Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

All Masters model - Request for Comments

  • 1.  All Masters model - Request for Comments

    Posted Mar 01, 2014 10:21 AM

    Most of the deployments I will be involved with will require 2 controllers doing load balancing. As centralized licensing brings a nice cost reduction in licensing, most of the time I will also use it. Now, I would like to challenge the community to create a "cookbook", including the minimum steps to achieve a "well-known good" configuration of an All Masters model for this specific scenario. That said, my steps for the first (and only) deployment I did were:

     

    1 – Set controller A's and controller B's basic L2 and L3 services (IP addresses, STP, NTP, DNS, etc.);

     

    2 – As the default is to have Control Plane Security activated, create a cluster where controller A is the "Cluster Root" and controller B is a "Cluster Member". This will make controller A create a self-signed certificate and publish it to the members, allowing the APs to fail back and create an IPsec session with controller B, and vice versa, in case one of the controllers fails.

     

    3 – Create 2 VLANs, one for "AP domain A" and another for "AP domain B". On each VLAN create an instance of VRRP where controller A is the master of the VLAN A virtual IP and controller B is the master of the VLAN B virtual IP.

     

    4 – Create an HA (High Availability) cluster and define both controllers in this group using the "dual" mode definition. On the same screen, configure the database replication to 20 minutes.

     

    5 – As the configurations must be equal on both controllers, use AirWave, where controller A is in "monitoring mode" and controller B is in "managed mode". In this way, all changes made on controller A can be imported into AirWave and then automatically published to controller B, so the configuration between them will always be synchronized.

     

    6 – Provision domain A APs pointing to the VRRP IP of controller A and domain B APs pointing to the VRRP IP of controller B.

     

    The above configuration is in place and working properly. Should you have any comment about it, just share it with the community.

     

    Now, I want to disable Control Plane Security to avoid unnecessary IPsec burden on the APs. When I did it, the controllers became unstable. Controller A would not see the PEFNG licenses and would not enable these services. So I just flipped back until I understand where I am doing something wrong. And yes, I am using 6.3.1.3.

     

    So, I ask the community two questions/feedback:

     

    1 – Although it produces a "working configuration", are my steps above correct, or am I missing something?

     

    2 – What would be the steps to disable Control Plane Security and still have the system working?

     

    Cheers!

     

    Mo
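
    As an added illustration, not part of Mo's post and not Aruba documentation, here are the six steps above as ArubaOS 6.x CLI for controller A; controller B mirrors it with the VRRP priorities swapped and the cluster command reversed. All VLAN IDs, addresses, profile names and keys are placeholders chosen for the example, and the cluster, HA-profile and AP-profile commands are written from memory of the 6.3 syntax, so check them against the CLI reference for your release before pasting. Lines starting with "!" are annotations for the reader, not CLI input.

```text
! Added example (not from the original post): controller A in the
! two-controller "all masters" layout. Placeholders throughout.
!
! Step 2: control plane security, A as cluster root.
! On controller B use "cluster-root-ip 10.1.100.2 ipsec <cluster-key>"
! instead of the cluster-member-ip line.
control-plane-security
  cpsec-enable
  auto-cert-prov
  auto-cert-allow-all
! auto-cert-allow-all accepts any AP during rollout; remove it afterwards
cluster-member-ip 10.1.100.3 ipsec <cluster-key>
!
! Step 3: one VLAN per AP domain, one VRRP instance per VLAN.
! A masters VLAN 100 (priority 110), B masters VLAN 200; on B swap the
! two priority values so each controller is master of exactly one VIP.
vlan 100
vlan 200
interface vlan 100
  ip address 10.1.100.2 255.255.255.0
interface vlan 200
  ip address 10.1.200.2 255.255.255.0
vrrp 100
  vlan 100
  ip address 10.1.100.1
  priority 110
  preempt
  authentication <vrrp-key>
  no shutdown
vrrp 200
  vlan 200
  ip address 10.1.200.1
  priority 100
  authentication <vrrp-key>
  no shutdown
!
! Step 4: HA group with both controllers in "dual" role, i.e. each is
! active for its own APs and standby for the other's. Same on A and B.
ha group-profile ap-ha
  controller 10.1.100.2 role dual
  controller 10.1.100.3 role dual
ha group-membership ap-ha
!
! Step 6: each AP domain points at the VIP its controller masters, with
! the other VIP as backup LMS. Same on A and B.
ap system-profile domain-A
  lms-ip 10.1.100.1
  bkup-lms-ip 10.1.200.1
ap system-profile domain-B
  lms-ip 10.1.200.1
  bkup-lms-ip 10.1.100.1
ap-group domain-A
  ap-system-profile domain-A
ap-group domain-B
  ap-system-profile domain-B
!
! Checks after the change:
!   show vrrp                    (exactly one master per VRRP ID)
!   show ha group-profile ap-ha
!   show control-plane-security
!   show ap database             (AP state and which LMS it is on)
!
! To run without CPsec (the second question in the post):
!   control-plane-security
!     no cpsec-enable
! then watch "show ap database" until the APs re-register over PAPI.
```

    Two caveats worth keeping in mind with this layout: VRRP only works if both controllers sit on VLANs 100 and 200 at Layer 2, so the link between the two buildings must trunk those VLANs; if the sites are only routed, drop the VRRP blocks and put the controllers' own addresses in lms-ip and bkup-lms-ip instead. And once every AP has been provisioned, remove auto-cert-allow-all so an AP you did not approve cannot obtain a cluster certificate from the root.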



  • 2.  RE: All Masters model - Request for Comments

    EMPLOYEE
    Posted Mar 01, 2014 01:46 PM

    personally I think you'd be better off with a master-local setup.



  • 3.  RE: All Masters model - Request for Comments

    Posted Mar 01, 2014 03:19 PM

    Yes, you are right! That is what I would do if I could. However, my scenario is:

     

    A - Two buildings separated by about 2 km;

    B - Both have a data center;

    C - Although interconnected, they have limited bandwidth between them (1G);

    D - Low cost solution was "the way" to win the project;

     

    If Aruba had a promotion like "buy one controller, get the second one free", then active/passive would be great. But that is not the case. Also, we are competitive just because we can do this "magic": sharing licenses while active/active.

     

    Now considering the above, what would you do? (This is just a "request for comments" thread, so do it!)

     

    Mo



  • 4.  RE: All Masters model - Request for Comments

    EMPLOYEE
    Posted Mar 02, 2014 11:35 AM

    Mo,

     

    There is a lot to go through in your description.  Like Michael_Clarke says, if you are going through the exercise of attempting to synchronize configurations, you should have a master and locals, which will do automatic synchronization without a third device like AirWave in the middle.

     

    Control Plane Security is needed for a couple of things, really:  (1) bridging local users on access points, which is not used terribly much, and (2) Decrypt-Tunnel, which is useful only in specific situations.  If you are not doing either, there is no need to have Control Plane Security enabled.  If you do not need control plane security, turn it off and do not bother attempting to create an entire infrastructure for something that is not needed.

     

    Turning off control plane security should take about 10 minutes for all of the access points to time out connecting via the IPsec method and connect using the PAPI method.  If it does not stabilize in 10 minutes, you should open a support case.

     

    With regards to the redundancy, most businesses rely on wireless more and more, not less and less, so having "hot" redundancy when a part fails becomes more important.  With centralized licensing, the cost of physical redundancy is now power and another controller SKU.  For a lot of businesses, if they had only a single controller and they had to wait until the next day for a replacement controller to be shipped from TAC, or two days for a replacement to be provisioned, their lost productivity would cost more than a duplicate piece of hardware in the network.  Some businesses can accept the lost productivity, but others cannot.  That is a question for the business and how they use wireless.

     



  • 5.  RE: All Masters model - Request for Comments

    Posted Mar 02, 2014 01:36 PM

    Joseph,

     

    I would agree with the approach of a Master/Local if I had a single site. However, in my case the project may extend to 5-6 locations, all of them having the same need: high availability, load balancing (active/active), as they have two buildings close to each other, each with a datacenter but a low-speed connection between them (+/- 1 Gbps). Extremely key: very low cost implementation. So in this case, I "guess" I had no choice. And yes, I totally agree that more and more wireless is not a "gadget plus" but a key point in many production networks.

     

    But all models have pluses and minuses. So, in my case I will have to deal with no sync between user databases. But honestly, I think that user databases should not be handled by the wireless controller. In this "IT World" we have RADIUS, AD, LDAP, etc., that allow for this, and you don't have to keep another database just for this. But if it becomes a must, then we have ClearPass, right?

     

    Thanks for the feedback on Control Plane Security. My question now is: if it is not really necessary, meaning only in specific situations, why does it not come disabled by default? I'll give it a try and disable it, waiting the 10 minutes you said. Let's see what happens.

     

    Finally, do you see anything "wrong" on my configuration or this is the way to do it in my case?

     

    Thanks again for everybody's feedback!

     

    Mo




  • 6.  RE: All Masters model - Request for Comments

    EMPLOYEE
    Posted Mar 02, 2014 01:45 PM

    Mo,

     

    If you have multiple sites, do they have IP connectivity between each other?  If so, there is nothing stopping you from the master/local configuration.  That is strictly for configuration replication.

     

    With regards to redundancy, again, this is a business decision.  If there is low bandwidth between sites, there is no reason to have access points fail over to another site, because that will affect performance and is not the best solution.  The best thing is to either have a controller backing up the primary controller onsite, or just wait for replacement hardware.  Again, this is a business decision.

     

    The question is, what user databases need synchronization?  If the customer is using Active Directory authentication, each controller can query Active Directory itself and no synchronization needs to take place with regards to the wireless LAN controller.  If the sites are truly isolated and you do not need guests to roam from one site to another, again you do not need synchronization, and each guest database can be managed on each individual controller.  If you need that synchronization, or if you want an easier guest approach that can be managed by fewer administrators in a multi-site situation, the user should consider ClearPass Guest.

     

    I do not know why control plane security is enabled by default.  If I were to guess, it is so that only approved devices can connect to your controller initially; that is the third and most important reason that I omitted.  You have the option of relaxing that during a rollout, if you wish for many devices to connect.

     

    Nothing is inherently "wrong" with your configuration.  You need to choose what makes sense for the business and your way of managing things.  We can only offer suggestions that you can accept or reject.

     



  • 7.  RE: All Masters model - Request for Comments

    Posted Mar 02, 2014 02:03 PM

    Very good thoughts Joseph...

     

    The issue with the database was just because of guest management between the 2 controllers. But for sure there are many ways to overcome it.

     

    But your feedback called my attention to another specific subject: when we should and when we should not use the All Masters model. From a "straight" point of view, master/local would do the same. But if so, why has Aruba created the All Masters model?

     

    In my mind, VRRP was much, much more effective for HA than the other models implemented till now...

     

    Thanks again for your very valuable feedback.

     

    Mo




  • 8.  RE: All Masters model - Request for Comments

    EMPLOYEE
    Posted Mar 02, 2014 02:22 PM
    All Masters is for admins who do not need or want to run the same version of code between controllers.

    Quite frankly, VRRP and backup LMS pretty much perform the same, except backup LMS has the flexibility of not needing the controllers to be on the same Layer 2 VLAN.