Cisco NAC3350-PROF-K9 Hardware Installation Guide - Page 142
Choosing External IPs for Link-Based Failover, CAS High Availability Requirements, Physical Connection
Page 142 highlights
Installing a Clean Access Server High Availability Pair
Chapter 4 Configuring High Availability (HA)

Choosing External IPs for Link-Based Failover

• Keep in mind that when the CAS initiates traffic, it will always send packets out of its untrusted (eth1) interface except for packets destined to its default gateway. Therefore, when choosing an external IP on the trusted network for the CAS to ping via the eth0 interface, choose any IP belonging to a subnet other than the CAS subnet.
• The external IP addresses should be different for the trusted and untrusted interfaces.
• When choosing an external IP on the untrusted network for the CAS to ping via the eth1 interface:
  - This IP has to exist on the CAS management subnet.
  - It cannot be the default gateway of the CAS.
  - The CAS will send these ping packets out of the eth1 interface.
  - Verify whether Set Management VLAN ID is enabled for the eth1 interface. If this option is not enabled, the CAS will send traffic out untagged on the eth1 interface. The switch will determine whether these packets should be received on its native VLAN. Therefore, on the untrusted interface, ensure that the native VLAN is being forwarded.
  - The external IP address will be in the CAS management subnet, but on the untrusted side the traffic will be going out from the CAS in the native VLAN; hence, ensure the native VLAN is being forwarded towards the external IP device.

Refer to c. Configure HA-Primary Mode and Update, page 4-28 and c. Configure HA-Secondary Mode and Update, page 4-34 for additional configuration details.

CAS High Availability Requirements

This section describes additional planning considerations when implementing high availability.

Note: In a CAS HA deployment using NAT on the trusted (eth0) side, you must ensure that the -Dperfigo.nat.serviceip=
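The address rules listed under Choosing External IPs for Link-Based Failover can be checked before the values are entered on the HA pair. The Python sketch below is an added example, not part of the Cisco guide: the function name, its parameters and the sample addresses are constructed for illustration, and it assumes that "CAS subnet" and "CAS management subnet" refer to the same network.

```python
import ipaddress


def check_failover_ips(cas_subnet, default_gw, trusted_ip, untrusted_ip,
                       eth1_mgmt_vlan_id_set):
    """Validate a proposed pair of external ping targets.

    Returns (errors, notes): errors are rule violations from the guide,
    notes are switch-side items to verify by hand.
    """
    net = ipaddress.ip_network(cas_subnet)      # raises on host bits set
    gw = ipaddress.ip_address(default_gw)
    trusted = ipaddress.ip_address(trusted_ip)
    untrusted = ipaddress.ip_address(untrusted_ip)
    errors, notes = [], []

    # eth0 target: must belong to a subnet other than the CAS subnet.
    if trusted in net:
        errors.append(f"trusted IP {trusted} is inside the CAS subnet {net}")

    # eth1 target: must exist on the CAS management subnet ...
    if untrusted not in net:
        errors.append(f"untrusted IP {untrusted} is not in the CAS subnet {net}")
    # ... and cannot be the CAS default gateway.
    if untrusted == gw:
        errors.append(f"untrusted IP {untrusted} is the CAS default gateway")

    # The two interfaces need different external IPs.
    if trusted == untrusted:
        errors.append("trusted and untrusted external IPs are identical")

    # Without Set Management VLAN ID, eth1 pings leave untagged, so the
    # switch must forward its native VLAN toward the external IP device.
    if not eth1_mgmt_vlan_id_set:
        notes.append(f"eth1 pings are untagged: confirm the native VLAN is "
                     f"forwarded toward {untrusted}")
    return errors, notes


if __name__ == "__main__":
    # Constructed sample values (RFC 1918 space), not taken from the guide.
    errs, notes = check_failover_ips("10.10.20.0/24", "10.10.20.1",
                                     "10.10.20.7", "10.10.20.1", False)
    for line in errs + notes:
        print(line)
```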