Question: How do I configure VRRP (Layer 2) active-active local controller redundancy?
Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x and later.
Local controllers that terminate wired and wireless remote access points (RAPs) at the Aggregation layer use Virtual Router Redundancy Protocol (VRRP) instances for redundancy. However, they use VRRP instances in a different model than the master controllers at the Management layer. In this case, the controllers operate in what is known as "active-active" redundancy.
Using this model, two local controllers each terminate individual RAP tunnels on two separate VRRP VIP addresses. Each controller is the active local for one VIP address and the standby local for the other VIP. The controllers each terminate 50% of the AP load by specifying alternate virtual IP (VIP) addresses when configuring the Local Mobility System (LMS) IP addresses during the RAP provisioning process.
When the active VIP for either local controller becomes unreachable, the APs connected to that controller fail over to the standby local through the VRRP Standby VIP mechanism and load the standby controller to 100% capacity. Therefore, each controller must have sufficient processing power and licenses to accommodate all of the APs served by the entire cluster.
In this model, Aruba recommends that customers enable "preemption" to force the APs to fail back to the original controller when it comes back online. This is VRRP preemption, as opposed to LMS preemption. With VRRP preemption, when the VRRP instance of a controller comes back online, the controller listens for 3 times the VRRP advertisement interval, and if its VRRP priority is higher than the priority in received VRRP advertisements, the controller immediately begins advertising and becomes master. For more information on other redundancy cases, see the references at the end of this article.
The configuration for each local controller is a mirror image of the other. In the following example, the first controller is primary on 23 and standby on 24:
vrrp 23
  vlan 23
  ip address 10.200.23.254
  priority 110
  preempt
  authentication <password>
  description initial-primary-23
  no shutdown
!
vrrp 24
  vlan 24
  ip address 10.200.24.254
  priority 100
  preempt
  authentication <password>
  description initial-standby-24
  no shutdown
!
The second local controller has an opposite configuration:
vrrp 24
  vlan 24
  ip address 10.200.24.254
  priority 110
  preempt
  authentication <password>
  description initial-primary-24
  no shutdown
!
vrrp 23
  vlan 23
  ip address 10.200.23.254
  priority 100
  preempt
  authentication <password>
  description initial-standby-23
  no shutdown
!
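A pre-deployment check for the mirror-image pair above, as an added example that is not part of the original article or of Aruba's tooling: it parses both controllers' VRRP stanzas and reports mismatched VIP, VLAN or authentication settings, missing preempt, tied priorities, and an uneven split of master roles. The function names and the sample stanza are assumptions made for illustration, and the higher priority is taken to win the master role, as described for VRRP preemption above.

```python
import re

# Constructed sample stanza in this article's form; the password stays a placeholder.
STANZA = """vrrp {vrid}
  vlan {vrid}
  ip address 10.200.{vrid}.254
  priority {prio}
  preempt
  authentication <password>
  no shutdown
!
"""

def sample(p23, p24):
    return STANZA.format(vrid=23, prio=p23) + STANZA.format(vrid=24, prio=p24)

def parse_vrrp(text):
    """Return {vrid: settings} for every 'vrrp <id>' stanza in text."""
    out, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"vrrp (\d+)", line):
            cur = out.setdefault(int(m.group(1)), {})
        elif line == "!":
            cur = None
        elif cur is not None and line:
            key, _, val = line.rpartition(" ")
            cur[key or val] = val  # a bare keyword such as 'preempt' maps to itself
    return out

def check_pair(a, b):
    """Findings for two parsed controllers; an empty list means a valid mirror."""
    if a.keys() != b.keys():
        return [f"instances differ: {sorted(a)} vs {sorted(b)}"]
    findings, masters = [], [0, 0]
    for vrid in sorted(a):
        x, y = a[vrid], b[vrid]
        for key in ("vlan", "ip address", "authentication"):
            if key not in x or x[key] != y.get(key):
                findings.append(f"vrrp {vrid}: {key} missing or mismatched")
        if any("preempt" not in i or i.get("no") != "shutdown" for i in (x, y)):
            findings.append(f"vrrp {vrid}: preempt or no shutdown missing")
        pa, pb = int(x.get("priority", -1)), int(y.get("priority", -1))
        if pa < 0 or pb < 0 or pa == pb:
            findings.append(f"vrrp {vrid}: priority missing or tied")
        else:
            masters[pa < pb] += 1  # index 0 = first controller, 1 = second
    if masters[0] != masters[1]:
        findings.append(f"master roles split {masters[0]}/{masters[1]}, not evenly")
    return findings
```

Feed `parse_vrrp` the VRRP section of each controller's running configuration and treat any non-empty result from `check_pair` as a reason to hold the change.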
Local controllers typically need much more horsepower than masters, because they terminate the RAPs. This validated reference design recommends using the MMC-6000 chassis with redundant power supplies connected to at least two independent power sources and the M3 Series controller blade. Configure these controllers with a "one-armed" connection to DMZ or distribution layer switches.
For more information, see: