CLEANACCESS Archives

October 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Rajesh Nair (rajnair)" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Mon, 23 Oct 2006 12:41:54 -0700
Content-Type: text/plain

One clarification - if you set the L3 discovery host IP to a
non-existent/private/different IP address, the following agent upgrade
WILL update the discovery host setting on client machines that already
have an agent installed.  

-Rajesh.

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Alok Agrawal
(alagrawa)
Sent: Monday, October 23, 2006 12:30 PM
To: [log in to unmask]
Subject: Re: CCA and unwanted L3 Agent queries

Hey Bruce,
The discovery host address doesn't have to be allocated to a device. The
discovery host IP can be any IP (on the trusted network) that is
routable from the untrusted network. The CAS doesn't forward the agent
discovery packets out.

The goal is to make the agent discovery packets hit the untrusted port
of the CAS. For L2 mode, the traffic will hit the CAS before hitting the
default gateway, hence the discovery host doesn't really matter. For L2
users, the agent sends discovery packets on port 8905 destined to the
default gateway.
regards
-Alok

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Bruce Hudson
Sent: Monday, October 23, 2006 12:20 PM
To: [log in to unmask]
Subject: Re: CCA and unwanted L3 Agent queries

 
> 1) It is recommended that the discovery Host not be the CAS IP address.
> In fact, it should be the IP address of a device on the trusted side
> (beyond the CAS) - Preferably the CAM.

    Just out of curiosity, does it have to be an address actually
allocated to a device? In Virtual Gateway mode, the traffic should use
default route and go to the router (through the CAS) whether the IP is
valid or not.

    Does the CAS actually pass the traffic in normal operation?
--
Bruce A. Hudson				| [log in to unmask]
UCIS, Networks and Systems		|
Dalhousie University			|
Halifax, Nova Scotia, Canada		| (902) 494-3405
