
Instant clusters to Aruba controller IPSEC tunnels

  • 1.  Instant clusters to Aruba controller IPSEC tunnels

    Posted Jan 28, 2014 04:03 AM

    hello Airheads,

    we have a customer who wants to roll out Instant clusters to their retail stores (between 3 and 10 IAPs per store).

    They would like to push their guests down IPSEC tunnels from the cluster and terminate on centrally located Aruba controllers (3600s). Question is how many IPSEC tunnels can the 3600 terminate from an Instant cluster (terminating on the VIP of the cluster)?

    cheers

    Pete

     


    #3600


  • 2.  RE: Instant clusters to Aruba controller IPSEC tunnels

    Posted Jan 28, 2014 04:16 AM

    I know this isn't what you asked, but wouldn't it be easier for you/them to use RAPs? Or rather a good indoor AP model in RAP mode?

     

    Granted you'd need the controller licenses, but the result would be slicker?



  • 3.  RE: Instant clusters to Aruba controller IPSEC tunnels

    Posted Jan 28, 2014 04:40 AM

    Absolutely my friend.

    We are proposing two solutions.

    1. RAPs to Aruba controllers.

    2. Instant clusters to Aruba controllers

     

    Like you we prefer the first solution but as cost (as always) may become an issue we are intending to propose solution 2 as well.

    cheers

    Pete

     

     



  • 4.  RE: Instant clusters to Aruba controller IPSEC tunnels

    EMPLOYEE
    Posted Jan 28, 2014 05:27 AM

    Pete_Elms,

     

    The second solution is by far the most flexible and resilient.  Any access point that you want to deploy with solution 1 has an IAP equivalent in solution 2.  In addition, the IAP-VPN setup only requires one VPN tunnel per site back to the controller vs. Remote APs, which require an IPSEC tunnel for each access point.

     

    To answer your initial question, please see the document here:  http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/IAP%20VPN%20Support/Overview.htm



  • 5.  RE: Instant clusters to Aruba controller IPSEC tunnels

    Posted Jan 28, 2014 05:52 AM

    That's our feeling as well.

    Appreciate the feedback.

    thanks Pete

     



  • 6.  RE: Instant clusters to Aruba controller IPSEC tunnels

    Posted Jan 28, 2014 06:47 AM

    I personally would want the RAP solution. But that's just personal preference.



  • 7.  RE: Instant clusters to Aruba controller IPSEC tunnels

    EMPLOYEE
    Posted Jan 28, 2014 08:21 AM

    Michael_Clarke,

     

    Please say why you prefer it so that Pete can make an informed decision.



  • 8.  RE: Instant clusters to Aruba controller IPSEC tunnels

    Posted Jan 28, 2014 11:21 AM

    CJ, I guess you mean me and not MC? Can't see a post from him.

     

    It's a bit like plumbing isn't it really? Personal preference. All things being fairly equal to the customer of course?

     

    Happy to be challenged, but I guess my initial thoughts are...

     

    1. RAPs tend to be a bit easier to tear up/down/reset in my experience when troubleshooting (retail tends to move around a bit).

    2. Split tunnel options with RAPs (maybe we can do this now on instants?).

    3. No Airwave or other monitoring was mentioned. So with RAPs, operational state is a bit clearer?

    4. 3G backup options with RAPs.

    5. More granular, easier administrative revoking of RAPs that get stolen?

     

    That sort of thing. Am I wrong?

     



  • 9.  RE: Instant clusters to Aruba controller IPSEC tunnels

    EMPLOYEE
    Posted Jan 28, 2014 01:35 PM

    The racking money,

     

    Yes I do mean you, sorry.

     

    1.  Good Point

    2.  Instants do have traffic and DNS split tunnel options

    3.  You can monitor users and IAPs with Airwave

    4.  You can use 3G/4G backup with instants that have a USB port for that purpose

    5.  You can certainly revoke an instant's MAC address.

     

    Please stay tuned for an IAP-VPN configuration guide that is coming out shortly.



  • 10.  RE: Instant clusters to Aruba controller IPSEC tunnels

    Posted Jan 28, 2014 01:44 PM

    I've been messing with iAP to Controller tunnelling and so far:

     

    1. I can't speak to this, never used a RAP

    2. Splitting is easy enough, the documentation doesn't quite match what I see, but it works fine.

    3. Again can't speak to RAPs, but with and without Airwave the iAP operational state is pretty easy to tell, just a different method from controller based connections.

    4. I believe there are iAP with 3G and 4G backup methods - given all the setup pages for it in the GUI (I haven't got those models)

    5. Revocation of the iAP is easy at the Virtual Controller (cluster membership) and at the Controller (VPN/Tunnel connection).

     

    It's probably much more a matter of familiarity than of technology at this stage. Do what's comfortable if it delivers everything you need, start heading up the learning curve if you need more/different functionality.



  • 11.  RE: Instant clusters to Aruba controller IPSEC tunnels

    EMPLOYEE
    Posted Jan 28, 2014 02:00 PM

    msabin,

     

    Thank you for your comments.  Honest conversation allows us to understand what best serves our customers, and to make changes where it doesn't.

     



  • 12.  RE: Instant clusters to Aruba controller IPSEC tunnels

    Posted Jan 29, 2014 11:22 AM

    You also have to keep in mind that ARM in RAP mode is not going to either work or be optimal for this type of deployment and you will run into issues at some point. Yes, they will all IPSEC tunnel back to the same controller but there is no local controller in place for these APs that will let them speak to each other and bounce "ideas" off each other so to speak, they will interfere with each other (based on my experience).

     

    EDIT: Roaming between APs will not work in RAP mode as well, assoc/disassoc will likely occur

     

    RAPs were designed for telecommuting purposes and/or single AP deployments for a small remote branch office.

     

    For ARM to work effectively and properly, you either go with:

    1) IAP clusters

    2) Local controller on site (convert APs to CAPs) and have a tunnel between the local and the master. $$

     

    The logical solution here IMO is to propose IAPs and if ever you want to go controller based, you can (convert the IAPs to CAPs or RAPs).

     

    It is not only ease of management and deployment you have to look at, but also how that deployment will behave once installed.



  • 13.  RE: Instant clusters to Aruba controller IPSEC tunnels

    Posted Jan 31, 2014 03:09 AM

    Fair point about the ARM. However, I've done a few big retailers now, and none of them wanted ARM at all. They very rarely have the business resource to support this feature. Maybe somebody has worked with a retailer who worked differently? Note I'm talking about a retailer with small sites (1 or 2 RAPs max). Big site retailers should of course be handled differently.

     

    I'd suggest, Pete, you really delve deep into the customer's desires and primary concerns.

     

    Cheers.

     



  • 14.  RE: Instant clusters to Aruba controller IPSEC tunnels

    Posted Jan 31, 2014 09:37 AM

    How do you handle interference?

     

    One of our big retail shops (major coffee chain), wouldn't be able to function without ARM.

     

    It really does depend on what the customer's concerns and needs are.