Cisco Support Community
Community Member

NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

Hello,

I am currently configuring a NAC deployment based on Out-of-Band (OOB) with Virtual Gateway. Can someone please verify my configs below:

Core Switch:
------------------------------------
VLAN DB:
----------------
!
vlan 10
name VLAN_DEPT1
!
vlan 11
name VLAN_DEPT2
!
vlan 20
name VLAN_DEPT3
!
vlan 26
name VLAN_DEPT4
!
vlan 27
name VLAN_DEPT5
!
vlan 28
name VLAN_DEPT6
!
vlan 29
name VLAN_DEPT7
!
vlan 30
name VLAN_DEPT8
!
vlan 32
name VLAN_DEPT9
!
vlan 50
name VLAN_NetMGT
!
vlan 51
name VLAN_CAS_MGT
!
vlan 52
name VLAN_CAM_MGT
!
vlan 210
name VLAN_DEPT1_Auth
!
vlan 211
name VLAN_DEPT2_Auth
!
vlan 220
name VLAN_DEPT3_Auth
!
vlan 226
name VLAN_DEPT4_Auth
!
vlan 227
name VLAN_DEPT5_Auth
!
vlan 228
name VLAN_DEPT6_Auth
!
vlan 229
name VLAN_DEPT7_Auth
!
vlan 230
name VLAN_DEPT8_Auth
!
vlan 232
name VLAN_DEPT9_Auth
!

Interface Configs
--------------------
interface GigabitEthernet3/41
description "Link to Cisco CAM-PRI eth0"
switchport access vlan 52
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
!
interface GigabitEthernet3/42
description "Link to Cisco CAM-FO eth0"
switchport access vlan 52
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
!
interface GigabitEthernet3/43
description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport mode trunk
switchport trunk allowed vlan 210,211,220,226-230,232
!
interface GigabitEthernet3/44
description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport mode trunk
switchport trunk allowed vlan 210,211,220,226-230,232
!
interface GigabitEthernet3/46
description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
switchport trunk allowed vlan 10,11,20,26-30,32,50-51
!
interface GigabitEthernet3/48
description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
switchport trunk allowed vlan 10,11,20,26-30,32,50-51
!
interface GigabitEthernet1/1
description "Trunk link to DEPT1 Access SW"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
!
!------- Example of VLAN Interface --------
interface Vlan10
description "DEPT1 VLAN"
ip address x.x.10.1 255.255.255.0
ip helper-address x.x.50.5
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
!------- No VLAN Interface for AUTH VLAN 210 --------
*
*
*

Access Switch Configuration
-----------------------------------
interface GigabitEthernet0/1
description "Trunk Link to Core Switch"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
no ip address
!
interface GigabitEthernet0/6
switchport access vlan 30
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
!
=========================================

Is the above config correct?

Thanks

1 ACCEPTED SOLUTION

Community Member

Re: NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

The config looks OK, but we recommend using bogus native VLANs on the trusted and untrusted trunk ports.

When you put the client machine on gig 0/6, make sure it is moving the VLAN from 30 --> 230.

Thanks,

Syed

3 REPLIES
Anonymous
N/A

Re: NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

Refer to the NAC configuration guide for more information. Go to device management and look for the configuration.

Community Member

Re: NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

Hi,

By bogus I assume you mean something like:

interface Vlan700
description "BIT BUCKET for unused ports"
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
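As an added example that is not part of this thread and not a Cisco tool, the Python script below reads an IOS-style config like the one posted above and checks the three points the replies turn on: that each trunk's native VLAN is "bogus" (not carried on that trunk, and any SVI for it is shut down like the Vlan700 bit bucket), that each access VLAN N has an Auth VLAN N+200 carried on the untrusted trunk while N rides the trusted trunk (the 30 --> 230 move Syed mentions), and that no Auth VLAN has an SVI, since a routed Auth VLAN would let unauthenticated hosts reach the network without passing through the CAS. The sample config inside is constructed (a trimmed copy of the poster's layout), the N+200 numbering is assumed from the thread's VLAN names, and the trusted/untrusted role of a trunk is taken from its description.

```python
"""Audit an IOS config for the OOB virtual-gateway layout in this thread.
Hypothetical helper, not a Cisco tool.  Checks that trunk native VLANs are
bogus (not carried on the trunk, no live SVI), that access VLAN N has Auth
VLAN N+200 on the untrusted trunk and N on the trusted trunk, and that no Auth
VLAN has an SVI.  The N+200 mapping is assumed from the thread's naming."""
import re

AUTH_OFFSET = 200  # VLAN 30 <-> Auth VLAN 230, as in the thread

def expand_vlan_list(spec):
    """'10,26-28' -> {10, 26, 27, 28}, the form IOS uses in allowed lists."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_ios(text):
    """Return (vlans, interfaces): vlan id -> sub-lines, interface -> sub-lines."""
    vlans, intfs, cur = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if re.fullmatch(r"vlan \d+", line):
            cur = vlans[int(line.split()[1])] = []
        elif line.startswith("interface "):
            cur = intfs[line.split()[1]] = []
        elif not line or line.startswith("!"):
            cur = None
        elif cur is not None:
            cur.append(line)
    return vlans, intfs

def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    vlans, intfs = parse_ios(text)
    svis = {int(n[4:]): ls for n, ls in intfs.items() if n.lower().startswith("vlan")}
    carried = {"trusted": set(), "untrusted": set()}  # VLANs riding each CAS trunk
    access, findings = set(), []
    for name, lines in intfs.items():
        native, allowed, role = 1, None, None  # IOS defaults: native 1, all VLANs
        for l in lines:
            if l.startswith("switchport access vlan "):
                access.add(int(l.split()[-1]))
            elif l.startswith("switchport trunk native vlan "):
                native = int(l.split()[-1])
            elif l.startswith("switchport trunk allowed vlan "):
                allowed = expand_vlan_list(l.split()[-1])  # plain list form only
            elif l.startswith("description") and "trusted" in l.lower():
                role = "untrusted" if "un-trusted" in l.lower() else "trusted"
        if "switchport mode trunk" not in lines:
            continue
        if role and allowed is not None:
            carried[role] |= allowed
        if native == 1 or (allowed is not None and native in allowed):
            findings.append(f"{name}: native VLAN {native} is not a bogus VLAN")
        if native in svis and "shutdown" not in svis[native]:
            findings.append(f"{name}: native VLAN {native} has a live SVI")
    for v in sorted(access):
        auth = v + AUTH_OFFSET
        if auth not in vlans:
            findings.append(f"access VLAN {v}: Auth VLAN {auth} is not defined")
        if auth not in carried["untrusted"]:
            findings.append(f"Auth VLAN {auth}: not carried on the untrusted trunk")
        if v not in carried["trusted"]:
            findings.append(f"access VLAN {v}: not carried on the trusted trunk")
    for v in sorted(vlans):
        if v - AUTH_OFFSET in vlans and v in svis:
            findings.append(f"Auth VLAN {v}: has an SVI, hosts could bypass the CAS")
    return findings

# Constructed sample, a trimmed copy of the thread's core-switch layout.
GOOD_CONFIG = """\
vlan 30
 name VLAN_DEPT8
vlan 230
 name VLAN_DEPT8_Auth
interface GigabitEthernet3/43
 description "Trunk to CAS eth1 / UN-Trusted Network"
 switchport trunk native vlan 777
 switchport mode trunk
 switchport trunk allowed vlan 230
interface GigabitEthernet3/46
 description "Trunk to CAS eth0 / Trusted Network"
 switchport trunk native vlan 700
 switchport mode trunk
 switchport trunk allowed vlan 30,50-51
interface GigabitEthernet0/6
 switchport access vlan 30
 switchport mode access
interface Vlan700
 description "BIT BUCKET for unused ports"
 no ip address
 shutdown
"""
# Same config with three mistakes: native VLAN also carried on the trunk,
# an access VLAN with no Auth VLAN, and a routed SVI on an Auth VLAN.
BAD_CONFIG = (GOOD_CONFIG.replace("native vlan 777", "native vlan 230")
              .replace("access vlan 30", "access vlan 20")
              + "interface Vlan230\n ip address 192.0.2.129 255.255.255.128\n")
```

`audit(GOOD_CONFIG)` returns an empty list; `audit(BAD_CONFIG)` returns six findings, the first being that the untrusted trunk's native VLAN 230 is also in its allowed list. The parser only understands the plain `switchport trunk allowed vlan <list>` form (not the `add`/`remove`/`except` variants), and an unconfigured native VLAN is reported because IOS then defaults it to VLAN 1.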
