01-25-2011 04:26 AM - edited 03-09-2019 11:22 PM
Dear All,
I am trying to implement NAC in my network. I have a CAM (3315) and a CAS (3315). I have completed licensing on the CAM, as I can see "CAM Lite" under the Licensing tab.
I have gone through the initial configuration of the CAM and CAS.
Config:
CAM (eth0 <trusted> = 192.168.200.15/24)
CAS (eth0 <trusted> = 192.168.200.16/24, eth1 <untrusted> = 192.168.215.10/24)
Pre-shared key: cisco; connected via crossover cable.
Now I tried to ping the CAS (.16) from the CAM (.15) and it fails (I don't know why), so I am not able to get connectivity between them :cry: Is it necessary to have the CAM on a different subnet?
Further, I opened the web console of the CAM and tried to add the CAS to the CAM, but it fails and gives an error like "Reached maximum limits for server"... strange? This is a NEW device. Also, I have reinstalled the license at least 3-4 times, but with no result.
I have gone through the PDFs, but there is no guideline on how to configure from the basics (like how to connect, which interface should be connected where, e.g. which interface should be trusted/untrusted).
Kindly share your comments/design/documents for the same, from the basics.
01-27-2011 05:12 AM
Hi netlinkin,
Based on your post in the other thread, I understand you're doing a layer 2 virtual gateway deployment. Is this supposed to be in-band or out-of-band?
01-27-2011 05:43 AM
Hi Xavier,
I want to use it IN-BAND.
These are the steps I have gone through (please guide me if I am wrong):
1. Connected the PC (192.168.200.20) to the CAM (192.168.200.15).
Results: configured the CAM as per the process with the service perfigo config command; used the default certificate; able to ping the CAM from the PC and vice versa; able to open the web console.
2. Connected to the CAS (192.168.200.16) and the PC (192.168.200.20), configured as above. Results: able to ping.
3. Now I need to add the CAS to the CAM management domain, hence I connected eth0 of the CAM and eth0 of the CAS via a crossover cable and tried to ping the CAS from the CAM; it failed (it should ping, as the devices are in the same subnet and connected via the eth0 trusted interface).
Problem: unable to find MAC entries of the CAM in the CAS and vice versa.
01-27-2011 12:38 PM
Hi netlinkin,
The CAS and the CAM need to be on different subnets. This means that you'll need a router or a layer 3 switch to separate them. Once you do this, you'll have to generate SSL certificates on both the CAS and CAM and add them to each other. Once you do this, they'll be able to communicate fine.
Try this and shoot me back if you have any other issues.
Hope that helps,
Xavier
01-31-2011 04:07 AM
Hi Xavier,
As suggested, I have connected the CAM, router and CAS:
1. Connected router Eth0/0 (192.168.100.151/24) to CAM eth0 (192.168.100.150).
Results: able to ping both ways.
Findings: all is OK, as I can ping.
2. Connected router Eth0/1 (192.168.200.151/24) to CAS eth0 (192.168.200.150).
Results: not able to ping the router IP (192.168.200.151), and vice versa.
Findings: checked the CAS config. It shows
Interface Fake0 >> 192.168.200.150 (I wonder about the FAKE0 interface), and the ARP table also shows the same.
I configured it 2-3 times in case I had made a mistake, but every time, after configuration, the interface status is FAKE0.
3. Is it necessary to have an SSL certificate? Because currently I am testing it on a TEST LAB setup.
Please suggest further.
01-31-2011 05:12 AM
Hey Pravin,
I'm not sure what fake0 is, but I've seen it too and it doesn't interfere with my config at all. You will need the SSL certificate eventually, but not for now.
The CAS can't ping the router interface...
Try these and tell me what you get,
~Xavier
01-31-2011 08:32 AM
>>>Hi Xavier
I have resolved the issue by making the fake interface down.
Now I am able to ping from the router to the CAM and from the router to the CAS, but still failing to have connectivity between the CAM and CAS. Further, I tried to add the CAS to the CAM, and I am still facing the error ("Reached maximum limits for server").
01-31-2011 09:24 AM
Once you add the manager licence to the CAM, that error should go away.
When you say that communication has failed between them...do you mean that they can't ping each other or that you can't add the CAS to the CAM?
If they can't ping each other, can you post the config of your router please? Leave out confidential things like passwords and the like.
02-01-2011 03:32 AM
Hi Xavier,
Please find the config.
--------------------
NAC-TEST#sh run
Building configuration...
Current configuration : 2554 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NAC-TEST
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
multilink bundle-name authenticated
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0/0
description Connected to CAM
ip address 192.168.100.151 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description Connected to CAS
ip address 192.168.200.151 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
control-plane
!
-----------------------------------------------------------------------
^^C
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
------------------------------------------------------------------- END ---------------------------------
Once you add the manager licence to the CAM that error should go away
>>> While adding, I am getting this error.
When you say that communication has failed between them...do you mean that they can't ping each other or that you can't add the CAS to the CAM?
>>> Can't ping the CAM (100.150) from the CAS (200.150), and vice versa.
02-01-2011 05:59 AM
"while adding i m getting this error"
> I'm not talking about adding the CAS to the CAM. I'm talking about adding the licence key to the server. You should have gotten instructions on how to get it when you bought the product. It is a .lic file and you add it by going to CCA Manager -> Licensing
As for the communication...I'm completely stumped. The config is fine...run these two commands from the router and tell me which succeeds and/or fails:
ping 192.168.100.150 source 192.168.200.151
ping 192.168.200.150 source 192.168.100.151
Also...I know I must be grabbing at thin air here but it's better for me to be safe than sorry. Ensure that the CAS and the CAM are plugged in via the second port from the right around the back of the devices. There are 4 ports on each device, two on the left and two on the right. The ones on the right are eth0 and eth1. The left one of the pair is eth0 and the right one is eth1. Make sure that they are both connected via eth0.
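The two rules Xavier gives above (the CAM and CAS management interfaces must be on different subnets, and a plain router ping versus a ping sourced from the far-side interface tells you which leg is broken) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it takes the lab addressing from this thread, emits the exact router test commands, parses the "Success rate" summary line that IOS prints, and classifies each appliance. The sample ping outputs are constructed for the example (modelled on IOS output, not copied from a live device), and the interpretation that "direct ping works, sourced ping fails" means the host lacks a return route (or filters the reply) is standard IP troubleshooting rather than something the thread states outright.

```python
import ipaddress
import re

# Lab addressing as posted in the thread: each appliance's eth0 sits on its
# own /24 behind one router, which is what the "different subnets" rule needs.
LAB = {
    "cam": {"host": "192.168.100.150/24", "router": "192.168.100.151/24"},
    "cas": {"host": "192.168.200.150/24", "router": "192.168.200.151/24"},
}

# Constructed IOS ping summaries for the example (not from a real device).
PING_OK = ("Sending 5, 100-byte ICMP Echos to 192.168.200.150, timeout is 2 seconds:\n"
           "!!!!!\nSuccess rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms")
PING_FAIL = ("Sending 5, 100-byte ICMP Echos to 192.168.200.150, timeout is 2 seconds:\n"
             "Packet sent with a source address of 192.168.100.151\n"
             ".....\nSuccess rate is 0 percent (0/5)")

SUCCESS_RE = re.compile(r"Success rate is (\d+) percent \((\d+)/(\d+)\)")


def parse_success(output):
    """Return (received, sent) from an IOS ping summary; raise if the line is missing."""
    m = SUCCESS_RE.search(output)
    if not m:
        raise ValueError("no IOS 'Success rate' line found in output")
    return int(m.group(2)), int(m.group(3))


def check_subnet_separation(cam_if, cas_if):
    """Xavier's rule: the CAM and CAS management interfaces must be in different networks."""
    return ipaddress.ip_interface(cam_if).network != ipaddress.ip_interface(cas_if).network


def check_gateway_on_link(host_if, router_if):
    """The router interface facing an appliance must share that appliance's subnet."""
    return ipaddress.ip_interface(host_if).network == ipaddress.ip_interface(router_if).network


def router_test_commands(lab):
    """Build the IOS ping commands: one plain, one sourced from the far-side interface."""
    cmds = []
    for name, legs in lab.items():
        host = ipaddress.ip_interface(legs["host"]).ip
        far = [v for k, v in lab.items() if k != name][0]["router"]
        cmds.append(f"ping {host}")
        cmds.append(f"ping {host} source {ipaddress.ip_interface(far).ip}")
    return cmds


def diagnose(direct_output, sourced_output):
    """Classify one appliance from the router's plain ping and far-side-sourced ping."""
    direct_ok = parse_success(direct_output)[0] > 0
    sourced_ok = parse_success(sourced_output)[0] > 0
    if not direct_ok:
        # Not even on-link reachability: cabling, interface, or ARP problem on that segment.
        return "link-down"
    if not sourced_ok:
        # The echo arrives (the router is directly connected), but the reply must go to an
        # off-subnet address, so the appliance needs a default gateway or route via the
        # router's on-link address, or it is filtering the reply.
        return "no-return-route"
    return "reachable"


if __name__ == "__main__":
    print("CAM/CAS on separate subnets:",
          check_subnet_separation(LAB["cam"]["host"], LAB["cas"]["host"]))
    for cmd in router_test_commands(LAB):
        print("  ", cmd)
    print("CAS verdict:", diagnose(PING_OK, PING_FAIL))
```

Running it against the thread's addressing prints the four ping commands Xavier asked for and reports the CAS as "no-return-route", which is the pattern Pravin posts later (plain pings succeed, sourced pings fail). Re-running `check_subnet_separation` with the original 192.168.200.15/24 and 192.168.200.16/24 addressing returns False, matching the first problem in the thread.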
02-01-2011 10:28 PM
Dear Xavier,
Thanks for the valuable thoughts. Regarding the license, I'll check with Cisco. But again, I told you that I made the fake interface down, and only then can I ping the CAS. But strange things again: the next day I came in and the server had rebooted (the server didn't store the fake interface down config).
Also, as you suggested, the physical connection is the same (CAM left port eth0 and CAS left port eth0); only those are connected, the others are not. But the CAM config remains unchanged even though the CAM was rebooted, whereas the CAS doesn't store the config.
So I again made the interface down, and ping works from the router to the CAM (100.150) and from the router to the CAS (200.150).
What's the next step?
NAC-TEST#ping 192.168.200.150
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
NAC-TEST#ping 192.168.100.150
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
NAC-TEST#
----------------------------------------------------------------------------------------------
NAC-TEST#ping 192.168.100.150 source 192.168.200.151 <<<< Ping to CAM
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.150, timeout is 2 seconds:
Packet sent with a source address of 192.168.200.151
.....
Success rate is 0 percent (0/5)
NAC-TEST#ping 192.168.200.150 source 192.168.100.151 <<<< Ping to CAS
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.150, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.151
.....
Success rate is 0 percent (0/5)
NAC-TEST#
--------------------------------------------------------------
02-02-2011 05:57 AM
Hmm...this really is weird.
Let me see the output of show ip route, please.
Also copy and paste the network config of the CAS and CAM from both GUIs, please.
02-08-2011 01:12 PM
Those fake interfaces are used for the routing process, so they definitely need to be up and happy.
From the CAS CLI, could you please get me the outputs of the following commands:
ifconfig
more /proc/click/real_routing_table/table
Thanks,
Lauren