Controllerless Networks

Contributor II
Posts: 111
Registered: ‎10-04-2012

can you terminate Instant clusters on the VC address

We have a customer with several Instant clusters with VPN tunnels back to an Aruba 6000.

We appear to have a problem whereby clients associated to the master get pushed down the tunnel are ok.

If clients are associated to any of the other APs in the cluster they appear to work.

I was wondering if you could terminate on the VC??

REGARDS

Pete

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: can you terminate Instant clusters on the VC address

I'm not sure I understand but the VC is the device terminating the VPN tunnel to the 6000.  Not any other AP in the cluster.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Contributor II
Posts: 111
Registered: ‎10-04-2012

Re: can you terminate Instant clusters on the VC address

Hi Seth,

That's what I thought but it appears to be terminating on the master!!

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: can you terminate Instant clusters on the VC address

The master is your VC

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Contributor II
Posts: 111
Registered: ‎10-04-2012

Re: can you terminate Instant clusters on the VC address

Hi Seth,

What is happening is that the VPNs are up and visible to the central controller.

There are two or three IAPs in the cluster; however, it is only clients that are associated to the master IAP that are getting their traffic pushed down the VPN tunnel.

I am sure it's a config thing but TAC have checked the config and say it's ok.

The IAPs are connected to an access port on a switch but the guest VLAN is pushed down the tunnel.

So no need to make the ports trunk ports.

I am at a bit of a loss.

cheers

Pete

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: can you terminate Instant clusters on the VC address

Ah!!!  The VLAN that is being used for the DHCP profile for the VPN traffic MUST be trunked on the wired network between the master IAP and the other IAPs

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
MVP
Posts: 735
Registered: ‎12-01-2010

Re: can you terminate Instant clusters on the VC address

Otherwise each iAP will have to build its own tunnel.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: can you terminate Instant clusters on the VC address

That can only happen if each AP is in standalone mode...thereby defeating the purpose of IAPs and virtual controller clusters.

I wouldn't recommend that.  If you are using VPN, make sure the LAN is set to have that VLAN ID trunked between all IAPs at the site.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
MVP
Posts: 735
Registered: ‎12-01-2010

Re: can you terminate Instant clusters on the VC address

I don't quite agree. I have a remote office from which I GRE-tunnel the guest-wireless VLAN back to HQ for internet handoff. The DHCP and routing for the Internet connection is past the master controller at the HQ.

The solution per TAC was to trunk the VLAN throughout the remote office or set up a tunnel for each iAP. Security concerns said no trunking, so...

The cluster has just one tunnel configured, but the 3600 at headquarters has one tunnel defined for each iAP.

(Messy in my opinion, but it's working fairly well)

--Matthew

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: can you terminate Instant clusters on the VC address

If you could paste your IAP config, I'd appreciate it.  I might have to ahem - edit - my last statement!

Thanks for the info!

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com