Wireless Access

New Contributor

Fast Failover Design with Guest DHCP Pools and NATTing

I have two controllers in fast failover and I want to protect guest users in the event of a controller failover to standby (FF mode). 

 

1> Can I create identical VLAN interfaces and DHCP pools in both controllers (in the fast failover pair)? Bear in mind these VLANs are not on physical interfaces and are NAT'd VLANs.

2> Do the two controllers (in the HA/FF pair) sync DHCP IP assignments, so that if the AP needs to switch to the standby, the DHCP leases of guest clients are not lost?

3> Is there a better way to handle DHCP pools for guest SSIDs with two (or more) controllers in HA FF mode, under the condition where the guest VLAN is within the controller(s) and NAT'd on another VLAN?

Scenario details related to this question:
- two 7205 controllers running AOS 6.5.4.0
- 100 APs

controller 1> The Master controller's "aruba-master" IP (controller-ip) interface is on VLAN 3: 10.10.3.1/24

controller 2> The Local controller's IP interface (controller-ip) is on VLAN 22: 10.10.22.21/24

Conditions:

> master/local IPsec is up and working fine ("show switches" on the master shows both controllers)
> HA group is up and working fine ("show ap database" shows APs on both active and standby just fine, and "show ha ap table" on both controllers shows all APs)
> sync is enabled in the HA group and controller heartbeats are configured


The AP group:

   > lms is 10.10.22.21 (local)
   > blms is 10.10.3.1 (master)

GUEST SSID:
The GUEST SSID is on VLAN 4. Both controllers have identical IPs and DHCP pools, exactly the same config for VLAN 4.
No physical interfaces are assigned to VLAN 4. Instead, VLAN 4 is NATted through VLAN 22 on the local controller and VLAN 3 on the master controller.
The captive portal is hosted on the controllers.

Let me know if I missed something that’s needed to answer this question.

 

Thx!!

Tony Molica

Re: Fast Failover Design with Guest DHCP Pools and NATTing

Your best bet is to offload DHCP from the controller since it limits you to 512 addresses only.

On one of my customer networks, I have an external DHCP server and the controllers are in HA-FF mode.

The guest network is vlan 108 on both controllers with 2 different layer 3 interface addresses. We are using Clearpass for the guest captive portal.

For #1, yes, you can create identical VLAN interfaces, but I am unsure about the DHCP pool. Your guest VLAN will require an IP address for captive portal delivery.

For #2, maybe with database synchronization enabled, but I cannot be sure. I know that client states don't sync unless you are using 802.1X. When we performed a failover between controller 1 and 2, the guests' roles did not sync, so they performed a MAC auth since they already had a session. Again, our DHCP server was not on the controller in this case.

For #3, again, you should probably look at moving your guest DHCP pool off the controller.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
New Contributor

Re: Fast Failover Design with Guest DHCP Pools and NATTing

Thanks Pasquale. If fast failover requires a guest deployment design restriction, it sure would help to document it. Argh. Thank you for the response. I'm hoping others can possibly testify to some success keeping NAT'd VLANs behind controllers and synced across failover controller pairs.

Re: Fast Failover Design with Guest DHCP Pools and NATTing

There are no such restrictions technically; there is nothing saying you can't use a DHCP server on a controller, but best practice is technically to use an external DHCP server.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Contributor II

Re: Fast Failover Design with Guest DHCP Pools and NATTing

I have a similar setup. Since my guest network is a /24, I set up a pool on each controller and restricted the usable range to a /25 on each.


#AirheadsMobile

Re: Fast Failover Design with Guest DHCP Pools and NATTing

The 7205 controllers support a maximum of 4000 leases, so you could have the DHCP on the controller.

In that case the best thing to do is to split the scope between controllers (bottom half on one and top half on the other), so that in the event of a failover you don't have duplicate IP addresses creeping in. The client subnet is NAT'd and as such can be identical.

 

As others have mentioned, the best and most scalable solution is to use an external DHCP server, BUT you should note some complications that will/can arise in your setup.

The unicast DHCP will have a src.ip of the guest VLAN interface. As this is NAT'd, you need a static route pointing to the controller for the response to get back to the controller/client. Given your controllers are in different L3 networks, this could get very complicated. These complications may mean that the simplest option is to have the DHCP on the controller.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
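As an added illustration of the split-scope advice above (this is not code from any poster in this thread, nor an Aruba tool), the following Python script plans the bottom-half/top-half split for an identical NAT'd guest subnet across a failover pair and checks that the two lease ranges cannot overlap. The thread names VLAN 4 but not its subnet, so 10.10.4.0/24 with gateway 10.10.4.1 and the controller names are constructed assumptions. The "excluded" ranges it produces are the addresses each controller's pool would have to exclude so it only leases its own slice (on a controller-hosted pool that maps to the pool's excluded-address entries; check the AOS 6.5 CLI reference for exact syntax). The split generalises to more than two controllers, which the original question also asks about.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample values (assumptions, not taken from the thread).
GUEST_SUBNET = ipaddress.ip_network("10.10.4.0/24")
GUEST_GATEWAY = ipaddress.ip_address("10.10.4.1")   # same VLAN-4 IP on both controllers
CONTROLLERS = ["local-7205", "master-7205"]         # hypothetical controller names

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def split_scope(subnet, gateway, parts: int = 2) -> List[Range]:
    """Divide the usable host addresses of `subnet` (minus the shared gateway)
    into `parts` contiguous, non-overlapping lease ranges, bottom slice first."""
    usable = [h for h in subnet.hosts() if h != gateway]
    size = len(usable) // parts
    ranges: List[Range] = []
    for i in range(parts):
        # The last slice absorbs any remainder so every address is covered once.
        chunk = usable[i * size:] if i == parts - 1 else usable[i * size:(i + 1) * size]
        ranges.append((chunk[0], chunk[-1]))
    return ranges


def excluded_for(subnet, lease_range: Range) -> List[Range]:
    """Every host address of `subnet` outside `lease_range`, compressed into
    contiguous (start, end) pairs: what a controller must exclude from its pool."""
    lo, hi = lease_range
    out: List[Range] = []
    start = prev = None
    for h in subnet.hosts():
        if lo <= h <= hi:
            continue
        if start is None:
            start = prev = h
        elif h == prev + 1:
            prev = h
        else:
            out.append((start, prev))
            start = prev = h
    if start is not None:
        out.append((start, prev))
    return out


def ranges_overlap(a: Range, b: Range) -> bool:
    return not (a[1] < b[0] or b[1] < a[0])


def plan(subnet=GUEST_SUBNET, gateway=GUEST_GATEWAY, controllers=CONTROLLERS) -> Dict[str, dict]:
    """Per-controller lease slice plus the exclusions that enforce it. Raises if
    any two slices could ever hand out the same address after a failover."""
    ranges = split_scope(subnet, gateway, len(controllers))
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            if ranges_overlap(ranges[i], ranges[j]):
                raise ValueError(f"slices {ranges[i]} and {ranges[j]} overlap")
    return {
        name: {"lease_range": r, "excluded": excluded_for(subnet, r)}
        for name, r in zip(controllers, ranges)
    }


def out_of_slice(scope_plan: Dict[str, dict], controller: str, leased) -> List[str]:
    """Audit helper: addresses a controller has leased outside its own slice,
    which is exactly the condition that produces duplicates on failover."""
    lo, hi = scope_plan[controller]["lease_range"]
    return sorted(str(a) for a in map(ipaddress.ip_address, leased) if not lo <= a <= hi)


if __name__ == "__main__":
    for name, entry in plan().items():
        lo, hi = entry["lease_range"]
        excl = ", ".join(f"{a}-{b}" for a, b in entry["excluded"])
        print(f"{name}: lease {lo}-{hi}; exclude {excl}")
```

Running it prints one lease slice per controller (.2-.127 and .128-.254 for the assumed /24) together with the exclusions each pool needs; `out_of_slice` can be fed the addresses from a controller's binding table to confirm it is honouring its half.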