Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Adding VRRP to working setup

  • 1.  Adding VRRP to working setup

    Posted Jan 09, 2014 12:01 PM

    We currently have a working 7210 on our campus.  We want to add a second controller and get VRRP working between the two.  What pitfalls do I need to look out for?  Ideally this setup would cause as little downtime as possible.


    #7210


  • 2.  RE: Adding VRRP to working setup

    Posted Jan 09, 2014 01:06 PM

    Pitfalls.. Well - knowing the steps in detail helps, but can't really avoid some downtime.

     

    First prepare your Standby controller with all necessary config (basically just IP/network) and correct AOS.

    Activate Centralized Licensing on the Master..

     

    If you re-use the current master IP as VIP

    * Change Master IP to new IP1, reboot

    * Add VRRP on Master, verify that the VIP is up and running again in VRRP Master state

     -> At this time the APs will start connecting to Master again.

    * Add VRRP on Standby, verify that it has VRRP Backup state

    * Add Master Redundancy settings on Master

    * Add Master Redundancy settings on Standby

    * Verify that database is in sync, or force a database sync. Verify that all settings/config are on the Standby

     

    Or - use a new IP as VRRP and prepare everything as mentioned above. When you're ready to do the switch, change your DNS entry for aruba-master (or DHCP options) towards the new VIP. At this time all the APs will reboot and connect to the new VIP. Some delay in updating DNS might occur..

     

    And if you're using RAPs just make sure you update DNS and/or NAT IPs ..

     

     



  • 3.  RE: Adding VRRP to working setup

    Posted Jan 09, 2014 01:15 PM

    Will I need to set up user roles and auth parameters on the second controller or will it happen automagically?



  • 4.  RE: Adding VRRP to working setup

    Posted Jan 09, 2014 01:16 PM

    Also I will be using a new IP for the VIP.  So I would just have to change the aruba-master IP when the time comes, right?



  • 5.  RE: Adding VRRP to working setup

    EMPLOYEE
    Posted Jan 09, 2014 03:41 PM

    jsolb has it right.

     

    If you (1) Set up the VRRP so that the active master has greater priority (2) Set up master redundancy on top of that ...  Master redundancy will synch the configurations.

     

    When you confirm that is done, you can change the aruba-master DNS entry to that of the VRRP, once you know the controllers answer to that new VRRP address.



  • 6.  RE: Adding VRRP to working setup

    Posted Jan 09, 2014 03:54 PM

    So the only downtime will be when the APs rediscover the new DNS entry, right?

     

    Also when it does the database sync will it migrate all the Profile settings?



  • 7.  RE: Adding VRRP to working setup

    EMPLOYEE
    Posted Jan 09, 2014 04:51 PM

    @JoshMaryville wrote:

    So the only downtime will be when the APs rediscover the new DNS entry, right?

     

    Also when it does the database sync will it migrate all the Profile settings?


    The configuration is where all the profiles are located.  That will be synched when you complete the master/backup master configuration.   After that, every time you type "write mem" or save configuration on the master it will be synchronized to the backup master.

     

    You have to type "database synchronize" on the master to synchronize other things in the database (guest users, internal database users, AP database).  You can also type "config t database synchronize period x" on the master to have the database synchronize periodically.
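
The steps from posts 2, 5 and 7 written out as ArubaOS 6.x CLI. This is an added example, not configuration posted by anyone in the thread. The VRRP ID and VLAN (10), the 192.0.2.x addresses, the 60-minute sync period and the VRRP_PASSWORD / IPSEC_KEY placeholders are all assumptions; lines starting with "!" are annotations.

```text
! --- Current master (physical IP 192.0.2.11), higher priority ---
configure terminal
vrrp 10
   vlan 10
   ip address 192.0.2.10
   priority 110
   preempt
   authentication VRRP_PASSWORD
   description Preferred-Master
   no shutdown
!
! Verify this controller holds the VIP in MASTER state before continuing
show vrrp
!
! --- New standby (physical IP 192.0.2.12), lower priority ---
configure terminal
vrrp 10
   vlan 10
   ip address 192.0.2.10
   priority 100
   preempt
   authentication VRRP_PASSWORD
   description Backup-Master
   no shutdown
!
! Verify BACKUP state here
show vrrp
!
! --- Master redundancy, on the master first (peer = standby) ---
master-redundancy
   master-vrrp 10
   peer-ip-address 192.0.2.12 ipsec IPSEC_KEY
!
! --- Master redundancy on the standby (peer = master) ---
master-redundancy
   master-vrrp 10
   peer-ip-address 192.0.2.11 ipsec IPSEC_KEY
!
! --- On the master: save (pushes config), then sync the databases ---
write memory
database synchronize
configure terminal
database synchronize period 60
!
! Confirm the last sync succeeded before repointing aruba-master at the VIP
show database synchronize
```

The VRRP password and the IPsec key must match on both controllers, and the peer address is always the other controller's physical IP, never the VIP.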



  • 8.  RE: Adding VRRP to working setup

    Posted Jan 10, 2014 04:13 AM

    In a redundant master setup, would you still have to export the local user database, I'm specifically concerned with the RAP whitelist, and import into the backup master then use the "aaa authentication-server internal use-local-switch" for local authentications?



  • 9.  RE: Adding VRRP to working setup

    EMPLOYEE
    Posted Jan 10, 2014 06:21 AM
    Matt Finnie,

    Database synchronize will take care of the rap whitelist and the local user database.


  • 10.  RE: Adding VRRP to working setup

    Posted Jan 10, 2014 06:32 AM
    In addition to IP/port settings, note that custom captive portal uploads and SSL certificates aren't replicated.


  • 11.  RE: Adding VRRP to working setup

    Posted Jan 10, 2014 08:20 AM

    We run a RADIUS auth against an external server.  Will the auth settings replicate?



  • 12.  RE: Adding VRRP to working setup

    EMPLOYEE
    Posted Jan 10, 2014 08:21 AM

    @JoshMaryville wrote:

    We run a RADIUS auth against an external server.  Will the auth settings replicate?


    Yes,

     

    But the RADIUS requests will come from that local controller, so you will have to set up that local controller as a RADIUS client on your RADIUS server.

     



  • 13.  RE: Adding VRRP to working setup

    Posted Jan 10, 2014 08:22 AM

    It won't come from the VRRP address?

     

    Thx for the heads up on that!



  • 14.  RE: Adding VRRP to working setup

    EMPLOYEE
    Posted Jan 10, 2014 08:23 AM

    No.

     

    A VRRP only handles incoming traffic.  The outgoing traffic is sourced by the controller.