Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM data port and mgmt port.

  • 1.  CPPM data port and mgmt port.

    Posted Mar 24, 2014 01:19 PM

    Hi

     Can I use both interfaces? For example, 2 isolated offices?

    Question: --> Input packet --> Output on the same interface? Or can it not do that? What is the default route?

    B - eth0, Management (Gigabit Ethernet): Provides access for cluster administration and appliance maintenance via web access, CLI, or internal cluster communications. Configuration required.
    C - eth1, Data (Gigabit Ethernet): Provides point of contact for RADIUS, TACACS+, Web Authentication and other data-plane requests. Configuration optional. If not configured, requests redirected to the management port.

    Thank you!



  • 2.  RE: CPPM data port and mgmt port.
    Best Answer

    EMPLOYEE
    Posted Mar 24, 2014 01:37 PM

    You cannot change the function of the ports. Certain services are bound to certain interfaces.



  • 3.  RE: CPPM data port and mgmt port.
    Best Answer

    Posted Mar 24, 2014 01:53 PM

    Take a look at one of the TechNotes I posted here last week.

    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

    Specifically look at the Service Routing TechNote.

    Also to add, very few processes are now tied to physical interfaces; in the last few releases we have made the listening daemons listen on both interfaces (mgmt/data) and also work to the VIP.

    Start with the TechNote and post any questions you have back here, or to me at danny@arubanetworks.com



  • 4.  RE: CPPM data port and mgmt port.

    Posted May 07, 2014 07:49 PM

    Danny,

    It's my understanding that both the mgmt and data NICs share the same route table / forwarding plane.  I've worked as a network engineer / architect for the past 15 years and in my line of work configuring a multi-homed server with multiple default gateways is typically discouraged.  This type of configuration usually doesn't result in the type of traffic pattern that most expect, and often leads to asymmetric routing.  This can go unnoticed until a stateful device like a firewall is inserted into the path where the firewall sees only one side of the conversation, or both sides on different NICs.

    In your tech note you state that the appliance will respond to requests using the same NIC that it received the request on.  How are you able to achieve this when the destination is on a foreign subnet (subnet not directly attached to the server)?  Are you using policy routing where you make a routing decision based on the source IP address rather than the destination?  This is the only scenario I can think of that would explain the behavior you have described, but in my experience the use of policy routing is very rare on a server/appliance.  I'd say 99+% of servers/appliances out there make a routing decision based on the destination address.

    When a server is configured with multiple default gateways it will have multiple default routes installed.  For a server that makes its routing decision based on destination IP address, regardless of which IP or NIC the request came in on the server will consult its routing table to determine which NIC to use to transmit the response.  If the destination IP is not on a subnet that is attached to the server and no other routes have been installed, the server will use one of the two default routes.  Which default route is selected varies from one system to another.

    So given a scenario where a CPPM appliance receives a radius authentication request on the data NIC, and it now has a reply that needs to be routed to a destination IP that is neither on the mgmt or data subnet, it would need to use a default route to reach the destination (assuming no other routes have been installed).  When the route table has two default routes as a result of two configured default gateways, how does the appliance determine which one to use?



  • 5.  RE: CPPM data port and mgmt port.

    Posted May 11, 2014 04:34 PM

    I think the short answer is, each interface has a default gateway listed. So the packet will be returned via that gateway (relevant to the received interface). You can add specific routes for each interface as well, but the policy manager will not route between interfaces.

    But this is all theory as I have managed to break it a few times "playing" with static routes... :smileyembarrassed:



  • 6.  RE: CPPM data port and mgmt port.

    Posted May 21, 2014 01:47 PM

    I understand this is how it is supposed to work, but I believe the reason there is confusion on the subject is that Linux and other systems do not behave this way when multiple default gateways are configured.  Some type of policy routing would need to be enabled on the system where traffic is routed based on source address rather than destination address.



  • 7.  RE: CPPM data port and mgmt port.

    Posted May 22, 2014 06:46 PM

    Andy,

    Thanks for taking the time to write such a detailed question. 

    The mgmt/data DO NOT share the same route table; they hold separate routing tables. With this in mind quite a few of your follow-up questions/points become moot. You are correct in that we make routing decisions based upon destination address.

    In summary, this is the best way I can summarize our route selection.....

    If the destination network matches the management port subnet then CPPM uses management port to forward the traffic.
    If the destination network matches the data port subnet then CPPM uses data port to forward the traffic.
    If the destination network doesn't match either management port or data port subnet then it uses data port to forward the traffic.




  • 8.  RE: CPPM data port and mgmt port.

    Posted May 22, 2014 10:58 PM

    Danny,

    Thanks for the response.  So to check my understanding, if I have a CPPM appliance with a mgmt NIC in subnet A, data NIC in subnet B, and a client PC in subnet C, and the client connects to the admin web interface in subnet A, the CPPM appliance will route traffic to the client using the data NIC.  Is this correct?



  • 9.  RE: CPPM data port and mgmt port.

    Posted May 23, 2014 07:14 PM

    Andy,

    Hopefully this will make it a little clearer..... I think we had some confusion regarding the section in the technote you had read, which is specifically discussing CPPM<->CPPM.... it's titled Auxiliary Services.... I've just updated the Service Routing TechNote and will get it published ASAP to hopefully make things a little clearer.

    Client to CPPM Route selection

    The following covers how route selection is chosen; this covers Client <-> CPPM.

    • For network traffic that is received on the Management Interface, this interface is used as the return interface.
    • For network traffic that is received on the Data Interface, this interface is used as the return interface.
    • If the data interface is not configured all traffic will use the Management Interface.

    Note: All of the above rules can be overridden by static routing from the ClearPass CLI using the appadmin UserID. An example of this is below in the next section.

    CPPM Auxiliary Traffic Route selection

    The following services follow the below rules in regard to how their route selection is chosen; this specifically covers CPPM <-> CPPM communications.

    Active Directory, LDAP, NTP, Network devices, CPPM Cluster Communications, Cloud updates, CRL, OCSP, CoA, Endpoint Context-Servers (PANW, MDM)

    When CPPM is configured with both interfaces, the following applies to route selection….

    • If the destination network/address is in the management subnet then we use the management interface.
    • If the destination network/address is in the data subnet then we use the data interface.
    • If the destination network is not in either management or data subnets, then we use the data interface by default. 
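    The two rule sets above (return on the ingress interface for client traffic, destination-subnet match with a data-interface fallback for CPPM-initiated traffic, static routes overriding both, everything on mgmt when no data interface exists) are easier to reason about as a small model. The block below is an added illustration written for this thread; it is not ClearPass code, and the appliance's real forwarding logic is known here only from the posts. The class name `CppmRouting`, the method names, the longest-prefix behaviour of the static-route override, and the sample subnets are all assumptions. The `stateful_path_asymmetric` check answers the concern raised earlier in the thread: for a given client, would a firewall between the client and CPPM see the reply leave on one interface and CPPM-initiated connections to the same host leave on the other.

    ```python
    """Model of the CPPM egress-interface selection described in this thread.

    Added example, not ClearPass code.  Rules taken from the posts above:
      Client <-> CPPM : the reply leaves on the interface the request arrived on.
      CPPM-initiated  : destination in mgmt subnet -> mgmt; in data subnet -> data;
                        anything else -> data.
      No data interface configured -> everything uses mgmt.
      Static routes added from the CLI override both rule sets
      (longest-prefix match for the override is an assumption).
    """
    import ipaddress
    from dataclasses import dataclass, field
    from typing import Optional


    @dataclass
    class CppmRouting:
        mgmt_subnet: str
        data_subnet: Optional[str] = None
        # Assumed representation of CLI static routes: network -> interface name.
        static_routes: dict = field(default_factory=dict)

        def __post_init__(self):
            self.mgmt_subnet = ipaddress.ip_network(self.mgmt_subnet)
            if self.data_subnet is not None:
                self.data_subnet = ipaddress.ip_network(self.data_subnet)

        def add_static_route(self, network: str, interface: str) -> None:
            """Register an override; only interfaces that exist may be targets."""
            if interface not in ("mgmt", "data"):
                raise ValueError("interface must be 'mgmt' or 'data'")
            if interface == "data" and self.data_subnet is None:
                raise ValueError("no data interface configured")
            self.static_routes[ipaddress.ip_network(network)] = interface

        def _static_match(self, dst) -> Optional[str]:
            """Longest-prefix match over the static routes (assumed behaviour)."""
            best = None
            for net, iface in self.static_routes.items():
                if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, iface)
            return best[1] if best else None

        def egress_for_reply(self, ingress_iface: str, dst: str) -> str:
            """Client <-> CPPM: reply on the ingress interface unless overridden."""
            override = self._static_match(ipaddress.ip_address(dst))
            if override:
                return override
            if self.data_subnet is None:
                return "mgmt"
            return ingress_iface

        def egress_for_outbound(self, dst: str) -> str:
            """CPPM-initiated traffic (AD, LDAP, NTP, CoA, cluster, ...)."""
            addr = ipaddress.ip_address(dst)
            override = self._static_match(addr)
            if override:
                return override
            if self.data_subnet is None:
                return "mgmt"
            if addr in self.mgmt_subnet:
                return "mgmt"
            if addr in self.data_subnet:
                return "data"
            return "data"  # neither subnet: data interface by default

        def stateful_path_asymmetric(self, ingress_iface: str, dst: str) -> bool:
            """True when replies to a host and connections CPPM opens to that same
            host leave on different interfaces, i.e. a stateful firewall between
            them could see the two directions on different links."""
            return self.egress_for_reply(ingress_iface, dst) != self.egress_for_outbound(dst)


    if __name__ == "__main__":
        # Constructed sample addressing (RFC 5737 / private ranges), not from the thread.
        r = CppmRouting("10.1.0.0/24", "10.2.0.0/24")
        client = "192.0.2.10"  # admin PC in a third subnet, reaching the web UI on mgmt
        print("reply to admin client leaves on:", r.egress_for_reply("mgmt", client))
        print("CPPM-initiated to that client leaves on:", r.egress_for_outbound(client))
        print("asymmetric for a stateful firewall:", r.stateful_path_asymmetric("mgmt", client))
        r.add_static_route("192.0.2.0/24", "mgmt")
        print("after static route, asymmetric:", r.stateful_path_asymmetric("mgmt", client))
    ```

    The model makes the earlier question concrete: with a mgmt NIC in subnet A, a data NIC in subnet B and an admin PC in subnet C, the reply to the PC goes back out mgmt, but anything CPPM itself opens towards subnet C (for example a context-server or LDAP host that happens to live there) goes out data, so a firewall in between sees the two directions on different links until a static route pins subnet C to one interface.
    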


  • 10.  RE: CPPM data port and mgmt port.

    Posted Feb 04, 2018 02:56 PM
    • If the data interface is not configured all traffic will use the Management Interface.

    I am interested to ask whether the same principle is also valid for VMC.

    As I know the Management NIC is for the Web GUI, so let's say I want simplicity for testing purposes.

    Can I use the MGMT NIC for the Web GUI and data traffic as well?

    tq



  • 11.  RE: CPPM data port and mgmt port.

    EMPLOYEE
    Posted Feb 04, 2018 03:03 PM

    .



  • 12.  RE: CPPM data port and mgmt port.

    Posted Feb 04, 2018 04:58 PM

    Correct. It's mandated that the MGMT interface is configured. Regardless of appliance or VM, in that scenario ALL data will go IN/OUT of the MGMT interface.



  • 13.  RE: CPPM data port and mgmt port.

    Posted Mar 24, 2014 02:35 PM
    Hi!!

    Thank you very much! It is all I need!! :)


  • 14.  RE: CPPM data port and mgmt port.

    Posted Mar 27, 2014 02:09 PM

    Can I only set up one interface for the VM version? it won't let me put them both on the same subnet !!

    Thanks,



  • 15.  RE: CPPM data port and mgmt port.

    Posted Mar 27, 2014 04:11 PM

    You can't have the data and mgmt port in the same subnet in general; that is the whole idea of splitting them.



  • 16.  RE: CPPM data port and mgmt port.

    Posted Mar 27, 2014 04:13 PM

    Yes, just use the MGMT interface.



  • 17.  RE: CPPM data port and mgmt port.

    Posted Mar 27, 2014 05:05 PM

    Thanks very much for the quick response.