Alcatel-Lucent AOS-W 6.5.3.x - Scalable Site-To-Site VPN Tunnels; Layer-3 Redundancy for Branch Switch Masters
Cloud Management on page 230
Scalable Site-to-Site VPN Tunnels
AOS-W 6.4.4.0 and later supports site-to-site IPSEC tunnels based on a Fully Qualified Domain Name (FQDN).
When you identify the remote peer for a branch config group using an FQDN, that config group can be applied
across multiple branch switches, as the configured FQDN can resolve to different IP addresses for each local
branch, based on local DNS settings.
In AOS-W 6.4.4.0 and later releases, crypto maps for site-to-site VPNs support a VLAN ID as the identifier for
the source network. When the VPN settings are pushed to a branch switch, the IKE negotiation process uses the
IP address range of that VLAN. This feature allows you to push the same source network configuration to
multiple branch switches, as each branch switch negotiates a different source network IP range for its VLAN,
based on the IP pool of that local branch.
Layer-3 Redundancy for Branch Switch Masters
AOS-W 6.4.4.0 introduces support for a redundant secondary master switch in branch switch deployments.
This prevents a scenario where a master switch acts as a single point of failure if the link to the master goes
down, or where a co-located Master-Standby VRRP switch pair fails due to a network failure or a local natural disaster.
Configuring Layer-3 Redundancy
The IPaddress of a primary master and a secondary, backup master switch can be defined for a branch during
the Zero-touch provisioning process, and is either defined in a DHCP server, or is manually entered into the
branch switch during the initial startup dialog. The primary and secondary master switches must be manually
kept in synchronization by ensuring all the configuration, certificates, and branch switch whitelist, AP whitelist
and local user database are the same in both of them.
Database settings are not automatically synchronized from a primary master to a secondary master with Layer-3
redundancy. All database settings, certificates, whitelist settings and profile configurations must be kept in sync
manually.
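Because nothing synchronizes the two masters for you, the practical check is a drift comparison before a switchover could ever be needed. The following Python script is an added example (not Alcatel-Lucent code; the "section: value" export format and the section names are hypothetical, and the two dumps are constructed samples) that compares the items the guide lists and reports drift in each direction, treating entries that exist only on the secondary as the more serious finding:

```python
import hashlib

# Sections the guide says must be kept in sync by hand (hypothetical names).
SECTIONS = ("branch-whitelist", "ap-whitelist", "local-user", "cert")

def parse_export(text):
    """Parse 'section: value' lines into {section: set(values)}. A 'cert' value is
    'name=<body>'; the body becomes a SHA-256 fingerprint so a swapped certificate
    with the same name still shows up as drift."""
    items = {s: set() for s in SECTIONS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section, _, value = line.partition(":")   # first ':' only; MACs keep theirs
        section, value = section.strip(), value.strip()
        if section not in items:
            raise ValueError(f"unknown section {section!r}")
        if section == "cert":
            name, _, body = value.partition("=")
            value = f"{name.strip()}={hashlib.sha256(body.strip().encode()).hexdigest()[:16]}"
        items[section].add(value)
    return items

def find_drift(primary_text, secondary_text):
    """Return {section: (only_on_primary, only_on_secondary)} for differing sections.
    Entries only on the secondary are the riskier direction: after a switchover they
    are trusted by the master the branches now talk to, although the primary never had them."""
    p, s = parse_export(primary_text), parse_export(secondary_text)
    drift = {}
    for section in SECTIONS:
        only_p, only_s = p[section] - s[section], s[section] - p[section]
        if only_p or only_s:
            drift[section] = (sorted(only_p), sorted(only_s))
    return drift

# Constructed sample exports, not real switch output.
PRIMARY_EXPORT = """\
branch-whitelist: 00:0b:86:aa:bb:01
branch-whitelist: 00:0b:86:aa:bb:02
ap-whitelist: 00:24:6c:cc:dd:01
local-user: branch-admin
cert: server-cert=MIIBconstructedPrimary
"""
SECONDARY_EXPORT = """\
branch-whitelist: 00:0b:86:aa:bb:01
branch-whitelist: 00:0b:86:aa:bb:03
ap-whitelist: 00:24:6c:cc:dd:01
local-user: branch-admin
cert: server-cert=MIIBconstructedSecondary
"""
```

Calling find_drift(PRIMARY_EXPORT, SECONDARY_EXPORT) on the samples reports one branch whitelist entry missing on the secondary, one extra entry present only there, and a server certificate whose fingerprint differs; the AP whitelist and local user sections match and are not listed.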
Viewing Switch Connectivity Status
The status of the branch's connection to a primary and secondary master switch appears in the WAN
dashboard page of the branch switch WebUI. To display the current status of the branch switch's connectivity
to the master and secondary master IP addresses, click the Layer3 Redundancy tab on the Status section of
the dashboard.
Figure 39 Branch Switch Redundancy Status
Failover Behaviors
When a provisioned branch switch detects that its primary master is unreachable, it attempts to reconnect to
the primary master for the time period defined by the Master L3 Redundancy Switchover Timeout in its branch
AOS-W 6.5.3.x | User Guide BranchSwitch Config for Cloud Services Switches | 217