NAC.OOB.L2.Real IP GW.dhcp-relay issue.

Hello.

I have a CAM (manager) which is configured as an L2 OOB Real-IP gateway, central deployment.

Ethernet 0 (trusted) is L3 (IP address x.x.x.x).

Ethernet 1 (untrusted) is 802.1q, and several authentication VLANs (a, b, c, d) are connected to it.

Of course, managed subnets are configured for the auth VLANs on eth1.

The manager is configured as a DHCP relay.

Is it OK that the manager changes the DHCP packets to the DHCP server so that its Ethernet 0 IP address (x.x.x.x) becomes the source address of the requests to the DHCP server?

How can the DHCP server recognize auth VLAN a from auth VLAN b if all packets have the single source (x.x.x.x)?

Where could my mistake be?

Regards

4 REPLIES

Re: NAC.OOB.L2.Real IP GW.dhcp-relay issue.

Hello varnavsky!

You have to configure VLAN mapping (on the CAM) for all authentication VLANs! After authentication and posture validation, the NAC client won't get a new IP address, so the client has to have an IP address from the proper access VLAN. When you configure these VLAN mappings, the CAS always acquires an IP address from the proper range.

By(e) Miki


Re: NAC.OOB.L2.Real IP GW.dhcp-relay issue.

Hi, Mike.

I don't think so. VLAN mapping is NOT applicable to a Real-IP GW.

I've sniffed the DHCP requests from the auth VLANs to the DHCP server. They are all from the single IP address (NAC Server eth0, trusted). But inside there is the IP address of the untrusted interface, as the DHCP relay agent. ))

I've solved this issue. It's OK. =)
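
The behaviour described in this reply, as an added example that is not part of the original thread: a relay agent forwards the client's DISCOVER from its own trusted-side address, but writes the address of the interface the request arrived on into the BOOTP giaddr field, and the DHCP server selects the scope from giaddr (RFC 2131, section 4.3.1), not from the IP source. The addresses (CAS eth0 10.0.0.5, auth-VLAN relay interfaces 172.16.10.1 and 172.16.20.1) and the scope list are constructed for the example; the packet builder and parser are written here for illustration and are not code from Cisco NAC or any DHCP server.

```python
import ipaddress
import struct

# BOOTP fixed header (RFC 951 / RFC 2131): 236 bytes, then the DHCP magic cookie and options.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)  # 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST = 1
OPT_MSG_TYPE, OPT_PAD, OPT_END = 53, 0, 255
DHCPDISCOVER = 1

# Constructed addressing (assumption, not from the thread): the CAS trusted interface and the
# two auth-VLAN interfaces on eth1 whose addresses the relay places in giaddr.
CAS_ETH0 = "10.0.0.5"
AUTH_VLAN_RELAY = {"a": "172.16.10.1", "b": "172.16.20.1"}
AUTH_VLAN_SCOPES = [ipaddress.ip_network("172.16.10.0/24"),
                    ipaddress.ip_network("172.16.20.0/24")]


def build_relayed_discover(client_mac: bytes, giaddr: str, xid: int = 0x2A2A2A2A) -> bytes:
    """Return a DHCPDISCOVER payload as a relay agent forwards it to the server:
    hops incremented by one and giaddr set to the relay interface on the client's VLAN."""
    header = struct.pack(
        BOOTP_FMT,
        BOOTREQUEST, 1, 6, 1,               # op, htype=Ethernet, hlen, hops (relay added one)
        xid, 0, 0x8000,                     # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,    # ciaddr, yiaddr, siaddr: all zero in a DISCOVER
        ipaddress.IPv4Address(giaddr).packed,
        client_mac.ljust(16, b"\0"),        # chaddr, padded to 16 bytes
        b"\0" * 64, b"\0" * 128,            # sname, file
    )
    options = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return header + options


def parse_bootp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP option list into a dict."""
    if len(payload) < BOOTP_LEN + 4 or payload[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    f = struct.unpack_from(BOOTP_FMT, payload, 0)
    options = {}
    i = BOOTP_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": f[0],
        "hops": f[3],
        "xid": f[4],
        "giaddr": str(ipaddress.IPv4Address(f[10])),
        "chaddr": f[11][:f[2]],
        "options": options,
    }


def select_scope(ip_src: str, giaddr: str):
    """Choose a scope the way a DHCP server does: by giaddr when the request was relayed
    (giaddr != 0.0.0.0), otherwise by the address of the link it arrived on."""
    key = ipaddress.IPv4Address(ip_src if giaddr == "0.0.0.0" else giaddr)
    return next((net for net in AUTH_VLAN_SCOPES if key in net), None)


def scopes_seen_by_server() -> dict:
    """Relay one DISCOVER per auth VLAN, all with the same IP source (CAS eth0), and
    record which scope the server picks for each VLAN name."""
    chosen = {}
    for vlan, relay_ip in AUTH_VLAN_RELAY.items():
        pkt = build_relayed_discover(b"\x00\x11\x22\x33\x44\x55", relay_ip)
        parsed = parse_bootp(pkt)
        net = select_scope(CAS_ETH0, parsed["giaddr"])
        chosen[vlan] = str(net) if net else None
    return chosen


if __name__ == "__main__":
    print(scopes_seen_by_server())              # {'a': '172.16.10.0/24', 'b': '172.16.20.0/24'}
    print(select_scope(CAS_ETH0, "0.0.0.0"))    # None: the IP source alone matches no auth scope
```

The last line is the point of the thread: if the server keyed on the IP source, every VLAN would look the same (and here would match no scope at all); keying on giaddr gives each auth VLAN its own range. The practical check on a real deployment is the same as the reply's: capture on the server side and confirm giaddr carries the untrusted-interface address rather than 0.0.0.0, since a relay that leaves giaddr zeroed would make the server treat the request as local to eth0's subnet.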


Re: NAC.OOB.L2.Real IP GW.dhcp-relay issue.

Hi varnavsky!

You are right! I thought you were in VGW mode, so I'm sorry.

You mentioned you had solved this problem. How does it work in the end?

By(e) Miki


Re: NAC.OOB.L2.Real IP GW.dhcp-relay issue.

Hi, Mike.

Yes, it's done.

If you have any questions, I'll try to help you.

Today I'm fighting with AD + SSO + LDAP so that users can get a VLAN according to their OU in AD. There are still some problems.

And next week I'll try VLAN mapping in VGW mode. =)
