NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

edwardwaithaka
Level 1

Hello,

I am currently configuring a NAC deployment based on Out-of-Band (OOB) with Virtual Gateway. Can someone please verify my configs below:

Core Switch:
------------------------------------

VLAN DB:
----------------
!
vlan 10
 name VLAN_DEPT1
!
vlan 11
 name VLAN_DEPT2
!
vlan 20
 name VLAN_DEPT3
!
vlan 26
 name VLAN_DEPT4
!
vlan 27
 name VLAN_DEPT5
!
vlan 28
 name VLAN_DEPT6
!
vlan 29
 name VLAN_DEPT7
!
vlan 30
 name VLAN_DEPT8
!
vlan 32
 name VLAN_DEPT9
!
vlan 50
 name VLAN_NetMGT
!
vlan 51
 name VLAN_CAS_MGT
!
vlan 52
 name VLAN_CAM_MGT
!
vlan 210
 name VLAN_DEPT1_Auth
!
vlan 211
 name VLAN_DEPT2_Auth
!
vlan 220
 name VLAN_DEPT3_Auth
!
vlan 226
 name VLAN_DEPT4_Auth
!
vlan 227
 name VLAN_DEPT5_Auth
!
vlan 228
 name VLAN_DEPT6_Auth
!
vlan 229
 name VLAN_DEPT7_Auth
!
vlan 230
 name VLAN_DEPT8_Auth
!
vlan 232
 name VLAN_DEPT9_Auth
!

Interface Configs
--------------------
interface GigabitEthernet3/41
 description "Link to Cisco CAM-PRI eth0"
 switchport access vlan 52
 switchport mode access
 spanning-tree portfast
 spanning-tree guard root
 no cdp enable
 no ip address
!
interface GigabitEthernet3/42
 description "Link to Cisco CAM-FO eth0"
 switchport access vlan 52
 switchport mode access
 spanning-tree portfast
 spanning-tree guard root
 no cdp enable
 no ip address
!
interface GigabitEthernet3/43
 description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 777
 switchport mode trunk
 switchport trunk allowed vlan 210,211,220,226-230,232
!
interface GigabitEthernet3/44
 description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 777
 switchport mode trunk
 switchport trunk allowed vlan 210,211,220,226-230,232
!
interface GigabitEthernet3/46
 description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 700
 switchport mode trunk
 switchport trunk allowed vlan 10,11,20,26-30,32,50-51
!
interface GigabitEthernet3/48
 description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 700
 switchport mode trunk
 switchport trunk allowed vlan 10,11,20,26-30,32,50-51
!
interface GigabitEthernet1/1
 description "Trunk link to DEPT1 Access SW"
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 700
 switchport mode trunk
!
!------- Example of VLAN Interface --------
interface Vlan10
 description "DEPT1 VLAN"
 ip address x.x.10.1 255.255.255.0
 ip helper-address x.x.50.5
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache
!------- No VLAN Interface for AUTH VLAN 210 --------
*
*
*

Access Switch Configuration
-----------------------------------
interface GigabitEthernet0/1
 description "Trunk Link to Core Switch"
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 700
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/6
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
 spanning-tree guard root
 no cdp enable
 no ip address
!
=========================================

Is the above config correct?

Thanks
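The checks a reviewer would actually run against the configuration above, as an added example (my code, not the poster's and not a Cisco tool). It embeds a condensed copy of the posted fragments (the VLAN database, the two CAS-PRI trunks, the Vlan10 SVI and access-switch port Gi0/6; the CAS-FO trunks are identical and left out), pairs access and auth VLANs by name (VLAN_DEPTn with VLAN_DEPTn_Auth, which is an assumption about the naming scheme) and then verifies what an OOB Virtual Gateway layout needs: every access VLAN has an auth twin, no auth VLAN has a routed SVI, the untrusted trunk carries exactly the auth VLANs while the trusted trunk carries the access VLANs and none of the auth ones, the native VLANs are unused and differ between the two sides, and the CAM-managed access port does not sit in a trusted VLAN as its static VLAN. That last check is the reviewer's reading rather than anything the thread states: Gi0/6 is configured in VLAN 30, so until the CAM switches the port a freshly connected host is already on the trusted side.

```python
"""Consistency audit of the OOB Virtual Gateway config posted above (added example,
not the poster's or Cisco's code). CONFIG condenses the posted fragments; the
access<->auth pairing is inferred from VLAN names (VLAN_DEPTn / VLAN_DEPTn_Auth),
which is an assumption about the poster's naming scheme."""
import re

VLAN_DB = "\n".join(f"vlan {v}\n name {n}" for v, n in [
    (10, "VLAN_DEPT1"), (11, "VLAN_DEPT2"), (20, "VLAN_DEPT3"), (26, "VLAN_DEPT4"),
    (27, "VLAN_DEPT5"), (28, "VLAN_DEPT6"), (29, "VLAN_DEPT7"), (30, "VLAN_DEPT8"),
    (32, "VLAN_DEPT9"), (50, "VLAN_NetMGT"), (51, "VLAN_CAS_MGT"), (52, "VLAN_CAM_MGT"),
    (210, "VLAN_DEPT1_Auth"), (211, "VLAN_DEPT2_Auth"), (220, "VLAN_DEPT3_Auth"),
    (226, "VLAN_DEPT4_Auth"), (227, "VLAN_DEPT5_Auth"), (228, "VLAN_DEPT6_Auth"),
    (229, "VLAN_DEPT7_Auth"), (230, "VLAN_DEPT8_Auth"), (232, "VLAN_DEPT9_Auth")])
# CAS-PRI trunks, the Vlan10 SVI and access-switch port Gi0/6 as posted (CAS-FO trunks omitted)
INTERFACES = """\
interface GigabitEthernet3/43
 description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
 switchport trunk native vlan 777
 switchport mode trunk
 switchport trunk allowed vlan 210,211,220,226-230,232
interface GigabitEthernet3/46
 description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
 switchport trunk native vlan 700
 switchport mode trunk
 switchport trunk allowed vlan 10,11,20,26-30,32,50-51
interface Vlan10
 ip address x.x.10.1 255.255.255.0
interface GigabitEthernet0/6
 switchport access vlan 30
 switchport mode access
"""
CONFIG = VLAN_DB + "\n" + INTERFACES

def expand(spec):
    """Expand an IOS VLAN list such as '26-30,32' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

RULES = [("name", r"name (\S+)", str), ("desc", r"description (.*)", str),
         ("native", r"switchport trunk native vlan (\d+)", int),
         ("access", r"switchport access vlan (\d+)", int),
         ("allowed", r"switchport trunk allowed vlan (\S+)", expand)]

def parse(text):
    """Minimal IOS parser: ({vlan_id: {...}}, {interface: {...}})."""
    vlans, ifaces, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur = vlans.setdefault(int(m[1]), {})
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {})
        elif cur is not None and line.startswith("ip address"):
            cur["routed"] = True                       # SVI with an address = routed VLAN
        elif cur is not None:
            for key, pat, conv in RULES:
                if m := re.fullmatch(pat, line):
                    cur[key] = conv(m[1])
    return vlans, ifaces

def audit(text=CONFIG, managed_port="GigabitEthernet0/6"):
    """Return findings; an empty list means the OOB VG layout is consistent."""
    vlans, ifaces = parse(text)
    names = {v["name"]: vid for vid, v in vlans.items()}
    auth = {vid: v["name"][:-5] for vid, v in vlans.items() if v["name"].endswith("_Auth")}
    twin = {names[p]: a for a, p in auth.items() if p in names}   # access VLAN -> its auth VLAN
    live = set(auth) | set(twin)
    out = [f"auth VLAN {a} has no access VLAN named {p}" for a, p in auth.items() if p not in names]
    out += [f"access VLAN {vid} ({v['name']}) has no _Auth twin" for vid, v in vlans.items()
            if v["name"].startswith("VLAN_DEPT") and vid not in live]
    natives = {}
    for name, i in ifaces.items():
        # 1. an auth VLAN must stay pure L2: an SVI lets unauthenticated hosts route around the CAS
        if name.startswith("Vlan") and int(name[4:]) in auth and i.get("routed"):
            out.append(f"{name}: routed SVI on auth VLAN")
        if "allowed" not in i:
            continue                                    # only the CAS-facing trunks carry a VLAN list
        # 2. untrusted side: exactly the auth VLANs; trusted side: the access VLANs and no auth VLAN
        side = "untrusted" if "un-trusted" in i.get("desc", "").lower() else "trusted"
        if side == "untrusted" and i["allowed"] != set(auth):
            out.append(f"{name}: untrusted trunk differs from the auth set by {sorted(i['allowed'] ^ set(auth))}")
        if side == "trusted" and (not set(twin) <= i["allowed"] or i["allowed"] & set(auth)):
            out.append(f"{name}: trusted trunk must carry every access VLAN and no auth VLAN")
        # 3. native VLAN: unused on both sides and different per side (no untagged path between them)
        native = i.get("native", 1)
        natives.setdefault(side, set()).add(native)
        if native in i["allowed"] or native in live:
            out.append(f"{name}: native VLAN {native} is a user VLAN; use an unused (bogus) one")
    if natives.get("trusted", set()) & natives.get("untrusted", set()):
        out.append("trusted and untrusted trunks share a native VLAN")
    # 4. the CAM-managed port: a trusted VLAN as its static VLAN means a host is on the trusted
    #    side until the CAM acts, i.e. the port fails open if the CAM is unreachable at link-up
    port = ifaces.get(managed_port, {})
    if port.get("access") in twin:
        out.append(f"{managed_port}: static VLAN {port['access']} is a trusted access VLAN "
                   f"(expected auth VLAN {twin[port['access']]} until the CAM switches it)")
    return out
```

Run against the posted fragments, `audit()` returns only the Gi0/6 finding; the VLAN pairing, the SVI rule, both CAS trunks and the 700/777 native VLANs pass. Moving the static VLAN of Gi0/6 to 230 makes the list empty, while adding an SVI to Vlan210 or letting VLAN 30 onto the untrusted trunk is reported by name.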

Accepted Solution

gghayur
Level 1

The config looks ok, but we recommend using bogus native VLANs on the trusted and untrusted trunk ports.

When you put the client machine on gig 0/6, make sure it is moving the VLAN from 30 --> 230.

Thanks,

Syed
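The reply asks to confirm that the port really changes VLAN once a client is attached. The following added example (mine, not from the thread or from the NAC Appliance) does that check offline from two captures of `show interfaces GigabitEthernet0/6 switchport`: one taken when the host links up, one after the user has logged in. The captures are constructed in the IOS output layout; the 230/30 pair for this port is taken from the posted VLAN names, and the expectation that the port is in the auth VLAN before login and in the access VLAN after it is an assumption about the port profile, not something the thread states.

```python
"""Verify the OOB port flip from 'show interfaces <port> switchport' captures.
Added example, not from the thread or from Cisco NAC software; the captures
below are constructed and the 230 (auth) / 30 (access) pair is assumed."""
import re

# Constructed capture in the IOS 'show interfaces <port> switchport' layout, taken at link-up.
AT_LINKUP = """\
Name: Gi0/6
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 230 (VLAN_DEPT8_Auth)
Trunking Native Mode VLAN: 1 (default)
"""
# Same port after the user authenticated: the CAM has switched it to the access VLAN.
AFTER_LOGIN = AT_LINKUP.replace("230 (VLAN_DEPT8_Auth)", "30 (VLAN_DEPT8)")

def parse_switchport(text):
    """Pull the operational mode and the access VLAN out of the show output."""
    mode = re.search(r"^Operational Mode: (.+)$", text, re.M)
    vlan = re.search(r"^Access Mode VLAN: (\d+) \((.*?)\)", text, re.M)
    if not (mode and vlan):
        raise ValueError("not a 'show interfaces switchport' capture")
    return {"mode": mode[1].strip(), "vlan": int(vlan[1]), "name": vlan[2]}

def verify_oob_flip(captures, auth_vlan, access_vlan):
    """captures: list of (label, show_output) in chronological order.
    Returns a list of problems; empty means the CAM moved the port as expected."""
    problems = []
    states = [(label, parse_switchport(out)) for label, out in captures]
    for label, st in states:
        # OOB port switching acts on access ports; anything else means the profile hit the wrong port
        if st["mode"] != "static access":
            problems.append(f"{label}: port is '{st['mode']}', expected a static access port")
        # a VLAN outside the pair means the port profile maps this port to the wrong department
        if st["vlan"] not in (auth_vlan, access_vlan):
            problems.append(f"{label}: VLAN {st['vlan']} ({st['name']}) is neither the auth "
                            f"nor the access VLAN of this port")
    first, last = states[0][1], states[-1][1]
    if first["vlan"] != auth_vlan:      # unauthenticated host must land in the auth VLAN
        problems.append(f"{states[0][0]}: expected auth VLAN {auth_vlan}, port is in {first['vlan']} "
                        f"(host reaches the trusted side without passing the CAS)")
    if last["vlan"] != access_vlan:     # authenticated host must end up in the access VLAN
        problems.append(f"{states[-1][0]}: expected access VLAN {access_vlan} after login, "
                        f"port is in {last['vlan']}")
    return problems
```

With the two constructed captures `verify_oob_flip([("link-up", AT_LINKUP), ("after login", AFTER_LOGIN)], 230, 30)` returns no problems; feeding the after-login capture for both points reports that the host was never in the auth VLAN, and a capture showing a different department's VLAN is flagged as a wrong port-profile mapping.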


3 Replies

Not applicable

Refer to the NAC configuration guide for more information. Go to device management and look for the configuration.


Hi,

By bogus I assume you mean something like:

interface Vlan700
 description "BIT BUCKET for unused ports"
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache
 shutdown
