Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Fast Failover Design with Guest DHCP Pools and NATTing

  • 1.  Fast Failover Design with Guest DHCP Pools and NATTing

    Posted Aug 11, 2017 09:07 AM

    I have two controllers in fast failover and I want to protect guest users in the event of a controller failover to standby (FF mode).

    1> Can I create identical VLAN interfaces and DHCP pools in both controllers (in the fast failover pair)? Bear in mind these VLANs are not on physical interfaces and are NAT'd VLANs.

    2> Do the two controllers (in the HA/FF pair) sync DHCP IP assignments, so that if the AP needs to switch to the standby, the guest clients' DHCP leases are not lost?

    3> Is there a better way to handle DHCP pools for guest SSIDs with two (or more) controllers in HA FF mode, under the condition where the guest VLAN is within the controller(s) and NAT'd on another VLAN?

    Scenario details related to this question:
     two 7205 controllers running AOS 6.5.4.0
     100 APs.

    controller 1> The Master controller’s "aruba-master" IP (controller-ip) interface is on VLAN 3.  10.10.3.1/24

    controller 2> The Local’s controller IP interface (controller-ip) is on VLAN 22.   10.10.22.21/24

    conditions

    > Master-local IPsec is up and working fine. ("show switches" on the master shows both controllers.)
    > HA group is up and working fine. ("show ap database" shows APs on both active and standby just fine, and "show ha ap table" on both controllers shows all APs.)
    > Sync is enabled in the HA group and controller heartbeats are configured.


    The AP group

       > lms is 10.10.22.21 (local)
       > blms is 10.10.3.1 (master)
     

    GUEST SSID:
    The GUEST SSID is on VLAN 4. Both controllers have identical IPs and DHCP pools; exactly the same config for VLAN 4.
    No physical interfaces are assigned to VLAN 4. Instead, VLAN 4 is NAT'd through VLAN 22 on the local controller and VLAN 3 on the master controller.
    The captive portal is hosted on the controllers.

    Let me know if I missed something that’s needed to answer this question.

     

    Thx!!

    Tony Molica



  • 2.  RE: Fast Failover Design with Guest DHCP Pools and NATTing
    Best Answer

    Posted Aug 11, 2017 09:33 AM
    Your best bet is to offload DHCP from the controller since it limits you to 512 addresses only.

    On one of my customer networks, I have an external DHCP server and the controllers are in HA-FF mode.

    The guest network is vlan 108 on both controllers with 2 different layer 3 interface addresses. We are using Clearpass for the guest captive portal.

    For #1, yes, you can create identical VLAN interfaces, but I am unsure about the DHCP pool. Your guest VLAN will require an IP address for captive portal delivery.

    For #2, maybe with database synchronization enabled, but I cannot be sure. I know that client states don't sync unless you are using 802.1X. When we performed a failover between controller 1 and 2, the guests' roles did not sync, so they performed a MAC auth since they already had a session. Again, our DHCP server was not on the controller in this case.

    For #3, again, you should probably look at moving your guest DHCP pool off the controller.


  • 3.  RE: Fast Failover Design with Guest DHCP Pools and NATTing

    Posted Aug 11, 2017 10:24 AM

    Thanks Pasquale. If fast failover requires a guest deployment design restriction, it sure would help to document it. Argh. Thank you for the response. I'm hoping others can possibly testify to some success keeping NAT'd VLANs behind controllers and synced across failover controller pairs.



  • 4.  RE: Fast Failover Design with Guest DHCP Pools and NATTing

    Posted Aug 11, 2017 11:12 AM
    There are no such restrictions technically; there is nothing saying you can't use a DHCP server on a controller, but best practice is technically to use an external DHCP server.


  • 5.  RE: Fast Failover Design with Guest DHCP Pools and NATTing

    EMPLOYEE
    Posted Aug 12, 2017 05:32 AM

    The 7205 controllers support a maximum of 4000 leases, so you could have the DHCP on the controller.

    In that case the best thing to do is to split the scope between the controllers (bottom half on one and top half on the other), so that in the event of a failover you don't have duplicate IP addresses creeping in. The client subnet is NAT'd and as such can be identical.

    As others have mentioned, the best and most scalable solution is to use an external DHCP server, BUT you should note some complications that will/can arise in your setup.

    The unicast DHCP will have a source IP of the guest VLAN interface. As this is NAT'd, you need a static route pointing to the controller for the response to get back to the controller/client. Given your controllers are in different L3 networks, this could get very complicated. These complications may mean that the simplest option is to have the DHCP on the controller.



  • 6.  RE: Fast Failover Design with Guest DHCP Pools and NATTing

    Posted Aug 11, 2017 09:47 PM
    I have a similar setup. Since my guest network is a /24, I set up a pool on each controller and restricted the usable range to a /25 on each.


    #AirheadsMobile

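The split that posts 5 and 6 describe (one shared NAT'd guest subnet, each controller handing out only its own slice so a failover cannot produce duplicate addresses) is easy to get wrong by hand, so here is an added Python example that computes the slices, checks them for overlap, and renders per-controller pool configuration. This is not code from any poster in the thread. The subnet 10.10.4.0/24, gateway 10.10.4.1 and DNS server used in the demo are constructed values (the thread gives no VLAN 4 addressing); the ArubaOS 6.x command syntax (`ip dhcp pool`, `network`, `default-router`, `dns-server`, `ip dhcp excluded-address`, `service dhcp`) is written from memory and is an assumption to verify against the controller's CLI reference before pasting.

```python
"""Split one NAT'd guest subnet into non-overlapping DHCP ranges, one per
controller, and emit ArubaOS-style pool config for each.

Added example, not from the forum thread.  ASSUMPTION: the ArubaOS 6.x
command names below are from memory; verify them on a lab controller.
"""
import ipaddress


def split_ranges(cidr, controllers, reserved_low=1):
    """Return {controller: (first, last)} with contiguous, non-overlapping
    host ranges.  The first `reserved_low` host addresses are kept out of
    every pool because the VLAN interface (gateway) lives there."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())[reserved_low:]
    n = len(controllers)
    if n < 1 or len(hosts) < n:
        raise ValueError("not enough host addresses to split")
    size, extra = divmod(len(hosts), n)   # spread any remainder over the first slices
    ranges, start = {}, 0
    for i, name in enumerate(controllers):
        end = start + size + (1 if i < extra else 0)
        ranges[name] = (hosts[start], hosts[end - 1])
        start = end
    return ranges


def excluded(cidr, my_range):
    """Exclusion blocks for one controller: every host address in the subnet
    that lies outside its own slice, including the reserved gateway address."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    lo, hi = my_range
    blocks = []
    if hosts[0] < lo:
        blocks.append((hosts[0], lo - 1))
    if hi < hosts[-1]:
        blocks.append((hi + 1, hosts[-1]))
    return blocks


def overlaps(ranges):
    """True if any two slices share an address; this is the condition that
    lets duplicate IPs creep in after a failover."""
    items = sorted(ranges.values())
    return any(a[1] >= b[0] for a, b in zip(items, items[1:]))


def render_config(name, cidr, pool, gateway, dns, rng):
    """Render the pool for one controller (ASSUMED ArubaOS 6.x syntax)."""
    net = ipaddress.ip_network(cidr)
    lines = [f"! --- {name}: hands out {rng[0]} - {rng[1]} ---"]
    for first, last in excluded(cidr, rng):
        lines.append(f"ip dhcp excluded-address {first} {last}")
    lines += [
        f"ip dhcp pool {pool}",
        f"  default-router {gateway}",
        f"  dns-server {dns}",
        f"  network {net.network_address} {net.netmask}",
        "!",
        "service dhcp",
    ]
    return "\n".join(lines)


# Constructed demo values: VLAN 4 addressing is not given in the thread.
GUEST_CIDR = "10.10.4.0/24"
GUEST_GATEWAY = "10.10.4.1"
GUEST_DNS = "10.10.22.53"

if __name__ == "__main__":
    slices = split_ranges(GUEST_CIDR, ["master", "local"])
    assert not overlaps(slices)
    for ctrl, rng in slices.items():
        print(render_config(ctrl, GUEST_CIDR, "guest-vlan4", GUEST_GATEWAY, GUEST_DNS, rng))
        print()
```

Both controllers keep the identical `network` statement and gateway (the subnet is NAT'd, so that is fine, as post 5 notes); only the exclusion lines differ, and `overlaps()` is the check to run whenever someone edits a pool by hand. Run the script and paste each controller's block onto that controller; a "master"/"local" split of a /24 with one reserved gateway address gives .2-.128 on the first and .129-.254 on the second.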
