How to disable whitelist DB sync in the Master - Local controller setup?

Requirement:

 

In deployments with many controllers and APs where CPSEC is in use, syncing the whitelist DB across controllers may cause unwanted DB utilization. For example, with 10000 APs across 10 controllers and whitelist DB sync enabled, all 10000 AP entries are synced to all 10 controllers. If any controller in the cluster is not used for terminating APs, having its DB utilized may be unnecessary.



Solution:

 

Where we do not want the whitelist DB to be synced between the Master and Local controllers, we can disable the sync.

 

Note: This command is applicable on Master only.

 

 



Configuration:

 

To disable whitelist DB sync:

 

(Aruba7240-164.10) (config) #disable-whitelist-sync 

Whitelist sync has been disabled


(Aruba7240-164.10) (config) #end
(Aruba7240-164.10) #show whitelist-db cpsec-status 

Wed Oct 31 03:40:22.188 2018


My Mac-Address                00:1a:1e:03:d1:c8
My IP-Address                 10.29.164.10
Master IP-Address             10.29.164.10
Switch-Role                   Master
Whitelist-sync is disabled                                 <<<<<<<<<<<< DB sync disabled

Entries in Whitelist database

Total entries:                3
Approved entries:             2
Unapproved entries:           0
Certified entries:            1
Certified hold entries:       0
Revoked entries:              0
Marked for deletion entries:  0
Current Sequence Number:    4

 

To enable whitelist DB sync:

 

(Aruba7240-164.10) (config) #no disable-whitelist-sync 

Whitelist sync has been enabled


(Aruba7240-164.10) (config) #show whitelist-db cpsec-status 

My Mac-Address                00:1a:1e:03:d1:c8
My IP-Address                 10.29.164.10
Master IP-Address             10.29.164.10
Switch-Role                   Master
Whitelist-sync is enabled

Entries in Whitelist database

Total entries:                1
Approved entries:             0
Unapproved entries:           0
Certified entries:            1
Certified hold entries:       0
Revoked entries:              0
Marked for deletion entries:  0
Current Sequence Number:    2


Verification

 

Before whitelist DB sync is disabled

 

On Master:

 

(Aruba7240-164.10) #show whitelist-db cpsec

Wed Oct 31 03:39:14.068 2018



Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable   State                   Cert-Type     Description  Revoke Text  Last Updated
-----------        --------  -------  ------   -----                   ---------     -----------  -----------  ------------
44:48:c1:ca:66:ec                     Enabled  certified-factory-cert  factory-cert                            Thu Sep  6 15:05:35 2018

Total Entries: 1

(Aruba7240-164.10) #whitelist-db cpsec add mac-address 44:48:c1:ca:66:bb ap-name APw
(Aruba7240-164.10) #show whitelist-db cpsec

Wed Oct 31 03:39:38.669 2018



Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable   State                    Cert-Type     Description  Revoke Text  Last Updated
-----------        --------  -------  ------   -----                    ---------     -----------  -----------  ------------
44:48:c1:ca:66:ec                     Enabled  certified-factory-cert   factory-cert                            Thu Sep  6 15:05:35 2018
44:48:c1:ca:66:aa            APx      Enabled  approved-ready-for-cert  switch-cert                             Wed Oct 31 03:39:14 2018 <<<<< Entry added on Local
44:48:c1:ca:66:bb            APw      Enabled  approved-ready-for-cert  switch-cert                             Wed Oct 31 03:39:34 2018 <<<<< Entry added on Master

Total Entries: 3

(Aruba7240-164.10) #show whitelist-db cpsec-status 

Wed Oct 31 03:39:48.658 2018


My Mac-Address                00:1a:1e:03:d1:c8
My IP-Address                 10.29.164.10
Master IP-Address             10.29.164.10
Switch-Role                   Master
Whitelist-sync is enabled

Entries in Whitelist database

Total entries:                3
Approved entries:             2
Unapproved entries:           0
Certified entries:            1
Certified hold entries:       0
Revoked entries:              0
Marked for deletion entries:  0
Current Sequence Number:    4

 

On Local:

 

(Aruba7240-164.30) #whitelist-db  cpsec add mac-address 44:48:c1:ca:66:aa ap-name APx
(Aruba7240-164.30) #show whitelist-db cpsec

Wed Oct 31 03:44:16.627 2018



Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable   State                    Cert-Type     Description  Revoke Text  Last Updated
-----------        --------  -------  ------   -----                    ---------     -----------  -----------  ------------
44:48:c1:ca:66:ec                     Enabled  certified-factory-cert   factory-cert                            Wed Oct 31 03:43:03 2018
44:48:c1:ca:66:aa            APx      Enabled  approved-ready-for-cert  switch-cert                             Wed Oct 31 03:44:12 2018 <<<<< Entry added on Local

Total Entries: 2

(Aruba7240-164.30) #show whitelist-db cpsec-status 

Wed Oct 31 03:44:23.969 2018


My Mac-Address                00:1a:1e:03:87:c8
My IP-Address                 10.29.164.30
Master IP-Address             10.29.164.10
Switch-Role                   Local

Entries in Whitelist database

Total entries:                2
Approved entries:             1
Unapproved entries:           0
Certified entries:            1
Certified hold entries:       0
Revoked entries:              0
Marked for deletion entries:  0
Current Sequence Number:    6

(Aruba7240-164.30) #show whitelist-db cpsec-status 

Wed Oct 31 03:45:20.812 2018


My Mac-Address                00:1a:1e:03:87:c8
My IP-Address                 10.29.164.30
Master IP-Address             10.29.164.10
Switch-Role                   Local

Entries in Whitelist database

Total entries:                3                       <<<<< Value moved to 3 after a new entry was added on Master
Approved entries:             2
Unapproved entries:           0
Certified entries:            1
Certified hold entries:       0
Revoked entries:              0
Marked for deletion entries:  0
Current Sequence Number:    7

(Aruba7240-164.30) #show whitelist-db cpsec        

Wed Oct 31 03:45:23.503 2018



Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable   State                    Cert-Type     Description  Revoke Text  Last Updated
-----------        --------  -------  ------   -----                    ---------     -----------  -----------  ------------
44:48:c1:ca:66:ec                     Enabled  certified-factory-cert   factory-cert                            Wed Oct 31 03:43:03 2018
44:48:c1:ca:66:aa            APx      Enabled  approved-ready-for-cert  switch-cert                             Wed Oct 31 03:44:12 2018
44:48:c1:ca:66:bb            APw      Enabled  approved-ready-for-cert  switch-cert                             Wed Oct 31 03:45:04 2018 <<<<< Entry added on Master

Total Entries: 3

 

After disabling whitelist DB sync on Master:

 

On Master

 

(Aruba7240-164.10) (config) #disable-whitelist-sync 

Whitelist sync has been disabled


(Aruba7240-164.10) (config) #end
(Aruba7240-164.10) #show whitelist-db cpsec-status 

Wed Oct 31 03:40:22.188 2018


My Mac-Address                00:1a:1e:03:d1:c8
My IP-Address                 10.29.164.10
Master IP-Address             10.29.164.10
Switch-Role                   Master
Whitelist-sync is disabled                                 <<<<<< Sync disabled

Entries in Whitelist database

Total entries:                3
Approved entries:             2
Unapproved entries:           0
Certified entries:            1
Certified hold entries:       0
Revoked entries:              0
Marked for deletion entries:  0
Current Sequence Number:    4

(Aruba7240-164.10) #whitelist-db  cpsec add mac-address 44:48:c1:ca:66:cc ap-name APe       <<<<<<< added a new entry on master
(Aruba7240-164.10) #show whitelist-db  cpsec                                         

Wed Oct 31 03:40:59.095 2018



Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable   State                    Cert-Type     Description  Revoke Text  Last Updated
-----------        --------  -------  ------   -----                    ---------     -----------  -----------  ------------
44:48:c1:ca:66:ec                     Enabled  certified-factory-cert   factory-cert                            Thu Sep  6 15:05:35 2018
44:48:c1:ca:66:aa            APx      Enabled  approved-ready-for-cert  switch-cert                             Wed Oct 31 03:39:14 2018
44:48:c1:ca:66:bb            APw      Enabled  approved-ready-for-cert  switch-cert                             Wed Oct 31 03:39:34 2018
44:48:c1:ca:66:cc            APe      Enabled  approved-ready-for-cert  switch-cert                             Wed Oct 31 03:40:56 2018

Total Entries: 4

(Aruba7240-164.10) #show whitelist-db cpsec-status                                   

Wed Oct 31 03:51:16.736 2018


My Mac-Address                00:1a:1e:03:d1:c8
My IP-Address                 10.29.164.10
Master IP-Address             10.29.164.10
Switch-Role                   Master
Whitelist-sync is disabled

Entries in Whitelist database

Total entries:                4
Approved entries:             3
Unapproved entries:           0
Certified entries:            1
Certified hold entries:       0
Revoked entries:              0
Marked for deletion entries:  0
Current Sequence Number:    5

 

On Local

 

 

(Aruba7240-164.30) #show whitelist-db cpsec-status 

Wed Oct 31 03:46:32.733 2018


My Mac-Address                00:1a:1e:03:87:c8
My IP-Address                 10.29.164.30
Master IP-Address             10.29.164.10
Switch-Role                   Local

Entries in Whitelist database

Total entries:                3                       <<<<<< On Master, total entries is 4, whereas on Local it is 3 after DB sync is disabled
Approved entries:             2
Unapproved entries:           0
Certified entries:            1
Certified hold entries:       0
Revoked entries:              0
Marked for deletion entries:  0
Current Sequence Number:    7

(Aruba7240-164.30) #show whitelist-db cpsec        

Wed Oct 31 03:46:37.209 2018



Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name  Enable   State                    Cert-Type     Description  Revoke Text  Last Updated
-----------        --------  -------  ------   -----                    ---------     -----------  -----------  ------------
44:48:c1:ca:66:ec                     Enabled  certified-factory-cert   factory-cert                            Wed Oct 31 03:43:03 2018
44:48:c1:ca:66:aa            APx      Enabled  approved-ready-for-cert  switch-cert                             Wed Oct 31 03:44:12 2018
44:48:c1:ca:66:bb            APw      Enabled  approved-ready-for-cert  switch-cert                             Wed Oct 31 03:45:04 2018

Total Entries: 3
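
With sync disabled, the Master and Local whitelists diverge as the outputs above show (4 entries versus 3), so it helps to compare them explicitly. The following is an added example, not part of the original article or any Aruba tooling: it parses saved `show whitelist-db cpsec` output from two controllers and lists the MAC addresses that differ. The function names and the sample text (built in the article's column layout, using its MAC addresses) are assumptions.

```python
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def parse_whitelist(output):
    """Parse 'show whitelist-db cpsec' text into {mac: {column: value}}.
    Column bounds come from the dashed ruler under the header, so an
    empty cell (such as a blank AP-Group) cannot shift later fields."""
    lines, entries = output.splitlines(), {}
    for i, line in enumerate(lines[:-1]):
        if not line.startswith("MAC-Address"):
            continue
        starts = [m.start() for m in re.finditer(r"-+", lines[i + 1])]
        bounds = list(zip(starts, starts[1:] + [None]))
        names = [line[a:b].strip() for a, b in bounds]
        for row in lines[i + 2:]:
            cells = [row[a:b].strip() for a, b in bounds]
            if not cells or not MAC_RE.match(cells[0]):
                break  # blank line or "Total Entries" ends the table
            entries[cells[0].lower()] = dict(zip(names, cells))
    return entries

def whitelist_drift(master_out, local_out):
    """Return (only_on_master, only_on_local, state_differs) MAC lists."""
    mst, loc = parse_whitelist(master_out), parse_whitelist(local_out)
    shared = mst.keys() & loc.keys()
    return (sorted(mst.keys() - loc.keys()),
            sorted(loc.keys() - mst.keys()),
            sorted(k for k in shared if mst[k]["State"] != loc[k]["State"]))

# Constructed sample text in the article's column layout (assumption:
# real output keeps this header + dashed-ruler format).
COLS = ["MAC-Address", "AP-Group", "AP-Name", "Enable", "State",
        "Cert-Type", "Description", "Revoke Text", "Last Updated"]
FMT = "{:<19}{:<10}{:<9}{:<9}{:<25}{:<14}{:<13}{:<13}{}"

def render(rows):
    out = [FMT.format(*COLS), FMT.format(*["-" * len(c) for c in COLS])]
    for mac, ap, state, cert in rows:
        out.append(FMT.format(mac, "", ap, "Enabled", state, cert, "", "",
                              "Wed Oct 31 03:40:56 2018"))
    return "\n".join(out + ["", "Total Entries: %d" % len(rows)])

ROWS = [("44:48:c1:ca:66:ec", "", "certified-factory-cert", "factory-cert"),
        ("44:48:c1:ca:66:aa", "APx", "approved-ready-for-cert", "switch-cert"),
        ("44:48:c1:ca:66:bb", "APw", "approved-ready-for-cert", "switch-cert"),
        ("44:48:c1:ca:66:cc", "APe", "approved-ready-for-cert", "switch-cert")]
MASTER_OUT, LOCAL_OUT = render(ROWS), render(ROWS[:3])  # Master 4, Local 3
print(whitelist_drift(MASTER_OUT, LOCAL_OUT))
```

To use it on real data, pass the captured text of the command from each controller to `whitelist_drift` in place of the constructed samples.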

Version history: revision 2 of 2, last update 11-06-2018 01:23 AM