
Managed Subnets

Background:

The most misunderstood topic in the configuration of NACA is Managed Subnets. Every time I get a call about a LAN deployment that is not working, the first thing I say is "Managed Subnets!". Hopefully, by reading this you will start to understand the taboo term and know when and where to configure Managed Subnets.

Managed Subnets Theory:

"For all CAS modes in L2 deployments (Real-IP/Virtual Gateway) when configuring additional subnets, you must configure Managed Subnets in the CAS so that the CAS can send ARP queries with appropriate VLAN IDs for client machines on the untrusted interface."

The first question you must ask during deployment is "is there more than one VLAN on the untrusted side of the CAS?" If so, you need to give the CAS "logical interfaces" so that the CAS can "manage" those VLANs/subnets. The best way to think about managed subnets is to think about a "router on a stick" deployment: a single physical interface carries multiple sub-interfaces in order to reduce the number of physical interfaces on the router. The same concept applies to the CAS. The CAS uses 802.1Q (dot1q) trunking to logically manage multiple subnets on its untrusted interface. Why does the CAS need to do this? The CAS must be able to communicate with the clients on each of the subnets connected to its untrusted interface; this includes Web Redirection, the SWISS protocol, and so on. The first step in any of that communication is being able to ARP, and without managed subnets the CAS cannot ARP for clients off its untrusted interface, because it does not know which VLAN tag to put on the ARP request.

When to use Managed Subnets:

"Managed Subnets are only for user subnets that are Layer 2 adjacent to the CAS. For all CAS modes in L3 deployment, Static Routes must be configured for the user subnets that are one or more hops away. Managed subnets should not be configured for these subnets."

Layer 2 Deployment = Managed Subnets

Layer 3 Deployments = Static Routes

This logic applies to In-Band and Out-of-Band, Real-IP and Virtual Gateway, and Central and Edge deployments alike. If you are a newbie to NACA, please review the NACA ChalkTalks (CCO login required) before thinking too hard about this.

How to configure Managed Subnets:

Managed Subnets are configured per CAS in the CAM at Device Management - Clean Access Server - Manage X.X.X.X - Advanced - Managed Subnet.

There are four configuration fields:

IP Address - This value varies based on the type of deployment:
  • Real-IP Gateway: Think of router on a stick. This IP address will be the Default Gateway for the clients on the untrusted VLAN.
  • Virtual Gateway: This needs to be an UNUSED IP address on that subnet; the CAS is bridging, so it must not collide with the real gateway or any client.

Subnet Mask - The mask for the IP address used above.

VLAN ID - The VLAN ID of the untrusted VLAN. This is required EVEN when using Virtual Gateway.

Description - Remember that the next engineer might not understand managed subnets and will need to read this to get a better understanding. Use best-practice descriptions.
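To make the "is there a managed subnet for this client?" question concrete, here is a small model of the Managed Subnet table and the rules stated above. This is an added illustration, not Cisco code and not how the CAS is implemented internally: it assumes a row is the four fields just listed, checks the Real-IP rule (the IP must be the clients' default gateway), the Virtual Gateway rule (the IP must be unused), and resolves which VLAN ID the CAS would tag an ARP request with for a given client. The overlap check and the "first covering entry wins" lookup are my assumptions; the page does not say how the CAS handles overlapping entries. The sample table and gateway values are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class ManagedSubnet:
    """One row of the Managed Subnet table: the four fields from the post."""
    ip: str            # IP Address field
    mask: str          # Subnet Mask field
    vlan: int          # VLAN ID of the untrusted VLAN
    description: str   # Description field

    @property
    def network(self) -> IPv4Network:
        # ipaddress accepts the dotted-netmask form, e.g. 10.10.10.1/255.255.255.0
        return IPv4Interface(f"{self.ip}/{self.mask}").network


def validate(entries: Sequence[ManagedSubnet], mode: str,
             client_gateways: Optional[Dict[str, str]] = None,
             used_addresses: Iterable[str] = ()) -> List[str]:
    """Check a managed-subnet table against the rules in the post.

    mode:            "real-ip" or "virtual" (the CAS gateway mode)
    client_gateways: subnet -> default gateway the clients on it use
                     (Real-IP rule: the managed subnet IP must be that gateway)
    used_addresses:  addresses already in use on the network
                     (Virtual Gateway rule: the managed subnet IP must be unused)
    Returns human-readable problems; an empty list means the table passes.
    """
    problems: List[str] = []
    used = set(used_addresses)
    gateways = {IPv4Network(k): IPv4Address(v)
                for k, v in (client_gateways or {}).items()}
    seen: List[ManagedSubnet] = []
    for e in entries:
        try:
            net = e.network
        except ValueError as exc:
            problems.append(f"{e.ip}/{e.mask}: bad address or mask ({exc})")
            continue
        addr = IPv4Address(e.ip)
        if not 1 <= e.vlan <= 4094:
            problems.append(f"{net}: VLAN ID {e.vlan} is out of range")
        if not e.description.strip():
            problems.append(f"{net}: empty description (the next engineer needs one)")
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{net}: {addr} is the network or broadcast address")
        if mode == "real-ip":
            gw = gateways.get(net)
            if gw is not None and gw != addr:
                problems.append(f"{net}: Real-IP mode needs the clients' gateway {gw}, got {addr}")
        elif mode == "virtual":
            if str(addr) in used:
                problems.append(f"{net}: Virtual Gateway mode needs an UNUSED IP, {addr} is in use")
        else:
            problems.append(f"unknown CAS mode {mode!r}")
        # Assumption (not stated on the page): overlapping managed subnets are a mistake.
        for other in seen:
            if net.overlaps(other.network):
                problems.append(f"{net}: overlaps {other.network} (VLAN {other.vlan})")
        seen.append(e)
    return problems


def arp_vlan_for(client_ip: str, entries: Sequence[ManagedSubnet]) -> Optional[int]:
    """VLAN ID the CAS would tag an ARP query for client_ip with, or None when
    no managed subnet covers the client (the CAS then cannot ARP for it at all)."""
    addr = IPv4Address(client_ip)
    for e in entries:           # assumption: first covering entry wins
        if addr in e.network:
            return e.vlan
    return None


# Constructed sample table: two untrusted VLANs hanging off one CAS
SAMPLE = [
    ManagedSubnet("10.10.10.1", "255.255.255.0", 10, "Untrusted VLAN 10 - employee onboarding"),
    ManagedSubnet("10.10.20.1", "255.255.255.0", 20, "Untrusted VLAN 20 - guest onboarding"),
]

if __name__ == "__main__":
    print(validate(SAMPLE, "real-ip", {"10.10.10.0/24": "10.10.10.1"}))  # []
    print(arp_vlan_for("10.10.20.55", SAMPLE))   # 20
    print(arp_vlan_for("10.10.30.5", SAMPLE))    # None: no managed subnet, so no ARP
```

The `None` result for `10.10.30.5` is the situation behind most "LAN deployment not working" calls: the client sits on an untrusted VLAN that has no managed subnet row, so the CAS has no VLAN tag to ARP with and web redirection never reaches it. Running the table through `validate` before cutover turns that into a checklist item rather than a support call.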

Figure 1 - Sample Managed Subnet

Summary:

Managed Subnets are something that gets overlooked a lot, but after you take the time to understand them, they really are just another check on the deployment checklist. Make sure that the next time you are practicing NACA, you create a lab scenario that requires managed subnets! Cheers!

Source: CAS Admin Guide
