it's not usually needed.

    IAP-VPN usually needs it in order to src-nat the cluster so that you don't have to define hundreds of addresses in your RADIUS server.

    RAPs do not require PEFV. Only the regular AP licenses (AP, PEFNG).


  • 5.  RE: PEFV Licensing?

    Posted Dec 29, 2016 07:04 AM

    Hello, I have a project where the client is a bank and needs to deploy around 80 IAP 207s across its branches, and the IAPs are to connect through VPN to the 7010 controller in the main branch. Can someone please explain what the reason is for using the controller here, since it's not responsible for the configuration (that is the responsibility of the virtual controller in each branch)? Also, what licenses do we need on the controller in order to terminate the VPN IAPs?



  • 6.  RE: PEFV Licensing?

    EMPLOYEE
    Posted Dec 29, 2016 08:31 AM

    IAP-VPN is only used to tunnel traffic from an IAP cluster to a controller in a datacenter. If you already have a WAN link that allows traffic to get from a remote site to your datacenter, you don't necessarily need this. For example, some installations only use IAP-VPN to tunnel guest traffic back to a central location where it can be filtered and put onto the internet, but just bridge all of the enterprise traffic locally...

     

    EDIT:  You do not need any licenses on the controller to terminate IAP-VPN traffic.



  • 7.  RE: PEFV Licensing?

    Posted Dec 29, 2016 08:38 AM

    In my case, the wireless network we are building is for the guests of the bank, so does it mean that we are using this method to tunnel guest traffic from each branch to the controller in the main branch, and the controller does the role of filtering and authenticating? Right?

    Afterwards, what happens from the controller side?

    I am not getting the main reason behind using a controller when trying to give guests internet access in all the branches...



  • 8.  RE: PEFV Licensing?

    EMPLOYEE
    Posted Dec 29, 2016 09:03 AM

    If you have an ISP for each site and you can forward that traffic locally to a guest VLAN for each site, you don't need IAP-VPN.  If you have a centralized guest solution at your datacenter, you would use IAP-VPN to tunnel guest traffic to the controller.  The controller would function as a VPN concentrator to receive the guest traffic from all of the sites and then send it out a centralized ISP, for example.