New Contributor

clearpass default route via mgmt. port

hi guys,


Why does the default route for ClearPass use the data port and not the mgmt port?


When I am downloading software updates, ideally this traffic should go through the mgmt port on the AP port.


Re: clearpass default route via mgmt. port

Edit: See Danny's TechNote reference for specifics.


When you use both ports, the data port is used as the default route (for non-specific services/functions, i.e. out to the Internet). You can add a static route to use the management interface if you need to for certain destinations (for the update server, for example).


network ip add mgmt -d x.x.x.x

Systems Engineer, Northeast USA


Re: clearpass default route via mgmt. port

Please review my (Service Routing) TechNote at the following link to get an absolutely specific answer to the question about default routes. It is not true that the DATA port is always used as the default route. We in effect have two VRFs in CPPM, but hopefully if you read the TechNote it should help you understand what routes where and what doesn't.

Best Regards

ClearPass Product Manager

New Contributor

Re: clearpass default route via mgmt. port

Adding a static route to ClearPass can be tricky, which is why I would like to complete the previous answer.

Before adding a static route, pay attention to the routing rules already in place:

network ip list


Here you'll see some IP rules, and some of them concern incoming traffic, like:

10020 : from all to lookup mgmt


This basically means "for all incoming datagrams going to the network, follow the mgmt interface and the default gateway".


If you add a static route without specifying a rule ID (like this):

network ip add mgmt -d x.x.x.x

this will create an entry with id=12000 and you'll have a very uncommon behaviour:


- From the ClearPass itself, you will be able to reach the destination (you pass through id=12000)

- From the distant subnet, you'll not be able to get a reply from the ClearPass (you pass through id=10020)


This can be very tricky, especially when you expect a RADIUS reply (because you'll see the RADIUS request in the Access Tracker), but as the RADIUS reply packet goes through the default gateway, you'll never get it from the NAS point of view...


So the definitive good way of adding a static route to ClearPass is to specify a rule ID which takes precedence over the default incoming rules (for instance 500), so the command looks like:


network ip add mgmt -i 500 -d x.x.x.x/24 -g y.y.y.y


This way, both initiated and incoming communication will work.


Laurent Asselin.
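The mechanism behind Laurent's answer is Linux policy routing (`ip rule` / `ip route`), which the `network ip` commands sit on top of: rules are tried in ascending priority, and the first rule whose selector matches the packet and whose table actually holds a route for the destination decides the next hop. The following Python model is an added example, not ClearPass's own code or routing tables. The addresses, gateways and table contents are constructed, and the 10020 rule is assumed to select on the management source address (which a freshly originated packet does not carry yet, while a RADIUS reply does); that assumption is what reproduces the asymmetric behaviour described above for a rule at 12000 versus one at 500.

```python
"""Model of Linux policy routing: ascending-priority rule evaluation, where a
rule whose table has no route for the destination is skipped.

Added illustration only; the addresses, table names, gateways and the shape
of the 10020 selector are constructed, not taken from a ClearPass box.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str   # destination prefix, e.g. "10.50.0.0/24" or "0.0.0.0/0"
    via: str      # next-hop gateway ("0.0.0.0" for an on-link route)
    dev: str      # egress interface


@dataclass(frozen=True)
class Rule:
    prio: int                  # lower numbers are evaluated first
    table: str                 # table consulted when the selector matches
    src: Optional[str] = None  # "from" selector prefix; None means "from all"
    dst: Optional[str] = None  # "to" selector prefix; None means any destination


def lookup(table: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match inside one table; None if nothing covers dst."""
    addr = ip_address(dst)
    best = None
    for r in table:
        net = ip_network(r.prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best


def route_packet(rules: list[Rule], tables: dict[str, list[Route]],
                 src: Optional[str], dst: str) -> tuple[int, Route]:
    """Return (winning rule priority, chosen route) for one packet.

    src is None for a locally originated packet whose source address has not
    been picked yet (the kernel's first lookup runs with an unspecified
    source), and the bound socket address for a reply to a received request.
    """
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src is not None and (src is None or ip_address(src) not in ip_network(rule.src)):
            continue
        if rule.dst is not None and ip_address(dst) not in ip_network(rule.dst):
            continue
        route = lookup(tables.get(rule.table, []), dst)
        if route is not None:  # a matching rule with an empty table is skipped
            return rule.prio, route
    raise LookupError(f"no route to {dst}")


# Constructed scenario (not real ClearPass values).
MGMT_IP = "198.51.100.10"      # management interface address
DEFAULT_GW = "198.51.100.1"    # gateway the existing 10020 rule ends up using
STATIC_GW = "198.51.100.254"   # next hop we want for the NAS subnet
NAS_NET = "10.50.0.0/24"       # subnet the NAS lives in
NAS_IP = "10.50.0.7"

TABLES = {
    # Table behind the pre-existing rule: only on-link plus a default route.
    "mgmt": [Route("198.51.100.0/24", "0.0.0.0", "mgmt"),
             Route("0.0.0.0/0", DEFAULT_GW, "mgmt")],
    # Table the static route lands in.
    "static": [Route(NAS_NET, STATIC_GW, "mgmt")],
}

# Assumed shape of the 10020 rule: it matches packets sourced from the mgmt IP.
BASE_RULES = [Rule(10020, "mgmt", src=MGMT_IP + "/32")]


def with_static_route(prio: int) -> list[Rule]:
    """Model of `network ip add mgmt -i <prio> -d 10.50.0.0/24 -g <gw>` as a
    rule at that priority pointing at the 'static' table (the thread says a
    route added without -i lands at 12000)."""
    return BASE_RULES + [Rule(prio, "static", dst=NAS_NET)]


def compare(prio: int) -> dict[str, tuple[int, str]]:
    """Which rule and gateway an outbound packet and a reply packet get."""
    rules = with_static_route(prio)
    out_prio, out_route = route_packet(rules, TABLES, None, NAS_IP)
    reply_prio, reply_route = route_packet(rules, TABLES, MGMT_IP, NAS_IP)
    return {"outbound": (out_prio, out_route.via), "reply": (reply_prio, reply_route.via)}


if __name__ == "__main__":
    for prio in (12000, 500):
        print(f"static route at rule {prio}: {compare(prio)}")
```

With the rule at 12000 the outbound packet is routed by the static entry, but the reply (source address already set to the management IP) matches the 10020 rule first and follows that table's default route, which is the asymmetry the post describes. With the rule at 500 both directions resolve through the static entry before 10020 is ever consulted.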


Regular Contributor I

Re: clearpass default route via mgmt. port

Laurent, great answer. This explains my problem exactly.

Only question remaining is, why is ClearPass routing so strange!?

New Contributor

Re: clearpass default route via mgmt. port

Is there any way to add 2 default routes? We created 2 VLANs on CPPM Mgmt and need to add 2 -d 0/0 and we get the error "Failed to add route". On a normal Unix machine you can add two default routes on 2 VLANs.