Understanding IAP-VPN Architecture

The IAP-VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. architecture includes the following two components:

  • Instant APs at branch sites
  • Controller at the datacenter

The conductor Instant AP at the branch site acts as the VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. endpoint and the controller at the datacenter acts as the VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. concentrator. When an Instant AP is set up for VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two., it forms an IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnel to the controller to secure sensitive corporate data. IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. authentication and authorization between the controller and the Instant APs are based on the RAP whitelist configured on the controller.

From the controller perspective, the conductor Instant APs that form the VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. tunnel are considered as VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. clients. The controller terminates VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. tunnels and routes or switches the VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. traffic. The Instant AP cluster creates an IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. or GRE Generic Routing Encapsulation. GRE is an IP encapsulation protocol that is used to transport packets over a network. VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. tunnel from the virtual controller to a Mobility Controller in a branch office. The controller only acts as an IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. or GRE Generic Routing Encapsulation. GRE is an IP encapsulation protocol that is used to transport packets over a network.VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. endpoint and it does not configure the Instant AP.

IAP-VPN Scalability Limits

The controller scalability in IAP-VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. architecture depends on factors such as IAP-VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. branches, route limit, and VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. limit.

Table 1: IAP-VPN Scalability

Platforms

IAP-VPN Branches (Preferred)

Route Limit

User Limit (L2 Mode)

VLAN Limit

7280

8,192

32,769

16,384

4,094

7240XM

8,192

32,769

16384

4,094

7220

4,096

16,384

16,384

4,094

7210

2,048

8,192

12,228

4,094

7205

1,024

8,192

8,192

2,048

7030

256

8,189

3,582

256

7024

128

4,093

1,792

128

7010

128

4,093

1,792

128

7008

64

4,093

896

128

7005

64

4,093

896

128

The following table provides the IAP-VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. scalability information for various controller platforms:

IAP-VPN Forwarding Modes

The forwarding modes determine whether the DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  server and default gateway Gateway is a network node that allows traffic to flow in and out of the network. for clients reside in the branch or at the datacenter. These modes do not determine the firewall Firewall is a network security system used for preventing unauthorized access to or from a private network. processing or traffic forwarding functionality. The virtual controller enables different DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  pools (various assignment modes) in addition to allocating IP subnets Subnet is the logical division of an IP network. for each branch.

The virtual controller allows different modes of forwarding traffic from the clients on a VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. based on the DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  scope configured on the Instant AP.

For the IAP-VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. deployments, the following forwarding modes are supported:

  • Local mode
  • L2 Switching mode
  • L3 routing mode

The DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  scopes associated with these forwarding modes are described in the following sections.

Local Mode

In this mode, the Instant AP cluster at that branch has a local subnet Subnet is the logical division of an IP network. and the conductor Instant AP of the cluster acts as the DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  server and gateway Gateway is a network node that allows traffic to flow in and out of the network. for clients. The local mode provides access to the corporate network using the inner IP of the IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnel. The network address for traffic destined to the corporate network is translated at the source with the inner IP of the IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnel and is forwarded through the IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnel. The traffic destined to the non-corporate network is translated using the IP address of the Instant AP and is forwarded through the uplink.

When the local mode is used for forwarding client traffic, hosts on the corporate network cannot establish connections to the clients on the Instant AP, because the source addresses of the clients are translated.

Local, L2 Mode

In this mode, the Instant AP cluster at that branch has a local subnet Subnet is the logical division of an IP network. and the conductor Instant AP of the cluster acts as the DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  server. The default gateway Gateway is a network node that allows traffic to flow in and out of the network. is located outside the Instant AP and the network address for the client traffic is not translated at source. In the Local, L2 mode, access to the corporate network is supported only in a single Instant AP cluster. The traffic to the non-corporate network is locally bridged.

Local, L3 Mode

In this mode, the network address for traffic destined to the corporate network is translated at the source with the inner IP of the IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnel and is forwarded through the IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnel. The traffic destined to the non-corporate network is routed.

Distributed, L2 Mode

In this mode, the Instant AP assigns an IP address from the configured subnet Subnet is the logical division of an IP network. and forwards traffic to both corporate and non-corporate destinations. Clients receive the corporate IP with virtual controller as the DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  server. The default gateway Gateway is a network node that allows traffic to flow in and out of the network. for the client still resides in the datacenter and hence this mode is an L2 extension of corporate VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. to remote site. Either the controller or an upstream router can be the gateway Gateway is a network node that allows traffic to flow in and out of the network. for the clients. Client traffic destined to datacenter resources is forwarded by the conductor Instant AP (through the IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnel) to the client's default gateway Gateway is a network node that allows traffic to flow in and out of the network. in the datacenter.

When an Instant AP registers with the controller, the controller automatically adds the VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. tunnel associated to this Instant AP into the VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. multicast table. This allows the clients connecting to the L2 mode VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. to be part of the same L2 broadcast domain on the controller.

Distributed, L3 Mode

The Distributed, L3 mode contains all broadcast and multicast traffic to a branch. The Distributed, L3 mode reduces the cost and eliminates the complexity associated with the classic site-to-site VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.. However, this mode is very similar to a classic site-to-site IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. where two VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. endpoints connect individual networks together over a public network.

In Distributed, L3 mode, each branch location is assigned a dedicated subnet Subnet is the logical division of an IP network.. The conductor Instant AP in the branch manages the dedicated subnet Subnet is the logical division of an IP network. and acts as the DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  server and gateway Gateway is a network node that allows traffic to flow in and out of the network. for clients. Client traffic destined to datacenter resources is routed to the controller through the IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnel, which then routes the traffic to the appropriate corporate destinations.

When an Instant AP registers with the controller, the controller adds a route to enable the routing of traffic from the corporate network to clients on this subnet Subnet is the logical division of an IP network. in the branch.

Centralized, L2 Mode

The Centralized, L2 mode extends the corporate VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. or broadcast domain to remote branches. The DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  server and the gateway Gateway is a network node that allows traffic to flow in and out of the network. for the clients reside in the datacenter. Either the controller or an upstream router can be the gateway Gateway is a network node that allows traffic to flow in and out of the network. for the clients. For DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  services in Centralized, L2 mode, Aruba recommends using an external DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  server and not the DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  server on the controller. Client traffic destined to datacenter resources is forwarded by the conductor Instant AP (through the IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnel) to the client's default gateway Gateway is a network node that allows traffic to flow in and out of the network. in the datacenter.

Centralized, L3 Mode

For Centralized, L3 clients, the virtual controller acts as a DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  relay agent that forwards the DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  traffic to the DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  server located behind the controller in the corporate network and reachable through the IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnel. The Centralized, L3 VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. IP is used as the source IP. The IP address is obtained from the DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  server.

DHCP Scope and VPN Forwarding Modes Mapping

The following table provides a summary of the DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  scope and VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. forwarding modes mapping:

Table 2: DHCP Scope and VPN Forwarding Modes Matrix

Options

Local

Local, L2

Local, L3

Centralized, L2

Centralized, L3

Distributed, L2

Distributed, L3

DHCP server

Virtual controller

Virtual controller

Virtual controller

 

DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  Server in the Datacenter

DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  Server in the Datacenter and virtual controller acts as a relay agent

Virtual controller

Virtual controller

Default Gateway for clients

Virtual controller

Default Gateway Gateway is a network node that allows traffic to flow in and out of the network. in the local network

Virtual controller

Controller or a router in the Datacenter

Virtual controller

Controller or a router in the Datacenter

Virtual controller

Corporate Traffic

Source-NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. is performed with inner IP of the IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnel

Not applicable

Source-NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. is performed with inner IP of the IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnel

L2 reachable

Routed

L2 reachable

Routed

Internet Traffic

Source-NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. is performed with local IP of the Virtual controller

Locally bridged

Routed

CL2 full tunnel mode—ource-NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. is performed with local IP of controller or a router in the datacenter.

 

CL2 split-tunnel mode—Source-NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. is performed with local IP of the Virtual controller

Source-NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. is performed with local IP of the Virtual controller

Source-NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. is performed with local IP of the Virtual controller

Source-NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. is performed with local IP of the Virtual controller

Branch access from datacenter

No

No

No

Yes

Yes

Yes

Yes