ArubaOS and Controllers

Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Our new setup

Hi all,

I did a bit of work with a pair of Aruba controllers a few months ago whilst evaluating it. I am now working through how I'm going to configure the equipment we have just purchased. My main question is will what I am proposing work, and a secondary question is are there any comments on how I'm thinking of doing it?

The initial purchase is for 2x6000 controllers and I will put 1 at siteA (master) and 1 at siteB (local). APs at siteA will be connected to vlanA and vlanB at siteB. Both vlans will be available on both controllers and will be using VRRP - controllerA will have VRRP priority on vlanA and vice-versa for vlanB.

DHCP and default gateway services will be provided by an external server.

What I am expecting to happen is - regardless of which vlan an access point is connected to it will talk to the master controller and get an AP group of either siteA or siteB (as I provision it in the controller, not based on which vlan it is connected to!). These groups will be configured so the LMS address is the VRRP address for the vlan of the site.

If the master controller becomes unavailable, existing access points will failover to the controller at siteB. Am I correct in thinking an AP which is connected when the master is unavailable (already provisioned in an AP group) the siteB controller will provide the initial ADP response and the access point will 'just work' - or will there be problems for APs which come online whilst the master is unavailable?

At a later date, we might add controllerC at siteC (and controllerD at siteD), this would be configured as another local and there would be vlanC (and vlanD) for access points. All access point vlans would be configured over all controllers with VRRP addresses in each vlan, and the master controller probably won't be in the VRRP group for each vlan.

In the case of the master being unavailable, and there being multiple local controllers, I presume a connected access point will continue to 'just work' and there won't be issues with multiple local controllers without the master all trying to respond to ADP?

I realise this might seem like an 'overengineered' way of going about setting this up, but it is the most logical way I can see of doing it for our network.
Guru Elite
Posts: 20,598
Registered: ‎03-29-2007

Adp


First things first:

VRRP only operates at layer 2, so if the two controllers are at different sites, that layer 2 VLAN must be extended to both sites to back each other up over VRRP (the controllers participating in the VRRP must share the same layer 2 VLAN on some interface). If you have that taken care of, the "aruba-master" DNS entry must point to that VRRP for high availability so that no matter what controller is up or down, at minimum all access points have a controller to give them initial instructions when they boot up. Next, in the AP-Group of each set of APs, you should put an LMS IP and a Backup LMS IP. The LMS or Local Mobility Switch IP is the initial controller that that group of APs should connect to. The Backup LMS IP is the secondary controller those APs should connect to in production, in case the initial controller is either NOT up, or has failed while those APs are connected to it.

This is how it could go:

APs boot up and look for "aruba-master.". This address points to VRRP between two controllers and the controller that has control of the VRRP will accept the AP's initial connection. The AP will tell the controller its ap-name and AP-group. The controller will then send to the AP the LMS IP and the Backup LMS IP of the two controllers it should be connecting to. The AP will redirect to the LMS controller and if it is not there, it will connect to the backup LMS IP, instead.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Re: Our new setup


Thanks for the reply. Layer 2 connectivity between the controllers isn't a problem - we have fibre between the sites.

I was under the impression that obtaining the master controller via DNS was secondary to discovering the controller via ADP? Or are you saying that if the master is unavailable, local controllers will NOT respond to ADP? We could have DNS for 'aruba-master.aruba-siteA...', 'aruba-master.aruba-siteB...' etc where that address resolves to a VRRP address for the master and the site local controller (the master may not form part of the LMS for each site). I would prefer to avoid doing this if it can be done via ADP.

If the primary LMS address is a VRRP address, we already have redundancy from a controller failing. We would only use a backup address if we wanted a 3rd/4th redundant controller?
Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: Our new setup

"I was under the impression that obtaining the master controller via DNS was secondary to discovering the controller via ADP?"

Jnfern - You are correct, ADP is first, so if multicast is enabled across your network DNS will not come into play and your APs will connect to the first controller that responds back to an AP's ADP multicast. The AP will then connect to the primary LMS defined in that controller's AP "default" group and be ready for provisioning. If there is nothing defined in the AP "default" group, the AP will stay attached to whatever controller responded to ADP first, but that controller (let's say if it's a local controller) will tell the active master that he has an AP ready for provisioning. Then you can connect to the master and provision that AP to the appropriate group. So, regardless if the first ADP responder is a master or a local and regardless of whether the AP "default" group has a primary LMS assigned, you can provision the AP on the master. The reason I put my master in as the primary LMS in the AP "default" group is because I don't want new APs connecting to random local controllers and chewing up its AP licenses.

However, what you are trying to do with VRRP isn't really necessary and I'm not sure if you really want to do that and all the VLAN work you're doing is probably not necessary either, but you obviously know your network better than I do, so that's up to you.

I think what I would do in your case is forget about VRRP and having both controllers as part of the same VLANs and simply have the master at site A in VLAN A and let it terminate the APs for site A. Have the local at site B in VLAN B and let it terminate the APs at site B. Have the site A APs use the site B local controller as their backup, and have the site B APs use the master at site A as their backup.

Site A: Primary LMS = the master controller at site A
Site A: Backup LMS = the local controller at site B

Site B: Primary LMS = the local controller at site B
Site B: Backup LMS = the master controller at site A

In the future, if you buy another local for site C, follow the same configuration as you did with site B. I think once you start expanding with more locals, using VRRP and extending VLANs to all controllers is going to become an administrative headache for you and be difficult to troubleshoot.
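
An added example (not part of the original post, and not Aruba code) that models the primary/backup LMS layout recommended above and checks, for each single-controller failure, where each AP group lands and whether the surviving controller has enough AP licenses. The controller names, AP counts and license counts are constructed, and it assumes an AP consumes a license on whichever controller terminates it.

```python
"""Added example: where APs land, and whether licenses suffice, when a controller fails."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApGroup:
    name: str
    ap_count: int      # constructed figure, not from the thread
    primary_lms: str
    backup_lms: str


# Constructed plan mirroring the Site A / Site B table in the post above.
GROUPS = [
    ApGroup("siteA", 120, primary_lms="master-A", backup_lms="local-B"),
    ApGroup("siteB", 80, primary_lms="local-B", backup_lms="master-A"),
]
# Constructed AP license counts per controller (assumption).
LICENSES = {"master-A": 128, "local-B": 256}


def terminate_on(group, down):
    """Controller a group's APs end up on: primary LMS, else backup LMS, else None."""
    for candidate in (group.primary_lms, group.backup_lms):
        if candidate not in down:
            return candidate
    return None


def load_after_failure(groups, down=frozenset()):
    """Return ({controller: AP count}, [groups with no reachable controller])."""
    load, stranded = {}, []
    for g in groups:
        target = terminate_on(g, down)
        if target is None:
            stranded.append(g.name)
        else:
            load[target] = load.get(target, 0) + g.ap_count
    return load, stranded


def license_shortfalls(groups, licenses):
    """For each single-controller failure, report survivors pushed past their licenses."""
    report = {}
    for failed in licenses:
        load, stranded = load_after_failure(groups, down={failed})
        over = {c: n - licenses[c] for c, n in load.items() if n > licenses[c]}
        if over or stranded:
            report[failed] = {"over_by": over, "stranded": stranded}
    return report
```

With the constructed numbers, losing `local-B` pushes all 200 APs onto `master-A`, which is 72 over its 128 licenses, while losing `master-A` fits within `local-B`'s 256.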
Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Re: Our new setup

As we have layer 2 connectivity between the controllers, I like the idea of doing VRRP to reduce the failover time of the AP. In the evaluation tests, it took ~3 seconds between unplugging the master controller and the AP being associated with the backup. My understanding of using a backup LMS is that the AP will do a reboot before trying to associate with the backup.

I like the idea of having separate VLANs for each site and it does fit in with how the rest of our network is designed, but I can see how this could get overcomplicated and confusing.

The AP initially connects to whichever controller responds to ADP first. If this controller's default AP group has no LMS configured, the AP will stay here and consume a license. If the default AP group has a default LMS, does it need a spare AP license whilst it gives the AP the LMS details?
Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: Our new setup




Correct. The AP stays on that controller and consumes a license on that controller until it's provisioned to its local controller.




No, the controller that first responds to ADP will not need a spare license in this case.
