03-12-2013 01:14 PM
I have a remote facility with a single Aruba controller (650) and 2 redundant firewalls that auto-switch if one is unavailable. I would like to set up a guest wireless network that only has access to the internet with no access to my internal networks.
I am doing this at my primary facility that has 2 Aruba controllers (master & local) and 2 redundant firewalls. I have port 3 on the master and port 3 on the local configured for my guest VLAN, and those are plugged into a small switch. Both of the firewalls are also plugged into the switch, so no matter which firewall is active, the guest VLAN has access to the internet. Access is then controlled via the firewall settings.
At my remote facility, I'd like to accomplish the same thing, without the use of a small switch. So I'm thinking that I set up 2 ports on the Aruba controller that are both configured for the guest VLAN. I plug one of those ports into the "active" firewall and one into the "backup" firewall.
My question is what, if anything, do I need to do on these ports to make them act as redundant/failover ports instead of them both being active at the same time?
Thanks for your help.
03-12-2013 01:45 PM - edited 03-12-2013 01:48 PM
You should use LACP (port channel / group).
Start reading here:
Then take a look at those posts:
I hope you will find some idea - or an answer to your question - you should do LACP/port group.
(read the user guide)
*Be sure your external switch supports those options.
Have a great evening.
03-13-2013 01:21 AM
Does it work properly in your primary site? I.e. have you tested the failover? Assuming yes (and without knowing the firewall make/model), the following applies I think.
You shouldn't have to do anything on the controller after setting two ports on the controller as trusted, in the guest VLAN and plugging them in.
I'm further assuming you trust the firewalls, only use the wired side of that VLAN for the firewall attachment (nothing else), and that the firewalls act directly as the guest default gateway? I.e. the guests don't IP route into the controller first, before being routed outbound to the firewall do they?
If I assume the firewalls are providing failover by way of a VRRP/HSRP, rather than something layer 2, you should be fine in the way you suggest.
03-13-2013 12:32 PM
@ kdisc98 - Thanks for the info!
@The.racking.monkey - Yes, it works at my primary site. So you're saying that I do not need to use LACP as long as the 2 Aruba ports are trusted and set up in the guest VLAN? You are correct in your firewall assumptions as well - the firewalls are trusted, the wired side of the guest VLAN is only being used to attach to the firewall and the firewall is the default gateway for the guest VLAN.
03-13-2013 03:15 PM
I think what I've suggested should work. Give it a try (in a period where issues with testing won't affect users of course)?
I don't think you'd need LACP personally. LACP is for two interconnected devices, used to dynamically create a single logical link with multiple aggregated physical ports. As the firewalls likely act independently (with an IP failover/heartbeat of sorts), LACP probably doesn't apply?
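The two-trusted-ports setup described in the replies above, written out as an added configuration example (not from any poster, and not a verified Aruba reference). It assumes ArubaOS 6.x CLI syntax as recalled, guest VLAN 100, and controller ports 1/2 and 1/3 as placeholders; the verification commands at the end are the checks to run after cabling and again after forcing a firewall failover.

```text
! Added example, not from the thread. ArubaOS 6.x syntax from memory;
! VLAN 100 and ports 1/2, 1/3 are assumed placeholders.
! VLAN 100 carries only the guest VAP and these two ports, nothing internal,
! and the firewall pair (not the controller) is the guest default gateway.
vlan 100
!
! Port toward the "active" firewall
interface gigabitethernet 1/2
  description "guest-vlan-to-fw-primary"
  switchport mode access
  switchport access vlan 100
  trusted
  no shutdown
!
! Port toward the "backup" firewall: identical, plain access port
interface gigabitethernet 1/3
  description "guest-vlan-to-fw-backup"
  switchport mode access
  switchport access vlan 100
  trusted
  no shutdown
!
! No port-channel / LACP on either port: the firewalls' own failover
! (a VRRP/HSRP-style virtual gateway) decides which side answers for the
! gateway address, and the controller simply bridges VLAN 100 to both.
!
! Checks after cabling, then again after a forced firewall failover:
show port status             ! both ports up, access, VLAN 100
show vlan                    ! both ports listed as members of VLAN 100
show datapath bridge table   ! gateway virtual MAC learned on one port;
                             ! after failover it should move to the other
```

If the gateway MAC does not move to the other port after failover, the firewalls are not sharing a virtual address on this VLAN and the single-VLAN bridge approach will not give redundancy on its own.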
03-14-2013 07:59 AM
That's what I was thinking as well - that LACP is used to aggregate two ports, not really for failover.
The biggest issue with making the change is that this is at a site that's halfway around the world, with an IT "staff" that's really nothing more than a desktop support person. Had this been somewhere more local to me, I would have plugged stuff in and tried it already. But, since I'm dealing with a 13 hour time difference, a language barrier and someone without quite as much technical expertise as I'd prefer, I wanted to make sure I've got it as close to perfect in my head before I start directing someone to make connection changes. Luckily, this is only for a guest network, so it's not critical to our production environment in case there are issues.
Thanks again for your help. I will give it a shot and will post the results here.
03-14-2013 11:38 AM
If it was UK based, I could offer you a price for a guy to site! ;-)
LACP can be used for failover/resilience as well as aggregation, but typically it connects between two logical devices. In your case, one end of the link is two different firewalls, so it doesn't really apply. Some devices in the market can do things like this, but they're uncommon.