Wireless Access

Hello,

I am brand new here. A bit of background:

We have a 10 story building and about 400 people at our primary location, and two much smaller branch offices. Most of our 400 employees are software devs who need access to machines in our data centers. We have Palo Alto firewalls at each of the three locations.

We just purchased brand new Instant APs (335) for each of locations, with about 35 for our primary location. We also purchased brand new Aruba 5412 chassis switches for our wired connectivity on each floor.

Finally we don't have a wireless controller, we do have the VM edition of Clearpass with basically all features licensed, and we plan to use the Palo Alto for inter-vlan routing (especially outside of the data center).

I have the following goals, in approximate order of importance:

1) Need to create 3x access zones:

A) Guest with internet access only

B) Standard employee workstations with access to data center #1

C) High-security employee workstations with access to data center #1 and data center #2

2) Want to use Palo Alto as inter-vlan router and also remote VPN access. Want to share as much info/credentials between Clearpass and PA (I think there is an integration here that passes user credentials? Does it pass anything else?)

2) Want wireless to be able to roam between floors for video conferencing etc.

3) Want same SSID if possible for Zone B and Zone C. Guest can be same or different SSID (don't care much).

So, a few questions about the above:

What is the best subnet layout for our wired and wireless network? Lots of /24 subnets or one big /20? 

Are there any limitations using Instant APs that I will regret or need to understand?

Do I need a seperate Clearpass VM at each branch office or can I simply have them connected via a VPN tunnel to the HQ? What about one VM at HQ, and one VM at the larger branch office?

Thanks! 

(First Post)

Any area where users are expected to roam between should have a single subnet.  If users on your employee subnet need to be able to roam between the 10 floors, plan on a single subnet between those 10 floors.  If your secure employee subnet needs to be able to roam between those 10 floors, plan on a single subnet for that.  If your guests need to be able to roam between those 10 floors, plan a single subnet for that.  The size of the subnets do not necessarily matter, because there are broadcast controls that can be deployed (broadcast-filter-arp at the SSID level).

As to the Instant limitations, that is a very general question and based on what you just posted on the face of it you should be able to do everrything you want.

With regards to ClearPass, a single appliance for authenticationn that all your clusters can reach as a radius client and all your clusters can reach to present the guest page is all that is necessary.  If your operation is important, you will need a backup ClearPass VM at another location to  provide fault tolerance, or if you have slow WAN links that possibly need to be mitigated.

This is general  advice based on what you posted above..

Thanks for the quick reply!

I assume that we can have Zone B and Zone C on the same SSID and do a user-ID lookup when the client authenticates which will then drop them into the appropriate zone/subnet/vlan?

If there is an attribute that ClearPass can identify, it can return the Aruba-User-Vlan Radiuss Attribute, which will determine what VLAN the user gets dropped into.

What kind of attributes can be used? Username? An Active Directory security group?

Yes and yes.  Too many to name here: