Backup controller support for IPsec tunnel

ArubaOS-Switch supports two controllers with all the services such as CPPM, Syslog, DNS, and AirWave. In such scenarios, a controller is expected to function as a backup controller.

  1. The aruba-vpn command is extended to accept a backup controller IP address.

    aruba-vpn type amp peer-ip <IP_addr> backup-peer-ip <IP_addr>

    no aruba-vpn type amp peer-ip <IP_addr> backup-peer-ip <IP_addr>

    switch(config)# aruba-vpn type amp peer-ip 171.0.0.1
    backup-peer-ip        Configure the Aruba VPN backup IP address.
    tos                   Configure the Aruba VPN tos value.
    ttl                   Configure the Aruba VPN ttl value.

    switch(config)# aruba-vpn type amp peer-ip 171.0.0.1 backup-peer-ip 171.0.0.3
  2. When the switch is configured with both a primary and a backup controller, it establishes the IPsec tunnel with the primary controller first.

  3. The switch initiates a new IPsec session with either the primary or the backup controller once a Dead Peer Detection (DPD) event is triggered for the existing IPsec session.

  4. The switch retries the IPsec session with the primary and backup controllers alternately until an IPsec handshake succeeds.

  5. The switch re-establishes the IPsec tunnel with the same controller it is currently using when any of the following events occur:

    • Switch IP change

    • Vlan ID change

    • Redundancy switch over

  6. If the aruba-vpn type is amp, then after five consecutive AirWave check-in failures the existing tunnel is destroyed and an IPsec tunnel is established with the other controller.
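The six rules above describe a small peer-selection state machine. The following is an added illustration written for this page, not ArubaOS-Switch code: it models the documented policy in Python so the failover sequence can be traced on a constructed scenario. The class name `VpnPeerSelector`, the `reachable` callback standing in for the real IKE handshake outcome, and the event names are assumptions; the controller addresses 171.0.0.1 and 171.0.0.3 are taken from the CLI example above.

```python
"""Model of the primary/backup controller selection policy (added example).

Not ArubaOS-Switch code: a simplified state machine that encodes the rules
documented above so the failover behaviour can be followed step by step.
"""
from dataclasses import dataclass, field

CHECKIN_FAILURE_LIMIT = 5  # rule 6: five consecutive AirWave check-in failures
# rule 5: these events re-establish with the SAME controller (assumed event names)
SAME_PEER_EVENTS = {"switch_ip_change", "vlan_id_change", "redundancy_switchover"}


@dataclass
class VpnPeerSelector:
    peer_ip: str
    backup_peer_ip: str
    vpn_type: str = "amp"
    history: list = field(default_factory=list)   # (peer, handshake_ok) per attempt
    current: str = field(init=False)
    tunnel_up: bool = field(default=False, init=False)
    checkin_failures: int = field(default=0, init=False)

    def __post_init__(self):
        # rule 2: the first tunnel targets the primary controller
        self.current = self.peer_ip

    def other(self):
        return self.backup_peer_ip if self.current == self.peer_ip else self.peer_ip

    def handshake(self, reachable):
        """One IKE attempt against the current peer; `reachable(ip)` is a
        constructed predicate standing in for the real network outcome."""
        self.tunnel_up = reachable(self.current)
        self.history.append((self.current, self.tunnel_up))
        if self.tunnel_up:
            self.checkin_failures = 0
        return self.tunnel_up

    def establish(self, reachable, max_attempts=10):
        """rule 4: alternate primary/backup until a handshake succeeds."""
        for _ in range(max_attempts):
            if self.handshake(reachable):
                return True
            self.current = self.other()
        return False

    def on_dpd(self, reachable):
        """rule 3: DPD on the existing session triggers a new session."""
        self.tunnel_up = False
        return self.establish(reachable)

    def on_event(self, name, reachable):
        """rule 5: IP change, VLAN change, redundancy switchover keep the peer."""
        if name not in SAME_PEER_EVENTS:
            raise ValueError(f"unknown event {name}")
        self.tunnel_up = False
        return self.establish(reachable)

    def on_checkin(self, ok, reachable):
        """rule 6 (type amp only): count consecutive AirWave check-in failures;
        on the fifth, tear the tunnel down and move to the other controller."""
        if self.vpn_type != "amp" or ok:
            self.checkin_failures = 0
            return self.tunnel_up
        self.checkin_failures += 1
        if self.checkin_failures >= CHECKIN_FAILURE_LIMIT:
            self.checkin_failures = 0
            self.tunnel_up = False
            self.current = self.other()
            return self.establish(reachable)
        return self.tunnel_up


def demo():
    """Constructed scenario: primary 171.0.0.1, backup 171.0.0.3."""
    up = {"171.0.0.1": True, "171.0.0.3": True}

    def reachable(ip):
        return up[ip]

    sel = VpnPeerSelector("171.0.0.1", "171.0.0.3")
    sel.establish(reachable)                 # tunnel to primary
    up["171.0.0.1"] = False
    sel.on_dpd(reachable)                    # primary dead -> retry alternates -> backup
    up["171.0.0.1"] = True
    sel.on_event("vlan_id_change", reachable)  # stays on backup even though primary is back
    for _ in range(CHECKIN_FAILURE_LIMIT):   # five AirWave check-in failures on backup
        sel.on_checkin(False, reachable)     # -> tunnel moves to primary
    return sel


if __name__ == "__main__":
    s = demo()
    for peer, ok in s.history:
        print(f"handshake with {peer}: {'ok' if ok else 'failed'}")
    print("active controller:", s.current)
```

Running the scenario shows the alternating retry after DPD, the VLAN change staying on the current (backup) controller, and the check-in failure counter forcing the move back to the primary; if the other controller is unreachable at that point, `establish` simply alternates back, which is the same behaviour rule 4 gives for the initial handshake.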

NOTE:

ZTP continues to support the existing DHCP options for AirWave or controller IP discovery. You can configure both the primary and backup controller IPs in DHCP.

Switch reachability to the controllers

Controllers through same VLAN
Controllers through different VLANs