ClearPass - How to identify default route ?

  • 1.  ClearPass - How to identify default route ?

    Posted Mar 31, 2022 12:35 PM
    Dear Arubers,

    I am currently trying to configure the "Intune" extension, but I need to use the MGMT port for it. Below is the configuration, which is working, but I'm not sure about the routing table.
    There are some "default" entries and I am not sure I understand which one is used for extension communication.

    Could you help me identify which is the default route in this table?

    #network ip list
    =======================================================================
    IP Rule Information
    -----------------------------------------------------------------------
    0: from all lookup local
    220: from all lookup 220
    10020: from all to 10.0.10.48/28 lookup mgmt
    10040: from 10.0.10.51 lookup mgmt
    10060: from 172.31.40.17 lookup data
    12002: from all to 195.232.131.65 lookup mgmt
    32766: from all lookup main
    32767: from all lookup default
    =======================================================================
    Route Information for Table main
    -----------------------------------------------------------------------
    default via 172.31.40.20 dev eth1
    10.0.10.48/28 dev eth0 proto kernel scope link src 10.0.10.51
    127.17.0.0/16 dev docker0 proto kernel scope link src 127.17.0.1
    169.254.0.0/16 dev eth0 scope link metric 1002
    169.254.0.0/16 dev eth1 scope link metric 1003
    172.17.0.0/16 dev br-71gd828bf56e proto kernel scope link src 172.17.0.1
    172.31.40.16/29 dev eth1 proto kernel scope link src 172.31.40.17
    =======================================================================
    Route Information for Table static
    -----------------------------------------------------------------------
    default via 10.0.15.60 dev eth0
    =======================================================================
    Route Information for Table mgmt
    -----------------------------------------------------------------------
    default via 10.0.15.60 dev eth0
    10.0.10.48/28 dev eth0 scope link src 10.0.10.51
    =======================================================================
    Route Information for Table data
    -----------------------------------------------------------------------
    default via 172.31.40.20 dev eth1
    172.31.40.16/29 dev eth1 scope link src 172.31.40.17
    =======================================================================

    Thanks a lot for your clarification :)
    ------------------------------


  • 2.  RE: ClearPass - How to identify default route ?

    EMPLOYEE
    Posted Mar 31, 2022 09:10 PM
    Here is the info on route selection on ClearPass appliances with mgmt and data ports:
    https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/CPPM_UserGuide/Admin/datamanagementport.htm

    If you have to use the mgmt port for extensions, then you have to configure a static route for it through the mgmt interface:
    network ip add mgmt -i 400 -d x.x.x.x/24 -g <IP-addr>

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: ClearPass - How to identify default route ?

    Posted Apr 01, 2022 03:04 AM
    Thank you.

    I have already seen this document, but I would like to identify these statements in the current routing table. Which is the current default route among those in bold?

    ------------------------------
    JB
    ------------------------------



  • 4.  RE: ClearPass - How to identify default route ?

    EMPLOYEE
    Posted May 03, 2022 08:51 AM
    In this case, for outbound traffic the IP rule "32766: from all lookup main" triggers, unless the destination is 195.232.131.65 (probably a management route that you set), which then takes the default route "default via 172.31.40.20 dev eth1".

    This matches the statement earlier that outbound traffic takes the data port, unless there is a management route or the destination is local in the management port's subnet.

    Note that using the ClearPass Data port is not recommended in most cases and may introduce security issues unless you fully understand and oversee the consequences.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
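To make the rule order concrete, here is an added Python example (written for this page, not code from the thread or from ClearPass) that parses an abridged copy of the "network ip list" output above and resolves which rule, table and next hop apply to a given source and destination, walking the rules in priority order the way the kernel does. It assumes tables that do not appear in the output (local, 220) are empty, so those rules fall through, and it uses source 0.0.0.0 to model a locally originated socket that has not bound a source address yet.

```python
import ipaddress
import re

# Constructed sample: rules and the referenced tables from the 'network ip list' output above (abridged).
NETWORK_IP_LIST = """\
0: from all lookup local
220: from all lookup 220
10020: from all to 10.0.10.48/28 lookup mgmt
10040: from 10.0.10.51 lookup mgmt
10060: from 172.31.40.17 lookup data
12002: from all to 195.232.131.65 lookup mgmt
32766: from all lookup main
32767: from all lookup default
Route Information for Table main
default via 172.31.40.20 dev eth1
Route Information for Table mgmt
default via 10.0.15.60 dev eth0
10.0.10.48/28 dev eth0 scope link src 10.0.10.51
Route Information for Table data
default via 172.31.40.20 dev eth1
"""


def parse(text):
    """Return (rules, tables): rules as (prio, from_net, to_net, table), routes as (prefix, gw, dev)."""
    rules, tables, cur = [], {}, None
    for line in text.splitlines():
        m = re.match(r"(\d+): from (\S+)(?: to (\S+))? lookup (\S+)", line)
        if m:
            prio, src, dst, tbl = m.groups()
            rules.append((int(prio), None if src == "all" else ipaddress.ip_network(src),
                          ipaddress.ip_network(dst) if dst else None, tbl))
        elif line.startswith("Route Information for Table "):
            cur = tables.setdefault(line.rsplit(" ", 1)[1], [])
        elif cur is not None and (m := re.match(r"(\S+)(?: via (\S+))? dev (\S+)", line)):
            pfx, gw, dev = m.groups()
            cur.append((ipaddress.ip_network("0.0.0.0/0" if pfx == "default" else pfx), gw, dev))
    return sorted(rules, key=lambda r: r[0]), tables


def resolve(src, dst, rules, tables):
    """Walk rules by priority; the first matching rule whose table holds a route for dst wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, frm, to, tbl in rules:
        if (frm is not None and src not in frm) or (to is not None and dst not in to):
            continue
        # Tables absent from the output (local, 220) are treated as empty, so those rules fall through.
        hits = [r for r in tables.get(tbl, []) if dst in r[0]]
        if hits:
            best = max(hits, key=lambda r: r[0].prefixlen)  # longest prefix match within the table
            return prio, tbl, best[1], best[2]
    return None
```

Calling resolve("0.0.0.0", dst, *parse(NETWORK_IP_LIST)) shows that 195.232.131.65 is caught by rule 12002 and resolved in the mgmt table, a destination inside 10.0.10.48/28 by rule 10020, and anything else by rule 32766 in table main; a packet already sourced from the mgmt or data address is steered by rules 10040 and 10060 instead.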