ArubaOS 8.6.0.0 Help Center

Controller Clustering

A cluster is a combination of multiple managed devices working together to provide high availability to all the clients and ensure service continuity when a failover occurs.

The APs are managed by a single managed device. The client load is shared by all the managed devices. The goal of a cluster is to provide full redundancy to APs and wireless clients alike in case of a malfunction of one or more of its cluster members.

All the members in a cluster are active managed devices.

Cluster facilitates a large roaming domain, minimizes fault-domain, and helps in speedy recovery.

 

The master controller mode does not support cluster.

The objectives of a cluster are:

Seamless Campus Roaming: When a client roams between APs of different managed devices within a large L2 domain, the client retains the same subnet and IP address to ensure seamless roaming. The clients remain anchored to a single managed device in a cluster throughout their roaming area, which makes their roaming experience seamless because their L2 or L3 information and sessions remain on the same managed device.

Hitless Client Failover: When a managed device fails, all the users fail over to their standby managed device seamlessly without any disruption to their wireless connectivity or existing high-value sessions.

Client and AP Load Balancing: When there is excessive workload among the managed devices, the client and AP load is evenly balanced among the cluster members. Both clients and APs are load balanced seamlessly.

The following sections describe the prerequisites, key considerations, and features supported in a cluster.

Requirements

Cluster is supported only on the Mobility Master and cluster members can only be managed devices.

The following managed devices support clustering:

7200 Series controllers - Support for up to 12 nodes in a cluster.

7000 Series controllers - Support for a maximum of 4 nodes in a cluster.

9004 controllers - Support for a maximum of 4 nodes in a cluster.

Mobility Controller Virtual Appliance - Support for a maximum of 4 nodes in a cluster.

Even with a 12-node cluster, the maximum supported APs and client counts are limited to 10K and 100K, respectively.

Key Consideration

Some of the key considerations are:

All the managed devices within the cluster need to run the same software version.

If HA-AP fast failover is enabled, then cluster cannot be enabled.

A 12-node cluster is supported for Remote APs. Starting from ArubaOS 8.6.0.0, Remote APs can terminate on a cluster with more than 4 nodes.

A mix of hardware devices and the Mobility Controller Virtual Appliance-based controller is not supported.

A Mobility Controller Virtual Appliance cluster can be set up only with the same SKU models. Only homogenous clusters are supported for Mobility Controller Virtual Appliance.

A mix of 7200 Series controllers and 7000 Series controllers within the same cluster is not recommended due to disparity in capacity between the two controller series models. However, you can use these devices in the same cluster when you want to migrate from a smaller cluster like 7000 series controllers to a larger cluster with 7200 Series controllers.

Only homogenous cluster is supported for 9004 managed devices.

In a cluster, the managed devices do not have to be identical.

A managed device can be either L2- or L3-connected or it can also be a mix of both.

Cluster is not supported for PSK-RAPs.

Cluster is supported for external whitelist database for Remote APs in a ClearPass Policy Manager server.

No license is required to enable the cluster feature.

Cluster is not supported in stand-alone controllers.

Campus APs, Remote APs, and Mesh APs are supported.

Captive portal is not supported for the split-tunnel mode Virtual APs and wired APs, when cluster is enabled.

Support for Homogeneous Cluster

A homogeneous cluster is a cluster built with all nodes of the same platform type.

Cluster AP Capacity

Cluster sizing depends on the AP count required to ensure that every AP has an AAC and an S-AAC with adequate capacity for all APs to fail over. The recommended AP load of the cluster is half of the total cluster capacity; that is, the cluster AP count should be equal to 50% of the cluster capacity.

For example, if a cluster is made up of four 7220 managed devices, the combined capacity of four 7220 managed devices is 4096 APs, hence, the AP count would be 2048.

Support for Heterogeneous Cluster

The following list provides the points to be considered for cluster capacity (APs and clients) when the cluster has a heterogeneous managed device mix, for example, 7210, 7220, and 7240 controllers.

Total capacity of individual managed devices in the cluster, when redundancy is disabled.

The number of cluster nodes is restricted to four when it involves a 7000 Series managed device.

When 7200 Series managed devices are added to a cluster consisting of other 7000 Series managed devices, then the capacity of the 7200 Series managed devices is reduced to the maximum capacity of the 7000 Series managed devices that are currently part of the cluster.

When 7000 Series managed devices are added to a cluster consisting of 7200 Series managed devices, then one of the following conditions applies:

If there are more than three 7200 Series managed devices in the cluster, the 7000 Series managed devices are not allowed to join the cluster.

If the current AP or station count on the 7200 Series managed devices is greater than the maximum AP or station capacity supported on the newly added 7000 Series managed devices, then the 7000 Series managed devices are not allowed to join the cluster. To check if the 7000 Series managed devices are allowed to join the cluster, execute the show lc-cluster group-membership command.

If the current AP or station count on the 7200 Series managed devices is less than the maximum AP or station capacity supported on the newly added 7000 Series managed devices, then the capacity of the 7200 Series managed devices in the cluster drops to the maximum capacity supported on the 7000 Series managed devices and the existing supported APs in the 7200 Series managed devices are not impacted.

Cluster AP Capacity

The cluster AP size should be equal to the lower of two values: 50% of the total cluster capacity, or the worst case scenario load. The worst case scenario load is the AP load handled by the remaining nodes in a cluster when the highest capacity cluster member goes down.

The following examples show how to calculate the cluster AP size based on the capacity of the managed devices:

Example 1:

Consider a cluster with one 7220 managed device and two 7240 managed devices. The capacity of a 7220 managed device is 1024 and the capacity of a 7240 managed device is 2048. So, 50% of total capacity is (1024+2048+2048)/2 = 2560 APs. Now, assume one 7240 managed device is down; the worst case scenario load is then (1024 + 2048) = 3072.

Therefore, the cluster AP size in this example is 2560 APs as it is the lowest value between the 50% of total cluster capacity and the worst case scenario load.

Example 2:

Consider a cluster with two 7210 managed devices and one 7240 managed device. The capacity of a 7210 managed device is 512 APs and the capacity of a 7240 managed device is 2048 APs. So, 50% of total capacity is (512+512+2048)/2 = 1536 APs. Now, assume the 7240 managed device is down; the worst case scenario load is then (512+512) = 1024 APs.

Therefore, the cluster AP size in this example is 1024 APs as it is the lowest value between the 50% of total cluster capacity and the worst case scenario load.

Cluster Connection Types

Clustering supports the following two connection types for cluster members:

L2-connected: The cluster members share the same user VLANs. All user VLANs on each node are also present in all nodes.

L3-connected: The cluster members do not necessarily share the same user VLAN. Some user VLANs are not present on the other nodes.

 

Cluster can be formed over an L2 or L3 network. L2 is recommended for simplicity.

Roles

This section explains the roles of the members within the cluster:

Cluster Leader

When several managed devices form a cluster, the devices exchange handshake or hello messages with one another to form a cluster. When all the cluster members are in a fully connected mesh, a cluster leader is elected. The cluster leader is elected based on the highest effective priority derived from configured priority, platform value, and the MAC address of the device.

The cluster leader computes which client is mapped to which cluster member.

The cluster leader also dynamically and seamlessly balances the client load when load increases and there is an imbalance of load among the cluster members.

The cluster leader identifies standby managed devices for clients and APs to ensure hitless failover.

AAC - AP Anchor Controller

This role is given to a managed device from the perspective of an individual AP. It is the anchor for APs. An AP sets up active tunnels with its LMS-IP, and the AAC is responsible for handling all management functions of an AP and its radios.

UAC - User Anchor Controller

This is an anchor for users. The user associates to an AP and the AP creates a dynamic tunnel to the client UAC. The UAC handles all the wireless client traffic, including association or disassociation notification, authentication, and all the unicast traffic between the managed device and the client. The UAC is used to ensure that the managed device remains the same within the cluster when clients roam between APs.

S-AAC - Standby AP Anchor Controller

A standby AAC is dynamically assigned from other cluster members. An AP sets up standby tunnels with the S-AAC. If the AAC fails, the S-AAC detects the failure and ensures that the AP fails over to the S-AAC. Dynamically, the cluster leader chooses the new S-AAC for an AP after the original AAC failed and the S-AAC becomes the new AAC.

S-UAC - Standby User Anchor Controller

This is the standby managed device from the user perspective. The S-UAC is the role given to the managed device that a user fails over to when the active UAC (A-UAC) is down.

Anchored to a Single Managed Device

A user is mapped to a UAC through a hashing algorithm at the AP level. At the AP, there is a single hashing algorithm that creates an index based on the MAC address of the client. This index points to a mapping table to the actual UAC for that user. This mapping is sent to all the nodes in the cluster by the cluster leader and then, the AAC sends this mapping to the respective APs. So, all APs in the cluster have the same mapping information. The cluster leader assigns the S-AAC to each AP after considering the AP load on the cluster.
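The anchoring scheme described above, together with the UAC and S-UAC roles, as an added sketch that is not ArubaOS code. The 256-entry table, the SHA-256 stand-in hash, the round-robin assignment and every function name are assumptions; the page does not specify the real algorithm. The controller IPs are the ones shown elsewhere on this page and the client MACs are constructed.

```python
import hashlib
from collections import Counter

BUCKETS = 256  # assumed table size; the page does not give one


def bucket_index(client_mac):
    """Hash a client MAC to a table index (stand-in hash, not ArubaOS's)."""
    raw = bytes.fromhex(client_mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {client_mac!r}")
    return hashlib.sha256(raw).digest()[0] % BUCKETS


def build_bucket_map(members):
    """Leader role: give every bucket a UAC and a different S-UAC."""
    members = list(dict.fromkeys(members))  # drop duplicates, keep order
    if len(members) < 2:
        raise ValueError("a standby needs at least two cluster members")
    n = len(members)
    return [{"uac": members[i % n], "s_uac": members[(i + 1) % n]}
            for i in range(BUCKETS)]


def lookup(bucket_map, client_mac):
    """What any AP holding this map computes for a client."""
    entry = bucket_map[bucket_index(client_mac)]
    return entry["uac"], entry["s_uac"]


def fail_node(bucket_map, failed):
    """Map the leader would publish once `failed` has left the cluster."""
    nodes = {e["uac"] for e in bucket_map} | {e["s_uac"] for e in bucket_map}
    survivors = sorted(nodes - {failed, None})
    # Standby assignments that survive the failure, used to spread new ones.
    standby_load = Counter(
        e["s_uac"] for e in bucket_map
        if e["s_uac"] is not None and failed not in (e["uac"], e["s_uac"]))
    new_map = []
    for entry in bucket_map:
        uac, s_uac = entry["uac"], entry["s_uac"]
        if uac == failed:
            if s_uac is None:
                raise RuntimeError("bucket has no standby to fail over to")
            uac, s_uac = s_uac, failed      # standby takes over the clients
        if s_uac == failed:                 # standby slot must be refilled
            candidates = [m for m in survivors if m != uac]
            s_uac = min(candidates, key=lambda m: (standby_load[m], m),
                        default=None)
            if s_uac is not None:
                standby_load[s_uac] += 1
        new_map.append({"uac": uac, "s_uac": s_uac})
    return new_map


if __name__ == "__main__":
    members = ["10.15.128.102", "10.15.128.103", "10.15.128.104"]
    clients = ["aa:bb:cc:00:00:%02x" % i for i in range(6)]  # constructed MACs
    before = build_bucket_map(members)
    after = fail_node(before, "10.15.128.103")
    for mac in clients:
        print(mac, lookup(before, mac), "->", lookup(after, mac))
```

Because the lookup depends only on the client MAC and the shared table, a client keeps its UAC whichever AP it roams to, and a node failure moves only the buckets that were anchored on the failed node.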

Remote AP Support

With Remote APs, a tunnel mode VPN is configured and each AP is assigned an inner-IP or remote-IP. The same remote-IP or inner-IP is assigned to the Remote APs on every managed device in the cluster. Starting with ArubaOS 8.0.0.0, the cluster setup supports both IPv4 and IPv6 clients, and IPv6 client sessions are also synchronized and continued after failovers.

The following CLI command supports Remote APs in a cluster configuration:

(host) [mynode] (config)#lc-rap-pool <pool_name> [{pool_start_address} {pool_end_address}]

 

The lc-rap-pool command currently supports only IPv4 addresses in a cluster environment.

ArubaOS now provides support for ClearPass Policy Manager to whitelist Remote APs in a cluster environment. For more information, see Offloading a Controller Whitelist to ClearPass Policy Manager.

IPv6 Support

Starting from ArubaOS 8.2.0.0, IPv6 cluster is supported. Managed devices must terminate on the Mobility Master through the IPv6 IPsec tunnel.

Only IPv6 APs can terminate on an IPv6 cluster and clients can be either IPv4 or IPv6 type.

The following CLI command displays IPv6 cluster information:

(host) #show lc-cluster group-membership

 

VRRP-IP and VRRP-VLAN are not supported with IPv6 cluster.

Cluster Features

The following sections describe the features supported on a cluster:

Enhanced Multicast Proxy

A managed device acts as a multicast proxy for all the wireless clients connected to it. The subscription of the managed device to a multicast stream is done through a single VLAN. Hence, only one copy of the multicast stream will be delivered to a client.

 

Clustering supports only IGMP proxy and MLD.

When IGMP proxy or MLD is enabled, client reports reach the UAC. The UAC then transfers the subscription information to the AAC. Both managed devices (AAC and UAC) serve as proxies for clients in the uplink multicast VLAN.

APs are anchored on the AAC and users on the UAC. When an AP boots, it establishes a tunnel with the AAC. The same tunnel is used for UAC traffic as well. When a client comes up, the AP determines its UAC and establishes a tunnel with the UAC. When the client roams from one AAC to another, PIM detects this roaming through STA (station) channel and deletes the multicast subscriptions of the client from the old AAC and adds them to the new AAC. To perform this, a cluster proxy table that stores per-client subscriptions is maintained in the UAC.

If a multicast stream is sourced from a wireless station, the managed device forwards the stream to the multicast router through the VLAN where the client is located. The downstream is still from the multicast router to each managed device in the cluster through the configured VLAN for multicast proxy operation. If the two VLANs are the same, the proxy on the UAC of the sourcing client does not receive the stream from the multicast router.

 

In an L3-connected cluster, when the AAC does not have the same VLAN as the UAC, the multicast traffic from the uplink does not reach the AAC. Therefore, the cluster has to be L2-connected to stream multicast traffic.

The following CLI commands configure a cluster with multicast VLAN:

(host) [multicast] (cluster1) #controller 10.15.128.102 mcast-vlan

<mcast_vlan> VLAN id

 

The following CLI command displays if a cluster is configured with multicast VLAN:

(host) #show lc-cluster group-profile cluster1

IPv4 Cluster Members
--------------------
CONTROLLER-IP  PRIORITY  MCAST-VLAN  VRRP-IP  VRRP-VLAN
-------------  --------  ----------  -------  ---------
10.15.128.103  128       29          0.0.0.0  0
10.15.128.104  128       29          0.0.0.0  0
10.15.128.105  128       29          0.0.0.0  0
10.15.128.102  128       29          0.0.0.0  0
Redundancy:Yes
Active Client Rebalance Threshold:50%
Standby Client Rebalance Threshold:75%
Unbalance Threshold:5%
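An added example, not part of ArubaOS or its documentation: a small parser for the show lc-cluster group-profile output above that flags a profile with redundancy disabled, too many members, or members without a common multicast VLAN. The function names are hypothetical, and treating MCAST-VLAN 0 as "not configured" and a mixed MCAST-VLAN as a finding are assumptions; SAMPLE is the page's own output with the column whitespace re-aligned.

```python
import re

# Output shown on this page, column whitespace re-aligned.
SAMPLE = """\
IPv4 Cluster Members
--------------------
CONTROLLER-IP  PRIORITY  MCAST-VLAN  VRRP-IP  VRRP-VLAN
-------------  --------  ----------  -------  ---------
10.15.128.103  128       29          0.0.0.0  0
10.15.128.104  128       29          0.0.0.0  0
10.15.128.105  128       29          0.0.0.0  0
10.15.128.102  128       29          0.0.0.0  0
Redundancy:Yes
Active Client Rebalance Threshold:50%
Standby Client Rebalance Threshold:75%
Unbalance Threshold:5%
"""

# One IPv4 member row: IP, priority, multicast VLAN, VRRP IP, VRRP VLAN.
MEMBER = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)$")
# A "Name:value" trailer line such as "Redundancy:Yes".
SETTING = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)$")


def parse_group_profile(text):
    """Return (members, settings) parsed from the command output."""
    members, settings = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        row = MEMBER.match(line)
        if row:
            members.append({"ip": row[1], "priority": int(row[2]),
                            "mcast_vlan": int(row[3]), "vrrp_ip": row[4],
                            "vrrp_vlan": int(row[5])})
            continue
        setting = SETTING.match(line)
        if setting:
            settings[setting[1]] = setting[2]
    return members, settings


def audit_group_profile(text, max_nodes):
    """List findings; max_nodes is the platform limit (12 or 4 per the page)."""
    members, settings = parse_group_profile(text)
    findings = []
    if not members:
        findings.append("no cluster members parsed")
    if len(members) > max_nodes:
        findings.append(f"{len(members)} members exceed the limit of {max_nodes}")
    if settings.get("Redundancy") != "Yes":
        findings.append("redundancy is not enabled; hitless failover needs it")
    # Assumption: 0 in the MCAST-VLAN column means no multicast VLAN is set.
    unset = [m["ip"] for m in members if m["mcast_vlan"] == 0]
    vlans = {m["mcast_vlan"] for m in members} - {0}
    if unset:
        findings.append("no multicast VLAN on: " + ", ".join(unset))
    elif len(vlans) > 1:
        findings.append(f"members use different multicast VLANs: {sorted(vlans)}")
    return findings


if __name__ == "__main__":
    print(audit_group_profile(SAMPLE, max_nodes=12) or "no findings")
```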

Client State Synchronization

The client state synchronization feature helps resolve issues regarding seamless failover, service availability, and high availability. To achieve hitless failover, the following two conditions should be met:

Redundancy mode needs to be enabled; it is enabled by default.

L2-connected type, that is, the cluster members must share the same VLANs.

Stateful failover is achieved through full client synchronization from the UAC to the S-UAC. For example, the station table, the user table, the L2 user state, the L3 user state, the key cache, the PMK cache, and so on get synchronized between the UAC and the S-UAC.

User sessions are synchronized or duplicated on an S-UAC. Only high-value sessions like FTP and DPI are synchronized; sessions that are considered low value, like regular HTTP traffic, are not synchronized. High-value client sessions such as voice, video, and FTP, as well as IGMP used for IPv4 multicast and MLD used for IPv6 multicast groups, are synchronized between the active and standby controllers of a cluster, which allows the connected devices to fail over to the standby controller seamlessly. However, this synchronization is supported only for the first failover; on subsequent failovers, a session that has already failed over is not synchronized to the new standby controller. New sessions will be synchronized.

When there is a failover, no client is deauthenticated and hence, the client seamlessly fails over to the S-UAC.

 

A maximum of 10 sessions per client is supported. Client state synchronization is now supported for IPv6 clients and dual stack.

In an existing cluster, when new managed devices are added and the existing managed devices have a load above the threshold, the load balancer ensures that traffic from overloaded UACs is redirected to the new managed device. In this scenario, synchronization of sessions for these users is performed before the load balancer switches the users from other UACs to ensure reliability.

Starting from ArubaOS 8.6.0.0, during a UAC failure, hitless failover of high-value application traffic such as voice is supported when the client roams between BSSIDs.

Client state synchronization is useful in two different scenarios:

When Redundancy is OFF — When redundancy mode is turned off, a standby copy is not created for an AP or the client for failover protection. As part of load balancing, prior to planned UAC switchover, sessions are synchronized to the new UAC.

When Redundancy is ON — When redundancy mode is turned on, the system assigns the standby managed device for all APs and clients. The sessions are synchronized to the standby UAC.

Execute the following command on one of the cluster members to view the list of duplicate users that are currently connected to the S-UAC:

(host) #show user-table standby

AP LACP Support

Striping LMS IP can no longer be used to stripe the traffic as each AP has GRE tunnels to more than one managed device. Therefore, starting from ArubaOS 8.2.0.0, Cluster LACP is used to stripe traffic on a per-UAC basis. That is, in a cluster setup, the clients or users on the same AP are steered to different UACs and the traffic is striped to these UACs.

When cluster is enabled, striping IP is not used even if it is a single-node cluster; the striping of traffic for the Ethernet interfaces is according to the UAC node.

For a non-cluster setup, the striping LMS IP is used in the same way as before.

For upstream traffic, the cluster LACP load-balances these UACs across the Ethernet ports.

For downstream traffic, because the source IP and MAC address of the GRE packets are different from those of the AP, the AP's uplink switch spreads the traffic.

The following CLI commands configure AP LACP in a non-cluster topology:

On an uplink switch of an AP, use the following command to configure LACP between the two Ethernet ports of the AP:

(host) [md] (config) #ap-lacp-striping-ip

(host) [md] (AP LACP LMS map information) #aplacp-enable

(host) [md] (AP LACP LMS map information) #striping-ip 10.15.127.2 lms 10.15.127.3

The following CLI command displays the configuration:

(host) #show ap-lacp-striping-ip

AP LACP LMS map information
---------------------------
Parameter            Value
---------            -----
AP LACP Striping IP  Enabled
GRE Striping IP      10.15.127.2 LMS 10.15.127.3

 

The lms-ip value in ap-system-profile is used as a key to look up entries in the ap-lacp profile.

It is recommended not to configure a GRE striping IP address for stand-alone controller deployments.

Authorization Server Interaction

This feature supports CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. requests in a cluster using multiple VRRPVirtual Router Redundancy Protocol. VRRP is an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. instances. This feature ensures that the CoAChange of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. request is not dropped when the UAC changes due to controller failure or client load balancing.

CoA is Change of Authorization, which is an extension to RADIUS attributes and capabilities. CoA request messages are sent by a RADIUS server to a NAS device for dynamically modifying the existing session authorization attributes. A CoA-Request contains the information for dynamically changing session authorizations. If the NAS is able to successfully change the authorizations of the user session(s), it responds with a CoA-ACK. Otherwise, it returns a CoA-NAK to the RADIUS server.

To support this feature, multiple VRRP instances are created dynamically, with one instance per cluster node. Here, the cluster node is the master of that instance. In a cluster, the virtual IP of each VRRP instance is used as a NAS-IP when sending RADIUS requests to the RADIUS server.

 

The VRRP IDs for these instances are reserved and the reserved IDs range from 220 to 255.

For example, for a cluster with 5 nodes, there are five VRRP instances and five virtual IP addresses, that is, one virtual IP address for each VRRP instance. The cluster uses the virtual IP for an instance as the NAS-IP in a RADIUS request. That is, when the cluster node sends RADIUS requests on behalf of a client that is trying to authenticate against a RADIUS server, it inserts the virtual IP as the NAS-IP in that RADIUS packet.

 

VRRP VLAN can be the same as that of the controller-ip. VRRP VLAN can also be different if the same VLAN is used with all of the cluster members.

To set the VRRP IP address of the A-UAC as the NAS IP, VRRP IP must be assigned for each cluster member. This assignment process automatically configures the VRRP membership for other members of the cluster, and sets the VRRP priority correctly so that the primary A-UAC owns the virtual IP when it is up.

The following procedure describes how to set the VRRP IP address and VRRP VLAN:

1. When configuring a new cluster, select the group folder under which the managed devices are located in the Managed Network node hierarchy, and then navigate to the Configuration > Services > Clusters tab.

2. Click + in the Clusters table to create a new cluster profile. The New Cluster Profile table is displayed.

3. Enter a name for the cluster.

4. Click + in the Controllers table to add a new controller. The Add Controller table is displayed.

5. Enter the VRRP IP and the VRRP VLAN field values of the managed device.

6. Click OK.

7. Similarly, enter the VRRP IP and the VRRP VLAN values for all managed devices.

 

Aruba recommends that you use the same controller-ip subnet as the VRRP-VLAN.

The following CLI commands set the VRRP IP address of the A-UAC as the NAS IP:

(host) [MD-cluster1]#lc-cluster group-profile primary-cluster

(host) [MD-cluster1](Classic Controller Cluster Profile "primary-cluster") #controller 10.15.43.2 vrrp-ip 100.1.1.2 vrrp-vlan 100

 

Following is an example of how to set the VRRP IP for a cluster with two managed devices:

(host) [MD]#lc-cluster group-profile primary-cluster

(host) [MD-cluster1](Classic Controller Cluster Profile "primary-cluster") #controller 10.15.43.2 vrrp-ip 100.1.1.2 vrrp-vlan 100

(host) [MD-cluster4](Classic Controller Cluster Profile "primary-cluster") #controller 10.15.43.5 vrrp-ip 100.1.1.5 vrrp-vlan 100

 

The following CLI commands verify the VRRP status for both managed devices:

(host) [MD-cluster1] #show vrrp

Virtual Router 220:

Description

Admin State UP, VR State MASTER

IP Address 100.1.1.2, MAC Address 00:00:5e:00:01:dc, vlan 100

Priority 255, Advertisement 1 sec, Preemption Enable Delay 0

Auth type NONE ********

tracking is not enabled

 

(host) [MD-cluster4] #show vrrp

Virtual Router 220:

Description

Admin State UP, VR State BACKUP

IP Address 100.1.1.2, MAC Address 00:00:5e:00:01:dc, vlan 100

Priority 235, Advertisement 1 sec, Preemption Enable Delay 0

Auth type NONE ********

tracking is not enabled
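An added example, not part of the Aruba documentation: a Python check that parses show vrrp output collected from every cluster member and confirms that each virtual router has exactly one MASTER and one agreed virtual IP, since that virtual IP is the NAS-IP the RADIUS server sees. It also reports instances whose advertisements show Auth type NONE. The sample outputs are constructed from the listings above; VRID 221, its address and the function names are assumptions.

```python
import re
from collections import defaultdict


def sample_block(vrid, state, vip, priority):
    """Constructed 'show vrrp' block in the layout shown on this page."""
    return (
        f"Virtual Router {vrid}:\n"
        "Description\n"
        f"Admin State UP, VR State {state}\n"
        f"IP Address {vip}, MAC Address 00:00:5e:00:01:{vrid:02x}, vlan 100\n"
        f"Priority {priority}, Advertisement 1 sec, Preemption Enable Delay 0\n"
        "Auth type NONE ********\n"
        "tracking is not enabled\n"
    )


# Constructed outputs for a two-member cluster (VRID 221 is an assumption).
HEALTHY = {
    "MD-cluster1": sample_block(220, "MASTER", "100.1.1.2", 255)
    + sample_block(221, "BACKUP", "100.1.1.5", 235),
    "MD-cluster4": sample_block(220, "BACKUP", "100.1.1.2", 235)
    + sample_block(221, "MASTER", "100.1.1.5", 255),
}
# Same cluster, but MD-cluster4 also claims VRID 220, as it would if the
# members stopped seeing each other's advertisements.
SPLIT = dict(HEALTHY)
SPLIT["MD-cluster4"] = (sample_block(220, "MASTER", "100.1.1.2", 235)
                        + sample_block(221, "MASTER", "100.1.1.5", 255))

BLOCK_RE = re.compile(r"^Virtual Router (\d+):", re.M)


def parse_show_vrrp(text):
    """Return {vrid: {state, vip, vlan, priority, auth}} for one member."""
    instances = {}
    parts = BLOCK_RE.split(text)  # ['', '220', body, '221', body, ...]
    for vrid, body in zip(parts[1::2], parts[2::2]):
        state = re.search(r"VR State (\w+)", body)
        addr = re.search(r"IP Address ([\d.]+), MAC Address \S+ vlan (\d+)", body)
        prio = re.search(r"Priority (\d+)", body)
        auth = re.search(r"Auth type (\S+)", body)
        if not (state and addr and prio and auth):
            raise ValueError(f"unparseable block for VRID {vrid}")
        instances[int(vrid)] = {
            "state": state.group(1),
            "vip": addr.group(1),
            "vlan": int(addr.group(2)),
            "priority": int(prio.group(1)),
            "auth": auth.group(1),
        }
    return instances


def audit_cluster_vrrp(outputs):
    """outputs: {member: show_vrrp_text}. Returns findings ordered by VRID."""
    by_vrid = defaultdict(dict)
    for member, text in outputs.items():
        for vrid, inst in parse_show_vrrp(text).items():
            by_vrid[vrid][member] = inst

    findings = []
    for vrid, members in sorted(by_vrid.items()):
        masters = sorted(m for m, i in members.items() if i["state"] == "MASTER")
        if len(masters) != 1:
            findings.append(
                f"VRID {vrid}: expected exactly one MASTER, found {masters}")
        vips = sorted({i["vip"] for i in members.values()})
        if len(vips) > 1:
            findings.append(f"VRID {vrid}: members disagree on virtual IP {vips}")
        missing = sorted(set(outputs) - set(members))
        if missing:
            findings.append(f"VRID {vrid}: not present on {missing}")
        # Any value other than NONE is treated as authenticated (assumption).
        if any(i["auth"] == "NONE" for i in members.values()):
            findings.append(
                f"VRID {vrid}: advertisements are unauthenticated (Auth type NONE)")
    return findings


if __name__ == "__main__":
    for label, outputs in (("healthy", HEALTHY), ("split", SPLIT)):
        print(label)
        for finding in audit_cluster_vrrp(outputs):
            print("  " + finding)
```
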

AP Failover to Different Cluster

Starting from ArubaOS 8.0.0.0, an AP can fail over between clusters. Redundancy across geographically separated data centers is supported. An AP terminates on an AAC in a cluster. If a member in the cluster fails, the AP fails over to the S-AAC in the same cluster. If the AP is unable to establish communication with any of the members in the first cluster, then it terminates on another cluster set up in the backup data center. It terminates on another cluster only if the other cluster member IP is provided in the AP system profile as backup LMS.

For example, a cluster with four managed devices is deployed in the West Coast data center. Similarly, a cluster with four managed devices is deployed in the East Coast data center. An AP is configured to have a primary termination on the West Coast data center and backup termination on the East Coast data center. If a managed device fails in the West Coast data center, then the AAC moves to another managed device in the same data center. However, if the entire West Coast data center is inaccessible to the AP, then it fails over to the East Coast data center.

Grouping Managed Devices Within a Cluster

Starting from ArubaOS 8.2.0.0, you can group managed devices within a cluster, which helps influence the S-AAC and S-UAC assignments. The preference for both S-AAC and S-UAC is given to the managed devices in different groups compared to the group which has the AAC and UAC configured.

A new parameter, group, is introduced in the lc-cluster group-profile command.

(host) #lc-cluster group-profile <profile>

controller <ip> [priority <prio>] [mcast-vlan <mcast_vlan>] [vrrp-ip <vrrp_ip> vrrp-vlan <vrrp_vlan> group <group number>]

AP Node List

When an AP joins a cluster, it learns the IP addresses of all the cluster members. These IP addresses are stored in a Node List, which is saved as an environment variable in the AP's flash memory. Therefore, when the AP reboots and comes back up, the AP checks the Node List and contacts the cluster member that is listed first in the Node List. If the cluster member that is first on the Node List is down or not reachable, then the AP dynamically tries the second cluster member listed in the Node List and so forth. The AP always finds a managed device as long as at least one managed device is active in the cluster.

 

The AP rebootstraps if the entire Node List is not reachable.

APmove

This feature allows an end user to move a specific AP from the current managed device to a target managed device. The apmove command reassigns an AP or AP group to any managed device.

Use the apmove command to move a specific AP to a specific assigned managed device in the following scenarios:

To move some specific APs to another managed device without changing any configuration.

If there is no failover or rebootstrap configuration between the current managed device and the target managed device.

You can execute the apmove command in the following setups:

Same cluster group — apmove can only be executed on a cluster managed device leader.

Same HA — this command is executed on the HA-Active node and the AP fails over to HA standby.

Normal topology — In a non-cluster setup, apmove can be executed on the node to move an AP from the current managed device to another managed device.

The following CLI command moves a specific AP:

If cluster is enabled, the system access point monitor process checks whether the current node is the cluster leader. If not, it displays an error and the cluster leader's IP address is provided to the end-user. The end-user can then locate the cluster leader and execute the command in the correct managed device.

The apmove command is executed as follows:

(host) [mynode] (config) #apmove <ap-mac> <target-ip>

(host) [mynode] (config) #apmove <ap-group/all> <source-ip> <target-ip>

 

Parameter       Description
ap-mac          MAC address of a specific AP.
ap-group/all    APs in specific group or all APs in the specific managed device.
source-ip       Specific managed device from which the specific APs are to be moved.
target-ip       Specific managed device to which the APs are to be moved.

When the target IP is within the cluster, the APmove is initiated from the cluster leader. When the target IP is outside the cluster, APmove is initiated on the AAC or S-AAC.

When APmove is initiated from the AAC, the AP gets the target IP and sets the APmove master variables. If the APmove target is a managed device outside the current cluster, then the AP rebootstraps and connects to that target managed device. Irrespective of whether the target node is in another cluster or not, the AP nodelist is purged if target IP is outside the cluster. If the target managed device is part of another cluster, then a new nodelist is sent to the AP. If the AP is unable to connect to any of the nodes in the nodelist, it falls back to other known entities such as previous_lms, backup_lms, master, and so on.

In a cluster environment, the priority given by the AP when APmove is initiated is as follows:

1. APmove master (only used in cluster upgrade scenario)

2. Cluster nodelist

3. Previous LMS (CPsec-enabled only)

4. Master variables

 

A nodelist is introduced to avoid multiple redirections to the AP and allows the AP to directly connect to the previous known AAC. However, if the previous known AAC is down, the AP connects to any of the nodes in the nodelist.

EST Support for Cluster

In a cluster setup, the APs establish IPsec tunnels with the AAC, S-AAC, and UAC. Starting from ArubaOS 8.4.0.0, the cluster members use enrolled certificates for IPsec tunnel authentication instead of using factory certificates.

When Enrollment over Secure Transport (EST) is enabled in a cluster setup, the AAC sends the EST parameters to the APs, and the APs undergo enrollment and establish an IPsec tunnel with all the cluster members using these enrolled certificates.

The existing cluster gets disconnected on EST activation and all the APs reboot as part of EST enrollment. During this process, the IPsec tunnels on the cluster peer are deleted, which results in the cluster getting disconnected on that peer. This ensures that the cluster traffic does not go to the peers without getting encrypted or encapsulated.

 

It is recommended to enable EST on all the cluster members before enabling cluster group-membership.

Configuring EST support for cluster

To configure EST support for cluster, refer to the Certificate Enrollment Using EST section.

Remote AP Support with Cluster behind NAT

Previously, Remote APs were supported only with public IP addresses for all the managed devices in a cluster deployment. A cluster behind NAT could not work with Remote APs because the managed devices in the cluster use switch IPs that are in a private domain, to which the Remote AP does not have access.

Starting from ArubaOS 8.4.0.0, Remote APs can map the managed device’s private address to a public space by obtaining the private IP and public IP address mapping from a cluster. Therefore, the cluster behind NAT is supported with Remote APs.

Key Consideration

Remote APs are provisioned with any of the public IP addresses that the cluster is using.

NAT mapping is configured in the customer NAT device according to what the cluster profile is using.

The mapping must be allowed even if a firewall is configured.

Limitations

Configuration of the same public IP for different nodes in the same cluster profile is not allowed.

Configuring the same public IP across different cluster profiles is allowed only when one profile is active across all cluster members.

Cluster is not supported for external whitelist-db.

 

Mapping between the public and private addresses configured in the cluster profile must be configured in the NAT device as well.

The following procedure describes how to enable a Cluster behind NAT with Remote APs:

1. In the Managed Network node hierarchy, navigate to the Configuration > Services > Clusters tab.

2. Click + in the Clusters table to create a new cluster profile. The New Cluster Profile table is displayed.

3. Enter the cluster name, rapcluster.

4. Enter the RAP Public IP along with the parameters listed in

5. Click Submit.

6. Then, in the Cluster Profile tab, select rapcluster from the cluster group-membership drop-down list.

7. Click Submit.

8. Click Pending Changes.

9. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands map the public and private addresses with the Remote AP in a cluster profile:

(host) [cluster] (config) #lc-cluster group-profile rapcluster

(host) [cluster] (Classic Controller Cluster Profile "rapcluster") #controller 10.10.10.1 rap-public-ip 100.100.100.101

(host) [cluster] (Classic Controller Cluster Profile "rapcluster") #controller 10.10.10.2 rap-public-ip 100.100.100.102

(host) [cluster] (Classic Controller Cluster Profile "rapcluster") #controller 10.10.10.3 rap-public-ip 100.100.100.103

(host) [cluster] (Classic Controller Cluster Profile "rapcluster") #controller 10.10.10.4 rap-public-ip 100.100.100.104

 

When this profile is configured in the group-membership, then the corresponding public IP for that cluster member is used.

The following CLI commands check if the public IP of the Remote AP is configured based on the controller's private IP address:

(host) #show lc-cluster group-profile

 

IPv4 Cluster Members

--------------------

CONTROLLER-IP PRIORITY MCAST-VLAN VRRP-IP VRRP-VLAN GROUP-ID RAP-PUBLIC-IP

------------- -------- ---------- ------- --------- -------- -------------

10.17.62.194 128 0 1.1.1.1 200 0 10.10.10.11

10.17.62.195 128 0 1.1.1.2 200 0 10.10.10.12

VRRP ID and Passphrase

Cluster allows users to set the starting value of VRRP ID and passphrase for a virtual IP in the cluster profile to avoid VRRP conflict. That is, cluster VRRP members will be assigned consecutive VRRP IDs starting from the value configured.

Traditionally, when a user configured a virtual IP in a cluster, ArubaOS automatically configured the VRRP groups between the range, 220 - 225. This led to VRRP conflicts when multiple clusters shared the same L2 network. Therefore, to avoid VRRP conflict, clusters now allow users to set the VRRP ID for a virtual IP in the cluster profile.

Following parameters can be set by the user in the cluster configuration profile:

Specify the starting VRRP ID

Specify the VRRP passphrase for securing the VRRP session

The following CLI commands configure the VRRP ID and VRRP passphrase:

lc-cluster group-profile <profile-name>

vrrp-id <starting id> [ vrrp-passphrase <vrrp passphrase string>]

 

Parameter          Description
vrrp-id            This is an optional parameter which specifies the starting VRRP ID for cluster members. If this is not configured, system automatically configures VRRP groups within the range of 220-225.
vrrp-passphrase    This is an optional password of up to 8 characters that can authenticate VRRP peers in their advertisements. If this is not configured, there is no authentication password.

The following CLI command checks the configuration:

(host) #show lc-cluster group-profile v4cluster

IPv4 Cluster Members

--------------------

CONTROLLER-IP PRIORITY MCAST-VLAN VRRP-IP VRRP-VLAN GROUP-ID RAP-PUBLIC-IP

------------- -------- ---------- ------- --------- -------- -------------

10.20.101.12 128 0 0.0.0.0 0 0 0.0.0.0

10.20.101.5 128 0 0.0.0.0 0 0 0.0.0.0

10.20.101.20 128 0 0.0.0.0 0 0 0.0.0.0

10.20.101.7 128 0 0.0.0.0 0 0 0.0.0.0

Redundancy:Yes

Active Client Rebalance Threshold:20%

Standby Client Rebalance Threshold:40%

Unbalance Threshold:5%

Active AP Load Balancing:YES

Active AP Rebalance Threshold:20%

Active AP Unbalanced Threshold:5%

Active AP Rebalance Count:50

Active AP Rebalance Timer:1 mins

Starting VRRP ID:99

VRRP Passphrase:********
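An added example, not part of the Aruba documentation: a Python audit over show lc-cluster group-profile output gathered from several clusters. It derives the consecutive VRRP IDs each profile uses from its starting ID, reports ID collisions between profiles whose members share a VRRP VLAN, and reports a RAP public IP repeated within one profile. The profile names, addresses and outputs are constructed, and treating 0.0.0.0 as "not configured" is an assumption.

```python
import re
from itertools import combinations

DEFAULT_START_ID = 220  # per this page, used when vrrp-id is not configured
UNSET = "0.0.0.0"       # assumption: 0.0.0.0 in the table means not configured
IP = r"(\d+\.\d+\.\d+\.\d+)"
ROW_RE = re.compile(rf"^{IP}\s+(\d+)\s+(\d+)\s+{IP}\s+(\d+)\s+(\d+)\s+{IP}\s*$")

HEADER = (
    "IPv4 Cluster Members\n"
    "--------------------\n"
    "CONTROLLER-IP PRIORITY MCAST-VLAN VRRP-IP VRRP-VLAN GROUP-ID RAP-PUBLIC-IP\n"
    "------------- -------- ---------- ------- --------- -------- -------------\n"
)
# Constructed outputs for two clusters that share VRRP VLAN 100.
CAMPUS_A = HEADER + (
    "10.15.43.2 128 0 100.1.1.2 100 0 0.0.0.0\n"
    "10.15.43.3 128 0 100.1.1.3 100 0 0.0.0.0\n"
    "10.15.43.4 128 0 100.1.1.4 100 0 0.0.0.0\n"
    "10.15.43.5 128 0 100.1.1.5 100 0 0.0.0.0\n"
    "Starting VRRP ID:220\n"
)
CAMPUS_B = HEADER + (
    "10.15.44.2 128 0 100.1.1.12 100 0 100.100.100.101\n"
    "10.15.44.3 128 0 100.1.1.13 100 0 100.100.100.101\n"
    "10.15.44.4 128 0 100.1.1.14 100 0 100.100.100.103\n"
    "Starting VRRP ID:222\n"
)


def parse_group_profile(text):
    """Extract member rows and the starting VRRP ID from one profile listing."""
    members, start = [], DEFAULT_START_ID
    for line in text.splitlines():
        line = line.strip()
        row = ROW_RE.match(line)
        if row:
            ip, _prio, _mcast, vrrp_ip, vrrp_vlan, _group, rap_ip = row.groups()
            members.append({"ip": ip, "vrrp_ip": vrrp_ip,
                            "vrrp_vlan": int(vrrp_vlan), "rap_public_ip": rap_ip})
        elif line.startswith("Starting VRRP ID:"):
            start = int(line.split(":", 1)[1])
    return {"members": members, "start_id": start}


def vrrp_ids(profile):
    """Consecutive IDs, one per member that has a VRRP IP configured."""
    count = sum(1 for m in profile["members"] if m["vrrp_ip"] != UNSET)
    return range(profile["start_id"], profile["start_id"] + count)


def vrrp_vlans(profile):
    return {m["vrrp_vlan"] for m in profile["members"] if m["vrrp_ip"] != UNSET}


def audit_profiles(outputs):
    """outputs: {profile_name: show_output_text}. Returns a list of findings."""
    profiles = {name: parse_group_profile(text) for name, text in outputs.items()}
    findings = []
    for name, profile in sorted(profiles.items()):
        seen = {}
        for m in profile["members"]:
            rap = m["rap_public_ip"]
            if rap == UNSET:
                continue
            if rap in seen:
                findings.append(f"{name}: RAP public IP {rap} is shared by "
                                f"{seen[rap]} and {m['ip']}")
            seen.setdefault(rap, m["ip"])
        ids = vrrp_ids(profile)
        if ids and ids[-1] > 255:  # a VRRP ID is a single byte, 1 to 255
            findings.append(f"{name}: VRRP IDs run past 255 (last is {ids[-1]})")
    for (a, pa), (b, pb) in combinations(sorted(profiles.items()), 2):
        shared = sorted(vrrp_vlans(pa) & vrrp_vlans(pb))
        clash = sorted(set(vrrp_ids(pa)) & set(vrrp_ids(pb)))
        if shared and clash:
            findings.append(f"{a} and {b}: VRRP IDs {clash} collide on VLAN {shared}")
    return findings


if __name__ == "__main__":
    for finding in audit_profiles({"campus-a": CAMPUS_A, "campus-b": CAMPUS_B}):
        print(finding)
```
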
