Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Bronze

A quick NAC CAM question

Hi all,

I am currently in the process of putting together an LLD for quite a large campus L2 OOB Virtual Gateway NAC deployment.

I wanted to check something simple at this early stage which is not clear from the docs I have read so far. Can you only have a single CAM HA pair manage all the CAS's in a deployment? Or can you have more than 1 CAM HA pair control all the SNMP communication to flip the VLAN's on the user switches?

I ask this for a good reason.

Cisco officially recommends that CAM HA pairs are not geographically seperated. I have a situation where I have 2 DC's where I can place CAM devices as well as at the campus site where the users are.

The choice of placement could involve having the HA pair split between the 2 DC's with a layer 2 network in between for HA comms. (Not Cisco recommended)

If I stick to CAM HA guidelines I could do the following;

Put the CAM HA pair in the user campus location in different main equipment rooms.

Put a CAM HA pair in a single DC. (Therefore the CAM HA pair could not survive a DC site failure)

Put CAM HA pairs in both DCs (Which is why I asked my initial question above having more than 1 CAM HA pair in a deployment)

Obviously I am not familar with NAC deployments however I have read up on the topic over the last month and would appreciate some assistance from any of you that do this kind of thing day in day out.

Thanks,

Olly

3 REPLIES

Re: A quick NAC CAM question

Olly,

Not quite clear on the question but I'll try:

- You can have one CAM HA pair manage your CASs, or have multiple HA CAMs manage your CASs, but any CAS can only be managed by a single CAM (or pair of HA CAMs), and not by multiple CAMs, at any point in time.

- The HA design is tricky with CAMs and multiple locations. I believe the new versions being planned would have something to alleviate this pain point, but as of right now your options are rather limited

- You can have multiple CAM HA pairs, all being controlled (as far as policy goes) by a master CAM and can achieve some redundancy and geographical diversity this way. More on this topic here: http://bit.ly/6aq8nZ

Does this help?!

Thanks,

Faisal

Bronze

Re: A quick NAC CAM question

Faisal,

Many thanks for your helpful and prompt reply.

I was really trying to understand if a CAS can be managed by more than 1 HA pair and you have answered that perfectly for me.

I am going to look at the link you sent me on master CAMs which seems interesting too.

Just out of interest why does cisco not recommend CAM HA comms over WAN? Obviously I understand that link failures will make the units go active/active but is it more than this such as timers, packet loss etc?

Thanks again.

Olly

Re: A quick NAC CAM question

Olly,

Primarily because the CAMs going both active is really really bad. They both would assume that their version of the DB is accurate and up to date, and when they'd try to re-sync, each would try to update the other. In short there would be uncertainty about the health of the DB if this happens, so to mitigate it we recommend only local HA.

In newer versions I believe this is being worked out in a different manner so WAN HA would be possible.

HTH,

Faisal

345
Views
0
Helpful
3
Replies