Concept Guide
Table Of Contents
- About this Guide
- About Instant
- Setting up a W-IAP
- Automatic Retrieval of Configuration
- Instant User Interface
- Initial Configuration Tasks
- Basic Configuration Tasks
- Additional Configuration Tasks
- Customizing W-IAP Settings
- Modifying the W-IAP Hostname
- Configuring Zone Settings on a W-IAP
- Specifying a Method for Obtaining IP Address
- Configuring External Antenna
- Configuring Radio Profiles for a W-IAP
- Configuring Uplink VLAN for a W-IAP
- Changing USB Port Status
- Master Election and Virtual Controller
- Adding a W-IAP to the Network
- Removing a W-IAP from the Network
- VLAN Configuration
- Wireless Network Profiles
- Configuring Wireless Network Profiles
- Configuring Fast Roaming for Wireless Clients
- Editing Status of a WLAN SSID Profile
- Editing a WLAN SSID Profile
- Deleting a WLAN SSID Profile
- Wired Profiles
- Configuring a Wired Profile
- Assigning a Profile to Ethernet Ports
- Editing a Wired Profile
- Deleting a Wired Profile
- Link Aggregation Control Protocol
- Understanding Hierarchical Deployment
- Captive Portal for Guest Access
- Understanding Captive Portal
- Configuring a WLAN SSID for Guest Access
- Configuring Wired Profile for Guest Access
- Configuring Internal Captive Portal for Guest Network
- wConfiguring External Captive Portal for a Guest Network
- Configuring Facebook Login
- Configuring Guest Logon Role and Access Rules for Guest Users
- Configuring Captive Portal Roles for an SSID
- Configuring Walled Garden Access
- Authentication and User Management
- Managing W-IAP Users
- Supported Authentication Methods
- Supported EAP Authentication Frameworks
- Configuring Authentication Servers
- Understanding Encryption Types
- Configuring Authentication Survivability
- Configuring 802.1X Authentication for a Network Profile
- Configuring MAC Authentication for a Network Profile
- FConfiguring MAC Authentication with 802.1X Authentication
- hConfiguring MAC Authentication with Captive Portal Authentication
- Configuring WISPr Authentication
- Blacklisting Clients
- Uploading Certificates
- Roles and Policies
- Firewall Policies
- Content Filtering
- Configuring User Roles
- Configuring Derivation Rules
- Using Advanced Expressions in Role and VLAN Derivation Rules
- DHCP Configuration
- VPN Configuration
- IAP-VPN Deployment
- Adaptive Radio Management
- Deep Packet Inspection and Application Visibility
- Voice and Video
- Services
- AirGroup Configuration
- Configuring a W-IAP for RTLS Support
- Configuring a W-IAP for Analytics and Location Engine Support
- Configuring OpenDNS Credentials
- Integrating a W-IAP with Palo Alto Networks Firewall
- Integrating a W-IAP with an XML API interface
- CALEA Integration and Lawful Intercept Compliance
- W-IAP Management and Monitoring
- Managing a W-IAP from W-AirWave
- Image Management
- Resetting a W-IAP
- W-IAP and Client Monitoring
- Template-based Configuration
- Trending Reports
- Intrusion Detection System
- Wireless Intrusion Detection System (WIDS) Event Reporting to W-AirWave
- RF Visualization Support for Instant
- PSK-based and Certificate-based Authentication
- Configurable Port for W-IAP and W-AirWave Management Server Communication
- Configuring Organization String
- Managing a W-IAP from W-AirWave
- Uplink Configuration
- Intrusion Detection
- Mesh W-IAP Configuration
- Mobility and Client Management
- Spectrum Monitor
- W-IAP Maintenance
- Monitoring Devices and Logs
- Hotspot Profiles
- Understanding Hotspot Profiles
- Configuring Hotspot Profiles
- Creating Advertisement Profiles for Hotspot Configuration
- Configuring an NAI Realm Profile
- Configuring a Venue Name Profile
- Configuring a Network Authentication Profile
- Configuring a Roaming Consortium Profile
- Configuring a 3GPP Profile
- Configuring an IP Address Availability Profile
- Configuring a Domain Profile
- Configuring an Operator-friendly Profile
- Configuring a Connection Capability Profile
- Configuring an Operating Class Profile
- Configuring a WAN Metrics Profile
- Creating a Hotspot Profile
- Associating an Advertisement Profile to a Hotspot Profile
- Creating a WLAN SSID and Associating Hotspot Profile
- Creating Advertisement Profiles for Hotspot Configuration
- Sample Configuration
- ClearPass Guest Setup
- IAP-VPN Deployment Scenarios
- Terminology
Dell Networking W-Series Instant 6.4.3.1-4.2.0.0 | User Guide IAP-VPN Deployment | 239
Chapter 16
IAP-VPN Deployment
This section provides the following information:
l Understanding IAP-VPN Architecture on page 239
l Configuring W-IAP and Controller for IAP-VPN Operations on page 242
Understanding IAP-VPN Architecture
The IAP-VPN architecture includes the following two components:
l W-IAPs at branch sites
l Controller at the datacenter
The master W-IAP at the branch acts as the VPN endpoint and the controller at the datacenter acts as the VPN
concentrator. When a W-IAP is set up for VPN, it forms an IPsec tunnel to the controller to secure sensitive
corporate data. IPsec authentication and authorization between the controller and the W-IAPs is based on the
RAP whitelist configured on the controller.
Only the master AP in a W-IAP cluster forms the VPN tunnel.
From the controller perspective, the master W-IAPs that form the VPN tunnel are considered as VPN clients.
The controller terminates VPNtunnels and routes or switches VPN traffic. The W-IAP cluster creates an IPSec or
GRE VPNtunnel from the VC to a mobility controller in a branch office. The controller only acts an IPSec or GRE
VPN end-point and it does not configure the W-IAP.
IAP-VPN Scalability Limits
The controller scalability in IAP-VPN architecture depends on factors such as IPsec tunnel limit, Branch ID limit
and datapath route table limit. The following table provides the IAP-VPN scalability information for various
controller platforms:
Platforms Branches Routes L3 Mode Users NATUsers Total L2 Users
W-3200 1000 1000
N/A N/A
64000
W-3400 2000 2000 64000
W-3600 8000 8000 64000
W-6000M3 8000 8000 64000
W-7210 8000 8000 64000
W-7220 16000 16000 128000
W-7240 32000 32000 128000
Table 45: IAP-VPN Scalability