01-16-2009 08:29 PM - edited 02-21-2020 03:13 AM
Hi there,
I'm deploying NAC IB VG, but I have the following problem:
My diagram:
              FWSW
               |
user -- Core sw -- NACmanager
             |   |
             |   |
           NAC server
and the configuration for Core sw:
interface GigabitEthernet1/33
description To Trusted
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/34
description To Untrusted
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
There are also many other trunk ports on the Core sw, so traffic from the user vlan always uses the other trunk ports (it does not use the port connecting to the untrusted side of the NAC server) to go outside. How can I resolve this problem?
I much appreciate your reply!
01-17-2009 08:37 PM
My configuration on NAC server:
- Trusted interface:
IP: 10.0.9.131
Sub: 255.255.255.240
Default GW: 10.0.9.129
Management VLAN: 110
- Untrusted interface:
IP: 10.0.9.131
Sub: 255.255.255.240
Default GW: 10.0.9.129
- Managed Subnet:
10.16.0.199 / 255.255.0.0 / vlan 96
- Mapping vlan:
Untrusted: 96
Trusted: 16
- Static route:
Subnet: 10.16.0.0/ 16
Gateway: 10.16.0.254
Link: untrusted
Is my configuration wrong? Can anyone help me?
02-01-2009 12:25 PM
Take a look at the chalk talk series
- In an L2 VGW solution, static routes are not used.
- Confirm there is no L3 interface on the core switch for vlan 96.
- Change the native vlan on the trunks into the CAS to be different from each other. The default is for a port to use native vlan 1.
- On the untrusted trunk, only allow the untrusted vlan.
- On the trusted trunk, only allow the trusted vlan and the vlan associated with CAS management.
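The checklist above written out as core switch configuration. This is an added example, not from the original posts; the VLAN numbers are the ones given in the thread (untrusted 96, trusted 16, CAS management 110), and the native VLAN numbers 998 and 999 are assumed placeholders chosen only to differ from each other and from VLAN 1.

```cisco
! Trusted side of the CAS: carry only the trusted user VLAN and the
! CAS management VLAN. Native VLAN set to an unused value (assumed 998).
interface GigabitEthernet1/33
 description To Trusted
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 16,110
 switchport mode trunk
!
! Untrusted side of the CAS: carry only the untrusted user VLAN.
! Native VLAN must differ from the trusted trunk (assumed 999).
interface GigabitEthernet1/34
 description To Untrusted
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 96
 switchport mode trunk
!
! The core must not route VLAN 96 itself, otherwise untrusted hosts
! bypass the CAS. If an SVI exists, remove it.
no interface Vlan96
!
! Verification: native and allowed VLANs per trunk, and no SVI for 96.
! show interfaces trunk
! show ip interface brief | include Vlan96
```

If VLAN 96 is also allowed on the other trunks toward the users, prune it there as well; otherwise the user-facing ports should place clients in VLAN 96, not 16, so that the only path to VLAN 16 runs through the CAS.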
02-02-2009 11:49 PM
Hi daladen,
I have removed the static routes from my configuration and also done the following:
- made sure that there is no interface for vlan 96
- native vlan on the trunks is different from each other
- only allow the untrusted vlan on the untrusted trunk; allow the trusted vlan and the CAS management vlan on the trusted vlan
However, my NAC system is still not operating! I think the problem is that when PCs connect to the network, they are immediately given IPs from the Access Vlan (16), so they always pass through the CAS without being blocked (I have set "deny all" on the CAS server).
Another problem is that with this modified configuration the clients cannot access the web interface of the CAS via https.
Could you please give me some other advice? Thank you so much!