Wireless Access

So.. due to some other issues I am considering migrating a CAP setup with a few 100 APs to RAP.
I am thinking that since we will be running the RAPs in tunneled mode the controller has all the info and support should be pretty much identical to the CAP setup, right?

Can someone confirm proper roaming (.11r, OKC, PMKID caching, client match, ...) for users connected to RAPs from the same controller cluster will work as I expect? Without issue that is?

You would get better performance by running all of those access points as Iaps and tunneling the traffic back to the controller using IAP-VPN.  Also, some routers cannot pass more than 4 ipsec tunnels to the same ip address, so I wouldn't even try.  The Remote AP was designed around having a single AP at a site.  Whatever you are doing might work today with a few access points, but would not scale to 100 because it wasn't designed or tested for that.  EDIT: and no we cannot guarantee that everything works in that setup because it has not been tested through customer use regularly.  You could run into issues unforseen and make things difficult..  Or think could be okay...  Who knows?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Nov 14, 2022 09:02 AM
From: Koen V
Subject: roaming on remote AP

So.. due to some other issues I am considering migrating a CAP setup with a few 100 APs to RAP.
I am thinking that since we will be running the RAPs in tunneled mode the controller has all the info and support should be pretty much identical to the CAP setup, right?

Can someone confirm proper roaming (.11r, OKC, PMKID caching, client match, ...) for users connected to RAPs from the same controller cluster will work as I expect? Without issue that is?

So we either convert our AP-305 (non-IAP and non-UAP) to IAPs through an unsupported -and non-reversible as i understand it- method or use unsupported RAPs.
Sigh.. neither looks too great to be honest.
Original Message:
Sent: Nov 14, 2022 11:40 AM
From: Colin Joseph
Subject: roaming on remote AP

You would get better performance by running all of those access points as Iaps and tunneling the traffic back to the controller using IAP-VPN.  Also, some routers cannot pass more than 4 ipsec tunnels to the same ip address, so I wouldn't even try.  The Remote AP was designed around having a single AP at a site.  Whatever you are doing might work today with a few access points, but would not scale to 100 because it wasn't designed or tested for that.  EDIT: and no we cannot guarantee that everything works in that setup because it has not been tested through customer use regularly.  You could run into issues unforseen and make things difficult..  Or think could be okay...  Who knows?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Nov 14, 2022 09:02 AM
From: Koen V
Subject: roaming on remote AP

So.. due to some other issues I am considering migrating a CAP setup with a few 100 APs to RAP.
I am thinking that since we will be running the RAPs in tunneled mode the controller has all the info and support should be pretty much identical to the CAP setup, right?

Can someone confirm proper roaming (.11r, OKC, PMKID caching, client match, ...) for users connected to RAPs from the same controller cluster will work as I expect? Without issue that is?

We first need to figure out why you are doing what you plan to do first.  There could be other better options. 

Converting to an IAP is reversible for AP-305s.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Nov 14, 2022 11:58 AM
From: Koen V
Subject: roaming on remote AP

So we either convert our AP-305 (non-IAP and non-UAP) to IAPs through an unsupported -and non-reversible as i understand it- method or use unsupported RAPs.
Sigh.. neither looks too great to be honest.
Original Message:
Sent: Nov 14, 2022 11:40 AM
From: Colin Joseph
Subject: roaming on remote AP

You would get better performance by running all of those access points as Iaps and tunneling the traffic back to the controller using IAP-VPN.  Also, some routers cannot pass more than 4 ipsec tunnels to the same ip address, so I wouldn't even try.  The Remote AP was designed around having a single AP at a site.  Whatever you are doing might work today with a few access points, but would not scale to 100 because it wasn't designed or tested for that.  EDIT: and no we cannot guarantee that everything works in that setup because it has not been tested through customer use regularly.  You could run into issues unforseen and make things difficult..  Or think could be okay...  Who knows?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Nov 14, 2022 09:02 AM
From: Koen V
Subject: roaming on remote AP

So.. due to some other issues I am considering migrating a CAP setup with a few 100 APs to RAP.
I am thinking that since we will be running the RAPs in tunneled mode the controller has all the info and support should be pretty much identical to the CAP setup, right?

Can someone confirm proper roaming (.11r, OKC, PMKID caching, client match, ...) for users connected to RAPs from the same controller cluster will work as I expect? Without issue that is?

Simply because using default GRE tunnels are giving us very bad client download speeds (like 10% of what should be possible.
Testing with RAP, bridged mode and wired does not give any issues.
Mind you not all sites (with GRE tunnels to the same VMC's and connected to the same MPLS) exhibit this issue.

On top of that, the most likely culprits  are in a DC where getting access to take pcap sis taking weeks if at all possible. The only FW in play is also situated in that DC and is managed by 3rd party, so no visibility on settings or config other than than rule set. 

And since the customer is nog willing to spend more time investigating or even pressuring FW guys, we need 'a' solution that doesn't use GRE.
RAPs would allow us to make the switch very easily.
Original Message:
Sent: Nov 14, 2022 12:12 PM
From: Colin Joseph
Subject: roaming on remote AP

We first need to figure out why you are doing what you plan to do first.  There could be other better options.

Converting to an IAP is reversible for AP-305s.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Nov 14, 2022 11:58 AM
From: Koen V
Subject: roaming on remote AP

So we either convert our AP-305 (non-IAP and non-UAP) to IAPs through an unsupported -and non-reversible as i understand it- method or use unsupported RAPs.
Sigh.. neither looks too great to be honest.
Original Message:
Sent: Nov 14, 2022 11:40 AM
From: Colin Joseph
Subject: roaming on remote AP

You would get better performance by running all of those access points as Iaps and tunneling the traffic back to the controller using IAP-VPN.  Also, some routers cannot pass more than 4 ipsec tunnels to the same ip address, so I wouldn't even try.  The Remote AP was designed around having a single AP at a site.  Whatever you are doing might work today with a few access points, but would not scale to 100 because it wasn't designed or tested for that.  EDIT: and no we cannot guarantee that everything works in that setup because it has not been tested through customer use regularly.  You could run into issues unforseen and make things difficult..  Or think could be okay...  Who knows?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Nov 14, 2022 09:02 AM
From: Koen V
Subject: roaming on remote AP

So.. due to some other issues I am considering migrating a CAP setup with a few 100 APs to RAP.
I am thinking that since we will be running the RAPs in tunneled mode the controller has all the info and support should be pretty much identical to the CAP setup, right?

Can someone confirm proper roaming (.11r, OKC, PMKID caching, client match, ...) for users connected to RAPs from the same controller cluster will work as I expect? Without issue that is?

On the face of it, you can use brushed  EDIT: bridge mode with a campus AP as long as you are using Cpsec

We have seen situations where WAN accelerators or IDS boxes inspect GRE and either do not help or decrease the performance.  Bridging the traffic could help.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Nov 16, 2022 03:53 AM
From: Koen V
Subject: roaming on remote AP

Simply because using default GRE tunnels are giving us very bad client download speeds (like 10% of what should be possible.
Testing with RAP, bridged mode and wired does not give any issues.
Mind you not all sites (with GRE tunnels to the same VMC's and connected to the same MPLS) exhibit this issue.

On top of that, the most likely culprits  are in a DC where getting access to take pcap sis taking weeks if at all possible. The only FW in play is also situated in that DC and is managed by 3rd party, so no visibility on settings or config other than than rule set.

And since the customer is nog willing to spend more time investigating or even pressuring FW guys, we need 'a' solution that doesn't use GRE.
RAPs would allow us to make the switch very easily.
Original Message:
Sent: Nov 14, 2022 12:12 PM
From: Colin Joseph
Subject: roaming on remote AP

We first need to figure out why you are doing what you plan to do first.  There could be other better options.

Converting to an IAP is reversible for AP-305s.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Nov 14, 2022 11:58 AM
From: Koen V
Subject: roaming on remote AP

So we either convert our AP-305 (non-IAP and non-UAP) to IAPs through an unsupported -and non-reversible as i understand it- method or use unsupported RAPs.
Sigh.. neither looks too great to be honest.
Original Message:
Sent: Nov 14, 2022 11:40 AM
From: Colin Joseph
Subject: roaming on remote AP

You would get better performance by running all of those access points as Iaps and tunneling the traffic back to the controller using IAP-VPN.  Also, some routers cannot pass more than 4 ipsec tunnels to the same ip address, so I wouldn't even try.  The Remote AP was designed around having a single AP at a site.  Whatever you are doing might work today with a few access points, but would not scale to 100 because it wasn't designed or tested for that.  EDIT: and no we cannot guarantee that everything works in that setup because it has not been tested through customer use regularly.  You could run into issues unforseen and make things difficult..  Or think could be okay...  Who knows?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Nov 14, 2022 09:02 AM
From: Koen V
Subject: roaming on remote AP

So.. due to some other issues I am considering migrating a CAP setup with a few 100 APs to RAP.
I am thinking that since we will be running the RAPs in tunneled mode the controller has all the info and support should be pretty much identical to the CAP setup, right?

Can someone confirm proper roaming (.11r, OKC, PMKID caching, client match, ...) for users connected to RAPs from the same controller cluster will work as I expect? Without issue that is?