Wireless Access

  • 1.  AOS 10 architecture

    Posted Mar 07, 2025 10:17 AM

    Hello,

    We are currently starting to plan a transition to AOS 10 (possibly next year) so starting to ask some questions about what the architecture will look like. I was hoping someone could help with some queries?

    • Our controllers are currently all managed on public IPs, we would like to move them to private IPs when we convert them to gateways. Can we do that? Does Central ever initiate connections to the gateways or is it always the gateways talking to Central (which sounds like it is mostly HTTPS)?
    • We currently run a centralized cluster with APs out in departments and colleges (we are a university) on many sites. As far as I can tell we could just replicate this model in AOS10, are there any problems with doing this? We aren't running a fabric on any sites yet - we will probably experiment with this in future. I understand that for true wired and wireless integration on-site gateways are necessary, but this kind of set-up is a long way off for us at the moment, so will probably be part of a test further down the line.
    • As far as I can tell resiliency arrangements are similar to AOS 8 in that in-cluster failover is hitless. But Cluster to cluster failover is not, it seems this is configured on a WLAN VAP level but otherwise is like the AOS 8 system profile LMS IP and bkup LMS IP. Is there any option to have an active-active arrangement with 2 clusters (that would otherwise be active/standby)?

    Thank you, I hope these questions make sense!

    Guy



  • 2.  RE: AOS 10 architecture

    Posted Mar 07, 2025 11:38 AM

    Gateways can operate through NAT/PAT to communicate with Central, and utilize a websocket connection for 2-way communication.  Best practice is for mobility gateways to always be segregated from the Internet, including the usage of internal addressing.

    A centralized cluster when the transport between AP and gateway is not a WAN is fully supported.  Remember that AOS 10 has better support and scaling for bridged setups when there isn't a specific need to centralize the client traffic.  Answering your question in full is a bit of a challenge without a better understanding of your environment.

    Cluster to cluster failover is analogous to LMS/B-LMS.  Failover will, at the AP level, drop all VAPs so that the WLANs can be re-established against the secondary cluster.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: AOS 10 architecture

    Posted Mar 07, 2025 11:46 AM

    Let's try to answer your questions.

    • Our controllers are currently all managed on public IPs, we would like to move them to private IPs when we convert them to gateways. Can we do that? Does Central ever initiate connections to the gateways or is it always the gateways talking to Central (which sounds like it is mostly HTTPS)?

      That is not a problem. Gateways will only initiate outbound connections to Central. Most traffic is indeed HTTPS traffic. Inbound traffic can be blocked (best practice).
    • We currently run a centralized cluster with APs out in departments and colleges (we are a university) on many sites. As far as I can tell we could just replicate this model in AOS10, are there any problems with doing this? We aren't running a fabric on any sites yet - we will probably experiment with this in future. I understand that for true wired and wireless integration on-site gateways are necessary, but this kind of set-up is a long way off for us at the moment, so will probably be part of a test further down the line.

      In theory you can replicate this model. But the recommendation is to have the APs and gateways on the same site / campus, so no WAN connection between AP and gateway. The reason is latency and MTU. Best practice (but not required) is to enable jumbo frames between AP and gateways to prevent fragmentation. A fabric is not required. We can build a unified solution using Dynamic Segmentation (centralized using gateways, or de-centralized using a fabric). With the centralized option, traffic from Aruba switches will be tunneled to gateways using UBT.

    • As far as I can tell resiliency arrangements are similar to AOS 8 in that in-cluster failover is hitless. But Cluster to cluster failover is not, it seems this is configured on a WLAN VAP level but otherwise is like the AOS 8 system profile LMS IP and bkup LMS IP. Is there any option to have an active-active arrangement with 2 clusters (that would otherwise be active/standby)?

      The cluster concept in AOS10 is the same as with AOS8. Within a cluster, hitless failover is possible. Yes, per SSID you configure how to handle the traffic: bridged, tunneled or mixed mode. When you tunnel the traffic you can define where to terminate the traffic. So, SSID A can be terminated on another cluster than SSID B.

      Between clusters, hitless failover is not possible. The reason is quite simple. When you do a failover to another cluster, in most cases clients will have another IP address assigned. Think of it like this: cluster A is placed in datacenter A with subnet A. For DR reasons, cluster B is placed in datacenter B with subnet B.

      Important note from the documentation:
      Failover between a primary and secondary cluster is supported with a foundation AP license. An advanced AP license is only required if separate wired port or WLAN profiles within a configuration group are configured with separate primary cluster assignments in a MultiZone environment.

    Also, take a look at our Validated Solution Guides (VSG) and the AOS10 documentation.

    Hope this will help you.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 4.  RE: AOS 10 architecture

    Posted Mar 07, 2025 11:49 AM

    I see @chulcher also replied while I was writing my response.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 5.  RE: AOS 10 architecture

    Posted Mar 07, 2025 04:22 PM

    And here are the firewall ports you need to open for the device communication with Central.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 6.  RE: AOS 10 architecture

    Posted Mar 10, 2025 10:44 AM

    Thank you all - that's very useful information. I'm sure there will be other questions as we get going on this but this is a good start!




  • 7.  RE: AOS 10 architecture

    Posted Mar 10, 2025 06:07 PM
    Edited by harriman Mar 10, 2025 06:08 PM

    Since you are a university, and it's common for higher education institutions to use AirGroup device registration with ClearPass, please note that AirGroup device registration via ClearPass is no longer supported in AOS10.

    For additional information regarding this I recommend you reach out to your HPE/Aruba account team.




  • 8.  RE: AOS 10 architecture

    Posted Mar 11, 2025 09:33 AM

    Hi, thanks for this. Yes, you're right, we do use AirGroup with device registration on ClearPass. It sounds like the current limit for device registration on Central is 5,000 MPSKs, which will be an issue for us, but I'm told that that limit is expected to increase. However, the other worry is that (I believe) discovery of AirGroup servers is limited to 1 AP hop, which again is not great for us. Is that information correct? We will definitely be reaching out to our partners.




  • 9.  RE: AOS 10 architecture

    Posted Mar 11, 2025 09:48 AM

    Please discuss the MPSK limit with your Aruba SE. The MPSK limit will not increase in the foundation subscription.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 10.  RE: AOS 10 architecture

    Posted Mar 11, 2025 10:03 AM

    If you are using MPSK with ClearPass, there is no requirement to move to Cloud Auth or Central NAC, you can continue to utilize ClearPass for your authentication needs.  The change is that AirGroup will no longer use ClearPass for registration as AOS 10 uses other methods for server and client discovery and filtering.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------