Frequent Contributor II
Posts: 110
Registered: ‎01-25-2013

IP Dependent Backup Scenario

Hey Airheads,

I'm trying to POC a backup solution for the company I work for and I'm having a bit of an issue coming up with a viable solution. I feel as though I have parts of the solution, but not the entire solution. It utilizes part of an LMS and L3 mobility solution, but each solution by itself won't cut it. Let me explain.

Let's say, for example's sake, that I have 4 locations: Location A, B, C, and D. Each location is as follows:

Location A (10.100.(vlan).(supplicant) on a /23 or /24)

Controller: 7000 Series (Active Master and LMS Controller)

VLAN 10: 10.100.10.x (Employee-SSID_prof / Employee-aaa_prof)

VLAN 11: 10.100.11.x (Employee2-SSID_prof / Employee2-aaa_prof)

VLAN 12: 10.100.12.x (Voice-SSID_prof / Voice-aaa_prof)

AP-Group: LocA-AP-Group

#show ap essid

Employee

Employee2

Voice


Location B (10.101.(vlan).(supplicant) on a /23 or /24)

Controller: 3000 Series (Active Master pointing to Controller A for LMS)

VLAN 10: 10.101.10.x (Employee-SSID_prof / Employee-aaa_prof)

VLAN 11: 10.101.11.x (Employee2-SSID_prof / Employee2-aaa_prof)

VLAN 12: 10.101.12.x (Voice-SSID_prof / Voice-aaa_prof)

AP-Group: LocB-AP-Group

#show ap essid

Employee

Employee2

Voice


Location C (10.102.(vlan).(supplicant) on a /23 or /24)

Controller: 3000 Series (Active Master pointing to Controller A for LMS)

VLAN 10: 10.102.10.x (Employee-SSID_prof / Employee-aaa_prof)

VLAN 11: 10.102.11.x (Employee2-SSID_prof / Employee2-aaa_prof)

VLAN 12: 10.102.12.x (Voice-SSID_prof / Voice-aaa_prof)

AP-Group: LocC-AP-Group

#show ap essid

Employee

Employee2

Voice


Location D (10.103.(vlan).(supplicant) on a /23 or /24)

Controller: 3000 Series (Active Master pointing to Controller A for LMS)

VLAN 10: 10.103.10.x (Employee-SSID_prof / Employee-aaa_prof)

VLAN 11: 10.103.11.x (Employee2-SSID_prof / Employee2-aaa_prof)

VLAN 12: 10.103.12.x (Voice-SSID_prof / Voice-aaa_prof)

AP-Group: LocD-AP-Group

#show ap essid

Employee

Employee2

Voice


Let's assume that Location A's controller is serving as the backup controller for the other locations, and has all AP-Groups created on it (LocA-AP-Group, LocB-AP-Group, LocC-AP-Group, LocD-AP-Group).

Let's also assume that each location has specific application servers, and that the supplicants are IP dependent. If Location B's controller goes down, the APs at Location B will reference the IP address of the LMS controller (in this case, Location A) and, if they find their AP-Group, will start broadcasting again. Once the APs rebootstrap and come up, supplicants will rejoin and get connected. However, the supplicants will now have new IP addresses in the same address space as Location A, NOT their own home location. Also, since non-unique VLANs are in use at each location, if more than one site fails over, all will share the same address space, which may or may not be desired. This is where, I believe, L3 Mobility comes into play.

With L3 Mobility, I can have all Location(x) controllers join the same mobility group and, using the home and care-of features built into it, allow supplicants access to their home resources from different locations. However, I think that solution depends on the home controller being up; what happens if it goes down? From what I understand, whatever controller is serving as the LMS backup controller for all other locations needs to have all AP-Groups within it, but how do you accomplish that? I found that using unique VLANs for each desired SSID would work, as detailed in the L3 Mobility VRD. The example below will simply be for the controller serving as the main backup controller for each location (Location A):


LocA-AP-Group

VLAN 10
VLAN 11
VLAN 12

LocB-AP-Group

VLAN 100
VLAN 110
VLAN 120

LocC-AP-Group

VLAN 200
VLAN 210
VLAN 220

LocD-AP-Group

VLAN 300
VLAN 310
VLAN 320

(I realize that using VLANs that spread out isn't a good idea typically, but it'll serve for the above listed example.)

So, if Location C fails over to Location A's controller, supplicant devices will now route out of Location A's network on VLANs 200, 210, and 220.

This is where it gets hazy for me.

L3 Mobility relies on the controllers actually being up in order to work, and LMS failover will allow those APs to move over to the new controller, but it won't take the new VLANs into account. I suppose that if Controller A has the AP-Groups set up how I have them listed above it won't matter too much, but will L3 Mobility be needed at that point? Setting up the IP profiles for the different VLANs with their respective DHCP IP helper addresses will help supplicants get the right IPs, but will that "parent" VLAN need to be tagged on Location A's router(s) / switch(es), as well as at its home location? Also, what if there were a hundred locations? Would the LMS master-controller (we'll call it) need to have hundreds of VLANs added to it? Some of my constituents have asked me to find a simpler solution, but I'm not sure if there is one since we're using non-unique VLANs. Anyway, another set of eyes / brain would help me in figuring this out.

Thank you in advance!

 

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: IP Dependent Backup Scenario

L3 mobility is definitely out. It isn't designed to be a redundancy solution.

Have you considered using named VLANs? You can assign the VLAN name to the VAP and then each controller can have different VLANs mapped to that name/tag.

Also, what forwarding mode are you using? Sounds like tunnel?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 110
Registered: ‎01-25-2013

Re: IP Dependent Backup Scenario

Hey Tim,

Thanks for the fast reply.

I haven't looked at "named VLANs" yet, but it sounds promising. I'll have to read about it. Would this enable supplicants from Location C connecting to failed-over APs to still reach their local resources? Also, what impact would this have on the routers in place at each location? Would the local router have to have the sense to stop forwarding controller traffic to the downed controller, and have Location A's router pick it up? Is this possible? Does it even happen this way?

How would I check the forwarding mode? I believe it's tunnel, but it could be something else. I feel like I should know this ...

Thanks

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: IP Dependent Backup Scenario

The only way they'd have access to the same resources would be if the resources were routable from the network at the backup location.

Your other option would be to use bridge mode, which keeps traffic local to the AP, but you'll want to do some research before making that change, as there is some functionality you lose.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
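To make the two suggestions in Tim's replies concrete, here is an example ArubaOS (6.x-style) configuration fragment for the named-VLAN approach and for checking or changing the VAP forwarding mode. This is an added illustration written for this page, not configuration posted by anyone in the thread or taken from an Aruba document. The VLAN IDs, profile names and site layout are the ones the original post describes; the exact `show` command output wording, and the `vlan-name` / `vlan <name> <id>` mapping syntax, are my recollection of the CLI and should be confirmed against the controller's own `?` help before use.

```text
! ---- Location A controller (the LMS backup for B, C and D) ----
! Each site keeps ONE set of VLAN names. The name is what the VAP
! references; the ID it maps to is local to each controller, so
! Location A does not need VLAN 100/110/120, 200/210/220, ... for
! the other sites' AP-Groups.
vlan 10
vlan 11
vlan 12
vlan-name Employee
vlan Employee 10
vlan-name Employee2
vlan Employee2 11
vlan-name Voice
vlan Voice 12

! ---- Location B controller: same names, its own local IDs ----
! (here also 10/11/12, but they could just as well be 100/110/120;
! the VAP configuration below does not change either way)
vlan-name Employee
vlan Employee 10
vlan-name Employee2
vlan Employee2 11
vlan-name Voice
vlan Voice 12

! ---- Identical VAP profile on every controller in the design ----
! Clients land in whatever VLAN "Employee" maps to on the controller
! that is currently terminating the AP. After a failover to A that is
! A's VLAN 10 / 10.100.10.x, which is why (per Tim's second reply) the
! site's application servers must be routable from A's network.
wlan virtual-ap "Employee-SSID_prof"
   aaa-profile "Employee-aaa_prof"
   vlan Employee
   forward-mode tunnel

! ---- Answering "how would I check the forwarding mode?" ----
! Assumed: the VAP profile display includes a "Forward mode" line.
show wlan virtual-ap "Employee-SSID_prof"

! ---- Bridge-mode alternative Tim mentions ----
! Client traffic exits the AP's wired port into the site's own VLAN
! instead of being tunnelled to the controller, so it survives a
! controller failover with a local address. Trade-off: features that
! need the controller to see the traffic (firewall policy, etc.) are
! reduced; research this before changing it.
wlan virtual-ap "Employee-SSID_prof"
   forward-mode bridge
```

With this layout the question in the original post about "hundreds of VLANs on the master" goes away for the named-VLAN case: the backup controller carries only its own VLANs plus the shared names, and the per-site AP-Groups reference the same VAP profiles. What it does not do is give a failed-over client an address from its home site; that is the routing caveat Tim raises.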
Frequent Contributor II
Posts: 110
Registered: ‎01-25-2013

Re: IP Dependent Backup Scenario

OK, which means a whole lot of VLAN creation on the master (unless named VLANs solve that), but I'll still have to trunk all of those VLANs, right? And add the appropriate "parent" VLANs at their respective locations?
