Controller Clustering
Cluster is a combination of multiple managed devices working together to provide high availability to all the clients and ensure service continuity when a failover occurs.
The APs are managed by a single managed device. The client load is shared by all the managed devices. The goal of a cluster is to provide full redundancy to APs and wireless clients alike in case of a malfunction of one or more of its cluster members.
All the members in a cluster are active managed devices.
Cluster facilitates a large roaming domain, minimizes fault-domain, and helps in speedy recovery.
The objectives of a cluster are:
- Seamless Campus Roaming—When a client roams between APs of different managed devices within a large L2 domain, the client retains the same subnet and IP address to ensure seamless roaming. The clients remain anchored to a single managed device in a cluster throughout their roaming area, which makes their roaming experience seamless because their L2 or L3 information and sessions remain on the same managed device.
- Hitless Client Failover—When a managed device fails, all the users fail over to their standby managed device seamlessly without any disruption to their wireless connectivity or existing high-value sessions.
- Client and AP Load Balancing—When there is excessive workload among the managed devices, the client and AP load is evenly balanced among the cluster members. Both clients and APs are load balanced seamlessly.
The following sections describe the prerequisites, key considerations, and features supported in a cluster.
Requirements
Cluster is supported only on the Mobility Conductor and cluster members can only be managed devices.
The following managed devices support clustering:
- 7200 Series controllers—Support for up to 12 nodes in a cluster.
- 7000 Series controllers—Support for a maximum of 4 nodes in a cluster.
- 9004 controllers—Support for a maximum of 4 nodes in a cluster.
- 9012 controllers—Support for a maximum of 4 nodes in a cluster.
- 9240 controllers—Support for up to 12 nodes in a cluster.
- Mobility Controller Virtual Appliance—Support for a maximum of 4 nodes in a cluster.
Even with a 12-node cluster, the maximum supported APs and client counts are limited to 10K and 100K, respectively.
Key Considerations
Some of the key considerations are:
- All the managed devices within the cluster need to run the same software version.
- If HA-AP fast failover is enabled, then cluster cannot be enabled.
- A 12-node cluster is supported for Remote APs. Starting from AOS-8.6.0.0, Remote APs can now terminate on the cluster with more than 4 nodes.
- A mix of hardware devices and the Mobility Controller Virtual Appliance-based controller is not supported.
- A Mobility Controller Virtual Appliance cluster can be set up only with same-SKU models. Only homogeneous clusters are supported for Mobility Controller Virtual Appliance.
- A mix of 7200 Series controllers and 7000 Series controllers within the same cluster is not recommended due to disparity in capacity between the two controller series models. However, you can use these devices in the same cluster when you want to migrate from a smaller cluster like 7000 series controllers to a larger cluster with 7200 Series controllers.
- Only homogeneous clusters are supported for 9004 managed devices.
- In a cluster, the managed devices do not have to be identical.
- A managed device can be either L2 or L3-connected or it can also be a mix of both.
- During VLAN configuration, all clusters are assumed to be L2-connected. To check for VLAN mismatches, the show lc-cluster vlan-probe status command is recommended, since the show lc-cluster group-membership command always displays devices as L2-connected. All user VLANs within a cluster are expected to be configured on all managed devices within the cluster to ensure seamless client failovers.
- Cluster is not supported for PSK-RAPs.
- Cluster is supported for external allowlist database for Remote APs in a ClearPass Policy Manager server.
- No license is required to enable the cluster feature.
- Cluster is not supported in stand-alone controllers.
- Campus APs, Remote APs, and Mesh APs are supported.
- Captive portal is not supported for the split-tunnel mode Virtual APs and wired APs, when cluster is enabled.
- Clustering does not work when the loopback IP address is set as Controller-IP because the cluster process does not source the heartbeat packets from the loopback interface.
- A cluster supports both IPv4 and IPv6 APs in a dual-stack deployment; this applies to both Campus APs and Remote APs.
Support for Homogeneous Cluster
A homogeneous cluster is a cluster built with all nodes of the same platform type.
Cluster AP Capacity
Cluster sizing depends on the required cluster AP count: every AP must have an AAC and an S-AAC with adequate capacity so that all APs can fail over. The recommended AP load of a cluster is half of its total capacity; therefore, the cluster AP count should be equal to 50% of the cluster capacity.
For example, if a cluster is made up of four 7220 managed devices, the combined capacity of four 7220 managed devices is 4096 APs, hence, the AP count would be 2048.
Support for Heterogeneous Cluster
The following list provides the points to be considered for cluster capacity (APs and clients) when the cluster has a heterogeneous managed device mix. For example, 7210, 7220, and 7240 controllers.
- Total capacity of individual managed devices in the cluster, when redundancy is disabled.
- The number of cluster nodes is restricted to four when it involves a 7000 Series managed device.
- When 7200 Series managed devices are added to a cluster consisting of other 7000 Series managed devices, then the capacity of the 7200 Series managed devices is reduced to the maximum capacity of the 7000 Series managed devices that are currently part of the cluster.
- When 7000 Series managed devices are added to a cluster consisting of 7200 Series managed devices, then one of the following conditions apply:
- If there are more than three 7200 Series managed devices in the cluster, the 7000 Series managed devices are not allowed to join the cluster.
- If the current AP or station count on the 7200 Series managed devices is greater than the maximum AP or station capacity supported on the newly added 7000 Series managed devices, then the 7000 Series managed devices are not allowed to join the cluster. To check if the 7000 Series managed devices are allowed to join the cluster, execute the command.
- If the current AP or station count on the 7200 Series managed devices is less than the maximum AP or station capacity supported on the newly added 7000 Series managed devices, then the capacity of the 7200 Series managed devices in the cluster drops to the maximum capacity supported on the 7000 Series managed devices, and the existing supported APs on the 7200 Series managed devices are not impacted.
- 9240 managed devices do not operate in a heterogeneous cluster.
Cluster AP Capacity
Cluster AP size should be equal to the lowest value of either 50% of total cluster capacity or the worst case scenario load. The worst case scenario load is the AP load handled by the remaining nodes in a cluster in the event of highest capacity cluster member going down.
The following examples show how to calculate the cluster AP size based on the capacity of the managed devices:
Example 1:
Consider a cluster with one 7220 managed device and two 7240 managed devices. The capacity of a 7220 managed device is 1024 APs and the capacity of a 7240 managed device is 1024 APs. 50% of the total capacity is (1024+1024+1024)/2 = 1536 APs. Now, assume one 7240 managed device is down; the worst case scenario load is (1024+1024) = 2048 APs.
Therefore, the cluster AP size in this example is 1536 APs as it is the lowest value between the 50% of total cluster capacity and the worst case scenario load.
Example 2:
Consider a cluster with two 7210 managed devices and one 7240 managed device. The capacity of a 7210 managed device is 512 APs and the capacity of a 7240 managed device is 512 APs. So, 50% of the total capacity is (512+512+512)/2 = 768 APs. Now, assume the 7240 managed device is down; the worst case scenario load is (512+512) = 1024 APs.
Therefore, the cluster AP size in this example is 1024 APs as it is the lowest value between the 50% of total cluster capacity and the worst case scenario load.
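The sizing rule above and the heterogeneous join rules from the preceding list, written out as an added example that is not part of this documentation. The functions take per-node AP capacities as input; the values used below are the ones from Example 1 and the four-7220 case, and the station capacity in the join check is a constructed sample value.

```python
"""Cluster AP sizing and 7000/7200 Series mixing checks (added example)."""
from typing import Iterable, List, Tuple


def cluster_ap_size(capacities: Iterable[int]) -> int:
    """Return the recommended cluster AP size.

    The size is the lower of:
      - 50% of the total cluster capacity, and
      - the worst-case load: the capacity left on the remaining nodes
        when the highest-capacity member goes down.
    """
    caps = list(capacities)
    if not caps:
        raise ValueError("a cluster needs at least one member")
    total = sum(caps)
    half_capacity = total // 2
    worst_case_load = total - max(caps)
    return min(half_capacity, worst_case_load)


def effective_capacities(nodes: Iterable[Tuple[str, int]]) -> List[int]:
    """Apply the mixed 7000/7200 Series capacity rule.

    nodes is a sequence of (series, ap_capacity) pairs, series being
    "7000" or "7200". When any 7000 Series device is present, every
    7200 Series device is capped at the largest 7000 Series capacity in
    the cluster, and the cluster is limited to four nodes.
    """
    node_list = list(nodes)
    caps_7000 = [cap for series, cap in node_list if series == "7000"]
    if not caps_7000:
        return [cap for _, cap in node_list]
    if len(node_list) > 4:
        raise ValueError("a cluster with a 7000 Series device is limited to four nodes")
    ceiling = max(caps_7000)
    return [min(cap, ceiling) for _, cap in node_list]


def can_7000_join(num_7200: int, current_aps: int, current_stations: int,
                  ap_cap_7000: int, station_cap_7000: int) -> Tuple[bool, str]:
    """Decide whether a 7000 Series device may join a 7200 Series cluster.

    Refused when the cluster already has more than three 7200 Series
    members, or when the current AP or station count on the 7200 Series
    members exceeds what the new device supports. Otherwise it joins and
    the 7200 Series capacity drops to the 7000 Series maximum.
    """
    if num_7200 > 3:
        return False, "more than three 7200 Series managed devices in the cluster"
    if current_aps > ap_cap_7000 or current_stations > station_cap_7000:
        return False, "current AP or station load exceeds the 7000 Series capacity"
    return True, "joined; 7200 Series capacity reduced to the 7000 Series maximum"


if __name__ == "__main__":
    # Example 1 from the text: one 7220 and two 7240, 1024 APs each.
    print("Example 1 cluster AP size:", cluster_ap_size([1024, 1024, 1024]))
    # Homogeneous four-node 7220 cluster from the text.
    print("Four 7220 cluster AP size:", cluster_ap_size([1024] * 4))
    # Constructed: two 7000 Series (512 APs) plus one 7200 Series (1024 APs).
    print("Mixed capacities:", effective_capacities([("7000", 512), ("7000", 512), ("7200", 1024)]))
```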
Cluster Connection Types
Clustering supports the following two connection types for cluster members:
- L2-connected—The cluster members share the same user VLANs. All user VLANs on each node are also present in all nodes.
- L3-connected—The cluster members do not necessarily share the same user VLANs. Some user VLANs are not present on the other nodes.
Cluster can be formed over an L2 or L3 network. L2 is recommended for simplicity.
Roles
This section explains the roles of the members within the cluster:
Cluster Leader
When several managed devices form a cluster, the devices exchange handshake or hello messages with one another to form a cluster. When all the cluster members are in a fully connected mesh, a cluster leader is elected. The cluster leader is elected based on the highest effective priority derived from the configured priority, the platform value, and the MAC address of the device.
The cluster leader computes which client is mapped to which cluster member.
The cluster leader also dynamically and seamlessly balances the client load when load increases and there is an imbalance of load among the cluster members.
The cluster leader identifies standby managed devices for clients and APs to ensure hitless failover.
AAC - AP Anchor Controller
This role is assigned to a managed device from an individual AP's perspective; it is the anchor for APs. The AP sets up active tunnels with its LMS-IP, and the AAC is responsible for handling all management functions of the AP and its radios.
UAC - User Anchor Controller
This is an anchor for users. The user associates to an AP and the AP creates a dynamic tunnel to the client UAC. The UAC handles all the wireless client traffic, including association or disassociation notification, authentication, and all the unicast traffic between the managed device and the client. The UAC is used to ensure that the managed device remains the same within the cluster when clients roam between APs.
S-AAC - Standby AP Anchor Controller
A standby AAC is dynamically assigned from the other cluster members. An AP sets up standby tunnels with the S-AAC. If the AAC fails, the S-AAC detects the failure and ensures that the AP fails over to the S-AAC. After the original AAC fails and the S-AAC becomes the new AAC, the cluster leader dynamically chooses a new S-AAC for the AP.
S-UAC - Standby User Anchor Controller
This is the standby managed device from the user's perspective. The S-UAC role is given to the managed device that a user fails over to when the active UAC (A-UAC) is down.
Anchored to a Single Managed Device
A user is mapped to a UAC through a hashing algorithm at the AP level. At the AP, there is a single hashing algorithm that creates an index based on the MAC address of the client. This index points to a mapping table to the actual UAC for that user. This mapping is sent to all the nodes in the cluster by the cluster leader, and then the AAC sends this mapping to the respective APs. So, all APs in the cluster have the same mapping information. The cluster leader assigns the S-AAC to each AP after considering the AP load on the cluster.
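The anchoring mechanism just described, as an added example that is not Aruba code: a client MAC is hashed to an index, the index selects the active and standby UAC from a table the leader distributes, every AP holding a copy resolves the same UAC, and on a node failure the S-UAC is promoted. The hash function (SHA-256 reduced modulo the table size), the table size, and the round-robin bucket assignment are assumptions; the page does not describe AOS-8's actual algorithms. The member addresses are the ones shown in the show lc-cluster group-profile output on this page.

```python
"""Client-to-UAC anchoring via a MAC hash and a leader-distributed table (added example)."""
import hashlib
from typing import Dict, List, Optional, Tuple

TABLE_SIZE = 256  # assumed size of the bucket table

# bucket index -> (active UAC, standby UAC or None until the leader picks one)
BucketTable = Dict[int, Tuple[str, Optional[str]]]


def mac_to_index(mac: str, table_size: int = TABLE_SIZE) -> int:
    """Hash a client MAC such as 'aa:bb:cc:dd:ee:01' to a table index (assumed hash)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    digest = hashlib.sha256(raw).digest()
    return int.from_bytes(digest[:4], "big") % table_size


def leader_build_table(members: List[str], table_size: int = TABLE_SIZE) -> BucketTable:
    """Cluster leader: assign every bucket an active UAC and a standby UAC.

    Buckets are spread round-robin so the client load is shared, and the
    standby is the next member in the ring, so it is never the active node.
    """
    if len(members) < 2:
        raise ValueError("a standby UAC needs at least two cluster members")
    table: BucketTable = {}
    for idx in range(table_size):
        active = members[idx % len(members)]
        standby = members[(idx + 1) % len(members)]
        table[idx] = (active, standby)
    return table


def ap_lookup_uac(mac: str, table: BucketTable) -> str:
    """What any AP does: hash the MAC and read the active UAC from its copy of the table."""
    return table[mac_to_index(mac, len(table))][0]


def failover(table: BucketTable, failed_member: str) -> BucketTable:
    """Promote the S-UAC for every bucket whose active UAC was the failed node.

    Buckets that lose their active or standby node are left without a
    standby (None) until the leader assigns a fresh one.
    """
    new_table: BucketTable = {}
    for idx, (active, standby) in table.items():
        if active == failed_member:
            new_table[idx] = (standby, None)
        elif standby == failed_member:
            new_table[idx] = (active, None)
        else:
            new_table[idx] = (active, standby)
    return new_table


if __name__ == "__main__":
    members = ["10.15.128.102", "10.15.128.103", "10.15.128.104", "10.15.128.105"]
    table = leader_build_table(members)
    client = "aa:bb:cc:dd:ee:01"  # constructed client MAC
    # Two APs with identical copies of the table resolve the same anchor,
    # which is why a roaming client keeps its UAC.
    ap_a, ap_b = dict(table), dict(table)
    print("AP A ->", ap_lookup_uac(client, ap_a), "| AP B ->", ap_lookup_uac(client, ap_b))
    after = failover(table, ap_lookup_uac(client, table))
    print("after failover ->", ap_lookup_uac(client, after))
```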
Remote AP Support
With Remote APs, a tunnel mode VPN is configured and each AP is assigned an inner-IP or remote-IP. The same remote-IP or inner-IP is assigned to the Remote APs on every managed device in the cluster. Starting from AOS-8.0.0.0, the cluster setup supports both IPv4 and IPv6 clients, and the IPv6 client sessions are also synchronized and continued after failovers.
Starting from AOS-8.7.0.0, when both inner IPv4 address and inner IPv6 address pools are configured for Remote APs, the tunnel is established based on the outer IP address of the Remote AP. If the outer IP is IPv4 address, cluster inner IPv4 address from Remote AP inner IP pool is used to form the tunnel. Similarly, if the outer IP is IPv6 address, cluster inner IPv6 address is used to form the tunnel.
The following CLI command supports IPv4 addresses for Remote APs in a cluster configuration:
(host) [mynode] (config)#lc-rap-pool <pool_name> [{pool_start_address} {pool_end_address}]
The following CLI command supports IPv6 addresses for Remote APs in a cluster configuration:
(host) [mynode] (config)#lc-rap-pool-v6 <pool_name> [{pool_start_address} {pool_end_address}]
AOS-8 now provides support for ClearPass Policy Manager to allowlist Remote APs in a cluster environment. For more information, see Offloading a Controller Allowlist to ClearPass Policy Manager.
IPv6 Cluster Support
Starting from AOS-8.2.0.0, IPv6 cluster is supported. Managed devices must terminate on the Mobility Conductor through the IPv6 IPsec tunnel.
Only IPv6 APs can terminate on an IPv6 cluster, and clients can be either IPv4 or IPv6 type.
The following CLI command displays IPv6 cluster information:
(host) #show lc-cluster group-membership
VRRP-IP and VRRP-VLAN are not supported with IPv6 cluster.
AOS-8 now allows both IPv4 and IPv6 APs to connect to a cluster seamlessly in a dual-stack deployment, irrespective of the cluster IP address family. In a cluster formation, both the IPv4 and IPv6 addresses are exchanged between cluster members. Hence, the cluster can send both IPv4 and IPv6 addresses in node list to APs so that the APs are able to connect to the cluster member.
The following table provides information on the supported address modes between clusters and APs:
Cluster Address Mode | Supported on IPv4 APs | Supported on IPv6 APs
---|---|---
Native IPv4 cluster | Yes | No
Native IPv6 cluster | No | Yes
Dual-stack IPv4 cluster | Yes | Yes
Dual-stack IPv6 cluster | Yes | Yes
Cluster Features
Following sections describe the features supported on a cluster:
Enhanced Multicast Proxy
A managed device acts as a multicast proxy for all the wireless clients connected to it. The subscription of the managed device to a multicast stream is done through a single VLAN. Hence, only one copy of the multicast stream will be delivered to a client.
Clustering supports only IGMP proxy and MLD.
When IGMP proxy or MLD is enabled, client reports reach the UAC. The UAC then transfers the subscription information to the AAC. Both managed devices (AAC and UAC) serve as proxies for clients in the uplink multicast VLAN.
APs are anchored on the AAC and users on the UAC. When an AP boots, it establishes a tunnel with the AAC. The same tunnel is used for UAC traffic as well. When a client comes up, the AP determines its UAC and establishes a tunnel with the UAC. When the client roams from one AAC to another, PIM detects this roaming through the STA (station) channel and deletes the multicast subscriptions of the client from the old AAC and adds them to the new AAC. To perform this, a cluster proxy table that stores per-client subscriptions is maintained in the UAC.
If a multicast stream is sourced from a wireless station, the managed device forwards the stream to the multicast router through the VLAN where the client is located. The downstream is still from the multicast router to each managed device in the cluster through the VLAN configured for multicast proxy operation. If the two VLANs are the same, the proxy on the UAC of the sourcing client does not receive the stream from the multicast router.
In an L3-connected cluster, when the AAC does not have the same VLAN as the UAC, the multicast traffic from the uplink does not reach the AAC. Therefore, the cluster has to be L2-connected to stream multicast traffic.
The following CLI commands configure a cluster with a multicast VLAN:
(host) [multicast] (cluster1) #controller 10.15.128.102 mcast-vlan
<mcast_vlan> VLAN id
The following CLI command displays whether a cluster is configured with a multicast VLAN:
(host) #show lc-cluster group-profile cluster1
IPv4 Cluster Members
--------------------
CONTROLLER-IP PRIORITY MCAST-VLAN VRRP-IP VRRP-VLAN
------------- -------- ---------- ------- ---------
10.15.128.103 128 29 0.0.0.0 0
10.15.128.104 128 29 0.0.0.0 0
10.15.128.105 128 29 0.0.0.0 0
10.15.128.102 128 29 0.0.0.0 0
Redundancy:Yes
Active Client Rebalance Threshold:50%
Standby Client Rebalance Threshold:75%
Unbalance Threshold:5%
Client State Synchronization
Client state synchronization feature helps resolve issues regarding seamless failover, service availability, and high availability. To achieve hitless failover, the following two conditions should be met:
- Redundancy mode needs to be enabled; it is enabled by default.
- L2-connected type, that is, the cluster members must share the same VLANs.
Stateful failover is achieved through full client synchronization from the UAC to the S-UAC. For example, the station table, the user table, the L2 user state, the L3 user state, the key cache, the PMK cache, and so on get synchronized between the UAC and the S-UAC.
User sessions are synchronized or duplicated on an S-UAC. Only high-value sessions like FTP and DPI are synchronized. Sessions that are considered low value, like regular HTTP traffic, are not synchronized.
When there is a failover, no client is deauthenticated, and hence the client seamlessly fails over to the S-UAC.
A maximum of 10 sessions per client is supported. Client state synchronization is now supported for IPv6 clients and dual stack.
In an existing cluster, when new managed devices are added and the existing managed devices have a load more than the threshold, the load balancer ensures that traffic from UACs that are overloaded are redirected to the new managed device. In this scenario, synchronization of sessions for these users is performed before the load balancer switches the users from other UACs to ensure reliability.
Starting from AOS-8.6.0.0, during a UAC failure, hitless failover of high-value application traffic such as voice is supported when the client roams between BSSIDs.
Client state synchronization is useful in two different scenarios:
- When Redundancy is OFF —When redundancy mode is turned off, a standby copy is not created for an AP or the client for failover protection. As part of load balancing, prior to planned UAC switchover, sessions are synchronized to the new UAC.
- When Redundancy is ON —When redundancy mode is turned on, the system assigns the standby managed device for all APs and clients. The sessions are synchronized to the standby UAC.
Execute the following command on one of the cluster members to view the list of duplicate users that are currently connected to S-UAC.
(host) #show user-table standby
AP LACP Support
Striping LMS IP can no longer be used to stripe the traffic, as each AP has GRE tunnels to more than one managed device. Therefore, starting from AOS-8.2.0.0, Cluster LACP is used to stripe traffic on a per-UAC basis. That is, in a cluster setup, the clients or users on the same AP are steered to different UACs and the traffic is striped to these UACs.
When cluster is enabled, striping IP is not used even if it is a single-node cluster; the striping of traffic for the Ethernet interfaces is according to the UAC node.
For a non-cluster setup, the striping LMS IP is used in the same way as before.
For upstream traffic, the cluster LACP load-balances these UACs across the Ethernet ports.
For downstream traffic, because the GRE packets are different from those of the AP, the AP's uplink switch spreads the traffic.
The following CLI commands configure AP LACP in a non-cluster topology:
On an uplink switch of an AP, use the following command to configure LACP between the two Ethernet ports of the AP:
(host) [md] (config) #ap-lacp-striping-ip
(host) [md] (AP LACP LMS map information) #aplacp-enable
(host) [md] (AP LACP LMS map information) #striping-ip 10.15.127.2 lms 10.15.127.3
The following CLI command displays the configuration:
(host) #show ap-lacp-striping-ip
AP LACP LMS map information
---------------------------
Parameter Value
--------- -----
AP LACP Striping IP Enabled
GRE Striping IP 10.15.127.2 LMS 10.15.127.3
The lms-ip value in ap-system-profile will be used as a key to look up entries in ap-lacp profile.
It is recommended not to configure a GRE striping IP address for stand-alone controller deployments.
Authorization Server Interaction
This feature supports CoA (Change of Authorization) requests in a cluster using multiple VRRP (Virtual Router Redundancy Protocol) instances. It ensures that a CoA request is not dropped when the UAC changes due to controller failure or client load balancing.
CoA is an extension to RADIUS attributes and capabilities. CoA-Request messages are sent by a RADIUS server to a NAS (Network Access Server) device to dynamically modify the authorization attributes of an existing session. A CoA-Request contains the information for dynamically changing session authorizations. If the NAS is able to change the authorization of the user session(s), it responds with a CoA-ACK; otherwise, it returns a CoA-NAK to the RADIUS server.
To support this feature, multiple VRRP instances are created dynamically, one per cluster node, with that cluster node as the conductor of its instance. In a cluster, the virtual IP of each VRRP instance is used as the NAS-IP when sending RADIUS requests to the RADIUS server.
The VRRP IDs for these instances are reserved; the reserved IDs range from 220 to 255.
For example, a cluster with 5 nodes has five VRRP instances and five virtual IP addresses, one virtual IP address per VRRP instance. The cluster uses the virtual IP of an instance as the NAS-IP in a RADIUS request. That is, when a cluster node sends RADIUS requests to a RADIUS server on behalf of a client that is trying to authenticate, it inserts the virtual IP as the NAS-IP in that RADIUS packet.
The VRRP VLAN can be the same as that of the controller-ip. It can also be different, provided the same VLAN is used on all the cluster members.
To set the VRRP IP address of the A-UAC as the NAS IP, a VRRP IP must be assigned for each cluster member. This assignment automatically configures the VRRP membership for the other members of the cluster and sets the VRRP priority so that the primary A-UAC owns the virtual IP when it is up.
The following procedure describes how to set the VRRP IP address and VRRP VLAN:
- When configuring a new cluster, select the group folder under which the managed devices are located, in the node hierarchy.
- Navigate to the tab. The table is displayed.
- Click in the table to create a new cluster profile.
- Enter a name for the cluster.
- Click in the table to add a new controller. The table is displayed.
- Enter the managed device and the field values.
- Click .
- Similarly, enter the values for all the managed devices.
Aruba recommends using the same controller-ip subnet as the VRRP-VLAN.
The following CLI commands set the VRRP IP address of the A-UAC as the NAS IP:
(host) [MD-cluster1]#lc-cluster group-profile primary-cluster
(host) [MD-cluster1](Classic Controller Cluster Profile "primary-cluster") #controller 10.15.43.2 vrrp-ip 100.1.1.2 vrrp-vlan 100
Following is an example of how to set the VRRP IP for a cluster with two managed devices:
(host) [MD]#lc-cluster group-profile primary-cluster
(host) [MD-cluster1](Classic Controller Cluster Profile "primary-cluster") #controller 10.15.43.2 vrrp-ip 100.1.1.2 vrrp-vlan 100
(host) [MD-cluster4](Classic Controller Cluster Profile "primary-cluster") #controller 10.15.43.5 vrrp-ip 100.1.1.5 vrrp-vlan 100
The following CLI commands verify the VRRP status on both managed devices:
(host) [MD-cluster1] #show vrrp
Virtual Router 220:
Description
Admin State UP, VR State CONDUCTOR
IP Address 100.1.1.2, MAC Address 00:00:5e:00:01:dc, vlan 100
Priority 255, Advertisement 1 sec, Preemption Enable Delay 0
Auth type NONE ********
tracking is not enabled
(host) [MD-cluster4] #show vrrp
Virtual Router 220:
Description
Admin State UP, VR State BACKUP
IP Address 100.1.1.2, MAC Address 00:00:5e:00:01:dc, vlan 100
Priority 235, Advertisement 1 sec, Preemption Enable Delay 0
Auth type NONE ********
tracking is not enabled
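As an added check that is not part of the original page or of ArubaOS, the following Python parses the show vrrp output of each cluster member and flags the conditions that would leave the NAS-IP unanswered or duplicated: a VRID outside the reserved 220-255 range, zero or more than one CONDUCTOR for a VRID, a conductor whose priority is not 255, or members that disagree on the VIP or VLAN. The sample output is constructed from the example above; the node names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: "show vrrp" output as captured from two cluster members,
# modelled on the example in this section (not a real capture).
SHOW_VRRP_BY_NODE = {
    "MD-cluster1": """Virtual Router 220:
Description
Admin State UP, VR State CONDUCTOR
IP Address 100.1.1.2, MAC Address 00:00:5e:00:01:dc, vlan 100
Priority 255, Advertisement 1 sec, Preemption Enable Delay 0
Auth type NONE ********
tracking is not enabled
""",
    "MD-cluster4": """Virtual Router 220:
Description
Admin State UP, VR State BACKUP
IP Address 100.1.1.2, MAC Address 00:00:5e:00:01:dc, vlan 100
Priority 235, Advertisement 1 sec, Preemption Enable Delay 0
Auth type NONE ********
tracking is not enabled
""",
}

RESERVED_VRID = range(220, 256)  # cluster NAS-IP instances use VRIDs 220-255

VR_HEADER = re.compile(r"^Virtual Router (\d+):")
STATE_RE = re.compile(r"Admin State (\w+), VR State (\w+)")
IP_RE = re.compile(r"IP Address ([\d.]+), MAC Address ([0-9a-f:]+), vlan (\d+)")
PRIO_RE = re.compile(r"Priority (\d+)")


def parse_show_vrrp(text):
    """Return {vrid: {"admin", "state", "vip", "mac", "vlan", "priority"}} from one node's output."""
    instances = {}
    current = None
    for line in text.splitlines():
        m = VR_HEADER.match(line)
        if m:
            current = int(m.group(1))
            instances[current] = {}
            continue
        if current is None:
            continue
        if (m := STATE_RE.search(line)):
            instances[current]["admin"], instances[current]["state"] = m.groups()
        elif (m := IP_RE.search(line)):
            vip, mac, vlan = m.groups()
            instances[current].update(vip=vip, mac=mac, vlan=int(vlan))
        elif (m := PRIO_RE.search(line)):
            instances[current]["priority"] = int(m.group(1))
    return instances


def audit_cluster_vrrp(outputs):
    """Cross-check the per-node parses; returns a list of findings (empty means healthy)."""
    findings = []
    by_vrid = defaultdict(dict)  # vrid -> node -> parsed instance
    for node, text in outputs.items():
        for vrid, inst in parse_show_vrrp(text).items():
            by_vrid[vrid][node] = inst
    for vrid, nodes in sorted(by_vrid.items()):
        if vrid not in RESERVED_VRID:
            findings.append(f"VRID {vrid}: outside reserved cluster range 220-255")
        conductors = [n for n, i in nodes.items() if i.get("state") == "CONDUCTOR"]
        if len(conductors) != 1:
            # 0 conductors: nobody answers on the NAS-IP, so CoA requests are lost.
            # >1 conductors: split-brain, the VIP is claimed twice on the VLAN.
            findings.append(f"VRID {vrid}: {len(conductors)} conductor(s), expected 1")
        for n in conductors:
            prio = nodes[n].get("priority")
            if prio != 255:
                findings.append(f"VRID {vrid}: conductor {n} priority {prio} != 255")
        vips = {i.get("vip") for i in nodes.values()}
        vlans = {i.get("vlan") for i in nodes.values()}
        if len(vips) != 1 or len(vlans) != 1:
            findings.append(f"VRID {vrid}: members disagree on VIP/VLAN {vips}/{vlans}")
    return findings
```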
AP Failover to Different Cluster
Starting from AOS-8.0.0.0, an AP can fail over between clusters. Redundancy across geographically separated data centers is supported. An AP terminates on an AAC in a cluster. If a member in the cluster fails, the AP fails over to the S-AAC in the same cluster. If the AP is unable to establish communication with any of the members in the first cluster, it terminates on another cluster set up in the backup data center. It terminates on another cluster only if the other cluster member IP is provided in the AP system profile as the backup LMS.
For example, a cluster with four managed devices is deployed in the West Coast data center. Similarly, a cluster with four managed devices is deployed in the East Coast data center. An AP is configured to have a primary termination on the West Coast data center and backup termination on the East Coast data center. If a managed device fails in the West Coast data center, then the AAC moves to another managed device in the same data center. However, if the entire West Coast data center is inaccessible to the AP, then it fails over to the East Coast data center.
AOS-8 now allows you to disable the Ethernet link and/or the PoE (Power over Ethernet) PSE of the wired downlink ports during AP failover. When the AP fails over to a backup cluster that is in a different data center, the wired clients must be disconnected so that they can re-initiate a DHCP request and obtain a new IP address from a different IP address pool. You must also apply a wired port downtime so that the clients can release the IP address. After the wired port downtime expires, the AP can recover the configurations that were not applied during the downtime.
You can configure the wired port downtime after the AP fails over to the backup cluster or falls back to the primary cluster. You can configure port bounce for either the Ethernet link or the PoE, or configure the downtime for both, in the AP system profile of the managed device.
The following procedure configures the port bounce feature in the AP system profile:
- In the node hierarchy, navigate to the tab.
- In the list, expand the AP menu and then select .
- Select the AP system profile you want to edit, or click to create a new profile.
- Under , perform one of the following steps:
  - Enter a value between 0 and 60 in the Wired Port Down-Time By Shutdown Ethernet Link field.
  - Enter a value between 0 and 60 in the Wired Port Down-Time By Shutdown POE field.
  - Enter a value between 0 and 60 in both the Wired Port Down-Time By Shutdown Ethernet Link and Wired Port Down-Time By Shutdown POE fields.
- Click .
- Click .
- In the window, select the checkbox and click .
The following CLI example configures the wired port downtime for both the Ethernet link and PoE:
(host)[mynode](config)#ap system-profile <profile-name>
(host)[mynode] (AP system profile "<profile-name>") # wired-poe-bounce-interval 10
(host)[mynode] (AP system profile "<profile-name>") # wired-port-bounce-interval 40
(host)[mynode] (AP system profile "<profile-name>") # write memory
Saving Configuration...
Configuration Saved.
The following CLI example displays the AP's wired port status and the wired port bounce configuration pushed from the controller:
(host) [mynode] #show ap remote debug wired-port-down-state ap-name ap-303h1
The configurations pushed from the controller
---------------------------------------------
The port bounce time by disable POE: 30
The port bounce time by shutdown ethernet link: 60
AP's wired port is in down time, the port status as below
---------------------------------------------------------
All wired ports' status
-----------------------
Wired port Ethernet link status Whether Support PSE PSE status
---------- -------------------- ------------------- ----------
eth0 up no
eth1 down no
eth2 down no
eth3 up yes enable
Grouping Managed Devices Within a Cluster
Starting from AOS-8.2.0.0, you can group managed devices within a cluster, which helps influence the S-AAC and S-UAC assignments. Preference for both the S-AAC and the S-UAC is given to managed devices in a group different from the one that contains the AAC and UAC.
A new parameter, group, is introduced in the lc-cluster group-profile command:
(host) #lc-cluster group-profile <profile>
controller <ip> [priority <prio>] [mcast-vlan <mcast_vlan>] [vrrp-ip <vrrp_ip> vrrp-vlan <vrrp_vlan> group <group number>]
AP Node List
When an AP joins a cluster, it learns the IP addresses of all the cluster members. These IP addresses are stored in a Node List, which is saved as an environment variable in the AP's flash memory. Therefore, when the AP reboots and comes back up, it checks the Node List and contacts the cluster member listed first. If that member is down or not reachable, the AP tries the second cluster member in the Node List, and so forth. The AP always finds a managed device as long as at least one managed device is active in the cluster.
The AP rebootstraps if the entire Node List is unreachable.
APmove
This feature allows an end user to move a specific AP from the current managed device to a target managed device. The apmove command reassigns an AP or AP group to any managed device.
Use the apmove command to move a specific AP to a specific assigned managed device in the following scenarios:
- To move some specific APs to another managed device without changing any configuration.
- If there is no failover or rebootstrap configuration between the current managed device and the target managed device.
You can execute the apmove command in the following setups:
- Same cluster group — apmove can only be executed on a cluster leader.
- Same HA — this command is executed on the HA-Active node and the AP fails over to the HA standby.
- Normal topology — In a non-cluster setup, apmove can be executed on the node to move an AP from the current managed device to another managed device.
If cluster is enabled, the system access point monitor process checks whether the current node is the cluster leader. If not, it displays an error and provides the cluster leader's IP address to the end user, who can then locate the cluster leader and execute the command on the correct managed device.
The following CLI commands move a specific AP, or the APs of an AP group, to a target managed device:
(host) [mynode] (config) #apmove <ap-mac> <target-ip>
(host) [mynode] (config) #apmove <ap-group/all> <source-ip> <target-ip>
Parameter | Description
---|---
ap-mac | MAC address of a specific AP.
ap-group/all | APs in a specific group, or all APs on the specific managed device.
source-ip | Specific managed device from which the APs are to be moved.
target-ip | Specific managed device to which the APs are to be moved.
When the target IP is within the cluster, APmove is initiated from the cluster leader. When the target IP is outside the cluster, APmove is initiated on the AAC or S-AAC.
When APmove is initiated from the AAC, the AP gets the target IP and sets the APmove conductor variables. If the APmove target is a managed device outside the current cluster, the AP rebootstraps and connects to that target managed device. Irrespective of whether the target node is in another cluster or not, the AP nodelist is purged if the target IP is outside the cluster. If the target managed device is part of another cluster, a new nodelist is sent to the AP. If the AP is unable to connect to any of the nodes in the nodelist, it falls back to other known entities such as previous_lms, backup_lms, conductor, and so on.
In a cluster environment, the priority given by the AP when APmove is initiated is as follows:
- APmove conductor (only used in cluster upgrade scenario)
- Cluster nodelist
- Previous LMS (CPsec-enabled only)
- Conductor variables
A nodelist is introduced to avoid multiple redirections to the AP and allows the AP to directly connect to the previous known AAC. However, if the previous known AAC is down, the AP connects to any of the nodes in the nodelist.
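As an added model that is not code from the page or from the AP firmware, the following Python walks the candidate sources in the priority order listed above (APmove conductor, cluster nodelist in list order, previous LMS on CPsec-enabled APs only, conductor variables such as lms and backup-lms), returns a rebootstrap when nothing is reachable, and applies the nodelist purge/replace rule described for an APmove target outside the cluster. All IP addresses and the dataclass field names are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class ApState:
    """What the AP knows about where it may terminate (field names are this model's, not the AP's)."""
    apmove_conductor: Optional[str] = None             # set by APmove only in a cluster upgrade
    nodelist: List[str] = field(default_factory=list)  # cluster member IPs learned at join, kept in flash
    previous_lms: Optional[str] = None
    cpsec_enabled: bool = True
    conductor_vars: List[str] = field(default_factory=list)  # lms / backup-lms from the AP system profile


def choose_termination(ap: ApState, reachable: Set[str]) -> Tuple[str, Optional[str]]:
    """Try the sources in the section's priority order; the first reachable IP wins.
    Within the nodelist the AP tries members in list order. Returns (source, ip),
    or ("rebootstrap", None) when no candidate answers."""
    ordered_sources = [
        ("apmove-conductor", [ap.apmove_conductor] if ap.apmove_conductor else []),
        ("nodelist", ap.nodelist),
        # the previous LMS is consulted only on CPsec-enabled APs
        ("previous-lms", [ap.previous_lms] if ap.previous_lms and ap.cpsec_enabled else []),
        ("conductor-variables", ap.conductor_vars),
    ]
    for source, candidates in ordered_sources:
        for ip in candidates:
            if ip in reachable:
                return source, ip
    return "rebootstrap", None


def apply_apmove(ap: ApState, target_ip: str, cluster_members: Set[str],
                 target_cluster_nodelist: Optional[List[str]] = None) -> ApState:
    """Nodelist handling for an APmove: a target inside the cluster keeps the nodelist;
    a target outside the cluster purges it, and if that target belongs to another
    cluster, the AP receives that cluster's nodelist instead."""
    if target_ip in cluster_members:
        return ap
    ap.nodelist = []
    if target_cluster_nodelist:
        ap.nodelist = list(target_cluster_nodelist)
    return ap
```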
EST Support for Cluster
In a cluster setup, the APs establish IPsec tunnels with the AAC, S-AAC, and UAC. Starting from AOS-8.4.0.0, the cluster members use enrolled certificates for IPsec tunnel authentication instead of factory certificates.
When Enrollment over Secure Transport (EST) is enabled in a cluster setup, the AAC sends the EST parameters to the APs, and the APs undergo enrollment and establish IPsec tunnels with all the cluster members using these enrolled certificates.
The existing cluster gets disconnected on EST activation and all the APs reboot as part of EST enrollment. During this process, the IPsec tunnels on the cluster peer are deleted, which results in the cluster getting disconnected on that peer. This ensures that the cluster traffic does not go to the peers without being encrypted or encapsulated.
It is recommended to enable EST on all the cluster members before enabling cluster group-membership.
Configuring EST support for cluster
To configure EST support for cluster, refer to Certificate Enrollment Using EST section.
Remote AP Support with Cluster behind NAT
Remote APs were supported only with public IP addresses for all the managed devices in a cluster deployment. A cluster behind NAT (Network Address Translation) could not work with Remote APs, because the managed devices in the cluster use switch IPs in the private address space, which the Remote AP cannot reach.
Starting from AOS-8.4.0.0, Remote APs can map the managed device's private address to a public address by obtaining the private IP to public IP address mapping from the cluster. Therefore, a cluster behind NAT is supported with Remote APs.
Key Consideration
- Remote APs are provisioned with any of the public IP addresses that the cluster is using.
- NAT mapping is configured in the customer NAT device according to what the cluster profile is using.
- The mapping must be allowed even if a firewall is configured.
Limitations
- Configuring the same public IP for different nodes in the same cluster profile is not allowed.
- Configuring the same public IP across different cluster profiles is allowed only when one profile is active across all cluster members.
- Cluster is not supported for external allowlist-db.
The mapping between the public and private addresses configured in the cluster profile must be configured in the NAT device as well.
The following procedure describes how to enable a cluster behind NAT with Remote APs:
- In the node hierarchy, navigate to the tab.
- Click in the table to create a new cluster profile. The table is displayed.
- Enter the cluster name in the field.
- Enter the RAP Public IP along with the parameters listed in .
- Click .
- In the tab, select from the drop-down list.
- Click .
- Click .
- In the window, select the checkbox and click .
The following CLI commands map the public and private addresses for the Remote APs in a cluster profile:
(host) [cluster] (config) #lc-cluster group-profile rapcluster
(host) [cluster] (Classic Controller Cluster Profile "rapcluster") #controller 10.10.10.1 rap-public-ip 100.100.100.101
(host) [cluster] (Classic Controller Cluster Profile "rapcluster") #controller 10.10.10.2 rap-public-ip 100.100.100.102
(host) [cluster] (Classic Controller Cluster Profile "rapcluster") #controller 10.10.10.3 rap-public-ip 100.100.100.103
(host) [cluster] (Classic Controller Cluster Profile "rapcluster") #controller 10.10.10.4 rap-public-ip 100.100.100.104
When this profile is configured in the group-membership, then the corresponding public IP for that cluster member is used.
The following CLI command checks whether the public IP of the Remote AP is configured for the controller's private IP address:
(host) #Show lc-cluster group-profile
IPv4 Cluster Members
--------------------
CONTROLLER-IP PRIORITY MCAST-VLAN VRRP-IP VRRP-VLAN GROUP-ID RAP-PUBLIC-IP
------------- -------- ---------- ------- --------- -------- -------------
10.17.62.194 128 0 1.1.1.1 200 0 10.10.10.11
10.17.62.195 128 0 1.1.1.2 200 0 10.10.10.12
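As an added audit that is not part of the page or of ArubaOS, the following Python parses the show lc-cluster group-profile table above and checks the two things this section requires: no two members of one profile share a RAP-PUBLIC-IP, and every public-to-private pair is also present on the NAT device. The show output is constructed from the example above; the NAT device rules are an assumed public-to-private map.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Constructed sample modelled on the "show lc-cluster group-profile" output above.
SHOW_OUTPUT = """IPv4 Cluster Members
--------------------
CONTROLLER-IP PRIORITY MCAST-VLAN VRRP-IP VRRP-VLAN GROUP-ID RAP-PUBLIC-IP
------------- -------- ---------- ------- --------- -------- -------------
10.17.62.194 128 0 1.1.1.1 200 0 10.10.10.11
10.17.62.195 128 0 1.1.1.2 200 0 10.10.10.12
"""

# Constructed: the static NAT rules the customer NAT device carries (public -> private).
NAT_DEVICE_MAP = {"10.10.10.11": "10.17.62.194", "10.10.10.12": "10.17.62.195"}

# Seven whitespace-separated columns; the header and dash rows fail the numeric fields.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def _ip_or_none(token):
    """Return a normalised IPv4 string, or None for placeholders such as '-' or '0.0.0.0'."""
    try:
        addr = IPv4Address(token)
    except AddressValueError:
        return None
    return None if addr == IPv4Address("0.0.0.0") else str(addr)


def parse_cluster_members(text):
    """Parse the IPv4 Cluster Members table into a list of dicts, one per controller row."""
    members = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        controller_ip = _ip_or_none(m.group(1))
        if controller_ip is None:
            continue
        members.append({
            "controller_ip": controller_ip,
            "priority": int(m.group(2)),
            "mcast_vlan": int(m.group(3)),
            "vrrp_ip": _ip_or_none(m.group(4)),
            "vrrp_vlan": int(m.group(5)),
            "group_id": int(m.group(6)),
            "rap_public_ip": _ip_or_none(m.group(7)),
        })
    return members


def check_rap_nat(members, nat_map):
    """Return findings for duplicate public IPs and for rows the NAT device does not map."""
    findings = []
    seen = {}  # public IP -> controller IP that first claimed it
    for m in members:
        pub = m["rap_public_ip"]
        if pub is None:
            findings.append(f"{m['controller_ip']}: no RAP public IP configured")
            continue
        if pub in seen:
            # the section forbids the same public IP on different nodes of one profile
            findings.append(f"public IP {pub} used by both {seen[pub]} and {m['controller_ip']}")
        seen[pub] = m["controller_ip"]
        if nat_map.get(pub) != m["controller_ip"]:
            findings.append(f"NAT device maps {pub} -> {nat_map.get(pub)}, "
                            f"cluster profile expects {m['controller_ip']}")
    return findings
```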
Deny Inter-User Bridging
Deny inter-user bridging prevents the forwarding of Layer-2 traffic between wired or wireless users, even when the users are anchored on different managed devices in a cluster. This feature is supported on all the managed devices across a cluster.
This feature applies to all deployment types and all clients, for example, Campus APs, Remote APs, wireless users, wired users, tunneled users, and split-tunnel users.
In previous releases, clients could still reach trusted devices when deny-inter-user-bridging was enabled. Starting from AOS-8.8.0.0, clients cannot reach those trusted devices on their network unless the devices are auto-learned or manually added to the allowed list.
Traffic from the client is allowed only if the destination address is present in the allowed-address-list table. Any traffic, including broadcast, multicast, or other Layer-2 frames, is dropped if the Layer-3 destination of the packet is not included in the allowed-address-list table.
Some Layer-2 devices are automatically learned and allowed by their Layer-3 addresses, such as the default gateway and the DNS server addresses taken from DHCP responses.
All other required local network addresses, such as non-default gateways in a network with multiple routers, must be added manually to the allowed-list table. Otherwise, Layer-2 traffic to those destinations is dropped.
For troubleshooting, run the following show command in the CLI to check for dropped frames:
(host) [mynode] #show datapath frame
This feature is not supported in bridge mode deployments because a bridge-mode user's traffic is bridged locally by the AP and never reaches the managed device.
Auto Learn Addresses
In each VLAN, the managed device auto-learns the gateway and DNS addresses by snooping DHCPv4, DHCPv6, and IPv6 RA messages, so these addresses need not be added to the allowed list manually. If no DHCP is configured, the gateway and DNS entries must be added manually. If communication to additional local addresses is required, those addresses must also be added manually. Apart from the auto-learned addresses, a maximum of 256 IP addresses can be configured.
- For IPv4, only one gateway and three DNS entries can be auto-learned. For IPv6, one RA gateway and three DNS entries can be auto-learned.
- If the gateway in use is a different, non-default gateway on the same Layer-2 network, add that non-default gateway address to the controller allowed list.
- If the RA source and the DHCPv6 server are different devices on the same Layer-2 network, add the DHCPv6 server's link-local address to the controller allowed list.
- If the RA source and the DHCPv6 relay are different devices on the same Layer-2 network, add the DHCPv6 relay's link-local address to the controller allowed list.
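The following Python model shows, as an added example that is not AOS-8 code, how the allowed list gates user traffic once deny inter-user bridging is on: one gateway and three DNS servers are auto-learned per VLAN from a DHCPv4 response, everything else must be added manually (up to 256 entries), and any other Layer-3 destination is dropped. The DHCPv4 option encoding (option 3 = router, option 6 = DNS server) is RFC 2132; the class and function names, the "first router wins" ordering, the sample addresses and the IPv4-only scope are this example's assumptions, and DHCPv6/RA snooping is not modelled.

```python
"""Model of allowed-list enforcement for deny inter-user bridging.
Added example, not AOS-8 code.  Limits (1 gateway, 3 DNS, 256 manual
entries) are taken from the documentation text; the DHCPv4 option wire
format is RFC 2132; the rest is this example's assumption."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

MAX_AUTO_GATEWAY = 1    # per text: one IPv4 gateway auto-learned per VLAN
MAX_AUTO_DNS = 3        # per text: three IPv4 DNS entries auto-learned per VLAN
MAX_MANUAL = 256        # per text: at most 256 manually configured addresses
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_END = 0, 3, 6, 255


def parse_dhcp_options(options: bytes) -> dict[int, bytes]:
    """Parse the DHCPv4 option field (bytes after the magic cookie) into
    {code: raw value}.  Option 0 is a single pad byte, option 255 ends the list."""
    out: dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = options[i + 1]
        out[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return out


def ipv4_list(raw: bytes) -> list[str]:
    """Split a run of 4-byte addresses (router/DNS option values) into strings."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4]))
            for j in range(0, len(raw) - len(raw) % 4, 4)]


@dataclass
class VlanAllowedList:
    """Allowed-list state for one VLAN: auto-learned entries plus the manual list."""
    vlan: int
    auto_gateway: list[str] = field(default_factory=list)
    auto_dns: list[str] = field(default_factory=list)
    manual: set[str] = field(default_factory=set)

    def snoop_dhcp_offer(self, options: bytes) -> None:
        """Learn gateway/DNS from a DHCPv4 OFFER/ACK, honouring the auto-learn caps.
        Assumption: routers or DNS servers beyond the cap are simply ignored."""
        opts = parse_dhcp_options(options)
        for gw in ipv4_list(opts.get(OPT_ROUTER, b"")):
            if len(self.auto_gateway) < MAX_AUTO_GATEWAY and gw not in self.auto_gateway:
                self.auto_gateway.append(gw)
        for dns in ipv4_list(opts.get(OPT_DNS, b"")):
            if len(self.auto_dns) < MAX_AUTO_DNS and dns not in self.auto_dns:
                self.auto_dns.append(dns)

    def add_manual(self, addr: str) -> None:
        """Counterpart of 'allowed-address-list ipv4|ipv6 <addr>' with the 256-entry cap."""
        ip = str(ipaddress.ip_address(addr))
        if ip in self.manual:
            return
        if len(self.manual) >= MAX_MANUAL:
            raise ValueError(f"allowed list full ({MAX_MANUAL} manual entries)")
        self.manual.add(ip)

    def allowed(self) -> set[str]:
        return set(self.auto_gateway) | set(self.auto_dns) | self.manual

    def forward(self, dst: str) -> bool:
        """True if a user frame to Layer-3 destination dst is forwarded, False if dropped."""
        return str(ipaddress.ip_address(dst)) in self.allowed()


def constructed_dhcp_offer_options() -> bytes:
    """Constructed DHCPv4 options: message type OFFER, two routers, four DNS servers.
    All addresses are made up for the demo."""
    routers = b"".join(ipaddress.IPv4Address(a).packed for a in ("10.1.1.1", "10.1.1.2"))
    dns = b"".join(ipaddress.IPv4Address(a).packed
                   for a in ("10.1.1.53", "10.1.1.54", "10.1.1.55", "10.1.1.56"))
    return (bytes([53, 1, 2]) + bytes([OPT_ROUTER, len(routers)]) + routers
            + bytes([OPT_DNS, len(dns)]) + dns + bytes([OPT_END]))


def demo() -> dict:
    """The failure mode the text warns about: a second, non-default router on the
    same VLAN is unreachable until it is added to the allowed list by hand."""
    vlan = VlanAllowedList(vlan=100)
    vlan.snoop_dhcp_offer(constructed_dhcp_offer_options())
    result = {
        "learned_gateways": list(vlan.auto_gateway),
        "learned_dns": list(vlan.auto_dns),
        "to_default_gateway": vlan.forward("10.1.1.1"),
        "to_second_router_before": vlan.forward("10.1.1.2"),
        "to_fourth_dns": vlan.forward("10.1.1.56"),     # beyond the 3-entry cap
        "to_peer_client": vlan.forward("10.1.1.50"),    # inter-user traffic: dropped
    }
    vlan.add_manual("10.1.1.2")   # the manual step required for a non-default gateway
    result["to_second_router_after"] = vlan.forward("10.1.1.2")
    return result
```

Running `demo()` shows the second router and the fourth DNS server dropped even though the DHCP server advertised them, which is exactly the case where a site with multiple routers sees unexplained drops in `show datapath frame` until the extra addresses are configured.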
Manually Configuring the Allowed Address List
To enable the Deny inter-user bridging feature, perform the following steps in the WebUI:
- In a Managed Network hierarchy, navigate to Configuration > Services > Firewall.
- Expand the Inter User Bridging accordion and then click Deny inter user bridging toggle button.
- Click the + icon in the Allowed Addresses table to add IP addresses that are trusted devices.
- In the IP version field, select IPv4 or IPv6.
- In the IP address field, enter the IP address.
- Repeat step 3 to add all the allowed IP addresses.
- Click .
- Click .
- In the window, select the checkbox and click
To add the allowed IP addresses when the deny inter-user bridging feature is enabled, run the following commands in the CLI:
(host) [mynode] #allowed-address-list ipv4 <IP address>
(host) [mynode] #allowed-address-list ipv6 <IP address>
To view the allowed IP addresses list, run the following show commands in the CLI:
(host) [mynode] #show allowed-address-list all
Allowed address list
----------------------
Type : Address
----------------------
IPv4 2.2.2.2
IPv6 2002::2
IPV4 192.168.1.1
Total : 3
(host) [mynode] #show datapath allowed-address-list ipv4
Allowed address list
-----------------------
Type : Address
-----------------------
IPv4 2.2.2.2
IPV4 192.168.1.1
Total : 2
(host) [mynode] #show datapath allowed-address-list ipv6
Allowed address list
-----------------------
Type : Address
-----------------------
IPv6 2002::2
Total : 1
(host) [mynode] #show datapath allowed-address-list counters
------------------------------
Allowed address stats counter
------------------------------
IPv4 drop : 126
IPv6 drop : 1526
To remove IP addresses from the allowed list, use the no form of the same command in the CLI:
(host) [mynode] #no allowed-address-list ipv4 <IP address>
(host) [mynode] #no allowed-address-list ipv6 <IP address>
VRRP ID and Passphrase
Cluster allows users to set the starting VRRP ID and a passphrase for the virtual IP in the cluster profile to avoid VRRP conflicts. Cluster members are assigned consecutive VRRP IDs starting from the configured value.
Previously, when a virtual IP was configured in a cluster, AOS-8 automatically assigned VRRP groups in the range 220-225. This led to VRRP conflicts when multiple clusters shared the same L2 network, because two clusters would advertise the same virtual router IDs on the same segment. To avoid such conflicts, the starting VRRP ID for a virtual IP can now be set in the cluster profile.
The following parameters can be set in the cluster configuration profile:
- The starting VRRP ID
- The VRRP passphrase used to authenticate the VRRP session
The following CLI commands configure the VRRP ID and VRRP passphrase:
lc-cluster group-profile <profile-name>
vrrp-id <starting id> [ vrrp-passphrase <vrrp passphrase string>]
Parameter | Description
---|---
vrrp-id | Optional. The starting VRRP ID for cluster members. If it is not configured, the system automatically assigns VRRP groups within the range 220-225.
vrrp-passphrase | Optional. A password of up to 8 characters that authenticates VRRP peers in their advertisements. If it is not configured, no authentication password is used.
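The following Python planner, added here as an example and not AOS-8 code, makes the conflict concrete: it derives the VRIDs each cluster will advertise (220-225 when vrrp-id is unset, consecutive from the start value otherwise), reports every (VRRP VLAN, VRID) pair two clusters would both claim, and picks a free starting ID for a new cluster. The 1-255 VRID range is the VRRP protocol limit (RFC 3768); the cluster names, the dataclass layout and keying conflicts by VRRP VLAN are this example's assumptions.

```python
"""VRRP ID planning for clusters that share a VRRP VLAN.  Added example, not
AOS-8 code.  From the text: without vrrp-id the system uses VRIDs 220-225,
with vrrp-id members get consecutive VRIDs from the start value, and the
passphrase is at most 8 characters.  VRID 1-255 is the protocol range
(RFC 3768); keying conflicts by (VRRP VLAN, VRID) is an assumption."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

DEFAULT_VRIDS = range(220, 226)   # 220-225 per text
VRID_MIN, VRID_MAX = 1, 255
MAX_PASSPHRASE = 8


@dataclass
class ClusterProfile:
    name: str
    members: int
    vrrp_vlan: int
    vrrp_id: Optional[int] = None          # starting VRRP ID, None = defaults
    vrrp_passphrase: Optional[str] = None


def validate_passphrase(passphrase: Optional[str]) -> None:
    """Enforce the 8-character limit; None means no authentication."""
    if passphrase is not None and not (1 <= len(passphrase) <= MAX_PASSPHRASE):
        raise ValueError(f"vrrp-passphrase must be 1-{MAX_PASSPHRASE} characters")


def assigned_vrids(profile: ClusterProfile) -> list[int]:
    """VRIDs a cluster advertises for its virtual IP: one per member, consecutive
    from vrrp_id, or taken from the 220-225 default block when unset."""
    validate_passphrase(profile.vrrp_passphrase)
    if profile.vrrp_id is None:
        if profile.members > len(DEFAULT_VRIDS):
            raise ValueError("default VRID block 220-225 holds at most 6 members")
        return list(DEFAULT_VRIDS)[:profile.members]
    ids = list(range(profile.vrrp_id, profile.vrrp_id + profile.members))
    if ids[0] < VRID_MIN or ids[-1] > VRID_MAX:
        raise ValueError(f"VRIDs {ids[0]}-{ids[-1]} fall outside {VRID_MIN}-{VRID_MAX}")
    return ids


def find_conflicts(profiles: list[ClusterProfile]) -> list[tuple[str, str, int, int]]:
    """(cluster_a, cluster_b, vlan, vrid) for every VRID two clusters would both
    advertise on the same VRRP VLAN.  Clusters on different VLANs never conflict."""
    users: dict[tuple[int, int], list[str]] = {}
    for p in profiles:
        for vrid in assigned_vrids(p):
            users.setdefault((p.vrrp_vlan, vrid), []).append(p.name)
    conflicts = []
    for (vlan, vrid), names in sorted(users.items()):
        for i in range(len(names)):
            for j in range(i + 1, len(names)):
                conflicts.append((names[i], names[j], vlan, vrid))
    return conflicts


def suggest_start(profiles: list[ClusterProfile], members: int, vlan: int,
                  minimum: int = VRID_MIN) -> int:
    """Lowest starting VRID >= minimum giving a new cluster of `members` a
    conflict-free consecutive block on `vlan`."""
    taken = {v for p in profiles if p.vrrp_vlan == vlan for v in assigned_vrids(p)}
    for start in range(minimum, VRID_MAX - members + 2):
        if not any(v in taken for v in range(start, start + members)):
            return start
    raise ValueError("no free VRID block on this VLAN")


def demo() -> dict:
    """Two four-member clusters on VRRP VLAN 200: both left at defaults collide
    on 220-223; giving the second a start ID of 99 removes every conflict."""
    a = ClusterProfile("campus-a", members=4, vrrp_vlan=200)
    b = ClusterProfile("campus-b", members=4, vrrp_vlan=200)
    before = find_conflicts([a, b])
    b.vrrp_id = suggest_start([a], members=4, vlan=200, minimum=99)
    b.vrrp_passphrase = "cl2vrrp!"   # 8 characters, the maximum allowed
    after = find_conflicts([a, b])
    return {"defaults_a": assigned_vrids(a), "conflicts_before": before,
            "chosen_start_b": b.vrrp_id, "vrids_b": assigned_vrids(b),
            "conflicts_after": after}
```

Two caveats a practitioner should keep in mind. First, the planner only knows about clusters it is told about; any other VRRP speaker on the same VLAN (a router pair, a firewall cluster) occupies VRIDs too, so check `show vrrp` on those devices before trusting a suggested start value. Second, the 8-character limit matches VRRPv2 simple text authentication (RFC 2338), which carries the password in clear text in every advertisement; treat the passphrase as protection against accidental overlap between clusters, not against an attacker who already has access to the VRRP VLAN.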
The following CLI command checks the configuration:
(host) #show lc-cluster group-profile v4cluster
IPv4 Cluster Members
--------------------
CONTROLLER-IP PRIORITY MCAST-VLAN VRRP-IP VRRP-VLAN GROUP-ID RAP-PUBLIC-IP
------------- -------- ---------- ------- --------- -------- -------------
10.20.101.12 128 0 0.0.0.0 0 0 0.0.0.0
10.20.101.5 128 0 0.0.0.0 0 0 0.0.0.0
10.20.101.20 128 0 0.0.0.0 0 0 0.0.0.0
10.20.101.7 128 0 0.0.0.0 0 0 0.0.0.0
Redundancy:Yes
Active Client Rebalance Threshold:20%
Standby Client Rebalance Threshold:40%
Unbalance Threshold:5%
Active AP Load Balancing:YES
Active AP Rebalance Threshold:20%
Active AP Unbalanced Threshold:5%
Active AP Rebalance Count:50
Active AP Rebalance Timer:1 mins
Starting VRRP ID:99
VRRP Passphrase:********