Uplink Monitoring and Load Balancing

The ArubaOS Uplink Manager prioritizes cellular and wired uplinks, and checks and monitors the availability and quality of the connection to a remote host with a specified FQDN or IP address. The status of these monitored uplinks appears in the WAN section of the WebUI dashboard.

By default, the cellular uplink has a lower priority than the wired uplink, making the wired link the primary link and the cellular link the secondary or backup link. A managed device supports multiple 3G cellular uplinks in addition to its standard wired ports, providing redundancy in the event of a connection failure. If the wired link cannot reach the internet, the managed device can fail over to a secondary cellular link and continue routing traffic.

Uplink Load Balancing

WAN traffic can be balanced across two or more active uplinks from a managed device to a VPN concentrator. The uplink load balancing feature supports both active and standby uplinks, so the traffic load is balanced across two wired uplinks while the backup cellular uplink remains idle.

When a managed device has multiple active uplinks, uplink load balancing can modify the IKE parameters for the managed device to create multiple managed device/VPN concentrator IPsec tunnels, one on each uplink. Once multiple uplinks and IPsec tunnels are up, Layer-3 traffic can be load-balanced across these uplinks using specially created internal routing ACLs and nexthop lists.

Load Balancing ACLs

When uplink load balancing is enabled, any Layer-3 traffic session that is not associated with a manually defined routing ACL is managed by two specially created internal ACLs placed at the bottom of the routing ACL table: the editable ACL uplink-lb-cfg-racl, followed by the non-editable ACL uplink-lb-sys-racl.

Load Balancing Nexthop Lists

The uplink load balancing feature uses three special internally created nexthop lists:

Load-balance-gateways is used for load-balancing internet-bound traffic, and load-balance-ipsecs for managing encrypted traffic headed to the corporate headquarters. These nexthop lists include information about one nexthop gateway and one managed device/VPN concentrator IPsec tunnel for each uplink, which are added to these lists so all nexthops are considered active and available for routing.

The third nexthop list created by this feature is traditional-ipsecs, which is used by uplinks in active-standby mode to send control plane traffic from the managed device to the VPN concentrator.

Configuring the Uplink Manager

Use the following procedure to disable or enable the uplink manager and manage priorities for the wired and cellular connections. The uplink manager is enabled by default on managed device uplinks.

In the WebUI

1. In the Managed Network node hierarchy, navigate to the Configuration > Services > WAN tab.
2. Expand the Uplinks menu.
3. Click the Enable uplink toggle switch to enable this setting.
4. Define a non-default priority for the wired and cellular connections in the Default Wired Priority and Default Cellular Priority fields. The default priority for a wired connection is 200, and the default priority for a cellular connection is 100.
5. (Optional) If you are configuring an uplink to a VPN concentrator, select Load Balancing to balance session traffic across multiple active uplinks. Do not enable this feature if the managed device has uplinks that connect directly to Mobility Master.
6. Click the Mode drop-down list and choose one of the following load balancing modes:

Hash based: Hash-based load balancing uses information from the packets being sent (for example, the source IP address, destination IP address, protocol, and port numbers) to determine how to load balance that traffic.

Round Robin: Traffic is equally distributed to all the active uplinks.

Session Count: Traffic is balanced between the uplinks based upon the number of sessions managed by each link, so that the load for each active uplink stays within 5% of the other active uplinks.

7. In the Max sessions per uplink (%) field, enter the maximum percentage of total sessions that can be managed by any active uplink. The default value is 25%.
8. (Optional) Check the Media Mode option to reevaluate the selected uplink for the session if it is identified as a media session. By default, all sessions use the load-balance mode specified in step 6. When you select this option, any time a session is identified as a media session, the uplink is reassigned to the optimal uplink for media sessions, based upon a separate media load-balancing algorithm.
9. (Optional) Enter a value into the Latency threshold (ms) field to optimize media sessions by defining the maximum latency allowed for media sessions in media mode. The supported range is 1 - 400 milliseconds, and the default is 20 ms.
10. (Optional) Enter a value into the Jitter threshold (ms) field to optimize media sessions by defining the maximum jitter allowed for media sessions in media mode. The supported range is 1 - 300 milliseconds, and the default is 5 ms.
11. Click + in the Uplink VLANs table and enter the following values to define an uplink VLAN for an uplink interface on the managed device.

Link: Link to which the VLAN is assigned

VLAN ID: VLAN ID number

Description: Text string describing the VLAN

Enabled: Select this drop-down list to disable or re-enable the VLAN. New VLANs created on Configuration > Services > WAN > Uplinks are enabled by default.

Priority: If load balancing is not enabled, this value defines the priority for the uplink in an active/standby uplink scenario.

Weight: If the uplink is using load balancing in session mode, this value defines the weight given to the uplink in an active/active uplink scenario. An uplink with a higher weight will be assigned more session traffic than an uplink with a lower weight. The supported range of values is 1-100.

12. Click Submit.
13. Click Pending Changes.
14. In the Pending Changes window, select the check box and click Deploy Changes.
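
The three load-balancing modes from step 6 and the per-uplink weight and session cap from steps 7 and 11, as an added Python model that is not ArubaOS code: it shows how a new session's 5-tuple is mapped to an uplink under each mode and how the cap refuses sessions once every active uplink is full. The tie-break rules, the weighted least-loaded choice in session-count mode, and reading Max sessions per uplink (%) as a share of a session-table capacity are assumptions, not the documented algorithm.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Uplink:
    name: str
    weight: int = 1     # 1-100; consulted only in session-count mode
    sessions: int = 0   # sessions currently pinned to this uplink

class UplinkBalancer:
    """Toy model of the Hash based / Round Robin / Session Count modes."""
    def __init__(self, uplinks, mode="session-count",
                 max_sessions_pct=25, session_capacity=1000):
        self.uplinks = list(uplinks)
        self.mode = mode
        # Assumption: "Max sessions per uplink (%)" is read as a share of the
        # device's session-table capacity (the page gives only the 25% default).
        self.cap = session_capacity * max_sessions_pct // 100
        self._rr = 0

    def _eligible(self):
        free = [u for u in self.uplinks if u.sessions < self.cap]
        if not free:
            raise RuntimeError("every active uplink is at its session cap")
        return free

    def pick(self, src, dst, proto, sport, dport):
        """Assign a new session with this 5-tuple; returns the uplink name."""
        if self.mode == "hash-based":
            # Hash over all uplinks so a given flow always lands on the same
            # link; the cap is not consulted here (modelling choice).
            key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
            digest = hashlib.sha256(key).digest()
            idx = int.from_bytes(digest[:4], "big") % len(self.uplinks)
            chosen = self.uplinks[idx]
        elif self.mode == "round-robin":
            cands = self._eligible()
            chosen = cands[self._rr % len(cands)]
            self._rr += 1
        elif self.mode == "session-count":
            # Weighted least-loaded: lowest sessions-per-weight wins, so a
            # weight-3 uplink settles at about 3x the sessions of a weight-1 one.
            chosen = min(self._eligible(),
                         key=lambda u: (u.sessions / u.weight, u.name))
        else:
            raise ValueError(f"unknown load-balance mode {self.mode!r}")
        chosen.sessions += 1
        return chosen.name

def run(balancer, n):
    """Push n constructed sessions (varying source port) through the balancer."""
    for i in range(n):
        balancer.pick("10.0.0.5", "198.51.100.7", "udp", 40000 + i, 5060)
    return {u.name: u.sessions for u in balancer.uplinks}
```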

In the CLI

The following examples configure an uplink load-balancing solution via the Mobility Master command-line interface.

Step 1: Configure the VPN concentrator

If a managed device terminates a secure tunnel on a VPN concentrator, you can issue the vpn-peer peer-mac command in the VPN concentrator configuration to enable load balancing on secure uplinks between the VPN concentrator and a managed device.

The following example enables load balancing on the uplinks between a managed device with the MAC address 01:00:5E:00:00:FF and a VPN concentrator:

(host) [node] (config) #vpn-peer peer-mac 01:00:5E:00:00:FF cert-auth factory-cert load-balance


If the peer device is an x86 server, configure the MAC address of the management interface of the managed device. However, if the peer device is a hardware platform, you must provide the MAC address of the VLAN interface of the managed device.


Step 2: Enable the Uplink Manager

Issue the following command to enable the uplink manager:

(host) [node] (config) #uplink enable

Step 3: Enable the Load Balancing

Issue the uplink load-balance command without any additional parameters to enable uplink load balancing:

(host) [node] (config) #uplink load-balance

Step 4: (Optional) Configure Load Balancing Settings

Use the uplink load-balance command with the following parameters to configure additional uplink load-balancing settings. You cannot define load balancing settings unless the uplink manager and uplink load balancing features are already enabled.

(host) [node] (config) #uplink load-balance ?

mode load-balancing mode

media-mode load-balancing media mode

vlan uplink vlan

To disable uplink load balancing between a managed device and a VPN concentrator, disable the load balancing feature on the managed device (no uplink load-balance) before you disable load balancing on the VPN concentrator (no vpn-peer peer-mac).

Load Balancing Group

ArubaOS supports the configuration of load balancing groups through the CLI. A load balancing group supports configuration of primary and secondary maps, GRE standby, preemptive failover, the hold time after which a failover occurs, and a random time after the hold time at which the failover occurs.

(host) [node] (config) #lb-group <name>