Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Controllers' IP addresses in RAP deployment

  • 1.  Controllers' IP addresses in RAP deployment

    Posted Apr 28, 2020 10:19 PM

    Hi gurus,

     

    I have a question regarding the IP addresses that should be configured for the controllers within a cluster. I have a deployment where I have two MCs 7210 in different data centers, and there is L2 connectivity between the DCs. For each MC in each DC, GE0/0/0 will be connected to the Internet FW and GE0/0/1 will be connected to the internal FW. Behind this internal FW is the customer network, where the MMs are (ArubaOS 8.5). And because the MC 7210 doesn't have an OOB interface, I will create a VLAN interface for management. I will use two public IP addresses NATed to the MCs' IP addresses.

    I know to configure the cluster I go to the cluster profile section and add the controllers. For each controller I have to enter the controller IP address and the associated public IP address.

    My question is, which controller IP address do I have to enter? The GE0/0/0 interface IP address? The GE0/0/1 interface IP address? Or the VLAN interface management address? Thanks in advance.

     

    Regards,

    Julián



  • 2.  RE: Controllers' IP addresses in RAP deployment

    MVP GURU
    Posted Apr 28, 2020 10:34 PM

    Normally you would use the IP address you use for the AP discovery. Use the VLAN IP for the VRRP VLAN you want your internal VIP to be. In your case I would use your GE0/0/1 interface. The cluster will be built with the common VRRP VLAN addresses, and the RAP public IPs will be used for the external to controller node list.

     

    Make sure your VLANs on each controller are reachable by the other controller as well, otherwise you will end up in an L3 connected state with fewer cluster features.

     

     



  • 3.  RE: Controllers' IP addresses in RAP deployment

    EMPLOYEE
    Posted Apr 28, 2020 10:38 PM

    Have you seen the document here: https://support.hpe.com/hpesc/public/docDisplay?docId=a00097853en_us Take a look at Page 9, Design Considerations.

     

    In general, the controller-ip will be the management IP address that can reach the MM and the MDs in the cluster. That would be your gig0/0/1 address in your situation. The RAP IP address will be the gig0/0/0 address in your situation.

     

    I hope that makes sense.



  • 4.  RE: Controllers' IP addresses in RAP deployment

    Posted Apr 28, 2020 11:05 PM

    Thanks guys for your interest.

     

    @Dustin,

     

    But I won't use VRRP for the cluster. Both MCs will be active-active. It is not needed to use VRRP and VIP.

     

    @cjoseph,

     

    Yes, thanks for the document. I read the document, but only briefly; I didn't see the page that explains my situation. In my case, MMs and MCs will use the management VLAN interface IP for the IPSec communication. In that case, is the controller-ip the management VLAN interface IP? And will the public IP be NATed to this management VLAN interface IP or to the GE0/0/0 interface IP, which is connected to the Internet FW?

     

    @makariosm,

     

    You talked about the controller-ip and the private controller-ip; aren't they the same? If they are not the same, according to you, my controller-ip will be the management VLAN interface IP, because it will be used for the IPSec tunnel to the MM. And the GE0/0/0 interface IP will be the private controller-ip, which will be NATed. Then, shall I configure the GE0/0/0 interface IP and the associated public IP in the cluster group-profile, and will the MC's management VLAN interface IP be used only for the IPSec communication with the MM?

     

    Regards,

    Julián

     



  • 5.  RE: Controllers' IP addresses in RAP deployment

    Posted Apr 29, 2020 12:03 AM

    Hi cjoseph and makariosm,

     

    Briefly, I think my case is a mix of what you both say. The MC's management VLAN interface IP address is used for the IPSec tunnel to the MM. And the GE0/0/0 interface IPs (which are connected to the Internet FWs in each DC) are the IPs which are NATed (one-to-one NAT) to two public IPs. In this case, which is the controller-ip that I have to configure in the cluster group-profile along with the public IP?

     

    On the other hand, my three VLANs and segments (the GE0/0/0 interface VLAN, the GE0/0/1 interface VLAN, and the management interface VLAN) must be the same across the two DCs, otherwise the cluster will be L3-connected. Is that right? Please confirm.

     

    Regards,

    Julián



  • 6.  RE: Controllers' IP addresses in RAP deployment
    Best Answer

    EMPLOYEE
    Posted Apr 29, 2020 01:25 AM

    You can't have the controller-ip be the GE0/0/1 interface IP, while the GE0/0/0 IP is NAT'ed.

    The NAT support in Clustering mandates that it is the controller-ip that will need to be NAT'ed, and both the private IP (controller-ip) and the public IP are configured in the cluster group profile. That is because of the nodelist sent to the RAPs that provides the mapping between the two.

     

    It really depends on your Internet firewall NAT capabilities and whether it can NAT to an IP that is not directly connected like the IP on the GE0/0/1.

    If it is the case, then GE0/0/1 would be the controller-ip NAT'ed to the public IPs.

    The other option is to use GE0/0/0 as the controller-IP NAT'ed to the public IPs on the firewall, and configure the masterip command to use IPSec setup from the GE0/0/1 VLAN. In such a case, you do need to set the radius, syslog, snmp source-interfaces to be the GE0/0/1 interface IP.

     

    Hope that answers your questions.
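
An added example, not part of the original post and not ArubaOS code: a small Python check of the rule in the answer above, that the controller-ip entered in the cluster group profile must be the private address the firewall NATs the paired public IP to. All addresses, controller names and function names are constructed for illustration.

```python
import ipaddress

# Constructed planning data (not from the thread): per-controller interface
# addresses and the Internet firewall's one-to-one NAT table (public -> private).
INTERFACES = {
    "MC-DC1": {"GE0/0/0": "10.10.0.11", "GE0/0/1": "10.20.0.11", "mgmt": "10.30.0.11"},
    "MC-DC2": {"GE0/0/0": "10.10.0.12", "GE0/0/1": "10.20.0.12", "mgmt": "10.30.0.12"},
}
FW_NAT = {"203.0.113.11": "10.10.0.11", "203.0.113.12": "10.10.0.12"}

# Plan A: controller-ip on GE0/0/1 while the firewall NATs to GE0/0/0 (mismatch).
PLAN_A = {"MC-DC1": ("10.20.0.11", "203.0.113.11"), "MC-DC2": ("10.20.0.12", "203.0.113.12")}
# Plan B: controller-ip on GE0/0/0, the address the firewall NATs to.
PLAN_B = {"MC-DC1": ("10.10.0.11", "203.0.113.11"), "MC-DC2": ("10.10.0.12", "203.0.113.12")}


def check_cluster_profile(profile, interfaces=INTERFACES, fw_nat=FW_NAT):
    """Check each member's (controller_ip, public_ip) pair; return findings."""
    findings = []
    seen_public = set()
    for name, (controller_ip, public_ip) in profile.items():
        ctrl = ipaddress.ip_address(controller_ip)
        pub = ipaddress.ip_address(public_ip)
        owned = {ipaddress.ip_address(a): ifname
                 for ifname, a in interfaces[name].items()}
        if ctrl not in owned:
            findings.append(f"{name}: controller-ip {ctrl} is not on any interface")
            continue
        nat_target = fw_nat.get(str(pub))
        if nat_target is None:
            findings.append(f"{name}: public IP {pub} has no NAT rule")
        elif ipaddress.ip_address(nat_target) != ctrl:
            # The RAP nodelist would map the public IP to the wrong private IP.
            wrong_if = owned.get(ipaddress.ip_address(nat_target), "unknown host")
            findings.append(f"{name}: {pub} is NATed to {nat_target} ({wrong_if}), "
                            f"but controller-ip is {ctrl} ({owned[ctrl]})")
        if pub in seen_public:
            findings.append(f"{name}: public IP {pub} reused by another member")
        seen_public.add(pub)
    return findings


if __name__ == "__main__":
    for label, plan in (("A", PLAN_A), ("B", PLAN_B)):
        print(label, check_cluster_profile(plan) or "consistent")
```
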

     

     



  • 7.  RE: Controllers' IP addresses in RAP deployment

    Posted Apr 29, 2020 01:48 AM

    Hi makariosm,

     

    OK, I understand, the controller-ip is the IP address which is NATed to the public IP address, and these two IP addresses are those that have to be configured in the cluster group profile. Then this really depends on the Internet FW NAT capabilities as you say.

    In my case, the public IP addresses are NATed to the GE0/0/0 interface IPs. Then I believe I can use the GE0/0/0 interface as the controller-ip and its associated public IP address in the cluster group profile as you said, but use the controller management IP address (instead of GE0/0/1) to set up the IPSec with the MM.

     

    And on the other hand, my three VLANs and segments (the GE0/0/0 interface VLAN, the GE0/0/1 interface VLAN, and the management interface VLAN) must be the same across the two DCs, otherwise the cluster will be L3-connected. Is that right?

     

    Regards,

    Julián



  • 8.  RE: Controllers' IP addresses in RAP deployment
    Best Answer

    EMPLOYEE
    Posted Apr 29, 2020 12:13 PM

    You could exclude the non-user VLANs from the cluster probing and keep the cluster state as L2-Connected.

    The user VLANs are the important ones to keep on all cluster members for stateful failover and client load balancing purposes.



  • 9.  RE: Controllers' IP addresses in RAP deployment

    Posted Apr 29, 2020 12:56 PM

    OK, many thanks for your help!

     

    Best regards,

    Julián



  • 10.  RE: Controllers' IP addresses in RAP deployment

    EMPLOYEE
    Posted Apr 28, 2020 10:52 PM

    Please review the document referenced by cjoseph for the two-arm design consideration, and keep in mind the following:

    • Controller-ip is used to communicate with the MM. This could be done via an IPSec tunnel set up by a different interface.
    • Private controller-ip is the one that needs to be NAT'ed, and both private and public IPs need to be configured in the cluster group-profile.
    • You can change the syslog, snmp and radius source-interface to be different from the controller-ip.