225 | IAP-VPN Deployment Aruba Instant 6.4.0.2-4.1 | User Guide
- L3 mode and NAT mode users—The number of trusted users supported on the controller. There is no scale
impact on the controller. They are limited only by the number of clients supported per IAP.
- L2 mode users—The number of L2 mode users is limited to 128000 for 7220/7240 and 64000 across all
platforms.
IAP-VPN Forwarding Modes
The following forwarding modes are supported in the IAP-VPN scenario.
- Local mode
- Centralized L2 mode
- Distributed L2 mode
- Distributed L3 mode
The forwarding modes determine whether the DHCP server and default gateway for clients reside in the branch or at
the datacenter. They do not determine the firewall processing or traffic forwarding behavior. The Virtual Controller
allocates an IP subnet to each branch and offers several DHCP pool types (assignment modes). For clients on a VLAN
that is mapped to a VPN tunnel, the Virtual Controller also offers several modes of forwarding traffic. Each forwarding
mode is associated with a DHCP address assignment mode.
Local or NAT Mode
In this mode, the IAP cluster at the branch has a local subnet, and the master IAP of the cluster acts as the DHCP
server and gateway for clients. Local mode provides VPN connectivity using the inner IP address of the IAP-VPN IPsec
tunnel. The source IP of all client traffic is translated: traffic destined for the corporate network is translated to
the VPN tunnel IP address of the IAP and forwarded through the IPsec VPN tunnel, while traffic destined for
non-corporate networks is translated to the IP address of the IAP and forwarded through the uplink.
When local mode is used to forward client traffic, hosts on the corporate network cannot initiate connections to
clients behind the IAP, because the source address of the clients is translated.
L2 Switching Mode
In this mode, traffic destined for the corporate network is bridged through the VPN tunnel to the controller. Traffic
destined for non-corporate networks is translated using the IP address of the IAP and is forwarded through the
uplink.
When an IAP registers with the controller and is configured to use the L2 DHCP scope, the controller automatically
adds the VPN tunnel associated with this IAP to the VLAN multicast table. This allows clients connecting to the
L2 mode VLAN to be part of the same L2 broadcast domain on the controller.
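The following model, added here as an illustration and not code from the Aruba guide or product, shows the reachability consequence of the two forwarding behaviours described above: in local (NAT) mode every client flow is translated, so a corporate host can only reach a client through an existing NAT entry, while in L2 switching mode corporate-bound traffic is bridged untranslated and the client keeps a routable corporate address. The corporate prefix, the IAP uplink address, the tunnel inner IP and the port range are constructed sample values (assumptions), and the `IAP` class and its methods are hypothetical names chosen for the model.

```python
"""Model of IAP-VPN forwarding in local (NAT) mode versus L2 switching mode.

Added example, not Aruba code. All addresses below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

CORPORATE_NETS = [ip_network("10.0.0.0/8")]   # assumption: what counts as "corporate"
IAP_UPLINK_IP = "203.0.113.5"                 # assumption: IAP address on the ISP uplink
IAP_TUNNEL_INNER_IP = "10.255.0.7"            # assumption: inner IP of the IPsec tunnel

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Forwarded:
    egress: str        # "ipsec-tunnel" or "uplink"
    src: Endpoint      # source endpoint as seen by the destination
    translated: bool   # True if the IAP applied source NAT


def is_corporate(ip: str) -> bool:
    """Classify a destination as corporate or non-corporate by prefix."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


class IAP:
    """A master IAP forwarding one client VLAN in 'local' (NAT) or 'l2' mode (hypothetical class)."""

    def __init__(self, mode: str):
        if mode not in ("local", "l2"):
            raise ValueError(f"unsupported mode {mode!r}")
        self.mode = mode
        # NAT state: translated endpoint -> original client endpoint.
        self._nat: Dict[Endpoint, Endpoint] = {}
        self._next_port = 40000  # assumption: start of the NAT port pool

    def _snat(self, client: Endpoint, new_ip: str) -> Endpoint:
        """Reuse an existing translation for this client/egress, or allocate one."""
        for xlated, orig in self._nat.items():
            if orig == client and xlated[0] == new_ip:
                return xlated
        xlated = (new_ip, self._next_port)
        self._next_port += 1
        self._nat[xlated] = client
        return xlated

    def outbound(self, client: Endpoint, dst_ip: str) -> Forwarded:
        """Forward a client packet according to the mode and the destination."""
        if is_corporate(dst_ip):
            if self.mode == "local":
                # Local mode: translate to the tunnel inner IP, send through IPsec.
                return Forwarded("ipsec-tunnel", self._snat(client, IAP_TUNNEL_INNER_IP), True)
            # L2 mode: bridged through the tunnel, source address untouched.
            return Forwarded("ipsec-tunnel", client, False)
        # Both modes: non-corporate traffic is translated to the IAP uplink IP.
        return Forwarded("uplink", self._snat(client, IAP_UPLINK_IP), True)

    def inbound_from_corporate(self, dst: Endpoint) -> Optional[Endpoint]:
        """Deliver a packet arriving over the tunnel to a client, or None if it is dropped.

        In L2 mode the client address is on the bridged corporate VLAN, so the packet
        is delivered as-is. In local mode only a matching NAT entry can map the packet
        back to a client; an unsolicited connection from the datacenter has none.
        """
        if self.mode == "l2":
            return dst
        return self._nat.get(dst)


if __name__ == "__main__":
    local = IAP("local")
    flow = local.outbound(("192.168.10.20", 51000), "10.1.1.1")
    print("local outbound:", flow)
    print("local reply delivered to:", local.inbound_from_corporate(flow.src))
    print("local unsolicited inbound:", local.inbound_from_corporate((IAP_TUNNEL_INNER_IP, 22)))
    l2 = IAP("l2")
    print("l2 outbound:", l2.outbound(("10.20.30.40", 51000), "10.1.1.1"))
    print("l2 unsolicited inbound:", l2.inbound_from_corporate(("10.20.30.40", 22)))
```

The `inbound_from_corporate` lookup is the point of the model: the same NAT table that lets replies for an established client flow return in local mode is what prevents the datacenter from initiating connections to branch clients, which is the restriction the guide notes for local mode and the reason an L2 mode is chosen when clients must be reachable from the corporate side.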
Distributed L2 Mode
In this mode, the IAP assigns the client an IP address from the configured subnet and forwards traffic to both
corporate and non-corporate destinations. Clients receive a corporate IP address with the Virtual Controller acting as
the DHCP server. The default gateway for the client still resides in the datacenter, so this mode is an L2 extension of
the corporate VLAN to the remote site. Either the controller or an upstream router can be the gateway for the clients.
Client traffic destined for datacenter resources is forwarded by the master AP through the IPsec tunnel to the client's
default gateway in the datacenter.
Centralized L2 Mode
The centralized L2 mode extends the corporate VLAN or broadcast domain to remote branches. The DHCP server
and the gateway for the clients reside in the datacenter. Either the controller or an upstream router can be the
gateway for the clients. For DHCP services in centralized L2 mode, Aruba recommends using an external DHCP