Wireless Access

Reply
Aruba
Posts: 1,287
Registered: ‎08-29-2007

can Instant GRE VPN terminate on a controller VRRP address?

I've tried to do this once before, but didn't work at the time.  I have to set the VPN host to be the physical address of the controller and in the event of a failure we need to manually change the address in the Instant config.  This is not ideal for a large distributed enterprise.

 

Unfortunately I don't have a chance to test again.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: can Instant GRE VPN terminate on a controller VRRP address?

Yes...this should work.  HOWEVER, in the routing table config for VPN on the IAP, you MUST define the physical interfaces for that detination subnet.  

 

For example

 

Consider an organization with 2 datacenters: DC1 and DC2: Each datacenter has a pair of VRRP based redundant controllers.

    • Primary datacenter (DC1)
      • The physical IP of the master controller in the primary datacenter is 10.68.33.6
      • The physical IP of the VRRP backup controller in the primary datacenter is 10.68.33.7
      • The Virtual IP between the master and VRRP backup controller in the primary datacenter is 10.68.33.8
    • Backup datacenter (DC2)
      • The physical IP of the master controller in the backup datacenter is 10.68.48.6
      • The physical IP of the VRRP backup controller in the backup datacenter is 10.68.48.7
      • The Virtual IP between the master and VRRP backup controller in the backup datacenter is 10.68.48.8
    •  In this case the routing profile on a IAP branch that wants to tunnel 10.0.0.0 /8 will be :
      • 10.0.0.0 255.0.0.0 10.68.33.6
      • 10.0.0.0 255.0.0.0 10.68.33.7
      • 10.0.0.0 255.0.0.0 10.68.48.6
      • 10.0.0.0 255.0.0.0 10.68.48.7
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Aruba
Posts: 1,287
Registered: ‎08-29-2007

Re: can Instant GRE VPN terminate on a controller VRRP address?

excellent, that's great to know. Thanks Seth.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Aruba
Posts: 1,287
Registered: ‎08-29-2007

Re: can Instant GRE VPN terminate on a controller VRRP address?

Seth,

 

What about on the controller end for the GRE tunnel?  Can it terminate on the VC address, or does it still need to be the IAP address?

 

 


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: can Instant GRE VPN terminate on a controller VRRP address?

The tunnel is initiated by the vc. No need to worry about the address of the vc. It is assigned an inner ip from the controller's l2tp pool.

Sent from my iPad
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Aruba
Posts: 1,287
Registered: ‎08-29-2007

Re: can Instant GRE VPN terminate on a controller VRRP address?

for a GRE?  I didn't think it needs an inner ip for that.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: can Instant GRE VPN terminate on a controller VRRP address?

I don't believe so.

Sent from my iPad
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Search Airheads
Showing results for 
Search instead for 
Did you mean: