Occasional Contributor II

Distributed Zone Design

Hi Guys,

Just want to have more knowledge about Aruba ClearPass design implementation which is called zoning.

 

What is the difference if we do not zone it and if we zone it? When I zone a group of CPPMs, will the other CPPMs not be able to communicate with that zone?

What is the use of it?

 

Thanks

Guru Elite

Re: Distributed Zone Design

It's generally used in large geographic deployments. It limits the amount of real-time data shared between the other nodes in the zone.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Distributed Zone Design

Hi cappalli,

You mean for example, I have NORTH zone and SOUTH zone. Information from NORTH will not be propagated to SOUTH and vice versa?

 

Actually, my design will have 2 publishers in my DC and subscribers scattered across different geographical areas. How will this be a cluster if they don't share data with each other because they are in different zones?

 

Thanks

Guru Elite

Re: Distributed Zone Design

Please work with your ClearPass partner. It's difficult to answer in this setting without background about your network/deployment.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Moderator

Re: Distributed Zone Design

Read my Cluster TechNote and search on 'zone'; it should help you.

 

CPPM TechNote - Clustering Design Guidelines v1.2


Best Regards
-d

ClearPass Product Manager

Occasional Contributor II

Re: Distributed Zone Design

Hi dannyjump,

Thanks for your reply. I read the tech note, but I still have questions about the zoning and configuration for cluster design.

For example, I have 5 CPPMs: 2 of them will be zoned in the DC as publishers and 3 will be placed in different geographical places as subscribers and have different configurations (1 will be zoned to south and 2 will be zoned to north).

The question is:

1. Since configuration will be done on the publisher and then replicated to the subscribers, does this mean that all 3 subscribers will have a copy of their own configuration plus the configuration of the other subscribers?

2. Since the subscribers are zoned, what will happen if my user truly resides in site south and eventually goes to site north? Can the user still authenticate and do posture successfully?

 

Thank you.

Guru Elite

Re: Distributed Zone Design

1) all subscribers have the same config
2) yes

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Distributed Zone Design

Hi cappalli,

Thanks for the fast reply.

Regarding number 2, if that is the case, what would be the sole purpose of the zoning?

Thanks

Guru Elite

Re: Distributed Zone Design

It's used for larger scale, globally disparate deployments. In most scenarios, it is not used.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Moderator

Re: Distributed Zone Design

Without getting into the weeds, the main and really only important item is that the zoning effectively reduces the amount of data that has to be replicated over the WAN between nodes.


Best Regards
-d

ClearPass Product Manager
