Controller Clustering

A cluster is a group of managed devices that work together to provide high availability to all clients and to ensure service continuity when a failover occurs.

Each AP is managed by a single managed device, while the client load is shared by all the managed devices. The goal of a cluster is to provide full redundancy to APs and wireless clients alike in case one or more of its members malfunction.

All the members in a cluster are active managed devices.

A cluster provides a large roaming domain, minimizes the fault domain, and speeds up recovery.

The objectives of a cluster are:

  • Seamless Campus Roaming—When a client roams between APs of different managed devices within a large L2 domain, the client retains the same subnet and IP address to ensure seamless roaming. The clients remain anchored to a single managed device in the cluster throughout their roaming area, which makes roaming seamless because their L2 or L3 information and sessions remain on the same managed device.
  • Hitless Client Failover—When a managed device fails, all the users fail over to their standby managed device seamlessly without any disruption to their wireless connectivity or existing high-value sessions.
  • Client and AP Load Balancing—When there is excessive workload among the managed devices, the client and AP load is evenly balanced among the cluster members. Both clients and APs are load balanced seamlessly.

The following sections describe the prerequisites, key considerations, and features supported in a cluster.

Requirements

Clustering is supported only with a Mobility Conductor, and cluster members can only be managed devices.

The following managed devices support clustering:

  • 7200 Series controllers—Support for up to 12 nodes in a cluster.
  • 7000 Series controllers—Support for a maximum of 4 nodes in a cluster.
  • 9004 controllers—Support for a maximum of 4 nodes in a cluster.
  • 9012 controllers—Support for a maximum of 4 nodes in a cluster.
  • 9240 controllers—Support for up to 12 nodes in a cluster.
  • Mobility Controller Virtual Appliance—Support for a maximum of 4 nodes in a cluster.

Even with a 12-node cluster, the maximum supported APs and client counts are limited to 10K and 100K, respectively.

Key Considerations

Some of the key considerations are:

Support for Homogeneous Cluster

A homogeneous cluster is a cluster built with all nodes of the same platform type.

Cluster AP Capacity

The cluster size depends on the cluster AP count required to ensure that every AP has an AAC and an S-AAC with adequate capacity for all APs to fail over. The recommended AP load of the cluster should be half of the total cluster capacity; therefore, the cluster AP count should equal 50% of the cluster capacity.

For example, if a cluster is made up of four 7220 managed devices, the combined capacity of four 7220 managed devices is 4096 APs, hence, the AP count would be 2048.

Support for Heterogeneous Cluster

The following list provides the points to be considered for cluster capacity (APs and clients) when the cluster has a heterogeneous managed device mix. For example, 7210, 7220, and 7240 controllers.

  • Total capacity of individual managed devices in the cluster, when redundancy is disabled.
  • The number of cluster nodes is restricted to four when it involves a 7000 Series managed device.
  • When 7200 Series managed devices are added to a cluster consisting of other 7000 Series managed devices, then the capacity of the 7200 Series managed devices is reduced to the maximum capacity of the 7000 Series managed devices that are currently part of the cluster.
  • When 7000 Series managed devices are added to a cluster consisting of 7200 Series managed devices, then one of the following conditions apply:
    • If there are more than three 7200 Series managed devices in the cluster, the 7000 Series managed devices are not allowed to join the cluster.
    • If the current AP or station count on the 7200 Series managed devices is greater than the maximum AP or station capacity supported on the newly added 7000 Series managed devices, then the 7000 Series managed devices are not allowed to join the cluster. To check if the 7000 Series managed devices are allowed to join the cluster, execute the show lc-cluster group-membership command.
    • If the current AP or station count on the 7200 Series managed devices is less than the maximum AP or station capacity supported on the newly added 7000 Series managed devices, then the capacity of the 7200 Series managed devices in the cluster drops to the maximum capacity supported on the 7000 Series managed devices, and the existing supported APs on the 7200 Series managed devices are not impacted.
  • 9240 managed devices do not operate in a heterogeneous cluster.
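The join conditions listed above for a 7000 Series device entering a cluster of 7200 Series devices, as an added Python admission check (this is not ArubaOS code). The node-count limit, the "more than three 7200 Series members" rule, the load-versus-capacity rule and the resulting capacity reduction come from the list; the per-platform AP and station capacities in the sample run are constructed values, not vendor figures.

```python
"""Join-admission check for a 7000 Series managed device entering a cluster
that already holds 7200 Series members, implementing the conditions listed
above.  Added example, not ArubaOS code; the capacities used in the sample
run are constructed values."""
from dataclasses import dataclass
from typing import List, Optional

MAX_NODES_WITH_7000 = 4  # cluster size limit once a 7000 Series device is involved


@dataclass(frozen=True)
class Node:
    name: str
    series: str          # "7000" or "7200"
    ap_capacity: int     # maximum APs the platform supports (constructed in the sample)
    sta_capacity: int    # maximum stations the platform supports (constructed in the sample)


@dataclass
class JoinResult:
    allowed: bool
    reason: str
    effective_ap_capacity: Optional[int]   # capacity the 7200 members drop to, if allowed


def check_7000_join(cluster: List[Node], candidate: Node,
                    current_aps: int, current_stations: int) -> JoinResult:
    """Decide whether `candidate` (7000 Series) may join `cluster`.

    current_aps / current_stations: load currently on the 7200 Series members.
    """
    if candidate.series != "7000":
        raise ValueError("this check applies to 7000 Series candidates only")
    # With a 7000 Series device involved, the cluster is capped at four nodes
    if len(cluster) + 1 > MAX_NODES_WITH_7000:
        return JoinResult(False, "cluster would exceed four nodes", None)
    # More than three 7200 Series members present: the 7000 Series device may not join
    if sum(1 for n in cluster if n.series == "7200") > 3:
        return JoinResult(False, "more than three 7200 Series members present", None)
    # Current load above what the 7000 Series device can carry: it may not join
    if current_aps > candidate.ap_capacity or current_stations > candidate.sta_capacity:
        return JoinResult(False, "current AP/station count exceeds the 7000 Series capacity", None)
    # Otherwise the join succeeds and every 7200 member is capped at the 7000 figure
    return JoinResult(True, "join allowed; 7200 Series capacity reduced to the 7000 figure",
                      candidate.ap_capacity)


if __name__ == "__main__":
    members = [Node(f"mc-7200-{i}", "7200", 1024, 8192) for i in range(2)]   # constructed
    newcomer = Node("mc-7000-a", "7000", 64, 1024)                           # constructed
    print(check_7000_join(members, newcomer, current_aps=300, current_stations=500))
    print(check_7000_join(members, newcomer, current_aps=40, current_stations=500))
```

Running it with the constructed figures prints one refusal (300 APs already exceed the newcomer's 64-AP capacity) and one admission, in which the 7200 members' effective capacity drops to 64 APs; after a real join, confirm the outcome with show lc-cluster group-membership as the text advises.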

Cluster AP Capacity

The cluster AP size should be the lower of two values: 50% of the total cluster capacity, or the worst-case load. The worst-case load is the AP load that the remaining nodes in the cluster must handle when the highest-capacity cluster member goes down.

The following examples show how to calculate the cluster AP size from the capacity of the managed devices:

Example 1:

Consider a cluster with one 7220 managed device and two 7240 managed devices. The capacity of a 7220 managed device is 1024 APs and the capacity of a 7240 managed device is 1024 APs. So, 50% of the total capacity is (1024 + 1024 + 1024)/2 = 1536 APs. Now, assume one 7240 managed device is down; the worst-case load is then (1024 + 1024) = 2048 APs.

Therefore, the cluster AP size in this example is 1536 APs as it is the lowest value between the 50% of total cluster capacity and the worst case scenario load.

Example 2:

Consider a cluster with two 7210 managed devices and one 7240 managed device. The capacity of a 7210 managed device is 512 APs and the capacity of the 7240 managed device is 512 APs. So, 50% of the total capacity is (512 + 512 + 512)/2 = 768 APs. Now, assume the 7240 managed device is down; the worst-case load is then (512 + 512) = 1024 APs.

Therefore, the cluster AP size in this example is 1024 APs as it is the lowest value between the 50% of total cluster capacity and the worst case scenario load.
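The sizing rule behind both examples, as an added Python helper that is not ArubaOS code. It generalizes the rule to any list of per-node AP capacities: 50% of the combined capacity, the worst-case load when the highest-capacity member fails, and the lower of the two. The capacities used are the figures from the examples above; for Example 1 the helper returns 1536, and for Example 2's inputs (512, 512, 512) the rule as stated returns 768, the lower of 768 and 1024.

```python
"""Cluster AP sizing helper.  Added example implementing the rule stated above
(lowest of 50% of total capacity and the worst-case load); not ArubaOS code.
Per-platform AP capacities are the figures used in the text's examples."""
from typing import Dict, Sequence


def cluster_ap_size(capacities: Sequence[int]) -> Dict[str, int]:
    """Compute the recommended cluster AP size for the given per-node AP capacities.

    half_total : 50% of the combined capacity (every AP keeps an AAC and an S-AAC)
    worst_case : load the remaining nodes must absorb if the largest member fails
    ap_size    : the lower of the two, which is the AP count to plan for
    """
    if not capacities:
        raise ValueError("a cluster needs at least one node")
    total = sum(capacities)
    half_total = total // 2
    worst_case = total - max(capacities)   # a single node has no survivor, so this is 0
    return {
        "total": total,
        "half_total": half_total,
        "worst_case": worst_case,
        "ap_size": min(half_total, worst_case),
    }


def stranded_after_failure(capacities: Sequence[int], ap_count: int) -> int:
    """APs that cannot be re-homed if the largest member fails with ap_count APs deployed.

    0 means every AP still has a surviving node with capacity to take it over."""
    surviving = sum(capacities) - max(capacities)
    return max(0, ap_count - surviving)


if __name__ == "__main__":
    # Example 1: one 7220 and two 7240s, 1024 APs each
    print(cluster_ap_size([1024, 1024, 1024]))
    # Four 7220s, 1024 APs each: 50% of 4096 is 2048, matching the earlier example
    print(cluster_ap_size([1024] * 4))
    # Over-deploying beyond the worst-case load leaves APs with nowhere to fail over
    print(stranded_after_failure([1024, 1024, 1024], 2500))
```

The helper also makes the single-node edge case explicit: with one member the worst-case load is 0, because nothing survives that member's failure, so the recommended size is 0 rather than half its capacity.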

Cluster Connection Types

Clustering supports two connection types for cluster members: a cluster can be formed over either an L2 or an L3 network. L2 is recommended for simplicity.

Roles

This section explains the roles of the members within the cluster:

Cluster Leader

When several managed devices form a cluster, the devices exchange handshake or hello messages with one another. When all the cluster members are in a fully connected mesh, a cluster leader is elected. The cluster leader is elected based on the highest effective priority, which is derived from the configured priority, the platform value, and the MAC address of the device.

The cluster leader computes which client is mapped to which cluster member.

The cluster leader also dynamically and seamlessly balances the client load when load increases and there is an imbalance of load among the cluster members.

The cluster leader identifies standby managed devices for clients and APs to ensure hitless failover.

AAC - AP Anchor Controller

This role is given to a managed device from the perspective of an individual AP; it is the anchor for the AP. The AP sets up active tunnels with its LMS-IP, and the AAC is responsible for all management functions of the AP and its radios.

UAC - User Anchor Controller

This is an anchor for users. The user associates to an AP and the AP creates a dynamic tunnel to the client UAC. The UAC handles all the wireless client traffic, including association or disassociation notification, authentication, and all the unicast traffic between the managed device and the client. The UAC is used to ensure that the managed device remains the same within the cluster when clients roam between APs.

S-AAC - Standby AP Anchor Controller

A standby AAC is dynamically assigned from the other cluster members. An AP sets up standby tunnels with the S-AAC. If the AAC fails, the S-AAC detects the failure and ensures that the AP fails over to the S-AAC. After the original AAC has failed and the S-AAC has become the new AAC, the cluster leader dynamically chooses a new S-AAC for the AP.

S-UAC - Standby User Anchor Controller

This is the standby managed device from the user perspective: the role given to the managed device that a user fails over to when the active UAC (A-UAC) is down.

Anchored to a Single Managed Device

A user is mapped to a UAC through a hashing algorithm at the AP level. At the AP, a single hashing algorithm creates an index based on the MAC address of the client. This index points into a mapping table that gives the actual UAC for that user. The cluster leader sends this mapping to all the nodes in the cluster, and each AAC then sends it to its APs, so all APs in the cluster hold the same mapping information. The cluster leader assigns the S-AAC to each AP after considering the AP load on the cluster.
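The anchoring mechanism described above, as an added Python model that is not ArubaOS code: an AP hashes the client MAC to an index, the index selects a row of a mapping table computed by the cluster leader, and because every AP holds the same table, any AP resolves the same UAC for that client, which is what keeps the anchor fixed while the client roams. The hash function (SHA-256 of the normalized MAC), the 256-entry index space, the round-robin table layout and the choice of S-UAC as the next node are all assumptions made for the example; the page does not describe the actual algorithm.

```python
"""Client-to-UAC anchoring model.  Added example, not ArubaOS code.  The hash,
the bucket count and the table layout are assumptions; only the structure
(MAC -> index -> mapping table -> UAC, same table on every AP) is from the text."""
import hashlib
from typing import Dict, List, Optional, Tuple

BUCKETS = 256  # assumed size of the per-AP index space


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so the same client hashes identically in any notation."""
    hexdigits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_index(mac: str, buckets: int = BUCKETS) -> int:
    """Index derived from the client MAC (assumed hash; deterministic, so every AP agrees)."""
    digest = hashlib.sha256(normalize_mac(mac).encode()).digest()
    return int.from_bytes(digest[:4], "big") % buckets


def build_mapping(nodes: List[str], buckets: int = BUCKETS) -> Dict[int, Tuple[str, Optional[str]]]:
    """Leader-side computation of index -> (UAC, S-UAC).

    Round-robin placement is assumed; the S-UAC is always a different node than the UAC."""
    if not nodes:
        raise ValueError("cluster has no members")
    table: Dict[int, Tuple[str, Optional[str]]] = {}
    for b in range(buckets):
        uac = nodes[b % len(nodes)]
        s_uac = nodes[(b + 1) % len(nodes)] if len(nodes) > 1 else None
        table[b] = (uac, s_uac)
    return table


def anchor_for(mac: str, table: Dict[int, Tuple[str, Optional[str]]],
               failed: frozenset = frozenset()) -> Optional[str]:
    """The managed device an AP tunnels this client to: the UAC, or the S-UAC once the UAC is down."""
    uac, s_uac = table[mac_index(mac, len(table))]
    return s_uac if uac in failed else uac


if __name__ == "__main__":
    members = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # constructed member IPs
    table = build_mapping(members)                     # what the leader distributes to every AP
    client = "00:11:22:33:44:55"                       # constructed client MAC
    uac = anchor_for(client, table)
    print("UAC from any AP:", uac)
    print("after UAC failure:", anchor_for(client, table, failed=frozenset({uac})))
```

Two different APs calling anchor_for with the same table get the same answer, which is the roaming property; passing the failed UAC in `failed` shows the lookup falling through to the S-UAC without the client's index changing.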

Remote AP Support

With Remote APs, a tunnel mode VPN is configured and each AP is assigned an inner-IP or remote-IP. The same remote-IP or inner-IP is assigned to the Remote APs on every managed device in the cluster. Starting from ArubaOS 8.0.0.0, the cluster setup supports both IPv4 and IPv6 clients, and IPv6 client sessions are also synchronized and continued after failovers.

Starting from ArubaOS 8.7.0.0, when both inner IPv4 address and inner IPv6 address pools are configured for Remote APs, the tunnel is established based on the outer IP address of the Remote AP. If the outer IP is IPv4 address, cluster inner IPv4 address from Remote AP inner IP pool is used to form the tunnel. Similarly, if the outer IP is IPv6 address, cluster inner IPv6 address is used to form the tunnel.

The following CLI command supports IPv4 addresses for Remote APs in a cluster configuration:

(host) [mynode] (config)#lc-rap-pool <pool_name> [{pool_start_address} {pool_end_address}]

The following CLI command supports IPv6 addresses for Remote APs in a cluster configuration:

(host) [mynode] (config)#lc-rap-pool-v6 <pool_name> [{pool_start_address} {pool_end_address}]

ArubaOS now provides support for ClearPass Policy Manager to allowlist Remote APs in a cluster environment. For more information, see Offloading a Controller Allowlist to ClearPass Policy Manager.

IPv6 Cluster Support

Starting from ArubaOS 8.2.0.0, IPv6 clusters are supported. Managed devices must terminate on the Mobility Conductor through the IPv6 IPsec tunnel.

Only IPv6 APs can terminate on an IPv6 cluster and clients can be either IPv4 or IPv6 type.

The following CLI command displays IPv6 cluster information:

(host) #show lc-cluster group-membership

ArubaOS now allows both IPv4 and IPv6 APs to connect to a cluster seamlessly in a dual-stack deployment, irrespective of the cluster IP address family. In a cluster formation, both the IPv4 and IPv6 addresses are exchanged between cluster members. Hence, the cluster can send both IPv4 and IPv6 addresses in node list to APs so that the APs are able to connect to the cluster member.

The following table provides information on the supported address modes between clusters and APs:

Table 1: Supported Address Modes

Cluster Address Mode      Supported on IPv4 APs   Supported on IPv6 APs
------------------------  ----------------------  ----------------------
Native IPv4 cluster       Yes                     No
Native IPv6 cluster       No                      Yes
Dual-stack IPv4 cluster   Yes                     Yes
Dual-stack IPv6 cluster   Yes                     Yes

Cluster Features

The following sections describe the features supported on a cluster:

Enhanced Multicast Proxy

A managed device acts as a multicast proxy for all the wireless clients connected to it. The managed device subscribes to a multicast stream through a single VLAN. Hence, only one copy of the multicast stream is delivered to a client.

When IGMP proxy or MLD proxy is enabled, client reports reach the UAC. The UAC then transfers the subscription information to the AAC. Both managed devices (AAC and UAC) serve as proxies for clients in the uplink multicast VLAN.

APs are anchored on the AAC and users on the UAC. When an AP boots, it establishes a tunnel with the AAC. The same tunnel is used for UAC traffic as well. When a client comes up, the AP determines its UAC and establishes a tunnel with the UAC. When the client roams from one AAC to another, PIM detects this roaming through the STA (station) channel, deletes the multicast subscriptions of the client from the old AAC, and adds them to the new AAC. To perform this, a cluster proxy table that stores per-client subscriptions is maintained on the UAC.

If a multicast stream is sourced from a wireless station, the managed device forwards the stream to the multicast router through the VLAN where the client is located. The downstream path is still from the multicast router to each managed device in the cluster through the VLAN configured for multicast proxy operation. If the two VLANs are the same, the proxy on the UAC of the sourcing client does not receive the stream from the multicast router.

The following CLI commands configure a cluster with a multicast VLAN:

(host) [multicast] (cluster1) #controller 10.15.128.102 mcast-vlan

<mcast_vlan> VLAN id

The following CLI command displays whether a cluster is configured with a multicast VLAN:

(host) #show lc-cluster group-profile cluster1

IPv4 Cluster Members
--------------------
CONTROLLER-IP   PRIORITY   MCAST-VLAN   VRRP-IP   VRRP-VLAN
-------------   --------   ----------   -------   ---------
10.15.128.103   128        29           0.0.0.0   0
10.15.128.104   128        29           0.0.0.0   0
10.15.128.105   128        29           0.0.0.0   0
10.15.128.102   128        29           0.0.0.0   0

Redundancy:Yes
Active Client Rebalance Threshold:50%
Standby Client Rebalance Threshold:75%
Unbalance Threshold:5%
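A parser for the show lc-cluster group-profile output shown above, as an added Python example that is not ArubaOS code, with a small audit that flags what an operator would want to know before relying on the cluster for failover: redundancy turned off, and members with no VRRP IP (0.0.0.0), which matters because the VRRP virtual IP is what the cluster uses as the NAS-IP for RADIUS and CoA. The sample output is a copy of the output above embedded inline so the script runs offline; the check that all members share one multicast VLAN is an assumed consistency rule, not something the page states.

```python
"""Parser and sanity checks for `show lc-cluster group-profile` output.
Added example, not ArubaOS code.  SAMPLE_OUTPUT reproduces the output shown
above so the script runs offline."""
import re
from typing import Dict, List, Tuple

SAMPLE_OUTPUT = """\
IPv4 Cluster Members
--------------------
CONTROLLER-IP PRIORITY MCAST-VLAN VRRP-IP VRRP-VLAN
------------- -------- ---------- ------- ---------
10.15.128.103 128 29 0.0.0.0 0
10.15.128.104 128 29 0.0.0.0 0
10.15.128.105 128 29 0.0.0.0 0
10.15.128.102 128 29 0.0.0.0 0
Redundancy:Yes
Active Client Rebalance Threshold:50%
Standby Client Rebalance Threshold:75%
Unbalance Threshold:5%
"""

# One member row: IPv4 address, priority, multicast VLAN, VRRP IP, VRRP VLAN
MEMBER_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<priority>\d+)\s+(?P<mcast_vlan>\d+)"
    r"\s+(?P<vrrp_ip>\S+)\s+(?P<vrrp_vlan>\d+)$"
)


def parse_group_profile(text: str) -> Tuple[List[Dict], Dict[str, str]]:
    """Return (members, settings): member rows as dicts, trailing 'Key:Value' lines as a dict."""
    members: List[Dict] = []
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= set("- "):
            continue                                   # blank lines and dashed rules
        m = MEMBER_RE.match(line)
        if m:
            row = m.groupdict()
            for key in ("priority", "mcast_vlan", "vrrp_vlan"):
                row[key] = int(row[key])
            members.append(row)
        elif ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
        # section titles and column headers carry no data and are skipped
    return members, settings


def percent(value: str) -> int:
    """'50%' -> 50"""
    return int(value.rstrip("%"))


def audit(members: List[Dict], settings: Dict[str, str]) -> List[str]:
    """Findings an operator would want flagged before relying on the cluster for failover."""
    findings = []
    if settings.get("Redundancy") != "Yes":
        findings.append("redundancy is off: no standby AAC/UAC is assigned, failover is not hitless")
    no_vrrp = [m["ip"] for m in members if m["vrrp_ip"] == "0.0.0.0"]
    if no_vrrp:
        findings.append("no VRRP IP on " + ", ".join(no_vrrp)
                        + ": no virtual IP to use as NAS-IP, so CoA cannot follow a UAC change")
    vlans = {m["mcast_vlan"] for m in members}
    if len(vlans) > 1:                                 # assumed rule: one multicast VLAN per cluster
        findings.append(f"multicast VLAN differs across members: {sorted(vlans)}")
    return findings


if __name__ == "__main__":
    members, settings = parse_group_profile(SAMPLE_OUTPUT)
    print(f"{len(members)} members, rebalance at {percent(settings['Active Client Rebalance Threshold'])}%")
    for finding in audit(members, settings):
        print("FINDING:", finding)
```

On the sample above the audit produces exactly one finding, the missing VRRP IPs, which corresponds to the VRRP assignment step described later under Authorization Server Interaction.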

Client State Synchronization

Client state synchronization feature helps resolve issues regarding seamless failover, service availability, and high availability. To achieve hitless failover, the following two conditions should be met:

Stateful failover is achieved through full client synchronization from the UAC to the S-UAC. For example, the station table, the user table, the L2 user state, the L3 user state, the key cache, the PMK cache, and so on are synchronized between the UAC and the S-UAC.

User sessions are synchronized or duplicated on an S-UAC. Only high-value sessions, such as FTP and DPI sessions, are synchronized. Sessions that are considered low value, such as regular HTTP traffic, are not synchronized.

When there is a failover, no client is deauthenticated; hence, the client seamlessly fails over to the S-UAC.

A maximum of 10 sessions per client is supported. Client state synchronization is now supported for IPv6 clients and dual stack.

In an existing cluster, when new managed devices are added and the existing managed devices carry a load above the threshold, the load balancer redirects traffic from the overloaded UACs to the new managed device. In this scenario, the sessions of these users are synchronized before the load balancer moves the users from the other UACs, to ensure reliability.

Starting from ArubaOS 8.6.0.0, during a UAC failure, hitless failover of high-value application traffic such as voice is supported when the client roams between BSSIDs.

Client state synchronization is useful in two different scenarios:

  • When Redundancy is OFF—When redundancy mode is turned off, a standby copy is not created for an AP or the client for failover protection. As part of load balancing, prior to a planned UAC switchover, sessions are synchronized to the new UAC.
  • When Redundancy is ON—When redundancy mode is turned on, the system assigns the standby managed device for all APs and clients. The sessions are synchronized to the standby UAC.

Execute the following command on one of the cluster members to view the list of duplicate users that are currently connected to S-UAC.

(host) #show user-table standby

AP LACP Support

A striping LMS-IP can no longer be used to stripe the traffic, because each AP has GRE tunnels to more than one managed device. Therefore, starting from ArubaOS 8.2.0.0, cluster LACP is used to stripe traffic on a per-UAC basis. That is, in a cluster setup, the clients or users on the same AP are steered to different UACs and the traffic is striped across these UACs.

When clustering is enabled, the striping IP is not used even in a single-node cluster; traffic for the Ethernet interfaces is striped according to the UAC node.

For a non-cluster setup, the striping LMS-IP is used in the same way as before.

For upstream traffic, cluster LACP load-balances these UACs across the Ethernet ports.

For downstream traffic, because the source IP and MAC address of the GRE packets differ from those of the AP, the AP's uplink switch spreads the traffic.

The following CLI commands configure AP LACP in a non-cluster topology:

On an uplink switch of an AP, use the following commands to configure LACP between the two Ethernet ports of the AP:

(host) [md] (config) #ap-lacp-striping-ip

(host) [md] (AP LACP LMS map information) #aplacp-enable

(host) [md] (AP LACP LMS map information) #striping-ip 10.15.127.2 lms 10.15.127.3

The following CLI command displays the configuration:

(host) #show ap-lacp-striping-ip

AP LACP LMS map information
---------------------------
Parameter              Value
---------              -----
AP LACP Striping IP    Enabled
GRE Striping IP        10.15.127.2 LMS 10.15.127.3

The lms-ip value in ap-system-profile will be used as a key to look up entries in ap-lacp profile.

It is recommended not to configure a GRE striping IP address for stand-alone controller deployments.

Authorization Server Interaction

This feature supports CoA requests in a cluster using multiple VRRP instances. It ensures that a CoA request is not dropped when the UAC changes because of a controller failure or client load balancing.

CoA (Change of Authorization) is an extension to RADIUS attributes and capabilities. CoA-Request messages are sent by a RADIUS server to a NAS device to dynamically modify the authorization attributes of an existing session. A CoA-Request contains the information for dynamically changing session authorizations. If the NAS is able to change the authorizations of the user session(s), it responds with a CoA-ACK; otherwise, it returns a CoA-NAK to the RADIUS server.

To support this feature, multiple VRRP instances are created dynamically, one instance per cluster node, with that cluster node acting as the conductor of its instance. In a cluster, the virtual IP of each VRRP instance is used as the NAS-IP when sending RADIUS requests to the RADIUS server.

For example, a cluster with five nodes has five VRRP instances and five virtual IP addresses, one virtual IP address for each VRRP instance. The cluster uses the virtual IP of an instance as the NAS-IP in a RADIUS request: when a cluster node sends RADIUS requests on behalf of a client that is authenticating against a RADIUS server, it inserts the virtual IP as the NAS-IP in that RADIUS packet.

To use the VRRP IP address of the A-UAC as the NAS-IP, a VRRP IP must be assigned to each cluster member. This assignment automatically configures the VRRP membership on the other members of the cluster and sets the VRRP priorities so that the primary A-UAC owns the virtual IP whenever it is up.
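Added example (this is not ArubaOS code or output): a minimal RADIUS Access-Request builder and parser in Python that places the VRRP virtual IP in the NAS-IP-Address attribute, as the cluster does, and checks that requests sent before and after a VRRP failover present the same NAS-IP. The user name, password, shared secret and the use of the page's 100.1.1.2 virtual IP are constructed for illustration; only the standard library is used.

```python
"""Added example, not ArubaOS code: build and parse a RADIUS Access-Request
whose NAS-IP-Address attribute carries the cluster VRRP virtual IP.

The point it shows: whichever cluster member currently owns the virtual IP
emits the same NAS-IP-Address, so the RADIUS server keys the NAS on an
identity that survives a failover. Packet layout follows RFC 2865. The VIP,
user name, password and shared secret are constructed for illustration.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value (length includes header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_ip: str,
                         authenticator: bytes = b"") -> bytes:
    """Build an Access-Request; nas_ip is what goes into NAS-IP-Address."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD,
                     _hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list with bounds checks; return {type: [values]}."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def nas_ip_of(packet: bytes) -> str:
    """Dotted NAS-IP-Address carried by an Access-Request."""
    return socket.inet_ntoa(parse_attributes(packet)[ATTR_NAS_IP_ADDRESS][0])


def nas_ip_is_stable(packets) -> bool:
    """True when every request, from whichever node sent it, names one NAS-IP."""
    return len({nas_ip_of(p) for p in packets}) == 1


if __name__ == "__main__":
    # Constructed scenario: VIP 100.1.1.2 (the page's example address) is held
    # by one member, then by its VRRP backup after a failover. Both members
    # send requests for the same client and both present the VIP as NAS-IP.
    VIP, SECRET = "100.1.1.2", b"constructed-shared-secret"
    before = build_access_request(1, "alice", "s3cret", SECRET, VIP)
    after = build_access_request(2, "alice", "s3cret", SECRET, VIP)
    print("NAS-IP before failover:", nas_ip_of(before))
    print("NAS-IP after failover: ", nas_ip_of(after))
    print("stable NAS identity:", nas_ip_is_stable([before, after]))
```

The check this supports on the RADIUS side: anything keyed on NAS-IP-Address (client definitions, policy, accounting records) should reference the virtual IP, not the switch IP of an individual member, because the attribute stays the same when the virtual IP moves to the backup member.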

The following procedure describes how to set the VRRP IP address and VRRP VLAN:

  1. When configuring a new cluster, select the group folder under which the managed devices are located, in the Managed Network node hierarchy.
  2. Navigate to the Configuration > Services > Clusters tab.
  3. Click + in the Clusters table to create a new cluster profile.

    The New Cluster Profile table is displayed.

  4. Enter a name for the cluster.
  5. Click + in the Controllers table to add a new controller.

    The Add Controller table is displayed.

  6. Enter the VRRP IP and the VRRP VLAN field values of the managed device.
  7. Click OK.
  8. Similarly, enter the VRRP IP and the VRRP VLAN values for all managed devices.

The following CLI commands set the VRRP IP address of the A-UAC as the NAS-IP:

(host) [MD-cluster1]#lc-cluster group-profile primary-cluster

(host) [MD-cluster1](Classic Controller Cluster Profile "primary-cluster") #controller 10.15.43.2 vrrp-ip 100.1.1.2 vrrp-vlan 100

Following is an example of how to set the VRRP IP for a cluster with two managed devices:

(host) [MD]#lc-cluster group-profile primary-cluster

(host) [MD-cluster1](Classic Controller Cluster Profile "primary-cluster") #controller 10.15.43.2 vrrp-ip 100.1.1.2 vrrp-vlan 100

(host) [MD-cluster4](Classic Controller Cluster Profile "primary-cluster") #controller 10.15.43.5 vrrp-ip 100.1.1.5 vrrp-vlan 100


The following CLI commands verify the VRRP status on both managed devices. The member that owns the virtual IP reports VR State CONDUCTOR with priority 255; the other member reports BACKUP with a lower priority for the same virtual IP. Auth type NONE in this output means the VRRP advertisements are not authenticated; see VRRP ID and Passphrase below to set a passphrase.

(host) [MD-cluster1] #show vrrp

Virtual Router 220:

Description

Admin State UP, VR State CONDUCTOR

IP Address 100.1.1.2, MAC Address 00:00:5e:00:01:dc, vlan 100

Priority 255, Advertisement 1 sec, Preemption Enable Delay 0

Auth type NONE ********

tracking is not enabled


(host) [MD-cluster4] #show vrrp

Virtual Router 220:

Description

Admin State UP, VR State BACKUP

IP Address 100.1.1.2, MAC Address 00:00:5e:00:01:dc, vlan 100

Priority 235, Advertisement 1 sec, Preemption Enable Delay 0

Auth type NONE ********

tracking is not enabled

AP Failover to Different Cluster

Starting from ArubaOS 8.0.0.0, an AP can fail over between clusters, so redundancy across geographically separated data centers is supported. An AP terminates on an AAC in a cluster. If that member fails, the AP fails over to the S-AAC in the same cluster. If the AP cannot reach any member of the first cluster, it terminates on another cluster set up in the backup data center. It does so only if a member IP of the other cluster is provided as the backup LMS (Local Management Switch) in the AP system profile.

For example, a cluster with four managed devices is deployed in the West Coast data center. Similarly, a cluster with four managed devices is deployed in the East Coast data center. An AP is configured to have a primary termination on the West Coast data center and backup termination on the East Coast data center. If a managed device fails in the West Coast data center, then the AAC moves to another managed device in the same data center. However, if the entire West Coast data center is inaccessible to the AP, then it fails over to the East Coast data center.

ArubaOS now allows you to disable the Ethernet link and/or the PoE (Power over Ethernet) PSE of the wired downlink ports during AP failover. When the AP fails over to a backup cluster in a different data center, the wired clients must be disconnected so that they re-initiate DHCP and obtain a new IP address from the backup data center's address pool. A wired port downtime is applied so that the clients release their old addresses. After the wired port downtime expires, the AP applies any configuration that was not applied during the downtime.

You can configure the wired port downtime for both the failover to the backup cluster and the fallback to the primary cluster. Port bounce can be configured for the Ethernet link, for PoE, or for both, in the AP system profile of the managed device.

The following procedure configures the port bounce feature in the AP system profile:

  1. In the Managed Network node hierarchy, navigate to Configuration > System > Profiles tab.
  2. In the All Profiles list, expand the AP menu and then select AP system.
  3. Select the AP system profile you want to edit, or click + to create a new profile.
  4. Under General, set the wired port downtime for PoE bounce, Ethernet link bounce, or both.
  5. Click Submit.
  6. Click Pending Changes.
  7. In the Pending Changes window, select the checkbox and click Deploy Changes.

The following CLI example configures the wired port downtime for both the Ethernet link and PoE:

(host)[mynode](config)#ap system-profile <profile-name>

(host)[mynode] (AP system profile "<profile-name>") # wired-poe-bounce-interval 10

(host)[mynode] (AP system profile "<profile-name>") # wired-port-bounce-interval 40

(host)[mynode] (AP system profile "<profile-name>") # write memory

Saving Configuration...

Configuration Saved.

The following CLI example displays the AP's wired port status and the wired port bounce configuration pushed from the controller (the intervals shown come from a profile other than the one configured above):

(host) [mynode] #show ap remote debug wired-port-down-state ap-name ap-303h1


The configurations pushed from the controller

---------------------------------------------

The port bounce time by disable POE: 30

The port bounce time by shutdown ethernet link: 60

AP's wired port is in down time, the port status as below

---------------------------------------------------------

All wired ports' status

-----------------------

Wired port   Ethernet link status   Whether Support PSE   PSE status
----------   --------------------   -------------------   ----------
eth0         up                     no
eth1         down                   no
eth2         down                   no
eth3         up                     yes                   enable

Grouping Managed Devices Within a Cluster

Starting from ArubaOS 8.2.0.0, you can group managed devices within a cluster to influence the S-AAC and S-UAC assignments. When the S-AAC and S-UAC are chosen, preference is given to managed devices in a group other than the one containing the AAC and UAC, so that the active and standby roles for an AP or client do not land in the same group.

A new parameter, group, is introduced in the lc-cluster group-profile command.

(host) #lc-cluster group-profile <profile>

controller <ip> [priority <prio>] [mcast-vlan <mcast_vlan>] [vrrp-ip <vrrp_ip> vrrp-vlan <vrrp_vlan> group <group number>]

AP Node List

When an AP joins a cluster, it learns the IP addresses of all the cluster members. These addresses are stored in a Node List, which is saved as an environment variable in the AP's flash memory. When the AP reboots and comes back up, it reads the Node List and contacts the cluster member listed first. If that member is down or unreachable, the AP tries the second member in the Node List, and so on. The AP always finds a managed device as long as at least one managed device in the cluster is active.

The AP rebootstraps if the entire Node List is not reachable.

APmove

This feature allows you to move a specific AP from its current managed device to a target managed device. The apmove command reassigns an AP or an AP group to any managed device.

Use the apmove command to move specific APs to an assigned managed device in the following scenarios:

  • To move some specific APs to another managed device without changing any configuration.
  • When there is no failover or rebootstrap relationship between the current managed device and the target managed device.

You can execute the apmove command in the following setups:

  • Same cluster group: apmove can only be executed on the cluster leader.
  • Same HA group: the command is executed on the HA-Active node and the AP fails over to the HA standby.
  • Normal topology: in a non-cluster setup, apmove can be executed on the node to move an AP from the current managed device to another managed device.

When cluster is enabled, the system access point monitor process checks whether the current node is the cluster leader. If it is not, it displays an error that includes the cluster leader's IP address, so that you can log in to the cluster leader and run the command there.

The apmove command is executed as follows:

(host) [mynode] (config) #apmove <ap-mac> <target-ip>

(host) [mynode] (config) #apmove <ap-group/all> <source-ip> <target-ip>


Parameter       Description
ap-mac          MAC (Media Access Control) address of a specific AP.
ap-group/all    APs in a specific group, or all APs on the specified managed device.
source-ip       Managed device from which the APs are to be moved.
target-ip       Managed device to which the APs are to be moved.

When the target IP is within the cluster, APmove is initiated from the cluster leader. When the target IP is outside the cluster, APmove is initiated on the AAC or S-AAC.

When APmove is initiated from the AAC, the AP receives the target IP and sets the APmove conductor variables. If the target is a managed device outside the current cluster, the AP rebootstraps and connects to that target. Whenever the target IP is outside the cluster, the AP's nodelist is purged, whether or not the target belongs to another cluster. If the target managed device is part of another cluster, a new nodelist is sent to the AP. If the AP cannot connect to any node in the nodelist, it falls back to other known entities such as previous_lms, backup_lms, conductor, and so on.

In a cluster environment, the priority given by the AP when APmove is initiated is as follows:

  1. APmove conductor (only used in cluster upgrade scenario)
  2. Cluster nodelist
  3. Previous LMS (CPsec-enabled only)
  4. Conductor variables

The nodelist avoids multiple redirections of the AP and lets it connect directly to the previously known AAC. If the previously known AAC is down, the AP connects to any of the nodes in the nodelist.

EST Support for Cluster

In a cluster setup, the APs establish IPsec tunnels with the AAC, S-AAC, and UAC. Starting from ArubaOS 8.4.0.0, the cluster members use enrolled certificates for IPsec tunnel authentication instead of the factory certificates.

When EST (Enrollment over Secure Transport) is enabled in a cluster setup, the AAC sends the EST parameters to the APs; the APs enroll and then establish IPsec tunnels with all the cluster members using the enrolled certificates.

The existing cluster is disconnected when EST is activated, and all the APs reboot as part of EST enrollment. During this process, the IPsec tunnels to the cluster peers are deleted, which disconnects the cluster on those peers. This ensures that cluster traffic is never sent to a peer without being encrypted and encapsulated.

It is recommended to enable EST on all the cluster members before enabling cluster group-membership.

Configuring EST support for cluster

To configure EST support for cluster, refer to Certificate Enrollment Using EST section.

Remote AP Support with Cluster behind NAT

Previously, Remote APs were supported only when all the managed devices in a cluster had public IP addresses. A cluster behind NAT (Network Address Translation) could not work with Remote APs because the managed devices in the cluster use switch IPs in a private address space that the Remote AP cannot reach.

Starting from ArubaOS 8.4.0.0, a Remote AP obtains the private-to-public IP address mapping from the cluster and maps each managed device's private address to its public address. A cluster behind NAT is therefore supported with Remote APs.

Key Consideration

Limitations

  • Configuring the same public IP for different nodes in the same cluster profile is not allowed.
  • Configuring the same public IP across different cluster profiles is allowed only when just one of those profiles is active across all cluster members.
  • Cluster is not supported for external allowlist-db.

The following procedure describes how to enable a cluster behind NAT with Remote APs:

  1. In the Managed Network node hierarchy, navigate to the Configuration > Services > Clusters tab.
  2. Click + in the Clusters table to create a new cluster profile.

    The New Cluster Profile table is displayed.

  3. Enter the cluster name as rapcluster in the Cluster Name field.
  4. Enter the RAP Public IP along with the other controller parameters.
  5. Click Submit.
  6. In the Cluster Profile tab, select rapcluster from the cluster group-membership drop-down list.
  7. Click Submit.
  8. Click Pending Changes.
  9. In the Pending Changes window, select the checkbox and click Deploy changes.

The following CLI commands map each cluster member's private address to the public address that the Remote AP uses, in the cluster profile:

(host) [cluster] (config) #lc-cluster group-profile rapcluster

(host) [cluster] (Classic Controller Cluster Profile "rapcluster") #controller 10.10.10.1 rap-public-ip 100.100.100.101

(host) [cluster] (Classic Controller Cluster Profile "rapcluster") #controller 10.10.10.2 rap-public-ip 100.100.100.102

(host) [cluster] (Classic Controller Cluster Profile "rapcluster") #controller 10.10.10.3 rap-public-ip 100.100.100.103

(host) [cluster] (Classic Controller Cluster Profile "rapcluster") #controller 10.10.10.4 rap-public-ip 100.100.100.104

When this profile is configured in the group-membership, then the corresponding public IP for that cluster member is used.

The following CLI command shows the public IP mapped to each controller's private IP address:

(host) #show lc-cluster group-profile


IPv4 Cluster Members
--------------------
CONTROLLER-IP  PRIORITY  MCAST-VLAN  VRRP-IP  VRRP-VLAN  GROUP-ID  RAP-PUBLIC-IP
-------------  --------  ----------  -------  ---------  --------  -------------
10.17.62.194   128       0           1.1.1.1  200        0         10.10.10.11
10.17.62.195   128       0           1.1.1.2  200        0         10.10.10.12

Deny Inter-User Bridging

Deny inter-user bridging prevents the forwarding of Layer-2 traffic between wired or wireless users, even when the users are on different managed devices in a cluster. The feature is supported on all the managed devices across a cluster.

This feature is also applicable to all deployment types for all clients, for example, Campus APs, Remote APs, wireless users, wired users, tunneled users, and split-tunnel users.

In previous releases, clients could reach trusted devices when deny-inter-user-bridging was enabled. Starting from ArubaOS 8.8.0.0, clients cannot reach those trusted devices on their network unless the devices are auto-learned or manually added to the allowed list.

Traffic from a client is forwarded only if the destination address is present in the allowed-address-list table. Any traffic, including broadcast, multicast, and other Layer-2 frames, is dropped if the Layer-3 destination of the packet is not in the allowed-address-list table.

Some Layer-2 devices are automatically learned and allowed by their Layer-3 addresses, such as the default gateway and the DNS server addresses taken from DHCP responses.

All other required local network addresses, such as non-default gateways where multiple routers exist, must be added manually to the allowed-address-list table. Otherwise, Layer-2 traffic to those destinations is dropped.

For troubleshooting, run the following show command in the CLI to check for dropped frames:

(host) [mynode] #show datapath frame

This feature is not supported in bridge mode deployments because bridge user's traffic is locally bridged by APs.

Auto Learn Addresses

In each VLAN, the managed devices auto-learn the gateway and DNS addresses by snooping DHCPv4, DHCPv6, and IPv6 RA (Router Advertisement) messages, so you need not add these addresses manually to the allowed list. If DHCP is not configured, add the gateway and DNS entries manually. If communication with additional local addresses is required, add those addresses manually as well. Apart from the auto-learned addresses, you can configure a maximum of 256 IP addresses.
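As an added example (not ArubaOS code), the following Python models the behaviour described in the preceding paragraphs: a DHCPv4 ACK is snooped for the router (option 3) and DNS (option 6) addresses to auto-learn them, manual entries are capped at 256, and each client frame is allowed or dropped on whether its Layer-3 destination is in the list, with per-family drop counters in the spirit of the counters output shown further down. The DHCP ACK bytes, the addresses and the AllowedAddressList class are constructed for this example; the controller's real datapath is not shown on the page.

```python
"""Added example, not ArubaOS code: a model of the deny-inter-user-bridging
allowed-address list described above.

Part 1 auto-learns gateway and DNS addresses by snooping a DHCPv4 ACK
(options 3 and 6), as the page says the managed device does. Part 2 makes
the forwarding decision: a client frame is allowed only when its Layer-3
destination is in the allowed list, and per-family drop counters are kept.
The 256 manual-entry limit is enforced. The DHCP ACK bytes and destinations
are constructed for illustration; class and function names are this example's.
"""
import ipaddress
from dataclasses import dataclass, field

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 3, 6, 53, 255
DHCP_ACK = 5
MAX_MANUAL_ENTRIES = 256


def dhcp_options(payload: bytes) -> dict:
    """Parse the option area of a BOOTP/DHCP message into {code: raw value}."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, pos = {}, 240
    while pos < len(payload):
        code = payload[pos]
        if code == OPT_END:
            break
        if code == 0:  # pad byte, no length
            pos += 1
            continue
        length = payload[pos + 1]
        opts[code] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length
    return opts


@dataclass
class AllowedAddressList:
    auto_learned: set = field(default_factory=set)
    manual: set = field(default_factory=set)
    drops: dict = field(default_factory=lambda: {4: 0, 6: 0})

    def snoop_dhcp(self, payload: bytes) -> list:
        """Learn router (option 3) and DNS (option 6) addresses from a DHCP ACK."""
        opts = dhcp_options(payload)
        if opts.get(OPT_MSG_TYPE) != bytes([DHCP_ACK]):
            return []  # only server answers carry addresses worth trusting
        learned = []
        for code in (OPT_ROUTER, OPT_DNS):
            raw = opts.get(code, b"")
            for i in range(0, len(raw) - len(raw) % 4, 4):
                addr = ipaddress.IPv4Address(raw[i:i + 4])
                self.auto_learned.add(addr)
                learned.append(str(addr))
        return learned

    def add_manual(self, text: str) -> None:
        """Counterpart of 'allowed-address-list ipv4|ipv6 <addr>'."""
        if len(self.manual) >= MAX_MANUAL_ENTRIES:
            raise OverflowError("manual allowed-address entries are capped at 256")
        self.manual.add(ipaddress.ip_address(text))

    def permits(self, dst: str) -> bool:
        """Forwarding decision for a client frame whose Layer-3 destination is dst."""
        addr = ipaddress.ip_address(dst)
        if addr in self.auto_learned or addr in self.manual:
            return True
        self.drops[addr.version] += 1
        return False


def constructed_dhcp_ack(router: str, dns: list) -> bytes:
    """Minimal DHCP ACK with option 3 (router) and option 6 (DNS); test data."""
    fixed = bytes(236)  # op..file fields are not needed for option parsing
    opts = bytes([OPT_MSG_TYPE, 1, DHCP_ACK])
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    opts += bytes([OPT_DNS, len(dns_raw)]) + dns_raw + bytes([OPT_END])
    return fixed + DHCP_MAGIC + opts


if __name__ == "__main__":
    acl = AllowedAddressList()
    ack = constructed_dhcp_ack("192.168.1.1", ["192.168.1.53", "8.8.8.8"])
    print("auto-learned:", acl.snoop_dhcp(ack))
    acl.add_manual("192.168.1.254")  # second router, not in DHCP: manual entry
    for dst in ("192.168.1.1", "192.168.1.254", "192.168.1.77", "2002::2"):
        print(f"{dst:>14}  {'allow' if acl.permits(dst) else 'drop'}")
    print("drop counters:", acl.drops)
```

The second router 192.168.1.254 in the demo stands for the non-default gateway case described above: it is never learned from DHCP, so frames to it are dropped until the address is added manually.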

Manually Configuring the Allowed Address List

To enable the Deny inter-user bridging feature, perform the following steps in the WebUI:

  1. In the Managed Network node hierarchy, navigate to Configuration > Services > Firewall.
  2. Expand the Inter User Bridging accordion and then click Deny inter user bridging toggle button.
  3. Click the + icon in the Allowed Addresses table to add IP addresses that are trusted devices.
    1. In the IP version field, select IPv4 or IPv6.
    2. In the IP address field, enter the IP address.
  4. Repeat step 3 to add all the allowed IP addresses.
  5. Click Submit.
  6. Click Pending Changes.
  7. In the Pending Changes window, select the checkbox and click Deploy changes.

To add allowed IP addresses when deny inter-user bridging is enabled, run the following commands in the CLI:

(host) [mynode] #allowed-address-list ipv4 <IP address>

(host) [mynode] #allowed-address-list ipv6 <IP address>

To view the allowed IP address list, run the following show commands in the CLI:

(host) [mynode] #show allowed-address-list all

Allowed address list

----------------------

Type : Address

----------------------

IPv4 2.2.2.2

IPv6 2002::2

IPV4 192.168.1.1

Total : 3

(host) [mynode] #show datapath allowed-address-list ipv4

Allowed address list

-----------------------

Type : Address

-----------------------

IPv4 2.2.2.2

IPV4 192.168.1.1

Total : 2

(host) [mynode] #show datapath allowed-address-list ipv6


Allowed address list

-----------------------

Type : Address

-----------------------

IPv6 2002::2

Total : 1

(host) [mynode] #show datapath allowed-address-list counters

------------------------------

Allowed address stats counter

------------------------------

IPv4 drop : 126

IPv6 drop : 1526

To remove IP addresses from the allowed list, run the no form of the same commands in the CLI:

(host) [mynode] #no allowed-address-list ipv4 <IP address>

(host) [mynode] #no allowed-address-list ipv6 <IP address>

VRRP ID and Passphrase

Cluster allows you to set the starting VRRP ID and a passphrase for the virtual IPs in the cluster profile, to avoid VRRP conflicts. The cluster VRRP members are assigned consecutive VRRP IDs starting from the configured value.

Traditionally, when you configured a virtual IP in a cluster, ArubaOS automatically configured the VRRP groups in the range 220 to 225. This led to VRRP conflicts when multiple clusters shared the same L2 network. To avoid these conflicts, clusters now allow you to set the VRRP ID for a virtual IP in the cluster profile.

The following parameters can be set in the cluster configuration profile. The following CLI commands configure the VRRP ID and VRRP passphrase:

lc-cluster group-profile <profile-name>

vrrp-id <starting id> [ vrrp-passphrase <vrrp passphrase string>]


Parameter         Description
vrrp-id           Optional. Starting VRRP ID for the cluster members; each member receives the next consecutive ID. If not configured, the system automatically assigns VRRP groups in the range 220-225.
vrrp-passphrase   Optional. Password of up to 8 characters used to authenticate VRRP peers in their advertisements. If not configured, the advertisements carry no authentication. This is VRRP simple text authentication: the passphrase is sent in clear on the VLAN, so it prevents instances from different clusters being accidentally mixed but is not a defence against a host on the same L2 segment injecting advertisements.

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. command checks the configuration:

(host) #show lc-cluster group-profile v4cluster

IPv4 Cluster Members
--------------------
CONTROLLER-IP  PRIORITY  MCAST-VLAN  VRRP-IP  VRRP-VLAN  GROUP-ID  RAP-PUBLIC-IP
-------------  --------  ----------  -------  ---------  --------  -------------
10.20.101.12   128       0           0.0.0.0  0          0         0.0.0.0
10.20.101.5    128       0           0.0.0.0  0          0         0.0.0.0
10.20.101.20   128       0           0.0.0.0  0          0         0.0.0.0
10.20.101.7    128       0           0.0.0.0  0          0         0.0.0.0

Redundancy:Yes

Active Client Rebalance Threshold:20%

Standby Client Rebalance Threshold:40%

Unbalance Threshold:5%

Active AP Load Balancing:YES

Active AP Rebalance Threshold:20%

Active AP Unbalanced Threshold:5%

Active AP Rebalance Count:50

Active AP Rebalance Timer:1 mins

Starting VRRP ID:99

VRRP Passphrase:********
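Added example, not ArubaOS code: a Python audit of show lc-cluster group-profile output that catches the two misconfigurations this page warns about, a RAP public IP repeated inside one profile (see Limitations under Remote AP Support with Cluster behind NAT) and VRRP ID ranges that overlap when several clusters share one L2 network (this section). It assumes members receive consecutive VRIDs starting at Starting VRRP ID (220 when the line is absent, in line with the legacy 220-225 range) and that every profile handed to check_l2_domain() sits on the same L2 network; neither assumption is stated on the page. The sample outputs are constructed in the page's column format, and all function names are this example's own.

```python
"""Added example, not ArubaOS code: audit 'show lc-cluster group-profile' output
for two pitfalls this page describes: a RAP public IP repeated inside one profile
(not allowed) and VRRP ID ranges that collide between clusters sharing one L2
network. Assumed, as the page does not state it: members get consecutive VRIDs
from 'Starting VRRP ID' (220 when absent, the legacy 220-225 range) and profiles
passed to check_l2_domain() share one L2 network. Sample outputs are constructed.
"""
import ipaddress

MEMBER_COLUMNS = ("controller_ip", "priority", "mcast_vlan", "vrrp_ip",
                  "vrrp_vlan", "group_id", "rap_public_ip")
DEFAULT_START_VRID = 220
MAX_VRID = 255  # VRID is an 8-bit field


def parse_group_profile(text: str) -> dict:
    """Return {'members': [row dicts], 'settings': {key: value}} from show output."""
    members, settings = [], {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(MEMBER_COLUMNS):
            try:
                ipaddress.IPv4Address(parts[0])
            except ValueError:
                continue  # column header or separator row
            members.append(dict(zip(MEMBER_COLUMNS, parts)))
        elif ":" in line and not line.startswith("-"):
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    return {"members": members, "settings": settings}


def vrid_set(profile: dict) -> set:
    """VRIDs the profile occupies under the consecutive-assignment assumption."""
    start = int(profile["settings"].get("Starting VRRP ID", DEFAULT_START_VRID))
    return set(range(start, start + len(profile["members"])))


def check_profile(name: str, profile: dict) -> list:
    """Per-profile findings: repeated rap-public-ip or vrrp-ip, VRID overflow."""
    findings = []
    for column, label in (("rap_public_ip", "rap-public-ip"), ("vrrp_ip", "vrrp-ip")):
        seen = {}
        for m in profile["members"]:
            value = m[column]
            if value == "0.0.0.0":
                continue  # not configured
            if value in seen:
                findings.append(f"{name}: {label} {value} repeated on "
                                f"{seen[value]} and {m['controller_ip']}")
            seen[value] = m["controller_ip"]
    if max(vrid_set(profile), default=0) > MAX_VRID:
        findings.append(f"{name}: VRID range runs past {MAX_VRID}")
    return findings


def check_l2_domain(profiles: dict) -> list:
    """Cross-profile findings: VRID collisions between clusters on one L2 network."""
    findings, names = [], sorted(profiles)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            clash = vrid_set(profiles[a]) & vrid_set(profiles[b])
            if clash:
                findings.append(f"VRID collision {sorted(clash)} between {a} and {b}")
    return findings


def constructed_output(rows: list, start_vrid=None) -> str:
    """Render rows in the page's column layout (constructed test data)."""
    lines = ["IPv4 Cluster Members", "-" * 20,
             "CONTROLLER-IP PRIORITY MCAST-VLAN VRRP-IP VRRP-VLAN GROUP-ID RAP-PUBLIC-IP",
             "------------- -------- ---------- ------- --------- -------- -------------",
             *(" ".join(r) for r in rows), "Redundancy:Yes"]
    if start_vrid is not None:
        lines.append(f"Starting VRRP ID:{start_vrid}")
    return "\n".join(lines)


SAMPLE_OUTPUTS = {
    "rapcluster": constructed_output([  # same public IP twice: not allowed
        ("10.10.10.1", "128", "0", "100.1.1.1", "100", "0", "100.100.100.101"),
        ("10.10.10.2", "128", "0", "100.1.1.2", "100", "0", "100.100.100.101")]),
    "legacy": constructed_output([  # no Starting VRRP ID line: defaults to 220
        ("10.15.43.2", "128", "0", "0.0.0.0", "0", "0", "0.0.0.0"),
        ("10.15.43.5", "128", "0", "0.0.0.0", "0", "0", "0.0.0.0")]),
    "v4cluster": constructed_output([
        ("10.20.101.12", "128", "0", "0.0.0.0", "0", "0", "0.0.0.0"),
        ("10.20.101.5", "128", "0", "0.0.0.0", "0", "0", "0.0.0.0"),
        ("10.20.101.20", "128", "0", "0.0.0.0", "0", "0", "0.0.0.0"),
        ("10.20.101.7", "128", "0", "0.0.0.0", "0", "0", "0.0.0.0")], start_vrid=99),
}


def audit(outputs: dict) -> list:
    """Parse every output; return per-profile findings, then cross-profile ones."""
    profiles = {n: parse_group_profile(t) for n, t in outputs.items()}
    findings = [f for n in sorted(profiles) for f in check_profile(n, profiles[n])]
    return findings + check_l2_domain(profiles)
```

Run audit(SAMPLE_OUTPUTS) to see both findings: rapcluster repeats 100.100.100.101 on two nodes, and rapcluster and legacy both default to VRIDs 220-221, which is exactly the collision the starting VRRP ID setting exists to avoid; v4cluster, configured with Starting VRRP ID 99, is clean.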