Backup controller support for IPsec tunnel

The switch can be configured with two controllers that provide all of its services (ClearPass, Syslog, DNS, and AirWave). In that configuration one controller acts as the primary and the other functions as the backup controller.

  1. The aruba-vpn command is extended to accept a backup controller IP address.

     Command syntax:

       aruba-vpn type amp peer-ip <IP_addr> backup-peer-ip <IP_addr>
       no aruba-vpn type amp peer-ip <IP_addr> backup-peer-ip <IP_addr>

     In the following example, the CLI help shown after the primary peer IP lists the optional keywords; the final line applies the primary and backup controller addresses:

       switch(config)# aruba-vpn type amp peer-ip 171.0.0.1
       backup-peer-ip        Configure the Aruba VPN backup IP address.
       tos                   Configure the Aruba VPN tos value.
       ttl                   Configure the Aruba VPN ttl value.
       switch(config)# aruba-vpn type amp peer-ip 171.0.0.1 backup-peer-ip 171.0.0.3
  2. When both a primary and a backup controller are configured, the switch first establishes the IPsec tunnel with the primary controller.

  3. When a Dead Peer Detection (DPD) event is triggered for the existing IPsec session, the switch initiates a new IPsec session with either the primary or the backup controller.

  4. The switch retries the IPsec session with the primary and backup controllers alternately until an IPsec handshake succeeds.

  5. The switch re-establishes the IPsec tunnel with the same controller it is currently using when any of the following events occurs:

    • Switch IP address change

    • VLAN ID change

    • Redundancy switchover

  6. If the aruba-vpn type is amp, five consecutive AirWave check-in failures cause the existing tunnel to be torn down and a new IPsec tunnel to be established with the other controller.

NOTE:

ZTP continues to support the existing DHCP options for AirWave or controller IP discovery; both the primary and backup controller IP addresses can be provided through DHCP.
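The following Python model is added here as an illustration and is not Aruba switch code or part of this guide. It encodes the controller-selection rules of steps 2 to 6 so that an operator can trace which controller the switch targets after a given sequence of events (failed handshake, DPD, local change, AirWave check-in failures). The event names, method names, the rule that check-ins are only counted while a tunnel is up, and the choice of which peer is tried first after a DPD event are assumptions of the model; the five-failure threshold and the sample addresses 171.0.0.1 and 171.0.0.3 come from the text above.

```python
"""Model of the primary/backup controller selection rules (steps 2 to 6).

Added illustration, not Aruba code. Event names, method names and the peer
tried first after Dead Peer Detection are assumptions of this model.
"""

AIRWAVE_CHECKIN_FAILURE_LIMIT = 5  # "five consecutive AirWave check-in failures"
LOCAL_EVENTS = {"switch-ip-change", "vlan-id-change", "redundancy-switchover"}


class TunnelSelector:
    """Tracks which controller the switch currently targets for its IPsec tunnel."""

    def __init__(self, primary, backup=None, vpn_type="amp"):
        self.primary = primary
        self.backup = backup
        self.vpn_type = vpn_type
        self.target = primary        # step 2: the first attempt goes to the primary
        self.established = False
        self.checkin_failures = 0
        self.log = []

    def cli_command(self):
        """Render the aruba-vpn line that produces this configuration."""
        line = f"aruba-vpn type {self.vpn_type} peer-ip {self.primary}"
        if self.backup:
            line += f" backup-peer-ip {self.backup}"
        return line

    def _other(self):
        """The peer that is not the current target (the primary again if no backup)."""
        if self.backup is None or self.target == self.backup:
            return self.primary
        return self.backup

    def handshake(self, success):
        """Outcome of an IPsec handshake against self.target.
        Step 4: on failure, alternate to the other peer and retry."""
        if success:
            self.established = True
            self.checkin_failures = 0
            self.log.append(f"tunnel up to {self.target}")
        else:
            self.log.append(f"handshake with {self.target} failed")
            self.target = self._other()
        return self.target

    def dead_peer_detected(self):
        """Step 3: DPD on the existing session starts a new session attempt.
        The text allows either peer first; this model tries the other peer
        first (assumption)."""
        self.log.append(f"DPD: session with {self.target} is dead")
        self.established = False
        self.checkin_failures = 0
        self.target = self._other()
        return self.target

    def local_event(self, event):
        """Step 5: local changes re-establish the tunnel with the same controller."""
        if event not in LOCAL_EVENTS:
            raise ValueError(f"unknown event {event!r}")
        self.log.append(f"{event}: re-establishing with {self.target}")
        self.established = False
        return self.target

    def airwave_checkin(self, success):
        """Step 6 (type amp only): five consecutive check-in failures tear the
        tunnel down and move to the other controller. Check-ins are counted
        only while a tunnel is established (assumption)."""
        if self.vpn_type != "amp" or not self.established:
            return self.target
        if success:
            self.checkin_failures = 0
            return self.target
        self.checkin_failures += 1
        if self.checkin_failures >= AIRWAVE_CHECKIN_FAILURE_LIMIT:
            self.log.append(f"{self.checkin_failures} check-in failures: "
                            f"tearing down tunnel to {self.target}")
            self.established = False
            self.checkin_failures = 0
            self.target = self._other()
        return self.target


def failover_scenario():
    """Walk one constructed event sequence and return the targets in order."""
    s = TunnelSelector("171.0.0.1", "171.0.0.3")
    seen = [s.target]
    seen.append(s.handshake(False))               # primary unreachable -> try backup
    seen.append(s.handshake(True))                # backup answers -> tunnel up
    seen.append(s.local_event("vlan-id-change"))  # stays on the backup
    s.handshake(True)                             # tunnel re-established
    for _ in range(AIRWAVE_CHECKIN_FAILURE_LIMIT):
        seen.append(s.airwave_checkin(False))     # fifth failure moves to primary
    return seen


if __name__ == "__main__":
    print(failover_scenario())
```

Running the scenario shows the switch moving to the backup after one failed handshake, staying on the backup through a VLAN change, and returning to the primary only on the fifth consecutive AirWave check-in failure.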

Switch reachability to the controllers

Figure 37: Controllers through same VLAN
Figure 38: Controllers through different VLANs