Instant AP VPN Overview
As Instant APs use a virtual controller architecture, the Instant AP network does not require a physical controller to provide the configured WLAN services. However, a physical controller is required for terminating VPN tunnels from the Instant AP networks at branch locations or data centers, where the Aruba controller acts as a VPN concentrator.
When the VPN is configured, the Instant AP acting as the virtual controller creates a VPN tunnel to the Aruba Mobility Controller in your corporate office. The controller acts only as a VPN endpoint and does not supply the Instant AP with any configuration.
The VPN features are recommended for:
Enterprises with many branches that do not have a dedicated VPN connection to the corporate office.
Branch offices that require multiple APs.
Individuals working from home who connect to the corporate network over the VPN.
Supported VPN Protocols
Instant APs support the following VPN protocols for remote access:
VPN Protocol | Description |
---|---|
IPsec | IPsec is a protocol suite that secures IP communications by authenticating and encrypting each IP packet of a communication session. You can configure an IPsec tunnel to ensure that all data flowing between the networks is encrypted, or configure a split tunnel to encrypt only the corporate traffic. When IPsec is configured, ensure that you add the Instant AP MAC addresses to the whitelist database stored on the controller or on an external server. IPsec supports the Local, L2, and L3 modes of IAP-VPN operation. Instant APs support IPsec only with Aruba Controllers. |
GRE | GRE is a tunnel protocol for encapsulating multicast, broadcast, and L2 packets between a GRE-capable device and an endpoint. Instant APs support the configuration of an L2 GRE (Ethernet over GRE) tunnel with an Aruba Controller to encapsulate the packets sent and received by the Instant AP. Use the GRE configuration for L2 deployments only when there is no encryption requirement between the Instant AP and the controller for client traffic. Instant APs support two types of GRE configuration. Manual GRE: sends unencrypted client traffic with an additional GRE header and does not support failover; when manual GRE is configured on the Instant AP, ensure that the GRE tunnel settings are enabled on the controller. Aruba GRE: no configuration on the controller is required except for adding the Instant AP MAC addresses to the whitelist database stored on the controller or on an external server; Aruba GRE reduces the manual configuration required and supports failover between two GRE endpoints. Instant APs support manual and Aruba GRE configuration only for the L2 mode of operation. Aruba GRE configuration is supported only with Aruba Controllers. |
L2TPv3 | The L2TPv3 feature allows the Instant AP to act as an L2TP Access Concentrator (LAC) and tunnel all wireless client L2 traffic from the AP to the L2TP Network Server (LNS). In a centralized L2 model, the VLANs on the corporate side are extended to the remote branch sites. Wireless clients associated with the Instant AP get their IP addresses from the DHCP server running on the LNS, so the AP has to transparently pass DHCP transactions through the L2TPv3 tunnel. |
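The manual GRE caveat in the table above (client traffic is sent unencrypted with only a GRE header added) is easy to verify on the wire. The following Python is an added example, not Aruba code or configuration from this page: it builds an IPv4/GRE packet carrying a constructed client Ethernet frame using the Transparent Ethernet Bridging protocol type 0x6558 (the type used for Ethernet over GRE) and parses it back, showing that the client MAC addresses and payload are readable by anyone on the path between the Instant AP and the controller. The tunnel endpoint addresses, the optional GRE key, and the frame contents are made up for the example.

```python
"""
Encapsulate and decapsulate an Ethernet frame in an IPv4/GRE tunnel
(GRE protocol type 0x6558, Transparent Ethernet Bridging, i.e. L2
"Ethernet over GRE").  Added example: it shows that a manual GRE tunnel
only prepends headers, so the client frame travels in the clear.
"""
import struct
from typing import Optional

GRE_IP_PROTO = 47            # IP protocol number for GRE
GRE_PTYPE_TEB = 0x6558       # Transparent Ethernet Bridging (Ethernet over GRE)
GRE_FLAG_CHECKSUM = 0x8000   # GRE header flag bits (RFC 2784 / RFC 2890)
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000

# Constructed sample client frame: broadcast dst, made-up client src MAC,
# EtherType 0x0800, and a stand-in payload.
SAMPLE_CLIENT_FRAME = (
    bytes.fromhex("ffffffffffff") + bytes.fromhex("aabbccddee01")
    + struct.pack("!H", 0x0800) + b"client data sent in the clear"
)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(inner_frame: bytes, src_ip: str, dst_ip: str,
                    key: Optional[int] = None) -> bytes:
    """Wrap an Ethernet frame in a (optionally keyed) GRE header inside IPv4."""
    flags = GRE_FLAG_KEY if key is not None else 0
    gre = struct.pack("!HH", flags, GRE_PTYPE_TEB)
    if key is not None:
        gre += struct.pack("!I", key)
    total_len = 20 + len(gre) + len(inner_frame)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # Version/IHL, TOS, total length, ID, DF flag, TTL, protocol=GRE, checksum placeholder
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                      GRE_IP_PROTO, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + gre + inner_frame


def gre_decapsulate(packet: bytes) -> dict:
    """Parse IPv4 + GRE and return the inner frame and what an observer can read."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_IP_PROTO:
        raise ValueError("outer packet is not GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    off = ihl + 4
    if flags & GRE_FLAG_CHECKSUM:
        off += 4                      # checksum + reserved1
    key = None
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_SEQ:
        off += 4
    if ptype != GRE_PTYPE_TEB:
        raise ValueError("GRE payload is not Ethernet (0x%04x)" % ptype)
    inner = packet[off:]
    return {
        "outer_src": ".".join(str(b) for b in packet[12:16]),
        "outer_dst": ".".join(str(b) for b in packet[16:20]),
        "key": key,
        "client_dst_mac": inner[:6].hex(":"),
        "client_src_mac": inner[6:12].hex(":"),
        "inner_ethertype": struct.unpack("!H", inner[12:14])[0],
        "payload": inner[14:],
        "frame": inner,
    }


if __name__ == "__main__":
    pkt = gre_encapsulate(SAMPLE_CLIENT_FRAME, "10.1.1.5", "192.0.2.10", key=0x1234)
    for k, v in gre_decapsulate(pkt).items():
        print("%-16s %r" % (k, v))
```

Running the script prints the client source MAC and the payload exactly as a passive observer between the branch and the controller would see them; nothing in the GRE header hides them. The same decapsulation logic is what you would point at a capture to confirm whether a deployment is actually using IPsec (outer protocol 50, ESP) or plain GRE (outer protocol 47) for client traffic.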