Wireless Access

How to test the captive portal on the member controller?

  • 1.  How to test the captive portal on the member controller?

    Posted Jan 19, 2019 12:09 AM

    I just set up 2 x guest captive portals on our system, but I want to make sure that both Aruba Local Controllers (Leader Controller & Member Controller) are able to work in case the leader controller is unavailable.

     

    Our layout is as follows:

     

    2 x Mobility Masters (VRRP enabled)

    2 x Local Controllers (VRRP enabled).

     

    Each local controller has 2 x DHCP scopes enabled.

    Controller1 (Leader):

    1 for Guest WLAN Access (exclude IP Address 192.XX.XX.1 - 192X.XX.XX.5,   .127 - .254)

    1 for BYOD WLAN Access (exclude IP Address 172.XX.XX.1 - 172.XX.XX.5,  .127 - .254)

     

    Controller2 (Member):

    1 for Guest WLAN Access (exclude IP Address 192.XX.XX.1 - 192X.XX.XX.126)

    1 for BYOD WLAN Access (exclude IP Address 172.XX.XX.1 - 172.XX.XX.126)

     

    The idea is to use both controllers and to avoid duplicate IP address conflicts on the same Guest or BYOD VLANs.  That is why DHCP pools are on each controller.  We have separate VLANs for each WLAN and the DHCP pool's gateway IP assigned to that VLAN.

     

    When I have the test devices log in, it appears that they have always connected to the leader controller.

     

    How can I properly test to make sure that if Controller 1 (Leader) is off-line, Controller 2 (member) will work correctly?  I am afraid that there might be a problem because if I disconnect the leader controller (unplug all Ethernet connections) then the captive portal pages do not come up even though the Member Controller is available.

     

    Please refer to: https://community.arubanetworks.com/t5/Wireless-Access/How-to-setup-a-guest-SSID-to-distribute-DHCP-from-the-local/m-p/485213  for background on how the guest access is set up.  Again, if the Leader controller is on-line the guest access is working great.

     

    I wonder if I am missing a setting to enable the member controller to work?  I wonder if the DHCP scopes are not working correctly on the member controller.  It does not appear that the clients are getting IP addresses from the member controller.

     



  • 2.  RE: How to test the captive portal on the member controller?
    Best Answer

    Posted Jan 19, 2019 07:59 AM
    The Captive Portal will be served from the controller the AP is connected to. Swing the AP over to the controller and Captive Portal you want to test.


  • 3.  RE: How to test the captive portal on the member controller?

    Posted Jan 19, 2019 08:05 AM

    How can I move the AP from controller 1(leader) to controller2 (member)?



  • 4.  RE: How to test the captive portal on the member controller?

    Posted Jan 19, 2019 08:06 AM
    It depends on your environment but you can adjust the VRRP, change the LMS IP, block the AP to controller connectivity etc.

    Sent from my iPhone


  • 5.  RE: How to test the captive portal on the member controller?

    Posted Jan 19, 2019 08:53 AM

    If I take Controller1 (Leader) off-line by disconnecting the network connections, shouldn't that force the Access Point to go to the other controller (member)?

     

    I think I tested other corporate connections that way and the clients and Access Points moved.  I will have to try that again and see.



  • 6.  RE: How to test the captive portal on the member controller?

    Posted Jan 19, 2019 09:09 AM
    Correct providing your APs are set up correctly to fail over.

    Sent from my iPhone


  • 7.  RE: How to test the captive portal on the member controller?

    Posted Jan 19, 2019 09:32 AM

    I found this article:

     

    https://community.arubanetworks.com/t5/Wireless-Access/How-to-manually-failover-AP-in-High-Availability-Fast-Failover-w/td-p/140919

     

    You can use the following CLI command to manually trigger a move of one or more APs from their current active controller to their current standby controller.

     

    'ap-move all' - Moves all APs currently active on that controller to their standby

     

    'ap-move ap-group <group-name>' - Moves all APs belonging to that AP group on that controller to their standby

     

    'ap-move ap-name <ap-name>' - Moves only that AP to its standby

     

    I will need to check if this is set up to fail over correctly.

     



  • 8.  RE: How to test the captive portal on the member controller?

    Posted Jan 20, 2019 11:43 AM

    Hello zalion0.

     

    You are correct, as soon as I moved the Access Point over to the other controller the captive portal came up with the other controller's IP address.

     

    I did notice that I needed to 'forget' / 'remove' the SSID from my laptop's cache and then relogon.  This is because the laptop kept wanting to use the IP address from the previous controller.  Once I did that then the logon process worked well.

     

    I just question if my design is correct.  I was told to have a DHCP scope on the controller level instead of the MD 'Group' level to avoid duplicate IP addresses for the same WLAN.

     

    For example, the Guest SSID has half of the DHCP class-C subnet on 1 controller and the other half of the same DHCP scope on the other controller.  But both controllers are referencing the same VLAN ID (assigned from the group level).  And each controller has their own unique IP address for the Guest VLAN.

     

    Is there a better way to make things easier for guest users?
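
The split-scope design described in posts 1 and 8 can be checked offline before a failover test. The following is an added example, not part of the original thread or any Aruba tooling: it computes what each controller can lease after its exclusions, flags any address both could hand out, and shows how many leases remain when only one controller is up. The subnet `192.0.2.0/24` is a constructed stand-in for the masked class-C range in the post, and the `MISTYPED` scope is a constructed error case.

```python
import ipaddress
from itertools import combinations

def leasable(subnet, exclusions):
    """Host addresses a DHCP scope can hand out after its exclusion ranges."""
    pool = set(ipaddress.ip_network(subnet).hosts())
    for first, last in exclusions:
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        pool -= {ipaddress.ip_address(n) for n in range(lo, hi + 1)}
    return pool

def audit_split(subnet, scopes):
    """Check a per-controller split of one subnet for overlap and capacity."""
    pools = {name: leasable(subnet, excl) for name, excl in scopes.items()}
    overlap = set()
    for a, b in combinations(pools, 2):
        overlap |= pools[a] & pools[b]      # both controllers could lease these
    covered = set().union(*pools.values())
    unserved = set(ipaddress.ip_network(subnet).hosts()) - covered
    return {
        # leases available if this controller is the only one reachable
        "leases_if_only_up": {name: len(p) for name, p in pools.items()},
        "overlap": sorted(overlap),
        "unserved": sorted(unserved),       # reserved: gateways, static hosts
    }

# Constructed sample data mirroring the exclusions listed in post 1.
SUBNET = "192.0.2.0/24"
AS_POSTED = {
    "controller1": [("192.0.2.1", "192.0.2.5"), ("192.0.2.127", "192.0.2.254")],
    "controller2": [("192.0.2.1", "192.0.2.126")],
}
# Constructed error case: controller2's exclusion ends six addresses early.
MISTYPED = dict(AS_POSTED, controller2=[("192.0.2.1", "192.0.2.120")])

if __name__ == "__main__":
    for label, scopes in (("as posted", AS_POSTED), ("mistyped", MISTYPED)):
        result = audit_split(SUBNET, scopes)
        print(label, result["leases_if_only_up"],
              "overlap:", [str(ip) for ip in result["overlap"]],
              "unserved:", len(result["unserved"]))
```

With the exclusions as posted the two pools are disjoint, but each controller holds only about half of the subnet, so a failover leaves roughly half the guest leases available.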



  • 9.  RE: How to test the captive portal on the member controller?

    Posted Jan 21, 2019 01:09 AM
    If this is for Guest? Do you have an external DHCP server which can manage the guest pool? I believe best practice recommends using an external DHCP server as opposed to the controller one. This would allow you to have a single location to distribute DHCP in the event of a failover.

    Sent from my iPhone


  • 10.  RE: How to test the captive portal on the member controller?

    Posted Jan 21, 2019 05:39 AM

    Can I force all of the Access Points (28) to be on the Leader controller?  Or at least most of the Access Points in the office area to use the leader controller?  Then if a failover happens they will just move over to the standby controller?  That may be the easiest design.

     

    The problem is only with captive portal.  The other SSIDs use an external DHCP server and those do not have any problems.



  • 11.  RE: How to test the captive portal on the member controller?

    Posted Jan 21, 2019 06:04 AM
    You can, however it’s less on the controller if half the APs failover as opposed to the entire estate. Depending on your version, clustering or HA are good options for failover. Have you read the Campus Redundancy VRD, they are very good and detail the options.

    Sent from my iPhone


  • 12.  RE: How to test the captive portal on the member controller?

    Posted Jan 21, 2019 07:31 AM

    Hello Zallion0,

     

    Thank you for your help. Yes, our local controllers (2) are set up for clusters and are set up with VRRP (Virtual IP address).  This sounds like a design situation.

     

    I wonder how other companies are designing their guest access.  It sounds as if they have a separate DHCP server for this. Or a DHCP router plugged in for small environments.  I will take a look at the Campus WLAN Redundancy VRD.pdf as well.  https://community.arubanetworks.com/t5/Validated-Reference-Design/Campus-WLAN-Redundancy/ta-p/287454



  • 13.  RE: How to test the captive portal on the member controller?

    Posted Jan 21, 2019 08:10 AM

    Or, how about this: on page 36 of the attached document, there is a deployment model called Active/Standby.

     

    Active / Standby — Although both controllers are deployed in HA Dual role, only one controller acts as the LMS that terminates all APs. The other controller acts as HA Standby that terminates all standby tunnels from all deployed APs. If the Active controller becomes unreachable, all APs fail over to the Standby controller.  // I actually prefer this method of deployment.

     

    I think this might be already set up?  How can I determine this?  We currently have only 1 AP in our test group and that has controller1 (leader in cluster) as the active controller and controller2 (member in the cluster) as the standby controller.  How else can I verify that controller 2 will only take APs if controller1 is unavailable?  I know that clients' wireless connections do get load balanced between the 2 controllers even if they are using 1 access point (so far).  We currently only have 1 Virtual IP address for the Local Controller Cluster; can anyone confirm if that means we are set up with an active/standby setup (page 31)?

     

    I have noticed that the wireless clients tend to be split up automatically from the other non-captive portal WLANs.



  • 14.  RE: How to test the captive portal on the member controller?

    Posted Feb 03, 2019 11:44 AM

    This question can be closed.  It has been answered.