Default Group Address Pool for Access Server
This document explains how the default group address pool functionality works in Access Server and provides tips for setting it up with your network, including cluster setups.
How the default group address pool works on Access Server
A user assigned to a group will be assigned an IP address from the group's default address pool. If a subnet is defined on the group, that will be used instead. If neither is defined, an error message will result.
Important
A subnet's first and last IP addresses are reserved for use by the Access Server itself.
For example, with the subnet 192.0.2.0/24 and four connected clients, Access Server assigns these IP addresses:
192.0.2.2
192.0.2.3
192.0.2.4
192.0.2.5
Note
In our documentation, we use example IPv4 addresses and subnets reserved for documentation, such as 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24.
Ensure you replace them with valid IPv4 addresses and subnets for your network(s).
Default group address pool on standalone Access Servers
The process for a user looks like this:
1. Create the user in the Admin Web UI.
2. Assign the user to a group that doesn't have its own group subnet defined.
3. When the user connects, Access Server assigns an IP address from the group default IP address network subnet.
If you then define access for that user to other subnets using routing or NAT, Access Server grants access without issue. Because only one Access Server uses this subnet, a single route is enough for routing to function properly.
One server = one group address pool.
Default group address pool on a cluster of Access Servers
Access Server handles the default group address pool differently in a cluster setup.
The administrator can assign unique group default address subnets to each node. That way, routing can be set up to direct packets to the correct subnets.
The following table provides an example:
Node | User | Group | Subnet | IP address |
---|---|---|---|---|
Alpha node | User A | Group 1 | 192.0.2.0/24 | 192.0.2.2 |
Beta node | User B | Group 1 | 198.51.100.0/24 | 198.51.100.2 |
Gamma node | User C | Group 1 | 203.0.113.0/24 | 203.0.113.2 |
Now, each node in the cluster has its own VPN network and VPN clients. A single subnet is no longer assigned to all nodes. Because each node uses a unique subnet, routing now works on cluster configurations where only NAT worked previously.
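
A check for the per-node subnets in the table above, as an added example that is not part of Access Server or its documentation: it confirms that no two nodes' group default pools overlap, lists the client addresses a pool would hand out, and finds the node a route for a client address must point at. The node keys and function names are hypothetical, and it assumes the reserved "first and last" addresses are the first and last usable host addresses, which matches the 192.0.2.2 to 192.0.2.5 example.

```python
import ipaddress
from itertools import combinations

# Constructed sample: per-node group default subnets from the table above.
NODE_POOLS = {
    "alpha": "192.0.2.0/24",
    "beta": "198.51.100.0/24",
    "gamma": "203.0.113.0/24",
}

def parse_pools(pools):
    """Parse {node: CIDR}; strict=True rejects CIDRs with host bits set."""
    return {n: ipaddress.ip_network(c, strict=True) for n, c in pools.items()}

def find_overlaps(pools):
    """Node pairs whose pools overlap, i.e. a route could not pick one node."""
    nets = parse_pools(pools)
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def client_addresses(cidr, count):
    """First `count` client IPs, skipping the first and last host address
    (assumption: these are the two addresses the server reserves)."""
    net = ipaddress.ip_network(cidr, strict=True)
    usable = net.num_addresses - 4  # network, broadcast, first and last host
    if count > usable:
        raise ValueError(f"{cidr} has room for {max(usable, 0)} clients")
    first = net.network_address + 2
    return [str(first + i) for i in range(count)]

def node_for(ip, pools):
    """Node whose pool contains `ip` (where its route must point), or None."""
    addr = ipaddress.ip_address(ip)
    overlaps = find_overlaps(pools)
    if overlaps:
        raise ValueError(f"overlapping pools: {overlaps}")
    for node, net in parse_pools(pools).items():
        if addr in net:
            return node
    return None

if __name__ == "__main__":
    print(find_overlaps(NODE_POOLS))
    print(client_addresses("192.0.2.0/24", 4))
    print(node_for("198.51.100.2", NODE_POOLS))
```

An address that `node_for` maps to no node belongs to no default pool, and a non-empty `find_overlaps` result means two nodes would be reachable through the same route.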