NAC OOB VIRTUAL GW PROBLEM

Hi,
I am trying to setup a NAC OOB Virtual GW Scenario (attached is the visio schematic of the setup):
Switch: 3550 (ios 12.2(46) adv ip serv)
NAC 4130 appliances: v4.1.6 (also tried v4.5)
Switch Configuration of the trunks to the CAS):
- int f0/23 (connected to CAS e0) -> dot1q trunk with native vlan 999 and allowed vlans 199 (mgt vlan of cas) and 10 (hosts access vlan)
- int f0/21 (connected ro CAS e1) -> dot1q trunk with native vlan 998 and allowed vlans 100 (hosts authentication vlan)
- SVIs on switch: 199, 10, 200 (CAM mgt vlan), 99 (dns, dhcp)
The problem I am facing is that the host once connected to a managed port is able to acquire an ip from the access vlan from the dhcp server but is not redirected to the login page. I tried to follow some hints provided in previous posts but none of them worked for me. I configured the following:
- Login Page
- Configured IP based traffic control on the unautheticated role to permit all traffic (also host based to permit https://192.168.199.1 -> cas' ip with trusted dns my dns server 192.168.99.1)
- Managed subnet with unused ip in access vlan (192.168.10.253) and vlan id that of the auth vlan (100)
- vlan mapping between untrusted vlan 100 and trusted vlan 10
- tried to access a resolvable website by my dns from the host (as per the suggestion from a previous post for someone who was facing the same prob)
- also tried to access the cas' login page from the host with vain, eventhough it is accessible from trusted subnets
Note: I followed the configuration guide of both v4.1.6 and v4.5 and with both versions I was facing the same problem.
I would be very thankful for any hints to help me solve this issue.
Questions: When the host is connected to a managed host (assigned to the managed vlan 100) and it is assigned an ip from the a access vlan 10. Shouldn't I be able to access the managed subnet case I configured ip traffic control policy to permit all traffic from untrusted to trusted? also shouldn't I be able to resolve website's ip with "nslookup x.com" since dns traffic is by default configured and also trusted dns server 192.168.99.1 is configured?
Thanks in advance for any help.

It arised to be that the 3550/3560/3750 are not supported for Central Deployment. The problem is solved.
Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment
For Cisco Clean Access (NAC Appliance) in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the Clean Access Server (CAS) are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.
Because caveat CSCdu27506 is not fixed on the Catalyst 3550 series switch, when the Catalyst 3550 is used as a Layer 3 switch, it cannot be used in NAC Appliance In-Band Central Deployment.
For further details, refer to switch IOS caveat CSCdu27506:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdu27506
See also Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB).
Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)
Table 6 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band deployments (OOB). This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.
Table 6 Switch Support for CAS Virtual Gateway In-Band/OOB VLAN Mapping Feature
Cisco Catalyst Switch Model Virtual Gateway
Central Deployment
(both interfaces into same switch) Edge Deployment
(each interface into different switch)
6000/6500 Yes Yes
4000/4500 Yes Yes
3750/3560 (L3 switch) Yes with 12.2(25) SEE and higher 1
Yes
3550 (L3 switch) No 1
Yes
3750/3560 (L2 switch) Yes Yes
3550 (L2 switch) Yes Yes
2950/2960 Yes Yes
2900XL No 2
Yes
3500XL Yes Yes
28xx NME Yes with 12.2(25) SEE and higher 1
Yes
1 Due to switch caveat CSCdu27506. See Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment for details.
2 2900 XL does not support removing VLAN 1 from switch trunks.

Similar Messages

  • NAC - OOB - Virtual IP - users lost connecti

    Hi.
    So my problem is the follow:
    I have i my customer a NAC OOB - Virtual Ip Gateway.
    So, we have a many port profiles. Each Port profile witch its own authentication vlan and access vlan, for example:
    TI -  auth vlan 585 -  access vlan 85
    ENGINEERING - auth vlan 586 - access vlan 86
    And works very very fine.
    BUT
    There is a common location called PLATFORM (auth vlan 587, access vlan 87) where, to put port profile on each User interface on the switch after 20 minutes or less, the machines that are on this profile (VLANs 587, 87) lose network connectivity, without bounce.
    I checked and, some machines for no reason, are changed to vlan authentication without snmp Linkdown and even get stuck in with User certifield device list.
    Other machines remain in vlan access, but lose all connectivity to the network without ping gateway and any other device.
    Another vlan (for ex: vlan 1) that is not controlled by NAC continues to communicate normally.
    I tried to see any logs on the switch but could not see anything abnormal (yet).
    Other locations with others port profiles work normally.
    The uplinks on this switches and interfaces users dont have any CRC or errors.
    Could anyone help me? This is causing problems in my account.

    Hi,
    I understand then that the clients are not connecting through local or SSO mode, is that correct?
    I would suggest 3 things so far:
    1. Check the logs on the switches where the CAS's are connected, I had a similar problem where CAS would stop responding and the switches would complain about vlan mismatch or mac flapping, if you notice errors on the switches verify that you have:
    * Vlan mapping enabled correctly
    * Different native VLAN on the switch interface for trusted and untrusted CAS ethx.
    * The correct vlans configured on each port: for untrusted just the authentication (layer 2) vlans, for trusted interface the access vlan (20) and the management vlan.
    2. Enable the management vlan tag on the trusted interface of the CAS and use your CAS management vlan.
    3. On the CAM go to the Clean access server section, manage one of your CAS's, the first window will show the services currently running on the CAS, verify if the SSO service is running, if it's not running, verify the configuration. If it's not allowing you to enable it, verify the time settings on your devices, the AD user and all the other settings needed for this to work.
    Hope this helps,
    Regards,

  • NAC OOB L3 remote problem

    Hi All,
    I have remote site with above design. "login" is gray out in CAA. I run tcpdump on NAS, and I saw packets are hitting eth1 on NAS. In NAM, I got this error message "Unable to process out-of-band login request from [00:00:00:00:00:00 ## 10.111.18.3] Administrator. Cause: MAC address of 10.111.18.3 not found.".
    any idea would be very appreciated. if you need more information, please let me know. it's kind of urgent.
    thanks
    Alex

    Hi Faisal,
    I am pretty sure SNMP is right. switch has been added to NAM successfully. so there is no SNMP issue. I have this problem for the users in remote location only. users in local location can login without any problem.
    any suggestion would be appreciated.
    I am using 500 Express switch in remote site. is it causing the problem?
    thanks again.
    Alex

  • Urgent-NAC OOB VG Deplyment

    hi all,
             Iam in the middle of design of NAC OOB Virtual Gateway.
    I have the following doubts regading the placement of NAC Server to my existing Network
    I have two Core ( redundancy -HSRP ) running VTP & 25 Edge Switches ( VTP Client )
    According to CISCO , we can place NAC Server either in the Core or distribution Switches only , not on the edge switches, in OOB Virtual Gateway deployment.
    But currently my existing core switches is not having copper connectivity, customer don't want to invest on core switches.
    so I have to forcefully move the NAC server to one of the EDge Switches with both interfaces ( trusted & untrusted ) connected to same Edge switch, but CISCO is not recommending to do so in NAC OOB VG Deployment.
    I need to know why we cannot place NAC server at one of the Edge Switches. ( NAC OOB VG Deployment ) , what are the issues behind that ?
    One more thing is that , as my Network is running VTP , what are the things to be consider during the design of NAC OOB VG Deplyment.
    Iam attaching the Network Diagram, Please go through that.
    Expecting your valuable suggestions.
    Regards
    Dileep

    Dileep,
    You can put them on the edges, but you have to make sure you extend all the VLANs necessary to that edge. It's just bad design, but I don't see why it won't work.
    Unfortunately you don't have enough details in the map you provided to get a more detailed answer :-)
    HTH,
    Faisal

  • NAC L3 OOB Virtual Gateway/Real-IP Gateway

    In a Central Deployment (NAC server at Central Site) for Remote Office (WAN) users it´s possible to work with L3 OOB
    Virtual Gateway? or it´s only possible to work with L3 OOB Real-IP gateway?
    If it´s possible both modes (Real-IP o Virtual) which are the advantages/disadvantages of each one?
    I didn't found a response for this in the documentation.
    Thanks in advance.

    Hi, Paul
    >>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Have a look at the Switch Management ->Port Profiles and below "Options: Device Connected to Port" (the second one) "Change to .... if the device is certified" there should be Access VLAN option -make it active.

  • NAC OOB and 6500 in Virtual Switch Mode

    Is there any issue or special care to implement NAC OOB in Central Deploy, VGW, using AD SSO for wired clients where the Core Switch is a pair of 6500 in Virtual Switch Mode?
    The customer uses Radius IAS for authentication. How does it fit with the AD SSO?

    Hi Bruce,
    I am afraid there are some arguments missing in your db command.
    To manually add the OID of  Cat4507R+E to CAM's database here is the  procedure to do this.
    [root@cca-3140-cam ~]# psql -h localhost -U postgres controlsmartdb -c "INSERT INTO supported_switch VALUES ('1.3.6.1.4.1.9.1.1286', '4', 'Cisco Catalyst 4507 R+E')" INSERT 0 1
    psql: warning: extra command-line argument "INSERT" ignored
    psql: warning: extra command-line argument "0" ignored
    psql: warning: extra command-line argument "1" ignored
    INSERT 0 1
    Then to make sure it is there:
    [root@cca-3140-cam ~]# psql -h localhost -U postgres controlsmartdb -c "SELECT * FROM supported_switch" | grep 1286
    The output should be:
    1.3.6.1.4.1.9.1.1286      |     4 | Cisco Catalyst 4507 R+E
    Restart perfigo service on NAC Manager and try to manage the switch  using the model used by the above command.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • L3 Deployment OOB Virtual Gateway

    Hi Faisal,
    Good day! I would like to ask about the L3 deployment approach using OOB Virtual Gateway. What I did was enabled the L3 support and applied static routes. When I tried to connect a client workstation I cannot get an ip address. The cisco switch that Im using to the remote site were already discovered in the devices in NAC. When I check the ports it change to authentication vlan 100 but cannot passthrough. The IP block for the site is 10.19.x.x. Do I have to put a managed subnet and vlan mapping? But what I've read from the manual no need to configure the managed subnet instead a static route need to apply.
    For the L2 deployment OOB Virtual gateway its working now, the IP block im using is 10.1.x.x. I want add the L3 deployment for the remote sites also for the users to authenticate through the nac. I'm thinking to apply 2 approach for the nac one for L2 deployment for the main site and L3 deployment for the remote site. Faisal, am I doing it correctly? Please let me know what should I apply for it and see attachment. Thanks.
    Richard

    I have setup windows dhcp server locally in the L3 hops away network. Basically the network from the main site (where the NAC is installed) and the remote site were already connected and talking because of the static route. The remote site has always dhcp server locally where the clients get ip address. Also I created the dhcp scope for the authentication vlan as what I see in the manual though in the example they're using L3 switch. I configured the  static route in the cas. What else do need in the configuration?
    In the OOB virtual gateway there is no problem using the windows dhcp server but the thing it cannot do L3 hops away it just in the main site. Thats why I change to OOB RIP. Please see the attachment.

  • NAC OOB logoff feature not working

    Hi all,
    I've deployed NAC in L2 OOB VG mode with ADSSO and I'm trying to use the OOB logoff feature but it's not working. The VLAN change detect feature doesn't work either (I think the two problems might be related).
    It will work if each user role is assigned a different auth/access VLAN pair but in my setup, everyone has a common auth vlan and separate role-based access vlans. Because of this, I have to use the IP refresh feature as well (this works fine).
    I'm running Windows Vista and version 4.8.0 of the NAC software with version 4.8.1.5 of the agent
    I checked the release notes and found that caveat CSCth60233 identifies this bug with the VLAN change detect with the workaround being to refresh the IP address automatically after being logged out. Does anyone know of a workaround for this problem to do this automatically? Is a solution for this problem in the works?
    Also would anyone be able to help me with my OOB logoff feature not working? I've configured everything according to the documentation.
    I appreciate your responses
    ~Xavier

    Here are my configs if necessary. Tell me if anything else is needed.
    User Management > User Roles
    List of Roles
    Edit Role
    Traffic Control
    Bandwidth
    Schedule
    Disable this role
    Role Name
    Role Description
    Role Type
    Normal Login Role Quarantine Role
    *Max Sessions per User Account             ( Case-Insensitive Session Identifiers             )
    (1 – 255; 0 for unlimited)  
    Retag Trusted-side Egress Traffic with VLAN (In-Band)
    (0 – 4095, or leave it  blank)(*This option has been deprecated, and it will be removed in  upcoming  releases)
    *Out-of-Band User Role VLAN
    VLAN ID VLAN Name                 (if left blank, it will default to the default access vlan             settings in the Port Profile)
    *Bounce Switch Port After Login (OOB)
    Enable               Disable               (This option is effective only when port profile is set to use it)
    *Refresh IP After Login (OOB)
    Enable               Disable               (This option only applies to L2 OOB Virtual Gateway with Role VLAN             as Access VLAN and switch port is NOT bounced after VLAN change)
    *After Successful Login Redirect to
    previously requested URL
    this URL:
    (e.g. http://www.cisco.com/)
    Redirect Blocked Requests to
    default access blocked page
    this URL or HTML message:
    *Show Logged-on Users
    User info
    Logout button
    Enable Passive Re-assessment                          (To enable Passive Re-assessment for OOB Agent             connections, you must also enable the OOB Logoff option at             Device Management > Clean Access > General Setup > Agent Login.)
    Re-assessment Interval
    (Minimum of 60 minutes and maximum of 1440 minutes [24 hours])
    Grace Timer
    (Minimum of 5 minutes and maximum of 30 minutes)
    Default action on failure
    Continue Allow user to remediate Logoff user immediately
    (*only applies to normal login role)
    Device Management > Clean Access
    Certified Devices
    General Setup
    Network Scanner
    Clean Access Agent
    Updates
                Web Login   ·  Agent Login 
    User Role
    Unauthenticated Role(not common) role_engineer role_developer role_admin role_sales role_guest
    Operating System 
    ALL WINDOWS_ALL WINDOWS_XP WINDOWS_VISTA_ALL WINDOWS_7_ALL MAC_ALL MAC_OSX LINUX FREEBSD SOLARIS_ALL SOLARIS_86 SOLARIS_SPARC UNIX VMS OS2 PALM
    (By default, 'ALL' settings apply to all client operating systems if no OS-specific settings are specified.)
    Enable OOB logoff for Windows NAC Agent and Mac OS X Agent        (This global option applies to all OOB CASs and user roles and  enables Agent logout and heartbeat timers for OOB Agent connections. You  must also enable this option for Passive Re-assessment to function with  OOB Agent connections.)
    Require use of Agent
    (for Windows & Macintosh OSX only)
    Agent Download Page Message (or URL):
               Network  Security Notice: This network is protected by a Cisco NAC  Appliance Agent, a component of the Cisco NAC Appliance Suite. The Agent  ensures that your computer meets the requirements for accessing this  network, and helps you keep your computer secure and up-to-date. 
    Please use the Agent to log in to the network.
    If you  don't have the Agent software yet, download it by clicking the button  below. After downloading the installation file, run it to complete the  installation.
    If you have already downloaded and installed the  Agent, please close this window and right-click the Agent icon in the  system tray and choose Login from the menu. Enter your usual network  user name and password in the login window.
    Require use of Cisco NAC Web Agent (for Windows only)
              Cisco NAC Web Agent Launch Page Message (or URL):
    Network  Security Notice: This network is protected by the Cisco NAC  Web Agent, a component of the Cisco NAC Appliance Suite. The Cisco NAC  Web Agent ensures that your computer meets the requirements for  accessing this network, and helps you keep your computer secure and  up-to-date.
    Please launch Cisco NAC Web Agent by clicking the  button below.
    Allow restricted network access in case user cannot use   NAC Agent or Cisco NAC Web Agent
              Restricted Access User Role: 
    role_engineer role_developer role_admin role_sales role_guest
              Restricted Access Button Text: 
    Restricted Network Access Message:
               Restricted  Network Access: If you cannot use a Cisco NAC Appliance  Agent, you can obtain restricted network access temporarily by clicking  the button below.
    Show Network Policy to NAC Agent and Cisco NAC Web Agent users (for Windows only)
              Network Policy Link:  
    Logoff NAC Agent users from network on their machine logoff or shutdown after   
        secs (for Windows & In-Band setup, for OOB setup when OOB Logoff is enabled)
         (Setting the time to zero secs will logout user immediately. Valid range: 0 - 300 secs.)
    Refresh Windows domain group policy after login
    (for Windows only)
    Automatically close login success screen after    
        secs
         (Setting the time to zero secs will not display the login success screen. Valid range: 0 - 300 secs.)
    Automatically close logout success screen after    
        secs
    (for Windows only)
         (Setting the time to zero secs will not display the logout success screen. Valid range: 0 - 300 secs.)

  • Layer 2 NAC OOB in HA

    Can somebody
    suggest me switch configurations for layer 2 OOB virtual gateway Haigh availability between distribution and
    access layer switch. I use 5 different vlans in 156 subnet ..which are
    user vlans and for authentication I used 10.x.x.x series vlans.....
    series are 3355 and 3315 as servers and 1 NAC manager in 4.7.2

    Thank you for feeding information back to the community to benefit others.
    That is the spirit...
    PK

  • NAC OOB L2 VG Managed Subnet

    I have configured OOB Virtual Gateway. However, the CAS fail to detected and redirect to the login web page.
    sometime i change the managed subnet, I work...
    I wonder what exact IP address should be typed into the managed subnet?
    Suppose I have 10 trust VLANs (10,11,12,13 ...) , and i create related 10 untrusted VLAN (20,21,22,23...)
    IP address for VLAN 10: 192.168.10.0/24
    IP address for VLAN 11: 192.168.11.0/24
    IP address for VLAN 12: 192.168.12.0/24
    IP address for VLAN 13: 192.168.10.0/24
    I have tried 4.1.x version of CAM/CAS, the page allowed us to input subnet address.
    However, in 4.5.x or above, we must input host ip address. Now i upgraded to 4.7.2 versions, what IP address and VLAN should i type into this page?
    192.168.10.254/24 VLAN20
    192.168.11.254/24 VLAN21
    192.168.12.254/24 VLAN22
    192.168.13.254/24 VLAN23
    or
    192.168.10.254/24 VLAN10
    192.168.11.254/24 VLAN11
    192.168.12.254/24 VLAN12
    192.168.13.254/24 VLAN13
    also, I wanna to ask the Network page of CAS. The Set management VLAN ID of untrust interface should set to "0" ,"left it blank" or "one of trust VLAN"??
    I'm green hand in NAC...hope someone guide. Many Thanks

    Successful to get IP NOW... coz some VTP set to transparent and can't learn all VLAN.
    Even that... some issues i face.. Since User Flat network is big enough and cover thousand of switches. I find some characteristic ..
    The big flat network is using "3750 stack" as core switch. The version of IOS is 12.2(25). I did check with doc.
    Extracted as below:
    Stacked Cisco Catalyst 3750 Switches and NAC Appliance Out-of-Band Deployment
    For Cisco Clean Access (NAC Appliance) customers with OOB deployments running stacked Cisco Catalyst 3750 switches with Cisco IOS 12.2(25) SEC2 or lower, SNMP mac-notifications can fail, and SNMP does not report MAC addresses to the OOB Clean Access Manager and Server.
    So.................... my Question is:
    Although this Switches might fail to snmp notification to CAS/CAM, all other switches connected to this 3750 would fail to report snmp notification also???
    My case seems like all switches connected away from the switch connected to CAS/CAM is success performing login and authentication by CAS, However, all switches connected to this core 3750 fail to perform the login ..even no login page find..
    SW1 --- 3750 -- SW2 --- SW3 --CAS & CAM
    SW2 and SW3 could success performing CAS login.
    SW1 fail to get login page and fail to do authentication. But could get DHCP and stuck in untrust VLAN.

  • NAC OOB Configuration

    Hi!
    I'm implementing an NAC oob solution. tTe CAS and CAM are in the Data-center on an remote network, and i need to control the vlan's that my users access on my remote sites.
    How do i make them authenticate on the remote CAS? (the Cas is on an remote network)
    TKX
    Miguel

    Hi,
    Well, it looks like you are starting now, so I would advise to get in touch with the OOB concept and guidelines:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html.
    You have L2/L3 mode.
    You have OOB/InB mode.
    You have Real-Ip/Virtual gateway mode.
    You have 2 main VLANs for the clients: authentication (untrusted) and access (trusted) vlans.
    The goal is to make the client fall into the auth vlan prior to login, and the traffic flow through the CAS so that the CAS can permit/deny the client from passing traffic.
    You have also, nice chalk-talks where you can see VODs explaining the steps for configuring several features/deployments:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • NAC OOB Logoff feature workaround ?

    Hi,
    We have a NAC OOB, Real-Ip Layer2 setup and the new option "Logoff Clean Access Agent users from network on their machine logoff or shutdown" does not apply when using OOB mode (which is annoying). Anybody found a way to make sure that when a users logs off from his PC he's automatically put back to the authentication VLAN ? We thought of maybe put a program in Windows XP logoff script that would disable/enable the NIC card but it seems a bit tricky...
    I'm sure I'm not the only one who's trying to find a solution for this. Hopefully Cisco will support this feature right from the clean access agent in a future release...
    Thanks.
    Dominic

    for now we are waiting for the feature to become available from Cisco in Q2 or Q3 of 2007.
    And yes, we are using SSO in a Windows XP - Windows 2003 environment.
    Dominic

  • NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

    Hello,
    I am currently configuring a NAC deployment based on Out-of-Bound OOB with Virtual gateway. Can someone please verify my configs below:
    Core Switch:
    VLAN DB:
    vlan 10
    name VLAN_DEPT1
    vlan 11
    name VLAN_DEPT2
    vlan 20
    name VLAN_DEPT3
    vlan 26
    name VLAN_DEPT4
    vlan 27
    name VLAN_DEPT5
    vlan 28
    name VLAN_DEPT6
    vlan 29
    name VLAN_DEPT7
    vlan 30
    name VLAN_DEPT8
    vlan 32
    name VLAN_DEPT9
    vlan 50
    name VLAN_NetMGT
    vlan 51
    name VLAN_CAS_MGT
    vlan 52
    name VLAN_CAM_MGT
    vlan 210
    name VLAN_DEPT1_Auth
    vlan 211
    name VLAN_DEPT2_Auth
    vlan 220
    name VLAN_DEPT3_Auth
    vlan 226
    name VLAN_DEPT4_Auth
    vlan 227
    name VLAN_DEPT5_Auth
    vlan 228
    name VLAN_DEPT6_Auth
    vlan 229
    name VLAN_DEPT7_Auth
    vlan 230
    name VLAN_DEPT8_Auth
    vlan 232
    name VLAN_DEPT9_Auth
    Interface Configs
    interface GigabitEthernet3/41
    description "Link to Cisco CAM-PRI eth0"
    switchport access vlan 52
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    interface GigabitEthernet3/42
    description "Link to Cisco CAM-FO eth0"
    switchport access vlan 52
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    interface GigabitEthernet3/43
    description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 777
    switchport mode trunk
    switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/44
    description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 777
    switchport mode trunk
    switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/46
    description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet3/48
    description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet1/1
    description "Trunk link to DEPT1 Access SW"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    !------- Example of VLAN Interface --------
    interface Vlan10
    description "DEPT1 VLAN"
    ip address x.x.10.1 255.255.255.0
    ip helper-address x.x.50.5
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no ip mroute-cache
    !------- No VLAN Interface for AUTH VLAN 210 --------
    Access Switch Configuration
    interface GigabitEthernet0/1
    description "Trunk Link to Core Switch"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    no ip address
    interface GigabitEthernet0/6
    switchport access vlan 30
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    =========================================
    Is the above config correct?
    Thanks

    Hi,
    By bogus I assume you mean something like;
    interface Vlan700
    description "BIT BUCKET for unused ports"
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no ip mroute-cache
    shutdown

  • NAC OOB problem - moving users between ports

    Hi,
    I have a problem with an OOB deployment I am currently working on: when I move an authenticated OOB client from one switch to another, it remains stuck in the auth VLAN. It seems that NAC doesn't detect the new port correctly.
    This is what I did to replicate the issue, in detail:
    1) A computer is connected to port 'a' on switch 'A' (A[a]). The port is automatically changed to auth VLAN and authentication and posture assessment are performed.
    2) The computer passes both, and the port is changed back to the designated Access VLAN. OOB user appears in the Online Users list, and the computer is added to the Discovered (Wired) Clients list. All the detailed information on both pages is correct.
    3) The computer is disconnected. OOB user is removed from the Online Users list, but the computer remains in the Discovered Clients list.
    4) The computer is connected to port 'b' on switch 'B' (B[b]). It is automatically changed to auth VLAN and authentication and posture assessment passes successfully one more time. However, the information in the Discovered Clients list is not updated and, moreover, OOB user appears once again in the Online Users list - but the specified location is port A[a]!
    The end result is taht the computer remains stuck in the Auth VLAN and NAC Agent Authentication dialogue keeps popping out.
    I tried the reverse scenario (port B[b] to port A[a]) after manually clearing all user and client information, and the result was pretty much the same...
    Thanks,
    Boris

    Faisal,
    The configuration includes the following lines (on both switches I used for access):
      snmp-server community *** RW
      snmp-server community *** RO
      snmp-server trap-source Vlan2 (management subnet)
      snmp-server location 10.0.0.101 (NAM IP address)
      snmp-server enable traps snmp linkdown linkup
      snmp-server enable traps mac-notification change move threshold
      snmp-server host 10.0.0.101 version 2c cisco  mac-notification snmp
    Also, NAC added the following line on monitored interfaces:
      snmp trap mac-notification change added
    Is this all that is required to send MAC-change and MAC-move traps?
    I captured SNMP traps with a 'tcpdump' on the NAM and I can confirm it receives traps from both switches, with correct source IP addresses. I will try to look into a "raw" dump to see the exact traps it received...
    Regards,
    Boris

  • WISM and NAC OOB/ Client in a different WLC problem

    Guys,
    I am using two WiSM modules in 6513 Chassi.
    We have 3 SSID configured but on each WLC  are using APGroups making a Layer 3 roaming.
    Well, Everything is work out fine and we have hundreds of the connections per day but each day appear two or three clients that still on Quarantine mode and the WLC does not change Auth_vlan to Access_Vlan.
    NAC appear that client as ONLINE on WLC 3 but that client isn't  there, he is on WLC 2 in Quarantine mode.
    anyone know can help me?
    thanks a lot

    I think the jndi service can be accessed froma remote m/c, you can initialize the context with the appropriate paramters, so the lookups on the topic and connection factories and continue with your work.

Maybe you are looking for

  • Adding new fields to Item Data - PO (ME

    Hi All, Is it possible to add new custom fields to PO Item Data in Confirmations tab and these new fields are required only in PO Change (ME22N). How can we achieve this! Can anybody provide feasible solution for the same! can anybody tell me if this

  • How do you get ALL reminders to show in your notification centre?

    So weird. All of them showed up on my old iPhone 4, which was on iOS 7 at the time already. Now I'm on a 5S, and all I see are the ones that have an alarm. Is there anyway to change/fix this so that I can see them all? I've tried toggling the on and

  • Difference caused by 2KES

    the difference caused by 2KES   Posted: Mar 6, 2009 6:53 AM     Edit          Reply  Dear ALL: I found a problem when we carry forward the retained earning account ( 140010)'s value from 2008 year to the 2009 year using tcode 2KES ( profit center acc

  • Embedding links in video

    Is there a way to embed a link in a portion of a video frame as opposed to the entire frame? Can QuickTime export a video with overlay layers? If so, at what bit depth and how many layers? Any help is much appreciated. Message was edited by: Nostets

  • xml:comment with BEA 6.1 sp1

    Hello, I have migrated a small project from BEA WLS6.0 to WSL6.1 with sp1. This project use the BEA taglib to transform XML data into HTML due an XSL stylesheet. My problem is that with the new version of the Xalan XSLT (WLS6.1), the XSL tag <xml:com