I have a remote facility with a single Aruba controller (650) and 2 redundant firewalls that auto-switch if one is unavailable. I would like to set up a guest wireless network that only has access to the internet with no access to my internal networks.
I am doing this at my primary facility that has 2 Aruba controllers (master & local) and 2 redundant firewalls. I have port 3 on the master and port 3 on the local configured for my guest VLAN, and those are plugged into a small switch. Both of the firewalls are also plugged into the switch, so no matter which firewall is active, the guest VLAN has access to the internet. Access is then controlled via the firewall settings.
At my remote facility, I'd like to accomplish the same thing, without the use of a small switch. So I'm thinking that I set up 2 ports on the Aruba controller that are both configured for the guest VLAN. I plug one of those ports into the "active" firewall and one into the "backup" firewall.
My question is what, if anything, do I need to do on these ports to make them act as redundant/failover ports instead of them both being active at the same time?
Thanks for your help.
You should use LACP (Port channel / group ) :smileytongue:
Start read here:
Then take a look on those posts:
I hope u will find some idea - or an answer to your question - your should do LACP/port group.(read the userguide)
*be sure your external sw is supporting those options.
have a great evening.
Thanks for the info!
Does it work properly in your primary site? I.e. have you tested the failover? Assuming yes (and without knowing the firewall make/model), the following applies I think.
You shouldn't have to do anything on the controller after setting two ports on the controller as trusted, in the guest VLAN and plugging them in.
I'm further assuming you trust the firewalls, only use the wired side of that VLAN for the firewall attachment (nothing else), and that the firewalls act directly as the guest default gateway? I.e. the guests don't IP route into the controller first, before being routed outbound to the firewall do they?
If I assume the firewalls are providing failover by way of a VRRP/HSRP, rather than something layer 2, you should be fine in the way you suggest.
@ kdisc98 - Thanks for the info!
@The.racking.monkey - Yes, it works at my primary site. So you're saying that I do not need to use LACP as long as the 2 Aruba ports are trusted and set up in the guest VLAN? You are correct in your firewall assumptions as well - the firewalls are trusted, the wired side of the guest VLAN is only being used to attach to the firewall and the firewall is the default gateway for the guest VLAN.
I think what I've suggested should work. Give it a try (in a period where issues with testing won't affect users of course)?
I don't think you'd need LACP personnally. LACP is for two interconnected devices, used to dynamically create a single logical link with multiple aggregated physical ports. As the firewalls likely act independantly (with an IP failover/heartbeat of sorts), LACP probably doesn't apply?
That's what I was thinking as well - that LACP is used to aggregate two ports, not really for failover.
The biggest issue with making the change is that this is at a site that's halfway around the world, with an IT "staff" that's really nothing more than a desktop support person. Had this been somewhere more local to me, I would have plugged stuff in and tried it already. But, since I'm dealing with a 13 hour time difference, a language barrier and someone without quite as much technical expertise as I'd prefer, I wanted to make sure I've got it as close to perfect in my head before I start directing someone to make connection changes. Luckily, this is only for a guest network, so it's not critical to our production evironment in case there are issues.
Thanks again for your help. I will give it a shot and will post the results here.
If it was UK based, I could offer you a price for a guy to site! ;-)
LACP can be used for failover/resilience as well as aggregation, but typically it connects between two logical devices. In your case, one end of the link is two different firewalls, so it doesn't really apply. Some devices in the market can do things like this, but they're uncommon.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2021 Hewlett Packard Enterprise Development LPAll Rights Reserved.