@ailart wrote:
Hi,
I'm in the phase of doing tests with 2x VMM and 3x 7210 controllers in a single cluster with AOS 8.3.0.10. All the controllers are in L2 mode.
Regarding the clustering of 7210 controllers, I'm a bit confused. How should VRRP be configured on each of the controllers? Should the VRRP IP and the LMS-IP be the same IP address? Is it mandatory to have an LMS-IP for a single cluster?
In this scenario CoA will be used, pointing to an external RADIUS server. Should the CoA IP address be the VRRP/LMS-IP?
Can someone help with the configs mentioned below for each of the 7210 controllers?
Configs
-----------
Controller1: 10.1.1.1
Controller2: 10.1.1.2
Controller3: 10.1.1.3
VRRP: 10.1.1.254
!
lc-cluster group-membership "7210-Cluster"
!
vrrp xx
priority xxx
ip address xx
vlan xx
no shutdown
!
controller 10.1.1.1 priority 128 mcast-vlan 0 vrrp-ip <xx.xx.xx.xx> vrrp-vlan <x> group <x>
!
lms-ip <x.x.x.x>
Is there any valid config guide?
VRRPs and what you need them for when clustering are probably the most difficult things to explain in ArubaOS 8.x.
VRRP type 1 - For access points to discover a controller when they (the access points) come up for the first time.
A controller cluster would have two or more controllers that each have a management ip address. In the simplest deployment you would have a two controller cluster like this:
Controller1 - 192.168.1.7/24
Controller2 - 192.168.1.8/24
VRRP - 192.168.1.100/24
New Access Point1 - 192.168.2.1/24
Since the access point above does not share the same layer 2 subnet as the two controllers in a cluster, we would have to figure out a way for the access point to discover the controller cluster in a different subnet, when the access point is new (Note: after an access point discovers a cluster, it saves the management ip addresses of all of the controllers in the cluster into AP flash, and those ip addresses are used for discovery on subsequent reboots). Many people point the "aruba-master" dns a-record to a single ip address or use dhcp option 43 to point to a single ip address when an access point is new for it to discover a cluster. Configuring the aruba-master a-record or dhcp option 43 to 192.168.1.100 will allow new access points to discover a cluster using a single ip address, regardless of which controller is currently "up". Again, after the initial discovery of a cluster, aruba-master and dhcp option 43/60 are not used. You would configure the VRRP for this function individually at the node (controller level) for each controller:
vrrp 20
priority 100
ip address 192.168.1.100
vlan 20
no shutdown
VRRP type 2 - For COA. THIS IS COMPLETELY OPTIONAL.
This is defined in the Cluster Configuration at the folder above the controllers. This VRRP is separate from the VRRPs used for initial controller discovery and consumes a separate ip address for each controller on your controller management subnet:
lc-cluster group-profile new-cluster
controller 192.168.1.7 vrrp-ip 192.168.1.20 vrrp-vlan 20
controller 192.168.1.8 vrrp-ip 192.168.1.21 vrrp-vlan 20
(The RFC 3576 configuration would also need to be configured in the AAA profile and on the radius server for COA to work, by the way.)
The configuration above will automatically setup two VRRP instances starting with VRRP 220:
The example above automatically sets up VRRP 220, ip address 192.168.1.20, with controller 192.168.1.7 being the master of VRRP 220 and controller 192.168.1.8 being the backup on VRRP 220. It also automatically sets up VRRP 221, with ip address 192.168.1.21, with controller 192.168.1.8 being the master and controller 192.168.1.9 being the backup.
So this is what you have:
VRRP 220- 192.168.1.20: Controller 1 - 192.168.1.7 master, Controller 2 backup master
VRRP 221- 192.168.1.21: Controller 2 - 192.168.1.8 master, Controller 1 backup master
Why is the 220 and above VRRP necessary for COA? When a client is on a controller cluster and sends a radius request, the radius server would need to know later which controller (md) sent the first client request so that if the radius server later needs to send a COA, it would know which md to send it to. When a radius request is sent from a cluster MD, whatever VRRP 22x the cluster MD is the master of is sent as the source ip address of the radius request. For example, if a radius request is sourced from the controller with ip address 192.168.1.7, the source ip address of the radius request is sent as 192.168.1.20. Later, if that client's state needs to be changed via COA, the radius server will send the COA to ip address 192.168.1.20 to execute the COA. Are you still following? Good. The multiple VRRPs above 220 are needed just in case a cluster controller goes away, so there will still be a controller available to answer COA requests for authentications that occurred before the controller went away. Using our current configuration as an example:
VRRP 220- 192.168.1.20: Controller 1 - 192.168.1.7 master, Controller 2 backup master
VRRP 221- 192.168.1.21: Controller 2 - 192.168.1.8 master, Controller 1 backup master
A client on controller 1 (192.168.1.7) sends a radius authentication to the radius server. Controller 1 sends the radius source ip address as 192.168.1.20 (the master of VRRP 220). If controller 1 goes down, Controller 2 will take over as the master of VRRP 220, and controller 1's clients will fail over to controller 2 and controller 2 will be able to answer COAs that were previously sent by controller 1 with a source ip address of 192.168.1.220. I hope that even makes sense.
I do not typically advise setting up VRRP ip addresses in your cluster configuration, because putting a VRRP ip address in your cluster configuration (1) consumes more ip addresses on your management subnet, (2) introduces more multicast traffic (VRRP) on your management subnet that could be significant depending on how many controllers are in your cluster and how much other broadcast traffic is hitting the controller on client subnets, and (3) the majority of users either don't have COA configured properly or they simply do not use it often enough to justify the configuration complexity and maintenance moving forward.
tl;dr - Don't bother with adding VRRPs to a cluster configuration if you have not previously tested COA successfully or are not using it actively. You can always add it later if need be.
For more reading, please look at the thread here: https://community.arubanetworks.com/t5/Wireless-Access/Clustering-MD-in-8-x-The-need-for-VRRP-IP/td-p/303775
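As an added illustration (not from the original post, and not Aruba code), the following Python model walks through the cluster VRRP behaviour the answer describes: instance numbering from 220 in the order controllers are listed in `lc-cluster group-profile`, the VRRP IP a member uses as its RADIUS source address, and which member answers a CoA sent to that address after a controller fails. The in-order instance numbering and the backup ordering are assumptions; the post only states that the instances start at 220 and that the other member becomes backup.

```python
"""Model of cluster VRRP-IP assignment and CoA failover (added example, constructed data)."""
from dataclasses import dataclass

CLUSTER_VRRP_BASE = 220  # per the post, cluster-profile VRRP instances start at 220


@dataclass
class ClusterVrrp:
    vrrp_id: int
    vrrp_ip: str
    master: str    # management IP of the controller listed with this vrrp-ip
    backups: list  # remaining members; assumed to take over in listed order


def build_cluster_vrrps(profile):
    """profile: ordered list of (controller_mgmt_ip, vrrp_ip) as written in the
    'lc-cluster group-profile'. Assumption: ids are assigned in listed order."""
    vrrps = {}
    for offset, (mgmt_ip, vrrp_ip) in enumerate(profile):
        vid = CLUSTER_VRRP_BASE + offset
        backups = [c for c, _ in profile if c != mgmt_ip]
        vrrps[vid] = ClusterVrrp(vid, vrrp_ip, mgmt_ip, backups)
    return vrrps


def current_owner(vrrp, down):
    """Controller currently holding the VRRP IP, given the set of failed controllers."""
    if vrrp.master not in down:
        return vrrp.master
    for backup in vrrp.backups:
        if backup not in down:
            return backup
    return None  # every member is down; nobody answers on this address


def radius_source_ip(vrrps, controller):
    """Source IP an MD stamps on its RADIUS requests: the VRRP IP it is master of."""
    for v in vrrps.values():
        if v.master == controller:
            return v.vrrp_ip
    return None


def coa_answering_controller(vrrps, coa_target_ip, down=frozenset()):
    """Which member answers a CoA the RADIUS server sends back to coa_target_ip."""
    for v in vrrps.values():
        if v.vrrp_ip == coa_target_ip:
            return current_owner(v, down)
    return None  # not a cluster VRRP IP; the CoA has no owner
```

With the post's two-controller profile, a CoA aimed at 192.168.1.20 is answered by 192.168.1.7 while it is up and by 192.168.1.8 once 192.168.1.7 has failed.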