My centralized CCA deployment is not working. I am using a Cat3560 as my central switch with both CAS interfaces connecting to it.
The switch is running 12.2(25)SEE2 and the CCA servers 3.6.4
The layout is as described below:
CAS e0 connected to 3560 via dot1q trunk carrying VLANs 960 (CAS mgt) and 60 (access)
CAS e1 connected to 3560 on VLAN 160 (authentication)
Client machine connected to 3560 on VLAN 160
CAM connected to 3560 on VLAN 33
DHCP server connected to 3560 on VLAN 33
CAT 3560 SVIs VLAN 960-10.9.60.1, VLAN 60-10.60.1.1, VLAN 33-10.33.1.1
CAS configured for Virtual Gateway, managed VLAN 160 ip address 10.60.1.2, VLAN mapping 160 to 60
The client machine cannot even get a DHCP address when brought up on VLAN 160.
Is there something I am missing?
Also, should you be able to ping the 10.60.1.2 address on the CAS?
No, this is in-band virtual gateway. Even so, both CAS interfaces have the same IP address as shown in the configuration documentation. As I said earlier, the interfaces are on separate VLANs, with the e0 interface on a trunk with the access VLAN and the CAS management VLAN configured.
Have you configured the CAS for DHCP forwarding?
The CAS should be on a different VLAN than the user or access VLAN, in particular for a Virtual Gateway. Your access VLAN is 60, and you can use a different VLAN for the CAS.
Yes, the CAS is configured for DHCP forwarding, and the CAM, as well as both interfaces on the CAS, are on separate 3560 VLANs.
The Cisco CCA engineer I have been working with said that the CAS and CAM configurations are correct.
Has anyone out there successfully tested virtual gateway on a 3560?
Would you be so kind as to detail the layout and configuration details of the test set you had? I'm sure there is something simple being missed with our setup, and hopefully, with you info, we can figure it out.
I use Visio if you have any documents you could share.
I am also deploying CCA In-Band. My confusion comes with the documentation on VG In-Band configuration. The product documentation clearly states that in VG In-Band connected to the same switch, eth0 and eth1 should be on different VLANs, and does not go into any more details. However, for VG OOB, the documentation goes into details similar to your configuration. I've been trying to find out if the same level of configuration is required for VG In-Band, or is the documentation stating different VLANs on the same switch all that's needed? Confusing documentation, because I've talked to TAC and was told to follow the same configs for IB or OOB, but the Cisco Systems Engr did not indicate the same level of VLAN mapping config for IB that's required for OOB.
I found my problem... I was attempting to send traffic to the untrusted CAS interface from a simple switched port, rather than a dot1q trunk port. Because I was using VLAN mapping, and the switched port strips the VLAN tag prior to sending traffic, the CAS was never seeing the untrusted-side VLAN information, and the traffic never made it past the CAS.
Once I configured the untrusted-side port as a dot1q trunk, the traffic flowed as expected.
This was true even though I was only passing a single VLAN to the untrusted side of the CAS. I "allowed" only the single VLAN over the trunk.
This makes perfect sense, but it might save some folks a bit of head scratching if it were explicitly brought out in the documentation.
Thanks for all previous replies!
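The 3560 port configuration that matches the fix described in the post above, added here as an illustration rather than taken from the original thread. The VLAN numbers are the ones used in this thread; the interface numbers are assumed, and the CAS-side VLAN mapping (160 to 60) is configured on the CAS itself, not on the switch.

```cisco
! Trusted side: CAS eth0 on a dot1q trunk carrying the CAS management VLAN (960)
! and the access VLAN (60). Interface number is an assumption.
interface FastEthernet0/1
 description CAS eth0 (trusted) - trunk, VLANs 960 and 60
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 60,960
 switchport mode trunk
 spanning-tree portfast trunk
!
! Untrusted side: this is the port that was originally an access port in VLAN 160.
! An access port strips the 802.1q tag, so the CAS never saw the VLAN it was
! supposed to map. Making it a trunk that allows only VLAN 160 keeps the tag on
! every frame. The native VLAN is left at the default (1) and is not in the
! allowed list, so nothing reaches the CAS untagged.
interface FastEthernet0/2
 description CAS eth1 (untrusted) - trunk, VLAN 160 only
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 160
 switchport mode trunk
 spanning-tree portfast trunk
!
! Client port stays a plain access port in the authentication VLAN; its untagged
! frames are tagged as VLAN 160 when the switch forwards them over the trunk above.
interface FastEthernet0/3
 description client - authentication VLAN 160
 switchport mode access
 switchport access vlan 160
 spanning-tree portfast
!
! The switch must NOT route VLAN 160; the CAS is the only path from 160 to 60.
! Only the trusted-side VLANs carry SVIs on the 3560.
interface Vlan60
 ip address 10.60.1.1 255.255.255.0
!
interface Vlan960
 ip address 10.9.60.1 255.255.255.0
```

A quick check after applying this: `show interfaces trunk` on the 3560 should list Fa0/2 with VLAN 160 as the only allowed and active VLAN, and `show vlan id 160` should show no SVI for it.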
I am having similar problems implementing VGOOB using 2960 as edge and 6509 as core. Is there any chance that you could document your findings and configurations that you deployed on all components. Also, were you using AD SSO as I can't seem to get that working either. The furthest I get is the local challenge at port level. I can however see my CAS and Switches from the CAM OK.
Your help would be greatly appreciated.