When Cisco Cloud Web Security and Cisco Integrated Services Routers (ISR) Generation 2 (G2) are deployed back-to-back, they require a Lightweight Directory Access Protocol (LDAP) request to traverse the VPN tunnel between Cloud Web Security and the Cisco ISR G2. In such cases, the source interface IP address (example, the IP address of the LAN interface) must be specified in the LDAP query. Prior to the introduction of the Source Interface and VRF Support in LDAP feature, the source interface address cannot be specified in the source IP field of the LDAP query; instead the tunnel interface IP address was used in the source IP field.

The Source Interface and VRF Support in LDAP feature helps you configure a dedicated LDAP source interface address on Cisco ISR G2. The source interface address is configured on the Cisco ISR G2, and the device uses this interface address to originate all LDAP packets it sends to the LDAP server. The source interface address is also used for polling the end-server to ensure the reachability of the end-server.

The source interface IP (either an IPv4 or IPv6 address) address and virtual routing and forwarding (VRF) details are populated in the LDAP query while creating a TCP connection between the Cisco ISR G2 (client) and the LDAP server.

The VRF instance is configured on the Cisco ISR G2 and VRF table ID details are set in the socket option before creating a TCP connection to allow multiple instances of a routing table to coexist on the same device at the same time. Because routing instances are independent of each other, the same or overlapping IP address can be used without conflict.

The following illustration shows a Cloud Web Security deployment that uses an Authentication, Authorization, and Accounting (AAA) configuration that supports source interface address and virtual routing and forwarding (VRF) details, while establishing a TCP connection between Cisco Integrated Services Routers (ISR) Generation 2 (G2) and Cloud Web Security.

The following section describes the packet flow that happens in the deployment scenario shown in the illustration:

1. A AAA process posts a bind or search request to the Lightweight Directory Access Protocol (LDAP) process.

2. The LDAP process processes the AAA request.

3. A TCP connection is established <<between what >>before sending the request to the LDAP server.

   While creating the TCP connection, the source IP address and the VRF table details are set in the LDAP socket context.

4. • If the {ip | ipv6} ldap source-interface command is configured under the aaa group server ldap command, the source IP address and VRF details are populated before the TCP connection is established.

   • If the {ip | ipv6} ldap source-interface command is configured in global configuration mode; globally for the box, the source IP address and VRF details are populated after the TCP connection is established.

   • If the {ip | ipv6} ldap source-interface command is not configured, the best local IP address and the default table ID details are populated in the TCP packet while establishing the connection.

   • If you have configured the source interface address both under the aaa group server ldap command and in global configuration mode, the configuration under the aaa group server ldap command has the highest priority.

5. The LDAP process uses the TCP connection to send or receive packets.

6. If the source interface address or VRF configurations are changed or removed, the LDAP process tears down all existing TCP connections and establishes a new TCP connection with a new source interface address or the best local IP address when sending an LDAP packet.