We do have two Aruba 7205 controllers with NO master controller.
I'm trying to figure out the best way to deploy them to achieve redundancy.
I read that I can just configure them as standalone and configure VRRP between them, and the APs should just terminate to the VRRP IP?
My question: if I did the above, then I'll need to configure double the licenses, one on each controller per AP?
If the above is true then that's not applicable, since we do have 100 APs and 100 licenses only.
What I'm trying to achieve is:
- one controller will serve all APs and user traffic, the other is standby
- if the active controller fails, APs should terminate on the standby one and continue working as normal
- we don't need to add more licenses per controller, only 100 licenses per 100 APs
What would be the optimal redundancy solution for that setup without a mobility master?
I came across the master controller local design, but most of it refers to version 6.x.
I'm not sure if that fits ArubaOS 8 or not, since I'm new to Aruba and have only deployed standalone deployments.
Looking for clarifications.
Thanks in advance.
If you do not have an MM, your redundancy options in 8.x are virtually identical to those in 6.x (licensing, standby controller, vrrp, etc).
So based on the available options in this regard, what do you recommend that would be best based on our scenario here?
You can configure master redundancy between two controllers and point your access point at the VRRP. Centralized licensing is enabled automatically.
There are a few options you have here; in short, they are the following:
If using Master/Local or Master/Master you can enable Centralized Licensing to share the same pool of licenses between two controllers.
You can still use MCM/Standalone mode with AOS8. If you go for Master/Local and you lose the Master, you will need to replace/configure a new master before further changes can be implemented.
If you go for a Master/Master deployment you can still make changes to the environment in the event of a controller failure.
Take a look at the Campus Redundancy VRD, this explains all the options in more depth. It is written for AOS6 but the concepts still apply to AOS8 in MCM/Standalone mode.
Just to add to and highlight some of what has been stated.
With 2 controllers, you can create a standalone, and then set up the other standalone as its VRRP backup. You can have APs point to the VIP, and the APs will terminate on the primary controller. If the primary controller fails, the APs will terminate to the secondary controller, which will have become the primary. The VRRP failover is 3 heartbeats, and the AP PAPI failover is 8 heartbeats. Heartbeats are 1 second. Clients will disconnect and have to reconnect, and firewall states are not preserved. I refer to this as AP preservation, not client preservation.
Instead of doing a standalone configuration, you can set up one controller as a Master Controller Mode (MCM) Master controller. You can then set up one (or more if you had more) controllers as Mobility Controllers (MCs). APs can only terminate to MCs. The Master controller is "ONLY" a management device. So with 2 controllers, one as the Master and the other as an MC, you would not have any failover for the APs, since as I just stated, APs cannot terminate to the Master controller.
If you did add an additional controller to the MCM configuration, you would then have the Master controller, and 2 MCs. At this point, you could set up VRRP between the 2 MCs, LMS-IP and Backup LMS-IP, or High Availability (HA). All three of these will provide redundancy. How quickly the failover occurs varies between the 3 solutions, however clients most likely will be disconnected and firewall states will not be preserved. Again, each of these will do AP preservation, not really client preservation.
If you want client preservation, where the client continues and firewall state is preserved, then you need to run a Mobility Master (MM).
I hope this helps,
Thanks guys for your feedback.
So just to be on the same page, I believe for my setup I'll go with installing two standalone controllers and configure VRRP between them.
As stated above, centralized licensing will work.
But what about configuration? Will the configuration be synchronized between the primary standalone and the backup?
I'm running code 8.4.2.
Hey axai1 I will be doing the same scenario as yours but using a VMC and a 7200.
What documentation did you consult to achieve this configuration? I tried looking at the fundamentals guide but I didn't find the know-how.
And what about the configuration synchronization? Did you discover the answer? Based on previous posts here in the Airheads community, it looks like it doesn't have the synchronization...
Although in my case I have AirWave in my environment, I don't know if it's capable of improving something or maybe bringing the configuration sync feature?
If VRRP is configured between 2 standalone controllers, both the licenses and configuration are synchronized between the active controller and the standby controller. Point the APs to the virtual IP (VIP) and if the active goes down, when the standby takes over, the APs will reconnect to the standby (which is now the active). Failover between the active and standby should occur in about 4-5 seconds. Failover time for the APs can vary depending upon how many APs you have failing over. Clients will be disconnected and will have to reconnect and will lose any stateful connection. AirWave does not provide any benefit or features in this design regarding the failover.
Thanks for the clarification westcott !!
Can you help me by saying what term or chapter I should look at in the User Guide documentation that shows me how to configure this "High Availability" scenario as the best practice?
And about the configuration sync, are you saying that even after the VRRP is done and the controller is connected to my primary controller, if I change the configuration in my primary controller, my other standalone controller, in this case the VMC, will have its configuration updated???
Or are you just saying that for the VRRP to happen they both will need to have equal configuration?
In a standalone redundancy configuration, using VRRP, the steps are almost identical to configuring redundancy of a Mobility Master. If you look in the User's Guide for the section "Configuring Standby Mobility Master Using Layer 2 Redundancy" this will guide you to what needs to be done. There are two key tasks that must be performed. First, VRRP must be configured on each of the standalone controllers. This simply configures a Virtual IP (VIP) that is shared between the controllers. The next step, which is critical, is to configure database synchronization between the two controllers. Database synchronization can be verified using the "show database synchronize" command. Once the VIP and database synchronization are enabled, the two controllers are identical to each other (excepting their IP addresses). Any configuration changes made to the active are synchronized to the standby.
Westcott... thank you very much for your instructions, unfortunately, I need more explicit help...
I am able to configure the VIP and make the access point use its IP as the master but I am not able to configure the database synchronization.
In this chapter, "Configuring Standby Mobility Master Using Layer 2 Redundancy", there are three sections: VRRP, Master redundancy and Database synchronization.
I am aware that, as I have only 2 controllers in my setup as standalone, it is not possible to configure Master redundancy. Just to check, I did try but it didn't work; or is that supposed to be correct?
The third section is very direct, only showing that you only need to toggle a button enabling the database synchronization and set the synchronization time.
But checking the show database synchronization command I get the following situation.
(Aruba-VMC-VA) [mynode] #show roleinfo
(WLC-7005) [mynode] #show roleinfo
(Aruba-VMC-VA) [mynode] #database-synchronize
Cannot start database synchronization: peer is not configured.
(Aruba-VMC-VA) [mynode] #
So, either the third section is incomplete or I am doing something wrong.
I configured the peer as the command is saying; this configuration is from the second section of the chapter, Master Redundancy. Because it only permits me to configure the peer and the password not in the local node, but at the mobility controller level.
And as I said before, configuring the Master redundancy with two standalone controllers is not working...
Can you point the way of how to make the database sync work ?
Two thoughts. One, I'm not sure VRRP redundancy between a physical controller and a VM is allowed. Hopefully, someone else can answer this. The other is that in a standalone environment the node hierarchy is as shown below
(7010-3a) [mynode] #show configuration node-hierarchy
Default-node is not configured. Autopark is disabled.
Configuration node hierarchy
----------------------------
Config Node  Type    Name
-----------  ----    ----
/            System
/mm          System
/mm/mynode   System
Typically, in an MM environment, the VRRP is configured at the /mm/mynode level on each of the controllers. Then the database synchronization is configured at the /mm level. This is how it is done on an MM managed platform, and it may need to be configured this way also on a standalone platform.
westcott... I was able to advance. Unfortunately another problem shows up.
The correct way to configure is:
First configure the VRRP as the configuration guide says.
Between the VMC and the physical controller there is no problem with changing the master (standalone) and standby (standalone) roles with each other. Although I did not test the preempt function.
(Aruba-MC-VA) [mynode] #show vrrp
Virtual Router 180:
Admin State UP, VR State MASTER
IP Address 172.16.1.150, MAC Address 00:00:5e:00:01:b4, vlan 172
Priority 201, Advertisement 1 sec, Preemption Disable Delay 0
Auth type PASSWORD, Auth data: ********
tracking is not enabled
(WLC-7005) [mynode] #show vrrp
Admin State UP, VR State BACKUP
Priority 101, Advertisement 1 sec, Preemption Disable Delay 0
Both roleinfo outputs in this configuration still say switchrole:standalone
So, the second step is to configure the database synchronization as you said.
To do that, it is necessary to go up a level in the hierarchy and, at the Mobility Controller level, activate the database synchronization toggle and set a sync period; then at the local node level, the toggle and the sync period will be the same as the ones set at the Mobility Controller level. So this time, at the local level, it will be necessary to fill in the Master VRRP, the peer IP and the IPsec peer passphrase. So the section about Master Redundancy in the chapter is partly correct for my scenario.
Now, with this setup complete, in show roleinfo the backup VRRP controller will be called standby, and with show switches both controllers are showing their respective information.
(Aruba-MC-VA) [mynode] #show switches
IP Address    IPv6 Address  Name         Location          Type        Model       Version               Status  Configuration State  Config Sync Time (sec)  Config ID
----------    ------------  ----         --------          ----        -----       -------               ------  -------------------  ----------------------  ---------
172.16.1.131  None          Aruba-MC-VA  Building1.floor1  standalone  ArubaMC-VA  220.127.116.11_68953  up      UPDATE SUCCESSFUL    0                       14
172.16.1.132  None          WLC-7005     Building1.floor1  standby     Aruba7005   18.104.22.168_68953   up      CONFIG FAILURE(14)   0                       14
But, with this setting, the database synchronization will not work.
(Aruba-MC-VA) [mynode] #show database synchronize
Last L2 synchronization time: Fri Jan 31 14:33:44 2020
Last L3 synchronization time: Secondary not synchronized since last reboot
To Master Switch at 172.16.1.139: *** FAILED ***
WMS Database backup file size: 40266 bytes
Local User Database backup file size: 41647 bytes
Global AP Database backup file size: 23061 bytes
IAP Database backup file size: 3760 bytes
Airgroup Database backup file size: 3062 bytes
License Database backup file size: 5323 bytes
CPSec Database backup file size: 3224 bytes
L2 Synchronization took 10 second
L3 Synchronization took less than one second
Last failure cause: Standby switch did not acknowledge the CPSec database transfer
(Aruba-MC-VA) [mynode] # show log errorlog all
Jan 31 14:27:34 <dbsync 307273> <5520> <ERRS> |dbsync| dbsync: failed to start db sync on standby (handle_start_sync_reply_receive)
(WLC-7005) [mynode] # show log errorlog all
Jan 31 14:27:34 dbsync: <307319> <3834> <ERRS> |dbsync| dbsync: Can not start db sync on backup Master Switch: (SYNC_WAIT_WMS_DB)
So, I discovered that to resolve this error, it was necessary to configure the Cluster WhiteList propagation settings, so I set the master as the root and the standby as the member.
Unfortunately the problem with synchronization continues, and a new error shows up….
(WLC-7005) [mynode] # show log errorlog all
Jan 31 14:48:29 <dbsync 307335> <3834> <ERRS> |dbsync| dbsync: Can not receive file on backup Master Switch: (SYNC_WAIT_BOCMGR_DB)
Jan 31 14:48:29 <dbsync 307398> <5520> <ERRS> |dbsync| dbsync: failed to receive CPSEC db sync on standby (handle_send_cpsec_db_ack)
Last L2 synchronization time: Fri Jan 31 14:48:29 2020
Local User Database backup file size: 41649 bytes
L2 Synchronization took 11 second
57 L2 synchronization attempted
57 L2 synchronization have failed
0 L3 synchronization attempted
0 L3 synchronization have failed
L2 Periodic synchronization is enabled and runs every 1 minute
L3 Periodic synchronization is disabled
Synchronization doesn't include Captive Portal Custom data
(Aruba-MC-VA) [mynode] #
(WLC-7005) [mynode] #show database synchronize
From Master Switch at 172.16.1.131: *** FAILED ***
CPSec Database backup file size: 0 bytes
Bocmgr Database backup file size: 0 bytes
Last failure cause: Unknown error
(WLC-7005) [mynode] #
So.... Any help ? Is this a bug ?
Just to add more information: in my lab I have the VMC and two physical controllers. As the VMC is showing this error, I decided to try the same configuration using the two physical controllers, so without the Clustering whitelist (because it is not asked for), and with the two physical controllers it is partially working, as there is no error message showing up, but the configuration is not being replicated to the standby controller… I checked it by removing the master, and the AP did go to the standby, but there is no config on the standby, so even with the database synchronization not showing an error with two physical controllers there is no replication of the configuration….
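A monitoring check for the sync failure shown in the post above, as an added example that is not part of the original thread: it parses `show database synchronize` output and reports the conditions that mean the standby would take over without current data. The sample text is constructed from lines quoted in the thread; the function names are hypothetical.

```python
import re

# Constructed samples: lines taken from the `show database synchronize`
# output quoted in the thread (active side, then standby side), trimmed.
ACTIVE = """\
To Master Switch at 172.16.1.139: *** FAILED ***
Local User Database backup file size: 41649 bytes
CPSec Database backup file size: 3224 bytes
57 L2 synchronization attempted
57 L2 synchronization have failed
0 L3 synchronization attempted
0 L3 synchronization have failed
Last failure cause: Standby switch did not acknowledge the CPSec database transfer
"""
STANDBY = """\
From Master Switch at 172.16.1.131: *** FAILED ***
CPSec Database backup file size: 0 bytes
Bocmgr Database backup file size: 0 bytes
Last failure cause: Unknown error
"""

def parse_dbsync(text):
    """Extract the fields that show whether the standby holds a current copy."""
    s = {"peer": None, "failed": False, "cause": None,
         "attempted": {}, "have failed": {}, "db_bytes": {}}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(?:To|From) Master Switch at (\S+): (.*)", line):
            s["peer"], s["failed"] = m.group(1), "FAILED" in m.group(2)
        elif m := re.match(r"(\d+) (L[23]) synchronization (attempted|have failed)", line):
            s[m.group(3)][m.group(2)] = int(m.group(1))
        elif m := re.match(r"(.+) Database backup file size: (\d+) bytes", line):
            s["db_bytes"][m.group(1)] = int(m.group(2))
        elif m := re.match(r"Last failure cause: (.*)", line):
            s["cause"] = m.group(1)
    return s

def findings(s):
    """Return alert strings; an empty list means the output shows no sync problem."""
    out = []
    if s["failed"]:
        out.append(f"sync with {s['peer']} FAILED: {s['cause']}")
    for layer, n in s["attempted"].items():
        if n and s["have failed"].get(layer) == n:
            out.append(f"every {layer} attempt failed ({n}/{n})")
    out += [f"{db} database is 0 bytes" for db, size in s["db_bytes"].items() if size == 0]
    return out

if __name__ == "__main__":
    for name, text in (("active", ACTIVE), ("standby", STANDBY)):
        print(name, findings(parse_dbsync(text)))
```

An empty result only means the database transfer reported no error; the post above describes a pair that showed no sync error yet had no configuration on the standby, so the `Configuration State` column of `show switches` should be checked as well.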
Is there any way to do Active-Active without doubling the AP licenses, and without a MM?
The licensing is centralized, so you do not need to double it. However, ArubaOS 8 requires a management machine. That is either an MM, or a controller in Master Controller Mode (MCM). In either case, the management machine is strictly that, management, no termination of APs. In MCM mode or MM mode, you can have active/active, but that is done with two additional MCs (controllers). You can run standalone, however that is active/standby. The second controller is strictly a hardware failover.
So, I would need another controller to do Active/Active?
I happen to have one old 7005 and two new 9004.
Can I use the 7005 as the master controller and then use the two 9004 in active active? And what happens if the 7005 goes down? Would you do it or go with Active/Standby?
You could set up a controller as the management MCM and the other two could be set up with active-active redundancy, such as HA. Realize that these controllers will essentially be operating like OS 6, without the new features of OS 8, but they will work. If the MCM machine went down, it is like in OS 6, you lose your management machine and some features, but the wireless will still work.
Why do you not want to set up an MM? As for whether I would do it or not, there are too many variables for me to ponder to make that call.
I would be happy with an MM if I already had it, but now with AOS 10 I don't want to invest in a dying architecture.
Guess I will go with Active/Standby for now.
Check whether the "Controller IP" IP address is the same IP address you build synchronization upon.
I had a problem with sync too, but I had another error appearing.
P.S. Also I had 2 hardware 7205 controllers
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.