Wireless Access

Contributor I

PEFV Licensing?

Is the PEFV licensing only for VIA termination? We have two projects we are looking to do and aren't sure if we need this license. Our SE told us we would, but then others have told us otherwise.

 

Project 1: Controller to controller site-to-site VPN

Project 2: RAPs (205H) for users to use at home back to our corp network on a dedicated controller

 

Guru Elite

Re: PEFV Licensing?

PEFV is required for:



1) Using the VIA VPN client

2) If you need to change the default VPN role for site-to-site, IAP-VPN, branch VPN



If you just need an allow all on the end of your site-to-site VPN, then you do not need it.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: PEFV Licensing?

I assume the default VPN role is allow all, but changing roles like you said will require the license if we want to limit what goes over the VPN? RAPs connecting from a user's home to a controller would be IAP-VPN?

Guru Elite

Re: PEFV Licensing?

Correct, but in most cases, that wouldn't be your enforcement point so it's not usually needed.



IAP-VPN usually needs it in order to src-nat the cluster so that you don't have to define hundreds of addresses in your RADIUS server.



RAPs do not require PEFV. Only the regular AP licenses (AP, PEFNG).

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: PEFV Licensing?

Hello, I have a project where the client is a bank and needs to deploy around 80 IAP 207s across its branches, and the IAPs are to connect through VPN to the 7010 controller in the main branch. Can someone please explain the reason for using the controller here, since it's not responsible for the configuration (that is the responsibility of the virtual controller in each branch)? Also, what licenses do we need on the controller in order to terminate the VPN IAPs?

Guru Elite

Re: PEFV Licensing?

IAP-VPN is only used to tunnel traffic from an IAP cluster to a controller in a datacenter. If you already have a WAN link that allows traffic to get from a remote site to your datacenter, you don't necessarily need this. For example, some installations only use IAP-VPN to tunnel guest traffic back to a central location where it can be filtered and put onto the internet, but just bridge all of the enterprise traffic locally...

 

EDIT:  You do not need any licenses on the controller to terminate IAP-VPN traffic.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: PEFV Licensing?

In my case, the wireless network we are building is for the guests of the bank, so does it mean that we are using this method to tunnel guest traffic from each branch to the controller in the main branch, and the controller does the role of filtering and authenticating? Right?

Afterwards, what happens from the controller side?

I am not getting the main reason behind using a controller when trying to give guests internet access in all the branches...

Guru Elite

Re: PEFV Licensing?

If you have an ISP for each site and you can forward that traffic locally to a guest VLAN for each site, you don't need IAP-VPN.  If you have a centralized guest solution at your datacenter, you would use IAP-VPN to tunnel guest traffic to the controller.  The controller would function as a VPN concentrator to receive the guest traffic from all of the sites and then send it out a centralized ISP, for example.



Colin Joseph
Aruba Customer Engineering
