Aruba Instant 6.4.0.2-4.1 | User Guide IAP-VPN Deployment | 224
Chapter 15
IAP-VPN Deployment
This section provides the following information:
- Understanding IAP-VPN Architecture on page 224
- Configuring IAP and Controller for IAP-VPN Operations on page 226
Understanding IAP-VPN Architecture
The IAP-VPN architecture includes the following two components:
- IAPs at branch sites
- Controller at the datacenter
The master IAP at the branch acts as the VPN endpoint and the controller at the datacenter acts as the VPN
concentrator. When an IAP is set up for VPN, it forms an IPsec tunnel to the controller to secure sensitive corporate
data. IPsec authentication and authorization between the controller and the IAPs is based on the RAP whitelist
configured on the controller.
Only the master AP in an IAP cluster forms the VPN tunnel.
From the controller perspective, the master IAPs that form the VPN tunnel are treated as VPN clients. The
controller terminates the VPN tunnels and routes or switches the VPN traffic. The IAP cluster creates an IPsec or GRE
VPN tunnel from the Virtual Controller to a mobility controller in a branch office. The controller acts only as an IPsec or
GRE VPN endpoint; it does not configure the IAP.
IAP-VPN Scalability Limits
The controller scalability in the IAP-VPN architecture depends on factors such as the IPsec tunnel limit, the Branch ID
limit, and the datapath route table limit. The following table provides the IAP-VPN scalability information for the
various controller platforms:
Table 42: IAP-VPN Scalability

Platforms   Branches   Routes   L3 Mode Users   NAT Users   Total L2 Users
3200        1000       1000     N/A             N/A         64000
3400        2000       2000     N/A             N/A         64000
3600        8000       8000     N/A             N/A         64000
M3          8000       8000     N/A             N/A         64000
7210        8000       8000     N/A             N/A         64000
7220        16000      16000    N/A             N/A         128000
7240        32000      32000    N/A             N/A         128000
- Branches—The number of IAP-VPN branches that can be terminated on a given controller platform.
- Routes—The number of L3 routes supported on the controller.