Q:
Usage of enabling cluster security in IAP.
A: What is cluster-security?
-
Cluster security is the secure communication protocol which secures control plane messages between Instant Access Points. Control plane messages between cluster members like configuration, cluster join and related messages are secured using this protocol. It runs on UDP port 4434 and uses DTLS protocol to secure messages
Why do we need cluster-security ?
- Cluster security is required to provide secure control plane communication between IAP cluster nodes.
What are the prerequisites to use cluster-security ?
- Reachability to an NTP server. By default it should suffice if internet is reachable. If internet is not reachable, a local NTP server is required .
- UDP port 4434 should be permitted.
How is auto-join or "allow new ap" related to cluster-security dtls ?
- When auto-join is enabled, backward compatibility and recovery of IAPs is allowed on ARUBA UDP port 8211. Messages required for image synchronization and cluster security DTLS state synchronization are the only messages allowed.
- When auto-join is disabled, the allowed ap list or "AP whitelist" is used to verify peer MAC address. MAC address of an peer IAP from it device certificate is verified against the "AP whitelist" during device certificate validation.
Useful commands on cluster-security:
To print connection table, use the following command. The output is useful to check connections and debug connection level issues.
"show cluster-security connections"
To print the peer table, use following command. Prints peers to which there are connections and connections to each peer. “Local IDX” from the output can be used to find out details of a particular connection from the connection table.
"show cluster-security peers"
To print the cluster-security related statistics and counters, use the following command. The output has counters on a global level in cluster-security module and thus can be used to figure out packet drops, connection establishment failures, timeouts, out of resource conditions etc.
"show cluster-security stats"
To print the cluster-security connection related statistics and counters, use the following command. The output has counters only related to connections and on a per connection basis and thus can be used to figure out failures in individual connections like connection mismatch, negotiation failures, mac and certificate check failures, etc.
"show cluster-security connections stats"
To print the cluster-security peer related statistics and counters, use the following command. The output has counters only related to peers and on a per peer basis and thus can be used to figure out collision occurences, renegotiations and peer states like active, shutdown etc.
"show cluster-security peers stats"
To clear the cluster-security global statistics and counters and reset them to zero, use the following command:
"clear cluster-security stats"
To clear the cluster-security connections' statistics and counters and reset each of them to zero, use the following command:
"clear cluster-security connections stats"
To clear the cluster-security peers' statistics and counters and reset each of them to zero, use the following command:
"clear cluster-security peers stats"