Contributor II

Remote Branch Office AP Connectivity Options

Afternoon chaps

We're about to embark on an SD-WAN PoC on a few of our remote offices. During the PoC we want to test our existing Aruba Wi-Fi SSIDs for Corporate (802.1X) and Guest (PSK/Captive Portal) in the SD-WAN connected branch. Some background on our existing setup:

 

- Wireless Controllers and ClearPass located in Data Centres

- Existing remote offices connected to DC via Private MPLS, APs in those locations in CAP tunneled mode as there is no NAT involved.

 

When we carry out the PoC our branch office will be connected to our Data Centre by Internet and MPLS. The SD-WAN device will provide an 'IPSec overlay' across these transports to a head end SD-WAN device in our Data Centre. For both our SSIDs we will need to tunnel the authentication traffic back to our main Data Centre and then after authentication either break out user traffic in the branch locally (e.g. Local Internet Breakout) or send it back to the main Data Centre. As there is a requirement here to 'split' the traffic, does that rule out the Campus AP option from the start? If so, to support the 'split' of traffic the other option is Remote AP in 'split-tunnel' mode, as 'bridge' mode doesn't give the option to switch the traffic to the Data Centre.

 

I'm sure there will be other questions after the discussion is started. Of course the other option would be to deploy a local controller in the branch!

 

Many Thanks

 

Glynn

Aruba Employee

Re: Remote Branch Office AP Connectivity Options

Are you wanting the granularity to split user traffic (some of a given user's traffic tunnels, while other destinations bridge), or just the coarse control to say the Corp SSID tunnels while the Guest SSID stays local?


Charlie Clemmer
Aruba Customer Engineering
Contributor II

Re: Remote Branch Office AP Connectivity Options

For Guest - the user's authentication traffic will need to be tunnelled back to the data centre; thereafter Guest traffic will be broken out locally via the local internet connection.

 

For Corporate - the user's authentication will need to be tunnelled back to the data centre; thereafter traffic could flow two ways: locally to the internet or back to the data centre for corporate services.

 

Rgds

Aruba Employee

Re: Remote Branch Office AP Connectivity Options

Authentication traffic is usually the easy part; the user's traffic path is more significant for designing.

 

Based on that, I would suggest either Instant or a branch office controller for the SD-WAN sites if multiple APs are needed per site, unless the site can be serviced with a single RAP per location.


Charlie Clemmer
Aruba Customer Engineering
Contributor II

Re: Remote Branch Office AP Connectivity Options

Is there a limit to the amount of RAPs that can be deployed? Or is it recommended to deploy them singly?

 

Aruba Employee

Re: Remote Branch Office AP Connectivity Options

Correct.

 

It's a bit dated, but the RAP VRD may help: http://www.arubanetworks.com/assets/vrd/RAPVRD_version_8.pdf


Charlie Clemmer
Aruba Customer Engineering