NAC OOB VIRTUAL GW PROBLEM
Hi,
I am trying to set up a NAC OOB Virtual GW scenario (attached is the Visio schematic of the setup):
Switch: 3550 (ios 12.2(46) adv ip serv)
NAC 4130 appliances: v4.1.6 (also tried v4.5)
Switch configuration of the trunks to the CAS:
- int f0/23 (connected to CAS e0) -> dot1q trunk with native vlan 999 and allowed vlans 199 (mgt vlan of cas) and 10 (hosts access vlan)
- int f0/21 (connected to CAS e1) -> dot1q trunk with native vlan 998 and allowed vlans 100 (hosts authentication vlan)
- SVIs on switch: 199, 10, 200 (CAM mgt vlan), 99 (dns, dhcp)
The problem I am facing is that the host, once connected to a managed port, is able to acquire an IP from the access VLAN from the DHCP server but is not redirected to the login page. I tried to follow some hints provided in previous posts, but none of them worked for me. I configured the following:
- Login Page
- Configured IP-based traffic control on the unauthenticated role to permit all traffic (also host-based to permit https://192.168.199.1 -> the CAS' IP, with trusted DNS set to my DNS server 192.168.99.1)
- Managed subnet with unused ip in access vlan (192.168.10.253) and vlan id that of the auth vlan (100)
- vlan mapping between untrusted vlan 100 and trusted vlan 10
- tried to access a resolvable website by my dns from the host (as per the suggestion from a previous post for someone who was facing the same prob)
- also tried to access the CAS' login page from the host, in vain, even though it is accessible from trusted subnets
Note: I followed the configuration guide of both v4.1.6 and v4.5 and with both versions I was facing the same problem.
I would be very thankful for any hints to help me solve this issue.
Questions: When the host is connected to a managed port (assigned to the managed VLAN 100) and it is assigned an IP from the access VLAN 10, shouldn't I be able to access the managed subnet, since I configured the IP traffic control policy to permit all traffic from untrusted to trusted? Also, shouldn't I be able to resolve a website's IP with "nslookup x.com", since DNS traffic is configured by default and the trusted DNS server 192.168.99.1 is also configured?
Thanks in advance for any help.
It turned out that the 3550/3560/3750 are not supported for Central Deployment. The problem is solved.
Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment
For Cisco Clean Access (NAC Appliance) in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the Clean Access Server (CAS) are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.
Because caveat CSCdu27506 is not fixed on the Catalyst 3550 series switch, when the Catalyst 3550 is used as a Layer 3 switch, it cannot be used in NAC Appliance In-Band Central Deployment.
For further details, refer to switch IOS caveat CSCdu27506:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdu27506
See also Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB).
Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)
Table 6 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band deployments (OOB). This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.
Table 6 Switch Support for CAS Virtual Gateway In-Band/OOB VLAN Mapping Feature
Cisco Catalyst Switch Model | Virtual Gateway Central Deployment (both interfaces into same switch) | Virtual Gateway Edge Deployment (each interface into different switch)
6000/6500 | Yes | Yes
4000/4500 | Yes | Yes
3750/3560 (L3 switch) | Yes with 12.2(25)SEE and higher (1) | Yes
3550 (L3 switch) | No (1) | Yes
3750/3560 (L2 switch) | Yes | Yes
3550 (L2 switch) | Yes | Yes
2950/2960 | Yes | Yes
2900XL | No (2) | Yes
3500XL | Yes | Yes
28xx NME | Yes with 12.2(25)SEE and higher (1) | Yes
(1) Due to switch caveat CSCdu27506. See Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment for details.
(2) 2900 XL does not support removing VLAN 1 from switch trunks.
Similar Messages
-
NAC - OOB - Virtual IP - users lost connecti
Hi.
So my problem is the follow:
I have at my customer a NAC OOB Virtual IP Gateway.
So, we have many port profiles. Each port profile has its own authentication VLAN and access VLAN, for example:
TI - auth vlan 585 - access vlan 85
ENGINEERING - auth vlan 586 - access vlan 86
And works very very fine.
BUT
There is a common location called PLATFORM (auth vlan 587, access vlan 87) where, after putting the port profile on each user interface on the switch, after 20 minutes or less the machines on this profile (VLANs 587, 87) lose network connectivity, without a bounce.
I checked, and some machines, for no reason, are changed to the authentication VLAN without an SNMP linkdown, and even get stuck in the User Certified Device list.
Other machines remain in the access VLAN but lose all connectivity to the network, unable to ping the gateway or any other device.
Another vlan (for ex: vlan 1) that is not controlled by NAC continues to communicate normally.
I tried to see any logs on the switch but could not see anything abnormal (yet).
Other locations with others port profiles work normally.
The uplinks on these switches and the user interfaces don't have any CRC or other errors.
Could anyone help me? This is causing problems in my account.
Hi,
I understand then that the clients are not connecting through local or SSO mode, is that correct?
I would suggest 3 things so far:
1. Check the logs on the switches where the CASs are connected. I had a similar problem where the CAS would stop responding and the switches would complain about VLAN mismatch or MAC flapping. If you notice errors on the switches, verify that you have:
* Vlan mapping enabled correctly
* Different native VLAN on the switch interface for trusted and untrusted CAS ethx.
* The correct vlans configured on each port: for untrusted just the authentication (layer 2) vlans, for trusted interface the access vlan (20) and the management vlan.
2. Enable the management vlan tag on the trusted interface of the CAS and use your CAS management vlan.
3. On the CAM go to the Clean Access Server section and manage one of your CASs; the first window will show the services currently running on the CAS. Verify that the SSO service is running; if it's not running, verify the configuration. If it's not allowing you to enable it, verify the time settings on your devices, the AD user and all the other settings needed for this to work.
Hope this helps,
Regards, -
Hi All,
I have a remote site with the above design. "Login" is grayed out in the CAA. I ran tcpdump on the NAS and saw packets hitting eth1 on the NAS. In the NAM I got this error message: "Unable to process out-of-band login request from [00:00:00:00:00:00 ## 10.111.18.3] Administrator. Cause: MAC address of 10.111.18.3 not found."
Any idea would be very appreciated. If you need more information, please let me know. It's kind of urgent.
thanks
Alex
Hi Faisal,
I am pretty sure SNMP is right. The switch has been added to the NAM successfully, so there is no SNMP issue. I have this problem for the users in the remote location only. Users in the local location can log in without any problem.
any suggestion would be appreciated.
I am using a 500 Express switch in the remote site. Is it causing the problem?
thanks again.
Alex -
hi all,
I am in the middle of designing a NAC OOB Virtual Gateway.
I have the following doubts regarding the placement of the NAC Server in my existing network:
I have two Core ( redundancy -HSRP ) running VTP & 25 Edge Switches ( VTP Client )
According to Cisco, in an OOB Virtual Gateway deployment we can place the NAC Server only in the core or distribution switches, not on the edge switches.
But currently my existing core switches do not have copper connectivity, and the customer doesn't want to invest in the core switches.
So I am forced to move the NAC server to one of the edge switches with both interfaces (trusted & untrusted) connected to the same edge switch, but Cisco does not recommend doing so in a NAC OOB VG deployment.
I need to know why we cannot place the NAC server at one of the edge switches (NAC OOB VG deployment); what are the issues behind that?
One more thing: as my network is running VTP, what are the things to be considered during the design of a NAC OOB VG deployment?
I am attaching the network diagram, please go through it.
Expecting your valuable suggestions.
Regards
Dileep
Dileep,
You can put them on the edges, but you have to make sure you extend all the VLANs necessary to that edge. It's just bad design, but I don't see why it won't work.
Unfortunately you don't have enough details in the map you provided to get a more detailed answer :-)
HTH,
Faisal -
NAC L3 OOB Virtual Gateway/Real-IP Gateway
In a Central Deployment (NAC server at the central site) for remote office (WAN) users, is it possible to work with L3 OOB Virtual Gateway, or is it only possible to work with L3 OOB Real-IP Gateway?
If both modes (Real-IP or Virtual) are possible, what are the advantages/disadvantages of each one?
I didn't find an answer to this in the documentation.
Thanks in advance.
Hi, Paul
>>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
Have a look at Switch Management -> Port Profiles and, below "Options: Device Connected to Port" (the second one), "Change to .... if the device is certified"; there should be an Access VLAN option, make it active. -
NAC OOB and 6500 in Virtual Switch Mode
Is there any issue or special care to implement NAC OOB in Central Deploy, VGW, using AD SSO for wired clients where the Core Switch is a pair of 6500 in Virtual Switch Mode?
The customer uses Radius IAS for authentication. How does it fit with the AD SSO?
Hi Bruce,
I am afraid there are some arguments missing in your db command.
To manually add the OID of Cat4507R+E to CAM's database here is the procedure to do this.
[root@cca-3140-cam ~]# psql -h localhost -U postgres controlsmartdb -c "INSERT INTO supported_switch VALUES ('1.3.6.1.4.1.9.1.1286', '4', 'Cisco Catalyst 4507 R+E')"
INSERT 0 1
Then to make sure it is there:
[root@cca-3140-cam ~]# psql -h localhost -U postgres controlsmartdb -c "SELECT * FROM supported_switch" | grep 1286
The output should be:
1.3.6.1.4.1.9.1.1286 | 4 | Cisco Catalyst 4507 R+E
Restart perfigo service on NAC Manager and try to manage the switch using the model used by the above command.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
L3 Deployment OOB Virtual Gateway
Hi Faisal,
Good day! I would like to ask about the L3 deployment approach using OOB Virtual Gateway. What I did was enable L3 support and apply static routes. When I tried to connect a client workstation, I could not get an IP address. The Cisco switch that I'm using at the remote site was already discovered in the devices in NAC. When I check the ports, they change to authentication VLAN 100 but cannot pass through. The IP block for the site is 10.19.x.x. Do I have to put a managed subnet and VLAN mapping? But from what I've read in the manual there is no need to configure the managed subnet; instead a static route needs to be applied.
For the L2 deployment OOB Virtual Gateway it's working now; the IP block I'm using is 10.1.x.x. I want to add the L3 deployment for the remote sites as well, so that the users authenticate through the NAC. I'm thinking of applying 2 approaches for the NAC: L2 deployment for the main site and L3 deployment for the remote site. Faisal, am I doing it correctly? Please let me know what I should apply for it and see the attachment. Thanks.
Richard
I have set up a Windows DHCP server locally in the L3-hops-away network. Basically the network from the main site (where the NAC is installed) and the remote site were already connected and talking because of the static route. The remote site has always had a DHCP server locally where the clients get IP addresses. I also created the DHCP scope for the authentication VLAN as I see in the manual, though in the example they're using an L3 switch. I configured the static route in the CAS. What else do I need in the configuration?
In the OOB Virtual Gateway there is no problem using the Windows DHCP server, but it cannot do L3 hops away; it's just in the main site. That's why I changed to OOB RIP. Please see the attachment. -
NAC OOB logoff feature not working
Hi all,
I've deployed NAC in L2 OOB VG mode with ADSSO and I'm trying to use the OOB logoff feature but it's not working. The VLAN change detect feature doesn't work either (I think the two problems might be related).
It will work if each user role is assigned a different auth/access VLAN pair but in my setup, everyone has a common auth vlan and separate role-based access vlans. Because of this, I have to use the IP refresh feature as well (this works fine).
I'm running Windows Vista and version 4.8.0 of the NAC software with version 4.8.1.5 of the agent
I checked the release notes and found that caveat CSCth60233 identifies this bug with the VLAN change detect with the workaround being to refresh the IP address automatically after being logged out. Does anyone know of a workaround for this problem to do this automatically? Is a solution for this problem in the works?
Also would anyone be able to help me with my OOB logoff feature not working? I've configured everything according to the documentation.
I appreciate your responses
~Xavier
Here are my configs if necessary. Tell me if anything else is needed.
User Management > User Roles
List of Roles
Edit Role
Traffic Control
Bandwidth
Schedule
Disable this role
Role Name
Role Description
Role Type
Normal Login Role Quarantine Role
*Max Sessions per User Account ( Case-Insensitive Session Identifiers )
(1 – 255; 0 for unlimited)
Retag Trusted-side Egress Traffic with VLAN (In-Band)
(0 – 4095, or leave it blank)(*This option has been deprecated, and it will be removed in upcoming releases)
*Out-of-Band User Role VLAN
VLAN ID VLAN Name (if left blank, it will default to the default access vlan settings in the Port Profile)
*Bounce Switch Port After Login (OOB)
Enable Disable (This option is effective only when port profile is set to use it)
*Refresh IP After Login (OOB)
Enable Disable (This option only applies to L2 OOB Virtual Gateway with Role VLAN as Access VLAN and switch port is NOT bounced after VLAN change)
*After Successful Login Redirect to
previously requested URL
this URL:
(e.g. http://www.cisco.com/)
Redirect Blocked Requests to
default access blocked page
this URL or HTML message:
*Show Logged-on Users
User info
Logout button
Enable Passive Re-assessment (To enable Passive Re-assessment for OOB Agent connections, you must also enable the OOB Logoff option at Device Management > Clean Access > General Setup > Agent Login.)
Re-assessment Interval
(Minimum of 60 minutes and maximum of 1440 minutes [24 hours])
Grace Timer
(Minimum of 5 minutes and maximum of 30 minutes)
Default action on failure
Continue Allow user to remediate Logoff user immediately
(*only applies to normal login role)
Device Management > Clean Access
Certified Devices
General Setup
Network Scanner
Clean Access Agent
Updates
Web Login · Agent Login
User Role
Unauthenticated Role(not common) role_engineer role_developer role_admin role_sales role_guest
Operating System
ALL WINDOWS_ALL WINDOWS_XP WINDOWS_VISTA_ALL WINDOWS_7_ALL MAC_ALL MAC_OSX LINUX FREEBSD SOLARIS_ALL SOLARIS_86 SOLARIS_SPARC UNIX VMS OS2 PALM
(By default, 'ALL' settings apply to all client operating systems if no OS-specific settings are specified.)
Enable OOB logoff for Windows NAC Agent and Mac OS X Agent (This global option applies to all OOB CASs and user roles and enables Agent logout and heartbeat timers for OOB Agent connections. You must also enable this option for Passive Re-assessment to function with OOB Agent connections.)
Require use of Agent
(for Windows & Macintosh OSX only)
Agent Download Page Message (or URL):
Network Security Notice: This network is protected by a Cisco NAC Appliance Agent, a component of the Cisco NAC Appliance Suite. The Agent ensures that your computer meets the requirements for accessing this network, and helps you keep your computer secure and up-to-date.
Please use the Agent to log in to the network.
If you don't have the Agent software yet, download it by clicking the button below. After downloading the installation file, run it to complete the installation.
If you have already downloaded and installed the Agent, please close this window and right-click the Agent icon in the system tray and choose Login from the menu. Enter your usual network user name and password in the login window.
Require use of Cisco NAC Web Agent (for Windows only)
Cisco NAC Web Agent Launch Page Message (or URL):
Network Security Notice: This network is protected by the Cisco NAC Web Agent, a component of the Cisco NAC Appliance Suite. The Cisco NAC Web Agent ensures that your computer meets the requirements for accessing this network, and helps you keep your computer secure and up-to-date.
Please launch Cisco NAC Web Agent by clicking the button below.
Allow restricted network access in case user cannot use NAC Agent or Cisco NAC Web Agent
Restricted Access User Role:
role_engineer role_developer role_admin role_sales role_guest
Restricted Access Button Text:
Restricted Network Access Message:
Restricted Network Access: If you cannot use a Cisco NAC Appliance Agent, you can obtain restricted network access temporarily by clicking the button below.
Show Network Policy to NAC Agent and Cisco NAC Web Agent users (for Windows only)
Network Policy Link:
Logoff NAC Agent users from network on their machine logoff or shutdown after
secs (for Windows & In-Band setup, for OOB setup when OOB Logoff is enabled)
(Setting the time to zero secs will logout user immediately. Valid range: 0 - 300 secs.)
Refresh Windows domain group policy after login
(for Windows only)
Automatically close login success screen after
secs
(Setting the time to zero secs will not display the login success screen. Valid range: 0 - 300 secs.)
Automatically close logout success screen after
secs
(for Windows only)
(Setting the time to zero secs will not display the logout success screen. Valid range: 0 - 300 secs.) -
Can somebody suggest switch configurations for Layer 2 OOB Virtual Gateway high availability between the distribution and access layer switches? I use 5 different VLANs in the 156 subnet, which are user VLANs, and for authentication I used 10.x.x.x series VLANs. The servers are 3355 and 3315 series and 1 NAC Manager on 4.7.2.
Thank you for feeding information back to the community to benefit others.
That is the spirit...
PK -
I have configured OOB Virtual Gateway. However, the CAS fails to detect and redirect to the login web page.
Sometimes when I change the managed subnet, it works...
I wonder what exact IP address should be typed into the managed subnet?
Suppose I have 10 trust VLANs (10,11,12,13 ...) , and i create related 10 untrusted VLAN (20,21,22,23...)
IP address for VLAN 10: 192.168.10.0/24
IP address for VLAN 11: 192.168.11.0/24
IP address for VLAN 12: 192.168.12.0/24
IP address for VLAN 13: 192.168.10.0/24
I have tried the 4.1.x version of CAM/CAS; the page allowed us to input a subnet address.
However, in 4.5.x or above, we must input a host IP address. Now I have upgraded to version 4.7.2; what IP address and VLAN should I type into this page?
192.168.10.254/24 VLAN20
192.168.11.254/24 VLAN21
192.168.12.254/24 VLAN22
192.168.13.254/24 VLAN23
or
192.168.10.254/24 VLAN10
192.168.11.254/24 VLAN11
192.168.12.254/24 VLAN12
192.168.13.254/24 VLAN13
Also, I want to ask about the Network page of the CAS. Should the "Set management VLAN ID" of the untrusted interface be set to "0", left blank, or set to one of the trusted VLANs?
I'm a green hand in NAC... hope someone can guide me. Many thanks
Successful in getting an IP now... because some VTP was set to transparent and couldn't learn all VLANs.
Even so, I face some issues. Since the user flat network is big enough and covers thousands of switches, I found some characteristics:
The big flat network is using "3750 stack" as core switch. The version of IOS is 12.2(25). I did check with doc.
Extracted as below:
Stacked Cisco Catalyst 3750 Switches and NAC Appliance Out-of-Band Deployment
For Cisco Clean Access (NAC Appliance) customers with OOB deployments running stacked Cisco Catalyst 3750 switches with Cisco IOS 12.2(25) SEC2 or lower, SNMP mac-notifications can fail, and SNMP does not report MAC addresses to the OOB Clean Access Manager and Server.
So my question is:
Although this switch might fail to send SNMP notifications to the CAS/CAM, would all other switches connected to this 3750 fail to report SNMP notifications as well?
In my case it seems that all switches connected on the far side of the switch connected to the CAS/CAM successfully perform login and authentication through the CAS; however, all switches connected to this core 3750 fail to perform the login, and no login page is even found.
SW1 --- 3750 -- SW2 --- SW3 --CAS & CAM
SW2 and SW3 can successfully perform the CAS login.
SW1 fails to get the login page and fails to authenticate, but can get DHCP and is stuck in the untrusted VLAN. -
Hi!
I'm implementing a NAC OOB solution. The CAS and CAM are in the data center on a remote network, and I need to control the VLANs that my users access on my remote sites.
How do I make them authenticate on the remote CAS? (The CAS is on a remote network.)
TKX
Miguel
Hi,
Well, it looks like you are starting now, so I would advise to get in touch with the OOB concept and guidelines:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html.
You have L2/L3 mode.
You have OOB/InB mode.
You have Real-Ip/Virtual gateway mode.
You have 2 main VLANs for the clients: authentication (untrusted) and access (trusted) vlans.
The goal is to make the client fall into the auth vlan prior to login, and the traffic flow through the CAS so that the CAS can permit/deny the client from passing traffic.
You have also, nice chalk-talks where you can see VODs explaining the steps for configuring several features/deployments:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
NAC OOB Logoff feature workaround ?
Hi,
We have a NAC OOB, Real-IP Layer 2 setup, and the new option "Logoff Clean Access Agent users from network on their machine logoff or shutdown" does not apply when using OOB mode (which is annoying). Has anybody found a way to make sure that when a user logs off from his PC he's automatically put back into the authentication VLAN? We thought of maybe putting a program in the Windows XP logoff script that would disable/enable the NIC, but it seems a bit tricky...
I'm sure I'm not the only one who's trying to find a solution for this. Hopefully Cisco will support this feature right from the clean access agent in a future release...
Thanks.
Dominic
For now we are waiting for the feature to become available from Cisco in Q2 or Q3 of 2007.
And yes, we are using SSO in a Windows XP - Windows 2003 environment.
Dominic -
NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)
Hello,
I am currently configuring a NAC deployment based on Out-of-Band (OOB) with Virtual Gateway. Can someone please verify my configs below:
Core Switch:
VLAN DB:
vlan 10
name VLAN_DEPT1
vlan 11
name VLAN_DEPT2
vlan 20
name VLAN_DEPT3
vlan 26
name VLAN_DEPT4
vlan 27
name VLAN_DEPT5
vlan 28
name VLAN_DEPT6
vlan 29
name VLAN_DEPT7
vlan 30
name VLAN_DEPT8
vlan 32
name VLAN_DEPT9
vlan 50
name VLAN_NetMGT
vlan 51
name VLAN_CAS_MGT
vlan 52
name VLAN_CAM_MGT
vlan 210
name VLAN_DEPT1_Auth
vlan 211
name VLAN_DEPT2_Auth
vlan 220
name VLAN_DEPT3_Auth
vlan 226
name VLAN_DEPT4_Auth
vlan 227
name VLAN_DEPT5_Auth
vlan 228
name VLAN_DEPT6_Auth
vlan 229
name VLAN_DEPT7_Auth
vlan 230
name VLAN_DEPT8_Auth
vlan 232
name VLAN_DEPT9_Auth
Interface Configs
interface GigabitEthernet3/41
description "Link to Cisco CAM-PRI eth0"
switchport access vlan 52
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
interface GigabitEthernet3/42
description "Link to Cisco CAM-FO eth0"
switchport access vlan 52
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
interface GigabitEthernet3/43
description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport mode trunk
switchport trunk allowed vlan 210,211,220,226-230,232
interface GigabitEthernet3/44
description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport mode trunk
switchport trunk allowed vlan 210,211,220,226-230,232
interface GigabitEthernet3/46
description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
switchport trunk allowed vlan 10,11,20,26-30,32,50-51
interface GigabitEthernet3/48
description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
switchport trunk allowed vlan 10,11,20,26-30,32,50-51
interface GigabitEthernet1/1
description "Trunk link to DEPT1 Access SW"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
!------- Example of VLAN Interface --------
interface Vlan10
description "DEPT1 VLAN"
ip address x.x.10.1 255.255.255.0
ip helper-address x.x.50.5
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
!------- No VLAN Interface for AUTH VLAN 210 --------
Access Switch Configuration
interface GigabitEthernet0/1
description "Trunk Link to Core Switch"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
no ip address
interface GigabitEthernet0/6
switchport access vlan 30
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
=========================================
Is the above config correct?
Thanks
Hi,
By bogus I assume you mean something like;
interface Vlan700
description "BIT BUCKET for unused ports"
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown -
NAC OOB problem - moving users between ports
Hi,
I have a problem with an OOB deployment I am currently working on: when I move an authenticated OOB client from one switch to another, it remains stuck in the auth VLAN. It seems that NAC doesn't detect the new port correctly.
This is what I did to replicate the issue, in detail:
1) A computer is connected to port 'a' on switch 'A' (A[a]). The port is automatically changed to auth VLAN and authentication and posture assessment are performed.
2) The computer passes both, and the port is changed back to the designated Access VLAN. OOB user appears in the Online Users list, and the computer is added to the Discovered (Wired) Clients list. All the detailed information on both pages is correct.
3) The computer is disconnected. OOB user is removed from the Online Users list, but the computer remains in the Discovered Clients list.
4) The computer is connected to port 'b' on switch 'B' (B[b]). It is automatically changed to auth VLAN and authentication and posture assessment passes successfully one more time. However, the information in the Discovered Clients list is not updated and, moreover, OOB user appears once again in the Online Users list - but the specified location is port A[a]!
The end result is that the computer remains stuck in the Auth VLAN and the NAC Agent authentication dialogue keeps popping up.
I tried the reverse scenario (port B[b] to port A[a]) after manually clearing all user and client information, and the result was pretty much the same...
Thanks,
Boris
Faisal,
The configuration includes the following lines (on both switches I used for access):
snmp-server community *** RW
snmp-server community *** RO
snmp-server trap-source Vlan2 (management subnet)
snmp-server location 10.0.0.101 (NAM IP address)
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.0.0.101 version 2c cisco mac-notification snmp
Also, NAC added the following line on monitored interfaces:
snmp trap mac-notification change added
Is this all that is required to send MAC-change and MAC-move traps?
I captured SNMP traps with a 'tcpdump' on the NAM and I can confirm it receives traps from both switches, with correct source IP addresses. I will try to look into a "raw" dump to see the exact traps it received...
Regards,
Boris -
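Faisal's checklist in the earlier thread (VLAN mapping, different native VLANs on the trusted and untrusted CAS trunks, only auth VLANs on the untrusted trunk, access plus management VLANs on the trusted one) and Boris's question about the SNMP mac-notification lines can both be checked mechanically against a switch config. The script below is an added example written for this page, not Cisco's tooling or any poster's code; the VLAN IDs, addresses and config text are constructed to resemble the configs posted above, and the "no SVI on an auth VLAN" rule follows the "No VLAN Interface for AUTH VLAN" note in the posted core config.

```python
"""NAC OOB Virtual Gateway switch-config checker. Added example for this page, not
Cisco's or the posters' code; VLAN IDs, addresses and config text are constructed."""

# CAS VLAN mapping as entered on the CAM: auth (untrusted) VLAN -> access (trusted) VLAN.
VLAN_MAPPING = {210: 10, 211: 11, 220: 20}
MGMT_VLANS = {50, 51}  # management VLANs that ride the trusted trunk with the access VLANs

# Constructed config modelled on the ones posted above, with three deliberate faults:
# both CAS trunks use native VLAN 700, auth VLAN 210 has an SVI, and Gi0/7 has no trap line.
CONFIG = """
interface GigabitEthernet3/43
 switchport trunk native vlan 700
 switchport trunk allowed vlan 210,211,220
interface GigabitEthernet3/46
 switchport trunk native vlan 700
 switchport trunk allowed vlan 10,11,20,50-51
interface Vlan210
 ip address 10.0.210.1 255.255.255.0
interface GigabitEthernet0/6
 switchport access vlan 10
 snmp trap mac-notification change added
interface GigabitEthernet0/7
 switchport access vlan 11
snmp-server enable traps mac-notification change move
snmp-server host 10.0.0.101 version 2c cisco mac-notification snmp
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list like '10,11,26-30,50-51' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text):
    """Return ({interface name: [sub-lines]}, [global lines]) for an IOS config."""
    interfaces, global_lines, current = {}, [], None
    for raw in text.strip().splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())  # indented line belongs to the interface
        else:
            current = None
            global_lines.append(raw.strip())
    return interfaces, global_lines


def _field(lines, prefix):
    """Value after `prefix` on the first matching line, or None."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)


def check_config(text, mapping, mgmt):
    """Apply the thread's OOB VG rules; returns a list of human-readable findings."""
    auth, access = set(mapping), set(mapping.values())
    interfaces, global_lines = parse_config(text)
    findings, natives = [], {}  # natives: native VLAN -> trunks using it
    for name, lines in interfaces.items():
        if name.lower().startswith("vlan"):
            # The CAS bridges auth -> access; an SVI on the auth VLAN lets hosts route around it.
            if int(name[4:]) in auth and _field(lines, "ip address"):
                findings.append(f"{name}: SVI on auth VLAN routes around the CAS")
            continue
        allowed = _field(lines, "switchport trunk allowed vlan")
        if allowed is not None:  # one of the two CAS trunks
            allowed = expand_vlans(allowed)
            native = _field(lines, "switchport trunk native vlan") or "1"  # IOS default
            if allowed <= auth:
                side = "untrusted"
            elif allowed <= access | mgmt:
                side = "trusted"
            else:
                findings.append(f"{name}: trunk mixes auth and access VLANs")
                continue
            natives.setdefault(native, []).append(f"{side} {name}")
            continue
        port_vlan = _field(lines, "switchport access vlan")
        if port_vlan and int(port_vlan) in access and "snmp trap mac-notification change added" not in lines:
            findings.append(f"{name}: managed port lacks 'snmp trap mac-notification change added'")
    for native, trunks in natives.items():
        if len(trunks) > 1:
            findings.append(f"native VLAN {native} shared by {' and '.join(trunks)}; "
                            "trusted and untrusted CAS trunks need different native VLANs")
    for needed in ("snmp-server enable traps mac-notification", "snmp-server host"):
        if not any(l.startswith(needed) and "mac-notification" in l for l in global_lines):
            findings.append(f"missing '{needed} ... mac-notification' (CAM gets no MAC traps)")
    return findings


if __name__ == "__main__":
    for finding in check_config(CONFIG, VLAN_MAPPING, MGMT_VLANS):
        print("FINDING:", finding)
```

Running it against the constructed config reports the three planted faults and nothing else; feeding it a real `show running-config` requires only that the CAM's VLAN mapping and management VLANs be filled in.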
WISM and NAC OOB/ Client in a different WLC problem
Guys,
I am using two WiSM modules in a 6513 chassis.
We have 3 SSIDs configured, but on each WLC we are using AP Groups, making Layer 3 roaming.
Well, everything is working out fine and we have hundreds of connections per day, but each day two or three clients appear that stay in Quarantine mode and the WLC does not change Auth_vlan to Access_Vlan.
NAC shows that client as ONLINE on WLC 3, but that client isn't there; he is on WLC 2 in Quarantine mode.
Does anyone know how to help me?
thanks a lot