In the CLI
To create a cluster root via the CLI, access each of the member master switches and define the IPsec key or
certificate for communication between that switch and the cluster root.
(host)(config) #cluster-root-ip <ip-address>
   ipsec <key>
   ipsec-custom-cert root-mac-1 <root-mac-address-1> [master-mac2 <mac2>] ca-cert <ca> server-cert <cert> [suite-b <gcm-128 | gcm-256>]
   ipsec-factory-cert root-mac-1 <root-mac-address-1> root-mac-2 <root-mac-address-2>
In this command, the <ip-address> parameter is the IP address of the root master switch in the cluster. If you
are using an IPsec key, the <key> parameter in this command must have the same value as the key defined
for the cluster member via the cluster-member-ip command.
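The matching requirement above can be checked before a change is pushed. The following is an added example, not part of the original guide or the product: a Python check that compares the planned cluster-member-ip lines for the root against the planned cluster-root-ip line for each member. It assumes cluster-member-ip takes its arguments in the same order as cluster-root-ip and that the planned configuration text still holds the keys in readable form; the addresses and keys are constructed.

```python
import hmac
import re

# cluster-root-ip <ip> <method> <args>; cluster-member-ip is ASSUMED to mirror it.
LINE = re.compile(r"^cluster-(root|member)-ip\s+(\S+)\s+(\S+)\s*(.*)$")

def parse(config_text):
    """Return (kind, ip, method, args) tuples for every cluster-*-ip line."""
    return [m.groups() for m in
            (LINE.match(l.strip()) for l in config_text.splitlines()) if m]

def check_pair(root_ip, member_ip, root_cfg, member_cfg):
    """List the inconsistencies between the root and one member (empty = OK)."""
    root_side = [e for e in parse(root_cfg) if e[0] == "member" and e[1] == member_ip]
    member_side = [e for e in parse(member_cfg) if e[0] == "root"]
    if not root_side:
        return [f"root has no cluster-member-ip entry for {member_ip}"]
    if not member_side:
        return ["member has no cluster-root-ip entry"]
    problems = []
    _, _, r_method, r_args = root_side[0]
    _, m_root_ip, m_method, m_args = member_side[0]
    if m_root_ip != root_ip:
        problems.append(f"member points at {m_root_ip}, expected root {root_ip}")
    if r_method != m_method:
        problems.append(f"method mismatch: root uses {r_method}, member uses {m_method}")
    elif r_method == "ipsec" and not hmac.compare_digest(r_args.encode(), m_args.encode()):
        # Report the mismatch without echoing either key.
        problems.append("IPsec key differs between root and member")
    return problems

# Constructed sample configurations (documentation addresses, made-up keys).
ROOT_CFG = """
cluster-member-ip 192.0.2.21 ipsec Example-Key-A
cluster-member-ip 192.0.2.22 ipsec Example-Key-B
"""
MEMBER1_CFG = "cluster-root-ip 192.0.2.10 ipsec Example-Key-A"
MEMBER2_CFG = "cluster-root-ip 192.0.2.10 ipsec Example-Key-b"  # typo in key

if __name__ == "__main__":
    for ip, cfg in (("192.0.2.21", MEMBER1_CFG), ("192.0.2.22", MEMBER2_CFG)):
        print(ip, check_pair("192.0.2.10", ip, ROOT_CFG, cfg) or "consistent")
```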
Viewing Switch Cluster Setting
You can view the switch cluster configuration using the WebUI or CLI.
In the WebUI
To view the current cluster configuration:
1. Navigate to Configuration > Switch.
2. Click the Cluster Setting tab.
   - If you are viewing the WebUI of a cluster root, the output of this command displays the IP address of the
     VLAN on the cluster member used to connect to the cluster root.
   - If you are viewing the WebUI of a cluster member, the output of this command displays the IP address
     of the VLAN on the cluster root used to connect to the cluster member.
In the CLI
To view your current cluster configuration, issue the CLI commands described in Table 23.
Table 23: CLI Commands to Display Cluster Settings

Command                  Description
show cluster-switches    When you issue this command from the cluster root, the output of this
                         command displays the IP address of the VLAN the cluster member uses to
                         connect to the cluster root.
                         If you issue this command from a cluster member, the output of this
                         command displays the IP address of the VLAN the cluster root uses to
                         connect to the cluster member.
show cluster-config      When you issue this command from the cluster root, the output of this
                         command shows the cluster role of the switch, and the IP address of each
                         active member switch in the cluster.
                         When you issue this command from a cluster member, the output of this
                         command shows the cluster role of the switch, and the IP address of the
                         cluster root.
Configuring Networks with a Backup Master Switch
If your network includes a redundant backup master switch, you must synchronize the database from the
primary master to the backup master at least once after all APs are communicating with their switches over a
secure channel. This ensures that all certificates, IPsec keys, and campus AP whitelist entries are synchronized
to the backup switch. You should also synchronize the database any time the campus AP whitelist changes (APs
are added or removed) to ensure that the backup switch has the latest settings.
Master and backup switches can be synchronized using either of the following methods:
AOS-W 6.5.3.x | User Guide Control Plane Security | 72