Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Master redundancy (VRRP) and DHCP.

  • 1.  Master redundancy (VRRP) and DHCP.

    Posted Aug 27, 2012 08:45 AM

    Hello everyone

     

    I have a particular setup I want to discuss/get input from the community on. I have a customer in the works of moving from a VPN infrastructure to use Aruba and RAP-5. The customer has many offices geographically spread across our country. For the moment it's about 40-50 very small offices.

    We now have a RAP-5 in place at all the offices, running fine with WLAN and using the Ethernet ports for printers etc.

     

    The customer has insisted on having a separate IP subnet for WLAN and cable on each site. This totals a lot of VLANs, and the customer also wants to use Aruba as DHCP for these VLANs. The reason for using Aruba as DHCP is that the customer doesn't have a good infrastructure behind at the moment, but is moving to a full AD, RADIUS etc.

    They also want to have separate VLANs for WLAN/cable for each site, for easier troubleshooting. If a customer with the given IP is having problems they will instantly know which location the problem is at. I have told them that this is not an optimal solution, both VLAN wise and DHCP wise.

     

    They have 2 3x00 controllers which shall be in a master-standby setup when things are up and running. But because of the sheer number of VLANs and especially DHCP scopes, I see a problem when running controllers in VRRP.

    The DHCP scopes with 254 hosts are clearly overkill at each location, but for the standby to work correctly and not having 2 DHCP servers on the same VLAN, what is the recommended setup for this?

    If the master fails, the standby should have the same VLAN and same scope so that users can reach their local printer etc.

    I know this is not the ideal setup and I have made that clear to the customer, but as we know the customer always is correct :D

    I was thinking about splitting the scope in 2, putting the 2 parts on each controller.

    The real problem is that I might need to add one VRRP instance for each DHCP scope to have a VRRP IP for each DHCP to use as gateway.

     

    Hope anyone can brainstorm a bit with me to setup this in a somewhat sensible way.

     

    Roar Fossen

     

     



  • 2.  RE: Master redundancy (VRRP) and DHCP.

    EMPLOYEE
    Posted Aug 27, 2012 09:08 AM

    Okay.

     

    How many devices at each site?  Maybe the rule can be that only sites that rise above "x" number of clients deserve their own VLAN.  When a device or user associates to the WLAN, it says what AP they are connected to, so there is less value to dedicating a VLAN to each site, creating a vrrp, etc...

     

    The customer should use an external router at the headend site for routing because it is simpler to manage.

     

    If you have two controllers that use master-standby through a firewall, the firewall will NOT allow you to do a static NAT to a VRRP.  You will have to use an external DNS A record, pre-populate the A record with two addresses, and point the AP to that A record externally for redundancy.  Each controller will require its own statically NATted public address.

     

    Aruba has written a Validated Reference Design on Remote APs.  It can be found here:  

    http://www.arubanetworks.com/technology/reference-design-guides/

     

    It has quite a few ideas about how to deploy Remote APs that you can use, in addition to what others will answer here.

     

     



  • 3.  RE: Master redundancy (VRRP) and DHCP.

    Posted Aug 27, 2012 09:41 AM

    Hi

     

    Well, the number of devices at each site is very low, I would guess about 5 devices, most of them on cable behind the RAP-5. The customer is a company changing your front window on your car, so most of the users are just a few computers.

    On the WLAN it's mostly customers waiting for their car, so the guest network is in the air, but this network has only one VLAN and one DHCP scope.

     

    All the RAPs use a URL (no IP) for getting back to the designated master controller, so this part is covered with two firewalls, because the controllers will be placed at 2 geographically separated sites. So this bit I'm not concerned about.

     

    Ideally I would like to use one VLAN for the employee WLAN and one VLAN for cable serving employee computers and printers, and in turn only one DHCP scope for each VLAN as well, but the customer is not convinced yet. They do have an evaluation of AirWave, so troubleshooting should not be a problem, location wise.

    The point of this thread is to look at Aruba recommendations and show this to the customer for leverage, to maybe change the structure of the setup.

     

    I shall have a closer look at the RAP VRD to see if I can relate some of it to the customer's setup.

     

    Another question for you: I have seen the recommendation from Aruba that one should not have a bigger DHCP scope than 512 hosts. I have not seen why this is so, and is there a recommendation of number of scopes? Is it processing power that is the problem or what?

     

    Roar Fossen



  • 4.  RE: Master redundancy (VRRP) and DHCP.

    EMPLOYEE
    Posted Aug 27, 2012 09:45 AM

    The internal DHCP server is only sized/designed for a guest network.  You can always point to an external DHCP server to handle that with no issue.



  • 5.  RE: Master redundancy (VRRP) and DHCP.

    Posted Aug 27, 2012 09:55 AM

    I understand, the point is that the customer is rebuilding their whole infrastructure at the moment, moving servers etc. out of office.

     

    I would like to point out the same exact thing you said, by using an external DHCP. By using an external DHCP one would at all times have a DHCP on the VLAN, regardless of which controller is master.

     

    Thanks anyway Colin

     

    Roar



  • 6.  RE: Master redundancy (VRRP) and DHCP.

    Posted Aug 28, 2012 02:39 AM

    Another question for you: I have seen the recommendation from Aruba that one should not have a bigger DHCP scope than 512 hosts. I have not seen why this is so, and is there a recommendation of number of scopes? Is it processing power that is the problem or what?

     

     

    I believe the main reason is to reduce the broadcast domain, as all the users will share the same air time/bandwidth. That is why Aruba recommends using a VLAN pool.



  • 7.  RE: Master redundancy (VRRP) and DHCP.

    Posted Aug 28, 2012 02:43 AM

    Hi

     

    I fully agree with Aruba regarding the size of the broadcast domain and I use VLAN pooling in those situations that I need more hosts than 512. I was also wondering if the same goes for the number of scopes.

    In my head the number of scopes should be limited, but for this setup we have a lot.

     

    Can this affect the DHCPd daemon or what?

     

    I will strongly ask the customer to reconsider the structure, but as for now the system looks to be running fine with the scopes at hand.

     

    Thanks anyway guys

     

    Roar



  • 8.  RE: Master redundancy (VRRP) and DHCP.

    Posted Aug 28, 2012 02:54 AM

    Hi Mosher,

     

    I found the following for you which might be a good start to go through:

     

    Please note that this is information from Microsoft, which they use for their own dedicated DHCP server (not an MC or router used as a DHCP server).

     

    How to determine the number of DHCP servers to use

    Because there is no fixed limit to the maximum number of clients a DHCP server can service or to the number of scopes you can create on a DHCP server, the primary factors to consider when you determine the number of DHCP servers to use are network architecture and server hardware.  For example, in a single subnet environment, only one DHCP server is necessary, although you may want to use two servers or deploy a DHCP server cluster for increased fault tolerance. In multiple subnet environments, routers must forward DHCP messages between subnets, so router performance can affect your DHCP service. In both cases, DHCP server hardware affects service to clients.

    For more information on deploying a DHCP server cluster, see Cluster support for DHCP servers.

    When you determine the number of DHCP servers to use, consider the following:

    • The location of routers on the network and whether you want a DHCP server on each subnet. 
      When you extend the use of a DHCP server across more than one network, you often need to configure additional DHCP relay agents and, in some cases, use superscopes as well.
    • The transmission speed between the segments for which DHCP service is provided. 
      If you have slower WAN links or dial-up links, you may need a DHCP server on both sides of these links to service clients locally.
    • The speed of the server disk drives and the amount of random access memory (RAM) installed in the DHCP server computer.
      In order to maximize DHCP server performance, use the fastest disk drives and the most RAM possible. Carefully evaluate disk access time and average times for disk read and write operations when you plan for your DHCP server hardware needs.
    • Practical constraints based on the IP address class selected for use and other server configuration details.

    You can test your DHCP servers before deployment on the organization network in order to determine the limitations and abilities of your hardware and to see whether network architecture, traffic, and other factors affect DHCP server performance. Hardware and configuration tests also allow you to determine  the number of scopes to configure at each server.

    To provide a general idea of DHCP server performance, a DHCP server running Microsoft® Windows Server 2003  was run in a test lab environment, and a custom stress application was used against the server. The details of this lab test can help you configure your tests and determine how many DHCP servers to use on your network:

    Server and network configuration

    • Processors: Two x86 Family 6 Model 7 Stepping 3 GenuineIntel ~498 megahertz (MHz)
    • Total physical memory: 256.00 megabytes (MBs)
    • Network adapters: Three Ethernet 802.3 100 megabits per second (mbps)
    • Subnets serviced: Six, four of which are separated from the test server by routers running the DHCP Relay Agent service.
    • Operating system: Windows Server 2003, Enterprise Edition
    • Number of scopes: 5,155
    • DHCP database size at maximum load: 2 gigabytes (GBs)
    • Additional factors: Several thousand exclusion ranges, option values, and reservations are configured in the scopes on the server.

    Test details

    The DHCP server was hit with both valid and invalid DHCP client lease and renewal requests from a client/attack simulation stress application on six subnets for 1,152 hours (48 days).

    Test results

    The DHCP server provided clients with the following service during the test:

    DHCP server function                                         Message and lease volume handled (1,152 hours)
    Lease assignments                                            68,412,059
    DHCP discover messages                                       20,039,592
    DHCP offer messages                                          20,039,253
    DHCP request messages                                        57,559,426
    DHCP acknowledgement messages                                57,470,934
    DHCP negative acknowledgement messages sent by the server    484,012
    DHCP decline messages                                        190,901
    Lease releases                                               0

    Notes

    • These test results are intended to provide a general idea of DHCP server performance capacity. Tests were performed on average hardware and do not imply any limitation of the DHCP service. In addition, the large size of the test DHCP server database (2 GBs) is extremely unusual and was produced due to the high volume of DHCP traffic that the test application generated. In real world environments, typical database sizes are in the tens of MBs or less.
    • When you add a large number of scopes to the server, be aware that each scope creates a corresponding need for additional, incremental increases to the amount of disk space used for the DHCP server registry and for the server paging file. For more information, see Change the size of the virtual memory paging file.
    • DHCP servers running Windows Server 2003  provide performance monitoring tools that you can use to test and monitor your servers. For more information, see Monitoring DHCP server performance.


  • 9.  RE: Master redundancy (VRRP) and DHCP.

    EMPLOYEE
    Posted Aug 28, 2012 06:04 AM

    Aruba has limited the number of supported internal DHCP leases in their controller platforms to 512 because the internal DHCP server was only designed to support smaller guest networks,  not an enterprise.  It is not a problem to put a helper-address on a VLAN interface and have an external DHCP server provide services for thousands of clients in an Aruba System.  

     

    This is stated in the 6.1.3.x release notes under "Known Issues".

     

    The size of the broadcast domain is a separate network design issue.

     

     

     

     

     



  • 10.  RE: Master redundancy (VRRP) and DHCP.

    Posted Aug 28, 2012 08:34 AM

    Hi

     

    Yes, I have seen the 512 limit. What do I do when I have a master-standby setup with say a guest net of 254 hosts?

     

    In this scenario Master is the DHCP for the guests, can I run the DHCP server on the standby with the same subnet? To have the guests in the same vlan/subnet I will need the same subnet on both controllers when the master fails.

     

    Roar



  • 11.  RE: Master redundancy (VRRP) and DHCP.

    EMPLOYEE
    Posted Aug 28, 2012 08:47 AM

    If you have a master/standby with DHCP you should use an external DHCP server.  If a single controller is providing DHCP and at one time, it goes away, none of your clients are going to get an ip address.  If you are using ip nat inside for your guest clients on both controllers, you can run dhcp on both controllers because the clients on either controller will never see each other (only one controller will be actively providing client access at a time).  If you are NOT running ip nat inside on your guest subnet, you need to use an external DHCP server to provide redundancy and consistency.



  • 12.  RE: Master redundancy (VRRP) and DHCP.

    Posted Aug 28, 2012 09:08 AM

    Hi Joseph,

     

    I get your point in using DHCP in both MC if ip nat inside is enabled because the DHCP request will not reach the other controller.

     

    However, in case the 1st MC goes down and the 2nd MC takes action as DHCP, will it face any problem when it starts providing IP addresses to new users? Will it by mistake try to send an already used IP address, or will it first check the availability of this address? In addition, if it notices that this IP address is being used, will it blacklist it or something, or will it just jump to the next IP address?



  • 13.  RE: Master redundancy (VRRP) and DHCP.

    EMPLOYEE
    Posted Aug 28, 2012 11:10 AM

    You will have duplicate address issues.  Best to use an external DHCP server.

     



  • 14.  RE: Master redundancy (VRRP) and DHCP.

    Posted Aug 28, 2012 12:04 PM

    I see. Ok, I have a solution on my mind to this and I want you to evaluate it, please.

     

    In case we need to have 254 guest users.

    We will create a VLAN pool with two VLANs inside.

    Vlan 2: 10.0.1.0 255.255.255.0

    Vlan 3: 10.0.2.0 255.255.255.0

    MC-1 will assign IP addresses for both Vlan 2 and 3 as follows:

    Vlan 2 from 10.0.1.1 to 10.0.1.127

    Vlan 3 from 10.0.2.1 to 10.0.2.127

    MC-2 will assign IP addresses for both Vlan 2 and 3 as follows:

    Vlan 2 from 10.0.1.128 to 10.0.1.254

    Vlan 3 from 10.0.2.128 to 10.0.2.254

    This way, I believe, duplication will not exist.

    Can we specify the start and end of each DHCP? I hope that the MCs (1 and 2) will not exchange that information.



  • 15.  RE: Master redundancy (VRRP) and DHCP.

    EMPLOYEE
    Posted Aug 28, 2012 12:06 PM

    That *might* work.

     

     



  • 16.  RE: Master redundancy (VRRP) and DHCP.

    Posted Sep 03, 2012 03:16 AM

    Hi

     

    About this 512 hosts limit for the DHCP. Is this a total limit for the whole system or just for each scope?

    If this is a total limit I will need to re-design the customer's system with external DHCP servers (what I wanted in the first place).

     

    Roar



  • 17.  RE: Master redundancy (VRRP) and DHCP.

    EMPLOYEE
    Posted Sep 03, 2012 07:12 AM

    That is for each controller.  It WILL work with more than 512 clients using DHCP, but 512 is a safe number.
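
    Added example, not part of any post in the thread and not Aruba code: a small Python check for the split-scope plan proposed in post 14, measured against the per-controller figure of 512 leases given above. The subnets and ranges are copied from post 14; the function name and data layout are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

SAFE_LEASES = 512  # per-controller figure quoted in the thread

# Constructed from post 14: VLAN -> subnet, controller -> VLAN -> (first, last)
SUBNETS = {2: "10.0.1.0/24", 3: "10.0.2.0/24"}
PLAN = {
    "MC-1": {2: ("10.0.1.1", "10.0.1.127"), 3: ("10.0.2.1", "10.0.2.127")},
    "MC-2": {2: ("10.0.1.128", "10.0.1.254"), 3: ("10.0.2.128", "10.0.2.254")},
}

def audit(subnets, plan, limit=SAFE_LEASES):
    """Return (problems, leases per controller) for a split-scope plan."""
    problems, totals, seen = [], {}, []
    for mc, scopes in plan.items():
        totals[mc] = 0
        for vlan, (first, last) in scopes.items():
            net = ip_network(subnets[vlan])
            lo, hi = ip_address(first), ip_address(last)
            if lo > hi:
                problems.append(f"{mc} VLAN {vlan}: range start is after range end")
                continue
            for addr in (lo, hi):
                # Usable hosts exclude the network and broadcast addresses.
                if not net.network_address < addr < net.broadcast_address:
                    problems.append(f"{mc} VLAN {vlan}: {addr} is not a host in {net}")
            # Two controllers leasing the same address is the duplicate-IP case.
            for o_mc, o_vlan, o_lo, o_hi in seen:
                if o_vlan == vlan and o_mc != mc and lo <= o_hi and o_lo <= hi:
                    problems.append(f"VLAN {vlan}: {mc} overlaps {o_mc}")
            seen.append((mc, vlan, lo, hi))
            totals[mc] += int(hi) - int(lo) + 1
    for mc, count in totals.items():
        if count > limit:
            problems.append(f"{mc}: {count} leases exceeds {limit}")
    return problems, totals

if __name__ == "__main__":
    problems, totals = audit(SUBNETS, PLAN)
    print("problems:", problems or "none")
    # With one controller down, only the survivor's share can be leased.
    print("leases available after a failover:", min(totals.values()))
```

    The check covers only the address plan itself: it does not model leases a client still holds from the failed controller, and it does not reserve a gateway address inside either range.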