
Page 1: Aruba Instant VRD

Aruba Instant Validated Reference Design | 1

Aruba Instant Validated Reference Design

Version 1.0.1

Authors: Contributors: Vishal Mann Yan Liu Sathya Narayana Gopal Naveen Manjunath


Copyright

© Copyright 2016 Hewlett Packard Enterprise Development LP

Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett-Packard Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:

Hewlett-Packard Company

Attn: General Counsel

3000 Hanover Street

Palo Alto, CA 94304

USA

Please specify the product and version for which you are requesting source code. You may also request a copy of this source code free of charge at [email protected].


Contents

About this Guide 9
Intended Audience 9
Scope 9
Related Documents 9
Conventions 9
Introduction to Aruba Instant 11
Introduction 11
Aruba Instant 12
Aruba Instant Architecture 12
Management Plane 12
Control Plane 12
Data Plane 13
Virtual Controller 13
Preferred Master 13
Cluster mechanics 14
Virtual Controller IP Address 14
Role of a Virtual Controller 14
Management plane functions of a virtual controller 14
Instant communications 15
Intra cluster communication 16
Inter cluster communication 17
IAP & AirWave 17
IAP & RADIUS server 17
IAP & XML API 18
IAP & Activate/Provisioning server 18
IAP & VPN end point 18
IAP & WebCC lookup 18
IAP & SNMP/syslog communication 18
Instant Access Points Portfolio 19
How Instant Solution fits into needs of various Enterprises 22
Aruba Instant Solution for Small and Medium Enterprises 22
Aruba Instant Solution for Distributed Enterprises 25
Aruba Instant Solution for Hybrid Deployments 27
Designing Enterprise Networks with Aruba Instant 28
Aruba Instant Solution Basic Concepts 28
VLANs in an Aruba Instant Cluster 28
Client IP assignment with the “Virtual Controller assigned” option 29
Client IP assignment with the “Network assigned” option 30
Traffic Flows in an Aruba Instant Cluster 31
AP Traffic 31
Client Traffic 31
Dynamic RADIUS Proxy 32
Layer 3 Mobility 33
Physical and Logical Design 33
Wired Infrastructure Design 34
Recommendations for an Uplink Management VLAN 35
Uplink Management VLAN 35
Client VLAN Design 35
Cluster Design 36
Cluster Design for Single-Building Layout 36
Cluster Design for a Multi-Building Layout within a Contiguous RF Domain 37
Cluster Design for a Multi-Building Layout with a Non-Continuous RF Domain 37
Cluster Design for a K-12 School District 37
Cluster Security Recommendations 38
RF Design 39
Radio Modes on Aruba Instant 40
Scanning of IAPs 40
AP Scanning (Access Mode) 41
AM Scanning (Monitoring Mode) 41
Spectrum Monitoring (Spectrum Monitor mode) 42
Adaptive Radio Management 42
Additional RF Optimization Features 44
Client Match 47
Recommended IAP Settings 48
QoS Design 50
End-to-End QoS 50
QoS on the WLAN 51
QoS on the LAN Edge and Core 51
Aruba QoS Features 51
Stateful Firewall 51
Media Classification 52
Bandwidth Management 52
Application Bandwidth Management 52
User and Network Bandwidth Management 53
Dynamic Multicast Optimization (DMO) 57
ARP Broadcast Filter 58
Design for Plug-and-Play Services 59
Challenges with Multicast DNS 59
The AirGroup Solution 60
AirGroup Capabilities Supported by Aruba Instant 60
AirGroup Solution Architecture 61
AirGroup in a Single IAP Cluster 61
AirGroup in a Single IAP Cluster with ClearPass Policy Manager 61
AirGroup in Multiple IAP Clusters 62
AirGroup Recommendations 64
Configuring AirGroup 65
Enabling AirGroup 65
Filtering Services Based on User Role 66
Filtering Services Based on VLANs 67
Creating a “Personalized” WLAN: Registering Personal and Shared Devices on ClearPass 69
Extending an AirGroup across Instant Clusters 71
Content Filtering using Open DNS 73
Security Design 75
Authentication and Encryption 75
Authentication and Encryption for an Employee SSID 75
Authentication Methods 75
Authentication Recommendations 76
Encryption Levels 77
Encryption Recommendations 78
Authentication and Encryption for a Guest SSID 78
Authentication Methods 78
Authentication Recommendations 79
Encryption Levels 79
Encryption Recommendations 79
Wireless Intrusion Detection and Prevention 80
Intrusion Detection System (IDS) 80
IDS Dashboard 80
IDS Wizard 81
Aruba IDS Recommendations 81
Intrusion Prevention System (IPS) 82
IPS Wizard 82
Aruba IPS Recommendations 83
Designing Distributed Enterprise Networks with Aruba Instant 84
Branch Office Deployments 84
Single AP Branch 85
Multi AP Branch 85
Hierarchical Mode Design 86
Flat Mode Design 87
MPLS-Based Branch Deployments with Aruba Instant 88
Use Case 1: Wireless Employee Access and Guest Access 89
Use Case 2: Wireless Employee Access and Guest Access with the Ability to Tunnel the Guest Traffic to a Central DMZ 89
VPN-Based Branch Deployments with Aruba Instant 91
Understanding Instant-VPN (Aruba Instant-VPN in a Nutshell) 92
Licensing 92
WLAN Controller Scalability for Instant-VPN deployments 93
AP Selection for Instant-VPN Deployments 94
Firewall Ports 94
Understanding Instant-VPN Modes 94
Instant-VPN: Local Mode 97
Instant-VPN: Centralized L2 Mode 98
Instant-VPN: Distributed L3 Mode 100
Branch-ID Allocation Algorithm 102
BID Allocation Process Details 102
MAX-BID Calculation Examples 104
Traffic Flow and Uplink Switch Requirements for a Multi-AP Aruba Instant-VPN Network 105
802.1X and RFC 3576 Handling in an Aruba Instant-VPN Network 106
DNS Handling in an Aruba Instant-VPN Network 107
Control Traffic between an Aruba Instant-VPN Branch and the WLAN Controller 108
Redundancy Design for Aruba Instant-VPN Deployments 109
Single Data Center Deployment with Redundancy 110
Multiple Data Center Redundancy (Geographical Redundancy) 110
Designing Instant-VPN Deployments 111
Single-AP Branch with a Single Data Center 112
IAP Setup (Single-AP Branch with a Single Data Center) 113
Data Center Configuration (Single-AP Branch with a Single Data Center) 114
Single-AP Deployment with Multiple Data Centers 115
IAP Setup (Single-AP Branch with Multiple Data Centers) 116
Data Center Configuration (Single-AP Branch with Multiple Data Centers) 118
Multi-AP Deployment with Single Data Center 118
IAP Setup (Multi-AP Deployment with a Single Data Center) 120
Data Center Configuration (Multi-AP Deployment with a Single Data Center) 122
Uplink Switch Setup (Multi-AP Deployment with a Single Data Center) 122
Multi-AP Deployment with Multiple Data Centers 122
IAP Setup (Multi-AP Deployment with Multiple Data Centers) 124
Data Center Configuration (Multi-AP Deployment with Multiple Data Centers) 126
Uplink Switch Setup (Multi-AP Deployment with Multiple Data Centers) 126
Designing Home Office Deployments with Aruba Instant 127
Configuring the WLAN Controller for Instant-VPN Deployment 127
Defining the VPN Pool on a WLAN Controller 128
Adding IAPs to RAP Whitelist 130
Configuring VLANs for Layer 2 Modes 131
Configuring OSPF Route Redistribution of Layer 3 Branch Routes 131
Configuring the Controller to Perform Source NATing for 802.1X and RADIUS Traffic from Branches 132
Configuring an IAP for Instant-VPN Deployment 136
Defining the VPN Host Settings 136
Configuring a Routing Profile 138
Controller Redundancy Example 1 139
Controller Redundancy Example 2 139
Configuring DHCP Profiles for Instant-VPN Modes 141
DHCP Profile for Local Mode 142
DHCP Profile for Centralized L2 Mode 144
Network Tab 145
Branch Size Tab 147
Static IP Tab 148
Configuring an SSID or Wired Port for Instant-VPN 149
Enabling Dynamic RADIUS Proxy (DRP) 150
Configuring Enterprise Domains (Split-DNS) 151
Aruba Instant management using Aruba AirWave 152
Communication Concepts 152
Adding IAPs to AirWave 153
Manually Adding an IAP through the VC WebUI 153
Provisioning an IAP through Aruba Activate 154
Add Devices in Activate 154
Create Folders in Activate 155
Create provisioning rules in Activate 156
Assign Devices to Folders in Activate 158
Provisioning an IAP through DHCP Options 160
AirWave prerequisites 162
AirWave whitelist 163
Adding devices to the whitelist 163
Manually on AMP GUI 164
Import through Activate 164
In bulk through CSV file 165
AirWave in DMZ 165
Organization String 167
Setting up Groups, Folders and Roles in AirWave 167
Groups 168
Folders 168
Roles 169
Managing Device Firmware with AirWave 170
Setting up AirWave to Automatically Update Firmware on New Devices 170
Bulk Upgrades of IAPs 171
Monitoring Firmware Upgrade Jobs 172
Managing Device Configurations with AirWave 173
AirWave use cases 175
AirWave for the Distributed Enterprise 175
AirWave for the Small and Medium Enterprise 176
AirWave for a Home Office 178
Network Visibility using AppRF on Aruba Instant 179
AppRF on Instant Access Points 179
Introduction 179
DPI 180
Web Content Filtering 181
Categories 181
Reputation 181
Configuration 184
Enforcement through policies 184
Visibility in UI 185
Per AP view 185
Per client view 186
Per SSID view 186
AppRF tab details 186
Troubleshooting 188
Show commands 188
Traces 189
Appendix 191
Performance impact due to DPI 191
Custom error page 191
Websites dependency on web category 193
Terminology 196
Acronyms and Abbreviations 196
Glossary 197


Chapter 1: About this Guide

The Aruba Validated Reference Design (VRD) series is a collection of technology deployment guides that include descriptions of Aruba technology, recommendations for product selections, network design decisions, configuration procedures, and best practices for deployment. Together these guides comprise a reference model for understanding Aruba technology and designs for common customer deployment scenarios. Each Aruba VRD network design has been constructed in a lab environment and thoroughly tested by Aruba engineers. Our customers use these proven designs to rapidly deploy Aruba solutions in production with the assurance that they will perform and scale as expected.

This VRD describes Aruba Instant, the easiest way to get enterprise-grade Wi-Fi up and running. Aruba Instant delivers a controller-less Wi-Fi solution that is easy to set up and loaded with the security and smarts needed to accelerate your business without breaking your budget. This guide provides an overview of the Aruba Instant solution and describes the different use cases and deployments, as well as configurations and recommendations.

Intended Audience

This guide is intended for administrators who are responsible for deploying and configuring Aruba Instant devices in customer premises.

Scope

This is a base design guide for Aruba Instant, and hence it does not cover fundamental wireless concepts. Readers should have a good understanding of wireless concepts and Aruba technology.

Related Documents

In addition to this document, the IAP product documentation includes the following:

• Aruba Instant User Guide

• Aruba Instant CLI Reference Guide

Conventions

The following conventions are used throughout this manual to emphasize important concepts:


Style Type | Description

Italics
This style is used to emphasize important terms and to mark the titles of books.

System items
This fixed-width font depicts the following:
• Sample screen output
• System prompts
• Filenames, software devices, and specific commands when mentioned in the text.

Commands
In the command examples, this style depicts the keywords that must be typed exactly as shown.

<Arguments>
In the command examples, italicized text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example:

# send <text message>

In this example, you would type “send” at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets.

[Optional]
Command examples enclosed in brackets are optional. Do not type the brackets.

{Item A | Item B}
In the command examples, items within curly braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.

Table 1: Typographical Conventions

The following informational icons are used throughout this guide:

Indicates helpful suggestions, pertinent information, and important things to remember.

Indicates a risk of damage to your hardware or loss of data.

Indicates a risk of personal injury or death.


Chapter 2: Introduction to Aruba Instant

This VRD provides details about the Aruba Instant solution. Table 1, Software Versions, lists the software versions for this guide.

Table 1: Software Versions

Product | Version
ArubaOS (Mobility Controller) | 6.4
Aruba InstantOS | 4.2

Introduction

During the early days of Wi-Fi, wireless networks were designed to be convenience networks and they were not mission-critical. It was very common even for a large organization to deploy just a few APs in areas such as lobbies, cafes, and CTO offices. This deployment allowed network administrators to build wireless networks using fat APs (also known as autonomous APs) because performance, quality of service (QoS), mobility, scalability, and manageability were not critical. To deploy fat APs, the IT staff had to manually configure each and every AP that was deployed. However, as wireless technology progressed and as organizations discovered the advantages of wireless networks, the scale of wireless deployments grew. As deployment sizes grew, scalability and manageability became major issues with the fat AP technology. This demand led to the evolution of controller-based WLANs with thin APs.

In controller-based WLAN technology with thin APs, the management and control plane functions are centralized at the controller and the data plane is either centralized or switched locally at the APs, based on the mode of operation. Controller-based WLANs allow WLANs to scale to thousands of APs and provide a single point of management and configuration for the entire network. The development of controller-based WLAN technology greatly helped in the adoption of wireless networks. The controller-based solution could be deployed easily as an overlay architecture without any overhaul to the existing wired network. Today, controller-based WLAN networks are, in fact, the architecture that is used in these environments:

• Government, department of defense, and other security-conscious organizations that require central encryption and decryption of wireless data

• Large campuses such as universities and enterprises, which scale to thousands of APs at a single location

• Organizations with large Layer 2 domains that do not want a major overhaul, such as adding and deleting VLANs, to their edge network

The Aruba controller-based architecture includes ArubaOS™, Aruba controllers, and Aruba APs.

In the past few years, the advancements in AP hardware technology (such as chipsets and memory) have opened up the possibility of a distributed WLAN system. Modern APs allow wireless vendors to distribute the management, control, and data paths amongst APs without the need for a physical controller. This architecture is suitable for small and medium-sized WLAN deployments and distributed enterprises that do not require the additional benefits of a controller-based architecture but still require a feature-rich, enterprise-grade solution that can be managed from a single interface. The Aruba answer to the controller-less architecture is Aruba InstantOS™ and Aruba Instant™ APs (IAPs).


Aruba understands that the WLAN requirements of organizations vary and that the choice between a controller-less and controller-based architecture depends on the type of organization and their WLAN requirements. Aruba is the only WLAN vendor to offer the flexibility of both controller-less and controller-based architecture with no architecture lock-in. Aruba also recognizes that, as organizations grow in size, they might want to move from a controller-less to a controller-based architecture. In that respect, Aruba provides investment protection: if the requirements of your organization change, you can convert Aruba IAPs to controller-based mode, which allows them to function with ArubaOS controllers.

Aruba Instant

Providing wireless connectivity at remote sites has been a challenge for organizations with distributed locations, such as retail chains and K-12 school districts. These organizations need robust WLAN functionality, including voice and video optimization, high reliability, and strong security. They also need a solution that is affordable both to buy and to operate in a distributed environment. The solution must be able to be deployed rapidly, and configured and managed centrally. In addition to these requirements, certain organizations, like hotel operators, restaurant owners, retailers, and other distributed enterprises, must comply with data privacy regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and HIPAA for healthcare. In general, these organizations need a feature-rich, enterprise-grade WLAN that can be deployed rapidly at geographically dispersed locations that have limited or no on-site IT resources.

The Aruba Instant architecture is designed to address these situations. Aruba Instant combines enterprise-grade WLAN performance, security, and scalability with industry-leading ease of use and affordability. With Aruba Instant, the entire deployment process is automated, including zero-touch provisioning, firmware upgrades, and inventory management. You can deploy thousands of Aruba IAPs cost-effectively anywhere in the world with unprecedented speed and ease.

Aruba Instant Architecture

Aruba Instant consists of a family of high-performance controller-less Instant Access Points (IAPs) that run the Aruba InstantOS to provide a distributed WLAN system. In an Instant deployment, all IAPs on the same Layer 2 domain form a cluster with one dynamically elected AP that functions as the master. The master AP assumes the role of virtual controller (VC) within a cluster. Aruba Instant is a distributed WLAN system with a completely distributed control and data plane. However, certain network functions, such as monitoring, firmware management, and source Network Address Translation (NAT), require a central entity within a cluster. The VC within a cluster functions as this central entity. In an Aruba Instant cluster, if the master fails, another AP is elected as the master and assumes the role of VC.

In general, you can divide the functions of a WLAN system into three planes: the management plane, control plane, and data plane. Each Aruba Instant cluster handles the management, control, and data plane functions as described in the following sections.

Management Plane

Aruba Instant has a centralized management plane. At a cluster level, the self-elected VC functions as the single point of configuration for an IAP cluster. The graphical user interface (GUI) to the VC provides local configuration and monitoring of an IAP cluster. Centralized configuration and management for multi-cluster networks are available using AirWave® or Aruba Central™ (public cloud).

Control Plane

The control plane in an Aruba Instant cluster is completely distributed and handled by the individual IAPs. The distributed control plane functions include:

• Adaptive Radio Management (ARM)

• Auto Channel/Power assignment


• Intrusion detection system (IDS)/intrusion prevention system (IPS)

• Client handover

• Deep Packet Inspection

The VC is not responsible for any of these functions. For example, the client database is entirely maintained in the AP to which the client is connected. When a client roams, the new AP determines the last associated AP for the client and requests all client information from that AP. The other IAPs send updates to the VC IAP periodically, only for management plane reporting.

Data Plane

The data plane in an Aruba Instant cluster is also fully distributed, with a few exceptions. Each individual IAP handles the traffic for the clients that are associated to that IAP. Firewall policies and bandwidth control are also applied on a per-IAP basis. The flow of user traffic is not centralized to the VC. An exception to this rule is a magic VLAN (also known as a VC-assigned VLAN). On an SSID that uses a magic VLAN for its clients, all IAPs forward the traffic on that SSID to the VC, which performs NAT for the traffic. This process allows Layer 2 mobility for the VC-assigned VLAN. Similarly, any traffic that must be source NATed by the Aruba Instant cluster also flows through the VC. It is common to source NAT user traffic in remote deployments that have split-tunnel or bridging requirements. For more information on the traffic flow in an Aruba Instant cluster, see Traffic Flows in an Aruba Instant Cluster.

Virtual Controller

Aruba IAPs on the same Layer 2 domain form a cluster by electing one AP as the master AP, which functions as the virtual controller (VC). The master election is based on a master election protocol. The election process to select a master AP/VC is simple: the first IAP that comes online on the network is elected as the master AP/VC. If a master AP/VC fails, a new AP is re-elected as the master AP of the cluster. The master re-election algorithm uses these conditions during a VC failover:

1. An IAP with an alternative uplink (3G or 4G only) receives preference.

2. If an IAP with an alternative uplink is not available, an IAP with more capable hardware (a newer model) receives preference, in the following descending order:

[IAP225 and all newer models] > [IAP134/135 = RAP155] > [IAP104/105 = IAP175 = RAP108/109 = RAP3]

This rule is used only to distinguish older models from newer models.

3. If neither of the previous considerations applies, the IAP with the longest uptime receives preference.

In an Aruba Instant cluster, the master AP/VC failover time varies from 13 seconds to 100 seconds because the VC election algorithm also takes the CPU load on the IAPs in the network into account.

The criteria for new VC election are used only in the case of a VC failover. There is no preemption if a new IAP is plugged into an existing network and meets any of the above-mentioned criteria.

Preferred Master

The master election and re-election process is the default behavior for IAP clusters. In addition to the default master election algorithm, Aruba InstantOS 4.0 lets you manually assign the master AP role. Manual assignment works well in an environment that requires a specific AP with a lower load, an AP with more capable hardware, or an AP with an alternate uplink to always function as the master. The AP that you manually select as the master is known as the preferred master. As long as the preferred master is online, it is the cluster master. If the preferred master goes down because of an uplink failure, the default re-election algorithm elects a new AP as the master. When the preferred master comes back online, it becomes the cluster master again, and the AP that was automatically elected as the master through the re-election algorithm reboots to rejoin the cluster as a regular member AP.


Cluster mechanics

A preferred master never loses its configuration or becomes a slave AP of another master, unless it is on the factory default configuration. It either takes over as master or becomes a single-AP cluster by itself. An existing AP that is not a preferred master can be preempted by a preferred master.

When an IAP x is connected to an active cluster (with an already elected master IAP y):

• IAP x has its configuration replaced by the master’s configuration if IAP x does not have preferred master enabled.

• If IAP x has preferred master enabled, it checks whether the existing cluster’s master AP y has preferred master enabled.

• If the existing cluster’s master IAP y does not have preferred master set, the new IAP x takes over as the new master of the cluster and its configuration is propagated.

• If the existing cluster’s master IAP y also has preferred master set, the new IAP x comes up as a single-IAP cluster by itself if IAP x has a non-default configuration.

• If the existing cluster’s master IAP y also has preferred master set, the new IAP x joins the cluster as a slave if IAP x has the factory default configuration. IAP x downloads the configuration of IAP y.
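The failover ordering listed under Virtual Controller and the preferred-master join rules above can be written down as one small decision model, which makes the "no preemption by a regular IAP" and "two preferred masters" cases easy to check. The Python below is an added illustration for this page, not InstantOS code: the `IAP` data class, the `HW_TIER` table (built from the model ordering in the text) and the function names are assumptions, and the CPU-load factor the text says also influences election is not modelled.

```python
"""Model of Aruba Instant master/VC failover election and the preferred-master
join rules as described in this VRD. Illustrative code added for this page, not
InstantOS source: data shapes, names and the tier table are assumptions, and the
CPU-load factor mentioned in the text is not modelled."""
from __future__ import annotations
from dataclasses import dataclass, field

# Hardware capability tiers derived from the text's ordering:
# [IAP225 and newer] > [IAP134/135 = RAP155] > [IAP104/105 = IAP175 = RAP108/109 = RAP3]
HW_TIER = {
    "IAP225": 3,
    "IAP134": 2, "IAP135": 2, "RAP155": 2,
    "IAP104": 1, "IAP105": 1, "IAP175": 1, "RAP108": 1, "RAP109": 1, "RAP3": 1,
}


@dataclass
class IAP:
    name: str
    model: str
    uptime_s: int                      # seconds since boot
    alt_uplink: bool = False           # 3G/4G uplink present
    preferred_master: bool = False     # "preferred master" flag set by the admin
    factory_default: bool = True       # still on factory default configuration
    config: dict = field(default_factory=dict)


def hw_tier(model: str) -> int:
    """Models not in the table are treated as newer than IAP225 (top tier)."""
    return HW_TIER.get(model, 3)


def elect_master(candidates: list[IAP]) -> IAP:
    """Failover election among the surviving IAPs.

    Preference order from the text: alternative uplink first, then hardware
    tier, then longest uptime. The key tuple is compared lexicographically, so
    each criterion only decides when the earlier ones tie."""
    return max(candidates, key=lambda ap: (ap.alt_uplink, hw_tier(ap.model), ap.uptime_s))


def join_cluster(x: IAP, master: IAP) -> str:
    """Outcome when IAP x is plugged into a cluster whose master is `master`.

    Returns "member" (x adopts the master's config), "takeover" (x becomes
    master and its config is propagated) or "separate-cluster" (x forms a
    single-IAP cluster on its own)."""
    if not x.preferred_master:
        # No preemption: a regular IAP joins as a member regardless of its
        # hardware or uptime, and its configuration is overwritten.
        x.config = dict(master.config)
        return "member"
    if not master.preferred_master:
        # A preferred master displaces a master that is not preferred.
        master.config = dict(x.config)
        return "takeover"
    if x.factory_default:
        # Two preferred masters: a factory-default newcomer downloads the
        # existing master's configuration and joins as a slave.
        x.config = dict(master.config)
        return "member"
    # Two preferred masters, newcomer already configured: it stands alone.
    return "separate-cluster"


if __name__ == "__main__":
    survivors = [IAP("ap1", "IAP105", 90_000), IAP("ap2", "IAP225", 120),
                 IAP("ap3", "IAP135", 50_000, alt_uplink=True)]
    print("new master:", elect_master(survivors).name)   # ap3: alternative uplink wins
```

Running the module picks `ap3` even though `ap2` is the newer model, because the alternative uplink is the first criterion; with `alt_uplink` cleared, `ap2` wins on hardware tier and uptime never gets a say.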

Virtual Controller IP Address

Like any other networking device, every AP in an Aruba Instant cluster has its own physical IP address. When an IAP is connected to a Layer 2 network, the IAP uses a DHCP service to receive an IP address on the default VLAN of the uplink port. You can also statically assign a physical IP address to individual APs. For information about assigning IP addresses statically to an IAP, see the Aruba Instant User Guide that is available at the Aruba support website. Aruba recommends the use of DHCP services to assign IP addresses to APs because it simplifies AP deployment.

The master AP of the cluster assumes the role of the virtual controller. Every AP in an Aruba Instant cluster, including the master AP, has its own physical IP address. In addition to the physical IP addresses of APs, an Aruba Instant cluster can also be assigned a static IP address, known, for management purposes, as the VC IP address. The VC IP address is a floating IP address (that is, a virtual IP address) that is used by an IAP if it is elected as the master AP. The VC IP address is different from the physical IP address of the master AP. If an IAP is elected as the master AP of a cluster, it takes ownership of the VC IP address. The master AP assumes the VC IP address and updates the ARP cache of the upstream network by sending three gratuitous ARP messages with the VC IP address and the Ethernet MAC address of its uplink port (enet0).

By default, any other traffic from the AP is sent untagged by the IAPs. Examples of this traffic are RADIUS, Syslog, and SNMP traffic, as well as the DHCP discover and request messages that are used to obtain the IP address of the AP. You can modify this behavior in certain environments by changing the setting of the Uplink Management VLAN feature. Aruba recommends that you set the uplink management VLAN to its default value and change it only in environments that absolutely require it. For more information, see Uplink Management VLAN.
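Because ownership of the VC IP address is announced by gratuitous ARP (three frames carrying the VC IP and the enet0 MAC of the new master), a monitoring point on the uplink VLAN can log each VC failover and confirm that the claiming MAC belongs to an IAP in the cluster inventory. The Python below is an added example for this page, not Aruba code: it parses raw Ethernet/ARP bytes, the inventory dictionary and helper names are assumptions, and the frames in the demo are constructed rather than captured.

```python
"""Detect and validate gratuitous ARP announcements for the Instant VC IP.
Added example for this page, not Aruba code. The inventory mapping, the
function names and the sample frames are constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_ARP = 0x0806
ETH_HDR_LEN = 14
ARP_LEN = 28          # fixed size for Ethernet/IPv4 ARP


@dataclass
class ArpPacket:
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """Parse an Ethernet II frame carrying IPv4 ARP; None for anything else."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return ArpPacket(opcode, mac_str(body[0:6]), ip_str(body[6:10]),
                     mac_str(body[10:16]), ip_str(body[16:20]))


def is_gratuitous(arp: ArpPacket) -> bool:
    """A gratuitous ARP announces the sender's own binding: sender IP == target IP."""
    return arp.sender_ip == arp.target_ip


def check_vc_announcement(frame: bytes, vc_ip: str, inventory: dict) -> Optional[str]:
    """Return None for frames that are not VC announcements; otherwise an 'ok'
    line when the claiming MAC is a known IAP enet0 MAC, or an 'alert' line
    when it is not. `inventory` maps enet0 MAC -> IAP name."""
    arp = parse_arp(frame)
    if arp is None or not is_gratuitous(arp) or arp.sender_ip != vc_ip:
        return None
    name = inventory.get(arp.sender_mac)
    if name:
        return f"ok: VC IP {vc_ip} now owned by {arp.sender_mac} ({name})"
    return f"alert: VC IP {vc_ip} announced by MAC {arp.sender_mac} not in IAP inventory"


def build_gratuitous_arp(sender_mac: bytes, ip: str, opcode: int = 2) -> bytes:
    """Construct a gratuitous ARP frame for testing (constructed, not captured)."""
    ip_raw = bytes(int(o) for o in ip.split("."))
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sender_mac + ip_raw + b"\x00" * 6 + ip_raw
    return eth + arp


if __name__ == "__main__":
    # Constructed inventory: locally administered MACs, not real devices.
    inventory = {"02:00:00:00:00:01": "iap-lobby", "02:00:00:00:00:02": "iap-floor2"}
    vc_ip = "10.20.1.10"           # assumed VC IP for the demo
    frames = [
        build_gratuitous_arp(bytes.fromhex("020000000002"), vc_ip),          # failover to iap-floor2
        build_gratuitous_arp(bytes.fromhex("020000000099"), vc_ip),          # claimant not in inventory
        build_gratuitous_arp(bytes.fromhex("020000000001"), "10.20.1.77"),   # unrelated address
    ]
    for f in frames:
        print(check_vc_announcement(f, vc_ip, inventory))
```

Feeding the three constructed frames through `check_vc_announcement` yields an `ok` line for the known IAP, an `alert` line for the unknown MAC, and `None` for the unrelated address, so the same function can sit behind a packet capture loop and emit only the events worth logging. Keeping the inventory in sync with the IAPs added to the cluster is what makes the check meaningful.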

Role of a Virtual Controller

If an AP is selected as the master and it assumes the virtual controller role, the master AP performs the VC functions in addition to all the regular functions that are also performed by the member APs in the cluster. These are the VC functions of a master AP in an Aruba Instant cluster:

Management plane functions of a virtual controller:

• Aruba Instant cluster configuration synching: In an IAP cluster, you only need to configure the master AP that functions as the VC. All other APs in the cluster download their configuration from the master AP. Any configuration change that is pushed from the management platform or configured over the GUI of the VC is synchronized to the other APs in the cluster.

• Aruba Instant cluster monitoring: In an IAP cluster, the VC assumes the monitoring role. All APs in the cluster periodically update the VC with their status. The VC consolidates all of this monitoring data, presents the data on its local WebUI, and pushes the data to management platforms, such as AirWave and Aruba Central.

• Aruba Instant firmware image management: The VC handles the image management in an IAP cluster. The VC ensures that all APs in the cluster are upgraded to the correct image version before rebooting the cluster.

• Communication with management platforms: Management platforms, such as AirWave and Aruba Central, communicate only with the VC of the cluster. The VC sends periodic updates of cluster monitoring data to the management platforms. Management platforms also push cluster configuration changes to the VC, which, in turn, updates the other APs in the cluster.

Control plane functions of a virtual controller:

l Dynamic RADIUS proxy (DRP): In an Aruba Instant cluster, the initial client authentication is handled by the APto which the client is connecting to and not by themaster AP. This means that youmust add each AP in an ArubaInstant as a NAS client on a RADIUS server. In certain environments, youmight not want to add each AP as aNAS client. DRP makes the VC the proxy for RADIUS exchanges. When you enable DRP, all APs in a clusterforward RADIUS exchangemessages to the VC, which acts as a RADIUS proxy. For more information, seeDynamic RADIUS Proxy.

l Handling Change of Authorization (CoA): The RADIUS protocol, which is defined in RFC 2865, does notsupport unsolicitedmessages that are sent from aRADIUS server to a network access server (NAS). However,in certain circumstances, session characteristics might need to be changed without requiring the NAS to initiatethe exchange. The extensions that are defined in RFC 3576 allow a RADIUS server to send unsoliciteddisconnect or CoA messages to a NAS. In an Aruba Instant cluster, the RADIUS server sends RFC 3576-compliant messages to the VC, which then performs the necessary action.

l DHCP server for client VLANs: When you configure the Aruba Instant cluster as the DHCP server for a specificclient VLAN, the DHCP server functions are handled by the VC.

Data plane functions of a virtual controller:

l Handling traffic for magic VLANs and VLANs that are local to the Aruba Instant cluster: When you set upan SSID on an Aruba Instant network, client IP address assignment can be set to the VC-assigned option. (Thisconfiguration is also referred to as amagic VLAN.) If you select this option, the client obtains its IP address fromthemagic VLAN of themaster AP (that is, the VC). A magic VLAN is a private subnet that is created on themaster AP for client IP address assignment. A magic VLAN differs from a traditional VLAN. The client traffic on amagic VLAN is always source NATed by themaster AP and themaster AP functions as the DHCP server formagic VLAN. For more information about client IP address assignment using the VC-assigned option, see VirtualController-Assigned IP Addresses.

l Handling traffic for VLANs that are local to the Aruba Instant cluster: The Aruba Instant cluster lets youdefine VLANs such as local, centralized Layer 2, distributed Layer 2, centralized Layer 3, and distributed Layer 3VLANs. (For more information, see Understanding Instant-VPN Modes and Configuring VLANs for Layer 2Modes.) The DHCP definitions for these VLANs reside on the Aruba Instant cluster. The client traffic on theseVLANs flows through the VC of the cluster. For more information about the traffic flow for these VLANs, seeTraffic Flows in an Aruba Instant Cluster.

l Handling traffic when source NATing is required: In an Aruba Instant network, the VC performs source NATing of any client traffic that requires it.

Instant communications

The following are the major entities with which an IAP in a cluster communicates:


l Master and Slave APs – Intra cluster

l Between master APs of different clusters – Inter cluster

l IAP and Airwave server

l IAPs and RADIUS server

l IAPs and XML API server

l IAPs and Provisioning server

l IAP and VPN end point

l IAPs and External Web Content classification lookup servers

l IAPs and Monitoring servers (Syslog/SNMP)

Intra cluster communication

There are two major types of communication between APs in a cluster:

l L2 Broadcast messages for cluster maintenance and roaming

The master AP sends out a Layer 2 “beacon” message every second to announce that it is currently active. This helps new APs discover the master and join the cluster, and lets existing APs detect master failover and take over as master of the cluster.

There is also a session request message for Layer 2 roaming. When a client roams between APs in a cluster, a session request message is used to transfer client session and role data between APs.

Sample frame for L2 communication:

l L3 unicast messages between IAPs (master and slave)

UDP messages on port 8211 are exchanged between master and slave APs for configuration sync, firmware upgrade, and control-plane messaging between APs.

Sample frame for L3 unicast communication:


Inter cluster communication

When L3 mobility is enabled, the master APs of each cluster communicate with each other to enable roaming of clients. Mobility messages use UDP port 8211 between the two master APs of the clusters. Following the initial exchange, the foreign AP sets up a GRE tunnel with the home AP.

IAP & AirWave

IAP & RADIUS server

Based on the RADIUS proxy configuration, either the individual AP or the master AP communicates with the RADIUS server.

Two specific RADIUS communication messages are possible:

l RADIUS authentication requests using a configurable UDP port

l RADIUS accounting requests using a configurable UDP port


RADSEC is a special type of RADIUS communication whose primary use case is to interface with the CloudGuest Server. However, it is also possible to use RADSEC with any server using a configurable TCP port.

IAP & XML API

l The IAP supports an XML API interface to authorize role changes

l The XML API server communicates with the IAP using SSL – TCP port 443

l The communication can be secured using a shared key or can use clear-text

l The servers allowed to communicate can be controlled by using a list of server IPs/subnets that can authorize a change using the XML API interface

IAP & Activate/Provisioning server

l The IAP communicates with an Aruba-owned provisioning server for provisioning, periodic reporting, and firmware checks

l This uses DNS for resolution of server IP and all communication uses SSL (TCP port 443)

IAP & VPN end point

l IAP supports VPN termination using either IPSec or GRE

l GRE termination is supported with both Aruba and non-Aruba devices that support standard EoGRE

l GRE using Aruba GRE uses UDP 4500 for secure control channel establishment with the controller and uses GRE with a configurable GRE type for all data connections

l GRE using Manual GRE uses GRE with a configurable GRE type for all data connections

l IPSec termination is supported using either an Aruba controller with certificates or standard VPN end points with a PSK

l IPSec with an Aruba controller uses certificates stored in the secure TPM of the AP for IKEv2 using NAT-T (UDP 4500)

l IPSec with third-party devices only supports PSK-based IKEv2

IAP & Web CC lookup

l The AppRF service on the IAP uses a third-party lookup service.

l The communication with that service involves DNS resolution of aruba.brightcloud.com and an HTTP lookup for content classification

IAP & SNMP/syslog communication

l The IAP can be configured to use a syslog server, which uses UDP port 514 for communication

l The IAP uses UDP ports 161/162 for SNMP services (polling and sending traps)
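The communication paths listed in this section translate directly into the allow-list a firewall between the AP VLAN and the rest of the network should carry, and into a baseline for reviewing flow records from that VLAN. The following is an added example, not code from the VRD or from Aruba, that classifies observed flows against those paths and reports anything that does not match (for instance, UDP 8211 cluster control traffic from an address that is not a cluster member). Port numbers are the ones stated in this section; 1812/1813 are assumed as the standard RADIUS defaults (the VRD only says the ports are configurable) and TCP 80 is assumed for the HTTP content-classification lookup; every address and flow record is a constructed placeholder.

```python
"""Added example (not from the VRD or Aruba): match IAP flows against the
communication paths of this section. Ports are from the text except the
assumed RADIUS defaults 1812/1813 and HTTP 80; addresses are constructed."""
from dataclasses import dataclass

UDP, TCP, GRE = "udp", "tcp", "gre"
CLUSTER_PORT = 8211            # master<->slave and master<->master control (UDP)
NATT_PORT = 4500               # IKEv2 NAT-T and Aruba GRE control channel (UDP)
XMLAPI_PORT = 443              # XML API server -> IAP (SSL)
SYSLOG_PORT, SNMP_POLL, SNMP_TRAP = 514, 161, 162


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int = 0             # 0 for port-less protocols such as GRE


@dataclass
class ClusterProfile:
    members: frozenset                              # IAPs of this cluster
    peer_masters: frozenset = frozenset()           # masters of other clusters (L3 mobility)
    radius_servers: frozenset = frozenset()
    radius_ports: frozenset = frozenset({1812, 1813})   # assumption: standard defaults
    xmlapi_servers: frozenset = frozenset()
    vpn_endpoints: frozenset = frozenset()
    cloud_services: frozenset = frozenset()         # resolved Activate / WebCC addresses
    syslog_servers: frozenset = frozenset()
    snmp_managers: frozenset = frozenset()


def classify(flow, p):
    """Label a flow with the documented path it matches, or a string
    starting with 'unexpected' when the section describes no such path."""
    s_member, d_member = flow.src in p.members, flow.dst in p.members
    to_peer = s_member and flow.dst in p.peer_masters
    from_peer = flow.src in p.peer_masters and d_member
    if flow.proto == UDP and flow.dport == CLUSTER_PORT:
        if s_member and d_member:
            return "intra-cluster control (UDP 8211)"
        if to_peer or from_peer:
            return "inter-cluster mobility (UDP 8211)"
        return "unexpected: cluster control port from/to non-member"
    if flow.proto == GRE:
        if to_peer or from_peer:
            return "L3 mobility GRE tunnel"
        if s_member and flow.dst in p.vpn_endpoints:
            return "VPN data (GRE)"
        return "unexpected: GRE with unknown peer"
    if s_member and flow.dst in p.radius_servers and flow.proto == UDP and flow.dport in p.radius_ports:
        return "RADIUS authentication/accounting"
    if flow.src in p.xmlapi_servers and d_member and flow.proto == TCP and flow.dport == XMLAPI_PORT:
        return "XML API role change (TCP 443)"
    if s_member and flow.dst in p.vpn_endpoints and flow.proto == UDP and flow.dport == NATT_PORT:
        return "VPN control (IKEv2 NAT-T / Aruba GRE, UDP 4500)"
    if s_member and flow.dst in p.cloud_services and flow.proto == TCP and flow.dport in (443, 80):
        return "Activate / WebCC lookup"
    if s_member and flow.dst in p.syslog_servers and flow.proto == UDP and flow.dport == SYSLOG_PORT:
        return "syslog (UDP 514)"
    if flow.src in p.snmp_managers and d_member and flow.proto == UDP and flow.dport == SNMP_POLL:
        return "SNMP poll (UDP 161)"
    if s_member and flow.dst in p.snmp_managers and flow.proto == UDP and flow.dport == SNMP_TRAP:
        return "SNMP trap (UDP 162)"
    return "unexpected: no matching communication path"


def audit(flows, p):
    """Return (flow, label) for every flow that matches no documented path."""
    out = []
    for f in flows:
        label = classify(f, p)
        if label.startswith("unexpected"):
            out.append((f, label))
    return out


# Constructed sample: a two-IAP cluster, one peer master, and a few servers.
PROFILE = ClusterProfile(
    members=frozenset({"10.0.10.11", "10.0.10.12"}),
    peer_masters=frozenset({"10.0.20.11"}),
    radius_servers=frozenset({"10.0.1.5"}),
    xmlapi_servers=frozenset({"10.0.1.9"}),
    syslog_servers=frozenset({"10.0.1.20"}),
    snmp_managers=frozenset({"10.0.1.20"}),
)
SAMPLE_FLOWS = [
    Flow("10.0.10.11", "10.0.10.12", UDP, 8211),   # master/slave config sync
    Flow("10.0.10.11", "10.0.20.11", UDP, 8211),   # L3 mobility between masters
    Flow("10.0.10.11", "10.0.20.11", GRE),         # mobility tunnel
    Flow("10.0.10.12", "10.0.1.5", UDP, 1812),     # RADIUS authentication
    Flow("10.0.1.9", "10.0.10.11", TCP, 443),      # XML API role change
    Flow("10.0.10.11", "10.0.1.20", UDP, 514),     # syslog
    Flow("192.0.2.77", "10.0.10.11", UDP, 8211),   # cluster control from a stranger
    Flow("10.0.10.12", "10.0.1.5", TCP, 23),       # undocumented: telnet to RADIUS host
]
```

Feeding real flow records through audit() over a day of traffic gives a short list to review; the XML API entry is worth special attention because, as the section notes, that interface may run with a shared key or in clear text, so restricting its sources to the configured server list is the only control on who can change a client's role.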


Instant Access Points Portfolio

The Aruba AP product line includes the traditional controller-based APs, Aruba Instant APs (IAPs), and remote APs (RAPs). Aruba controller-based APs start with part number AP-xxx, the IAPs with part number IAP-xxx, and RAPs with part number RAP-xxx. A controller-based AP that has the same model number (that is, the xxx in the part number) as an Instant-based AP has the same hardware specifications. For example, the controller-based AP with part number AP-135 has the same hardware specifications as the Instant-based AP with part number IAP-135. The key difference with an IAP is that it ships with Aruba InstantOS and, if needed, can be converted to a controller-based AP. All new RAP models also ship with Aruba InstantOS and, if needed, can be converted to controller-based RAPs.

You cannot convert a controller-based AP (for example, the AP-135) to an Instant-based AP.

Table 2 summarizes the different Aruba Instant AP models.

| IAP Model | Radios | RF Band (GHz) | 802.11 modes | TxR:S | Antenna and Mounting Type | Power | Ethernet Ports | USB Ports |
|---|---|---|---|---|---|---|---|---|
| IAP-325 | 2 | 2.4 & 5 | a/b/g/n/ac | 4x4:4 | Internal Omni downtilt - Ceiling Mount | PoE/PoE+ (3af/3at) or External Adapter | 2xGE | 1 |
| IAP-324 | 2 | 2.4 & 5 | a/b/g/n/ac | 4x4:4 | External Antennas - Wall, Ceiling, and Flat Surfaces Mount | PoE/PoE+ (3af/3at) or External Adapter | 2xGE | 1 |
| IAP-225 | 2 | 2.4 & 5 | a/b/g/n/ac | 3x3:3 | Internal Omni downtilt - Ceiling Mount | PoE/PoE+ (3af/3at) or External Adapter | 2xGE | 1 |
| IAP-224 | 2 | 2.4 & 5 | a/b/g/n/ac | 3x3:3 | External Antennas - Wall, Ceiling, and Flat Surfaces Mount | PoE/PoE+ (3af/3at) or External Adapter | 2xGE | 1 |
| IAP-215 | 2 | 2.4 & 5 | a/b/g/n/ac | 3x3:3 | Internal Omni downtilt - Ceiling Mount | PoE/PoE+ (3af/3at) or External Adapter | 2xGE | 1 |
| IAP-214 | 2 | 2.4 & 5 | a/b/g/n/ac | 3x3:3 | External Antennas - Wall, Ceiling, and Flat Surfaces Mount | PoE/PoE+ (3af/3at) or External Adapter | 2xGE | 1 |
| IAP-205H | 2 | 2.4 & 5 | a/b/g/n/ac | 2x2:2 | Internal Omni - Desktop & Wall mount | PoE/PoE+ (3af/3at) or External Adapter | 1xGE + 3xGE | 1 |
| IAP-205 | 2 | 2.4 & 5 | a/b/g/n/ac | 2x2:2 | External Antennas - Wall, Ceiling, and Flat Surfaces Mount | PoE/PoE+ (3af) or External Adapter | 2xGE | 1 |
| IAP-204 | 2 | 2.4 & 5 | a/b/g/n/ac | 2x2:2 | External Antennas - Wall, Ceiling, and Flat Surfaces Mount | PoE/PoE+ (3af) or External Adapter | 2xGE | 1 |
| IAP-103H | 2 | 2.4 & 5 | a/b/g/n | 2x2:2 | Internal Omni - Wall mount | PoE/PoE+ (3af) or External Adapter | 1xGE + 2xFE | No |
| IAP-103 | 2 | 2.4 & 5 | a/b/g/n | 2x2:2 | Internal Omni downtilt - Ceiling Mount | PoE/PoE+ (3af) or External Adapter | 1xGE | No |
| IAP-228 | 2 | 2.4 & 5 | a/b/g/n/ac | 3x3:3 | External Antennas - 6xRP-SMA type connectors (3 per radio) | PoE+ (3at) or External Power | 2xGE | No |
| IAP-274 | 2 | 2.4 & 5 | a/b/g/n/ac | 3x3:3 | External Antennas - 6xN type connectors (3 per radio) | PoE+ (3at) or External Power | 2xGE | No |
| IAP-275 | 2 | 2.4 & 5 | a/b/g/n/ac | 3x3:3 | Internal Omni - 5dBi | PoE+ (3at) or External Power | 2xGE | No |
| IAP-277 | 2 | 2.4 & 5 | a/b/g/n/ac | 3x3:3 | Internal Omni - 6.5dBi | PoE+ (3at) or External Power | 2xGE | No |
| RAP-155P | 2 | 2.4 & 5 | a/b/g/n | 2x2:2 (2.4GHz), 3x3:3 (5GHz) | Internal Omni - Desktop mount | External Power; 54 VDC power interface. 802.3af on E1 & E2, or 802.3at on E1 or E2. | 5xGE uplink | Yes |
| RAP-155 | 2 | 2.4 & 5 | a/b/g/n | 2x2:2 (2.4GHz), 3x3:3 (5GHz) | Internal Omni - Desktop mount | External Power; 12 VDC power interface. | 5xGE uplink | Yes |
| RAP-3WNP | 1 | 2.4 | b/g/n | 2x2:2 (2.4GHz) | Internal Omni - Desktop mount | AC input: 100-240 volts AC/0.75 A; DC output: 48 volts DC/0.75 A; 802.3af PoE (15.4 watts) on the E2 port. | 3xFE uplink | Yes |
| RAP-3WN | 1 | 2.4 | b/g/n | 2x2:2 (2.4GHz) | Internal Omni - Desktop mount | AC input: 100-240 volts AC/0.5 A; DC output: 12 volts DC/1.5 A | 3xFE uplink | Yes |
| RAP-109 | 2 | 2.4 & 5 | a/b/g/n | 2x2:2 | Internal Omni and Desktop & Wall Mount | PoE or External adapter | 2 | 1 |
| RAP-108 | 2 | 2.4 & 5 | a/b/g/n | 2x2:2 | External Antennas and Desktop & Wall and Flat Surfaces Mount | PoE or External adapter | 2 | 1 |

Table 2: Aruba Instant APs

To prevent inconsistent client connections, Aruba recommends that you do not enable band steering when you combine single and dual-radio APs in the same area. Dual-radio APs and single-radio air monitors (AMs) can be used in the same area.


How the Instant Solution Fits the Needs of Various Enterprises

Aruba Instant Solution for Small and Medium Enterprises

An organization with a workforce that ranges from a hundred to a few thousand users is often categorized as a small or medium enterprise. Although the density of users and devices in these organizations is not as concentrated as in large enterprises, the demand for a high-performing WLAN is the same as in a large enterprise. Like the IT teams of large enterprises, the IT teams in small or medium enterprises must provide a high-performance WLAN that can support the continuing growth in mobile devices, including bring your own devices (BYODs).

Unlike large enterprises, small and medium enterprises are often faced with the challenge of limited IT staff with little or no expertise in deploying secure WLAN systems. So, the key requirement of small and medium enterprises is an enterprise-grade WLAN solution that is easy to deploy and maintain. The secure and scalable Aruba Instant solution, with its enterprise-grade features and ease of deployment and management, is an ideal choice for these small and medium enterprises.

The design of an Aruba Instant network for a small or medium enterprise depends on the size and physical layout of the organization. From a physical layout perspective, most small enterprises are single-building campuses that host a few hundred users. These small enterprises can usually be covered by a single Aruba Instant cluster.

Medium enterprises usually consist of a collection of buildings that are interconnected by dark fiber within the same geography. The buildings of a medium enterprise are typically within a contiguous RF domain and can be deployed as a single Aruba Instant cluster or as multiple Aruba Instant clusters, depending on the physical layout, size, and device density.

Figure 2 and Figure 3 show an overview of an Aruba Instant design for a small and a medium enterprise.

Figure 2 Diagram of an Aruba Instant design for a small enterprise

Figure 3 Diagram of an Aruba Instant design for a medium enterprise

An Aruba Instant solution for small and medium enterprises includes these key components:

l Instant Access Points: IAPs are the basis of an Aruba Instant WLAN system. In a campus deployment, IAPs provide all core functionalities of a WLAN, such as client access for employees and guests, traffic engineering, a stateful firewall, QoS, mobility, Adaptive Radio Management (ARM), a wireless intrusion prevention system (WIPS), AirGroup services (for example, plug-and-play services), and spectrum analysis.

l ClearPass: The ability to support BYOD initiatives and guest services is essential in enterprise deployments. Aruba ClearPass is the only standards-based BYOD solution that integrates every critical aspect of BYOD (network access control (NAC), mobile device management (MDM), and mobile application management (MAM)) into a single platform. With ClearPass, IT can manage network policies, onboard and manage devices, admit guest users, assess device health, and even securely distribute and manage work applications through a single pane of glass, on any network.

l AirWave or Aruba Central: You can manage small deployments that are served with a single Aruba Instant cluster through the local WebUI of a VC. However, when a deployment includes multiple Aruba Instant clusters, you need a central management platform to manage the different Aruba Instant clusters. Aruba provides two management options for Aruba Instant deployments: AirWave and Aruba Central. AirWave is an in-house appliance (much like a private cloud) that provides monitoring, configuration, firmware management, and troubleshooting for Aruba Instant networks. Aruba Central is a public cloud-based management platform that provides monitoring, configuration, firmware management, and troubleshooting for Aruba Instant networks. (For more information, see Figure 4 and Figure 5.)

l Aruba Activate: One of the key challenges in deployments that include multiple interconnected buildings is deployment of APs. Aruba addresses this challenge with Aruba Activate, which is a cloud-based, zero-touch provisioning system. Aruba Activate provides plug-and-play capability to an Aruba Instant cluster, which allows rapid deployment of Aruba Instant clusters with minimal or no IT expertise.


In addition to small and medium enterprises, Aruba Instant is also ideal for certain deployments such as K-12 school districts that mimic a collection of small or medium enterprises. K-12 school districts include a group of high schools, middle schools, and elementary schools that are geographically spread within a limited area such as a district. Most of these schools are interconnected by dark fiber or Metro Ethernet and represent a network that serves several thousands of users and devices. Schools in a K-12 school district are usually spread out in such a way that they do not fall under a contiguous RF domain. However, the individual schools themselves often mimic a small or medium enterprise. In other words, each of these schools can be a single or multi-building site within a contiguous RF domain, hosting hundreds or a few thousands of users and devices. Similar to small or medium enterprises, K-12 school districts have limited IT staff and require a high-performance WLAN that is easy to deploy and manage. The Aruba Instant solution is well suited for K-12 deployments.

Figure 4 and Figure 5 show a K-12 school district with an AirWave and an Aruba Central management deployment, respectively.

Figure 4 Diagram of a K-12 district with AirWave management

Figure 5 Diagram of a K-12 district with Aruba Central management


Aruba Instant Solution for Distributed Enterprises

A distributed enterprise is an operation with multiple locations that are geographically distributed across a limited geography or across the entire globe. These days, organizations are more distributed than ever because of the cost saving and increased productivity that is associated with employing a distributed workforce. A distributed enterprise might be a collection of branch offices, home offices, or a combination of both. The number of distributed sites and the user density at these sites vary across organizations. The way in which the remote sites connect to the data center or headquarters also varies. Some enterprises use services such as MPLS, while others use VPNs. In general, distributed enterprises can be classified as follows:

l Branch office deployments

l Home office deployments

Because distributed enterprises often include remote sites that have limited or no IT support, the Aruba Instant solution, with its zero-touch provisioning, multiple uplink options, enterprise features, and VPN capabilities, is ideal for distributed enterprise deployments.

The following figures show Aruba Instant designs for distributed enterprises that use MPLS with AirWave management (Figure 6), MPLS with Aruba Central management (Figure 7), home offices with VPNs (Figure 8), and branch offices with VPNs (Figure 9).

Figure 6 Distributed enterprise that uses MPLS and AirWave


Figure 7 Distributed enterprise that uses MPLS and Aruba Central

Figure 8 Distributed enterprise with home or branch offices connecting over VPN

An Aruba Instant solution for a distributed enterprise includes the following key components:

l Instant Access Points: IAPs are the basis of an Aruba Instant WLAN system. In a remote deployment, IAPs provide all core functionalities such as VPN capabilities, uplink redundancy, client access for employees and guests, traffic engineering, a stateful firewall, QoS, mobility, Adaptive Radio Management (ARM), a wireless intrusion prevention system (WIPS), and spectrum analysis.

l Aruba Controllers: In distributed enterprises that require an Aruba Instant-VPN solution, the Aruba controllers function as VPN concentrators that terminate VPN tunnels from Aruba Instant clusters at remote sites. Depending on the Aruba controller platform, each controller can support thousands of Aruba Instant-VPN branches. For information about controller limits, see WLAN Controller Scalability for Instant-VPN deployments.

l ClearPass: Depending on the type of distributed enterprise deployment, network administrators must be able to support employee access, BYOD initiatives, and guest services. Aruba ClearPass is the only standards-based BYOD solution that integrates every critical aspect of BYOD (network access control (NAC), mobile device management (MDM), and mobile application management (MAM)) into a single platform. With ClearPass, network administrators of distributed enterprises can manage network policies, onboard and manage devices, admit guest users, assess device health, and even securely distribute and manage work applications through a single pane of glass.

l AirWave or Aruba Central: Most organizations with remote networking have hundreds or even thousands of remote sites. Managing each of these remote locations using the local WebUI on a VC is not feasible. Aruba provides two management options to manage, monitor, and troubleshoot these remote networks: AirWave and Aruba Central. AirWave is an in-house appliance (much like a private cloud) that provides monitoring, configuration, firmware management, and troubleshooting for Aruba Instant networks. Aruba Central is a public cloud-based management platform that provides monitoring, configuration, firmware management, and troubleshooting for Aruba Instant networks.

l Aruba Activate: One of the key challenges in deployments with remote networks is the lack of on-site IT support. The ability to roll out thousands of remote sites with minimal effort is critical to IT teams. Aruba Activate addresses the deployment challenges of remote networks. Aruba Activate is a cloud-based, zero-touch provisioning system that provides plug-and-play capability to an Aruba Instant network and allows rapid deployment of Aruba Instant-based remote sites.

Aruba Instant Solution for Hybrid Deployments

As organizations become more distributed, network administrators might need to support large sites that resemble a campus network and also remote workers. Organizations that have large campus sites and remote networks are considered hybrid deployments. Hybrid deployments are becoming common, so network administrators need a solution that addresses the demands of both campus and remote networks. The Aruba WLAN offering is an ideal solution for hybrid networks.

Aruba Instant is ideal for hybrid organizations with small-to-medium campuses and thousands of remote sites. If a campus in a hybrid organization grows to thousands of APs, Aruba Instant can be Distributed enterprise with home or branch offices connecting over VPN.

Figure 9 Distributed enterprise with home or branch offices connecting over VPN

Chapter 3 Designing Enterprise Networks with Aruba Instant

The needs and requirements of small and medium enterprises make Aruba Instant the ideal choice in these deployments. Design of an enterprise WLAN is influenced by several factors such as the number of users and devices, types of devices and applications, type of facility and its RF coverage zones, security, QoS requirements, and so on. Designing and optimizing a WLAN network can easily become a complex assignment. To simplify the design of an enterprise WLAN, you can apply a phased approach to a WLAN design. In general, you can divide a WLAN design into the following categories:

l Physical and logical design: In a distributed architecture, the APs work together to provide the necessary functionality without a dedicated physical controller. The physical and logical design in a distributed architecture includes the AP selection process, Layer 2 and Layer 3 design for the end users and APs, and the logical clustering of APs based on roaming patterns and physical boundaries.

l RF design: The RF design determines the number of required APs, the optimal AP locations, and how the RF feature set can be optimized.

l Authentication and security design: The authentication and security design includes selecting the appropriate type of authentication for users and devices, integrating the AAA servers, and securing the network against rogue APs and wireless attacks.

l Quality of Service (QoS) design: The QoS design includes optimizing the WLAN and underlying infrastructure for latency-sensitive applications such as voice and video.

l Design for plug-and-play services: This design includes determining the plug-and-play services such as Bonjour and optimizing the network for such services.

This chapter describes the Aruba Instant design for small and medium enterprises under these categories.

Aruba Instant Solution Basic Concepts

Before you start a WLAN design with Aruba Instant, you must understand some of the basic concepts of the Aruba Instant solution.

VLANs in an Aruba Instant Cluster

An Aruba Instant cluster has two basic types of VLANs:

l AP VLAN: The VLAN to which the APs in a cluster are connected is called the AP VLAN. In most deployments, this VLAN is the native VLAN of the trunk port to which an AP connects. Aruba recommends that you enable DHCP services on the AP VLAN to facilitate AP deployment. However, if required, you can assign static IP addresses to IAPs.

l Client VLAN: This VLAN is assigned to the clients that connect to the Aruba Instant cluster. These clients receive their IP address on the client VLAN that is assigned to them. In an Aruba Instant cluster, the client VLAN and client IP addresses can be assigned in the following ways:

l Virtual-controller assigned

l Network-assigned

Aruba Instant Solution Basic Concepts shows the client IP assignment and VLAN assignment options.


Client IP assignment with the “Virtual Controller assigned” option

In an Aruba Instant network, if a client connects to an SSID that is configured for the “Virtual Controller assigned” option (see Aruba Instant Solution Basic Concepts), the VLAN that is assigned to the client is called a magic VLAN.

A magic VLAN has the following characteristics:

l The master AP (virtual controller) is the DHCP server and the default gateway for the clients on the VLAN.

l DHCP requests on the magic VLAN are forwarded to the master AP of the cluster on the AP VLAN.

l Unicast packets from the clients are forwarded to the master AP and the master AP performs source NATing.

l If a client on a magic VLAN is connected to a member AP, the traffic from the clients is forwarded to the master AP on the AP VLAN. Therefore, do not use a magic VLAN in environments that require VLAN-based segregation between client traffic and AP traffic.

l Broadcast and multicast packets from the client are not allowed to go through the uplink port of an IAP. In other words, the broadcast and multicast traffic on the magic VLAN is not forwarded to the uplink by individual IAPs.

l Communication between clients on a magic VLAN is through the master AP, that is, clients on the magic VLAN cannot directly communicate with each other.

l In an Aruba Instant cluster, you can define only a single DHCP scope for a magic VLAN. In other words, you cannot use multiple magic VLANs in an Aruba Instant cluster.

Figure 10 is a screen shot of the DHCP server options for a magic VLAN.

Figure 10 DHCP scope definition for a magic VLAN

l You do not need to add a magic VLAN to the uplink switches that connect the IAPs of an Aruba Instant cluster.

A magic VLAN is designed to simplify guest WLAN implementation. When you add a guest WLAN, a magic VLAN can process the guest traffic on the network without any modification to the underlying wired infrastructure (that is, you do not need to add a VLAN). When you use the “Virtual Controller assigned” option for an SSID, all client traffic on that SSID is forwarded on the AP VLAN to the master AP and the master AP performs source NATing. Do not use the VC-assigned IP address option if you need VLAN-based segregation between guest traffic and the AP VLAN.

Client IP assignment with the “Network assigned” option

The network can also assign a client IP address in an Aruba Instant cluster. Client IP address assignment by the network includes the following options (see also Aruba Instant Solution Basic Concepts):

l Default: The default VLAN to which the IAP is connected is also assigned to clients, that is, the AP VLAN is the same as the client VLAN. Aruba does not recommend this option for an Aruba Instant cluster because user traffic is forwarded on the same VLAN that is used to manage the IAPs.

l Static: A specific VLAN ID must be assigned to the clients that connect to the SSID. This VLAN ID can be either a VLAN that connects to a DHCP server on the wired network or a VLAN for which the Aruba Instant cluster is the DHCP server. For information about defining a DHCP server and its associated VLANs on an Aruba Instant cluster, see Understanding Instant-VPN Modes. As part of the static settings, you can also define VLAN pools. For more information about defining VLAN pools, see the Aruba Instant User Guide that is available at the Aruba support website.


l Dynamic: You can define VLAN derivation rules to assign users dynamically to different VLANs based on several attributes. For more information about dynamic VLAN assignment, see the Aruba Instant User Guide that is available at the Aruba support website.

If a client belongs to a VLAN for which the master AP is not the DHCP server or the default gateway, the client traffic leaves from the IAP to which the client is connected and does not flow through the master AP. However, if a client belongs to a VLAN for which the master AP is the DHCP server, the client traffic flows through the master AP. Client traffic from a member AP to the master AP is always bridged and not tunneled.

For recommendations about client IP address assignment, see Physical and Logical Design.

Traffic Flows in an Aruba Instant Cluster

In a WLAN network, two primary types of traffic exist: AP-generated traffic and client-generated traffic.

AP Traffic

In an Aruba Instant cluster, AP-generated traffic includes RADIUS transactions, management traffic, communications between APs, SNMP traffic, Syslog traffic, and so on. This AP-generated traffic is forwarded on the AP VLAN. The AP VLAN in an Aruba Instant cluster is the default VLAN of the port (that is, the native VLAN of a trunk port) to which the AP is connected. Therefore, any AP-generated traffic is untagged. However, certain environments might require AP traffic to be tagged. The uplink VLAN management feature allows you to tag AP traffic. For more information, see Uplink Management VLAN.

Client Traffic

Each device in an Aruba Instant cluster is assigned a user role. Client traffic in an Aruba Instant cluster is first examined by the stateful firewall of the IAP to which the client is connected before being forwarded to the uplink network with the appropriate client VLAN tag. For example, if a client is assigned an IP address in VLAN 20 using the static network-assigned IP address option (for more information, see Network-Assigned IP Addresses), the client traffic is forwarded to the uplink of the AP with VLAN tag 20. The uplink switch that connects the IAPs in an Aruba Instant cluster must support all client VLANs on that cluster. For example, if VLAN 10, VLAN 20, and VLAN 30 are used as client VLANs in an Aruba Instant cluster, the uplink network that connects the IAPs must support tagged VLANs 10, 20, and 30. The only exception to this rule is the WLAN configuration that uses a magic VLAN for clients (for more information, see Virtual Controller-Assigned IP Addresses).

The client traffic flow in an Aruba Instant cluster also depends on whether the master AP is the DHCP server for the client VLAN. Aruba Instant deployments typically have these types of client VLANs and traffic:

l VLAN managed by an uplink network: A VLAN that is managed by the uplink network. For example, if VLAN 20 is managed by the uplink network and is mapped to the “Employee” SSID, the client traffic is examined by the firewall of the IAP to which the client is connected, bridged to VLAN 20, and does not flow through the master AP of the cluster.

l VLAN with a DHCP server on an Aruba Instant network: A VLAN for which the DHCP server is on the master AP of the Aruba Instant cluster. This type of VLAN includes a VLAN in local mode, centralized Layer 2 mode, distributed Layer 2 mode, centralized Layer 3 mode, or distributed Layer 3 mode. (For more information about these modes, see Understanding Instant-VPN Modes.) If an Aruba Instant SSID is mapped to such a VLAN, the client traffic on that SSID leaves (with the appropriate VLAN tag) from the IAP to which the client is connected, but the traffic flows through the master AP. The VLAN ID that is used in the DHCP configuration for these VLANs must be supported on the uplink switch that connects the IAPs.

For more information about traffic flows in an Aruba Instant cluster that is configured for Instant-VPN, see Traffic Flows in an Aruba Instant Cluster.

The only exception to this behavior is a magic VLAN. The DHCP server for a magic VLAN is on the Aruba Instant network and the client traffic on the magic VLAN flows through the master AP. However, the client traffic on the magic VLAN reaches the master AP on the AP VLAN and not on a specific client VLAN. For more information about a magic VLAN, see Virtual Controller-Assigned IP Addresses.
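The rules in the two sections above (which client VLANs the uplink switch must carry, when traffic is bridged at the IAP versus carried through the master AP, and which assignment options undermine VLAN-based segregation) are mechanical enough to check automatically before a cluster is built. The following is an added example, not code from the VRD or from Aruba, that applies them to a list of SSIDs. The SSID names, VLAN IDs, the native AP VLAN and the list of VLANs for which the Instant cluster is the DHCP server are all constructed placeholders.

```python
"""Added example (not from the VRD or Aruba): derive uplink trunk
requirements, traffic path and design findings from each SSID's client IP
assignment option, using the rules in this section. All values constructed."""
from dataclasses import dataclass

AP_VLAN = 1   # constructed: native VLAN of the IAP trunk ports

# VLANs for which the Instant cluster (master AP) is the DHCP server
# (local / centralized / distributed L2 and L3 scopes). Constructed.
INSTANT_DHCP_VLANS = frozenset({30})


@dataclass(frozen=True)
class Ssid:
    name: str
    ip_assignment: str           # "vc-assigned", "default", "static" or "dynamic"
    vlans: tuple = ()            # static: one VLAN ID; dynamic: every VLAN a rule can derive
    needs_segregation: bool = False   # e.g. guest traffic must not share the AP VLAN


def traffic_path(ssid, instant_dhcp_vlans=INSTANT_DHCP_VLANS):
    """'via master AP' when the master is DHCP server/gateway for the VLAN,
    otherwise 'bridged at IAP' (traffic leaves the IAP the client is on)."""
    if ssid.ip_assignment == "vc-assigned":
        return "via master AP (magic VLAN, source NAT)"
    if any(v in instant_dhcp_vlans for v in ssid.vlans):
        return "via master AP"
    return "bridged at IAP"


def required_trunk_vlans(ssids, ap_vlan=AP_VLAN):
    """Every network-assigned client VLAN must be tagged on the uplink switch.
    A magic VLAN needs no trunk entry (it rides the AP VLAN to the master), and
    the 'default' option uses the native AP VLAN, which is untagged."""
    needed = set()
    for s in ssids:
        if s.ip_assignment in ("vc-assigned", "default"):
            continue
        needed.update(s.vlans)
    needed.discard(ap_vlan)
    return sorted(needed)


def review(ssids, ap_vlan=AP_VLAN):
    """Design findings from this section's recommendations, as (ssid, finding)."""
    findings = []
    for s in ssids:
        if s.ip_assignment == "vc-assigned" and s.needs_segregation:
            findings.append((s.name, "magic VLAN traffic reaches the master AP on the AP VLAN; "
                                     "use a network-assigned client VLAN for VLAN-based segregation"))
        elif s.ip_assignment == "default" or ap_vlan in s.vlans:
            findings.append((s.name, "client traffic shares the AP (management) VLAN; not recommended"))
        elif s.ip_assignment in ("static", "dynamic") and not s.vlans:
            findings.append((s.name, "no client VLAN ID configured"))
    return findings


# Constructed sample cluster: one SSID per assignment option.
SSIDS = (
    Ssid("guest", "vc-assigned", needs_segregation=True),
    Ssid("employee", "static", (20,)),        # DHCP on the wired network
    Ssid("iot", "static", (30,)),             # DHCP scope on the Instant cluster
    Ssid("byod", "dynamic", (40, 41)),        # VLAN derivation rules
    Ssid("legacy", "default"),                # client VLAN == AP VLAN
)
```

Running review(SSIDS) on the sample flags the guest SSID (magic VLAN chosen where segregation from the AP VLAN was required) and the legacy SSID (default option, user traffic on the management VLAN), while required_trunk_vlans(SSIDS) lists the tags the uplink switch ports must carry.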

Dynamic RADIUS Proxy

In a distributed architecture, each AP functions as a RADIUS authenticator for its clients, which means that you must configure each AP as a RADIUS client on the authentication server. However, adding all APs as NAS clients to a RADIUS server might not always be feasible. The dynamic RADIUS proxy (DRP) feature of Aruba Instant provides an alternative to adding all APs as NAS clients. When DRP is enabled, the master AP becomes a single anchor for RADIUS requests for all users on an Aruba Instant cluster, regardless of the AP to which a user connects. The master AP acts as the RADIUS proxy for all RADIUS transactions in an Aruba Instant cluster. When DRP is enabled, all RADIUS packets that originate from an Aruba Instant cluster are sourced with the virtual controller (VC) IP address that is assigned to the cluster. You only need to add the VC IP address to the RADIUS client list on the authentication server.

Figure 11 shows the VC IP address and DRP configuration.

Figure 11 Virtual Controller IP address for DRP

By default, when DRP is enabled, all RADIUS packets are sourced with the VC IP address. Using the VC IPaddress for RADIUS transactions works well in most environments, but in certain situations the RADIUS servermight be on a network or VLAN that cannot be reached from the AP VLAN. For these situations, Aruba InstantOSlets you define a DRP VLAN, IP address, and subnet on a per-RADIUS server basis. This capability allows networkadministrators to define the VLAN and source IP address for transactions with a specific RADIUS server. If DRP isenabled and if the RADIUS server on an Aruba Instant network does not include the DRP VLAN and IP configurationfor a RADIUS sever, the transactions with that RADIUS server are sourced with the default VC IP address andVLAN. For more information about DRP, see the Aruba Instant User Guide that is available at the Aruba supportwebsite.


Figure 12, DRP options for a RADIUS server, shows how you can configure the DRP settings on a per-RADIUS server basis.

Figure 12 DRP options for a RADIUS server

In Aruba Instant VPN deployments, DRP is essential to tunnel the RADIUS traffic to the centralized authentication server in the data center. For more information on DRP in Aruba Instant-VPN deployments, see 802.1X and RFC 3576 Handling in an Aruba Instant-VPN Network.

Layer 3 Mobility

IAPs within the same Layer 2 domain form a single Aruba Instant cluster. In some situations, because of the physical building layout or the roaming patterns, Aruba Instant deployments within a contiguous RF domain might need to be broken up into multiple clusters. The Layer 3 mobility feature lets clients roam away from the Aruba Instant cluster to which they first connected (home network) to another Aruba Instant cluster (foreign network) that supports the same WLAN access parameters, and continue their existing sessions.

Layer 3 mobility allows clients to roam without losing their IP address and sessions across IAP clusters within a contiguous RF domain. If the WLAN access parameters are the same across the clusters, clients that are connected to IAPs in an Aruba Instant network can roam to APs in a foreign Aruba Instant network and continue their existing sessions. Layer 3 mobility enables seamless roaming in a multi-cluster Aruba Instant deployment. For more information about Layer 3 mobility and how to configure it, see the Aruba Instant User Guide that is available at the Aruba support website.

Physical and Logical Design

One of the key differences of a distributed architecture when compared to a centralized controller-based architecture is the need to create wireless user VLANs at the edge of the network. Unlike a centralized controller-based architecture, in a distributed architecture you must configure the wireless user VLANs on the uplink switches that connect the APs. This requirement influences the logical design of an Aruba Instant network.

As described in Chapter 1, the physical layout of the small and medium enterprise falls in one of these categories:

- Single-building layout: This layout is typical for most small enterprises with headquarters in a single building with one or more floors.

- Multi-building layout within a contiguous RF domain: The physical layout of the buildings in this category is such that the users expect to roam seamlessly across the buildings. The buildings in this type of layout are usually connected by dark fiber or Metro Ethernet. Examples of this type of layout include:

  - A medium enterprise with a few buildings in close proximity

  - Individual schools of a K-12 school district that has multiple buildings in close proximity

- Multi-building layout with a non-continuous RF domain: The physical layout of the buildings in this category is such that seamless roaming across buildings is not practical. A typical example is a medium enterprise that has offices in two cities. Another example is a K-12 school district with elementary, middle, and high schools that are geographically separated in such a way that seamless roaming of users across the schools is not practical without a Metro Wi-Fi solution. The buildings in this type of layout are usually connected by Metro Ethernet or MPLS.

To select the optimal physical and logical design for any of these environments, you must combine these design elements:

- Wired infrastructure design

- Client VLAN design

- Cluster design

Wired Infrastructure Design

There is a fundamental difference in designing a network with a centralized architecture that is controller-based as opposed to a distributed architecture such as Aruba Instant. In a distributed architecture, the user VLANs and the AP management VLANs must be configured and extended to the edge (access layer) of the network.

To design the wired infrastructure and VLANs in an Aruba Instant deployment, consider these guidelines:

- Create a separate VLAN (that is, subnet) to manage the Aruba Instant cluster and ensure that the AP VLAN does not carry any multicast and user traffic. To simplify IAP deployment, enable DHCP for the AP VLAN. If the AP VLAN does not support DHCP, stage and configure each AP with a static IP address.

- Configure all switch ports that are used for IAP connections as trunk ports. Configure the AP VLAN as the native VLAN of the trunk port and add user VLANs to the allowed VLANs list on the trunk port. All client VLANs, except magic VLANs, must be tagged VLANs on the trunk port.

- Ensure that the native VLAN of the trunk port to which the AP connects is functional because all traffic that is generated by the AP is carried on the native VLAN of the trunk port.

- Do not modify the uplink management VLAN setting from its default value. An exception to this guideline is described in Recommendations for an Uplink Management VLAN.

- Segregate the wireless VLANs from the wired VLANs. Maintaining separate VLANs for wireless clients eliminates unnecessary broadcast and multicast traffic from the wired VLAN occupying the airtime.

- DRP is not required if you can add the entire AP VLAN subnet as a NAS client on the RADIUS server.

- Enable DRP if your security policy requires a single entity to function as a NAS client for a cluster. If DRP is enabled, assign a static VC IP address on the same subnet as the AP VLAN and ensure that the RADIUS server can be reached from that VLAN. If the AP VLAN cannot reach the RADIUS server, enable DRP and configure the DRP IP address on a VLAN that can reach the RADIUS server. For more information, see Dynamic RADIUS Proxy.

If an IAP is the DHCP server for a VLAN such as a local-mode VLAN, the uplink switches that connect the IAPs in a cluster must support the VLAN. The master AP is the DHCP server and gateway for the local VLAN, so if the uplink switches do not support the VLAN, other IAPs in the cluster cannot forward traffic to the master AP. (For more information, see Traffic Flows in an Aruba Instant Cluster.) This requirement does not apply to a magic VLAN.
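The trunk-port and client-VLAN guidelines above can be checked before IAPs are plugged in. The following Python script is an added example, not part of the VRD or of Aruba's software: it parses a constructed IOS-style trunk configuration, compares it with a constructed VLAN plan (the SSID names, VLAN IDs and mode labels are assumptions), and reports a native VLAN that is not the AP VLAN or is a dummy VLAN, a client VLAN that would ride untagged on the native VLAN, and any non-magic client VLAN that is missing from the trunk's allowed list.

```python
import re
from dataclasses import dataclass, field

# Mode labels are assumptions for this example. VLANs in these modes have
# their DHCP server on the master AP, so every IAP's uplink must carry them.
MASTER_SERVED_MODES = {"local", "centralized-l2", "distributed-l2",
                       "centralized-l3", "distributed-l3"}


@dataclass
class VlanPlan:
    ap_vlan: int                                   # IAP management VLAN
    ssid_vlans: dict                               # ssid -> (vlan_id, mode)
    dummy_vlans: set = field(default_factory=set)  # VLANs with no DHCP/gateway


def expand_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_trunk(config: str):
    """Return (native_vlan, allowed_vlans) from IOS-style interface lines.
    allowed_vlans is None when the port allows every VLAN (switch default)."""
    native, allowed = 1, None            # IOS defaults (assumption)
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
            continue
        m = re.match(r"switchport trunk allowed vlan( add)? ([\d,\-]+)$", line)
        if m:
            ids = expand_vlan_list(m.group(2))
            allowed = ids if m.group(1) is None or allowed is None else allowed | ids
    return native, allowed


def check_uplink(config: str, plan: VlanPlan) -> list:
    """Return (code, message) findings; an empty list means the trunk
    satisfies the wired-infrastructure guidelines for this VLAN plan."""
    native, allowed = parse_trunk(config)
    findings = []
    if native != plan.ap_vlan:
        findings.append(("NATIVE_NOT_AP_VLAN",
            f"native VLAN {native} is not the AP VLAN {plan.ap_vlan}: untagged "
            f"AP traffic lands on VLAN {native} (fix the native VLAN, or set the "
            f"Uplink Management VLAN to {plan.ap_vlan} on every IAP on this port)"))
    if native in plan.dummy_vlans:
        findings.append(("NATIVE_DUMMY",
            f"native VLAN {native} is a dummy VLAN; the IAP cannot get an address"))
    for ssid, (vlan, mode) in plan.ssid_vlans.items():
        if mode == "magic":
            continue                     # rides the AP VLAN; no trunk entry needed
        if vlan == native:
            findings.append(("CLIENT_ON_NATIVE",
                f"{ssid}: client VLAN {vlan} is the native VLAN; client VLANs "
                f"must be tagged and kept separate from the AP VLAN"))
        elif allowed is not None and vlan not in allowed:
            impact = ("the master AP serves DHCP for it, so other IAPs cannot "
                      "forward client traffic to the master"
                      if mode in MASTER_SERVED_MODES else "clients have no egress")
            findings.append(("VLAN_NOT_ALLOWED",
                f"{ssid}: VLAN {vlan} ({mode}) is not allowed on the trunk; {impact}"))
    return findings


# Constructed sample: the trunk carries the AP VLAN and two client VLANs, but
# the local-mode IoT VLAN 40 was never added to the allowed list.
SAMPLE_TRUNK = """
interface GigabitEthernet1/0/7
 description IAP uplink
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
"""
SAMPLE_PLAN = VlanPlan(
    ap_vlan=10,
    ssid_vlans={"corp": (20, "network"),     # network-assigned client VLAN
                "guest": (3333, "magic"),    # VC-assigned (magic) VLAN
                "iot": (40, "local")},       # local mode, DHCP on master AP
    dummy_vlans={999},
)

if __name__ == "__main__":
    for code, msg in check_uplink(SAMPLE_TRUNK, SAMPLE_PLAN):
        print(f"{code}: {msg}")
```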


Recommendations for an Uplink Management VLAN

By default, traffic that is generated by an AP is untagged. The native VLAN of the trunk port that connects the AP must be functional. If the native VLAN of the trunk port to which an IAP is connected is a dummy VLAN, you might have to use a tagged VLAN on the port as the AP VLAN. In such a situation, the AP traffic must be tagged to ensure that the IAP receives its IP address from the tagged AP VLAN and that all traffic that is generated by the AP is carried on the tagged AP VLAN. To accommodate this type of configuration, Aruba Instant supports the Uplink Management VLAN feature.

Uplink Management VLAN

The Uplink Management VLAN feature determines if the AP traffic is tagged or untagged.

By default, the setting for this feature is 0, which means that the AP traffic is untagged. Aruba recommends this default setting. Aruba also recommends that you make sure that your native VLAN is not a dummy VLAN. However, in an environment in which you cannot modify the native VLAN to be functional, use the Uplink Management VLAN feature to tag the AP traffic with the appropriate VLAN tag. For example, if the native VLAN is a dummy VLAN and VLAN 20 must be the management VLAN for APs, set the uplink management VLAN to 20. An uplink management VLAN is a per-AP configuration, and you must modify it only in an environment in which you cannot modify the native VLAN of a trunk to be functional. Click the IAP’s edit link and update the Uplink tab.

Client VLAN Design

As discussed in Traffic Flows in an Aruba Instant Cluster, Aruba Instant provides multiple options to assign client IP addresses. Some guidelines for a client VLAN design follow:

- Aruba strongly recommends the network-assigned IP addressing option for client IP assignment.

- Aruba recommends separating the AP VLAN and client VLANs. Use the “Default-Network Assigned IP Address” option only in an environment in which a separate AP VLAN and client VLAN are not possible.

- Use VC-assigned IP addressing only in the following situations:

  - The switch that the IAP connects to is an unmanaged Layer 2 switch on which VLANs cannot be defined.

  - You do not want to configure additional VLANs for guest traffic across all switches.

- Do not use the VC-assigned IP option in an environment in which a VLAN-based segregation is required between a client VLAN (that is, a guest user VLAN) and the AP VLAN. A good example of such a situation is an environment in which PCI compliance is required.

Cluster Design

By default, all Aruba IAPs on a Layer 2 domain form a cluster. No hard limit exists on the number of APs or clients that you can support on a single cluster. However, the maximum tested IAP cluster size is 128 IAPs in a cluster. Guidelines for cluster and mobility design include the following:

- Aruba recommends that you use the validated cluster size of 128 APs and 2048 clients per cluster for your cluster design. To allow for some future growth, design a cluster at 80 to 90% (about 110 APs) of the validated capacity.

- If a deployment within a contiguous RF domain requires more than 110 APs, divide the deployment into multiple clusters and enable Layer 3 mobility between them.

  Although the validated cluster size limit applies to a cluster, you can expand a deployment to more than 128 APs by deploying multiple clusters that have Layer 3 mobility enabled between them.

- Layer 3 roaming has little to no impact on performance if you enable the Home Agent Load Balancing feature that is part of the Aruba Instant architecture. If you enable this feature, the VC assigns the home AP for roamed clients by using a round robin policy. With this policy, the load for the APs acting as home agents for roamed clients is uniformly distributed across all the IAPs in the cluster.

NOTE: Aruba recommends that you enable the Home Agent Load Balancing feature in deployments in which you expect a high volume of Layer 3 roaming between clusters.

Cluster Design for Single-Building Layout

A single-building layout might be an office on one level or multiple levels. You must base the cluster design in these environments on the AP and client density. If you can support the building with fewer than 110 APs, Aruba recommends a single cluster. Most single-building layouts can be accommodated with a single cluster. However, if you have a multi-storey building that exceeds the recommended AP and client limit for a single cluster, divide the deployment into two clusters with Layer 3 mobility enabled between the clusters. If you enable Layer 3 mobility, Aruba recommends that you also enable the Home Agent Load Balancing feature. By default, Home Agent Load Balancing is disabled. Go to System > Show advanced options > L3 Mobility to enable it.


Cluster Design for a Multi-Building Layout within a Contiguous RF Domain

In this layout, users are expected to roam seamlessly across buildings. You must base the cluster design in these environments on the AP and client density. If the layout includes three buildings that can be covered by fewer than 110 APs, Aruba recommends that you deploy the IAPs as a single cluster. However, if these three buildings require 50 APs per building, deploy the IAPs as two clusters with Layer 3 mobility enabled between them. In a multi-cluster design, take the roaming patterns into consideration.

Cluster Design for a Multi-Building Layout with a Non-Continuous RF Domain

In this layout, the buildings are geographically separated in such a way that seamless roaming across buildings is not practical. In this case, support each building with a single cluster. The geographical separation means that seamless roaming across buildings is not required.

Cluster Design for a K-12 School District

A K-12 school district is a combination of high schools, middle schools, and elementary schools. The individual schools that make up the K-12 school district can represent a single-building layout or a multi-building layout with a contiguous RF domain. Apply the cluster design for a single-building layout or a multi-building layout with a contiguous RF domain to the individual schools.

The different schools in a K-12 school district are typically separated geographically such that seamless roaming across schools is not practical. A typical K-12 school district design has these characteristics:

- Each individual school is a single or multi-cluster design that is based on the number of APs that are required to provide a capacity-based RF design.

- Seamless roaming across schools is not required because of the geographical separation.

- The entire school district is managed by a single management platform (AirWave or Aruba Central).
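The cluster sizing rules from the sections above (128 APs and 2048 clients validated per cluster, designed at about 110 APs for headroom, one cluster per geographically separate building, Layer 3 mobility plus Home Agent Load Balancing wherever a contiguous RF domain spans several clusters) can be applied to a whole site with the following Python planner. It is an added example, not from the VRD: the client headroom of 85% of 2048, the building names and the AP and client counts are assumptions, and the three-building campus mirrors the guide's 50-APs-per-building case.

```python
from dataclasses import dataclass, field
from math import ceil

VALIDATED_APS, VALIDATED_CLIENTS = 128, 2048     # per cluster (from the VRD)
MAX_APS = 110                                    # 80-90% headroom, per the VRD
MAX_CLIENTS = int(VALIDATED_CLIENTS * 0.85)      # 1740; the same headroom rule
                                                 # applied to clients (assumption)


@dataclass
class Building:
    name: str
    aps: int
    clients: int


@dataclass
class Cluster:
    members: list = field(default_factory=list)  # building (or part) names
    aps: int = 0
    clients: int = 0

    def fits(self, b: Building) -> bool:
        return (self.aps + b.aps <= MAX_APS
                and self.clients + b.clients <= MAX_CLIENTS)

    def add(self, b: Building) -> None:
        self.members.append(b.name)
        self.aps += b.aps
        self.clients += b.clients


def split_building(b: Building) -> list:
    """A building that exceeds one cluster on its own (for example a tall
    multi-storey building) is divided into the fewest equal parts that fit."""
    parts = max(ceil(b.aps / MAX_APS), ceil(b.clients / MAX_CLIENTS))
    return [Building(f"{b.name}/part{i + 1}",
                     ceil(b.aps / parts), ceil(b.clients / parts))
            for i in range(parts)]


def plan_rf_domain(buildings: list) -> list:
    """Group the buildings of one contiguous RF domain into clusters.
    First-fit in the given order keeps neighbouring buildings together,
    because roaming patterns should drive the cluster boundaries."""
    clusters = []
    for b in buildings:
        pieces = [b] if Cluster().fits(b) else split_building(b)
        for piece in pieces:
            target = next((c for c in clusters if c.fits(piece)), None)
            if target is None:
                target = Cluster()
                clusters.append(target)
            target.add(piece)
    return clusters


def plan_site(domains: dict) -> dict:
    """domains maps an RF-domain name to its buildings in roaming order.
    A geographically separate building is simply its own one-building domain."""
    plan = {}
    for name, buildings in domains.items():
        clusters = plan_rf_domain(buildings)
        multi = len(clusters) > 1
        plan[name] = {
            "clusters": [(c.members, c.aps, c.clients) for c in clusters],
            "l3_mobility": multi,          # required between the clusters
            "home_agent_lb": multi,        # recommended alongside L3 roaming
        }
    return plan


# Constructed district: a three-building campus that is one contiguous RF
# domain (50 APs per building, as in the guide's example) plus a separate
# elementary school that forms its own RF domain.
SAMPLE_SITE = {
    "hs-campus": [Building("Bldg-A", 50, 700),
                  Building("Bldg-B", 50, 700),
                  Building("Bldg-C", 50, 700)],
    "elementary": [Building("Elem-Main", 40, 600)],
}

if __name__ == "__main__":
    for domain, result in plan_site(SAMPLE_SITE).items():
        print(domain, "L3 mobility" if result["l3_mobility"] else "single cluster")
        for members, aps, clients in result["clusters"]:
            print(f"  {members}: {aps} APs, {clients} clients")
```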

Cluster Security Recommendations

When you add a new IAP to a Layer 2 network that is hosting an Aruba Instant cluster, the new AP joins the cluster automatically. This behavior is enabled by the Auto-Join feature that is enabled by default on an Aruba Instant cluster. The Auto-Join feature simplifies the deployment of Aruba Instant networks. However, after the initial deployment of the network, Aruba recommends that you disable the Auto-Join feature to prevent unauthorized APs from joining the cluster. If you must add additional authorized APs to the network, you have these options:

- Manually add new APs to an existing cluster by adding the MAC addresses of the new APs to the Instant cluster configuration (see Physical and Logical Design).

- Temporarily enable the Auto-Join feature to allow new authorized APs to be added automatically during the AP deployment window. By default, Auto-Join is enabled. Change it in System > Show advanced settings.

Figure 13 shows the New Access Point pop-up screen that lets you add the MAC address of a new authorized IAP.


Figure 13 Manually adding an AP by specifying its MAC address

RF Design

Good RF design is one of the most essential aspects of designing an enterprise WLAN because RF design relates directly to the user experience. With the proliferation of mobile devices and applications in the network, it is important to ensure that a WLAN can accommodate them and can provide optimal performance over the air. Good RF design includes these recommendations:

- WLANs can be designed as either capacity-based networks or coverage-based networks. Coverage-based networks have fewer APs deployed and further apart from each other. Capacity-based networks have more densely deployed APs that are capable of serving a higher number of clients and provide better speeds.

  To accommodate the influx of wireless devices in the near future, Aruba highly recommends that you design your enterprise network for capacity rather than coverage.

- Before you deploy APs, Aruba recommends that you run a site survey on your floor plan (either a virtual or physical site survey) to determine the ideal number of APs that can provide a targeted minimum data rate and to identify where to place the APs for optimal performance.

- Select the types of APs (2-stream or 3-stream) based on application requirements.

- Select the types of antennas (internal or external) based on the type of environment (warehouse or cubicles, presence of concrete walls, metal drawers and cabinets, and so on).

- After you have placed the APs optimally, fine-tune them with the appropriate channel and power assignments.

For detailed information about RF planning requirements, see the Site Survey and Planning Validated Reference Design.

One of the challenges with RF environments is their ever-changing nature. Even when you follow good design recommendations to deploy the APs, RF performance can degrade. RF performance can degrade due to many factors: an RF coverage hole might occur when an AP goes down, Wi-Fi or non-Wi-Fi interference might be present in the air, legacy 802.11a/b/g devices might be present in the network, and so on.

It is critical that you have certain mechanisms in place to allow for dynamic adjustment to the constantly changing RF environment. Adaptive Radio Management (ARM) is such a mechanism. For more information, see Adaptive Radio Management.

Radio Modes on Aruba Instant

You can set each AP in an Aruba Instant cluster to one of the following modes of operation:

- Access: The AP serves clients while also monitoring for rogue APs in the background.

- Monitor: The AP functions as a dedicated monitor, scanning all channels for rogue APs and clients. In the Monitor mode, the AP cannot serve any clients.

- Spectrum Monitor: The AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from neighboring APs or from non-Wi-Fi devices such as microwaves and cordless phones. In the Spectrum Monitor mode, the AP cannot serve any clients.

You configure the radio mode per individual AP. By default, all APs function in access mode.

Figure 14 is a screen shot of the radio operation modes for an AP.

Figure 14 Setting the radio operation mode for an AP

Scanning of IAPs

An IAP can operate in various modes on each of its radios (2.4 GHz or 5 GHz).

Select the IAP and click Edit to open the following dialog box:


AP Scanning (Access Mode)

The primary duty of an AP is to serve clients. However, an AP also scans the air to perform the following tasks:

- Looking for better channels

- Monitoring for Intrusion Detection System (IDS) events

- Listening for clients

- Searching for rogue devices

- Participating in containment of rogue devices

By default, an AP scans its current channel in the normal course of operation and goes off channel to scan every 10 seconds. A small amount of jitter occurs to ensure that a full beacon period is examined. The AP spends 85 milliseconds scanning off-channel, that is, the AP scans the foreign channel for approximately 65 milliseconds (with 20 milliseconds of overhead used as the radio changes channels) and then reverts to its home channel.

The scanning behavior in an IAP is the same as that in a campus AP, which is to perform off-channel scanning every 10 seconds. The only difference is at boot-up: an IAP scans more aggressively (1 scan per second) during the first 10 minutes after boot-up.

AM Scanning (Monitoring Mode)

AM scanning is similar to AP scanning, except that the air monitor (AM) constantly scans other networks and does not serve clients. The AM listens, and transmits only to contain rogue APs or clients. When a rogue device must be contained, the AM can spend more time containing the rogue device than scanning, which results in more consistent enforcement.

When you deploy AMs on AP hardware that has only one radio, the AM alternates between the 2.4 and 5 GHz bands on the single-radio AP.

Spectrum Monitoring (Spectrum Monitor Mode)

In most WLAN deployments, the primary source of any performance degradation starts at Layer 1, that is, the RF spectrum or physical layer. Aruba Instant offers integrated spectrum analysis, which adds a layer of visibility into 802.11 WLANs. Visibility into the RF allows you to see what is occurring in the air and is a key requirement for troubleshooting RF issues.

Spectrum analysis can classify and identify non-802.11 interference sources, providing real-time analysis at the point where the problem occurs. Spectrum analysis is best utilized when integrated into the WLAN infrastructure, because hand-held tools are useful only when IT staff are on-site and interference is present, an unlikely combination in distributed enterprises.

The solution to the problem is a set of integrated tools that enable visibility when using the existing infrastructure. Instant offers spectrum monitoring in two modes of operation:

- Hybrid Spectrum (Background Spectrum Monitoring): An AP radio in hybrid AP mode continues to serve clients as an AP while it analyzes spectrum data for the channel that the radio uses to serve clients. You can record data for both types of spectrum monitor devices. However, the recorded spectrum is not reported to the virtual controller (VC). If a non-Wi-Fi interference device is detected, a spectrum alert is sent to the VC.

- Dedicated Spectrum Monitor (SM): SMs are IAP radios that gather spectrum data but do not service clients. Each SM scans and analyzes the spectrum band that is used by the SM radio (2.4 GHz or 5 GHz).

The main difference between Hybrid Spectrum mode and Dedicated Spectrum Monitor mode is that in Hybrid Spectrum mode, the AP reports only spectrum data for its home channel. In Dedicated Spectrum Monitor mode, spectrum data for all channels is reported.

For more information about spectrum monitoring, see the Aruba Instant User Guide that is available at the Aruba support website.

Adaptive Radio Management

If channels and power are updated only when an AP boots up or only every 24 hours, then radio management is insufficient and based on a snapshot of the RF environment only. Devices, walls, cubes, office doors that open and close, microwave ovens, and even the human body all have an effect on the RF environment. Generally, you cannot test and compensate for such a fluid environment in a static channel and power plan. You need a system that can dynamically adjust to and optimize the ever-changing RF environment. Adaptive Radio Management (ARM) is such a system.

At the most basic level, before ARM configures power and channel settings for APs, it allows the network to consider Wi-Fi interference, non-Wi-Fi interference, and the presence of other APs. APs and air monitors (AMs) continuously scan the environment. If an AP goes down, ARM automatically fills in the RF hole and increases the power on the surrounding APs until the original AP is restored. When the AP is restored, ARM sets the network to a new optimal setting. If an interfering device (Wi-Fi or non-Wi-Fi) appears on the network, such as a wireless camera that consumes a channel, ARM adjusts the AP channels appropriately.

Some of the functionalities that ARM provides are shown in Figure 15 and described in Table 3, Selected ARM Settings. (For recommendations about ARM settings, see Recommended IAP Settings.)


Figure 15 Configuring the ARM settings

Table 3: Selected ARM Settings

Auto Channel and Power setting: These settings are enabled by default on IAPs. You also can manually set the channel or power for APs.

Scanning: When enabled, the APs periodically scan other channels for RF management and WIPS enforcement.

Client-aware scanning: When enabled, ARM does not change channels for APs when clients are active, except for high-priority events such as radar or excessive noise. To ensure a stable WLAN experience, Aruba recommends that you enable client-aware scanning for most deployments.

Band steering mode: Supports these four modes:

  - Prefer mode: If the client supports both the 5 GHz and 2.4 GHz bands, the AP directs the client to use the 5 GHz band.

  - Force mode: If the client supports both the 5 GHz and 2.4 GHz bands, the AP allows the client to use only the 5 GHz band. However, clients that support only the 2.4 GHz band can still connect to the 2.4 GHz band.

  - Balance mode: Attempts to balance clients between the two bands within an approximate ratio of four 5 GHz clients for each single 2.4 GHz client.

  - Disabled mode: The client selects which band to use.

Client match: Continuously monitors the RF neighborhoods of the clients and provides band steering and load balancing of the clients while they are associated to the network. Helps sticky clients roam to better APs.

Airtime fairness mode: Supports these three modes:

  - Default Access: Airtime fairness algorithms are disabled.

  - Fair Access: All clients get the same airtime irrespective of their capabilities.

  - Preferred Access: 11n/11ac clients get more airtime than 11a/11g clients, which get more airtime than 11b clients. The ratio is 16:4:1.

Additional RF Optimization Features

In addition to the ARM settings that are described in the previous section, you can enable these features on an IAP to further optimize the performance over the air. For a complete list of recommendations for ARM settings and each of these features, see Recommended IAP Settings.

- Broadcast Filtering: This feature is available in the Network (SSID) settings on the virtual controller and supports the following settings:

  - All: The APs drop all broadcast and multicast frames except DHCP and ARP.

  - ARP: In addition to dropping all broadcast and multicast frames except DHCP and ARP, the APs convert ARP requests to unicast and send these packets to the associated clients.

  - Disabled: All broadcast and multicast traffic is forwarded.

Figure 16 Configuring broadcast filtering


Aruba recommends that you set broadcast filtering to ARP. However, if you run multicast applications on the network, disable broadcast filtering to prevent multicast traffic from being dropped from the WLAN.

- Multicast Transmission Optimization: If you enable multicast optimization, the AP selects the optimal rate for sending broadcast and multicast frames based on the lowest transmission rate that is indicated by the rate adaptation state of each associated client. (See Figure 17.)

- Dynamic Multicast Optimization (DMO): The 802.11 standard states that multicast traffic over WLAN must be transmitted at the lowest supported rate so that all clients can decode it. The low transmission rate results in increased airtime utilization, and therefore decreased overall throughput for transmissions. Because of the slower speed, it is desirable to transform multicast traffic to unicast traffic when a few clients have subscribed to a multicast stream. Transforming multicast traffic to unicast traffic increases the speed of wireless transmissions by using the higher unicast rates. (See Figure 17.)

  For more information, see Aruba QoS Features.

Figure 17 Configuring multicast optimization

- Local Probe Request Threshold: A station that is trying to join any WLAN can search for available wireless networks by performing an active scan or a passive scan. During a passive scan, the client listens to beacon frames that are sent by the APs on every possible channel to discover the available wireless networks. During a passive scan, the station must wait until it can detect a beacon from the AP. During an active scan, the client sends a probe request to detect the presence of an AP on a channel. An AP that detects a probe request must respond with the probe response. The probe response provides the client with all the required information about the network that is broadcast by the AP.

  In dense environments, some clients might join an AP with a lower SNR, even in the presence of APs with a better SNR. The local probe threshold feature defines the SNR value below which the AP ignores the incoming probe requests. As a result, the clients get a probe response only from APs that have a good SNR with the client. This feature encourages proper roaming in dense deployments. The supported range for the SNR value is 0-100 dB. A value of 0 disables this feature.

  Aruba recommends that you enable this feature in dense environments (an AP every 3600 sq. ft) with the value set to 25 dB. (See Figure 18.)

Figure 18 Configuring the local probe request threshold

- Interference Immunity Level: If an AP attempts to decode a non-802.11 signal, its ability to receive traffic can be interrupted momentarily. The noise immunity feature helps improve the network performance in environments with a high level of non-802.11 noise from devices such as Bluetooth headsets, video monitors, and cordless phones. You can configure the noise immunity feature from level 0 through level 5. For more information about interference immunity levels, see the Aruba Instant User Guide that is available at the Aruba support website.

  Increasing the immunity level makes the AP slightly “deaf” to its surroundings, that is, it causes the range of the AP to decrease slightly. The default and recommended immunity level for most deployments is level 2. (See Figure 19.)


Figure 19 Configuring the interference immunity level

Client MatchARM helps theWLAN to steer clients to the best APs, and it does so during the time of client association. It does nottrigger AP changes for clients that are already associated to an IAP.

The Aruba Client Match feature continually monitors the RF neighborhood of a client to provide ongoing client bandsteering and load balancing for associated clients, and enhanced AP reassignment for roaming clients.

When the Client Match feature is enabled on an IAP, the AP measures the RF health of its associated clients. If oneof these threemismatch conditions is met, clients aremoved from one AP to another for better performance andclient experience:

l Dynamic Load Balancing: The Client Match feature balances clients across IAPs on different channels, basedupon the client load on the APs and the SNR levels that the client detects from an underutilized AP. If an AP radiocan support additional clients, the AP participates in Client Match load balancing, and clients are directed to thatAP radio, subject to predefined SNR thresholds.

Page 48: Aruba Instant VRD

As of Instant 6.3.1.1-4.2., spectrum load balancing is integrated with the Client Match feature.

• Sticky Clients: The Client Match feature helps mobile clients that tend to stay associated to an AP despite low signal levels. IAPs using the Client Match feature continually monitor the RSSI of a client as it roams between APs, and move the client to an AP when a better radio match is found. This feature prevents mobile clients from remaining associated to APs with a less than ideal RSSI, which can cause poor connectivity and reduce performance for other clients that are associated with that IAP.

• Band Steering: IAPs that use the Client Match feature monitor the RSSI for clients that advertise a dual-band capability. If a client is associated to the 2.4 GHz radio and the AP detects that the client has a good RSSI from the 5 GHz radio, the AP attempts to steer the client to the 5 GHz radio, as long as the 5 GHz RSSI is not significantly worse than the 2.4 GHz RSSI, and the IAP retains a suitable distribution of clients on each of its radios.

Aruba recommends that you use the default settings for the Client Match feature.
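The three mismatch conditions above, modelled as decision functions over a small constructed network. This is an added example and not Aruba's code: the thresholds, the per-radio client capacity, and the order in which the checks are evaluated are assumptions, since the page does not publish Client Match's internal values.

```python
"""Model of the three Client Match conditions (sticky client, band steering,
dynamic load balancing). Added example, not Aruba code: all thresholds, the
per-radio capacity and the check order are constructed assumptions."""
from dataclasses import dataclass, field

# Constructed thresholds (assumptions; the real Client Match values are not on the page)
STICKY_RSSI_DBM = -75          # at or below this the client counts as "sticky"
STICKY_IMPROVEMENT_DB = 10     # a candidate radio must be this much stronger
BAND_STEER_MIN_5G_DBM = -65    # a "good" 5 GHz RSSI
BAND_STEER_MAX_PENALTY_DB = 6  # 5 GHz may be at most this much weaker than 2.4 GHz
LOAD_TRIGGER_CLIENTS = 8       # radios above this client count try to shed load
LOAD_MIN_RSSI_DBM = -67        # client must hear the target radio at least this well
LOAD_MIN_DIFFERENCE = 4        # target must carry this many fewer clients than the source


@dataclass
class Radio:
    ap: str
    band: str            # "2.4" or "5"
    channel: int
    clients: int = 0
    max_clients: int = 20   # assumed capacity; stands in for "suitable distribution"


@dataclass
class Client:
    mac: str
    dual_band: bool
    radio: Radio                              # currently associated radio
    rssi: dict = field(default_factory=dict)  # (ap, band) -> dBm at which the client is heard


def current_rssi(client):
    return client.rssi[(client.radio.ap, client.radio.band)]


def sticky_client_move(client, radios):
    """Sticky Clients: weak RSSI on the current AP while a clearly better radio exists."""
    cur = current_rssi(client)
    if cur > STICKY_RSSI_DBM:
        return None
    heard = [r for r in radios if r is not client.radio and (r.ap, r.band) in client.rssi]
    best = max(heard, key=lambda r: client.rssi[(r.ap, r.band)], default=None)
    if best is not None and client.rssi[(best.ap, best.band)] - cur >= STICKY_IMPROVEMENT_DB:
        return best
    return None


def band_steer_move(client, radios):
    """Band Steering: dual-band client on 2.4 GHz, good 5 GHz RSSI on the same AP that is
    not significantly worse than 2.4 GHz, and the 5 GHz radio still has room."""
    if not client.dual_band or client.radio.band != "2.4":
        return None
    five = next((r for r in radios if r.ap == client.radio.ap and r.band == "5"), None)
    if five is None or (five.ap, "5") not in client.rssi or five.clients >= five.max_clients:
        return None
    r5, r24 = client.rssi[(five.ap, "5")], current_rssi(client)
    if r5 >= BAND_STEER_MIN_5G_DBM and (r24 - r5) <= BAND_STEER_MAX_PENALTY_DB:
        return five
    return None


def load_balance_move(client, radios):
    """Dynamic Load Balancing: move from a busy radio to a less loaded radio on a
    different channel that the client hears above the signal threshold."""
    cur = client.radio
    if cur.clients <= LOAD_TRIGGER_CLIENTS:
        return None
    candidates = [r for r in radios
                  if r is not cur and r.channel != cur.channel
                  and r.clients < r.max_clients
                  and cur.clients - r.clients >= LOAD_MIN_DIFFERENCE
                  and client.rssi.get((r.ap, r.band), -100) >= LOAD_MIN_RSSI_DBM]
    return min(candidates, key=lambda r: r.clients, default=None)


CHECKS = (("sticky", sticky_client_move),
          ("band_steer", band_steer_move),
          ("load_balance", load_balance_move))


def client_match_decision(client, radios):
    """Return (reason, target radio) for the first condition that fires, else None."""
    for reason, check in CHECKS:
        target = check(client, radios)
        if target is not None:
            return reason, target
    return None


def build_scenario():
    """Constructed sample network: five radios on three APs and four clients."""
    ap1_24 = Radio("AP1", "2.4", 6, clients=3)
    ap1_5 = Radio("AP1", "5", 36, clients=2)
    ap2_24 = Radio("AP2", "2.4", 11, clients=1)
    ap2_5 = Radio("AP2", "5", 44, clients=1)
    ap3_24 = Radio("AP3", "2.4", 1, clients=12)   # overloaded radio
    radios = [ap1_24, ap1_5, ap2_24, ap2_5, ap3_24]
    clients = [
        Client("sticky-1", False, ap1_24, {("AP1", "2.4"): -82, ("AP2", "2.4"): -60}),
        Client("steer-1", True, ap1_24, {("AP1", "2.4"): -55, ("AP1", "5"): -58}),
        Client("busy-1", False, ap3_24, {("AP3", "2.4"): -60, ("AP2", "2.4"): -64, ("AP1", "2.4"): -70}),
        Client("fine-1", True, ap2_5, {("AP2", "5"): -50}),
    ]
    return radios, clients


if __name__ == "__main__":
    radios, clients = build_scenario()
    for c in clients:
        print(c.mac, client_match_decision(c, radios))
```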

Recommended IAP Settings

Aruba recommends the IAP settings that are summarized in Table 4.

Table 4: Recommended Settings for an IAP

Feature | Default Setting | Sparse AP with Data Only | Dense AP with Data Only | Recommended Settings for Video and Voice | High Interference Environment
Scanning | Enabled | Default | Default | Default (disable scanning on detecting voice or video traffic under ACL) | Default
Client Aware Scanning | Enabled | Default | Default | Default | Disabled
Background Spectrum Monitoring | Disabled | Default | Default | Default | Enabled (to show the sources of interference)
Client Match | Disabled | Default | Default | Default | Default
Band Steering | Prefer 5 GHz | Default | Default | Default | Default
Airtime Fairness | Fair Access | Default | Default | Default | Default
Min Transmit Power | 18 | Default | 9 | Default | 12
Broadcast Filtering | Disabled | All | ARP | ARP (disabled if running multicast applications) | ARP
Multicast Optimization | Disabled | Enabled | Enabled | Enabled | Enabled
Dynamic Multicast Optimization | Disabled | Default | Default | Enabled | Default
Local Probe Request Threshold | 0 = Disabled | Default | Enabled (value = 25 dB) | Enabled (value = 25 dB) | Enabled (value = 25 dB)
Interference Immunity Level (modify this value only if the Aruba Support Team advises you to do so) | 2 | Default | Default | Default | Default
Wide Channel Bands | 5 GHz | Default | Default | Default | Default
Beacon Interval | 100 ms | Default | Default | Default | Default
Dynamic CPU Management | Automatic | Default | Default | Default | Default
Min Legacy (non-11n) Transmit Rates 2.4 GHz | 1 | 2 | 11 | Default | 11
Min Legacy (non-11n) Transmit Rates 5 GHz | 6 | Default | Default | Default | Default

IAP software 4.2 is required for Client Match, and IAP software 4.2.1 onwards is recommended. On IAP software 4.1.1 and earlier, Client Match is not recommended.

Band steering requires equal coverage between the 2.4 GHz and 5 GHz bands to be effective. A larger 2.4 GHz coverage model produces unpredictable results for clients, especially if band steering is set to the "Force 5 GHz" mode. Examine the network coverage using VisualRF™ Plan before you set band steering to the "Force 5 GHz" mode. Plan new networks using a 5 GHz coverage model and deploy the network with dual-mode APs at each location. Such a deployment allows ARM to decrease power in the 2.4 GHz band to compensate for the dense deployment.


Starting with Instant 4.2, you can set different maximum and minimum transmit power levels for the 2.4 GHz and 5 GHz bands through the following settings:

QoS Design

Depending upon what type of applications are expected in your network, it might be important to have certain mechanisms in place that treat real-time applications differently than other applications. For example, voice and video applications that are sensitive to jitter and latency must traverse the network faster, so they are given precedence over best-effort applications such as email and print jobs.

Quality of service (QoS) is a set of packet markings and queuing mechanisms that prioritize classes of traffic through the network. Wi-Fi Multimedia (WMM) is based on the 802.11e amendment. WMM is a system for marking traffic as higher priority and adjusting the packet timers to allow delay-sensitive data to have precedence on the air.

End-to-End QoS

For QoS and WMM to work effectively, they must be deployed end-to-end throughout the network. All components must recognize the packet marking and must react in the same way to ensure proper handling. Complete deployment of QoS ensures consistent delivery of data. With proper planning, high-quality voice and video can be achieved over the WLAN.

Figure 20 shows how DSCP, 802.1p, and WMM marking are used in an Aruba Instant deployment.


Figure 20 DSCP, 802.1p, and WMM marking

Two mechanisms are involved: WMM/802.11e on the wireless side and DiffServ Code Point (DSCP) and 802.1p tagging on the wired side. WMM handles prioritization, queuing of packets, and servicing of queues. WMM also has additional power-saving mechanisms to extend battery life. DSCP/802.1p tagging ensures appropriate delivery on the wired side of the network. To be effective, this tagging must be implemented throughout the network with the same values at all nodes.

QoS on the WLAN

Aruba Instant uses WMM to provide the correct level of service to wireless clients. WMM specifies four classes of traffic: voice, video, best effort, and background. WMM also enables shorter wait times for higher-priority traffic by adjusting the interframe spacing for these packets. The traffic classes map directly to DSCP traffic classes and marks, which enables traffic to be easily translated between the two mechanisms.

When a DSCP/802.1p-marked packet arrives from the wired side of the network, that marking is translated into a WMM marker. When a wireless frame that is marked with WMM is received from a wireless client, the IAP includes the marking in the Ethernet frame header before forwarding it on the wired network. The IAP has queues to ensure that traffic is processed with the proper priority.
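The two translations described above (wired DSCP/802.1p to a WMM user priority and access category, and back), worked on constructed Ethernet frames. This is an added example and not Aruba's code: it uses the IEEE 802.11 default mapping (user priority = DSCP >> 3) with the 802.1D user-priority-to-access-category table and the RFC 8325 EF override; Aruba's shipped translation tables may differ, and preferring DSCP over the 802.1p tag is this model's assumption.

```python
"""Translation between wired marks (DSCP in the IPv4 header, 802.1p PCP in the
802.1Q tag) and the WMM user priority / access category used on the air.
Added example, not Aruba code. Default mapping: UP = DSCP >> 3 (IEEE 802.11),
802.1D UP -> access category, and the RFC 8325 override EF (46) <-> UP 6."""

AC_VO, AC_VI, AC_BE, AC_BK = "voice", "video", "best effort", "background"

# 802.1D user priority (0..7) -> WMM access category
UP_TO_AC = {0: AC_BE, 1: AC_BK, 2: AC_BK, 3: AC_BE, 4: AC_VI, 5: AC_VI, 6: AC_VO, 7: AC_VO}

# Overrides of the plain bit-shift mapping (RFC 8325: EF <-> UP 6, i.e. AC_VO)
DSCP_TO_UP_OVERRIDES = {46: 6}
UP_TO_DSCP_OVERRIDES = {6: 46}


def dscp_to_up(dscp):
    """Wired -> wireless: DSCP (0..63) to WMM user priority (0..7)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP out of range: %r" % dscp)
    return DSCP_TO_UP_OVERRIDES.get(dscp, dscp >> 3)


def up_to_dscp(up):
    """Wireless -> wired: WMM user priority to the DSCP written on the Ethernet side."""
    if not 0 <= up <= 7:
        raise ValueError("user priority out of range: %r" % up)
    return UP_TO_DSCP_OVERRIDES.get(up, up << 3)   # default: class selector CSx


def pcp_from_frame(frame):
    """802.1p PCP of an 802.1Q-tagged Ethernet frame, or None if untagged."""
    if len(frame) < 16 or frame[12:14] != b"\x81\x00":
        return None
    tci = int.from_bytes(frame[14:16], "big")
    return (tci >> 13) & 0x7


def dscp_from_frame(frame):
    """DSCP of the IPv4 packet carried in an (optionally tagged) Ethernet frame, or None."""
    off = 18 if pcp_from_frame(frame) is not None else 14
    if len(frame) < off + 20 or frame[off - 2:off] != b"\x08\x00":
        return None
    if frame[off] >> 4 != 4:
        return None
    return frame[off + 1] >> 2          # TOS byte: 6 bits DSCP, 2 bits ECN


def wired_to_wmm(frame):
    """What the IAP does for a frame arriving from the wire in this model: prefer DSCP,
    fall back to the 802.1p tag, else best effort. Returns (up, access_category)."""
    dscp = dscp_from_frame(frame)
    if dscp is not None:
        up = dscp_to_up(dscp)
    else:
        pcp = pcp_from_frame(frame)
        up = pcp if pcp is not None else 0
    return up, UP_TO_AC[up]


def wmm_to_wired(up):
    """What the IAP writes when forwarding a WMM-marked frame: (DSCP, 802.1p PCP)."""
    return up_to_dscp(up), up


def build_frame(pcp=None, vlan=10, dscp=None, ip=True):
    """Constructed sample frame: Ethernet header [+ 802.1Q tag] and, if ip, a minimal
    20-byte IPv4 header carrying the given DSCP; otherwise a non-IP payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if pcp is not None:
        eth += b"\x81\x00" + ((pcp << 13) | vlan).to_bytes(2, "big")
    if not ip:
        return eth + b"\x88\xb5" + b"\x00" * 46        # local experimental EtherType
    tos = (dscp << 2) if dscp is not None else 0
    ip_hdr = bytes([0x45, tos]) + b"\x00\x14" + b"\x00" * 16
    return eth + b"\x08\x00" + ip_hdr


if __name__ == "__main__":
    for f in (build_frame(pcp=5, dscp=46), build_frame(dscp=34), build_frame(pcp=5, ip=False)):
        print(wired_to_wmm(f))
```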

The Aruba infrastructure can set the appropriate tagging from the IAP to the WLAN client, and from the IAP into the access layer. However, the client must also understand WMM and use the proper tagging and sending mechanisms to ensure that traffic flows appropriately.

QoS on the LAN Edge and Core

The LAN between the IAP and the core must recognize and prioritize DSCP-marked traffic through the network. Similarly, the core must respect the QoS marks from the LAN edge to any multimedia servers.

Aruba QoS Features

In addition to the standards-based features, Aruba supports features that are specific to the Instant solution.

Stateful Firewall

The Aruba Instant firewall module allows policies to be applied to user traffic sessions.


In addition to the functions that are typically associated with firewalls, the Aruba firewall can also reclassify traffic. Firewall policies and Application Layer Gateways (ALGs) allow traffic that is not marked with the correct priority to be dynamically reclassified for proper prioritization.

Media Classification

Apart from ALG support for applications such as SIP and Vocera, the Classify Media feature can also be enabled inside the firewall rule of an IAP to classify and prioritize hard-to-detect applications such as Lync voice and video. These Lync applications use Session Initiation Protocol-Transport Layer Security (SIP-TLS) as the signaling protocol, which means the signaling traffic is encrypted. Encryption makes it harder to detect the type of the application and thus to apply any markings to encrypted traffic. Using the Classify Media feature enables the firewall on the IAP to perform deep packet inspection (DPI) to analyze the packet flows and accurately classify the traffic as Lync voice or video.

It is critical that all devices in the network are capable of QoS and are configured for QoS. Switches and the multimedia servers themselves must mark traffic appropriately. Failure to ensure end-to-end prioritization can cause unpredictable performance for these applications.

Bandwidth Management

Bandwidth management, in general, ensures that each traffic class gets the proper prioritization, but consideration should also be given to the overall bandwidth of the system. Bandwidth management on Aruba Instant can be loosely divided into the two categories listed below:

• Application bandwidth management

• User and network bandwidth management

Application Bandwidth Management

Application bandwidth management is based on WMM classification.

Each traffic class (voice, video, best effort, and background) is allocated a certain percentage of the traffic. This mechanism takes effect during congestion to service queues on a percentage basis. (See Figure 21.)

In the absence of congestion (that is, no traffic queues exist), all four traffic classes are allowed to use the entire available network bandwidth.


Figure 21 Configuring WMM for traffic classes

Configure WMM percentages in networks that have special requirements or when Aruba Technical Support advises you to do so.

User and Network Bandwidth Management

Aruba Instant provides the following user and network bandwidth management options:

• SSID-based bandwidth management: Airtime is allocated to each SSID on the system as a percentage. Each individual SSID is allowed some percentage, with the ability to burst if there is no contention for the medium. (See Figure 22.)


Figure 22 Configuring airtime for SSIDs

Configure an airtime percentage only in networks that have special requirements or when Aruba Technical Support advises you to do so.

• Radio-based bandwidth management: Each radio is allocated a bandwidth amount, which is the aggregate throughput that is provided to all clients that are connected to that radio. (See Figure 23.)


Figure 23 Configuring radio-based bandwidth

Configure radio bandwidth only in networks that have special requirements or when Aruba Technical Support advises you to do so.

• User-based bandwidth management: Each user is allocated a portion of the available bandwidth for their use. (See Figure 24.)


Figure 24 Configuring user-based bandwidth

• Role-based bandwidth management: All users on the Aruba system are assigned a role, and a bandwidth contract is allocated to all users for that particular role. (See Figure 25.)

Figure 25 Configuring role-based bandwidth


Dynamic Multicast Optimization (DMO)

The 802.11 standard states that multicast over WLAN must be transmitted at the lowest supported rate so that all clients can decode it. Also, broadcast and multicast frames are not acknowledged, so these transmission methods use lower (that is, slower) data rates to provide a better chance of reception. The low transmission rate results in increased airtime utilization, and therefore decreased overall throughput for transmissions.

Because multicast is transmitted at a slower rate, it is beneficial to transform multicast traffic into unicast traffic when only a few clients have subscribed to a multicast stream. Transforming multicast traffic into unicast traffic increases the speed of wireless transmissions by using the higher unicast rates.

Figure 26 shows a non-DMO flow versus a DMO flow. Figure 27 is a screen shot of the WLAN settings screen that lets you configure DMO.

Figure 26 Non-DMO flow (left image) versus DMO flow (right image)


Figure 27 Configuring DMO

ARP Broadcast Filter

The ARP broadcast filter converts broadcast ARP requests to unicast requests. The ARP request is directed only to the client that must receive the request. This feature reduces the need to broadcast requests to multiple clients for data that only one client must receive.

If you run multicast applications on the network, disable ARP broadcast filtering to prevent multicast traffic from being dropped on the WLAN. (See Figure 28.)


Figure 28 Configuring ARP broadcast filtering

Design for Plug-and-Play Services

This section describes a particular plug-and-play protocol: Apple Bonjour.

AirGroup is a unique enterprise-class Aruba capability that leverages zero-configuration networking to efficiently enable Bonjour services such as Apple AirPrint and AirPlay from mobile devices. Apple AirPlay and AirPrint services are based on the Bonjour protocol and are essential services in campus Wi-Fi networks.

Zero-configuration networking enables address assignment, service discovery, and name resolution for desktop computers, mobile devices, and network services. Zero-configuration networking is designed for a flat, single-subnet IP network such as a wireless home network.

Bonjour is the trade name for the zero-configuration implementation that Apple introduced. Bonjour is supported by most of the Apple product lines, including the Mac OS X operating system, iPhone, iPod Touch, iPad, Apple TV, and AirPort Express.

Challenges with Multicast DNS

Multicast DNS (mDNS) is a host name resolution service that is implemented by Apple as an alternative to the popular DNS service. When mDNS was introduced, it was intended primarily for local shared networks in which devices could find each other without requiring additional infrastructure on the network such as a DNS server.

The addresses that Bonjour uses are link-scope multicast addresses, so each query or advertisement can be forwarded only on its respective VLAN, but not across different VLANs.

As Bonjour-capable products such as iPods, iPads, iPhones and MacBooks started penetrating enterprise networks, they presented certain challenges:

• In K-12 schools, universities and enterprise networks, it is common for Bonjour-capable devices to connect to the network across VLANs. As a result, an iPad on one VLAN cannot discover an Apple TV that resides on another VLAN, because mDNS traffic in its native form is limited to a Layer 2 network and does not propagate across VLANs.

• Broadcast and multicast traffic are usually filtered out from a WLAN to preserve airtime and battery life. This limitation inhibits the performance of Bonjour services because they rely on multicast traffic.

• Other users on the same VLAN can discover personal devices, which might not be desirable.

The AirGroup Solution

AirGroup is an Aruba-proprietary solution that helps to address the above-mentioned mDNS challenges as follows:

• AirGroup maintains seamless connectivity between clients and services across VLANs and SSIDs.

• Even if broadcast and multicast controls are enabled on an SSID, AirGroup creates special exceptions to send select mDNS traffic across the WLAN to learn about Bonjour services.

• AirGroup on an IAP sends unicast mDNS responses to clients requesting mDNS services on the WLAN. The WLAN carries no downstream multicast traffic, so airtime and client battery life are significantly improved.

You can also integrate AirGroup with the ClearPass Policy Manager (CPPM) to provide these benefits:

• Users can register their personal devices on the network in such a way that they have exclusive access to these devices. They can also define a group of users who can share the registered devices.

• Administrators can register and manage the shared devices of an organization, such as conference room printers and classroom Apple TVs. An administrator can grant global access to each device (for example, Apple TV access for both teachers and students), or restrict access according to the user name, role, or user location.

In the Aruba Instant 4.2 release, Digital Living Network Alliance (DLNA)/Universal Plug and Play (UPnP) devices (which use the Simple Service Discovery Protocol [SSDP] to discover other DLNA/UPnP-based services) are also supported in their native form; that is, DLNA devices can interconnect on the same VLAN. A future Aruba Instant release is expected to support AirGroup functionality for DLNA devices on Aruba Instant, in the same way it is currently supported for mDNS-based Bonjour devices.

AirGroup Capabilities Supported by Aruba Instant

Table 5 summarizes some of the AirGroup capabilities. The Integrated column shows whether the capabilities are supported in Aruba Instant. The Integrated with CPPM column shows capabilities that require ClearPass Policy Manager.

Table 5: AirGroup Capabilities

Features | Instant Deployment Model: Integrated | Instant Deployment Model: Integrated with CPPM
Allow mDNS to propagate across subnets and VLANs | Yes | Yes
Limit multicast mDNS traffic on the network | Yes | Yes
VLAN-based mDNS service filtering | Yes | Yes
User-role-based mDNS service filtering | Yes | Yes
Portal to self-register personal devices | No | Yes
Device-owner-based policy enforcement | No | Yes
Location-based policy enforcement | No | Yes
Shared-user-list-based policy enforcement | No | Yes
Shared-role-list-based policy enforcement | No | Yes

AirGroup Solution Architecture

The distributed AirGroup architecture allows each IAP to handle Bonjour queries and responses individually instead of overloading a virtual controller with these tasks. This type of traffic handling results in a scalable AirGroup solution.

AirGroup in a Single IAP Cluster

Figure 29 shows a configuration example in which IAP1 discovers an AirPrint printer (P1) and IAP3 discovers an Apple TV (TV1). IAP1 advertises information about P1 to the other IAPs (IAP2 and IAP3). Similarly, IAP3 advertises TV1 to IAP1 and IAP2. This type of distributed architecture allows any IAP to respond to its connected devices locally. In this example, the iPad that is connected to IAP2 obtains a direct response from the same IAP about the other Bonjour-enabled services in the network.

Figure 29 Example of an AirGroup in a single IAP cluster

AirGroup in a Single IAP Cluster with ClearPass Policy Manager

You can use ClearPass Policy Manager (CPPM) in an IAP cluster to provide users with a personalized AirGroup experience. You can use the device registration portal under CPPM to register AirGroup devices on the network. These devices can then be used as personal or shared devices on the network.


Figure 30 shows a configuration example in which a network administrator registers an AirPrint printer (P1) and an Apple TV (TV1) on the network through the ClearPass device registration portal, using IT admin credentials. The printer P1 is visible to both users X and Y, whereas TV1 is visible only to user X.

Figure 30 Example of an AirGroup in a single IAP cluster with CPPM

AirGroup in Multiple IAP Clusters

You can configure AirGroup domains to enable AirGroup users on one cluster to access AirGroup servers on another cluster. AirGroup server databases are synchronized between IAP clusters every two minutes.

Figure 31 shows a configuration example in which clusters (also referred to as swarms) 1 and 2 are configured as members of an AirGroup domain. (You configure this on the VC of each cluster.) An iPad that is connected to IAP2 not only has access to servers P1 and TV1 within its own cluster (Swarm 1) but also to servers P2 and TV2 that are connected to IAPs in the neighboring cluster (Swarm 2).


Figure 31 Example of an AirGroup in multiple IAP clusters

When you enable an AirGroup across multiple clusters, the DNS records in the virtual controller of one cluster can be shared with all virtual controllers that are configured for Layer 3 Mobility. (By default, Layer 3 Mobility is disabled.)

Figure 32 is a screen shot of the screen that lets you enable an AirGroup and AirGroup services, and define a ClearPass Policy Manager server.

Figure 32 Configuring AirGroup settings


AirGroup Recommendations

Aruba has the following recommendations for AirGroup:

• In large deployments with many wireless and wired users, many Bonjour services are often advertised, which can consume a significant amount of system resources. In such large deployments, Aruba recommends that you initially enable only the most commonly used AirGroup services, such as AirPlay and AirPrint, and disable the "allowall" service.

• Wired AirGroup devices:

  ◦ All AirGroup devices that are wired on the network must have their VLANs trunked on the access switch to the IAP on which AirGroup is configured. If you do not follow this recommendation, AirGroup does not detect mDNS activity from these wired devices.

  ◦ Tag a wired AirGroup server with location-based attributes such as AP name, AP group, or AP FQLN. For example, if you tag a wired AirGroup server with an AP named AP1, both users that are connected to AP1 and users that are connected to APs that are in the RF neighborhood of AP1 can detect the wired AirGroup server.

  ◦ Port recommendations: Bonjour uses UDP port 5353 for mDNS discovery, whereas application-specific traffic for services such as AirPlay can use dynamically selected port numbers. If you configure role-based or network-based access rules on an SSID, modify these access rules to allow traffic on these ports. Table 6 lists the port numbers for the AirPlay service. Table 7 lists the ports for the AirPrint service.

AirGroup is not supported on a 3G uplink.

Table 6: Static and Dynamic Ports for AirPlay Service

Protocol | Ports
TCP | 554, 5000, 7000, 7100, 8612, 49152-65535
UDP | 554, 7010, 7011, 8612, 49152-65535

AirPlay operates using dynamic ports, but printing protocols such as AirPrint use static ports.


Table 7: Static Ports for AirPrint Service

Protocol | Print Service | Port
TCP | Data stream | 9100
TCP | IPP | 631
TCP | HTTP | 80
TCP | Scanner | 9500
TCP | HTTP-ALT | 8080

Configuring AirGroup

This section provides sample procedures for configuring AirGroup, AirGroup services, and associated features on a Virtual Controller.

Enabling AirGroup

You can enable AirGroup and AirGroup services to advertise services across VLANs:

1. Choose More > Services and then click the Air Group tab.

2. Select the Enable AirGroup check box.

3. Choose the desired AirGroup services (for example, AirPlay and AirPrint) by selecting their check boxes.

4. Click OK.


Filtering Services Based on User Role

You can filter AirGroup services based on a user role. For example, you can prevent students from seeing any Apple TVs on the network:

1. Choose More > Services and then click the Air Group tab.

2. Select the Enable AirGroup check box.

3. Select the airplay check box.

4. Next to airplay disallowed roles, click the Edit link.


5. Select student (which, in this case, is the role to disallow).

6. Click OK.

7. Verify the configuration.

8. Click OK.

Filtering Services Based on VLANs

You can prevent a service such as AirPrint that originates from a particular VLAN from being advertised to other users on the network:

1. Choose More > Services and then click the Air Group tab.

2. Select the Enable AirGroup check box.


3. Select the airprint check box.

4. Next to airplay disallowed vlans, click the Edit link.

5. Enter the VLAN ID.

6. Click OK.

7. Verify the configuration.

8. Click OK.


Creating a “Personalized” WLAN: Registering Personal and Shared Devices on ClearPass

When you enable AirGroup, by default all users in an Instant cluster can see all services that originate within the cluster, irrespective of what user role or VLAN they belong to. However, in many environments, users must have exclusive access to the services that they own.

For example, a student in a campus dorm room might want exclusive access to his Apple TV and AirPrint-enabled printer. Students from neighboring dorm rooms should not be allowed to see these devices.

The student can register these devices on the ClearPass device registration portal and specify whether the devices can be shared by other students or not.

To allow such a configuration, ensure that the Instant VC and ClearPass Guest are properly configured to communicate with each other.

As a network administrator, you can register a classroom Apple TV on the ClearPass "Device Registration Portal" by first configuring the VC and then the ClearPass settings:

1. Choose More > Services and then click the Air Group tab.

2. Select the Enable AirGroup check box.

3. Select the airplay and airprint check boxes.

4. Add a ClearPass server to exchange AirGroup messages between the VC and the ClearPass server.

In the ClearPass Settings section of the screen, next to CPPM server 1, choose New from the dropdown box.


5. On the New Server Screen, enter the IP address and shared key for the ClearPass server.

6. To query and receive updates from the ClearPass server, define an RFC 3576-compliant AirGroup server, which is different from an RFC 3576-compliant authentication server. If a port is already defined for an authentication server, you cannot use that same port for an AirGroup server.

On the New Server screen, enable RFC 3576, specify the AirGroup CoA port, and click OK.

By default, Aruba Instant and the ClearPass server use port 5999 to communicate with each other. You can use another port, provided that you specify the same port on both the Instant VC and the ClearPass server.


7. On the AirGroup screen, in the ClearPass Settings section, select the Enforce ClearPass registration check box.

8. Click OK.

Essentially, on the ClearPass server, you define the AirGroup controller that ClearPass must communicate with and assign the correct AirGroup privileges to users. These users can then log in to the device registration portal and register their devices.

For information about configuring AirGroup settings on ClearPass, including best-practice recommendations, see the AirGroup Deployment Guide and ClearPass User Guide that are available at http://support.arubanetworks.com.

Extending an AirGroup across Instant Clusters

By default, AirGroup services are advertised among IAPs that belong to the same cluster. An iPad that is connected to an IAP in one cluster cannot detect an Apple TV that is connected to an IAP in another cluster.

You can enable sharing of AirGroup services across Instant clusters by completing these configuration steps on the VC of each Aruba Instant cluster:

1. Choose System > Show advanced options and then click the L3 Mobility tab.


2. Define the VCs of all Instant clusters across which AirGroup must be enabled.

3. Click OK.

4. Choose More > Services and then click the Air Group tab.

5. Select the Enable AirGroup across mobility domains check box.


6. Click OK.

Make sure that you complete these configuration steps on the VC for each cluster that participates in AirGroup service sharing.

Content Filtering using OpenDNS

The Content Filtering feature lets you create Internet access policies that allow or deny user access to websites based on website categories and security ratings. With this feature, you can take the following actions:

• Prevent known malware hosts from accessing your wireless network.

• Improve employee productivity by limiting access to certain websites.

• Reduce bandwidth consumption significantly.

Aruba Instant can use your OpenDNS credentials to access OpenDNS and provide enterprise-level content filtering.

You can configure content filtering on an SSID, and you can manually configure up to four enterprise domains. When content filtering is enabled, all DNS requests to non-corporate domains on this wireless network are sent to the OpenDNS server. (See Figure 33 and Figure 34.)


Figure 33 Entering credentials for OpenDNS

Figure 34 Enabling content filtering

To create corporate domain exceptions, ensure that you configure enterprise domains on the VC. When you enable content filtering, all client DNS requests to non-corporate domains are routed to the OpenDNS server. (See Figure 35.)

Figure 35 Configuring enterprise domain names

For information about configuring content filtering, see the Aruba Instant User Guide that is available at the Aruba support website. You can also create policies using the AppRF feature on the IAP.
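The enterprise-domain exception logic described in this section, modelled in Python with constructed sample queries. This is an added example and not Aruba's code: the class and function names are hypothetical, the resolver addresses are placeholders, and only the four-domain limit comes from the text. It also shows why the corporate-domain match has to respect DNS label boundaries: a plain suffix test would route lookups for a look-alike domain to the corporate resolver instead of the filtering one.

```python
"""Model of the content-filtering DNS split: queries for the configured enterprise
domains go to the corporate resolver, everything else goes to OpenDNS.
Added example, not Aruba code. Names are hypothetical; resolver values are placeholders."""

MAX_ENTERPRISE_DOMAINS = 4   # limit stated in the text


def normalize(name):
    """Lower-case and strip the trailing dot so 'Corp.Example.COM.' equals 'corp.example.com'."""
    return name.strip().rstrip(".").lower()


def naive_is_enterprise(qname, domains):
    """Pitfall: a bare suffix test treats 'evilexample.com' as part of 'example.com'."""
    q = normalize(qname)
    return any(q.endswith(normalize(d)) for d in domains)


class ContentFilterPolicy:
    def __init__(self, enterprise_domains, corporate_dns, filtering_dns):
        domains = [normalize(d) for d in enterprise_domains if normalize(d)]
        if len(domains) > MAX_ENTERPRISE_DOMAINS:
            raise ValueError("at most %d enterprise domains are supported" % MAX_ENTERPRISE_DOMAINS)
        self.domains = domains
        self.corporate_dns = corporate_dns   # placeholder for the corporate resolver
        self.filtering_dns = filtering_dns   # placeholder for the OpenDNS resolver

    def is_enterprise(self, qname):
        """Match on DNS label boundaries only: the name equals a domain or ends in '.' + domain."""
        q = normalize(qname)
        return any(q == d or q.endswith("." + d) for d in self.domains)

    def resolver_for(self, qname):
        return self.corporate_dns if self.is_enterprise(qname) else self.filtering_dns

    def route(self, qnames):
        """Map each queried name to the resolver it is sent to."""
        return {q: self.resolver_for(q) for q in qnames}


# Constructed sample configuration and queries (placeholders, not real infrastructure)
POLICY = ContentFilterPolicy(["example.com", "corp.example.net"],
                             corporate_dns="<corporate DNS>", filtering_dns="<OpenDNS>")
SAMPLE_QUERIES = ["intranet.example.com", "EXAMPLE.COM.", "evilexample.com",
                  "mail.corp.example.net", "example.net", "www.unrelated.org"]

if __name__ == "__main__":
    for name, resolver in POLICY.route(SAMPLE_QUERIES).items():
        print("%-24s -> %s" % (name, resolver))
```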


Security Design

When you design an enterprise WLAN, you must determine the following important security aspects:

• How are users authenticated on the network, and how is data secured over the air?

• How is the air monitored, and how do you protect your infrastructure and users from malicious attacks?

In addition, you can restrict user access to the network based on their identity. After users are authenticated on a network, you can assign them different user roles. A user role determines the resources that a user can access on the network.

You can also combine Aruba Instant with the ClearPass system to enforce more granular security policies across the network based on the identity and device type of the user.

For information about ClearPass and how to integrate it with Aruba Instant, see the ClearPass User Guide that isavailable at the Aruba support website.

Authentication and EncryptionA strong understanding of authentication and encryption is essential to deploy a secure and functional WLAN.Evaluate the different options against the goals of the organization and the security and operational requirements thatthe organization operates under. The number of different authentication and encryption options that must besupported also influences the design of theWLAN and the number of SSIDs that must be broadcast.

In general, each new authentication type or encryptionmode that is requiredmeans that youmust deploy anadditional SSID. Each SSID that you deploy appears as an individual AP, and it must send beacons, which uses upvaluable airtime. To preserve radio resources, organizations should consider the types of devices to be deployed andattempt to limit the number of SSIDs.

Depending upon whether you configure an SSID for employee or guest usage, Aruba Instant provides differentauthentication and encryptionmethods:

l Authentication: Aruba Instant supports multiple authenticationmethods. Whichmethod you use depends on thenetwork goals, security requirements, user types, and device types on the network.

Authentication is typically separated into twomodels, Layer 2 and Layer 3. Thesemodels can be combined foradditional authentication.

l Encryption: In addition to authentication, youmust choose an encryptionmethod that protects the over-the-airtransmissions. Aruba strongly recommends using encryption because the wireless transmissions of anorganization can easily be captured or “sniffed” directly in the air during transmission.

Authentication and Encryption for an Employee SSID

This section describes the authentication methods and encryption levels that are available for an SSID for employee usage and provides recommendations for authentication and encryption.

Authentication Methods

When you configure an SSID for employee usage, select one of the following authentication methods:

l Open authentication: Open authentication really means no authentication. The network is available for anyone to join and no keys are required. This form of authentication is often combined with MAC authentication or a Layer 3 authentication method that is used after connection to the network.

Aruba strongly advises against using open authentication in employee networks.

l MAC authentication: MAC authentication is a legacy form of filtering that requires the MAC address of a machine to match a manually defined list of addresses. This form of authentication does not scale past a handful of devices because it is difficult to maintain the list of MAC addresses.


In addition, never rely on MAC authentication as the primary authentication method. With the help of built-in driver tools, it is easy to change the MAC address of a station to match one on the accepted list.

l Personal authentication: Each of the following Layer 2 authentication methods is available as the primary authentication method on an Aruba Instant network and can be combined with MAC authentication. In the latter case, all users that are subject to any of these authentication methods must first pass MAC authentication.

n Wired Equivalent Privacy (WEP): The most common version of WEP is static WEP, for which all stations share a single key for authentication and encryption. Other versions of WEP have different key lengths and dynamic key assignments. As an authentication (and encryption) protocol, WEP was fully compromised in 2001. Aruba recommends that all organizations discontinue the use of WEP and opt for stronger authentication methods.

n Pre-Shared Key (PSK): PSK is part of the WPA/WPA2 Personal certifications. PSK authentication is the most common form of authentication for consumer Wi-Fi routers. Like WEP, the key is used both for authentication and encryption. In enterprise deployments, PSK is often limited to devices that cannot perform stronger authentication. All devices share the same network key, which must be kept confidential. This form of authentication is easy to configure for a small number of devices. However, when more than a few devices must use the key, key management quickly becomes difficult. The key usually must be changed manually on devices, which poses more problems if the number of devices that share a key is very large. When an attacker knows the key, they can connect to the network and decrypt user traffic. Good security practice mandates that the key should be changed whenever someone with access to the key leaves the organization. This key should be complex and be rotated on a regular basis.

n Enterprise authentication: This form of authentication includes 802.1X/EAP, which is part of the WPA/WPA2 Enterprise certifications.

802.1X was developed to secure wired ports by placing the port in a “blocking” state until authentication is completed using the Extensible Authentication Protocol (EAP). The EAP framework allows many different authentication types to be used, the most common being Protected EAP (PEAP), followed by EAP-TLS, which uses server- and client-side certificates.

To secure user credentials, a Transport Layer Security (TLS) tunnel is created and user credentials are passed to the authentication server within the tunnel. When the authentication is complete, the client and the IAP have copies of the keys that are used to protect the user session.

Users can be authenticated using the internal server on Aruba Instant or by redirecting client authentication requests to an external authentication server. Using an external server such as ClearPass provides additional features and additional granularity. Aruba strongly recommends that you use WPA2 for employee authentication.

Authentication Recommendations

Aruba Authentication Recommendations for an Employee SSID summarizes the authentication methods that Aruba recommends for an employee SSID.


Table 8: Aruba Authentication Recommendations for an Employee SSID

Authentication Method   Recommendation
Open                    Not recommended.
MAC Auth                Not recommended as the only authentication method. If required, combine with a restricted user role.
WEP                     Not recommended.
PSK                     Recommended only for devices that do not support stronger authentication.
802.1X/EAP              Recommended for use on all networks. Use TLS if client-side certificate distribution is practical, and use PEAP for all other deployments.

Encryption Levels

When you configure an SSID for employee usage, the following encryption levels are available:

l Open: As the name implies, open networks have no encryption and offer no protection from wireless packet captures. Most hot spot or guest networks are open networks, and the end user is expected to use their own protection methods to secure their transmissions, such as VPN or SSL.

l Personal: The same pre-shared key that is used for authentication is also used for encryption. Based on whether you select WPA Personal or WPA2 Personal for authentication, either TKIP or AES is used for encryption.

n Temporal Key Integrity Protocol (TKIP): The Temporal Key Integrity Protocol (TKIP, part of the WPA Personal certification) was a stopgap measure to secure wireless networks that previously used WEP encryption and whose 802.11 adapters were not capable of supporting AES encryption. TKIP uses the same encryption algorithm as WEP, but TKIP is much more secure and has an additional message integrity check (MIC). Recently some cracks have begun to appear in the TKIP encryption methods. Aruba recommends that all users who use TKIP migrate to AES as soon as possible.

n Advanced Encryption Standard (AES): The Advanced Encryption Standard (AES) encryption algorithm (part of the WPA2 Personal certification) is now widely supported and is the recommended encryption type for all wireless networks that contain any confidential data. AES in Wi-Fi leverages 802.1X or PSK to generate per-station keys for all devices. AES provides a high level of security, similar to what is used by IP Security (IPSec) clients. Aruba recommends that all devices are upgraded or replaced so that they are capable of AES encryption.

n WEP: Though WEP is an authentication method, it is also an encryption algorithm for which all users typically share the same key. As mentioned previously, WEP is easily broken with automated tools, and should be considered no more secure than an open network. Aruba recommends against deploying WEP encryption and strongly encourages organizations that use WEP to migrate to Advanced Encryption Standard (AES) encryption.

l Enterprise: Based on whether you have chosen WPA Enterprise or WPA2 Enterprise for authentication, either TKIP or AES is used for encryption. Dynamic WEP with 802.1X is also an option but not recommended.

Dynamic WEP with 802.1X was intended as an enhancement to make WEP more secure. However, dynamic WEP with 802.1X has many security shortcomings and is not secure. Aruba recommends against deploying dynamic WEP with 802.1X.


Encryption Recommendations

Aruba Encryption Recommendations for an Employee SSID summarizes the Aruba recommendations for encryption on Wi-Fi networks. Full 802.11ac and 802.11n rates are available only when you use either open (that is, no encryption) or AES encryption because WEP and TKIP limit the WLAN connection speed to 54 Mb/s.

Table 9: Aruba Encryption Recommendations for an Employee SSID

Encryption Type   Recommendation
Open              Not recommended for use.
WEP               Not recommended for use.
TKIP              Not recommended for use.
AES               Recommended for all deployments.

Authentication and Encryption for a Guest SSID

This section describes the authentication methods and encryption levels that are available for an SSID for guest usage and provides recommendations for authentication and encryption.

Authentication Methods

When you configure an SSID for guest usage, select one of the following authentication methods:

l Open authentication: Open authentication actually means no authentication. The network is available for anyone to join and no keys are required. This form of authentication is often combined with a Layer 3 authentication method (a captive portal) that is used after connection to the network. You can combine MAC authentication with Layer 3 authentication.

l PSK authentication: In some guest deployments, PSK is used to provide a minimum amount of protection for guest sessions, and authentication is performed by a Layer 3 mechanism. The PSK key should also be rotated on a regular basis.

l Wireless Internet Service Provider roaming (WISPr) authentication: This type of authentication allows WISPr-enabled clients to connect to the guest network.

l Captive portal (splash page): After guest users access the network, they can be presented with a captive portal on their web browser. The captive portal requires the guest user to register or supply guest login credentials before allowing them to browse the web. After registration and authentication, guests are usually placed in limited-access roles that allow basic web browsing but deny access to any of the internal resources of the enterprise.

As a network administrator, you can choose between the internal captive portal and an external captive portal. Aruba Instant supports a built-in internal captive portal with limited customization. For advanced guest services and highly customizable captive portal pages, Aruba recommends that you use an external captive portal server such as ClearPass Guest.

l Captive portal plus MAC authentication: When MAC authentication is enabled, MAC authentication is performed before captive portal authentication. If MAC authentication passes, captive portal authentication can be skipped.

The internal captive portal on Aruba Instant is customizable, but Aruba recommends that you use ClearPass Guest for advanced guest services.


Authentication Recommendations

Aruba Authentication Recommendations for a Guest SSID summarizes the authentication methods that Aruba recommends for a guest SSID.

Table 10: Aruba Authentication Recommendations for a Guest SSID

Authentication Method   Recommendation
Open                    Recommended for guest networks in conjunction with a higher-level authentication method, such as captive portal.
PSK                     Can be used if you must restrict who connects to the guest network or if you must limit DHCP scope exhaustion by drive-by devices. PSK on the guest network increases the management overhead and does not guarantee security.
WISPr                   Used in WISPr deployments, common in public venues such as airports.
Captive Portal          Recommended for guest networks if certain policies must be accepted to use the network or a common logon page is required.

Encryption Levels

When you configure an SSID for guest usage, select one of the following encryption levels:

l Open: As the name implies, open networks have no encryption and offer no protection from wireless packet captures. Most hot spot or guest networks are open networks, and the end user is expected to use their own protection methods to secure their transmissions, such as VPN or SSL.

l Personal: The same pre-shared key that is used for authentication is also used for encryption. Based on whether you select WPA Personal or WPA2 Personal for authentication, either TKIP or AES is used for encryption. You can also select WEP, but this is not recommended.

Encryption Recommendations

Aruba Encryption Recommendations for a Guest SSID summarizes the Aruba recommendations for encryption on Wi-Fi networks. Full 802.11ac and 802.11n rates are available only when you use either open (that is, no encryption) or AES encryption because WEP and TKIP limit the WLAN connection speed to 54 Mb/s.

Table 11: Aruba Encryption Recommendations for a Guest SSID

Encryption Type   Recommendation
Open              Recommended for guest networks.
PSK               Using PSK on the guest network increases the management overhead and does not guarantee security.
                  l WPA2 Personal: Recommended for all deployments that use PSK for a guest SSID.
                  l WPA Personal: Not recommended for use.
                  l WEP: Not recommended for use.
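Tables 8 to 11 are easy to apply by hand to one SSID and easy to forget across a dozen. The following added example (not Aruba's code and not from the guide) encodes the employee and guest recommendations as an audit that runs over SSID definitions and returns findings with a severity, plus the rate note that WEP and TKIP cap the WLAN at 54 Mb/s. The field names, severity labels and the sample SSIDs are this example's own constructions; the rules themselves follow the tables above.

```python
# Added example, not part of the Aruba Instant guide: an audit of SSID
# authentication and encryption settings against Tables 8 to 11.

from dataclasses import dataclass
from typing import List, Tuple

Finding = Tuple[str, str]   # (severity, message); severity is "fail", "warn" or "info"


@dataclass
class Ssid:
    name: str
    usage: str                      # "employee" or "guest"
    auth: str                       # "open", "mac", "wep", "psk", "802.1x", "wispr"
    encryption: str                 # "open", "wep", "tkip", "aes"
    captive_portal: bool = False    # Layer 3 authentication after association
    restricted_role: bool = False   # MAC-authenticated users land in a restricted user role


def _audit_employee(s: Ssid) -> List[Finding]:
    f: List[Finding] = []
    if s.auth == "open":
        f.append(("fail", "open authentication is not recommended on employee SSIDs"))
    elif s.auth == "mac":
        if s.restricted_role:
            f.append(("warn", "MAC authentication is weak; keep these users in the restricted role"))
        else:
            f.append(("fail", "MAC authentication must not be the only authentication method"))
    elif s.auth == "wep":
        f.append(("fail", "WEP authentication is not recommended"))
    elif s.auth == "psk":
        f.append(("warn", "PSK only for devices that cannot do 802.1X; keep the key complex and rotate it"))
    elif s.auth != "802.1x":
        f.append(("fail", f"unsupported employee authentication method {s.auth!r}"))
    if s.encryption != "aes":
        f.append(("fail", f"{s.encryption} encryption is not recommended on employee SSIDs; use AES"))
    return f


def _audit_guest(s: Ssid) -> List[Finding]:
    f: List[Finding] = []
    if s.auth == "open" and not s.captive_portal:
        f.append(("warn", "open guest SSID should be combined with a captive portal"))
    elif s.auth == "psk":
        f.append(("warn", "PSK on a guest SSID adds management overhead and does not guarantee security"))
        if s.encryption != "aes":
            f.append(("fail", "PSK guest SSIDs should use WPA2 Personal (AES); WPA Personal and WEP are not recommended"))
    elif s.auth not in ("open", "wispr"):
        f.append(("fail", f"unexpected guest authentication method {s.auth!r}"))
    if s.encryption in ("wep", "tkip"):
        f.append(("fail", f"{s.encryption} encryption is not recommended on guest SSIDs"))
    return f


def audit_ssid(s: Ssid) -> List[Finding]:
    """Return every finding for one SSID; an empty list means it matches the recommendations."""
    if s.usage == "employee":
        findings = _audit_employee(s)
    elif s.usage == "guest":
        findings = _audit_guest(s)
    else:
        return [("fail", f"unknown SSID usage {s.usage!r}")]
    if s.encryption in ("wep", "tkip"):
        findings.append(("info", "WEP and TKIP limit the WLAN to 54 Mb/s; 802.11n/ac rates need open or AES"))
    return findings


def worst(findings: List[Finding]) -> str:
    """Collapse a finding list to one verdict: fail > warn > info > ok."""
    order = {"fail": 3, "warn": 2, "info": 1}
    return max((sev for sev, _ in findings), key=lambda sev: order[sev], default="ok")


if __name__ == "__main__":
    sample = [   # constructed SSID definitions
        Ssid("corp", "employee", "802.1x", "aes"),
        Ssid("legacy-scanners", "employee", "psk", "tkip"),
        Ssid("guest", "guest", "open", "open", captive_portal=True),
        Ssid("guest-psk", "guest", "psk", "wep"),
    ]
    for s in sample:
        findings = audit_ssid(s)
        print(f"{s.name:16s} {worst(findings):5s} {[m for _, m in findings]}")
```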


Wireless Intrusion Detection and Prevention

Intrusion detection and prevention features are built into an Aruba IAP to help monitor the RF spectrum and the infrastructure network for the presence of unauthorized network devices (intrusion detection) and take appropriate measures to prevent any security breaches on the network (intrusion prevention).

Wireless security can be a complex topic with many different options, and it can be difficult to manage the wide range of Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) options that are available. To make things easier for users, a set of powerful, yet simple-to-use wizards are available in Aruba Instant. These wizards provide reasonable default values and help you step through the available configuration options.

You can select a default template that provides an acceptable level of security for the network or create a customized set of options. The wizard simplifies the selection of security options and helps to eliminate errors in the configuration. For more information about these wizards, see IDS Wizard and IPS Wizard.

Intrusion Detection System (IDS)

The Intrusion Detection System (IDS) on the IAP monitors the network for the presence of unauthorized APs and clients, logs information about these devices, and generates reports based on the logged information. The IDS lets you detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations.

The IDS function is divided into the following components:

l Infrastructure IDS: For the network to function as intended, attacks on the infrastructure must be detected and mitigated. Aruba considers the infrastructure to consist of authorized APs, the RF medium itself, and the wired network that the APs attach to.

l Client IDS: The Aruba system must also monitor the clients that attach to the network. Any client that associates to the network, passes authentication, and is using encryption is considered a valid station. The system looks for various attack signatures, such as hotspotter and TKIP replay attacks that are targeted at clients that are attached to the wireless network. The system can also watch for valid stations that attempt to attach to rogue or neighboring APs.

IDS Dashboard

The IDS dashboard presents an overview of the security for the whole network. This dashboard provides a view into the status of APs and clients and provides a classification of rogue and interfering APs.

The built-in IDS scans for APs that are not controlled by the virtual controller (VC). These APs are listed and classified as either interfering or rogue, depending on whether they are on a foreign network (that is, a different VLAN or subnet than that of the IAP) or on the same network (that is, the same VLAN or subnet as the IAP):

l Interfering AP: An AP that is detected in the RF environment but that is not connected to the wired network. Although an interfering AP can potentially cause RF interference, it is not considered a direct security threat, because it is not connected to the wired network. However, an interfering AP can be reclassified as a rogue AP.

l Rogue AP: An unauthorized AP that is connected to the wired side of the network.

For classification to work, all potential VLANs on which a rogue AP could be connected must be trunked to IAPs.
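The interfering-versus-rogue distinction above comes down to evidence of a wired connection, and the last sentence explains why that evidence depends on trunking. The following added example (not Aruba's code; the guide does not describe the internal heuristics of the IAP) implements a simplified classifier: every AP heard over the air that the VC does not manage starts as interfering and is reclassified as rogue once its BSSID, or the MAC of one of its associated clients, is seen in wired-side traffic on a VLAN that is trunked to the IAP. The evidence rule, the MAC addresses, SSIDs and VLAN numbers are all constructed for the example. Note in the sample run how a sighting on a VLAN that is not trunked leaves the AP classified as interfering.

```python
# Added example, not part of the Aruba Instant guide: a simplified
# interfering/rogue classifier driven by over-the-air scans and wired-side
# MAC sightings on the VLANs trunked to the IAP.

from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass
class HeardAp:
    bssid: str
    ssid: str
    channel: int
    clients: Set[str] = field(default_factory=set)   # MACs of stations associated to it


@dataclass
class WiredSighting:
    mac: str      # source MAC seen on the wire
    vlan: int     # VLAN the frame arrived on


def norm_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


class RogueClassifier:
    def __init__(self, managed_bssids: Iterable[str], trunked_vlans: Iterable[int]):
        self.managed = {norm_mac(b) for b in managed_bssids}   # our own APs
        self.trunked = set(trunked_vlans)                      # VLANs the IAP can see
        self.wired_macs: Set[str] = set()
        self.state: Dict[str, str] = {}                        # bssid -> "interfering" | "rogue"

    def observe_wired(self, sightings: Iterable[WiredSighting]) -> None:
        """Record wired-side MACs. Frames on VLANs that are not trunked to the IAP
        never reach it, which is why the guide requires every VLAN a rogue could
        use to be trunked; those sightings are dropped here for the same reason."""
        for s in sightings:
            if s.vlan in self.trunked:
                self.wired_macs.add(norm_mac(s.mac))

    def classify(self, heard: Iterable[HeardAp]) -> Dict[str, str]:
        """Update and return the classification of every unmanaged AP heard."""
        for ap in heard:
            bssid = norm_mac(ap.bssid)
            if bssid in self.managed:
                continue                      # controlled by the VC, not a candidate
            on_wire = bssid in self.wired_macs or any(
                norm_mac(c) in self.wired_macs for c in ap.clients)
            if on_wire:
                self.state[bssid] = "rogue"   # reclassification from interfering to rogue
            else:
                self.state.setdefault(bssid, "interfering")
        return dict(self.state)

    def rogues(self) -> List[str]:
        return sorted(b for b, s in self.state.items() if s == "rogue")


if __name__ == "__main__":
    # constructed data: one managed AP, two foreign APs, VLANs 10/20/30 trunked
    clf = RogueClassifier(managed_bssids=["00:11:22:33:44:01"], trunked_vlans=[10, 20, 30])
    heard = [
        HeardAp("AA:BB:CC:00:00:01", "coffee-shop", 6, {"de:ad:be:ef:00:01"}),
        HeardAp("AA:BB:CC:00:00:02", "free-wifi", 11, {"de:ad:be:ef:00:02"}),
        HeardAp("00:11:22:33:44:01", "corp", 1),
    ]
    print("first scan :", clf.classify(heard))
    # a client of the second AP shows up on trunked VLAN 20; the first AP's client
    # is only seen on VLAN 99, which is not trunked and therefore invisible
    clf.observe_wired([WiredSighting("DE-AD-BE-EF-00-02", 20),
                       WiredSighting("de:ad:be:ef:00:01", 99)])
    print("second scan:", clf.classify(heard))
    print("rogues     :", clf.rogues())
```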


Figure 36 Detected foreign access point and clients

IDS Wizard

The WIP wizard that is shown in Security Design provides the options to enable, define, and change these items:

l Detection options for infrastructure attacks

l Detection options for WLAN client attacks

Figure 37 Detection settings of the WIP wizard

The detection setting on the WIP wizard for the infrastructure and the client can be turned off or set to a predefined high, medium, or low level. The WIP wizard also allows custom settings. The high detection setting enables all applicable detection mechanisms. The medium setting enables some important detection mechanisms, and the low setting enables only the most critical detection mechanisms.

Aruba IDS Recommendations

Aruba recommends this WIP wizard setting for detection:

To ensure that the most critical attacks are detected, set the detection to “Low” and then customize the settings based on your needs. Setting the detection to “Medium” or “High” results in false positives or too many alerts.


Intrusion Prevention System (IPS)

The Intrusion Prevention System (IPS) is the second security function built into the IAP. The IPS determines the measures that must be taken to mitigate the security breaches that are identified on the Aruba Instant network.

IPS Wizard

The WIP wizard that is shown in Security Design provides the options to enable, define, and change these items:

l Protection options for infrastructure attacks

l Protection options for WLAN client attacks

Figure 38 Protection settings of the WIP wizard

The protection setting on the WIP wizard for the infrastructure and the client can be turned off or set to a predefined high or low level. The WIP wizard also allows custom settings. The high setting enables all applicable protection mechanisms, and the low setting enables only the most critical protection mechanisms.

Security requirements are specific to each organization. To enable rogue AP containment, you can set the slider bar under Infrastructure to “Low” or you can enable “rogue-containment” using the custom settings.

Under Advanced Options, these two containment methods are available:

l Wired containment: When enabled, IAPs generate ARP packets on the wired network to contain wireless attacks. These ARP packets poison rogue devices.

l Wireless containment: When enabled, Aruba Instant attempts to disconnect all clients that are connected or that are attempting to connect to an identified AP. Two wireless containment mechanisms are supported:

n Deauthentication containment: The AP or client is contained by disrupting the client association on the wireless interface.

n Tarpit containment: The AP is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel or a different channel as the AP that is being contained.


For containment, you do not need to have a dedicated AM. An IAP that functions in access mode can contain rogue devices. For wireless containment with an IAP that functions in access mode, the preferred method is tarpit containment. Deauthentication containment works more effectively for AMs. Wired containment with ARP poisoning is also effective for wireless clients and works for both AMs and IAPs that function in access mode.

Aruba IPS Recommendations

Consult an RF security expert and your legal department to determine the security needs and legal implications before enabling containment.

Aruba recommends this WIP wizard setting for protection:

Enable all critical attacks that are defined in the lowest setting and then customize them to meet the needs of your network. If you enable all WIP protection features, too many alarms can interfere with the performance of your network and neighboring WLANs.


Chapter 4
Designing Distributed Enterprise Networks with Aruba Instant

You can broadly classify distributed enterprise deployments into branch office deployments and home office deployments, both of which differ in design and requirements. This chapter describes in detail how you can use Aruba Instant to design a branch office deployment and a home office deployment.

Branch Office Deployments

A branch office is a location other than the main office, where business is conducted. The term ‘branch’ means different things to different organizations. For a retail chain, the term ‘branch’ represents all the stores that serve customers, whereas for a traditional hi-tech enterprise, a branch represents an offsite location where employees and contractors come to accomplish day-to-day work.

Though the use cases and requirements of branch office networks vary across organizations, the key goal of any branch office network is to support some or all of the following tasks:

l Provide secure employee access

l Provide guest access

l Support different application types such as voice and video

l Support different device types, from mobile devices to printers, kiosks, and security cameras

l Comply with standards such as PCI, HIPAA, CALEA, and so on

l Secure sensitive data

l Provide high availability

In terms of user and device density, branch office deployments are usually small and can be supported with a few APs. A key requirement that influences the design of a distributed enterprise is the need to secure sensitive corporate data that traverses the link between the remote site and the data center. To securely interconnect branches, organizations have multiple WAN options such as leased lines, MPLS networks, and VPN over the public internet. Connecting branches using leased lines is expensive, and the cost is not justified when compared to other technologies. Common choices for organizations to interconnect their branches are MPLS networks and VPN over Internet broadband services, such as DSL, 3G/4G, and cable services.

Though MPLS is a form of VPN, the term VPN in this document refers to the WAN that is created by using encrypted tunnels over the public internet.

The decision to use VPN versus MPLS for branch connectivity is based on factors such as cost, security policies, and service availability. To simplify the design discussion, this chapter describes branch office deployments in the following categories:

l MPLS-based branch deployments

l VPN-based branch deployments

The physical design of a branch network with Aruba Instant is often influenced by the number of IAPs that are required to support a branch. Depending on the user and device density and the size of the branch, the number of IAPs that are required to support a branch office might vary from a single AP to a few IAPs. Typically, any branch that requires more than 20 IAPs falls in the realm of small enterprises. This section describes branch office deployments of 20 or fewer IAPs. You can classify the physical design options that are available with Aruba Instant for branch office networks as follows:


l Single-AP branches

l Multi-AP branch

Single AP Branch

Single-AP branches are those that are supported by a single AP. These are branches with 30 or fewer wireless users and a few wired devices. Examples of a single-AP branch include home offices, home-based call centers, small retail stores of a coffee or restaurant chain, mobile clinics, offsite offices of law firms, realty groups, and so on.

In addition to wireless access, some single-AP deployments require support for a few wired devices. Therefore, IAP models with extra wired ports are ideal for these deployments because they simplify the network design and eliminate the need for additional switching equipment. Select an IAP model based on whether a branch requires wireless only or wired and wireless access, and consider factors such as wireless performance, AP mounting (ceiling, wall, or table mount), wired port requirements, and uplink type (Ethernet uplink or 3G/4G USB modem). For information about the available IAP models, see Aruba Instant.

Branch Office Deployments shows a typical single-AP deployment. In a single-AP deployment, the IAP serves both the wireless and wired clients. The uplink Ethernet port of the IAP is directly plugged into the WAN uplink, eliminating the need for additional networking infrastructure at the branch.

Figure 39 Typical single-AP deployment

With Aruba Instant, you can choose between multiple uplinks. Aruba Instant supports Ethernet-based WAN uplinks, 3G/4G uplinks, and Wi-Fi uplinks. Being able to choose from multiple uplinks in a single-AP deployment allows you to select the appropriate uplink based on service availability and lets you set up uplink redundancy. For more information about Aruba Instant uplinks, see the Aruba Instant User Guide that is available at the Aruba support website.

You can apply a single-AP design to both MPLS and VPN-based branch deployments.

Multi AP Branch

Branches that require more than a single AP to support the end users and devices are considered multi-AP branches. The number of IAPs that are required by a multi-AP branch depends on the size of the branch and the user and device density. Aruba Instant provides the following physical design options for multi-AP branches:

l Hierarchical mode design


l Flat mode design

Whether you select one option over the other is related to the number of IAPs that are required to support the branch.

Hierarchical Mode Design

Some multi-AP branches are small enough to be covered by four or fewer APs and to be deployed in hierarchical mode or flat mode. In hierarchical mode, you can use the downlink ports of a multi-port IAP that is connected to the WAN uplink as an uplink for other IAPs and wired devices in order to extend the network. The IAP that is connected to the WAN uplink (called the root IAP) functions as the wired device for the network, provides DHCP services, and provides a Layer 3 connection to the ISP WAN uplink with NAT. The root IAP is always the master of the Aruba Instant network. The downlink port of the root IAP that connects to other IAPs can be a trunk or an access port that is configured with a VLAN in local mode without authentication. The local mode VLAN functions as the AP VLAN for the member IAPs that are connected to the root IAP of the hierarchical mode design. For information about local mode, see Instant-VPN: Local Mode.

Only one IAP (the root IAP) in the network uses its downlink port to connect to the other IAPs. That is, IAPs in hierarchical mode should not be deployed in a daisy-chain fashion.

For hierarchical mode, the IAP that connects to the branch uplink must be a multi-port IAP like the RAP-155. Aruba does not recommend using hierarchical mode for multi-AP branches that require five or more IAPs. Hierarchical mode is useful if a managed uplink switch is not available. In hierarchical mode, you can configure the uplink IAP for uplink redundancy with alternate uplinks such as a secondary Ethernet uplink or a 3G/4G uplink.

If a managed uplink switch is available, Aruba recommends that you deploy the IAPs in flat mode.

In general, hierarchical mode design is more applicable to VPN-based branch deployments than to MPLS-based deployments. MPLS-based deployments have either a single-AP design or a multi-AP design in flat mode. A typical hierarchical deployment consists of the following components:

l A direct wired WAN ISP connection or a 3G/4G uplink to the root IAP.

l One or more DHCP pools for member IAPs (that is, one or more AP VLANs for member IAPs) and wired and wireless user VLANs.

l One or more downlink ports that are configured on a private VLAN (in local mode) without authentication to connect to member IAPs. Note the following guidelines for downlink ports:

n If the AP VLAN and wireless user VLANs are different, which is true for many deployments, the downlink port of the root IAP to which the member IAPs connect must be a trunk port with the AP VLAN as the native VLAN.

n You can configure additional downlink ports of the root IAP with an appropriate VLAN and authentication for wired clients.

n Ensure that the downlink port that is configured for IAP access is not used for any wired client connection.

Branch Office Deployments and Branch Office Deployments are examples of the hierarchical mode design.


Figure 40 Hierarchical mode design with IAPs

Figure 41 Hierarchical mode design with IAPs and an unmanaged switch

Flat Mode Design

Flat mode design is the default deployment model for a multi-IAP network. This mode is recommended for all branch networks that require five or more IAPs. In this mode, all IAPs that support a branch are plugged into an uplink switch. This physical network design is the same as the design that is used in small and medium enterprises. If the IAP must support multiple VLANs or if the client VLAN and the AP VLAN are separate, the IAPs must be trunked to an uplink switch that is VLAN-aware. That is, if the Aruba Instant cluster is required to support multiple VLANs, the uplink switch must be a managed switch. For example, if the AP VLAN is VLAN 10, the employee VLAN is VLAN 20, and the guest VLAN is VLAN 30, the IAP should be trunked to the uplink switch with native VLAN 10 and tagged VLANs 20 and 30.

No encapsulation tunnels exist between IAPs in an Aruba Instant cluster. The traffic that is generated by the IAPs and clients in a cluster is forwarded on the respective AP and client VLANs.
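The same port rule appears three times in this chapter: the flat-mode uplink above (trunk with the AP VLAN native and the client VLANs tagged, on a managed switch), the root IAP downlink in hierarchical mode when the AP VLAN and user VLANs differ, and the rogue-classification requirement earlier in the Security Design section that every VLAN a rogue AP could attach to must be trunked to the IAPs. The following added example (not Aruba's code and not from the guide) checks a port definition against those requirements and reports each gap; the field names and the sample VLAN numbers are constructed, and the VLAN 10/20/30 case reproduces the example above.

```python
# Added example, not part of the Aruba Instant guide: validates an uplink or
# root-IAP downlink port against the VLAN requirements of an Instant cluster.

from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class PortConfig:
    mode: str                               # "access" or "trunk"
    native_vlan: int
    tagged_vlans: Set[int] = field(default_factory=set)
    managed_switch: bool = True             # False for an unmanaged, VLAN-unaware switch


@dataclass
class ClusterVlans:
    ap_vlan: int                            # VLAN the IAPs themselves live on
    client_vlans: Set[int]                  # SSID and wired-client VLANs the IAPs serve
    rogue_vlans: Set[int] = field(default_factory=set)   # VLANs a rogue AP could plug into


def vlans_reaching_iap(port: PortConfig) -> Set[int]:
    """VLANs whose traffic the IAP can see through this port."""
    if port.mode == "access":
        return {port.native_vlan}
    return {port.native_vlan} | set(port.tagged_vlans)


def check_port(port: PortConfig, need: ClusterVlans) -> List[str]:
    """Return a list of problems; an empty list means the port satisfies the design."""
    problems: List[str] = []
    needs_multiple = bool(need.client_vlans - {need.ap_vlan})
    if needs_multiple and not port.managed_switch:
        problems.append("multiple VLANs require a managed, VLAN-aware uplink switch")
    if needs_multiple and port.mode != "trunk":
        problems.append("client VLANs differ from the AP VLAN: port must be a trunk")
    if port.native_vlan != need.ap_vlan:
        problems.append(f"native VLAN {port.native_vlan} must be the AP VLAN {need.ap_vlan}")
    if port.mode == "trunk" and need.ap_vlan in port.tagged_vlans:
        problems.append("AP VLAN must be native, not tagged")
    reach = vlans_reaching_iap(port)
    missing_clients = sorted(need.client_vlans - reach)
    if missing_clients:
        problems.append(f"client VLANs not carried on the port: {missing_clients}")
    missing_rogue = sorted(need.rogue_vlans - reach)
    if missing_rogue:
        problems.append(f"rogue classification blind on VLANs: {missing_rogue}")
    return problems


if __name__ == "__main__":
    # constructed design: AP VLAN 10, employee 20, guest 30; rogues could also use 40
    need = ClusterVlans(ap_vlan=10, client_vlans={20, 30}, rogue_vlans={10, 20, 30, 40})
    candidates = {
        "trunk native 10, tagged 20/30":    PortConfig("trunk", 10, {20, 30}),
        "trunk native 10, tagged 20/30/40": PortConfig("trunk", 10, {20, 30, 40}),
        "access VLAN 10 on unmanaged switch": PortConfig("access", 10, managed_switch=False),
        "trunk native 1, everything tagged": PortConfig("trunk", 1, {10, 20, 30, 40}),
    }
    for label, port in candidates.items():
        print(f"{label}: {check_port(port, need) or 'OK'}")
```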


Flat mode design is applicable to both MPLS-based and VPN-based branch deployments.

Figure 42 shows an example of a flat mode design.

Figure 42 Flat mode design

The logical network design options that are available with Aruba Instant vary for MPLS-based branch deployments and VPN-based branch deployments and are described in the following sections.

MPLS-Based Branch Deployments with Aruba Instant

MPLS is popular in distributed enterprises such as healthcare that have several critical latency-sensitive applications. Some key benefits of MPLS are high availability, security, guaranteed SLAs, and QoS. When organizations use an MPLS backhaul for branch connectivity, the MPLS backbone is provided by a service provider. In these deployments, the MPLS service provider is also responsible for securing the customer data traversing the MPLS network, handling the complex WAN routing issues, and honoring the SLAs, QoS, and high-availability requirements of the WAN.

Depending on the size of the branch, the physical design of the Aruba Instant network in an MPLS-based branch deployment can either be a single-AP design or a multi-AP design in flat mode.

Aruba Instant supports VPN functionality. However, VPN functionality is not required in an MPLS-based deployment because data security over the WAN is handled by the MPLS provider. Therefore, the logical design of an Aruba Instant network in an MPLS-based branch deployment differs from that of a VPN-based branch deployment. A typical branch office network that connects to the MPLS backbone has the following network components:

l Network access devices: Network access devices include the WLAN system and switches that provide network access to IAPs and end-user devices.

l Customer edge router: The customer edge (CE) router is the router that interfaces with the provider edge (PE) router. The provider edge router is an interface between the MPLS-based backhaul and the customer branch network. The CE router at each branch injects the branch routes to the PE router using protocols such as Open Shortest Path First (OSPF). The PE router connects to the MPLS core of the provider (P) routers and other PE routers and interconnects the branch networks.

l Network services: Depending on the type and size of the branch, network services such as DHCP, DNS, and RADIUS are localized to the branch or centralized at a data center.


In MPLS-based deployments, the branches are served by a dedicated local or centralized DHCP server and the Aruba Instant network need not provide any DHCP services. The main function of the Aruba Instant WLAN system in these types of branches is to provide secure client access and forward the appropriate traffic to the uplink network.

The following use cases describe the most common logical design options for MPLS-based branch deployments.

Use Case 1: Wireless Employee Access and Guest Access

This is a typical use case in MPLS-based branch deployments in which the WLAN system is required to provide employee and guest access, and forward traffic on the appropriate VLAN to an uplink managed switch.

The following requirements and components are common in this type of design:

l Dedicated VLAN for employee access (with WPA2 security)

l Role-based access and BYOD for employees

l Dedicated VLAN for guests

l Captive portal for guest authentication and authorization

l Centralized or local DHCP and RADIUS services (a WLAN system is not required to provide DHCP services)

l IAPs on a dedicated AP VLAN

l Uplink managed switch for IAPs and wired clients

l CE router to interface with the MPLS backbone

The Aruba Instant solution for this type of requirement is as follows:

l Employee SSID with appropriate authentication (WPA2-Enterprise) that is mapped to the employee VLAN. After enforcing the appropriate firewall policies, the IAPs bridge the employee traffic to the employee VLAN on the uplink switch.

l Role-based access and BYOD for employees on the employee SSID. For more information about role-based access and BYOD on an Aruba Instant network, see the Aruba Instant User Guide that is available at the Aruba support website.

l Guest SSID that is mapped to the appropriate VLAN and captive portal authentication. (This applies only to environments that require guest access.) Guests can be supported with the internal captive portal page and guest management features that are supported by Aruba Instant or a centralized ClearPass server. For information about guest access, see the Aruba Instant User Guide available at the Aruba support website. After enforcing the appropriate firewall policies, the IAPs bridge the guest traffic to the guest VLAN on the uplink switch.

l As an option, dynamic RADIUS proxy in environments in which adding all IAPs as NAS clients to a RADIUS server is not feasible. For more information about dynamic RADIUS proxy, see Dynamic RADIUS Proxy.

l Uplink switch and CE router for traffic engineering.

Use Case 2: Wireless Employee Access and Guest Access with the Ability to Tunnel the Guest Traffic to a Central DMZ

Use case 2 is common if the security policy of an organization requires that all the guest traffic from branches is handled at a central Demilitarized Zone (DMZ). These requirements and components are common in this type of design:

l Employee Access (WPA2 security) with a dedicated VLAN

l Role-based access and BYOD for employees

l Guest access on a dedicated VLAN

l Captive portal for guest access with a central captive portal server

l Tunneling of all guest traffic to a DMZ for centralized handling of guest traffic


l Dedicated centralized or local DHCP and RADIUS services for employee access

l Central DHCP service for guest access

l IAPs on a dedicated AP VLAN

l Uplink managed switch for IAPs and wired clients

l CE router to interface with the MPLS backbone

The typical Aruba Instant solution for this type of requirement is as follows:

l Employee SSID with appropriate authentication (WPA2-Enterprise) that is mapped to the employee VLAN. After enforcing the appropriate firewall policies, the IAPs bridge the employee traffic to the employee VLAN on the uplink switch. For example, if all employee traffic on the employee SSID must be forwarded to employee VLAN 20 on the uplink switch, the employee SSID must be mapped to VLAN 20.

l Role-based access and BYOD for employees on the employee SSID. For more information about role-based access and BYOD on an Aruba Instant network, see the Aruba Instant User Guide that is available at the Aruba support website.

l Uplink switch and CE router for traffic engineering of employee traffic.

l As an option, dynamic RADIUS proxy in environments in which adding all IAPs as NAS clients to a RADIUS server is not feasible. For more information about dynamic RADIUS proxy, see Dynamic RADIUS Proxy.

l Guest SSID with captive portal authentication to tunnel the guest traffic to an Aruba controller in the DMZ, using the following Generic Routing Encapsulation (GRE) capabilities on Aruba Instant:

n To tunnel guest traffic using GRE, the guest SSID must be configured with a VLAN in centralized Layer 2 mode and the Aruba Instant cluster must be configured for GRE. For more information about centralized Layer 2 mode, see Instant-VPN: Centralized L2 Mode.

n Aruba Instant supports either Auto-GRE with Aruba controllers or a manual GRE configuration with Aruba controllers and other GRE endpoints. Aruba recommends Auto-GRE because it simplifies the network design by eliminating manual configuration of GRE tunnels for each branch or each individual IAP.

n Aruba Instant supports either per-AP GRE tunnels or a single GRE tunnel (that is, a setup from the master AP of the cluster) for an Aruba Instant cluster. For information about GRE in Aruba Instant, see Appendix B: GRE with Aruba Instant.

n If you configure a single GRE tunnel for an Aruba Instant cluster, the GRE tunnel is initiated by the master AP of that cluster. If you use a multi-AP flat mode design with a single GRE tunnel, the guest traffic from the member IAPs must first reach the master AP before it is tunneled to the DMZ controller. The uplink switch that connects the IAPs must support the guest VLAN because the guest traffic from the member IAPs to the master AP is forwarded on the guest VLAN.

n If a per-IAP GRE tunnel is enabled, each IAP in a cluster forms a GRE tunnel to the DMZ controller and the uplink switch that connects the IAPs does not need to support the guest VLAN. The IAP to which the guest is connected tunnels the guest traffic directly to the DMZ controller.

n All guest traffic can be tunneled to the DMZ controller using a routing profile of “0.0.0.0 0.0.0.0 <GRE tunnel IP address of the DMZ controller>”. For more information about routing profiles, see Configuring a Routing Profile.

The routing profile also affects any traffic that is generated by the IAP itself, such as RADIUS and Syslog traffic. Creating a routing profile of “0.0.0.0 0.0.0.0 <GRE tunnel IP address of the DMZ controller>” causes the RADIUS traffic for employees to be forwarded through the tunnel as well. In certain deployments, this is not necessary. Any traffic that should not be tunneled to the DMZ controller must be added to the routing profile with the gateway IP address field set to 0.0.0.0.

For example, if traffic to the RADIUS server with IP address 10.10.10.10 and the Syslog server with IP address 10.10.10.11 must be forwarded outside the tunnel by using the gateway of the IAP, the following entries should be added to the routing profile:

10.10.10.10  255.255.255.255  0.0.0.0
10.10.10.11  255.255.255.255  0.0.0.0

This ensures that the traffic to these destinations is forwarded through the default gateway of the IAP and not through the GRE tunnel. Aruba InstantOS 4.x or later is required for this configuration.

Because employee traffic is on the branch VLAN that is managed by the uplink infrastructure and not by the IAP, the routing profile does not affect the employee traffic.
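To check a routing profile against the caveat above (IAP-originated RADIUS and Syslog traffic being pulled into the GRE tunnel by the default route), here is an added Python example that is not part of the VRD or of Aruba InstantOS. It assumes that the most specific matching entry wins (longest-prefix match) and uses 192.0.2.1 as a constructed stand-in for the DMZ controller's GRE tunnel IP address.

```python
"""Routing-profile evaluator for the Aruba Instant GRE design described above.

Added example, not Aruba code. It models the routing profile semantics the
section describes: each entry is "<destination> <netmask> <gateway>", a
gateway of 0.0.0.0 means "do not tunnel, use the IAP's own default gateway",
and the most specific matching entry is assumed to win (longest-prefix match).
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# A gateway of 0.0.0.0 in a routing profile entry means "bypass the tunnel".
BYPASS = ipaddress.IPv4Address("0.0.0.0")


class RouteEntry(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address


def parse_routing_profile(text: str) -> List[RouteEntry]:
    """Parse routing-profile lines of the form 'destination netmask gateway'."""
    entries: List[RouteEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # allow trailing comments in samples
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed routing profile entry: {raw!r}")
        dest, mask, gw = fields
        # strict=False tolerates host bits set in the destination field
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        entries.append(RouteEntry(network, ipaddress.IPv4Address(gw)))
    return entries


def lookup(profile: List[RouteEntry], destination: str) -> Optional[RouteEntry]:
    """Return the most specific entry that covers destination, or None."""
    dst = ipaddress.IPv4Address(destination)
    best: Optional[RouteEntry] = None
    for entry in profile:
        if dst in entry.network and (
            best is None or entry.network.prefixlen > best.network.prefixlen
        ):
            best = entry
    return best


def next_hop(profile: List[RouteEntry], destination: str) -> str:
    """'tunnel:<gateway>' if the packet enters the GRE tunnel, else 'local-gateway'."""
    entry = lookup(profile, destination)
    if entry is None or entry.gateway == BYPASS:
        return "local-gateway"
    return f"tunnel:{entry.gateway}"


def services_pulled_into_tunnel(
    profile: List[RouteEntry], services: Dict[str, str]
) -> List[str]:
    """Names of IAP-originated services whose server the profile would tunnel."""
    return sorted(
        name for name, ip in services.items()
        if next_hop(profile, ip).startswith("tunnel:")
    )


# Constructed sample values. 192.0.2.1 stands in for the page's
# "<GRE tunnel IP address of the DMZ controller>" placeholder.
DMZ_GRE_IP = "192.0.2.1"
# RADIUS and Syslog server addresses are the ones used in the text.
IAP_SERVICES = {"radius": "10.10.10.10", "syslog": "10.10.10.11"}

# Default route only: everything, including RADIUS and Syslog, is tunneled.
DEFAULT_ONLY_PROFILE = f"0.0.0.0 0.0.0.0 {DMZ_GRE_IP}\n"

# The corrected profile from the text: host routes with gateway 0.0.0.0
# keep the RADIUS and Syslog servers out of the tunnel.
CORRECTED_PROFILE = DEFAULT_ONLY_PROFILE + (
    "10.10.10.10 255.255.255.255 0.0.0.0\n"
    "10.10.10.11 255.255.255.255 0.0.0.0\n"
)

if __name__ == "__main__":
    for label, text in (("default only", DEFAULT_ONLY_PROFILE),
                        ("with exceptions", CORRECTED_PROFILE)):
        profile = parse_routing_profile(text)
        print(f"{label}: RADIUS -> {next_hop(profile, '10.10.10.10')}, "
              f"guest -> {next_hop(profile, '203.0.113.5')}, "
              f"pulled into tunnel: {services_pulled_into_tunnel(profile, IAP_SERVICES)}")
```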

VPN-Based Branch Deployments with Aruba Instant

Connecting branches using MPLS has its advantages but is not the best option for some branch office deployments because of cost and service availability. With cost savings being a key driver in the adoption of a distributed enterprise strategy, organizations seek a more affordable alternative to MPLS. Internet broadband services with better service availability and affordability provide an attractive alternative to an MPLS-based WAN. Over the years, both consumer-grade and business-grade broadband services have become faster, more reliable, and more affordable. Many organizations prefer switching to a broadband service for branch and home office connectivity. Especially for organizations that support home-based employees, broadband is the only choice because connecting home offices with an MPLS-based WAN is not a viable solution.

Data security over the WAN, which is handled by the service provider in an MPLS-based deployment, is the responsibility of the corporate IT team when the public Internet is used for branch connectivity. The most common VPN technologies that provide secure remote access are SSL VPN and IPsec VPN. SSL VPN is suited to provide remote access to a specific application but is not suitable for connecting networks. Therefore, IPsec VPN is the most common choice for securely extending corporate networks and resources to remote sites. IPsec VPN protects sensitive data by interconnecting the remote sites with encrypted tunnels over the Internet.

Traditional implementations of IPsec VPN were site-to-site. Implementing IPsec VPN requires IPsec-capable hardware at the remote site and involves complex configurations. Most branch sites have limited or no IT staff onsite, so interconnecting branches using IPsec VPN can be a challenge.

Complexity is one of the main issues that is associated with the classic site-to-site VPN. To deploy a site-to-site IPsec VPN, organizations configure and ship a branch router or VPN gateway to each location. To create a site-to-site VPN, the following tasks are involved:

l Configuring the IPsec tunnel parameters, including the key management protocol (IKEv1 or IKEv2), security protocol (AH or ESP), IPsec encapsulation mode (tunnel mode or transport mode), encryption key, encryption algorithm (DES, 3DES, or AES), authentication key or certificates, and authentication algorithm (SHA or MD5)

l Configuring a routing protocol such as OSPF between the data center and remote branches

l Configuring a GRE tunnel within the IPsec tunnel to carry the multicast advertisements of routing protocols

In other words, the complexity and cost involved in deploying and managing a classic site-to-site IPsec VPN is a challenge to IT departments.

Aruba Instant is designed to solve the complexity that is associated with site-to-site IPsec VPN. With the Aruba Instant built-in VPN capabilities and zero-touch provisioning, VPN deployments are easy. The zero-touch provisioning capability of Aruba Instant reduces deployment costs and eliminates the complexity that is associated with traditional IPsec VPN deployments.


Understanding Instant-VPN (Aruba Instant-VPN in a Nutshell)

This section describes how you can design a branch with Instant-VPN and what the different modes of operation are. The Aruba Instant-VPN solution has three components:

l Aruba IAPs at the branch sites

l Aruba WLAN controller at the data center

l AirWave and Aruba Central

The master AP (that is, the VC) at the branch functions as the VPN endpoint and the Aruba WLAN controller at the data center functions as the VPN concentrator. If an Aruba Instant cluster is configured for VPN, the master AP of the cluster establishes an IPsec tunnel (using IKEv2) with the WLAN controller to secure the sensitive corporate data. The IPsec authentication and authorization between the WLAN controller and the IAP is based on TPM-based Aruba certificates and the RAP whitelist in ArubaOS.

Only the master AP in an IAP cluster can establish a VPN tunnel.

From an Aruba WLAN controller perspective, the master AP that establishes the VPN tunnel is considered a VPN client and not an AP. Therefore, the traditional AP count of a WLAN controller platform does not apply to this architecture. Instead, the WLAN controller scalability in the Aruba Instant-VPN architecture depends on factors such as the IPsec tunnel limit and routing table limit. Since the WLAN controller does not count the master AP as an AP, controller licenses such as the AP capacity license, per-AP PEFNG license, and RFProtect license do not apply to this architecture.

The function of the WLAN controller in the Aruba Instant-VPN architecture is to terminate VPN tunnels and route or switch VPN traffic. The WLAN controller is not responsible for configuring, managing, reporting, or monitoring the IAP networks in remote branches. Instead, these responsibilities are handled by AirWave or Aruba Central. Aruba Instant uses a distributed architecture, so features and functions such as role-based access control, bandwidth contracts, ARM, WIPS, mobility, and Application Level Gateways (ALGs) are local to the Aruba Instant network at the branch and are not the responsibility of the WLAN controller.

Licensing

The WLAN controller considers the master AP that establishes a VPN tunnel a VPN client and not an AP, so licenses such as the AP capacity license, per-AP PEFNG license, and RFProtect license are not required. When an IPsec connection is established between the WLAN controller and an IAP, each end of the IPsec tunnel has two IP addresses: an inner IP address and an outer IP address. By default, the WLAN controller assigns these two roles to the inner and outer IP addresses of an IAP that terminates its VPN tunnel on the WLAN controller:

l Outer IP address: logon role

l Inner IP address: default VPN role with an “allow all” access control list (ACL)

Although you do not need licenses to terminate an IAP-VPN tunnel on the WLAN controller, you need a PEFV license in one of the following scenarios:

l Changing the ACLs in the default VPN role: In this scenario, you need a PEFV license for each WLAN controller. A common reason to change the ACL is to limit the number of RADIUS client entries in the RADIUS server. For instance, an organization with 100 branches and 10 IAPs per branch should add all IP addresses that are used as inner IP addresses for IAP VPN tunnels (that is, the IP addresses that are defined as the VPN address pool on the WLAN controller) as RADIUS clients to allow 802.1X authentication with the RADIUS server in the data center. Alternatively, you can modify the default VPN role to include a rule that source NATs all RADIUS traffic to the IP address of the WLAN controller. With such a source NAT rule, you only need to add the WLAN controller as a RADIUS client on the RADIUS server.


l Changing the role that is applied to the inner IP address and the ACLs within that role: In this scenario, you need a PEFV license for the WLAN controller.

Table 12 summarizes the licensing requirements.

Table 12: Aruba Instant-VPN License Requirements

Licenses: Base ArubaOS (no licenses)
Features: IAP can terminate a VPN tunnel and pass VPN traffic. Roles and policies are not editable.

Licenses: ArubaOS with a PEFV license (PEFV is a per-unit license)
Features: IAP can terminate a VPN tunnel and pass VPN traffic. The default role in the default IAP VPN authentication profile of a WLAN controller can be edited, and a new user role with custom firewall policies can be applied to the default IAP VPN authentication profile.

WLAN Controller Scalability for Instant-VPN Deployments

The number of Instant-VPN branches that can be supported on a WLAN controller depends on the WLAN controller model. Choose an appropriate controller model based on the size of your deployment. Table 13 shows the Instant-VPN scalability for different Aruba WLAN controller models.

Table 13: Instant-VPN scalability for different Aruba WLAN controller models

Controller Maximum recommended IAP VPN branches

7240 8192

7220 4096

7210 2048

7205 1024

7030 256

7024 128 (Upcoming)

7010 128

7005 64

M3 2048

3600 512

3400 256

3200-XM 128


AP Selection for Instant-VPN Deployments

An Aruba Instant network that is configured for Instant-VPN establishes a single IPsec tunnel from the master AP of the cluster to the WLAN controller. Therefore, it is important to choose the right IAP for your deployment. Although all IAP models have gigabit uplink ports, the IPsec throughput for each IAP model varies. Table 14 shows the IPsec throughput for different IAP models.

Table 14: IAP Models and IPsec Throughput

IAP Model IPsec Throughput (in Mb/s)

IAP-225 150

IAP-224 150

IAP-135 40

IAP-134 40

IAP-105 15

IAP-104 15

RAP-155 80

RAP-109 20

RAP-108 20

RAP-3 20

IAP-175 15

IAP-92 10

IAP-93 10

Firewall Ports

Instant-VPNs connect to the WLAN controller on UDP port 4500 for establishing the IPsec connection. UDP port 4500 must be open on all firewalls that lead up to the WLAN controllers in the DMZ.

Understanding Instant-VPN Modes

The classic RAP architecture has four forwarding modes: tunnel, split-tunnel, decrypt-tunnel, and bridge mode. These forwarding modes control how user traffic is handled, including where decryption occurs and where role-based firewall policies are applied. The ability to forward user traffic to corporate and local destinations also depends on the selected forwarding mode. In tunnel, decrypt-tunnel, and split-tunnel modes, the classic RAP architecture extends the corporate VLAN to the remote location, that is, the broadcast domain is extended to the branches. The default gateway resides in the data center for the clients that connect to an SSID or wired port operating in one of these modes. For clients that connect to a bridge-mode network, the default gateway is the RAP but corporate access is not available. Table 15 provides an overview of the capabilities of the different forwarding modes that are available for classic RAPs. For more information about the forwarding modes of classic RAPs, see the Aruba Remote Access Points (RAP) Validated Reference Design.


Table 15: Forwarding Modes for Classic RAPs

Forwarding mode: Tunnel
  Firewall processing: 802.11 encryption and decryption and firewall processing occur on the WLAN controller.
  Traffic engineering: User traffic is forwarded to the WLAN controller through the IPsec tunnel. Traffic cannot be bridged to a local destination.
  Site survivability: WAN-dependent. If the connection to the WLAN controller is lost, the SSIDs and wired ports operating in this mode are shut down.

Forwarding mode: Decrypt-tunnel
  Firewall processing: 802.11 encryption and decryption occur at the AP, but firewall processing occurs on the WLAN controller.
  Traffic engineering: User traffic is forwarded to the WLAN controller through the IPsec tunnel. Traffic cannot be bridged to a local destination.
  Site survivability: WAN-dependent. If the connection to the WLAN controller is lost, the SSIDs and wired ports operating in this mode are shut down.

Forwarding mode: Split-tunnel
  Firewall processing: 802.11 encryption and decryption and firewall processing occur at the AP.
  Traffic engineering: With appropriate firewall policies, the user traffic that is destined to corporate servers can be forwarded to the WLAN controller through the IPsec tunnel. The traffic to local and Internet destinations can be source NATed by APs to the local network.
  Site survivability: WAN-dependent. If the connection to the WLAN controller is lost, the SSIDs and wired ports operating in this mode are shut down.

Forwarding mode: Bridge
  Firewall processing: 802.11 encryption and decryption and firewall processing occur at the AP.
  Traffic engineering: User traffic is bridged and source NATed to local destinations. Traffic cannot be forwarded to the WLAN controller through the IPsec tunnel.
  Site survivability: Varies based on the operation mode. Bridge forwarding mode has four operation modes (standard, always, persistent, and backup). For more information about these operation modes and their capabilities, see the Aruba Remote Access Points (RAP) Validated Reference Design.

Do not confuse the classic RAP solution with AP part numbers that start with a RAP prefix (that is, RAP-3, RAP-109, and RAP-155). All latest APs with part numbers that start with a RAP prefix can operate in either the classic RAP mode or the Instant-VPN mode. The RAP part number indicates that the AP is designed for table mount.


The Instant-VPN architecture differs from the classic RAP architecture in the following ways:

l The 802.11 encryption and decryption and firewall processing in an Instant-VPN always occur at the IAP in the branch.

l Traffic forwarding behavior in an Instant-VPN is similar to that of split-tunnel mode in a classic RAP solution. User traffic can be forwarded through the IPsec tunnel or bridged locally, based on the destination. If required, traffic to any destination can be forwarded through the IPsec tunnel or bridged locally. (These options are comparable to the traffic engineering behavior of tunnel, decrypt-tunnel, and bridge forwarding modes in a classic RAP solution.)

l The Instant-VPN architecture has five modes of operation. These modes do not determine how firewall processing and traffic forwarding occur. Rather, they define whether a branch is a Layer 2 extension, Layer 3 extension, or independent, that is, these modes determine whether the DHCP server and default gateway for clients reside at the branch or at the data center.

The following modes are available in the Instant-VPN architecture:

n Local mode

n Centralized L2 mode

n Distributed L2 mode

n Distributed L3 mode

n Centralized L3 mode

l Aruba Instant architecture provides site survivability in all modes of operation.

Aruba recommends the Centralized L2 and Distributed L3 modes of operation, as they are a better fit for most deployments and traffic engineering objectives. Centralized L3 (CL3) and Distributed L2 (DL2) are meant for specialized use cases: CL3 where centralized DHCP is needed with a routed network, and DL2 where distributed DHCP is needed with centralized forwarding. Because these are not common use cases, they are not discussed in detail, and these modes are not explained or mentioned in later sections.


Table 16 summarizes the key features of the different modes in the Instant-VPN architecture.

Table 16: Instant-VPN Modes

Instant-VPN mode: Local Mode
  Firewall processing: 802.11 encryption and decryption and firewall processing occur on the IAP in the branch.
  Traffic engineering: User traffic can be forwarded through the IPsec tunnel or bridged locally, based on the destination.
  Site survivability: Supported. (The IAP authentication survivability feature even provides 802.1X survivability when the WAN is down.)
  Branch subnet: The branch subnet is independent (that is, the subnet is local to the branch, similar to a home network but with VPN capabilities).

Instant-VPN mode: Centralized L2
  Firewall processing: 802.11 encryption and decryption and firewall processing occur on the IAP in the branch.
  Traffic engineering: User traffic can be forwarded through the IPsec tunnel or bridged locally, based on the destination.
  Site survivability: Supported. (The IAP authentication survivability feature even provides 802.1X survivability when the WAN is down.)
  Branch subnet: The branch is a Layer 2 extension.

Instant-VPN mode: Distributed L3
  Firewall processing: 802.11 encryption and decryption and firewall processing occur on the IAP in the branch.
  Traffic engineering: User traffic can be forwarded through the IPsec tunnel or bridged locally, based on the destination.
  Site survivability: Supported. (The IAP authentication survivability feature even provides 802.1X survivability when the WAN is down.)
  Branch subnet: The branch is a Layer 3 extension.

Instant-VPN: Local Mode

Local mode is similar to the local network of a home wireless router but with VPN capabilities and other enterprise-grade features. In this mode, the IAP cluster at the branch has a local subnet (for example, 192.168.200.0/24) and the master AP of the cluster functions as the DHCP server and gateway for clients. The local mode provides VPN capabilities using the inner IP address of the Instant-VPN IPsec tunnel.

Client traffic that must be forwarded to corporate destinations is source NATed by the master AP using the inner IP address of the IPsec tunnel. Traffic that is destined for the Internet or local destinations is source NATed using the local IP address of the master AP. It is essential that the IP addresses that are defined in the VPN address pool of the WLAN controller (which is used for inner IP addresses of IPsec tunnels) are routable from the upstream router in the data center. If required, all client traffic can be forwarded through the IPsec tunnel or bridged locally. For information about VPN address pools, see Defining the VPN Pool on a WLAN Controller.

In local mode, clients in the branch can initiate connections to a server in the data center but connections cannot be initiated from the data center to remote clients. (This behavior is similar to that of a NAT device.) The WLAN controller and the upstream routers have no visibility or direct route to the branch subnet. Therefore, you cannot initiate connections from the data center to remote clients for troubleshooting. The local mode is well suited for branch guest networks that use a captive portal server in the data center for guest authentication.


Figure 43 shows the traffic flow in local mode.

Figure 43 Packet flow in Instant-VPN local mode

To summarize, the key features of the Instant-VPN local mode are as follows:

l The master AP in the IAP cluster is the DHCP server for clients.

l The master AP in the IAP cluster is the default gateway for clients.

l Traffic to the data center is source NATed with the inner IP address of the IPsec tunnel.

l Traffic to the Internet or a local destination is source NATed with the local IP address of the master AP in the IAP cluster.

l The VPN pool for inner IP addresses of the IPsec tunnel must be routable from the upstream router of the WLAN controller in the data center.

l Traffic can be initiated from the branch to the data center, but traffic cannot be initiated from the data center to the branch.

For an example of a local mode configuration, see Configuring an IAP for Instant-VPN Deployment.

Instant-VPN: Centralized L2 Mode

Centralized L2 mode is analogous to the L2 extension in a classic RAP solution. This mode extends the corporate VLAN and the broadcast domain to remote branches. The DHCP server and the gateway for the clients reside in the data center. Either the WLAN controller or an upstream router can be the gateway for the clients. For DHCP services in centralized L2 mode, Aruba recommends that you use an external DHCP server and not the DHCP server on the WLAN controller.

Client traffic that is destined for data center resources is forwarded by the master AP through the IPsec tunnel to the default gateway of the client in the data center. Any traffic that is destined for the Internet or a local destination is source NATed using the local IP address of the master AP and bridged locally. If required, all client traffic can be forwarded through the IPsec tunnel or bridged locally. An easier configuration method to send all client traffic over the IPsec tunnel is available: disabling split tunnel mode (“Split tunnel mode->disable”).

In centralized L2 mode, you can initiate a connection from the data center to remote clients for troubleshooting.

If the RADIUS traffic is not source NATed at the WLAN controller, you must make the VPN pool for inner IP addresses routable for RFC 3576 compliance and 802.1X. A routable VPN address pool also allows access to the local WebUI of the Aruba Instant cluster from the data center. For information about VPN address pools, see Defining the VPN Pool on a WLAN Controller.


By default, the ARP messages of a client for its gateway are forwarded to the data center through the IPsec tunnel. However, if the WAN is down, the master AP of the cluster does proxy ARP for the default gateway in the data center.

The centralized L2 mode extends the corporate VLAN to remote branches, enabling broadcast and multicast traffic to traverse the WAN between the branch and data center. However, in centralized L2 mode, broadcast and multicast traffic might saturate the WAN link. Therefore, when you deploy a branch in centralized L2 mode, Aruba recommends that you use smaller subnets for user VLANs. For example, use a /24 or /23 network for a user VLAN instead of a /16 network that spans several thousand branches. If an organization with 1000 branches and a maximum of 50 clients per branch has a mandate to extend the data center VLAN to remote branches, Aruba recommends grouping the branches as follows:

l 5 branches per group, with each group sharing a /24 user VLAN, resulting in 200 groups

l 10 branches per group, with each group sharing a /23 user VLAN, resulting in 100 groups

Grouping the branches into smaller subsets increases the number of VLANs and the number of groups and folders in AirWave, but minimizes WAN bandwidth consumption.

Aruba recommends the centralized L2 mode only if Layer 2 extension is mandatory for branches. The mode is well suited for organizations that stream multicast videos to remote branches. Figure 44 below shows the traffic flow in centralized L2 mode.

Distributed L3 mode is the recommended mode of operation for Instant-VPN networks. Use centralized L2 mode only for organizations that mandate extension of corporate VLANs to branch networks.

Figure 44 Packet flow in Instant-VPN centralized L2 mode

You can summarize the key features of the Instant-VPN centralized L2 mode as follows:


- The DHCP server for the clients is in the data center.

- The default gateway for the clients is in the data center.

- ARP messages for the default gateway are forwarded to the data center, except if the WAN is down.

- If the WAN is down, the master AP of the cluster does proxy ARP for the gateway of the client.

- Traffic to the data center is forwarded to the default gateway of the client through the IPsec tunnel.

- Traffic to the Internet or a local destination is source NATed with the local IP address of the master AP.

- The split tunnel feature is enabled by default. If it is disabled, all client traffic for this VLAN is sent to the data center over the IPsec tunnel, irrespective of any configuration under the routing profile. This option was introduced for centralized L2 mode for cases where all traffic must be tunneled over the IPsec tunnel to the data center and no traffic should be split tunneled and source NATed with the VC IP; it provides an easy way to achieve this for a particular VLAN.

- Configuring a routable VPN address pool, which is used for inner IP addresses of the IPsec tunnel, allows access to the local WebUI of the Aruba Instant cluster from the data center.

- If RADIUS traffic is not source NATed at the WLAN controller, configuring a routable VPN address pool is also essential for 802.1X. To support RFC 3576, the RADIUS traffic must not be source NATed at the WLAN controller, and a routable VPN address pool is required.

- Aruba recommends that you use small VLAN subnets as user VLANs to reduce the broadcast and multicast traffic across the WAN.

Instant-VPN: Distributed L3 Mode

Aruba recommends distributed L3 mode for organizations that do not require Layer 2 extensions. Distributed L3 mode contains all broadcast and multicast traffic to a branch and eliminates the WAN bandwidth consumption challenges that are associated with classic RAPs and Instant-VPN L2 modes. Distributed L3 mode reduces the cost and eliminates the complexity that is associated with the classic site-to-site VPN. However, in terms of functionality, distributed L3 mode is very similar to a classic site-to-site IPsec VPN in which two VPN endpoints connect individual networks over a public network.

In distributed L3 mode, each branch location is assigned a dedicated subnet. The master AP in the branch manages the dedicated subnet and functions as the DHCP server and gateway for clients. Client traffic that is destined for data center resources is routed to the WLAN controller through the IPsec tunnel. The WLAN controller then routes the traffic to the appropriate corporate destinations.

Any traffic to the Internet or a local destination is source NATed using the local IP address of the master AP and bridged locally. The WLAN controller in the data center is aware of the Layer 3 subnet at each branch and can redistribute these routes to upstream routers through OSPF. If required, all client traffic can be forwarded through the IPsec tunnel or bridged locally.

In distributed L3 mode, you can initiate a connection from the data center to remote clients for troubleshooting.

If RADIUS traffic is not source NATed at the WLAN controller, the VPN pool that is used for inner IP addresses of the IPsec tunnel must be routable for RFC 3576 compliance and 802.1X. For details about VPN address pools, see Defining the VPN Pool on a WLAN Controller.

The BID allocation process, which is also used in distributed L2 mode, is essential for the operation of distributed L3 mode. In distributed L3 mode, after you configure a large subnet and define the number of clients per branch, the BID allocation algorithm allocates a dedicated subnet to each branch by dividing the large address space into smaller subnets, based on client count.


For example, an organization with a configuration of 10.10.0.0 /16 with 250 clients per branch can support 256 branches with a /24 subnet for each branch. In this example, the BID allocation process determines the /24 network that is allocated to each branch. The BID allocation algorithm is essential to avoid subnet overlap across branches. The WLAN controller depends on the BID allocation process to determine the active branches and redistribute the appropriate routes using OSPF. The WLAN controller redistributes routes through OSPF only for those branches that are up and running. If a branch goes down, the WLAN controller removes that branch from its OSPF route redistribution.

Organizations often want to upgrade their existing branch infrastructure while retaining the same address pool, because their branches include devices with static IP addresses. To accommodate this requirement, Aruba Instant OS 3.3 and greater enables you to assign predefined subnets to branches in the distributed L3 mode. For information about configuring distributed L3 mode, see Instant-VPN: Distributed L3 Mode.

You must run Aruba Instant OS 3.3 or greater and ArubaOS 6.3 to support the configuration of predefined subnets per branch. For more information, see Configuring an IAP for Instant-VPN Deployment.

You must run ArubaOS 6.3 or greater to support redistribution of Instant-VPN branch routes through OSPF.

The figure below shows the traffic flow in distributed L3 mode.

Figure 45 Packet flow in Instant-VPN distributed L3 mode

To summarize, the key features of the Instant-VPN distributed L3 mode are as follows:

- Contains broadcast and multicast traffic to a branch.

- The BID allocation process must occur when the branch site comes up for the first time. Until BID allocation is complete, the master AP cannot lease IP addresses to the clients in the branch.

- The DHCP server for clients is the master AP in the cluster.

- If the WAN is down, a client can renew its DHCP lease and a new client can receive an IP address.

- The master AP in the cluster is the default gateway for the clients in the branch.

- Traffic to the data center is routed through the IPsec tunnel to the WLAN controller.


- Traffic to the Internet or a local destination is source NATed with the local IP address of the master AP.

- Configuring a routable VPN address pool, which is used for inner IP addresses of the IPsec tunnel, allows access to the local WebUI of the Aruba Instant cluster from the data center.

- If RADIUS traffic is not source NATed at the WLAN controller, configuring a routable VPN address pool is also essential for 802.1X. To support RFC 3576, the RADIUS traffic must not be source NATed at the WLAN controller, and a routable VPN address pool is required.

- The WLAN controller uses OSPF to redistribute branch routes to the upstream router. (The WLAN controller must run ArubaOS 6.3 or greater.)

- In small deployments with a single master WLAN controller and a VRRP backup WLAN controller, the upstream router can use a static route that points to the VRRP IP address between the WLAN controllers as the next hop for branch subnets.

- Static routes cannot be used in multi-WLAN controller environments. OSPF is required in a multi-WLAN controller environment and for geographical redundancy.

- Note that distributed L3 mode does not have a split tunnel knob like centralized L2 mode, where this knob has a more frequent use case. To achieve a similar objective in distributed L3 mode, use routing profiles.

Branch-ID Allocation Algorithm

For branches that are deployed in distributed L3 mode, the master AP in the branch and the WLAN controller must coordinate the subnet and IP addresses that are used for DHCP services in the branch. The VC and WLAN controller determine the subnet and IP addresses that are used in a branch through the BID allocation process. (The BID allocation process is not essential for branches that are deployed in local or centralized L2 mode.)

The BID allocation process includes the following key functions:

- Determination of the IP addresses that are used in a branch for distributed L2 mode

- Determination of the subnet that is used in a branch for distributed L3 mode

- Prevention of IP address or subnet overlap (IP address conflicts must be prevented)

- Allocation of the same subnet or range of IP addresses to a branch, irrespective of which AP in the branch is the master AP in the cluster

- Allocation of a branch subnet that remains consistent during failover to a backup WLAN controller

BID Allocation Process Details

The BID allocation process consists of these steps:

When a branch comes up for the first time, one AP in the branch is elected as the master AP through the election algorithm.

The master AP in a cluster generates and distributes a branch key to all member IAPs in the cluster. This branch key is generated by hashing the MAC address of the master AP. The branch key plays a significant role in ensuring that a branch is allocated the same subnet and IP addresses, irrespective of which IAP becomes the master AP of the cluster at a later stage. The branch key is generated even for IAP clusters that are not configured for Instant-VPN.

The master AP forms an IPsec connection to the primary host (that is, the primary WLAN controller) and obtains an inner IP address from the VPN address pool that is configured on the WLAN controller.

If the IAP cluster is configured for VPN in distributed L3 mode, the master AP starts the BID allocation process by sending a registration message to the WLAN controller. This registration message includes these variables:

Inner IP: The inner IP address of the master AP that has established an IPsec tunnel to the WLAN controller.

Branch Key: The branch key that was generated and distributed to all member IAPs by the first master AP of the cluster.

MAC: The MAC address of the master AP that participates in the BID process.


MAX_BID and subnet name: The maximum number of subnets or IP address blocks that can be created, based on the subnet size and client count in the distributed L3 and distributed L2 configuration on the IAP. For examples of the MAX_BID calculation, see MAX-BID Calculation Examples.

In addition to the MAX_BID, the IAP sends the corresponding subnet name. The subnet name is derived from the start and end IP address configuration and the client count for each mode. For example, if an organization uses 10.10.0.0 /16 with 250 clients per branch, the IP configuration on the IAP is 10.0.0.0 – 10.10.255.255 instead of 10.10.0.0/16. The subnet name for this distributed L3 subnet is “10.0.0.0 – 10.10.255.255.250”. The subnet name keeps track of which MAX_BID applies to which distributed mode configuration. If a branch is configured for multiple distributed modes, the IAP sends multiple combinations of MAX_BID and corresponding subnet names to the WLAN controller. This method allows a branch to have multiple SSIDs that use different distributed modes and different subnet sizes. For example, an organization can have an SSID_1 with distributed L3 mode and a configuration of “10.10.0.0 /16” with 250 clients per branch, and an SSID_2 with distributed L3 mode and a configuration of “10.20.0.0 /16” with 100 clients per branch.

BID: The value that specifies whether a branch is new or already has a BID. A new branch uses a unique value in this field to specify that it requires a BID from the MAX_BID range. In a branch that already has a BID allocated, the master AP might go down and a new AP might be elected as the master AP. When the new master AP connects to the WLAN controller, it uses the previously allocated BID in this field.

Backup: The value that specifies whether the master AP is communicating with a backup host. A backup host is a backup WLAN controller to which the master AP can initiate an IPsec connection. A backup host is similar to a backup local management switch (BLMS) controller in ArubaOS; it does not represent a VRRP backup to a WLAN controller.

The BID allocation process occurs only between the primary host and the master AP. So when a branch comes up for the first time, the WLAN controller that functions as the primary host must be up. That is, any Instant-VPN branch that comes up from factory defaults and that is configured for distributed L3 mode must exchange its very first BID process with its primary host for allocation of the address space or subnet that is required for the distributed L3 mode.

Upon receiving the BID registration message, the WLAN controller determines whether a branch is new by examining the BID field. If the branch is new, the WLAN controller verifies whether the branch key in the registration message is present in its database (DB). If the branch key is not in the DB, the WLAN controller selects an unused BID from the MAX_BID range and returns it to the master AP. If the branch key is already present in the WLAN controller DB, the WLAN controller returns the BID that is already associated with the branch key.

The possibility that a master AP represents itself as a new branch when the branch key is already registered in the WLAN controller DB is very rare. However, the BID process is designed to prevent an IAP from losing its BID because of a crash.

When the BID is allocated, the master AP uses the BID to determine the IP subnet or IP addresses that must be used. The following examples describe how the subnets are determined, based on the BID value:

Consider an organization that uses a “10.10.0.0 /16” configuration with 250 clients per branch as the distributed L3 mode configuration on IAPs in 200 branches. This configuration can support 256 branches. If a branch is assigned a BID of 0, it takes the first available /24 subnet. The subnet for the branch is 10.10.<bid>.0/24 = 10.10.0.0 /24. If a branch is assigned a BID of 50, the subnet for the branch is 10.10.<bid>.0 /24 = 10.10.50.0 /24.

After determining the IP address or the subnet that must be used, the master AP registers the IP addresses and IP subnet with the WLAN controller, using the ROUTE ADD and VLAN ADD messages. The ROUTE ADD message reports to the WLAN controller the L3 subnet that is used by an IAP in the branch, and the VLAN ADD message reports to the WLAN controller the L2 VLAN that is used in the branch.


Even though the BID process is not used for the centralized L2 mode, the VLAN ADD and ROUTE ADD messages are used by branches in centralized L2 and centralized L3 modes to report to the WLAN controller the VLAN and subnet that are in use. This information enables the WLAN controller to forward the traffic to the appropriate branches. The ROUTE ADD and VLAN ADD messages are not part of the BID process. These data path programming messages are used to add the appropriate VLAN and route information to the WLAN controller data path.

The master AP distributes the BID that is allocated to the branch to all member IAPs. If the master AP fails and a member IAP becomes the new master AP, the branch key and BID do not change, and the branch continues to use the same subnet and IP addresses. If a new member IAP becomes the master AP, it performs the BID process. However, instead of registering as a new branch, the new master AP sends the existing BID in the registration message.

Since the branch key is essential for the BID process, Aruba recommends that you reset an IAP to factory defaults before you move it from one branch to another.

MAX-BID Calculation Examples

Consider an organization that uses “10.10.0.0 /16” with 250 clients per branch as the distributed L3 mode configuration on IAPs in 200 branches. The master AP in each branch performs the following math to determine the MAX_BID:

- If each branch has 250 clients, the smallest n for which 2^n covers 250 addresses is 8 (2^8 = 256). The master AP now has the n value that determines the subnet size required for a branch.

- Subnet size in a branch = (total number of address bits in IPv4 minus the above-mentioned n). The equation is 32 - 8 = 24. The master AP determines that it needs a /24 address space for that branch.

- The MAX_BID is the number of /24 subnets that is possible with a 10.10.0.0 /16 address space. MAX-BID = (total number of IP addresses in a /16 address space divided by the total number of IP addresses in a /24 address space). The equation is 65536/256 = 256. So the MAX_BID is 255, because 0 is also considered a BID value.

Figure 46 below shows the BID allocation process between a VC and a WLAN controller.

Figure 46 Allocating the BID

1. In a new branch, the master AP/VC generates a branch key from its MAC address.

2. The branch key generated by the master/VC is distributed to all member APs in the cluster.

3. The VC forms an IPsec tunnel to the primary controller and obtains an inner IP address for IPsec.


4. The VC starts the BID allocation process by sending a registration message to the primary controller stating that it is a new branch. The transaction also contains the Max-BID, subnet name, inner IP, MAC address of the VC, backup flag, and branch key.

The backup field indicates whether the controller is primary or backup.

Max-BID determines the number of possible branches, based on the subnet size and clients-per-branch configuration.

The subnet name maps a Max-BID to a subnet configuration.

5. The controller checks whether the branch key already exists in its DB. If it does not exist, the controller sends a new BID. However, if a branch key/BID combination exists on the controller, the controller sends the BID already associated with that branch key.

6. After the BID is allocated, the VC calculates the subnet for the branch and registers it with the controller. The BID plays an important role in the subnet calculation.

7. If the current master AP fails and a member AP becomes the master, the member AP has the same branch key and BID. The member AP, after forming the IPsec connection, informs the controller of the branch key and BID; this ensures that the branch gets the same subnet irrespective of which AP becomes the master.

Aruba recommends that the WLAN controller for Aruba Instant-VPN termination runs ArubaOS 6.3.xx or greater.
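A small model of the BID allocation exchange and the MAX-BID arithmetic described above, written as an added example rather than Aruba's code. It assumes a SHA-256 hash of the master MAC as the branch key (the page says only that the MAC is hashed), a controller database keyed by subnet name and branch key, and constructed inner IP and MAC values; the subnet-name string follows the page's own example.

```python
"""Model of the Instant-VPN BID allocation exchange (added example, not Aruba code).
Assumed: branch key = SHA-256 of the master MAC; controller DB keyed by (subnet name,
branch key); inner IP and MAC values below are constructed."""
import hashlib
import ipaddress

IPV4_BITS = 32


def host_bits(clients_per_branch):
    """Smallest n with 2**n >= clients: 250 -> 8 (2**8 = 256), 100 -> 7."""
    return (clients_per_branch - 1).bit_length()


def branch_prefix_len(clients_per_branch):
    """Subnet size the master AP needs: 32 - n, so 250 clients -> /24."""
    return IPV4_BITS - host_bits(clients_per_branch)


def subnet_count(pool, clients_per_branch):
    """Branch subnets the pool holds: 65536 / 256 = 256 for 10.10.0.0/16 at 250 clients."""
    net = ipaddress.ip_network(pool)
    plen = branch_prefix_len(clients_per_branch)
    if plen < net.prefixlen:
        raise ValueError("one branch would need more addresses than the whole pool")
    return 2 ** (plen - net.prefixlen)


def max_bid(pool, clients_per_branch):
    """Highest BID is count - 1, because 0 is also a BID (256 subnets -> MAX_BID 255)."""
    return subnet_count(pool, clients_per_branch) - 1


def subnet_name(pool, clients_per_branch):
    """'<first> - <last>.<clients>', as in the page's example; ties a MAX_BID to one config."""
    net = ipaddress.ip_network(pool)
    return f"{net.network_address} - {net.broadcast_address}.{clients_per_branch}"


def branch_subnet(pool, clients_per_branch, bid):
    """BID selects the bid-th block of the pool: BID 50 in 10.10.0.0/16 -> 10.10.50.0/24."""
    net = ipaddress.ip_network(pool)
    plen = branch_prefix_len(clients_per_branch)
    top = max_bid(pool, clients_per_branch)
    if not 0 <= bid <= top:
        raise ValueError(f"BID {bid} outside 0..{top}")
    block = 2 ** (IPV4_BITS - plen)
    first = int(net.network_address) + bid * block
    return ipaddress.ip_network(f"{ipaddress.ip_address(first)}/{plen}")


def branch_key(master_mac):
    """Assumed hash of the first master's MAC; every member AP stores it, so it survives failover."""
    return hashlib.sha256(master_mac.lower().encode()).hexdigest()[:16]


class PrimaryHost:
    """Controller-side BID database: one BID per branch key within a subnet name, never overlapping."""

    def __init__(self):
        self.bid_of = {}   # (subnet_name, branch_key) -> bid
        self.used = {}     # subnet_name -> set of allocated BIDs

    def register(self, msg):
        if msg["backup"]:
            raise RuntimeError("BID allocation happens only with the primary host")
        name, key = msg["subnet_name"], msg["branch_key"]
        used = self.used.setdefault(name, set())
        if (name, key) in self.bid_of:        # known branch key: hand back its BID
            return self.bid_of[(name, key)]
        if msg["bid"] is not None:            # new master of an existing branch: reuse its BID
            bid = msg["bid"]
        else:                                 # brand-new branch: first unused BID in 0..MAX_BID
            bid = next((b for b in range(msg["max_bid"] + 1) if b not in used), None)
            if bid is None:
                raise RuntimeError("MAX_BID exhausted: no free branch subnet")
        self.bid_of[(name, key)] = bid
        used.add(bid)
        return bid


def bring_up_branch(host, pool, clients, master_mac, key=None, known_bid=None, backup=False):
    """Registration the VC sends on first bring-up or after master failover; returns (bid, subnet)."""
    key = key or branch_key(master_mac)
    msg = {"inner_ip": "10.99.0.2",          # constructed inner IP from the VPN pool
           "branch_key": key, "mac": master_mac,
           "max_bid": max_bid(pool, clients), "subnet_name": subnet_name(pool, clients),
           "bid": known_bid, "backup": backup}
    bid = host.register(msg)
    return bid, branch_subnet(pool, clients, bid)
```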

Traffic Flow and Uplink Switch Requirements for a Multi-AP Aruba Instant-VPN Network

In an Aruba Instant cluster that is configured for Instant-VPN, only the master AP establishes the VPN tunnel to the WLAN controller. In a multi-AP network, traffic from clients that are connected to member IAPs always reaches the master AP in local, centralized L2 and distributed L3 modes. In local and distributed L3 modes, the VC/master AP is the default gateway for clients, so the client traffic reaches the master AP. When the traffic reaches the master AP, the master AP forwards the traffic through the IPsec tunnel or bridges it locally, based on the destination.

No GRE tunnels or proprietary tunnels exist between IAPs in an IAP cluster. A switch that connects all IAPs in a multi-AP Aruba Instant network must be VLAN-aware and tag the traffic appropriately to ensure that the traffic from clients on member IAPs reaches the master AP.

For example, consider a branch with 10 IAPs that are connected to a switch. The branch has two SSIDs:

- A guest SSID that is configured in local mode with VLAN 20 to provide captive portal authentication using an external server

- An employee SSID that is configured in distributed L3 mode with VLAN 30

In this example, the switch that connects the IAPs must be aware of both VLAN 20 and VLAN 30. All IAPs must be connected to a dot1q trunk port. Basically, the switch that connects the IAP cluster must be aware of all VLANs that are used in the IAP configuration.

The only exception to this rule is a magic VLAN. (To configure a magic VLAN, select “Virtual controller managed” under “Default Client VLAN assignment” in the VLAN options while configuring the SSID, as shown in the figure below.)


The master AP uses an IPsec tunnel to forward the traffic from clients in local and L3 mode. However, in centralized L2 mode, the master AP uses an IPsec-GRE tunnel for clients. This IPsec-GRE tunnel provides multicast traffic forwarding capabilities in distributed L2 and centralized L2 modes. Multicast traffic cannot be forwarded from a WLAN controller to an IAP branch that operates in local or distributed L3 modes.

802.1X and RFC 3576 Handling in an Aruba Instant-VPN Network

In an Instant-VPN branch network, users can be authenticated through a local RADIUS server or a RADIUS server in the data center. The master AP in an Instant-VPN branch determines whether a RADIUS server is local or located in the data center by checking its routing profile. For more information about the IAP routing profile, see Configuring an IAP for Instant-VPN Deployment. If the routing profile indicates that traffic to a subnet is in the data center (for example, 10.0.0.0 /8) and if the IP address of the RADIUS server that is configured on the IAP belongs to that address space (for example, the RADIUS server IP address is 10.68.32.40), the master AP forwards the 802.1X traffic through the IPsec tunnel to the data center.

RADIUS traffic to a RADIUS server in the data center is sourced using the inner IP address of the IPsec tunnel. Therefore, the VPN address pool that is used for inner IP addresses of IPsec tunnels must be routable from the upstream router in the data center. If RFC 3576 compliance is not required, you can use a source NAT rule on the WLAN controller to source NAT all RADIUS traffic with the IP address of that WLAN controller. If a branch network has a local RADIUS server (for example, 192.168.10.20), and if dynamic RADIUS proxy (DRP) is enabled on the IAP, the 802.1X traffic is source NATed with the VC IP address.

For RFC 3576 compliance, CoA messages are initiated by the RADIUS server. Therefore, you should not enable a rule on the WLAN controller to source NAT all RADIUS traffic with the IP address of that WLAN controller. For RFC 3576 compliance, if the RADIUS server is in the data center, the inner IP addresses of the IPsec tunnels must be listed as RADIUS clients. If you use RFC 3576 compliance with a local RADIUS server, the VC IP address must be added as the RADIUS client. DRP must be enabled on multi-AP Aruba Instant networks to tunnel the RADIUS traffic from the member IAPs to the authentication server in the data center.

Table 17: DRP settings and RFC compliance


| RADIUS server location (DC/local) | DRP | VPN pool routable from DC | ACL source NATs traffic to controller IP | Source IP | NAS IP | RFC 3576 compliant |
|---|---|---|---|---|---|---|
| DC | Enabled | Yes | No | Inner IP of IPsec tunnel | VPN tunnel IP | Yes |
| DC | Enabled | No | Yes | Controller's IP | VPN tunnel IP | No |
| Local | Enabled | N.A. | N.A. | VC/master AP's local IP | VC IP | Yes |
| Local | Disabled | N.A. | N.A. | Each member AP's local IP | Master/slave AP IP | Yes |

In a multi-AP Instant-VPN network, to tunnel the RADIUS traffic from member IAPs to the RADIUS server in the data center, you must enable DRP. When DRP is enabled, the 802.1X transactions for clients connecting to the member IAPs are forwarded to the master AP, which functions as a RADIUS proxy. With DRP enabled, the NAS-IP attribute in RADIUS packets that are destined for the RADIUS server in the data center is set to the inner IP address of the IPsec tunnel.

DRP is not required for single-AP deployments. However, if DRP is disabled in single-AP deployments, the NAS-IP attribute in RADIUS packets that are destined for the RADIUS server in the data center is set to the local IP address of the IAP and not to the inner IP address of the IPsec tunnel. Therefore, Aruba recommends that you enable DRP in single-AP deployments with RADIUS servers that use the NAS-IP attribute as a filter for authentication.

DNS Handling in an Aruba Instant-VPN Network

By default, all DNS requests from a client are forwarded to the client's DNS server. In a typical IAP deployment without VPN configuration, client DNS requests are resolved by the DNS server of the client. However, this behavior changes if an IAP is configured for Instant-VPN.

The DNS behavior of an IAP network (with SSIDs or wired ports) that is configured for Instant-VPN is determined by the enterprise domain settings. The enterprise domain setting on the IAP defines the domains for which the DNS resolution must be forwarded to the default DNS server of the client. For example, if the enterprise domain is configured for arubanetworks.com, the DNS resolution for host names in the arubanetworks.com domain is forwarded to the default DNS server of the client. The DNS resolution for host names in all other domains is source NATed to the local DNS server of the IAP.

If no configuration is present in the enterprise domain section and the client is on an IAP-VPN SSID, all DNS traffic is source NATed to the DNS server of the IAP. If there is a non-VPN SSID in addition to the VPN SSID, its traffic goes to the client's DNS server.

If the split tunnel knob is set to disabled, all DNS traffic is sent over the IPsec tunnel to the DNS server of the client, no matter what the enterprise domain configuration is. The setting is found at IAP GUI > System > Show advanced options > Enterprise domains.


If you configure an asterisk (*) instead of a domain name in the enterprise domain list, all DNS requests are forwarded to the default DNS server of the client. If you want all DNS requests to be processed by the DNS server of the client, configure an asterisk (*) in the enterprise domain setting.

Control Traffic between an Aruba Instant-VPN Branch and the WLAN Controller

The bandwidth consumption on the tunnel between an Aruba Instant branch and the WLAN controller is the sum of all client data traffic through the tunnel and the control traffic between the Aruba Instant branch and the WLAN controller. The control traffic between an Aruba Instant branch and the WLAN controller is minimal. By default, the master AP sends a 56-byte ICMP packet to the WLAN controller every 5 seconds to detect whether the tunnel is up. You can set the frequency of these ICMP packets to any value between 1 and 3600 seconds. If you set the value higher, the downside is that the IAP requires more time to detect that a tunnel is down and to fail over to the backup WLAN controller. Aruba recommends that you keep the ICMP packet frequency value at its default.

If you want to change this interval, follow the information at the link.

Table 18, Recommendations for IAP-VPN Modes, summarizes the usage recommendations for the IAP-VPN modes.
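The enterprise-domain decision described in this section, as an added example that is not part of the original guide. The rule labels, parameter names and the suffix-matching helper are assumptions; the cases it handles (no list, a listed domain, the asterisk entry, a non-VPN SSID, and the split tunnel knob disabled) are the ones the text above lists.

```python
"""Where an Instant-VPN IAP sends a client's DNS query under the enterprise-domain rules.
Added example, not Aruba code; labels and parameter names are assumed."""

CLIENT_DNS = "client-dns"   # forwarded to the client's own DNS server (over the IPsec tunnel)
IAP_DNS = "iap-dns"         # source NATed to the IAP's local DNS server


def in_enterprise_domain(hostname, domain):
    """Label-boundary suffix match: 'vpn.arubanetworks.com' matches 'arubanetworks.com',
    but 'notarubanetworks.com' does not (a bare endswith() would be fooled by it)."""
    host = hostname.lower().rstrip(".")
    dom = domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def dns_target(hostname, enterprise_domains, *, vpn_ssid=True, split_tunnel=True):
    """Decide the DNS path for one query from a client on an SSID of an Instant-VPN IAP.

    enterprise_domains: the IAP's Enterprise domains list (System > Show advanced options).
    vpn_ssid: False for an SSID that is not an IAP-VPN SSID.
    split_tunnel: False when the split tunnel knob is disabled for the client's VLAN.
    """
    if not vpn_ssid:                  # non-VPN SSID: traffic goes to the client's DNS server
        return CLIENT_DNS
    if not split_tunnel:              # split tunnel disabled: everything, DNS included, is
        return CLIENT_DNS             # tunneled, whatever the enterprise domain list says
    if "*" in enterprise_domains:     # asterisk entry: every query goes to the client's server
        return CLIENT_DNS
    if any(in_enterprise_domain(hostname, d) for d in enterprise_domains):
        return CLIENT_DNS             # listed domain, or a host under it
    return IAP_DNS                    # no list configured, or no match


def classify_queries(hostnames, enterprise_domains, **mode):
    """Split a batch of queried names by path; useful for checking a domain list before rollout."""
    result = {CLIENT_DNS: [], IAP_DNS: []}
    for name in hostnames:
        result[dns_target(name, enterprise_domains, **mode)].append(name)
    return result
```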


Table 18: Recommendations for IAP-VPN Modes

| IAP-VPN Mode | Usage Recommendations | Things to Remember |
|---|---|---|
| Local | Recommended if there is no requirement to access the clients at the remote location, where IAP-VPN is deployed, from the data center. | Any traffic for a corporate destination is source NATed with the inner tunnel IP address, so the inner IP address pool that is used for VPN must be routable from the corporate network, or you can source NAT the traffic again. Clients at the remote location, where IAP-VPN is deployed, can always access resources at the data center, but the reverse is not true, because all traffic is source NATed with the inner IP of the VPN tunnel. For more information, see Instant-VPN: Local Mode and DHCP Profile for Local Mode. |
| Centralized L2 | Recommended only if multicast traffic to a branch is required. If it is not required, use L3 modes. | The DHCP server is centralized, so DHCP services for new clients and DHCP renewals fail if the WAN is down. Aruba recommends a /24 or /23 subnet for user VLANs. For more information, see Instant-VPN: Centralized L2 Mode and DHCP Profile for Centralized L2 Mode. |
| Distributed L3 | Recommended for all deployments. You can access the clients at the remote location, where IAP-VPN is deployed, from the data center. | Branch routes must be redistributed using OSPF on the WLAN controller. For more information, see Instant-VPN: Distributed L3 Mode and DHCP Profile for Distributed L3 Mode. |

Redundancy Design for Aruba Instant-VPN Deployments

To ensure productivity in branch deployments, high availability of data center resources is essential. One of the core principles of the Aruba Instant solution is redundancy and resiliency. The following data center redundancy options are available with the Aruba Instant-VPN solution:

- Single data center with redundancy

- Multiple data centers with redundancy (geographical redundancy)

In a single data center deployment without redundancy, all Instant-VPNs terminate on a single WLAN controller in a single data center. If the WLAN controller or the data center is down, the branch network loses access to all centralized resources. Aruba strongly recommends that you design your Instant-VPN deployments with redundancy.

The figure below is an example of an Instant-VPN network without redundancy.

Figure 47 Instant-VPN network without redundancy


Single Data Center Deployment with Redundancy

This design provides WLAN controller redundancy within a single data center deployment. All Instant-VPNs terminate on a pair of redundant WLAN controllers in a data center, and the WLAN controllers are deployed in a VRRP-based master redundancy topology. The IAP-VPNs in this deployment terminate on the VRRP IP address of the master redundancy topology. For information about master redundancy between WLAN controllers, see the Aruba Campus Redundancy Models Validated Reference Design.

Below is an example of an Instant-VPN network with a single data center and redundancy.

Figure 48 Instant-VPN network with a single data center and redundancy

Multiple Data Center Redundancy (Geographical Redundancy)

Organizations that design for high availability plan for geographical redundancy to ensure that data center network problems, natural disasters, or calamities in one region do not affect the productivity of the distributed workforce. Aruba Instant-VPN supports geographical redundancy with a primary and backup setup. Geographical redundancy provides these two options:


l Geographical redundancy without redundant WLAN controllers at each data center:  In this setup,Instant-VPNs terminate on a primary WLAN controller in one data center with anotherWLAN controller in ageographically separate data center functioning as the backup. There is no redundancy forWLAN controllers atevery data center.

l Geographical redundancy with redundant WLAN controller at each data center: In this setup, Instant-VPNs terminate on a pair of redundant primary WLAN controllers in one data center with another pair of redundantWLAN controllers in a geographically separate data center functioning as the backup.

The BID that is required for distributed L3mode is allocated only by the primary host. The very first BID processfor an Instant-VPN branch in distributed L2 or distributed L3mode with geographical redundancy must beexchanged with the primary host.  If the primary host of a branch goes down after the initial BID allocation process,the branch fails over to the backup host and all modes function as expected. For more information, see Branch-IDAllocation Algorithm

Below figure is an example of an Instant-VPN network with multiple data centers and redundant WLAN controller atevery data center.

Figure 49 Geographical redundancy with redundant WLAN controller at each data center

Designing Instant-VPN Deployments

Designing a VPN-based branch deployment with Aruba Instant is a combination of the following components:

• Physical design of the branch (single-AP or multi-AP branch)

• Data center redundancy (single data center or multiple data centers)

• Logical design (Instant-VPN mode, traffic engineering, and so on)

To build a sound Instant-VPN deployment, it is critical that you understand the deployment requirements and select the appropriate physical, logical, and redundancy design. To help you understand the considerations and recommendations that are involved in designing an Instant-VPN deployment, consider the most common deployment use cases:

• Single-AP branch with a single data center

• Single-AP deployment with multiple data centers

• Multi-AP deployment with a single data center

• Multi-AP deployment with multiple data centers

These use cases are described in the following sections.

Single-AP Branch with a Single Data Center

For the deployment of a single-AP branch with a single data center, the common components and requirements are as follows:

• Small branches supported by a single IAP

• Single data center deployment with no geographical redundancy requirement

• Secure wireless access for employees and access to corporate resources using VPN

• Optional guest access in certain deployments

• Optional support for corporate wired devices such as printers

• WAN uplink (Ethernet or 3G/4G modem)

The typical Instant-VPN design and configuration for this deployment is as follows:

• Physical design: The physical design for this deployment is a single-AP design. Uplink redundancy for the branch network is optional. For information about uplink redundancy, see the Aruba Instant User Guide that is available at the Aruba support website.

• Data center redundancy: Based on the total number of branch sites, select the appropriate WLAN controller platform. Because this deployment is designed for a single data center, Aruba recommends that you deploy redundant WLAN controllers in the data center using master redundancy to safeguard against controller failure. For more information, see Redundancy Design for Aruba Instant-VPN Deployments.

• Logical design: The logical design for this deployment includes the following components and recommendations:

  ◦ Employee SSIDs with the appropriate authentication. The VLAN that is used for an employee SSID must belong to the appropriate Instant-VPN mode. Aruba recommends that you use distributed L3 mode for all deployments except for those that require support for multicast traffic from the data center to the branch. You can use centralized L2 modes for deployments that require a centralized DHCP server. For more information about Instant-VPN modes, see Understanding Instant-VPN Modes.

  ◦ Wired ports that are used for corporate devices with the appropriate authentication. The VLAN that is used for corporate wired devices must belong to the appropriate Instant-VPN mode. Aruba supports role-based access, so separate VLANs are not required for employees and corporate devices. Both the employee SSID and the wired ports for corporate devices can use the same VLAN in Instant-VPN mode. You can restrict access using appropriate user roles.

  ◦ As an option, you can use a separate VLAN in the appropriate Instant-VPN mode for wired clients. For example, if you use “10.10.0.0 /16” with 50 clients per branch for an employee SSID in Layer 3 mode, you can set up a separate address range of “10.11.0.0 /16” with 5 clients per branch for wired devices and a separate VLAN in distributed L3 mode for the wired clients.

  ◦ Split-tunnel traffic. You can use the routing profile to tunnel or split-tunnel traffic from employees and wired devices. To meet the different traffic engineering requirements, you can use a combination of the routing profile and source NAT ACLs in user roles.

  ◦ Role-based access for wired and wireless devices.

  ◦ BYOD for employees on the employee SSID with ClearPass.

  ◦ In single-AP deployments, deny corporate access to any rogue clients on the IAP’s uplink device by using the “Restrict Corporate Access” feature on Aruba Instant.

  ◦ Modify split-DNS behavior according to the requirements. For more information, see DNS Handling in an Aruba Instant-VPN Network.

  ◦ As an option, guest access using a guest SSID that is mapped to a local-mode VLAN and captive portal authentication is supported. Guests can be supported with the internal captive portal page and guest management features of Aruba Instant or the ClearPass Guest solution. For more information, see the Aruba Instant User Guide that is available at the Aruba support website.

  ◦ As an option, authentication survivability with ClearPass to address WAN failures.

An Aruba Instant network that is configured for Instant-VPN establishes only a single IPsec tunnel from the master AP of the cluster to the WLAN controller. That is, an Aruba Instant cluster does not build separate IPsec tunnels for each SSID or wired port that is configured for Instant-VPN.

The figure below is an example of a single-AP deployment with a single data center with WLAN controller redundancy.

Figure 50 Single-AP deployment with a single data center with WLAN controller redundancy

The following sections provide an overview of the basic IAP and data center configurations that are required to design a single-AP branch with a single data center.

This example uses distributed L3 mode for employees and wired devices.
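The separate address ranges given above (10.10.0.0/16 at 50 clients per branch for the employee SSID, 10.11.0.0/16 at 5 clients per branch for wired devices) fix a per-branch subnet size and therefore a maximum number of branches each distributed L3 pool can serve. The following Python is an added planning example for this guide, not Aruba Instant code. It assumes a simplified model: each branch receives a power-of-two block that holds the configured client count plus three reserved addresses (network, broadcast and the IAP's gateway address), and branch index n is carved as the n-th block of the pool. The IAP's real allocation is driven by the Branch ID, so treat the numbers as a sizing estimate and verify them against what the IAP actually assigns.

```python
"""Capacity planning for distributed L3 address pools (added example, not Aruba code).

Assumed simplified model: every branch receives a power-of-two block that holds
the configured client count plus RESERVED_PER_BRANCH addresses, and branch index
n is the n-th block of the pool.  The IAP derives the real subnet from the
Branch ID; these figures are a planning estimate only.
"""
import math
from ipaddress import IPv4Network, ip_address, ip_network

RESERVED_PER_BRANCH = 3  # assumed overhead: network, broadcast, gateway


def branch_prefixlen(clients_per_branch: int) -> int:
    """Prefix length of the smallest block that fits the clients plus overhead."""
    if clients_per_branch < 1:
        raise ValueError("a branch needs at least one client address")
    needed = clients_per_branch + RESERVED_PER_BRANCH
    return 32 - math.ceil(math.log2(needed))


def branch_capacity(pool: str, clients_per_branch: int) -> int:
    """How many branches the pool can serve at the given per-branch client count."""
    net = ip_network(pool)
    plen = branch_prefixlen(clients_per_branch)
    if plen < net.prefixlen:
        raise ValueError("one branch would need more than the whole pool")
    return 2 ** (plen - net.prefixlen)


def branch_subnet(pool: str, clients_per_branch: int, branch_index: int) -> IPv4Network:
    """Block carved for a 0-based branch index under the assumed model."""
    net = ip_network(pool)
    plen = branch_prefixlen(clients_per_branch)
    if branch_index >= branch_capacity(pool, clients_per_branch):
        raise ValueError("pool exhausted: branch index beyond capacity")
    block = 2 ** (32 - plen)
    base = int(net.network_address) + branch_index * block
    return ip_network(f"{ip_address(base)}/{plen}")


def pools_overlap(pool_a: str, pool_b: str) -> bool:
    """Separate Instant-VPN pools (employee and wired) must not overlap."""
    return ip_network(pool_a).overlaps(ip_network(pool_b))


def plan(pools: dict) -> dict:
    """Summarise per-branch prefix length and branch count for name -> (pool, clients)."""
    return {
        name: {
            "branch_prefixlen": branch_prefixlen(clients),
            "branches": branch_capacity(pool, clients),
        }
        for name, (pool, clients) in pools.items()
    }


if __name__ == "__main__":
    # Constructed from the values used in the guide's example.
    design = {"employee": ("10.10.0.0/16", 50), "wired": ("10.11.0.0/16", 5)}
    for name, summary in plan(design).items():
        print(name, summary)
    print("employee subnet for branch index 3:", branch_subnet("10.10.0.0/16", 50, 3))
```

With the guide's values the employee pool carves into /26 blocks (1024 branches) and the wired pool into /29 blocks (8192 branches), which shows why a pool sized for the smaller client count leaves far more headroom.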

IAP Setup (Single-AP Branch with a Single Data Center)

The key configurations that are required for the IAP include the following:

1. Set up the VPN primary IP configuration.

2. Define the routing profile. This profile specifies the traffic that must be tunneled to the data center. For more information about routing profiles, see Configuring an IAP for Instant-VPN Deployment.

3. Configure the enterprise domains on the IAP for split-DNS.

4. Configure the DHCP server for the appropriate Instant-VPN mode. For example, set up a distributed L3 mode DHCP configuration for the employee SSID and corporate wired devices.

5. Configure the authentication servers for user authentication. For example, set up a RADIUS server configuration for ClearPass for employee authentication, BYOD, and wired device authentication.

DRP is not required in single-AP Instant-VPN deployments. In single-AP deployments, the RADIUS traffic is sourced with the inner IP address of the IPsec tunnel or the VC IP address, based on the routing profile definition.

6. Configure the employee SSID with the appropriate authentication, RADIUS servers, and user roles and map it to the VLAN in the appropriate Instant-VPN mode. For example, map the employee SSID and the wired ports to the distributed L3 mode VLAN that you set up in step 4.

7. For some environments, set up a combination of a routing profile and a source NAT ACL in the user roles to meet the different traffic engineering requirements. For example, if all traffic for corporate wired devices must be tunneled but employee Internet traffic must be split-tunneled, set up a routing profile with a “0.0.0.0 0.0.0.0 <gateway IP>” configuration and an employee user role that tunnels traffic for corporate destinations but source NATs traffic for all other destinations (that is, set up an ACL with a permit action for corporate destinations followed by an ACL with a source NAT action for Internet destinations).

8. In single-AP deployments, as part of the Firewall Settings screen, enable the “Restrict Corporate Access” setting to restrict corporate access to only those devices that are downstream from the IAP. The “Restrict Corporate Access” setting prevents corporate access to any rogue clients on the AP’s uplink switch. Do not enable the “Restrict Corporate Access” setting in a multi-AP flat-mode design. By default, the “Restrict Corporate Access” setting is disabled.

9. In environments that require guest access, perform the following steps:

  ◦ Set up a DHCP configuration in local mode.

  ◦ Map the configuration to the guest SSID that is set up for captive portal authentication.

10. Configure uplink redundancy in environments that require uplink redundancy.

Data Center Configuration (Single-AP Branch with a Single Data Center)

Aruba recommends that you plan for redundancy. The following procedure describes a redundant WLAN controller configuration.

The key configurations that are required on the WLAN controller are listed below:

1. Configure the WLAN controllers with the basic settings such as VLANs, IP addresses, and the required license.

2. Configure the WLAN controller pair for master redundancy. For information about configuring master redundancy, see the Aruba Campus Networks Validated Reference Design or the Aruba User Guide at the Aruba support website.

3. Define the VPN address pool that is used to assign inner IP addresses to the IPsec tunnel that is established at the branch.

4. Add IAPs in the branch to the RAP whitelist. This whitelist can be offloaded to a CPPM or other servers that support authorization. For more information, see Adding IAPs to RAP Whitelist.

5. Configure the appropriate VLANs for branches that are deployed in Layer 2 mode. (This step is required only if the branch is configured for centralized L2 mode.) For more information, see Configuring VLANs for Layer 2 Modes.

6. Configure OSPF route redistribution of Layer 3 branch routes. (This step is required only if the branch is configured for distributed L3 mode.) For more information, see Configuring OSPF Route Redistribution of Layer 3 Branch Routes.

7. As an option, configure the WLAN controller to perform source NATing of 802.1X and RADIUS traffic from IAP branches. However, if RFC 3576-based CoA is a requirement, RADIUS traffic from the IAP branches must not be source NATed at the WLAN controller. For CoA capabilities, all IP addresses and subnets that are used in the VPN address pool must be added to the RADIUS server. For more information, see Configuring the Controller to Perform Source NATing for 802.1X and RADIUS Traffic from Branches.

Single-AP Deployment with Multiple Data Centers

The requirements of this deployment are similar to those of the single-AP deployment with a single data center, except that geographical redundancy is required. Below are the common requirements and components of this deployment:

• Small branches supported by a single IAP

• Multiple data center deployment with a geographical redundancy requirement

• Secure wireless access for employees and access to corporate resources using VPN

• Optional guest access in certain deployments

• Optional support for corporate wired devices such as printers

• WAN uplink (Ethernet or 3G/4G modem)

The typical Instant-VPN design and configuration for this deployment is as follows:

• Physical design: The physical design for this deployment is a single-AP design. Uplink redundancy for the branch network is optional. For information about uplink redundancy, see the Aruba Instant User Guide that is available at the Aruba support website.

• Data center redundancy: Based on the total number of branch sites, select the appropriate WLAN controller platform. Because this deployment requires geographical redundancy, the multi data center redundancy model applies to this deployment. Aruba recommends that you consider redundant master WLAN controllers in the individual data centers of a multi data center design to safeguard against controller failure in the individual data centers. For more information, see Redundancy Design for Aruba Instant-VPN Deployments.

• Logical design: The logical design for this deployment includes the following components and recommendations:

  ◦ Employee SSIDs with the appropriate authentication. The VLAN that is used for an employee SSID must belong to the appropriate Instant-VPN mode. Aruba recommends that you use distributed L3 mode for all deployments except for those that require support for multicast traffic from the data center to the branch. The VLAN IP address that is configured in the centralized L3 mode definition is different for each branch, so you must either modify the AirWave configuration on a per-branch level during the initial deployment, or use a separate group in AirWave for each branch. For more information about Instant-VPN modes, see Understanding Instant-VPN Modes.

  ◦ Wired ports that are used for corporate devices with the appropriate authentication. The VLAN that is used for corporate wired devices must belong to the appropriate Instant-VPN mode. Aruba supports role-based access, so separate VLANs are not required for employees and corporate devices. Both the employee SSID and the wired ports for corporate devices can use the same VLAN in Instant-VPN mode. You can restrict access using appropriate user roles.

  ◦ As an option, a separate VLAN in the appropriate Instant-VPN mode for wired clients. For example, if you use “10.10.0.0 /16” with 50 clients per branch for an employee SSID in Layer 3 mode, you can set up a separate address range of “10.11.0.0 /16” with 5 clients per branch for wired devices and a separate VLAN in distributed L3 mode for the wired clients.

  ◦ Split-tunnel traffic. You can use the routing profile to tunnel or split-tunnel traffic from employees and wired devices. To meet the different traffic engineering requirements, you can use a combination of the routing profile and source NAT ACLs in user roles.

  ◦ Role-based access for wired and wireless devices.

  ◦ BYOD for employees on the employee SSID with ClearPass.

  ◦ In single-AP deployments, deny corporate access to any rogue clients on the IAP’s uplink device using the “Restrict Corporate Access” feature on Aruba Instant.

  ◦ Modify split-DNS behavior according to the requirements. For more information, see DNS Handling in an Aruba Instant-VPN Network.

  ◦ As an option, guest access using a guest SSID that is mapped to a local-mode VLAN and captive portal authentication. Guests can be supported with the internal captive portal page and guest management features of Aruba Instant or the ClearPass Guest solution. For more information, see the Aruba Instant User Guide that is available at the Aruba support website.

  ◦ As an option, authentication survivability with ClearPass to address WAN failures.

An Aruba Instant network that is configured for Instant-VPN establishes only a single IPsec tunnel from the master AP of the cluster to the WLAN controller. That is, an Aruba Instant cluster does not build separate IPsec tunnels for each SSID or wired port that is configured for Instant-VPN.

The figure below is an example of a single-AP deployment with multiple data centers and WLAN controller redundancy.

Figure 51 Single-AP deployment with multiple data centers and WLAN controller redundancy

The following sections provide an overview of the basic IAP and data center configurations that are required to design a single-AP branch with multiple data centers.

This example uses distributed L3 mode for employees and wired devices.

IAP Setup (Single-AP Branch with Multiple Data Centers)

The key configurations that are required for the IAP are listed below:

1. Set up the VPN primary IP configuration.

2. Set up the VPN secondary IP configuration.

3. Set up a fast failover configuration if the environment requires fast failover.

4. Define the routing profile. This profile specifies the traffic that must be tunneled to the data center. The routing profile must have two sets of routes. One points to the primary data center and the other points to the backup data center. The IAP selects a route based on the data center that it is terminating on. For example, if all 10.0.0.0 /8 networks must be tunneled back to the data center, the routing profile must have two routes: “10.0.0.0 255.0.0.0 <controller in data center 1>” and “10.0.0.0 255.0.0.0 <controller in data center 2>”. For more information about routing profiles, see Configuring an IAP for Instant-VPN Deployment.

5. Configure the enterprise domains on the IAP for split-DNS.

6. Configure the DHCP server for the appropriate Instant-VPN mode. For example, set up a distributed L3 mode DHCP configuration for the employee SSID and corporate wired devices.

7. Configure the authentication servers for user authentication. For example, set up a RADIUS server configuration for ClearPass for employee authentication, BYOD, and wired device authentication.

DRP is not required in single-AP Instant-VPN deployments. In single-AP deployments, the RADIUS traffic is sourced with the inner IP address of the IPsec tunnel or the VC IP address, based on the routing profile definition.

8. Configure the employee SSID with the appropriate authentication, RADIUS servers, and user roles and map it to the VLAN in the appropriate Instant-VPN mode. For example, map the employee SSID and the wired ports to the distributed L3 mode VLAN that you set up in step 6.

9. For some environments, set up a combination of a routing profile and a source NAT ACL in the user roles to meet the different traffic engineering requirements. For example, if all traffic for corporate wired devices must be tunneled but employee Internet traffic must be split-tunneled, set up a routing profile with a “0.0.0.0 0.0.0.0 <gateway IP>” configuration and an employee user role that tunnels traffic for corporate destinations but source NATs traffic for all other destinations (that is, set up an ACL with a permit action for corporate destinations followed by an ACL with a source NAT action for Internet destinations).

10. In single-AP deployments, as part of the Firewall Settings screen, enable the “Restrict Corporate Access” setting to restrict corporate access to only those devices that are downstream from the IAP. The “Restrict Corporate Access” setting prevents corporate access to any rogue clients on the AP’s uplink switch. Do not enable the “Restrict Corporate Access” setting in a multi-AP flat-mode design, which is the most commonly used design. By default, the “Restrict Corporate Access” setting is disabled.

11. In environments that require guest access, perform the following steps:

  ◦ Set up a DHCP configuration in local mode.

  ◦ Map the configuration to the guest SSID that is set up for captive portal authentication.

Data Center Configuration (Single-AP Branch with Multiple Data Centers)

In addition to geographical redundancy, Aruba recommends that you consider WLAN controller redundancy in every data center of a geographically redundant design. If a WLAN controller failure occurs at the primary data center, the backup WLAN controller in the primary data center takes over, which prevents the branch network from switching over to the backup data center. This procedure describes a redundant WLAN controller configuration for a data center.

The key configurations that are required on the WLAN controller are listed below:

1. Configure the WLAN controllers with the basic settings such as VLANs, IP addresses, and the required license.

2. Configure the WLAN controller pair for master redundancy. For information about configuring master redundancy, see the Aruba Campus Networks Validated Reference Design or the Aruba User Guide at the Aruba support website.

3. Define the VPN address pool that is used to assign inner IP addresses to the IPsec tunnel that is established at the branch. Aruba recommends that you use a routable address space for the VPN address pool. For more information, see Defining the VPN Pool on a WLAN Controller.

Aruba also recommends that you set up a unique VPN address pool for each WLAN controller in each data center.

4. Add IAPs in the branch to the RAP whitelist. This whitelist can be offloaded to a CPPM or other servers that support authorization. For more information, see Adding IAPs to RAP Whitelist.

5. Configure the appropriate VLANs for branches that are deployed in Layer 2 mode. (This step is required only if the branch is configured for centralized L2 or distributed L2 mode.) For more information, see Configuring VLANs for Layer 2 Modes.

6. Configure OSPF route redistribution of Layer 3 branch routes. (This step is required only if the branch is configured for distributed L3 mode.) For more information, see Configuring OSPF Route Redistribution of Layer 3 Branch Routes.

7. As an option, configure the WLAN controller to perform source NATing of 802.1X and RADIUS traffic from IAP branches. However, if RFC 3576-based CoA is a requirement, RADIUS traffic from the IAP branches must not be source NATed at the WLAN controller. For CoA capabilities, all IP addresses and subnets that are used in the VPN address pool must be added to the RADIUS server. For more information, see Configuring the Controller to Perform Source NATing for 802.1X and RADIUS Traffic from Branches.

Multi-AP Deployment with Single Data Center

For the deployment of a multi-AP branch with a single data center, the following components and requirements are common:

• Branches that require more than one IAP

• Single data center deployment with no geographical redundancy requirement

• Secure wireless access for employees and access to corporate resources using VPN

• Optional guest access in certain deployments

• Optional support for corporate wired devices such as printers

• WAN uplink (Ethernet or 3G/4G modem)

The typical Instant-VPN design and configuration for this deployment is as follows:

• Physical design: The physical design for this deployment is a multi-AP design. For branches that require 2 to 4 IAPs, use either a hierarchical or a flat mode design for AP deployment. In branches with 5 or more IAPs, use a flat mode design. Flat mode deployment requires a trusted managed switch to connect the IAPs. For more information about multi-AP design, see Multi AP Branch. Uplink redundancy for the branch network is optional. For information about uplink redundancy, see the Aruba Instant User Guide that is available at the Aruba support website.

• Data center redundancy: Based on the total number of branch sites, select the appropriate WLAN controller platform. Because this deployment is designed for a single data center, Aruba recommends that you deploy redundant WLAN controllers in the data center using master redundancy to safeguard against controller failure. For more information, see Redundancy Design for Aruba Instant-VPN Deployments.

• Logical design for hierarchical mode design: The logical design for this deployment includes the following recommendations and components:

  ◦ If deployed in hierarchical mode, the member IAPs connect to the downlink ports of the root IAP. Configure the wired ports of the root IAP to which the member IAPs connect with a VLAN in local mode. These ports must be in trunk mode with the native VLAN set to the local mode VLAN that is used for member IAPs. This setup allows the IAPs in hierarchical mode to support multiple VLANs.

  ◦ In hierarchical mode, you can use the wired ports of the root IAP for corporate wired devices.

  ◦ Employee SSIDs with the appropriate authentication. The VLAN that is used for an employee SSID must belong to the appropriate Instant-VPN mode. Aruba recommends that you use distributed L3 mode for all deployments except for those that require support for multicast traffic from the data center to the branch. You can use centralized L3 modes for deployments that require a centralized DHCP server. The VLAN IP address that is configured in the centralized L3 mode definition is different for each branch, so you must either modify the AirWave configuration on a per-branch level during the initial deployment, or use a separate group in AirWave for each branch. For more information about Instant-VPN modes, see Understanding Instant-VPN Modes.

  ◦ Wired ports that are used for corporate devices with the appropriate authentication. The VLAN that is used for corporate wired devices must belong to the appropriate Instant-VPN mode. Aruba supports role-based access, so separate VLANs are not required for employees and corporate devices. Both the employee SSID and the wired ports for corporate devices can use the same VLAN in Instant-VPN mode. You can restrict access using appropriate user roles.

  ◦ As an option, a separate VLAN in the appropriate Instant-VPN mode for wired clients. For example, if you use “10.10.0.0 /16” with 50 clients per branch for an employee SSID in Layer 3 mode, you can set up a separate address range of “10.11.0.0 /16” with 5 clients per branch for wired devices and a separate VLAN in distributed L3 mode for the wired clients.

  ◦ Split-tunnel traffic. You can use the routing profile to tunnel or split-tunnel traffic from employees and wired devices. To meet the different traffic engineering requirements, you can use a combination of the routing profile and source NAT ACLs in user roles.

  ◦ Role-based access for wired and wireless devices.

  ◦ BYOD for employees on the employee SSID with ClearPass.

  ◦ In hierarchical mode deployments, deny corporate access to any rogue clients on the IAP’s uplink device using the “Restrict Corporate Access” feature on Aruba Instant.

  ◦ Modify split-DNS behavior according to the requirements. For more information, see DNS Handling in an Aruba Instant-VPN Network.

  ◦ As an option, guest access using a guest SSID that is mapped to a local-mode VLAN and captive portal authentication. Guests can be supported with the internal captive portal page and guest management features of Aruba Instant or the ClearPass Guest solution. For more information, see the Aruba Instant User Guide that is available at the Aruba support website.

  ◦ As an option, authentication survivability with ClearPass to address WAN failures.

An Aruba Instant network that is configured for Instant-VPN establishes only a single IPsec tunnel from the master AP of the cluster to the WLAN controller. That is, an Aruba Instant cluster does not build separate IPsec tunnels for each SSID or wired port that is configured for Instant-VPN.

• Logical design for flat mode design: The logical design for this deployment includes the following recommendations and components:

  ◦ In a multi-AP flat mode design, the trusted managed switch that connects the IAPs must support all VLANs that are used by the Aruba Instant network. For example, if the Aruba Instant network is configured with a distributed L3 mode VLAN with VLAN ID 100 for corporate access, the trusted uplink switch that connects the IAPs must support this VLAN.

  ◦ In a multi-AP flat mode design, you can connect the corporate wired devices to the trusted managed switch. The wired devices that connect to the switch have corporate access as long as the switch port is on the Instant-VPN mode VLAN. For example, if the Aruba Instant network is configured with a distributed L3 mode VLAN with VLAN ID 100 for corporate access, the trusted uplink switch ports that are used for wired devices must be on VLAN 100.

  ◦ In flat mode deployment, disable the “Restrict Corporate Access” feature.

  ◦ All other logical design elements for flat mode design are the same as for the hierarchical mode design.

The figure below is an example of a multi-AP deployment with a single data center and redundant WLAN controllers.

Figure 52 Multi-AP deployment with a single data center with WLAN controller redundancy

The following sections provide an overview of the basic IAP, data center, and uplink switch configurations that are necessary to design a multi-AP deployment with a single data center. The example that is described in the following sections uses distributed L3 mode for employees and wired devices.

IAP Setup (Multi-AP Deployment with a Single Data Center)

The key configurations that are required for the IAP are listed below:

1. Set up the VPN primary IP configuration.

2. Define the routing profile. This profile specifies the traffic that must be tunneled to the data center. For more information about routing profiles, see Configuring an IAP for Instant-VPN Deployment.

3. Configure the enterprise domains on the IAP for split-DNS.

4. Configure the DHCP server for the appropriate Instant-VPN mode. For example, set up a distributed L3 mode DHCP configuration for the employee SSID and corporate wired devices.

5. Configure the authentication servers for user authentication. For example, set up a RADIUS server configuration for ClearPass for employee authentication, BYOD, and wired device authentication.

6. Enable DRP in multi-AP Instant-VPN deployments to tunnel the RADIUS traffic from member IAPs. When DRP is enabled in a multi-AP network, the RADIUS traffic is sourced with the inner IP address of the IPsec tunnel or the VC IP address, based on the routing profile definition.

7. Configure the employee SSID with the appropriate authentication, RADIUS servers, and user roles and map it to the VLAN in the appropriate Instant-VPN mode. For example, map the employee SSID and the wired ports to the distributed L3 mode VLAN that you set up in step 4.

8. For some environments, set up a combination of a routing profile and a source NAT ACL in the user roles to meet the different traffic engineering requirements. For example, consider an environment that requires all traffic for corporate wired devices to be tunneled, but employee Internet traffic to be split-tunneled. In this case, set up a routing profile with a “0.0.0.0 0.0.0.0 <gateway IP>” configuration and an employee user role that tunnels traffic for corporate destinations but source NATs traffic for all other destinations. (That is, set up an ACL with a permit action for corporate destinations followed by an ACL with a source NAT action for Internet destinations.)

9. In flat mode design, disable the “Restrict Corporate Access” setting that is part of the Firewall Settings screen. By default, the “Restrict Corporate Access” setting is disabled. However, in hierarchical design, you can enable the “Restrict Corporate Access” setting to restrict corporate access to only those devices that are downstream from the root IAP.

10. In environments that require guest access, perform the following steps:

  ◦ Set up a DHCP configuration in local mode.

  ◦ Map the configuration to the guest SSID that is set up for captive portal authentication.

11. As an option for hierarchical mode design, configure uplink redundancy. In hierarchical mode, the redundant uplink must be on the root IAP.


Data Center Configuration (Multi-AP Deployment with a Single Data Center)

Aruba recommends that you plan for redundancy. This procedure describes a redundant WLAN controller configuration.

The key configurations that are required on the WLAN controller are listed below:

1. Configure the WLAN controllers with the basic settings such as VLANs, IP addresses, and the required licenses.

2. Configure the WLAN controller pair for master redundancy. For information about configuring master redundancy, see the Aruba Campus Networks Validated Reference Design or the ArubaOS User Guide at the Aruba support website.

3. Define the VPN address pool that is used to assign inner IP addresses to the IPsec tunnel that is established from the branch.

4. Add the IAPs in the branch to the RAP whitelist. This whitelist can be offloaded to ClearPass Policy Manager (CPPM) or another server that supports authorization. For more information, see Adding IAPs to RAP Whitelist.

5. Configure the appropriate VLANs for branches that are deployed in Layer 2 mode. (This step is required only if the branch is configured for centralized L2 or distributed L2 mode.) For more information, see Configuring VLANs for Layer 2 Modes.

6. Configure OSPF route redistribution of Layer 3 branch routes. (This step is required only if the branch is configured for distributed L3 mode.) For more information, see Configuring OSPF Route Redistribution of Layer 3 Branch Routes.

7. As an option, configure the WLAN controller to perform source NAT of 802.1X and RADIUS traffic from IAP branches. However, if RFC 3576-based CoA (Change of Authorization) is a requirement, RADIUS traffic from the IAP branches must not be source NATed at the WLAN controller, because the RADIUS server sends its CoA requests back to the address the IAP's RADIUS traffic came from. For CoA to work, all IP addresses and subnets that are used in the VPN address pool must be added as NAS clients on the RADIUS server. For more information, see Configuring the Controller to Perform Source NATing for 802.1X and RADIUS Traffic from Branches.

Uplink Switch Setup (Multi-AP Deployment with a Single Data Center)

In a flat mode design, the trusted managed switch that connects the IAPs in the branch must support the client VLANs that are defined in the Aruba Instant network. This support is required because any client traffic that must be forwarded from the member IAP to the master AP is tagged with the appropriate client VLAN. For example, if the Aruba Instant network is configured with a distributed L3 mode VLAN with VLAN ID 100 for the employee SSID, the trusted uplink switch must carry VLAN 100. This configuration allows traffic from the clients that are connected to the employee SSID on the member APs to be forwarded to the master AP with VLAN tag 100. (VPN tunneling or source NATing of client traffic is performed by the master AP.) For more information about traffic forwarding behavior, see Traffic Flows in an Aruba Instant Cluster.

Multi-AP Deployment with Multiple Data Centers

For the deployment of a multi-AP branch with multiple data centers, the common components and requirements are as follows:

l Branches that require more than one IAP

l Multiple data center deployment with geographical redundancy requirement

l Secure wireless access for employees and access to corporate resources using VPN

l Optional guest access in certain deployments

l Optional support for corporate wired devices such as printers

l WAN uplink (Ethernet or 3G/4G modem)

The typical Instant-VPN design and configuration for this deployment is as follows:

l Physical design: The physical design for this deployment is a multi-AP design. For branches that require 2 to 4 IAPs, use either hierarchical or flat mode design for AP deployment. In branches with 5 or more IAPs, use flat mode design. Flat mode deployment requires a trusted managed switch to connect the IAPs. For more information about multi-AP design, see Multi AP Branch. Uplink redundancy for the branch network is optional. For information about uplink redundancy, see the Aruba Instant User Guide that is available at the Aruba support website.

l Data center redundancy: Based on the total number of branch sites, select the appropriate WLAN controller platform. Since this deployment requires geographical redundancy, the multi data center redundancy model applies. Aruba recommends redundant master WLAN controllers in each data center of a multi data center design to safeguard against a controller failure within a data center. For more information, see Redundancy Design for Aruba Instant-VPN Deployments.

l Logical design for hierarchical mode design: The logical design for this deployment includes the following recommendations and components:

n If deployed in hierarchical mode, the member IAPs connect to the downlink ports of the root IAP. Configure the wired ports of the root IAP to which the member IAPs connect with a VLAN in local mode. These ports must be in trunk mode with the native VLAN set to the local mode VLAN that is used for member IAPs. This setup allows the IAPs in hierarchical mode to support multiple VLANs.

n In hierarchical mode, you can use the wired ports of the root IAP for corporate wired devices.

n Employee SSIDs with the appropriate authentication. The VLAN that is used for an employee SSID must belong to the appropriate Instant-VPN mode. Aruba recommends that you use distributed L3 mode for all deployments except those that require support for multicast traffic from the data center to the branch. You can use centralized L3 mode for deployments that require a centralized DHCP server. The VLAN IP address that is configured in the centralized L3 mode definition is different for each branch, so you must either modify the AirWave configuration per branch during the initial deployment or use a separate AirWave group for each branch. For more information about Instant-VPN modes, see Understanding Instant-VPN Modes.

n Wired ports that are used for corporate devices, with the appropriate authentication. The VLAN that is used for corporate wired devices must belong to the appropriate Instant-VPN mode. Aruba supports role-based access, so separate VLANs are not required for employees and corporate devices. Both the employee SSID and the wired ports for corporate devices can use the same VLAN in Instant-VPN mode; you restrict access using the appropriate user roles.

n As an option, a separate VLAN in the appropriate Instant-VPN mode for wired clients. For example, if you use “10.10.0.0 /16” with 50 clients per branch for an employee SSID in Layer 3 mode, you can set up a separate address range of “10.11.0.0 /16” with 5 clients per branch for wired devices, on a separate VLAN in distributed L3 mode.

n Split-tunnel traffic. You can use the routing profile to tunnel or split-tunnel traffic from employees and wired devices. To meet differing traffic engineering requirements, you can use a combination of the routing profile and source NAT ACLs in user roles.

n Role-based access for wired and wireless devices.

n BYOD for employees on the employee SSID with ClearPass.

n In hierarchical mode deployments, deny corporate access to any rogue clients on the IAP's uplink device using the “Restrict Corporate Access” feature of Aruba Instant.

n Modify split-DNS behavior according to the requirements. For more information, see DNS Handling in an Aruba Instant-VPN Network.

n As an option, guest access using a guest SSID that is mapped to a local-mode VLAN and captive portal authentication. Guests can be supported with the internal captive portal page and guest management features of Aruba Instant or with the ClearPass Guest solution. For more information, see the Aruba Instant User Guide that is available at the Aruba support website.

n As an option, authentication survivability with ClearPass to address WAN failures is supported.


An Aruba Instant network that is configured for Instant-VPN establishes only a single IPsec tunnel, from the master AP of the cluster to the WLAN controller. That is, an Aruba Instant cluster does not build separate IPsec tunnels for each SSID or wired port that is configured for Instant-VPN.

l Logical design for flat mode design: The logical design for this deployment includes the following recommendations and components:

n In a multi-AP flat mode design, the trusted managed switch that connects the IAPs must support all VLANs that are used by the Aruba Instant network. For example, if the Aruba Instant network is configured with a distributed L3 mode VLAN with VLAN ID 100 for corporate access, the trusted uplink switch that connects the IAPs must carry this VLAN.

n In a multi-AP flat mode design, you can connect the corporate wired devices to the trusted managed switch. The wired devices that connect to the switch have corporate access as long as the switch port is on the Instant-VPN mode VLAN. For example, if the Aruba Instant network is configured with a distributed L3 mode VLAN with VLAN ID 100 for corporate access, the trusted uplink switch ports that are used for wired devices must be on VLAN 100.

n In flat mode deployment, disable the “Restrict Corporate Access” feature.

n All other logical design elements for flat mode design are the same as for the hierarchical mode design.

Figure 53 shows an example of a multi-AP deployment with multiple data centers, each of which includes redundant WLAN controllers.

Figure 53 Multi-AP deployment with multiple data centers with WLAN controller redundancy

The following sections provide an overview of the basic IAP and data center configurations that are required to design a multi-AP deployment with multiple data centers. The example that is described in the following sections uses distributed L3 mode for employees and wired devices.

IAP Setup (multi-AP Deployment with Multiple Data Centers)

The key configurations that are required for the IAP are listed below:

1. Set up the VPN primary IP configuration.

2. Set up the VPN secondary IP configuration.

3. Set up a fast failover configuration if the environment requires a fast failover.


4. Define the routing profile. This profile specifies the traffic that must be tunneled to the data center. The routing profile must have two sets of routes: one points to the primary data center and the other points to the backup data center. The IAP selects a route based on the data center on which its tunnel is terminating. For example, if all 10.0.0.0 /8 networks must be tunneled back to the data center, the routing profile must have two routes: “10.0.0.0 255.0.0.0 <controller in data center 1>” and “10.0.0.0 255.0.0.0 <controller in data center 2>”. For more information about routing profiles, see Configuring an IAP for Instant-VPN Deployment.

5. Configure the enterprise domains on the IAP for split-DNS.

6. Configure the DHCP server for the appropriate Instant-VPN mode. For example, set up a distributed L3 mode DHCP configuration for the employee SSID and corporate wired devices.

7. Configure the authentication servers for user authentication. For example, set up a RADIUS server configuration for ClearPass for employee authentication, BYOD, and wired device authentication.

8. Enable DRP (dynamic RADIUS proxy) in multi-AP Instant-VPN deployments to tunnel the RADIUS traffic from member IAPs. When DRP is enabled in a multi-AP network, the RADIUS traffic is sourced from the inner IP address of the IPsec tunnel or from the VC IP address, depending on the routing profile definition.

9. Configure the employee SSID with the appropriate authentication, RADIUS servers, and user roles, and map it to the VLAN in the appropriate Instant-VPN mode. For example, map the employee SSID and the wired ports to the distributed L3 mode VLAN that you set up in step 6.

10. For some environments, set up a combination of a routing profile and a source NAT ACL in the user roles to meet the different traffic engineering requirements. For example, if all traffic from corporate wired devices must be tunneled but employee Internet traffic must be split-tunneled, set up a routing profile with a “0.0.0.0 0.0.0.0 <gateway IP>” configuration and an employee user role that tunnels traffic for corporate destinations but source NATs traffic for all other destinations (that is, set up an ACL with a permit action for corporate destinations followed by an ACL with a source NAT action for Internet destinations).

11. In flat mode design, leave the “Restrict Corporate Access” setting in the Firewall Settings screen disabled (it is disabled by default). In hierarchical design, you can enable “Restrict Corporate Access” to restrict corporate access to only those devices that are downstream from the root IAP.

12. In environments that require guest access, perform these steps:

n Set up a DHCP configuration in local mode.

n Map the configuration to the guest SSID that is set up for captive portal authentication.


13. As an option for hierarchical mode design, configure uplink redundancy. In hierarchical mode, the redundantuplink must be on the root IAP.
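The interaction between the routing profile and the source NAT ACL in a user role (step 8 of the single data center procedure and steps 4 and 10 above) is easier to see in code. The following is an added example and not Aruba's code: a small model of the forwarding decision an IAP makes for one packet. It assumes first-match evaluation of the role ACL, that a src-nat action is honoured before the routing profile is consulted, and a multi data center routing profile with the same tunnel route listed once per controller. The AclRule and Route types, the forward() function, and all addresses (documentation ranges for the controllers) are constructed for the example.

```python
"""Model of Instant-VPN split tunnelling: role ACL first, then routing profile.

Added example, not Aruba code. Assumptions: first-match ACL evaluation, a
src-nat ACL action that always wins over the routing profile, and one tunnel
route per data center controller as described for multi-DC deployments.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    dest: IPv4Network   # destination the rule matches
    action: str         # "permit" (hand to the routing profile) or "src-nat" (local breakout)


@dataclass(frozen=True)
class Route:
    dest: IPv4Network   # traffic to tunnel; 0.0.0.0/0 tunnels everything the role permits
    controller: str     # the "<gateway IP>" of this route, one per data center


# Constructed sample data (controller addresses from documentation ranges).
DC1_CONTROLLER = "192.0.2.10"
DC2_CONTROLLER = "198.51.100.10"

# Multi-DC routing profile: the same tunnel route once per data center. The IAP
# only uses the routes that point at the controller its tunnel terminates on.
ROUTING_PROFILE: List[Route] = [
    Route(IPv4Network("0.0.0.0/0"), DC1_CONTROLLER),
    Route(IPv4Network("0.0.0.0/0"), DC2_CONTROLLER),
]

CORPORATE_NETS = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12")]

# Employee role: permit corporate destinations (tunneled), source NAT everything else.
EMPLOYEE_ROLE: List[AclRule] = [AclRule(n, "permit") for n in CORPORATE_NETS] + [
    AclRule(IPv4Network("0.0.0.0/0"), "src-nat"),
]
# Corporate wired-device role: permit everything, so all traffic follows the profile.
WIRED_DEVICE_ROLE: List[AclRule] = [AclRule(IPv4Network("0.0.0.0/0"), "permit")]


def first_match(rules: List[AclRule], dst: IPv4Address) -> Optional[AclRule]:
    """Role ACLs are evaluated top-down; the first matching rule decides."""
    return next((r for r in rules if dst in r.dest), None)


def tunnel_route(profile: List[Route], dst: IPv4Address, active_controller: str) -> Optional[Route]:
    """Longest-prefix match among the routes that point at the active data center."""
    candidates = [r for r in profile if r.controller == active_controller and dst in r.dest]
    return max(candidates, key=lambda r: r.dest.prefixlen, default=None)


def forward(dst: str, role: List[AclRule], profile: List[Route],
            active_controller: str) -> Tuple[str, Optional[str]]:
    """Decide how one packet leaves the branch.

    Returns ("tunnel", controller IP), ("src-nat", None) for local breakout,
    ("local", None) for permitted traffic that no profile route tunnels, or
    ("deny", None) when no ACL rule matches.
    """
    ip = IPv4Address(dst)
    rule = first_match(role, ip)
    if rule is None:
        return ("deny", None)        # implicit deny at the end of every role ACL
    if rule.action == "src-nat":
        return ("src-nat", None)     # NATed to the IAP uplink, never enters the tunnel
    route = tunnel_route(profile, ip, active_controller)
    if route is None:
        return ("local", None)       # permitted, but nothing in the profile tunnels it
    return ("tunnel", route.controller)


if __name__ == "__main__":
    for who, role in (("employee", EMPLOYEE_ROLE), ("wired device", WIRED_DEVICE_ROLE)):
        for dst in ("10.1.2.3", "93.184.216.34"):
            print(who, dst, forward(dst, role, ROUTING_PROFILE, DC1_CONTROLLER))
    # After failover the same profile yields routes via the DC2 controller.
    print("failover", forward("10.1.2.3", WIRED_DEVICE_ROLE, ROUTING_PROFILE, DC2_CONTROLLER))
```

Swapping the order of the employee role's rules (src-nat first) makes every destination return ("src-nat", None), which is the misconfiguration the ordering note in step 8 warns about; the wired-device role, having no src-nat rule, tunnels everything regardless of which controller is active.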

Data Center Configuration (Multi-AP Deployment with Multiple Data Centers)

In addition to geographical redundancy, Aruba strongly recommends that you consider WLAN controller redundancy in each data center of a geographically redundant design. If a WLAN controller failure occurs at the primary data center, the backup WLAN controller in the primary data center takes over, which prevents the branch network from switching over to the backup data center. The following procedure describes a redundant WLAN controller configuration for a data center.

The key configurations that are required on the WLAN controller are listed below:

1. Configure the WLAN controllers with the basic settings such as VLANs, IP addresses, and the required licenses.

2. Configure the WLAN controller pair for master redundancy. For information about configuring master redundancy, see the Aruba Campus Networks Validated Reference Design or the ArubaOS User Guide at the Aruba support website.

3. Define the VPN address pool that is used to assign inner IP addresses to the IPsec tunnel that is established from the branch. Aruba recommends that you use a routable address space for the VPN address pool. For more information, see Defining the VPN Pool on a WLAN Controller. Aruba also recommends a unique VPN address pool for each WLAN controller in every data center, so that traffic to an inner IP address can be routed to the controller that assigned it.

4. Add the IAPs in the branch to the RAP whitelist. This whitelist can be offloaded to ClearPass Policy Manager (CPPM) or another server that supports authorization. For more information, see Adding IAPs to RAP Whitelist.

5. Configure the appropriate VLANs for branches that are deployed in Layer 2 mode. (This step is required only if the branch is configured for centralized L2 or distributed L2 mode.) For more information, see Configuring VLANs for Layer 2 Modes.

6. Configure OSPF route redistribution of Layer 3 branch routes. (This step is required only if the branch is configured for distributed L3 mode.) For more information, see Configuring OSPF Route Redistribution of Layer 3 Branch Routes.

7. As an option, configure the WLAN controller to perform source NAT of 802.1X and RADIUS traffic from IAP branches. However, if RFC 3576-based CoA is a requirement, RADIUS traffic from the IAP branches must not be source NATed at the WLAN controller. For CoA to work, all IP addresses and subnets that are used in the VPN address pool must be added as NAS clients on the RADIUS server. For more information, see Configuring the Controller to Perform Source NATing for 802.1X and RADIUS Traffic from Branches.

Uplink Switch Setup (Multi-AP Deployment with Multiple Data Centers)

In a flat mode design, the trusted managed switch that connects the IAPs in the branch must support the client VLANs that are defined in the Aruba Instant network. This support is required because any client traffic that must be forwarded from the member IAP to the master AP is tagged with the appropriate client VLAN. For example, if the Aruba Instant network is configured with a distributed L3 mode VLAN with VLAN ID 100 for the employee SSID, the trusted uplink switch must carry VLAN 100. This configuration allows traffic from the clients that are connected to the employee SSID on the member APs to be forwarded to the master AP with VLAN tag 100 (VPN tunneling or source NATing of client traffic is performed by the master AP). For more information about traffic forwarding behavior, see Traffic Flows in an Aruba Instant Cluster.


Designing Home Office Deployments with Aruba Instant

Employing a home-based workforce is becoming common across many verticals. The savings on facility expenses and the ability to source talent from a broad pool of applicants with specialized skill sets are an attractive proposition. The affordability and availability of high-speed broadband services has allowed many companies to take advantage of a home-based workforce. In addition, many companies want to increase the productivity of their conventional office-based employees by providing them with secure corporate access from their homes.

One of the key requirements of a work-from-home model is to equip work-from-home employees with all the necessary tools and connect them securely to corporate resources. The key requirement for these deployments is the ability to securely and effortlessly extend corporate resources to the homes of remote workers. Aruba Instant, with its zero-touch provisioning and VPN feature set, is an ideal solution for these deployments.

A home office deployment has the following requirements:

l Wired and wireless access to laptops and VDI terminals

l Wireless access to BYOD devices

l Wired access for phones

l Wired access to printers that are provided by the company, or the ability to allow users to securely print to a personal printer on the home network

l Secure access to corporate resources

The solution and design for this deployment is similar to that of a single-AP branch office deployment. For the designand recommendations of a single-AP branch office deployment, see Single-AP Branch with a Single Data Center.

Configuring the WLAN Controller for Instant-VPN Deployment

As discussed in Understanding Instant-VPN (Aruba Instant-VPN in a Nutshell), the WLAN controller treats the IAP that establishes the VPN tunnel as a VPN client; all configurations such as SSIDs, user roles, authentication servers, and WIPS are local to the Aruba Instant network.

To configure the WLAN controller for Instant-VPN deployments, perform the following steps:

1. Define the VPN address pool to assign inner IP addresses to the IPsec tunnel that is established by the IAP.

2. Add the IAPs in the branch to the RAP whitelist. You can offload the whitelist to ClearPass Policy Manager (CPPM) or another server that supports authorization.

3. Configure the appropriate VLANs for branches that are deployed in Layer 2 mode. (This step is required only if the branch is configured for centralized L2 mode or distributed L2 mode.)

4. Configure OSPF route redistribution of Layer 3 branch routes. (This step is required only if the branch is configured for distributed L3 mode or centralized L3 mode.)

5. As an option, configure the WLAN controller to perform source NAT of 802.1X and RADIUS traffic from an IAP branch.

Each of these steps is described in detail in the following sections.

In small deployments with a single master WLAN controller and a VRRP backup WLAN controller, the upstream router can use a static route that points to the WLAN controller as the next hop for Layer 3 branch subnets. However, you cannot use static routes in a multi-controller e

For classic RAPs on ArubaOS, the WLAN controller must be configured with the appropriate AP groups, which define the SSIDs, user roles, WIPS settings, ARM settings, regulatory domain settings, and so on. However, the AP group settings do not apply to an Instant-VPN IAP.


Aruba recommends that you run ArubaOS 6.3 or greater for Aruba Instant-VPN deployments.

Defining the VPN Pool on a WLAN Controller

Every IAP (Instant-VPN), RAP (classic), Virtual Intranet Access (VIA) client, and third-party VPN client that authenticates and successfully terminates an IPsec tunnel on the VPN server module of the WLAN controller is given a valid inner IP address. This inner IP address is issued from the address pool that is configured in the VPN server module on the WLAN controller. More than one pool can be configured. Aruba recommends that you use dedicated controllers for Instant-VPN, because terminating a combination of Instant-VPN, classic RAPs, and VIA clients on the same controller alters the scale limit of the controller and complicates the calculation of scale limits. However, for testing purposes or during migration from a classic RAP to an Instant-VPN architecture, you might prefer to use the same controller for classic RAPs and Instant-VPNs. In such cases, use separate VPN address pools for Instant-VPN and classic RAPs.

If only a single pool is configured, all the VPN clients (Instant-VPN, RAPs, and VIA) are issued an inner IP address from the same pool. When multiple address pools are available, you can configure the controller to use distinct VPN pools for Instant-VPN, RAPs, and VIA. You achieve this by attaching a VPN pool to the role that is assigned to the Instant-VPN, classic RAP, and VIA clients. For Instant-VPN, the default role that governs the inner IP address is “default-vpn-role”.

Aruba recommends that you use a routable IP subnet as the VPN pool, because this allows you to reach the local WebUI of Aruba Instant from the data center. A routable address pool is also important for RADIUS authentication: the inner IP address of the IAP is used as the source IP address of the RADIUS packets sent to authentication servers in the data center, unless the WLAN controller is configured to source NAT the RADIUS traffic from Aruba Instant branches. If RFC 3576-compliant CoA is a requirement, the RADIUS traffic from the Aruba Instant branch must not be source NATed at the WLAN controller, and the IP address space that is used for the VPN address pool must be added to the NAS client list on the centralized authentication server.

When distinct VPN pools are not defined, the WLAN controller automatically uses the first pool in the VPN address pool list. When this pool is exhausted, the next pool in the list is used, and so on. If all VPN address pools are exhausted, new IAPs (Instant-VPN), RAPs (classic), or VIA clients cannot establish an IPsec tunnel until the required number of IP addresses are added to the pool.

The VPN address pools are not synchronized from the active WLAN controller to its VRRP backup WLAN controller during database synchronization. Create the VPN address pools individually on both the active and standby master WLAN controllers. The VPN pools that are used on the active and the VRRP backup WLAN controller can be the same or different. If the same VPN pool is used on the active and the VRRP backup WLAN controller, the upstream router must use the virtual IP address that is shared between the two WLAN controllers as the next hop address to reach this address pool.

The following figures and the corresponding CLI command examples illustrate how to configure a VPN address pool and attach it to a user role.


Figure 54 Configuring VPN address pools

The CLI commands to configure VPN address pools are as follows:

!
ip local pool "iap-pool-1" "10.68.61.6" "10.68.61.254"
ip local pool "iap-pool-2" "10.68.62.6" "10.68.62.254"
!

Figure 55 Appending a VPN address pool to a user role

The CLI commands to attach a VPN address pool to the VPN user role are as follows:

!
user-role "default-vpn-role"
 pool l2tp "iap-pool-2"
!


Adding IAPs to RAP Whitelist

When an IAP establishes an IPsec tunnel to the WLAN controller, the Aruba TPM certificates in the IAP and the WLAN controller are used for IPsec authentication. After authenticating the IAP, the WLAN controller authorizes the IAP by comparing the CN in the certificate (the CN is the MAC address of the IAP) with the MAC addresses in the RAP whitelist. If the MAC address is not present in the RAP whitelist, the IAP is not allowed to terminate its IPsec tunnel on the WLAN controller. This ensures that only an authorized IAP, and not any Aruba AP with a valid factory certificate, can establish the IPsec tunnel.

You can offload the RAP whitelist that is used for authorization of the IAPs to ClearPass or to an external server that supports authorization.

The RAP whitelist on the WLAN controller has the following fields:

l AP MAC address (required): The MAC address of the IAP that is authorized to establish an IPsec tunnel to the WLAN controller.

l User Name (optional): The name of the user or branch to which the IAP belongs.

l AP Group (required): Although the AP group is not used for IAPs, the RAP whitelist requires this field to add the IAP to the database. Select the default AP group or any other AP group.

l AP Name (optional): A name for the IAP.

l Description (optional): A short description of the IAP.

l Revoked (optional): You can use this field to revoke the secure status of an IAP.

l IP address (optional): You can use this field to assign a specific IP address from the VPN address pool to a specific IAP.

The following figure is a screenshot of the screen that lets you configure the whitelist on the WLAN controller.

Figure 56 Configuring the whitelist on theWLAN controller

The CLI commands to configure and verify the whitelist on the WLAN controller are as follows:

whitelist-db rap add mac-address 94:b4:0f:cb:dc:98 ap-group default remote-ip 192.168.100.100

show whitelist-db rap

The ap-group parameter is not used for any IAP configuration but must be supplied; it can be any valid string. If an external whitelist is used, the AP MAC address must be stored on the RADIUS server as a lower-case entry without any delimiters (for the IAP above, 94b40fcbdc98).

The remote-ip parameter is optional. If you specify an IP address here, that IAP is always assigned this address from the VPN pool as the inner IP of its IPsec tunnel.

The remaining arguments of the command are shown below:

whitelist-db rap add mac-address 94:b4:0f:cb:dc:98 ap-group default ?
ap-name                 AP-Name
description             Description
full-name               Full Name
remote-ip               IP-address assigned to remote peer

The rest of the arguments are optional and do not change the behavior for IAPs. The same CLI is used for classic RAPs, where these arguments do have an effect, but in the context of Instant-VPN, configuring only mac-address and ap-group is enough to bring the tunnel up.
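The authorization step described in this section (certificate CN compared with the whitelist, MAC stored lower-case without delimiters when the whitelist is external, optional pinned remote-ip, revocation) is shown below as an added example; it is not Aruba's code. The normalize_mac(), authorize_iap(), VpnPool and WhitelistEntry names are constructed for the example, as are the sample entries; the pool ranges are the ones from the CLI example above. The check that a pinned remote-ip actually lies inside the pool is an added sanity check, not documented controller behavior.

```python
"""Model of RAP-whitelist authorization for Instant-VPN IAPs.

Added example, not Aruba code. The controller authenticates the IAP with its
TPM certificate; this module models the authorization that follows: compare
the certificate CN (the IAP MAC) with the whitelist, honour revocation, and
hand back the pinned inner IP if one is configured.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

_BARE_MAC = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lower-case hex digits with no delimiters.

    That is the form an external RADIUS whitelist entry must use. Accepts
    aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and the bare form;
    rejects anything else so a malformed entry cannot silently become an allow.
    """
    bare = re.sub(r"[:\-.\s]", "", mac.strip().lower())
    if not _BARE_MAC.match(bare):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bare


@dataclass(frozen=True)
class WhitelistEntry:
    mac: str                          # any notation; normalized when indexed
    ap_group: str                     # required by the CLI, otherwise unused for IAPs
    revoked: bool = False
    remote_ip: Optional[str] = None   # fixed inner IP from the VPN pool, if any


class VpnPool:
    """Inner-IP pool(s) as configured with `ip local pool`: inclusive ranges."""

    def __init__(self, ranges: List[Tuple[str, str]]):
        self.ranges = [(IPv4Address(lo), IPv4Address(hi)) for lo, hi in ranges]

    def __contains__(self, ip: str) -> bool:
        addr = IPv4Address(ip)
        return any(lo <= addr <= hi for lo, hi in self.ranges)


def build_whitelist(entries: List[WhitelistEntry]) -> Dict[str, WhitelistEntry]:
    """Index by normalized MAC so lookups do not depend on how the MAC was typed."""
    return {normalize_mac(e.mac): e for e in entries}


def authorize_iap(cert_cn: str, whitelist: Dict[str, WhitelistEntry],
                  pool: VpnPool) -> Tuple[bool, str, Optional[str]]:
    """Authorization after TPM-certificate authentication has succeeded.

    Returns (allowed, reason, pinned inner IP or None). The remote-ip range
    check is an assumption added here: a pinned address outside the pool can
    never be handed out from it, so it is reported instead of allowed.
    """
    try:
        key = normalize_mac(cert_cn)
    except ValueError as exc:
        return (False, str(exc), None)
    entry = whitelist.get(key)
    if entry is None:
        return (False, "MAC not in RAP whitelist", None)
    if entry.revoked:
        return (False, "whitelist entry revoked", None)
    if entry.remote_ip is not None and entry.remote_ip not in pool:
        return (False, f"remote-ip {entry.remote_ip} is outside the VPN pool", None)
    return (True, "authorized", entry.remote_ip)


# Constructed sample data: pool ranges from the CLI example above, three entries
# written in three MAC notations to show that indexing normalizes them.
POOL = VpnPool([("10.68.61.6", "10.68.61.254"), ("10.68.62.6", "10.68.62.254")])
WHITELIST = build_whitelist([
    WhitelistEntry("94:b4:0f:cb:dc:98", "default", remote_ip="10.68.61.10"),
    WhitelistEntry("AC-A3-1E-00-11-22", "default"),
    WhitelistEntry("24de.c6aa.bb01", "default", revoked=True),
])

if __name__ == "__main__":
    for cn in ("94:B4:0F:CB:DC:98", "aca31e001122", "24:de:c6:aa:bb:01",
               "00:11:22:33:44:55", "bogus"):
        print(cn, authorize_iap(cn, WHITELIST, POOL))
```

The value of normalizing on both sides is that the lookup key is identical whether the entry was typed into the controller CLI with colons or stored on the RADIUS server bare and lower-case; the same function also doubles as a validator for bulk-importing whitelist entries from an inventory export.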

When you use IAPs that are running Aruba InstantOS 4.0 or greater and Aruba WLAN controllers that are running ArubaOS 6.4 or greater in a configuration with Auto-GRE, the WLAN controllers allow tunnels only from IAPs that are configured through AirWave or Aruba Central. Tunnels are not allowed from other IAPs even if they are on the RAP whitelist. This measure provides additional security. To allow tunnels from IAPs that are configured through the local WebUI of Aruba Instant, use the WLAN controller CLI to add the IAPs to the “iap trusted-branch-db” list. For example:

iap trusted-branch-db ?
add                     Configure an IAP trusted branch entry
allow-all               Allow all branches as trusted
del                     Delete an IAP trusted branch entry
del-all                 Delete all trusted branch entries

Note that allow-all removes this additional check entirely; add individual branches with add instead, and reserve allow-all for lab or migration scenarios.

Configuring VLANs for Layer 2 Modes

In centralized L2 mode, the master AP adds the appropriate VLAN tag to the client traffic that is destined for the data center and sends it to the WLAN controller through the IPsec-GRE tunnel. When the WLAN controller receives the packet, it inspects the tag and forwards the packet accordingly. The VLAN that is defined in the centralized Layer 2 configuration of an IAP must exist on the WLAN controller. The VLAN on the WLAN controller can be configured as a Layer 2 VLAN (that is, no IP address is configured on the VLAN interface) or a Layer 3 VLAN (that is, an IP address is configured on the VLAN interface).

Depending on your network setup, you must enable inter-VLAN routing between the VLANs on the WLAN controller.

Configuring OSPF Route Redistribution of Layer 3 Branch Routes

In Layer 3 mode, each branch has a dedicated subnet. Only the WLAN controller knows which branch each subnet belongs to. The following example describes the need for OSPF redistribution:

Consider an organization with 100 branches that has designed an Instant-VPN network for geographical redundancy and fast VPN failover. In such a network, the primary host (WLAN controller) is in data center 1 (DC1) and the backup host (WLAN controller) is in data center 2 (DC2). Under ideal conditions, all 100 branches terminate on the primary host in DC1. If branch 10 has WAN problems reaching DC1, it fails over to DC2. Now 99 branches terminate on DC1 but one branch terminates on DC2. This means that 99 branches can be reached through the primary host in DC1, but the traffic to branch 10 must go through the backup host in DC2. The network that connects the two data centers must be updated with route information that can change dynamically.

Using OSPF and redistributing routes appropriately ensures that routing does not break. When OSPF redistribution is enabled, the WLAN controller redistributes routes only for the branches that are active on that WLAN controller. Even with fast failover enabled, the OSPF process on the WLAN controller redistributes a branch route only if the IPsec tunnel is in the active state. This is because the master AP exchanges the route Add message, which registers the branch subnet, only with the WLAN controller on which the VPN tunnel is active. For information about configuring OSPF on the Aruba controller, see the ArubaOS User Guide at the Aruba support website.


By default, a master AP establishes a single IPsec tunnel, either to the primary or to the backup host. If the communication to one host fails, the master AP establishes an IPsec tunnel to the other host. However, if fast failover is enabled, the master AP can establish a backup VPN tunnel even while the primary VPN tunnel is still up. The primary tunnel is in the active state and the backup tunnel is in the idle state. The purpose of fast failover is to reduce the failover time by eliminating the tunnel setup time during failover.

The CLI command to redistribute Instant-VPN branch routes using OSPF is as follows:

    router ospf
      redistribute rapng-vpn

Use the show ip route command on the WLAN controller to display the Instant-VPN routes that are redistributed by the WLAN controller. All routes with a “V” flag in the command output are Instant-VPN branch routes. The following sample output shows Instant-VPN branch routes:

    (Aruba-Controller) #show ip route
    Codes: C - connected, O - OSPF, R - RIP, S - static
           M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN
    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    Gateway of last resort is 10.15.148.254 to network 0.0.0.0 at cost 1
    S*    0.0.0.0/0  [1/0] via 10.15.148.254*
    V     12.12.2.0/24  [10/0] ipsec map
    V     12.12.12.0/25  [10/0] ipsec map
    V     12.12.12.32/27  [10/0] ipsec map
    V     50.40.40.0/24  [10/0] ipsec map
    V     51.41.41.128/25  [10/0] ipsec map
    V     53.43.43.32/27  [10/0] ipsec map
    V     54.44.44.16/28  [10/0] ipsec map
    C     9.9.9.0/24 is directly connected, VLAN9
    C     10.15.148.0/24 is directly connected, VLAN1
    C     43.43.43.0/24 is directly connected, VLAN132
    C     42.42.42.0/24 is directly connected, VLAN123
    C     44.44.44.0/24 is directly connected, VLAN125
    C     182.82.82.12/32 is an ipsec map 10.15.149.69-182.82.82.12
    C     182.82.82.14/32 is an ipsec map 10.17.87.126-182.82.82.14

When an Instant-VPN branch in distributed L3 mode fails over from one data center to another, the time that OSPF route convergence requires depends on the user idle timeout setting on the WLAN controller. For faster convergence in Instant-VPN deployments, Aruba recommends that you set the user idle timeout to 30 seconds.
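As an added example (not part of this guide or of ArubaOS), the following Python parses show ip route output like the sample above, extracts the “V” (RAPNG VPN) branch routes, and reports which of the branch subnets a deployment expects are not currently advertised by the controller whose output you fed in. Run against both data centers' controllers after a failover, the two reports should partition the branch list. The sample output and the list of expected branch subnets are constructed for the example.

```python
import ipaddress
import re

# Constructed sample, transcribed from the show ip route output shown above.
SAMPLE_SHOW_IP_ROUTE = """\
(Aruba-Controller) #show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN
Gateway of last resort is 10.15.148.254 to network 0.0.0.0 at cost 1
S*    0.0.0.0/0  [1/0] via 10.15.148.254*
V     12.12.2.0/24  [10/0] ipsec map
V     12.12.12.0/25  [10/0] ipsec map
V     12.12.12.32/27  [10/0] ipsec map
V     50.40.40.0/24  [10/0] ipsec map
V     51.41.41.128/25  [10/0] ipsec map
V     53.43.43.32/27  [10/0] ipsec map
V     54.44.44.16/28  [10/0] ipsec map
C     9.9.9.0/24 is directly connected, VLAN9
C     10.15.148.0/24 is directly connected, VLAN1
C     182.82.82.12/32 is an ipsec map 10.15.149.69-182.82.82.12
"""

# A route line starts with one or more route codes (capital letters, possibly
# a '*'), followed by a prefix in CIDR notation.  The prompt, the code legend
# and the "Gateway of last resort" lines do not match this pattern.
ROUTE_LINE = re.compile(
    r"^(?P<codes>[A-Z*]+)\s+(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s*(?P<rest>.*)$"
)


def parse_routes(output):
    """Return (codes, network, remainder) for every route line in the output."""
    routes = []
    for line in output.splitlines():
        match = ROUTE_LINE.match(line.strip())
        if match:
            network = ipaddress.ip_network(match.group("prefix"), strict=False)
            routes.append((match.group("codes"), network, match.group("rest")))
    return routes


def instant_vpn_routes(output):
    """Branch routes learned over Instant-VPN tunnels: the ones flagged 'V'.
    These are the routes the controller redistributes into OSPF."""
    return [network for codes, network, _ in parse_routes(output) if "V" in codes]


def missing_branch_routes(expected_branches, output):
    """Branch subnets (for example the per-branch subnets of a distributed L3
    DHCP profile) that this controller is NOT advertising.  After a failover a
    subnet listed here should appear as a 'V' route on the other data center's
    controller; if it appears on neither, routing to that branch is broken."""
    advertised = set(instant_vpn_routes(output))
    expected = (ipaddress.ip_network(branch) for branch in expected_branches)
    return sorted(network for network in expected if network not in advertised)


if __name__ == "__main__":
    # Constructed list of branch subnets the deployment is supposed to have.
    EXPECTED = ["12.12.2.0/24", "12.12.12.32/27", "50.40.40.0/24", "60.60.60.0/24"]
    for network in instant_vpn_routes(SAMPLE_SHOW_IP_ROUTE):
        print("advertised by this controller:", network)
    for network in missing_branch_routes(EXPECTED, SAMPLE_SHOW_IP_ROUTE):
        print("not advertised by this controller:", network)
```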

Configuring the Controller to Perform Source NATing for 802.1X and RADIUS Traffic from Branches

To establish an IPsec connection with the WLAN controller, a VPN client (IAP, RAP, VIA, or third-party VPN client) submits the appropriate authentication credentials during the IPsec establishment process. The VPN server on the WLAN controller validates these credentials and assigns a user role to the authenticated VPN client. This user role is defined by the VPN authentication profile on the WLAN controller. The four predefined VPN authentication profiles are:

• default: For third-party VPN clients

• default-cap: For campus APs (CAPs)

• default-rap: For RAPs


• default-iap: For IAPs

You cannot add additional VPN authentication profiles. The “default”, “default-iap”, and “default-rap” profiles are configurable, but the “default-cap” profile cannot be edited.

No licenses are needed on the controller to bring up the IAP VPN tunnel. However, a PEFV license must be installed before the default-vpn-role can be edited on the controller.

Before installing the PEFV license, the “Add” icon for adding a new role and the “default-vpn-role” entry for editing are not available in the role list.

After installing the PEFV license, the “Add” icon to add a new role and the “default-vpn-role” entry for editing are available.

The IPsec authentication between the WLAN controller and the IAP is based on Aruba TPM certificates on the WLAN controller and the IAP. The TPM certificate-based authentication ensures that the IAP that establishes a VPN connection to the WLAN controller is an Aruba IAP. This process does not guarantee that the authenticated Aruba IAP is authorized. To ensure that the IAPs that connect to the WLAN controller are authorized, the RAP whitelist is used. The RAP whitelist ensures that only authorized IAPs can establish a VPN tunnel to the WLAN controller. After authenticating a RAP or IAP using the TPM certificate, the WLAN controller compares the Common Name (CN) in the certificate to the list of authorized MAC addresses in the RAP whitelist. (The CN is the MAC address of the IAP that presents the certificate to the WLAN controller.) If the MAC address is not present in the RAP whitelist, the IAP is not allowed to terminate its IPsec tunnel on the WLAN controller.

ArubaOS 6.3 and greater allow the use of CPPM or an external RADIUS server to authorize IAPs that attempt to connect to the WLAN controller. By default, the internal RAP whitelist database is used to authorize IAPs.

The “check certificate common name against AAA server” setting must be enabled to allow authorization of the MAC address in the certificate CN against the RAP whitelist. If this setting is disabled, IAPs are authorized even if their MAC addresses are not in the RAP whitelist. Aruba recommends that you enable this setting in all deployments to ensure that only authorized IAPs connect to the WLAN controller.
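The two-step admission decision described above (TPM certificate proves the device is an Aruba AP; the whitelist decides whether that AP is authorized) as an added Python model, not ArubaOS code. The whitelist contents are constructed; the MAC 94:b4:0f:cb:dc:98 is the IAP VC shown in the show user output later in this section. The model also shows what the disabled “check certificate common name against AAA server” setting does to the decision, and which already-connected IAPs would be cut off when the setting is turned on.

```python
import re

# Constructed RAP whitelist.  In a real deployment this is the controller's
# internal whitelist database or, from ArubaOS 6.3, CPPM / an external RADIUS server.
RAP_WHITELIST = {
    "94:b4:0f:cb:dc:98",   # IAP VC from the show user output in this guide
    "00:1a:1e:00:00:01",   # constructed entry
}

MAC_DIGITS = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff
    and return the canonical colon-separated lowercase form; None if not a MAC.
    The CN of the TPM certificate is the IAP's MAC address, so this is what
    gets compared against the whitelist."""
    digits = re.sub(r"[:.\-\s]", "", value.strip().lower())
    if not MAC_DIGITS.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize_iap(cert_cn, tpm_cert_valid, check_cn_against_aaa, whitelist=RAP_WHITELIST):
    """Return (decision, reason) for one IPsec tunnel request.
    Step 1, authentication: the TPM certificate must validate (an Aruba device).
    Step 2, authorization: only performed when the 'check certificate common
    name against AAA server' setting is enabled; the CN must be whitelisted."""
    if not tpm_cert_valid:
        return ("deny", "TPM certificate did not validate")
    if not check_cn_against_aaa:
        # The configuration the guide warns about: any Aruba device with a
        # valid TPM certificate is admitted, whitelisted or not.
        return ("permit", "CN check disabled; admitted without whitelist lookup")
    mac = normalize_mac(cert_cn)
    if mac is None:
        return ("deny", "certificate CN is not a MAC address")
    if mac not in whitelist:
        return ("deny", f"{mac} is not in the RAP whitelist")
    return ("permit", f"{mac} authorized by the RAP whitelist")


def unauthorized_connected(connected_cns, whitelist=RAP_WHITELIST):
    """CNs of IAPs that currently hold a tunnel but that the whitelist would
    reject, i.e. tunnels that exist only because the CN check was disabled.
    Run this before enabling the setting on a live deployment to see what
    will be disconnected."""
    return sorted(
        cn for cn in connected_cns
        if authorize_iap(cn, True, True, whitelist)[0] == "deny"
    )


if __name__ == "__main__":
    # Constructed set of currently connected IAP CNs.
    connected = ["94:B4:0F:CB:DC:98", "00:11:22:33:44:55", "00:1a:1e:00:00:01"]
    for cn in connected:
        print(cn, "->", authorize_iap(cn, True, True))
    print("would be cut off:", unauthorized_connected(connected))
```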


After successfully authenticating and authorizing an IAP, the WLAN controller assigns the default role defined in the “default-iap” VPN authentication profile. The default role defined under the “default-iap” VPN authentication profile is the predefined “default-vpn-role”, which has an “allow-all” firewall policy. All traffic from an IAP-VPN tunnel is forwarded or routed by the WLAN controller.

In Instant-VPN deployments in which the authentication server is located in the data center, the IAP tunnels all authentication traffic to the WLAN controller using the inner IP address of the IAP's IPsec tunnel. Because the source IP address of RADIUS traffic from a master AP in the branch is the inner IP address of the IPsec tunnel, you must add all IP addresses that are used in the VPN address pool as RADIUS clients on the RADIUS server. In some environments, a security policy does not allow you to add all addresses in the VPN pool to the NAS client list on the authentication server. In these situations, you can add a rule that source NATs all RADIUS traffic with the IP address of the WLAN controller. With this rule, you only need to configure the WLAN controller as the NAS client on the RADIUS server. Place the source NAT rule above the “allow-all” rule in the “default-vpn-role”.

Enable Dynamic RADIUS Proxy (DRP) on multi-AP Aruba Instant networks to ensure that the IAP tunnels the authentication traffic to the RADIUS server in the data center. When DRP is enabled, RADIUS traffic that is destined for a corporate authentication server is sourced with the inner IP address of the IPsec tunnel, but RADIUS traffic that is destined for local authentication servers is forwarded using the VC IP address.

The ArubaOS controller does not require any licenses to terminate IAP-VPN tunnels. However, a PEFV license is needed to change the firewall policies or the user role that is applied to IAPs. For more information, see Licensing.

Figure 57 shows how to set up source NATing for RADIUS traffic with the IP address of the WLAN controller.

Figure 57 Configuring a firewall policy for source NATing of RADIUS traffic

Figure 58 shows how to set up a user role (“iap-role”) with the appropriate firewall policy to allow source NATing of RADIUS traffic.


Figure 58 Configuring a user role for source NATing of RADIUS traffic

Figure 59 shows how you can apply a role to the “default-iap” VPN authentication profile.

Figure 59 Applying a role to the “default-iap” VPN authentication profile

Use the following command on the controller CLI to find the IAP-to-user-role mapping:

    (Aruba7030) #show user

    Users
    -----
    IP               MAC                Name               Role      Age(d:h:m)  Auth  VPN link         AP name  Roaming  Essid/Bssid/Phy  Profile      Forward mode  Type  Host Name
    ---------------  -----------------  -----------------  --------  ----------  ----  ---------------  -------  -------  ---------------  -----------  ------------  ----  ---------
    192.168.200.106  00:00:00:00:00:00                     logon     01:03:48    VPN   N/A                                                              tunnel
    192.168.100.101  00:00:00:00:00:00  94:b4:0f:cb:dc:98  iap-role  00:05:59    VPN   192.168.200.106  N/A                                default-iap  tunnel

    User Entries: 2/2
    Curr/Cum Alloc:2/3 Free:0/1 Dyn:2 AllocErr:0 FreeErr:0

In this output, the inner IP address of the IAP VC's IPsec tunnel, 192.168.100.101, is assigned the role “iap-role” through the “default-iap” profile. 192.168.200.106 is the actual IP address of the same VC.

If CoA is a requirement, do not perform source NATing for RADIUS. For RFC 3576 compliance, CoA messages are initiated by the RADIUS server; therefore, do not configure a rule on the WLAN controller to source NAT RADIUS traffic. If the RADIUS server is in the data center, list the inner IP addresses that are used for the IPsec tunnels as RADIUS clients.

Configuring an IAP for Instant-VPN Deployment

You can configure an IAP network locally through the Instant WebUI, AirWave, or Aruba Central. Irrespective of how you configure an IAP network, the entire IAP network configuration resides on the IAPs in a cluster. An IAP uses a distributed architecture, so an IAP network does not require a physical controller to provide the configured WLAN services. A physical Aruba WLAN controller is required only for terminating VPN tunnels from IAP networks at branch locations. The WLAN controller in the data center functions only as a VPN concentrator, and it is not required for IAP branches that do not require VPN functionality.

In addition to configuring basic settings such as user roles and SSIDs, an IAP network requires you to perform the following configuration tasks for Instant-VPN operation:

• Defining the VPN host settings

• Configuring the routing profile

• Configuring DHCP profiles for different Instant-VPN modes

• Configuring an SSID or wired port for Instant-VPN

• Enabling Dynamic RADIUS Proxy (DRP)

• Configuring enterprise domains

The sections below describe these tasks in detail.

Defining the VPN Host Settings

The VPN endpoint on which a master AP terminates its VPN tunnel is considered the host. You can configure a master AP in an IAP network with two hosts: a primary and a backup. The primary and backup host configuration provides VPN redundancy. Typically, the primary and backup hosts are WLAN controllers located in geographically separate data centers. The VPN host controller within each data center can be configured with a VRRP-based backup controller. The primary and backup hosts are analogous to the LMS and BLMS controllers in a classic RAP architecture.


Figure 60 shows an Instant-VPN architecture designed for redundancy.

Figure 60 Instant-VPN architecture designed for redundancy

To configure the VPN settings, select the VPN menu on the Instant WebUI, AirWave, or Aruba Central. The controller tab in the VPN menu includes all the VPN host settings.

The controller tab provides the following settings:

• Protocol: This setting defines whether the IAP establishes a GRE tunnel or an IPsec tunnel. Because the Instant-VPN architecture defines a secure VPN tunnel, this field is set to IPsec.

• Primary host: This setting defines the IP address of the WLAN controller that functions as the primary host. In general, most organizations have a public IP address on the corporate firewall, which forwards the packets to the controller in the DMZ. If two WLAN controllers are deployed as a VRRP redundant pair in the data center, the firewall must be configured to forward the packets that are destined for the public IP address to the virtual IP address that is used between the master and the VRRP backup WLAN controller. The only port that must be open on the firewall for Instant-VPN is UDP port 4500 (IPsec NAT-T). The primary host IP address is an IP address that can be reached through the Internet (that is, a public IP address). In general, an IP network should be able to reach the primary host IP address without any tunneling.

• Backup host: This setting defines the IP address of the WLAN controller that functions as the backup host. The primary and backup hosts are deployed in geographically redundant data centers. Like the primary host IP address, the backup host IP address must be reachable from an IAP network without any tunneling.

• Preemption: Even when an IAP is on a backup host, it tests connectivity to the primary host in the background. If preemption is enabled, an IAP that terminates its tunnel on the backup host switches back to the primary host when the primary host becomes available again.

• Hold time: This setting defines the time (in seconds) that an IAP waits before it switches back to the primary host when preemption is enabled. This setting is visible on the Instant WebUI only if preemption is enabled.

• Fast failover: By default, a master AP in an IAP cluster establishes only a single IPsec tunnel at any time, either to the primary or to the backup host. If the communication to one host fails, the master AP establishes an IPsec tunnel to the other host. However, if fast failover is enabled, the master AP can establish a backup VPN tunnel even while the primary VPN tunnel is still up. The primary tunnel is in the active state and the backup tunnel is in an idle state. The purpose of fast failover is to reduce the failover time by eliminating the tunnel setup time during failover.


• Secs between test packets: This setting defines the frequency at which packets are sent to the controller to detect the connection status. The unit is seconds per packet and the default value is 5 seconds, which means that every 5 seconds the IAP sends one packet to the controller.

• Max allowed test packet loss: This setting defines the number of lost packets after which the IAP tears down the tunnel. The default value is 6 packets.

The following is an example IAP configuration with these settings:

• Protocol: IPsec

• Primary host: 199.xx.xx.137 (public IP)

• Backup host: 199.xx.xx.138 (public IP)

Figure 61 IAP IPSec configuration with primary and backup hosts

Configuring a Routing Profile

The second tab under the VPN settings menu is the routing profile tab. The routing profile on an IAP determines whether the traffic that is destined for a subnet is forwarded through an IPsec tunnel or bridged locally. If the routing profile is empty, the client traffic is bridged locally. If the routing profile is configured to tunnel 10.0.0.0 /8, traffic destined for 10.0.0.0 /8 is forwarded through the IPsec tunnel and the traffic to all other destinations is bridged locally.

An IAP network has only one active tunnel even if fast failover is enabled. At any time, traffic can be tunneled only to one VPN host. (Policy-based routing and load balancing between the primary and backup hosts are currently not supported.)

To configure a route in the routing profile, define these settings:


• Destination: This setting defines the IP address or subnet that must be reached through the IPsec tunnel. Traffic is forwarded through the IPsec tunnel to the IP address or subnet that is defined by this setting.

• Netmask: This setting defines the network mask of the destination that is defined in the Destination setting.

• Gateway: This setting defines the WLAN controller to which the traffic must be tunneled. This address is the actual WLAN controller IP address and not the public IP address that is defined as the VPN host. You can find the actual IP address of the WLAN controller that functions as the primary or backup host through the controller CLI in the output of the show controller-ip command, or on the “controller IP details” screen on the WebUI of the WLAN controller. If you have a primary and backup host, configure two routes with the same destination and netmask, but for the primary route, configure the gateway as the IP address of the primary controller, and for the backup route, configure the gateway as the IP address of the backup controller. The route that is selected from the routing profile is based on the WLAN controller with which the VPN tunnel is established.

If a pair of controllers is configured for VRRP-based master-backup redundancy, every controller has a physical IP address and there is a single virtual IP address. If the VPN host (primary or backup) is represented by a redundant VRRP controller pair, the routing profile must have routes to the physical IP addresses of the VRRP master and backup controllers or to the virtual IP address of the VRRP redundant controllers. The following examples illustrate this configuration:

Controller Redundancy Example 1

Consider an organization with two data centers: DC1 and DC2. The WLAN controller in the primary data center (DC1) has a physical IP address of 10.68.33.6, and the public IP address of the firewall that is assigned to this controller is 199.xx.xx.137. (The firewall forwards the traffic from 199.xx.xx.137 to 10.68.33.6.) The controller in the backup data center (DC2) has a physical IP address of 10.68.48.6, and the public IP address of the firewall that is assigned to this controller is 199.xx.xx.138. (The firewall forwards the traffic from 199.xx.xx.138 to 10.68.48.6.) In this situation, the routing profile for an IAP branch that must establish a tunnel to 10.0.0.0 /8 contains these routes:

• 10.0.0.0 255.0.0.0 10.68.33.6

• 10.0.0.0 255.0.0.0 10.68.48.6

The master AP in the IAP cluster selects the route depending on whether the VPN tunnel is terminating on the primary or backup host. The primary and backup host configurations under the VPN host settings are 199.xx.xx.137 for the primary host and 199.xx.xx.138 for the backup host.

Controller Redundancy Example 2

Consider an organization with two data centers: DC1 and DC2. Each data center has a pair of VRRP-based redundant controllers.

• Primary data center (DC1)

◦ The physical IP address of the VRRP master controller in the primary data center is 10.68.33.6.

◦ The physical IP address of the VRRP backup controller in the primary data center is 10.68.33.7.

◦ The virtual IP address between the VRRP master and backup controller in the primary data center is 10.68.33.8.

◦ The public IP address that is used for the primary host configuration is 199.xx.xx.137.

• Backup data center (DC2)

◦ The physical IP address of the VRRP master controller in the backup data center is 10.68.48.6.

◦ The physical IP address of the VRRP backup controller in the backup data center is 10.68.48.7.

◦ The virtual IP address between the VRRP master and backup controller in the backup data center is 10.68.48.8.

◦ The public IP address that is used for the backup host configuration is 199.xx.xx.138.

• In this situation, the routing profile for an IAP branch that must establish a tunnel to 10.0.0.0 /8 contains these routes:


◦ 10.0.0.0 255.0.0.0 10.68.33.6

◦ 10.0.0.0 255.0.0.0 10.68.33.7

◦ 10.0.0.0 255.0.0.0 10.68.48.6

◦ 10.0.0.0 255.0.0.0 10.68.48.7

The master AP in the IAP cluster selects the route depending on which controller is terminating the VPN tunnel. The primary and backup host configurations under the VPN host settings are 199.xx.xx.137 for the primary host and 199.xx.xx.138 for the backup host.

An alternative routing profile configuration for the above example uses the virtual IP address of the VRRP redundant controllers as the gateway IP address. In this situation, the routing profile for an IAP branch that must establish a tunnel to 10.0.0.0 /8 contains these routes:

• 10.0.0.0 255.0.0.0 10.68.33.8

• 10.0.0.0 255.0.0.0 10.68.48.8

Figure 62 shows controller redundancy example 2, described above.

Figure 62 Routing profile configuration with VRRP-based redundant controllers

The routing profile on an IAP allows a total of 32 entries.

The routing profile is universal and applies to all SSIDs and wired ports that you configure in local mode, centralized L2 mode, and distributed L3 mode. For example, a routing profile that is configured to tunnel to 10.0.0.0 /8 applies to both an employee SSID that is configured for L3 mode and a guest SSID that is configured for local mode. However, you can set up a user role to deny guests access to the 10.0.0.0 /8 network and source NAT all other traffic locally to the Internet. User roles and firewall policies are applied to client traffic before the routing profile is applied.

Figure 63 is an example of the screen that lets you configure the routing profiles associated with controller redundancy example 2, described above:

• 10.0.0.0 255.0.0.0 10.68.33.6

• 10.0.0.0 255.0.0.0 10.68.33.7

• 10.0.0.0 255.0.0.0 10.68.48.6


Figure 63 Configuring routing profiles

Configuring DHCP Profiles for Instant-VPN Modes

The DHCP server menu of the Instant WebUI lets you create DHCP profiles that determine the Instant-VPN mode of operation. An Aruba Instant network can have multiple DHCP profiles configured for different modes of Instant-VPN. You can create a total of 16 DHCP profiles for each Aruba Instant cluster, and the DHCP profile definition varies based on the Instant-VPN mode. For information about the different Instant-VPN modes, see Understanding Instant-VPN Modes.

The DHCP menu in Aruba Instant has three sections:

• Distributed DHCP Scopes: This section includes the DHCP profile configuration for distributed L2 mode and distributed L3 mode.

• Centralized DHCP Scopes: This section includes the DHCP profile configuration for centralized L2 mode and centralized L3 mode.

• Local DHCP Scopes: This section includes the DHCP profile configuration for local mode.


Figure 64 is an example of the screen that lets you configure DHCP server scopes.

Figure 64 Configuring DHCP server scopes

DHCP Profile for Local Mode

In local mode, the master AP in an IAP cluster is both the default gateway and the DHCP server for clients that connect to an SSID or wired port that operates in this mode. In local mode, the master AP assigns an IP address from a configured local subnet. The subnet is not a Layer 2 or Layer 3 extension of the corporate subnet, and the WLAN controller in the data center has no visibility of this subnet. Client traffic that must be forwarded to corporate destinations is source NATed by the master AP using the inner IP address of the IPsec tunnel. Traffic that is destined for the Internet or local destinations is source NATed using the physical IP address of the master AP.

The following configuration settings are used for a local mode DHCP profile:

• Name: This setting defines a unique name for the DHCP profile.

• Type: This setting defines the Instant-VPN mode for the DHCP profile. The available options are Local and Local L3.

• VLAN: This setting defines the VLAN ID for the subnet that is used in the DHCP profile. This VLAN ID must be defined in the VLAN settings of an SSID or wired port to allow it to operate in the appropriate Instant-VPN mode. This VLAN ID should also be configured on the switches and allowed on the trunk links between the VC/master and slave IAPs.

• Network: This setting defines the subnet that is used by the DHCP profile.

• Netmask: This setting defines the netmask of the subnet that is defined in the Network field.


• Excluded Address: This setting defines the IP addresses that must be excluded from the DHCP lease. The value that you enter in this field determines the exclusion range of the subnet. Specify a range of IP addresses to exclude; you can add up to two exclusion ranges. Based on the size of the subnet and the value configured for Excluded Address, the IP addresses either before or after the defined range are excluded. The excluded range must include either the first IP address or the last IP address of the subnet. For example:

Figure 65 Configuring a DHCP scope for local mode

This configures a DHCP scope of 192.168.12.12 – 192.168.12.199.

• DNS server: This optional setting defines the DNS server IP address that is provided to the clients by the DHCP server for this DHCP profile. If you do not configure a DNS server, client DNS requests are resolved by the DNS server of the IAP (that is, the DNS server information that an IAP receives from the DHCP server in the branch or from an ISP).

• Domain name: This optional setting defines the domain name that is provided to the clients by the DHCP server for this DHCP profile.

• Lease time: This optional setting defines the lease time for clients.

• Option: This optional setting defines additional DHCP options. You can configure a total of eight DHCP options.

One IP address from the configured network is used as the default gateway for clients. In most cases, the first host IP address on the configured subnet is the default gateway. In the above example, the client receives a default gateway of 192.168.12.11.


DHCP Profile for Centralized L2 Mode

In centralized L2 mode, the DHCP server and gateway for the clients reside in the data center. The subnet that is used in this mode is a Layer 2 extension of a corporate subnet. The client traffic that is destined for corporate resources is forwarded to the WLAN controller with the appropriate VLAN tags inside an IPsec-GRE tunnel. Any traffic that is destined for the Internet or a local resource is source NATed using the physical IP address of the master AP.

These configuration settings are used for a centralized L2mode DHCP profile:

• Name: This setting defines a unique name for the DHCP profile.

• VLAN: This setting defines the VLAN ID for the subnet that is used in the DHCP profile. The VLAN ID must be defined in the VLAN settings of an SSID or wired port to allow it to operate in the appropriate Instant-VPN mode. The VLAN must exist on the WLAN controller. The DHCP broadcasts from the clients are forwarded through the IPsec-GRE tunnel to the WLAN controller in the data center. Any client traffic that is destined for corporate resources is tagged with this VLAN ID and forwarded through the IPsec-GRE tunnel. This VLAN ID should also be configured on the switches and allowed on the trunk links between the VC/master and slave IAPs.

• Split tunnel: This setting is enabled by default. If split tunnel is disabled, all traffic is sent to the data center over the IPsec tunnel, regardless of the routing profile configuration. The setting was introduced because the common use case for centralized L2 mode is that all traffic must be tunneled over IPsec to the data center, with no traffic split tunneled and source NATed using the VC IP address; disabling split tunnel achieves this more easily for a particular VLAN.

• Option 82: This setting defines a method to enforce more security in the DHCP infrastructure. By default, the DHCP server is vulnerable to a number of security threats, such as an attacker attempting to exhaust the DHCP pool addresses by sending fake DHCP client packets. Enabling Option 82 ensures that the DHCP client is authentic. Option 82 also allows the DHCP server to be anywhere in the intranet or cloud while still assigning addresses with local context (that is, centralized control with local address assignment). For Option 82 to take effect, the DHCP server must also be configured for Option 82.

The DHCP profile definition for centralized L2 mode does not require a network configuration; the VLAN ID determines the functionality. The VLAN ID that is defined in the DHCP profile configuration for centralized L2 mode must exist on the WLAN controller as a Layer 2 VLAN (that is, no IP address configured on the VLAN interface) or a Layer 3 VLAN (that is, an IP address configured on the VLAN interface). In the data center, ensure that inter-VLAN routing is enabled between the VLAN that is used for centralized L2 mode and other VLANs.

Figure 66 is an example of a screen that lets you configure a DHCP profile for centralized L2 mode using VLAN ID 30.

Figure 66 Configuring a DHCP scope for centralized L2mode

DHCP Profile for Distributed L3 Mode

In distributed L3 mode, the master AP in an IAP cluster is the default gateway and DHCP server for clients. Unlike in local mode, the subnet that is used in this mode is a Layer 3 extension of a corporate subnet and, therefore, the WLAN controller and other upstream routers in the data center can reach this subnet. The client traffic that is destined for corporate resources is routed through the IPsec tunnel to the WLAN controller. The traffic that is destined for the Internet or local resources is source NATed using the physical IP address of the master AP.

In distributed L3 mode, you usually configure a large network, which is automatically broken down into smaller subnets based on the client count configuration. The subnet that is dedicated to each branch depends on the client count and network settings in the DHCP profile configuration. The master AP and WLAN controller use the Branch ID (BID) process to determine the Layer 3 subnet that is used in a branch. For more information about the BID process and distributed L3 mode, see Branch-ID Allocation Algorithm and Instant-VPN: Distributed L3 Mode.

Aruba Instant also allows you to configure a dedicated Layer 3 subnet for each branch. Instead of configuring a large subnet that is then divided into smaller subnets based on client count, you can define a unique Layer 3 subnet of the required size for each branch. However, this process slightly increases the management overhead, because the IP address range configuration must be modified on a per-branch basis.

The distributed scope configuration has three tabs: Network, Branch Size, and Static IP. These tabs are described inthe following three sections.

Network Tab

As part of the configuration of a DHCP profile for distributed L3 mode, the following configuration settings are available under the Network tab:

l Name: This setting defines a unique name for the DHCP profile.

l Type: This setting defines the Instant-VPN mode for the DHCP profile. Available options are Distributed L3 andDistributed L2. Select Distributed L3 for distributed L3mode.

l VLAN: This setting defines the VLAN ID for the subnet that is used in the DHCP profile. The VLAN ID must bedefined in the VLAN settings of an SSID or wired port to allow it operate in the appropriate Instant-VPN mode.The distributed L3mode VLAN need not be configured on theWLAN controller. Themaster AP replies to DHCPbroadcasts from the clients. Any client traffic with a corporate destination is routed through the IPsec tunnel.

l Netmask: This setting defines the netmask for the DHCP profile.

l DNS server: This optional setting defines the DNS server IP address that is provided to the clients by the DHCPserver for this DHCP profile. If you do not configure a DNS server, client DNS requests are resolved by the DNSserver of the IAP (that is, the DNS server information that an IAP receives from the DHCP server in the branch orfrom an ISP). If you define a corporate DNS server in the data center, the Enterprise domain configuration (underthe Enterprise domain tab) of the IAP WebUI determines whether the DNS traffic is forwarded to this DNS serveror is source NATed to the DNS server of the IAP. For more information, see DNS Handling in an Aruba Instant-VPN Network.

l Domain name: This optional setting defines the domain name that the DHCP server provides to clients for this DHCP profile.

l Lease time: This optional setting defines the lease time for clients.

l IP Address Range: This setting defines the IP address range that is divided into smaller subnets based on the Clients per branch setting under the Branch Size tab (see Branch Size Tab).


For example, an organization uses subnet 10.68.0.0/16 with 250 clients per branch in a distributed L3 mode configuration to support 256 branches. (250 is only an example. A /24 subnet has 254 usable host addresses; one of them is taken by the default gateway, so up to 253 clients per branch can be configured.) This organization configures the IP Address Range setting as 10.68.0.0 - 10.68.255.255. If the IP address range is instead configured as 10.68.0.1 - 10.68.255.254, only 254 branches can be supported, because in distributed L3 mode each branch requires a complete /24 subnet to support 250 clients, and the subnets 10.68.0.0/24 and 10.68.255.0/24 cannot be formed: their network address 10.68.0.0 and broadcast address 10.68.255.255 fall outside the configured range. Instead of a single contiguous address space, you can configure multiple address spaces (use the + icon).

If an organization requires a specific subnet at a specific branch, it is not useful to define a large subnet that is automatically divided into smaller subnets based on client count. For example, an organization wants subnet 10.68.0.0/24 at Site A and subnet 10.68.1.0/24 at Site B. If they define a single large subnet that is automatically allocated to the branches by the BID algorithm, that configuration cannot guarantee that Site A is assigned subnet 10.68.0.0/24 and Site B is assigned subnet 10.68.1.0/24. This requirement is very common among organizations that want to upgrade their existing branch infrastructure and keep the same address scope because those branches contain devices with static IP addresses. Aruba Instant 3.3 and greater support this requirement by allowing you to define a pre-determined subnet on a per-branch basis. To achieve this, configure the IP Address Range setting to include only the IP address range and client count for that specific branch. In the example above, the IP address allocation and branch size configuration for the IAP network in Site A must be 10.68.0.0 – 10.68.0.255 with 253 clients per branch, and in Site B must be 10.68.1.0 – 10.68.1.255 with 253 clients per branch.

You must include the network and broadcast address in the IP address range configuration for distributed L3 mode. For example, if Site B is configured as 10.68.1.1 – 10.68.1.254 with 253 clients instead of 10.68.1.0 – 10.68.1.255 with 253 clients, a /24 subnet cannot be formed and the clients at Site B cannot receive an IP address.

The BID allocation process is essential even if a predefined subnet is configured for a branch. Clients cannotreceive an IP address until the BID allocation process is successful.

The first host IP address in the subnet that is allocated to a branch is used as the default gateway for clients.

l Option: This optional setting defines additional DHCP options. You can configure a total of eight DHCP options.
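The following Python script is an added worked example; it is not from the Aruba Instant VRD and is not Aruba's allocation code. It reproduces the arithmetic above: it computes the prefix length a branch needs for a given client count, carves each configured address range into aligned branch subnets, and drops any subnet whose network or broadcast address falls outside the range, which is exactly why 10.68.0.1 - 10.68.255.254 yields two branches fewer than 10.68.0.0 - 10.68.255.255 and why the trimmed Site B range yields nothing. The assumptions are that every branch gets an aligned subnet of one size, that the gateway takes the first host address, and that network and broadcast addresses are never handed to clients. It needs only the Python 3 standard library.

```python
"""Distributed L3 branch subnet planner (added example, not Aruba code)."""
import ipaddress


def branch_prefix_length(clients_per_branch: int) -> int:
    """Smallest prefix length whose usable host addresses cover the clients
    plus one address for the default gateway (the first host in the subnet).
    Assumption: network and broadcast addresses are never handed to clients."""
    needed = clients_per_branch + 1
    host_bits = 2
    while (2 ** host_bits) - 2 < needed:
        host_bits += 1
    return 32 - host_bits


def branch_subnets(ranges, clients_per_branch: int):
    """Carve every (start, end) address range into aligned branch subnets.

    A subnet is only usable when it lies completely inside the range,
    network and broadcast address included; partial subnets are skipped.
    """
    plen = branch_prefix_length(clients_per_branch)
    subnets = []
    for start, end in ranges:
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(end)
        # Start from the aligned subnet that contains the first address.
        net = ipaddress.ip_network(f"{first}/{plen}", strict=False)
        while net.network_address <= last:
            if net.network_address >= first and net.broadcast_address <= last:
                subnets.append(net)
            nxt = int(net.broadcast_address) + 1
            if nxt > 0xFFFFFFFF:
                break
            net = ipaddress.ip_network(f"{ipaddress.IPv4Address(nxt)}/{plen}")
    return subnets


def branch_plan(ranges, clients_per_branch: int):
    """Return (subnet, gateway) pairs; the gateway is the first host address."""
    return [(str(net), str(net[1]))
            for net in branch_subnets(ranges, clients_per_branch)]


if __name__ == "__main__":
    # 256 branches: the full /16, network and broadcast addresses included.
    print(len(branch_subnets([("10.68.0.0", "10.68.255.255")], 250)))
    # 254 branches: the first and last /24 cannot be formed.
    print(len(branch_subnets([("10.68.0.1", "10.68.255.254")], 250)))
    # Site B from the text: a full /24 works, a trimmed range yields nothing.
    print(branch_plan([("10.68.1.0", "10.68.1.255")], 253))
    print(branch_plan([("10.68.1.1", "10.68.1.254")], 253))
```

Passing several (start, end) pairs to branch_plan models the multiple address spaces added with the + icon; the planner counts subnets per range, so two /24 ranges that are each complete produce two branches even if they are not adjacent.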


Figure 67 is an example of the Network tab of the screen that lets you configure a DHCP profile for distributed L3 mode.

Figure 67 Configuring the network settings for a DHCP scope for distributed L3 mode

Branch Size Tab

The Branch Size tab lets you define the number of client IP addresses that are required for each IAP branch in distributed L3 mode. This setting determines the number of distributed L3 branches that the network you defined under the Network tab can support. For example, a configuration of 10.68.0.0/16 with 250 clients per branch can support a total of 256 branches. For more information, see Branch-ID Allocation Algorithm.


Figure 68 is an example of the Branch Size tab of the screen that lets you configure a DHCP profile for distributed L3 mode.

Figure 68 Configuring the branch size settings for a DHCP scope for distributed L3 mode

Static IP Tab

The Static IP tab lets you reserve a set of IP addresses from the subnet that is allocated to a branch for devices that require static IP addresses. For example, if a branch is assigned a /24 subnet based on a distributed L3 configuration of 10.68.0.0/16 with 250 clients per branch, you can reserve a set of IP addresses at the start and at the end of the subnet that is allocated to that branch.

Figure 69 is an example of the Static IP tab of the screen that lets you configure a DHCP profile for distributed L3 mode.


Figure 69 Configuring the static IP settings for a DHCP scope for distributed L3 mode

Configuring an SSID or Wired Port for Instant-VPN

For a client to be able to connect to an Instant-VPN network, you must configure an SSID or wired port on an IAP for the appropriate Instant-VPN mode of operation. The VLAN configuration of an SSID or wired port determines whether it is set up for Instant-VPN. When you configure an SSID or wired port for a specific Instant-VPN mode, the VLAN ID that is defined in the configuration of the SSID or wired port must match the VLAN ID that is defined in the DHCP profile. Instant-VPN cannot function if the VLAN configuration on an SSID or wired port is set to Virtual Controller assigned, Default, or Static with a VLAN ID that does not match the VLAN ID in the DHCP profile. For example, consider an IAP configuration with these DHCP profiles:

l Distributed L3 DHCP profile with VLAN ID 50

l Local DHCP profile with VLAN ID 60

l Centralized L2 DHCP profile with VLAN ID 30

To configure an SSID or wired port for distributed L3 mode on the IAP, set the VLAN configuration on the SSID to Static with VLAN ID 50. Similarly, to configure an SSID or wired port in local mode, set the VLAN configuration to Static with VLAN ID 60.

Below are examples of these VLAN configurations in the WebUI of an IAP. Note that once you create the appropriate DHCP profiles in the DHCP server section, they appear in the drop-down options under the "Custom" field.


Figure 70 Configuring an SSID for VPN modes

In ArubaOS 6.3 and greater, all Instant-VPN tunnels are considered trusted. Therefore, the users in Instant-VPN branches do not appear in the user table of the WLAN controller. However, the users in the Instant-VPN branches are always visible on AirWave and in the Instant WebUI in each branch.

Enabling Dynamic RADIUS Proxy (DRP)

The location of the RADIUS server that is used to authenticate users in branch locations varies from organization to organization. Most organizations have a centralized RADIUS server in the data center to authenticate remote users, but some organizations might use a local RADIUS server at each location. Other organizations might also use a local RADIUS server for employee authentication and a centralized RADIUS server with a captive portal for guest authentication.

Enable DRP to ensure that RADIUS traffic is routed to the appropriate RADIUS server. When enabled, DRP also ensures that the source address for all RADIUS traffic is either the VC IP address or the inner IP address of the IPsec tunnel from the master AP, depending on the IP address of the RADIUS server and the routing profile. If the routing profile is configured to set up a tunnel to the 10.0.0.0/8 network and the RADIUS server has IP address 10.68.32.40, the RADIUS traffic is forwarded through the IPsec tunnel using the inner IP address of the IPsec tunnel from the master AP. However, if the IP address of the RADIUS server is 192.168.32.40, the RADIUS traffic is bridged locally using the VC IP address.

If you configure DRP, you must assign a static IP address to the VC. This IP address cannot be 0.0.0.0. In branch office deployments that do not use local RADIUS resources, it might not be possible to determine the IP address range that is used locally. In such a situation, configure the IP address of the VC as an arbitrary static IP address in a non-corporate private IP address range (for example, 192.168.137.139, if the corporate network is 10.0.0.0/8). Such a configuration enables DRP to tunnel the RADIUS traffic to the central RADIUS server in the data center.

DRP is not required in single-AP Instant-VPN deployments. However, if DRP is disabled in a single-AP deployment, the NAS-IP-Address attribute in RADIUS packets that are destined for the RADIUS server in the data center is set to the local IP address of the IAP and not to the inner IP address of the IPsec tunnel. Therefore, Aruba recommends that you enable DRP in single-AP deployments with RADIUS servers that use the NAS-IP-Address attribute as a filter for authentication.

Configuring Enterprise Domains (Split-DNS)

By default, all DNS requests from a client are forwarded to the DNS server of the client. In a typical IAP deployment without VPN configuration, client DNS requests are resolved by the DNS server of the client. However, this behavior changes if an IAP is configured for Instant-VPN.

The DNS behavior of an IAP network (with SSIDs or wired ports) that is configured for Instant-VPN is determined by the enterprise domain settings. The enterprise domain setting on the IAP defines the domains for which DNS resolution must be forwarded to the default DNS server of the client. For example, if the enterprise domain is configured as arubanetworks.com, DNS resolution for host names in the arubanetworks.com domain is forwarded to the default DNS server of the client. DNS resolution for host names in all other domains is source NATed to the local DNS server of the IAP. This configuration can provide faster DNS response times and extra privacy.

If you want all DNS requests to be processed by the DNS server of the client, configure an asterisk (*) instead of a domain name in the enterprise domain list; all DNS requests are then forwarded to the default DNS server of the client.
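To make the matching rule concrete, here is an added Python example; it is not part of the VRD and not the IAP's own DNS code. It applies an enterprise domain list to a batch of client queries and reports which resolver each query reaches. It assumes that an entry matches the domain itself and any subdomain (so arubanetworks.com does not match notarubanetworks.com), that a bare * matches everything, and that the client's own DNS server is the corporate server reached through the IPsec tunnel; the resolver addresses and the "tunnel" and "src-nat" labels are chosen for the example.

```python
"""Split-DNS decision for Instant-VPN enterprise domains (added example)."""


def is_enterprise_domain(hostname: str, enterprise_domains) -> bool:
    """True when the query must go to the client's own DNS server.

    Assumption: an entry matches the domain itself and any subdomain, so
    'arubanetworks.com' matches 'vpn.arubanetworks.com' but not
    'notarubanetworks.com'. A bare '*' matches every host name.
    """
    host = hostname.strip().rstrip(".").lower()
    for entry in enterprise_domains:
        entry = entry.strip().rstrip(".").lower()
        if not entry:
            continue
        if entry == "*":
            return True
        if host == entry or host.endswith("." + entry):
            return True
    return False


def route_dns_queries(queries, enterprise_domains, client_dns, iap_dns):
    """Return (hostname, resolver, path) for each query.

    'tunnel'  : forwarded unchanged to the client's DNS server (corporate
                server in the data center, reached through the IPsec tunnel).
    'src-nat' : source NATed by the IAP to its own local DNS server.
    """
    decisions = []
    for name in queries:
        if is_enterprise_domain(name, enterprise_domains):
            decisions.append((name, client_dns, "tunnel"))
        else:
            decisions.append((name, iap_dns, "src-nat"))
    return decisions


if __name__ == "__main__":
    # Constructed inputs: corporate DNS 10.68.32.53, local ISP DNS 192.0.2.53
    # (documentation addresses), enterprise domain list from the text above.
    for row in route_dns_queries(
            ["intranet.arubanetworks.com", "www.example.com", "notarubanetworks.com"],
            ["arubanetworks.com"], "10.68.32.53", "192.0.2.53"):
        print(row)
```

The suffix check is anchored on a dot boundary on purpose: a plain endswith("arubanetworks.com") would send look-alike domains through the corporate resolver, which is the opposite of what the privacy argument above intends.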

Below is an example of a screen that lets you configure enterprise domains.

Figure 71 Configuring enterprise domains


Chapter 5 Aruba Instant management using Aruba AirWave

Communication Concepts

Essentially, all communication between Aruba Instant and AirWave occurs through standard HTTPS traffic on port 443 and is always initiated by the virtual controller (VC). This type of communication allows devices to be deployed quickly and without changing firewall rules. During normal operation, the VC sends updates to AirWave every minute. While an AirWave user is making configuration changes or running diagnostic commands, the VC checks in every 5 seconds to improve the responsiveness for the user.

An IAP can also communicate with AirWave on a non-default port. On the IAP side, configure the AirWave server as IP:Port, and set the same communication port in AMP Setup.

In an environment where the IAPs and data center are all on the same network, you can deploy AirWave securely inside the firewall. Figure 72 is an example of such a deployment.

Figure 72 IAPs and data center are all on the same network

In a distributed network, the AirWave Management Platform (AMP) needs to be reachable from outside the firewall to allow IAPs to communicate with the AMP through HTTPS. Figure 74 is an example of such a deployment.

The AirWave WebUI can also display data obtained through HTTPS traffic on port 443. Most network administrators do not want their NMS systems to be exposed outside. To ensure that the WebUI is accessible only to users on a trusted network, AirWave has an AMP whitelist feature. When you add internal networks to the whitelist and enable the whitelist, networks that are not on the whitelist are denied access to the AirWave WebUI.


Figure 73 Adding a network to the AMP whitelist

Figure 74 Distributed network with IAPs outside the firewall

Adding IAPs to AirWave

You can add an IAP to AirWave by adding the AirWave communication parameters to the VC. These parameters include the AirWave IP address, a shared secret, and the organization string, which is a colon-separated list of strings that define the group and folder in which the device is placed. You can add these parameters through the VC WebUI, through Aruba Activate, or through DHCP options. These options are described in the following sections.

For more information about the organization string and how it is used to authorize and place devices into groups and folders in AirWave, see Provisioning an IAP through DHCP Options and Organization String.

Manually Adding an IAP through the VC WebUI

You can add the AirWave communication parameters through the VC WebUI. The Organization field carries the group and folder placement.


Figure 75 Adding AirWave communication parameters to the VC WebUI

Provisioning an IAP through Aruba Activate

Aruba Activate is a secure, cloud-based system that enables efficient deployment and maintenance of Aruba devices, and is available online at https://activate.arubanetworks.com.

There are two key services offered by Aruba Activate:

l Provisioning Service – The Activate provisioning service helps end users reduce the cost and time needed to deploy Instant Access Points successfully anywhere with network access.

l Firmware Distribution Service – Aruba adds new firmware for all IAP versions to remote servers. Once provisioned and connected to the Internet, IAPs check in every 7 days to see if new firmware is available. Instant Access Points can use the remote server to download and automatically upgrade the firmware appropriate for their device type.

Add Devices in Activate

When you order a new device from Aruba Networks, that device is automatically added to your inventory in Aruba Activate; you need to create an account on activate.arubanetworks.com. If an IAP is not automatically added to your account, you can add it using the "Add device" option, which requires the IAP's MAC address and cloud activation key. Both can be found in the Maintenance tab of the IAP.

When a device is in your inventory, it can be automatically or manually associated with a folder and a provisioningrule.

After a remote technician connects the IAP to the Internet, the IAP securely connects to Aruba Activate, retrieves itsprovisioning information, uses the provisioning information to connect to either its AirWave server or to ArubaCentral, and updates its configuration and firmware.


Key information such as serial number, MAC address, status, IAP model number, and PO number is listed in the Home screen for easy access. Devices in the Activate home screen are listed as either Shipped or Provisioned. Shipped means the devices have been shipped from Aruba but have not yet contacted the Activate server. All IAPs with status "Shipped" are part of the default folder. A provisioned device is listed under a different, user-defined folder.

Figure 76 Provisioning an IAP through Aruba Activate

Create Folders in Activate

In order for the IAPs to receive the appropriate information from Activate, they must be part of a non-default folder with at least one provisioning rule bound to this folder. Once you have established your provisioning rules in their respective folders, you can start moving IAPs into these folders. When an IAP checks into Activate, the cloud system knows that it belongs to a certain folder with provisioning rules that need to be applied to the device.

To create a new folder, click the "Setup" icon; three boxes appear across the top: Folders, Rules, and Users. Click the New link in the Folders box and enter the following information:

l Name - To keep it consistent, enter the same name as defined for the Group in AirWave. However, this does not need to match.

l Select parent folder - It can be the default folder, or you can create a parent folder named for the customer or region, with the different templates that belong to that customer or region residing in separate folders under that parent. For most deployments, the default folder is the parent folder. However, you can create users with roles and assign them to certain folders; this makes sense if the customer wants to delegate Activate responsibility for other regions to other administrators.

l Enter any Notes for future reference.


Create provisioning rules in Activate

The next step is to create provisioning rules and apply them to this new folder. The rule specific to this use case is "IAP to AirWave". Note the other types available in Activate for other use cases, such as MAS wired switches, IAP to CAP, and IAP to RAP.

To create a new provisioning rule, click the New link in the middle box labeled Rules and supply the following information:

l Under Rule Type, select Provisioning Rule

l Under Parent Folder, select the new folder that was created in the previous step

l Under Provisioning type, select IAP to AirWave

l Under AMP IP, enter the AirWave IP address. This should be a public IP address if you are provisioning home IAPs using the RAP-NG architecture (IAP+VPN). If this is an IAP deployment with AirWave reachable from the APs, a public IP address on AirWave is not needed.

l Under Shared Secret, enter an alphanumeric key that acts as a trust mechanism between the Instant AP and AMP. There is no requirement to set the same value anywhere in AMP: the first IAP to connect with a secret configured sets the secret on AirWave for all future connections. The secret cannot be changed afterwards (you must contact TAC to reset it).

l Under Organization, enter exactly the same (case-sensitive) value that is created (or will be created) on AMP. This is one of the most important aspects of zero touch provisioning. In addition to this value, you can append colon-separated values to create subfolders in AMP for further granularity in the APs/Devices tab. For example, to create the group "US-East" with subfolders for smaller regions, enter "US-East:MA:Boston" in this field. This provisions from the US-East Group in AMP and creates or adds folders in AMP as Top --> US-East --> MA --> Boston.


From 4.2.0.1 onwards, you can also specify the VPN server IP address in the "IAP to AirWave" provisioning rule. The IAP creates an IPsec tunnel to the IP address of the controller that you provide in the VPN server field. Confirm that the IAP has received the VPN server information with "show vpn config".

Another rule you can apply to this folder is an email notification when a device gets provisioned. To create this rule,select New again in the Rules box and provide the following information:

l Under Rule Type, select Notification

l Under Email On, select Provisioning

l Under For Rule, select the provisioning rule from the previous step

l Under Email to, enter an email address(es)


We are now at a stage where the provisioning rules are complete. If required, repeat the process above to create other folders and rules for different groups within AirWave. For RAP-NG, this logically maps to different functional groups within the company or different regions where RAPs are deployed. A sample folder/group list may look like the following:

l US-East

l US-Central

l US-West

l EMEA

l APAC

l IT-Group

Folders contain provisioning rules for Instant devices.

Assign Devices to Folders in Activate

After the folders and rules are created, the next step is to return to the Device table on the Activate home screen and assign devices to their respective folders. If the customer has a large number of devices, it may help to filter using the filter icon located to the right of each column header on this screen. For example, if you know the hardware type, serial number, a portion of the MAC address, and/or a ship date after a specified date or within a date range, these filters can help narrow down a large list of devices for assigning to folders. If filters are in use, the filter icon changes from its default grey color to navy blue.

An example of using filters is shown below:

Once you have the specific device you want to move or a list of devices you want to move, you can then assignthem to a folder. There are twomethods to accomplish this.

1. If you want to move a single device, select it from the devices table; a Device Detail window appears in the bottom left of the screen with one clickable button. Click Edit and you can select a Folder for this one device.

2. Most of the time, customers want to move a whole list of devices. To select the right list of devices, the use of filters is imperative. Use the filters to display only the devices that you wish to move. Once you have the desired list, click the Move to Folder button at the top right to bulk-move all devices listed on the filtered screen.

The Move to Folder button is not visible in certain browsers. If you are unable to see it (as shown below), try another browser.

The following CLI output on the master shows the status of provisioning and the information received.

IAP# show log provision

Provisioning Log
----------------
Time                      State                   Type          Log Message
----                      -----                   ----          -----------
Tue Oct 13 20:43:20 2015  DHCP Option             In progress   Performing DHCP discovery
Tue Oct 13 20:43:20 2015  DHCP Option             In progress   DHCP lease of 192.168.200.106 obtained, lease time 3600 seconds
Tue Oct 13 20:44:55 2015  AirWave Auto Discovery  In progress   Performing DNS based AirWave auto discovery, AMP Domain: aruba-AirWave
Tue Oct 13 20:44:55 2015  AirWave Auto Discovery  Warning       Failed to resolve AMP Domain aruba-AirWave during AirWave auto discovery
Tue Oct 13 20:44:55 2015  DHCP Option             Fail through  No DHCP Option-based provsioning information are present, failing-through to other provisioning options
Tue Oct 13 20:44:55 2015  Activate                In progress   Attempting provisioning via Activate server: device.arubanetworks.com
Tue Oct 13 20:44:55 2015  Activate                Debug         Sent challenge response to Activate Server: device.arubanetworks.com
Tue Oct 13 20:44:56 2015  Activate                Completed     Received instruction from Activate Server to connect to AMP server at aruba using organization '2.2.2.2'


IAP# show activate status

Activate Server          :device.arubanetworks.com
Activate Status          :success
Organization             :aruba
AirWave Server           :2.2.2.2
AirWave Shared Key       :9243aeb0e944e53a50f0ad38ae603ecba20c33621b13ab07

Other useful commands on the IAP:

l show datapath session | include 443

l show ap debug airwave

AirWave Server List
-------------------
Domain/IP Address  Type     Mode    Status
-----------------  ----     ----    ------
199.127.100.100    Primary  Manage  Login-done

l show ap debug airwave-data-sent

If there is no communication, this command prints "cat: /tmp/awc_buf.txt: No such file or directory".

l show log ap-debug

Useful tools on AirWave:

l Check the System --> Event Log for any messages or communication timeouts

l Check the System --> Status --> /var/log/pound (direct link - [https://]<amp IP>/display_log?log=%2Fvar%2Flog%2Fpound)

l This is a log of all HTTP/HTTPS communication into AirWave. Check that the IAP's public NATed IP address appears here and whether any errors were encountered. It is very useful for determining from the AirWave side whether the IAP is even reaching AirWave when there is no direct remote access to the IAP.

l In a working scenario, you should see this every minute or so:

Feb 4 04:02:25 amp pound: <public IP of IAP> POST /swarm HTTP/1.1 - HTTP/1.1 200 OK
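The following Python script is an added example, not from the VRD and not an AirWave tool, that turns that check on the pound log into something you can run against a saved copy of /var/log/pound: it extracts IAP check-ins to /swarm, reports any IAP whose consecutive check-ins are further apart than a threshold, and lists check-ins that AirWave did not answer with 200. The log lines are constructed for the example (documentation-range addresses, not real IAPs); the 3-minute threshold and the year supplied for the year-less syslog timestamp are parameters chosen here.

```python
"""Check IAP check-ins in AirWave's /var/log/pound (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample in the pound log format shown above. The addresses are
# from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE_LOG = """\
Feb 4 04:02:25 amp pound: 203.0.113.7 POST /swarm HTTP/1.1 - HTTP/1.1 200 OK
Feb 4 04:02:40 amp pound: 203.0.113.9 POST /swarm HTTP/1.1 - HTTP/1.1 200 OK
Feb 4 04:03:26 amp pound: 203.0.113.7 POST /swarm HTTP/1.1 - HTTP/1.1 200 OK
Feb 4 04:04:26 amp pound: 203.0.113.7 POST /swarm HTTP/1.1 - HTTP/1.1 200 OK
Feb 4 04:05:10 amp pound: 203.0.113.22 POST /swarm HTTP/1.1 - HTTP/1.1 403 Forbidden
Feb 4 04:05:12 amp pound: 198.51.100.4 GET /index.html HTTP/1.1 - HTTP/1.1 200 OK
Feb 4 04:09:41 amp pound: 203.0.113.9 POST /swarm HTTP/1.1 - HTTP/1.1 200 OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pound: (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01] - HTTP/1\.[01] (?P<status>\d{3})"
)


def parse_pound_log(text: str, year: int = 2016):
    """Return (timestamp, client_ip, path, status) for every line that parses.

    syslog timestamps carry no year, so one is supplied (assumption)."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        stamp = datetime.strptime(f"{year} {match['ts']}", "%Y %b %d %H:%M:%S")
        events.append((stamp, match["ip"], match["path"], int(match["status"])))
    return events


def checkin_report(events, max_gap=timedelta(minutes=3)):
    """Summarise IAP check-ins (POSTs to /swarm).

    healthy: IPs whose consecutive check-ins never exceed max_gap
    stale  : {ip: longest gap} for IPs that went quiet longer than max_gap
    errors : (ip, status) for check-ins that AirWave did not answer with 200
    """
    stamps_by_ip, errors = {}, []
    for stamp, ip, path, status in events:
        if path != "/swarm":
            continue                      # browser or other traffic, not a check-in
        if status != 200:
            errors.append((ip, status))
            continue
        stamps_by_ip.setdefault(ip, []).append(stamp)

    stale = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        longest = max(gaps, default=timedelta(0))
        if longest > max_gap:
            stale[ip] = longest
    healthy = sorted(ip for ip in stamps_by_ip if ip not in stale)
    return {"healthy": healthy, "stale": stale, "errors": errors}


if __name__ == "__main__":
    report = checkin_report(parse_pound_log(SAMPLE_LOG))
    print("healthy:", report["healthy"])
    for ip, gap in report["stale"].items():
        print(f"stale: {ip} silent for {gap}")
    for ip, status in report["errors"]:
        print(f"error: {ip} got HTTP {status}")
```

Because a VC checks in every minute during normal operation, a gap of several minutes for one public IP is the signature of a branch whose IAP lost its path to AirWave, while a missing IP altogether means the IAP never reached AirWave in the first place.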

Provisioning an IAP through DHCP Options

If a device does not have Internet access during initial provisioning, you can deliver the AirWave communication settings through DHCP option 60 (the vendor class identifier, VCI) and DHCP option 43 (vendor-specific information). DHCP servers can impose character limits on option 43; keep them in mind during the deployment. An IAP receives its AirWave settings from a DHCP server in the following way:

1. The DHCP client on the IAP adds DHCP option 60 to its DHCP request. The value of this option is ArubaInstantAP.

2. The DHCP server detects DHCP option 60 in the request and checks for DHCP option 43. If the DHCP server can locate DHCP option 43, the server sends it to the client. The value of this option is the organization string, AirWave IP address, and shared secret.

3. If the IAP detects DHCP option 43 in the response from the DHCP server, the IAP contacts AirWave at the supplied IP address and uses the shared secret and organization string.

Use the following values for the DHCP options:

l For DHCP option 60, use ArubaInstantAP.

l For DHCP option 43, use <organization string,AirWave IP address,shared secret>
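As an added example, not Aruba's code and not from the VRD, the Python below shows both sides of that exchange at the byte level: the server-side rule that answers with option 43 only when option 60 carries ArubaInstantAP, the type-length-value encoding of DHCP options with its hard 255-byte limit per option (the character limit the text warns about), and the client-side parse of the organization string into the AirWave group and folder path. The organization string US-East:MA:Boston, the AirWave address 203.0.113.10 and the secret are made-up inputs. Keep in mind that everything in option 43, shared secret included, travels in cleartext on the branch LAN, so anyone on that broadcast domain can read it.

```python
"""DHCP option 60/43 provisioning for Instant APs (added example)."""

VCI = "ArubaInstantAP"          # value the IAP sends in option 60
OPTION_VCI = 60
OPTION_VENDOR = 43
OPTION_END = 255
MAX_OPTION_LEN = 255            # one DHCP option carries at most 255 bytes


def build_option43(organization: str, airwave_ip: str, shared_secret: str) -> bytes:
    """Option 43 payload: <organization string,AirWave IP address,shared secret>.

    The organization string and the IP address must not contain commas; the
    secret is the remainder of the field. The 255-byte limit is the ceiling
    for a single option on any DHCP server, whatever limit the UI enforces.
    """
    for field in (organization, airwave_ip):
        if "," in field:
            raise ValueError("organization string and IP address must not contain ','")
    payload = f"{organization},{airwave_ip},{shared_secret}".encode("ascii")
    if len(payload) > MAX_OPTION_LEN:
        raise ValueError(f"option 43 payload is {len(payload)} bytes; limit is {MAX_OPTION_LEN}")
    return payload


def encode_option(code: int, value: bytes) -> bytes:
    """Type-length-value encoding used for DHCP options."""
    return bytes([code, len(value)]) + value


def vendor_options_for(request_vci: bytes, organization, airwave_ip, shared_secret) -> bytes:
    """Server side: answer with option 43 only for the Instant AP vendor class."""
    if request_vci != VCI.encode("ascii"):
        return b""
    return encode_option(OPTION_VENDOR, build_option43(organization, airwave_ip, shared_secret))


def decode_options(blob: bytes) -> dict:
    """Client side: split a DHCP options field into {code: value}."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_END:
            break
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        length = blob[i + 1]
        options[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return options


def parse_option43(value: bytes) -> dict:
    """Split option 43 back into AirWave parameters.

    Organization string 'US-East:MA:Boston' -> AirWave group 'US-East' and
    folder path Top -> US-East -> MA -> Boston (see the Activate section).
    """
    organization, airwave_ip, shared_secret = value.decode("ascii").split(",", 2)
    folders = organization.split(":")
    return {"group": folders[0], "folder_path": folders,
            "airwave_ip": airwave_ip, "shared_secret": shared_secret}


if __name__ == "__main__":
    request = encode_option(OPTION_VCI, VCI.encode("ascii")) + bytes([OPTION_END])
    vci = decode_options(request)[OPTION_VCI]
    reply = vendor_options_for(vci, "US-East:MA:Boston", "203.0.113.10",
                               "s3cr3t-example") + bytes([OPTION_END])
    print(parse_option43(decode_options(reply)[OPTION_VENDOR]))
```

The server-side check is the interesting part for a deployment: the DHCP server only hands the AirWave secret to clients presenting the ArubaInstantAP vendor class, which is a convenience filter rather than an authentication, since any host can send that option 60 value.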


An example of the organization string portion of option 43 is ArubaRetail:Sunnyvale:Store0001, which places the IAP in the AirWave group ArubaRetail with folders ArubaRetail --> Sunnyvale --> Store0001 under Top, as described under Create provisioning rules in Activate. The full option 43 value appends the AirWave IP address and the shared secret to this string, separated by commas.

Figure 77 shows the communication flow between the IAP, DHCP server, and AirWave.

Figure 77 Provisioning an IAP through DHCP options

Figure 78 shows the configuration of DHCP option 60 in a Microsoft Windows Server 2008.

Figure 78 Configuring DHCP option 60 in a Windows Server 2008


Figure 79 shows the configuration of DHCP option 43 in a Microsoft Windows Server 2008.

Figure 79 Configuring DHCP option 43 in a Windows Server 2008

For more about DHCP options, see the Aruba Instant User Guide that is available at the Aruba support website.

AirWave prerequisites

If the devices are communicating from the Internet, AirWave must be reachable at a public IP address on the Internet. The only port that needs to be open is 443.

AMP must have the same Group names configured as the Organization value in the provisioning rules in Activate. In the example above, AMP must have a "US-East" Group. This assumes that the devices are being automatically provisioned using an already established Group configuration.

If this is the first device to check into AirWave, then there are some special caveats to be aware of.

l The first IAP will automatically create the group in AMP if it's not already created. This Group will be whatever isthe Organization value as entered in Activate.

l If the first IAP has the desired configuration, it can be used as a "golden" template for subsequent IAPs in the same group. This entails configuring the IAP traditionally through the VC GUI on the IAP itself before it communicates with AMP. When it communicates with AMP for the first time, AMP creates the group and uses the configuration on the IAP as the Group configuration, which subsequent IAPs are then provisioned with.

l If the first IAP does not have the desired configuration, a new Group can be created and an existing configuration copied from an already established IAP group within AMP. For example, you already have a known, working IAP group within AMP. Create a new Group and then, using Instant Config (the IAP GUI in AMP), copy the configuration from the first group into the newly created second group. This is done on the AirWave --> AirWave Settings screen: use the "Copy Policy from Group" field and select the first group with the existing desired configuration.


l If multiple IAPs communicate with AMP at the same time and there is no Group template or configuration, AMP uses the first IAP that checked in as the "golden" template for the group. This introduces an element of chance; a best practice is to have one IAP communicate first into a newly created group before the floodgates are opened for the other IAPs.

AirWave whitelist

Traditionally, when Instant devices first communicate with AirWave, they have been authenticated using a shared secret. That is still possible, and is the default behavior. It is also possible to authenticate them by whitelisting them. This adds a level of security beyond what a shared secret provides. More importantly, because devices are known to AirWave before they ever connect to it, configuration parameters can be defined before they are online, providing a flexible and scalable way to do zero-touch provisioning of Instant.

l To enable whitelisting, go to the AMP Setup page and set "Authorize Aruba Instant APs connecting to AirWave" to "Whitelist". Save the setting.

l If you plan to use the custom variable feature, all the devices must go into groups using template-basedconfiguration rather than Instant GUI config.

Adding devices to the whitelist

When you enable Whitelist authorization, the APs/Devices>New page adds the options described below:


Manually on AMP GUI

From APs/Devices>New>Instant AP whitelist, if you choose "Add an Instant AP to the whitelist", the following screen appears:

For each record, the required fields are:

l Name

l Either serial number or MAC address

All other fields are optional.

Import through Activate

From APs/Devices>New>Instant AP whitelist, if you choose "Import Instant whitelist from Activate", the following screen appears:


In bulk through CSV file

From the New Devices page, click Import Instant AP Whitelist from CSV. On the subsequent page, upload your CSV file. The file should be in the following format:

Name,LAN MAC Address,Serial Number,Virtual Controller Name,Group Name,Folder Name,custom_variable_1,custom_variable_9

IAP_Canada_1,ff:c7:c8:c4:21:ff,BD0086086,Canada-Office,Canada,Vancouver:Downtown,abc,456

IAP_US_1,F0:0B:86:CF:93:FF,BE0542245,US-Office,US,San Francisco:CenterTown:HillTop,cde,789
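Before uploading a whitelist you can sanity-check it offline. The following Python script is an added example, not an AirWave tool, that enforces the rules stated above (Name is required; either a serial number or a MAC address is required), checks MAC address syntax, and flags duplicate identifiers, since a duplicate MAC or serial in the whitelist means two rows compete to authorize one device. The sample is constructed from the two rows shown above plus two deliberately bad rows; the Folder Name column is interpreted as a colon-separated path, as the sample rows suggest.

```python
"""Offline validation of an AirWave Instant AP whitelist CSV (added example)."""
import csv
import io
import re

# Constructed sample: the two rows from the document plus two bad rows
# (a duplicate MAC address and a row with no name and no identifier).
SAMPLE_CSV = """\
Name,LAN MAC Address,Serial Number,Virtual Controller Name,Group Name,Folder Name,custom_variable_1,custom_variable_9
IAP_Canada_1,ff:c7:c8:c4:21:ff,BD0086086,Canada-Office,Canada,Vancouver:Downtown,abc,456
IAP_US_1,F0:0B:86:CF:93:FF,BE0542245,US-Office,US,San Francisco:CenterTown:HillTop,cde,789
IAP_US_2,F0:0B:86:CF:93:FF,,US-Office,US,San Francisco:CenterTown,,
,,,Nowhere-Office,US,,,
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
REQUIRED_COLUMNS = {"Name", "LAN MAC Address", "Serial Number"}


def validate_whitelist(text: str):
    """Return (accepted_rows, rejected_rows).

    accepted_rows: dicts with a lower-cased MAC, the serial and the folder
    path split on ':'; rejected_rows: (line_number, name, [problems]).
    """
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"header is missing columns: {sorted(missing)}")

    accepted, rejected, seen = [], [], {}
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        name = (row.get("Name") or "").strip()
        mac = (row.get("LAN MAC Address") or "").strip().lower()
        serial = (row.get("Serial Number") or "").strip()
        problems = []
        if not name:
            problems.append("Name is required")
        if not mac and not serial:
            problems.append("serial number or MAC address is required")
        if mac and not MAC_RE.match(mac):
            problems.append(f"malformed MAC address {mac!r}")
        # A MAC or serial may authorize only one device.
        for kind, value in (("mac", mac), ("serial", serial)):
            if not value:
                continue
            if (kind, value) in seen:
                problems.append(f"duplicate {kind} {value!r} (first seen on line {seen[(kind, value)]})")
            else:
                seen[(kind, value)] = line_no
        if problems:
            rejected.append((line_no, name, problems))
            continue
        accepted.append({
            "name": name, "mac": mac or None, "serial": serial or None,
            "vc_name": (row.get("Virtual Controller Name") or "").strip(),
            "group": (row.get("Group Name") or "").strip(),
            "folder_path": [p for p in (row.get("Folder Name") or "").split(":") if p],
        })
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_whitelist(SAMPLE_CSV)
    for entry in ok:
        print("accept", entry["name"], entry["mac"], entry["serial"], entry["folder_path"])
    for line_no, name, problems in bad:
        print(f"reject line {line_no} ({name or '<no name>'}): " + "; ".join(problems))
```

Running the validation before the upload keeps the rejected rows out of AirWave entirely; the line numbers in the report refer to the CSV file, header included, so they match what a spreadsheet shows.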

AirWave in DMZ

With RAP-NG architectures, AirWave must be reachable by IAPs from the public Internet. This raises security concerns for customers. Two options are available to mitigate them.

1. Use the AMP whitelist feature. AirWave 7.7.3 introduced support for AMP whitelists. On the AMP Setup > Authentication page, you can include a list of subnets that are allowed to log in to AMP. When this option is enabled, the network of the current client appears by default as the first entry in the list of subnets. Additional entries can be added, one per line, in the text entry box. A customer would normally add its internal networks to this list. From addresses outside the list, only IAP access is allowed; any user attempting browser access from such an address receives an error message. This feature effectively allows IAPs to reach AirWave while restricting browser access to the hosts and subnets in the whitelist.

Do not delete the current client network line from the AMP whitelist. Doing so can result in the loss of access to the AMP user interface.


2. Use two AirWave servers. If the security requirements are strict, an alternative is to use a "provisioning" AMP server in the DMZ and the "real" AMP server in the internal network. The process looks like this:

- The provisioning AMP server has the same Group names as the internal AMP server. However, the provisioning AMP server only configures the IAPs with the VPN peer address(es) and the address of the internal AirWave server.

- The IAPs, when provisioned from Activate, are told where the provisioning AMP server is located plus the intended group.

- The provisioning AMP server automatically provisions and syncs firmware, but it passes along only the VPN information and the internal IP address of the internal AirWave server (non-routable on the public Internet).

Once the IAP comes up with this configuration, it creates a VPN tunnel and communicates with the internal AMP server for the remainder of its configuration.

With this option, you reduce the risk of having a public AMP server that holds the entire configuration in the DMZ. Because the controller terminating the VPN tunnel must also whitelist the IAP, there is an additional level of authentication before the IAP receives the rest of its configuration.

If the IAP configuration sends all traffic into the VPN tunnel, this may cause a problem at the data center firewall. Before the IAP has its configuration, it uses the local ISP connection to talk to AirWave; after it receives the configuration, it uses the tunnel to talk to AirWave. The firewall may treat this as spoofing and block the traffic to AirWave. Starting in Instant 4.0, the VPN routing profile supports an exception route. For example, you can tunnel all traffic except the AirWave host IP address, which works around this issue. The screen shot below shows the VPN configuration on the IAP that routes traffic to 199.127.100.100 outside the VPN tunnel.


When the device is turned on, it communicates with Aruba Activate at https://device.arubanetworks.com, receives its provisioning settings based on the rules that you defined, and starts to communicate with AirWave. For example:

The rule above instructs the IAP to create a tunnel to 3.3.3.3 and to connect to AirWave at 2.2.2.2 with "aruba" as the organization string.

Organization String

When an IAP is added to AirWave, the device is authorized based on its organization string. The organization string is a list of colon-separated strings that define the group and folder that the device is placed into. Additionally, a role is created that gives access only to this folder.

This example is a very simple organization string:

US

A device with an organization string of "US" is placed in an AirWave group that is called "US" and in a folder that is called "US". The folder is one level beneath the top folder. In addition, a role is created that grants access to devices in the "US" folder.

This example is a slightly more complex organization string:

US:California:Sunnyvale

A device with an organization string of "US:California:Sunnyvale" is placed in an AirWave group that is called "US" and in the folder hierarchy US > California > Sunnyvale beneath the top folder.

In addition, a role is created that grants access to devices in the "US" folder and all its subfolders.
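As an added example (not code from the Aruba VRD, AirWave or Activate), the following Python script validates a whitelist CSV in the format shown above against the required-field rules of this section (Name, plus either a serial number or a MAC address) and derives the group, folder hierarchy and role top folder that an organization string implies. The function names and the third, deliberately incomplete sample row are this example's own; the two valid sample rows are the page's.

```python
"""Added example, not Aruba or AirWave code: validate an Instant AP whitelist CSV of the
shape shown above and derive the AirWave group/folder placement that an organization
string implies, following the rules described in this section.  The function names and
the third sample row (which fails the required-field check) are this example's own."""
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Tuple

# Header of the CSV format shown above; custom_variable_N columns are optional extras.
REQUIRED_HEADER = ["Name", "LAN MAC Address", "Serial Number",
                   "Virtual Controller Name", "Group Name", "Folder Name"]


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-.. or aabb.ccdd.eeff; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Placement:
    group: str
    folder_path: List[str]   # folders beneath the Top folder, outermost first
    role_top_folder: str     # the auto-created role grants access from here down


def placement_from_org_string(org: str) -> Placement:
    """'US:California:Sunnyvale' -> group US, folders Top > US > California > Sunnyvale,
    and a role whose top folder is US (so it also sees the subfolders)."""
    parts = [p.strip() for p in org.split(":")]
    if any(not p for p in parts):
        raise ValueError(f"malformed organization string {org!r}")
    return Placement(group=parts[0], folder_path=parts, role_top_folder=parts[0])


def validate_whitelist_csv(text: str) -> Tuple[List[dict], List[str]]:
    """Return (rows, errors): rows normalized for import, errors as 'line N: reason'."""
    reader = csv.DictReader(io.StringIO(text))
    header = list(reader.fieldnames or [])
    if header[:len(REQUIRED_HEADER)] != REQUIRED_HEADER:
        return [], ["line 1: header must start with " + ",".join(REQUIRED_HEADER)]
    rows, errors = [], []
    for lineno, row in enumerate(reader, start=2):
        name = (row.get("Name") or "").strip()
        mac = (row.get("LAN MAC Address") or "").strip()
        serial = (row.get("Serial Number") or "").strip()
        if not name:
            errors.append(f"line {lineno}: Name is required")
            continue
        if not mac and not serial:
            errors.append(f"line {lineno}: either serial number or MAC address is required")
            continue
        try:
            mac = normalize_mac(mac) if mac else ""
        except ValueError as e:
            errors.append(f"line {lineno}: {e}")
            continue
        custom = {k: v for k, v in row.items()
                  if k and k.startswith("custom_variable_") and v}
        rows.append({
            "name": name, "mac": mac, "serial": serial,
            "vc": row.get("Virtual Controller Name") or "",
            "group": row.get("Group Name") or "",
            # Folder Name uses the same colon-separated hierarchy as an organization string.
            "folder_path": [f for f in (row.get("Folder Name") or "").split(":") if f],
            "custom": custom,
        })
    return rows, errors


# Constructed sample: the page's two rows plus one that has neither MAC nor serial.
SAMPLE_CSV = """\
Name,LAN MAC Address,Serial Number,Virtual Controller Name,Group Name,Folder Name,custom_variable_1,custom_variable_9
IAP_Canada_1,ff:c7:c8:c4:21:ff,BD0086086,Canada-Office,Canada,Vancouver:Downtown,abc,456
IAP_US_1,F0:0B:86:CF:93:FF,BE0542245,US-Office,US,San Francisco:CenterTown:HillTop,cde,789
IAP_Bad_1,,,Nowhere-Office,US,San Francisco,,
"""

if __name__ == "__main__":
    rows, errors = validate_whitelist_csv(SAMPLE_CSV)
    for r in rows:
        print(r["name"], r["mac"], r["serial"], "/".join(r["folder_path"]), r["custom"])
    for e in errors:
        print("ERROR", e)
    print(placement_from_org_string("US:California:Sunnyvale"))
```

Running the script prints the two normalized rows, one error for the incomplete row, and the placement for the organization string used as the example above. The MAC normalization is defensive: the page's sample mixes upper- and lower-case MACs, and a whitelist match on an inconsistent format is a common reason a device unexpectedly falls back to shared-secret authentication.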

Setting up Groups, Folders and Roles in AirWave

When a device is added to AirWave, it is placed in a group and a folder, each of which has a different purpose.


Groups

AirWave groups are primarily for configuration. Devices that have the same configuration should be placed in the same group. In a typical group configuration, you might have one group for IAPs, including the VC, and one for third-party switches. When AirWave has too many groups for similar devices, managing configurations can become a challenge. You might have difficulty determining whether devices conform to a common standard, which increases the chance of a configuration error. To simplify configuration management, create as few groups as possible. Groups within AirWave can be thought of as containers for common configuration profiles or templates.

With IAPs and RAP-NG architectures, each IAP that is part of a group has the same configuration, minus the settings that are unique to each device or cluster, such as the virtual controller name and IP address and the IAP hostnames. These are accounted for in AirWave's Instant Config. The advantage of this approach is that once a group is established, the configuration and any future additions or changes are applied seamlessly to all virtual controllers in that group. Any new virtual controllers added through Activate or manually obtain these settings automatically.

Aruba recommends configuring a VC/IAP first using the IAP UI and, once the configuration is certified, adding it manually into AirWave. First ensure that all SSIDs, RF settings, VPN settings, and anything else you wish to mirror to other VCs/IAPs are fully configured and working as expected. Once satisfied, navigate to System (top right) > Admin.

This should look familiar, as it is the same information Activate asks for when adding an IAP to an AirWave provisioning rule (see above).

Once you enter the AirWave settings, this IAP should contact AirWave within a few minutes and show up in the New Devices list. If the group does not exist yet, the value placed in the Organization field is used as the group name. For example, if you entered US-IAP:East, the group name will be "US-IAP".

When you add this new IAP, do not alter the Group and Folder values on the New Devices screen; leave them at their defaults. The group and folder are derived from the Organization value entered either through Activate or manually in the screen shown above. Click Add and then Apply to fully add this IAP into AirWave.

Folders

AirWave folders are hierarchical and are used for these purposes:

- Controlling which AirWave users have access to which devices

- Reporting

- Alerting

You can organize folders in any way that makes sense to you. Typically, folders are organized by geography or business unit, as shown in the figures below:

Figure 80 Folder structure organized by geography

Figure 81 Folder structure organized by line of business

Roles

Each AirWave user is assigned a role, which is either created by an administrator or created automatically based on the organization string of a new IAP. The role determines the following user capabilities:

- Devices that the user can view

- Permissions that the user has, including whether the user can configure devices or reboot them

- Access that the user has to VisualRF or to information about rogue APs


Below is an example of a role that grants a user read-only access to devices in the Distribution Centers folder and its subfolders.

Figure 82 Configuring an AirWave role

Managing Device Firmware with AirWave

When you manage a large network, you must maintain common firmware versions for ease of troubleshooting and maintenance. AirWave can automatically upgrade or downgrade IAP firmware as IAPs are added to AirWave. After devices have been added, you can upgrade firmware in schedulable, multicluster jobs.

The first step in planning firmware updates is to load the required firmware version onto the AirWave server. You can either pick from the stable, generally available releases that are hosted in the cloud by Aruba Activate, or manually upload any firmware version to AirWave. If you select the manual method, you must load the correct firmware image for each device type in your network.

New firmware images are added to Aruba Activate when Aruba determines that they are stable, typically a few weeks after they are released.

Setting up AirWave to Automatically Update Firmware on New Devices

Click the Firmware tab on the top menu bar within the Instant group. On this screen, toggle "Enforce Group Firmware Version" to Yes and, if desired, allow downgrades of devices. In the Desired Version box, select the code version that the customer wants to standardize on for this group. Once AirWave sees the IAPs show up in the group, it compares firmware versions, detects that the firmware version differs from the desired one, and designates the next communication from the VC as an attempt to upgrade firmware. During the upgrade, the VC and APs are marked as down (though you may find that you still have access while the APs are downloading the image, so the down message is somewhat premature). Once all devices in the cluster are upgraded, AirWave receives a message and returns the devices to up status.


Firmware files are stored in two places: the image server in the cloud and AirWave's local database. There is currently a delay between Aruba releasing a code version and its appearance in the image server list. If a desired version is not listed but is known to be GA, you must manually download all Instant firmware files related to the specific release and upload them into AirWave.

If you select a file from the image server, AirWave automatically downloads those files and places them in its local database. Any Instant AP that needs an upgrade from AirWave is served by AirWave and not by the cloud service.

Bulk Upgrades of IAPs

Most device lists in AirWave have a Modify Devices feature that allows you to perform actions such as auditing, rebooting, and reporting on any set of devices. The Modify Devices feature is the best way to perform and schedule firmware upgrades on an unlimited number of devices, as shown in the figure below.


Figure 83 Configuring AirWave bulk firmware upgrade options

In groups that have the "Instant GUI Config" feature enabled, all devices must run the same firmware version. Therefore, firmware must be updated on every cluster in a group.

When Instant devices are managed by AirWave, each device downloads its own image from the AirWave server. Make sure that each AP in a cluster has access to AirWave through HTTPS or HTTP for firmware updates.

Monitoring Firmware Upgrade Jobs

You can track the status of current and scheduled upgrade jobs on the Firmware Upgrade Jobs screen of the AirWave WebUI, as shown in the figure below.

Figure 84 Displaying AirWave firmware upgrade jobs


Managing Device Configurations with AirWave

Managing device configurations is one of the biggest challenges in a large network deployment. Nonstandard configurations make it hard to maintain and troubleshoot the network. To adapt to the complexity of a large network, a network administrator needs a simple way to configure some devices in a way that deviates from the standard configuration policy. In addition, when a network administrator must make complicated changes in too many places, there is always the risk of human error.

AirWave offers a GUI-based tool and a legacy template system for centralized management of Aruba Instant configurations. This section describes configuration with the GUI-based tool.

First, Instant Config needs to be enabled. This is done in the per-group Basic settings. In AirWave, navigate to Groups, hover over the wrench icon next to the Instant group, and click "Basic".

Enable Instant GUI Config. Wait a few minutes for the Instant Config service to start; you should then be able to click "Instant Config" in the group to enter the IAP GUI.

Second, on the same page, ensure that the Group Display options are set to "Only Devices in this Group" or to "Selected Device Types" with the selection set to Aruba Instant.

After you add devices to an IGC group, you can no longer use the device's own GUI to change the configuration; all configuration changes are executed through AirWave.

At this point, AirWave has its first group created and the desired configuration from the first IAP. Subsequent Instant APs should now automatically provision, sync firmware, and get the needed configuration.

For this AirWave IGC capability, you must run Aruba Instant 3.2 or greater, and all devices in a group must be running the same firmware version.

IGC has a look and feel very similar to the VC WebUI and includes wizards such as the New Wireless Setup Wizard. An important addition in IGC is the context. A user in IGC is either in a group context or in a cluster-specific context. The current context is displayed at the top of the left panel in IGC.

To make configuration changes to every cluster in the group, start in the group context and select the settings that you want to apply. Figure 85 shows how you can make changes to the AirGroup settings for an entire group.

Figure 85 AirWave IGC: changing AirGroup settings for an entire group

After you make the change, AirWave immediately queues up the appropriate commands to send to each cluster. The next time a cluster contacts AirWave (which it typically does every minute), the commands are sent, and the devices start to check in every 5 seconds to speed up the confirmation and subsequent configuration changes.

If one cluster in a group has a different requirement and needs cluster-specific overrides of the group policy, enter cluster-specific mode by selecting the group name in the left pane and then selecting the cluster to modify.

Figure 86 AirWave IGC: Overriding a group policy for a cluster


By dragging the sticky note icon onto a field, you can add notes to any setting. (This works for most fields.) After you apply and confirm the override on the device, the override is highlighted in group mode with a yellow asterisk.

Figure 87 AirWave IGC: Override with a sticky note

IGC ignores the country code by default. For IAPs with US, Japan or Israel regulatory codes, users do not need to configure a country code.

For IAPs with other regulatory codes, turn on [Allow Configuration of Country Code] under IGC > AirWave > AirWave Settings, then set the correct country code on the System > General page.

AirWave use cases

AirWave for the Distributed Enterprise

In a public-facing deployment, such as a coffee shop chain or hotspot provider, a large number of users might access the network. AirWave stores historical data, including usage and signal quality, on a per-user basis. This data is stored in round-robin database (RRD) files that are created as users are detected. You can configure how many days the data is stored, which affects the size of the RRD files. In an environment with many unique users, it is critical not to store the data too long, or the RRD files become too large. Aruba recommends a storage time of 4 weeks or shorter.

The AirWave Rogue Access Point Intrusion Detection System (RAPIDS) lets you create customized rules to identify and act upon rogue access points. If users have access to an open or captive-portal wireless network, it is important to prevent an attacker from spoofing the network. Use a RAPIDS rule to identify such a network and take action if necessary, as shown in the figure below.


Figure 88 Configuring a RAPIDS classification rule

AirWave for the Small and Medium Enterprise

If IAPs are deployed in clusters rather than as standalone devices, you must be able to receive cluster reports. By placing each cluster in its own folder, reports and alerts can be generated for each individual folder.

If a user experiences connectivity problems and contacts the IT help desk, the IT engineer can search for the user in AirWave through many fields, including the user name and MAC address fields. Near-real-time information is available about the status of the user connection, including the status of the user device and the VC. This capability can help the IT engineer quickly identify the source of a connectivity problem, as shown in the figure below.

Figure 89 AirWave diagnostic capabilities

In a multi-AP environment, you must be able to check on the status of the RF. A common source of user complaints is RF saturation. AirWave can provide reports and alerts that keep you informed about the health of the network and notify you of unusual situations before problems occur.


The figure below is a screen shot of the RF Health dashboard, which can help you identify areas with excessive radio utilization.

Figure 90 AirWave RF Health dashboard

Aruba recommends that you set up triggers so that AMP sends alerts when a particular radio utilization threshold is exceeded. Each RF environment is different. One common recommendation is to set up a trigger for interference of over 50% or a busy time of over 75% over a 15-minute interval.

Figure 91 Setting up alert triggers in AirWave


AirWave for a Home Office

AirWave can display the VPN IP address of an AP and link to it as well.

Figure 92 Viewing VPN IP addresses in AirWave

The AirWave Run command provides CLI access to remote networks and allows the network administrator to view detailed network information such as the VPN status of a RAP.

Figure 93 Displaying the VPN status with the AirWave Run command

Chapter 6

Network Visibility using AppRF on Aruba Instant

AppRF on Instant Access Points

Introduction

AppRF is Aruba's custom-built Layer 7 (L7) firewall capability. It was introduced in Instant OS 4.1 and consists of an on-board Deep Packet Inspection (DPI) engine and a cloud-based Web Policy Enforcement (WPE) service.

The WPE service is hosted by aruba.brightcloud.com and allows creating local firewall policies based on the types of traffic identified. The WPE capabilities require the IAP to have a WPE subscription.

IAPs with DPI capability analyze data packets to identify the applications in use and allow the creation of access rules that determine client access to applications, application categories, web categories, and website URLs based on security ratings. You can also define traffic shaping policies, such as bandwidth control and QoS per application, for client roles. For example, you can block bandwidth-monopolizing applications on a guest role within an enterprise. In K-12, web filtering is required for Children's Internet Protection Act (CIPA) compliance and is a mandate for E-rate funding.

The AppRF feature provides application visibility for analyzing client traffic flow. IAPs combine the power of in-device packet flow identification with dynamically updated cloud-based web categorization.

For application traffic, the initial packets pass through the DPI engine residing on the IAP for classification. Once the session is classified, firewall actions are applied to that traffic based on the ACLs created by the administrator. For web URL traffic, the IAP queries BrightCloud and gets the web category and web reputation information for the session. Once sessions are classified, an ACL can perform the following actions on the traffic:

- Permit/Deny

- Bandwidth Contracts

- Log

- Blacklist

- DSCP Tag

- 802.1p priority

- Disable Scanning

The universal knob to turn on AppRF is on the Virtual Controller (VC):

IAP UI: System > General > AppRF visibility

IAP# configure t
IAP(config)# dpi
IAP(config)# end
IAP# commit apply

Enable AppRF visibility if visibility is required. Enforcement does not require this knob to be enabled.

DPI

AppRF DPI is supported only on platforms with 32 MB of flash, such as the IAP 103, 108, 109, 114, 115, 155, 204, 205, 214, 215, 224, 225, and 275. Due to this hardware memory limitation, it is not supported on IAPs with 16 MB of flash memory, which includes the IAP 104, 105, RAP-3, 134, 135 and 175. The AppRF DPI engine resides on the IAP and supports predefined apps and app categories. The number of supported apps increases with upgrades. To view the list of applications and application categories, execute the following CLI commands:

IAP# show dpi app all
IAP# show dpi appcategory all

Mixed-class deployments (APs that support only web filtering together with APs that support full AppRF) work as follows.

While configuring, there is no explicit check for AP capabilities. That is, you can configure application rules even on an AP that supports only web filtering, but enforcement and visualization take place only for web traffic.

Each AP visualizes and enforces traffic according to its capability.

On IAPs that support only web filtering, for example the IAP-105, a configured application classification rule is treated as a NO-OP, as if the rule did not exist.

On IAPs that support all AppRF functions, for example the IAP-225, the same application classification rules are enforced.

Visualization is per AP. You have to click the per-AP or per-client view to see the AppRF charts.

On the IAP-105, AppRF shows only two charts: web category and web reputation.

On the IAP-225, all four charts (application, application category, web category and web reputation) are shown.


When clients roam, sessions are transferred from the old AP to the new AP. This works for already classified sessions. If a client roams before a flow is classified, application classification takes longer because the new AP needs to reclassify the session.

Web Content Filtering

Web content filtering, or web URL filtering, is the ability to classify and enforce policies on web-based traffic, that is, all browser-based URLs and HTTP and HTTPS traffic accessed by users on the network. It is managed in the cloud by BrightCloud, which updates its database in real time.

Categories

Web URLs are classified into one or more of 81 web categories. For example, Facebook can be classified as social-media, instant-messaging or gaming depending on what the user does with it. The current number of categories can be found with:

IAP# show dpi webcategory all

Reputation

Web URLs are also classified into 5 web reputation groups based on the web reputation index (WRI) score:

Reputation       WRI Score
Trustworthy      81-100
Low Risk         61-80
Moderate Risk    41-60
Suspicious       21-40
High Risk        1-20

Trustworthy: These are well-known sites with strong security practices that rarely exhibit characteristics that expose the user to security risks. There is a low probability that a user will be exposed to a malicious payload.

Low Risk: These are benign sites that rarely exhibit characteristics that expose the user to security risks. There is a low probability that a user will be exposed to a malicious payload.

Moderate Risk: These sites have exhibited some characteristics that suggest security risk. There is some probability that the user will be exposed to a malicious payload.

Suspicious: There is a higher than average probability that the user will be exposed to malicious links or payloads.

High Risk: There is a high probability that the user will be exposed to malicious links or payloads.

The current reputation and category of a site can be looked up on BrightCloud's online lookup page.


The current reputation and category of a site can also be found using the IAP CLI:

Here, we try www.cnn.com, which has already been queried by the IAP because of previous traffic.

IAP# show dpi webcategory-lookup www.cnn.com
Input URL: www.cnn.com
Found CACHED RESULT:
URL: cnn.com REP: 81 A1: 0, Serial = 0x200001
Index: 0 Category: news-and-media (63) Confidence level: 99

Now, we try a new site.

IAP# show dpi webcategory-lookup www.bbc.com
Input URL: www.bbc.com
Request sent for CLOUD LOOKUP, please try again.

The result is now cached:

IAP# show dpi webcategory-lookup www.bbc.com
Input URL: www.bbc.com
Found CACHED RESULT:
URL: bbc.com REP: 96 A1: 0, Serial = 0x200001
Index: 0 Category: news-and-media (63) Confidence level: 99

The high-end IAPs with 256 MB or more of memory (115, 135, RAP-155, 215, 225) cache 500k (half a million) entries, and the low-end IAPs with 128 MB of memory (103, 105, RAP-109, 205) cache 100k entries. These entries expire by default after four days, or are dynamically replaced when the cache is under pressure.


The web URL database is maintained by BrightCloud. Each IAP in the cluster independently accesses the database on aruba.brightcloud.com and maintains its own cache.

Classification anomalies can be reported directly on BrightCloud's online URL categorization and reputation change request pages:

URL categorization change request link.

URL reputation change request link.

Classification can fail if:

- The DPI engine fails

- WAN uplink issues prevent web classification

If sessions are not classified, they follow the default rule specified in the user role. For strict enforcement on unclassified sessions, you can manually create a rule to deny an "unknown" session.
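The following Python model is an added example, not Aruba code, of how the classification results described in this chapter feed the ACL rules of a user role: WRI scores are mapped to the reputation bands in the table above, rules match on application, application category, web category or reputation band, application rules are a NO-OP on web-filtering-only APs, and an unclassified session either falls through to the role's default rule or is caught by a strict "unknown" rule. The Session and Rule structures, the rule field names and the sample sessions are this example's assumptions about behaviour the text gives only in prose.

```python
"""Added example, not Aruba code: a small model of how AppRF classification results
feed the ACL rules of a user role, as described in this chapter.  The reputation bands
are the WRI table above; the Session and Rule shapes, the 'unknown' rule semantics and
the sample sessions are this example's assumptions about behaviour the text gives in prose."""
from dataclasses import dataclass
from typing import List, Optional


def reputation_band(wri: int) -> str:
    """Map a BrightCloud Web Reputation Index score (1-100) to its reputation group."""
    if not 1 <= wri <= 100:
        raise ValueError(f"WRI score out of range: {wri}")
    if wri >= 81:
        return "trustworthy"
    if wri >= 61:
        return "low-risk"
    if wri >= 41:
        return "moderate-risk"
    if wri >= 21:
        return "suspicious"
    return "high-risk"


@dataclass
class Session:
    dst: str
    app: Optional[str] = None            # filled in once the on-AP DPI engine classifies
    app_category: Optional[str] = None
    web_category: Optional[str] = None   # filled in once the BrightCloud lookup returns
    wri: Optional[int] = None

    @property
    def classified(self) -> bool:
        return any(v is not None for v in
                   (self.app, self.app_category, self.web_category, self.wri))


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    app: Optional[str] = None
    app_category: Optional[str] = None
    web_category: Optional[str] = None
    reputation: Optional[str] = None     # a band name from reputation_band()
    unknown: bool = False                # strict rule: match sessions not yet classified
    log: bool = False
    blacklist: bool = False

    def matches(self, s: Session, ap_supports_dpi: bool) -> bool:
        if self.unknown:
            return not s.classified
        if (self.app or self.app_category) and not ap_supports_dpi:
            return False                 # web-filtering-only AP: app rules are a NO-OP
        got_band = reputation_band(s.wri) if s.wri is not None else None
        checks = [(self.app, s.app), (self.app_category, s.app_category),
                  (self.web_category, s.web_category), (self.reputation, got_band)]
        # Every criterion the rule names must be present on the session and equal.
        return all(want is None or got == want for want, got in checks)


def evaluate(s: Session, rules: List[Rule], default_action: str,
             ap_supports_dpi: bool = True) -> dict:
    """First matching rule wins; an unmatched session gets the role's default rule."""
    for i, r in enumerate(rules):
        if r.matches(s, ap_supports_dpi):
            return {"action": r.action, "log": r.log, "blacklist": r.blacklist, "rule": i}
    return {"action": default_action, "log": False, "blacklist": False, "rule": None}


# Guest role modelled on the policies this chapter describes (deny Facebook and log;
# deny high-risk sites and blacklist) plus the strict rule for unclassified sessions.
GUEST_RULES = [
    Rule("deny", app="facebook", log=True),
    Rule("deny", reputation="high-risk", blacklist=True),
    Rule("deny", unknown=True),
]

# Constructed sample sessions; the classifications are illustrative, not real lookups.
SAMPLE_SESSIONS = {
    "facebook": Session("facebook.com", app="facebook", app_category="social-networking",
                        web_category="social-networking", wri=90),
    "news": Session("bbc.com", web_category="news-and-media", wri=96),
    "malware": Session("203.0.113.7", web_category="malware-sites", wri=10),
    "pending": Session("198.51.100.3"),   # classification not returned yet
}

if __name__ == "__main__":
    for name, sess in SAMPLE_SESSIONS.items():
        print(name, evaluate(sess, GUEST_RULES, "permit"))
    # The same Facebook flow on a web-filtering-only AP (for example an IAP-105):
    print("facebook on IAP-105", evaluate(SAMPLE_SESSIONS["facebook"], GUEST_RULES,
                                          "permit", ap_supports_dpi=False))
```

Two points the model makes visible: without the "unknown" rule, the pending session would be permitted by the default rule in a permit-by-default role, which is the gap the paragraph above warns about; and on a web-filtering-only AP the Facebook deny never fires, so a mixed-class deployment needs a web-category or reputation rule as a backstop if the intent is to block the site everywhere.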


Configuration

Enforcement through policies

IAP UI: SSID Wizard > Access tab, or IAP UI: Security > Roles (then apply the role to the SSID).

The image below shows how to group multiple applications together.

The first image below shows how to deny Facebook and enable logging. The second image shows how to deny high-risk websites and blacklist the user.


If you enable logging, the output of the show log security command displays the log details, as in the following example:

IAP# show log security 10

Oct 16 22:30:20  stm[2242]: <124006> <WARN> |AP 94:b4:0f:cb:dc:[email protected] stm|  TCP srcip=199.59.149.198 srcport=443 dstip=192.168.200.109 dstport=50925, dpi-dst=facebook, action=deny
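As an added example (not part of the VRD), the following Python snippet parses lines in the format of the security log entry above and summarizes denied sessions per client and application, which is a quick way to confirm that a deny-and-log rule fires as intended. The sample log lines, including the AP's IP address, are constructed for the example, and the record field names are this example's own.

```python
"""Added example, not from the Aruba VRD: parse AppRF deny events from `show log
security` output in the format shown above and summarize them per client and
application.  The log lines below are constructed for the example (the AP's IP address
is made up), and the record field names are this example's own."""
import ipaddress
import re
from collections import Counter
from typing import List, Optional

# Field layout of the <124006> stm warning shown above; the whitespace between
# fields varies, and the protocol and "srcip=" may run together.
DPI_LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+stm\[\d+\]:\s+"
    r"<(?P<msgid>\d+)>\s+<(?P<level>\w+)>\s+\|AP (?P<ap>\S+) stm\|\s+"
    r"(?P<proto>TCP|UDP)\s*srcip=(?P<srcip>[\d.]+) srcport=(?P<srcport>\d+) "
    r"dstip=(?P<dstip>[\d.]+) dstport=(?P<dstport>\d+),\s*"
    r"dpi-dst=(?P<app>[\w.-]+),\s*action=(?P<action>\w+)"
)

SAMPLE_LOG = """\
Oct 16 22:30:20  stm[2242]: <124006> <WARN> |AP 94:b4:0f:cb:dc:98@10.1.1.5 stm|  TCP srcip=199.59.149.198 srcport=443 dstip=192.168.200.109 dstport=50925, dpi-dst=facebook, action=deny
Oct 16 22:30:21  stm[2242]: <124006> <WARN> |AP 94:b4:0f:cb:dc:98@10.1.1.5 stm|  TCP srcip=192.168.200.109 srcport=50926 dstip=31.13.64.35 dstport=443, dpi-dst=facebook, action=deny
Oct 16 22:31:02  stm[2242]: <124006> <WARN> |AP 94:b4:0f:cb:dc:98@10.1.1.5 stm|  UDP srcip=192.168.200.77 srcport=41000 dstip=104.16.0.1 dstport=6881, dpi-dst=bittorrent, action=deny
Oct 16 22:31:05  stm[2242]: <124006> <WARN> |AP 94:b4:0f:cb:dc:98@10.1.1.5 stm|  TCP srcip=192.168.200.77 srcport=41001 dstip=93.184.216.34 dstport=443, dpi-dst=youtube, action=permit
Oct 16 22:31:09  stm[2242]: <124010> <INFO> |AP 94:b4:0f:cb:dc:98@10.1.1.5 stm|  some unrelated stm message
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a record for an AppRF ACL log line, or None for any other line."""
    m = DPI_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["srcport"] = int(rec["srcport"])
    rec["dstport"] = int(rec["dstport"])
    return rec


def parse_security_log(text: str) -> List[dict]:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def client_of(rec: dict) -> str:
    """The deny may be logged on the return flow (server -> client), as in the page's
    example, so pick the RFC 1918 side as the client rather than assuming srcip."""
    src = ipaddress.ip_address(rec["srcip"])
    dst = ipaddress.ip_address(rec["dstip"])
    if dst.is_private and not src.is_private:
        return rec["dstip"]
    return rec["srcip"]


def deny_summary(records: List[dict]) -> Counter:
    """Count denied sessions per (client, application)."""
    return Counter((client_of(r), r["app"]) for r in records if r["action"] == "deny")


if __name__ == "__main__":
    recs = parse_security_log(SAMPLE_LOG)
    for (client, app), n in deny_summary(recs).most_common():
        print(f"{client:16} {app:12} denied {n}x")
```

Note the direction handling: in the page's own log line the source is the Facebook server on port 443 and the destination is the client, because the deny was logged on the return flow. Summarizing by srcip alone would attribute that event to the remote server rather than to the client.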

The image below shows how to throttle YouTube traffic and prioritize Lync.

Visibility in UI

Per AP view

Click on the AP name and then the AppRF tab at the bottom right, as shown in the image below.


Per client view

Click on the client name and then the AppRF tab at the bottom right, as shown below.

Per SSID view

Click on the SSID and then the AppRF tab at the bottom right, as shown below.

AppRF tab details

Four charts are shown: App, App Category, Web Category, and Web Reputation. See the image below.


Hover the mouse over "Category" to see data utilization for a category or app. See the image below.

Click on "Chart" to expand it and see a table or chart view. See the image below.

Click to filter on a single app and to see per-user data. See the image below.


Toggle to switch between list and chart view. See image below.

For more configuration examples, refer to the Aruba Instant User Guide, which is available at the Aruba support website.

Troubleshooting

Show commands

"show dpi app all" shows the static list of supported apps:

IAP# show dpi app all
Pre-defined Application List
----------------------------
01net                    050plus                 0zz0                  10050net               10086cn
104com                   1111tw                  114la                 115com                 118114cn
::<truncated>::
zol                      zonealarm-update        zoo                   zoznam                 zshare
zum                      zynga
Total applications = 1957

"show dpi app <app-name>" shows the app category and default ports for a specific app:

IAP# show dpi app facebook
Pre-defined Application
-----------------------
Name      App ID  App Category       Default Ports
----      ------  ------------       -------------
facebook  244     social-networking  tcp 80 443

IAP# show dpi app bittorrent
Pre-defined Application
-----------------------
Name        App ID  App Category  Default Ports
----        ------  ------------  -------------
bittorrent  15      peer-to-peer  tcp 1024-65535  udp 1024-65535


To analyze IAP and client traffic when deep packet inspection is enabled, execute the show datapath session dpi command at the IAP CLI. Its output includes flags that let you analyze session classification. Use this command in conjunction with the include filter to narrow the output.

To clear these sessions and see fresh sessions created by the client, use:

IAP# clear datapath session

You can always use the include filter with a show command to filter specific output.

Traces

Check the current trace settings with:

IAP# show trace info

Turn on the sub-components "BCA DATA" and "BCA CONTROL". Note that there are other sub-components as well; asking for an invalid one lists them:

IAP# trace component DPIMGR sub-component x
Invalid sub-component name(x). Valid sub-components for DPIMGR are:
GENERAL,
CLI,
QOSMOS DATA,
QOSMOS CONTROL,
DPIMGR CONTROL,
FW VISIBILITY,
BCA DATA,
BCA CONTROL,
SYSLOG,
ALL

IAP# trace component DPIMGR sub-component "BCA DATA"
IAP# trace component DPIMGR sub-component "BCA CONTROL"

Perform a lookup as shown below:

IAP# show dpi webcategory-lookup www.time.com
Input URL: www.time.com
Request sent for CLOUD LOOKUP, please try again.

IAP# show trace log DPIMGR 100
Oct 15 19:50:30 trace_on: Tracing to "/var/log/trace/dpimgr.log" started
bcaruba: DPIMGR got trace config: mac(00:00:00:00:00:00), ip(0.0.0.0), level(7), sub_comp_flag:0x00000000
bcaruba: <358000> <ERRS> |AP 94:b4:0f:cb:dc:[email protected] dpimgr|  ^[func bca_syslog] [line209] [msg Upating smart cache to version 0.1]
bcaruba: DPIMGR got trace config: mac(00:00:00:00:00:00), ip(0.0.0.0), level(7), sub_comp_flag:0x00000040
bcaruba: Tracing enabled for BCA DATA
bcaruba: DPIMGR got trace config: mac(00:00:00:00:00:00), ip(0.0.0.0), level(7), sub_comp_flag:0x000000c0
bcaruba: Tracing enabled for BCA DATA
bcaruba: Tracing enabled for BCA CONTROL
Oct 15 23:21:24|94:b4:0f:cb:dc:98|---.---.---.---|BCA DATA|dpimgr_handle_brightcloud_data:416|REQ URI:www.time.com for id = 0x200001
Oct 15 23:21:24|94:b4:0f:cb:dc:98|---.---.---.---|BCA DATA|bca_lookup:211|sent for cloud/cache lookup.
Oct 15 23:21:25|94:b4:0f:cb:dc:98|---.---.---.---|BCA CONTROL|bca_print_req:123|URL: time.com REP: 50 A1: 0, Serial = 0x200001
Oct 15 23:21:25|94:b4:0f:cb:dc:98|---.---.---.---|BCA CONTROL|bca_print_req:133|Index: 0 Category: news-and-media(63) Confidence level: 93

If the traffic volume is large, set filters on the client MAC or IP address with:

IAP# trace mac 11:11:11:11:11:11
Got trace config for CLI_2: mac(11:11:11:11:11:11), ip(0.0.0.0), level(7), sub_comp_flag:0x00000000

IAP# trace ip 1.1.1.1
Got trace config for CLI_2: mac(11:11:11:11:11:11), ip(1.1.1.1), level(7), sub_comp_flag:0x00000000

Remove the trace filters with:

IAP# trace mac 00:00:00:00:00:00
IAP# trace ip 0.0.0.0

Disable the sub-component trace with:

IAP# no trace component DPIMGR sub-component "ALL"
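When several lookups are in flight, the BCA DATA request lines and the BCA CONTROL reply lines for one URL are separated by other entries. The following Python parser is an added example (not code from the VRD or from Aruba) that correlates them by serial number; the line layout (timestamp|MAC|IP|sub-component|function:line|message) is inferred from the trace output above, and the sample lines are constructed after it.

```python
"""Correlate DPIMGR trace lines into per-serial web-category lookup results.

Added example, not code from the Aruba Instant VRD. The field layout is
inferred from the 'show trace log DPIMGR' output in the text; the sample
below is constructed after it, with a second, unanswered lookup added.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_TRACE = """\
Oct 15 19:50:30 trace_on: Tracing to "/var/log/trace/dpimgr.log" started
bcaruba: Tracing enabled for BCA DATA
bcaruba: Tracing enabled for BCA CONTROL
Oct 15 23:21:24|94:b4:0f:cb:dc:98|---.---.---.---|BCA DATA|dpimgr_handle_brightcloud_data:416|REQ URI:www.time.com for id = 0x200001
Oct 15 23:21:24|94:b4:0f:cb:dc:98|---.---.---.---|BCA DATA|bca_lookup:211|sent for cloud/cache lookup.
Oct 15 23:21:25|94:b4:0f:cb:dc:98|---.---.---.---|BCA CONTROL|bca_print_req:123|URL: time.com REP: 50 A1: 0, Serial = 0x200001
Oct 15 23:21:25|94:b4:0f:cb:dc:98|---.---.---.---|BCA CONTROL|bca_print_req:133|Index: 0 Category: news-and-media(63) Confidence level: 93
Oct 15 23:22:10|94:b4:0f:cb:dc:98|---.---.---.---|BCA DATA|dpimgr_handle_brightcloud_data:416|REQ URI:www.example.test for id = 0x200002
Oct 15 23:22:10|94:b4:0f:cb:dc:98|---.---.---.---|BCA DATA|bca_lookup:211|sent for cloud/cache lookup.
"""

# timestamp|mac|ip|sub-component|function:line|message
TRACE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\|(?P<mac>[0-9a-f:]{17})\|(?P<ip>[^|]*)\|"
    r"(?P<sub>[^|]+)\|(?P<func>[^|]+)\|(?P<msg>.*)$"
)
REQ_RE = re.compile(r"REQ URI:(?P<uri>\S+) for id = (?P<id>0x[0-9a-fA-F]+)")
REP_RE = re.compile(r"URL: (?P<url>\S+) REP: (?P<rep>\d+) A1: \d+, Serial = (?P<id>0x[0-9a-fA-F]+)")
CAT_RE = re.compile(r"Category: (?P<cat>[\w-]+)\((?P<cat_id>\d+)\) Confidence level: (?P<conf>\d+)")


@dataclass
class Lookup:
    serial: str
    uri: str                           # URI the IAP asked about (REQ line)
    url: Optional[str] = None          # URL echoed in the reply
    reputation: Optional[int] = None   # REP value from the reply
    category: Optional[str] = None
    category_id: Optional[int] = None
    confidence: Optional[int] = None

    @property
    def resolved(self) -> bool:
        return self.category is not None


def parse_trace(text: str) -> Dict[str, Lookup]:
    """Return lookups keyed by serial; unanswered requests stay unresolved."""
    lookups: Dict[str, Lookup] = {}
    awaiting_category: Optional[str] = None  # reply seen, category line expected next
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if not m:
            continue  # trace_on / bcaruba status lines carry no lookup data
        sub, msg = m["sub"], m["msg"]
        if sub == "BCA DATA":
            r = REQ_RE.search(msg)
            if r:
                lookups[r["id"]] = Lookup(serial=r["id"], uri=r["uri"])
        elif sub == "BCA CONTROL":
            r = REP_RE.search(msg)
            if r:  # the reply is keyed by the same serial as the request
                lk = lookups.setdefault(r["id"], Lookup(serial=r["id"], uri=r["url"]))
                lk.url, lk.reputation = r["url"], int(r["rep"])
                awaiting_category = r["id"]
                continue
            r = CAT_RE.search(msg)
            if r and awaiting_category:  # category line belongs to the preceding reply
                lk = lookups[awaiting_category]
                lk.category, lk.category_id = r["cat"], int(r["cat_id"])
                lk.confidence = int(r["conf"])
                awaiting_category = None
    return lookups


def pending_serials(lookups: Dict[str, Lookup]) -> List[str]:
    """Serials that were sent for cloud/cache lookup but never got a category."""
    return sorted(s for s, lk in lookups.items() if not lk.resolved)
```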


Appendix

Performance impact due to DPI

The Virtual Controller shows management information pulled in from each IAP in a cluster. However, DPI, web policy enforcement, and firewall policies are executed independently on each IAP in the cluster. Hence, the size of the IAP cluster does not affect AppRF scalability.

The performance of an IAP is not affected, because of its dynamic CPU management. Under normal network load, in typical deployments with 16 clients per AP, the DPI module's CPU utilization is minimal even while classifying many sessions. DPI processing is tied to the IAP's dynamic CPU management to ensure that this processing on a loaded system does not affect control plane or management plane traffic. For example, on a heavily loaded IAP whose CPU becomes 80% busy, dynamic CPU management stops DPI classification of sessions so that other high-priority tasks can continue. The stopped sessions are marked as "incomplete", while enforcement and visibility of previously classified sessions are not affected. Classification capacity is a function of the new-session creation rate and the AP's CPU capability. Hence, a higher-end IAP 225 can classify 50 new sessions per second, while an IAP 109 can only classify 20 new sessions per second.

Custom error page

Starting with release 4.2, this feature lets you set a redirect URL that the client is sent to when it accesses a URL that the IAP denies.

Step 1:

Add a Custom Blocked Page URL “https://www.sohu.com/”

IAP UI - Security > Custom Blocked Page URL


The URL must be an absolute URL that starts with a scheme, "http://" or "https://".

Step 2: Bind the URL to a role, here the role "example"

IAP UI - Security > Roles > Rule type > Blocked Page URL

Step 3: You also need to configure a DPI ACL deny rule

IAP UI - Security > Roles > Rule type > Access control


If a client accesses www.baidu.com, the browser is redirected to the following URL on www.sohu.com:

http://www.sohu.com/?user_ip=%3C192.168.1.105%3E&dest_ip=%3C115.239.210.27%3E&app_name=%3Cbaidu%3E&web_rep=%3Ctrustworthy-sites%3E&web_cat=%3Csearch-engines%3E

Check the redirect URL in a packet capture taken on the client:

The custom error page feature only works for HTTP sites. The IAP responds in one of two ways:

Send an HTTP 302 with the redirect URL in the "Location" header to the client

Send an HTTP 200 with the deny page as the HTML body to the client

It does not work for HTTPS sites.

If the client has a standard browser, the browser can process the HTTP 302/200 response and perform the redirect or display the page.

If the client is using an app rather than a browser, the app cannot process the HTTP 302/200 response the way a standard browser does.
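The redirect URL above carries the user IP, destination IP, app name, web reputation and web category as query parameters, each wrapped in angle brackets (the %3C...%3E). The following Python code is an added example (not code from the VRD or from Aruba) that decodes those parameters and renders a minimal deny page with every value HTML-escaped, since the values are derived from the client's traffic; the page-serving handler it stands in for is hypothetical.

```python
"""Decode the IAP custom-blocked-page redirect URL and render a deny page.

Added example, not code from the Aruba Instant VRD. The parameter names and
the <...> wrapping come from the redirect URL shown in the text; the server
side that would serve the blocked page is hypothetical.
"""
from html import escape
from typing import Dict
from urllib.parse import parse_qs, urlsplit

# Redirect URL from the text; each value is sent as %3C<value>%3E.
SAMPLE_REDIRECT = (
    "http://www.sohu.com/?user_ip=%3C192.168.1.105%3E&dest_ip=%3C115.239.210.27%3E"
    "&app_name=%3Cbaidu%3E&web_rep=%3Ctrustworthy-sites%3E&web_cat=%3Csearch-engines%3E"
)

# Parameters the IAP appends, in the order they appear in the URL.
PARAMS = ("user_ip", "dest_ip", "app_name", "web_rep", "web_cat")


def parse_blocked_page_redirect(url: str) -> Dict[str, str]:
    """Return the five IAP parameters with the surrounding <...> removed."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    out: Dict[str, str] = {}
    for key in PARAMS:
        value = qs.get(key, [""])[0]          # percent-decoding already done
        if value.startswith("<") and value.endswith(">"):
            value = value[1:-1]               # strip the IAP's angle brackets
        out[key] = value
    return out


def render_deny_page(params: Dict[str, str]) -> str:
    """Minimal HTML body for the custom blocked page; all values escaped."""
    rows = "".join(
        f"<tr><th>{escape(k)}</th><td>{escape(v)}</td></tr>" for k, v in params.items()
    )
    return ("<!DOCTYPE html><html><body><h1>Access denied</h1>"
            f"<table>{rows}</table></body></html>")
```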

Websites dependency on web category

A few websites initiate sessions to many URLs, not just a few, and these keep changing dynamically. Take BBC as an example. To block www.bbc.com using an application DPI rule, one would use the configuration below:


However, if the client opens www.bbc.com, the page still loads. This is because the browser initiates TCP connections to a number of URLs that are spawned as a result. You can use "show datapath session dpi" to find out all the TCP connections initiated by the client, how they were classified, and whether they were blocked.

For example, below is a screenshot taken when a client opens www.bbc.com. The DNS query is resolved to 23.235.47.81. As you can see, the TCP connection starts normally and is not blocked, despite the rules to block the apps bbc and bbc-player.

If you look at "show datapath session dpi" for IP 23.235.47.81:

IAP205# show datapath session dpi

Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       I - Deep inspect, U - Locally destined
       s - media signal, m - mediamon, a - rtp analysis
       E - Media Deep Inspect, G - media signal
       A - Application Firewall Inspect
RAP Flags: 0 - Q0, 1 - Q1, 2 - Q2, r - redirect to master, t - time based

Source IP         Destination IP  Prot SPort Dport App                        Webcat WebRep Packets Bytes PktsDpi Flags
----------------  --------------  ---- ----- ----- -------------------------- ------------------------- ------ ------- ----- ------- -----
23.235.47.81      192.168.3.100   6    80    50841 http                [67  ] news-and-media      [63 ] 5      0       0     6
192.168.3.100     23.235.47.81    6    50841 80    http                [67  ] news-and-media      [63 ] 5      0       0     1       C

Note that the session has been classified as the app http, not as bbc or bbc-player. The web category, however, is news-and-media. The Flags field shows that this connection is not denied.

DPI signatures are not updated in real time; they are updated when the IAP code is upgraded. The web content filtering database, hosted by BrightCloud, is more up to date. Hence, to block access to www.bbc.com in this case, we identified the other TCP connections that the client created to open the web page. We found that they were not being blocked and were resulting in the page being opened in the browser. They were classified as http in the app category but as news-and-media in the web category. Ideally they should have been classified as bbc in the app category, but the limited signatures in the built-in DPI engine did not allow it.

These cases will keep arising, as numerous sites change their IP addresses and DNS resolutions quickly. To work around them, use the web category to identify and block the traffic. In the above scenario, the rule below works and results in the "HTTP status 403 – Access is denied" web page if the client tries to access www.bbc.com:
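To find such flows without reading the session table by eye, the following Python check is an added example (not code from the VRD or from Aruba): it parses rows in the format of the "show datapath session dpi" output above and reports client-side sessions to a blocked web category that carry no D (deny) flag, which are exactly the flows an app-signature rule missed and a web-category rule would catch. The row layout is inferred from that output; the sample adds one constructed row that was denied, for contrast.

```python
"""Find client sessions that an app DPI rule left unblocked.

Added example, not code from the Aruba Instant VRD. Row layout is inferred
from the 'show datapath session dpi' output in the text; the sample keeps the
two www.bbc.com rows from the text and adds one constructed denied row.
"""
import re
from typing import List, NamedTuple, Set

SAMPLE_TABLE = """\
Source IP         Destination IP  Prot SPort Dport App                        Webcat WebRep Packets Bytes PktsDpi Flags
----------------  --------------  ---- ----- ----- -------------------------- ------------------------- ------ ------- ----- ------- -----
23.235.47.81      192.168.3.100   6    80    50841 http                [67  ] news-and-media      [63 ] 5      0       0     6
192.168.3.100     23.235.47.81    6    50841 80    http                [67  ] news-and-media      [63 ] 5      0       0     1       C
192.168.3.100     203.0.113.10    6    50842 80    bbc                 [999 ] news-and-media      [63 ] 5      0       0     1       CD
"""
# The third row is constructed (203.0.113.10 and app id 999 are placeholders).

ROW_RE = re.compile(
    r"^(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<prot>\d+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"(?P<app>\S+)\s+\[\s*(?P<app_id>\d+)\s*\]\s+(?P<webcat>\S+)\s+\[\s*(?P<cat_id>\d+)\s*\]\s+"
    r"(?P<webrep>\d+)\s+(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<pktsdpi>\d+)\s*(?P<flags>[A-Za-z0-9]*)\s*$"
)

# Flag letters from the legend printed above the table.
DENY_FLAG = "D"    # D - deny: policy dropped this session
CLIENT_FLAG = "C"  # C - client: the client-initiated direction of a flow


class Session(NamedTuple):
    src: str
    dst: str
    prot: int
    sport: int
    dport: int
    app: str
    webcat: str
    flags: str


def parse_sessions(text: str) -> List[Session]:
    """Parse session rows; legend, header and separator lines are skipped."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        sessions.append(Session(m["src"], m["dst"], int(m["prot"]), int(m["sport"]),
                                int(m["dport"]), m["app"], m["webcat"], m["flags"]))
    return sessions


def unblocked_in_webcat(sessions: List[Session], blocked_webcats: Set[str]) -> List[Session]:
    """Client-side sessions in a blocked web category that carry no deny flag.

    Only the C (client) direction is considered so each flow is reported once;
    the app column of the result shows what the DPI engine classified it as.
    """
    return [s for s in sessions
            if CLIENT_FLAG in s.flags
            and DENY_FLAG not in s.flags
            and s.webcat in blocked_webcats]
```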


Terminology

Acronyms and Abbreviations

The following table lists the abbreviations used in this document.

Abbreviation Expansion

AMP AirWave Management Platform

ARM Adaptive Radio Management

ARP Address Resolution Protocol

BSS Basic Server Set

BSSID Basic Server Set Identifier

CA Certification Authority

CLI Command Line Interface

CoA Change of Authorization

CL3 Centralized Layer 3

CL2 Centralized Layer 2

DL3 Distributed layer 3

DL2 Distributed layer 2

DPI Deep Packet Inspection

DHCP Dynamic Host Configuration Protocol

DMO Dynamic Multicast Optimization

DMZ Demilitarized Zone

DNS Domain Name System

DRP Dynamic Radius Proxy

EAP-TLS Extensible Authentication Protocol-Transport Layer Security

EAP-TTLS Extensible Authentication Protocol-Tunneled Transport Layer Security

GRE Generic Routing Encapsulation

Table 19: List of abbreviations


IAP Instant Access Point

IDS Intrusion Detection System

IGC Instant GUI Config

IEEE Institute of Electrical and Electronics Engineers

ISP Internet Service Provider

LEAP Lightweight Extensible Authentication Protocol

MX Mail Exchanger

MAC Media Access Control

NAS Network Access Server

NAT Network Address Translation

NS Name Server

NTP Network Time Protocol

PEAP Protected Extensible Authentication Protocol

PEM Privacy Enhanced Mail

PoE Power over Ethernet

QoS Quality of Service

RADIUS Remote Authentication Dial In User Service

UI User Interface

VC Virtual Controller

VPN Virtual Private Networks

VSA Vendor-Specific Attributes

WLAN Wireless Local Area Network


Glossary

The following table lists the terms and their definitions used in this document.


Term Definition

802.11 An evolving family of specifications for wireless LANs developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing.

802.11a Provides specifications for wireless systems. Networks using 802.11a operate at radio frequencies in the 5 GHz band. The specification uses a modulation scheme known as orthogonal frequency-division multiplexing (OFDM) that is especially well suited to use in office settings. The maximum data transfer rate is 54 Mbps.

802.11b WLAN standard often called Wi-Fi; backward compatible with 802.11. Instead of the phase-shift keying (PSK) modulation method historically used in 802.11 standards, 802.11b uses complementary code keying (CCK), which allows higher data speeds and is less susceptible to multipath-propagation interference. 802.11b operates in the 2.4 GHz band and the maximum data transfer rate is 11 Mbps.

802.11g Offers transmission over relatively short distances at up to 54 Mbps, compared with the 11 Mbps theoretical maximum of 802.11b. 802.11g operates in the 2.4 GHz band and employs orthogonal frequency division multiplexing (OFDM), the modulation scheme used in 802.11a, to obtain higher data speed. Computers or terminals set up for 802.11g can fall back to speeds of 11 Mbps, so that 802.11b and 802.11g devices can be compatible within a single network.

802.11n Wireless networking standard to improve network throughput over the two previous standards 802.11a and 802.11g with a significant increase in the maximum raw data rate from 54 Mbps to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz. 802.11n operates in the 2.4 and 5.0 GHz bands.

AP An access point (AP) connects users to other users within the network and also can serve as the point of interconnection between the WLAN and a fixed wire network. The number of access points a WLAN needs is determined by the number of users and the size of the network.

access point mapping The act of locating and possibly exploiting connections to WLANs while driving around a city or elsewhere. To do war driving, you need a vehicle, a computer (which can be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be mounted on top of or positioned inside the car. Because a WLAN may have a range that extends beyond an office building, an outside user may be able to intrude into the network, obtain a free Internet connection, and possibly gain access to company records and other resources.

Table 20: List of Terms


ad-hoc network A LAN or other small network, especially one with wireless or temporary plug-in connections, in which some of the network devices are part of the network only for the duration of a communications session or, in the case of mobile or portable devices, while in some close proximity to the rest of the network.

band A specified range of frequencies of electromagnetic radiation.

DHCP The Dynamic Host Configuration Protocol (DHCP) is an auto-configuration protocol used on IP networks. Computers or any network peripherals that are connected to IP networks must be configured before they can communicate with other computers on the network. DHCP allows a computer to be configured automatically, eliminating the need for a network administrator. DHCP also provides a central database to keep track of computers connected to the network. This database helps in preventing any two computers from being configured with the same IP address.

DNS Server A Domain Name System (DNS) server functions as a phonebook for the Internet and Internet users. It converts human readable computer hostnames into IP addresses and vice-versa.

A DNS server stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element.

DST Daylight saving time (DST), also known as summer time, is the practice of advancing clocks, so that evenings have more daylight and mornings have less. Typically clocks are adjusted forward one hour near the start of spring and are adjusted backward in autumn.

EAP Extensible authentication protocol (EAP) refers to the authentication protocol in wireless networks that expands on methods used by the point-to-point protocol (PPP), a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.

fixed wireless Wireless devices or systems in fixed locations such as homes and offices. Fixed wireless devices usually derive their electrical power from the utility mains, unlike mobile wireless or portable wireless which tend to be battery-powered. Although mobile and portable systems can be used in fixed locations, efficiency and bandwidth are compromised compared with fixed systems.

frequency allocation Use of radio frequency spectrum regulated by governments.

frequency spectrum Part of the electromagnetic spectrum.


hotspot A WLAN node that provides Internet connection and virtual private network (VPN) access from a given location. A business traveler, for example, with a laptop equipped for Wi-Fi can look up a local hot spot, contact it, and get connected through its network to reach the Internet and their own company remotely with a secure connection. Increasingly, public places, such as airports, hotels, and coffee shops are providing free wireless access for customers.

IEEE 802.11 standards The IEEE 802.11 is a set of standards that are categorized based on the radio wave frequency and the data transfer rate.

POE Power over Ethernet (PoE) is a method of delivering power on the same physical Ethernet wire used for data communication. Power for devices is provided in one of the following two ways:

- Endspan: the switch that the AP is connected to supplies the power.

- Midspan: a device that sits between the switch and the APs supplies the power.

The choice of endspan or midspan depends on the capabilities of the switch to which the IAP is connected. Typically, if a switch is in place and does not support PoE, midspan power injectors are used.

PPPoE Point-to-Point Protocol over Ethernet (PPPoE) is a method of connecting to the Internet typically used with DSL services where the client connects to the DSL modem.

QoS Quality of Service (QoS) refers to the capability of a network to provide better service to specific network traffic over various technologies.

RF Radio Frequency (RF) refers to the portion of the electromagnetic spectrum in which electromagnetic waves are generated by feeding alternating current to an antenna.

TACACS Family of protocols that handle remote authentication and related services for network access control through a centralized server.

TACACS+ Derived from TACACS but an entirely new and separate protocol to handle AAA services. TACACS+ uses TCP and is not compatible with TACACS. Because it encrypts password, username, authorization, and accounting, it is less vulnerable than RADIUS.

VPN A Virtual Private Network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A VPN ensures privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). Data is encrypted at the sending end and decrypted at the receiving end.


W-CDMA Officially known as IMT-2000 direct spread; ITU standard derived from Code-Division Multiple Access (CDMA). Wideband code-division multiple access (W-CDMA) is a third-generation (3G) mobile wireless technology that promises much higher data speeds to mobile and portable wireless devices than commonly offered in today's market.

Wi-Fi A term for certain types of WLANs. Wi-Fi can apply to products that use any 802.11 standard. Wi-Fi has gained acceptance in many businesses, agencies, schools, and homes as an alternative to a wired LAN. Many airports, hotels, and fast-food facilities offer public access to Wi-Fi networks.

WEP Wired equivalent privacy (WEP) is a security protocol specified in 802.11b, designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. Data encryption protects the vulnerable wireless link between clients and access points; once this measure has been taken, other typical LAN security mechanisms such as password protection, end-to-end encryption, virtual private networks (VPNs), and authentication can be put in place to ensure privacy.

wireless Describes telecommunications in which electromagnetic waves (rather than some form of wire) carry the signal over part or all of the communication path.

wireless network In a Wireless LAN (WLAN), laptops, desktops, PDAs, and other computer peripherals are connected to each other without any network cables. These network elements or clients use radio signals to communicate with each other. Wireless networks are set up based on the IEEE 802.11 standards.

WISP Wireless ISP (WISP) refers to an internet service provider (ISP) that allows subscribers to connect to a server at designated hot spots (access points) using a wireless connection such as Wi-Fi. This type of ISP offers broadband service and allows subscriber computers, called stations, to access the Internet and the web from anywhere within the zone of coverage provided by the server antenna, usually a region with a radius of several kilometers.

wireless service provider A company that offers transmission services to users of wireless devices through radio frequency (RF) signals rather than through end-to-end wire communication.

WLAN Wireless local area network (WLAN) is a local area network (LAN) that the users access through a wireless connection.
