Which 8.x version will you be setting up the L2 GRE tunnel on, between the local controller cluster VIP and the DMZ VRRP IP?
I too have a similar scenario of upgrading 6.x to 8.x.
I'm planning to set this up in the lab.
@kell490 wrote:
Option 2 is the only way to go to have the guest VLAN across the uplink switch, because if one excludes the guest VLAN from the cluster, users on the guest WLAN, which is 70% of our wireless LAN, take as long as 20 seconds to fail over to the 2nd controller during reboots such as upgrades. It defeats the purpose of having a version 8 layer 2 cluster. What we have done in our test lab is set up the same as our version 6 environment: one tunnel from each cluster node using the VRRP VIP address as the source. The master controller of the VRRP instance has its tunnel UP/UP; the backup controller's is up/down. While I'm able to ping from the backup VRRP controller through the tunnel, I'm not exactly sure if I will be able to use a firewall statement to redirect to the tunnel # when users are on the backup VRRP cluster node, because we're going to a cluster active/active controller environment. I will have to test this in the lab.
My understanding is that the firewall redirect to the tunnel # keeps users from being able to see other users on the guest wifi and stops port scanners. We also enable the WLAN switch "Deny inter user traffic". My hope is that if we have to give up the redirect to the tunnel, this switch will keep users from being able to connect to one another.
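As an added illustration (not part of kell490's post, and not copied from any Aruba documentation), the fragment below shows, in ArubaOS-style CLI, the two controls the post relies on for guest isolation: a session ACL that redirects all guest traffic into an L2 GRE tunnel towards the DMZ, and the global firewall setting that blocks client-to-client forwarding on the controller itself, which is the fallback if the tunnel redirect cannot be kept in an active/active cluster. The tunnel id (100), the guest VLAN (200), the source and destination addresses (documentation-range placeholders) and the role name are assumptions chosen for the example; the exact command syntax should be checked against the CLI reference for the 8.x release being deployed.

```text
! --- L2 GRE tunnel from this cluster node to the DMZ controller ---
! Placeholder values: tunnel 100, VRRP VIP 198.51.100.5 as source,
! DMZ VRRP IP 192.0.2.10 as destination, guest VLAN 200 carried inside.
interface tunnel 100
  description "guest L2 GRE to DMZ (example)"
  tunnel mode gre 0
  tunnel source 198.51.100.5
  tunnel destination 192.0.2.10
  tunnel vlan 200
  tunnel keepalive
  no shutdown
!
! --- Session ACL: force every guest frame into the tunnel ---
! Because traffic is redirected at the controller, guest clients are never
! forwarded to each other on the local VLAN, so host discovery and port
! scanning between guests does not work.
ip access-list session guest-to-dmz
  any any any redirect tunnel 100
!
! --- Attach the ACL to the guest role (role name is an example) ---
user-role guest-role-example
  access-list session guest-to-dmz
!
! --- Fallback isolation: deny inter-user traffic on the controller ---
! Independent of the tunnel redirect; keeps guests from reaching one another
! even on a node where the tunnel is down or the redirect is not applied.
firewall deny-inter-user-traffic
```

When testing in the lab, the useful check is to verify from a second guest client that neither ICMP nor a TCP connection to the first client succeeds under each of the three states the post describes: redirect active on the VRRP master, redirect present but tunnel up/down on the backup, and no redirect at all with only deny-inter-user-traffic enabled.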