Wireless Access

last person joined: 4 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Site-Site VPN with RAP 3WN

  • 1.  Site-Site VPN with RAP 3WN

    Posted Jun 22, 2014 05:28 AM

    Is it possible to have a site-site vpn configured using rap at the branch and controller at the central site, if yes, request you to share the doc on how the same has to be done- we are conducting a PoC and we are at our wits end trying.



  • 2.  RE: Site-Site VPN with RAP 3WN

    Posted Jun 22, 2014 05:44 AM



    Yes.  Did you see the user guide here:  http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Remote_AP/Remote_AP.htm ?


    EDIT:  To be clear, the controller can extend a layer2 network that exists in the headend network to the remote site, wired or wirelessly.




  • 3.  RE: Site-Site VPN with RAP 3WN

    Posted Jun 22, 2014 10:45 AM

    how is the site-site configuration done for the RAP-3WN? Is there any site-site specific configuration that needs to be done on the controller?



  • 4.  RE: Site-Site VPN with RAP 3WN

    Posted Jun 22, 2014 11:23 AM



    The best use case for a RAP3 or any RAP is to extend a Layer2 network at the headend to a remote location.  To have a full site to site VPN, which would mean a different Layer2 or Layer3 VLAN at a remote site connected back to corporate, it would be better to configure a smaller controller for a site to site VPN.


    If you simply want to extend connectivity using a RAP, your devices would simply have to use a subnet that is defined at corporate and extended through the wired or wireless on a RAP.


  • 5.  RE: Site-Site VPN with RAP 3WN

    Posted Jun 22, 2014 12:13 PM



    Let me explain my scenario,


    I want my remote branch users (5-10) to connect to the corporate office when the WAN connectivity fails, these users are all connected to a switch with a different network prefix than that of the corporate DC network. If i have to acheive this i am considering to deploy a RAP-3WN connected to the same switch where the users and the branch router is connected. The use case would be as under;

    1) No VPN clients on the user machines, they have to connect seamlessly to the corporate network with the existing branch network prefix.(since their applications are mapped with their ips).

    2) In case of wan link/router failure, the traffic to the corporate network should take the cellular route through the RAP.

    3) In case of failure of the wired network port/cable of the user, the user should be able to latch on to the RAP via wireless and get access to the corporate network.


    with the above conditions is it possible to configure the RAP-3WN for site-site VPN connectivity( I have gone through the document link sent by you and have seen there is an option for site-site vpn connectivity on the controller)


    Please do advice on how this can be acheived.





  • 6.  RE: Site-Site VPN with RAP 3WN

    Posted Jun 22, 2014 12:36 PM



    You have a number of requirements here.  Let's go through this step by step.  Have you already gotten the RAP to work over the internet connecting to the controller?  If yes, we can move on to the next step.

  • 7.  RE: Site-Site VPN with RAP 3WN

    Posted Jun 22, 2014 12:56 PM



    yes, it is able to connect but no traffic flows from the branch to the coporate network, i am able to ping test from the controller to the rap(reachable) over the internet, hence i was thinking if there are any settings to be done in the site-site tab on the controller.





  • 8.  RE: Site-Site VPN with RAP 3WN

    Posted Jun 22, 2014 12:58 PM

    If you are doing wireless connectivity, the ap-group the AP is in, should have a Virtual AP that has a VLAN that exists on your controller.  if you are doing wired connectivity, the wired ap-profile in the AP-group the AP is in should be assigned to a VLAN that is on the controller.


    The RAP is mainly a device to extend a VLAN that exists on your controller to a site, rather than route between your corporate networks and your site networks.


  • 9.  RE: Site-Site VPN with RAP 3WN

    Posted Jun 22, 2014 01:20 PM




    So if the scenario has to work then I will have to create the branch network prefix on the controller right, then how do i define the default gateway for the RAP?







  • 10.  RE: Site-Site VPN with RAP 3WN

    Posted Jun 22, 2014 02:09 PM

    the RAP's user networks are simply an extension to your existing headend network.


    Let's suppose you have an existing VLAN in your production network, called VLAN 10.  The ip address is 10.10.10.x.  Default gateway is    You trunk VLAN 10 to the controller.  If you want wireless devices at that branch office to be in VLAN 10, you make the virtual AP vlan , vlan 10.  If you want wired devices at that branch office to be on VLAN 10, you would configure your AP wired profile to Vlan 10.


    Users that plug into the RAP, after connects to the controller will be tunneled back to the controller over the internet and get an ip address from VLAN 10.  That is because the traffic is tunneled and then bridged to whatever VLAN number you specify.




    Does that make sense?

  • 11.  RE: Site-Site VPN with RAP 3WN

    Posted Jun 22, 2014 04:24 PM



    I will test this out today and let you know how it turns out.