Occasional Contributor I

Can I deploy AP across existing VPN link?

OK.
We have recently rolled out Aruba wireless on our main campus. Now it's time to put APs at our remote offices. These offices are connected by VPN, and each is on its own subnet. I would like to put an AP at a remote site and let it connect back to the controller through that existing VPN and provide connectivity to users on the existing subnet.
My questions are: Do I need RAP licenses? I have read through the VBN document and that doesn't seem to apply because of our VPN. Would I have to create a new SSID for each of the remote sites since they are on separate subnets? Has anyone seen documentation for this type of setup?
Aruba Employee

Can I deploy AP across existing VPN link?

If your APs are going over a pre-existing VPN link then you'll most likely need to
set/adjust the MTU that the AP uses for the GRE tunnels. This is in the
system-profile of the AP. Since the overall VPN link is using a lower
MTU, the AP should be set a little lower. I've seen MTU discovery not
work over VPN links, so this is the reason to manually set it. But you
should test it to see if you need to do this at all, I think.

If you're going to set these APs as "RemoteAPs", then they'll use an MTU
of 1300.
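
One way to run the test suggested in the post above, as an added example that is not part of the original thread: a binary search for the largest IPv4 packet that crosses the VPN with the don't-fragment bit set. It assumes a Linux host at the remote site with iputils `ping`; the function names and the simulated link value are constructed for illustration.

```python
import subprocess
import sys

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_probe(host):
    """Build probe(packet_size) -> bool using iputils ping with DF set (-M do)."""
    def probe(packet_size):
        payload = packet_size - IP_ICMP_HEADERS
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        # A non-zero exit means no reply: too big for the path, or simply lost.
        return result.returncode == 0
    return probe


def largest_unfragmented(probe, low=576, high=1500):
    """Return the largest packet size in [low, high] that probe() accepts.

    Returns None when even `low` fails (host unreachable or ICMP filtered).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits, search above it
        else:
            high = mid - 1   # mid is too large, search below it
    return low


def simulated_link(path_mtu):
    """Constructed stand-in for a VPN path, so the search can run offline."""
    return lambda packet_size: packet_size <= path_mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real measurement: pass the controller IP as the first argument.
        print(largest_unfragmented(ping_probe(sys.argv[1])))
    else:
        # Offline demo against a constructed path MTU of 1438 bytes.
        print(largest_unfragmented(simulated_link(1438)))
```

A result below 1500 means the VPN reduces the usable packet size on that path; on a lossy link, repeat the run, since a dropped probe is counted as "too large".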
Aruba Employee

Campus AP across VPN link


Adding to what bjwhite said, if the VPN is such that controller IP is reachable via the link, then you would not need RAP licenses or VPN licenses. You would only need standard campus AP licenses. Just make sure your MTU issues are taken care of.

As far as the SSIDs, you can use the existing ones, but remember that from a campus AP perspective, all traffic will be tunnelled back to the controller. Any wireless traffic destined for local servers, printers, clients, voice gateways, etc, will be sent to the controller, decrypted and sent back to the site where the client lives. The reply for that packet would then be sent back to the controller, encrypted and forwarded to the originating AP. This may result in added traffic over the WAN link.

If you have significant local traffic at your remote sites, you may want to consider a small (600 series) controller at each site (depending on the number of APs per site) OR setting up Remote APs (RAPs) at the remote sites so that you can bridge local traffic and avoid the WAN utilization.
Contributor II

Deploying AP over VPN Link

Other than "MTU" is there anything that I should be concerned with? How about TFTP of the image after a code upgrade? Will TFTP be an issue? We have 1Mb links to 125 sites. They have no 'local' traffic so split tunneling isn't needed. If I don't need RAP for an IPSEC tunnel and don't need it for split-tunnel do I need it for anything else?