How to migrate a Campus-AP to Remote-AP ?

  • 1.  How to migrate a Campus-AP to Remote-AP ?

    Posted Jun 05, 2019 09:28 AM

    Dear Arubers,

     

    I have already deployed many "Campus AP" with "tunnel" forward mode.

    For new needs, I will have to add "bridge" forward mode in a new Virtual-AP profile.

     

    I am thinking of migrating each access point to "remote" mode. Unfortunately, I have not yet seen a clear procedure to do this easily.

    So, could you help me on this subject ? :)

     

    My few questions are the following :

    - How to configure the LAN port of the AP ? Should I just fill the native VLAN with the VLAN ID currently used by each GRE tunnel?

    - On the switch port, should I add support for 802.1q tags with this same native VLAN and VLANs which stay locally on site?

     

    Then, for the rest of the configuration, can I follow the instructions of the following link?

    https://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Content/ArubaFrameStyles/Remote_AP/Configuring_the_Secure_R.htm

     

    My last question is :

    Can I leave the field "Master Switch IP Address/DNS name" empty with only the aruba-master value for the "DNS-Name" ?

     

    Thanks a lot for your help.



  • 2.  RE: How to migrate a Campus-AP to Remote-AP ?

    EMPLOYEE
    Posted Jun 05, 2019 12:08 PM

    For Bridged mode, you would only need CPSEC to be enabled.  You would not need to configure an AP as a remote AP.

     

    If you want bridged clients to be on the same VLAN as the AP, you would just make the Virtual AP VLAN 1 (which matches the VLAN in the AP system profile).  Making it anything but 1 will tag the user traffic before it gets sent out the AP Ethernet port, which means you would need that VLAN to be trunked to the AP.

     

    You can ignore all of the other things about remote APs, because you don't need a remote AP for the forward mode to be bridge.

     

     



  • 3.  RE: How to migrate a Campus-AP to Remote-AP ?

    Posted Jun 06, 2019 04:18 AM

    Thanks for your answer.

     

    I wanted "remote" AP to avoid CPSec management, which seems to be heavier to manage.

    Moreover, I wanted to make use of IPSec encryption, including for data traffic.
    Is it not an interesting solution?

     

    I don't want clients on the same VLAN as the AP, so I understood I have to configure a "trunk" port on the LAN switch.



  • 4.  RE: How to migrate a Campus-AP to Remote-AP ?

    EMPLOYEE
    Posted Jun 06, 2019 07:14 AM

    CPSEC is not harder to manage:  you just turn it on auto.  For Remote APs, you have to create an ipsec pool for access points and enter their mac addresses manually, so it requires more management overhead.

     

    If you don't want clients on the same vlan as the AP, you can still have tunnel, but trunk your client VLAN to the controller and change the VLAN ID in the Virtual AP to that VLAN.  You don't need CPSEC or Remote AP configuration for that.

     

    Turning on CPSEC encrypts the management traffic on the wired network.  Using remote AP encrypts all the traffic on the wired network, but requires management complexity.  If you wanted encryption, you should just do encryption on the SSID.
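
Added example, not part of the original thread and not posted by either participant: an ArubaOS 6.x controller configuration sketch for the setup discussed above, with CPSEC auto-provisioning limited to an AP address range instead of allow-all, and a bridge-mode Virtual AP on a tagged VLAN. The profile names, AP group name, VLAN ID and address range are constructed placeholders, and the SSID and AAA profiles are assumed to exist already.

```text
! --- Control plane security (required for bridge forward mode on campus APs) ---
control-plane-security
   cpsec-enable
   ! Provision AP certificates automatically ...
   auto-cert-prov
   ! ... but only for APs in a known address range, not for every AP
   ! that reaches the controller (placeholder range, adjust to the AP subnet)
   no auto-cert-allow-all
   auto-cert-allowed-addrs 10.10.20.10 10.10.20.50
!
! --- New Virtual AP that bridges client traffic locally at the AP ---
wlan virtual-ap "site-local-vap"
   ! Existing profiles, assumed to be defined elsewhere (placeholder names)
   ssid-profile "site-local-ssid"
   aaa-profile "site-local-aaa"
   forward-mode bridge
   ! Any VLAN other than 1 leaves the AP Ethernet port tagged, so the
   ! access switch port must carry VLAN 30 as a tagged VLAN, with the
   ! AP's own VLAN untagged (native)
   vlan 30
!
! --- Attach it next to the existing tunnel-mode Virtual APs ---
ap-group "site-aps"
   virtual-ap "site-local-vap"
!
```

With the range in place, an AP whose address falls outside it is not certified automatically and has to be approved in the campus AP whitelist before it can use the secure control channel.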



  • 5.  RE: How to migrate a Campus-AP to Remote-AP ?

    Posted Jun 06, 2019 08:28 AM

    I already configured some « Virtual-AP » with different VLAN ID ;)

     

    Rightly, my new need is to add a local VLAN - so a new bridge forward mode « Virtual-AP » - to the current « AP-Group »

     

    With Campus AP I have to add CPSec (allow-all) on the controller with the « allow-all » option, but it is not really recommended. Each new AP must be added (with MAC address) before joining the controller.

     

    So, I thought « Remote-AP » doesn’t require this management. Each new AP has a self-signed certificate known by the controller and doesn’t require other tasks to mount the IPSec tunnel.

     

    Am I wrong?