ArubaOS and Controllers

Guru Elite

Re: Standby master and OSPF

If you deployed two low-end controllers as master-backup master, the RAPs would authenticate to the whitelist on those devices centrally and you would be free to deploy as many locals as RAP controllers as you wanted. By default RAP locals authenticate to the master or master/backup pair for their whitelist.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Aruba Employee

Re: Standby master and OSPF




I didn't know that, but the biggest reason we did not go with locals of any kind is because in practice, with a primary and backup LMS defined, there is the risk of a RAP not being able to connect to its primary LMS for whatever reason and connecting to its backup LMS instead. In that case, I have the same client VLAN being advertised out of two datacenters from two different controllers. Without L2 connections between every local LMS pair, I could potentially black-hole an entire AP group. Even with the L2 connection, traffic that came in to one controller, but out another would break because of the controller's stateful firewall. It's just really not worth the risk.

I've seen this a lot with other VPN solutions and have friends who have seen this with RAPs, and it's not worth designing around. I want consistent and deterministic connections and traffic flow.

Guru Elite

Re: Standby master and OSPF

Yup. That is definitely a concern. Aruba has a feature called named VLANs where you would just name the VLAN that a client would be on. The virtual AP would point to the named VLAN, instead of a number. On RAP controller 1, that named VLAN would correspond to one VLAN. When the AP fails over to controller 2, that named VLAN could correspond to a different VLAN number.

Aruba Employee

Re: Standby master and OSPF

Yes, I do like that feature, but named or numbered, it's still the same subnet because of my statically configured printers and terminal servers.
Guru Elite

Re: Standby master and OSPF




Yes. That is the use case where you would make the controllers route the VLAN(s) and run OSPF to provide reachability for that subnet.


Aruba Employee

Re: Standby master and OSPF

Who's on first?