Wireless Access

Hi Guys,

 

I have a small technical question - to understand if what my client would like to achieve is possible.

 

Here is a small diagram - please focus on the remote site:

 

 

Let's say I deploy there a RAP unit and connecting it to a TRUNK port (native vlan= enterprise).

I would like to configure two ssid: 1 for the enterprise - using full tunnel - back to the main site.

                                                             2 for the guest - using the 2nd vlan that tagged on that vlan (on the remote site)

 

*the controller on the main-site only knows the 1 (enterprise vlan) the 2nd vlan is only seen on the remote site*

can it be done?

 

Because bridge mode..isnt fitted to this kind of solution

split-mode also mint fit to this need.

 

please advise.

 

thanks ,

 

me

 

My idea was instant on the remote-site that will do vpn in front of the controller

and also will be connected to the ADSL gw.... But my client would like to use DHCP fingerprint and some other featuers that are available only in a controller.

 

 

I believe you can do a wired port in bridge mode off the RAP.  That isn't the problem.  Instant would also work but what is the use case for DHCP fingerprinting as Instant supports that??

my RAP units are 105 (only 1 port ) that will be connected to the trunk port on the remote site.

vlan X = enterpsie - SDH gateway from remote to main site
vlan z = guest - ADSL gateway to the internet (a vlan that isnt located and seend on the main site)

two diffrent vlans on the remote site...

please advise.

forget about the instant - its was just an idea..that i left..i need it to be full controller base solution

Not possible with the 105.  (only one port).  Again...why not Instant?  I wouldn't discredit that solution vs. a "full controller" based approach.  

AP-105 = 1 port..so? i will configure the port on the switch in the remote site as TRUNK. (and i will configure both vlans on that port + naitve vlan)

 

Instant wont fit - because my client would like to use DHCP fingerprint and user devriton roles. - and controller all sites and configuration from the main controller.

 

I need to know if it's possible to transmit a vlan on the ssid of the remote ap that dosent get to the controller itself (in any method except tunnel)

please look on the diagram.

First, let me refute the instant solution objections:

 

1. You can manage with an Instant UI on Airwave centrally.

2. Instant supports user derivation rules with DHCP fingerprinting

 

Now...on that trunk port idea...I don't think it will work...what VLAN will the IPSec tunnel traverse? I just don't see it happening.  Take a RAP3 or RAP155 and we can have a different discussion possibly.

Yes...you can transmit an SSID in bridge mode (vlan which doesn't get to controller) BUT you have an instance here of wanting to change e0 on a RAP and that isn't allowed.

aware to that :) i have a lot of diffrent rap's deployments in diffrent methods...bridge mode will not fit to this kind of solution because we speaking on two diffrent vlans! two diffrent gw on the remote site.

1. already known.

2. from which version?

--------------------------

 

on the trunk port...the native vlan will be the enteprise vlan and trough this the ap will do ipsec to the controller.

AP135 will also fit. ( i tought it's possiable ap collecting all the vlans on his trunk port to the controller for wip/rfp so......tunnel to the enteprise vlan and split tunnel to a diffrent vlan on the remote site - that only his tag number will apper on the controller)

 

u gave me an idea - soo... i will deploy only instant based solution all over the enteprise.

all i need is an AirWave + Turnked ports (of both vlans) ...no controller need for dhcp fingerprinting and user devertion roles.

right?

 

 

User derivation has been in Instant for quite sometime.  I want to say 3.2 but I am not positive.  

 

In any case, it's in there.  On the Access settings in SSID config choose role based and then in role assignment rules, select dhcp-option.  Works great.  Also, vlan pooling is supported as well just so you know.

 

Instant +VPN to a controller should work using Airwave to manage.  However, the multiple ISP uplink idea is something you'd need to test.  Instead of a 135, I vote for the 155 for the LAN ports.  Food for thought!

 

ok,thanks on the info,and thanks for opening my eyes :)

can i also assigen vlan on dhcp fingerprint? or only role?

 

I need to know...because i'am desiging all the deployment based on dhcp fingerprint... (role + vlan assigining)

 

if really i can do DHCP FINGERPRINT and assigen vlan .. so i can trunk two diffrent vlans to the vc...and then no controller is needed at all...

Yes. you can assign a vlan in the vlan tab using dynamic vlan assignment

OK. . . Nice to know that.. :smileyhappy:

 

All those site are werehouses and working floors.

Can I be relaxed that instant will handle those environments good?

 

And if I add a user devertion role to one VC in remote site #2 ... I will also need to do it manually to remote site #3..Even with AirWave...Right?

If those remote sites are all part of the same group in Airwave, they will share the same config template. So?same SSIDs, roles, derivation rules, etc?

As far as RF environments, the Instant APs have the same hardware so the performance and ARM features (outside of client match) are supported.

ok.

 

Thanks.