Wireless Access

Hello Everybody,

Just wondering if anybody could share any ideas I haven't thought of in terms of the following scenario please?

We have a customer with a pair of v6 7000 controllers in a large site, along with another pair of 7000 master/standby in a datacentre. In each datacentre, there is also a pair of Cisco ASA firewalls that we aim to use for WiFi guest user termination and internet egress.

When doing IPSEC tunnels (for the Guest WiFi egress, starting from the locals at the site) I'm pretty sure we can only set one IP peer in each IPSEC tunnel. This gives us a problem with resilience when targetting 2 data centre firewalls on different IP subnets (no layer2 between DCs).

Things that aren't a resilience problem are: resilience FROM the locals, as they run a v6 VRRP for AP termination (controllers AREN'T active/active therefore), and we will have another VRRP for IPSEC egress to the DCs, which tracks the AP VRRP. Also at the individual DC end, the ASAs work in resilent pairs with vitual interfaces. So the only issue should be failing between datacentres.

We could either...

1. Look at GRE over IPSEC and use tunnel-groups on the controllers, however, not sure if Cisco ASAs will cope with that? Sounds like lots of experimentation required? Outcomes should be nice and slick if they work though?

2. Setup a pair of default routes in the controllers with weighted metrics, which use a pair of IPSEC tunnels in order of priority. Having of course already taken into account other existing IPSEC tunnels and any "normal" controller IP traffic flows that must remain in tact (e.g. authenticiation/monitoring/management etc.) and prioritised with normal IP routes with better metrics. My big problem with this option is an operational one. Whilst it will be time consuming to "tweak-out" IP stuff that shouldn't be routed up the IPSEC tunnels and get the routing table "just right", it feels like one day, this setup is REALLY easy for somebody to make a mistake with and cause havoc?

Thoughts?

I haven't set up this specific scenario, but curious if you could use route policies in the guest user role to determine which IPSec tunnel the guest traffic gets routed down. 

Having looked into it quickly, not sure I can see a way to have route policies take into account when a particular tunnel is down?

Under Network -> IP -> NextHop

You can add a list, and select a list of available next hop IP addresses, along with whether preemptive failover. The nexthop list is then referenced in the route policy.

Hi,

Thanks for the suggestion. Are you sure that would work? I did a quick read up on it. The first thing that makes me think this might not be feasible, is in the information I read about it, it says "A nexthop IP is the IP address of a adjacent router or device with layer-2 connectivity to the controller.". If I have to do IPSEC with no GRE, I don't have a layer 2 adjacency. Also, I can't find any information regarding how the "Preemptive-Failover" feature actually establishes that any given next hop is "healthy/available"? I.e. what is the controller doing in order to work that out? I don't suppose you have an example configuration you could share?

I haven't done this specific scenario (tunneling from the WLC to an ASA), but have done site-to-site tunnels between WLCs with GRE over IPSec and done similar with route policies.

Another idea, depending on the HA functionality with the ASAs (can't remember if they are in the same DC, or different DCs) would be to use VRRP/HSRP between the ASAs so that tunnel failover is automatic between the ASAs, in which case the WLC does not know the tunnel has been moved to a different firewall.

The ASAs are in different DCs with no L2 between them. Which is part of the problem obviously.

Popped into the issue here: two separate destination for IPSec. I have PBR in place and tried to play with nexthop-list but for a reason or another traffic is not forwarded to correct IPSec tunnel. If I'm using just one IPSec map it works fine. show ip nexthop-list does show both destinations and IPSec SA is up.

#show ip nexthop-list

Nexthop-List Entries
--------------------
Name Type Dest Preemptive Failover Nexthop Nexthop Dest Nexthop Priority
---- ---- ---- ------------------- ------- ------------ ----------------
...
Mytest Active-Standby 0x4401 Enabled mysite-emea 128
mysite-apac 128

Any ideas?

ASA's don't do GRE.  You can use IPSEC.  I would setup a tunnel for one to one first.  On the ASA you can do failover and on the 7000 you can do VRRP.  You need to make sure that your VRRP brings both outside and inside down at the same time (Outside faces the ASA and inside faces your LAN).  The connect to IP on the ASA stays the same regardless of the failover state.  There is no active/active with ipsec.  On the Aruba side VRRP insures that your connect to IP is always available regardless of the state of the Interfaces (active/standby). 

Not sure this answers your question.