Let me see if I can create a video on publisher failover, however, I think I'd like to get other videos in the series out before. If you want to check out yourself, go into the Server Configuration (Administration » Server Manager » Server Configuration) to the Cluster-Wide Parameters, then to the Standby Publisher tab. There you can enable the automatic failover and select a designated standby publisher.

No, publisher and subscribers should run the same software version. During an upgrade, that temporarily is not the case, and subscribers will run standalone as long as their version does not match the publisher, and (seamlessly) sync again as soon versions match.

​@hermanrobers Noted with thanks Herman. As we are planning to upgrade from 6.9 to 6.11. Is there any order to follow upgrade as we have many subscribers and publisher

@@satheeshkumar3755 The 6.11 'upgrade' is basically a reinstall. First reinstall your subscriber as otherwise you can't really reinstall your subscribers. If your publisher is a VM, I would install the new publisher in parallel, so you can still manager your 6.9 cluster from the original subscriber. If you are in doubt, it may be best to work with your Aruba partner and/or support to plan your upgrade.

Noted with thanks Herman👍👍👍

Thanks for that. Unfortunately, I cannot edit the video and upload it again to change that. Hope this note will take care of the confusion.

That can be pretty technical. High-level there are database syncs between publisher and subscribers and you load balance your switches, controllers, APs manually over the available cluster nodes. The more detailed technical story is in the CPPM TechNote - Clustering Design Guidelines v1.2, which can be found at support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/33093/Default.aspx

I think the official number is 30. It depends a bit on the load though, and how you use zones to reduce the synchronization load between the different nodes. If you plan to deploy more than a few subscribers, it may be good to work with your partner/Aruba SE as they can assist in optimizing your cluster.

If your ClearPass servers are in the same (L2) subnet, and you can use a virtual IP, yes that can be used for redundancy. If your ClearPass servers are in different sites, and you have either L3 (routed) or limited bandwidth, it may be better to use network or DNS load balancers.

There is an updated video on this topic: kzbin.info/www/bejne/r4a3i5Z6rMZ4rK8 . To answer the question, it's recommended to have your certificates properly setup on the publisher before joining a subscriber; you can then through the publisher manage the certificates for the subscriber. No need to have a cert on the subscriber before joining, but it will be retained if you have it installed already.

It depends on your architecture and intended use. If you have 4 equal ClearPass servers, the preferred method is to use an external Network Load Balancer (NLB) with service checks to offer a single ClearPass IP to the network. If you don't have that, I would create indeed 4 VIPs on 1-2 2-3 3-4 4-1 and point your network equipment to two of them that don't share the same appliances. In that case you have the VIP for fast failover if an appliance fails, and the fallback RADIUS in case a cluster fails. With a NLB, all redundancy is arranged in there. There is a TechNote on how to use F5 LTM for that purpose, if you have a different load balancer, the high level steps will probably be similar.

I'm not sure what you are trying to achieve. I would recommend to stay away from using multiple interfaces on ClearPass. In order to reach subscribers to reach the publisher, just set up IP connectivity through the default gateway of the management network. Don't use the data interface, just management. If you really can't avoid using the data interface, read carefully and understand the ClearPass Services Routing Technote. If your question is not answered, can you try to explain in different wording what you try to do?