Wireless Access

Frequent Contributor I

Change Master Controller VLAN/IP address

Hi Airheads,


We're running a deployment with 2 x Masters with VRRP redundancy and 2 Local controllers.


We need to move the Master controllers to a different subnet, so wondering what implications there are to doing this. In addition we were planning to use the factory cert for IPSec rather than a pre-shared key.


Is it as simple as the following?


- Create new VLAN interface on Master controllers

- Re-configure VRRP / Master redundancy using new interfaces / addressing

- Change Master IP address / authentication method on each Local controller


Are any reboots required on either Masters or Locals?


It also happens that the Masters will live behind a firewall going forwards, is it sufficient to add the appropriate IKE, UDP-4500, ESP services from Local to Masters only or are bi-directional rules required?


Aruba Employee

Re: Change Master Controller VLAN/IP address

Changing the controller-ip on the masters and the masterip on the locals will require a reboot. 


Ports required to be opened below, I believe these should be incoming from locals to the masters. Easiest way to figure this out would be to log blocked packets on the firewall and filter on the controller IPs (local and master).


  • IPSec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local controller is encapsulated in IPSec.
  • IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled.
  • GRE (protocol 47) if tunneling guest traffic over GRE to DMZ controller.


Marcus Wehmeyer
Search Airheads
Showing results for 
Search instead for 
Did you mean: