Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VRRP IP cannot be L2 GRE tunnel endpoint

  • 1.  VRRP IP cannot be L2 GRE tunnel endpoint

    Posted Apr 23, 2012 01:07 AM

    I configured two 3400 controllers with Master-Master / Master-Standby redundancy using VRRP, as shown below.

    I also configured a local 3200 controller for Master-Local redundancy. The local's loopback IP is 10.200.170.1.

    There is an MPLS network between the Master-Master/Backup-Master pair and the local controller, so only layer 3 (IP) is transparent.

    I need to establish an L2 GRE tunnel for VLAN184 between Master-Master/Backup-Master and the local.

    I chose the local controller's loopback IP 10.200.170.1 as the start point of the L2 GRE tunnel, and the VRRP IP 10.200.175.254 as the endpoint. But the L2 GRE tunnel cannot be established.

    If I choose Master-Master's VLAN 10 interface IP address 10.200.175.1 as the endpoint, the L2 GRE tunnel is established.

    I have read that a VRRP IP can be used as an L2 GRE tunnel endpoint, but it cannot.

    Do you have a good solution?

    When I established L2 GRE between 10.200.175.1 and 10.200.170.1 (tunnel 1 for VLAN184) and also L2 GRE between 10.200.175.2 and 10.200.170.1 (tunnel 2 for VLAN184), VLAN184 could go through between Master-Master, Backup-Master, and the local controller.

     

     

    (Master-Master)

    vlan 10
    interface vlan 10
        ip address 10.200.175.1 255.255.255.0
    interface gi 1/0
        switchport access vlan 10
        switchport mode access
        trusted

    vrrp 10
        vlan 10
        ip address 10.200.175.254
        priority 110
        preempt
        tracking master-up-time 30 add 20
        no shutdown

    master-redundancy
        master-vrrp 10
        peer-ip-address 10.200.175.2


    (Backup Master)

    vlan 10
    interface vlan 10
        ip address 10.200.175.2 255.255.255.0
    interface gi 1/0
        switchport access vlan 10
        switchport mode access
        trusted

    vrrp 10
        vlan 10
        ip address 10.200.175.254
        priority 100
        preempt
        tracking master-up-time 30 add 20
        no shutdown

    master-redundancy
        master-vrrp 10
        peer-ip-address 10.200.175.1





  • 2.  RE: VRRP IP cannot be L2 GRE tunnel endpoint

    EMPLOYEE
    Posted Apr 23, 2012 02:52 AM

    On each master, the tunnel source must be a literal IP address, not the VRRP.



  • 3.  RE: VRRP IP cannot be L2 GRE tunnel endpoint

    Posted Apr 23, 2012 06:13 AM

    >On each master, the tunnel source must be literal ip address, not the VRRP

     

    What we need to do is provide a DHCP server for VLAN184 at each master, for example:

    Tunnel1   Source (Master-Master) 10.200.175.1   Destination (Local) 10.200.170.1   VLAN184
              Master-Master's IP address in VLAN184 is 10.200.184.1
              DHCP server range 10.200.184.50 - 10.200.184.99

    Tunnel2   Source (Backup-Master) 10.200.175.2   Destination (Local) 10.200.170.1   VLAN184
              Backup-Master's IP address in VLAN184 is 10.200.184.2
              DHCP server range 10.200.184.100 - 10.200.184.149

    On 10.200.170.1 VLAN184, define DHCP helper IP addresses 10.200.175.1 and 10.200.175.2.

    A client which connects to the local 10.200.170.1 sends a DHCP Request broadcast, and then the client may receive DHCP Replies from both Master-Master 10.200.184.1 and Backup-Master 10.200.184.2.

    But this is not a good idea.

    In the situation above, can I define VRRP between Master-Master and Backup-Master through the L2 GRE tunnel to show only one DHCP source and default gateway, 10.200.184.1?

    This is exactly a trial to create redundancy with two masters and several local controllers. Aruba documents mention that this can be done, but how? Especially in this case: a captive portal in VLAN184 is a very typical configuration that everyone would like to try.

    In the past I tried to create an L3 GRE tunnel and set up static routes, but DHCP broadcasts did not go through even when I specified a DHCP helper address ... In Cisco products a DHCP helper lets DHCP broadcasts go through an L3 network, but I do not know what Aruba provides, since I cannot find a specification document for what the DHCP helper functionality provides.


     



  • 4.  RE: VRRP IP cannot be L2 GRE tunnel endpoint

    EMPLOYEE
    Posted Apr 23, 2012 06:18 AM

    You cannot do this.  Both controllers will ALWAYS provide DHCP on the same layer2 VLAN, even if it is a backup master.  It is better to have an external DHCP source that will provide consistent DHCP.

     

    If you want a local controller to provide redundancy for a master controller and the local controller does not have access to the same VLANs, instead of tunneling traffic back, you should use NAMED vlans to accomplish what I think you are trying to do.

     



  • 5.  RE: VRRP IP cannot be L2 GRE tunnel endpoint

    Posted Apr 23, 2012 09:56 AM

    >You cannot do this.  Both controllers will ALWAYS provide DHCP on the same layer2 VLAN, even if it is a backup master.  It is better to have an external DHCP source that will provide consistent DHCP.

     

    VLAN184 is a "logical" VLAN which does not have an interface. My original configuration with just one 3200 controller was that I configured DHCP on the master 3200 controller with VLAN184 interface IP 172.200.184.1, and the default gateway for VLAN184 users was 172.200.184.1, so that I could set static routes very easily.

    Now an external DHCP source is recommended, but where? Both 3400 Master-Master and Master-Standby controllers will be installed at the data center, so assign one interface Gi 1/1 just for a VLAN184 external DHCP server ..? I think this is not a good picture; many users may expect the Aruba controller to provide DHCP server functionality too.

    Regarding NAMED VLAN, I am sorry that I am new to NAMED VLAN. My version is 5.0.4.6. In which version of ArubaOS for the 3000 series controller was NAMED VLAN implemented? I assume that using NAMED VLAN, the local controller can point to Master-Master if Master-Master takes priority, and if Master-Standby takes priority, the local controller can point to Master-Standby. Is this briefly how it works?



  • 6.  RE: VRRP IP cannot be L2 GRE tunnel endpoint

    Posted Apr 24, 2012 08:19 PM

    I tried your suggestion, NAMED VLAN, but it does not work.

    Master-Master has VLAN184 (interface 172.200.184.1), DHCP range 172.200.184.100-110
    Guest virtual AP has "VLAN184(184)" named VLAN.
    Named VLAN VLAN184 = 184

    Master-Standby has VLAN185 (interface 172.200.185.1), DHCP range 172.200.185.100-110
    Guest virtual AP has "VLAN184()" named VLAN

    This is a problem. Even if I make different VLANs for Master-Master and Master-Standby, the configuration can have only one NAMED VLAN or actual VLAN number.

    What I am trying to do is, using a server derivation rule, if the local controller is connected to Master-Master, choose VLAN184, and if the local controller is connected to Master-Standby, choose VLAN185. I thought the matching condition is the Tunnel-Endpoint-Server IP address; I tried it, but have not been successful.

    Do you know a good idea for a server derivation rule to choose the VLAN?



  • 7.  RE: VRRP IP cannot be L2 GRE tunnel endpoint

    EMPLOYEE
    Posted Apr 24, 2012 08:39 PM

    Let me understand what you are trying to do:

     

    You have a guest Vlan that you are trying to tunnel back to a master/backup master pair.

    You want to terminate that VLAN on the VRRP between the master/backup master pair.

     

    Is that correct?

     



  • 8.  RE: VRRP IP cannot be L2 GRE tunnel endpoint

    Posted Apr 24, 2012 09:16 PM

    >Let me understand what you are trying to do:

     

    >You have a guest Vlan that you are trying to tunnel back to a master/backup master pair.

    >You want to terminate that VLAN on the VRRP between the master/backup master pair.

     

    >Is that correct?

     

    Yes, correct.

     

    If it is impossible to choose a VRRP IP address as an L2 GRE endpoint,
    the only way to establish the L2 GRE tunnel is to use Master-Master's or Master-Standby's VLAN interface IP address as the endpoint.

     



  • 9.  RE: VRRP IP cannot be L2 GRE tunnel endpoint
    Best Answer

    EMPLOYEE
    Posted Apr 25, 2012 05:21 AM

    It is not impossible, and this should work.

     

    On local:

     

    GRE tunnel source = IP address of local
    GRE tunnel destination = IP address of VRRP
    tunnel vlan 184

    On Master:

    GRE tunnel source = IP address of master
    GRE tunnel destination = IP address of local
    tunnel vlan 184

    On Backup master:

    GRE tunnel source = IP address of backup master
    GRE tunnel destination = IP address of local

     

    The master and backup master do not refer to the VRRP interface in the tunnel definitions; they just handle the incoming GRE.

     

    The tunnel will ONLY terminate on one device at a time (the controller that has control of the VRRP), so you can run DHCP on BOTH master/backup pair on Vlan 184
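    The three tunnel definitions described in this answer, written out as ArubaOS CLI. This is an added example, not configuration posted by either participant; it uses only the addresses already in the thread (local loopback 10.200.170.1, Master-Master 10.200.175.1, Backup-Master 10.200.175.2, VRRP 10.200.175.254, VLAN 184). The tunnel interface number, the description strings and the use of tunnel keepalive are assumptions. Note that GRE carries the guest VLAN across the MPLS with no encryption or authentication; the only thing tying the tunnel to a controller is the outer IP address, which is why the local's destination must be the VRRP address while each master's source must be its own interface address.

    ```text
    ! --- Local (3200), loopback 10.200.170.1 ---
    ! Destination is the VRRP address, not either master's interface address,
    ! so the tunnel follows whichever controller currently owns the VRRP.
    ! Interface number, description and keepalive are assumed, not from the thread.
    interface tunnel 1
      description "L2 GRE VLAN184 to master VRRP"
      tunnel mode gre 0
      tunnel source 10.200.170.1
      tunnel destination 10.200.175.254
      tunnel vlan 184
      tunnel keepalive
      trusted

    ! --- Master-Master (3400), VLAN 10 interface 10.200.175.1 ---
    ! Source is this controller's own interface address, never the VRRP IP.
    interface tunnel 1
      description "L2 GRE VLAN184 to local"
      tunnel mode gre 0
      tunnel source 10.200.175.1
      tunnel destination 10.200.170.1
      tunnel vlan 184
      tunnel keepalive
      trusted

    ! --- Backup-Master (3400), VLAN 10 interface 10.200.175.2 ---
    ! Identical except for the source; only the VRRP owner ever receives
    ! the local's GRE packets, so only one of the two tunnels is live.
    interface tunnel 1
      description "L2 GRE VLAN184 to local"
      tunnel mode gre 0
      tunnel source 10.200.175.2
      tunnel destination 10.200.170.1
      tunnel vlan 184
      tunnel keepalive
      trusted
    ```

    To check which side is live, run show vrrp on both masters to see which one holds the VRRP master role, and show interface tunnel 1 on the local; with keepalive enabled the local's tunnel reports down while VRRP fails over and comes back once the other master answers, which is what the ping gap in the later test post corresponds to.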

     



  • 10.  RE: VRRP IP cannot be L2 GRE tunnel endpoint

    Posted Apr 26, 2012 02:13 AM

    Yes, it worked fine :)

    Now Master-Master VLAN184 has 172.200.184.2 and has a DHCP server
    Master-Standby VLAN184 has 172.200.184.3 and has a DHCP server

    I understand that when the L2 GRE is established with Master-Master, the local controller's VLAN184 cannot reach Master-Standby,
    but I am afraid to assign the same IP address (i.e. 172.200.184.1) on Master-Master VLAN184 and Master-Standby VLAN184.

    Also, if I assign different IP addresses on Master-Master and Master-Standby,
    when Master-Master fails, guest clients which were assigned 172.200.184.xx by DHCP have 172.200.184.2 as their default gateway,
    so guest users are encouraged to reconnect to the guest SSID because the 172.200.184.2 gateway does not work.

    What do you think? Do you agree with assigning the same VLAN184 gateway IP address on Master-Master and Master-Standby?



  • 11.  RE: VRRP IP cannot be L2 GRE tunnel endpoint

    EMPLOYEE
    Posted Apr 26, 2012 06:49 AM

    @mikek8877 wrote:

    Yes, it worked fine :)

    Now Master-Master VLAN184 has 172.200.184.2 and has a DHCP server
    Master-Standby VLAN184 has 172.200.184.3 and has a DHCP server

    I understand that when the L2 GRE is established with Master-Master, the local controller's VLAN184 cannot reach Master-Standby,
    but I am afraid to assign the same IP address (i.e. 172.200.184.1) on Master-Master VLAN184 and Master-Standby VLAN184.

    Also, if I assign different IP addresses on Master-Master and Master-Standby,
    when Master-Master fails, guest clients which were assigned 172.200.184.xx by DHCP have 172.200.184.2 as their default gateway,
    so guest users are encouraged to reconnect to the guest SSID because the 172.200.184.2 gateway does not work.

    What do you think? Do you agree with assigning the same VLAN184 gateway IP address on Master-Master and Master-Standby?


    Assign the same ip address (.2).  Only one master can have control of the VRRP at the same time and that controller will only have a tunnel to the locals, but not to each other.  In addition, you need to assign a default gateway to your clients, so that when they fail over, the ip address of the default gateway does not change. 

     

    Quite frankly, when you do failover, the user table is not synchronized, so the users WILL have to login again, anyway.



  • 12.  RE: VRRP IP cannot be L2 GRE tunnel endpoint

    Posted Apr 26, 2012 07:50 PM

    I tested the following configuration:

    Master-Master VLAN184 has 172.200.184.1 and has a DHCP server; default gateway is 172.200.184.1
    Master-Standby VLAN184 has 172.200.184.1 and has a DHCP server; default gateway is 172.200.184.1
    Local has VLAN184 172.200.184.254, and VLAN184 is connected to Master-Master and Master-Standby using L2 GRE tunnels (please refer to several posts back)

    Connected to the local controller with guest access through the captive portal. Authenticated with user ID and password in the internal DB server.

    Invoked ping 172.200.184.1 -t from a guest laptop (Windows XP) and pulled out the Ethernet cable from Master-Master to invoke the master failover process.

    Surprisingly, I could observe the ping drop for a minute, but after the failover was completed, ping 172.200.184.1 from the guest client came back again. I did not need to re-authenticate the guest user. I think this is because I authenticated to the captive portal on the local controller.

    Anyway, through this forum post I could achieve a good Master-Master, Master-Standby and Local redundancy configuration.

    Thank you very much.

     





  • 14.  RE: VRRP IP cannot be L2 GRE tunnel endpoint

    EMPLOYEE
    Posted Apr 26, 2012 08:01 PM
    Glad to hear you got it working. We can refer your post and ideas to others, now.


  • 15.  RE: VRRP IP cannot be L2 GRE tunnel endpoint

    Posted May 03, 2012 01:19 PM

    I should update our final decision:

    Master-Master VLAN184 has 172.200.184.2 and has a DHCP server; default gateway is 172.200.184.2
    Master-Standby VLAN184 has 172.200.184.3 and has a DHCP server; default gateway is 172.200.184.3

    Reasons are:

    1) If the product is working as expected, 172.200.184.1 on Master-Master and Master-Standby must not conflict.
    But we should consider a potential product failure which may cause an IP conflict.

    2) If we define two different gateways, 172.200.184.2 and 172.200.184.3, it is easy to determine which controller the guest user is connecting to.