topic Re: Problem with NAC IB VG in Network Security

Problem with NAC IB VG

namnt2604 — Fri, 21 Feb 2020 11:13:02 GMT

Hi there,

I'm deploying NAC IB VG, but got the problem as the following:

My diagram:

..............FWSW

...............|

user -- Core sw -- NACmanager

.............|...|

...........NAC server

and the configuration for Core sw:

interface GigabitEthernet1/33

description To Trusted

switchport

switchport trunk encapsulation dot1q

switchport mode trunk

interface GigabitEthernet1/34

description To Untrusted

switchport

switchport trunk encapsulation dot1q

switchport mode trunk

There are also many other trunk ports on Core sw, so traffic from user vlan always uses other trunk ports (it does not use port connecting to untrusted NAC server) to go to outside. How can I resolved this problem ?

Much appreciate your replying!

Re: Problem with NAC IB VG

namnt2604 — Sun, 18 Jan 2009 04:37:40 GMT

My configuration on NAC server:

- Trusted interface:

IP: 10.0.9.131

Sub: 255.255.255.240

Default GW: 10.0.9.129

Management VLAN: 110

- Untrusted interface:

IP: 10.0.9.131

Sub: 255.255.255.240

Default GW: 10.0.9.129

- Managed Subnet:

10.16.0.199 / 255.255.0.0 / vlan 96

- Mapping vlan:

Untrusted: 96

Trusted: 16

- Static route:

Subnet: 10.16.0.0/ 16

Gateway: 10.16.0.254

Link: untrusted

My configuration is wrong ?Anyone can help me?

Re: Problem with NAC IB VG

Daniel Laden — Sun, 01 Feb 2009 20:25:12 GMT

Take a look at the chalk talk series

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

- in a L2 VGW solution, static routes are not used.

-confirm there is not L3 interface on the core switch for vlan 96

-change the native vlan on the trunks into the CAS to be different from each other. Default is for a port to use native vlan 1.

-on the untrusted trunk, only allow the untrusted vlan.

- on the trusted trunk, only allow the trusted vlan and vlan associated with CAS management.

Re: Problem with NAC IB VG

namnt2604 — Tue, 03 Feb 2009 07:49:18 GMT

Hi daladen,

I have removed static routes in my configuration and also do something like:

- sure that don't have interface for vlan 96

- native vlan on trunks is different from each other

- just allow untrusted vlan on the untrusted trunk; allow trusted vlan and CAS management vlan on the trusted vlan

However, my NAC system is still not operating! I think the problem is that when PCs connect to the network, they are immediately gave IPs of Access Vlan (16), so they always pass though CAS without blocking (I have been set "deny all" on CAS server).

An other problem is that with this modified configuration the clients could not access to web interface of CAS via https.

Could pls give me some other advices? Thank you so much!