Controllerless Networks

Good morning,

We currently have our second office in London deployed with 12 IAP's (AP 105) on an instant controller, we want to move these onto the master controller at our main office, but to pick up the local VLAN's in London for user traffic. In between this we have a firewalled private WAN.

It is my understanding that we do not require RAP's for this as there is no need for the IPSEC tunnel, and that Campus AP's in bridge-mode will work. Can I please confirm this, and also, are there limitations to the amount of AP's which can be deployed in this manner?

Thanks in advance.

Darren

What country is your master controller in?

How many SSIDs or services are you providing on your current instants?

If there is a firewall, it will not work if there is a NAT boundary between your Campus APs and the controller.  In addition if you are running in Campus Mode there are a number of firewall ports that would need to be opened to support those APs.

Hi Colin,

Everything is in the UK.

There is no NAT boundary between the remote office and the office where the Master is, it is all on our corporate MPLS, there shouldn't be any issues regarding firewall rules neither, we have full control over this.

We are currently providing 4x SSID's on the instants, some of which already authenticate with Radius servers back at the main office. We would like to move the London AP's onto the master controller for control, monitoring and authentication only, but users will pick up their respective VLAN from the local switch.

Thanks

You can do this if:

- You have Control Plane Security enabled on your controller

- Open Ports on your firewall:  https://arubanetworkskb.secure.force.com/pkb/articles/Troubleshooting/R-1205" target="_blank" rel="nofollow noopener noreferrer">https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-63 https://arubanetworkskb.secure.force.com/pkb/articles/Troubleshooting/R-1205

- Configure the physical switches that the access points are on as trunks if you want to put users in multiple VLANs

- Captive Portal traffic must be tunneled back to the controller, because Captive Portal is not supported on bridged SSIDs.

Those are the high-level requirements.  There are certainly more details that need to be worked out.

Thanks,

Yes, there certainly are more details to be worked out, I just wanted to ensure I am heading in the right direction, I intend to convert one of the 105's onto the controller and test from there.

As yet we have no captive portal in the company.

I read somewhere that the 105 series AP's do not need control-plane as they have a bespoke cert in built, is this correct?

One more question, is there a limit on the number of campus AP's at a remote site?

If you are doing bridging with Campus APs, you need to have control plane security enabled; that is a requirement.

There is no practical limit to the number of Campus APs at a site.