01-05-2009 11:11 AM - edited 02-21-2020 03:11 AM
I've done several NAC installs with CAM HA configured, always with a crossover cable connected between the two and with IP addresses on the failover interface in the same subnet/network.
My question is: is it possible to have the failover CAMs in separate geographic locations, so that the failover interfaces (eth1) fall into different networks on each CAM?
TIA
01-05-2009 12:19 PM
As far as I know, they have to be on the same subnet.
01-05-2009 12:52 PM
Steve..
theoretically, with Layer 3 setup, CAMs can have routed IP addresses on the HA interfaces... again.. I say.. theoretically..
but practically.. I really don't know what this black box does! This is one box for which even the Cisco docs aren't that good enough!! There are multiple scenarios and solutions associated with this box and sometimes we are handicapped! I had a lab some time before, but wasn't able to test this.. if you get a chance, test this.. I think it might work, since you just give the "service IP address" and the hostname on the failover settings.. and if the service IP address is reachable, it should be fine..
the only reason I would see them to be in the same location is that the latency / packet drops, if any, on the WAN.. becomes really complicated, if the WAN is unstable.. so, better to have this locally :)
didn't I confuse you ;) that's what this NAC appliance does, for most of us.. he he..
hope this helps.. all the best.. happy new year..
Raj
01-05-2009 09:22 PM
I don't see why this would be an issue as long as routing is sound.
You would have to lose around 30 seconds of communication (default) between the two CAMs before this would become a problem. At this point the 2 CAMs would both think they are active, which might play to your advantage for a while if each site has its own CAS.
01-06-2009 06:52 AM
Thanks for the input.
01-08-2009 03:03 AM
I don't mean to hijack this thread but I do have a follow-up question.
I understand that the eth1 Failover interface should be able to be used over a routed network. But what about the eth0 interface and the Service IP? Those are kind of crucial to a working setup.
I borrowed an image from the CAM guide to illustrate the problem; in the image both eth0 interfaces are in the same subnet and a service IP is used from the same subnet.
If both CAMs are in different locations and most likely different subnets, then how should one configure the service IP?
01-08-2009 04:43 PM
You're right, I don't think it's possible for all those reasons.
I ended up placing them in the same physical location.
01-13-2009 06:07 AM
Some additional information that indicates that it is impossible to use a L3 link between Failover CAMs. As it turns out, the failover interface cannot be Layer 3 as well because the subnet mask of the failover interface is fixed at /30.
"The subnet mask and last octet of the IP address are fixed" from http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a00808fbc0f.shtml