Wireless Access

Redundancy with two 9240 Gateways across Datacenters

  • 1.  Redundancy with two 9240 Gateways across Datacenters

    Posted Apr 12, 2024 08:42 AM

    Hello,

    I am tasked to implement a wireless network. The (already bought) equipment is comprised of 2 x 9240 Gateways, as well as 1 x Conductor license and ~50 APs.

    The task is now to set up both gateways in different locations, which are connected via an IPSec-Tunnel with a bandwidth of 2.5Gbit/s.

    The plan is to set up 2 conductors on Hypervisors, one in the ESXi on either side and put those into HA. Also 1 Gateway will be placed on either side. All 4 devices will be put into the same VLAN.

    Now my question is: how do I make the Gateway-01 (in site 1) the AAC - AP-Anchor-Controller, Gateway-02 (in site 2) the S-AAC - Standby AP Anchor Controller for all the devices at site 1?

    And simultaneously: how do I make the Gateway-02 (in site 2) the AAC - AP-Anchor-Controller, Gateway-01 (in site 1) the S-AAC - Standby AP Anchor Controller for all the devices at site 2?

    Both in a way that there is as little interruption as possible for end-users, should one of the Gateways say bye-bye.

    I've also read about AP Failover to Different Cluster - which would also be an appropriate option. Just make each Gateway their own cluster and the APs on the other side fail over to that one?

    Enlightenment on that topic is highly appreciated.

    With kind regards,

    Mark

    PS: In case it's not obvious: the software version is AOS 8.10.



  • 2.  RE: Redundancy with two 9240 Gateways across Datacenters

    EMPLOYEE
    Posted Apr 12, 2024 11:07 AM

    Splitting a cluster across a WAN is not a supported setup.  You'll need to configure both controllers as standalone and utilize LMS/backup LMS to provide the APs with a primary and backup controller.

    As for Mobility Conductor redundancy, they should be installing two MCR at a single site with L2 redundancy (VRRP) and a third at the secondary datacenter utilizing L3 redundancy.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Redundancy with two 9240 Gateways across Datacenters

    Posted 29 days ago

    Thanks for this suggestion; this works surprisingly well. If one Gateway goes down the APs show up via the other Gateway.

    However, now I'm struggling to implement the WLAN itself. So far I gathered that hitless failover won't be possible, since I can't set up a cluster. But my major issue seems to be that I will have two separate next-hops, depending on which Gateway the APs will then sit on.

    I got it to work by setting up Inter-VLAN-Routing. Each WLAN I associated with a separate VLAN. Those VLANs are declared "Inside NAT" - the Interface connected with the Internet-running VLAN is then "Outside NAT".

    The alternative would be to set up a separate VLAN and attach that to the Firewall. And then define the DHCP-Servers on each Gateway to point to the Firewall on each side as default router. The question here is: should I define an identical IP-Address on both Firewalls - that's only visible from the respective Gateway? Or should I define distinct DHCP-pools, each with their own range and default gateway - since with a Gateway Failover a new DHCP-lease is required anyway.

    Input and opinions are welcome.




  • 4.  RE: Redundancy with two 9240 Gateways across Datacenters

    EMPLOYEE
    Posted 29 days ago

    Normal practice would be to set the default gateway on an upstream device, i.e., router or firewall.  DHCP should be handled by the network with the default gateway either providing said DHCP or acting as a DHCP relay.

    When the APs fail over from LMS to B-LMS, or fail back from B-LMS to LMS, all of the wireless connections should be dropped, forcing clients to reconnect and grab a new IP address in the new VLAN.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------