Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Redundant tunnel controllers?

  • 1.  Redundant tunnel controllers?

    Posted Apr 08, 2013 02:14 PM

    We are currently using a 3200 controller where all our Guest tunnels from each location terminate.  We want to set up a redundant controller as well.  Is there a specific way of setting this up, since each remote location is pointing to the IP address of that single controller for the tunnel termination?

     


    #3200


  • 2.  RE: Redundant tunnel controllers?

    Posted Apr 08, 2013 02:41 PM

    All these tunnels are over a L3 link.  Can the tunnels terminate on a VRRP address of the paired controllers?



  • 3.  RE: Redundant tunnel controllers?

    Posted Apr 11, 2013 09:51 PM

     

    You can use the LMS backup IP option under the AP System profile.



  • 4.  RE: Redundant tunnel controllers?

    Posted Apr 12, 2013 06:25 PM

    I think he's asking about GRE tunnels for guest wireless users -- tunnelling from remote controllers back to a central one for captive-portal and drop off on the Internet (or whatever).

     

    Even if he's not, I will -- I'd like to have Guests able to get to the internet over the "primary" controller with an egress, and have a "secondary" controller as well.

     

    With two controllers at my HQ, would I put them both on my internet facing VLAN and just tunnel each remote controller to both of them?



  • 5.  RE: Redundant tunnel controllers?

    EMPLOYEE
    Posted Apr 12, 2013 06:51 PM
    You can terminate a tunnel on a VRRP, yes.


  • 6.  RE: Redundant tunnel controllers?

    Posted Apr 16, 2013 05:48 PM

    We have a controller dedicated for RAPs and tunnel termination from each of the local controllers in the enterprise.

     

    This controller is located in the DMZ of the data center.  We want to have this controller be redundant with another same controller.  

     

    We want to be able to only modify one controller and the changes to replicate to the redundant one.  

     

    Seeing how tunnels can terminate on a VRRP, we can solve the tunnel redundancy that way. We should be able to use the same for the RAP redundancy, correct?  We would just NAT the outside IP to the inside VRRP address, right?



  • 7.  RE: Redundant tunnel controllers?

    EMPLOYEE
    Posted Apr 16, 2013 05:51 PM
    You cannot terminate a RAP on a VRRP if it is behind a stateful firewall, no.


  • 8.  RE: Redundant tunnel controllers?

    Posted Apr 16, 2013 06:06 PM

    The RAPs are connecting from the outside using a public IP.  Could we not just NAT that address to the VRRP on the inside?

    If not, what's the best solution to provide redundant RAP controllers for outside RAP connections and redundant tunnel connections for inside tunnels?



  • 9.  RE: Redundant tunnel controllers?

    EMPLOYEE
    Posted Apr 16, 2013 06:08 PM
    Stateful firewalls do not like VRRP behind them.

    I would give each controller a NATted public IP address, then use DNS to distribute the two addresses to the RAP.


  • 10.  RE: Redundant tunnel controllers?

    Posted Apr 16, 2013 06:13 PM

    Using the DNS option, the RAPs would have both DNS names and try the second one if the first of the list fails?

     

    We also have an F5 device in the DMZ. Would it be best to place the controllers behind the F5 and have it do the load balancing?



  • 11.  RE: Redundant tunnel controllers?

    EMPLOYEE
    Posted Apr 16, 2013 06:19 PM

    With DNS, you put a DNS hostname in the RAP.  On the DNS server you put two addresses.  The RAP will receive both addresses and try the first one and then the second one.

     

    I have never tried the load balancer. I will let others comment.
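
The DNS failover described in the last reply, modelled as an added example that is not part of the original thread and is not Aruba code: it walks the published addresses in order and also checks that the record still lists exactly the two controller addresses. The hostname `rap.example.com`, the 203.0.113.x addresses and the `probe` callable (whatever reachability test you use) are assumptions made for illustration.

```python
import socket

def resolve_a_records(hostname):
    """IPv4 addresses for hostname, de-duplicated, in resolver order."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_DGRAM)
    ordered = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        if sockaddr[0] not in ordered:
            ordered.append(sockaddr[0])
    return ordered

def select_controller(hostname, probe, resolve=resolve_a_records):
    """Try each published address in order; return the first that answers."""
    published = resolve(hostname)
    tried = []
    for addr in published:
        tried.append(addr)
        if probe(addr):  # probe is a hypothetical reachability check
            return {"selected": addr, "tried": tried, "published": published}
    return {"selected": None, "tried": tried, "published": published}

def redundancy_findings(published, expected):
    """Compare the published records with the controllers that should be there."""
    findings = []
    missing = [a for a in expected if a not in published]
    extra = [a for a in published if a not in expected]
    if len(published) < 2:
        findings.append("single address published: no failover target")
    if missing:
        findings.append("missing controller address: " + ", ".join(missing))
    if extra:
        findings.append("unexpected address in record: " + ", ".join(extra))
    return findings

# Constructed sample data: documentation address range, hypothetical hostname.
EXPECTED = ["203.0.113.10", "203.0.113.11"]

def fake_resolve(_hostname):
    """Stand-in resolver so the example runs offline."""
    return list(EXPECTED)

if __name__ == "__main__":
    up = {"203.0.113.11"}  # constructed scenario: first controller is down
    result = select_controller("rap.example.com", lambda a: a in up, fake_resolve)
    print("selected:", result["selected"], "after trying", result["tried"])
    print("findings:", redundancy_findings(result["published"], EXPECTED))
```

Run against the real record by dropping the `fake_resolve` argument; an unexpected address in the record matters because the access point would attempt it like any other.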