Wireless Access

Reply
Contributor I
Posts: 20
Registered: ‎10-19-2011

RAP internet access without controller

We have set up a RAP-3 with a client to provide connectivity on a local site.

The rap is configured in split-tunnel mode. Internet traffic has a local breakout while the rest will be tunneled.

Is there a way for the clients connected to the RAP (wired) to keep their internet connection when the controller fails?

MVP
Posts: 1,399
Registered: ‎05-28-2008

Re: RAP internet access without controller

[ Edited ]

Hi,

 

Fallback Mode

The fallback mode (also known as backup configuration) operates the remote AP if the master controlleror the configured primary and backup LMS are unreachable. The remote AP saves configuration information that allows it to operate autonomously using one or more SSIDs in local bridging mode while supporting open association or encryption with PSKs. You can also use the backup configuration if you experience network connectivity issues, such as the WAN link or the central data center becomes unavailable. With the backup configuration, the remote site does not go down if the WAN link fails or the data center is unavailable.

You define the backup configuration in the virtual AP profile on the controller. The remote AP checks for configuration updates each time it establishes a connection with the controller. If the remote AP detects a change, it downloads the configuration changes.

The following remote AP backup configuration options define when the SSID is advertised

  • Always—Permanently enables the virtual AP. Recommended for bridge SSIDs.

  • Backup—Enables the virtual AP if the remote AP cannot connect to the controller. This SSID is advertised until the controller is reachable. Recommended for bridge SSIDs.

  • Persistent—Permanently enables the virtual AP after the remote AP initially connects to the controller. Recommended for 802.1x SSIDs.

  • Standard—Enables the virtual AP when the remote AP connects to the controller. Recommended for 802.1x, tunneled, and split-tunneled SSIDs. This is the default behavior.

 

You can configure you VAP profile that this RAP3 unit is connected to - to a diffrent Remote-AP operation mode:

*just be aware ,some service like DNS/DHCP come directly trought the tunnel...so if no controller - no users or release/renew will not work*

 

 

Untitled.pngMore info regarding all the rap workng opertaion methods can be found here: (TABLE 38)

http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/Remote_AP.php#XREF_90223_Advanced

 

 

have a lovley day.

 

me

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Contributor I
Posts: 34
Registered: ‎07-07-2011

Re: RAP internet access without controller

[ Edited ]

I'm currently facing a similar issue. I think as far as the wired access ports are concerned, the following part from the manual holds the solution:

 

QUOTE

Backup Configuration Behavior for Wired Ports If the connection between remote AP and the controller is disconnected, the remote AP will be exhibit the following behavior:

  • All access ports on the remote AP, irrespective of their original forwarding mode will be moved to bridge forwarding mode.
  • Clients will receive IP address from the remote AP's DHCP server.
  • Client will have complete access to Remote AP's uplink network. You cannot enforce or modify any access control policies on the clients connected in this mode.

UNQUOTE

 

As you are using a split tunnel config, the first aspect of the behavior seems important, as the RAP will change to bridge-mode. The connected client will then possibly have a DHCP address from it's original server and may not recognize that the IP range has changed due to the loss of the controller connection (as the RAP will now be the DHCP server). Maybe a reduction of the lease time on the original DHCP server can do the trick ...

Guru Elite
Posts: 20,759
Registered: ‎03-29-2007

Re: RAP internet access without controller

If you have the "Remote-AP Backup"  enabled in the enet profile of that ethernet port:

 

The client traffic will survive, regardless of how the wired profile was configured when connected to the controller.  When the AP is coming up, before it connects to the controller, if remote-ap backup is configured, it will automatically give a client an ip address out of its pool in the ap system profile and source-nat all traffic out.  Even if the client is hardcoded with an address that does not match that pool, it will source nat all of its traffic out with no ACL.

 

Long story short, with that parameter enabled, it does not matter what ip address the wired client has.  If the access point is up, and has an  ip address, but cannot contact the controller, it will source-nat and forward all wired client traffic out of its routed interface.  Many times there is a switch between the wired client and RAP, so the client does not "see" the interface go down and retains its existing wired ip address.  That traffic will be forwarded out of the RAP to the internet.

 

The idea is to allow any wired device access to the internet, even though the AP does not have connectivity to the controller.  It would be for devices that need internet connectivity, even though the controller is down.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: