How to Configure APs to register to ExtremeWireless or XCA controllers over WAN and/or VPN from remote locations

Objective
Properly stage, prepare and configure the end-to-end elements required between ExtremeWireless or ExtremeCloud Appliance controllers and APs located in remote locations.
Environment
  • ExtremeWireless 
  • ExtremeCloud Appliance
  • VPN
Procedure
There are 4 key elements that need to be configured, sized and put in place properly to allow APs to register to ExtremeWireless or ExtremeCloud Appliance controllers over WAN/VPN/low-bandwidth links:

1. MTU Sizing. Size the MTU properly over your WAN/VPN links to avoid packet fragmentation of controller <> AP traffic over those links.
Follow the steps below until you identify an MTU size that lets packets get through from the remote location back to where the controller is located without requiring fragmentation. Then adjust the MTU for the APs on a location-specific basis, down from the default of 1500, as required:

Find the MTU size you need to set statically
  • From a DOS prompt on the local/controller side, ping the AP on the remote side: ping x.x.x.x -f -l 1500 (where x.x.x.x is the IP address of the AP being pinged, -f indicates not to fragment the packet being sent and -l indicates the packet size to use when pinging)
  • If you ping first with a packet size of 1500, the ping will most likely fail in this scenario, with error messages indicating that the packet would need to be fragmented in order to be sent successfully but the do-not-fragment bit has been set
  • Continue to ping with lower sizes (1400, etc.) until packets get through without having to be fragmented. 1450 is a very common packet size that works, but on occasion we have had customers who had to drop the MTU as low as sub 1000 to avoid packet fragmentation.

Apply the adjusted MTU to the APs in the branch locations for which you tested
  • Click AP tab > APs dropdown list > select the AP in question
  • Click Static Configuration tab
  • Change the Tunnel MTU setting to the value found in your ping test. Example: 1500 to 1400
  • Click Save

Perform separate tests, and make MTU adjustments accordingly, for each separate location in question
  • Perform this process for each individual link you have to different locations. Different WAN/VPN hardware and/or software may be in place on the various links, so what works between NYC and Chicago may not work between NYC and Dallas, for instance.
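
Added example (not from the original article or from Extreme Networks): the ping test above automated as a binary search over the -l size and repeated per link. The link names, the simulated path MTUs and the function names are assumptions made for illustration; df_ping wraps the same ping -f -l command for use against a real AP.

```python
import platform
import subprocess

ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header around the -l payload


def df_ping(host, payload, timeout_s=2):
    """Send one echo request with the do-not-fragment bit set; True on a reply."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000),
               "-f", "-l", str(payload), host]
    else:  # assumption: Linux iputils ping
        cmd = ["ping", "-c", "1", "-W", str(timeout_s),
               "-M", "do", "-s", str(payload), host]
    res = subprocess.run(cmd, capture_output=True, text=True)
    # Windows ping can exit 0 on an ICMP error reply, so also require a TTL field.
    return res.returncode == 0 and "ttl=" in res.stdout.lower()


def largest_unfragmented_payload(probe, low=500, high=1500):
    """Binary-search the largest size in [low, high] for which probe(size) succeeds.

    Returns None when even `low` fails (link down, ICMP filtered, or MTU below low).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def simulated_link(path_mtu):
    """Constructed stand-in for a WAN/VPN path, so the search can run offline."""
    return lambda payload: payload + ICMP_OVERHEAD <= path_mtu


def survey(links):
    """Map each link name to its largest DF-safe ping size; links: name -> probe."""
    return {name: largest_unfragmented_payload(probe) for name, probe in links.items()}


if __name__ == "__main__":
    # Constructed path MTUs; for a real AP use: lambda size: df_ping("x.x.x.x", size)
    links = {"NYC-Chicago": simulated_link(1450), "NYC-Dallas": simulated_link(1000)}
    for name, size in survey(links).items():
        print(f"{name}: largest ping size {size}, {size + ICMP_OVERHEAD} bytes on the wire")
```

The size passed to ping is the ICMP payload only, so the packet that crosses the link is 28 bytes larger than the number that succeeds.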

The following KCS article covers how to properly size the MTU in regard to another aspect of our solutions, but the technique is the same:
https://gtacknowledge.extremenetworks.com/articles/Solution/IdentiFi-Wireless-AP-s-do-not-have-backup-data-tunnels-and-uptime-is-not-displaying-in-AP-Availability-report 

2. Required Ports. Make sure all required ports are open through any firewalls and/or content filters that may sit between the controller(s) and AP(s).

Those ports are identified in the following KCS article: 
https://gtacknowledge.extremenetworks.com/articles/Q_A/What-are-the-tcp-udp-ports-used-between-IdentiFi-Wireless-Controller-and-AP-s 

3. AP Discovery. If the APs in your remote locations will end up in a different subnet (or subnets) from the controller, then, as with all APs that "live" in a different VLAN from the controller, whether LAN or VPN based, you will need an AP discovery strategy in place that "points" the APs to the IP address of the controller: either a DHCP Option 78 or a DNS A record.

The following KCS links provide more detail on that: 
https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Configure-an-AP-to-find-the-IdentiFi-Wireless-Controller-from-a-DNS-server-entry 
https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Configure-an-AP-to-Find-the-IdentiFi-Wireless-Controller-with-DHCP-Option-78-on-a-Linux-Server 
https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Configure-an-AP-to-Find-the-IdentiFi-Wireless-Controller 
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-DHCP-option-78-on-EXOS-switch-for-Identifi-Wireless-AP-discovery-to-locate-controller 
https://gtacknowledge.extremenetworks.com/articles/Solution/Using-H3C-switch-as-dhcp-server-for-Identifi-wireless-AP 
https://gtacknowledge.extremenetworks.com/articles/Q_A/Can-the-IdentiFi-wireless-appliances-DHPC-server-support-advance-DHCP-options 
https://gtacknowledge.extremenetworks.com/articles/Solution/Access-points-failing-the-IdentiFi-Controller-discovery-process 
https://gtacknowledge.extremenetworks.com/articles/Solution/AP-will-not-connect-to-the-controller-after-power-loss 

4. Controller Default Gateway. Lastly, if your APs are in a different subnet from the controller, it is critical that the controller has a default gateway defined, pointing to the router that is the next hop away from the physical port you have defined in ExtremeWireless or XCA for both Management and AP registration.

The following KCS articles provide more detail about that:
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-the-default-route-gateway-for-an-Extreme-Cloud-Appliance-XCA-controller-through-the-XCA-GUI
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-the-default-route-on-the-IdentiFi-Wireless-Appliance
 
Additional notes
If Wing APs are being deployed with the ExtremeCloud Appliance, port 443 will need to be allowed through the VPN/firewall.
