ArubaOS and Controllers

New Contributor
Posts: 4
Registered: 01-08-2010

VRRP on untrusted vlan

Hi,

I'm attempting to use VRRP for a vlan used to authenticate clients from non-aruba access points. After enabling VRRP on both controllers for the vlan, both controllers believe they are the master. "sh vrrp statistics" indicates that neither switch is receiving any vrrp packets... Could this be due to an ACL? I'm not too familiar with the Aruba technology so any pointers would be appreciated.
Guru Elite
Posts: 21,031
Registered: 03-29-2007

VRRP on Untrusted VLAN

When you create an untrusted VLAN, any traffic on that VLAN puts a user in the user table. If you see users in the "logon" role, you need to add a firewall policy in the logon role that allows protocol 112 (VRRP) from any to any. This will allow VRRP messages to be passed back and forth between controllers.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 4
Registered: 01-08-2010

Re: VRRP on untrusted vlan

Thanks,

That suggestion worked great... I ended up adding it to the logon-control access list and that did the trick.

Regards,

-Mark
Occasional Contributor II
Posts: 28
Registered: 07-29-2009

Re: VRRP on untrusted vlan

Hi everyone,

You have another solution:

1) Create a netdestination that contains the IPs of your controllers:
netdestination aruba-controler
host X.X.X.X
host X.X.X.X

2) Create an IP access-list allowing VRRP between them:
ip access-list session allow-vrrp
any alias aruba-controler 112 permit

3) Apply this access-list to the VLAN/interface that is untrusted:
interface gigabit 1/0
untrusted vlan 1
ip access-group session allow-vrrp vlan 1

or

interface gigabit 1/0
no trusted
ip access-group session allow-vrrp

That's all.

I hope this can help you...
Guru Elite
Posts: 21,031
Registered: 03-29-2007

Untrusted and Access List on the same interface

There are two issues with that solution:

1. Putting an access list AND making an interface untrusted at the same time creates an inconsistency that may be hard to troubleshoot. When putting an access list on an interface, any traffic that is coming IN to the controller is subject to that ACL. So according to your ACL, you are allowing VRRP, but you are dropping everything else... no inbound SSH sessions to manage the controllers, no access point traffic, etc. You would have to add rules for all that traffic in addition to any inter-controller traffic that would need to be sent.

2. VRRP being sent as protocol 112 is not sent unicast to each controller's interface, it is a multicast. So if you only allow VRRP to each controller's interface it will be dropped.

So, as written, that solution will not work. You can make changes to it so that it WILL work, but it is harder than the previous solution.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 28
Registered: 07-29-2009

Re: VRRP on untrusted vlan

Yes, it's right, but the question was "how to make VRRP work between two controllers on an untrusted interface/VLAN", not VRRP + master-local redundancy or anything else. If you want, you can add SSH and HTTPS access in the ACL.

I use this solution just for a management interface which must follow another VRRP state to always administer the correct master (with master-master redundancy), and it works well. OK, I made a mistake in the ACL :(. VRRP uses multicast, but the source is the controller IP:

So the correct version:

1) Create a netdestination that contains the IPs of your controllers:
netdestination aruba-controler
host X.X.X.X
host X.X.X.X

2) Create an IP access-list allowing VRRP between them:
ip access-list session acl
any any svc-ssh permit
any any TCP 4343 permit
alias aruba-controler any 112 permit
.....

3) Apply this access-list to the VLAN/interface that is untrusted:
interface gigabit 1/0
untrusted vlan 1
ip access-group session acl vlan 1

or

interface gigabit 1/0
no trusted
ip access-group session acl
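An added example (not from this thread, and not Aruba code) that models the point the thread settles on: a VRRP advertisement is sent to the multicast group 224.0.0.18 with the controller's own address as source, so a session rule whose destination is the controller alias never matches it, while a rule with the controller alias as source, or Colin's any-to-any protocol 112 rule in the logon role, does. The controller addresses 10.0.1.1 and 10.0.1.2, the first-match evaluation with implicit deny, and the "source destination service action" rule grammar are assumptions for this example; real ArubaOS evaluation (user roles, the user table, named services such as svc-ssh) is richer than this toy.

```python
# Added example, not from the Airheads thread or from Aruba: a small model of
# how a session ACL like the ones in the thread evaluates a VRRP advertisement.
# Assumptions (constructed for this example): controller addresses 10.0.1.1
# and 10.0.1.2, a first-match ACL with an implicit deny, and the
# "src dst service action" rule grammar the thread uses. Real ArubaOS
# evaluation (user roles, user table, named services) is richer than this.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Dict, List, Set

VRRP_PROTOCOL = 112
# RFC 3768: VRRP advertisements are sent to the all-VRRP-routers group.
VRRP_MULTICAST_GROUP = ip_address("224.0.0.18")

# "netdestination aruba-controler" from the thread, with constructed addresses.
NETDESTINATIONS: Dict[str, Set[IPv4Address]] = {
    "aruba-controler": {ip_address("10.0.1.1"), ip_address("10.0.1.2")},
}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    protocol: int


@dataclass(frozen=True)
class Rule:
    src: str        # "any" or "alias <netdestination>"
    dst: str
    protocol: int   # IP protocol number only (named services not modelled)
    action: str     # "permit" or "deny"


def parse_rule(line: str) -> Rule:
    """Parse a rule such as 'any alias aruba-controler 112 permit'."""
    tokens = line.split()
    specs: List[str] = []
    i = 0
    for _ in range(2):  # source endpoint, then destination endpoint
        if tokens[i] == "any":
            specs.append("any")
            i += 1
        elif tokens[i] == "alias":
            specs.append(f"alias {tokens[i + 1]}")
            i += 2
        else:
            raise ValueError(f"unsupported endpoint in rule: {line!r}")
    protocol, action = int(tokens[i]), tokens[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported action in rule: {line!r}")
    return Rule(specs[0], specs[1], protocol, action)


def _endpoint_matches(spec: str, addr: IPv4Address) -> bool:
    if spec == "any":
        return True
    return addr in NETDESTINATIONS[spec.split(" ", 1)[1]]


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; traffic no rule permits is denied."""
    for rule in acl:
        if (rule.protocol == pkt.protocol
                and _endpoint_matches(rule.src, pkt.src)
                and _endpoint_matches(rule.dst, pkt.dst)):
            return rule.action
    return "deny"


def vrrp_advertisement(sender: str) -> Packet:
    """A VRRP advertisement as it arrives on the peer's untrusted VLAN."""
    return Packet(ip_address(sender), VRRP_MULTICAST_GROUP, VRRP_PROTOCOL)


# The three rule variants discussed in the thread.
FIRST_ATTEMPT = [parse_rule("any alias aruba-controler 112 permit")]  # dst = controller alias
CORRECTED = [parse_rule("alias aruba-controler any 112 permit")]      # src = controller alias
LOGON_ROLE_RULE = [parse_rule("any any 112 permit")]                  # any-to-any protocol 112


def outcomes() -> Dict[str, str]:
    """Verdict of each variant for an advertisement sent by controller 10.0.1.1."""
    advert = vrrp_advertisement("10.0.1.1")
    return {
        "first_attempt": evaluate(FIRST_ATTEMPT, advert),  # deny: 224.0.0.18 is not in the alias
        "corrected": evaluate(CORRECTED, advert),          # permit
        "logon_role": evaluate(LOGON_ROLE_RULE, advert),   # permit
    }


if __name__ == "__main__":
    for name, verdict in outcomes().items():
        print(f"{name:14s} -> {verdict}")
```

Running it prints a deny for the first ACL and a permit for the corrected one and for the any-to-any rule; the corrected alias-as-source rule still leaves non-VRRP traffic denied, which is the point Colin makes about also needing SSH, HTTPS and AP rules when an ACL is applied on the interface.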