Wired Intelligent Edge


Going from a Standalone Controller to a Master/Local

  • 1.  Going from a Standalone Controller to a Master/Local

    Posted Oct 24, 2016 11:31 AM

    I currently have a standalone Aruba 3600 controller sitting at our Data Center that all of our Aruba RAP-155s connect up to. The profile is just set up for an LMS1. We bought a second controller for failover which we would like to just configure as a second LMS (no VRRP necessary). Right now the standalone controller has one physical interface going to the internal network and one going to the DMZ. It also has a public IP on the firewall NATted to the controller IP.

    I have not connected the new controller up. It's going to sit on the same subnet at the data center. I got a new public IP on the firewall NATted to an unused IP on the same subnet just like before. I also have a new interface mirroring the configurations of the existing interfaces on the internal and DMZ switches the standalone is connected to. Lastly, I got an unused IP for the guest VLAN for the captive portal to connect to.

    Since it's on the same subnet, can I just copy the standalone configuration, change the name and IP information, cable up the controller and synchronize in a master/local setup? Then add the second IP under the profile for LMS2?

    I just want to make sure there aren't any pieces I am missing.

    Thanks in advance everyone!



  • 2.  RE: Going from a Standalone Controller to a Master/Local

    EMPLOYEE
    Posted Oct 24, 2016 11:51 AM

    Yes you can.

     

    The problem is that you would need to have DNS-based redundancy instead of VRRP redundancy. If the first controller is not up, APs that point to that IP address when they boot will simply fail. APs need to contact a working controller to get their LMS or backup LMS. Instead you need to have two public IP addresses; one for the master and one for the backup. You need to point to an external DNS FQDN that has both of the IP addresses defined, which it will supply to RAPs either in a round-robin fashion or as both IP addresses when the RAP requests an IP address for the FQDN. Either way, the RAPs should point to a DNS FQDN. The FQDN will supply IP addresses either one at a time, or both, and the RAP will connect to either controller for redundancy.



  • 3.  RE: Going from a Standalone Controller to a Master/Local

    Posted Oct 24, 2016 12:25 PM

    The part I'm unclear on is why would the APs simply fail if the first controller goes down?

    As it is now the profile is downloaded with only one LMS on its profile, which is the public IP. The RAP tries to pin up the IPsec tunnel, hits the public IP of the firewall and gets forwarded to the controller.

    After making this change, won't the profile on the RAPs just be pushed out with the second public IP? Then when the first controller becomes unreachable it will try and pin up an IPsec tunnel to the second controller?



  • 4.  RE: Going from a Standalone Controller to a Master/Local

    EMPLOYEE
    Posted Oct 24, 2016 12:45 PM

    The RAP has to be provisioned with an IP address or FQDN so that when it first boots up, it finds a controller. If it is provisioned for an IP address but the controller that corresponds to that IP address is not there, it will simply reboot forever.



  • 5.  RE: Going from a Standalone Controller to a Master/Local

    Posted Oct 24, 2016 01:05 PM

    OK, I understand. So we have many RAPs which were provisioned with the IP address when it was a standalone. If I update the controller as I'm explaining, what you're saying is that all of the previously provisioned RAPs will not know to point to the second LMS in the event of failure? Is that because that's a configuration that's done locally, meaning it can't be pushed from the controller?



  • 6.  RE: Going from a Standalone Controller to a Master/Local

    EMPLOYEE
    Posted Oct 24, 2016 01:07 PM

    The RAP only knows of its provisioned address when it boots up.  If the controller at that address does not exist, it cannot get its configuration, which is the LMS or the Backup LMS.  Using DNS allows your DNS server to give that RAP either both addresses or one and then the other, for redundancy.
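The following is an added illustration of the boot-time dependency explained in replies 2 and 6 above; it is example code written for this page, not code from the thread or from HPE Aruba. It models what a RAP can reach at boot from its provisioned value alone: a single IP literal gives one candidate, so the RAP has no fallback if that controller is down, whereas an FQDN whose DNS answer carries both controllers' public addresses gives two. The zone fragment, host names (`rap-master.example.net`, `rap-old.example.net`) and addresses are all constructed; the addresses come from the RFC 5737 documentation ranges. The last function is a simple defender's check that the FQDN actually publishes every controller's public IP, which is the mistake that silently leaves a fleet with no redundancy.

```python
"""Model of RAP boot-time controller discovery (added example, not from the thread)."""
import ipaddress
import re
from typing import Iterable, List, Optional, Set

# Constructed BIND-style zone fragment. rap-master has an A record for each
# controller's public (NAT) address; rap-old only ever pointed at the first.
ZONE_FRAGMENT = """
$ORIGIN example.net.
rap-master.example.net.   300 IN A 192.0.2.10
rap-master.example.net.   300 IN A 198.51.100.20
rap-old.example.net.      300 IN A 192.0.2.10
"""

# Matches "<owner> <ttl> IN A <address>" lines only; $ORIGIN and blanks are skipped.
A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)\s*$")


def a_records(zone_text: str, fqdn: str) -> List[str]:
    """Every A record for fqdn, in zone order (the full answer a resolver hands back)."""
    owner = fqdn.rstrip(".") + "."
    found = []
    for line in zone_text.splitlines():
        m = A_RECORD.match(line.strip())
        if m and m.group(1) == owner:
            # ip_address() rejects malformed literals instead of passing them on.
            found.append(str(ipaddress.ip_address(m.group(2))))
    return found


def boot_candidates(provisioned: str, zone_text: str) -> List[str]:
    """Addresses a RAP can try at boot, derived only from its provisioned value.

    A provisioned IP literal yields exactly that one address. A provisioned
    FQDN yields every address in the DNS answer, so a second controller is
    reachable even though the RAP has never downloaded an LMS/backup LMS.
    """
    try:
        return [str(ipaddress.ip_address(provisioned))]
    except ValueError:
        return a_records(zone_text, provisioned)


def first_reachable(candidates: Iterable[str], up: Set[str]) -> Optional[str]:
    """First candidate whose controller answers; None is the 'reboots forever' case."""
    for ip in candidates:
        if ip in up:
            return ip
    return None


def redundancy_gaps(zone_text: str, fqdn: str, controller_ips: Iterable[str]) -> List[str]:
    """Controller public IPs that the FQDN does not publish (should be empty)."""
    published = set(a_records(zone_text, fqdn))
    return sorted(set(controller_ips) - published)


if __name__ == "__main__":
    only_backup_up = {"198.51.100.20"}  # constructed: primary controller is down
    for provisioned in ("192.0.2.10", "rap-master.example.net"):
        cands = boot_candidates(provisioned, ZONE_FRAGMENT)
        print(provisioned, "->", cands, "reaches", first_reachable(cands, only_backup_up))
    print("gaps for rap-old:", redundancy_gaps(
        ZONE_FRAGMENT, "rap-old.example.net", ["192.0.2.10", "198.51.100.20"]))
```

Run as-is, the script shows the static-IP RAP reaching nothing while the primary is down, the FQDN-provisioned RAP landing on the backup, and `rap-old` flagged as missing the second controller. Against a real zone, the same check is a `dig` of the FQDN compared with the list of controller public IPs; re-provisioning the already deployed RAPs from the IP literal to the FQDN is what makes them eligible for the fallback at all.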