Controller Based WLANs

Do we support HA for Bridge mode VAP?

Environment: No special environment is required for this configuration to work.

Answer: Yes, HA for bridge mode VAP is supported from 6.4.1.0 and above. Details follow.
 

  • Up to 6.4, the High Availability feature is supported only with the tunnel and decrypt-tunnel forward modes.
  • From 6.4.1.0, High Availability support is extended to standard bridge VAPs on CAPs.
  • All APs are marked for inter-controller heartbeat, including those with bridge VAPs.
  • All bridge VAP tunnels are counted when computing AP oversubscription on the standby controller.
  • The PMK and key cache are synced between the active and standby controllers for dot1x bridge clients as well.
  • Full dot1x does not take place for bridge clients on an HA failover from active to standby.
  • To achieve state sync for bridge mode VAPs, ACLs and roles in the auth process were redesigned.
  • ACLs and roles are referenced by name instead of by ID, which also keeps ACLs/roles in sync between master-local and the AP datapath.
  • ACLs and roles can now be retrieved from the AP datapath by name instead of by their respective IDs.

 
"show datapath acl ap-name" is a new command introduced to verify ACLs and roles on the AP datapath.
 
(Aruba7210) #show datapath acl ?
       ap-name                 Name of AP
       id                      <1-2703> ACL number
       ip-addr                 IP Address of AP
 
(Aruba7210) #show ha group-profile test-ha
HA group information "test-ha"
------------------------------
Parameter                     Value
---------                     -----
Preemption                    Enabled
Over-subscription             Disabled
State Synchronization         Enabled
Pre-shared Key                ********
Inter Controller heartbeat    Disabled
Heartbeat Threshold           5
Heartbeat Interval            100
HA group-member IP address    10.15.40.5 dual
HA group-member IP address    10.15.43.2 dual
HA group-member IPv6 address  N/A
 
 
(Aruba7210) # show ap bss-table standby ap-name ap134-2
fm (forward mode): T-Tunnel, S-Split, D-Decrypt Tunnel, B-Bridge (s-standard, p-persistent, b-backup, a-always)
 
Aruba AP BSS Table
------------------
bss                ess                           port  ip            phy   type  ch/EIRP/max-EIRP  cur-cl  ap name  in-t(s)  tot-t    mtu   acl-state  acl  fm
---                ---                           ----  --            ---   ----  ----------------  ------  -------  -------  -----    ---   ---------  ---  --
d8:c7:c8:8b:73:10  testAP-134-tunnel-aes2-dot1x  N/A   10.15.40.248  a-HT  ap    157+/9/0          0       ap134-2  0        39m:23s  1500  -          2    T
d8:c7:c8:8b:73:00  testAP-134-tunnel-aes2-dot1x  N/A   10.15.40.248  g-HT  ap    11/9/0            0       ap134-2  0        39m:23s  1500  -          2    T
d8:c7:c8:8b:73:01  testAP-134-bridge-std-dot1x   N/A   10.15.40.248  g-HT  ap    11/9/0            0       ap134-2  0        39m:23s  1500  -          2    Bs
d8:c7:c8:8b:73:11  testAP-134-bridge-std-dot1x   N/A   10.15.40.248  a-HT  ap    157+/9/0          0       ap134-2  0        39m:23s  1500  -          2    Bs
Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.
Num APs:4
Num Associations:0
(Aruba7210) #
 
(Profidio) (config) #show user-table
Users
-----
    IP             MAC            Name       Role                    Age(d:h:m)  Auth    VPN link  AP name  Roaming             Essid/Bssid/Phy                                     Profile           Forward mode  Type  Host Name
----------    ------------       ------      ----                    ----------  ----    --------  -------  -------             ---------------                                     -------           ------------  ----  ---------
10.15.40.244  12:cc:00:00:01:00  testprasad  testAP-134-bridge-role  00:00:00    802.1x            ap134-2  Associated(Remote)  testAP-134-bridge-std-dot1x/d8:c7:c8:8b:73:11/a-HT  testAP-134-dot1x  bridge
User Entries: 1/1
 Curr/Cum Alloc:15/39 Free:0/24 Dyn:15 AllocErr:0 FreeErr:0
 
(Profidio) (config) #show gsm debug channel key_cache
key_cache Channel Table
-----------------------
state  sta_mac_address    essid                        name        role                    server                   vlan  reauth_interval  vlanhow  rolehow  kcache_flag  xxkey_len  pmk_r0_name  ucast_encr_alg  mcast_encr_alg  usergroups
-----  ---------------    -----                        ----        ----                    ------                   ----  ---------------  -------  -------  -----------  ---------  -----------  --------------  --------------  ----------
ACTV   12:cc:00:00:01:00  testAP-134-bridge-std-dot1x  testprasad  testAP-134-bridge-role  testAP-134-mauth-server  0     0                0        2        0            0                       0               0
 
Total Num of Objects            :1
Total Num of Active Objects     :1
Total Num of Replicated Objects :0
 
(Profidio) (config) #show gsm debug channel pmk_cache
pmk_cache Channel Table
-----------------------
state  bssid              sta_mac_address    ft  pmk_r1_name  expire
-----  -----              ---------------    --  -----------  ------
ACTV   d8:c7:c8:8b:73:11  12:cc:00:00:01:00  0                1400791359
Total Num of Objects            :1
Total Num of Active Objects     :1
Total Num of Replicated Objects :0
 
 
(Profidio) (config) #show datapath  user ap-name ap134-2
Datapath User Table Entries
---------------------------
Flags: P - Permanent, W - WEP, T- TKIP, A - AESCCM, G - AESGCM, V - ProxyArp to/for MN(Visitor),
       N - VPN, L - local, Y - Any IP user, R - Routed user, M - Media Capable,
       S - Src NAT with VLAN IP, E - L2 Enforced, F - IPIP Force Delete, O - VOIP user, I - Interim stats,
       C - Inactive, D - Suppress Idle TMO, m - IP mobile user anchor
FM(Forward Mode): S - Split, B - Bridge, N - N/A
       IP              MAC           ACLs                                                                           Contract  Location  Age    Sessions   Flags   Vlan   FM  IdleTMO
---------------  -----------------  ------------------------------------------------------------------------------  --------- --------  ---    ---------  -----   ----   --  -------
0.0.0.0          12:CC:00:00:01:00  testAP-134-bridge-role[653] / [0]                                                   0/0    0         0        0/65535  P          1  B     300
10.15.40.248     D8:C7:C8:C0:B7:30  acl_2700[2700] / [0]                                                                0/0    0         111      0/65535  P          1  N     300
10.15.40.244     12:CC:00:00:01:00  testAP-134-bridge-role[653] / [0]                                                   0/0    0         0        6/65535             1  B     300
192.168.11.1     D8:C7:C8:C0:B7:30  acl_2700[2700] / [0]                                                                0/0    0         111      0/65535  P       4095  N     300
 
(Profidio) (config) #show datapath  user ap-name ap134-2
(Profidio) (config) #show datapath  user ap-name ap134-2
Datapath User Table Entries
---------------------------
Flags: P - Permanent, W - WEP, T- TKIP, A - AESCCM, G - AESGCM, V - ProxyArp to/for MN(Visitor),
       N - VPN, L - local, Y - Any IP user, R - Routed user, M - Media Capable,
       S - Src NAT with VLAN IP, E - L2 Enforced, F - IPIP Force Delete, O - VOIP user, I - Interim stats,
       C - Inactive, D - Suppress Idle TMO, m - IP mobile user anchor
FM(Forward Mode): S - Split, B - Bridge, N - N/A
       IP              MAC           ACLs                                                                           Contract  Location  Age    Sessions   Flags   Vlan   FM  IdleTMO
---------------  -----------------  ------------------------------------------------------------------------------  --------- --------  ---    ---------  -----   ----   --  -------
0.0.0.0          12:CC:00:00:01:00  testAP-134-bridge-role[653] / [0]                                                   0/0    0         0        0/65535  P          1  B     300
10.15.40.248     D8:C7:C8:C0:B7:30  acl_2700[2700] / [0]                                                                0/0    0         112      0/65535  P          1  N     300
10.15.40.244     12:CC:00:00:01:00  testAP-134-bridge-role[653] / [0]                                                   0/0    0         0        5/65535             1  B     300
192.168.11.1     D8:C7:C8:C0:B7:30  acl_2700[2700] / [0]                                                                0/0    0         112      0/65535  P       4095  N     300
(Profidio) (config) #
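
The PMK sync described above can be checked by cross-referencing the two outputs. The following Python check is an added example, not part of the original article or Aruba's tooling: it lists 802.1x bridge clients from "show user-table" that have no matching entry in "show gsm debug channel pmk_cache". It assumes both outputs were saved as text. The sample rows are constructed from the outputs above, with two extra clients added for illustration.

```python
import re

MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

# Constructed sample input modelled on the outputs shown above; the second and
# third users are invented for the example (one bridge client with no PMK entry).
USER_TABLE = """\
10.15.40.244  12:cc:00:00:01:00  testprasad  testAP-134-bridge-role  00:00:00    802.1x            ap134-2  Associated(Remote)  testAP-134-bridge-std-dot1x/d8:c7:c8:8b:73:11/a-HT  testAP-134-dot1x  bridge
10.15.40.245  12:cc:00:00:01:01  testuser2   testAP-134-bridge-role  00:00:01    802.1x            ap134-2  Associated(Remote)  testAP-134-bridge-std-dot1x/d8:c7:c8:8b:73:01/g-HT  testAP-134-dot1x  bridge
10.15.40.246  12:cc:00:00:01:02  testuser3   authenticated           00:00:01    802.1x            ap134-2  Associated(Remote)  testAP-134-tunnel-aes2-dot1x/d8:c7:c8:8b:73:10/a-HT  testAP-134-dot1x  tunnel
"""
PMK_CACHE = """\
state  bssid              sta_mac_address    ft  pmk_r1_name  expire
-----  -----              ---------------    --  -----------  ------
ACTV   d8:c7:c8:8b:73:11  12:cc:00:00:01:00  0                1400791359
"""

def bridge_dot1x_clients(user_table):
    """Return {(sta_mac, bssid)} for 802.1x users whose forward mode is bridge."""
    clients = set()
    for line in user_table.splitlines():
        fields, macs = line.split(), MAC.findall(line)
        # Forward mode is followed only by the optional Type and Host Name columns.
        if len(macs) >= 2 and "802.1x" in fields and "bridge" in fields[-3:]:
            clients.add((macs[0].lower(), macs[1].lower()))
    return clients

def cached_pmks(pmk_table, ok_states=("ACTV",)):
    """Return {(sta_mac, bssid)} for pmk_cache rows in an accepted state."""
    cached = set()
    for line in pmk_table.splitlines():
        f = line.split()
        if (len(f) >= 3 and f[0] in ok_states
                and MAC.fullmatch(f[1]) and MAC.fullmatch(f[2])):
            cached.add((f[2].lower(), f[1].lower()))
    return cached

def clients_without_pmk(user_table, pmk_table):
    """Bridge dot1x clients with no PMK entry for their current BSSID."""
    return sorted(bridge_dot1x_clients(user_table) - cached_pmks(pmk_table))

if __name__ == "__main__":
    for sta, bssid in clients_without_pmk(USER_TABLE, PMK_CACHE):
        print(f"no PMK cache entry: station {sta} on BSSID {bssid}")
```
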
 
Debugging to troubleshoot
 

  • logging level debugging system process ha_mgr
  • logging level debugging system sub-cat ha
  • show log all | include ha

 
Notes

  • HA is not supported for persistent bridge mode VAP and RAPs
  • Bridge Mode HA is supported only on 72xx platforms

 

 

Version history
Revision #: 1 of 1
Last update: 04-03-2015 12:42 AM