Remote APs
Overview
Also known as a RAP.
Steps:
- RAP IP pool on /mm
- Public addresses
- DNS
- Cluster
IP Pool
The RAPs use an IP address inside the IPSec tunnel. The scope of this address is limited to the AP and MD, which makes it a good candidate for link local addressing. Each RAP uses 1 address, so make sure the pool has at least as many addresses as there are RAPs.
It is configured as an lc-rap-pool at /mm.
By convention, we use the prefix rapp-.
CLI
Configure (at /mm):
lc-rap-pool rapp-rap 169.254.10.10 169.254.10.50
Verify:
(isb-mm-1) [mm] #show lc-rap-pool
IP addresses used in pool rapp-rap
169.254.10.10-169.254.10.21
IPv4 pool : Total - 12 IPs used - 29 IPs free - 41 IPs configured
IPv6 pool : Total - 0 IPs used - 0 IPs free - 0 IPs configured
LC RAP Pool Total Allocs/Deallocs/Reserves : 13/0/0
LC RAP Pool Allocs/Deallocs/Reserves(succ/fail) : 12/0/(0/0)
API
Config:
{
  "lc_rap_pool": [
    {
      "pool_end_address": "169.254.10.50",
      "pool_name": "rapp-rap",
      "pool_start_address": "169.254.10.10"
    }
  ]
}
Running the show command via API does not return (meaningfully) structured data (last tested on AOS 8.7.1.2).
Public addresses
The key requirement is n public legacy (IPv4) addresses for n controllers in the cluster.
Documentation suggests that the public address could exist on a NAT device.
We've opted to set it up directly on the MD.
This is done just like any other VLAN interface.
It doesn't make any sense to use IPv6 with the RAP service.
- If we knew we had IPv6 connectivity from the remote location, we could just set up the AP as a campus AP (CAP) with CPSec. Improved RAP discovery with Aruba Activate may be a compelling reason to go with a RAP anyway. We haven't yet gotten that far with the RAP setup, though.
- Too many ISPs still offer legacy-only connectivity.
Also, RAPs cannot use a VRRP address to connect to the cluster, so don't bother setting up an AP discovery VIP.
DNS
- RAPs must look for the MDs by DNS (since VRRP isn't an option)
- VT uses the address rap.mobility.nis.vt.edu
- This name must resolve to each of the public addresses of the MDs in the cluster.
- The MDs take care of load balancing once the RAP has connected, so any method DNS uses (round-robin, ordered list, etc.) is fine.
$ dig +short rap.mobility.nis.vt.edu
198.82.171.142
198.82.171.141
Cluster
The only extra step here is to provide the RAP external IP.
Remember to follow the usual clustering steps as well (VLAN excludes, joining the MD to the cluster, etc.).
CLI
(isb-mm-1) [rap] #show configuration committed | begin lcc-
lc-cluster group-profile "lcc-col-rap"
controller 172.16.1.31 priority 255 mcast-vlan 299 vrrp-ip 172.16.1.41 vrrp-vlan 299 group 0 rap-public-ip 198.82.171.141
controller 172.16.1.32 priority 128 mcast-vlan 299 vrrp-ip 172.16.1.42 vrrp-vlan 299 group 0 rap-public-ip 198.82.171.142
!
API
{
  "cluster_prof": [
    {
      "cluster_controller": [
        {
          "group_id": 0,
          "ip": "172.16.1.31",
          "mcast_vlan": 299,
          "prio": 255,
          "rap_public_ip": "198.82.171.141",
          "vrrp_ip": "172.16.1.41",
          "vrrp_vlan": 299
        },
        {
          "group_id": 0,
          "ip": "172.16.1.32",
          "mcast_vlan": 299,
          "prio": 255,
          "rap_public_ip": "198.82.171.142",
          "vrrp_ip": "172.16.1.42",
          "vrrp_vlan": 299
        }
      ],
      "profile-name": "lcc-col-rap",
      "vrrp_info": {
        "vrrp_id": 240,
        "vrrp_passphrase": ""
      }
    }
  ]
}
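A consistency check for the requirements above (pool at least as large as the RAP count, one distinct public address per controller, DNS name resolving to each of them), as an added example that is not part of the original page or of AOS. The function names are hypothetical, the inputs are the page's own API objects and dig answers embedded inline, and flagging DNS answers that are not a rap_public_ip is an added assumption.

```python
import ipaddress
import json

# Inputs copied from the page: lc_rap_pool and cluster_prof API objects
# (trimmed to the fields checked here) and the dig answers for the RAP name.
POOL_CFG = json.loads("""{"lc_rap_pool": [{"pool_name": "rapp-rap",
  "pool_start_address": "169.254.10.10", "pool_end_address": "169.254.10.50"}]}""")
CLUSTER_CFG = json.loads("""{"cluster_prof": [{"profile-name": "lcc-col-rap",
  "cluster_controller": [
    {"ip": "172.16.1.31", "rap_public_ip": "198.82.171.141"},
    {"ip": "172.16.1.32", "rap_public_ip": "198.82.171.142"}]}]}""")
DNS_ANSWERS = ["198.82.171.142", "198.82.171.141"]


def pool_size(pool):
    """Count the addresses in an inclusive start-end pool."""
    start = ipaddress.IPv4Address(pool["pool_start_address"])
    end = ipaddress.IPv4Address(pool["pool_end_address"])
    if end < start:
        raise ValueError(f"{pool['pool_name']}: end address precedes start")
    return int(end) - int(start) + 1


def check_rap_config(pool_cfg, cluster_cfg, dns_answers, rap_count):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    # Each RAP takes one inner-tunnel address, so the pool must cover them all.
    for pool in pool_cfg["lc_rap_pool"]:
        if pool_size(pool) < rap_count:
            problems.append(f"{pool['pool_name']}: {pool_size(pool)} addresses < {rap_count} RAPs")
    dns = set(dns_answers)
    for prof in cluster_cfg["cluster_prof"]:
        name = prof["profile-name"]
        public = [c.get("rap_public_ip") for c in prof["cluster_controller"]]
        # n controllers need n distinct public addresses.
        for ctrl, addr in zip(prof["cluster_controller"], public):
            if not addr:
                problems.append(f"{name}: controller {ctrl['ip']} has no rap_public_ip")
        assigned = {a for a in public if a}
        if len(assigned) < len([a for a in public if a]):
            problems.append(f"{name}: rap_public_ip reused across controllers")
        # The RAP name must resolve to every public address (assumption: and no others).
        for addr in sorted(assigned - dns):
            problems.append(f"{name}: {addr} missing from DNS")
        for addr in sorted(dns - assigned):
            problems.append(f"{name}: DNS returns {addr}, not a rap_public_ip")
    return problems


if __name__ == "__main__":
    # rap_count=12 matches the "12 IPs used" line in the show output.
    print(check_rap_config(POOL_CFG, CLUSTER_CFG, DNS_ANSWERS, rap_count=12) or "ok")
```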