Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Insight and Publisher/Subscriber

  • 1.  Insight and Publisher/Subscriber

    Posted Nov 30, 2020 03:48 PM
    Hello,

    We have a CPPM cluster of 9 appliances (one 5k, eight 25k) in a fairly busy environment. Currently, the Publisher is enabled as Insight Master and one Subscriber is enabled for Insight. The Insight DB file is about 10G. Is it best practice to enable Insight Master on the Publisher or is there a more optimal way to configure Insight?

    Thanks,
    Mike

    ------------------------------
    Michael Dickson
    Network Engineer
    University of Massachusetts Amherst
    ------------------------------


  • 2.  RE: Insight and Publisher/Subscriber

    MVP EXPERT
    Posted Nov 30, 2020 04:05 PM
    AFAIK best practice is to run the Insight Master on one of the Subscriber nodes. This is recommended to keep resources available on the publisher node background processes.

    Because you have a really large database, please work with Aruba TAC support.

    ------------------------------
    Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE
    ------------------------------



  • 3.  RE: Insight and Publisher/Subscriber

    Posted Nov 30, 2020 05:27 PM
    Yes, the DB has evolved over the years. I agree it makes sense to move Insight off the Publisher. I'll plan for doing that.

    Thanks,
    Mike

    ------------------------------
    Michael Dickson
    Network Engineer
    University of Massachusetts Amherst
    ------------------------------



  • 4.  RE: Insight and Publisher/Subscriber

    Posted Nov 30, 2020 10:16 PM
    Let's start by reviewing what Insight Master means, this ONLY means which node with INSIGHT DB is responsible for producing any automated reports..... SO.... if you have no reporting automated then there is little to zero overhead of this setting, even if you have a few reports the overhead should be small unless the reports are churning through millions of records to produce the reports. 10G is large but not crazy and not a size I'd worry about.

    The real question to ask is: what is the PUB actually doing in the nine-node cluster? Is it processing authN, performing lots of integrations to ingest data and update the EndpointDb, processing lots of Guest account creation, or is it just sat there, running the cluster and receiving netevents because INSIGHT is enabled and processing these... I could ask more about the other SUB with INSIGHT enabled, how busy is that node...... as a rule of thumb in a network this large {Saying that based upon the fact you have nine nodes} I wouldn't mix authN and Insight....

    HTH

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 5.  RE: Insight and Publisher/Subscriber

    Posted Dec 01, 2020 11:33 AM
    Hi Danny, thanks for responding. The PUB (25k) does not handle endpoint auths. It hosts the CP page and does Guest account creation and MAC Auth registrations. None of which is particularly high volume. I seem to recall years ago hearing that making the Publisher an Insight Master was ok in our environment because of the relatively low resources it uses. There are only a couple of automated reports that get run. While reviewing the Release Notes for our upcoming 6.7 - 6.8 upgrade I thought it was a good time to check back in about this.

    Our biggest traffic generator is 802.1x authN. Unfortunately, the other enabled Insight DB is on a SUB (25k) that is doing its share of .1x AuthN. All of the 25k SUBs share that burden fairly equally.

    Mike

    ------------------------------
    Michael Dickson
    Network Engineer
    University of Massachusetts Amherst
    ------------------------------



  • 6.  RE: Insight and Publisher/Subscriber

    Posted Dec 01, 2020 12:34 PM
    Mike,

    Then IMO, you're in a pretty good place with the PUB, my only guidance/advice then is to ensure the SUB with the other INSIGHT Db running is 'closely' monitored. The primary goal of that node is authN, you don't want netevents {Insight records} that are being consumed from ALL other nodes in the cluster to become a drain on resource. Depending on how you are loading the dot1X from the NADs to the SUBs, if you're using a real ADC/SLB and the other nodes can take the load from this node, consider that, if you're using the AOS load-balancing, consider moving this SUB off the group..... but this decision to remove this node from authN processing is really driven by how busy it is, or not.

    HTH

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 7.  RE: Insight and Publisher/Subscriber

    MVP EXPERT
    Posted Dec 01, 2020 02:05 PM
    Thanks for the explanation Danny, well done.

    ------------------------------
    Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE
    ------------------------------