Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

[Tutorial] How To for building a Master controller and Local controller and linking them #mhc


    Posted Mar 06, 2014 07:01 AM

    Hi,

     

    In this tutorial I will show you how to build a master controller from scratch, how to build a local controller from scratch, and then how to link them together. I know I had a lot of questions on how to build a local controller initially, so I hope this helps. The first part shows how to build a master (steps 1-9) and the second part below that shows how to build a local controller.

     

    As a side note it also shows how to build port channels to bond interfaces together for HA and performance reasons. Please kudo if you found this helpful.

     

     

    Initial Configuration of a Master Controller

     

    1) Boot up the controller with a console cable connected to the serial port.

     

    ArubaOS Version 6.3.1.2 (build 41362 / label #41362)
    Built by p4build@corsica.arubanetworks.com on 2013-12-18 at 16:43:23 PST (gcc version 3.4.3)
    Copyright (c) 2002-2013, Aruba Networks, Inc.

    <<<<< Welcome to Aruba Networks - Aruba A3400-US >>>>>

    Checking Inventory...OK
    Performing CompactFlash fast test... Checking for file system...
    Passed.
    Performing integrity check on Ancillary partition 1...passed.
    Watchdog processes Starting ...
    Watchdog processes running ...
    Reboot Cause: User reboot.
    Downloading SOS for A3400... done.
    Deleting the Databases
    Restoring the database...done.
    Tuning IPv4 route cache...done.
    Generating SSH Keys......done.
    Initializing TPM and Certificates
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Generating a 2048 bit RSA private key
    .................................................+++
    ..............................+++
    writing new private key to '/tmp/tempCertKey/priveKeyGen.pem'
    -----
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    TPM and Certificate Initialization successful.
    Reading configuration from factory-default.cfg


    2) Follow the startup wizard to enter in your system name, timezone, date, time and other details.


    I accept the defaults for the IP address and mask for vlan 1 as I'll change it later anyway.
    Once you enter the details it asks for confirmation in case you need to change something.
    Then it will reboot with the new settings.

     

    ***************** Welcome to the Aruba3400 setup dialog *****************
    This dialog will help you to set the basic configuration for the switch.
    These settings, except for the Country Code, can later be changed from the
    Command Line Interface or Graphical User Interface.


    Commands: <Enter> Submit input or use [default value], <ctrl-I> Help
    <ctrl-B> Back, <ctrl-F> Forward, <ctrl-A> Line begin, <ctrl-E> Line end
    <ctrl-D> Delete, <BackSpace> Delete back, <ctrl-K> Delete to end of line
    <ctrl-P> Previous question <ctrl-X> Restart beginning


    Enter System name [Aruba3400]: 3400-col-1
    Enter Switch Role (master|local|standalone|remote-node) [master]:
    Enter VLAN 1 interface IP address [172.16.0.254]:
    Enter VLAN 1 interface subnet mask [255.255.255.0]:
    Enter IP Default gateway [none]: 172.16.0.1
    This controller is restricted to Country code US for United States, please confirm (yes|no)?: yes
    Enter Time Zone [PST-8:0]: EST-5:0
    Enter Time in UTC [13:13:27]: 13:15:00
    Enter Date (MM/DD/YYYY) [3/5/2014]:
    Enter Password for admin login (up to 32 chars): ************
    Re-type Password for admin login: ************
    Enter Password for enable mode (up to 15 chars): ************
    Re-type Password for enable mode: ************
    Do you wish to shutdown all the ports (yes|no)? [no]:

    Current choices are:

    System name: 3400-col-1
    Switch Role: master
    VLAN 1 interface IP address: 172.16.0.254
    VLAN 1 interface subnet mask: 255.255.255.0
    IP Default gateway: 172.16.0.1
    Time Zone: EST-5:0
    Ports shutdown: no

    If you accept the changes the switch will restart!
    Type <ctrl-P> to go back and change answer for any question
    Do you wish to accept the changes (yes|no)yes
    Creating configuration... Done.

    System will now restart!


    Shutdown processing started
    Syncing data...done.
    Sending SIGKILL to all processes.
    Please stand by while rebooting the system.
    0:<7>ide-disk 0.0: shutdown
    0:<0>Restarting system.
    0:.
    0:<2>Performing hard reset...
    Reading configuration from default.cfg
    Retrieving Configuration...will take approximately 1 minute
    (3400-col-1)
    User:

     

    3) Log into the controller with the username admin and the password you set above.

    Then type enable and enter the enable password you set above.

     

    (3400-col-1)
    User: admin
    Password: ************
    (3400-col-1) >

    (3400-col-1) >enable
    Password:************
    (3400-col-1) #

     

    4) If you have licenses you should add or import them at this time. You can get them from the
    licensing portal (licensing.arubanetworks.com) and import them one at a time using license add xxxxxxxx,
    or if you exported them from a previous system you can import them all at once.

     

    (3400-col-1) #dir
    -rw-r--r-- 1 root root 2341 Mar 5 08:07 licenses (this is a file containing licenses from a previous export)
    -rw-r--r-- 2 root root 11458 Mar 5 08:18 original.cfg
    drwx------ 2 root root 1024 Mar 5 08:14 tpm

    (3400-col-1) #show license

    License Table
    -------------
    Key Installed Expires Flags Service Type
    --- --------- ------- ----- ------------

    License Entries: 0

    (3400-col-1) #license import licenses
    Successfully imported 3 licenses to the license database from licenses; please reload to make licenses take effect


    (3400-col-1) #show license

    License Table
    -------------
    Key Installed Expires Flags Service Type
    --- --------- ------- ----- ------------
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 2011-04-08 11:08:39 Never ER Access Points: 16
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 2011-04-08 11:09:02 Never ER RF Protect: 16
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 2011-04-08 11:09:22 Never ER Next Generation Policy Enforcement Firewall Module: 16

    License Entries: 3

    Flags: A - auto-generated; E - enabled; R - reboot required to activate


    5) Reload the controller after importing the licenses and issue a show license after the reboot to confirm the licenses.

     

    6) Now we need to configure the network portion of the controller: IP addresses, vlans, port channels, etc.

    Here is the network configuration after a reboot; to see it, type: show running-config | begin interface

     

    interface gigabitethernet 1/0
    description "GE1/0"
    trusted
    trusted vlan 1-4094
    !
    interface gigabitethernet 1/1
    description "GE1/1"
    trusted
    trusted vlan 1-4094
    !
    interface gigabitethernet 1/2
    description "GE1/2"
    trusted
    trusted vlan 1-4094
    !
    interface gigabitethernet 1/3
    description "GE1/3"
    trusted
    trusted vlan 1-4094
    !
    interface vlan 1
    ip address 172.16.0.254 255.255.255.0
    !
    ip default-gateway 172.16.0.1

    7) I like to bond two interfaces together for speed and redundancy to two upstream switches for our corp wifi. Then I do
    the same for our guest wifi. To do this I create port channels and assign the interfaces to the port channels.
    If you prefer you can do it without port channels; just don't configure interface port-channel or the lacp commands under the interfaces.
    When complete, the first two interfaces are for our corp traffic and the other two for guest traffic. They use different vlans
    and different subnets and route out of our network differently to keep guest traffic off our corporate network as much as possible.
    I also split up corp users into different vlans and subnets based on AD membership, so you will see multiple vlans below.
    Of course, replace the vlan numbers with your preferred vlan numbers and replace the IP addressing with your specific IPs.

     

    vlan 110 "int-wifi-dev01"
    vlan 111 "ext-wifi-guest01"
    vlan 113 "int-wifi-it01"
    vlan 115 "int-wifi-std01"
    vlan 117 "int-wifi-exec01"
    vlan 118 "int-wifi-devices01"

    no spanning-tree

    interface port-channel 0
    trusted
    trusted vlan 110,113,115,117,118
    switchport mode trunk
    switchport trunk allowed vlan 110,113,115,117,118
    !
    interface port-channel 1
    trusted
    trusted vlan 111
    switchport mode trunk
    switchport trunk allowed vlan 111

    interface gigabitethernet 1/0
    description "uplink to col01svcsw1 port 0/1 pc0 for corp"
    trusted
    trusted vlan 110,113,115,117,118
    switchport mode trunk
    switchport trunk allowed vlan 110,113,115,117,118
    no spanning-tree
    lacp port-priority 32768
    lacp group 0 mode active
    !

    interface gigabitethernet 1/1
    description "uplink to col01svcsw1 port 0/2 pc0 for corp"
    trusted
    trusted vlan 110,113,115,117,118
    switchport mode trunk
    switchport trunk allowed vlan 110,113,115,117,118
    no spanning-tree
    lacp port-priority 32768
    lacp group 0 mode active
    !

    interface gigabitethernet 1/2
    description "uplink to col01svcsw1 port 0/3 pc1 for guests"
    trusted
    trusted vlan 111
    switchport mode trunk
    switchport trunk allowed vlan 111
    no spanning-tree
    lacp port-priority 32768
    lacp group 1 mode active
    !

    interface gigabitethernet 1/3
    description "uplink to col01svcsw1 port 0/4 pc1 for guests"
    trusted
    trusted vlan 111
    switchport mode trunk
    switchport trunk allowed vlan 111
    no spanning-tree
    lacp port-priority 32768
    lacp group 1 mode active
    !
    interface vlan 111
    ip address 10.1.82.4 255.255.254.0
    !
    interface vlan 115
    ip address 10.1.84.4 255.255.252.0
    !
    interface vlan 1
    no ip address
    shutdown
    exit
    no ip default-gateway 172.16.0.1
    ip default-gateway 10.1.84.1
    !
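
    As an added check that is not part of the original post: a small Python audit for a configuration in the shape of step 7 above. It confirms that every LACP member port trunks exactly the VLANs of its port-channel, and that no VLAN is carried on more than one port-channel (which is how the corp/guest separation would silently break). The sample configuration is constructed and trimmed from the one above, with a deliberate mistake on gig 1/2 for the audit to catch.

```python
import re
from collections import defaultdict

# Constructed sample trimmed from the step-7 config; gig 1/2 deliberately adds corp VLAN 115 to the guest uplink.
SAMPLE_CONFIG = """
interface port-channel 0
switchport trunk allowed vlan 110,115
interface port-channel 1
switchport trunk allowed vlan 111
interface gigabitethernet 1/0
switchport trunk allowed vlan 110,115
lacp group 0 mode active
interface gigabitethernet 1/2
switchport trunk allowed vlan 111,115
lacp group 1 mode active
"""
def expand_vlans(spec):
    """Expand an ArubaOS VLAN list such as '110,113-115' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out
def parse(config):
    """Return {port-channel id: stanza} and {gig port: stanza} dicts."""
    pcs, ports, stanza = {}, {}, {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"interface port-channel (\d+)", line):
            stanza = pcs.setdefault(int(m.group(1)), {})
        elif m := re.match(r"interface gigabitethernet (\S+)", line):
            stanza = ports.setdefault(m.group(1), {})
        elif m := re.match(r"switchport trunk allowed vlan (\S+)", line):
            stanza["allowed"] = expand_vlans(m.group(1))
        elif m := re.match(r"lacp group (\d+)", line):
            stanza["lacp"] = int(m.group(1))
    return pcs, ports
def audit(config):
    """Flag members whose allowed VLANs differ from their port-channel, and
    VLANs trunked on more than one port-channel (corp/guest separation broken)."""
    pcs, ports = parse(config)
    findings, owners = [], defaultdict(set)
    for name, p in ports.items():
        if p.get("allowed") != pcs.get(p.get("lacp"), {}).get("allowed"):
            findings.append(f"gig {name}: VLANs differ from port-channel {p.get('lacp')}")
    for n, pc in pcs.items():
        for v in pc.get("allowed", ()):
            owners[v].add(n)
    findings += [f"VLAN {v} on port-channels {sorted(o)}" for v, o in owners.items() if len(o) > 1]
    return findings
```

    Feed it the output of show running-config | begin interface from your own controller; an empty list means the member ports and port-channels agree and each VLAN rides exactly one bundle.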


    8) The following sets up DHCP on the controller for the guest wifi. I exclude some addresses for network devices.
    Once added, exit configuration mode, save the configuration and then reload the controller once more.

     

    ip dhcp excluded-address 10.1.82.1 10.1.82.9

    ip dhcp pool ext-wifi-guest01
    default-router 10.1.82.1
    dns-server 4.2.2.2 8.8.8.8
    lease 1 0 0 0
    network 10.1.82.0 255.255.254.0

    exit
    exit
    write mem
    reload
    y


    9) The controller can now be plugged into your network and should be reachable via the IP address assigned to vlan 115, for example. You should then upgrade/downgrade the software to your preferred version through the GUI or CLI. Then proceed with configuring the wifi-specific aspects such as AP groups, Virtual APs, AAA profiles, SSID parameters, etc.

     

     

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------

     

    This section is for building a local controller

     

    Creating a Local Controller (Converting a Master to a Local)

    1) Take a new controller and build it as a master controller initially (reference the how-to for building a master controller above).

    2) Ensure the code version is the same between the new temporary master and your production master controller.

    3) Verify IP connectivity between the new temporary master and your production master controller (ping, for example).
    Also ensure your firewall is configured to allow traffic between the two controllers (PAPI UDP 8211, TCP 4500, etc.).

    4) On the new temporary master type the following to point it at the IP of the production master controller. Note you can use
    a preshared key or a certificate-based solution.

    conf t
    masterip 1.2.3.4 ipsec keytexthere
    exit
    write mem

    5) On the production master controller type the following to point it at the IP of the new local controller. Note you can use
    a preshared key or a certificate-based solution.

    conf t
    localip 2.3.4.5 ipsec keytexthere
    exit
    write mem

    6) To verify they have synced up, issue the following and ensure the Configuration State says UPDATE SUCCESSFUL. You can also look at the config
    on the local controller; you should see lots of extra configuration pushed down from the master to the local.

    (7210-hq-1) # show switches

    All Switches
    ------------
    IP Address Name Location Type Model Version Status Configuration State Config Sync Time (sec) Config ID
    ---------- ---- -------- ---- ----- ------- ------ ------------------- ---------------------- ---------
    10.9.0.4 7210-hq-1 3rd Floor DC master Aruba7210 6.3.1.2_41362 up UPDATE SUCCESSFUL 0 53
    172.17.36.4 3600-sd-1 San Diego Local Controller local Aruba3600 6.3.1.2_41362 up UPDATE SUCCESSFUL 10 53
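
    An added verification helper, not from the original post, that parses show switches output and reports any controller whose status, Configuration State, ArubaOS version (step 2) or Config ID does not match the master. The sample output is constructed from the table above plus a third, hypothetical local (3400-col-1 in Columbus, with made-up IP, build and Config ID) that is deliberately out of step.

```python
import re

# Constructed sample modelled on the step-6 output above, plus a third,
# hypothetical local (3400-col-1) with a version and Config ID skew to detect.
SHOW_SWITCHES = """\
All Switches
------------
IP Address Name Location Type Model Version Status Configuration State Config Sync Time (sec) Config ID
---------- ---- -------- ---- ----- ------- ------ ------------------- ---------------------- ---------
10.9.0.4 7210-hq-1 3rd Floor DC master Aruba7210 6.3.1.2_41362 up UPDATE SUCCESSFUL 0 53
172.17.36.4 3600-sd-1 San Diego Local Controller local Aruba3600 6.3.1.2_41362 up UPDATE SUCCESSFUL 10 53
172.17.40.4 3400-col-1 Columbus local Aruba3400 6.3.1.0_40000 up UPDATE SUCCESSFUL 45 52
"""

# Location and Configuration State can contain spaces, so the row is anchored on
# the fixed-vocabulary columns (Type, Status) instead of being split on whitespace.
ROW = re.compile(
    r"^(?P<ip>\S+)\s+(?P<name>\S+)\s+(?P<location>.*?)\s+(?P<type>master|local)\s+"
    r"(?P<model>\S+)\s+(?P<version>\S+)\s+(?P<status>up|down)\s+"
    r"(?P<state>.*?)\s+(?P<sync>\d+)\s+(?P<config_id>\d+)$"
)

def parse_switches(output):
    """Return one dict per controller row; header and separator lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, output.splitlines()) if m]

def check_sync(output):
    """Compare every controller with the master: reachable, pushed config accepted,
    same ArubaOS build (step 2) and same Config ID (step 6)."""
    rows = parse_switches(output)
    master = next(r for r in rows if r["type"] == "master")
    findings = []
    for r in rows:
        if r["status"] != "up":
            findings.append(f"{r['name']}: status {r['status']}")
        if r["state"] != "UPDATE SUCCESSFUL":
            findings.append(f"{r['name']}: configuration state '{r['state']}'")
        if r["version"] != master["version"]:
            findings.append(f"{r['name']}: version {r['version']} differs from master")
        if r["config_id"] != master["config_id"]:
            findings.append(f"{r['name']}: Config ID {r['config_id']} != master {master['config_id']}")
    return findings
```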


    7) Now you can reconfigure your AP profiles to point your APs at the IP of the local controller for the primary LMS,
    and the APs will build their tunnel to the local controller instead of the master.

     

     

    If you found this helpful please give kudos - thanks.
