NAC OOB L2 VG Managed Subnet

szekahungdanny
Level 1

I have configured an OOB Virtual Gateway. However, the CAS fails to detect the client and redirect it to the login web page.

Sometimes when I change the managed subnet, it works...

I wonder what exact IP address should be typed into the managed subnet?

Suppose I have 10 trusted VLANs (10, 11, 12, 13, ...), and I create 10 related untrusted VLANs (20, 21, 22, 23, ...).

IP address for VLAN 10: 192.168.10.0/24

IP address for VLAN 11: 192.168.11.0/24

IP address for VLAN 12: 192.168.12.0/24

IP address for VLAN 13: 192.168.10.0/24

I have tried the 4.1.x version of CAM/CAS; that page allowed us to input a subnet address.

However, in 4.5.x or above, we must input a host IP address. Now I have upgraded to version 4.7.2; what IP address and VLAN should I type into this page?

192.168.10.254/24 VLAN20

192.168.11.254/24 VLAN21

192.168.12.254/24 VLAN22

192.168.13.254/24 VLAN23

or

192.168.10.254/24 VLAN10

192.168.11.254/24 VLAN11

192.168.12.254/24 VLAN12

192.168.13.254/24 VLAN13

Also, I want to ask about the Network page of the CAS. Should the "Set management VLAN ID" of the untrusted interface be set to "0", left blank, or set to one of the trusted VLANs?

I'm a green hand in NAC... hope someone can guide me. Many thanks.

13 Replies

Faisal Sehbai
Level 7

Hi,

Always use IP addresses for Managed Subnet entries, and never the subnet address.

As for setting management VLANs, except for some corner cases, it should be nothing on the untrusted side.

HTH,

Faisal

How about the VLAN in the managed subnet? Should it be the untrusted or the trusted VLAN?

Failed to get an IP address from the DHCP server...

I added VLAN mapping in the VLAN mapping tab:

VLAN 1 is the trusted VLAN, VLAN 240 is the untrusted VLAN

VLAN 110 is the trusted VLAN, VLAN 241 is the untrusted VLAN

I also added managed subnets as follows:

168.18.0.0 255.255.0.0 vlan 1

192.168.210.0 255.255.255.0 vlan 110

Traffic Control as follows:

Unauthenticated role

Default <-- DNS* Allow DHCP and DNS

The DHCP server is located in VLAN 1 (168.18.0.x).

VLAN 110 needs to go through a gateway with an ip helper-address to 168.18.0.x.

Would the ip helper-address make VLAN 241 fail to get an IP?

Is there anything special to do in CAM/CAS so that VLAN 241 can get an IP from the DHCP server 168.18.0.x?

Hi,

Change those networks to an IP in those networks, so for example 168.18.0.0 255.255.0.0 should be 168.18.0.254.

The VLAN tag should be that of the untrusted VLAN, so in this case VLAN 1, and if you can, please move away from VLAN 1 and use something else.

There isn't anything special required for DHCP to work other than a correct managed subnet and VLAN mapping.

HTH,

Faisal

Oh... maybe my explanation is not clear... It should be VLAN 240 as untrusted; VLAN 1 is trusted.

I knew from the installation guide that VLAN 1 is not recommended, but in my case I can't move it away from the user access (trusted) VLAN.

trust    untrust
------   ----------
vlan1    vlan240

Using any UNUSED IP address as the virtual gateway in the managed subnet, with the related untrusted VLAN ID.

for example,

Managed Subnet
-------------------------
168.18.0.254 255.255.0.0 vlan 240

Should I configure an ARP entry too?

ARP entries (I saw in the installation guide that the entries would be created automatically... how to verify that? Because there are no entries in the ARP tab):
----------------
168.18.0.254 eth1 ????

Also, should I not select "L3 enable"?

Hello,

No need to set ARP entries. They are done automatically. If your setup is L2 only, then there's no need to enable L3 also. Enabling it won't make a difference for your L2 clients.

To see the arp entries on a CAS, use the command: cat /proc/click/intern_arpq/table (see entries on untrusted side) or cat /proc/click/extern_arpq/table (to see entries on the trusted side)

HTH,

Faisal
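A sanity check for the managed-subnet rules given in the replies above (an added example, not Cisco's code or anything posted in the thread): an entry must be an unused host IP inside the subnet, never the network address, and must carry the untrusted VLAN from the VLAN mapping. The VLAN mapping is taken from the thread; the set of in-use addresses is a constructed sample.

```python
"""Sanity-check NAC Appliance (CAS) OOB L2 VG managed-subnet entries.

Added example, not Cisco code. Rules from the thread:
 - a managed subnet entry is an unused *host* IP inside the subnet,
   not the network (or broadcast) address;
 - its VLAN tag is the untrusted VLAN from the CAS VLAN mapping.
"""
from ipaddress import ip_interface

# VLAN mapping as entered on the CAS: trusted -> untrusted (from the thread)
VLAN_MAPPING = {1: 240, 110: 241}

# Constructed sample of addresses already in use on those networks
# (e.g. SVI gateways, DHCP server); the virtual gateway IP must not collide.
IN_USE = {"168.18.0.1", "168.18.0.10", "192.168.210.1"}


def check_managed_subnet(entry, vlan, mapping=VLAN_MAPPING, in_use=IN_USE):
    """Return a list of problems for one entry ('ip/prefix', vlan).

    An empty list means the entry follows the rules from the thread.
    """
    problems = []
    iface = ip_interface(entry)          # accepts host bits, unlike ip_network
    net = iface.network
    if iface.ip == net.network_address:
        problems.append(f"{iface.ip} is the network address; use a host IP")
    elif iface.ip == net.broadcast_address:
        problems.append(f"{iface.ip} is the broadcast address; use a host IP")
    if str(iface.ip) in in_use:
        problems.append(f"{iface.ip} is already in use; pick an unused IP")
    if vlan in mapping:                   # a trusted VLAN was given
        problems.append(f"VLAN {vlan} is trusted; use its untrusted VLAN {mapping[vlan]}")
    elif vlan not in mapping.values():
        problems.append(f"VLAN {vlan} is not in the VLAN mapping")
    return problems


if __name__ == "__main__":
    # The first entry is the form the poster tried; the others follow the rules
    for entry, vlan in [("168.18.0.0/16", 1),
                        ("168.18.0.254/16", 240),
                        ("192.168.210.254/24", 241)]:
        print(entry, vlan, check_managed_subnet(entry, vlan) or "ok")
```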

Yes... ARP would not allow me to add it since it conflicts with the managed subnet...

I still have not had a chance to go down to the server room and take a look at the ARP entries. But I will do this next Monday.

Thanks for your reply. However, I still could not get any IP from the DHCP servers.

I wonder why there is NO untrusted VLAN that can get an IP from the DHCP server NOW.

The attached file is captured from real case.

I am just using 2 VLANs for testing now.

pic 1 - pic 6:

Only L2 is OK... I have unchecked "L3 enable" already.

168.18.0.0/16 = VLAN1 <--> VLAN240

192.168.210.0/24 = VLAN110 <--> VLAN241

I took 2 unused IP addresses, 168.18.1.210/16 and 192.168.210.254/24, as the managed subnets.

The unauthenticated role is allowed UDP/DHCP by default...

Could you explain what I have wrong in the configuration?

Uncheck the "Enable subnet-based VLAN retag" option, reboot your CAS and try again.

HTH,

Faisal

Help!! It still fails to get an IP for any untrusted VLAN.

If I set the port as uncontrolled, the PC normally receives an IP for the related VLAN.

So, all VLANs (including "untrusted") are normally configured on all switches located on the paths from the CAS/CAM.

I attached a screen dump for further help!! Many thanks.

Successfully getting an IP NOW... because some VTP was set to transparent and couldn't learn all VLANs.

Even so... I face some issues. Since the user flat network is big enough to cover a thousand switches, I find some characteristics...

The big flat network is using a "3750 stack" as the core switch. The version of IOS is 12.2(25). I did check with the doc.

Extracted as below:

Stacked Cisco Catalyst 3750 Switches and NAC Appliance Out-of-Band Deployment

For Cisco Clean Access (NAC Appliance) customers with OOB deployments running stacked Cisco Catalyst 3750 switches with Cisco IOS 12.2(25) SEC2 or lower, SNMP mac-notifications can fail, and SNMP does not report MAC addresses to the OOB Clean Access Manager and Server.

So... my question is:

Although this switch might fail to send SNMP notifications to the CAS/CAM, would all other switches connected to this 3750 also fail to report SNMP notifications?

In my case, it seems that all switches connected away from the switch connected to the CAS/CAM succeed in performing login and authentication via the CAS. However, all switches connected to this core 3750 fail to perform the login... there is not even a login page.

SW1 --- 3750 -- SW2 --- SW3 --CAS & CAM

SW2 and SW3 can successfully perform CAS login.

SW1 fails to get the login page and fails to authenticate, but can get DHCP and is stuck in the untrusted VLAN.

Hi,

Please post a network diagram of what you're working with. Mark the VLANs and IP addresses and post the switch configurations of the switches in question.

Thanks,

Faisal

Got it from the SSH console...

cat /proc/click/intern_arpq/table (see entries on untrusted side)  <-- No entries

cat /proc/click/extern_arpq/table (to see entries on the trusted side) <-- Many Entries

Why are there no entries in intern_arpq/table?

And is it correct?

Failed to get an IP X.X

Also, more info:

CAS is using vlan 228 (192.168.228.0/24)

CAM is using vlan 229 (192.168.229.0/24)

They are individual VLANs and use the 3750 for inter-VLAN routing to the other VLANs.

Hi to All,

I would like to ask for some help with my NAC appliance. Currently I'm setting up the NAC appliance. I'm just having trouble with what IP address I should use for the managed subnet. I have set up the trusted VLAN as it exists in our network, but what about the untrusted VLAN? Should I make new IP addresses for it and put them in the untrusted VLAN? I don't know if I made it correctly, but I cannot get an IP address every time I change the switchport to the port profile I made. Please, can you guys help me? I just need to know it for my project. Thanks.
