
Gateway Cluster and Tunnel Orchestration

A Gateway cluster is a combination of multiple Aruba Gateways operating as a single entity to provide high availability and service continuity to the WLAN clients in a network. Gateway clusters provide full redundancy to APs and WLAN clients in the event of a failover.

AOS 10.x supports Gateway clusters and provides the following features and benefits:

Automatic Gateway cluster configuration is supported on Aruba Gateways running ArubaOS or later versions. To view the list of Aruba Gateway models and the software versions supported in the Aruba Unified Network Architecture, refer to Supported Devices for AOS 10.x.

AOS 10.x simplifies the existing load balancing algorithm so that load is distributed more evenly when a Gateway rejoins the cluster after a failover. This streamlines debugging and troubleshooting and reduces the number of user activations during multiple cluster failovers. AOS 10.x uses the cluster heartbeat and fast failover detection for other features to achieve seamless failover.

In AOS 10.x, APs do not anchor to a Gateway. APs are anchored to the cloud, and the Gateway identifies the AP when the AP boots. However, a Device Designated Gateway (DDG), an AP-designated Gateway, is still needed for multicast. From the user's point of view, the APs are still aware of the cluster bucket map, which directs user traffic to the user designated gateway.

An AOS 10.x solution configured with Gateway clusters requires the Gateways to be onboarded to Aruba Central. See the workflow in Gateway Cluster Architecture to onboard the Gateways.

Types of Gateway Clusters

You can deploy either a homogeneous or heterogeneous cluster for Gateways.

Homogeneous Cluster

A homogeneous cluster is built from nodes of the same platform type, that is, the same Aruba Gateway model. A homogeneous cluster of Aruba 7200 Series Gateways supports up to 12 nodes, whereas a homogeneous cluster of Aruba 7000 Series Gateways supports only four nodes.

Cluster sizing depends on the AP count the cluster must carry while ensuring that every AP has a DDG and an S-DDG with enough capacity for all APs to fail over. The recommended AP load of the cluster is half of its total capacity, so the cluster AP count should equal 50% of the cluster capacity.

For example, if a cluster consists of four 7220 managed devices, their combined capacity is 4096 APs; hence the cluster AP count would be 2048.

Heterogeneous Cluster

A heterogeneous cluster allows you to combine different Gateway models. A heterogeneous cluster combining 7200 Series and 7000 Series Gateways is supported, with redundancy but reduced AP or client capacity. The cluster size is limited to four nodes when 7000 Series Gateways are combined with 7200 Series Gateways.

The cluster AP count should equal the lower of 50% of the total cluster capacity and the worst-case load. The worst-case load is the AP load the remaining nodes can handle when the highest-capacity cluster member goes down.
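
The two sizing rules above (50% of total capacity for a homogeneous cluster; the lower of 50% and the worst-case load for a heterogeneous one) and the node limits stated earlier are captured in the following helper. This is an added example, not Aruba's sizing tool: the only capacity figure taken from the page is the 7220's (four 7220s = 4096 APs implies 1024 per node); the other per-model capacities are assumed placeholders that a practitioner would replace with the vendor's published numbers.

```python
"""Cluster AP-count sizing helper (added illustration, not Aruba code).

  homogeneous cluster:   AP count = 50% of total cluster AP capacity
  heterogeneous cluster: AP count = min(50% of total capacity, worst-case load)
                         worst-case load = capacity left when the
                         highest-capacity member is down
Node limits: 12 for a homogeneous 7200 Series cluster, 4 for a homogeneous
7000 Series cluster or any cluster that mixes 7200 and 7000 Series Gateways.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

# Per-model AP capacity. The 7220 figure is implied by the page's own example;
# the other values are ASSUMED placeholders, not vendor data.
ASSUMED_AP_CAPACITY: Dict[str, int] = {
    "7220": 1024,  # derived from "four 7220s = 4096 APs"
    "7210": 512,   # placeholder
    "7030": 64,    # placeholder
}

MAX_NODES_HOMOGENEOUS_7200 = 12
MAX_NODES_WITH_7000 = 4


@dataclass(frozen=True)
class Sizing:
    homogeneous: bool
    total_capacity: int
    half_capacity: int
    worst_case_load: int
    recommended_ap_count: int


def is_7200_series(model: str) -> bool:
    return model.startswith("72")


def validate_cluster(models: Sequence[str], capacity: Dict[str, int]) -> bool:
    """Check the node count against the stated limits; return True if homogeneous."""
    if not models:
        raise ValueError("a cluster needs at least one Gateway")
    unknown = [m for m in models if m not in capacity]
    if unknown:
        raise ValueError(f"no capacity figure for model(s): {unknown}")
    homogeneous = len(set(models)) == 1
    limit: Optional[int]
    if homogeneous and is_7200_series(models[0]):
        limit = MAX_NODES_HOMOGENEOUS_7200
    elif any(not is_7200_series(m) for m in models):
        limit = MAX_NODES_WITH_7000
    else:
        limit = None  # mixed 7200-only cluster: the page states no limit
    if limit is not None and len(models) > limit:
        raise ValueError(f"{len(models)} nodes exceeds the limit of {limit}")
    return homogeneous


def size_cluster(models: Sequence[str],
                 capacity: Dict[str, int] = ASSUMED_AP_CAPACITY) -> Sizing:
    """Apply the sizing rule that matches the cluster type."""
    homogeneous = validate_cluster(models, capacity)
    caps = [capacity[m] for m in models]
    total = sum(caps)
    half = total // 2
    worst = total - max(caps)          # load carried if the biggest node fails
    recommended = half if homogeneous else min(half, worst)
    return Sizing(homogeneous, total, half, worst, recommended)


if __name__ == "__main__":
    print(size_cluster(["7220"] * 4))                    # the page's example
    print(size_cluster(["7220", "7030", "7030", "7030"]))  # worst case binds
```

In the mixed example the worst-case rule wins: losing the single 7220 leaves only the three small nodes, so the safe AP count is far below 50% of the nominal total. That is the capacity penalty the heterogeneous section warns about.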

Cluster Connection Type

AOS 10.x supports the L2 connection type for cluster members, where the cluster members share the same user VLANs. All user VLANs on each node are also present on all other nodes.

A cluster is always formed over an L2 network.

Features of Gateway Clusters

The following features are supported for Gateway clusters:

AP Load Balancing in Gateway Clusters

The load balancing of APs among Gateways is done during initial setup. In both homogeneous and heterogeneous clusters, APs are load balanced among Gateways in a round-robin manner according to each platform's AP capacity. APs are distributed evenly so that multicast handling is offloaded evenly across cluster peers. Only the active and standby DDG configure the multicast tunnel to the user VLAN in the datapath.

Backup Cluster Configuration for Gateway Clusters

An optional setting allows you to configure a Secondary Gateway Cluster as a failover for tunnel-mode deployments in case the primary cluster is unavailable. Enabling the Cluster Preemption check box allows the AP to switch the SSID back to the primary gateway cluster when it becomes available again. Failover from the primary cluster to the secondary cluster is triggered when:

  • The primary cluster is down.
  • The primary cluster is up but some devices are unable to reach it. Those devices fail over to the backup cluster.

A secondary gateway cluster can be configured at the group level or at the device level, and only one primary-secondary cluster pair can be configured per SSID. This setting can be configured in a multizone environment, and each zone can have its own backup cluster. For more information, see Configuring VLAN Settings for WLAN SSID Profile in Tunnel and Mixed Mode.

Multiversion Support in Gateway Clusters

AOS 10.x supports multiple software versions among Gateways in the same cluster profile by exchanging messages between the Gateways in the cluster. To support multiple versions for all exchanged messages, the messages are encoded in Protobuf format and sent over PAPI, so that fields unknown to a receiving Gateway are ignored. The following messages are exchanged between the Gateways:

The cluster is formed between Gateways in the same cluster profile by accepting the HELLO message request from peers.
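
The property the multiversion section relies on, that a Gateway on an older version can parse a message from a newer peer and skip the fields it does not know, comes from the protobuf wire format: every field is tagged with its number and a wire type, and the wire type alone tells a receiver how many bytes to skip. The minimal encoder and decoder below, an added illustration rather than Aruba's cluster message schema or PAPI transport, shows this on an assumed HELLO message whose field names and values are made up for the example.

```python
"""Minimal protobuf wire-format codec showing why unknown fields are harmless.

Added illustration; not Aruba's message schema. Field names and the sample
HELLO contents are assumed.
"""
from typing import Dict, List, Tuple, Union

Scalar = Union[int, str, bytes]


def encode_varint(value: int) -> bytes:
    """Base-128 varint: 7 bits per byte, least-significant group first, MSB = more."""
    if value < 0:
        raise ValueError("negative values need zigzag/sint encoding")
    out = bytearray()
    while True:
        group = value & 0x7F
        value >>= 7
        if value:
            out.append(group | 0x80)
        else:
            out.append(group)
            return bytes(out)


def decode_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, new_pos); reject truncated or over-long varints."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def encode_message(fields: Dict[int, Scalar]) -> bytes:
    """ints go as wire type 0 (varint); str/bytes as wire type 2 (length-delimited)."""
    out = bytearray()
    for number, value in sorted(fields.items()):
        if isinstance(value, int):
            out += encode_varint((number << 3) | 0) + encode_varint(value)
        else:
            data = value.encode("utf-8") if isinstance(value, str) else value
            out += encode_varint((number << 3) | 2) + encode_varint(len(data)) + data
    return bytes(out)


def decode_message(buf: bytes, schema: Dict[int, Tuple[str, str]]
                   ) -> Tuple[Dict[str, Scalar], List[int]]:
    """Decode with schema {field_number: (name, 'int' | 'str' | 'bytes')}.

    A field number absent from the schema is skipped purely by its wire type,
    which is all an older receiver needs to keep parsing. The skipped numbers
    are returned so the caller can see what was ignored.
    """
    known: Dict[str, Scalar] = {}
    unknown: List[int] = []
    pos = 0
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 0x07
        if wire_type == 0:                       # varint
            value, pos = decode_varint(buf, pos)
        elif wire_type == 2:                     # length-delimited
            length, pos = decode_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value = buf[pos:pos + length]
            pos += length
        elif wire_type in (1, 5):                # fixed64 / fixed32
            size = 8 if wire_type == 1 else 4
            if pos + size > len(buf):
                raise ValueError("truncated fixed-width field")
            value = buf[pos:pos + size]
            pos += size
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        if number in schema:
            name, kind = schema[number]
            known[name] = value.decode("utf-8") if kind == "str" else value
        else:
            unknown.append(number)
    return known, unknown


# Assumed example: the older schema knows two fields; a newer peer adds field 3.
HELLO_V1_SCHEMA = {1: ("peer_id", "str"), 2: ("cluster_version", "int")}
HELLO_FROM_NEWER_PEER = encode_message({1: "gw-a", 2: 1, 3: 5})

if __name__ == "__main__":
    print(HELLO_FROM_NEWER_PEER.hex())
    print(decode_message(HELLO_FROM_NEWER_PEER, HELLO_V1_SCHEMA))
```

The decoder deliberately treats a truncated length or a bad wire type as an error rather than guessing; tolerating unknown field numbers is safe precisely because the framing is still validated.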

Device Interface Manager in Gateway Clusters

The Device Interface Manager (DIM) is the interface between the AP and the Gateway and handles the cluster-related communication between them.

Cluster Support for Wired User from AP

The Gateway cluster also supports load balancing and redundancy for wired users connected to an AP. This requires the AP to use the cluster bucketmap to forward wired client traffic to the appropriate Gateway. The AP uses the same GRE tunnel to forward wired and wireless client traffic and sends the same RADIUS messages to the Gateway for wired users. The Gateway classifies a user as wired or wireless based on the NAS port type sent by the AP.
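
The bucket map mentioned here and in the overview (the AP hashes a client into a bucket, and the bucket names the Gateway that terminates that client's traffic) can be modelled as follows. This is an added example of the concept, not Aruba's implementation: the bucket count, the hash function, the round-robin assignment and the failover rule are all assumed, and the Gateway names and client MAC are constructed for the illustration. It goes slightly beyond the text by also showing what happens to the map when a Gateway leaves the cluster.

```python
"""Illustrative cluster bucket map (added example; not Aruba's implementation).

Each bucket names an active Gateway (the user designated gateway for clients
that hash into it) and a standby on a different Gateway. The AP forwards wired
and wireless client traffic alike by hashing the client into a bucket.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

NUM_BUCKETS = 256  # assumed bucket count


@dataclass
class Bucket:
    active: str             # gateway terminating this bucket's client traffic
    standby: Optional[str]  # takes over if the active gateway leaves the cluster


def build_bucket_map(gateways: List[str], num_buckets: int = NUM_BUCKETS) -> List[Bucket]:
    """Spread buckets round-robin; the standby is always a different gateway."""
    if not gateways:
        raise ValueError("cluster has no gateways")
    n = len(gateways)
    return [Bucket(gateways[i % n], gateways[(i + 1) % n] if n > 1 else None)
            for i in range(num_buckets)]


def bucket_index(client_mac: str, num_buckets: int = NUM_BUCKETS) -> int:
    """Hash the client MAC to a bucket; every AP computes the same answer."""
    raw = bytes.fromhex(client_mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {client_mac!r}")
    digest = hashlib.sha256(raw).digest()
    return int.from_bytes(digest[:4], "big") % num_buckets


def gateway_for_client(bucket_map: List[Bucket], client_mac: str) -> str:
    """The gateway an AP forwards this client's traffic to right now."""
    return bucket_map[bucket_index(client_mac, len(bucket_map))].active


def gateway_down(bucket_map: List[Bucket], failed: str, gateways: List[str]) -> int:
    """Move buckets served by `failed` to their standby and pick new standbys.

    Returns the number of buckets whose active gateway changed. Clients in the
    other buckets keep their gateway, which is why only a fraction of users
    are affected by a single node failure.
    """
    live = [g for g in gateways if g != failed]
    if not live:
        raise ValueError("no gateway left in the cluster")
    moved = 0
    for i, b in enumerate(bucket_map):
        if b.active == failed:
            b.active = b.standby if b.standby not in (None, failed) else live[i % len(live)]
            moved += 1
        if b.standby in (None, failed) or b.standby == b.active:
            others = [g for g in live if g != b.active]
            b.standby = others[i % len(others)] if others else None
    return moved


def check_invariants(bucket_map: List[Bucket], live: List[str]) -> bool:
    """Every bucket has a live active gateway and a different (or absent) standby."""
    return all(
        b.active in live
        and (b.standby is None or (b.standby in live and b.standby != b.active))
        for b in bucket_map
    )


if __name__ == "__main__":
    gws = ["gw1", "gw2", "gw3"]             # constructed cluster members
    bm = build_bucket_map(gws)
    mac = "00:11:22:33:44:55"               # constructed client MAC
    print("before:", gateway_for_client(bm, mac))
    print("moved:", gateway_down(bm, "gw2", gws))
    print("after: ", gateway_for_client(bm, mac), check_invariants(bm, ["gw1", "gw3"]))
```

Because every AP derives the same bucket from the same client identity, wired and wireless sessions of one client land on the same Gateway regardless of which AP they enter through, and a failover only remaps the buckets that the failed node owned.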

Dynamic Authorization

Dynamic authorization supports Change of Authorization (CoA) requests in a cluster. CoA requests are sent by RADIUS servers to Gateways to dynamically modify the authorization attributes of a connected client session. Administrators can enable the dynamic authorization feature to ensure that CoA requests are not dropped when a client's Gateway node changes due to load balancing or a failover.

VPN Termination

The manual cluster configuration mode also allows you to enable VPN termination to terminate the IPsec VPN tunnels originating from the APs. Administrators can enable VPN termination if the Gateways in the cluster are used as VPN endpoints.

Tunnel Orchestration

The IPsec tunnels between the APs and the Gateway cluster are orchestrated by the Tunnel Orchestrator for LAN Tunnels service in Aruba Central.

The Tunnel Orchestrator for LAN Tunnels service in Aruba Central automates routing between the APs and the Gateway cluster provisioned in an Aruba Central account. The service also computes a cost for the route between multiple data centers, so that a different data center preference can be applied to the devices in a branch. The designated Gateway in the cluster acts as the preferred VPN concentrator, aggregates routes from the APs, and redistributes them to the neighboring routers.

For Layer 2 deployments, administrators must configure a split-tunnel policy in the access rules and apply it to the user role in the WLAN SSID. Based on the ACLs configured for the SSID and Gateway cluster, client traffic to the corporate domain is tunneled to the Gateway in the data center, and traffic to non-corporate domains is forwarded to the Internet.