Wireless Access

Contributor II
Posts: 61
Registered: ‎02-20-2012

VRRP IP cannot be L2 GRE tunnel endpoint


I configured two 3400 controllers for Master-Master / Master-Standby redundancy using VRRP, as shown below.

I also configured a 3200 Local controller for Master-Local redundancy. The Local's loopback IP is 10.200.170.1.

There is an MPLS network between the Master-Master/Backup-Master and the Local controller, therefore layer 3 (IP layer) can only be transparent.

I need to establish an L2 GRE tunnel for VLAN184 between the Master-Master/Backup-Master and the Local.

I chose the Local controller's loopback IP 10.200.170.1 as the start point of the L2 GRE tunnel, and the VRRP IP 10.200.175.254 as the endpoint. But the L2 GRE tunnel cannot be established.

If I choose Master-Master's vlan 10 interface IP address 10.200.175.1 as the endpoint, the L2 GRE tunnel is established.

I have read that the VRRP IP can be used as an L2 GRE tunnel endpoint, but it cannot.

Do you have a good solution?

 

When I established L2 GRE between 10.200.175.1 and 10.200.170.1(tunnel 1 for VLAN184) also L2 GRE between 10.200.175.2 and 10.200.170.1 (tunnel 2 for VLAN184), VLAN184 can go through between Master-Master, Backup-Master, and Local controller.

 

 

(Master-Master)

vlan 10
interface vlan 10
    ip address 10.200.175.1 255.255.255.0
interface Gi 1/0
    switchport access vlan 10
    switchport mode access
    trusted

vrrp 10
    vlan 10
    ip address 10.200.175.254
    priority 110
    preempt
    tracking master-up-time 30 add 20
    no shutdown

master-redundancy
    master-vrrp 10
    peer-ip-address 10.200.175.2

(Backup Master)

vlan 10
interface vlan 10
    ip address 10.200.175.2 255.255.255.0
interface gi 1/0
    switchport access vlan 10
    switchport mode access
    trusted

vrrp 10
    vlan 10
    ip address 10.200.175.254
    priority 100
    preempt
    tracking master-up-time 30 add 20
    no shutdown

master-redundancy
    master-vrrp 10
    peer-ip-address 10.200.175.1

 

 

Guru Elite
Posts: 20,768
Registered: ‎03-29-2007

Re: VRRP IP cannot be L2 GRE tunnel endpoint

On each master, the tunnel source must be a literal IP address, not the VRRP.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base


Contributor II
Posts: 61
Registered: ‎02-20-2012

Re: VRRP IP cannot be L2 GRE tunnel endpoint


>On each master, the tunnel source must be literal ip address, not the VRRP

 

What we need to define is to provide DHCP server for VLAN184 at each master, for example:

 

Tunnel1   Source (Master-Master) 10.200.175.1   Destination (Local) 10.200.170.1   VLAN184
          Master-Master's IP address in VLAN184 is 10.200.184.1
          DHCP server range 10.200.184.50 - 10.200.184.99

Tunnel2   Source (Backup-Master) 10.200.175.2   Destination (Local) 10.200.170.1   VLAN184
          Backup-Master's IP address in VLAN184 is 10.200.184.2
          DHCP server range 10.200.184.100 - 10.200.184.149

In 10.200.170.1 VLAN184, define DHCP helper IP addresses 10.200.175.1 and 10.200.175.2.

 

When a client connects to Local 10.200.170.1 and sends a DHCP Request broadcast, the client may receive a DHCP Reply from Master-Master 10.200.184.1 and from Backup-Master 10.200.184.2.

But this is not a good idea.

In the situation above, can I define VRRP between Master-Master and Backup-Master through the L2 GRE tunnel to show only one DHCP source and default gateway, 10.200.184.1?

This is exactly an attempt to create redundancy of two Masters with several Local controllers. Aruba documents mention that this can be done, but how? Especially in this case - Captive portal in VLAN184 is a very typical configuration that everyone would like to try.

In the past I tried to create an L3 GRE tunnel and set up a static route, but the DHCP broadcast did not go through even though I specified a DHCP helper address ... In Cisco products, DHCP helper lets the DHCP broadcast go through an L3 network, but I do not know what Aruba provides, since I cannot find a specification document describing what the DHCP Helper functionality provides.

 

Guru Elite
Posts: 20,768
Registered: ‎03-29-2007

Re: VRRP IP cannot be L2 GRE tunnel endpoint

You cannot do this.  Both controllers will ALWAYS provide DHCP on the same layer2 VLAN, even if it is a backup master.  It is better to have an external DHCP source that will provide consistent DHCP.

 

If you want a local controller to provide redundancy for a master controller and the local controller does not have access to the same VLANs, instead of tunneling traffic back, you should use NAMED vlans to accomplish what I think you are trying to do.

 



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 61
Registered: ‎02-20-2012

Re: VRRP IP cannot be L2 GRE tunnel endpoint

>You cannot do this.  Both controllers will ALWAYS provide DHCP on the same layer2 VLAN, even if it is a backup master.  It is better to have an external DHCP source that will provide consistent DHCP.

 

VLAN184 is "logical" VLAN which does not have interface. My original configuration with just one 3200 controller was that I configured DHCP on Master 3200 controller with VLAN184 interface IP 172.200.184.1, and default gateway for VLAN184 user is 172.200.184.1 , so that I could set static route very easily.

 

Now, an external DHCP source is recommended - but where? Both the 3400 Master-Master and Master-Standby controllers will be installed at the Data Center, so assign one Interface Gi 1/1 just for the VLAN184 external DHCP server ..? I think this is not a good picture; many users may expect the Aruba controller to provide DHCP server functionality too.

Regarding NAMED VLAN, I am sorry that I am new to NAMED VLAN. My version is 5.0.4.6. In which version of ArubaOS for the 3000 series controllers was NAMED VLAN implemented?  I assume that using NAMED VLAN, the local controller can point to Master-Master if Master-Master takes priority, and if Master-Standby takes priority, the local controller can point to Master-Standby. Is this briefly how it works?

Contributor II
Posts: 61
Registered: ‎02-20-2012

Re: VRRP IP cannot be L2 GRE tunnel endpoint

I tried your suggestion - NAMED VLAN, but it does not work.

 

Master-Master has VLAN184 (Interface 172.200.184.1) DHCP range 172.200.184.100-110

Guest virtual AP has "VLAN184(184)" named vlan.

Named vlan VLAN184 = 184

 

Master-Standby has VLAN185 (Interface 172.200.185.1) DHCP range 172.200.185.100-110

Guest virtual AP has "VLAN184()" named vlan

 

This is a problem. Even if I make different VLANs for Master-Master and Master-Standby, the configuration can have only one NAMED VLAN or actual VLAN number.

What I am trying to do is - using a server derivation rule, if the Local controller is connected to Master-Master, choose VLAN184, and if the Local controller is connected to Master-Standby, choose VLAN185. I thought the matching condition is the Tunnel-Endpoint-Server IP address; I tried, but have not been successful.

 

Do you know a good idea for server derivation rule to choose VLAN?

 

 

 

 

 

 

 

Guru Elite
Posts: 20,768
Registered: ‎03-29-2007

Re: VRRP IP cannot be L2 GRE tunnel endpoint

Let me understand what you are trying to do:

 

You have a guest Vlan that you are trying to tunnel back to a master/backup master pair.

You want to terminate that VLAN on the VRRP between the master/backup master pair.

 

Is that correct?

 



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 61
Registered: ‎02-20-2012

Re: VRRP IP cannot be L2 GRE tunnel endpoint

>Let me understand what you are trying to do:

 

>You have a guest Vlan that you are trying to tunnel back to a master/backup master pair.

>You want to terminate that VLAN on the VRRP between the master/backup master pair.

 

>Is that correct?

 

Yes, correct.

 

If it is impossible to choose the VRRP IP address as an L2 GRE endpoint, the only way to establish the L2 GRE tunnel is to use Master-Master's or Master-Standby's VLAN interface IP address as an endpoint.

 

Guru Elite
Posts: 20,768
Registered: ‎03-29-2007

Re: VRRP IP cannot be L2 GRE tunnel endpoint

It is not impossible, and this should work.

 

On local:

GRE tunnel source = ip address of local
GRE tunnel destination = ip address of VRRP
tunnel vlan 184

On Master:

GRE tunnel source = ip address of master
GRE tunnel destination = ip address of local
tunnel vlan 184

On Backup master:

GRE tunnel source = ip address of backup master
GRE tunnel destination = ip address of local

 

The master and backup master do not refer to the VRRP interface in the tunnel definitions; they just handle the incoming GRE.

 

The tunnel will ONLY terminate on one device at a time (the controller that has control of the VRRP), so you can run DHCP on BOTH master/backup pair on Vlan 184

 



Colin Joseph
Aruba Customer Engineering
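
Added example (not part of the post above and not Aruba's own sample): the three tunnel definitions from the answer written as ArubaOS "interface tunnel" stanzas, using the addresses from this thread. Tunnel number 1 and GRE protocol number 1 are assumed values, and the "tunnel vlan" line on the backup master is assumed to mirror the master's.

```text
! Added example, not from the original posts.
! Assumed values: tunnel number 1 and GRE protocol number 1. The protocol
! number identifies the L2 tunnel and must be the same on both ends.

! --- Local (3200), loopback 10.200.170.1 ---
! The only place the VRRP address 10.200.175.254 appears is here,
! as the destination.
interface tunnel 1
    tunnel mode gre 1
    tunnel source 10.200.170.1
    tunnel destination 10.200.175.254
    tunnel vlan 184

! --- Master-Master (3400), VLAN 10 interface 10.200.175.1 ---
! Source is the literal interface address, never the VRRP address.
interface tunnel 1
    tunnel mode gre 1
    tunnel source 10.200.175.1
    tunnel destination 10.200.170.1
    tunnel vlan 184

! --- Backup Master (3400), VLAN 10 interface 10.200.175.2 ---
! Same shape as the master, with its own literal address as source.
! "tunnel vlan 184" here is an assumption; the answer lists it only
! for the local and the master.
interface tunnel 1
    tunnel mode gre 1
    tunnel source 10.200.175.2
    tunnel destination 10.200.170.1
    tunnel vlan 184
```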
