
Pros and Cons of VIP vs Physical IP address

Hi,

What are the pros and cons of using ClearPass (Wireless, Wired NAC, TACACS+) Virtual IP or Physical IP address?

How do I decide which one is better for the scenario below?

Thanks.

Situation

- 2 data centres

- 2 x CPPM at each data centre

- 10 x branch WLAN controllers

- 200 x switches which need TACACS+

Re: Pros and Cons of VIP vs Physical IP address

I can't comment on the cons of either the physical or virtual IP (VIP) address, because the usage of these IP addresses on the network devices comes down to your requirement and the network design.

The virtual IP address has the advantage of being configured as a single RADIUS/TACACS/captive-portal server with auto-failover when the primary server is down and fall-back once the primary server is up.

I recommend using the virtual IP address, especially if you are implementing Layer 3 authentication (guest registration/login). The VIP can direct the users to the secondary server without any manual configuration change.

Thank you,
Saravanan Rajagopal


NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: Pros and Cons of VIP vs Physical IP address


@david.cw.liu1 wrote:

Hi,

What are the pros and cons of using ClearPass (Wireless, Wired NAC, TACACS+) Virtual IP or Physical IP address?

How do I decide which one is better for the scenario below?

Thanks.

Situation

- 2 data centres

- 2 x CPPM at each data centre

- 10 x branch WLAN controllers

- 200 x switches which need TACACS+


I would say that the VIP address is designed for guest page redirect on CPPM, where you can only redirect users to a single URL but you require some sort of redundancy. With TACACS and RADIUS, you can always add a second IP address in the NAS device for redundancy, but with guest scenarios, that is not possible. The VIP is for that scenario for people who cannot or do not want to put their guest traffic in front of a load balancer for redundancy.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Re: Pros and Cons of VIP vs Physical IP address

Thanks, Joseph.

So VIP is especially useful for Guest Portal resilience.

But will VIP impose extra downtime or manual work for upgrading the CPPM VIP group? (suppose 2 x CPPM form a VIP for guest portal purpose)

Thanks.

David
