Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Remote Branch Office AP Connectivity Options

  • 1.  Remote Branch Office AP Connectivity Options

    Posted Apr 04, 2018 02:45 PM

    Afternoon chaps

    We're about to embark on an SD-WAN PoC on a few of our remote offices. During the PoC we want to test our existing Aruba Wi-Fi SSIDs for Corporate (802.1X) and Guest (PSK/Captive Portal) in the SD-WAN connected branch. Some background on our existing setup:

     

    - Wireless Controllers and ClearPass located in Data Centres

    - Existing remote offices connected to DC via Private MPLS, APs in those locations in CAP tunneled mode as there is no NAT involved.

     

    When we carry out the PoC our branch office will be connected to our Data Centre by Internet and MPLS. The SD-WAN device will provide an 'IPSec overlay' across these transports to a head end SD-WAN device in our Data Centre. For both our SSIDs we will need to tunnel the authentication traffic back to our main Data Centre and then after authentication either break out user traffic in the branch locally (e.g. Local Internet Breakout) or send it back to the main Data Centre. As there is a requirement here to 'split' the traffic, does that rule out the Campus AP option from the start? If so, to support the 'split' of traffic the other option is Remote AP in 'split-tunnel' mode as 'bridge' mode doesn't give the option to switch the traffic to the Data Centre.

     

    I'm sure there will be other questions after the discussion is started. Of course the other option would be to deploy a local controller in the branch!

     

    Many Thanks

     

    Glynn



  • 2.  RE: Remote Branch Office AP Connectivity Options

    EMPLOYEE
    Posted Apr 04, 2018 03:04 PM

    Are you wanting the granularity to split user traffic (some of a given user's traffic tunnels, while other destinations bridge), or just the coarse control to say the Corp SSID tunnels while the Guest SSID stays local?



  • 3.  RE: Remote Branch Office AP Connectivity Options

    Posted Apr 04, 2018 03:10 PM

    For Guest - the user's authentication traffic will need to be tunnelled back to the data centre, thereafter Guest traffic will be broken out locally via the local internet connection.

     

    For Corporate - the user's authentication will need to be tunnelled back to the data centre, thereafter traffic could flow two ways: locally to the internet or back to the data centre for corporate services.

     

    Rgds



  • 4.  RE: Remote Branch Office AP Connectivity Options

    EMPLOYEE
    Posted Apr 04, 2018 03:17 PM

    Authentication traffic is usually the easy part; the user's traffic path is more significant for designing.

     

    Based on that, I would suggest either Instant or a branch office controller for the SD-WAN sites if multiple APs are needed per site, unless the site can be serviced with a single RAP per location.



  • 5.  RE: Remote Branch Office AP Connectivity Options

    Posted Apr 04, 2018 03:33 PM

    Is there a limit to the amount of RAPs that can be deployed? Or is it recommended to deploy them singly?

     



  • 6.  RE: Remote Branch Office AP Connectivity Options

    EMPLOYEE
    Posted Apr 05, 2018 08:38 AM

    Correct.

     

    It's a bit dated, but the RAP VRD may help: http://www.arubanetworks.com/assets/vrd/RAPVRD_version_8.pdf