ArubaOS and Controllers

Contributor II

Complicating it a bit. Need tunnels to Master / Backup-Master

So if I want to do this for a local controller and I have a Master & Backup-Master in my architecture (and both are cabled to the centralized "guest" VLAN), can I simply use the VRRP address as the peer endpoint on the local, or is this a scenario where I have to manually intervene and manually move the tunnel peer-point to the backup master's physical IP in the event of a failure?

Any feedback would be greatly appreciated.
Guru Elite

Re: Using GRE Tunnels to centralize L3 access

Since 3.x, you can terminate a GRE tunnel on a VRRP instance, yes.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Contributor II

Very Close

Have user traffic flowing over tunnel, Controller B has AP on Guest VLAN, gets IP address from DHCP Guest Network on Controller A's Guest VLAN, can send traffic in the initial role, but never gets redirected to start auth via Captive Portal.

Both sides of tunnel are trusted, so I believe this is to be expected. With PEFNG on both Controller B & A (Not to mention the C-F controllers I'll configure once testing is complete), where should the untrust side be? I want the locals (B-F) which do not have a connection to the isolated Guest VLAN (tunneled) to get redirected to an Amigopod HA bundle that's on the isolated Guest VLAN on Central controller (A). I can hit the pages manually via browser on AP connected to controller B, and client gets IP assigned from network connected only to A, so I know the tunnel works. Have Visio and am about to open TAC/ACE case to see if someone can eyeball my configs.

Re: Using GRE Tunnels to centralize L3 access

Assuming controller A is your central controller, then controller A's tunnel interface should be untrusted so that it challenges users for authentication there. It would be the same configuration for controllers C-F ... Controller A would always be set untrusted for its tunnel interfaces pointing to the remote controllers, so that Controller A handles the user authentication piece.

Charlie Clemmer
Aruba Customer Engineering