Wireless Access

Dear experts,

 

I will be grateful if anybody please confirm my VRRP configuration so that I can proceed on my setup. In my Setup two controllers 7210 are available and I want redundancy through VRRP.

 

Do I need both commands for database synchronization or just a single one ?

Two methods for database synchronization Manual and Automatic. Please suggest which one is better.

 

database synchronize    --------------------------------> Manual

database synchronize period 20   ------------------> Automatic

 

Master VLAN-5 interface-ip        172.17.48.163 /24               

Backup VLAN5- interface-ip        172.17.48.164 /24

 

Preferred-Master Configuration

 

vrrp 5

vlan 5

ip address 172.17.48.165

priority 110

preempt

authentication admin@123

description Preferred-Master

tracking interface gigabitethernet 1/1   20                                             

no shut down

 

master-redundancy

master-vrrp 5

peer-ip-address 172.17.48.164 ipsec admin@123  

 

database synchronize

 

Backup-Master Configuration

 

vrrp 5

vlan 5

ip address 172.17.48.165

priority 100

preempt

authentication admin@123

description Backup-Master

tracking interface gigabitethernet 1/1   20                                            

no shutdown

 

master-redundancy

master-vrrp 5

peer-ip-address 172.17.48.163 ipsec admin@123

 

database synchronize

Why are you using preemption?
Why are you tracking an interface?

I am using interface tracking because if by mistake someone would uplugged the uplink interface of Preferred-Master controller so interface tracking feature would decrement the priority by using the sub-value 20. So Preferred master priority would became 90 and  Backup-Master controller will take the ownership of VRRP due to having a priority of 100

 

Using preemption  becuase when the uplink interface again plugged into the Preferred-Master the priority gets incremented again and based on preemption it will take back an ownership of VRRP-5 from Backup-Master.

 

Please suggest should i use preemption on both controllers or just on preferred master or enabling preemption is recommended or not ?

 

Also suggest which  database synchronization method is suitable Manual or Automatic as mentioned in my first post. 

 

Looking forward for your valuable response.

The management interface is not on the uplink?
If it is not, it is fine to enable that option.

It is fair to enable preemption, but it leaves the door open to have a possibly failed component take control over another. For example, if the master controller reboots because of a hardware issue, when it comes back up it will take over, but it could have the same issue. Unless you are tracking your logs all of the time you might not notice you had an issue until much later. I would typically leave preemption off to avoid that scenario because it would make things harder to troubleshoot.

Database synchronize should be automatic at the default of 30 minutes.

We are not using vlan-1 as a managment vlan. No ip has been assigned to vlan-1

 

In our network we have defined VLAN-5 as a managment and defined as a native vlan-5 on all trunk interfaces. And we are using VRRP group 5 for our management vlan-5 .

 Sorry to forgot to inform you that both controllers are in layer-2 domain and forwarding the traffic towards uplink to core switch.

 

In last I just want to know Should I enable the preemption on both controllers or on just Preferred-Master ?

 

 

If VLAN 5 is on your uplink, then you do have your management vlan on your uplink and then you do not need to preempt based on the status of an interface. If that link goes down, the interface of the opposite controller will no longer see advertisements and take over. VRRP is only available layer 2. You are doing the right thing. You should only need a VRRP between the controller's management address and terminate the access point traffic. You should not need a VRRP for user subnets; you should instead have both controllers allow an upstream layer 3 switch be the default gateway for user subnets so that upon failover, clients would be attempting to reach the same gateway on the same device. Again, I am not a big fan of preemption, because it has the potential to introduce a failed part back into the network automatically, which would make things very difficult to troubleshoot. If a link keeps flapping for whatever reason, the opposite controller should take over so that it can service clients consistently. You will then have the opportunity to troubleshoot the controller with the issues, without it trying to take over an disrupting user traffic.

Dear cjoseph,

 

I am very grateful to you for showing your interest on this subject. From my first post you only picked two points tracking interface & preemption which means that rest of the configuration looks fine to you.

 

Once again thankyou for supporting and sharing the valuable knowledge.

 

 

 

 

Correct. On the face of it the rest of it looks fine, with the caveats that I mentioned.

Dear cjoseph

 

I need one more clarification. In my setup three access layer poe manageable switches and two controllers 7210 are connected to core switch via trunk links. Native Vlan-5 is define on each end of every trunk interfaces. Our whole management network is based on VLAN-5. No ip address assigned to VLAN-1 interface on any end. I have 75 access points of model 215.  

 

My question is when I do connect my access points on access layer switches, Should I change the Access Port vlan-id from vlan-1 to vlan-5 ?

 

I will be gratefull for your kind response on this query.

 

---

@Islamabad wrote:

Dear cjoseph

 

I need one more clarification. In my setup three access layer poe manageable switches and two controllers 7210 are connected to core switch via trunk links. Native Vlan-5 is define on each end of every trunk interfaces. Our whole management network is based on VLAN-5. No ip address assigned to VLAN-1 interface on any end. I have 75 access points of model 215.  

 

My question is when I do connect my access points on access layer switches, Should I change the Access Port vlan-id from vlan-1 to vlan-5 ?

 

I will be gratefull for your kind response on this query.

 

---

As long as your APs get an ip address and DNS server details (either fixed config or via DHCP) they will connect across layer3 to whatever ip address they get back from resolving the 'aruba-master' DNS entry ( A record).

 

So no, no vlan 5 is required on the access ports.

 Dear Koen,

 

Helper address assigned on controller management vlan-5 interface. Corporate DHCP will provide the leases to ip address.

 

I am much familiar that by default aruba uses ADP to locate the contoller ip and access points established the GRE tunnel with controller. But on access layer switches, by default access ports have vlan-1 and my network being consist of vlan-5 as a management / native vlan on trunk interfaces.

 

Why Should I not change the access ports vlan-id from vlan-1 to vlan-5 ??? 

 

Please clear me. 

---

@Islamabad wrote:

 Dear Koen,

 

Helper address assigned on controller management vlan-5 interface. Corporate DHCP will provide the leases to ip address.

 

I am much familiar that by default aruba uses ADP to locate the contoller ip and access points established the GRE tunnel with controller. But on access layer switches, by default access ports have vlan-1 and my network being consist of vlan-5 as a management / native vlan on trunk interfaces.

 

Why Should I not change the access ports vlan-id from vlan-1 to vlan-5 ??? 

 

Please clear me. 

---

An AP can use the following methods to find its controllers:

AP boot order

• “master” parameter set (manualy) on the AP
• dhcp option 43
• ADP multicast & broadcast
• DNS aruba-master

So yes, if your APs are connected in vlan 1 and your controller has an ip interface in this vlan, ADP will take care of it all.

In my experience however, DNS record aruba-master is much more user-friendly as the DNS it most often required just 1 A-record on your DNS server and allows connection from most internal vlans.

 

So yes, you can use vlan 1 after configuring an ip interface for it on your controller, but after configuring just an A-record on your DNS every vlan that distributes that DNS server through it's DHCP will work regardless of configuration on the controller.

 

If you ask me.. I like the DNS option alot more.

I agree with cjoseph about whether to use preemption or not. But from my understanding if want preemption you are going to use the preempt statement only on the controller you want to be preferred.