Method of connecting remote AP to SZ 100

  • Question
  • Updated 4 years ago
Hello everyone!
I still don't understand the method of connecting a remote AP (at a branch office, for example) to the SZ 100 controller at the main office (or at a datacenter).
Could it be done just with Ruckus devices?
Or do I need a VPN server at the controller side to build tunnels between the remote AP and the controller?
Thanks in advance.
Alexander Moiseiev
Posted 4 years ago

Dionis, AlphaDog
The AP does the tunneling to the controller for the client data. The AP needs to be able to communicate with the controller from whichever location the AP is at. Once it is connected to the controller, and the proper firewall configuration is in place to allow the required ports, the AP will form a GRE tunnel with the SZ100 and data will be transmitted within this tunnel. The VLAN for each WLAN service can be sent to the core (datacenter) for processing of the client data.


Hope this helps.

Alexander Moiseiev
Thanks, Dionis!
But the question is: which ports on the firewall should I forward to the controller?
And on the AP, do I just need to enter the controller's external IP?
Dionis, AlphaDog

Here are the ports you need for the SmartZone 100 to communicate with the AP effectively, plus a few other things.

  • AP to SmartZone Control Plane communication needs TCP port 443 for certificate-based registration.
  • AP to SmartZone Control Plane SSH tunnel requires TCP port 22.
  • AP to SmartZone CP for firmware updates and more needs TCP port 91.
  • AP to SZ-CP for time sync requires UDP port 123.
  • AP to RADIUS server, if needed, requires UDP ports 1812 and 1813; these can be changed as needed.
  • AP to SmartZone Data Plane for R-GRE tunnel formation and maintenance needs port 23233; this can be changed as needed in the SZ-100.
  • AP to SmartZone DP for R-GRE transmission of client data requires TCP port 23232. This is not configurable.
  • The SZ Data Plane IP needs to be able to reach the SZ Control Plane IP on port 80 for internal communication (just FYI).
  • SZ-D to SZ-CP requires ports 443 and 6868 for other services internal to the controller; again, these are FYI, as both refer to internal controller functions.

Hope this helps.
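The port list in the answer above, turned into something you can apply and verify. This is an added example and not part of the original thread or any Ruckus tooling: it renders an nftables allow-list for exactly those ports from the branch-office source ranges to the controller, and it includes a TCP reachability probe to run from the AP side to tell a dropped packet (firewall) apart from a refused one (wrong forward target or service down). The post does not say whether 23233 is TCP or UDP, so both are allowed here as an assumption; the addresses used are illustrative placeholders, and the UDP services cannot be classified by a connect() and still need a capture.

```python
"""Firewall allow-list and reachability probe for a remote AP -> SmartZone 100.

Added example, not Ruckus code. Port list follows the forum answer above;
the protocol for 23233 is not stated there, so both are admitted (assumption).
"""
from __future__ import annotations

import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    proto: str          # "tcp" or "udp"
    port: int
    purpose: str
    configurable: bool  # True if the port can be changed on the SZ / RADIUS side


# AP -> SZ control plane (CP) and data plane (DP), as listed in the thread.
SZ_AP_PORTS: tuple[Requirement, ...] = (
    Requirement("tcp", 443, "AP registration with the CP (certificate based)", False),
    Requirement("tcp", 22, "AP SSH tunnel to the CP", False),
    Requirement("tcp", 91, "firmware and configuration download from the CP", False),
    Requirement("udp", 123, "NTP time sync with the CP", False),
    Requirement("udp", 1812, "RADIUS authentication, if RADIUS is used", True),
    Requirement("udp", 1813, "RADIUS accounting, if RADIUS is used", True),
    Requirement("tcp", 23233, "Ruckus GRE tunnel formation/keepalive (assumed TCP)", True),
    Requirement("udp", 23233, "Ruckus GRE tunnel formation/keepalive (assumed UDP)", True),
    Requirement("tcp", 23232, "Ruckus GRE client data to the DP (not configurable)", False),
)


def nft_rules(controller_ip: str, ap_sources: list[str],
              reqs: tuple[Requirement, ...] = SZ_AP_PORTS) -> list[str]:
    """Render nftables forward rules admitting only the listed ports.

    Assumes the forward chain already has a default-deny policy and that the
    DNAT/port-forward to the controller's private address lives in the nat
    table; these rules are the allow-list for new flows from the AP sites only.
    """
    srcs = "{ " + ", ".join(ap_sources) + " }"
    rules = []
    for r in reqs:
        rules.append(
            f"add rule inet filter forward ip saddr {srcs} ip daddr {controller_ip} "
            f"{r.proto} dport {r.port} ct state new accept "
            f'comment "SZ: {r.purpose}"'
        )
    return rules


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port as seen from the AP side of the firewall.

    'open'     : handshake completed, the service is reachable.
    'refused'  : RST came back; the path is open but nothing listens there
                 (wrong DNAT target or the controller service is down).
    'filtered' : no answer at all, typically a firewall dropping the packet.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # socket.timeout, no route to host, etc.
        return "filtered"


def check_controller(host: str, reqs: tuple[Requirement, ...] = SZ_AP_PORTS,
                     timeout: float = 2.0) -> dict[int, str]:
    """Probe every TCP requirement against the controller's public address.

    UDP ports (NTP, RADIUS, possibly 23233) cannot be classified by connect();
    capture on both sides of the firewall for those.
    """
    return {r.port: probe_tcp(host, r.port, timeout) for r in reqs if r.proto == "tcp"}


if __name__ == "__main__":
    # Illustrative addresses: controller public IP and the branch-office NAT pools.
    for line in nft_rules("203.0.113.10", ["198.51.100.0/24", "192.0.2.0/24"]):
        print(line)
    for port, state in check_controller("203.0.113.10").items():
        print(f"tcp/{port}: {state}")
```

Run the probe from a host at the branch site, not from inside the datacenter: a port that shows "open" from the LAN but "filtered" from the branch is a firewall or NAT rule problem, and a "refused" result means the packet reached a host but not the SmartZone service.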

Alexander Moiseiev
Thank you!
But how does it work? Does the AP establish the connection to the SZ via a GRE tunnel?
And then, how does the same remote connection work with ZoneDirector?
(Edited)
Dionis, AlphaDog

To put it simply, and in a way I can post in a short reply here: with the SZ, the AP forms two separate tunnels. One is SSH and the other is GRE (if required).

The SSH tunnel is used to communicate with the controller securely, and for the AP to download configuration and firmware, send stats, etc.

The GRE tunnel is formed when you choose to send the wireless clients' data to the controller via a GRE tunnel instead of sending it locally to a switch, in what we call Local Break Out (LBO). During this process, the AP forms a tunnel with the controller using a Ruckus proprietary process that allows the AP to be behind NAT if needed. The data from the clients is encapsulated into a VLAN and sent via this tunnel to the controller, where the VLAN is then removed from the tunnel and sent natively to the switch attached at the core, behind the SZ100 or SCG-200 controller. Effectively, this creates a layer 2 tunnel over layer 3 and preserves the client MAC addresses and other needed information. This means that the client can now get an IP from the core DHCP server, be sent to a session manager or gateway, sent to NAT, AAA, Active Directory, or whatever you need, the same way you would if the client were connected locally to a switch port in your enterprise network.

Here is the datasheet for this controller. 

http://a030f85c1e25003d7609-b98377aee968aad08453374eb1df3398.r40.cf2.rackcdn.com/datasheets/ds-smart...


The ZD, however, uses LWAPP (Lightweight Access Point Protocol) as its tunneling mechanism. That is a bit different from GRE and can be read about briefly on this Wiki page.

https://en.wikipedia.org/wiki/Lightweight_Access_Point_Protocol

It is a standard protocol, a bit older, and has more overhead than SSH, which is why it is not used in our newer controllers today.

Hope this helps!

Alexander Moiseiev
Thank you very much! :) Now I understand the mechanism.
Also, if we are talking about the GRE tunnel, how many users can the SZ-100 work with? 20,000?
Dionis, AlphaDog

No problem. The SZ100 is built to handle 1024 APs per unit and up to 25k clients per unit. However, it can also be clustered with up to three other units, for a total of 3k AP capacity and 60k clients, with up to 2k WLANs per node. The infrastructure can grow as needed.

Alexander Moiseiev
Thank you again! Remote AP is connected and working right now!
Alexander Moiseiev
Hehe, it is not the end. :)
Everything worked fine while the SZ was connected directly to the provider port without any firewall.
We put the SZ behind a Mikrotik 2011 and opened all ports according to the manual. And this is what happens next: AP migrating -> AP migrated -> AP discovery succeeded -> AP connected ... one minute passes ... -> AP heartbeat lost -> AP disconnected.
Com1 NL - Bas Sanders
Can you check the UDP "session" timers in the Mikrotik? Does it do stateful inspection?

A quick sniffer trace should point you in the right direction as to what happens.
Dionis, AlphaDog
A couple of things could be happening here.

One: you could be blocking some ports for passive FTP if you are connecting APs from the internet into your network. If this is the case, make sure that passive FTP is supported and that you open or allow the port range 16384-65000 for passive FTP dynamic port allocation to the AP and SZ data session.

Two: your firewall may be blocking or incorrectly routing the traffic to the internal IP of your SZ.

Let me know what you find. As Bas stated, a trace may be helpful.

Regards,