Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Configuring my first box, vrrp and redundancy questions

  • 1.  Configuring my first box, vrrp and redundancy questions

    Posted Jan 23, 2014 10:30 AM

    I've only got our current setup to refer to, along with the obvious VRD and other docs, but sometimes it's still hard to figure out the best practice, so turned to the forums for some advice.  I don't think our current setup is ideally configured, so don't want to use it as a template for the new boxes.

     

    We have a master-local setup, and are terminating APs on both boxes.  Both controllers share the same layer 2 network for management.  WLAN clients use 10 layer 2 networks.  APs connect to the network via a dozen or so hubs around the building, and are on the same subnets as local wired connections.  WLAN and wired used different VLANs.

     

    For VRRP, I need only configure 2 instances, making one box the master for one, the other master for the other.  I can then configure AP groups to terminate on either using the VIP as the LMS IP.  The reason I ask is that our current setup seems to have VRRP configured for each of the 10 user WLANs, which doesn't really make any sense to me.  The VRRP address is also on the same subnet as the clients.  I would have thought it would be best practice to have VRRP on their own small subnets?

     

    With this master-local setup, if the master were to fail, and some of the APs reboot, I assume they wouldn't reconnect to the network as they would have no master to connect to?  In this scenario, "aruba-master" would be the address of the master, rather than the VIP of a redundant pair, which we don't have in our config.  An AP would reboot, look for the aruba-master and not find it.  Could I use the VIP for this so the AP would find the local controller and function as normal?

     

    I've tried to apply our scenario to what I have read in the VRDs etc, but it's sometimes like trying to put a square peg in a round hole, and I can't find the answers I actually need... would appreciate any guidance.

     

    Cheers



  • 2.  RE: Configuring my first box, vrrp and redundancy questions

    EMPLOYEE
    Posted Jan 23, 2014 03:21 PM

    If you only have two controllers, you only need to point aruba-master DNS to the ip address of the VRRP.  If the controller(s) are just bridging user traffic to existing wired networks, you would not create any VRRPs on the controllers for your user traffic.

     

     

     



  • 3.  RE: Configuring my first box, vrrp and redundancy questions

    Posted Jan 24, 2014 04:12 AM

    We load balance the APs across the 2 controllers, so I therefore thought I would need 2 VRRP instances, so the controllers would be in a master/backup, backup/master operational state for whichever APs were terminated on them.  Again, this is the way our current setup was, so I'm merely transferring this part of the config over.  I then used the VIP as the LMS IP in the AP System settings.  So I could use one of these VIPs for DNS?

     

    The WLAN is layer 2 and traffic is tunnelled back to the controllers, rather than bridged onto the wired network.

      

    Should I be creating new subnets for VRRP rather than using the same ones that clients use, or does this not really matter?

    In the absence of the master, and APs rebooting, will they still get their config from the local?

     

    These extracts suggest they would, although it's almost a contradiction, but I assume I would have to be using one of the VIPs as DNS.

     

    Initial AP configuration: When an AP first boots up, it contacts its master to receive the configuration
    generated by the master. The master compares the AP information and determines its group
    assignment, and then redirects that AP to the proper local.

     

    AP, AM, and SM configuration, management, and software updates: All Aruba APs are dependent APs,
    which means they do not, in most instances, store configuration settings in the way that a traditional
    autonomous AP would. Instead, at boot time each AP downloads its current configuration from the local.

     

    It's clear from reading the docs that you wouldn't normally terminate the APs on a Master in a Master/Local pair, but again, this is just how things have been, so perhaps I need to rethink our strategy.  However, if an AP will still get its config from the local in the absence of the master, then at least we do have some redundancy.  That said, we've never lost the master, then had APs reboot, but you have to factor in such scenarios.

     

     



  • 4.  RE: Configuring my first box, vrrp and redundancy questions

    EMPLOYEE
    Posted Jan 24, 2014 04:47 AM

    If a single controller has the capacity to support all of your access points, put a single VRRP between both controllers and send your access points to the VRRP using the aruba-master DNS.  The controller that has priority/control of the VRRP will terminate all access points.  When the primary controller fails, the second controller will pick up all of the access points and provide redundancy.  "Load Balancing" access points across controllers sounds like a good idea, but introduces complexity because you then have to first locate what controller your access points and users are on to start troubleshooting.  You do not need a second VRRP or a VRRP on your user subnets on the controller.  I repeat:  If the default gateway of your wireless clients is NOT the controller, you do not need a VRRP on your user subnets.

     

    Having a single VRRP makes troubleshooting and management more deterministic and simple, because you can log into the VRRP to manage the active controller, access points and users.



  • 5.  RE: Configuring my first box, vrrp and redundancy questions

    Posted Jan 24, 2014 05:25 AM

    Thanks.. I'll give all of that some thought, as it sort of goes against what I have been used to working with for the past few years, which could suggest that our current setup doesn't really conform to best practice recommendations, however it's always done what it needed to do!

     

    I think having 1 controller simply acting as a standby may be seen as somewhat of a waste of resources (by management), especially given the fact that we have always fully utilised all the hardware we had but still have some sort of redundant failover between the controllers, although never master controller redundancy.  We have also now halved our controller count, and always used the Master to terminate APs.  I think they would prefer it this way, especially as that's how it functions on our legacy system.

     

    On your last point, I could then put VRRP on either its own VLAN or the controller's management VLAN.



  • 6.  RE: Configuring my first box, vrrp and redundancy questions

    EMPLOYEE
    Posted Jan 24, 2014 05:51 AM

    My suggestions are my opinion, not Aruba best practices.  Everyone's best practices is what works best for them.    It might or might not work out for you, depending on your needs.

     

    How much redundancy you want depends on how critical your WLAN is.  If you have support on your controller, and the WLAN is not that important to you, you can have a single controller and if it fails, you can wait until the next day.  If your business cannot survive a failure of your WLAN, you need a second controller because the money you spend on a second controller is less than your business will lose in productivity if one controller fails.  Hardware devices most certainly can fail.

     

    If you do not have hundreds of access points, it is okay to terminate your access points on a master controller.  A VRRP is designed to provide inbound redundancy for traffic going to a controller.  You should have a single VRRP instance and point your access points at it for simplicity.  The more complicated your setup, the more difficult it is to troubleshoot, manage and recover if there is a problem.  Making your controller/access point deployment deterministic is key to isolating and resolving issues as fast as possible.



  • 7.  RE: Configuring my first box, vrrp and redundancy questions

    Posted Jan 24, 2014 08:03 AM

    Thank you for all your help... much appreciated!  It's sometimes difficult to take what you read from the VRDs and docs and apply it to your circumstances, as, as you say, it's completely dependent upon your requirements and environment, hence it's good to bounce thoughts in the forum....

     

    I'm a huge fan of keeping things simple!

     

    Cheers



  • 8.  RE: Configuring my first box, vrrp and redundancy questions

    Posted Jan 27, 2014 03:24 AM

    Still unable to conclude if, in the absence of a master, an AP will/won't get its config from a local?  If DHCP/DNS provides the VIP address of a master/local pair?  Unfortunately, it's not something I can test...  I have read quite a bit of conflicting information, so can't be 100% sure.



  • 9.  RE: Configuring my first box, vrrp and redundancy questions

    Posted Jan 27, 2014 04:52 AM
    As Colin stated earlier, if an AP is running and the master gets powered off, the AP will continue to work.
    But when the AP gets restarted for any reason, it will look for the master (from DNS, DHCP, ADP) and since the master is not available, the AP doesn't get anything and gets restarted. This cycle continues until the master comes up.


  • 10.  RE: Configuring my first box, vrrp and redundancy questions

    Posted Jan 27, 2014 05:19 AM

    Having re-read this thread a couple of times, can't actually see where that is implied...

    I was trying to clarify if this would still be the case even if DHCP/DNS was using a VIP address, so if the master was down.. the AP would look to the VIP and reach the local controller.



  • 11.  RE: Configuring my first box, vrrp and redundancy questions
    Best Answer

    EMPLOYEE
    Posted Jan 27, 2014 05:24 AM

    @$k3l3t0r wrote:

    Having re-read this thread a couple of times, can't actually see where that is implied...

    I was trying to clarify if this would still be the case even if DHCP/DNS was using a VIP address, so if the master was down.. the AP would look to the VIP and reach the local controller.


    In general, an access point can get its config from a local OR a master.  In redundancy, two controllers, either a master/backup master pair or a master/local pair or a local/local pair, share an IP address and the access point is pointed to that IP address.  If one controller goes down or is taken out of service, the other controller answers on that IP address to the access point and will continue servicing WLAN clients.



  • 12.  RE: Configuring my first box, vrrp and redundancy questions

    Posted Jan 27, 2014 07:04 AM

    Thanks for the confirmation...

     

    Cheers



  • 13.  RE: Configuring my first box, vrrp and redundancy questions

    Posted Jan 27, 2014 01:25 PM

    If you only have 2 controllers, why not create 2 AP groups and use the LMS IP and Backup LMS IP of the AP LMS Settings?

     

    Group 1 - LMS IP = Controller A, Backup LMS IP = Controller B

    Group 2 - LMS IP = Controller B, Backup LMS IP = Controller A

     



  • 14.  RE: Configuring my first box, vrrp and redundancy questions

    Posted Feb 26, 2014 04:37 AM

    Might be wiser to create a new thread for a new question.

    Anyway, it depends on your needs. LMS IPs are slower than VRRP failover-wise, but they do give the option to go cross L2 boundaries.
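
The two designs discussed in this thread, side by side, as an added example that is not taken from any poster or from Aruba documentation: a single VRRP VIP that all APs follow (posts 4 and 11), and two AP groups with crossed LMS / backup LMS addresses (post 13). It assumes ArubaOS 6.x-style controller CLI; the 192.0.2.0/24 addresses, VLAN 100 and every profile and group name are constructed placeholders.

```text
! Added example. Addresses, VLAN id and names are constructed placeholders.

! --- Option A: one VRRP instance, all APs follow the VIP ---
! Controller A (higher priority, normally owns the VIP)
vrrp 1
   ip address 192.0.2.10
   vlan 100
   priority 110
   preempt
   no shutdown

! Controller B (answers on the VIP if A fails)
vrrp 1
   ip address 192.0.2.10
   vlan 100
   priority 100
   no shutdown

! DNS: aruba-master resolves to 192.0.2.10, and APs terminate on the VIP
ap system-profile "vip-sys"
   lms-ip 192.0.2.10
ap-group "all-aps"
   ap-system-profile "vip-sys"

! --- Option B: two AP groups, crossed LMS / backup LMS ---
! Controller A = 192.0.2.2, Controller B = 192.0.2.3
ap system-profile "grp1-sys"
   lms-ip 192.0.2.2
   bkup-lms-ip 192.0.2.3
ap system-profile "grp2-sys"
   lms-ip 192.0.2.3
   bkup-lms-ip 192.0.2.2
ap-group "group1"
   ap-system-profile "grp1-sys"
ap-group "group2"
   ap-system-profile "grp2-sys"
```

In Option B the LMS settings only take effect once an AP has reached a controller and downloaded its configuration, so the address behind aruba-master still decides what a rebooting AP contacts first.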