Original Message:
Sent: Nov 04, 2024 12:00 PM
From: chulcher
Subject: RAP Configuration - Clustered Controllers and 2 ISPs
I'd test that, see if the IP addressing from two separate ISPs works as you're expecting.
No...LMS/B-LMS should only be used for failover from one cluster or standalone controller to another. Failover within the cluster is automatically handled via the node list. For a single cluster setup the LMS should point at either a VRRP IP or one of the cluster nodes. For a RAP setup this would mean having to use another public IP NAT pointing at the VRRP IP. The discovery configuration for a RAP should, ideally, be configured in Activate so that the AP will either a) from factory settings be able to discover the proper target for operating as a RAP by using a round-robin DNS entry that includes any/all of the cluster public IP addresses or b) the RAP already has configuration from the cluster and will just re-connect.
The separate configuration of a manual VRRP instance (L2 redundancy) on a cluster is completely optional. For a campus setup I usually have one configured and use that as the discovery target.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Nov 04, 2024 11:41 AM
From: RyanNetEng
Subject: RAP Configuration - Clustered Controllers and 2 ISPs
Thank you for your reply. So to make sure I have this correct, you're suggesting this (pic below), with a 1-to-1 NAT for each on the firewall:
And on the RAP I'd have the primary LMS IP to ISP #1 and the backup LMS IP to ISP #2, correct?
And lastly, this would also eliminate the need for the controller-to-controller L2 redundancy VRRP (below)?
Original Message:
Sent: Nov 01, 2024 07:38 PM
From: chulcher
Subject: RAP Configuration - Clustered Controllers and 2 ISPs
If you are running a cluster for the RAPs, each node in the cluster must either have a public IP address assigned and configured as the controller-ip or there must be a 1:1 NAT of a public IP to each controller. VRRP-IP in the cluster configuration is used for the same thing in RAP as CAP, communication with the RADIUS server for high-availability of a dynamic authorization target.
If you want to configure a VRRP pair, and allow VRRP to fail over between two controllers, that is a completely different setup. You can also utilize two separate controllers and configure the RAP with LMS/B-LMS.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Nov 01, 2024 04:18 PM
From: RyanNetEng
Subject: RAP Configuration - Clustered Controllers and 2 ISPs
Architecture:
What is the best way to configure this very highly redundant architecture for RAPs? Don't cluster the controllers and just use standard VRRP redundancy, pointing the firewall NAT to VRRP IP (10.1.15.72), also use backup LMS IP on the AP system profile for the second ISP? Or cluster the controllers, and use 1 x Public IP from each ISP?
I have another pair of 7210 controllers that can terminate RAPs, but I'm not using it for that. These controllers are on 8.x and have this cluster configuration:
Each controller has a VRRP-IP in the cluster configuration above, however they also have a VRRP-IP in the redundancy configuration, which is the IP that the firewall NAT points to:
So what is the purpose of the VRRP-IPs in the cluster configuration? Are they ever used for RAP communication? Nothing points to them.
So here is what I'm thinking:
Controller A
IP Address: 10.1.15.69....VRRP-IP: 10.1.15.193.....RAP Public IP: x.x.x.x (ISP #1) <--Configure backup LMS IP with Public IP from ISP #2
Controller B
IP Address: 10.1.15.70....VRRP-IP: 10.1.15.194....RAP Public IP: x.x.x.x (ISP #2) <--Configure backup LMS IP with Public IP from ISP #1
I'm up for any corrections or alternate suggestions. Thanks in advance for the help!