NAC Appliance in IB VGW L3 mode - routing question

ovt
Level 4

Hi!

I'm testing Clean Access in In-band VGW mode with clients that are *not* directly connected to the CAS (i.e. L3-adj. mode).

Can anybody tell me do I need to configure static routes on the CAS for user subnets? It seems that the CAS always send traffic via the trusted eth0 interface with the eth0 IP as the source. It doesn't use the eth1 IP (even if it is different than eth0 IP and the static route is pointing via the eth1).

So, it seems that eth1 (untrusted side) IP doesn't really matter and static routes are not used in VGW mode. Is my understanding correct?

5 Replies

Daniel Laden
Level 4

For anything that is L2 adjacent to the CAS, you will not need a static route (managed subnet present). All other subnets will need a static route.

The CAS in VGW mode is an L2 device and only has one used IP address. Typically the trusted and untrusted are the same IP address.

> All other subnets will need a static route

1. Why does the CAS need a static route if it already has default route via the trusted interface ???

2. In case I configure the static route should I specify the trusted interface or untrusted interface in this route ???

The client is inband. The traffic destined for the client will have to come in the trusted and out the untrusted. The return traffic has to come in the untrusted and out the trusted.

The static route for the client IP will need to be associated with the untrusted interface. The route will need to point to a router interface other than the one used on the trusted side.

Take a look at the following link:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cas/s_L3oob.html

And the chalk talk series on 'Chalk Talk 2: Configuring NAC Appliance in In-Band Mode' solutions (you can download the PDF under 'Additional Resources'...particularly slide 15)

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

Hope this helps,

Dan Laden

Thanks a lot for the reply, however it doesn't help.

> The traffic destined for the client will have to come in the trusted and out the untrusted. The return traffic has to come in the untrusted and out the trusted.

This is only correct from a bridging point of view. This is *not* correct from a routing point of view.

1. As you know static routes are used to route traffic, right? And the routing is needed for *VGW* CAS solely to communicate with clients and the CAM.

2. As you pointed out earlier "the CAS usually has the same IP address on trusted and untrusted interfaces", right?

3. This IP address is needed for CAM-CAS communications, right?

4. So, it must be from the same IP network as the CAS default gateway. For example, the CAS trusted (and untrusted) IP is 10.10.10.1, the default gateway for CAS is 10.10.10.2.

5. At the same time the remote users are coming from the untrusted side. The previous-hop router (on the CAS untrusted side) has the IP address 192.168.88.1 and the next-hop router (on the CAS trusted side) has the IP address 192.168.88.2. The user's network is 172.16.172.0. So far, so good?

6. What are you suggesting now: specify on the CAS the following IP route:

172.16.172.0/24 via 192.168.88.1 (via untrusted eth1)

7. The problem is that the untrusted (eth1) interface has the IP address 10.10.10.1 and the router has 192.168.88.1! They're on different subnets! Does this route make sense? It looks more like a shortcut than a normal route. Why not just use the default route pointing to the 10.10.10.2 to reach the 172.16.172.0? The traffic can reach user subnet 172.16.172.0 via the following path: 10.10.10.1(trusted intf)->10.10.10.2->192.168.88.2->192.168.88.1->172.16.172.x!

The only question is: which interface, trusted or untrusted, the CAS will use to communicate with clients in case it has the same IP on the untrusted and trusted interfaces and no other routes configured, except the default route?

I know for sure, if the VGW CAS has different IPs on the trusted and untrusted interfaces, it always uses the trusted interface to communicate with clients!

Pretty clear, right?

Answering my own question: "which interface, trusted or untrusted, the CAS will use to communicate with clients in case it has the same IP on the untrusted and trusted interfaces and no other routes configured, except the default route?".

The Answer: The VGW CAS will use the trusted interface to communicate with clients. Static routes are not needed.

If the static route is specified via the untrusted interface, the CAS will still use the trusted interface IP address as the source IP, but will send packets out the untrusted interface with the untrusted interface MAC as the source. This is tricky and doesn't give much optimization -- the traffic coming from a PC will have the next-hop router's MAC address as the destination, rather than the CAS untrusted MAC address. (The traffic is "shortcutted" one way, not the other).

Thx me.
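The following is an added example, not code from the thread or from Cisco: a small longest-prefix-match routing model built on the addresses ovt used (CAS 10.10.10.1/24 on both interfaces, default gateway 10.10.10.2, user subnet 172.16.172.0/24 behind 192.168.88.1 on the untrusted side). It shows the two routing facts the discussion turns on: a /24 static route wins over the default route whenever one is installed, and a gateway that is not inside the egress interface's own subnet is the kind of "shortcut" route ovt describes in point 7, which a generic host only accepts when explicitly told the gateway is on-link (the `onlink` flag here mirrors the Linux `ip route ... onlink` semantics and is an assumption about the model, not a CAS setting). The model's source-address rule (address of the egress interface) is the generic host rule; ovt reports that the real CAS keeps the trusted IP as the source even when it sends out eth1, so the model reproduces the route-selection part of the argument, not the appliance's bridge-specific source handling. All function names are hypothetical.

```python
"""Added example: longest-prefix-match route selection on the thread's topology."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Interface:
    name: str
    address: ipaddress.IPv4Interface  # address with prefix, e.g. 10.10.10.1/24


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    gateway: Optional[ipaddress.IPv4Address] = None
    # Linux-style "onlink" (assumed semantics): accept a gateway that is not
    # inside the egress interface's own subnet, i.e. the "shortcut" route.
    onlink: bool = False


class RoutingTable:
    """Minimal host routing table: install routes, pick the longest match."""

    def __init__(self, interfaces):
        self.ifaces = {i.name: i for i in interfaces}
        self.routes = []

    def add(self, route: Route) -> None:
        iface = self.ifaces[route.dev]
        if (route.gateway is not None
                and route.gateway not in iface.address.network
                and not route.onlink):
            raise ValueError(
                f"gateway {route.gateway} is not on {iface.name}'s subnet "
                f"{iface.address.network}; an onlink route would be required")
        self.routes.append(route)

    def lookup(self, dst: str) -> dict:
        dst_ip = ipaddress.IPv4Address(dst)
        matches = [r for r in self.routes if dst_ip in r.prefix]
        if not matches:
            raise LookupError(f"no route to {dst}")
        best = max(matches, key=lambda r: r.prefix.prefixlen)  # longest prefix wins
        iface = self.ifaces[best.dev]
        return {
            "dev": best.dev,
            "gateway": str(best.gateway) if best.gateway else None,
            "src": str(iface.address.ip),  # generic host rule: egress interface address
        }


def cas_table(untrusted_ip: str = "10.10.10.1",
              static_route: bool = False,
              onlink: bool = False) -> RoutingTable:
    """Build the thread's topology (addresses taken from ovt's post, constructed model)."""
    eth0 = Interface("eth0", ipaddress.IPv4Interface("10.10.10.1/24"))  # trusted
    eth1 = Interface("eth1", ipaddress.IPv4Interface(f"{untrusted_ip}/24"))  # untrusted
    table = RoutingTable([eth0, eth1])
    table.add(Route(ipaddress.IPv4Network("0.0.0.0/0"), "eth0",
                    ipaddress.IPv4Address("10.10.10.2")))
    if static_route:
        # ovt's point 6: 172.16.172.0/24 via 192.168.88.1 out the untrusted eth1
        table.add(Route(ipaddress.IPv4Network("172.16.172.0/24"), "eth1",
                        ipaddress.IPv4Address("192.168.88.1"), onlink=onlink))
    return table


def shortcut_route_accepted(onlink: bool) -> bool:
    """Does the model accept the off-subnet static route without/with onlink?"""
    try:
        cas_table(static_route=True, onlink=onlink)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("default route only:", cas_table().lookup("172.16.172.10"))
    print("plain static route accepted:", shortcut_route_accepted(False))
    print("onlink static route:",
          cas_table(static_route=True, onlink=True).lookup("172.16.172.10"))
```

With only the default route, 172.16.172.10 is reached out eth0 via 10.10.10.2 with source 10.10.10.1, which is the path ovt lists in point 7. Installing the static route without `onlink` is rejected because 192.168.88.1 is not on eth1's 10.10.10.0/24 subnet; with `onlink` it is accepted and the /24 then wins over the default route, sending traffic out eth1 while the source address stays 10.10.10.1 because both interfaces carry the same IP.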
