Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Mobility Master Controller

  • 1.  Mobility Master Controller

    Posted Mar 22, 2019 08:29 PM

    Hi guys,

    I have found the attached MM-VA Capacity Table.

    Can anybody explain to me, with an example using switches, IAPs, and laptops, what the difference is among Devices, Clients, and Controllers?

    For example, for MM-VA-50:

    • 05 controllers "maximum"? Are these controllers included in the count of 50 devices maximum?
    • 50 devices maximum: does this count also include switches and IAPs? Is any other network equipment included in this count?
    • 500 clients: I suppose this refers to wireless clients, right? What if I want to deploy dynamic segmentation in the LAN? Does this count include laptops, PCs, cameras, printers, smartphones, tablets, etc.?

    Thanks for your support



  • 2.  RE: Mobility Master Controller

    MVP EXPERT
    Posted Mar 23, 2019 03:49 AM
    The MM-VA licence is counted as mobility controllers + access points.

    Example:
    50 IAPs + 2 mobility controllers need MM-VA-52; because the licence is sold per 50, you need 2x MM-VA-50.

    Or

    For 495 IAPs + 5 controllers, you need to buy 1x MM-VA-500.

    In the end, an MM-VA-500 bundle is much cheaper than 10x an MM-VA-50 bundle.


  • 3.  RE: Mobility Master Controller

    Posted Mar 23, 2019 06:24 PM

    Hi Marcel,

    Thanks for your time, but that only answers my first question, and according to your explanation the answer is "yes, the maximum number of controllers is included in the number of devices".

    What about questions 2 and 3?

    The second question is related to the deployment of "Dynamic Segmentation for the Network Edge", as you can see in the picture on page 2 of the attached document. In this deployment a tunnel is set between APs/Switches and the Aruba Controller (it is not clear if it talks about the Mobility Master or the Mobility Controller cluster). But what I need to know is if "Number of Devices" means: Mobility Controller+Switches+APs.

    Are the Mobility Master and its redundant Mobility Master not included in this count? What if I have an MM, its backup MM, a cluster of 8 Mobility Controllers, 470 APs and 45 edge switches? Would I need an MM-VA-525 license (1+1+8+470+45=525)? And because the licenses are sold in packages of 500 and 50, would that mean I need 01xMM-VA-500 + 01xMM-VA-50 licenses?

    The third question is oriented to confirm that the maximum "Number of Clients" includes all wireless clients (laptops, smartphones, tablets, etc.) and the wired clients (PCs, cameras, printers, etc.). Remember that in Dynamic Segmentation I will have all these types of hosts accessing the LAN, and the Controller and ClearPass must assign those stations to the proper VLAN anywhere they connect to the LAN.

    Thanks for your support.



  • 4.  RE: Mobility Master Controller
    Best Answer

    EMPLOYEE
    Posted Mar 24, 2019 06:39 PM

    So this is going to be a bit of a long-winded answer. Controllers count against the device count in a 'per controller' fashion (4 controllers = 4 devices counted against the MM count) but the per controller limit is not the same as the devices (you'll see on the data sheet there is a different maximum controllers versus maximum APs). Access Points count against the per-device count, as does every single switch and switch stack* using Dynamic Segmentation (DS) against one or more of your MCs under the MM. These device counts (controller and AP) are fixed and a hard limit. If you have an MM-VA-500, it can do a MAXIMUM of 500 devices (controllers, APs, and switches/switch stacks in DS) with a specific max of up to 50 controllers. If you needed to terminate 100 controllers against the MM, you need an MM-VA-1K. **MMs in redundancy do not count against any device deprecations** so if you have 2 MMs (active/standby) or even 4, because only one is active at any time, it's not counted against the device limit.

     

    In your example, 8 MCs, 470 APs, and 45 edge switches/switch stacks doing DS would mean there are 523 devices to terminate against your MM. If you are doing VIRTUAL MM, then correct, you buy the MM-VA-500+MM-VA-50, and you provision on your hypervisor the resources for an MM-VA-1K. This gives the VMM the resources to support more than 500, but you just stack the licenses to enable 550 (just like if you wanted to purchase a 7280 and only terminate 10 APs on it).

    Number of clients noted on the DS is what QA tests to, but it *IS NOT* a hard limit. So you COULD push the number of clients above the noted number on the DS, but should there be issues and TAC determines it's a load issue, you would be asked to increase the resources on your VMM. So say in your above case with 470 APs, you provision a MM-VA-1K which QA supports a max of up to 10k clients. However, let's say you average 50 clients concurrent per AP, which would be 23,500 clients. You would then want to provision your VMM as an MC-VA-5K (giving it the CPUs, RAM, and Disk to support a VMM 5K), it would use your 550 MM-VA licenses for your 523 devices, and be scaled up with CPU/RAM/Disk to support up to 50k clients. And these clients will include wireless clients, as well as any client in User-Based Tunneling (UBT) or Port-Based Tunneling (PBT) when the edge switches are doing DS, or any wired client marked as untrusted on a wired port of a controller. Ala any device, wired or wireless, that shows up in the user table of the controller will count against the client count of the MC they terminate on, as well as the MM that manages the MCs. 5k wireless+wired clients on each MC, if the MM has four of those MCs, that's 20k users that show up in the MM user table. This count also does NOT include the user standby tunnels, only the active user tunnels. 

    This is one reason why hardware MMs, while they have their place, are not as flexible, because to go from a MM-HW-500, to a 1K to a 5K requires 3 different appliances. For a VMM, you just re-size the MM using the hypervisor and the migration happens in the background as part of the growth process. 

    Regarding DS from your switches, you can think of edge switches just like an AP in terms of consumption of licenses, and they will deprecate an AP/PEF/RFP license the exact same way. Also, each switch supports up to 32 tunnels (either PBT or UBT) which helps constrain the tunnel count and prevent over-running the controller from a tunnel max perspective. But be forewarned, if you were to run all your APs with 16 BSSIDs, and then max out the UBT/PBT tunnel count on each edge switch, and then under-provision your controller to the AP max, you could exceed the tunnel count of a controller. So be cognizant of max tunnels and the tunnel limitation of your controllers (or just don't skimp on the controller and overbuild at the front so you don't risk exceeding later). Tunnel counts are on the MC data sheets as well. Note tunnels do not terminate on MM; for the MM it's just a matter of device counts as noted above.



  • 5.  RE: Mobility Master Controller

    Posted Mar 25, 2019 01:03 AM
    Hi Jerrod,
    It is a pretty complete explanation, I really appreciate the fact you have taken some of your invaluable time to answer me.
    I have some extra questions I will post later.
    Best regards


  • 6.  RE: Mobility Master Controller

    Posted Mar 25, 2019 11:57 AM

    Hi Jerrod,

    Just some questions:
    1. Sometimes you use the term DS as Datasheet and sometimes as Dynamic Segmentation, right? This is just to clarify.
    2. About the "Client Count" you said: "any device, wired or wireless, that shows up in the user table of the controller will count against the client count of the MC they terminate on, as well as the MM that manages the MCs. 5k wireless+wired clients on each MC, if the MM has four of those MCs, that's 20k users that show up in the MM user table. This count also does NOT include the user standby tunnels, only the active user tunnels". Question: Do standby tunnels (not included in the count) have to be included in some count of any other MC? I think standby tunnels do not consume anything until they become active, but in that situation, those tunnels have to be included in the count of the MCs that terminate them during a contingency situation. Please confirm if I am reading the situation right.
    3. About the 32 tunnels per switch, I am not clear on how the tunnel is set. Is the tunnel set from a port in the switch to the MC? What if the switch is a 48-port switch?
    4. How many tunnels can be set from an AP to the MC? Is the tunnel set per AP to the MC, per AP radio to the MC, or per client wireless station to the MC?

     

    Thanks for your kind support



  • 7.  RE: Mobility Master Controller

    EMPLOYEE
    Posted Mar 25, 2019 12:11 PM

    Hah, I never paid attention, you should just know what I'm thinking :) I will work on being more clear.

     

    2 - Generally not, it's covered as part of the controller capacity design (if you want to support 2000 APs and switches doing DynSeg, you need at least two 7240XMs in a cluster).

    3 - Port-based tunneling (PBT) would be per port, user-based tunneling (UBT) is per user. And I misspoke, the 32-limit is for User-Based Tunnels per port. If you were doing PBT on a 48-port switch, you would be 1 AP feature license with 48 tunnels (depending on uplink config, etc.; if you use one of the 48 ports for uplink it's 47, etc.).
    4 - Tunnels per AP depend on the number of SSIDs. Each AP has a tunnel for control (CPSec/PAPI), then one tunnel per BSSID.



  • 8.  RE: Mobility Master Controller

    EMPLOYEE
    Posted Mar 25, 2019 12:14 PM

    To add, you would still want to plan for the tunnel count against the max tunnels supported for the MC you plan to use. You can find the maximum tunnels on the Data Sheet of the controller. A 7240XM can do up to 32k tunnels. So you just need to sum up the tunnels in your design.
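
The counting rules given in the answers above, worked through as an added example (not part of any post, and not Aruba tooling). The `Design` class, function names, and the BSSID and port figures are assumptions made for illustration. Comparing the whole design against a single MC's tunnel limit is a simplification, and switches are assumed to contribute only their PBT/UBT tunnels.

```python
from dataclasses import dataclass

MC_MAX_TUNNELS = 32_000   # 7240XM figure quoted in the thread ("up to 32k tunnels")
UBT_MAX_PER_PORT = 32     # user-based tunnels per switch port, per the thread

@dataclass
class Design:                      # hypothetical container for one MM domain
    controllers: int               # MCs only; active/standby MMs are not counted
    aps: int
    ds_switches: int               # switches or stacks doing Dynamic Segmentation
    bssids_per_ap: int
    pbt_ports: int = 0             # port-based tunnel ports per switch
    ubt_ports: int = 0             # user-based tunnel ports per switch
    ubt_users_per_port: int = 0

def mm_device_count(d):
    """Devices counted against the MM limit: MCs + APs + DS switches."""
    return d.controllers + d.aps + d.ds_switches

def license_stack(devices, packs=(500, 50)):
    """Largest pack first, remainder rounded up on the smallest pack."""
    packs = sorted(packs, reverse=True)
    stack, remaining = {}, devices
    for size in packs[:-1]:
        stack[size], remaining = divmod(remaining, size)
    stack[packs[-1]] = -(-remaining // packs[-1])   # ceiling division
    return {size: qty for size, qty in stack.items() if qty}

def tunnel_count(d):
    """One control tunnel plus one per BSSID per AP, plus PBT/UBT tunnels."""
    if d.ubt_users_per_port > UBT_MAX_PER_PORT:
        raise ValueError("UBT allows at most 32 user tunnels per port")
    ap_tunnels = d.aps * (1 + d.bssids_per_ap)
    switch_tunnels = d.ds_switches * (d.pbt_ports + d.ubt_ports * d.ubt_users_per_port)
    return ap_tunnels + switch_tunnels

def fits_one_mc(d, mc_max=MC_MAX_TUNNELS):
    return tunnel_count(d) <= mc_max

# Design from the thread: 8 MCs, 470 APs, 45 edge switches. The BSSID and port
# figures are constructed: 16 BSSIDs per AP, 47 tunneled ports per 48-port switch.
pbt = Design(8, 470, 45, bssids_per_ap=16, pbt_ports=47)
ubt_worst = Design(8, 470, 45, bssids_per_ap=16, ubt_ports=47, ubt_users_per_port=32)

if __name__ == "__main__":
    print(mm_device_count(pbt), license_stack(mm_device_count(pbt)))
    for name, d in (("PBT", pbt), ("UBT worst case", ubt_worst)):
        print(name, tunnel_count(d), "fits one MC:", fits_one_mc(d))
```

The device count and license stack stay the same in both cases; only the tunnel budget changes, which is the over-run scenario the answer warns about.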