Survivability

AOS-10 is dependent upon centralized services for normal operations. Any interruption of communication with those services can have an impact on the operations of AOS-10, so survivability of the network is a concern. The topic of survivability describes the impact of network outages on AOS-10 services, devices managed by Central, and client devices connecting to the network.

The purpose of this article is to capture the impact to clients, AOS-10 devices, and services if an outage prevents the AOS-10 devices from communicating with HPE Aruba Networking Central.

Client Devices

The following table captures the impact to client devices, roaming experience and traffic flows during an outage.

Feature or Service: Impact
Application Visibility: As enforcement is provided by access points (APs) and gateways, the classification and enforcement of applications and categories will continue with no loss of functionality. Reporting of application visibility metrics to Central will be lost during the outage.
Authentication:
  • Local / Centralized AAA: No impact if the AAA server is still reachable from the APs and/or gateways.
  • Cloud Authentication: As Cloud Authentication services reside in Central, new clients will be unable to join the network.
ClientMatch: As ClientMatch services reside in Central, no client steers, including sticky clients, band steering and load-balancing, will occur. Clients will still be able to attach and roam, but in a less optimized environment.
Roaming: Fast roaming is dependent on the Key Management Service (KMS) in Central to pre-distribute keys and user records. Some impact to fast roaming may occur:
  • Existing Clients: Will be able to fast roam to any neighboring APs that have previously received keys and user records. Roaming to non-neighboring APs will require a slow roam, as keys and user records will not have been distributed.
  • New Clients: Will perform slow roaming only, as keys and user records will no longer be distributed.
UCC: Reporting of call metrics to Central will be lost during the outage. Wi-Fi calling will also be unavailable if the service provider's evolved packet data gateway (e-PDG) is unreachable.
WebCC: As WebCC is dependent on BrightCloud, there may be some impact to traffic flows for unclassified applications when a cache miss occurs:
  • Gateways: If the gateways are the enforcement point, unclassified applications will be dropped if the Drop Packets during WebCC Miss option is enabled. Previously classified applications will be forwarded uninterrupted.
  • APs: If the APs are the enforcement point, unclassified applications will be dropped if a deny any rule is assigned to the user role. Previously classified applications will be forwarded uninterrupted.

Managed Devices

The following table captures the impact to AP and gateway management and data-plane during an outage:

Feature or Service: Impact
AirGroup: As the AirGroup service resides in Central, no new discovery information will be propagated to APs. Existing cached information will be maintained but not updated.
AirMatch: As the AirMatch service resides in Central, APs will continue to function with their existing channel, channel bandwidth, and EIRP settings and will respond to high noise and radar events. The APs will not receive newly calculated channel plan assignments from the AirMatch service until they are able to reconnect to Central.
Cloud Connect: See Tunnel Orchestration.
Clustering: Gateway Clustering is dependent on the Group / Site configuration in addition to Tunnel Orchestration:
  • New gateways: Cluster will not be established.
  • Operational / Connected gateways: Existing clusters will continue to function with no interruption. However, you will not be able to add or subtract nodes from the cluster.
DRT: As downloadable regulatory table (DRT) upgrades are dependent on Central, no DRT update will occur. APs will continue to function uninterrupted using their existing regulatory information.
IDPS: All devices will continue to function uninterrupted using their existing signatures.
Licensing: Devices will continue to function uninterrupted.
Mesh: Mesh operation is dependent on configuration from Central:
  • New Mesh APs: Will lose the ability to provision and configure new Mesh APs.
  • Existing Mesh APs: No impact to operation. AP and mesh metrics to Central will be lost during the outage.
MultiZone: See Tunnel Orchestration.
One Touch Provisioning (OTP): As OTP is dependent on Activate and Central, no new APs or gateways can be provisioned.
Route Orchestration (ORO): As the Route Orchestration service resides in Central:
  • New Devices: No routes will be orchestrated.
  • Operational / Connected Devices: AOS-10 devices will continue to function, but no new routing updates will be received.
Tunnel Orchestration (OTO): As Tunnel Orchestration services reside in Central:
  • New Devices / Not Previously Connected: No tunnels can be orchestrated.
  • Operational / Connected Devices: Once tunnels have been orchestrated, AOS-10 devices will fall back to legacy IPsec re-key methodology for tunnel maintenance.
  • Operational / Rebooted Devices: AOS-10 devices will cache previous tunnel destinations and will utilize legacy IPsec methods for tunnel creation and maintenance.
Security Policies: All devices will continue to function uninterrupted using their existing security policies.
Zero Touch Provisioning (ZTP): As ZTP is dependent on Activate and Central, no new APs or gateways can be provisioned.

Services

The following table captures the impact to services either consumed in Central or coordinated between Central and devices during an outage:

Feature or Service: Impact
Configuration Management: As configuration is dependent on Central, you will lose the ability to apply new configurations or make configuration changes to impacted devices. APs and gateways will continue to function using their existing configurations.
Events: No events will be triggered for impacted devices during the outage.
Firewall Logging: Reporting of firewall flows to Central will be lost during the outage.
IoT Operations: As the IoT connector services reside in Central:
  • Lose IoT visibility in the Aruba Central IoT Ops dashboard.
  • Unable to add/remove AP to connector mapping.
  • Unable to take app store actions (install, uninstall, update, etc.) on apps.
  • Unable to add more new connectors.
  • Previously established IoT integrations should function. (E.g., payloads will still continue to flow from AP to IoT Connector to partner endpoint.)
Location Services: As location services, Visual RF and API services reside in Central:
  • AP and client locations for impacted sites will not be accessible on the Visual RF dashboard in Central.
  • Location data for impacted devices and clients will not be available via the API.
Monitoring: All monitoring information will be lost for impacted devices. This includes APs, gateways and clients.
Presence Analytics: Presence Analytics data in the Dashboard for impacted sites will not be updated.
RAPIDS / WIDS/WIPS: As the RAPIDS services reside in Central:
  • APs will retain existing WIDS/WIPS state (e.g. rogue, interferer, containment BSSID, etc.) until it ages out.
  • No coordination scanning between APs.
  • No rogue triggers for wired / wireless containment.
  • No reporting or alerts.
  • All existing WIDS/WIPS state is lost if the AP is rebooted during the outage, and it will not be able to perform any WIDS/WIPS activities.

Last modified: September 19, 2024 (2b464ff)