Configuring a Micro Branch with Instant APs

For small branch deployments, Aruba offers an Instant AP-based SD-WAN solution. In a micro branch deployment, you do not require a Branch Gateway. If you have an Instant AP cluster deployed, the Instant AP acting as a Virtual Controller or a conductor AP can establish secure VPN connections with VPNCs.

To get started with your Micro Branch deployment, complete the following tasks:

Before you begin, ensure that you have provisioned and configured the VPNCs in Aruba Central. If not, see Provisioning Aruba Gateways in Aruba Central.

  1. Tunnel Authentication—Validate that the VPNC group is using the default setup to authenticate IAP-VPN tunnels. For verification, the settings can be found under VPNC Group > Devices > Gateways > Security > L3 Authentication > VPN Authentication > default-iap > Server Group.
  2. Dynamic IP Assignment—When connecting to the VPNC, APs behave like dynamic VPN clients. This means that they are assigned a pool of Inner IP addresses, which can be configured in VPNC Group > Devices > Gateways > VPN > General VPN.
  3. Route Redistribution—The Aruba Micro-Branch architecture can work in layer 2 (L2) mode, where VLANs are L2 extended from the APs to the VPNC, or in layer 3 (L3) mode, where branch subnets are advertised upstream as part of the tunnel negotiation. When working in L3 mode, branch subnets should be redistributed into a dynamic routing protocol such as OSPF and BGP.

The following topics describe the various configurations that need to be done on Instant APs and VPNCs for deploying a Micro Branch solution:

For more information on how to configure IAP-VPN address pools, and enable OSPF and BGP routing protocols, see Aruba IAP-VPN Solution Guide for Teleworkers and Home Offices.