配置次要移动大师使用3层冗余

ArubaOS8.2.0.0 introduces support for a redundant pair of移动大师s in a layer 3 network. This prevents a scenario where a移动大师如果链接到移动大师下降，或共同定居的次级移动大师VRRPVirtual Router Redundancy Protocol. VRRP is an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN.控制器对由于网络故障或当地自然灾害而失败。

这移动大师第3层冗余中的s位于不同的2层网络中，并扮演主要和次要的角色移动大师s。Similar to Layer-2 redundancy, the primary and secondary移动大师s establishIPsecInternet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session.tunnel to securely synchronize data between them by using Layer-3 Master redundancy configuration.

It is mandatory to useVRRPVirtual Router Redundancy Protocol. VRRP is an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN.IPv6地址而不是开关IPv6地址以建立一个IPsecInternet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session.tunnel, whenVRRPVirtual Router Redundancy Protocol. VRRP is an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN.IPv6 address is configured in both primary and secondary移动大师s。This is to ensure that there are no database synchronization failures between primary and secondary移动大师s在3层冗余。

ArubaOSnow allows you to also configure IPv6 address of the peer移动大师建立IPv6IPsecInternet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session.tunnel between the primary and secondary移动大师s in Layer-3 Master redundancy configuration. All the applications that are involved in data synchronization between the two移动大师s use the IPv6 address of the peer移动大师。

For Layer-3 redundancy to work, ensure thatICMP互联网控制消息协议。ICMP是错误报告协议。网络设备（例如路由器）使用它，当网络问题阻止交付IP数据包时，将错误消息和操作信息发送到源IP地址。protocol is not blocked on托管设备s，，，，VPN虚拟专用网络。VPN可以在远程位置时可安全访问公司网络。它使计算机能够在共享或公共网络上发送和接收数据，就好像它直接连接到了专用网络一样，同时受益于专用网络的功能，安全性和管理策略。这是通过通过使用专用连接，加密或两者组合来建立虚拟点对点连接来完成的。concentrators, and移动大师s in the user network. Layer-3 redundancy is not supported on控制器s在主人中运行Controller模式 （7200系列and7030控制器s).

Configuring Layer-3 Redundancy

这Layer-3 redundancy feature will support Active-Standby Model. The Layer-3 redundancy role is driven by user configuration at both the primary and secondary移动大师。一旦设置了第3层冗余的系统，则将在主要时进行切换事件移动大师goes down. The secondary移动大师will provide the移动大师functionality without any user intervention.

托管设备将只有一条管理隧道移动大师在任何给定时间。这托管设备将尝试连接到次要移动大师如果它失去了与初级的连通性移动大师。这secondary移动大师will accept the management tunnel connections from a托管设备only if its tunnel with primary移动大师下降。这将确保仅在主要时处理3层切换事件移动大师下降，不是由于托管设备and primary移动大师。

However, since the applications under the托管设备use the IPv4 address to communicate with the移动大师， 这托管设备s建立具有主要或次级的IPv6隧道移动大师S和IPv4数据包通过IPv6隧道路由到移动大师。

Listed below are the salient features of Layer-3 Redundancy:

配置和数据库事件是从主要到辅助的自动同步的移动大师。

托管设备detect a failure in the primary移动大师并自动切换到次要移动大师after 15 minutes.

这switchover event in the托管设备如果有的话，将产生最小的服务影响。

Support for centralized licensing, a single license for both primary and secondary移动大师s。

Layer-2 and Layer-3 redundancy will work together.

When the primary移动大师comes back up all托管设备s将切换回主移动大师如果有的话，服务的影响很小。

以下过程在主上配置了3层主冗余移动大师：

1。In the移动大师节点层次结构，导航到配置>冗余> L3冗余tab.

2。选择theController role。

3。Enter the同步/iod(in hours).

这minimum value is 2 hours and the maximum value is 24 hours.

For Layer-2 redundancy, the minimum value is 1 minute and the maximum value is 25200 minutes.

4。Enter theIP address of the peer.

5。从Authenticationdrop-box.

a.Ifipsec键is selected as an authentication method, enter theipsec键of the peerandRe-type the key

b。If证书被选为身份验证方法和Factoryis selected as the证书type,enter thePeer's MAC address

C。If证书被选为身份验证方法和Customis selected as the certificate type, enter thePeer's MAC address, CA certificate, Server Certificate并选择一个Suite B algorithm从下拉列表中。

6。点击提交。

7.点击Pending Changes。

8.In thePending Changeswindow, select the check box and clickDeploy changes。

这following procedure configures the details of a primary移动大师on托管设备for L3 redundancy.

1。In theManaged Network节点层次结构，导航到配置>控制器tab.

2。Enable thel3 redudancytoggle switch.

3。选择直接的orViaVPN虚拟专用网络。VPN可以在远程位置时可安全访问公司网络。它使计算机能够在共享或公共网络上发送和接收数据，就好像它直接连接到了专用网络一样，同时受益于专用网络的功能，安全性和管理策略。这是通过通过使用专用连接，加密或两者组合来建立虚拟点对点连接来完成的。concentratorforConnection to master。

4。选择theIP address version of master。

5。Enter theIPv4 address of master.

6。Enter theFQDNFully Qualified Domain Name. FQDN is a complete domain name that identifies a computer or host on the Internet.控制器。

7.Choose the Source interface from theSource interfacedrop down list.

8.从Authenticationdrop-box.

a.Ifipsec键is selected as an authentication method, enter theipsec键of the peerandRe-type the key

b。If证书被选为身份验证方法和Factoryis selected as the证书type,enter thePeer's MAC address

C。If证书被选为身份验证方法和Customis selected as the certificate type, enter thePeer's MAC address, CA certificate, Server Certificate并选择一个Suite B algorithm从下拉列表中。

9.Enter theMACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network.主人的地址。

10.Enter theMACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network.address of the redundant master。

11。Enable theThis controller is acting asVPN虚拟专用网络。VPN可以在远程位置时可安全访问公司网络。它使计算机能够在共享或公共网络上发送和接收数据，就好像它直接连接到了专用网络一样，同时受益于专用网络的功能，安全性和管理策略。这是通过通过使用专用连接，加密或两者组合来建立虚拟点对点连接来完成的。concentratorcheck-box if the controller is aVPN虚拟专用网络。VPN可以在远程位置时可安全访问公司网络。它使计算机能够在共享或公共网络上发送和接收数据，就好像它直接连接到了专用网络一样，同时受益于专用网络的功能，安全性和管理策略。这是通过通过使用专用连接，加密或两者组合来建立虚拟点对点连接来完成的。集中器。

12。点击提交。

13。点击Pending Changes。

14。In thePending Changeswindow, select the check box and clickDeploy changes。

以下过程配置了次要的详细信息移动大师on托管设备for L3 redundancy.

1。In theManaged Network节点层次结构，导航到配置>控制器tab.

2。Enable thel3 redudancytoggle switch.

3。输入主要的详细信息移动大师。

4。扩张Secondary移动大师。

5。选择直接的orViaVPN虚拟专用网络。VPN可以在远程位置时可安全访问公司网络。它使计算机能够在共享或公共网络上发送和接收数据，就好像它直接连接到了专用网络一样，同时受益于专用网络的功能，安全性和管理策略。这是通过通过使用专用连接，加密或两者组合来建立虚拟点对点连接来完成的。concentratorforConnection to master。

6。选择theIP address version of master。

7.Enter theIPv4 address of master.

8.Enter theFQDNFully Qualified Domain Name. FQDN is a complete domain name that identifies a computer or host on the Internet.控制器。

9.Choose the Source interface from theSource interfacedrop down list.

10.从Authenticationdrop-box.

a.Ifipsec键is selected as an authentication method, enter theipsec键of the peerandRe-type the key

b。If证书被选为身份验证方法和Factoryis selected as the证书type,enter thePeer's MAC address

C。If证书被选为身份验证方法和Customis selected as the certificate type, enter thePeer's MAC address, CA certificate, Server Certificate并选择一个Suite B algorithm从下拉列表中。

11。Enter theMACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network.主人的地址。

12。Enter theMACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network.address of the redundant master。

13。Enable theThis controller is acting asVPN虚拟专用网络。VPN可以在远程位置时可安全访问公司网络。它使计算机能够在共享或公共网络上发送和接收数据，就好像它直接连接到了专用网络一样，同时受益于专用网络的功能，安全性和管理策略。这是通过通过使用专用连接，加密或两者组合来建立虚拟点对点连接来完成的。concentratorcheck-box if the controller is aVPN虚拟专用网络。VPN可以在远程位置时可安全访问公司网络。它使计算机能够在共享或公共网络上发送和接收数据，就好像它直接连接到了专用网络一样，同时受益于专用网络的功能，安全性和管理策略。这是通过通过使用专用连接，加密或两者组合来建立虚拟点对点连接来完成的。集中器。

14。点击提交。

15。点击Pending Changes。

16。In thePending Changeswindow, select the check box and clickDeploy changes。

这followingCLI命令行接口。带有命令行壳的控制台接口，允许用户执行文本输入为命令，并将这些命令转换为适当的函数。commands configure Layer-3 Master redundancy on the primary移动大师：

(MM-Primary) [mynode] (config) #master-l3redundancy

（mm-primary） ^[myNode]（config-submode）＃l3-peer-ip-address { | } ipsec

(MM-Primary) [mynode] (config) #write memory

这followingCLI命令行接口。带有命令行壳的控制台接口，允许用户执行文本输入为命令，并将这些命令转换为适当的函数。commands configure Layer-3 Master redundancy on the primary移动大师：

(MM-Primary) [mynode] (config) #master-l3redundancy

(MM-Primary) ^[mynode] (config-submode)#l3-peer-ip-address 2001:1001::201 ipsec aruba123

(MM-Primary) ^[mynode] (config) #write memory

这following sample is a Layer-3 Master redundancy configuration on the backup移动大师：

（mm-backup）[myNode]（config）#Seondary MasterIPV6 2001：1001 :: 203

(MM-Backup) ^[mynode] (config-submode)#peer-ip-address 192.168.10.243 ipsec aruba123

(MM-Backup) ^[mynode] (config) #write memory

确保托管设备has the same connection type between primary and secondary移动大师s to establish a tunnel usingPSKPre-shared关键。一个独特的共享密钥,公关eviously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access.，，，，custom, or factory-installed certificate.

Important

配置更改无法在次要上进行移动大师。在主要的情况下移动大师是倒下的，需要在次要上进行更改移动大师the user must change the sync state of the secondary移动大师到主要。

To preserve these configuration changes, a Layer-3 synchronization between the new primary移动大师and the old primary移动大师should take place. For the synchronization to take place the sync state of the old primary移动大师应将其从初级状态更改为二级状态。

When the L3 sync state of a移动大师从初级变为次要移动大师重新启动,以确保适当的清理工作的移动大师before new configurations or data is pushed from the new primary移动大师。

Once the roles of移动大师s逆转，用户应确保托管设备spoint to the correct primary移动大师and secondary移动大师by changing the respective master IP address addresses.

这change of master IP and secondary master IP address that takes place on the primary移动大师from the托管设备节点应在同一写入内存周期中完成。如果在同一写入内存周期中未完成此过程，则托管设备s可能指向与他们的主要和次要的IP相同移动大师s。If this happens reconfiguring the correct secondary masterip when the托管设备sare up will fix the issue.

这change of master IP and secondary master IP address that takes place on the primary移动大师from the托管设备节点应在同一写入内存周期中完成。如果在同一写入内存周期中未完成此过程，则托管设备s可能指向与他们的主要和次要的IP相同移动大师s。If this happens reconfiguring the correct secondary masterip when the托管设备sare up will fix the issue.

3层同行之间的数据库同步

Data synchronization between the Layer-3 peers only happens for the data that is already synchronized between Layer-3 pairs.

Table 1:Layer-3 Synchronization

	Synchronized Across Layer-3 Peers
配置	Yes
Database	Yes
证书	Yes
圈养门户圈养门户网站是一个网页，允许用户在连接到公共访问网络之前进行身份验证和登录。圈养门户通常由商务中心，机场，酒店大厅，咖啡店和其他为客人提供免费Wi-Fi热点的场所使用。	Yes
Dynamic State Information of Services	No
监视数据	No
数据分配服务状态	No

Activate Provisioning

这Activate provisioning rule is enhanced to include the following data when Layer-3 Redundancy level is configured. Separate titles for primary data center and secondary data center are displayed to differentiate information.

初级数据中心二级数据中心

=================== =====================

主要主控制器：主主控制器：

主控制器IP：主控制器IP：

辅助主控制器：辅助主控制器：

Primary VPN Concentrator MAC: Primary VPN Concentrator MAC:

VPN浓缩器IP：VPN浓缩器IP：

次级VPN浓缩器Mac：次级VPN浓缩器Mac：

这Activate provisioning rule does not provide the托管设备with provisioning information.

Health Check Manager

健康检查经理提供了有关上行链路健康的详细信息。健康检查经理会定期pings并报告上行链路另一端的设备是否可以到达。每个托管设备interfaces with the Health Check Manager that provides information on the state of uplinks in both the primary and the secondary移动大师。

这secondary移动大师allows the connection of托管设备sonly if it determines that the primary移动大师is down for 15 minutes.

Load Balancing

负载平衡功能，提供了一种在相同端点之间或跨越多个上行链路上加载平衡的方法移动大师s。

仅针对一个主动管理隧道提供支持。没有支持负载平衡管理流量。