Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VRRP Inquiry

  • 1.  VRRP Inquiry

    Posted Nov 13, 2013 11:01 PM

    Hi Community,

     

    I just want to verify something about a VRRP setup. I can say I am still new and learning how VRRP and RAP work. We are helping one of our clients, who claimed that VRRP is not working. Upon checking the VRRP config for both WLCs, to me it looks OK and should work. Would you agree?

     

    WLC - 1

    master-redundancy
    master-vrrp 12
    peer-ip-address x.x.x.14 ipsec 0c6d2892bde201858aab1191c6dbf83c
    !
    vrrp 12
    priority 110
    ip address x.x.x.15
    description "Preferred-Master"
    vlan 12
    preempt
    tracking master-up-time 30 add 20
    no shutdown
    !
    ip default-gateway 10.29.3.13

     

    WLC 2

    master-redundancy
    master-vrrp 12
    peer-ip-address x.x.x.13 ipsec cbc9eae6f32be827c74b0daee0a078cb
    !
    vrrp 12
    ip address x.x.x.15
    description "Backup-Master"
    vlan 12
    preempt
    tracking master-up-time 30 add 20
    no shutdown
    !
    ip default-gateway x.x.x.14

     


    What I am thinking is that the problem is that DHCP on the backup-master (WLC 2) was not properly set up, so when the preferred-master is down, the APs (configured as RAPs) cannot obtain IP addresses from the backup, and most likely the scenario is that the APs are not broadcasting SSIDs. What do you think?

     

    WLC1

    ip local pool "AP-IP" x.x.x.1 x.x.x.200
    vpdn group l2tp
    client configuration dns x.x.x.x x.x.x.x
    !

    ip dhcp excluded-address x.x.x.x x.x.x.x
    ip dhcp pool AP_MNGT
    default-router x.x.x.13
    network x.x.x.0 255.255.255.0
    authoritative
    !
    service dhcp
    ip dhcp default-pool private


    WLC2

    vpdn group l2tp
    client configuration dns x.x.x.x x.x.x.x
    !

    ip dhcp pool ap_vlan
    default-router x.x.x.14
    lease 0 8 0
    network x.x.x.0 255.255.255.0
    authoritative
    !

    ip dhcp default-pool private


    Also, the "no database synchronize" command on both WLCs is telling me that the master is not pushing the updates to the backup and thus causing this issue?

     

    Thanks for any information.

     

    Oliver



  • 2.  RE: VRRP Inquiry

    EMPLOYEE
    Posted Nov 13, 2013 11:25 PM

    Are your RAPs pointing to a Public VRRP address?  The flavor of VRRP that the controller uses will not work with a natted VRRP address on the controller.  That means the VRRP address on the controller(s) needs to be an actual public address, instead of one that is behind a NAT boundary to work.

     

    For failover to work, with NAT, both controllers need to have a natted public address and you point your RAPs to an external DNS a-record which will supply both addresses, either in a round robin fashion, or both at a time to your RAP.  In the AP system profile for your RAPs, you can lower the IPSEC retries number so that your APs fail over more quickly.

     



  • 3.  RE: VRRP Inquiry

    Posted Nov 13, 2013 11:30 PM

    Without even considering the VRRP config: the RAPs don't get an IP from DHCP, but rather from an L2TP pool. From what you've shared of your config, WLC2 does not seem to have an L2TP pool set up. WLC1 has: ip local pool "AP-IP" x.x.x.1 x.x.x.200

     

     



  • 4.  RE: VRRP Inquiry

    Posted Nov 14, 2013 12:15 AM

    Thanks for the response.

     

    Yes, the RAP is pointed to the VRRP address.

     

    From what I understand of the client's setup, when a new AP is connected, it gets an IP address from DHCP, then they configure it as a RAP and it gets its IP from the L2TP pool. This is happening on WLC1. But if WLC1 is down, what would be the scenario? Can these RAPs still connect to WLC2 properly even if the L2TP pool is not on WLC2? It seems to me that they will also have trouble provisioning new APs when WLC1 is down.

     

    Also, if the client turns on database synchronize on both WLCs, will all the setup/config from the preferred-master be transferred to the backup-master?

     

     

    Thanks!

     

    Oliver



  • 5.  RE: VRRP Inquiry

    EMPLOYEE
    Posted Nov 14, 2013 12:27 AM

    1.  A separate VPN pool needs to be set up on the backup master (that is not synchronized).

    2.  The RAP whitelist is contained within the local database, so database synchronize must be configured and tested to make sure it has completed (show database synchronize).  The database synchronize period would only have to be as frequent as you add/remove the MAC addresses of RAPs.  By default it is 30 minutes, which is normally good.  The global config itself is synchronized as soon as you set up a valid master/backup master pair, and remains synchronized every time you do a "save config" or "write mem" on the master.
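
Added example, not part of the original thread or any poster's reply: a Python check that audits a master/backup config pair for the prerequisites named in replies 3 and 5 (an L2TP pool on the backup, database synchronization enabled) plus matching VRRP ID and virtual IP. The sample configs are constructed from the thread's snippets with placeholder addresses, and the function names are hypothetical.

```python
import re
# Constructed sample configs modelled on the thread's snippets; addresses are placeholders.
WLC1 = '''master-redundancy
master-vrrp 12
!
vrrp 12
ip address 192.0.2.15
!
ip local pool "AP-IP" 198.51.100.1 198.51.100.200
no database synchronize
'''
WLC2 = '''master-redundancy
master-vrrp 12
!
vrrp 12
ip address 192.0.2.15
!
no database synchronize
'''

def first(pattern, text):
    m = re.search(pattern, text, re.M | re.S)
    return m.group(1) if m else None

def parse(cfg):
    """Pull out the settings the replies name as failover prerequisites."""
    vrrp_body = first(r"^[ \t]*vrrp \d+[ \t]*\n(.*?)^[ \t]*!", cfg) or ""
    return {
        "master_vrrp": first(r"^[ \t]*master-vrrp (\d+)", cfg),
        "vrrp_id": first(r"^[ \t]*vrrp (\d+)", cfg),
        "vip": first(r"^[ \t]*ip address (\S+)", vrrp_body),
        "pools": re.findall(r'^[ \t]*ip local pool "?([^"\s]+)', cfg, re.M),
        "db_sync": bool(re.search(r"^[ \t]*database synchronize", cfg, re.M)),
    }

def audit(master_cfg, backup_cfg):
    """Return findings for a master/backup pair (hypothetical helper, not an Aruba tool)."""
    m, b = parse(master_cfg), parse(backup_cfg)
    findings = []
    ids = {m["master_vrrp"], m["vrrp_id"], b["master_vrrp"], b["vrrp_id"]}
    if len(ids) != 1 or None in ids:
        findings.append("VRRP ID missing or inconsistent across the pair")
    if m["vip"] != b["vip"]:
        findings.append("VRRP virtual IP differs between controllers")
    if not b["pools"]:  # reply 3: RAPs take their address from an L2TP pool
        findings.append("backup: no 'ip local pool' (L2TP pool) for RAP inner addresses")
    for name, c in (("master", m), ("backup", b)):
        if not c["db_sync"]:  # reply 5: the RAP whitelist lives in the local database
            findings.append(f"{name}: database synchronize disabled, RAP whitelist will not replicate")
    return findings
```

Run against the constructed pair, `audit(WLC1, WLC2)` reports the missing pool on the backup and disabled synchronization on both controllers.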



  • 6.  RE: VRRP Inquiry

    Posted Nov 14, 2013 12:56 AM

    Thanks for all your responses. At least I can highlight these configurations to our client and help them sort out their issues.

     

    Oliver

     



  • 7.  RE: VRRP Inquiry

    Posted Nov 26, 2013 09:59 PM

    Hi,

     

    This is related to VRRP inquiry. 

     

    I wonder why it only shows the IP address of the backup-master if I run "show switches" on the backup, but I can see both IP addresses (master and backup) if I run the command from the master.

    From what I understand of the VRRP setup, both master and backup should be able to see their IP addresses to communicate.

     

     

    Thanks

     

    Oliver