cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
566
Views
19
Helpful
7
Replies

NAC - CAM HA general question

srue
Level 7
Level 7

I've done several NAC installs with CAM HA configured, always with a crossover cable connected between the two and with IP addresses on the failover interface in the same subnet/network.

My question is: is it possible to have the failover CAM's in seperate geographic locations, so that the failover interfaces (eth1) fall into different networks on each CAM?

TIA

7 Replies 7

michael_dean
Level 1
Level 1

As far as I know, they have to be on the same subnet.

sachinraja
Level 9
Level 9

Steve..

theoritically, with Layer 3 setup, CAM's can have routed IP addresses, on the HA interfaces... again.. i say .. theoritically..

but practically.. i really donno what this blackbox does ! this is one box, for which even the cisco docs arent that good enuf !! there are multiple scenarios and solutions associated with this box and sometimes we are handicapped ! if had a lab before soemtime, but wasnt able to test this.. if you get a chance, test this.. i think it might work, since you just give the "service IP address" and the hostname on the failover settings.. and if the service IP address is reachable, it should be fine..

the only reason i would see them to be in the same location is, that the latency / packet drops if any, on the WAN.. becomes really complicated, if the WAN is unstable.. so, better to have this locally :)

didnt i confuse you ;) thats what this NAC appliance does, for most of us.. he he..

hope this helps.. all the best.. happy new year..

Raj

kylerossd
Level 4
Level 4

I dont see why this would be an issue as long as routing is sound.

Should you loose around 30 seconds of communication (default) between the two CAMs before this would become a problem. At this point the 2 CAMs would both think they are active which might play to your advantage for a while if each site has its own CAS.

thanks for the input.

I don't mean to hijack this thread but i do have folowup question.

I understand that the eth1 Failover interface should be able to be used over a routed network. But what about the eth0 interface and the Service IP, those are kind of crucial to a working setup.

I borrowed a image from the CAM guide to illustrate the problem, in the image both eth0 interfaces are in the same subnet and a service IP is used from the same subnet.

If both CAM's are in different locations and most likely different subnets, then how should one configure the service IP.

yo'ure right, i dont think it's possible for all those reasons.

I ended up placing them in the same physical location.

Some additional information that indicates that it is impossible to use a L3 link between Failover CAM's . As it turns out, the failover interface cannot be Layer 3 as well because the subnet mask of the failover interface is fixed at /30.

"The subnet mask and last octet of the IP address are fixed" from http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a00808fbc0f.shtml

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: