Introduction- The controller supports redundancy for L3 Generic Routing Encapsulation (GRE) tunnels. Starting with ArubaOS, the controller supports redundancy for L2 GRE tunnel as well. This feature enables automatic redirection of the user traffic to a standby tunnel when the primary tunnel goes down. Creating multiple L2 tunnels to the remote site may result in network loops. To mitigate this issue, tunnel group provides an active-standby mechanism where only one member tunnel is active at a time.

To enable this functionality, we must:

  • Configure the member tunnel and add them to the appropriate VLAN.
  • Enable tunnel keepalives on the tunnel interface.
  • Configure the tunnel-group and set the group type to L2.
  • Add the member tunnel to the group.

Feature Notes- Important Points to Remember:

  • When an L2 member tunnel is added to the tunnel-group, the tunnel is used for data traffic only if it is the active member in the group. Standby member tunnels do not carry any data traffic. However, all member tunnels in the group continue to send and receive keepalive packets.
  • The default value of tunnel group type is L3. When creating an L2 tunnel-group, set the tunnel-group type to L2. Only one type of member tunnels can be part of a tunnel-group, either L2 or L3.
  • All member tunnels in a group must have the same VLAN membership.
  • An L2 member tunnel can only be part of one tunnel-group. 
  • L2 tunnel-group is not interoperable with other vendors. You must setup L2 tunnel-groups between Aruba devices only.
  • Tunnel-groups are required only for the member tunnels and not for the remote end points.

Configuration Steps- Creating an L2 Tunnel Group:

A tunnel-group is identified by a name or number. You can add multiple tunnels to a tunnel-group. The order of the tunnels defined in the tunnel-group configuration specifies their standby precedence. The first member of the tunnel-group is the primary tunnel. When the first tunnel fails, the second tunnel carries the traffic. The third tunnel in the tunnel-group takes over if the second tunnel also fails. In the mean time, if the first tunnel comes up, it becomes the most eligible standby tunnel. 

We can also enable or disable pre-emption as part of the tunnel-group configuration. Pre-emption is enabled by default. The pre-emption option automatically redirects the traffic whenever it detects an active tunnel with a higher precedence in the tunnel-group. When pre-emption is disabled, the traffic gets redirected to a higher precedence tunnel only when the tunnel carrying the traffic fails.

We can configure an L2 tunnel-group using the CLI.

In the CLI
To configure an L2 tunnel-group, issue the following commands:
(host) (config) #tunnel-group <tungrpname>
(host) (config-tunnel-group)#group type l2

Answer- Example:

Following is the sample configuration:
(host) (config) #tunnel-group branch_1
(host) (config-tunnel-group)#group type l2

Verification- To view the operational status of all the tunnel-groups and its members, issue the following command:

(host) #show tunnel-group


Following is the sample output of the show tunnel-group command:

(host) #show tunnel-group
Tunnel-Group Table Entries
Tunnel Group Type Tunnel Group Id Preemptive Failover Active Tunnel Id Tunnel Members
------------ ---- --------------- -------------------- ---------------- --------------
branch_1 L2 16385 enabled 1 10 11


To view the active member tunnel and all the member tunnels of the respective tunnel-group, issue the following command:

(host) #show datapath tunnel-group

Following is the sample output of the show datapath tunnel-group command:

(host) #show datapath tunnel-group
Datapath Tunnel-Group Table Entries
Tunnel-Group Active Tunnel Members
------------ ------------- -------------------
16385 10 10 11

Troubleshooting- To view the standby member tunnels of the tunnel-group, issue the following command:

(host) #show datapath tunnel

Following is the sample output of the show datapath tunnel command:

(host) #show datapath tunnel
|SUM/| | | |
|CPU | Addr | Description Value |
| | | |
| G | [00] | Current Entries 10 |
| G | [02] | High Water Mark 10 |
| G | [03] | Maximum Entries 32768 |
| G | [04] | Total Entries 31 |
| G | [06] | Max link length 1 |
Datapath Tunnel Table Entries
Flags: E - Ether encap, I - Wi-Fi encap, R - Wired tunnel, F - IP fragment OK
W - WEP, K - TKIP, A - AESCCM, G - AESGCM, M - no mcast src filtering
S - Single encrypt, U - Untagged, X - Tunneled node, 1(cert-id) - 802.1X Term-PEAP
2(cert-id) - 802.1X Term-TLS, T - Trusted, L - No looping, d - Drop Bcast/Unknown Mcast,
D - Decrypt tunnel, a - Reduce ARP packets in the air, e - EAPOL only
C - Prohibit new calls, P - Permanent, m - Convert multicast
n - Convert RAs to unicast(VLAN Pooling/L3 Mobility enabled), s - Split tunnel
V - enforce user vlan(open clients only)
H - Standby (HA-Lite) <<<<
# Source Destination Prt Type MTU VLAN Acls
------ -------------- -------------- --- ---- ---- ---- -------------------
10 47 1 1100 0 0 0 0 0
11 47 1 1100 0 0 0 0 0
BSSID Decaps Encaps Heartbeats Cpu QSz Flags EncapKBytes DecapKBytes
----------------- ---------- ---------- ---------- --- --- ----- ------------- -----------
00:00:00:00:00:00 0 5 0 22 0 TEFPR
00:00:00:00:00:00 0 0 0 23 0 LEFPRH <<<<<

In this example, the member tunnel 11 is a standby tunnel which is denoted by the H flag.


Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.