RAP (and VIA, and IAP-VPN) will only work over port 4500/udp.
When using AOS8 clustering, you will need to have a public IP for each of the controllers that participate in the cluster that offers the VPN services for RAP/VIA/IAP-VPN. Most common is to NAT on the firewall, as it saves IP addresses when public IPs are pulled from a larger block on the firewall, versus putting a public subnet on the controllers, which needs a network and broadcast address and one IP for the firewall/router, so you need to slice a subnet of 4, 8 or 16 IPs (effectively 1, 5 or 13 hosts outside your firewall/router). As well, with NAT you can just port-forward port 4500/udp for the controller, and use other ports for other services.
An alternative would be to use the legacy HA, with VRRP, in which case you can have a NAT to the VRRP address of your controllers. This doesn't have the load-balancing active-active behavior like with Clustering, but if one controller can handle all the load/APs and getting additional public IPs is hard or expensive, I think it is a solid option. For increased availability, you can use a backup LMS VRRP in a different datacenter.
Your Aruba partner should be able to advise in your specific situation; or your local Aruba team if you work for a partner.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
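As an added illustration (not part of the reply above or any Aruba tooling), the following Python script checks a proposed firewall NAT plan against the two constraints discussed: RAP/VIA/IAP-VPN only use udp/4500, so remapping to other public ports cannot work, and in a cluster every member therefore needs its own public address, whereas VRRP needs only one. It also shows the address cost of routing a small public subnet to the controllers instead of NATing. All IP addresses are constructed documentation-range values and the plan format is an assumption made here for illustration.

```python
import ipaddress
from collections import Counter

# RAP, VIA and IAP-VPN negotiate IKE/IPsec with NAT-T over udp/4500 only.
IPSEC_NAT_T_PORT = 4500


def usable_controller_addresses(prefix_len):
    """Addresses left for controllers when a public subnet of this size is
    routed to the site: the network and broadcast addresses are unusable and
    one address goes to the firewall/router. 198.51.100.0/24 is documentation
    space and is used here only as a placeholder block."""
    net = ipaddress.ip_network(f"198.51.100.0/{prefix_len}")
    return net.num_addresses - 3


def public_ips_needed(controller_count, mode):
    """'cluster' exposes every cluster member, so each needs its own public IP.
    'vrrp' exposes only the shared VRRP address of the active/standby pair."""
    if mode == "cluster":
        return controller_count
    if mode == "vrrp":
        return 1
    raise ValueError(f"unknown mode {mode!r}")


def validate_nat_plan(mappings, controllers):
    """mappings: list of (public_ip, public_udp_port, controller_private_ip).
    Returns a list of human-readable problems; an empty list means every
    controller is reachable on udp/4500 through its own public address."""
    problems = []
    seen = Counter()
    for pub_ip, pub_port, ctrl in mappings:
        if pub_port != IPSEC_NAT_T_PORT:
            problems.append(
                f"{pub_ip}:{pub_port}/udp -> {ctrl}: RAP/VIA/IAP-VPN only use "
                f"udp/{IPSEC_NAT_T_PORT}; forwarding another port will not work"
            )
        seen[(pub_ip, pub_port)] += 1
    for (pub_ip, pub_port), count in seen.items():
        if count > 1:
            problems.append(
                f"{pub_ip}:{pub_port}/udp is forwarded to {count} controllers; "
                "one public port can only be forwarded to one host"
            )
    mapped = {c for _, p, c in mappings if p == IPSEC_NAT_T_PORT}
    for ctrl in controllers:
        if ctrl not in mapped:
            problems.append(
                f"controller {ctrl} has no udp/{IPSEC_NAT_T_PORT} forward and "
                "cannot terminate RAP/VIA/IAP-VPN"
            )
    return problems


# Constructed sample data: three cluster members behind one firewall.
CONTROLLERS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]

# Option from the original question: one public IP, ports 4501-4503 remapped.
PLAN_ONE_IP_REMAPPED_PORTS = [
    ("203.0.113.10", 4501, "10.0.0.11"),
    ("203.0.113.10", 4502, "10.0.0.12"),
    ("203.0.113.10", 4503, "10.0.0.13"),
]

# Recommended layout: one public IP per cluster member, all on udp/4500.
PLAN_ONE_IP_PER_CONTROLLER = [
    ("203.0.113.10", 4500, "10.0.0.11"),
    ("203.0.113.11", 4500, "10.0.0.12"),
    ("203.0.113.12", 4500, "10.0.0.13"),
]

if __name__ == "__main__":
    for name, plan in (
        ("one IP, ports 4501-4503", PLAN_ONE_IP_REMAPPED_PORTS),
        ("one IP per controller", PLAN_ONE_IP_PER_CONTROLLER),
    ):
        print(f"{name}: {validate_nat_plan(plan, CONTROLLERS) or 'OK'}")
    for mode in ("cluster", "vrrp"):
        print(f"{mode}: {public_ips_needed(len(CONTROLLERS), mode)} public IP(s) needed")
    for prefix in (30, 29, 28):
        print(f"/{prefix}: {usable_controller_addresses(prefix)} controller address(es)")
```

Running it flags every remapped port and every controller left without a udp/4500 forward in the first plan, accepts the second, and prints 1, 5 and 13 usable controller addresses for a /30, /29 and /28 respectively.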
Original Message:
Sent: Jan 11, 2021 10:16 AM
From: amr shawky
Subject: Controller with Port 4500 and RAPs
I have some questions here:
1- Remote sites have 10 APs at each site. The customer needs to use a remote solution, and port 4500 is blocked at the main site. Which solution is better (Branch Controller, RAP, IAP-VPN, VIA)?
2- Three remote sites connect as RAP to the main site with a single controller behind a firewall with NAT.
The customer needs to add 2 more controllers. What is the recommended solution for redundancy?
- Make a cluster, assign one public IP and 3 private IPs, and NAT over ports 4501, 4502 and 4503
- Purchase two new public IP addresses
- Purchase two new public IP addresses and remove NAT on the firewall