Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Ways to mitigate problems when upgrading to 6.11 a cluster running on HW appliance

  • 1.  Ways to mitigate problems when upgrading to 6.11 a cluster running on HW appliance

    Posted Sep 21, 2023 03:42 AM

    Hello,

    I have to plan the upgrade of a cluster of two HW appliances (C3000, HPE DL360 Gen 9) from 6.10 to 6.11.

    My customer's concern is about the risks of a failing upgrade of an HW appliance, as there is no rollback possibility (other than RMA).
    If the upgrade to 6.11 fails on one of the servers, he will be running the whole network with only one HW server!!
    All Wi-Fi & wired devices (3000-3500 devices) are relying on ClearPass for network connectivity (802.1X & MAC auth).

    I have seen that some people have purchased spare disks to be installed on the appliances before the reimaging, but
    as the C3000 has 6 SAS disks it could be very expensive.

    Also my customer doesn't want to migrate the production cluster to VM appliances as it would simplify the recovery.

    My idea is to deploy, temporarily and only during the upgrade process, a third server on VMware to the existing 6.10 cluster.

    Like that, if the upgrade procedure fails on the first HW appliance (Publisher), we still have 2 CPPM servers running (on 6.10) and we can
    wait until a TAC case (RMA or fix) can restore the failing appliance.

    If the first HW appliance upgrade goes well, we have the same risk when upgrading the second HW appliance (Subscriber); then
    we could deploy a new virtual CPPM Subscriber on 6.11 to keep a two-server cluster until the problem is resolved.

    My concern is that I was thinking of using an Eval Platform license on the virtual server (that would be decommissioned after both
    HW appliances have been successfully upgraded). 

    Is it possible to run a cluster with a mix of Permanent licenses (Platform & Access) and an Eval license (Platform only) on the
    VM appliance?

    I don't want to open a proactive TAC case for this topic right now since it will take a long time and also because HPE (like other vendors
    such as Cisco or Palo Alto) is assigning penalties to Partners for non-bug-related cases.

    Thanks for your advice.

    Kind regards

    Christian Chautems



  • 2.  RE: Ways to mitigate problems when upgrading to 6.11 a cluster running on HW appliance

    Posted Sep 22, 2023 10:54 AM

    Yes, that should work.

    I'm not aware of penalties for non-bug-related cases, and a proper upgrade strategy (or validation of that) is something I would use TAC for if you feel that makes sense.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------