Dell 6.2 Server User Manual


 
94 | Control Plane Security | Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
window, select the entry for the local controller you want to delete from the local switch whitelist, and click
Delete.
4. Install the new local controller, but do not connect it to the network yet. If the controller has been previously
installed on the network, you must ensure that the new local controller has a clean whitelist.
5. Access the command-line interface on the new local controller and issue the command
whitelist-db cpsec purge
Or,
Access the local controller WebUI, navigate to Configuration > AP Installation > Campus AP Whitelist and click
Purge.
6. Now, connect the new local controller to the network. It is very important that the local controller is able to
contact the master controller the first time it is connected to the network, because the local controller tries to get
its control plane security certificate certified by the master controller the first time the local controller contacts
its master.
7. Once the local controller has a valid control plane security certificate and configuration, the local controller
receives the campus AP whitelist from the master controller and starts certifying approved APs.
8. APs associated with the new local controller reboot and create new IPsec tunnels to their controller using the
new certificate keys.
Replacing a Master Controller with No Backup
Use the following procedure to replace a master controller that does not have a backup controller.
1. Remove the old master controller from the network.
2. Install and configure the new master controller, then connect the new master to the network. The new master
controller generates a new certificate when it first becomes active.
3. If the new master controller has a different IP address than the old master controller, change the master IP
address on the local Dell controllers to reflect the address of the new master.
4. Reboot each local controller to ensure that the local Dell controllers get their certificate from the new master.
Each local controller begins using a new certificate signed by the master controller.
5. APs are now no longer able to securely communicate with the controller using their current key, and must
receive a new certificate. Access the campus AP whitelist on any local controller and change all APs in a
“certified” state to an “approved” state. The new master controller sends the approved APs new certificates. The
APs reboot and create new IPsec tunnels to their controller using the new certificate key.
If the master controller does not have any local Dell controllers, you must recreate the campus AP whitelist by
turning on automatic certificate provisioning or manually reentering the campus AP whitelist entries.
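The following added example (not from the Dell guide) shows one way to track step 5 of this procedure: it lists the APs that were certified under the old master and compares that list with a whitelist snapshot taken after those APs were moved to "approved" and rebooted. The CSV layout, function names and sample MAC addresses are assumptions constructed for illustration.

```python
import csv
import io

# Constructed whitelist snapshots. The CSV layout (mac,ap_name,state) is an
# assumption of this example, not a controller export format; the state names
# are the two the procedure uses.
BEFORE = """mac,ap_name,state
00:1A:1E:00:00:01,lobby-ap,certified
00:1a:1e:00:00:02,lab-ap,certified
00:1a:1e:00:00:03,dock-ap,certified
00:1a:1e:00:00:04,spare-ap,approved
"""
AFTER = """mac,ap_name,state
00:1a:1e:00:00:01,lobby-ap,certified
00:1a:1e:00:00:02,lab-ap,approved
00:1a:1e:00:00:04,spare-ap,approved
00:1a:1e:00:00:99,unknown-ap,certified
"""

def load(text):
    """Index whitelist states by lower-cased MAC address."""
    return {r["mac"].strip().lower(): r["state"].strip().lower()
            for r in csv.DictReader(io.StringIO(text))}

def reapproval_worklist(before):
    """APs certified under the old master; step 5 moves these to 'approved'."""
    return sorted(mac for mac, state in before.items() if state == "certified")

def audit(before, after):
    """Compare the pre-replacement whitelist with one taken after step 5."""
    report = {"recertified": [], "pending": [], "missing": [], "unexpected": []}
    for mac in reapproval_worklist(before):
        state = after.get(mac)
        if state is None:
            report["missing"].append(mac)       # dropped from the whitelist
        elif state == "certified":
            report["recertified"].append(mac)   # holds a certificate again
        else:
            report["pending"].append(mac)       # still waiting for a certificate
    # Entries that were not on the old whitelist at all deserve a manual look,
    # especially if automatic certificate provisioning was switched on.
    report["unexpected"] = sorted(set(after) - set(before))
    return report

if __name__ == "__main__":
    for bucket, macs in audit(load(BEFORE), load(AFTER)).items():
        print(f"{bucket:12} {', '.join(macs) or '-'}")
```

The comparison only means something if the second snapshot is taken after step 5 has been applied; an AP that was never moved to "approved" would still show "certified" with its old certificate.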
Replacing a Redundant Master Controller
The control plane security feature requires you to synchronize databases from the primary master controller to the
backup master controller at least once after the network is up and running. This ensures that all certificates, keys and
whitelist entries are synchronized to the backup controller. Since the AP whitelist may change periodically, the
network administrator should regularly synchronize these settings to the backup controller. For details, see
"Configuring Networks with a Backup Master Controller" on page 90.
When you install a new backup master controller, you must add it as a lower priority controller than the existing
primary controller. After you install the backup controller on the network, synchronize the database from the existing
primary controller to the new backup controller to ensure that all certificates, keys and whitelist entries required for
control plane security are added to the new backup controller configuration. If you want the new controller to act as
the primary controller, you can increase that controller’s priority after the settings have been synchronized.