Alcatel-Lucent AOS-W 6.5.3.x - Control Plane Security

Alcatel-Lucent AOS-W 6.5.3.x
1160 pages
AOS-W 6.5.3.x | User Guide Control Plane Security | 56
Chapter 2
Control Plane Security
AOS-W supports secure IPsec communications between a switch and campus or remote APs using public-key
self-signed certificates created by each master switch. The switch certifies its APs by issuing them certificates. If
the master switch has any associated local switches, the master switch sends a certificate to each local switch,
which in turn sends certificates to their own associated APs. If a local switch is unable to contact the master
switch to obtain its own certificate, it is not able to certify its APs, and those APs cannot communicate with
their local switch until master-local communication has been reestablished. You create an initial control plane
security configuration when you first configure the switch using the initial setup wizard. The AOS-W initial setup
wizard enables control plane security by default, so it is very important that the local switch be able to
communicate with its master switch when it is first provisioned.
Some AP model types have factory-installed digital certificates. These AP models use their factory-installed
certificates for IPsec, and do not need a certificate from the switch. Once a campus or remote AP is certified,
either through a factory-installed certificate or a certificate from the switch, the AP can failover between local
switches and still stay connected to the secure network, because each AP has the same master switch as a
common trust anchor.
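To make the chain of trust described above concrete, the following is an added example (not code from this guide or from Alcatel-Lucent) that models the master-to-local-to-AP certificate chain with Python's `cryptography` package. The switch and AP names and all keys are constructed for the example, and the verification is a simplified walk of issuer signatures, not the AOS-W implementation.

```python
# Added example: toy model of the control plane security trust chain
# (master switch root -> local switch -> AP). All names/keys are constructed here.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

def issue(subject, issuer_cert, issuer_key, is_ca):
    """Issue a cert for `subject`; issuer_cert=None means self-signed (the master root)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(name if issuer_cert is None else issuer_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(key if issuer_cert is None else issuer_key, hashes.SHA256()))
    return cert, key

def chain_verifies(leaf, intermediates, trust_anchor):
    """Walk leaf -> intermediates -> anchor, checking names and signatures at each hop."""
    chain = [leaf] + intermediates + [trust_anchor]
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
        try:
            parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except InvalidSignature:
            return False
    # The anchor is the master's self-signed cert, trusted by configuration.
    return trust_anchor.issuer == trust_anchor.subject

def demo():
    master, master_key = issue("master-switch", None, None, True)          # self-signed root
    local1, local1_key = issue("local-switch-1", master, master_key, True)  # certified by master
    ap, _ = issue("campus-ap-1", local1, local1_key, False)                 # certified by local-1
    # Failover: any other local switch accepts the AP because the chain ends at the master.
    failover_ok = chain_verifies(ap, [local1], master)
    # A local switch that never obtained its master-issued certificate can only self-sign,
    # so the APs it certifies do not chain to the master and are rejected.
    isolated, isolated_key = issue("isolated-local", None, None, True)
    ap2, _ = issue("campus-ap-2", isolated, isolated_key, False)
    isolated_ok = chain_verifies(ap2, [isolated], master)
    return failover_ok, isolated_ok
```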
Starting with AOS-W 6.2, the switch maintains two separate AP whitelists: one for campus APs and one for
remote APs. These whitelists contain records of all campus APs or remote APs connected to the network. You
can use the campus AP or remote AP whitelist at any time to add a new valid campus or remote AP to the secure
network, or to revoke network access from any suspected rogue or unauthorized AP.
The control plane security feature supports IPv4 campus and remote APs only. Do not enable control plane security
on a switch that terminates IPv6 APs.
When the switch sends an AP a certificate, that AP must reboot before it can connect to its switch over a secure
channel. If you are enabling control plane security for the first time on a large network, you may experience
several minutes of interrupted connectivity while each AP receives its certificate and establishes its secure
connection.
HPPlatform interoperating with Alcatel-Lucent Switches
Following HP TPM based switches can now inter-operate with the Alcatel-Lucent switches and create the IKE /
IPSec tunnels.
n 2930F
n 5400R/v3 3810
n 5400R/v2 (compat. mode)
n 3800
n 2920
n 2530
n 2620
n 5400/v2
n 5400/v1
n 3500
n 2615