Gateway Deployments

Use cases, personas, and roaming considerations for Gateway deployments.

Gateways are high-performance appliances that have evolved to support a wide range of use cases and can act as (1) the wireless control plane, for greater security and scalability, or (2) an SD-Branch device with intelligent routing and tunnel orchestration software. Gateways are not a refresh of wireless controllers; they are expressly designed to be both cloud and IoT ready.

Use Cases

While Gateways are optional, they offer features and capabilities that are not available in AP-only deployments. In some deployment scenarios Gateways should be considered to provide a better end-user experience, simplify operations, or take advantage of advanced features. In other scenarios Gateways are mandatory.

The following are some common features and use cases for Gateway deployments:

  • LAN Architecture - The LAN architecture does not permit management and user VLANs to be extended between the APs, and seamless roaming is required.

  • Roaming Domain Scaling - Gateways and tunneled WLANs are required to establish roaming domains that exceed 500 APs and 5,000 clients.

  • Layer-3 Mobility - Gateways and tunneled WLANs are required to centralize wireless-user VLANs and permit client devices to seamlessly roam between APs, across layer 3 network boundaries.

  • RADIUS Proxy - Configuring large numbers of APs as clients on the RADIUS server is undesirable. If Gateways are deployed, RADIUS messages can be proxied through the Gateway cluster, so the APs do not need to be defined individually on the RADIUS server.

  • Security & Policy - For policy and compliance, user traffic needs to be segmented and/or terminated in different zones within the network where user VLANs are deemed insufficient. Newer Gateways can further enhance security by enabling IDS/IPS. The IDS/IPS engine performs deep packet inspection to monitor network traffic for malware and suspicious activity. When either is detected, the IDS function alerts network administrators, while the Intrusion Prevention System (IPS) takes immediate action to block the threat.

  • Traffic Optimization - For high broadcast or multicast environments, Gateways offer more granular controls that can be enabled per VLAN to prevent unwanted broadcast or multicast frames and/or datagrams from reaching the APs.

  • Data Plane Termination - Gateways are required to terminate tunnels from Aruba devices. This includes APs, Gateways and Switches.

  • Solutions - Gateways are required for Aruba SD-Branch, Microbranch and VIA deployments.

  • MultiZone - Two or more clusters of Gateways are required to deploy MultiZone when separate tunneled WLANs are terminated on different Gateway clusters within the network.

  • Datacenter Redundancy - Layer 3 mobility and failover between datacenters are required.

  • Dynamic Segmentation - Dynamic Segmentation unifies role-based access and policy enforcement across wired, wireless, and WAN networks with centralized policy definition and dedicated enforcement points, ensuring that users and devices can only communicate with destinations consistent with their role. Gateways play an essential role in policy enforcement, keeping traffic secure and segregated.

Personas

An AOS 10 Gateway can operate in one of three personas: Mobility, Branch, or VPN Concentrator. The persona is set when creating a new group in Aruba Central. Setting a group type to one of the personas dictates which configuration options are exposed in the group settings. For example, if the group type is set to Mobility, only WLAN-related configuration options are available in that group, whereas if the type is set to Branch, the SD-Branch-specific Branch Gateway options are also available in addition to the WLAN configuration options.

The Mobility persona is used for WLAN deployments whereas the Branch and VPN Concentrator personas are used for SD-Branch deployments.

Gateway Personas

Mobility

The Mobility persona configures a Gateway to support wireless (WLAN) and wired (LAN) functionality in a campus network. When a Mobility Gateway is used in a WLAN deployment, all APs form Internet Protocol Security (IPsec) and Generic Routing Encapsulation (GRE) tunnels to the Gateways when a tunneled or mixed-mode WLAN is created.

Gateways in this mode do not provide any WAN capabilities.

Branch

The Branch persona sets a Gateway to operate as an SD-Branch Gateway, supporting the optimization and control of WAN, LAN, WLAN, and cloud security services. The Branch Gateway provides features such as routing, firewall, security, Uniform Resource Locator (URL) filtering, and compression. With support for multiple WAN connection types, the Branch Gateway routes traffic over the most efficient link based on availability, application, user-role, and link health. This allows organizations to take advantage of high-speed, lower-cost broadband links to supplement or replace traditional WAN links such as MPLS.

In addition to providing Branch functionalities, Branch Gateways also support all of the WLAN functionalities of a Mobility Gateway.

VPN Concentrator

The VPN Concentrator persona sets a Gateway to act as a headend Gateway, or Virtual Private Network Concentrator (VPNC), for all branch offices. Branch Gateways establish IPsec tunnels to one or more headend Gateways over the Internet or other untrusted networks. High Availability options support either multiple headend Gateways deployed at a single site or headend Gateways deployed in pairs at multiple sites for the highest availability. The most widely deployed topology is the dual hub-and-spoke, where branches are multi-homed to a primary and a backup data center. Any of the headend Gateways can perform the VPNC function at the hub site. These devices offer high performance and support a large number of tunnels to aggregate data traffic from hundreds to thousands of branches.

VPNCs can act as headend Gateways for either other Branch Gateways or Microbranch APs.

Role Matrix

Not every Gateway model supports all available personas; this restriction should be taken into account when choosing a Gateway model.

Platform       Mobility   VPNC   Branch
7000 Series
  7005         Yes        No     Yes
  7008         Yes        No     Yes
  7010         Yes        Yes    Yes
  7024         Yes        Yes    Yes
  7030         Yes        Yes    Yes
7200 Series
  7205         Yes        Yes    Yes
  7210         Yes        Yes    Yes
  7220         Yes        Yes    Yes
  7240XM       Yes        Yes    Yes
  7280         Yes        Yes    Yes
9000 Series
  9004         Yes        Yes    Yes
  9004-LTE     No         Yes    Yes
  9012         Yes        Yes    Yes
9100 Series
  9106         Yes        Yes    Yes
  9114         Yes        Yes    Yes
9200 Series
  9240         Yes        Yes    Yes

Roaming With Gateways

An AOS 10 deployment with Gateways supports WLAN profiles that tunnel user traffic to a cluster of Gateways where the user VLANs reside. Client devices are statically or dynamically assigned to a user VLAN that is extended between all the Gateway nodes in the cluster. The user VLANs terminate either on the core switching layer or on a dedicated aggregation switching layer, which is also the default gateway for the Gateway management and user VLANs.

For more details on Gateway clustering, refer to the Clusters topic.

With a centralized forwarding architecture, client devices can seamlessly roam between APs that tunnel user traffic to a common Gateway cluster. The client devices keep their VLAN membership, IP addressing, and default gateway because the user VLANs and broadcast domains are common to all cluster members. With the clustering architecture, the client's MAC address is also anchored to a single cluster member irrespective of the AP to which the client device is attached. The client MAC address only moves in the event of a cluster node upgrade or outage.

Hard roaming is required in AP-Gateway deployments when a client device transitions between APs that tunnel user traffic to separate Gateway clusters. While the user VLAN IDs may be common between clusters, the IP subnets or broadcast domains must be unique per cluster. Any client device that moves between Gateway clusters must obtain a new IP address and default gateway after the roam.
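As an added illustration (not Aruba documentation or product code), the Python model below encodes the rules stated in this section together with the roaming-domain thresholds from the Use Cases list: a domain beyond 500 APs or 5,000 clients, or one whose VLANs cannot be extended between APs or that spans a layer 3 boundary, requires Gateways; a client moving between APs on the same cluster keeps its VLAN, IP address, default gateway and anchor node; a client crossing to another cluster hard-roams and must re-acquire an IP address and default gateway; and the anchor node moves only on a node outage. The AP, cluster and node names, the subnets, and the MAC-hash anchor selection are constructed assumptions for the model, not AOS 10 behaviour.

```python
"""Model of AOS 10 client roaming across APs and Gateway clusters.

Added illustration, not Aruba code. All AP, cluster, node names and subnets
below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional

AP_ONLY_MAX_APS = 500        # AP-only roaming-domain limits quoted in the text
AP_ONLY_MAX_CLIENTS = 5000


def needs_gateways(ap_count: int, client_count: int,
                   vlans_extended_between_aps: bool, crosses_layer3: bool) -> bool:
    """True when the roaming domain cannot be served by an AP-only design."""
    return (ap_count > AP_ONLY_MAX_APS or client_count > AP_ONLY_MAX_CLIENTS
            or not vlans_extended_between_aps or crosses_layer3)


@dataclass
class Client:
    mac: str
    ap: str
    vlan: int
    ip: Optional[str]                  # None after a hard roam until re-addressed
    anchor_node: Optional[str] = None  # cluster member that owns the client MAC


class RoamingModel:
    def __init__(self, ap_to_cluster: Dict[str, str], cluster_nodes: Dict[str, List[str]],
                 cluster_subnets: Dict[str, str]) -> None:
        self.ap_to_cluster = ap_to_cluster
        self.cluster_nodes = {c: list(n) for c, n in cluster_nodes.items()}
        self.cluster_subnets = {c: IPv4Network(s) for c, s in cluster_subnets.items()}
        self.clients: Dict[str, Client] = {}
        # Rule from the text: user subnets / broadcast domains are unique per cluster.
        nets = list(self.cluster_subnets.items())
        for i, (c1, n1) in enumerate(nets):
            for c2, n2 in nets[i + 1:]:
                if n1.overlaps(n2):
                    raise ValueError(f"clusters {c1} and {c2} share subnet space")

    def _pick_anchor(self, cluster: str, mac: str) -> str:
        nodes = self.cluster_nodes[cluster]          # deterministic, MAC-hashed choice
        return nodes[int(mac.replace(":", ""), 16) % len(nodes)]

    def attach(self, mac: str, ap: str, vlan: int, ip: str) -> Client:
        client = Client(mac, ap, vlan, ip, self._pick_anchor(self.ap_to_cluster[ap], mac))
        self.clients[mac] = client
        return client

    def default_gateway(self, mac: str) -> str:
        """First host of the client's current cluster subnet (model assumption)."""
        cluster = self.ap_to_cluster[self.clients[mac].ap]
        return str(self.cluster_subnets[cluster][1])

    def roam(self, mac: str, new_ap: str) -> str:
        """Move a client to new_ap and report 'seamless' or 'hard'."""
        client = self.clients[mac]
        old_cluster = self.ap_to_cluster[client.ap]
        new_cluster = self.ap_to_cluster[new_ap]
        client.ap = new_ap
        if old_cluster == new_cluster:
            return "seamless"              # VLAN, IP, gateway and anchor all kept
        client.ip = None                   # must obtain a new IP and default gateway
        client.anchor_node = self._pick_anchor(new_cluster, mac)
        return "hard"

    def node_outage(self, cluster: str, node: str) -> List[str]:
        """Remove a cluster member; return the MACs whose anchor had to move."""
        self.cluster_nodes[cluster].remove(node)
        moved = []
        for client in self.clients.values():
            if client.anchor_node == node:
                client.anchor_node = self._pick_anchor(cluster, client.mac)
                moved.append(client.mac)
        return moved


def demo() -> dict:
    """Walk one client through the cases in the text; return the observations."""
    m = RoamingModel({"ap-1": "cluster-a", "ap-2": "cluster-a", "ap-3": "cluster-b"},
                     {"cluster-a": ["gw-a1", "gw-a2"], "cluster-b": ["gw-b1", "gw-b2"]},
                     {"cluster-a": "10.10.0.0/16", "cluster-b": "10.20.0.0/16"})
    mac = "00:11:22:33:44:55"
    m.attach(mac, "ap-1", vlan=100, ip="10.10.1.10")
    out = {"anchor_initial": m.clients[mac].anchor_node}
    out["roam_same_cluster"] = m.roam(mac, "ap-2")
    out["ip_after_same_cluster"] = m.clients[mac].ip
    out["roam_other_cluster"] = m.roam(mac, "ap-3")
    out["ip_after_other_cluster"] = m.clients[mac].ip
    out["gateway_after_other_cluster"] = m.default_gateway(mac)
    out["anchor_after_other_cluster"] = m.clients[mac].anchor_node
    out["moved_on_outage"] = m.node_outage("cluster-b", "gw-b2")
    out["anchor_after_outage"] = m.clients[mac].anchor_node
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module walks one client from ap-1 to ap-2 (same cluster, seamless, IP kept) and then to ap-3 (other cluster, hard roam, IP cleared and a new default gateway in that cluster's subnet), and finally fails the anchoring node so the MAC moves to the surviving member. The constructor rejects clusters whose user subnets overlap, which is the planning error the text warns against.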

AP-Gateway Roaming

Gateway Scaling with AOS 10

Scaling numbers related to clients, AOS 10 devices, tunnels and cluster sizes for various Gateway models can be accessed in the Capacity Planning section of the Validated Solution Guide.

Gateway Cluster Scaling Calculator

This calculator is used to determine the number of Gateways required for AOS 10 tunneled WLAN and user-based tunneling (UBT) deployments.

The calculator can be accessed in the Capacity Planning section of the Validated Solution Guide.


Last modified: September 9, 2024 (6b61dd8)