Wireless Access


Remote branch offices - IAP cluster VPN-tunnel or RAPs?

  • 1.  Remote branch offices - IAP cluster VPN-tunnel or RAPs?

    Posted Aug 03, 2021 07:28 PM

    Wireless design/architecture question here. I am relatively new to Aruba, so pardon my ignorance.

    We have a cluster of [2] 7240xm controllers managed by a virtual mobility conductor in our data center.
    This cluster manages our campus AP's at our local offices.
    The wifi traffic here is internet only. No protected corporate resources are available on the wifi.

    We are adding two new remote branch offices that will not have "LAN" access to the data center, and can only reach the data center via the internet.
    Office #1 requires 7 AP's.
    Office #2 requires 3 AP's.
    We will be using AP-505's.

    What is the best design to bring these AP's "into the fold"?

    1. Should we terminate all 10 AP's as individual RAP's to the controllers? Would they "play nice" together and do all the Airmatch RF magic, etc?
    2. Should we do a cluster of IAP's at each office, and build some sort of VPN tunnel back to the data center controllers from the master IAP's? Would the data center controllers manage the actual configurations of the APs or just route traffic at that point?

    Ideally, we would like to manage these AP's through our data center controllers, and not have some isolated IAP clusters floating out at these offices unable to be managed remotely. Ideally, we would be able to extend our existing WLANs over to these AP's.

    Thanks in advance for any advice you can provide! If you have any configuration guides, those would be appreciated as well. 
    I did find this document already: https://www.arubanetworks.com/assets/vrd/Instant_VRD_2.0.pdf

    - Chris

  • 2.  RE: Remote branch offices - IAP cluster VPN-tunnel or RAPs?

    Posted Aug 04, 2021 06:00 AM
    Edited by cjoseph Aug 04, 2021 06:03 AM
    If you need more than one AP at a remote site, IAP-VPN is the solution.  It will survive an outage at the datacenter and it allows you to be much more flexible.

    Some firewalls have problems passing more than 4, 6 or 8 VPN tunnels back to the same endpoint, so you should also use IAP-VPN for that reason.

    The IAP-VPN options for "split tunneling" are more flexible than those of RAPs.

    If you would like to manage those clusters centrally, it would require either Airwave or Aruba Central.

    This is an older document on Aruba Instant, but search for the section on "Branch Connectivity" here:  https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAttachments/1F47BC48-DAFB-4B48-9FF1-2973BB3C2F87-8-Instant%20VRD%202.0.pdf

    Edit: you already found that document.  The "branch connectivity" portion will tell you how to configure IAP-VPN.

    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.