
vrrp for user vlan

  • 1.  vrrp for user vlan

    Posted Mar 06, 2016 08:34 AM

    Dear Aruba Guys,

    I have a question, and I think my deployment is not best practice, so I hope someone can help me with this scenario; I will be happy to hear any recommendations for our deployment.

    We have two controllers (master/master-backup) with 6 SSIDs.

    DHCP and the gateways are on the controller.

    I think we must configure VRRP for each VLAN (the management VLAN for redundancy, and VRRP for each user VLAN).

    When I configured VRRP for a user VLAN, it still shows VRRP operational state = Master on both controllers.

    Thanks in advance

    Regards,



  • 2.  RE: vrrp for user vlan

    EMPLOYEE
    Posted Mar 06, 2016 11:03 AM

     

    How many access points do you have and why do you need 6 SSIDs?



  • 3.  RE: vrrp for user vlan

    Posted Mar 06, 2016 12:31 PM

    Dear Colin,

    Hope you are in good health and good mood.

    I am writing instead of Omar, he seems offline.

    We have 72 access points distributed across branch offices and show rooms (customer service).

    These SSIDs are as follows:

    2 for Employees (1 with internet access only and one for getting into the enterprise network)

    1 for Business customers

    1 for high management

    1 for HQ Guests

    1 for show room guests

    And each SSID uses a different VLAN and a different method of authentication.

    Your kind advice.



  • 4.  RE: vrrp for user vlan

    EMPLOYEE
    Posted Mar 06, 2016 03:50 PM

    Okay. Each SSID that you broadcast decreases performance. That is why I was asking.

    You should use a layer 3 switch to be the default gateway of your clients....NOT the controller. You should also use an external DHCP server instead of the controller.

    Why? Because a layer 3 switch will present a consistent default gateway if a controller fails. The client will know the default gateway and that will not change when there is a controller failure. You should use an external DHCP server, so that when a client fails over to a second controller, the lease table will be consistent, and that client can use the same IP address. If you host DHCP on the controller, both controllers will attempt to provide DHCP for each request, so they must be deployed with a "split scope" to avoid conflicts. External DHCP servers are also more flexible than the DHCP server that is in the controller.

    You should still have a VRRP between the master and backup master's management address and point your access points at that IP address using DNS discovery (aruba-master.<domain>.com).



  • 5.  RE: vrrp for user vlan

    Posted Mar 06, 2016 04:54 PM

    @cjoseph wrote:

    Okay. Each SSID that you broadcast decreases performance. That is why I was asking.

    You should use a layer 3 switch to be the default gateway of your clients....NOT the controller. You should also use an external DHCP server instead of the controller.

    Why? Because a layer 3 switch will present a consistent default gateway if a controller fails. The client will know the default gateway and that will not change when there is a controller failure. You should use an external DHCP server, so that when a client fails over to a second controller, the lease table will be consistent, and that client can use the same IP address. If you host DHCP on the controller, both controllers will attempt to provide DHCP for each request, so they must be deployed with a "split scope" to avoid conflicts. External DHCP servers are also more flexible than the DHCP server that is in the controller.

    You should still have a VRRP between the master and backup master's management address and point your access points at that IP address using DNS discovery (aruba-master.<domain>.com).


    So, as I now understand from you, to ensure a consistent gateway for users in case the primary controller goes down we must use an external router; that means there is no way to configure VRRP in the user VLAN.

    And regarding DHCP split scope, is it supported by the Aruba Mobility Controller? If yes, could you please share a configuration guide.

    Anyway, nowadays we are in the proof-of-concept phase, and I would like to thank you for your explanation and recommendation.



  • 6.  RE: vrrp for user vlan
    Best Answer

    EMPLOYEE
    Posted Mar 06, 2016 06:16 PM

    You can configure a VRRP in the user VLAN(s) and configure that for every VLAN on the controller, but that is a lot to manage.

    Split DHCP scope only means that on each controller you exclude the top half or bottom half of the DHCP range so that both controllers are not giving out the same IP addresses; because that would cause a conflict if they gave out the same IP addresses.

    It is much easier to manage all your scopes on an external DHCP server instead of setting up 2 scopes on each subnet on a controller. It is also easier to have the default gateway of your clients be an external router interface, rather than set up two VRRP instances on each controller for each user subnet. If you don't have a captive portal on a VLAN, you don't need an IP address on a VLAN on the controller; that would save you more time...
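
The split scope described in the answer above, worked through as an added example that is not part of the original post and is not Aruba configuration. The controller names, the subnets and the `reserved_low` parameter are assumptions made for illustration; the last check shows why a lease taken from one controller cannot be renewed by the other.

```python
import ipaddress

def split_scope(cidr, reserved_low=3):
    """Split one user subnet's DHCP pool between two controllers.

    reserved_low (assumed) = addresses kept out of DHCP at the bottom of the
    subnet, e.g. the two controller interfaces and a VRRP virtual IP.
    """
    net = ipaddress.ip_network(cidr)
    first = net.network_address + 1 + reserved_low
    last = net.broadcast_address - 1
    if first >= last:
        raise ValueError(f"{cidr} is too small to split")
    mid = first + (int(last) - int(first)) // 2
    lower, upper = (first, mid), (mid + 1, last)
    # Each controller serves one half and excludes the other half.
    return {
        "controller-a": {"serves": lower, "excludes": upper},
        "controller-b": {"serves": upper, "excludes": lower},
    }

def can_serve(plan, controller, ip):
    """True if `controller` is allowed to hand out or renew `ip`."""
    lo, hi = plan[controller]["serves"]
    return lo <= ipaddress.ip_address(ip) <= hi

def scopes_conflict(plan):
    """True if the two controllers could ever offer the same address."""
    (a_lo, a_hi), (b_lo, b_hi) = (plan[c]["serves"] for c in plan)
    return a_lo <= b_hi and b_lo <= a_hi

if __name__ == "__main__":
    # Constructed sample: VLAN ids and subnets are not from the thread.
    user_vlans = {20: "10.10.20.0/24", 30: "10.10.30.0/23"}
    for vlan, cidr in user_vlans.items():
        plan = split_scope(cidr)
        assert not scopes_conflict(plan)
        for name, halves in plan.items():
            lo, hi = halves["excludes"]
            print(f"vlan {vlan} {name}: exclude {lo} - {hi}")
    # A client leased .50 from controller-a; after failover controller-b
    # cannot renew it, because .50 sits in controller-b's excluded half.
    plan = split_scope("10.10.20.0/24")
    print(can_serve(plan, "controller-b", "10.10.20.50"))
```
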



  • 7.  RE: vrrp for user vlan

    Posted Mar 08, 2016 12:57 AM

    But when I configured the virtual router related to VRRP for the user VLAN, it did not work, and it seems there is no way to configure a peer IP address except for the management VLAN for HA between the controllers.



  • 8.  RE: vrrp for user vlan

    Posted Mar 08, 2016 05:59 AM

    Hi Colin,

    Sorry for this, the issue related to VRRP is solved.

    It was a routing and switching issue.

    Many thanks for your awesome cooperation.

    Have a nice day,



  • 9.  RE: vrrp for user vlan

    EMPLOYEE
    Posted Mar 06, 2016 03:57 PM

    @Mahmoud Azem wrote:

    Dear Colin,

    Hope you are in good health and good mood.

    I am writing instead of Omar, he seems offline.

    We have 72 access points distributed across branch offices and show rooms (customer service).

    These SSIDs are as follows:

    2 for Employees (1 with internet access only and one for getting into the enterprise network)

    1 for Business customers

    1 for high management

    1 for HQ Guests

    1 for show room guests

    And each SSID uses a different VLAN and a different method of authentication.

    Your kind advice.


    You have 2 SSIDs for Employees - If your policy does not allow internal users to connect to the internet, maybe you should have your employees connect to the guest network for internet access, so that you do not have to broadcast two employee SSIDs.

    If your business customers can only get to the internet using the "Business Customer" SSID, they should just get on the guest network, right?

    What access does high management have that is different from the Employee SSID? Maybe they should use the employee SSID...

    The show room guest SSID, does it provide more than internet access? Maybe the showroom guest should just connect to the guest SSID...