Mod15MBC Master Local Operation 6.3 v1.3

8/17/2019 Mod15MBC Master Local Operation 6.3 v1.3

http://slidepdf.com/reader/full/mod15mbc-master-local-operation-63-v13 1/36

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

Aruba Bootcamp – Master-Local Operation

15-1





15-2





15-3

You may choose to deploy multiple controllers to scale your network to support the number ofusers or the amount of bandwidth that you may require. When deploying multiple controllers, thereis usually a master controller (maybe a backup) and local controllers. There may be only one

local, or many, depending upon your network requirements.

When you have a master/local architecture, you create global configurations on the master. When

you save the config on the master, the global settings such as firewall, VAP and others, get pushed

to the local controllers.





15-4

Masters and locals communicate with each other over a secure connection. PAPI traffic is carriedthrough this IPSec tunnel. The tunnel is not used to carry user data.

The tunnel parameters must be provisioned on both the local and master controllers. But the local

controllers instantiate the tunnel.





15-5

You can use a common key between your master and all locals, or you can define unique keys.Unique keys are highly recommended for security.





15-6

Centralized licensing allows licenses to be shared among multiple controllers with a master/localrelationship,

Here are some best practices for Centralized Licensing in a Master/Local Topology

• The entire cluster should be upgraded to a release supporting centralized licensing (6.3).

• Any controller that is not running the 6.3 release will not be a part of centralized licensing.

• The master controller should be upgraded before the local.

• Enable centralized licensing on the master controller.

6





15-7

Using centralized licensing licenses can also be shared between master controllers. Enabling thecentralized license feature will not result in IPSEC tunnels being established between the mastercontrollers.

(Optional) Establish secure IPsec tunnels between the primary licensing server controller and thelicensing client controllers by enabling control plane security on that cluster of master controllers,

or by creating site-to-site VPN tunnels between the licensing server and client controllers. Thisstep is not required, but if you do not create secure tunnels between the controllers, the controllers

will exchange clear, unencrypted licensing information. This step is not required for a master-local

topology.

7





15-8

Centralized licenses are configured and controlled using a license pool from which the controllerscan draw their licenses. Additional licenses can be installed directly on a controller and not as partof the centralized license pool. These additional licenses do not go into the pool and are only used

by the single controller where they are installed.

8





15-99





15-10

A standby license sever can be configured in the event of a failure on the master license server.

10





15-11

If a master license server fails with no standby server present the local controllers will continue touse licenses from the pool for a limited period of time.

1. Locals will continue to operate with the

last received pool capacity for 30 days

2.

After 30 days, any shared licenses will be

deleted and the box will revert to whatever

licenses were originally installed on the

11





15-1212





15-13

WebUI configuration for centralized image upgrade is under the Maintenance page.

13





15-14

The upgrade status can be seen on the maintenance page.

14





15-15





15-16

Prior to AOS 6.3, when the image on the controller is upgraded, the APs associated to thiscontroller download their images AFTER the controller reboots and comes up with the new image.Once the AP downloads the new image, it needs to reboot and complete the AP boot process

(network discovery, connect to LMS IP, check image and config, build PAPI/GRE tunnels to LMS)before it can become operational and start serving WLAN clients.

"#$% &'( )*+, $%- &. /012- .3-4516 7-1$83- 0#9#0#:-; $%- 65<9=0- 3->8#3-6 753 1 ?59$3544-3

8@2316- AB 1445<#92 $%- &.; 1;;5?#1$-6 $5 $%1$ ?59$3544-3 $5 65<94516 $%- 9-< #012-; CDE'FD $%-

?59$3544-3 1?$8144B A55$; <#$% $%- 9-< #012-*

G'HDI '94B ;8@@53$-6 59 +)JJ, K+, 196 LMNJ ;-3#-; ?59$3544-3;*

16





15-17

Start by upgrading a partition on the controller to the desired SW version but do not reboot.

To D91A4- &. /012- .3-4516I

O* G1P#21$- $5 K1#9$-919?-QR.3-4516 &. /012-

M* S4#?T 59 U%-3-V $5 &?=P1$- &. /012- .3-4516*

+* .5#9$ $5 $%- ?533-?$ @13==59*

W*

(-4-?$ &.;I /$ #; @5;;#A4- $5 ?%55;- ;-4-?=P- &.; 753 /012- .3-4516* &.; ?19 A- ;@-?#X-6 1;

75445<;I

• &44 &.; 1;;5?#1$-6 $5 $%- ?59$3544-3

• & 4#;$ 57 &. Y358@;

• /96#P#6814 &.; ZAB [1@Q910-[\

]* C1;-6 59 $%- -N#;=92 4516 59 $%- ?59$3544-3, #$ #; @5;;#A4- $5 ;@-?#7B %5< 019B &.; ?19

17





15-18

Multiple controllers implies that you will have APs terminating on more than one controller. In orderto do this, you need to create multiple AP groups. Each group will have a unique LMS-IP addresssetting defining where the AP should terminate its GRE. There may be other settings you will want

to change as well. These choices will depend upon your network’s requirements.





15-19

When you configure AP groups on the master, all of the group settings get pushed to all localcontrollers. This occurs when the configuration is saved on the master controller. Each controllermay not actually need to use every group. But all groups are pushed to all controllers to support

AP provisioning.





15-20

In this illustration, only the highlighted AP Groups are used on each of the controllers. Yet eachcontroller knows about ALL AP Groups to assist in the AP boot provisioning process.





15-21

When you have multiple controllers, you need to specify where the APs should build their GREs.You do that by setting the LMS-IP address under the AP system profile. Remember, this affects all

APs assigned to this group.





15-22

The New York and the Miami controllers have multiple differences in this case beyond LMS-IP.They also advertise different SSIDs and use different vlans. These changes require different APgroups to ensure the settings are localized to that group of APs or that geography.





15-23

VLAN pooling assists in larger deployments within a single building by allowing multiple VLANs tosupport a single SSID. Users will be assigned to their VLAN based upon their MAC address.When the client associates to the AP, the controller looks at the client MAC, hashes the value, and

assigns the VLAN. The VLAN will remain constant within the building as long as the MAC addressand the number of VLANs remain the same.

This provides a client distribution across the different broadcast domains within the VLAN pool. It

does not guarantee load distribution though.





15-24

Here we wish to segment the users across multiple vlans to provide broadcast domain

segmentation for a single SSID.





15-25





15-26

To create a VLAN pool, simply add multiple VLANs to the VAP profile.





15-27

Named VLANs provide an efficient way of creating VAPs by associating the VAP to a VLAN byname rather than a VLAN number. This simplifies configuration and helps when configuringredundancy where backup VAPs on different controllers are supported by different VLAN IDs.

Named VLANs can also be used in a RADIUS server VSA.





15-28

As a simple example of using Named VLANs, consider this case where we have three controllers.Each of them needs to advertise the same SSIDs. By using named VLANs the VAP configurationfor each group is constant. Without Named VLANs, you would need to create 3 VAPs to identify

the VLAN settings.





15-29

Named VLANs can be used in a limited set of configurations. Reference this chart for details.





15-30

Named VLANs can be created in the CLI as illustrated on this page.

Hash type Even: Sets the assignment type as even.The Even assignment type is based on aneven distribution of VLAN pool assignments.

Hash type Hash: Sets the assignment type as hash. The hash type means that the VLANassignment is based on the station MAC address.





15-31

You can also create Named VLANS in the WebUI. It is actually done under the VLAN Pool Tab.





15-32





15-33





15-34





15-35




Date post:	06-Jul-2018
Category:	Documents
Upload:	ewofkewofk
View:	215 times
Download:	0 times

Mod15MBC Master Local Operation 6.3 v1.3

Documents