Wireless Access

Frequent Contributor II

Replacing a master controller with a new model in a master-local topology


I'm trying to replace a M3 master controller with a 7210 new with the same master role and ip configuration.

Our network is made of one M3 master controller and 3 7210 local controllers, with centraliced license and cpsec enabled.

The documentation says that when the new master controller is bring up (7210 controller), it generate a new certificate which is sent to local controllers and then to AP to secure access (cpsec behaviour).

The question is, assuming that I can migrate all AP to only one local controller and leave the other two with no AP, the new certificate is sent automatically from master to all local or I need to reboot the local controllers in order to get the new certificate?

What I'm trying to do is to restart each controller one by one and when it gets the new master certificate then migrate groups of virtual AP in order to avoid an entire AP rebooting in all network.


Thank you


Re: Replacing a master controller with a new model in a master-local topology

All of the APs will need to recertify and reboot.  You should plan this during a maintenance window.

If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
Frequent Contributor II

Re: Replacing a master controller with a new model in a master-local topology

Yes, I know all AP should reboot, that's not the question.

The question is if local controllers reboots immediatlely after the master is replaced, I mean does the local controllers detect the master replacement and automatically reboot or the reboot must be done manually?

If the reboot is manually, does the associate AP lose service until the local controller is reloaded or not?


I'm thinking in replace the master controller on the morning and reboot local controller the same day on the night when the AP doesn't have clients.


Thank you

Guru Elite

Re: Replacing a master controller with a new model in a master-local topology


You can try this:


- Backup the flash on all controllers and copy them off the controllers.

- Add a VRRP to the existing master's management VLAN and make the master a priority of 200 on that VRRP.

- Change the masterip on your local controllers to point to the ip address of that VRRP (will require reboots of those controllers).

- Validate that they show up on the existing master, as well as all of the APs.

- Add the new master as a backup master

   a- prepare it to make sure it has the same version of ArubaOS as that master

  b- create a VRRP with the same number with a lower priority on that same management vlan. 

  c- make sure it becomes a backup to the master on that VRRP.

  d- configure master redundancy and reference that VRRP.

  e- Type "show switches" on the current master to make sure that it sees the new controller as a backup master

- If you remove the original master, the backup master should take over and have a copy of the centralized licensing database, as well as the cpsec whitelist.


You will have to test all of the steps above, because you might have things configured in a way that will not allow the general steps above to work.  If you feel uncomfortable about the steps above, please contact TAC for them to walk you through it.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
ArubaOS Consolidated Release Notes
Aruba Technical Webinars
Search Airheads
Showing results for 
Search instead for 
Did you mean: