Controllerless Networks

I am trialling some monitoring of an Instant deployment on 6.2.1.0-3.4.0.4. We are trying to do some remote snmp polling, however it seems that the VC address does not respond to snmp. If I use the address of the master AP it's ok, but the problem is the APs are on DHCP and behind a NAT gateway so we don't know what address the master will have and we won't have nat translations set up if it changes.

Can you configure the VC to respond to snmp or is there another workaround to this?

regards

B

If you have a NAT boundary, you should use Airwave to monitor those access points.

https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/What-protocol-does-Aruba-Instant-APs-use-to-communicate-with-the-Airwave-server

Hi cj,

Bit confused about this answer mate. This is nothing to do with airwave, separate NMS system for graphing parts of the mib not shown in airwave.

This is just a general question about IAP. The snmp service appears not to listen on the VC address, is this configurable or fixed in newer code?

cheers,

B

BGC IT,

What I should have said is that there is no evidence that SNMP for any devices (much less Aruba devices) can be supported over a NAT boundary from a protocol perspective.  I was proposing Airwave an alternative, where you can monitor an IAP through a NAT boundary on port 443.

No evidence? :smileysurprised: I do it all the time. You just set up port forwarding. In fact on this customer I am polling a bunch of stuff including Aruba kit. For example to remote poll a mobility switch I poll the gateway IP on port 10761 which port forwards to the switch ip on port 161. 

Understand now you're proposing an alternative but the only issue seems to be which interfaces the IAP is listening for snmp on. There is a published MIB for IAP so I am sure we are expected to use it :)

BGC IT,

If you can get it to work with all of the IAPs that is awesome.  Doing this for awhile I realize that it is not worth it for me to encourage anyone to do something that is not supported or tested, because there is no telling when that functionality will be suddenly blocked or revoked without warning.  I always offer the scalable approach so that there are no problems later with the OP or anybody who would read what I am saying years after.  With that being said, I will allow others who have ideas on how this would work to contribute their opinions.

SNMP most definitely is supported on every single Aruba device I am aware of and always has been.

I don't understand the distinction you are making. Anything that applies to IP through a NAT gateway also applies to SNMP. 

Moreover the problem is there with or without the traffic going through a NAT gateway. The central problem is not knowing for sure which AP is the virtual controller at any time and therefore which address to poll.

BGC IT,

It is not me saying it.  It is others:

-- "You can deduce from this very basic description that many MIBs can contain one or more IP addresses. Because of the many messages, formats, and variables possible with SNMP, NAT cannot easily examine the contents of an SNMP message for IP addresses. Therefore, NAT does not support the translation of IP addresses within SNMP messages."

No-one is talking about translating the IP address WITHIN SNMP messages. Read again that quote you pasted in with no source. WITHIN the SNMP message. Not applicable. In fact way off the mark.

Please take some time to fully understand the problem if you're planning on commenting further, or ask for some clarification. 

BGC IT,

This is exactly why you are having the problem you are having.  If you poll a VC over NAT on SNMP, the VC will return private addresses for the other access points to your NMS.  If your NMS even knows how to handle the reurned addresses, it will blindly poll for the private addresses returned and fail.   For other protocols that pass a firewall boundary, the firewall will fix this up and pass a translated address.  SNMP is not one of those protocols, because it is not easy to implement over NAT for multiple devices, much less be "fixed up" by a firewall.

Later when your NMS references those private addresses, they are not translated or "fixed up" by the firewall, so that the NMS ends up attempting to poll private addresses.  The quote that I reference was from a Cisco Press book here:  http://www.ciscopress.com/articles/article.asp?p=25273&seqNum=3 

Nope, this is not the problem I am having.

I don't want to poll all IAPs based on information returned from the VC. I want to poll the VC itself. I can very easily poll the IAP address of the VC (or any other IAP if I wanted to). But these IPs changes from time to time. I cannot poll the virtual address itself. 

NAT is really irrelevant to this problem. I only mentioned it as an illustration of one reason why it is difficult to deal with dynamic IP addressing on IAPs if there was no consistent IP to the poll the VC on - because of the problem of maintaining static port forwarding for a changing IP.

The latest software appears to have a 'preferred master' option to increase your chances of finding the current VC however this is not really a solution. An ideal solution would be for the VC to listen to snmp on it's virtual address.