Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Distributed Zone Design

  • 1.  Distributed Zone Design

    Posted Oct 20, 2017 05:06 AM

    Hi Guys,

    I just want to have more knowledge about the Aruba ClearPass design implementation which is called zoning.

    What is the difference between zoning and not zoning? When I zone a group of CPPMs, will the other CPPMs not be able to communicate with that zone?

    What is the use of it?

    Thanks



  • 2.  RE: Distributed Zone Design

    EMPLOYEE
    Posted Oct 20, 2017 08:13 AM
    It's generally used in large geographic deployments. It limits the amount of real-time data shared between the other nodes in the zone.


  • 3.  RE: Distributed Zone Design

    Posted Oct 20, 2017 11:29 AM

    Hi cappalli,

    You mean, for example, I have a NORTH zone and a SOUTH zone. Information from NORTH will not be propagated to SOUTH and vice versa?

    Actually my design will have 2 publishers in my DC and subscribers scattered across different geographical areas. How will this form a cluster if they don't share data with each other because they are in different zones?

    Thanks



  • 4.  RE: Distributed Zone Design

    EMPLOYEE
    Posted Oct 20, 2017 11:33 AM

    Please work with your ClearPass partner. It's difficult to answer in this setting without background about your network/deployment.



  • 5.  RE: Distributed Zone Design

    Posted Oct 21, 2017 02:51 AM

    Read my Cluster TechNote, search on 'zone'; it should help you.

    CPPM TechNote - Clustering Design Guidelines v1.2



  • 6.  RE: Distributed Zone Design

    Posted Oct 22, 2017 08:39 AM

    Hi dannyjump,

    Thanks for your reply. I read the tech note, but I still have questions about the zoning and configuration for cluster design.

    For example, I have 5 CPPMs: 2 of them will be zoned in the DC as publishers and 3 will be placed in different geographical locations as subscribers with a different configuration (1 will be zoned to south and 2 will be zoned to north).

    The questions are:

    1. Since configuration will be done on the publisher and then replicated to the subscribers, does this mean that all 3 subscribers will have a copy of their own configuration plus the configuration of the other subscribers?

    2. Since the subscribers are in zones, what will happen if my user truly resides in the south site and then eventually goes to the north site? Can the user still authenticate and complete posture successfully?

    Thank you.



  • 7.  RE: Distributed Zone Design

    EMPLOYEE
    Posted Oct 22, 2017 08:52 AM
    1) All subscribers have the same config.
    2) Yes.


  • 8.  RE: Distributed Zone Design

    Posted Oct 22, 2017 08:56 AM

    Hi cappalli,

    Thanks for the fast reply.

    Regarding number 2, if that is the case, what would be the sole purpose of the zoning?

    Thanks



  • 9.  RE: Distributed Zone Design

    EMPLOYEE
    Posted Oct 22, 2017 09:09 AM
    It's used for larger scale, globally disparate deployments. In most scenarios, it is not used.


  • 10.  RE: Distributed Zone Design

    Posted Oct 22, 2017 08:13 PM

    Without getting into the weeds, the main and really only important item is that the zoning effectively reduces the amount of data that has to be replicated over the WAN between nodes.