Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Anchor Controller HA via L3 DC interconnect

  • 1.  Anchor Controller HA via L3 DC interconnect

    Posted Mar 16, 2016 06:19 PM

    A common issue presented to me is Anchor controller HA being a manual failover process as opposed to automatic.

     

    Scenario:

    > 2 DCs with an anchor controller within each DC's DMZ

    > DCs separated via L3 interconnect

    > same VLAN number within each DC (for SSID) 

    > different subnet for said VLAN within each DC

     

    > local controller has 2 GRE tunnels, one to each Anchor controller

    > local controller has same VLAN number within the same subnet as the "primary anchor controller"

    > manual failover by having to change SVI IP address to bring up tunnel to secondary anchor controller

     

    network diagram of a demo network attached

     

    hoping to utilise the L3 GRE tunnel option available in 6.4 between the DCs

     

    Thoughts?



  • 2.  RE: Anchor Controller HA via L3 DC interconnect

    EMPLOYEE
    Posted Mar 16, 2016 07:05 PM

    There is a "Tunnel Groups" feature where you can have a single configuration, where two tunnels are configured:  One active and one standby.  Both tunnels must have the same VLAN configured.  http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Network_Parameters/Configuring_GRE_Tunnel_Group.htm?Highlight=tunnel groups

     

    Your main issue is that since each site has different IP addressing, only new devices that come onto the network after failover will be able to pass traffic.  The devices that were on before the failover are not aware of the addressing at the new site, so they will not be able to pass traffic...  Tunnel groups only work if both sites are using the same IP addressing.



  • 3.  RE: Anchor Controller HA via L3 DC interconnect

    Posted Mar 16, 2016 07:14 PM

    Yea thought as much - so I am pretty much stuck.

     

    What is the recommended design for such an environment? Having different subnetting within each DC is not uncommon. 

     

    I guess... you could create a different VLAN for each SSID on each site?

     

    DC A:
    VLAN 100
    10.10.10.1
    Guest SSID

    DC B:
    VLAN 101
    10.10.20.1
    Guest SSID

    Local:
    VLAN 100
    10.10.10.2
    Primary Guest SSID

    VLAN 101
    10.10.20.2
    Secondary Guest SSID

     

    Thoughts?



  • 4.  RE: Anchor Controller HA via L3 DC interconnect

    EMPLOYEE
    Posted Mar 16, 2016 07:24 PM

    Think about what is most likely to happen:

     

    1 - A DC blows up

    2 - A controller loses power

     

    #2 is probably more likely, so you should have dual controllers at the Anchor with a GRE tunnel pointing to a VRRP between them.

     

    #1 is probably going to cause much more heartache and you probably have to work with someone to come up with a routing solution that deals with your issue.  Some people would use OSPF at the primary DC anchor controller that would fail over to the backup DC anchor controller for the same subnet.  Again, that is an advanced topic that depends on how your network is configured.  Like I said, #2 is probably more likely to happen.  When #1 happens, you might have more than the guest network on your mind, but with tunnel groups, new guest users will at least be able to get on, so it is not a complete loss.
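
The failover behaviour discussed in replies 2 and 4, as an added example that is not part of the original thread and not ArubaOS code: a small model of an active/standby tunnel group that reports which existing guest leases stop matching the anchor subnet after a DC failure. The gateway addresses come from the thread; the /24 masks, client names, lease addresses and the `TunnelGroup` class are assumptions made for illustration.

```python
import ipaddress

# Gateways are taken from the thread; the /24 prefix length is an assumption.
ANCHORS = {
    "DC A": ipaddress.ip_interface("10.10.10.1/24"),
    "DC B": ipaddress.ip_interface("10.10.20.1/24"),
}


class TunnelGroup:
    """Hypothetical model: traffic uses the first tunnel in order that is up."""

    def __init__(self, order):
        self.order = list(order)
        self.up = {name: True for name in self.order}

    def active(self):
        for name in self.order:
            if self.up[name]:
                return name
        return None


def client_status(leases, group):
    """Map client -> 'ok', 'stranded' (lease from the other site) or 'no-anchor'."""
    site = group.active()
    if site is None:
        return {client: "no-anchor" for client in leases}
    net = ANCHORS[site].network
    return {client: "ok" if ipaddress.ip_address(ip) in net else "stranded"
            for client, ip in leases.items()}


def stranded_after_failover(leases, group, failed):
    """Mark one anchor down and list clients whose lease no longer fits."""
    group.up[failed] = False
    status = client_status(leases, group)
    return sorted(c for c, s in status.items() if s == "stranded")


if __name__ == "__main__":
    group = TunnelGroup(["DC A", "DC B"])
    leases = {"guest-1": "10.10.10.50", "guest-2": "10.10.10.51"}  # constructed
    print(stranded_after_failover(leases, group, "DC A"))
    leases["guest-3"] = "10.10.20.50"  # constructed: joins after failover
    print(client_status(leases, group))
```

Feeding it a real lease table and the real prefix lengths gives a quick count of guests that would need a new lease after a DC-level failover.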

     



  • 5.  RE: Anchor Controller HA via L3 DC interconnect

    Posted Mar 16, 2016 07:29 PM

    Completely agree with your scenarios - I guess dealing with adopted environments produces certain challenges - and this is mine.

     

    Cheers for the input mate.