Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Controller with Port 4500 and RAPs

  • 1.  Controller with Port 4500 and RAPs

    Posted Jan 11, 2021 10:17 AM

    I have some questions here.

    1- Remote sites have 10 APs at each site – the customer needs to use a remote solution and port 4500 is blocked at the main site. Which solution is better (Branch Controller – RAP – IAP VPN – VIA)?

    2- Three remote sites connect as RAPs to the main site with a single controller behind a firewall with NAT.

    The customer needs to add 2 more controllers. What is the recommended solution for redundancy?

    • Make a cluster, assign one public IP and 3 private IPs, and NAT over ports 4501-4502-4503
    • Purchase two new public IP addresses
    • Purchase two new public IP addresses and remove NAT over the firewall






    ------------------------------
    n/a
    ------------------------------


  • 2.  RE: Controller with Port 4500 and RAPs

    Posted Jan 13, 2021 04:03 AM
    no one here :D ?

    ------------------------------
    amr shawky
    ------------------------------



  • 3.  RE: Controller with Port 4500 and RAPs

    EMPLOYEE
    Posted Jan 14, 2021 05:02 AM
    RAP (and VIA, and IAP-VPN) will only work over port 4500/udp.

    When using AOS8 clustering, you will need to have a public IP for each of the controllers that participate in the cluster that offers the VPN services for RAP/VIA/IAP-VPN. Most common is to NAT on the firewall as it saves IP addresses when public IPs are pulled from a larger block on the firewall, versus putting a public subnet for the controllers that need a network and broadcast address, one IP for the firewall/router and you need to slice a subnet of 4, 8, 16 IPs (effective 1, 5, 13 hosts outside your firewall/router). As well, with NAT you can just port-forward port 4500/udp for the controller, and use other ports for other services.

    An alternative would be to use the legacy HA, with VRRP, in which case you can have a NAT to the VRRP address of your controllers. This doesn't have the load-balancing active-active behavior like with Clustering, but if one controller can handle all the load/APs, it is an option; if getting an additional public IP is hard or expensive, I think it is a solid option. For increased availability, you can use a backup LMS VRRP in a different datacenter.

    Your Aruba partner should be able to advise in your specific situation; or your local Aruba team if you work for a partner.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 4.  RE: Controller with Port 4500 and RAPs

    Posted Feb 05, 2021 09:08 AM

    Thanks Herman,

    Please find my comments below.

    "RAP (and VIA, and IAP-VPN) will only work over port 4500/udp." One of them must work without udp4500.
    So this is a question, so it must have one correct answer.
    (A#Branch Controller – B#RAP – C#IAP VPN – D#VIA) So these are the choices A, B, C, and D; must choose one of them.

    For the second question I have written, it is a question with one valid answer, it is not a design proposal, so I think, for your answer, that the correct answer would be B -- right?



    ------------------------------
    amr shawky
    ------------------------------