Wireless Access

This is my first time configuring MASTER-MASTER redundancy, so I'm not sure if the behavior I'm seeing is correct for the configuration I have.

 

I have 2qty  7200 series controllers.  One is a 7210, the other is a 7240.

There are no local controllers.

 

Running AOS 6.3.1.2

 

 

See attachment Preferred Master.txt,  for vrrp config 

See attachment Backup Master.txt,  for vrrp config 

 

When I break all links to the Preferred MASTER, instead of seeing "backup" in the vrrp status it shows the following:

 

 

Virtual Router 99:
Description Preferred-Master
Admin State UP, VR State MASTER
IP Address 10.1.100.3, MAC Address 00:00:5e:00:01:63, vlan 100
Priority 120, Advertisement 1 sec, Preemption Disable Delay 0
Auth type PASSWORD, Auth data: ********
tracking is not enabled

Virtual Router 157:
Description NMS-VLAN57-Master
Admin State UP, VR State INIT
IP Address 10.1.57.3, MAC Address 00:00:5e:00:01:9d, vlan 57
Priority 120, Advertisement 1 sec, Preemption Disable Delay 0
Auth type NONE ********
tracking is not enabled

Virtual Router 205:
Description user-VLAN5-master
Admin State UP, VR State INIT
IP Address 10.1.5.3, MAC Address 00:00:5e:00:01:cd, vlan 5
Priority 120, Advertisement 1 sec, Preemption Disable Delay 0
Auth type NONE ********
tracking is not enabled

Virtual Router 206:
Description user-VLAN6-Master
Admin State UP, VR State INIT
IP Address 10.1.6.3, MAC Address 00:00:5e:00:01:ce, vlan 6
Priority 120, Advertisement 1 sec, Preemption Disable Delay 0
Auth type NONE ********
tracking is not enabled

Virtual Router 207:
Description user-VLAN7-Master
Admin State UP, VR State INIT
IP Address 10.1.7.3, MAC Address 00:00:5e:00:01:cf, vlan 7
Priority 120, Advertisement 1 sec, Preemption Disable Delay 0
Auth type NONE ********
tracking is not enabled

 

 

Also notice that I do not have preemtion enabled. 

However, when I reconnect the links to the Preferred MASTER, the Preferred Master takes back over as the MASTER again.  I would expect the units to not switch back to the initial state given preemtion is not enabled.

 

I'm not sure if I'm missing a key configuration for my topology.

I've tried putting in preemption and also tracking on the vrrp 99.  No difference in behavior.

 

I also have centralized licensing enabled if that makes a difference.

 

The controllers are hooked to 2 Aggregration switches by LAG/LACP 10GigE DAC.

The aggregation switches are peered with MLAG/VPC link between them.  The aggregation switches also use vrrp.

 

Regards,

Colin

#7210
#7240

 

Are you trying to setup redundancy for your APs ? 

Do you want to have Active / Standby controllers ?

 

In reality if you need redudancy between a master/backup all you need is your master-redundancy configured

 

Master config:

vrrp 100

ip address 192.168.100.3

vlan 100

priority 150

!

master-redudancy 

master-vrrp 100

peer-ip-address 192.168.100.2 ipsec <key>

 

Master Backup:

vrrp 100

ip address 192.168.100.3

vlan 100

priority 110

!

master-redudancy 

master-vrrp 100

peer-ip-address 192.168.100.1 ipsec <key>

 

 

And then use the VRRP VIP under the AP System Profile

 

 

 

 

Victor,

 

I have the other vrrp configured for two reasons.

 

1. I have multiple user vlans, and use the dhcp internal to the controller.  On the dhcp, I use the vip of the individual vlans as the gateway.  So I need vrrp for each user vlan if I'm thinking correctly

 

2. I have a vlan just for NMS. I have airwave and another vendor's NMS on this VLAN.  I point the NMS to the vip.

 

 

Question:

Does the fact I have multiple vrrp for the user and NMS VLANs affect the MASTER/BACKUP behavior?

 

Regards,

Colin

---

@Colin_King wrote:

 

Victor,

 

I have the other vrrp configured for two reasons.

 

1. I have multiple user vlans, and use the dhcp internal to the controller.  On the dhcp, I use the vip of the individual vlans as the gateway.  So I need vrrp for each user vlan if I'm thinking correctly

 

2. I have a vlan just for NMS. I have airwave and another vendor's NMS on this VLAN.  I point the NMS to the vip.

 

 

Question:

Does the fact I have multiple vrrp for the user and NMS VLANs affect the MASTER/BACKUP behavior?

 

Regards,

Colin

---

Colin,

 

I will try to help you, because your name is Colin and you only spell it the right way, with only one "l". :)

 

1.  You should always have DHCP external to the controller

2.  You should always have an external router be the default gateway to your users

3.  The VRRP should  be deployed as a redundant ip address for access points to find the controller, NOT on the user VLANs.

 

Why?

 

1.  You don't have the issue of losing your DHCP or half of your scope when a controller goes down.  If a controller goes down the external DHCP will work fine and give users their same ip address back, for seamless failover.

2.  Having an external router or layer 3 switch as the default gateway of the clients, means that you can leverage the redundancy of your wired network without even trying.  The controller would simply be bridging users to a wired VLAN that already has your level of redundancy built into it.

3.  The VRRP is mandatory for Master/back up master functionality, but also doubles as the LMS-IP or the HA address that the access points to go look for their controller.  Any other HA on user VLANs should be done by simply bridging the users to the same wired VLAN on both controllers and if your wired VLAN has HSRP or VRRP between two layer 3 switches, that is the default gateway for your clients.

 

cjoseph,

 

Thanks for the info.  And hopefully you pronounce Colin the right way, not like some famous general in the news/politics.  :)

 

 

I agree with everything you said.

I have to say that my setup is a proof of concept.  Not actual production.  

But, I'll be writing a reference architecture paper off of it.  I'm assuming DHCP placement is somethig the reader will make their own decsion on.    

I can implement all of you recommendations at a later time.  I'm concerned there is a bug, or that my config is off.  Or possibly the peered switches are contributing.  

So my main objective is to see if any else is seeing this with the same config and AOS version.  

 

 

 

For a quick test, I shutdown all the vrrp configurations except the main one on the controller ip.

(This is to simulate that I'm moving the gateway's down to the router like you recommended)  

 

I still get the same behavior.

 

 

My config for the preferred Master is now:

 

 

master-redundancy
master-vrrp 99
peer-ip-address 10.1.100.12 ipsec 6869838c08ccd8325e95edf5075a4b7fba7146e3daa8c2b4
!
vrrp 99
priority 120
authentication password
ip address 10.1.100.3
description "Preferred-Master"
vlan 100
no shutdown

 

 

Config for the Backup is:

 

master-redundancy
master-vrrp 99
peer-ip-address 10.1.100.11 ipsec 676bce1c2a29f4c6113f982653d0341c1dbb9f98babcda3b
!
vrrp 99
authentication password
ip address 10.1.100.3
description "Backup-Master"
vlan 100
no shutdown
!

 

 

I still have the Preferred Maset showing Master when all the links are removed.

It still takes back the MASTER control when reconnected, even though preemption is not enabled.

 

 

Regards,

Colin

 

 

 

On each controller, do this:

Config t
Logging level debugging network.

When you test fail over do "show log network 50" after to see what is going on

 

 

only line of interest looks to be:

 

Feb 28 16:35:25 :208008: <INFO> |fpapps| No change in the Vlan Interface 100 state UP Can't Change Vlan Interface state to Down, Vlan Has Switch IP

You may have to do a "show log network all | include vrrp"  It looks like that is a fairly busy switch and it only has one second of data.

 

ok, better info this time.  See attached.

 

These are just for the Preferred MASTER, directly after the failure is implemented.

 

Note: the other vrrp instances are still in the logs since I only shutdown the config, I did not completely delete the vrrp from the config.

 

So I'm assuming since vrrp 99 is the only one that is active, then that's the one to look at in the logs.

 

 

I just re-read your initial post.  

 

When a VRRP instance comes up, it is in "init".  It looks for two seconds to see if an instance is advertising itself as master.  If not, it makes itself the master.  Simply separating the link between one VRRP and another creates a separation which will make both of them master.  The only way one instance will make itself backup, is if a master is already advertising itself.

 

We can get into preemption in a second...

Well, in my first implementation I had a problem because the routers on the existing LAN were already running VRRP. And as a "good practice", everyone sets the VRRP ID to the VLAN number. So I end up having 4 VRRP instances, same VRRP ID, diferent VIPs. Also, consider that VRRP will depend on multicast.

 

If you have 2 controllers being the master for the same VRRP it is for sure because they can't see each other (multicast? firewalls? bad config on VLAN tagging on the uplink?). But in this case you should also see the efects of "brain split" where both controllers would "think" they are controlling the network.

 

Mo

You can put a "password" or key on each VRRP so even if the number matches something else in the infrastructure, it will ignore VRRP advertisements unless they key on the other side is the same.

True! But if you don't, then you can have something like being reported.

 

Mo

 

Couple things from the previous posts:

 

As you may have seen in my config, I used Vrrp 99 on my VLAN 100.  As mentioned, most people call the vrrp the same as the vlan number.  In my case the switch I was used was translating the vrrp number into mac addresses for the vip's.  So when I had a vrrp as 100 on the controller and the switch, there was 2 identical mac addresses.  All sorts of routing confusion.  Making sure the vrrp numbers were different solved the issue for me.

 

 

Second, if I'm reading it right, if the controller loses conneciton, it's expected behavior they will both think they are Master?  I could live with that, except for the issue I have with preemtion.  Is there any way around that?  Should I place a 1 GigE link between the conntrollers for the purpose of only having them track MASTER status and to force the disabled preemption?

 

Regards,

Colin

 

Colin,

 

There are two possible scenarios here:

 

1 - If the only existing Ethernet port running the VLAN 100 went down, then VRRP will also go down as the VLAN will go down.

2 - If the VLAN has any active port, then the VLAN will not go down and so VRRP will be active. If it finds no neighbor, then it will become tha master of the VRRP instance.

 

If, for somehow, VRRP A can not see VRRP B, then it will make itself the owner on the VIP. Depending on your physical design you make "track" an uplink to prevent this.

 

Mo