10-27-2016 07:26 PM
We're running a deployment with 2 x Masters with VRRP redundancy and 2 Local controllers.
We need to move the Master controllers to a different subnet, so we're wondering what the implications of doing this are. In addition, we were planning to use the factory cert for IPSec rather than a pre-shared key.
Is it as simple as the following?
- Create new VLAN interface on Master controllers
- Re-configure VRRP / Master redundancy using new interfaces / addressing
- Change Master IP address / authentication method on each Local controller
Are any reboots required on either Masters or Locals?
It also happens that the Masters will live behind a firewall going forward. Is it sufficient to add the appropriate IKE, UDP-4500 and ESP services from Locals to Masters only, or are bi-directional rules required?
10-28-2016 08:57 AM
Changing the controller-ip on the masters and the masterip on the locals will require a reboot.
The ports required to be opened are listed below; I believe these should be incoming from the Locals to the Masters. The easiest way to figure this out would be to log blocked packets on the firewall and filter on the controller IPs (Local and Master).
- IPSec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local controller is encapsulated in IPSec.
- IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled.
- GRE (protocol 47) if tunneling guest traffic over GRE to DMZ controller.
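The answer above suggests logging blocked packets on the firewall and filtering on the controller IPs. As an added example (not from this thread and not Aruba's own tooling), the Python below does that filtering over a constructed key=value deny-log format, reporting only the denied Local-to-Master flows that match the services listed; the controller addresses, the log format and the sample lines are all assumptions.

```python
import re
from collections import Counter

# Assumed/constructed: hypothetical controller addresses.
MASTERS = {"10.1.1.10", "10.1.1.11"}   # master controllers (hypothetical)
LOCALS = {"10.2.2.10", "10.2.2.11"}    # local controllers (hypothetical)

# Flows the answer says must pass from Locals to Masters: (proto, dport) -> label.
# Port-less protocols (ESP, IP-IP, GRE) use dport None.
REQUIRED = {
    ("udp", 500): "IKE (UDP/500)",
    ("udp", 4500): "IPSec NAT-T (UDP/4500)",
    ("esp", None): "ESP (protocol 50)",
    ("ipip", None): "IP-IP (protocol 94, L3 mobility)",
    ("udp", 443): "UDP/443 (L3 mobility)",
    ("gre", None): "GRE (protocol 47, guest tunnel)",
}
# Accept both numeric and named protocols in the PROTO= field.
PROTO_NAMES = {"17": "udp", "udp": "udp", "6": "tcp", "tcp": "tcp",
               "50": "esp", "esp": "esp", "94": "ipip", "ipip": "ipip",
               "47": "gre", "gre": "gre"}

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one deny-log line (constructed KEY=value format) into a dict."""
    return {k.lower(): v for k, v in FIELD.findall(line)}

def classify(fields):
    """Return the required service a denied Local->Master flow matches, else None."""
    if fields.get("src") not in LOCALS or fields.get("dst") not in MASTERS:
        return None                       # not controller-to-controller traffic
    proto = PROTO_NAMES.get(fields.get("proto", "").lower())
    if proto is None:
        return None
    dport = int(fields["dpt"]) if "dpt" in fields else None
    key = (proto, dport if proto in ("udp", "tcp") else None)
    return REQUIRED.get(key)

def blocked_required(log_lines):
    """Count denied flows, per service, that the Local->Master rule set must allow."""
    counts = Counter()
    for line in log_lines:
        label = classify(parse_line(line))
        if label:
            counts[label] += 1
    return counts

# Constructed sample deny log: four required flows, one unrelated SSH attempt,
# and one IKE packet from a non-controller source that should be ignored.
SAMPLE = """\
DENY SRC=10.2.2.10 DST=10.1.1.10 PROTO=UDP SPT=500 DPT=500
DENY SRC=10.2.2.10 DST=10.1.1.10 PROTO=UDP SPT=4500 DPT=4500
DENY SRC=10.2.2.11 DST=10.1.1.10 PROTO=50
DENY SRC=10.2.2.10 DST=10.1.1.11 PROTO=47
DENY SRC=10.2.2.10 DST=10.1.1.10 PROTO=TCP SPT=51000 DPT=22
DENY SRC=192.0.2.5 DST=10.1.1.10 PROTO=UDP SPT=500 DPT=500
""".splitlines()

if __name__ == "__main__":
    for label, n in blocked_required(SAMPLE).items():
        print(f"{n} blocked: {label}")
```

Anything the script reports is a Local-to-Master flow the firewall must permit; a run that reports nothing after the rules are added is the check that the port list is complete.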