I don't know if switches will send profiling data to both defined ClearPass nodes, or to one (and use the other when it fails).
But regardless, the subscriber receiving the fingerprint info should send it to the primary profiling server (on publisher), which processes the information and updates it in the publisher (local for the profiling server as it runs on the publisher) database, and the update is then replicated back to each of the subscribers.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Feb 13, 2024 09:34 AM
From: alexs-nd
Subject: Performance tuning of cppm to support switch collectors
Ok so in our 4 node cluster we have the master publisher set as the primary server for "Server role in zone" and the other 3 cluster nodes don't have anything defined for server role in zone.
All the switches use 2 cppm VIPs in their radius servers which point to subscriber cluster nodes.
So the switches would be sending fingerprint data to two of the subscriber nodes.
A
Original Message:
Sent: 2/13/2024 9:18:00 AM
From: Herman Robers
Subject: RE: Performance tuning of cppm to support switch collectors
ClearPass would need to receive profiling data only once. When profiling data is received, it's sent for processing (I think one node in the cluster will be dedicated profiler node), then it's updated through the publisher and synced back to each of the subscribers.
Not sure if the switch will send the data to all ClearPass servers, or to just one, if multiple ClearPass servers have been defined.
Original Message:
Sent: Feb 13, 2024 03:44 AM
From: alexs-nd
Subject: Performance tuning of cppm to support switch collectors
Will do
Also, if you have multiple radius servers defined on a switch and they're all clearpass servers, does the fingerprinting process send data to all of them?
I define all switch radius servers as being clearpass ones … but do you actually need to do that?
On a switch my normal two radius server definitions are cppm VIPs to the same cluster, so my config pulls the same root ca down twice.
Just wondered if I need to define both as cppm appliances.
A
Original Message:
Sent: 2/13/2024 2:47:00 AM
From: Herman Robers
Subject: RE: Performance tuning of cppm to support switch collectors
In the case that you hit occasional issues with 1000 switches and 60 second reporting time, and that was resolved by changing to 120 second reporting time (basically cutting the load in half), if you have time and opportunity please report to Aruba support such that they and engineering can better understand the limits and scaling. I don't have 1500 switches to test/replicate with.
Original Message:
Sent: Feb 12, 2024 07:20 AM
From: alexs-nd
Subject: Performance tuning of cppm to support switch collectors
Was more a preventative measure, had some issues with devices obtaining ip via dhcp not being fingerprinted by cppm. Everything was fine with low volume of switches, just had occasional issues when we got near the 1000 switch mark with fingerprint update every 60 secs. Have switched to default 120 sec update.
Original Message:
Sent: 2/12/2024 7:07:00 AM
From: Herman Robers
Subject: RE: Performance tuning of cppm to support switch collectors
I'm not aware of required tuning. I'd expect the HTTPS connection to send an update (every 60-120s) then disconnect again, so number of concurrent connections should not be that high.
Did you experience issues? Or is it just before you experience issues? If you need a better answer, it may be good to verify with TAC.
Original Message:
Sent: Jan 24, 2024 09:54 AM
From: alexs-nd
Subject: Performance tuning of cppm to support switch collectors
Hi,
cppm 6.11.5
2930 switches WC.16.11.13
Have about 1500 switches all configured to support device fingerprinting using http, dhcp, lldp collectors. Client DHCP lease time is 2 days.
Each switch has 2 cppm vips defined as radius servers. Fingerprint update times range from 60 secs to default of 120 secs.
Given that the switches are using http(s) to upload data to the cppm VIPs, and the fact that default max concurrent http sessions per cppm server is 1500 ...
1) What, on the cppm server, do you enable to debug fingerprint upload using this method (NOT packet capture on network interface when you have a UDP forwarder)?
2) Is there any performance tuning I should be doing on the cppm servers to cope with the collector info from the estate? (increase max concurrent https sessions?)
A