I am currently in the process of putting together an LLD for quite a large campus L2 OOB Virtual Gateway NAC deployment.
I wanted to check something simple at this early stage which is not clear from the docs I have read so far. Can you only have a single CAM HA pair manage all the CASs in a deployment? Or can you have more than 1 CAM HA pair control all the SNMP communication to flip the VLANs on the user switches?
I ask this for a good reason.
Cisco officially recommends that CAM HA pairs are not geographically separated. I have a situation where I have 2 DCs where I can place CAM devices as well as at the campus site where the users are.
The choice of placement could involve having the HA pair split between the 2 DCs with a layer 2 network in between for HA comms. (Not Cisco recommended)
If I stick to CAM HA guidelines I could do the following:
- Put the CAM HA pair in the user campus location in different main equipment rooms.
- Put a CAM HA pair in a single DC. (Therefore the CAM HA pair could not survive a DC site failure)
- Put CAM HA pairs in both DCs (Which is why I asked my initial question above about having more than 1 CAM HA pair in a deployment)
Obviously I am not familiar with NAC deployments; however, I have read up on the topic over the last month and would appreciate some assistance from any of you that do this kind of thing day in, day out.
- You can have one CAM HA pair manage your CASs, or have multiple HA CAMs manage your CASs, but any CAS can only be managed by a single CAM (or pair of HA CAMs), and not by multiple CAMs, at any point in time.
- The HA design is tricky with CAMs and multiple locations. I believe the new versions being planned would have something to alleviate this pain point, but as of right now your options are rather limited.
- You can have multiple CAM HA pairs, all being controlled (as far as policy goes) by a master CAM and can achieve some redundancy and geographical diversity this way. More on this topic here: http://bit.ly/6aq8nZ
I was really trying to understand if a CAS can be managed by more than 1 HA pair and you have answered that perfectly for me.
I am going to look at the link you sent me on master CAMs which seems interesting too.
Just out of interest, why does Cisco not recommend CAM HA comms over WAN? Obviously I understand that link failures will make the units go active/active, but is it more than this, such as timers, packet loss etc.?
Primarily because the CAMs going both active is really really bad. They both would assume that their version of the DB is accurate and up to date, and when they'd try to re-sync, each would try to update the other. In short there would be uncertainty about the health of the DB if this happens, so to mitigate it we recommend only local HA.
In newer versions I believe this is being worked out in a different manner so WAN HA would be possible.
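The dual-active problem described in the last reply, and the one-manager-per-CAS rule from the first reply, are easy to see in a small model. The following is an added example and is not code from this thread or from Cisco; it assumes a fixed count of missed heartbeats before failover and uses constructed device names, user names and VLAN numbers. It shows that once the heartbeat link is cut, the standby cannot distinguish a dead peer from a dead link, promotes itself, and the two copies of the database diverge.

```python
from dataclasses import dataclass, field


@dataclass
class Cam:
    """One manager in an HA pair (toy model, not Cisco's implementation)."""
    name: str
    role: str = "standby"                    # "active" or "standby"
    db: dict = field(default_factory=dict)   # user -> VLAN decision
    missed_heartbeats: int = 0


class HaPair:
    """Active/standby pair whose heartbeat crosses a link we can cut."""

    def __init__(self, dead_interval: int = 3):
        self.a = Cam("cam-a", role="active")
        self.b = Cam("cam-b", role="standby")
        self.link_up = True
        self.dead_interval = dead_interval   # assumed: misses before failover

    def peer(self, node: Cam) -> Cam:
        return self.b if node is self.a else self.a

    def tick(self) -> None:
        """One heartbeat interval; a standby promotes itself after enough misses."""
        for node in (self.a, self.b):
            if self.link_up:
                node.missed_heartbeats = 0
                continue
            node.missed_heartbeats += 1
            if node.role == "standby" and node.missed_heartbeats >= self.dead_interval:
                node.role = "active"   # cannot tell a dead peer from a dead WAN link

    def write(self, node: Cam, user: str, vlan: int) -> None:
        """Record a VLAN decision; it only replicates while the link is up."""
        if node.role != "active":
            raise RuntimeError(f"{node.name} is standby and must not write")
        node.db[user] = vlan
        if self.link_up:
            self.peer(node).db[user] = vlan

    def active_nodes(self) -> list:
        return [n.name for n in (self.a, self.b) if n.role == "active"]

    def db_conflicts(self) -> list:
        """Users for which the two database copies disagree after the split."""
        shared = self.a.db.keys() & self.b.db.keys()
        return sorted(u for u in shared if self.a.db[u] != self.b.db[u])


def simulate(cut_link: bool):
    """Run the same workload with the heartbeat link healthy or cut."""
    pair = HaPair()
    pair.write(pair.a, "user1", 10)      # replicated while the link is up
    pair.link_up = not cut_link
    for _ in range(pair.dead_interval):
        pair.tick()
    # Each active node now makes its own decision about user1.
    pair.write(pair.a, "user1", 20)
    if pair.b.role == "active":
        pair.write(pair.b, "user1", 30)  # only happens in the partitioned case
    return pair.active_nodes(), pair.db_conflicts()


def assign_cas(managers: dict, cas: str, cam: str) -> dict:
    """Enforce the rule that a CAS is managed by one CAM (or HA pair) at a time."""
    current = managers.get(cas)
    if current is not None and current != cam:
        raise ValueError(f"{cas} is already managed by {current}")
    managers[cas] = cam
    return managers


if __name__ == "__main__":
    print("healthy link :", simulate(cut_link=False))
    print("cut WAN link :", simulate(cut_link=True))
```

With the link healthy only `cam-a` is active and the copies agree; with the link cut both nodes report active and `user1` ends up with two different VLAN decisions, which is the "uncertainty about the health of the DB" the reply refers to and the reason local HA is preferred.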