NAC Appliance in IB VGW L3 mode - routing question
I'm testing Clean Access in In-band VGW mode with clients that are *not* directly connected to the CAS (i.e. L3-adj. mode).
Can anybody tell me whether I need to configure static routes on the CAS for user subnets? It seems that the CAS always sends traffic via the trusted eth0 interface with the eth0 IP as the source. It doesn't use the eth1 IP (even if it is different from the eth0 IP and the static route is pointing via eth1).
So, it seems that eth1 (untrusted side) IP doesn't really matter and static routes are not used in VGW mode. Is my understanding correct?
Thanks a lot for the reply, however, it doesn't help.
> The traffic destined for the client will have to come in the trusted and out the untrusted. The return traffic has to come in the untrusted and out the trusted.
This is only correct from bridging point of view. This is *not* correct from routing point of view.
1. As you know, static routes are used to route traffic, right? And the routing is needed for a *VGW* CAS solely to communicate with clients and the CAM.
2. As you pointed out earlier "the CAS usually has the same IP address on trusted and untrusted interfaces", right?
3. This IP address is needed for CAM-CAS communications, right?
4. So, it must be from the same IP network as the CAS default gateway. For example, the CAS trusted (and untrusted) IP is 10.10.10.1, the default gateway for CAS is 10.10.10.2.
5. At the same time the remote users are coming from the untrusted side. The previous-hop router (on the CAS untrusted side) has the IP address 192.168.88.1 and the next-hop router (on the CAS trusted side) has the IP address 192.168.88.2. The user's network is 172.16.172.0. So far, so good?
6. What you are suggesting now is to specify on the CAS the following IP route:
172.16.172.0/24 via 192.168.88.1 (via untrusted eth1)
7. The problem is that the untrusted (eth1) interface has the IP address 10.10.10.1 and the router has 192.168.88.1! They're on different subnets! Does this route make sense? It looks more like a shortcut than a normal route. Why not just use the default route pointing to the 10.10.10.2 to reach the 172.16.172.0? The traffic can reach user subnet 172.16.172.0 via the following path: 10.10.10.1(trusted intf)->10.10.10.2->192.168.88.2->192.168.88.1->172.16.172.x!
The only question is: which interface, trusted or untrusted, will the CAS use to communicate with clients in case it has the same IP on the untrusted and trusted interfaces and no other routes configured, except the default route?
I know for sure that if the VGW CAS has different IPs on the trusted and untrusted interfaces, it always uses the trusted interface to communicate with clients!
Answering my own question: "which interface, trusted or untrusted, will the CAS use to communicate with clients in case it has the same IP on the untrusted and trusted interfaces and no other routes configured, except the default route?"
The Answer: The VGW CAS will use the trusted interface to communicate with clients. Static routes are not needed.
If the static route is specified via the untrusted interface, the CAS will still use the trusted interface IP address as the source IP, but will send packets out the untrusted interface with the untrusted interface MAC as the source. This is tricky and doesn't give much optimization -- the traffic coming from a PC will have the next-hop router MAC address as the destination, rather than the CAS untrusted MAC address. (The traffic is "shortcutted" one way, not the other.)
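To make the routing argument in the thread concrete, here is an added example (not from any of the posts above, and not Cisco code) that models how a Linux-style host picks an egress interface, next hop and source address from its routing table. It assumes the CAS resolves routes the way an ordinary Linux host does; the interface addresses (eth0 and eth1 both 10.10.10.1/24), the default route via 10.10.10.2, the user subnet 172.16.172.0/24 and the router 192.168.88.1 are taken from the scenario in the thread, and the `onlink` flag is the standard Linux way of accepting a gateway that is not on the interface's subnet. It shows the three cases the posts discuss: only a default route (trusted eth0 is used), the "shortcut" static route via eth1 (egress eth1, source still 10.10.10.1), and the same static route without `onlink`, which a Linux host rejects because 192.168.88.1 is not on eth1's subnet.

```python
"""Model of Linux-style route selection on a dual-homed appliance.

Constructed example for the NAC CAS VGW L3 thread: addresses, routes and
the 'onlink' static route are assumptions, not observed CAS configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Interface:
    name: str
    address: ipaddress.IPv4Interface      # address with prefix, e.g. 10.10.10.1/24


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    gateway: Optional[ipaddress.IPv4Address] = None
    onlink: bool = False                  # accept a gateway outside dev's subnet


@dataclass
class Decision:
    dev: str                              # egress interface
    nexthop: ipaddress.IPv4Address        # the L2 neighbour we would ARP for
    src: ipaddress.IPv4Address            # preferred source address
    route: ipaddress.IPv4Network          # the matching prefix


def select_route(ifaces: List[Interface], routes: List[Route], dst: str) -> Decision:
    """Longest-prefix match, then next-hop and source-address resolution.

    Ties on prefix length go to the route listed first (assumed tie-break,
    mirroring 'first route in the table wins' on a Linux host).
    """
    dst_addr = ipaddress.IPv4Address(dst)
    by_name = {i.name: i for i in ifaces}
    candidates = [r for r in routes if dst_addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst_addr}")
    best = max(candidates, key=lambda r: r.prefix.prefixlen)
    iface = by_name[best.dev]
    if best.gateway is not None:
        # A gateway must be reachable at L2 on the egress interface unless
        # the route is explicitly marked onlink.
        if not best.onlink and best.gateway not in iface.address.network:
            raise ValueError(
                f"gateway {best.gateway} is not on {iface.name}'s subnet "
                f"{iface.address.network}; route needs 'onlink'")
        nexthop = best.gateway
    else:
        nexthop = dst_addr                # directly connected destination
    # Source address comes from the egress interface; with the same IP on
    # eth0 and eth1 this is 10.10.10.1 either way.
    return Decision(iface.name, nexthop, iface.address.ip, best.prefix)


def cas_scenario(mode: str) -> Decision:
    """Route lookup for a client in 172.16.172.0/24 from the thread's CAS.

    mode: 'default'        - only the default route via 10.10.10.2 (eth0)
          'static_onlink'  - plus 172.16.172.0/24 via 192.168.88.1 dev eth1 onlink
          'static_plain'   - the same static route without onlink (rejected)
    """
    ifaces = [
        Interface("eth0", ipaddress.IPv4Interface("10.10.10.1/24")),   # trusted
        Interface("eth1", ipaddress.IPv4Interface("10.10.10.1/24")),   # untrusted, same IP
    ]
    routes = [
        Route(ipaddress.IPv4Network("10.10.10.0/24"), "eth0"),          # connected
        Route(ipaddress.IPv4Network("10.10.10.0/24"), "eth1"),          # connected (duplicate)
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "eth0",
              ipaddress.IPv4Address("10.10.10.2")),                     # default via trusted
    ]
    if mode in ("static_onlink", "static_plain"):
        routes.append(Route(ipaddress.IPv4Network("172.16.172.0/24"), "eth1",
                            ipaddress.IPv4Address("192.168.88.1"),
                            onlink=(mode == "static_onlink")))
    elif mode != "default":
        raise ValueError(f"unknown mode {mode!r}")
    return select_route(ifaces, routes, "172.16.172.50")


if __name__ == "__main__":
    for mode in ("default", "static_onlink", "static_plain"):
        try:
            print(mode, cas_scenario(mode))
        except ValueError as exc:
            print(mode, "REJECTED:", exc)
```

The `default` case reproduces the observation in the thread that, with identical IPs on both interfaces and nothing but a default route, client traffic leaves the trusted interface sourced from 10.10.10.1. The `static_onlink` case reproduces the "shortcut": egress moves to eth1 and the next hop becomes 192.168.88.1, but the source address is still 10.10.10.1. The `static_plain` case is the thread's objection in code form: on a Linux host, `172.16.172.0/24 via 192.168.88.1 dev eth1` is not a valid route unless it is forced with `onlink`, because the gateway is not on eth1's 10.10.10.0/24 subnet.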