Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

uplink load balancing

  • 1.  uplink load balancing

    Posted Sep 19, 2018 10:18 PM

    Hi,

     

    We have two uplinks and we want to load balance them: VPN traffic should be on the primary link, and internet traffic should be on the secondary link. Each link should be redundant to the other.



  • 2.  RE: uplink load balancing

    EMPLOYEE
    Posted Sep 19, 2018 10:25 PM

    Is this instant or a controller-based deployment?



  • 3.  RE: uplink load balancing

    Posted Sep 19, 2018 10:27 PM

    It is controller based.

    7210 / 7205 ..

     



  • 4.  RE: uplink load balancing



  • 5.  RE: uplink load balancing

    Posted Sep 19, 2018 10:56 PM

    It does not say anything about VPN load balancing. It load balances ALL traffic.

     

    Can you share a configuration example? 



  • 6.  RE: uplink load balancing

    EMPLOYEE
    Posted Sep 20, 2018 06:54 AM

    I apologize. You said Uplink load balancing. The Aruba feature is Policy Based Routing (PBR), where you send specific traffic over specific links. The concept is not complicated but the implementation can be pretty involved. Have you already formed the VPN link and is it working?

     

    If yes, please read a list of articles about PBR here:  http://community.arubanetworks.com/t5/forums/searchpage/tab/message?include_tkbs=true&location=category%3ASupport-Documentation-Downloads&q=pbr



  • 7.  RE: uplink load balancing

    Posted Sep 20, 2018 03:16 PM

    Thanks for your reply.

     

    I tried to follow the guides but had no luck.

     

    http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-configure-a-router-ACL-for-PBR/ta-p/234519

     

    I cannot create the ACL on my command line. The "network" command is not supported.

     

    GUIDE:

    2) Create a route ACL with PBR option required
    (6.4.3-Beta-Master) (config-route-test)#network 10.0.0.0 255.255.0.0 any any route ?

     

    My device:

     

    (config) #net
    netdestination Configure IPv4 network destination
    netdestination6 Configure IPv6 network destination
    netexthdr Configure IPv6 Next/Extended Header filter
    netservice Configure a network service

     

    ArubaOS (MODEL: Aruba7005), Version 8.2.1.0

     

    Can you provide a PBR guide which is compatible with 8.2.1.0 ? 

    And configuration examples or best practises guide? 



  • 8.  RE: uplink load balancing



  • 9.  RE: uplink load balancing

    Posted Sep 20, 2018 04:16 PM

    the guide you have provided says: 

     


    In the Managed Network node hierarchy, navigate to

    Configuration> Interfaces > IP Routes.
    2. Expand the Policy-Based Routing menu.

     

    There is no such PBR menu.

     

    Am I missing something? 

     




  • 10.  RE: uplink load balancing

    EMPLOYEE
    Posted Sep 20, 2018 06:13 PM

    It looks like the Policy Based Routing documentation for ArubaOS 8.3.x is incorrect and we are looking into that.

     

    Meanwhile, all that is necessary for Policy based routing is to create:

     

    1 - An ip nexthop list with at minimum one nexthop ip address behind the VPN connection you have

    2 - A session ACL for your user role allowing and denying traffic

    3 - A route ACL that will determine if traffic is permitted (regular routing) or "routed" to the nexthop list in item#1

    4. - Apply the session ACL and the route ACL to the user role for the traffic you want it applied to.

     

    Let me come up with some commandline steps on how to accomplish that and I will get back to you.



  • 11.  RE: uplink load balancing

    Posted Sep 20, 2018 08:22 PM

    That would be very nice. Waiting for reply then.  Thank you.



  • 12.  RE: uplink load balancing

    EMPLOYEE
    Posted Sep 21, 2018 01:39 AM

    You need:

     

    1.  To make sure that you are in the /md tree above or at where your controllers are located when you create everything.  (you should not create anything directly in the md folder).

    2.  the ip address of the "router" that you want to handle the next hop.  This goes into the next hop list.  The format is slightly different for a VPN connection that is terminated on the controller, however.

    3.  to create a Route ACL that defines what traffic is to be routed to the next hop vs routed the normal way.  

    4.  Assign that route ACL to the user role.

     

    In the example below, I will send https traffic to the next hop, and all the other traffic the regular way for the user role "myuserrole".  I am currently in the MD/<blah blah/ folder:

     

    config t
    ip nexthop-list myrouter
    ip 192.168.1.3  <--ip address of the router path you want the traffic to take
    exit
    **The nexthop list needs to be created before it is referenced below***
    ip access-list route routeacl
    any any tcp 443 route next-hop-list myrouter <---sending https to that next hop
    any any any forward <------all other traffic takes normal routing
    exit
    routing-policy-map role myuserrole access-list routeacl
    exit

    ^^^Assigned the route-acl called "routeacl" to the user role myuserrole

    write mem

    That is all that is necessary.

     

    show ip nexthop-list on the md will show that you have created a nexthop list and the ip address in that list

    show ip health-check on the md will determine if that next hop ip address is alive.  The controller periodically reaches out to ip addresses in the next hop list to determine if they are valid destinations.  You could have more than one ip address in the next hop list and the controller needs to know which path is actually available.

    show datapath session table <ip address of client> will have a "r" route nexthop flag on the line that is being routed using the route acl.

     

    I hope that makes sense.
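
Added example, not part of the original posts and not Aruba code: a small Python audit of saved `show datapath session table <client ip>` output that checks the route ACL above is taking effect, i.e. that client TCP/443 sessions carry the `r` route nexthop flag and other sessions do not. The sample text is constructed and its six-column layout is a simplified assumption; adjust the field positions to the columns your controller actually prints.

```python
# Added example: audit session-table output against the route ACL from the post
# (TCP/443 -> next-hop list "myrouter", everything else forwarded normally).
# SAMPLE is constructed; its simplified column layout is an assumption.

SAMPLE = """\
Source IP     Destination IP  Prot SPort DPort Flags
10.1.1.50     203.0.113.10    6    51544 443   Fr
10.1.1.50     203.0.113.10    6    51545 443   F
10.1.1.50     198.51.100.7    6    51560 80    F
10.1.1.50     198.51.100.9    17   53211 53    FCr
203.0.113.10  10.1.1.50       6    443   51544 F
"""

ROUTED_PROTO, ROUTED_DPORT = 6, 443  # "any any tcp 443 route next-hop-list myrouter"


def parse_sessions(text):
    """Yield one dict per session row; header and blank lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[2].isdigit():
            continue
        # A row whose Flags column is empty has only five fields.
        flags = f[5] if len(f) > 5 else ""
        yield {"src": f[0], "dst": f[1], "prot": int(f[2]),
               "sport": int(f[3]), "dport": int(f[4]), "flags": flags}


def audit(text, client_ip):
    """Return (missing, unexpected) for sessions initiated by client_ip."""
    missing, unexpected = [], []
    for s in parse_sessions(text):
        if s["src"] != client_ip:
            continue  # only the client-initiated direction is audited
        should_route = s["prot"] == ROUTED_PROTO and s["dport"] == ROUTED_DPORT
        routed = "r" in s["flags"]  # lower-case r = route nexthop flag, per the post
        if should_route and not routed:
            missing.append(s)      # HTTPS that did not take the next-hop list
        elif routed and not should_route:
            unexpected.append(s)   # other traffic that was policy-routed anyway
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE, "10.1.1.50")
    for s in missing:
        print("443 session NOT policy-routed:", s["dst"], "sport", s["sport"])
    for s in unexpected:
        print("non-443 session policy-routed:", s["dst"], "dport", s["dport"])
```

A non-empty `missing` list means traffic intended for the next hop is leaving by normal routing, which is the case to investigate first together with `show ip health-check`.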