Controllerless Networks

  • 1.  iap vpn BID allocation 0 problem

    Posted May 04, 2016 07:42 AM

    Anyone set up an Instant cluster with an IPsec tunnel back to an Aruba controller?

    Config on the IAP cluster for DHCP is layer 2 distributed.

    When I look on the controller, "show iap table long" shows no BID (subnet name).

    Any ideas?

    cheers

    pete



  • 2.  RE: iap vpn BID allocation 0 problem

    Posted May 04, 2016 06:28 PM

    show iap table long should show the BID if you have configured a distributed DHCP server on the IAP.

    The BID can be seen in the following logs:

    IAP#show log vpn-tunnel

    Controller:

    (Controller) #show logging level verbose

    (Controller) (config) #logging level debugging system process iapmgr

    After debugging, remove it via: (Controller) (config) #no logging level debugging system process iapmgr

    To check logs on the controller:

    (Controller) #show log system 500 | include IAP <- use include to avoid chatty kernel-level logs

    Jan 25 12:37:50 :342006:  <DBUG> |IAP manager Pro|  papi_rcv_cb, Recvd auth Message

    Jan 25 12:37:50 :342005:  <DBUG> |IAP manager Pro|  handle_iap_up:109 !!!new IAP branch up with inner IP 172.16.1.101

    Jan 25 12:37:50 :342005:  <DBUG> |IAP manager Pro|  handle_auth_msg:729 tip ac100165

    Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  rx_raw_message:624 MASTER received reg-req, going to process itself

    Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  register_iap_bid:313 switch_role is 2 

    Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  register_iap_bid:349 Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  register_iap_bid:381 Received from IAP - key='8339f2a0015feed8e090cbb79f3a7ae9204eed130c095af3ec'; ip='172.16.1.101'; mac_addr='aca31ec2d596'; subnet_count='0';  back_up='no';trusted_branch=no

    Adding in inrIPandBrnchID ip 172.16.1.101 brkey 8339f2a0015feed8e090cbb79f3a7ae9204eed130c095af3ec 

    Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  handle_iap_dpp_branch_add: new branch 8339f2a0015feed8e090cbb79f3a7ae9204eed130c095af3ec/172.16.1.101

    Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  handle_iap_dpp_branch_add: added branch 8339f2a0015feed8e090cbb79f3a7ae9204eed130c095af3ec

    However, out of curiosity: why are you going for distributed L2? The same aim can be fulfilled via CL2 and DL3. Do you really want the same subnet/layer 2 domain on all the sites?
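The controller debug lines quoted in this reply carry the per-branch registration fields (key, inner IP, MAC, subnet_count, trusted flag). The parser below is an added example, not code from the thread or from Aruba; it pulls those fields out of "show log system" output and lists branches that registered with subnet_count='0'. Treating subnet_count='0' as the reason no BID appears in "show iap table long" is this example's assumption, drawn from the log quoted above, not something the reply states outright. The second branch in the sample log is constructed (placeholder key and MAC); the first is the line from the reply.

```python
import re

# Constructed sample: the first two lines are from the controller output quoted in
# the reply above, the last two are a made-up second branch with placeholder values.
SAMPLE_LOG = """\
Jan 25 12:37:50 :342005:  <DBUG> |IAP manager Pro|  handle_iap_up:109 !!!new IAP branch up with inner IP 172.16.1.101
Jan 25 12:37:55 :342005:  <DBUG> |IAP manager Pro|  register_iap_bid:381 Received from IAP - key='8339f2a0015feed8e090cbb79f3a7ae9204eed130c095af3ec'; ip='172.16.1.101'; mac_addr='aca31ec2d596'; subnet_count='0';  back_up='no';trusted_branch=no
Jan 25 12:39:02 :342005:  <DBUG> |IAP manager Pro|  handle_iap_up:109 !!!new IAP branch up with inner IP 172.16.1.102
Jan 25 12:39:07 :342005:  <DBUG> |IAP manager Pro|  register_iap_bid:381 Received from IAP - key='PLACEHOLDERKEY0000000000000000000000000000000000000'; ip='172.16.1.102'; mac_addr='000000000002'; subnet_count='2';  back_up='no';trusted_branch=yes
"""

# Line shapes taken from the quoted iapmgr debug output.
BRANCH_UP_RE = re.compile(
    r"handle_iap_up:\d+ !!!new IAP branch up with inner IP (?P<ip>\d+\.\d+\.\d+\.\d+)")
REG_RE = re.compile(r"register_iap_bid:\d+ Received from IAP - (?P<fields>.*)$")
# name='value' or name=value, separated by ';' (spacing is inconsistent in the log)
FIELD_RE = re.compile(r"(\w+)=('?)([^';]*)\2")


def parse_register_fields(fields: str) -> dict:
    """Turn "key='..'; ip='..'; subnet_count='0';trusted_branch=no" into a dict."""
    return {name: value for name, _quote, value in FIELD_RE.findall(fields)}


def parse_iapmgr_log(text: str) -> dict:
    """Return {inner_ip: record} built from handle_iap_up and register_iap_bid lines."""
    branches = {}
    for line in text.splitlines():
        m = BRANCH_UP_RE.search(line)
        if m:
            branches.setdefault(m["ip"], {"ip": m["ip"]})["tunnel_up"] = True
            continue
        m = REG_RE.search(line)
        if m:
            f = parse_register_fields(m["fields"])
            if "ip" not in f:
                continue  # malformed registration line; skip rather than guess
            rec = branches.setdefault(f["ip"], {"ip": f["ip"]})
            rec.update(
                branch_key=f.get("key"),
                mac=f.get("mac_addr"),
                subnet_count=int(f.get("subnet_count", "0")),
                backup=f.get("back_up") == "yes",
                trusted=f.get("trusted_branch") == "yes",
            )
    return branches


def branches_without_subnets(branches: dict) -> list:
    """Inner IPs that registered but advertised no DHCP subnet.

    Assumption of this example: with subnet_count 0 the controller has nothing
    to allocate a BID for, which matches the empty BID column in the question.
    """
    return sorted(ip for ip, rec in branches.items()
                  if "branch_key" in rec and rec["subnet_count"] == 0)


if __name__ == "__main__":
    found = parse_iapmgr_log(SAMPLE_LOG)
    for ip, rec in sorted(found.items()):
        print(ip, rec)
    print("branches with no subnet registered:", branches_without_subnets(found))
```

Feed it the output of "show log system 500 | include IAP" saved to a file; a branch that shows tunnel_up but subnet_count 0 is the one to check for a missing distributed DHCP scope on the IAP side.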



  • 3.  RE: iap vpn BID allocation 0 problem

    Posted May 05, 2016 06:55 AM

    Hello Manishval,

    Thank you for your reply.

    I will run these debugs and see what is going on.

    With regard to using centralised L2 or distributed L3: I have looked at L3 this morning and it would appear the guest traffic gets source NATted to the IAP management address for a local breakout.

    Can guest traffic be tunnelled back to the core with the L3 method?

    All traffic has to go back to the core because this is where they have their Websense web filtering happening. We can't have local breakout.

    With regard to centralised L2, are we any better off with regard to containment of broadcast/multicast traffic?

    cheers

    pete



  • 4.  RE: iap vpn BID allocation 0 problem
    Best Answer

    Posted May 05, 2016 02:37 PM

    1. A routing profile of 0.0.0.0 0.0.0.0 <VPN head end IP> is the answer to routing all traffic to the controller and having no traffic leak out via the split tunnel's NAT to the IAP mgmt IP. Read the IAP VRD's chapter 4 section "configuring a routing profile".

    http://community.arubanetworks.com/t5/Validated-Reference-Design/Aruba-Instant-Validated-Reference-Design/ta-p/258782

    For centralized L2, a "disable split tunnel" knob is present to blindly send traffic into the tunnel irrespective of the routing profile, for ease of configuration.

    2. In upcoming software we are coming up with a feature where broadcast from one tunnel/one site in centralized L2 will not be pushed to another tunnel/site. As of now this is not available, but soon to come.
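The accepted answer's point is that any destination not covered by a routing-profile route falls to the split-tunnel path and is NATted to the IAP management IP, and that a 0.0.0.0 0.0.0.0 <VPN head end IP> entry closes that gap. The check below is an added example, not Aruba code or anything from the VRD: it models a routing profile as (destination, netmask, gateway) rows, applies longest-prefix match, and reports which sample destinations would leak. The head-end address 192.0.2.10, the corporate prefix and the test destinations are constructed placeholders.

```python
import ipaddress

# Constructed placeholder for the VPN head-end (controller) inner address.
VPN_HEADEND = "192.0.2.10"


def build_profile(routes):
    """routes: iterable of (destination, netmask, gateway) strings, in the same
    shape as the answer's '0.0.0.0 0.0.0.0 <VPN head end IP>' entry."""
    return [(ipaddress.ip_network(f"{dst}/{mask}"), gw) for dst, mask, gw in routes]


def next_hop(profile, destination):
    """Longest-prefix match over the profile.

    Returns the gateway of the most specific matching route, or None when no
    route matches; None models the split-tunnel path (local breakout with
    source NAT to the IAP management IP) described in the thread."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, gw in profile:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def leaked_destinations(profile, destinations, headend=VPN_HEADEND):
    """Destinations that would NOT be carried to the head-end, i.e. would leak."""
    return [d for d in destinations if next_hop(profile, d) != headend]


# Constructed sample: a corporate-only profile versus one with the default route.
CORP_ONLY = [("10.0.0.0", "255.0.0.0", VPN_HEADEND)]
WITH_DEFAULT = CORP_ONLY + [("0.0.0.0", "0.0.0.0", VPN_HEADEND)]
SAMPLE_DESTINATIONS = ["10.1.2.3", "203.0.113.7", "198.51.100.44"]


def audit():
    """Return (leaks with corporate-only profile, leaks with default route added)."""
    before = leaked_destinations(build_profile(CORP_ONLY), SAMPLE_DESTINATIONS)
    after = leaked_destinations(build_profile(WITH_DEFAULT), SAMPLE_DESTINATIONS)
    return before, after


if __name__ == "__main__":
    before, after = audit()
    print("leaks without default route:", before)
    print("leaks with default route:   ", after)
```

The guest-traffic case from the question is the "before" list: internet-bound destinations match nothing and take the NAT path. With the default route present the most specific route still wins for corporate prefixes, and everything else is pulled to the head-end, which is what the web-filtering requirement needs.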



  • 5.  RE: iap vpn BID allocation 0 problem

    Posted May 06, 2016 07:52 AM

    Thanks Manishval,

    Works a treat; appreciate you taking the time for this one.

    cheers

    again

    pete