Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP cluster creation without having to zeroise the controllers

  • 1.  RAP cluster creation without having to zeroise the controllers

    Posted Dec 12, 2023 12:11 PM

    Trying to get RAPs operational but struggling.

    I've read the articles on Flomain and the guide Aruba Remote Access Point Solution Guide for Teleworkers and Home Offices, but I just can't get a win here.
    Aruba Remote Access Point Solution Guide

    Basic RAP Setup with ArubaOS 8 - Flomain Networking

    RAP Cluster is 8.10.0.8
    The RAP cluster sits under a higher config level as a separate 'RAP' folder, with the 2 hardware nodes in it. (Higher up are 3 Campus AP clusters)

    The problem is our internal design - NAT off the border firewall can't work because the network the controllers are on is not routed to the border. Using an NSX load balancer doesn't work for NAT, because although the LB can host the public address and the LB has access to the controller's network, NSX wants to own the VPN endpoint, and we don't seem to be able to work around that.

    So I'm going to have to put a public IP on the 2 controllers that I'm going to use for the RAP cluster.
    Presently all our controllers only have one IP interface, to which the Conductor, the APs, and the admins connect.

    Will the RAP part work if I leave the controllers as they are, but create a new interface on the controllers for the public IP, and leave everything else as it is? Or do I have to zeroise the controllers and start again? The current IP config isn't referred to as 'interface mgmt.'

    controller-ip vlan 628

    vlan-name wifiag01-wifimgmt1
    vlan wifiag01-wifimgmt1 628

    interface vlan 628
        ip address xxx.xxx.xxx.xxx

    My thought is to just add a new 'interface vlan xxx' using a public IP, trunk it in, and specify that as the RAP-IP when I add the controllers to the RAP cluster.
    Can that work, or am I just smoking crack?

    If it doesn't work, is it a case of zeroising the controllers, rebuilding following the CLI wizard, and the Conductor has to talk to the RAP controllers via their public IP, and at some point I set up a management interface?

    Are any more ports than UDP 4500 required inbound on the perimeter? I saw Florian mention 69 and 500, but I didn't spot that in the Aruba guide.

    Thanks.
    ------------------------------
    Nathan
    ------------------------------


  • 2.  RE: RAP cluster creation without having to zeroise the controllers

    EMPLOYEE
    Posted Dec 12, 2023 12:42 PM

    I don't know that using separate interfaces, one privately addressed and the other with a public IP, is a tested or supported configuration. The expectation is that either the public IP address is used as the controller-ip (this was originally the only supported configuration for AOS 8 clusters and RAPs) or that a public IP address is configured to 1:1 NAT with the controller-ip and the cluster configuration has the "RAP public IP" specified.

    UDP 4500 is the only port required to be opened to support RAP operation.
    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
  • 3.  RE: RAP cluster creation without having to zeroise the controllers

    Posted Dec 13, 2023 08:47 AM

    Thanks for posting, Carson.

    We've got to a point now where the incoming RAP is seen by the controller, but the association isn't getting very far.

    My earlier problem was that I was landing the incoming traffic on the LMS VIP, which was wrong. That's been changed to the controller's internal controller IP (the same one the Conductor talks to).

    I'm sure I read that I should be provisioning the RAP at the MN level. But the MN level doesn't contain the AP Groups (only the group the AP is presently in), so I can't select the RAP group.

    So I'm provisioning down a level, and I can see what I need to see.

    In the Provision dialogue, I'm selecting 'static' and entering the public IP that is specified as the RAP-Public-IP in the cluster config.

    On the Conductor CLI I see the AP now in show whitelist-db rap, but no Remote-IP is specified. Should that be the controller's public IP, as specified during provisioning?
    I can see that I can set it explicitly by modifying the whitelist, but doing so hasn't yielded any success.

    When I look at the Remote AP Whitelist, should there be a defined entry in the IPv4 address field?

    I've tried provisioning with certificate auth and with PSK auth. No joy with either.

    I've tried provisioning with a Trust Anchor of none and self-signed. No joy with either.

    When looking at the connected controller security log, I just can't get past "IKE SA Deletion: IKE2_delSa peer:...."

    Further thoughts?

    Thanks
    ------------------------------
    Nathan
    ------------------------------
  • 4.  RE: RAP cluster creation without having to zeroise the controllers

    EMPLOYEE
    Posted Dec 13, 2023 09:33 AM