Setting up configuration synchronization

In order for configuration synchronization to function, all of the devices to be configured need to have valid certificates. In the interests of easy certificate distribution, you first need to configure a SCEP-CA on one of the devices.

  1. To do this, enable the SCEP server under Certificates > SCEP CA. If you set up the configuration synchronization on a WLC, the SCEP server is most likely already active.

  2. Then enable the SCEP client on every device that is to take part in configuration synchronization (including the SCEP CA device itself) under Certificates > SCEP client. If you set up the configuration synchronization on a WLC, the SCEP client is most likely already active.

  3. Add a new entry for the SCEP server to the CA table.

    The values for the CA table match the settings of the SCEP server from step 1 and are thus the same for all stations. For the URL you enter http://IPADR/cgi-bin/pkiclient.exe, replacing IPADR with the IP address of the device configured as SCEP-CA.

    If you set up the configuration synchronization on a WLC, a corresponding entry for the WLC operation will already be available. This entry can also be used to obtain a certificate for configuration synchronization, and in this case there is no need to make any changes to the CA table.





  4. The Certificate table in the SCEP client needs a new entry for the retrieval of a configuration synchronization certificate. The CA distinguished name is the one you used when you created the CA table entry.




    As the subject, enter each device's own IP address (e.g. /CN=IPADR/O=COMPANY/C=DE), replacing IPADR with the IP address of the device whose certificate is being requested.

    Important: In order for the configuration synchronization to function, it is absolutely necessary for the IP address of the device to be included in the certificate's subject.

    Set the Usage type to "Configuration synchronization". Also, adjust the Key length to "2048 bits". Set a Name of your choice for the table entry.

    The challenge password of the device configured as SCEP CA is located in its configuration under Certificates > Certificate handling > General challenge password.





  5. This concludes the setup of the SCEP CA and the SCEP client for the retrieval of configuration synchronization certificates. You can now write the configuration back to the device so that it retrieves its certificate.
  6. Now activate the configuration synchronization under Management > Synchronization with the option Configuration synchronization module enabled. Under Cluster name you can also set a name that appears in the LANconfig device list.




  7. Under Cluster members, enter the IP addresses of all of the devices that are to be members of the cluster.




  8. Under Menu nodes you specify the menus you want to synchronize. If you wish to explicitly exclude menu nodes from the synchronization, set the Usage to "excluded from synchronization".




    Under "Ignored rows" you can optionally specify the rows of a table that should be excluded from synchronization. Example: The default route on VPN gateways, which should be different for each gateway. The rest of the routing table can be synchronized by making an entry in the Menu nodes.





  9. The setup of configuration synchronization is now concluded for this device. You can write the configuration back to the device.
  10. Perform steps 2 through 9 on the other devices that belong to the cluster. When configuring each SCEP client, point to the SCEP CA of the first device, as indicated above.
  11. Now start the cluster on the device that should initially distribute its configuration to the other cluster members. To do this in LANconfig, select the appropriate entry from the device list and, in the context menu, click [Start cluster...].
  12. The cluster is now in operation. You can check the state of the cluster in WEBconfig under Status > Config > Sync > Status. Now, configuration changes made on any cluster member are synchronized to the other members.
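The following Python model illustrates the behaviour described for Menu nodes and Ignored rows in step 8: a synchronized table is taken over from the distributing device, except for the rows listed as ignored, which keep their local value (the default route in the VPN gateway example). This is an added example written for this page, not LANCOM code; the routing tables are constructed sample data, and the "replace everything except ignored rows" semantics is an assumption made for the model.

```python
"""Model of synchronizing one menu node (here a routing table) with ignored rows.

Added example, not part of the LANCOM documentation or firmware. The exact
merge semantics of the device are assumed; the model replaces every row of
the synchronized table with the distributing device's row, except rows whose
key is listed as ignored, which keep the receiving device's local value.
"""

# Constructed sample routing tables (prefix, netmask, gateway). Addresses are
# documentation ranges, not real gateways.
SOURCE_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "203.0.113.1"),        # default route of gateway A
    ("10.1.0.0", "255.255.0.0", "10.0.0.2"),
    ("10.2.0.0", "255.255.0.0", "10.0.0.3"),
]
TARGET_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "198.51.100.1"),       # default route of gateway B
    ("10.1.0.0", "255.255.0.0", "10.0.0.9"),      # stale gateway, to be replaced
]

# Ignored rows are identified by the table's key columns (prefix and netmask).
IGNORED_ROWS = {("0.0.0.0", "0.0.0.0")}


def row_key(row):
    """Key columns of a routing-table row: destination prefix and netmask."""
    return row[0], row[1]


def sync_table(source_rows, target_rows, ignored_keys):
    """Return the receiving device's table after synchronization.

    Non-ignored rows come from the distributing device (source); ignored rows
    keep whatever the receiving device (target) has locally. An ignored row
    that exists only on the source is deliberately not copied.
    """
    merged = {row_key(r): r for r in source_rows if row_key(r) not in ignored_keys}
    for row in target_rows:
        if row_key(row) in ignored_keys:
            merged[row_key(row)] = row  # local value wins for ignored rows
    return sorted(merged.values())


def rows_changed(before_rows, after_rows):
    """Rows that differ between the local table before and after the sync."""
    return sorted(set(after_rows) ^ set(before_rows))


if __name__ == "__main__":
    after = sync_table(SOURCE_ROUTES, TARGET_ROUTES, IGNORED_ROWS)
    for row in after:
        print(row)
    print("changed:", rows_changed(TARGET_ROUTES, after))
```

Running the block shows gateway B keeping its own default route (198.51.100.1) while the 10.1.0.0/16 and 10.2.0.0/16 rows are taken over from gateway A, which is exactly the split the page describes: the default route excluded via Ignored rows, the rest of the routing table synchronized via the Menu nodes entry.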
Please note the following requirements:
  • The correct time must be set on all of the involved devices (certificate checks).
  • The IP address of each device must appear in the subject of its own certificate.
  • The menu trees to be synchronized must be identical on all of the involved devices (which is not always the case with different firmware versions or device options).
  • If any changes are made to the configuration of the configuration synchronization (menu nodes, etc.) after the cluster has already been started, the cluster must be restarted.
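To make steps 3 and 4 and the certificate requirement above concrete, here is an added Python example (not LANCOM code) that derives the per-device SCEP client entries for a cluster and checks a certificate subject against the rule that each device's own IP address must appear in the subject of its own certificate. The cluster addresses, organization and country are constructed sample values; the URL and subject formats are the ones given on this page.

```python
"""Derive SCEP client entries for a cluster and validate certificate subjects.

Added example, not part of the LANCOM documentation. Only the URL template
and the subject format come from the page; the sample addresses, organization
and country are constructed.
"""
import ipaddress

# From the page: the CA URL points at the device configured as SCEP CA.
SCEP_URL_TEMPLATE = "http://{ca_ip}/cgi-bin/pkiclient.exe"
# From the page: the subject carries the device's OWN address in the CN.
SUBJECT_TEMPLATE = "/CN={own_ip}/O={org}/C={country}"


def scep_url(ca_ip):
    """CA table URL for the given SCEP CA address (ValueError if not an IP)."""
    ipaddress.ip_address(ca_ip)
    return SCEP_URL_TEMPLATE.format(ca_ip=ca_ip)


def subject_for(own_ip, org, country):
    """Certificate subject for one cluster member, keyed on its own address."""
    ipaddress.ip_address(own_ip)
    return SUBJECT_TEMPLATE.format(own_ip=own_ip, org=org, country=country)


def parse_subject(subject):
    """Split '/CN=a/O=b/C=c' into a dict of attribute -> value."""
    parts = [p for p in subject.split("/") if p]
    attrs = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed subject component: {part!r}")
        name, value = part.split("=", 1)
        attrs[name.strip()] = value.strip()
    return attrs


def subject_matches_device(subject, own_ip):
    """Check the page's requirement: the device's own IP must be in the subject.

    Returns (ok, reason). The common mistake of putting the SCEP CA's address
    into every member's subject is reported as a mismatch.
    """
    attrs = parse_subject(subject)
    cn = attrs.get("CN")
    if cn is None:
        return False, "subject has no CN component"
    try:
        cn_ip = ipaddress.ip_address(cn)
    except ValueError:
        return False, f"CN {cn!r} is not an IP address"
    if cn_ip != ipaddress.ip_address(own_ip):
        return False, f"CN {cn} is not this device's own address {own_ip}"
    return True, "ok"


def cluster_scep_entries(ca_ip, member_ips, org="COMPANY", country="DE"):
    """One SCEP client certificate-table entry per cluster member (steps 3-4)."""
    entries = []
    for ip in member_ips:
        entries.append({
            "device": ip,
            "ca_url": scep_url(ca_ip),
            "subject": subject_for(ip, org, country),
            "usage": "Configuration synchronization",
            "key_length": 2048,
        })
    return entries


if __name__ == "__main__":
    # Constructed cluster: the first member doubles as the SCEP CA.
    ca, members = "192.0.2.10", ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for entry in cluster_scep_entries(ca, members):
        ok, why = subject_matches_device(entry["subject"], entry["device"])
        print(entry["device"], entry["subject"], ok, why)
```

The validator is the part worth running against real devices: feed it the subject of the certificate each member actually received and its configured address, and any entry that was mistakenly requested with the CA's address instead of the member's own will be flagged before the cluster is started.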

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
