Wireless Access

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Aruba MM and MD with RAP deployment

  • 1.  Aruba MM and MD with RAP deployment

    Posted Mar 08, 2018 02:21 PM

    Hello,

    In my lab environment I tested Aruba products. Currently I am testing Remote Access Points (RAP) over IPSec.
    When I deploy a standalone wireless controller (VMC) and provision a RAP at a remote location, everything works OK and I can connect to the RAP SSID and have access to my central location, where I have the controller.


    In another scenario I deployed 2 Mobility Masters (virtual) in VRRP and 2 Mobility Controllers (VMC) in a cluster and with VRRP for AP. But if I now provision a RAP at a remote location, the RAP cannot connect to my controller (via IPSec) in the central location. The configuration is the same as on the standalone controller.


    Is this scenario with MM and MD in a cluster and RAP supported in version 8.2.0.2? If it is supported, do I need to configure any additional settings compared with the standalone configuration? Do I need any special licenses for this implementation (currently I have PEF and RF Protect licenses)?


    I followed the User Guide from the Aruba support website.


    If somebody has a similar design scenario, please help me with the configuration.

    Thank you.



  • 2.  RE: Aruba MM and MD with RAP deployment
    Best Answer

    Posted Mar 08, 2018 02:25 PM

    NAT is not supported on a cluster because of how the clustering works.

    You will need to assign public addresses (not ideal), so it is best to deploy a managed controller (not part of a cluster) just for the RAPs.




    Pardon typos sent from Mobile



  • 3.  RE: Aruba MM and MD with RAP deployment

    Posted Mar 13, 2018 02:45 AM

    Thank you, Victor Fabian, for the answer.

     

    I have another question.

    If I have the following design:

    - 2 Mobility Masters in VRRP and 1 Mobility Controller (MD) (everything behind a firewall) and then a RAP in a remote location (via IPSec).

     

    Is this deployment supported, or does the Mobility Controller need a public IP address for the RAP to work at the remote location?

     

    Thank you.



  • 4.  RE: Aruba MM and MD with RAP deployment

    Posted Mar 13, 2018 05:22 AM
    2 Mobility Masters in VRRP and 1 Mobility Controller (MD) ( Everything behind firewall) and then RAP in remote location (via IPSec)

    This is a valid design; a non-cluster controller can use NAT.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 5.  RE: Aruba MM and MD with RAP deployment

    Posted Mar 13, 2018 08:39 AM

    Hello,

     

    I tested this design with 2 MMs (in VRRP) and 1 Mobility Controller managed by the Mobility Master, and then deployed a RAP at a remote location (via IPSec), but it does not work.

     

    If I have a Mobility Master, do I need to configure any additional settings for it to work properly?

     

    Thank you.



  • 6.  RE: Aruba MM and MD with RAP deployment

    Posted Mar 13, 2018 08:48 AM

    @Victor Fabian wrote:

    NAT is not supported on a cluster because of how the clustering works.

    You will need to assign public addresses (not ideal) so best to deploy a managed controller (not part of a cluster) just for the RAPs




    Pardon typos sent from Mobile


    Are you saying you cannot have a cluster of 2 MDs for redundancy as a RAP deployment?

    What is the AOS 8 redundancy solution for RAPs?



  • 7.  RE: Aruba MM and MD with RAP deployment

    Posted Mar 13, 2018 10:31 AM
    Are you saying you cannot have a cluster of 2 MDs for redundancy as a RAP deployment?

    Not saying that; you can terminate RAPs on cluster MDs, but you will need to assign a public IP address to each MD because in a cluster scenario NAT is not supported.

    What is the AOS 8 redundancy solution for RAPs?

    You can use the same redundancy mechanisms used in 6.x with non-cluster controllers and NAT at your firewall if your environment can’t use the above.




    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 8.  RE: Aruba MM and MD with RAP deployment

    Posted Mar 13, 2018 11:09 AM

    @Victor Fabian wrote:
    Are you saying you cannot have a cluster of 2 MDs for redundancy as a RAP deployment?

    Not saying that, you can terminate RAPs on cluster MDs but you will need to assign a public IP address to each MD because in a cluster scenario NAT is not supported


    Thank you

    Victor Fabian

    Pardon typos sent from Mobile

    I have deployed 2 Mobility Masters (virtual) with a VRRP IP (so the controller connects to the VRRP IP address) and 1 Mobility Controller (virtual) managed by the Mobility Master.

    And the RAP is still not working.

    If I deploy a standalone Mobility Controller (virtual), everything works.

    Do I have to configure additional settings on the Mobility Master for the RAP to work via IPSec at the remote location?



  • 9.  RE: Aruba MM and MD with RAP deployment

    Posted Mar 13, 2018 11:31 AM

    @Victor Fabian wrote:
    Are you saying you cannot have a cluster of 2 MDs for redundancy as a RAP deployment?

    Not saying that, you can terminate RAPs on cluster MDs but you will need to assign a public IP address to each MD because in a cluster scenario NAT is not supported

    What is the AOS 8 redundancy solution for RAPs?

    You can use the same Redundancy mechanisms used in 6.x with non-cluster controllers and NAT at your firewall if your environment can’t use the above




    Thank you

    Victor Fabian

    Pardon typos sent from Mobile

    We currently only have one standalone RAP controller for 6.x.

    Our 8.x plan is to have a cluster of 2 MDs, each with public IP addresses and a cluster public IP address. I assume this is supported?



  • 10.  RE: Aruba MM and MD with RAP deployment

    Posted Aug 27, 2018 01:00 AM

    Hi Guys,

     

    I'm curious to know if this has been addressed. Based on the design guide, NAT is not supported for RAPs terminating on cluster MCs. However, I'm puzzled, as this is not very clear. What if we have a one-to-one NAT rule on the DC firewall which maps each MC's private IP to a public one, and another mapping for the VRRP IP? Does RAP redundancy still work (or is it supported) in this case?



  • 11.  RE: Aruba MM and MD with RAP deployment

    Posted Aug 27, 2018 01:09 PM

    NAT and Clusters for RAPs are still not supported as of 8.3.x.x.

     

    The issue has to do with how the nodelist for the cluster gets sent to the AP/RAP for controller selection in a cluster environment. If the public IPs do not live on the controllers themselves, then the initial controller that pushes the nodelist to the RAP is unaware of the NAT environment. Consequently, the RAP gets pushed a set of private IPs that it is unable to connect to.

     

    If 1:1 NAT is required in order to reach a controller for RAP connectivity, then today that controller cannot be a cluster member.



  • 12.  RE: Aruba MM and MD with RAP deployment

    Posted Aug 29, 2018 09:49 PM

    Thanks. It's a lot clearer now.

    The question is, can we perhaps use FQDNs for the nodelist?



  • 13.  RE: Aruba MM and MD with RAP deployment

    Posted Aug 30, 2018 05:35 PM

    So to summarize:

    There is no RAP redundancy with cluster-connected MDs.

    Redundancy can be achieved using non-clustered MDs where you push the public IP (or NATed IP) as LMS-IP/BKUP-LMS-IP in the AP System profile to the RAP.

    Obviously not ideal. Is cluster redundancy for RAPs a roadmap item?



  • 14.  RE: Aruba MM and MD with RAP deployment

    Posted Aug 31, 2018 08:50 AM

    dwright@structured.com wrote:

    So to summarize. 

    There is no RAP redundancy with cluster connected MD's.  

    Redundancy can be achieved using non-clustered MD's where you push the public IP (or NATed IP) as LMS-IP/ BKUP-LMS-IP in the AP System profile to the RAP.

    Obviously not ideal, is cluster redundancy for RAPs a roadmap item?


    For roadmap details, contact your Aruba sales team.

     

    Your redundancy summary is pretty complete. Two further additions... VRRP can be run on the RAP controllers for increased availability. DNS can also be used to return multiple IPs for the RAP controllers to a RAP that’s booting. 



  • 15.  RE: Aruba MM and MD with RAP deployment

    Posted Aug 31, 2018 08:51 AM

    @RobinHulk wrote:

    Thanks. It's a lot clearer now.

    The question is, perhaps can we use FQDNs for nodelist?


    The nodelist uses IP rather than FQDN.
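
The behaviour described in replies 11, 13 and 15, as an added example that is not part of the original thread and is not Aruba code: a small Python model of which addresses a RAP is handed after first contact (cluster nodelist versus LMS-IP/BKUP-LMS-IP) and whether it can reach them across the Internet. The function names, data layout and sample addresses are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges: not routable from a RAP sitting on the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def internet_reachable(ip):
    """True if the address is outside RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

def rap_targets(controllers, clustered, lms_ips=()):
    """Addresses the RAP will try after its first contact.

    controllers: list of {"name", "interface_ip"} dicts (hypothetical model).
    clustered:   True  -> the RAP follows the cluster nodelist, which carries
                          the controllers' own interface IPs; the controller
                          pushing it is unaware of any firewall NAT.
                 False -> the RAP follows LMS-IP / BKUP-LMS-IP from the AP
                          system profile, which may be set to NATed addresses.
    """
    if clustered:
        return [(c["name"], c["interface_ip"]) for c in controllers]
    return [("lms-%d" % i, ip) for i, ip in enumerate(lms_ips)]

def validate(controllers, clustered, lms_ips=()):
    """Return (ok, unreachable_entries) for a RAP-termination design."""
    unreachable = [(name, ip)
                   for name, ip in rap_targets(controllers, clustered, lms_ips)
                   if not internet_reachable(ip)]
    return (not unreachable, unreachable)

# Constructed sample data: 10.1.1.x are controller interfaces behind a firewall;
# 203.0.113.x (documentation range) stands in for public addresses.
BEHIND_NAT = [{"name": "md1", "interface_ip": "10.1.1.11"},
              {"name": "md2", "interface_ip": "10.1.1.12"}]
PUBLIC_ON_BOX = [{"name": "md1", "interface_ip": "203.0.113.11"},
                 {"name": "md2", "interface_ip": "203.0.113.12"}]
NAT_LMS = ["203.0.113.11", "203.0.113.12"]  # firewall 1:1 NAT addresses

if __name__ == "__main__":
    print("cluster + 1:1 NAT     ", validate(BEHIND_NAT, clustered=True))
    print("cluster + public IPs  ", validate(PUBLIC_ON_BOX, clustered=True))
    print("non-cluster + NAT LMS ", validate(BEHIND_NAT, clustered=False,
                                            lms_ips=NAT_LMS))
```

Only the first design fails: the nodelist hands the RAP the 10.1.1.x interface addresses, which matches the explanation in reply 11.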