Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

I broke the ClearPass network config

  • 1.  I broke the ClearPass network config

    Posted May 29, 2015 04:20 PM

    I'm using a CP eval VM in ESXi 6.0.  I have two interfaces attached -- one for my lab management network (with access from userland), and one for the lab data network.  These correspond, coincidentally enough, to CP's mgmt and data interfaces.

    The data network interface is a trunk port from ESX to my switch.  I would like to tag this traffic with VLAN 100, but I can fall back to untagged if I have to.

    I first configured both mgmt and data as untagged (172.16.0.88 for mgmt, 192.168.0.88 for data), but tried to get fancy and create a VLAN under Administration > Server Configuration > (Server instance) > Network tab > Create VLAN.  I added VLAN 100, with the same IP (temporarily), and saved that page.  Then I went back to the System tab and removed the IP from the (untagged) data interface.  It stopped and restarted services, then complained that my session was expired.

    So I logged back in, and saw that the data IP was gone (as it should be), and the VLAN was set up (as it should be).  Except... there's no way to set a default gateway on a VLAN... or any routes at all... so I thought about how this was going to work (it wasn't going to work), and tried to remove the VLAN.  It just complained about my expired session again.  So I logged in.  Again.  This time, it said the new VLAN was on the Mgmt interface (it shouldn't be).  I deleted it and saved changes.

    Then, I tried to add the data IP back to the physical interface so I could have routing again, but I got this error (shown here from the CLI since it's easier to copy/paste):

    [appadmin@clearpass.lab.local]# configure ip data 192.168.0.88 netmask 255.255.255.0 gateway 192.168.0.1

    ********************************************************
    *                                                      *
    * WARNING: Running this command might cause system     *
    * to lose network connectivity and may require relogin.*
    *                                                      *
    ********************************************************

    Continue? [y|n]: y
    ERROR - Detected duplicate IPv4 Address. 192.168.0.88 is already assigned to the device [00:1E:F7:24:90:A0].
    [appadmin@clearpass.lab.local]#

    Here's the problem...  The device with that MAC address is a lab router interface with no interfaces at all in common with the data interface.  In fact, if I unplug that router, the MAC address just changes to some other address.  I get this error even if I make up totally bogus IPs, and even if I tell ESX to disconnect the data interface from the vSwitch.  I've rebooted and powered down the VM, changed switches(!)... no change.

    I'm not too concerned with this VM.  It's freshly deployed in a lab.  But I AM concerned about knowing how to fix this, since I may come across this some day when I'm at a customer's site, where "meh.. just rebuild it" will go over like warm beer.

    Any ideas?



  • 2.  RE: I broke the ClearPass network config

    Posted May 29, 2015 04:24 PM

    Forgot:  CPPM version 6.5.0.71095



  • 3.  RE: I broke the ClearPass network config

    Posted May 29, 2015 04:48 PM

    Nick,

    In 6.5.1 we added support to add the VLAN routing into the CLI; this is the piece you're missing.

    [Attached image: Bug__20185__No_VLAN_Routing_-_CPPM_-_Redmine.jpg]



  • 4.  RE: I broke the ClearPass network config

    Posted May 29, 2015 05:43 PM

    Ah, that's really good to hear!  (I was quite surprised to find that missing.)

    Pardon the obvious, but where is the 6.5.1 update?  I looked through the software tree (ClearPass > Policy Manager > Current Release) and saw a 6.5.0 cumulative patch 1 in the Patches folder, and the OVF files for 6.5.0 in the ESXi folder, and something that looks like 6.4 to 6.5 in the Upgrade folder.  No patch or upgrade to 6.5.1 that I can find.

    Also, in the meantime, I'm still curious what's going on with the "IP address already in use" error.  I found out that if I tell ESX to "unplug" both interfaces, then log in through the virtual console, it will allow me to change the IP.  I do not get any conflicts after the fact, so it seems like a problem with the in-use detection?



  • 5.  RE: I broke the ClearPass network config

    Posted May 29, 2015 11:09 PM

    Nick,

    6.5.0 patch 1 is 6.5.1.