Most of the deployments I will be involved with will require 2 controllers doing load balancing. As the centralized licensing brings a nice cost reduction in licensing, most of the time I will also use it. Now, I would like to challenge the community to create a “cook book”, including the minimum steps to achieve a “well-known good” configuration of an All Masters model for this specific scenario. This said, my steps for the first (and only one) deployment I did were:
1 – Set controller A’s and controller B’s basic L2 and L3 services (IP addresses, STP, NTP, DNS, etc.);
2 – As the default is to have Control Plane activated, create a cluster where controller A is the “Cluster Root” and controller B is a “Cluster Member”. This will make controller A create a self-signed certificate and publish it to the members, allowing the APs to fail-back and create an IPSec session with controller B, and vice versa, in case one of the controllers fails.
3 – Create 2 VLANs, one for “AP domain A” and another for “AP domain B”. On each VLAN create an instance of VRRP where controller A is the master of VLAN A virtual IP and controller B is the master of VLAN B virtual IP.
4 – Create an HA (High Availability) cluster and define both controllers in this group using the “dual” mode definition. On the same screen, configure the database replication to 20 minutes.
5 – As the configurations must be equal on both controllers, use AirView where controller A is in “monitoring mode” and controller B is in “managed mode”. In this way, all changes made on controller A can be imported into AirView and then automatically published to controller B, so the configuration between them will always be synchronized.
6 – Provision domain A APs pointing to the VRRP IP of controller A and domain B APs pointing to the VRRP IP of controller B.
The above configuration is in place and working properly. Should you have any comment about it, just share with the community.
Now, I want to disable the Control Plane to avoid unnecessary IPSec burden on the APs. When I did it, the controllers got unstable. Controller A would not see the PEFN licenses and not enable these services. So I just flipped back until I understand where I am doing something wrong. And yes, I am using 6.3.1.3.
So, I ask the community two questions/feedback:
1 – Although it produces a “working configuration”, are my steps above correct or am I missing something?
2 – What would be the steps to disable Control Plane and still have the system working?
Cheers!
Mo