NAC 4.1 bridge loop occurs when both CAS NICs enabled

Unanswered Question
May 14th, 2007

I'm in the implementation phase of NAC (OOB VGW with 3 HA CAS pairs and 1 HA CAM pair). I recently moved all 8 servers from a 2950 that I was using for testing to the 6509. Ever since, I've been experiencing an ARP storm when both eth0 and eth1 are plugged in on any of the second two CAS pairs. The trunk-allowed statements are all correct--they are pruning the vlans that are active on the other interface of that CAS.

I didn't experience any bridge loops when the servers were connected to the 2950.

6509 is running 12.2.18SXD7 and all interfaces are plugged into the same blade (only one copper blade in chassis).

Here's an example of a switch port config for both ends of the CAS on the 6509. 299 is the management VLAN for NAC.

[interface that CAS3, eth0 is attached]
 description ***CCA CAS3 Trusted***
 no ip address
 switchport trunk allowed vlan 2-99,299
 switchport mode trunk
 no cdp enable

[interface that CAS3 eth1 is attached]
 description ***CCA CAS3 Untrusted***
 no ip address
 switchport trunk allowed vlan 300-399
 switchport mode trunk
 no cdp enable

Any ideas?


oabduo983 Mon, 05/14/2007 - 11:04

Did you make sure you followed the guide step by step...

I faced this issue before, and you really had to unplug the trusted if until you finish and apply vlan mapping... otherwise you will most probably consider re-imaging the CAS...


drbenham Mon, 05/14/2007 - 11:39

Thanks for the info. I've been (incorrectly?) unplugging the UNtrusted nic while applying all of the vlan mappings. If I've been misreading all of those docs this entire time, I'm going to be really upset. I'll try unplugging the trusted instead of the untrusted and see if I have better results.



oabduo983 Mon, 05/14/2007 - 17:41

You will have to unplug the untrust, not the trust. You will use the trust interface to connect the CAS to the CAM...


drbenham Mon, 05/14/2007 - 19:15

In that case, that is what I have done... I even deleted the CAS pair out of the CAM and re-added it (with the untrusted side unplugged). No joy.

jvr775 Sat, 05/19/2007 - 20:17

Hey Dave,

Try setting each interface's native vlan to their own respective setting. CAS3 eth0 to native vlan 998, CAS3 eth1 to native vlan 999.

drbenham Sun, 05/20/2007 - 10:14

I'll give that a shot this week. Thanks for the idea...

drbenham Tue, 05/22/2007 - 04:20

I set the native vlans on the trusted side of all of the CASes and still get the same problem. The untrusted side doesn't really have a native vlan since clients get placed in about 40 different vlans, so I left that side unset.

Any other ideas?


jvr775 Tue, 05/22/2007 - 09:31

Hi Dave

Per documentation from Cisco, it says to configure the trusted/untrusted VGW (OOB/IB) CAS ports on different native vlans.
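As an added example (not from this thread, Cisco, or the NAC product), a small Python check that reads trunk stanzas in the style of the configs posted above and reports the two things the replies ask about: overlapping allowed-VLAN lists between the trusted and untrusted ports, and a shared native VLAN (IOS uses VLAN 1 when no native VLAN is set). The interface names and the sample stanzas are constructed.

```python
import re
# Constructed sample in the style of the thread's stanzas: two trunk ports for
# one CAS, with no 'native vlan' line, so IOS falls back to the default VLAN 1.
SAMPLE_CONFIG = """\
interface GigabitEthernet3/1
 description ***CCA CAS3 Trusted***
 switchport trunk allowed vlan 2-99,299
interface GigabitEthernet3/2
 description ***CCA CAS3 Untrusted***
 switchport trunk allowed vlan 300-399
"""

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '2-99,299' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):
    """Map interface name -> {'allowed': set, 'native': int} per stanza.
    Only the plain 'allowed vlan <list>' form is handled (no add/remove)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), {"allowed": set(), "native": 1})
            continue
        if current is None:
            continue
        m = re.match(r"\s*switchport trunk allowed vlan ([\d,-]+)\s*$", line)
        if m:
            current["allowed"] = parse_vlan_list(m.group(1))
        m = re.match(r"\s*switchport trunk native vlan (\d+)\s*$", line)
        if m:
            current["native"] = int(m.group(1))
    return interfaces

def check_cas_pair(trusted, untrusted):
    """Findings for a trusted/untrusted pair: overlapping allowed lists
    (the original poster's check) and a shared native VLAN (jvr775's)."""
    findings = []
    overlap = trusted["allowed"] & untrusted["allowed"]
    if overlap:
        findings.append("allowed VLAN lists overlap: %s" % sorted(overlap))
    if trusted["native"] == untrusted["native"]:
        findings.append("both trunks share native VLAN %d" % trusted["native"])
    return findings
```

Run it against a `show running-config` export with the real CAS port pairs substituted for the sample; an empty findings list means the allowed lists are disjoint and the native VLANs differ.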

