Cluster Roles

Gateway clustering with AOS 10.

Cluster Roles

Gateways in a cluster are assigned various roles to distribute client and device sessions between the available nodes. For each cluster, one Gateway is elected cluster leader, which is responsible for device session assignment, bucket map computation and node list distribution. In addition to the cluster leader role, a Gateway may assume one or more of the following roles:

  • Device Designated Gateway (DDG) or Standby Device Designated Gateway (S-DDG)

  • Switch Designated Gateway (SDG) or Standby Switch Designated Gateway (S-SDG)

  • User Designated Gateway (UDG) or Standby User Designated Gateway (S-UDG)

  • VLAN Designated Gateway (VDG) or Standby VLAN Designated Gateway (S-VDG)

The roles assigned to Gateways within a cluster depend on the number of cluster nodes, the persona of the Gateways, and the types of devices that are tunneling client traffic to the cluster. The UDG/S-UDG roles are assigned to Gateways for tunneled clients, DDG/S-DDG roles are assigned to Gateways for APs, and SDG/S-SDG roles are assigned to Gateways for UBT switches. VDG/S-VDG roles are assigned to Branch Gateways configured for Default Gateway mode that terminate user VLANs.

A cluster can consist of a single Gateway or multiple Gateways. A single Gateway is still considered a cluster as the cluster name must be selected for profiles configured for mixed and tunnel forwarding. When a cluster consists of a single Gateway, no standby sessions are assigned as there are no Gateways available to assume the standby roles. Standalone Gateways will assume the cluster leader and designated role for client and device sessions. When a cluster consists of two or more Gateways, designated and standby roles are distributed between the available cluster nodes.

Bucket Maps

The cluster leader is responsible for computing a bucket map for the cluster which is published to both APs and UBT switches by their assigned DDGs. Unlike AOS 8 where a bucket map was published per ESSID, in AOS 10 one bucket map is published per cluster. APs and UBT switches tunneling to multiple clusters will have a published bucket map for each cluster.

Bucket maps are used by APs and UBT switches to determine the UDG and S-UDG session assignments for each tunneled client. Each tunneled client is assigned a UDG to anchor north / south traffic. To determine the active and standby UDG role assignments, the last 3 bytes of each client’s MAC address are XORed to derive a decimal value (0-255), which is used as an index into the bucket map table to determine the UDG and S-UDG assignments. Each AP and switch that is tunneling to a cluster is provided with the same bucket map. If multizone is deployed, each AP and UBT switch receives a separate bucket map for each cluster.

The following illustration provides an example bucket map published by a two-node homogeneous cluster. Each Gateway in the UDG list is assigned a numerical value (0 and 1 in this case) and has an equal number of active and standby assignments. Each client MAC address is hashed to provide a numerical index value (0-255) that determines the client’s active and standby UDG assignment. In this example, the hashed index value 32 assigns node 0 as the UDG and node 1 as the S-UDG, while the index value 15 assigns node 1 as the UDG and node 0 as the S-UDG.

Bucket map output from a gateway cluster.
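The hashing and lookup described above, as an added illustration that is not HPE Aruba Networking code: the XOR of the last three MAC bytes and the alternating node 0 / node 1 layout follow this page, while the exact on-box hash, the order in which the cluster leader fills buckets and the sample MAC addresses (chosen to hash to 32 and 15) are assumptions.

```python
# Added illustration, not HPE Aruba Networking code: derive a client's bucket
# index from its MAC address and look up the UDG / S-UDG pair in a bucket map
# for a two-node homogeneous cluster. The XOR of the last three MAC bytes and
# the alternating node 0 / node 1 layout follow the page's description; the
# on-box hash and the bucket fill order are assumptions.
from __future__ import annotations

BUCKETS = 256


def bucket_index(mac: str) -> int:
    """Return the bucket index (0-255) for a MAC such as 'aa:bb:cc:dd:ee:ff'."""
    octets = [int(part, 16) for part in mac.lower().replace("-", ":").split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    d, e, f = octets[3:]          # the last three bytes of the address
    return d ^ e ^ f              # XOR of three bytes always fits in 0-255


def two_node_bucket_map() -> list[tuple[int, int]]:
    """Bucket map for a two-node homogeneous cluster: node 0 and node 1
    alternate as UDG, and the other node is the S-UDG for that bucket."""
    return [(i % 2, (i + 1) % 2) for i in range(BUCKETS)]


def udg_assignment(mac: str, bucket_map: list[tuple[int, int]]) -> tuple[int, int, int]:
    """Return (index, UDG node, S-UDG node) for one tunneled client."""
    index = bucket_index(mac)
    udg, s_udg = bucket_map[index]
    return index, udg, s_udg


if __name__ == "__main__":
    bucket_map = two_node_bucket_map()
    # Constructed sample MACs chosen to hash to the indexes used in the text.
    for mac in ("3c:a8:2a:5a:4c:36", "b4:de:31:7f:3c:4c"):
        index, udg, s_udg = udg_assignment(mac, bucket_map)
        print(f"{mac} -> bucket {index:3d}: UDG node {udg}, S-UDG node {s_udg}")
```

Because the index depends only on the client MAC and every AP and switch receives the same map, a roaming client lands on the same UDG regardless of which AP it attaches through; the check in bucket_index rejects malformed addresses rather than silently producing an index.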

Roles and Tunnels

Each AP and UBT switch that is tunneling clients to a cluster will establish tunnels to each Gateway node within the cluster:

  • Campus AP – Establishes IPsec and GRE tunnels to each cluster node; this operation is orchestrated by Central.

  • EdgeConnect Microbranch AP – Establishes IPsec tunnels to each VPN Concentrator in a cluster; this operation is orchestrated by Central. When using centralized layer 2 (CL2) forwarding, GRE tunnels are encapsulated in the IPsec tunnels.

  • UBT Switches – Establish GRE tunnels to each cluster node based on switch configuration.

The role of each Gateway within a cluster determines which cluster node is responsible for exchanging signaling messages with APs and UBT switches, in addition to forwarding broadcast (BC), multicast (MC), and unicast traffic destined to tunneled clients.

Device                             Tunnel Type    Traffic Type                                                Gateway Role
Campus AP                          IPsec          Device Signaling & BC/MC to Clients                         DDG
                                   GRE            Unicast to / from Clients & BC/MC from Clients              UDG
EdgeConnect Microbranch AP (CL2)   IPsec          Device Signaling & BC/MC to Clients                         DDG
                                   GRE in IPsec   Unicast to / from Clients & BC/MC from Clients              UDG
UBT Switch                         GRE            Device Signaling & BC/MC to Clients (UBT 1.0)               SDG
                                   GRE            Unicast to / from Clients; BC/MC from Clients (UBT 1.0);    UDG
                                                  BC/MC to and from Clients (UBT 2.0)

Device Designated Gateway

Each AP is assigned a Device Designated Gateway (DDG) which is responsible for publishing the bucket map to the AP. The bucket map is used for UDG/S-UDG assignments for each tunneled client. One bucket map is published per cluster.

For each AP, the cluster leader selects a DDG and S-DDG as part of the initial orchestration and messaging. The assignments are performed in a round-robin fashion based on each cluster node’s device capacity and load. The resulting distribution will be even for homogeneous clusters and uneven for heterogeneous clusters as Gateways will have uneven device capacities. Higher capacity nodes will have more DDG/S-DDG assignments than lower capacity nodes.

Gateways with a DDG role are responsible for the following functions:

  1. Bucket map distribution

  2. Forwarding of north / south broadcast and multicast traffic destined to wireless clients

  3. Forwarding IGMP/MLD group membership reports for IP multicast

The S-DDG assumes the role of publishing the bucket map and other forwarding functions if the DDG is taken down for maintenance or fails. New DDG/S-DDG role assignments are event driven as nodes are added and removed from the cluster. There is no periodic load-balancing. If a failover occurs, the S-DDG assumes the DDG role and a new bucket map is published. Impacted devices from failover are assigned a new S-DDG node.

A cluster can accommodate multiple node failures and assign DDG and S-DDG roles until the cluster’s maximum device capacity has been reached. Once a cluster’s device capacity has been reached and additional nodes are lost, impacted APs will become orphaned as there is no remaining device capacity available in the cluster to accommodate new DDG role assignments.

DDG and S-DDG assignments are performed by the cluster leader and done in a round-robin fashion.

A depiction of the DDG and S-DDG assignments for a four-node heterogeneous cluster.

Switch Designated Gateway

Each UBT switch is assigned a Switch Designated Gateway (SDG) which, like the DDG role, is responsible for publishing the bucket map to the switches. Unlike APs, where the cluster leader dynamically determines each AP’s DDG and S-DDG role assignment, a UBT switch’s initial SDG assignment is determined by the explicit configuration of the primary and backup Gateways as part of the UBT configuration:

  • AOS-S – The Gateway’s IP address specified as the controller-ip or backup-controller-ip

  • AOS-CX – The Gateway’s IP address specified as the primary-controller-ip or backup-controller-ip

The switch’s initial SDG assignment is based on the controller-ip or primary-controller-ip defined as part of the switch configuration. The switch’s S-SDG assignment is automatic and is distributed between the cluster members based on capacity and load.

When a UBT switch first initializes, an attempt will be made to establish a PAPI session to the primary Gateway IP address specified in the configuration. If the primary Gateway IP does not respond, the secondary Gateway IP is used. Once a connection is established, an S-SDG role is assigned by the Gateway cluster leader.

Gateways with an SDG role are responsible for the following functions:

  1. Bucket map distribution

  2. Forwarding of broadcast and multicast traffic destined to UBT version 1.0 clients

  3. Forwarding IGMP/MLD group membership reports for IP multicast (UBT version 1.0)

The S-SDG assumes the role of publishing the bucket map and other forwarding functions if the SDG is taken down for maintenance or fails. If a failover occurs, the S-SDG assumes the SDG role and a new bucket map is published. Impacted devices from failover are assigned a new S-SDG node.

The initial SDG assignments are based on the switch configuration while the S-SDG assignments are performed by the Gateway cluster leader in a round-robin manner.

A depiction of the SDG and S-SDG assignments for a four-node heterogeneous cluster.

As the AOS-S / AOS-CX switch configuration influences the SDG role assignments, HPE Aruba Networking recommends assigning different primary and backup IP addresses to groups of switches to provide an even distribution of SDG roles between the available cluster nodes. The distribution must be performed manually by the switch admin when defining the golden configuration for each group of access layer switches.

An equal distribution of SDG roles between the available cluster nodes is especially important for UBT version 1.0 deployments as each cluster node with an SDG role for a group of UBT switches is responsible for replication and forwarding of broadcast and multicast traffic destined to UBT clients. Distributing the SDG role ensures that broadcast and multicast traffic replication and forwarding is distributed between all the available cluster nodes.

An example distribution of primary and secondary IP addresses for a four-node cluster is provided in the table below:

Switch Group   Primary IP   Backup IP
1              GW-A         GW-B
2              GW-B         GW-C
3              GW-C         GW-D
4              GW-D         GW-A
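A small planning check for the staggered configuration above, added here as an illustration and not HPE Aruba Networking code: it generates the rotation for any number of cluster nodes and switch groups, and reports how the initial SDG roles fall out, including the page's fallback rule when a primary does not respond at PAPI session setup. The Gateway labels stand in for the controller-ip / primary-controller-ip and backup-controller-ip values, and the group names and the unreachable-primary scenario are constructed.

```python
# Added illustration, not HPE Aruba Networking code: plan the staggered
# primary / backup Gateway addresses for groups of UBT switches and check the
# initial SDG distribution that results. Gateway labels stand in for the
# controller-ip / primary-controller-ip and backup-controller-ip values; the
# group names and the "unreachable primary" scenario are constructed.
from __future__ import annotations


def stagger(gateways: list[str], groups: list[str]) -> dict[str, tuple[str, str]]:
    """Group k points at gateways[k] as primary and the next Gateway as backup,
    wrapping around; for four nodes this reproduces the table on this page."""
    n = len(gateways)
    if n < 2:
        raise ValueError("staggering needs at least two cluster nodes")
    return {g: (gateways[k % n], gateways[(k + 1) % n]) for k, g in enumerate(groups)}


def initial_sdg(plan: dict[str, tuple[str, str]], reachable: set[str]) -> dict[str, str | None]:
    """Initial SDG per switch group: the primary, or the backup if the primary
    does not respond when the switch first brings up its PAPI session."""
    chosen = {}
    for group, (primary, backup) in plan.items():
        if primary in reachable:
            chosen[group] = primary
        elif backup in reachable:
            chosen[group] = backup
        else:
            chosen[group] = None          # neither responds: no SDG, switch cannot tunnel
    return chosen


def sdg_load(assignment: dict[str, str | None], gateways: list[str]) -> dict[str, int]:
    """Number of switch groups each Gateway serves as SDG (zero if none)."""
    load = {g: 0 for g in gateways}
    for gw in assignment.values():
        if gw is not None:
            load[gw] += 1
    return load


def is_balanced(load: dict[str, int]) -> bool:
    """Even distribution: no Gateway carries more than one group above another."""
    return max(load.values()) - min(load.values()) <= 1


if __name__ == "__main__":
    gws = ["GW-A", "GW-B", "GW-C", "GW-D"]
    groups = ["1", "2", "3", "4"]
    plan = stagger(gws, groups)
    for g, (p, b) in plan.items():
        print(f"switch group {g}: primary {p}, backup {b}")
    load = sdg_load(initial_sdg(plan, set(gws)), gws)
    print("staggered SDG load:", load, "balanced" if is_balanced(load) else "UNBALANCED")
    # Compare with every group pointing at the same primary and backup.
    naive = {g: ("GW-A", "GW-B") for g in groups}
    print("naive SDG load:", sdg_load(initial_sdg(naive, set(gws)), gws))
```

The naive case in the usage block is the one the recommendation guards against: with every switch group pointing at the same primary, one node becomes SDG for all of them and, for UBT 1.0, carries all broadcast and multicast replication to the UBT clients.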

User Designated Gateway

Each tunneled client is assigned a User Designated Gateway (UDG) to anchor north / south traffic. Each client’s unique MAC address is assigned a UDG and S-UDG via the bucket map that is published by the cluster leader for each cluster.

The bucket indexes used for UDG and S-UDG assignments are allocated in a round-robin fashion based on each cluster node’s client capacity. For homogeneous clusters, each Gateway in the cluster is allocated an equal number of buckets, while for heterogeneous clusters higher capacity nodes are allocated more buckets than lower capacity nodes. Client MAC address hashing provides good session distribution and also ensures that each client is anchored to the same Gateway while roaming.

Gateways with a UDG role are responsible for the following functions:

  • Forwarding broadcast and multicast traffic received from clients.

  • Forwarding of IP multicast traffic destined to UBT 2.0 clients.

  • Forwarding of unicast traffic (bi-directional).

The S-UDG assumes the forwarding functions if the UDG is removed from the cluster through maintenance or failure. A new bucket map is published by the cluster leader whenever nodes are added to or removed from the cluster; publication is event driven, and with AOS 10 there is no periodic load-balancing. If a failover occurs, the S-UDG assumes the UDG role and a new bucket map is published. Clients impacted by the failover are assigned a new S-UDG node.

A cluster can accommodate multiple node failures and assign UDG and S-UDG roles until the cluster’s maximum client capacity has been reached. Once a cluster’s client capacity has been reached and additional nodes are lost, impacted clients will become orphaned as there is no remaining client capacity available in the cluster to accommodate new UDG role assignments.

UDG/S-UDG role assignments are determined using the published bucket map for the cluster by hashing each client’s MAC address to determine an index value (0-255).

In this example the hashing results in Client 1 being assigned GW-A for UDG and GW-B for S-UDG while Client 2 is assigned GW-C for UDG and GW-D for S-UDG.
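The capacity-weighted bucket allocation and the event-driven re-publication after a node loss described in this section (the same weighted round-robin principle the DDG section applies to device sessions), as an added illustration that is not HPE Aruba Networking code. The Gateway names and client capacities are constructed, and the exact order in which the cluster leader fills buckets and picks standbys is an assumption; the weighting by capacity, the promotion of the S-UDG on failover, and the absence of a standby in a single-node cluster follow this page.

```python
# Added illustration, not HPE Aruba Networking code: a capacity-weighted
# allocation of the 256 UDG / S-UDG buckets and the re-published map after a
# cluster node is lost. Gateway names and client capacities are constructed,
# and the exact fill order used by the cluster leader is an assumption; the
# weighting by capacity, S-UDG promotion on failover and the "no standby in a
# single-node cluster" behaviour follow the page.
from __future__ import annotations

BUCKETS = 256


def allocate_buckets(nodes: dict[str, int]) -> list[tuple[str, str | None]]:
    """nodes maps Gateway name -> client capacity. Each node receives a share of
    the 256 buckets proportional to its capacity (equal shares for a homogeneous
    cluster); buckets are handed out round-robin, skipping nodes whose share is
    used up. The S-UDG is the next node in rotation, so it never equals the UDG;
    a single-node cluster gets no S-UDG."""
    names = list(nodes)
    total = sum(nodes.values())
    share = {n: BUCKETS * cap // total for n, cap in nodes.items()}
    for n in sorted(names, key=lambda n: -nodes[n])[: BUCKETS - sum(share.values())]:
        share[n] += 1                     # rounding remainder goes to the largest nodes
    bucket_map = []
    i = 0
    for _ in range(BUCKETS):
        while share[names[i % len(names)]] == 0:
            i += 1                        # this node's share is exhausted, skip it
        udg = names[i % len(names)]
        share[udg] -= 1
        i += 1
        s_udg = names[i % len(names)] if len(names) > 1 else None
        bucket_map.append((udg, s_udg))
    return bucket_map


def failover(bucket_map: list[tuple[str, str | None]], failed: str):
    """Re-publish the map after `failed` leaves the cluster. Buckets where it was
    UDG promote their S-UDG (or become orphaned if there was none); every bucket
    that lost its standby gets a new S-UDG from the remaining nodes.
    Returns (new_map, impacted_buckets, orphaned_buckets)."""
    remaining = sorted({n for pair in bucket_map for n in pair if n and n != failed})
    new_map, impacted, orphaned, i = [], 0, 0, 0
    for udg, s_udg in bucket_map:
        if udg == failed:
            udg, s_udg, impacted = s_udg, None, impacted + 1
        elif s_udg == failed:
            s_udg, impacted = None, impacted + 1
        if udg is None:
            orphaned += 1                 # no standby existed: clients lose their anchor
        elif s_udg is None and len(remaining) > 1:
            while remaining[i % len(remaining)] == udg:
                i += 1
            s_udg = remaining[i % len(remaining)]
            i += 1
        new_map.append((udg, s_udg))
    return new_map, impacted, orphaned


def udg_counts(bucket_map) -> dict[str, int]:
    """How many buckets each Gateway anchors as UDG."""
    counts = {}
    for udg, _ in bucket_map:
        if udg is not None:
            counts[udg] = counts.get(udg, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed four-node heterogeneous cluster: two large and two small nodes.
    cluster = {"GW-A": 2048, "GW-B": 2048, "GW-C": 1024, "GW-D": 1024}
    bucket_map = allocate_buckets(cluster)
    print("UDG buckets per node:", udg_counts(bucket_map))
    new_map, impacted, orphaned = failover(bucket_map, "GW-C")
    print("after GW-C loss:", udg_counts(new_map), "impacted:", impacted, "orphaned:", orphaned)
```

Running the block shows the larger nodes anchoring roughly twice as many buckets as the smaller ones, and after the loss of one node every bucket that referenced it either promotes its standby or receives a new one, which is why a failover touches more buckets than the failed node anchored as UDG. The orphaned count models only the single-node case; the page's capacity-exhaustion orphaning in larger clusters is not simulated here.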

Branch High Availability

When high availability (HA) is required for branch office deployments, a pair of Branch Gateways are deployed to terminate the WAN uplinks and VLANs within the branches and provide resiliency. Each Gateway is configured with an IP interface on the management and user VLANs, and Virtual Router Redundancy Protocol (VRRP) is automatically orchestrated to provide first-hop router redundancy and failover for clients and devices. Dynamic Host Configuration Protocol (DHCP) services may also be enabled to provide host addressing, and these also operate in HA mode.

With the convergence of clustering and branch HA, role assignments are further optimized to prevent client traffic from taking multiple hops within the cluster. Branch HA is enabled on pairs of Gateways using auto-site clustering and requires the default Gateway mode to be enabled within the Central configuration group. A peer connection is established between the Gateways at each site where a preferred leader is configured by the admin or is automatically elected.

The cluster leader performs the following roles within the cluster during normal operation:

  • VLAN designated Gateway (VDG) and VRRP active role for the management and user VLANs

  • DDG role for each AP

  • SDG role for each UBT switch

  • UDG role for each tunneled client

The leader is responsible for routing and forwarding of all branch management and client traffic during normal operation. The forwarding of WAN traffic is distributed between the Gateways and may traverse the virtual peer link. The assignment of all the active roles to the preferred Gateway ensures that all client traffic is anchored to the preferred Gateway during normal operation, preventing unnecessary east-west traffic. The VDG and VRRP state for the management and user VLANs is synchronized and pinned to the active Gateway. The secondary Gateway operates in a standby mode and assumes all the standby roles. The only client traffic that is forwarded by a standby Gateway is WAN traffic for any WAN uplinks it terminates.

If the active Gateway is taken down for maintenance or fails, the standby Gateway will take over all the active roles within the cluster along with all routing and forwarding functions. As multiple layers of convergence are required, failover is not seamless and will temporarily impact user traffic.

The DDG, SDG, UDG and VDG role assignments for a branch HA cluster.


Last modified: February 28, 2024 (614bf13)