Security

Hi,

cppm 6.11.5

2930 switches WC.16.11.13

Have about  1500 switches all configured to support device fingerprinting  using http,dhcp,lldp collectors.  Client DHCP lease time  is 2 days.

Each switch has 2 cppm vips defined as radius servers.  fingerprint update times range from 60 secs to  default of 120 secs

Given that  the switches are using  http(s) to upload data to the cppm VIPs, and. fact that  default max concurrent  http sessions per cppm server  is 1500 ......

1). What , on the cppm server do you enable to debug fingberprint uplod using this method ( NOT packet capture on network interface when you have a UDP forwarder)

2). Is there any performance tuning I should be doing on the cppm servers  to cope with the  collector info from the estate ? ( increase max concurrent  https sessions ?)

A

I'm not aware of required tuning. I'd expect the HTTPS connection to send an update (every 60-120s) then disconnect again, so number of concurrent connections should not be that high.

Did you experience issues?? Or is it just before you experience issues? If you need a better answer, it may be good to verify with TAC.

Hi,

cppm 6.11.5

2930 switches WC.16.11.13

Have about  1500 switches all configured to support device fingerprinting  using http,dhcp,lldp collectors.  Client DHCP lease time  is 2 days.

Each switch has 2 cppm vips defined as radius servers.  fingerprint update times range from 60 secs to  default of 120 secs

Given that  the switches are using  http(s) to upload data to the cppm VIPs, and. fact that  default max concurrent  http sessions per cppm server  is 1500 ......

1). What , on the cppm server do you enable to debug fingberprint uplod using this method ( NOT packet capture on network interface when you have a UDP forwarder)

2). Is there any performance tuning I should be doing on the cppm servers  to cope with the  collector info from the estate ? ( increase max concurrent  https sessions ?)

A

I'm not aware of required tuning. I'd expect the HTTPS connection to send an update (every 60-120s) then disconnect again, so number of concurrent connections should not be that high.

Did you experience issues?? Or is it just before you experience issues? If you need a better answer, it may be good to verify with TAC.

Hi,

cppm 6.11.5

2930 switches WC.16.11.13

Have about  1500 switches all configured to support device fingerprinting  using http,dhcp,lldp collectors.  Client DHCP lease time  is 2 days.

Each switch has 2 cppm vips defined as radius servers.  fingerprint update times range from 60 secs to  default of 120 secs

Given that  the switches are using  http(s) to upload data to the cppm VIPs, and. fact that  default max concurrent  http sessions per cppm server  is 1500 ......

1). What , on the cppm server do you enable to debug fingberprint uplod using this method ( NOT packet capture on network interface when you have a UDP forwarder)

2). Is there any performance tuning I should be doing on the cppm servers  to cope with the  collector info from the estate ? ( increase max concurrent  https sessions ?)

A

In the case that you hit occasional issues with 1000 switches and 60 second reporting time, and that was resolved by changing to 120 second reporting time (basically cutting the load in half), if you have time and opportunity please report to Aruba support such that they and engineering can better understand the limits and scaling. I don't have 1500 switches to test/replicate with.

I'm not aware of required tuning. I'd expect the HTTPS connection to send an update (every 60-120s) then disconnect again, so number of concurrent connections should not be that high.

Did you experience issues?? Or is it just before you experience issues? If you need a better answer, it may be good to verify with TAC.

Hi,

cppm 6.11.5

2930 switches WC.16.11.13

Have about  1500 switches all configured to support device fingerprinting  using http,dhcp,lldp collectors.  Client DHCP lease time  is 2 days.

Each switch has 2 cppm vips defined as radius servers.  fingerprint update times range from 60 secs to  default of 120 secs

Given that  the switches are using  http(s) to upload data to the cppm VIPs, and. fact that  default max concurrent  http sessions per cppm server  is 1500 ......

1). What , on the cppm server do you enable to debug fingberprint uplod using this method ( NOT packet capture on network interface when you have a UDP forwarder)

2). Is there any performance tuning I should be doing on the cppm servers  to cope with the  collector info from the estate ? ( increase max concurrent  https sessions ?)

A

In the case that you hit occasional issues with 1000 switches and 60 second reporting time, and that was resolved by changing to 120 second reporting time (basically cutting the load in half), if you have time and opportunity please report to Aruba support such that they and engineering can better understand the limits and scaling. I don't have 1500 switches to test/replicate with.

I'm not aware of required tuning. I'd expect the HTTPS connection to send an update (every 60-120s) then disconnect again, so number of concurrent connections should not be that high.

Did you experience issues?? Or is it just before you experience issues? If you need a better answer, it may be good to verify with TAC.

Hi,

cppm 6.11.5

2930 switches WC.16.11.13

Have about  1500 switches all configured to support device fingerprinting  using http,dhcp,lldp collectors.  Client DHCP lease time  is 2 days.

Each switch has 2 cppm vips defined as radius servers.  fingerprint update times range from 60 secs to  default of 120 secs

Given that  the switches are using  http(s) to upload data to the cppm VIPs, and. fact that  default max concurrent  http sessions per cppm server  is 1500 ......

1). What , on the cppm server do you enable to debug fingberprint uplod using this method ( NOT packet capture on network interface when you have a UDP forwarder)

2). Is there any performance tuning I should be doing on the cppm servers  to cope with the  collector info from the estate ? ( increase max concurrent  https sessions ?)

A

ClearPass would need to receive profiling data only once. When profiling data is received, it's sent for processing (I think one node in the cluster will be dedicated profiler node), then it's updated through the publisher and synced back to each of the subscribers.

Not sure if the switch will send the data to all ClearPass servers, or to just one, if multiple clearpass servers have been defined.

In the case that you hit occasional issues with 1000 switches and 60 second reporting time, and that was resolved by changing to 120 second reporting time (basically cutting the load in half), if you have time and opportunity please report to Aruba support such that they and engineering can better understand the limits and scaling. I don't have 1500 switches to test/replicate with.

I'm not aware of required tuning. I'd expect the HTTPS connection to send an update (every 60-120s) then disconnect again, so number of concurrent connections should not be that high.

Did you experience issues?? Or is it just before you experience issues? If you need a better answer, it may be good to verify with TAC.

Hi,

cppm 6.11.5

2930 switches WC.16.11.13

Have about  1500 switches all configured to support device fingerprinting  using http,dhcp,lldp collectors.  Client DHCP lease time  is 2 days.

Each switch has 2 cppm vips defined as radius servers.  fingerprint update times range from 60 secs to  default of 120 secs

Given that  the switches are using  http(s) to upload data to the cppm VIPs, and. fact that  default max concurrent  http sessions per cppm server  is 1500 ......

1). What , on the cppm server do you enable to debug fingberprint uplod using this method ( NOT packet capture on network interface when you have a UDP forwarder)

2). Is there any performance tuning I should be doing on the cppm servers  to cope with the  collector info from the estate ? ( increase max concurrent  https sessions ?)

A

ClearPass would need to receive profiling data only once. When profiling data is received, it's sent for processing (I think one node in the cluster will be dedicated profiler node), then it's updated through the publisher and synced back to each of the subscribers.

Not sure if the switch will send the data to all ClearPass servers, or to just one, if multiple clearpass servers have been defined.

In the case that you hit occasional issues with 1000 switches and 60 second reporting time, and that was resolved by changing to 120 second reporting time (basically cutting the load in half), if you have time and opportunity please report to Aruba support such that they and engineering can better understand the limits and scaling. I don't have 1500 switches to test/replicate with.

I'm not aware of required tuning. I'd expect the HTTPS connection to send an update (every 60-120s) then disconnect again, so number of concurrent connections should not be that high.

Did you experience issues?? Or is it just before you experience issues? If you need a better answer, it may be good to verify with TAC.

Hi,

cppm 6.11.5

2930 switches WC.16.11.13

Have about  1500 switches all configured to support device fingerprinting  using http,dhcp,lldp collectors.  Client DHCP lease time  is 2 days.

Each switch has 2 cppm vips defined as radius servers.  fingerprint update times range from 60 secs to  default of 120 secs

Given that  the switches are using  http(s) to upload data to the cppm VIPs, and. fact that  default max concurrent  http sessions per cppm server  is 1500 ......

1). What , on the cppm server do you enable to debug fingberprint uplod using this method ( NOT packet capture on network interface when you have a UDP forwarder)

2). Is there any performance tuning I should be doing on the cppm servers  to cope with the  collector info from the estate ? ( increase max concurrent  https sessions ?)

A