Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Controller with Port 4500 and RAPs

  • 1.  Controller with Port 4500 and RAPs

    Posted 15 days ago

    I have some questions here:

    1- Remote sites have 10 APs at each site. The customer needs to use a remote solution and port 4500 is blocked at the main site. Which solution is better (Branch Controller – RAP – IAP VPN – VIA)?

    2- Three remote sites are connecting as RAPs to the main site, with a single controller behind a firewall with NAT.

    The customer needs to add another 2 controllers. What is the recommended solution for redundancy?

    • Make a cluster and assign one public IP and 3 private IPs, and NAT over ports 4501-4502-4503
    • Purchase two new public IP addresses
    • Purchase two new public IP addresses and remove NAT over the firewall


  • 2.  RE: Controller with Port 4500 and RAPs

    Posted 13 days ago
    no one here :D ?

    amr shawky

  • 3.  RE: Controller with Port 4500 and RAPs

    Posted 12 days ago
    RAP (and VIA, and IAP-VPN) will only work over port 4500/udp.

    When using AOS8 clustering, you will need to have a public IP for each of the controllers that participate in the cluster that offers the VPN services for RAP/VIA/IAP-VPN. Most common is to NAT on the firewall, as it saves IP addresses when public IPs are pulled from a larger block on the firewall, versus putting a public subnet for the controllers that needs a network and broadcast address, one IP for the firewall/router, and you need to slice a subnet of 4, 8, 16 IPs (effective 1, 5, 13 hosts outside your firewall/router). As well, with NAT you can just port-forward port 4500/udp for the controller, and use other ports for other services.

    An alternative would be to use the legacy HA, with VRRP, in which case you can have a NAT to the VRRP address of your controllers. This doesn't have the load-balancing active-active behavior like with Clustering, but if one controller can handle all the load/APs, it is an option. If getting additional public IPs is hard or expensive, I think it is a solid option. For increased availability, you can use a backup LMS VRRP in a different datacenter.

    Your Aruba partner should be able to advise in your specific situation; or your local Aruba team if you work for a partner.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
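
The constraints from the reply above for a clustered deployment, written as a pre-change check for a firewall NAT plan. This is an added example, not part of the original thread and not Aruba code; the function names, controller names and addresses are constructed for illustration, and the rules encoded are only the two the reply states (4500/udp only, one public IP per cluster member) plus its subnet arithmetic.

```python
import ipaddress
from collections import Counter

RAP_VPN = ("udp", 4500)  # per the reply: RAP/VIA/IAP-VPN only work over 4500/udp

def usable_controller_ips(public_subnet):
    """Routed public subnet: total minus network, broadcast and one firewall/router IP."""
    net = ipaddress.ip_network(public_subnet)
    return max(net.num_addresses - 3, 0)

def check_cluster_nat_plan(rules):
    """Return a list of problems for a clustered deployment; empty means the plan fits."""
    problems = []
    for r in rules:
        ipaddress.ip_address(r["public_ip"])  # ValueError on a malformed address
        if (r["proto"], r["port"]) != RAP_VPN:
            problems.append(f'{r["controller"]}: exposed on {r["proto"]}/{r["port"]}, not udp/4500')
    for ip, n in Counter(r["public_ip"] for r in rules).items():
        if n > 1:
            problems.append(f"{ip}: shared by {n} cluster members, each needs its own public IP")
    return problems

# Constructed sample plans (documentation addresses, hypothetical controller names).
# First option from the question: one public IP, NAT over ports 4501-4503.
PLAN_SHARED_IP = [
    {"controller": "mc1", "public_ip": "203.0.113.10", "proto": "udp", "port": 4501},
    {"controller": "mc2", "public_ip": "203.0.113.10", "proto": "udp", "port": 4502},
    {"controller": "mc3", "public_ip": "203.0.113.10", "proto": "udp", "port": 4503},
]
# One public IP per cluster member, each port-forwarding 4500/udp.
PLAN_PER_IP = [
    {"controller": "mc1", "public_ip": "203.0.113.11", "proto": "udp", "port": 4500},
    {"controller": "mc2", "public_ip": "203.0.113.12", "proto": "udp", "port": 4500},
    {"controller": "mc3", "public_ip": "203.0.113.13", "proto": "udp", "port": 4500},
]

if __name__ == "__main__":
    for name, plan in (("shared IP", PLAN_SHARED_IP), ("per-controller IP", PLAN_PER_IP)):
        issues = check_cluster_nat_plan(plan)
        print(name, "->", "OK" if not issues else issues)
    # Without NAT, a routed public subnet of 4, 8 or 16 addresses leaves this many for controllers:
    for prefix in ("203.0.113.0/30", "203.0.113.0/29", "203.0.113.0/28"):
        print(prefix, usable_controller_ips(prefix))
```

The check applies to clustering only; with the legacy VRRP HA described in the reply, a single NAT to the VRRP address is the intended design.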