Source Interface and VRF Support in LDAP Overview
When Cisco Cloud Web Security and Cisco Integrated Services Routers (ISR) Generation 2 (G2) are deployed back-to-back, Lightweight Directory Access Protocol (LDAP) requests from the Cisco ISR G2 must traverse the VPN tunnel between Cloud Web Security and the Cisco ISR G2. In such a deployment, the LDAP query must carry the address of a specific source interface (for example, the IP address of the LAN interface) in its source IP field. Before the Source Interface and VRF Support in LDAP feature was introduced, the source interface address could not be specified in the source IP field of the LDAP query; the tunnel interface IP address was used instead.
The Source Interface and VRF Support in LDAP feature lets you configure a dedicated LDAP source interface on the Cisco ISR G2. The device uses the address of that interface to originate every LDAP packet it sends to the LDAP server, including the packets it uses to poll the LDAP server and verify that it is reachable.
The source interface IP address (IPv4 or IPv6) and the virtual routing and forwarding (VRF) details are applied to the LDAP query when the TCP connection between the Cisco ISR G2 (the client) and the LDAP server is created.
The VRF instance is configured on the Cisco ISR G2, and its VRF table ID is set as a socket option before the TCP connection is opened, so that the connection is routed within that VRF. VRF allows multiple instances of a routing table to coexist on the same device at the same time. Because the routing instances are independent of each other, the same or overlapping IP addresses can be used in different VRFs without conflict.
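The following configuration is an added example that illustrates the feature described above; it is not taken from the original page. The VRF name, route distinguisher, interface names and IP addresses are assumed for illustration (the addresses are from the RFC 5737 documentation ranges), and the `source-interface` and `vrf` commands are assumed to be available in LDAP server configuration mode on a Cisco ISR G2 release that supports this feature. Check the command reference for your release before using it.

```text
! Define the VRF in which the LDAP connection must be opened (assumed name and RD).
ip vrf LDAP-VRF
 rd 65000:1
!
! LAN interface whose address becomes the source of all LDAP packets (assumed).
! The interface is placed in the VRF before its address is assigned.
interface GigabitEthernet0/1
 description LAN side, member of LDAP-VRF
 ip vrf forwarding LDAP-VRF
 ip address 192.0.2.1 255.255.255.0
!
! LDAP server definition (assumed server name and address).
ldap server CORP-LDAP
 ipv4 198.51.100.10
 ! Originate LDAP requests and reachability polls from GigabitEthernet0/1
 ! instead of from the tunnel interface.
 source-interface GigabitEthernet0/1
 ! Set the VRF table ID on the socket before the TCP connection is created.
 vrf LDAP-VRF
!
```

After applying the configuration, confirm with `show ldap server` that the server entry lists the expected source interface and VRF, and verify at the LDAP server (or with a capture on the tunnel) that the TCP connection now arrives from 192.0.2.1 rather than from the tunnel interface address. If the source interface is not in the same VRF as the one named under `ldap server`, the connection cannot be routed, so keep the two consistent.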