Understanding IAP-VPN Architecture
The IAP-VPN architecture includes the following two components:
- Instant APs at branch sites
- Controller at the datacenter
The conductor Instant AP at the branch site acts as the VPN endpoint and the controller at the datacenter acts as the VPN concentrator. When a
Only the conductor Instant AP in a
From the controller perspective, the conductor Instant APs that form the VPN tunnel are considered VPN clients. The controller terminates VPN tunnels and routes or switches the VPN traffic. The Instant AP cluster creates an IPsec or GRE VPN tunnel from the virtual controller to a Mobility Controller in a branch office. The controller only acts as an IPsec or GRE VPN endpoint and it does not configure the Instant AP.
IAP-VPN Scalability Limits
The controller scalability in the IAP-VPN architecture depends on factors such as the number of IAP-VPN branches, the route limit, and the VLAN limit.
The following table provides the IAP-VPN scalability information for various controller platforms:

| Platforms | IAP-VPN Branches (Preferred) | Route Limit | User Limit (L2 Mode) | VLAN Limit |
|---|---|---|---|---|
| 7280 | 8,192 | 32,769 | 16,384 | 4,094 |
| 7240XM | 8,192 | 32,769 | 16,384 | 4,094 |
| 7220 | 4,096 | 16,384 | 16,384 | 4,094 |
| 7210 | 2,048 | 8,192 | 12,228 | 4,094 |
| 7205 | 1,024 | 8,192 | 8,192 | 2,048 |
| 7030 | 256 | 8,189 | 3,582 | 256 |
| 7024 | 128 | 4,093 | 1,792 | 128 |
| 7010 | 128 | 4,093 | 1,792 | 128 |
| 7008 | 64 | 4,093 | 896 | 128 |
| 7005 | 64 | 4,093 | 896 | 128 |

- IAP-VPN Branches—The number of IAP-VPN branches that can be terminated on a given controller platform.
- Route Limit—The number of L3 routes supported on the controller.
- User Limit—For extended VLANs.
- VLAN Limit—The number of VLANs supported on the controller.
IAP-VPN Forwarding Modes
The forwarding modes determine whether the DHCP server and default gateway for clients reside in the branch or at the datacenter. These modes do not determine the firewall processing or traffic forwarding functionality. The virtual controller enables different DHCP pools (various assignment modes) in addition to allocating IP subnets for each branch.
The virtual controller allows different modes of forwarding traffic from the clients on a VLAN based on the DHCP scope configured on the Instant AP.
For IAP-VPN deployments, the following forwarding modes are supported:
- Local mode
- L2 Switching mode
- L3 routing mode
The DHCP scopes associated with these forwarding modes are described in the following sections.
Ensure that VLAN 1 is not configured for any of the DHCP scopes, as it is reserved for a different purpose.
Local Mode
In this mode, the Instant AP cluster at that branch has a local subnet and the conductor Instant AP of the cluster acts as the DHCP server and gateway for clients. The local mode provides access to the corporate network using the inner IP of the IPsec tunnel. The network address for traffic destined to the corporate network is translated at the source with the inner IP of the IPsec tunnel and is forwarded through the IPsec tunnel. The traffic destined to the non-corporate network is translated using the IP address of the Instant AP and is forwarded through the uplink.
When the local mode is used for forwarding client traffic, hosts on the corporate network cannot establish connections to the clients on the Instant AP, because the source addresses of the clients are translated.
Local, L2 Mode
In this mode, the Instant AP cluster at that branch has a local subnet and the conductor Instant AP of the cluster acts as the DHCP server. The default gateway is located outside the Instant AP and the network address for the client traffic is not translated at the source. In the Local, L2 mode, access to the corporate network is supported only in a single Instant AP cluster. The traffic to the non-corporate network is locally bridged.
Local, L3 Mode
In this mode, the network address for traffic destined to the corporate network is translated at the source with the inner IP of the IPsec tunnel and is forwarded through the IPsec tunnel. The traffic destined to the non-corporate network is routed.
Distributed, L2 Mode
In this mode, the Instant AP assigns an IP address from the configured subnet and forwards traffic to both corporate and non-corporate destinations. Clients receive the corporate IP with the virtual controller as the DHCP server. The default gateway for the client still resides in the datacenter, and hence this mode is an L2 extension of the corporate VLAN to a remote site. Either the controller or an upstream router can be the gateway for the clients. Client traffic destined to datacenter resources is forwarded by the conductor Instant AP (through the IPsec tunnel) to the client's default gateway in the datacenter.
When a
Distributed, L3 Mode
The Distributed, L3 mode contains all broadcast and multicast traffic to a branch. The Distributed, L3 mode reduces the cost and eliminates the complexity associated with the classic site-to-site VPN. However, this mode is very similar to a classic site-to-site IPsec VPN where two VPN endpoints connect individual networks together over a public network.
In Distributed, L3 mode, each branch location is assigned a dedicated subnet. The conductor Instant AP in the branch manages the dedicated subnet and acts as the DHCP server and gateway for clients. Client traffic destined to datacenter resources is routed to the controller through the IPsec tunnel, which then routes the traffic to the appropriate corporate destinations.
When a
Centralized, L2 Mode
The Centralized, L2 mode extends the corporate VLAN or broadcast domain to remote branches. The DHCP server and the gateway for the clients reside in the datacenter. Either the controller or an upstream router can be the gateway for the clients. For DHCP services in Centralized, L2 mode,
Centralized, L3 Mode
For Centralized, L3 clients, the virtual controller acts as a DHCP relay agent that forwards the DHCP traffic to the DHCP server located behind the controller in the corporate network and reachable through the IPsec tunnel. The Centralized, L3 VLAN IP is used as the source IP. The IP address is obtained from the DHCP server.
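The following model, added here as an illustration and not code from the Aruba Instant product, captures the forwarding and source-translation rules described for the Local, Local L2, Local L3, Distributed L2 and Distributed L3 modes above, and shows why a datacenter host cannot initiate a connection to a client whose address is translated at the branch. The `Branch` fields, the `Decision` type and the handling of non-corporate traffic in Distributed, L3 mode are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class Mode(Enum):
    LOCAL = "local"
    LOCAL_L2 = "local-l2"
    LOCAL_L3 = "local-l3"
    DISTRIBUTED_L2 = "distributed-l2"
    DISTRIBUTED_L3 = "distributed-l3"


@dataclass(frozen=True)
class Branch:
    """Per-branch facts the conductor Instant AP needs (hypothetical fields)."""
    ap_uplink_ip: str            # address of the Instant AP on its uplink
    tunnel_inner_ip: str         # inner IP of the IPsec tunnel to the controller
    corporate_nets: tuple[str, ...]  # prefixes that live behind the datacenter


@dataclass(frozen=True)
class Decision:
    path: str          # "ipsec-tunnel", "uplink", "local-bridge" or "local-route"
    src_ip: str        # source address the next hop will see
    translated: bool   # True when the client's own address was replaced


def is_corporate(branch: Branch, dst_ip: str) -> bool:
    return any(ip_address(dst_ip) in ip_network(n) for n in branch.corporate_nets)


def forward(mode: Mode, branch: Branch, client_ip: str, dst_ip: str) -> Decision:
    """Decide how the conductor Instant AP handles one client packet."""
    corporate = is_corporate(branch, dst_ip)
    if mode is Mode.LOCAL:
        # Corporate-bound traffic is SNATed to the tunnel's inner IP; everything
        # else is SNATed to the AP's own address and sent out the uplink.
        if corporate:
            return Decision("ipsec-tunnel", branch.tunnel_inner_ip, True)
        return Decision("uplink", branch.ap_uplink_ip, True)
    if mode is Mode.LOCAL_L2:
        # No translation; the gateway is outside the AP and non-corporate
        # traffic is bridged locally.
        if corporate:
            return Decision("ipsec-tunnel", client_ip, False)
        return Decision("local-bridge", client_ip, False)
    if mode is Mode.LOCAL_L3:
        # Corporate-bound traffic is SNATed like Local mode; the rest is routed.
        if corporate:
            return Decision("ipsec-tunnel", branch.tunnel_inner_ip, True)
        return Decision("local-route", client_ip, False)
    if mode is Mode.DISTRIBUTED_L2:
        # The client's default gateway is in the datacenter, so frames are
        # carried untranslated through the tunnel to that gateway.
        return Decision("ipsec-tunnel", client_ip, False)
    if mode is Mode.DISTRIBUTED_L3:
        # The branch owns a dedicated routed subnet; corporate traffic is routed
        # over the tunnel. Local routing of other traffic is an assumption here.
        if corporate:
            return Decision("ipsec-tunnel", client_ip, False)
        return Decision("local-route", client_ip, False)
    raise ValueError(f"unsupported mode: {mode}")


def corporate_host_can_initiate(mode: Mode) -> bool:
    """Modes that translate client sources hide clients from the datacenter."""
    return mode not in (Mode.LOCAL, Mode.LOCAL_L3)


# Constructed sample branch (addresses chosen for the example only).
SAMPLE = Branch("203.0.113.10", "10.250.1.7", ("10.0.0.0/8",))
```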
DHCP Scope and VPN Forwarding Modes Mapping
The following table provides a summary of the DHCP scope and VPN forwarding modes mapping: