Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AP Bridge Mode question

  • 1.  AP Bridge Mode question

    Posted Aug 27, 2012 10:09 AM

    It is my understanding that you have to enable control plane security in order to have campus APs in bridge mode.  I currently have 2 masters with VRRP redundancy between them with 3 local controllers.  I have numerous RAPs terminating on one of the local controllers.  The 6.1 user guide states the following:

     

    "The control plane security feature supports IPv4 campus APs only and is not intended for use with Remote APs. Do
    not enable control plane security on a controller that terminates IPv6 APs."

     

    If I turn on control plane security for bridge mode will that "break" my RAPs?



  • 2.  RE: AP Bridge Mode question

    EMPLOYEE
    Posted Aug 27, 2012 10:23 AM

    If you have RAPs, you can already do bridging on those devices.  You do not have to turn on control plane security.

     

    Turning on control plane security involves downtime for all your APs, because a certificate has to be issued for them.

     

    If you only have a limited amount of APs that you want to do bridging on, turn them into RAPs, instead.

     

    I am not aware of the effect that control plane security has on RAPs, but turning it on will involve some downtime, network-wide when you do.  Better to single out the APs you want to do bridging on and turn them into RAPs.

     

    There is also a way, with a provisioning profile, to convert Campus APs in an ap-group into RAPs specifically to turn on bridging without turning on control plane security.

     

    How many Campus APs do you want to enable bridging on?

     



  • 3.  RE: AP Bridge Mode question

    Posted Aug 27, 2012 10:31 AM

    We're a hospital system with numerous remote sites with probably an average of 5 - 8 APs per location.  We are slowly rolling out Aruba APs to replace existing autonomous Cisco APs.  On the Cisco APs we trunk two vlans to them.  One of the vlans is our corporate data vlan tied to our corporate SSID.  The other vlan is for guest access that is fed by a DSL connection. 

     

     We would like to be able to configure the Aruba APs at our remote offices in a similar fashion.  We currently just have the APs tunneling all traffic back to the controller, even for guest access.  We would like for the guest users to utilize that local DSL connection.  I believe Cisco calls their function for this H-REAP on their controllers.



  • 4.  RE: AP Bridge Mode question
    Best Answer

    EMPLOYEE
    Posted Aug 27, 2012 10:47 AM

    Okay.

     

    Here is what you need to determine:

     

    What two VLANs will I need at those sites to be trunked?

    Will they be the same or different?

     

    We would just have to create an APgroup with Bridged SSIDs that match the VLAN numbers you want trunked.  You would also configure the AP System Profile Native VLAN parameter in that AP-Group to match your switchport on that end so that the WLANs are bridged.  We would then provision a Remote AP into that group, where the remote AP's controller ip address is the internal ip address of the master controller, or whatever controller you want it to end up on.  Of course, you will have to establish a VPN pool on that local controller for remote APs as well as whitelist those APs on the master controller.

     

    Fortunately, if you provision an AP as a remote AP from the controller, that AP is automatically added to the whitelist.
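
Added example, not part of the original post and not Aruba's own configuration: a sketch of the AP-group setup described in the answer above, in ArubaOS 6.x CLI form. Every profile name, VLAN ID and address is a constructed placeholder, and authentication settings (opmode, AAA profiles) are omitted.

```text
! Constructed sketch: names, VLAN IDs and addresses are placeholders.
! Address pool assigned to Remote APs when their tunnel to the
! terminating controller comes up (the "VPN pool" in the answer).
ip local pool "rap-pool" 192.0.2.10 192.0.2.100
!
wlan ssid-profile "branch-corp-ssid"
   essid "Corp"
!
wlan ssid-profile "branch-guest-ssid"
   essid "Guest"
!
! Corporate SSID, bridged at the AP into the site's data VLAN.
wlan virtual-ap "branch-corp-bridged"
   ssid-profile "branch-corp-ssid"
   vlan 10
   forward-mode bridge
!
! Guest SSID, bridged at the AP into the DSL-fed guest VLAN so guest
! traffic leaves locally instead of tunneling back to the controller.
wlan virtual-ap "branch-guest-bridged"
   ssid-profile "branch-guest-ssid"
   vlan 20
   forward-mode bridge
!
! Native VLAN must match the untagged VLAN on the switchport the AP
! plugs into; the bridged VLANs above are carried tagged on that trunk.
ap system-profile "branch-sys"
   native-vlan-id 10
!
! One AP group per site when VLAN numbers differ between sites.
ap-group "branch-site-a"
   virtual-ap "branch-corp-bridged"
   virtual-ap "branch-guest-bridged"
   ap-system-profile "branch-sys"
!
! The APs are then provisioned as Remote APs into "branch-site-a";
! provisioning from the controller also adds them to the RAP whitelist.
```

On the switch side, verify that the trunk to the AP carries only the VLANs the bridged SSIDs use, so the guest SSID cannot reach other local VLANs.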

     

     



  • 5.  RE: AP Bridge Mode question

    Posted Aug 27, 2012 10:54 AM

    So I would provision my 105s as RAPs not CAPs correct?

     

    The VLANS will differ from site to site. 

     

    Will I be able to present a captive portal page in this scenario?



  • 6.  RE: AP Bridge Mode question

    EMPLOYEE
    Posted Aug 27, 2012 10:59 AM

    yes, as RAPs.

     

    For Guests, you may be able to do "split-tunnel captive portal" where your users get an ip address at the headend, but then source-nat all of their traffic out to the internet.  Configuring Captive Portal for Guest Access on a Remote AP in a Virtual Branch Network solution https://kb.arubanetworks.com/app/answers/detail/a_id/825

     

    If at all the sites, you can put the AP in the VLAN that you need your users to be in, you can just have the VLAN be 1, and it will bridge the traffic untagged to that local LAN, so that you won't have to define a VLAN for each site.

     



  • 7.  RE: AP Bridge Mode question

    Posted Aug 27, 2012 12:15 PM

    Colin, thanks for your help.  I was able to get this working.  Now that these 105s are configured as RAPs and not CAPs I know some functions are offloaded from the controller to the AP.  Will I lose any functionality in this setup such as PEF, WIPS, etc?  Will roles still be applied to the wireless users?



  • 8.  RE: AP Bridge Mode question

    EMPLOYEE
    Posted Aug 27, 2012 03:30 PM

    You will not lose any functionality, no.