Controllerless Networks


Controller VPN concentrator + locals Master

  • 1.  Controller VPN concentrator + locals Master

    Posted Jul 23, 2016 05:22 PM

    Hello,

    I have some questions:

    1- Is it possible to configure a Master as a VPN concentrator for different Instant VPN connections and also have it serve local controllers?

    2- I'm choosing it by looking at the maximum VPN tunnels possible + maximum APs (where only the ones connected to the locals count, not the Instants through VPN). Is this correct?

    3- If the locals connect through VPN, do they need a PEFV license?

    4- Can the master used for the termination of VPNs also take any action on Instant traffic, or is it only the VPN termination?

     

    Thanks!



  • 2.  RE: Controller VPN concentrator + locals Master

    EMPLOYEE
    Posted Jul 23, 2016 09:17 PM
    1. Yes.
    2. ALL VPN tunnels count.
    3. Only devices terminating VIA clients need the pefv license. Any other VPN is included in the case license.
    4. It can do both.


  • 3.  RE: Controller VPN concentrator + locals Master

    Posted Jul 24, 2016 01:55 PM

    OK,

    So this changes the pricing interestingly. I thought the Instants needed a PEFV license on the master centralized controller for VPN termination. In that case:

    1- I won't need any PEFV license. For an Instant-only distributed architecture connected through VPN to a centralized master for authentication to a AAA server, will I only need 1 PEFNG license and 1 AP license on the master?

    2- In case a site has more than 2048 users and wants to purchase a local controller instead of a cluster, would it be necessary to purchase the AP licenses for those APs on that local controller, as well as the PEFNG, right?

    3- When you say all VPNs count: for example, if I had 10 Instant cluster sites with 8 APs each and 5 local-controller-based sites with 50 APs each (just to create numbers), then I would have only 10 VPNs for the VCs and 5 IPsec tunnels for the locals, right? And the master has to be able to handle 250 APs? Is this the correct way to size the controller?

     

    Thanks!



  • 4.  RE: Controller VPN concentrator + locals Master
    Best Answer

    EMPLOYEE
    Posted Jul 24, 2016 02:10 PM

    1.  Correct

    2.  Correct

    3. Yes.  You should contact your local Aruba Sales contact to help you with a design, to double-check that your strategy is feasible, however.

     



  • 5.  RE: Controller VPN concentrator + locals Master

    Posted Jul 24, 2016 02:18 PM

    Thanks!! I am working with a local Aruba sales person, but they do not have such deep technical knowledge of designs. Some specific questions are sometimes faster here, and I trust them more :)



  • 6.  RE: Controller VPN concentrator + locals Master

    EMPLOYEE
    Posted Jul 24, 2016 02:21 PM

    Well, ask your questions here and there to come up with the best solution.  Some designs are very unique, so not everyone has all of the answers.  The more input you can get, the better the solution.



  • 7.  RE: Controller VPN concentrator + locals Master

    Posted Jul 24, 2016 02:42 PM

    That's correct. Thanks for your help! :)

     

    If I may, and you don't mind, I can describe the design in a bit more detail. Maybe you can give me another perspective. 

     

    It is a design for a virtual cellular provider that has many clients who are part of the group. Each client has its site with its APs and should manage and monitor them. Users need to authenticate through EAP-SIM in the central location where the gateway is located. This is done through an SSID for that purpose, and then there is a second SSID for visitors. This other SSID is intended for guests and should have an SSID, if possible a different one for each client. 

     

    There are two architectures proposed. An Instant-based architecture is designed with a central controller for VPN termination of each Instant cluster. The VPN would carry only auth traffic and voice to the carrier, leaving the rest local. 

    The Master-Local architecture should work in the same way, but probably without needing VPN, just normal IPsec tunnels to the master. 

     

    AirWave is also in the design, and for the Instants Aruba Central is offered too. 

     

    I have to point out the pros and cons of each. I can mention many points for the Instant distributed architecture, but I need to know what the pros of the master-local architecture are.

    Pros of instant:

    - Full Redundancy with no extra cost

    - Firewall without pefng license

    - No License for APs on the sites

    - More scalability

    - Easier deployment

    - Smaller hardware on the Master? (being only a termination point for VPN tunnels)

     

    What pros does the other architecture have? 

    Another question they ask is to give a proposal for centralized "policy enforcement" apart from the distributed one. They use "policy enforcement" to mean the component responsible for redirecting clients to a captive portal, establishing sessions for each user, applying bandwidth control, etc. This would be the controller function when not using another RADIUS. I thought this could be done in the master-local architecture, but I see no pros in this, if we can set up all the policies on AirWave and push them to the locals to be applied by them. Maybe only in case they need to authenticate against an internal database that should be common for all sites?

     

    Thanks



  • 8.  RE: Controller VPN concentrator + locals Master

    EMPLOYEE
    Posted Jul 24, 2016 03:41 PM

    Instant is mainly for the distributed enterprise, where you would end up putting an access point on a trunk.  You would also avoid putting a controller at all of those locations.  In the centralized or campus enterprise, you would want to tunnel all traffic back to a controller, so that you would only configure a trunk connected to the controller.  If you had 1000 access points on a campus, you would not want to configure trunks on all of those access points.  Using a controller would allow access points to be on any access port, as long as the traffic goes back to the controller.  That is the most fundamental difference in the architectures.