Campus Switching and Routing

Contributor I
Posts: 25
Registered: ‎05-03-2015

vrrp for user vlan

Dear Aruba Guys,

I have a question, and I think my deployment is not the best practice, so I hope someone can help me with this scenario. I will be happy to hear any recommendation for our deployment.

We have two controllers (master/master-backup) with 6 SSIDs.

DHCP and the gateways are on the controller.

I think we must configure VRRP for each VLAN (the management VLAN for redundancy, and VRRP for each user VLAN).

When I configured VRRP for a user VLAN, it still shows VRRP operational state = Master on both controllers.

Thanks in advance

Regards,

Guru Elite
Posts: 21,018
Registered: ‎03-29-2007

Re: vrrp for user vlan

How many access points do you have and why do you need 6 SSIDs?


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 3
Registered: ‎03-02-2016

Re: vrrp for user vlan

Dear Colin,

Hope you are in good health and a good mood.

I am writing instead of Omar, he seems offline.

We have 72 access points distributed across branch offices and show rooms (customer service).

These SSIDs are as follows:

2 for Employees (1 with internet access only and one for getting into the enterprise network)

1 for Business customers

1 for high management

1 for HQ Guests

1 for show room guests

And each SSID goes to a different VLAN with a different method of authentication.

Your kind advice.

Mahmoud Azem
System Engineer
Badawi Information Systems
Guru Elite
Posts: 21,018
Registered: ‎03-29-2007

Re: vrrp for user vlan

Okay. Each SSID that you broadcast decreases performance. That is why I was asking.

You should use a layer 3 switch to be the default gateway of your clients... NOT the controller. You should also use an external DHCP server instead of the controller.

Why? Because a layer 3 switch will present a consistent default gateway if a controller fails. The client will know the default gateway and that will not change when there is a controller failure. You should use an external DHCP server, so that when a client fails over to a second controller, the lease table will be consistent, and that client can use the same IP address. If you host DHCP on the controller, both controllers will attempt to provide DHCP for each request, so they must be deployed with a "split scope" to avoid conflicts. External DHCP servers are also more flexible than the DHCP server that is in the controller.

You should still have a VRRP between the master and backup master's management address and point your access points at that IP address using DNS discovery (aruba-master.<domain>.com).


Colin Joseph
Aruba Customer Engineering


Guru Elite
Posts: 21,018
Registered: ‎03-29-2007

Re: vrrp for user vlan


Mahmoud Azem wrote:

Dear Colin,

Hope you are in good health and a good mood.

I am writing instead of Omar, he seems offline.

We have 72 access points distributed across branch offices and show rooms (customer service).

These SSIDs are as follows:

2 for Employees (1 with internet access only and one for getting into the enterprise network)

1 for Business customers

1 for high management

1 for HQ Guests

1 for show room guests

And each SSID goes to a different VLAN with a different method of authentication.

Your kind advice.


You have 2 SSIDs for Employees - If your policy does not allow internal users to connect to the internet, maybe you should have your employees connect to the guest network for internet access, so that you do not have to broadcast two employee SSIDs.

If your business customers can only get to the internet using the "Business Customer" SSID, they should just get on the guest network, right?

What access does high management have that is different from the Employee SSID? Maybe they should use the employee SSID...

The show room guest SSID, does it provide more than internet access? Maybe the showroom guest should just connect to the guest SSID...


Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 25
Registered: ‎05-03-2015

Re: vrrp for user vlan


cjoseph wrote:

Okay. Each SSID that you broadcast decreases performance. That is why I was asking.

You should use a layer 3 switch to be the default gateway of your clients... NOT the controller. You should also use an external DHCP server instead of the controller.

Why? Because a layer 3 switch will present a consistent default gateway if a controller fails. The client will know the default gateway and that will not change when there is a controller failure. You should use an external DHCP server, so that when a client fails over to a second controller, the lease table will be consistent, and that client can use the same IP address. If you host DHCP on the controller, both controllers will attempt to provide DHCP for each request, so they must be deployed with a "split scope" to avoid conflicts. External DHCP servers are also more flexible than the DHCP server that is in the controller.

You should still have a VRRP between the master and backup master's management address and point your access points at that IP address using DNS discovery (aruba-master.<domain>.com).


So, as I now understand from you, to ensure a consistent gateway for users in case the primary controller goes down we must use an external router; that means there is no way to configure VRRP in the user VLAN.

And regarding DHCP split scope, is it supported by the Aruba Mobility Controller? If yes, could you please share a configuration guide.

Anyway, we are currently in the proof of concept phase, and I would like to thank you for your explanation and recommendation.

Guru Elite
Posts: 21,018
Registered: ‎03-29-2007

Re: vrrp for user vlan

You can configure a VRRP in the user VLAN(s) and configure that for every VLAN on the controller, but that is a lot to manage.

Split DHCP scope only means that on each controller you exclude the top half or bottom half of the DHCP range so that both controllers are not giving out the same IP addresses, because that would cause a conflict if they gave out the same IP addresses.

It is much easier to manage all your scopes on an external DHCP server instead of setting up 2 scopes on each subnet on a controller. It is also easier to have the default gateway of your clients be an external router interface, rather than set up two VRRP instances on each controller for each user subnet. If you don't have a captive portal on a VLAN, you don't need an IP address on a VLAN on the controller; that would save you more time...


Colin Joseph
Aruba Customer Engineering
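
The split-scope arrangement described in the reply above, worked through as an added example that is not part of the original thread or of Aruba's documentation. The function names, the sample subnets and the choice to reserve the lowest 10 host addresses for gateway and VRRP addresses are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample user VLANs; not taken from the thread.
USER_VLANS = {10: "10.1.10.0/24", 20: "10.1.20.0/23"}

def split_scope(cidr, reserved=10):
    """Split one subnet's DHCP range between two controllers.

    reserved: lowest host addresses kept out of both pools (gateway, VRRP
    address, controller interfaces). The default of 10 is an assumption.
    """
    net = ipaddress.ip_network(cidr)
    first = int(net.network_address) + 1      # first host address
    last = int(net.broadcast_address) - 1     # last host address
    start = first + reserved                  # first leasable address
    if net.version != 4 or reserved < 1 or last - start < 1:
        raise ValueError(f"{cidr}: cannot split after reserving {reserved}")
    mid = start + (last - start + 1) // 2     # first address of upper half
    ip = ipaddress.ip_address
    return {
        # Controller A leases the bottom half, so it excludes the top half.
        "controller_a": {"pool": (ip(start), ip(mid - 1)),
                         "exclude": [(ip(first), ip(start - 1)),
                                     (ip(mid), ip(last))]},
        # Controller B leases the top half, so it excludes everything below.
        "controller_b": {"pool": (ip(mid), ip(last)),
                         "exclude": [(ip(first), ip(mid - 1))]},
    }

def pools_overlap(plan):
    """True if the two controllers could hand out the same address."""
    a_lo, a_hi = plan["controller_a"]["pool"]
    b_lo, b_hi = plan["controller_b"]["pool"]
    return a_lo <= b_hi and b_lo <= a_hi

def build_plans(vlans=USER_VLANS):
    """Build and check a split-scope plan for every user VLAN."""
    plans = {}
    for vlan_id, cidr in vlans.items():
        plan = split_scope(cidr)
        if pools_overlap(plan):
            raise RuntimeError(f"VLAN {vlan_id}: pools overlap")
        plans[vlan_id] = plan
    return plans

if __name__ == "__main__":
    for vlan_id, plan in build_plans().items():
        for name, side in plan.items():
            lo, hi = side["pool"]
            print(f"vlan {vlan_id} {name}: lease {lo}-{hi}, exclude {side['exclude']}")
```

Each controller leases only its own half, so a client that fails over may be given a new address from the other half, which is the inconsistency an external DHCP server avoids.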


Contributor I
Posts: 25
Registered: ‎05-03-2015

Re: vrrp for user vlan

But when I configured the virtual router related to VRRP for the user VLAN, it did not work, and it seems there is no way to configure a peer IP address except on the management VLAN for HA between the controllers.

Contributor I
Posts: 25
Registered: ‎05-03-2015

Re: vrrp for user vlan

Hi Colin,

Sorry for this, the issue related to VRRP is solved.

It was a routing and switching issue.

Many thanks for your awesome cooperation.

Have a nice day,
