Requirement: To provide redundancy in a remote location when using the Aruba 600 Series Controllers, and to ensure that IP routing information within the customer's network is current and that the proper path is selected for routing traffic back to the remote location.
To advertise remote networks into the customer's IGP, and also to retract such advertisements, OSPF is used to establish adjacencies through redundant paths. When an adjacency is terminated at the far end, that router stops advertising the remote network. Using dual IPsec tunnels that terminate on separate far-end routers, primary and secondary paths can be identified at both ends. This satisfies the router-redundancy requirement for connectivity.
To provide link redundancy, the 600 Series controller can use its primary and backup uplink functionality. These links are not active simultaneously, so link redundancy is achieved by specifying uplink priorities: when the primary link loses connectivity, the secondary wired link becomes active toward the second ISP and the IPsec tunnels can be re-established across the Internet.
The following configuration snippet sets up the IPsec tunnels and OSPF adjacencies from the remote office. The additional snippets cover the two termination points, the Aruba controllers. The test network is statically addressed, but as long as the terminating routers or Aruba controllers have static addresses, the 600 controller can be DHCP addressed.
This works in our favor, because the remote office initiates the tunnels to the termination points whenever an uplink becomes active. The test used static addressing, but with dual uplinks the recommendation is to use DHCP on both links. Only two IPsec tunnels then need to be configured, since the remote endpoints are dynamic and it does not matter that the second uplink comes up with a different IP address. An important point to remember is that only one endpoint can be a dynamically addressed host, and the FQDN parameter must match at both ends.
The OSPF adjacencies are established through GRE tunnels encapsulated in the IPSec.
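The path selection described above, worked through as an added example (not ArubaOS code and not part of the original article): a shortest-path computation over the links the configuration snippets define. The only costs the page states are 'ip ospf cost 10' on tunnel 4 (remote office to Datacenter 2) at both ends and no cost statement on tunnel 5 (remote office to Datacenter 1). Two assumptions are not on the page and are marked as such in the code: an interface with no 'ip ospf cost' uses cost 1, and a constructed 'Core' node stands in for the customer's IGP, attached to each datacenter at cost 1.

```python
"""OSPF path selection for the dual-tunnel topology in the article.

Added example, not ArubaOS code. Costs on tunnel 4 and tunnel 5 come from the
configuration snippets; the default cost of 1 and the 'Core' node that models
the customer's IGP are assumptions, not something the article states.
"""
import heapq

INF = float("inf")

# Undirected links as (router_a, router_b, ospf_cost).
LINKS = [
    ("Core", "DC1", 1),           # constructed: customer IGP to Datacenter 1
    ("Core", "DC2", 1),           # constructed: customer IGP to Datacenter 2
    ("DC1", "RemoteOffice", 1),   # tunnel 5 (10.5.0.0/30), no cost set: assumed default 1
    ("DC2", "RemoteOffice", 10),  # tunnel 4 (10.4.0.0/30), 'ip ospf cost 10' on both ends
]


def shortest_paths(links, source):
    """Dijkstra SPF from `source`: returns (distance map, previous-hop map)."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    dist, prev, heap = {source: 0}, {}, [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, INF):
            continue  # stale queue entry, a shorter path was already found
        for nxt, cost in graph.get(node, []):
            if d + cost < dist.get(nxt, INF):
                dist[nxt] = d + cost
                prev[nxt] = node
                heapq.heappush(heap, (d + cost, nxt))
    return dist, prev


def best_path(links, source, target):
    """(hop list, total cost) from source to target, or (None, None) if unreachable."""
    dist, prev = shortest_paths(links, source)
    if target not in dist:
        return None, None
    hops = [target]
    while hops[-1] != source:
        hops.append(prev[hops[-1]])
    return hops[::-1], dist[target]


def without_adjacency(links, a, b):
    """Topology after the OSPF adjacency between a and b is lost (tunnel down)."""
    return [link for link in links if {link[0], link[1]} != {a, b}]


if __name__ == "__main__":
    # Both tunnels up: the customer network reaches 192.168.1.0/24 via Datacenter 1.
    print(best_path(LINKS, "Core", "RemoteOffice"))
    # Tunnel 5 lost: traffic fails over to Datacenter 2 at the higher cost.
    print(best_path(without_adjacency(LINKS, "DC1", "RemoteOffice"), "Core", "RemoteOffice"))
    # Return direction: the remote office's default route also prefers the DC1 adjacency.
    print(best_path(LINKS, "RemoteOffice", "Core"))
```

Without the cost 10 on tunnel 4 both datacenters would offer equal-cost paths to the remote LAN, and the choice between them would depend on tie-breaking rather than design; the explicit cost is what makes Datacenter 1 the deterministic primary and Datacenter 2 the backup.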
Solution: Provide redundancy in a remote location when using the 600 Series controller, and ensure that IP routing information is current and that the proper path is selected for routing traffic back to the remote location.
Configuration:
Configuration for Remote Doctor Office:
interface loopback
ip address 6.6.6.6
!
vlan 111
vlan 192
interface gigabitethernet 1/0
description "GE1/0"
trusted
trusted vlan 1-4094
switchport access vlan 192
!
interface gigabitethernet 1/1
description "GE1/1"
trusted
trusted vlan 1-4094
switchport access vlan 111
!
interface vlan 192
ip address 192.168.1.1 255.255.255.0
ip ospf area 8.8.8.8
!
interface vlan 111
ip address 1.1.1.1 255.255.255.0
!
interface tunnel 4
description "Tunnel Interface"
ip address 10.4.0.2 255.255.255.252
tunnel source 6.6.6.6
tunnel destination 5.5.5.5
trusted
ip ospf area 8.8.8.8
ip ospf cost 10
!
interface tunnel 5
description "Tunnel Interface"
ip address 10.5.0.2 255.255.255.252
tunnel source 6.6.6.6
tunnel destination 4.4.4.4
trusted
ip ospf area 8.8.8.8
!
ip default-gateway 1.1.1.2
no uplink wired vlan 1
uplink disable
ip route 4.4.4.4 255.255.255.255 ipsec To_DC1
ip route 5.5.5.5 255.255.255.255 ipsec To_DC2
!
crypto-local isakmp key "68d527b828fd42e937715ab6b626e9afa7043865d9739176" address 2.2.2.1 netmask 255.255.255.255
crypto-local isakmp key "f33ed8a4219b4e5d01bfdd9294ecf510f195ec4bf119a4ac" address 3.3.3.1 netmask 255.255.255.255
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
set transform-set "default-transform" "default-aes"
!
crypto-local ipsec-map To_DC1 100
peer-ip 2.2.2.1
vlan 111
src-net 192.168.1.0 255.255.255.0
dst-net 10.1.0.0 255.255.255.0
set transform-set "default-transform"
set security-association lifetime seconds 0
pre-connect enable
trusted enable
force-natt disable
!
crypto-local ipsec-map To_DC2 100
peer-ip 3.3.3.1
vlan 111
src-net 192.168.1.0 255.255.255.0
dst-net 10.2.0.0 255.255.255.0
set transform-set "default-transform"
set security-association lifetime seconds 0
pre-connect enable
trusted enable
force-natt disable
!
router ospf
router ospf area 8.8.8.8
!
Configuration for Datacenter 1:
!
interface loopback
ip address 4.4.4.4
!
vlan 2
no spanning-tree
interface gigabitethernet 1/0
description "GE1/0"
trusted
trusted vlan 1-4094
switchport access vlan 1
!
interface gigabitethernet 1/1
description "GE1/1"
trusted
trusted vlan 1-4094
switchport access vlan 2
!
interface vlan 1
ip address 2.2.2.1 255.255.255.0
!
interface vlan 2
ip address 10.1.0.2 255.255.255.0
ip ospf area 8.8.8.8
!
interface tunnel 5
description "Tunnel Interface"
ip address 10.5.0.1 255.255.255.252
tunnel source 4.4.4.4
tunnel destination 6.6.6.6
trusted
ip ospf area 8.8.8.8
!
ip route 1.1.1.0 255.255.255.0 2.2.2.2
uplink disable
ip route 6.6.6.6 255.255.255.255 ipsec ToRemoteDR
!
crypto-local isakmp key "a868c18f8094de535eeacaacaa26a8a2f155d09ac5d3eaed" address 1.1.1.1 netmask 255.255.255.255
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
set transform-set default-transform default-aes
!
crypto-local ipsec-map ToRemoteDR 100
peer-ip 1.1.1.1
vlan 1
src-net 10.1.0.0 255.255.255.0
dst-net 192.168.1.0 255.255.255.0
set transform-set default-transform
set security-association lifetime seconds 0
pre-connect disable
trusted enable
force-natt disable
!
router ospf
router ospf default-information originate always
router ospf area 8.8.8.8
!
Configuration for Datacenter 2:
!
interface loopback
ip address 5.5.5.5
!
vlan 3
no spanning-tree
!
interface gigabitethernet 1/1
description "GE1/1"
trusted
trusted vlan 1-4094
switchport access vlan 3
!
!
interface gigabitethernet 1/2
description "GE1/2"
trusted
trusted vlan 1-4094
switchport access vlan 1
!
interface vlan 1
ip address 3.3.3.1 255.255.255.0
!
interface vlan 3
ip address 10.2.0.2 255.255.255.0
ip ospf area 8.8.8.8
!
interface tunnel 4
description "Tunnel Interface"
ip address 10.4.0.1 255.255.255.252
tunnel source 5.5.5.5
tunnel destination 6.6.6.6
trusted
ip ospf area 8.8.8.8
ip ospf cost 10
!
ip route 1.1.1.0 255.255.255.0 3.3.3.2
uplink disable
ip route 6.6.6.6 255.255.255.255 ipsec ToRemoteDR
!
crypto-local isakmp key "fbb4bce5b20a36873775aa37480b85f3b7c1da066736a5ff" address 1.1.1.1 netmask 255.255.255.255
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
set transform-set default-transform default-aes
!
crypto-local ipsec-map ToRemoteDR 100
peer-ip 1.1.1.1
vlan 1
src-net 10.2.0.0 255.255.255.0
dst-net 192.168.1.0 255.255.255.0
set transform-set default-transform
set security-association lifetime seconds 0
pre-connect disable
trusted enable
force-natt disable
!
router ospf
router ospf default-information originate always
router ospf area 8.8.8.8
!
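Before the verification commands are run on the controllers, the three snippets above can be checked against each other offline. The following is an added example, not ArubaOS code and not part of the original article: it parses only the statement types the snippets use ('ip address', 'interface tunnel', 'ip route ... ipsec' and 'crypto-local ipsec-map') and reports the mismatches that keep a site pair from coming up: a route naming an ipsec-map that does not exist on that controller, a map whose src-net/dst-net is not mirrored on the peer, and a GRE tunnel with no reverse tunnel or no ipsec route to its destination. The two configuration excerpts are constructed from the article's addressing plan; the map name 'ToRemoteSite' in the datacenter route is a deliberate, constructed mistake for the check to find.

```python
"""Cross-check of the IPsec map / GRE tunnel pairing between two controllers.

Added example, not ArubaOS code. It parses only the statement types used in the
article's snippets and reports what would keep a site pair from coming up. The
two excerpts below are constructed from the article's addressing plan; the route
map name 'ToRemoteSite' is a deliberate, constructed mistake for the check to find.
"""
import re

MAP_SUBLINES = ("peer-ip", "vlan", "src-net", "dst-net", "set ", "pre-connect",
                "trusted", "force-natt")
TUNNEL_SUBLINES = ("description", "ip address", "ip ospf", "tunnel source",
                   "tunnel destination", "trusted")


def parse_site(text):
    """Collect addresses, ipsec-maps, GRE tunnels and ipsec routes from one config."""
    site = {"addresses": set(), "maps": {}, "tunnels": {}, "ipsec_routes": []}
    ctx = None  # ("map", name) or ("tunnel", id) while inside that block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if ctx and ctx[0] == "map" and line.startswith(MAP_SUBLINES):
            key, _, value = line.partition(" ")
            site["maps"][ctx[1]][key] = value.split()  # e.g. src-net -> [net, mask]
            continue
        if ctx and ctx[0] == "tunnel" and line.startswith(TUNNEL_SUBLINES):
            if line.startswith("tunnel "):
                _, field, addr = line.split()  # field is 'source' or 'destination'
                site["tunnels"][ctx[1]][field] = addr
            continue
        ctx = None  # any other statement ends the current block
        if m := re.match(r"crypto-local ipsec-map (\S+) \d+$", line):
            ctx, site["maps"][m.group(1)] = ("map", m.group(1)), {}
        elif m := re.match(r"interface tunnel (\d+)$", line):
            ctx, site["tunnels"][m.group(1)] = ("tunnel", m.group(1)), {}
        elif m := re.match(r"ip address (\S+)", line):
            site["addresses"].add(m.group(1))  # loopback and VLAN addresses
        elif m := re.match(r"ip route (\S+) \S+ ipsec (\S+)$", line):
            site["ipsec_routes"].append((m.group(1), m.group(2)))
    return site


def cross_check(local_name, local, remote_name, remote):
    """Problems on `local` with respect to peer `remote`; an empty list means consistent."""
    problems = []
    # 1. 'ip route ... ipsec <map>' must name a map defined on the same controller.
    for prefix, map_name in local["ipsec_routes"]:
        if map_name not in local["maps"]:
            problems.append(f"{local_name}: route {prefix} uses undefined ipsec-map {map_name}")
    # 2. A map pointing at the peer needs a mirror image there (src/dst-net swapped),
    #    otherwise the two sides propose different traffic selectors.
    for name, m in local["maps"].items():
        if m.get("peer-ip", [None])[0] not in remote["addresses"]:
            continue
        if not any(r.get("src-net") == m.get("dst-net") and r.get("dst-net") == m.get("src-net")
                   for r in remote["maps"].values()):
            problems.append(f"{local_name}: ipsec-map {name} is not mirrored on {remote_name}")
    # 3. A GRE tunnel to the peer needs the reverse tunnel there, and its destination
    #    must be routed through an ipsec-map so the GRE packets ride inside the SA.
    for tid, t in local["tunnels"].items():
        if t.get("destination") not in remote["addresses"]:
            continue
        if not any(r.get("source") == t["destination"] and r.get("destination") == t.get("source")
                   for r in remote["tunnels"].values()):
            problems.append(f"{local_name}: tunnel {tid} has no reverse tunnel on {remote_name}")
        if t["destination"] not in {p for p, _ in local["ipsec_routes"]}:
            problems.append(f"{local_name}: tunnel {tid} destination {t['destination']} "
                            f"is not routed via an ipsec-map")
    return problems


# Constructed excerpts following the article's addressing plan.
REMOTE_OFFICE = """
interface loopback
ip address 6.6.6.6
interface vlan 111
ip address 1.1.1.1 255.255.255.0
interface tunnel 5
tunnel source 6.6.6.6
tunnel destination 4.4.4.4
ip route 4.4.4.4 255.255.255.255 ipsec To_DC1
crypto-local ipsec-map To_DC1 100
peer-ip 2.2.2.1
src-net 192.168.1.0 255.255.255.0
dst-net 10.1.0.0 255.255.255.0
"""
DATACENTER_1 = """
interface loopback
ip address 4.4.4.4
interface vlan 1
ip address 2.2.2.1 255.255.255.0
interface tunnel 5
tunnel source 4.4.4.4
tunnel destination 6.6.6.6
ip route 6.6.6.6 255.255.255.255 ipsec ToRemoteSite
crypto-local ipsec-map ToRemoteDR 100
peer-ip 1.1.1.1
src-net 10.1.0.0 255.255.255.0
dst-net 192.168.1.0 255.255.255.0
"""

if __name__ == "__main__":
    remote, dc1 = parse_site(REMOTE_OFFICE), parse_site(DATACENTER_1)
    print(cross_check("RemoteOffice", remote, "Datacenter1", dc1) or "consistent")
    print(cross_check("Datacenter1", dc1, "RemoteOffice", remote) or "consistent")
```

Run the check in both directions for each tunnel pair (remote office against each datacenter); the remote-office side comes back clean, while the datacenter side reports the route that names a map the controller does not have, which is exactly the kind of typo that leaves 'show ip route' without the loopback route the GRE tunnel depends on.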
Verification: A few commands to verify on the controllers:
- show crypto ipsec sa
- show crypto isakmp sa
- show datapath tunnel table
- show ip route