Wireless Access

Occasional Contributor I
Posts: 6
Registered: ‎06-22-2014

Site-Site VPN with RAP 3WN

Is it possible to have a site-site VPN configured using a RAP at the branch and a controller at the central site? If yes, request you to share the doc on how the same has to be done. We are conducting a PoC and we are at our wits' end trying.

 

Mahesh

Guru Elite
Posts: 21,024
Registered: ‎03-29-2007

Re: Site-Site VPN with RAP 3WN


kkumarm,

 

Yes.  Did you see the user guide here:  http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Remote_AP/Remote_AP.htm ?

 

EDIT:  To be clear, the controller can extend a layer2 network that exists in the headend network to the remote site, wired or wirelessly.

 

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 6
Registered: ‎06-22-2014

Re: Site-Site VPN with RAP 3WN

How is the site-site configuration done for the RAP-3WN? Is there any site-site specific configuration that needs to be done on the controller?

 

Mahesh

Guru Elite
Posts: 21,024
Registered: ‎03-29-2007

Re: Site-Site VPN with RAP 3WN

Mahesh,

 

The best use case for a RAP3 or any RAP is to extend a Layer2 network at the headend to a remote location.  To have a full site to site VPN, which would mean a different Layer2 or Layer3 VLAN at a remote site connected back to corporate, it would be better to configure a smaller controller for a site to site VPN.

 

If you simply want to extend connectivity using a RAP, your devices would simply have to use a subnet that is defined at corporate and extended through the wired or wireless on a RAP.

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: ‎06-22-2014

Re: Site-Site VPN with RAP 3WN

Colin,

 

Let me explain my scenario,

 

I want my remote branch users (5-10) to connect to the corporate office when the WAN connectivity fails. These users are all connected to a switch with a different network prefix than that of the corporate DC network. If I have to achieve this, I am considering deploying a RAP-3WN connected to the same switch where the users and the branch router are connected. The use case would be as under:

1) No VPN clients on the user machines; they have to connect seamlessly to the corporate network with the existing branch network prefix (since their applications are mapped to their IPs).

2) In case of WAN link/router failure, the traffic to the corporate network should take the cellular route through the RAP.

3) In case of failure of the wired network port/cable of the user, the user should be able to latch on to the RAP via wireless and get access to the corporate network.

 

With the above conditions, is it possible to configure the RAP-3WN for site-site VPN connectivity? (I have gone through the document link sent by you and have seen there is an option for site-site VPN connectivity on the controller.)

 

Please do advise on how this can be achieved.

 

Regards,

 

Mahesh

Guru Elite
Posts: 21,024
Registered: ‎03-29-2007

Re: Site-Site VPN with RAP 3WN

Mahesh,

 

You have a number of requirements here.  Let's go through this step by step.  Have you already gotten the RAP to work over the internet connecting to the controller?  If yes, we can move on to the next step.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: ‎06-22-2014

Re: Site-Site VPN with RAP 3WN

Colin,

 

Yes, it is able to connect, but no traffic flows from the branch to the corporate network. I am able to ping test from the controller to the RAP (reachable) over the internet, hence I was thinking if there are any settings to be done in the site-site tab on the controller.

 

Regards,

 

Mahesh

Guru Elite
Posts: 21,024
Registered: ‎03-29-2007

Re: Site-Site VPN with RAP 3WN

If you are doing wireless connectivity, the ap-group the AP is in should have a Virtual AP that has a VLAN that exists on your controller.  If you are doing wired connectivity, the wired ap-profile in the AP-group the AP is in should be assigned to a VLAN that is on the controller.

 

The RAP is mainly a device to extend a VLAN that exists on your controller to a site, rather than route between your corporate networks and your site networks.

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: ‎06-22-2014

Re: Site-Site VPN with RAP 3WN

Colin,

 

 

So if the scenario has to work, then I will have to create the branch network prefix on the controller, right? Then how do I define the default gateway for the RAP?

 

Regards,

 

Mahesh

 

 

Guru Elite
Posts: 21,024
Registered: ‎03-29-2007

Re: Site-Site VPN with RAP 3WN

The RAP's user networks are simply an extension to your existing headend network.

 

Let's suppose you have an existing VLAN in your production network, called VLAN 10.  The IP address is 10.10.10.x.  Default gateway is 10.10.10.1.  You trunk VLAN 10 to the controller.  If you want wireless devices at that branch office to be in VLAN 10, you make the virtual AP VLAN, VLAN 10.  If you want wired devices at that branch office to be on VLAN 10, you would configure your AP wired profile to VLAN 10.

 

Users that plug into the RAP, after it connects to the controller, will be tunneled back to the controller over the internet and get an IP address from VLAN 10.  That is because the traffic is tunneled and then bridged to whatever VLAN number you specify.

 

 

 

Does that make sense?



Colin Joseph
Aruba Customer Engineering
