Andy,
Hopefully this will make it a little clearer... I think we had some confusion regarding the section in the technote you had read, which is specifically discussing CPPM<->CPPM... it's titled Auxiliary Services... I've just updated the Service Routing TechNote and will get it published ASAP to hopefully make things a little clearer.
Client to CPPM Route selection
The following covers how route selection is chosen; this covers Client <-> CPPM.
- For network traffic that is received on the Management Interface, this interface is used as the return interface.
- For network traffic that is received on the Data Interface, this interface is used as the return interface.
- If the data interface is not configured, all traffic will use the Management Interface.
Note: All of the above rules can be overridden by static routing from the ClearPass CLI using the appadmin UserID. An example of this is below in the next section.
CPPM Auxiliary Traffic Route selection
The following services follow the rules below in regard to how their route selection is chosen; this specifically covers CPPM <-> CPPM communications.
Active Directory, LDAP, NTP, Network devices, CPPM Cluster Communications, Cloud updates, CRL, OCSP, CoA, Endpoint Context-Servers (PANW, MDM)
When CPPM is configured with both interfaces, the following applies to route selection:
- If the destination network/address is in the management subnet then we use the management interface.
- If the destination network/address is in the data subnet then we use the data interface.
- If the destination network is not in either management or data subnets, then we use the data interface by default.
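Added example (not from the post above or from ClearPass itself): a small model of the two rule sets described in this reply, handy for predicting which CPPM interface a given flow will use when planning firewall rules. The subnets are constructed sample values, and the management fallback in the auxiliary rule when no data interface exists is an assumption carried over from the client rule.

```python
from ipaddress import ip_address, ip_network


def client_return_interface(received_on, data_configured=True):
    """Client <-> CPPM rule: the reply leaves on the interface the request
    arrived on; with no data interface configured, everything uses management."""
    if not data_configured:
        return "management"
    if received_on not in ("management", "data"):
        raise ValueError("unknown interface: %s" % received_on)
    return received_on


def auxiliary_egress_interface(destination, mgmt_subnet, data_subnet=None):
    """CPPM <-> CPPM / auxiliary service rule (AD, LDAP, NTP, OCSP, CoA, ...):
    destination in the management subnet -> management interface,
    destination in the data subnet -> data interface,
    anywhere else -> data interface by default.
    Assumption (not stated for this rule set in the post): with no data
    interface configured, fall back to management as the client rule does."""
    dst = ip_address(destination)
    if data_subnet is None:
        return "management"
    if dst in ip_network(mgmt_subnet):
        return "management"
    if dst in ip_network(data_subnet):
        return "data"
    return "data"


MGMT = "10.1.1.0/24"  # constructed sample management subnet
DATA = "10.2.2.0/24"  # constructed sample data subnet

if __name__ == "__main__":
    # Off-subnet destinations such as an external NTP or OCSP server go out
    # the data interface, which is what usually surprises people.
    for dst in ("10.1.1.50", "10.2.2.7", "192.0.2.10"):
        print(dst, "->", auxiliary_egress_interface(dst, MGMT, DATA))
```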