Automatic Cluster Configuration for Branch Gateway Groups

Aruba Central supports automatic creation of clusters for the Branch Gateway groups. When gateways are added to a Branch Gateway group, the gateways of that group automatically form a cluster with the device MAC (Media Access Control) address.

For Tunnel and Mixed mode SSID (Service Set Identifier) configuration, administrators must associate a gateway cluster for client authentication, policy enforcement, and role assignment to clients.

Based on the type of SSID configured on the APs and user VLAN (Virtual Local Area Network), a gateway from the cluster is automatically assigned to the AP. The AP forwards client authentication requests to gateways. The User Designated Gateway (UDG) in the cluster derives the user role either locally or from an external authentication server, thus allowing clients to connect to the network.

Client and AP traffic is routed to the leader in a cluster if Branch HA and the cluster coexist. The Default Gateway Mode is also known as 1:1 redundancy because a cluster consists of two gateways, where one is the leader and the other is the member (two-node cluster). The active Device Designated Gateway (DDG), User Designated Gateway (UDG), and VLAN Designated Gateway (VDG) are always updated with the IP address of the leader. The standby DDG, UDG, and VDG are updated with the IP address of the member. Thus, the cluster leader has the VRRP (Virtual Router Redundancy Protocol) status of master and the cluster member has the VRRP status of backup.

The tunnel orchestrator service in Aruba Central automatically establishes secure tunnels between AP and each gateway present in the cluster. This allows APs to send client traffic to the tunnel mode network for role assignment and policy enforcement. For site-specific clusters, the tunnel orchestrator service automatically allows the devices on the particular site to establish tunnels among themselves.

In cluster mode, RADIUS (Remote Authentication Dial-In User Service) authentications are sourced or proxied from an interface. This is done to ensure that Change of Authorization (CoA) messages are sent to a highly available IP address that is specified for the Management VLAN.

The following configuration conditions apply for gateway clusters in Aruba Central:

  • To allow gateways to form a cluster, ensure that you assign gateways to the same group in Aruba Central.
  • For gateways in a group assigned to the same site, a secure tunnel is established between the APs and gateways of that site.

  • A Branch Gateway cluster consists of two gateways where one is the leader and the other is a member.
  • Gateways with ArubaOS 10.2 or later software versions can automatically form a cluster when assigned to a Branch Gateway group.

Branch Gateway Group Cluster Deployment Workflow

The following workflow explains the process to configure a Branch Gateway cluster using the UI options.

Step 1: Configuring a Branch Gateway Group

Aruba Branch Gateways operate at the branch to optimize and control WAN (Wide Area Network), LAN (Local Area Network), and cloud security services. The Branch Gateway provides features such as routing, firewall, security, website content filtering, and WAN compression. With support for multiple WAN connection types, the Branch Gateway routes traffic over the most efficient link based on availability, application, user-role, and link health. For more information, see Configuring Branch Gateway Groups Using the Guided Setup.

Step 2: Assign Gateways and AP to a Site

Aruba Central supports assigning gateways to groups for ease of configuration and maintenance. Aruba gateways running ArubaOS 10.2 or later versions can form a cluster automatically when they are assigned to a Branch Gateway group. Optionally, the gateways assigned to the same site can automatically form clusters among themselves. Ensure that you add a gateway (a maximum of two gateways) and an AP to the same site. For more information, see Assigning Gateways to Sites.

Step 3: Configure the Gateway Cluster for a Branch Gateway Group

A gateway cluster consists of Aruba Branch Gateways. For tunnel mode and mixed mode SSID configuration, you must associate a gateway cluster for client authentication, policy enforcement, and role assignment. The gateway clusters are created automatically for a Branch Gateway group. For more information, see Cluster Mode for a Branch Gateway Group.
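
The configuration conditions listed earlier and the site assignment in Step 2 can be checked against a device inventory before relying on automatic cluster formation. The following is an added example, not Aruba code or an Aruba Central API: the inventory layout, field names, device names, and version strings are constructed for illustration.

```python
from collections import defaultdict

MIN_AOS = (10, 2)  # page: ArubaOS 10.2 or later can form a cluster automatically

def parse_version(text):
    """Return (major, minor) as integers so 10.10 compares above 10.2."""
    parts = text.split(".")
    return int(parts[0]), int(parts[1])

def check_sites(devices):
    """Return {site: [problem, ...]} for a list of device dicts.

    Each dict uses hypothetical keys: name, type ("gateway" or "ap"),
    site, and for gateways also group and version.
    """
    by_site = defaultdict(list)
    for dev in devices:
        by_site[dev["site"]].append(dev)
    report = {}
    for site, members in sorted(by_site.items()):
        gws = [d for d in members if d["type"] == "gateway"]
        aps = [d for d in members if d["type"] == "ap"]
        problems = []
        if not gws:
            problems.append("no gateway assigned to the site")
        if len(gws) > 2:
            problems.append("more than two gateways at the site")
        if len({g["group"] for g in gws}) > 1:
            problems.append("gateways are in different groups")
        for g in gws:
            if parse_version(g["version"]) < MIN_AOS:
                problems.append(f"{g['name']} runs {g['version']}, below 10.2")
        if gws and not aps:
            problems.append("no AP assigned to the site")
        report[site] = problems
    return report

# Constructed sample inventory (not real devices or a real export format).
INVENTORY = [
    {"name": "gw-a", "type": "gateway", "site": "branch-01", "group": "BG-East", "version": "10.4.0.2"},
    {"name": "gw-b", "type": "gateway", "site": "branch-01", "group": "BG-East", "version": "10.4.0.2"},
    {"name": "ap-1", "type": "ap", "site": "branch-01"},
    {"name": "gw-c", "type": "gateway", "site": "branch-02", "group": "BG-East", "version": "8.7.1.4"},
    {"name": "gw-d", "type": "gateway", "site": "branch-02", "group": "BG-West", "version": "10.4.0.2"},
]

if __name__ == "__main__":
    for site, problems in check_sites(INVENTORY).items():
        print(site, "OK" if not problems else "; ".join(problems))
```

Versions are compared as integer tuples because a plain string comparison would rank "10.10" below "10.2".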