WLCM and NAC-NME configuration

Has anybody deployed WLCM and NAC-NME in the same ISR3800 box? What's the best practice, and is there any configuration example?

The customer has a small site with one 3825; one WLCM (interface Integrated-Service-Engine1/0) and one NAC-NME (interface Integrated-Service-Engine2/0) are installed in the 3825. GE0/0 of the 3825 connects to the internal L3 switch, and GE0/1 connects to the internet. One WLAN has been configured in the WLCM (version 6.0.188) and will be protected by the NAC-NME (version 4.6.1).

It is said that the NAC-NME does not support OOB mode and can only work in In-Band mode. Since Real IP Gateway mode has a lot of limitations, can the NAC-NME be configured in In-Band Virtual Gateway mode? If yes, how do I set up a Layer 2 connection between the WLCM (interface Integrated-Service-Engine1/0) and the untrusted interface (external G 0) of the NAC-NME?

What I can think of is:

Let me assume the quarantine VLAN of this WLAN is 310 and the real VLAN is 311, that the NAC-NME's untrusted interface (external G 0) and GE0/0 of the 3825 are connected to a 3750E L3 switch's G1/0/1 and G1/0/2, and that the untrusted interface management VLAN is 304 and the trusted interface management VLAN is 303. Then I can configure:

1. For 3825:

interface GigabitEthernet0/0.310
 encapsulation dot1Q 310
 bridge-group 1
!
interface GigabitEthernet0/0.311
 encapsulation dot1Q 311
 bridge-group 2
!
interface Integrated-Service-Engine1/0.310
 encapsulation dot1Q 310
 no ip address
 bridge-group 1
!
interface Integrated-Service-Engine1/0.311
 encapsulation dot1Q 311
 no ip address
 bridge-group 2
!
bridge 1 protocol ieee
!
bridge 2 protocol ieee
!

2. For 3750E:

interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 304,310,311
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 310,311
 switchport mode trunk
!

But how do I configure interface Integrated-Service-Engine2/0 of the 3825, which is connected to the trusted interface of the NAC-NME?

interface Integrated-Service-Engine2/0.303
 encapsulation dot1Q 303
 ip address x.x.x.x
!
interface Integrated-Service-Engine1/0.311
 encapsulation dot1Q 311
 ip address y.y.y.y
!

3. The NAC-NME will be configured with VLAN mapping 310 <--> 311.

I have not tested these configurations (I don't have access to the 3825 yet, but will be able to access it next week), but I'm afraid that since GigabitEthernet0/0.311 of the 3825 has been configured as a bridge port, maybe Integrated-Service-Engine1/0.311 can't be configured as an L3 port.

Is there anything else that needs to be configured? Or is there any other, better design and configuration example? Any input is highly appreciated!
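
An added check, not part of the original post, that parses the proposed 3825 stanzas (re-typed as a constructed sample with placeholder addresses) and flags the two things worth verifying before the config is applied: a subinterface that is both a bridge-group member and an IP interface (the Integrated-Service-Engine1/0.311 conflict the poster worries about), and any bridge group that does not pair exactly two subinterfaces on the same VLAN. The function names are my own.

```python
from collections import defaultdict

# Constructed sample: the poster's proposed 3825 stanzas, including the second
# Integrated-Service-Engine1/0.311 stanza from the post (address is a placeholder).
ROUTER_CONFIG = """
interface GigabitEthernet0/0.310
 encapsulation dot1Q 310
 bridge-group 1
interface GigabitEthernet0/0.311
 encapsulation dot1Q 311
 bridge-group 2
interface Integrated-Service-Engine1/0.310
 encapsulation dot1Q 310
 no ip address
 bridge-group 1
interface Integrated-Service-Engine1/0.311
 encapsulation dot1Q 311
 no ip address
 bridge-group 2
interface Integrated-Service-Engine1/0.311
 encapsulation dot1Q 311
 ip address 192.0.2.1 255.255.255.0
"""

def parse_interfaces(text):
    """Group IOS-style config lines by interface; a repeated stanza is merged."""
    blocks, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current and line and not line.startswith("!"):
            blocks[current].append(line)
    return blocks

def check_bridge_plan(text):
    """Return findings: L2/L3 conflicts and bridge groups that do not pair one VLAN."""
    findings, members = [], defaultdict(list)  # bridge-group -> [(intf, vlan)]
    for name, lines in parse_interfaces(text).items():
        vlan = next((l.split()[2] for l in lines if l.startswith("encapsulation dot1Q")), None)
        group = next((l.split()[1] for l in lines if l.startswith("bridge-group")), None)
        if group:
            members[group].append((name, vlan))
        if group and any(l.startswith("ip address") for l in lines):
            findings.append(f"{name}: bridge-group {group} combined with an ip address")
    for group, ports in members.items():
        if len(ports) != 2 or len({v for _, v in ports}) != 1:
            findings.append(f"bridge-group {group}: expected two subinterfaces on one VLAN, got {ports}")
    return findings
```

Running `check_bridge_plan(ROUTER_CONFIG)` reports only the Integrated-Service-Engine1/0.311 conflict; the two bridge groups each pair one VLAN as intended.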
