InControl2 - Working with groups


#1

Hi!

I am just trying to find a good initial setup for my infrastructure.

The goal is:

  • 2 Hubs
  • 5 Devices as “test-group”
  • 50 Devices as “production-group”
  • 50 Devices as “production-group2”

Test and production-devices have to connect to the two hubs.

My Problem:
Managing PepVPN/Speedfusion seems to be only possible inside ONE group. Is there any possibility to change this?

Background:
I want to roll out firmware upgrades on a test group in the first step…
I want to configure independent settings for some devices like schedules.

Thank you
Regards,
KPS


#2

Hello KPS,

Are these devices Peplink/Pepwave products or are these computer/laptops/tablets/etc?

Can you please elaborate on this? Is the test network inside of another network? Can a diagram please be provided?


#3

Hi!

Sorry, if this was not clear.
I am JUST speaking about Peplink-Devices:

HQ has 2 710s as Hub
Branch-offices need to access servers in the HQ.
5 branch-offices should be my “test-group” for firmware-updates, etc. (each with Peplink Balance One)
50 branch-offices are my default branch-offices (each with Peplink Balance One)
50 branch-offices do have some special demands like schedules (each with Peplink Balance One)

One big star, but 3 different demands…


#4

Hello @KPS,
What is preventing you from running three separate “Star” SpeedFusion groups?
We recently posted about using groups for different security levels, you can also apply this concept with SpeedFusion too.

Let's take your “test-group” (and I’m going to work on the basis you have everything within InControl2):

  • Create within your organisation your “test-group”, add one device and ensure it is all set up how you need, then add the remaining four devices
  • Create another “HQ” group for your 710s, again adding one first and getting all of your settings good before adding the second unit
  • At the Organisational Level, enable SpeedFusion and then create your first SpeedFusion Star for the “test-group”
  • Check everything is working as required then repeat the process for the other two setups across the 100 branches.

This is just an overview and you would need to schedule a network outage of your SpeedFusion links to set this up, as when you move the SpeedFusion Management from the Balance 710s to InControl2 it is possible InControl2 may overwrite the existing SpeedFusion settings.

We highly recommend working closely with your experienced & trained local Authorised Peplink Partner for specialised assistance in getting this working the way you need, it certainly can be done.

Your local Certified Peplink Partner can help you with a detailed plan to get this done and will be able to bring their expertise in to make it work with you. There are also lots of the Peplink team and Peplink Partners here in the forum that are able to guide you also.
Happy to Help,
Marcus :)


#5

Hi!

@mldowling
Thank you for the hint. I only found the possibility to create a PepVPN-Star-Config on group-level - not on Organization-level.

But:
The biggest problem stays: There is no possibility to use all the functions with InControl2 (like sub-tunnels), as they are not fully supported.
And: I cannot mix InControl2 and “manually” added peers. That makes it very inflexible…

Regards


#6

You should be able to create a star topology from the Org Level as well.

You are correct about this. I will reach out to the engineers to see if support for this is on the road map.


#8

Hi KPS,

Org level profiles that span multiple groups have been a feature for several years now. I know of at least one org that puts its FusionHubs in an ‘HQ’ group and several hundred transit devices in a second ‘vehicles’ group.
If, for some odd reason, you’re unable to create an org profile, please create a support ticket. Being able to see the pepvpn management page from group but not org level would normally only occur if your admin rights were restricted to the group level.

Subtunnel support is definitely on the roadmap for the very near future.

IC2 actually DOES support a mixed mode for Star & PtoP topologies where some subset of the endpoints are managed via firmware or a different organization. Please see:

As of the upcoming 2.8.0 version, we’re planning to allow for the ability to have profiles managed from both the firmware and IC2 interfaces. Please see:


(actually, you should already have seen this, as it was a reply to your posting, but it should help anyone else following this thread in future)

Regards,
-James