Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VIA + RAP - Controller Positioning

  • 1.  VIA + RAP - Controller Positioning

    Posted Oct 06, 2016 02:28 PM

    I am looking for recommendations for VIA/RAP/DMZ controller deployment. 

     

    I have an existing infrastructure of Master/Standby/Locals. All roles and policies are built. 

     

    Should I configure the DMZ controllers as Locals to the existing environment? I believe I read best practices say to build them as Masters. Therefore I would need to rebuild all the policy configurations. That doesn't seem right. AirWave WMS offload seems scary if I need to go that route.

     

    Thanks much. 

     



  • 2.  RE: VIA + RAP - Controller Positioning
    Best Answer

    EMPLOYEE
    Posted Oct 06, 2016 02:41 PM

    I am not sure where AirWave and WMS offload have a role in this.

     

    In the simplest deployment, you can have a single controller inside your network with a 1:1 static NAT on your firewall. You would be allowing UDP 4500 for IPsec and TCP 443 for SSL to allow VIA and RAP to work. This setup will work whether it is a master or local, because the IPsec pool is defined on the physical controller that the RAP or VIA terminates on.



  • 3.  RE: VIA + RAP - Controller Positioning

    Posted Oct 11, 2016 01:13 PM

    Thanks Colin. I will deploy via your recommendation. 

     

    I was thinking I could do Multi-Master with the VIA 'Master' in the DMZ and the Master sitting on the Prod network with WMS offload to AirWave so I could keep all my roles and policies in sync. 



  • 4.  RE: VIA + RAP - Controller Positioning

    EMPLOYEE
    Posted Oct 11, 2016 01:28 PM

    Many people dedicate a controller in the DMZ to VIA that does not have any WLAN configuration (just VIA configuration), so there is not necessarily a reason to keep them in sync. It also reduces your licensing requirements for VIA VPN to a single controller. If you did VIA Master/local, you would need a VIA VPN license for the master to configure the VIA policies and one for the local to terminate VIA. It is probably good to have a single Master in the DMZ that does VIA/RAP, because the policies for remote users many times are only a smaller subset of what WLAN users require and don't need to be synchronized...



  • 5.  RE: VIA + RAP - Controller Positioning

    Posted Oct 11, 2016 01:47 PM

    I didn't consider the additional license on the Master. The VIA L3 Authentication and Connection profiles are created on the Master and not directly on the Local... which makes sense.

     

    In that case, since I only have a single PEFV license, I will require the VIA/RAP controller to be a Master and recreate policies. The customer will want a seamless experience no matter how they connect... CAP/RAP or VIA.