Wireless Access

Reply
Frequent Contributor II

RAPs, VPNs and Failover OH MY!

I haven't dug into the manuals yet as I wanted to see if this were possible before I devoted the hours to do so. Essentially I have several configuration type questions:

 

1 - With site to site VPNs on mobility controllers, if I had 3 or 4 sites, can they all VPN to one another without causing a loop? And if one went down the others could still communicate. A site to site VPN mesh if you will.

2. If, in this mesh, I have RAPs that report to site A, and site A goes down, is there a way to set fail over so that the RAPs would fail over to site B?

3. Essentially same as question 2 but with VIA VPN access.

 

So the scenario would be sites A, B, C and D all site to site VPN together to share development VLANS (VLANS 10, 20, 30 go to all sites, each site having endpoints on the respective VLANS). RAPs bring in several remote offices to access these VLANs. VIA VPNs also bring in remote users to these VLANs. Initially, RAPs and VIA VPNs connect through site A.

 

Godzilla rolls through and takes out site A. The RAPs and VPNs need to fail over to site B for access to the development VLANs. The military takes out Godzilla and power is restored to site A and it comes back online and can once again be the connection point for RAPs and VPNs.

 

So is this a reasonable configuration?

Scott McNeil - Sr. Network & Security Engineer, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Frequent Contributor II

Re: RAPs, VPNs and Failover OH MY!

Anyone? Thoughts?

Scott McNeil - Sr. Network & Security Engineer, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Guru Elite

Re: RAPs, VPNs and Failover OH MY!

In general If you advertise more than one route to a controller, you would want to use a routing protocol like OSPF to advertise availability in a "mesh" network situation.
If you have remote APs for redundancy you would want to put two IP addresses in a dns record and point your RAPs to that fqdn.
For via, you would advertise two profiles to each user so if the first one doesn't work, users can use the second.

This is only general advice. you should engage a Aruba value-added reseller to help design and implement the specifics of a plan.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: