Wireless Access

Dear All,

for bandwidth optimisation purpose i need to do split tunnel , can i do it in CAP mode instead of RAP mode.

have any one of you done it before.

Regards.

 

Split-tunnel is only available when the AP is provisioned as a RAP.

 

You should look at using Instant APs if you need bridge-mode functionality with some tunneling in a campus environment.

Rchahbourne, why don't you just bridge the traffic to the local network? Split tunnel was designed for public wan networks. If this is a private network, bridging could solve your issue...

Hi,

i'm traing to fix a design issue , we have one centralized Mobility Controlleur  (located in the  DC) , and 3 sites, the sites are far from each other (300 to 500 Km), the customer have the optical fiber and around  150 APs

my idea was to optimise the bandwitdh by spliting the traffic (the traffic destined to the printer for exemple do not need to go to the DC).

do you have any suggestion.

Regards

If you bridge the traffic to the same wlan, you put it on par with the wired traffic. That makes it no worse than wired traffic. Traffic that is tunneled back to the controller *could* add overhead. For example if you have a wan optimizer, it cannot optimize traffic between the access point and the controller, because it would be encrypted. If you just bridge the traffic, it can optimize it.

Split tunnel usually requires you to source NAT traffic that stays local so that is probably not be a good idea in a campus environment. It works much better when you have a remote site only connected by the internet.

ok ,

the best is to have local controllers in each site, then the traffic will be decrypted locally and then send if needed to  the DC , if not it remain in the local  Site.

but unfortunately the solution was sold this way

since i have no choice  i'll use tunneled mode.

Regards.

Why will bridged mode not work?

For security purpose ,the bridged mode do not support 802.1X.

802.1X is fully supported in bridge mode...

Is it right, that in bridge mode only 32 Access Points are supported?

Only if those 32 access points are in the same layer 2 vlan.

 

---

@Steffen wrote:
Is it right, that in bridge mode only 32 Access Points are supported?

---

@Steffen

as you know , the mode is linked to the VAP, that's way there are no limite to AP supported for any mode (tunneled, split-tunnel and bridged).

Regards

The reason for an 32 AP limit for bridge mode is firewall synchronization:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/Does-an-AP-in-bridge-mode-support-firewall-session/ta-p/179504

 

- It is limited only to 32 APs that are in the same VLAN, because the firewall synchronization for clients is only shared to a maximum of 32 APs.

- If the number of APs that are broadcasting the bridged SSID in the same VLAN does not exceed 32, there is no real limit.

- Again, this is only for the scenario when there are 32 APs in the same VLAN, broadcasting the same bridged SSID.  

- Typically at a remote location, where you need to bridge traffic, it would not exceed 32 APS; you would have a controller

- At a location where there is a controller and it exceeds 32 APS, you would be operating in tunnel mode

 

If i dont use any firewall functionality, is it possible to disable firewall synchronization, in order to expand the max number of AP's in bridge mode?

No sir.

Ok, I was thinking something like this already. But, how it works this in tunnel mode? Is then the firewall instance on the controller?

Yes. Tunnel mode does not have that limitation.

Why? Behause the Firewall instance is on the controller and the synchronization is only on this?

Yes. 95% of deployments tunnel traffic back to the controller. Not many bridge traffic. Of the ones that are bridged, it does not pass 32 APS often.

I look forward to the day Aruba spends less effort making excuses for their lackings and instead direct that effort to debugging, documentation, facilitating customers requests.

 

Raouf,

I understand and respect your request. We have the same needs in certain areas of our campus. Be aware just because Aruba can't meet your needs in this area does not mean that your needs are not valid. 

 

We were able to accomplish a campus split-tunnel solution using Cisco's new distributed controller model (controller service built into access switches).

 

We use multiple vendors depending on how a vendor can meet OUR needs. Our needs do not change to facilitate any one vendors short-comings.

 

Good luck in finding a solution,

Fred

Aruba has this as well... The 7024. 


Thanks, 
Tim

Thanks Tim,

Now that is awesome news! I'm looking up the 7024 right now. Even though sometimes we have to use multiple vendors I definitely do not like having to manage multiple vendors. 

 

Fred

 

 

Hi Raouf,

I would definitely take a look at the 7000 series. If you're willing to bring layer3 down to the access layer you may be able to accomplish what you need using a 7000 series controller at the locations you want to keep local traffic local.

 

It totally slipped my mind when reading your post but we're using a 7010 to keep local traffic local at one of our remote fabrication labs. The lab is connected to campus with a 20mbps metroE circuit and we needed to keep as much traffic off the link as possible. It's been working great for us.

 

Thanks again Tim!

 

Fred