05-20-2009 11:32 AM - edited 02-21-2020 03:28 AM
NAC policy is being enforced on a Cisco switch. If a non-Cisco switch is connected to that Cisco switch, can NAC policy be implemented on the non-Cisco switch?
05-21-2009 10:39 AM
Need more info please.
In-band? Out-of-band? NAC Appliance?
05-22-2009 01:12 AM
Hello,
I am using NAC Appliance 3310 Server - max 500 users and NAC Appliance 3310 Manager - max 3 Servers in in-band mode.
05-22-2009 01:18 AM
You can do that only if you are deploying NAC in in-band mode. You cannot enforce policies on non-Cisco switches in out-of-band mode.
So if NAC is deployed in in-band mode, your answer is yes.
If NAC is deployed in out-of-band mode, your answer is no.
05-22-2009 02:28 AM
Then assume I have a Linksys, 3Com, peabirdp or HP ProCurve switch: how can I configure those switches for SNMP mac-notification and link down for the switch to alert the NAS?
05-22-2009 02:41 AM
SNMP mac-notification and link up/down are used only in out-of-band.
For non-Cisco switches you MUST go for in-band. The idea is to force all the traffic coming from these switches to go through the NAC server. At all times (before and after being trusted), all the traffic will go through the NAC server.
You also have to note that a NAC server box can work either in in-band mode OR in out-of-band mode, but not the 2 at the same time. So you have to either go for in-band for all your traffic coming from all your switches, or use 2 different NAC servers: 1 which will be configured in in-band mode (for your non-Cisco switches), and another one which will be configured in out-of-band mode (for your Cisco switches).
You can find a step-by-step guide on how to configure NAC in in-band mode here: http://tools.cisco.com/cmn/jsp/index.jsp?id=55785
09-17-2010 06:31 PM
Dear Sir,
We have Cisco NAC installed on our network and found out that in in-band mode the access speed is half that of the out-of-band speed.
Could you please highlight for us why this is happening? Is there any solution to this problem?
Thanks and Regards,
09-20-2010 06:56 AM
Liyas,
In in-band mode, all your traffic from all your clients is going through the CAS, so the CAS can become a choke-point. With OOB setups, the initial traffic goes through the CAS, and after authentication/posture you are moved to the core network directly.
HTH,
Faisal