Understanding IAP-VPN Architecture
The IAP-VPN architecture includes the following two components:
Instant APs at branch sites
Controller at the datacenter
The master Instant AP at the branch site acts as the VPN endpoint and the controller at the datacenter acts as the VPN concentrator. When a
From the controller perspective, the master Instant APs that form the VPN tunnel are considered VPN clients. The controller terminates the VPN tunnels and routes or switches the VPN traffic. The Instant AP cluster creates an IPsec or GRE VPN tunnel from the virtual controller to a Mobility Controller in a branch office. The controller only acts as an IPsec or GRE VPN endpoint; it does not configure the Instant AP.
IAP-VPN Scalability Limits
The controller scalability in the IAP-VPN architecture depends on factors such as the number of IAP-VPN branches, the route limit, and the VLAN limit.

The following table provides the IAP-VPN scalability information for various controller platforms:

| Platforms | IAP-VPN Branches (Preferred) | Route Limit | User Limit (L2 Mode) | VLAN Limit |
|---|---|---|---|---|
| 7280 | 8,192 | 32,769 | 16,384 | 4,094 |
| 7240XM | 8,192 | 32,769 | 16,384 | 4,094 |
| 7220 | 4,096 | 16,384 | 16,384 | 4,094 |
| 7210 | 2,048 | 8,192 | 12,228 | 4,094 |
| 7205 | 1,024 | 8,192 | 8,192 | 2,048 |
| 7030 | 256 | 8,189 | 3,582 | 256 |
| 7024 | 128 | 4,093 | 1,792 | 128 |
| 7010 | 128 | 4,093 | 1,792 | 128 |
| 7008 | 64 | 4,093 | 896 | 128 |
| 7005 | 64 | 4,093 | 896 | 128 |

IAP-VPN Branches (Preferred)—The number of IAP-VPN branches that can be terminated on a given controller platform.
Route Limit—The number of L3 routes supported on the controller.
—The number of
IAP-VPN Forwarding Modes
The forwarding modes determine whether the DHCP server and default gateway for clients reside in the branch or at the datacenter. These modes do not determine the firewall processing or traffic forwarding functionality. The virtual controller enables different DHCP pools (various assignment modes) in addition to allocating IP subnets for each branch.
The virtual controller allows different modes of forwarding traffic from the clients on a VLAN based on the DHCP scope configured on the Instant AP.
For IAP-VPN deployments, the following forwarding modes are supported:
Local mode
L2 Switching mode
L3 routing mode
The DHCP scopes associated with these forwarding modes are described in the following sections.
Local Mode
In this mode, the Instant AP cluster at the branch has a local subnet and the master Instant AP of the cluster acts as the DHCP server and gateway for clients. The local mode provides access to the corporate network using the inner IP of the IPsec tunnel. The network address for traffic destined to the corporate network is translated at the source with the inner IP of the IPsec tunnel and is forwarded through the IPsec tunnel. The traffic destined to the non-corporate network is translated using the IP address of the Instant AP and is forwarded through the uplink.

When the local mode is used for forwarding client traffic, hosts on the corporate network cannot establish connections to the clients on the Instant AP, because the source addresses of the clients are translated.
Local, L2 Mode
In this mode, the Instant AP cluster at the branch has a local subnet and the master Instant AP of the cluster acts as the DHCP server. The default gateway is located outside the Instant AP and the network address for the client traffic is not translated at the source. In the Local, L2 mode, access to the corporate network is supported only in a single Instant AP cluster. The traffic to the non-corporate network is locally bridged.
Local, L3 Mode
In this mode, the network address for traffic destined to the corporate network is translated at the source with the inner IP of the IPsec tunnel and is forwarded through the IPsec tunnel. The traffic destined to the non-corporate network is routed.
Distributed, L2 Mode
In this mode, the Instant AP assigns an IP address from the configured subnet and forwards traffic to both corporate and non-corporate destinations. Clients receive the corporate IP with the virtual controller as the DHCP server. The default gateway for the client still resides in the datacenter, and hence this mode is an L2 extension of the corporate VLAN to the remote site. Either the controller or an upstream router can be the gateway for the clients. Client traffic destined to datacenter resources is forwarded by the master Instant AP (through the IPsec tunnel) to the client's default gateway in the datacenter.
When a
Distributed, L3 Mode
The Distributed, L3 mode confines all broadcast and multicast traffic to the branch. The Distributed, L3 mode reduces the cost and eliminates the complexity associated with the classic site-to-site VPN. However, this mode is very similar to a classic site-to-site IPsec VPN, where two VPN endpoints connect individual networks together over a public network.
In Distributed, L3 mode, each branch location is assigned a dedicated subnet. The master Instant AP in the branch manages the dedicated subnet and acts as the DHCP server and gateway for clients. Client traffic destined to datacenter resources is routed to the controller through the IPsec tunnel, which then routes the traffic to the appropriate corporate destinations.
When a
Centralized, L2 Mode
The Centralized, L2 mode extends the corporate VLAN or broadcast domain to remote branches. The DHCP server and the gateway for the clients reside in the datacenter. Either the controller or an upstream router can be the gateway for the clients. For DHCP services in Centralized, L2 mode,
Centralized, L3 Mode
For Centralized, L3 clients, the virtual controller acts as a DHCP relay agent that forwards the DHCP traffic to the DHCP server located behind the controller in the corporate network and reachable through the IPsec tunnel. The Centralized, L3 VLAN IP is used as the source IP. The IP address is obtained from the DHCP server.
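The following is an added example, not Aruba code or configuration: it models the source-address and egress rules stated above for the Local, Local L2, Local L3 and Distributed L3 scope modes, so the difference between the translating and non-translating modes can be checked on sample flows, including why a datacenter host cannot open a connection to a client behind the translating modes. The mode strings, addresses and prefixes are constructed; the corporate path for Local L2 and the non-corporate path for Distributed L3 are assumptions, as marked in the comments.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

@dataclass(frozen=True)
class Branch:
    corporate_nets: tuple        # prefixes reached via the datacenter (constructed)
    tunnel_inner_ip: IPv4Address # inner IP of the IPsec tunnel to the controller
    ap_uplink_ip: IPv4Address    # Instant AP address on its uplink

@dataclass(frozen=True)
class Forwarding:
    src_ip: IPv4Address  # source address the destination will see
    egress: str          # "ipsec", "uplink", "bridged" or "routed"

def is_corporate(branch: Branch, dst: IPv4Address) -> bool:
    return any(dst in net for net in branch.corporate_nets)

def forward(mode: str, branch: Branch, client_ip: str, dst_ip: str) -> Forwarding:
    """Where a client packet goes and which source address it carries."""
    client, dst = ip_address(client_ip), ip_address(dst_ip)
    corp = is_corporate(branch, dst)
    if mode == "local":
        # Corporate traffic is SNATed to the tunnel inner IP and sent via IPsec;
        # all other traffic is SNATed to the AP address and sent out the uplink.
        if corp:
            return Forwarding(branch.tunnel_inner_ip, "ipsec")
        return Forwarding(branch.ap_uplink_ip, "uplink")
    if mode == "local-l3":
        # Same corporate handling; non-corporate traffic is routed untranslated.
        if corp:
            return Forwarding(branch.tunnel_inner_ip, "ipsec")
        return Forwarding(client, "routed")
    if mode == "local-l2":
        # Gateway sits outside the AP, nothing is translated, non-corporate
        # traffic is bridged locally. Corporate path over IPsec is an assumption.
        return Forwarding(client, "ipsec" if corp else "bridged")
    if mode == "distributed-l3":
        # Site-to-site style: the client keeps its dedicated-subnet address and
        # the controller routes it. Local routing of non-corporate traffic is an
        # assumption.
        return Forwarding(client, "ipsec" if corp else "routed")
    raise ValueError(f"mode not modelled here: {mode!r}")

def datacenter_can_reach(mode: str, branch: Branch, client_ip: str) -> bool:
    """True when a datacenter host can open a new connection to the client.
    Only possible if the client presents its own address to the datacenter;
    a source-translated client has no inbound mapping on the controller."""
    corp_host = str(branch.corporate_nets[0][1])  # any host in the first prefix
    return forward(mode, branch, client_ip, corp_host).src_ip == ip_address(client_ip)

# Constructed sample branch: corporate space 10.0.0.0/8, documentation IPs elsewhere.
BRANCH = Branch(
    corporate_nets=(ip_network("10.0.0.0/8"),),
    tunnel_inner_ip=ip_address("10.200.1.7"),
    ap_uplink_ip=ip_address("203.0.113.40"),
)

if __name__ == "__main__":
    for mode in ("local", "local-l2", "local-l3", "distributed-l3"):
        f = forward(mode, BRANCH, "192.168.10.25", "10.1.2.3")
        print(f"{mode:15} -> corp via {f.egress:7} as {f.src_ip}, "
              f"reachable from DC: {datacenter_can_reach(mode, BRANCH, '192.168.10.25')}")
```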
DHCP Scope and VPN Forwarding Modes Mapping
The following table provides a summary of the DHCP scope and VPN forwarding modes mapping: