Controllerless Networks

Hallo, is there any Document available where i an see the Differences on the Feature Set between a IAP and a Controller based Solution?

 

Thank you and best Regards 

Hi,

**LOOK ON THE PDF ATTACHED TO THIS POST-ISNT UPDATED SO MUCH - BUT WILL GIVE U SOME CLUE**

 

IAP is close to a contoller in capabilities but is not eqaul. Depending on your deployment requirements you might need one or the other. Currently these are some of the features that are available in a controller but not on an IAP. 

 

(off the top of my head)

Spectrum analysis

L3 roaming

DHCP fingerprinting

VIA and VPN client termination

Site-Site VPN

 

This may change in the future.

 

Normally if customer is looking at security features we would go for the controller base as it comes with PEFNG and RFP etc and support RAP at the end of the day. As for roaming is L2 versus L2 + L3.

 

Besides some feature difference, also consider the following.

 

A controller simplifies VLANs at the edge.  You do not have to worry about deploying VLANs. 

A controller will manage both your wired and wireless Aruba network.   All clients, wired and wireless, have the same policy.

A controller provide remote functionality such as VPN and Remote APs to extend your network.

 

Aruba Instant will scale, now beyond 16APs, but are limited to a L2 subnet.  Using basic network architecture rules, A class C subnet is 256 users.  It's best to keep a subnet to that limit.  For a Class B flat network, while IAP and Controllers will both manage much more than 256 users, you should be careful.  Large L2 subnets create a lot of chatter and the network can and will have issues.

 

ALSO CONTROLLER WILL GIVE YOU:

 

-an option for HSPA+ backhaul

- flexibility to use the multiple ports as 'legs' into different networks (e.g. admin, guest, internal).

- Assuming you are already trained in Aruba OS (AOS) then == zero learning curve

 

If you are trying to make this site 'look like' other corporate sites (say HQ) then I would go controller, and do master--local.   If on the other hand its a one-off site and never needs/wants to be in sync with other sites than Instant (IMHO) is a good candidate, if you don't need any of the 650 additions that have been mentioned in this thread already.

 

Hope this info helpd u

Bump. Is there any updates to this document. There have been a lot of enhancements & changes to the Instant platform. It would be great to see a document that explains ALL of the comparisons betwen Instant & Controller-based wireless.

 

---

@kdisc98 wrote:

.

.

.

Normally if customer is looking at security features we would go for the controller base as it comes with PEFNG and RFP etc and support RAP at the end of the day. As for roaming is L2 versus L2 + L3.

 

Besides some feature difference, also consider the following.

 

A controller provide remote functionality such as VPN and Remote APs to extend your network.

 

 

---

This part concerns me. I'd like to confirm whether or not there are any site-to-site or VPN capabilities in the new version of Instant.

Yes, VPN capabilities exist for the purpose of connecting the branch office running an IAP to a controller at your home office.

 

See details here: http://www.arubanetworks.com/techdocs/Instant_40_WebHelp/InstantWebHelp.htm#UG_files/VPN_Conf/Plan VPNl.htm%3FTocPath%3DVPN%20Configuration%7C_____1

VPN termination is possible between an IAP and an Aruba controller.  This has been around since IAP 3.2 and AOS 6.2.  You cannot do VPN between IAPs.

kdisc98,

 

Coming back to this.. The PDF you attached is great.  But old.. wondering if there is an update.

Anything official from Aruba with the comparison.

 

Also, I notice when pulling up the Instant OS UG versus Aruba OS UG (i.e. from a Mobility Controller) there is a ton of difference..I.e. Virtual AP groups in Aruba OS, but not Instant OS.. to name just one...

hi,

 

is there anything official from Aruba with a detailed comparison available - maybe also with covering when using Branch Controller as well?

 

greets

 

Nothing official that I've seen. I would suggest contacting your local SE who could do a detailed review of the different solutions available for your environment.

They both change quite often.  The IAP is very robust and seems to do most of what a controller based solution would do.  I would suggest deciding based on the limitation of the IAP solution. Things such as max IAP's, max users supported, whether you have airwave to centrally manage pods of IAP's, etc.

 

Take a look in my POST (I attached a small PDF - isnt so updated , but will give u some idea)

 

Me.

The VPN I'm referring to is a user VPN via IPSEC to the controller.

If you are referring to the VIA Client that is a controller-based feature only.

No VIA. Just using a Cisco IPSEC VPN client.

 

Speaking of which...does Aruba even develope VIA any longer?

VIA is an active Aruba product under the PEFV license and does receive updates.

Sorry for slow response. I was referring to IPSEC VPN from a PC or mobile device to the controller itself. We have other locations where an iPhone or iPad does IPSEC VPN to the controller for remote access. Is that possible in the IAP?

IAP's have a full firewall like the aruba controller. You can allow VPN as you would normally.

 

The only VPN limitation in instant refers to the ability for the actual IAP's to create a VPN to a central Aruba Controller to access central resources. A VPN client on any of the client devices would function as normal.

To be clear, I'm NOT talking about VPN from a client to another device in the network. I'm talking about a client (iPhone/iPad, Android, Windows...etc) initiating an IPSEC VPN tunnel that terminates ON THE IAP (Controller). I can do this currently to a physical Aruba controller. I just need to make sure the same functionality exists on an IAP virtual controller.

No, the only client VPN product Aruba develops is VIA, which is only available in the controller. IAP's have no capability to terminate client VPNs on the IAP VC (IE, no VPN server runs on the VC).

Thanks for confirming. I appreciate it. 

Do you have resources regarding in-depth/detailed differences of IAP vs. AP/CAP specifically in terms of SECURITY and AUTHENTICATION features? I only see old documentation on this about year 2014*.

 

Thanks!