Frequent Contributor I

Smooth migration from a Master - Local to MM (ZTP)?

Hi all,

Last week I was at a customer who is planning to get smoothly from 6.5.x to 8.3.0.x. In 6.5 he has a Master - Local setup.

What is the best way to upgrade the local controllers to 8.3.x code and redirect them to the newly configured virtual mobility master?

What we tested and soon discarded so far:

- Migration Tool: I tested it and the drawback was that you can only migrate the whole infrastructure at once and not one local after another.
- Aruba Activate: The problem with Activate is that you can't use a PSK for the IPsec connection. Another drawback was that Activate uses the factory cert for the IPsec connection. We are using VMM so we do not have a factory cert.
- Full setup by hand: This is not possible in many locations, because there are no people with IT knowledge.

What do you think will be the best way to get the old local controllers smoothly to the new Mobility Master?

Network Engineer
ACCX #931 | ACMP
Frequent Contributor I

Re: Smooth migration from a Master - Local to MM (ZTP)?

Can this be the solution?
https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-setup-a-controller-using-ZTP-Zero-Touch-Provisioning-on-a/ta-p/292391

Can anyone give me a couple more details about this?

What do I need? A custom CA which is providing certificates for the MM and the MDs?

Do I need to rewrite any crypto map for this?

Thanks in advance

Network Engineer
ACCX #931 | ACMP
Guru Elite

Re: Smooth migration from a Master - Local to MM (ZTP)?

The link to that article assumes that you already have an MM completely configured and tested and that you have the production 6.x controller already plugged into the correct port. It is also more for remote upgrades where the MM configuration has already soaked and been tested for months and you want to upgrade many remote sites where there is no physical administrator. It requires a lot of preplanning.

If you don't have an MM already configured and tested with a migrated configuration, you cannot use this method. If you are only migrating two controllers from 6.x to 8.x, this method will not save you any time, over upgrading the firmware to 6.x manually, typing write erase all and pointing the upgraded 8.x controller to the MM.

If you haven't, please see the ArubaOS 8 Fundamentals Guide here:  https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-8-Fundamentals-Guide/ta-p/428914


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Frequent Contributor I

Re: Smooth migration from a Master - Local to MM (ZTP)?

Thanks for the clarification. And yes, I already have a fully configured and tested VMM up.

What do you mean exactly with the preplanning?

I think that's the only way I can go, without having too much trouble getting the MDs to the MM.

Network Engineer
ACCX #931 | ACMP
Guru Elite

Re: Smooth migration from a Master - Local to MM (ZTP)?

The ZTP is only useful for upgrading remote sites where there is no administrator. It requires that you already have the configuration for both controllers already in the MM, and you have to configure Activate.

If you have physical access to the controller, ZTP will add additional steps to the conversion process. In addition it also requires internet access.

The manual process is better than ZTP if you have physical access to the controller.

Frequent Contributor I

Re: Smooth migration from a Master - Local to MM (ZTP)?

Thanks again for the clarification!

I think I will have to have a look at the ZTP for remote sites because there are no IT administrators.

In other locations I see no problem to get physical access to the controllers and provision them by hand.

What steps do I need to think of? Is there any recommendation regarding the cert format? PEM, PKCS12 or something like that?

CN = MAC of the MD!

Did I get it right that I have to upload the MD certs to the MM, which is then syncing them to Activate?

Network Engineer
ACCX #931 | ACMP
Frequent Contributor I

Re: Smooth migration from a Master - Local to MM (ZTP)?

Right now I'm at the customer side and we configured (everything) but it is not working.

I created a new CA and certificates for the MM and MD. Both of them have the CN = MAC

All the certificates are uploaded on the MM and the Activate config is synced.

After I start the ZTP process on the MD I can see the following output:

Feb 7 10:56:48 LOG: masterip <MM-IP> ipsec-factory-cert master-mac-1 <MM-MAC> interface vlan 4094

For my understanding there should be a different output with something like:

masterip <MM-IP> ipsec-custom-cert master-mac-1-c <MM-MAC> ca-cert <name> server-cert <name> interface vl 4094

When I check the Activate status on the MM I see that the "cert upload" is the only field which is not up to date. All other fields are up to date after I typed "activate sync"

Network Engineer
ACCX #931 | ACMP
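
The comparison the last post makes by eye, as an added example (not part of the thread and not Aruba tooling): it parses the `masterip` line from the provisioning log and reports whether the controller came up with the factory-cert or the custom-cert IPsec mode. The directive keywords are taken only from the two lines quoted in the post; the IP address, MAC address and certificate names are constructed placeholders.

```python
import re

# Keywords are taken from the two lines quoted in the thread; the custom-cert
# ones come from the poster's expected line, not from verified ArubaOS syntax.
ONE_ARG = {"master-mac-1", "master-mac-1-c", "ca-cert", "server-cert"}
AUTH_MODES = {"ipsec-factory-cert", "ipsec-custom-cert"}

def parse_masterip(line):
    """Return a dict describing the masterip directive in a log line, or None."""
    m = re.search(r"\bmasterip\s+(\S+)\s+(.*)$", line)
    if not m:
        return None
    info = {"master": m.group(1), "auth": None, "interface": None}
    tokens = m.group(2).split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in AUTH_MODES:
            info["auth"] = tok
        elif tok in ONE_ARG and i + 1 < len(tokens):
            info[tok] = tokens[i + 1]
            i += 1  # skip the keyword's argument
        elif tok == "interface":
            info["interface"] = " ".join(tokens[i + 1:])
            break
        i += 1
    return info

def audit(line, expect="ipsec-custom-cert"):
    """List the ways a directive differs from the expected custom-cert setup."""
    info = parse_masterip(line)
    if info is None:
        return ["no masterip directive found"]
    problems = []
    if info["auth"] != expect:
        problems.append(f"auth mode is {info['auth']}, expected {expect}")
    if expect == "ipsec-custom-cert":
        for key in ("ca-cert", "server-cert"):
            if key not in info:
                problems.append(f"{key} name missing")
    return problems

# Constructed samples: documentation addresses replace the redacted values.
OBSERVED = ("Feb 7 10:56:48 LOG: masterip 192.0.2.10 ipsec-factory-cert "
            "master-mac-1 00:00:5e:00:53:01 interface vlan 4094")
EXPECTED = ("masterip 192.0.2.10 ipsec-custom-cert master-mac-1-c "
            "00:00:5e:00:53:01 ca-cert example-ca server-cert example-md "
            "interface vl 4094")
```

Running `audit()` over each MD's provisioning log after ZTP gives a quick list of sites that fell back to the factory-cert mode instead of the custom CA.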