Problem with NAC IB VG

Jan 16th, 2009

Hi there,

I'm deploying NAC IB VG, but ran into the following problem:

My diagram:

                  FWSW
                   |
    user -- Core sw -- NACmanager
                 |   |
                 |   |
               NAC server


and the configuration for Core sw:

    interface GigabitEthernet1/33
     description To Trusted
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !
    interface GigabitEthernet1/34
     description To Untrusted
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk


There are also many other trunk ports on Core sw, so traffic from the user VLAN always uses the other trunk ports (it does not use the port connecting to the untrusted side of the NAC server) to go outside. How can I resolve this problem?

I would much appreciate your reply!

namnt2604 Sat, 01/17/2009 - 20:37

My configuration on the NAC server:

- Trusted interface:
  IP: 10.0.9.131
  Sub: 255.255.255.240
  Default GW: 10.0.9.129
  Management VLAN: 110

- Untrusted interface:
  IP: 10.0.9.131
  Sub: 255.255.255.240
  Default GW: 10.0.9.129

- Managed Subnet:
  10.16.0.199 / 255.255.0.0 / vlan 96

- Mapping vlan:
  Untrusted: 96
  Trusted: 16

- Static route:
  Subnet: 10.16.0.0/16
  Gateway: 10.16.0.254
  Link: untrusted

Is my configuration wrong? Can anyone help me?


Daniel Laden (Cisco Employee) Sun, 02/01/2009 - 12:25


Take a look at the chalk talk series:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

- In an L2 VGW solution, static routes are not used.
- Confirm there is no L3 interface on the core switch for VLAN 96.
- Change the native VLAN on the trunks into the CAS so that they differ from each other. The default is for a port to use native VLAN 1.
- On the untrusted trunk, only allow the untrusted VLAN.
- On the trusted trunk, only allow the trusted VLAN and the VLAN associated with CAS management.
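
The points above applied to the Core sw configuration, as an added example that is not from Daniel's post or from Cisco documentation. The interface names and VLANs 16, 96 and 110 come from this thread; the native VLAN numbers 998/999, the user access port Gi1/1 and placing the 10.16.0.0/16 gateway on the core switch are assumptions.

```cisco
! Core sw: trunk to the CAS untrusted interface
interface GigabitEthernet1/34
 description To Untrusted
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Native VLAN moved off the default 1 (998 is an assumed, unused VLAN)
 switchport trunk native vlan 998
 ! Only the untrusted (client-side) VLAN may cross this link
 switchport trunk allowed vlan 96
!
! Core sw: trunk to the CAS trusted interface
interface GigabitEthernet1/33
 description To Trusted
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Assumed value; must differ from the native VLAN on Gi1/34
 switchport trunk native vlan 999
 ! Trusted VLAN 16 plus the CAS management VLAN 110, nothing else
 switchport trunk allowed vlan 16,110
!
! The untrusted VLAN exists at Layer 2 only. An SVI here would let
! clients route around the CAS, so remove it if one exists.
vlan 96
 name NAC-Untrusted
no interface Vlan96
!
! Assumed: the clients' default gateway (10.16.0.254 in the thread)
! is an SVI on the trusted VLAN; the CAS bridges VLAN 96 to VLAN 16.
interface Vlan16
 ip address 10.16.0.254 255.255.0.0
!
! User access ports sit in the untrusted VLAN so every client frame,
! including its first DHCP request, has to pass through the CAS.
! Gi1/1 is an assumed port; the thread does not show the user ports.
interface GigabitEthernet1/1
 description User port
 switchport
 switchport mode access
 switchport access vlan 96
 spanning-tree portfast
```

Verify with `show interfaces trunk` that Gi1/34 lists only VLAN 96 and Gi1/33 only VLANs 16 and 110, and with `show ip interface brief` that no Vlan96 SVI remains.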



namnt2604 Mon, 02/02/2009 - 23:49

Hi daladen,


I have removed the static routes from my configuration and also did the following:

- made sure there is no interface for VLAN 96
- the native VLANs on the trunks differ from each other
- only the untrusted VLAN is allowed on the untrusted trunk; the trusted VLAN and the CAS management VLAN are allowed on the trusted trunk

However, my NAC system is still not operating! I think the problem is that when PCs connect to the network, they are immediately given IPs from the Access VLAN (16), so they always pass through the CAS without being blocked (I have set "deny all" on the CAS server).

Another problem is that with this modified configuration the clients cannot access the web interface of the CAS via HTTPS.

Could you please give me some other advice? Thank you so much!

