Alcatel-Lucent AOS-W 6.5.3.x - Page 75

75 | Control Plane Security | AOS-W 6.5.3.x | User Guide

Replacing a Cluster Member Switch with no Backup
The control plane security feature allows APs to fail over from one switch to another within a cluster. Therefore,
cluster members or their local switches may have associated APs that were first certified under some other
cluster member (or the cluster root). If you permanently remove a cluster member whose APs were all
originally certified under the cluster member being removed, its associated APs do not need to reboot in order
to connect to a different switch. If, however, you remove a cluster member whose associated APs were
originally certified under a different cluster member, those APs need to reboot and be re-certified before they
can connect to a different switch. If the cluster member you are removing has local switches, the local switches
also reboot so they can be updated with new certificates, then pass the trust update to their terminating APs.
To replace a cluster member that does not have a backup switch:
1. On the cluster master to be removed, clear the cluster root IP address by accessing the command-line
interface and issuing the following command:
    no cluster-root-ip <cluster-root-ip> ipsec <clusterkey>
2. Remove the cluster member from the network.
3. If the cluster master you removed has any associated APs, you must reboot those APs so they receive an
updated certificate.
4. If the cluster member you removed has any associated local switches, reboot those local switches so they
receive a new certificate and then pass that trust update to their APs.
5. Remove the cluster master from the cluster root’s master switch list by accessing the command-line
interface on the cluster root and issuing the following command:
    whitelist-db cpsec-master-switch-list del mac-address <cluster-master-mac>
This step is very important. Unused local switch entries in the local switch whitelist can significantly increase
network traffic and reduce switch memory resources.
6. Remove the old cluster member from the network. Remember, that switch still has campus AP whitelist
entries from the entire cluster. You may want to delete or revoke unwanted entries from the campus AP
whitelist.
Now, you must install the new cluster member switch according to the procedure described in Creating a
Cluster Member on page 71. The new cluster member obtains a certificate from the cluster root when it first
becomes active.
7. If the new cluster member has any associated APs, reboot those APs so they obtain a trust update.
8. If the new cluster member has any local switches, reboot the local switches associated with the new cluster
member. The local switches obtain a new certificate signed by the cluster member, and then pass that trust
update to their associated APs.

Replacing a Redundant Cluster Member Switch
The control plane security feature requires you to synchronize databases from the primary switch to the
backup switch at least once after the network is up and running. This ensures that all certificates, keys, and
whitelist entries are synchronized to the backup switch. Because the AP whitelist may change periodically, you
should regularly synchronize these settings to the backup switch. For details, see Configuring Networks with a
Backup Master Switch on page 72.
When you install a new backup cluster member, you must add it as a lower priority switch than the existing
primary switch. After you install the backup cluster member on the network, resynchronize the database from
the existing primary switch to the new backup switch to ensure that all certificates, keys, and whitelist entries
required for control plane security are added to the new backup switch configuration. If you want the new
switch to act as the primary switch, you can increase that switch’s priority after the settings have been
resynchronized.
