Smooth migration from a Master - Local to MM (ZTP)?

  • 1.  Smooth migration from a Master - Local to MM (ZTP)?

    Posted Feb 05, 2019 05:05 AM

    Hi all,

     

    Last week I was at a customer who is planning to get smoothly from 6.5.x to 8.3.0.x. In 6.5 he has a Master - Local setup.

    What is the best way to upgrade the local controllers to 8.3.x code and redirect them to the new configured virtual mobility master?

     

    What we tested and soon discarded so far:

    - Migration Tool. I tested it and the drawback was that you can only migrate the whole infrastructure at once and not one local after another.

    - Aruba Activate: The problem with Activate is that you can't use a PSK for the IPsec connection. Another drawback was that Activate uses the factory cert for the IPsec connection. We are using VMM so we do not have a factory cert.
    - Full-Setup by hand: This is in many locations not possible, because there are no people with IT knowledge.

     

    What do you think will be the best way to get the old local controllers smoothly to the new Mobility Master?



  • 2.  RE: Smooth migration from a Master - Local to MM (ZTP)?

    Posted Feb 05, 2019 05:17 AM

    Can this be the solution?
    https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-setup-a-controller-using-ZTP-Zero-Touch-Provisioning-on-a/ta-p/292391

     

    Can anyone give me a couple more details about this?

    What do I need? A custom CA which is providing Certificates for the MM and the MDs?

    Do I need to rewrite any crypto map for this?

     

    Thanks in advance

     



  • 3.  RE: Smooth migration from a Master - Local to MM (ZTP)?

    EMPLOYEE
    Posted Feb 05, 2019 05:45 AM

    The link to that article assumes that you already have an MM completely configured and tested and that you have the production 6.x controller already plugged into the correct port. It is also more for remote upgrades where the MM configuration has already soaked and been tested for months and you want to upgrade many remote sites where there is no physical administrator. It requires a lot of preplanning.

     

    If you don't have an MM already configured and tested with a migrated configuration, you cannot use this method.  If you are only migrating two controllers from 6.x to 8.x, this method will not save you any time, over upgrading the firmware to 6.x manually, typing write erase all and pointing the upgraded 8.x controller to the MM.

     

    If you haven't, please see the ArubaOS 8 Fundamentals Guide here:  https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-8-Fundamentals-Guide/ta-p/428914



  • 4.  RE: Smooth migration from a Master - Local to MM (ZTP)?

    Posted Feb 05, 2019 07:12 AM

    Thanks for the clarification. And yes, I already have a fully configured and tested VMM up.

    What do you mean exactly by the preplanning?

     

    I think that's the only way I can go, without having too much trouble getting the MDs to the MM.



  • 5.  RE: Smooth migration from a Master - Local to MM (ZTP)?
    Best Answer

    EMPLOYEE
    Posted Feb 05, 2019 07:23 AM
    The ZTP is only useful for upgrading remote sites where there is no administrator. It requires that you already have the configuration for both controllers already in the MM, and you have to configure Activate.

    If you have physical access to the controller, ZTP will add additional steps to the conversion process. In addition it also requires internet access.

    The manual process is better than ZTP if you have physical access to the controller.


  • 6.  RE: Smooth migration from a Master - Local to MM (ZTP)?

    Posted Feb 05, 2019 07:33 AM

    Thanks again for the clarification!

     

    I think I will have to have a look at the ZTP for remote sites because there are no IT administrators.

    In other locations I see no problem to get physical access to the controllers and provision them by hand.

     

    What steps do I need to think of? Is there any recommendation regarding the cert format? PEM, PKCS12 or something like that?

    CN = MAC of the MD!

    Did I get it right that I have to upload the MD Certs to the MM which is then syncing them to activate?



  • 7.  RE: Smooth migration from a Master - Local to MM (ZTP)?

    Posted Feb 07, 2019 06:17 AM

    Right now I'm at the customer site and we configured (everything) but it is not working.

    I created a new CA and certificates for the MM and MD. Both of them have the CN = MAC.

    All the certificates are uploaded on the MM and the Activate config is synced.

     

    After I start the ZTP process on the MD I can see the following output:

     

    Feb 7 10:56:48 LOG: masterip <MM-IP> ipsec-factory-cert master-mac-1 <MM-MAC> interface vlan 4094

     

    For my understanding there should be a different output with something like:

    masterip <MM-IP> ipsec-custom-cert master-mac-1-c <MM-MAC> ca-cert <name> server-cert <name> interface vl 4094

    When I check the activate status on the MM I see that the "cert upload" is the only field which is not up to date. All other fields are up to date after I typed "activate sync"