Network Management

Hi guys, we currently deploy in each remote office 2 controllers, when we configure those 2 controllers we configure them as with master-redundancy so the config between them is replicated and also we  configure ha fast-failover for APs. Now i really want to move the "master" role from each remote office the a central localtion (datacenter) and just push configs to the local controllers. Now, my question is... All config that is in the master controller will be pushed to ALL local controllers regardless if that remote office doesn't need a part of the config? So for example 1 config will have all the ha group-profiles on their running config and then i need to assign that specific site as member of its ha group?

There is no way of just push a specific part of the config to specific sites??? Is it all or nothing?

Locals get their entire global configuration from the master.  There is no selective push....

so my next and probably last questions are,i mean i am kind of tired of doing the config on the remotes office i really prefer to push the configs from a master controller

what design is more scalable and easy to mantain?

How will the master/local design works with a deployment with 200 remotes offices? 

I wonder what model big deployment with a central datacenter and hundreds of remote offices prefer.

thanks for your input

It depends on how complicated your local office configuration is...

If you have the same 2 SSIDs at all of your sites, you can use VLAN names for your global configuration.  Your virtual AP would have VLAN name "staff" for example and the staff vlan would be defined locally on each branch controller.  That is an overview of the simplest way to do it.

What are you doing at each branch?

well, we have a couple of different scenarios

1. Offices that tunnels all traffic back to a DMZ controller

2. offices with local internet circuits

3. offices with "non standard" ssid

so all SSIDs are 90% of the time the same "corp" "guest" "byodevice" , user-roles are named the same, we have CPPM for captive portal. I think I am worried about all sites having all configs from all other sites so even if a site don't need an ssid it will still be on the running-config.

An SSID is only broadcast if there is a virtual AP in its ap-group.  The global configuration can call for a single ap-group that only has the SSIDs for 90% of your sites.  There can be other ap-groups, that are more specific and part of the global configuration.  Only those sites with that requirement will have access points provisioned in those ap-groups.  You typically start out general and make specifics for the exceptions.  VPN connections are not part of the global configuration and normally are configured point to point.  VLAN numbers and routing is not part of the global configuration and is configured locally on each controller.  The trunks that are on interfaces, what vlans interfaces are in , and the timezone on a controller are local configurations.

I agree, to be honest it is not about the functionality i am worried about, i know i will only add the virtual ap with the ssid profile to the ap-group i need for that specific side, i am more worried about sites that don't need a piece of the config will still show them on the running config making a little bit confusing the troubleshooting part of our jobs.

I guess it would come down to style and approach in terms of troubleshooting.  If an AP is not in an ap-group, the configuration will not be applied.  You would skip to the section (ap-group) that applies to that ap-group to start your troubleshooting, and nothing else, really...

ok, now i am evaluating airwave to push configs to the wireless controllers. I know it is for much more than that but i guess it will help me to do what i am looking to do, push different configs to different devices.

Take a look at the Airwave controller configuration guide:

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=23731

The Airwave configuration for the controller is a different paradigm and generally needs some lab time to get up to speed with it.

thank you sir, I already requested a eval license and going to setup a lab to test a couple of things. I appreaciate all your answers.