07-24-2007 02:35 AM - edited 02-21-2020 01:37 AM
Hello,
I am currently configuring a NAC deployment based on Out-of-Band (OOB) with Virtual Gateway. Can someone please verify my configs below:
Core Switch:
------------------------------------
VLAN DB:
----------------
!
vlan 10
name VLAN_DEPT1
!
vlan 11
name VLAN_DEPT2
!
vlan 20
name VLAN_DEPT3
!
vlan 26
name VLAN_DEPT4
!
vlan 27
name VLAN_DEPT5
!
vlan 28
name VLAN_DEPT6
!
vlan 29
name VLAN_DEPT7
!
vlan 30
name VLAN_DEPT8
!
vlan 32
name VLAN_DEPT9
!
vlan 50
name VLAN_NetMGT
!
vlan 51
name VLAN_CAS_MGT
!
vlan 52
name VLAN_CAM_MGT
!
vlan 210
name VLAN_DEPT1_Auth
!
vlan 211
name VLAN_DEPT2_Auth
!
vlan 220
name VLAN_DEPT3_Auth
!
vlan 226
name VLAN_DEPT4_Auth
!
vlan 227
name VLAN_DEPT5_Auth
!
vlan 228
name VLAN_DEPT6_Auth
!
vlan 229
name VLAN_DEPT7_Auth
!
vlan 230
name VLAN_DEPT8_Auth
!
vlan 232
name VLAN_DEPT9_Auth
!
!
Interface Configs
--------------------
interface GigabitEthernet3/41
description "Link to Cisco CAM-PRI eth0"
switchport access vlan 52
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
!
interface GigabitEthernet3/42
description "Link to Cisco CAM-FO eth0"
switchport access vlan 52
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
!
interface GigabitEthernet3/43
description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport mode trunk
switchport trunk allowed vlan 210,211,220,226-230,232
!
interface GigabitEthernet3/44
description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport mode trunk
switchport trunk allowed vlan 210,211,220,226-230,232
!
interface GigabitEthernet3/46
description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
switchport trunk allowed vlan 10,11,20,26-30,32,50-51
!
interface GigabitEthernet3/48
description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
switchport trunk allowed vlan 10,11,20,26-30,32,50-51
!
!
interface GigabitEthernet1/1
description "Trunk link to DEPT1 Access SW"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
!
!------- Example of VLAN Interface --------
interface Vlan10
description "DEPT1 VLAN"
ip address x.x.10.1 255.255.255.0
ip helper-address x.x.50.5
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
!------- No VLAN Interface for AUTH VLAN 210 --------
*
*
*
Access Switch Configuration
-----------------------------------
interface GigabitEthernet0/1
description "Trunk Link to Core Switch"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
no ip address
!
!
interface GigabitEthernet0/6
switchport access vlan 30
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
!
=========================================
Is the above config correct?
Thanks
08-09-2007 07:47 AM
The config looks ok, but we recommend using bogus native VLANs on the trusted and untrusted trunk ports.
When you put the client machine on Gig 0/6, make sure it is moving the VLAN from 30 --> 230.
Thanks,
Syed
07-30-2007 06:12 AM
Refer to the NAC configuration guide for more information. Go to device management and look for the configuration.
08-09-2007 11:45 PM
Hi,
By bogus I assume you mean something like:
interface Vlan700
description "BIT BUCKET for unused ports"
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown
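As an added example (not from the thread or from Cisco), a small Python audit of the OOB virtual-gateway rules the thread settles on: each department VLAN has an Auth VLAN 200 above it, Auth VLANs ride only the untrusted trunk, the trunk native VLANs are bogus, and no SVI exists on an Auth VLAN. The sample config is constructed from the posted one; the +200 pairing and the "UN-Trusted" description tag are assumptions taken from that post.

```python
# Constructed sample condensed from the thread's configs: one department (VLAN 30, Auth VLAN 230).
SAMPLE = """vlan 30
 name VLAN_DEPT8
vlan 230
 name VLAN_DEPT8_Auth
interface GigabitEthernet3/43
 description Trunk to CAS-PRI eth1 / UN-Trusted Network
 switchport trunk native vlan 777
 switchport trunk allowed vlan 230
interface GigabitEthernet3/46
 description Trunk to CAS-PRI eth0 / Trusted Network
 switchport trunk native vlan 700
 switchport trunk allowed vlan 30
"""
KEYS = {"description ": "desc", "switchport trunk native vlan ": "native",
        "switchport trunk allowed vlan ": "allowed", "ip address ": "ip"}

def expand(spec):  # IOS allowed-VLAN list '10,26-30' -> {10, 26, 27, 28, 29, 30}
    return {v for p in spec.split(",") if p
            for v in range(int(p.partition("-")[0]), int(p.partition("-")[2] or p) + 1)}

def parse(text):
    """Split IOS-style config into {vlan_id: name} and {interface: {field: value}}."""
    vlans, ifaces, ctx = {}, {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("vlan ") or line.startswith("interface "):
            ctx = line.split()[1]  # VLAN-database id or interface name
        elif ctx and ctx.isdigit() and line.startswith("name "):
            vlans[int(ctx)] = line[5:]
        elif ctx and (key := next((k for k in KEYS if line.startswith(k)), None)):
            ifaces.setdefault(ctx, {})[KEYS[key]] = line[len(key):]
    return vlans, ifaces

def audit(text):  # returns findings; [] means the OOB virtual-gateway invariants hold
    vlans, ifaces = parse(text)
    auth = {v for v, n in vlans.items() if n.endswith("_Auth")}
    findings = []
    for v in sorted(auth):  # each Auth VLAN pairs with the access VLAN 200 below it (30 -> 230)
        if vlans.get(v - 200, "") + "_Auth" != vlans[v]:
            findings.append(f"vlan {v}: no matching access VLAN {v - 200}")
    for name, cfg in ifaces.items():
        if name.startswith("Vlan") and int(name[4:]) in auth:  # SVI on an Auth VLAN
            findings.append(f"{name}: routing an Auth VLAN gives unauthenticated hosts a gateway")
        allowed, native = expand(cfg.get("allowed", "")), int(cfg.get("native", 1))
        if native in allowed or native in auth:
            findings.append(f"{name}: native VLAN {native} must be a bogus, unused VLAN")
        wrong = allowed - auth if "UN-Trusted" in cfg.get("desc", "") else allowed & auth
        if wrong:
            findings.append(f"{name}: VLANs {sorted(wrong)} do not belong on this trunk")
    return findings
```

Run `audit()` over a full `show running-config` dump from the core switch; each finding names the VLAN or interface that breaks the pairing, trunk or SVI rule.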