Frequent Contributor II
Posts: 119
Registered: ‎01-14-2013

CPPM data port and mgmt port.

Hi

Can I use both interfaces? For example, 2 isolated offices?

Question: input packet --> output on the same interface? Or can it not do that? What is the default route?

B - eth0, Management (Gigabit Ethernet): Provides access for cluster administration and appliance maintenance via web access, CLI, or internal cluster communications. Configuration required.

C - eth1, Data (Gigabit Ethernet): Provides point of contact for RADIUS, TACACS+, Web Authentication and other data-plane requests. Configuration optional. If not configured, requests redirected to the management port.

Thank you!

Guru Elite
Posts: 8,175
Registered: ‎09-08-2010

Re: CPPM data port and mgmt port.

You cannot change the function of the ports. Certain services are bound to certain interfaces.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Moderator
Posts: 472
Registered: ‎11-09-2012

Re: CPPM data port and mgmt port.

Take a look at one of the TechNotes I posted here last week.
http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961
Specifically look at the Service Routing TechNote.
Also to add, very few processes are now tied to physical interfaces; in the last few releases we have made the listening daemons listen on both interfaces (mgmt/data) and also work with the VIP.

Start with the TechNote and post any questions you have back here, or to me at danny@arubanetworks.com
Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Frequent Contributor II
Posts: 119
Registered: ‎01-14-2013

Re: CPPM data port and mgmt port.

Hi!!

Thank you very much! It is all I need!! :)
Regular Contributor II
Posts: 229
Registered: ‎09-11-2013

Re: CPPM data port and mgmt port.

Can I only set up one interface for the VM version? It won't let me put them both on the same subnet!!
Thanks,
MVP
Posts: 1,406
Registered: ‎11-30-2011

Re: CPPM data port and mgmt port.

You can't have the data and mgmt ports in the same subnet, in general; that is the whole idea of splitting them.

Moderator
Posts: 472
Registered: ‎11-09-2012

Re: CPPM data port and mgmt port.

Yes, just use the MGMT interface.


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Regular Contributor II
Posts: 229
Registered: ‎09-11-2013

Re: CPPM data port and mgmt port.

Thanks very much for the quick response.

New Contributor
Posts: 3
Registered: ‎05-07-2014

Re: CPPM data port and mgmt port.

Danny,
 
It's my understanding that both the mgmt and data NICs share the same route table / forwarding plane.  I've worked as a network engineer / architect for the past 15 years and in my line of work configuring a multi-homed server with multiple default gateways is typically discouraged.  This type of configuration usually doesn't result in the type of traffic pattern that most expect, and often leads to asymmetric routing.  This can go unnoticed until a stateful device like a firewall is inserted into the path where the firewall sees only one side of the conversation, or both sides on different NICs.
 
In your tech note you state that the appliance will respond to requests using the same NIC that it received the request on.  How are you able to achieve this when the destination is on a foreign subnet (subnet not directly attached to the server)?  Are you using policy routing where you make a routing decision based on the source IP address rather than the destination?  This is the only scenario I can think of that would explain the behavior you have described, but in my experience the use of policy routing is very rare on a server/appliance.  I'd say 99+% of servers/appliances out there make a routing decision based on the destination address.

When a server is configured with multiple default gateways it will have multiple default routes installed.  For a server that makes its routing decision based on destination IP address, regardless of which IP or NIC the request came in on the server will consult its routing table to determine which NIC to use to transmit the response.  If the destination IP is not on a subnet that is attached to the server and no other routes have been installed, the server will use one of the two default routes.  Which default route is selected varies from one system to another.
 
So given a scenario where a CPPM appliance receives a radius authentication request on the data NIC, and it now has a reply that needs to be routed to a destination IP that is neither on the mgmt or data subnet, it would need to use a default route to reach the destination (assuming no other routes have been installed).  When the route table has two default routes as a result of two configured default gateways, how does the appliance determine which one to use?

Contributor II
Posts: 41
Registered: ‎05-06-2013

Re: CPPM data port and mgmt port.

I think the short answer is: each interface has a default gateway listed, so the packet will be returned via that gateway (relevant to the received interface). You can add specific routes for each interface as well, but the policy manager will not route between interfaces.

But this is all theory, as I have managed to break it a few times "playing" with static routes... :smileyembarrassed:
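The two posts above describe the same question from opposite sides: the network engineer asks how a reply sourced from the data NIC can leave through the data NIC when the destination is on a foreign subnet and the box holds two default routes, and the reply says each interface carries its own default gateway. The simulation below is an added example, not ClearPass code and not anything from the TechNote; it contrasts a plain destination-based lookup that has two default routes in one table with source-based policy routing (one table per NIC, selected by the reply's source address), which is the mechanism that produces the "reply leaves the NIC it arrived on" behaviour. Interface names, subnets, gateways and the NAS address are all constructed.

```python
"""Constructed simulation of the egress decision on a dual-homed appliance.

Model 1 is the classic host behaviour the post warns about: one routing
table, two default routes, source address ignored.  Model 2 is policy
routing: the table is chosen by source address, so a reply sourced from the
data NIC uses the data NIC's default gateway.  All values are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str]  # None means the prefix is directly attached


DEFAULT = ipaddress.ip_network("0.0.0.0/0")
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")   # eth0, constructed
DATA_NET = ipaddress.ip_network("10.20.0.0/24")   # eth1, constructed
MGMT_IP, MGMT_GW = "10.10.0.5", "10.10.0.1"
DATA_IP, DATA_GW = "10.20.0.5", "10.20.0.1"


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match; among equal-length prefixes the first entry wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for route in table:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


# Model 1: a single table with both default gateways installed.
MAIN_TABLE: List[Route] = [
    Route(MGMT_NET, "eth0", None),
    Route(DATA_NET, "eth1", None),
    Route(DEFAULT, "eth0", MGMT_GW),   # first default route wins the tie
    Route(DEFAULT, "eth1", DATA_GW),   # effectively never used
]


def egress_destination_only(src: str, dst: str) -> Route:
    """Destination-based decision: the source address plays no part."""
    return lookup(MAIN_TABLE, dst)


# Model 2: policy routing keyed on the source address, one table per NIC.
POLICY_TABLES: Dict[str, List[Route]] = {
    MGMT_IP: [Route(MGMT_NET, "eth0", None), Route(DEFAULT, "eth0", MGMT_GW)],
    DATA_IP: [Route(DATA_NET, "eth1", None), Route(DEFAULT, "eth1", DATA_GW)],
}


def egress_policy(src: str, dst: str) -> Route:
    """Pick the table owned by the source address, then do the normal lookup."""
    return lookup(POLICY_TABLES.get(src, MAIN_TABLE), dst)


def reply_is_symmetric(model: Callable[[str, str], Route], ingress_iface: str,
                       local_ip: str, peer_ip: str) -> bool:
    """True when the reply to a request received on ingress_iface leaves that same NIC."""
    return model(local_ip, peer_ip).interface == ingress_iface


# Scenario from the thread: a RADIUS request from a NAS on a foreign subnet
# (constructed address) arrives on the data NIC; the reply needs a default route.
NAS_IP = "172.16.5.10"

if __name__ == "__main__":
    for name, model in (("destination-only", egress_destination_only),
                        ("policy-routing", egress_policy)):
        route = model(DATA_IP, NAS_IP)
        print(f"{name:16s} reply leaves {route.interface} via {route.gateway} "
              f"(symmetric: {reply_is_symmetric(model, 'eth1', DATA_IP, NAS_IP)})")
```

With the destination-only table the reply to the NAS leaves eth0 via the management gateway even though the request came in on eth1, which is exactly the asymmetric pattern a stateful firewall in the path would see as half a conversation. With the per-source tables the same reply leaves eth1 via the data gateway. On a Linux host the second model corresponds to iproute2 rules of the form `ip rule add from <nic ip> table <n>` with a default route installed in that table; the simulation reproduces the lookup logic, not the kernel's configuration.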