57| Control Plane Security AOS-W 6.5.3.x| User Guide
• 2915
• 8200
These HP platforms are running version k.16.02.
Topics in this chapter include:
• Control Plane Security Overview
• Configuring Control Plane Security
• Managing AP Whitelists
• Managing Whitelists on Master and Local Switches
• Working in Environments with Multiple Master Switches
• Replacing a Switch on a Multi-Switch Network
• Configuring Control Plane Security after Upgrading
• Troubleshooting Control Plane Security
Control Plane Security Overview
Switches using control plane security only send certificates to APs that you have identified as valid APs on the
network. If you want closer control over each AP that is certified, you can manually add individual campus and
remote APs to the secure network by adding each AP's information to the whitelists when you first run the
initial setup wizard. If you are confident that all APs currently on your network are valid APs, then you can use
the initial setup wizard to configure automatic certificate provisioning to send certificates from the switch to
each campus or remote AP, or to all campus and remote APs within specific ranges of IP addresses.
The default automatic certificate provisioning setting requires that you manually enter each campus AP’s
information into the campus AP whitelist, and each remote AP's information into the remote AP whitelist. If
you change the default automatic certificate provisioning values to let the switch send certificates to all APs on
the network, that new setting ensures that all valid APs receive a certificate, but also increases the chance that
you will certify a rogue or unwanted AP. If you configure the switch to send certificates to only those APs within
a range of IP addresses, there is a smaller chance that a rogue AP receives a certificate, but any valid AP with an
IP address outside the specified address ranges will not receive a certificate, and cannot communicate with the
switch (except to obtain a certificate). Consider both options carefully before you complete the control plane
security portion of the initial setup wizard. If your switch has a publicly accessible interface, you should identify
the APs on the network by IP address range. This prevents the switch from sending certificates to external or
rogue campus APs that may attempt to access your switch through that publicly accessible interface.
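The trade-off between the three provisioning options described above can be checked against your own AP inventory before you run the wizard. The following Python sketch is an added example, not part of the AOS-W guide or software; the mode labels, function names, and all MAC and IP values are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation MAC and IP values, not from the guide).
INVENTORY = {  # APs you have verified as valid: MAC -> IP
    "00:00:5e:00:53:01": "10.1.10.21",
    "00:00:5e:00:53:02": "10.1.10.22",
    "00:00:5e:00:53:03": "10.1.40.7",    # valid AP outside the planned range
}
OBSERVED = dict(INVENTORY, **{           # every AP currently reaching the switch
    "00:00:5e:00:53:aa": "10.1.10.200",  # unverified device inside the range
    "00:00:5e:00:53:bb": "203.0.113.50", # external device on the public interface
})
RANGES = [("10.1.10.1", "10.1.10.254")]  # planned provisioning range

def in_ranges(ip, ranges):
    """True if ip lies inside any inclusive (start, end) range."""
    addr = ipaddress.ip_address(ip)
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi:
            raise ValueError(f"range start {lo} is above range end {hi}")
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False

def audit(mode, inventory, observed, ranges=()):
    """Model which observed APs would be sent a certificate under one option.

    mode is a label used only in this sketch, not an AOS-W setting name:
    "whitelist" (manual entry, the default), "all", or "ranges".
    """
    if mode == "whitelist":
        certified = {mac for mac in observed if mac in inventory}
    elif mode == "all":
        certified = set(observed)
    elif mode == "ranges":
        certified = {mac for mac, ip in observed.items() if in_ranges(ip, ranges)}
    else:
        raise ValueError(f"unknown mode: {mode}")
    return {
        "unverified_certified": sorted(certified - set(inventory)),
        "valid_left_out": sorted((set(inventory) & set(observed)) - certified),
    }

if __name__ == "__main__":
    for mode in ("whitelist", "all", "ranges"):
        print(mode, audit(mode, INVENTORY, OBSERVED, RANGES))
```

An entry under unverified_certified is a device that would receive a certificate without having been verified; an entry under valid_left_out is a valid AP that could not communicate with the switch until the range is widened or the AP is whitelisted manually.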
Configuring Control Plane Security
When you initially deploy the switch, you create your initial control plane security configuration using the initial
setup wizard. These settings can be changed at any time using the WebUI or the command-line interfaces.
If you are configuring control plane security for the first time after upgrading from AOS-W 5.0 or earlier, see
Configuring Control Plane Security after Upgrading on page 76 for details on enabling this feature using the WebUI
or CLI.
In the WebUI
1. Navigate to Configuration > Network > Switch.
2. Select the Control Plane Security tab.