Frequent Contributor II
Posts: 124
Registered: ‎05-31-2015

Backup IPsec tunnel

We have two separate master/local controller pairs on a customer network, one at the core containing a DMZ and one at a branch office. Guests at the branch office are routed to the core through an IPsec tunnel. In the event of a failure of one of the controllers, is there a way for the core controller to bring up a new tunnel to the other branch controller? Currently I think I can only configure routing to the branch guest subnet on one tunnel. Is there any way to configure resilience in this scenario?

Diagram attached.

MVP
Posts: 226
Registered: ‎03-03-2011

Re: Backup IPsec tunnel

As per your diagram, if you are using VRRP between the core master/local controllers and the IPSEC tunnel is targeting the VRRP IP address, does this not provide the resiliency you require?

 

If not, what breaks when the master controller fails?

David
ACDX #98 | ACMP | ACCP
Frequent Contributor II
Posts: 124
Registered: ‎05-31-2015

Re: Backup IPsec tunnel

Unfortunately, you cannot configure both ends on VRRP addresses, so one end has to terminate on a static address.

MVP
Posts: 226
Registered: ‎03-03-2011

Re: Backup IPsec tunnel

 

Each edge controller should have its own IPSEC tunnel to the core controller VRRP address. In the event of a core controller failure, VRRP should handle the failover to the other controller and the tunnels should be rebuilt. 

If an edge controller fails, either VRRP or HA fast failover can handle the APs failing over to the other edge controller and the Guest traffic can utilise the IPSEC tunnel for this controller.

 

Does this make sense or am I missing something obvious?

I have done the above set-up for a customer using GRE tunnels over IPSEC and it worked without issue.

David
ACDX #98 | ACMP | ACCP
Frequent Contributor II
Posts: 124
Registered: ‎05-31-2015

Re: Backup IPsec tunnel

Each controller is configured to have a connection back to the core controller - one solid blue line and one blue dotted line. The configuration issue is at the core end - I cannot configure two tunnels with the same subnet (branch guest) routed down both. Are you saying GRE over IPsec will allow this configuration?

Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: Backup IPsec tunnel

I would consider the Tunnel Groups feature here:  http://www.arubanetworks.com/techdocs/ArubaOS_6.4.4.x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Network_Parameters/Configuring_GRE_Tunnel_Group.htm

 



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 226
Registered: ‎03-03-2011

Re: Backup IPsec tunnel

Yes. Create the same VLAN on all controllers and then add GRE tunnels between the edge controllers and the core VRRP. The tunnels can just be L2 with the Guest VLAN on them. The GRE tunnel config on the edge controllers would look similar to the below:

 

interface tunnel 1
    description "Tunnel Interface"
    tunnel mode gre 0
    tunnel source x.x.x.x
    tunnel destination y.y.y.y
    tunnel keepalive
    trusted
    tunnel vlan zzz
!

 

where x.x.x.x is the edge controller IP, y.y.y.y is the VRRP of the core controllers and zzz is your Guest VLAN number.

David
ACDX #98 | ACMP | ACCP
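
A pre-deployment check for the design described in the post above, as an added example that is not part of the original thread or Aruba's tooling: it parses `interface tunnel` stanzas and flags any tunnel that does not target the core VRRP address, lacks a keepalive, or does not carry the guest VLAN. The addresses, VLAN number and the function names `parse_tunnels` and `audit` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample config for two edge controllers; addresses are
# documentation-range values and VLAN 200 is made up, none are from the thread.
SAMPLE = """\
interface tunnel 1
    tunnel mode gre 0
    tunnel source 192.0.2.11
    tunnel destination 198.51.100.1
    tunnel keepalive
    tunnel vlan 200
!
interface tunnel 2
    tunnel mode gre 0
    tunnel source 192.0.2.12
    tunnel destination 198.51.100.2
    tunnel vlan 200
!
"""

def parse_tunnels(text):
    """Return {tunnel_id: [sub-command, ...]} for each 'interface tunnel N' stanza."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface tunnel "):
            current = line.split()[2]
            tunnels[current] = []
        elif line == "!" or not line:
            current = None          # stanza ended
        elif current is not None:
            tunnels[current].append(line)
    return tunnels

def audit(text, core_vrrp_ip, guest_vlan):
    """List (tunnel_id, finding) pairs that would undermine failover to the core VRRP."""
    vip = ipaddress.ip_address(core_vrrp_ip)
    findings = []
    for tid, cmds in parse_tunnels(text).items():
        dest = [c.split()[2] for c in cmds if c.startswith("tunnel destination ")]
        if not dest or ipaddress.ip_address(dest[0]) != vip:
            findings.append((tid, "destination is not the core VRRP address"))
        # GRE is stateless: without keepalives the tunnel stays up after the peer dies.
        if not any(c.startswith("tunnel keepalive") for c in cmds):
            findings.append((tid, "no keepalive configured"))
        if f"tunnel vlan {guest_vlan}" not in cmds:
            findings.append((tid, "guest VLAN not carried on tunnel"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "198.51.100.1", 200))
```
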
Frequent Contributor II
Posts: 124
Registered: ‎05-31-2015

Re: Backup IPsec tunnel

Sounds like a good suggestion, I will try and lab this up to see if everything works as expected.

Thanks.
