cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1658
Views
0
Helpful
12
Replies

Access Point Switchport configuration for OOB NAC

Hello.

Here we have to implement Out of Band with WLC and NAC, I have already checked this guide:

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml

But I have a little doubt. On the document showed above does not specific which vlan should be configured on switch's access port facing access points. Should I configure this with trusted or untrusted VLAN? I know all traffic from wireless clients go to WLC through a CAPWAP tunnel, but I am not really sure on the Out of Band deployment which access vlan should be for access points.

Greettings.

1 Accepted Solution

Accepted Solutions

The WLC does not do routing. What is happening is your sort of fooling the network. The egress interface on the WLC is actually putting the traffic in the untrusted vlan. When NAC does its thing:) it moves the traffic to the correct vlan.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

View solution in original post

12 Replies 12

Anyone?

Stephen Rodriguez
Cisco Employee
Cisco Employee

Facing the AP it is what ever VLAN you want the AP to be in.  The client traffic ingress/egress point is the WLC, not the AP, if in local mode.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

I still dont get it. Let's say:

Trusted VLAN 10

UnTrusted VLAN 20

So switchport for WLC is trunking with 10 and 20 allowed only. I need to know which of these VLAN should I configure. As far as I know by configuring another VLAN which is not trunked to WLC for example VLAN 30 would cause to the APs to be unable to communicate with WLC because there is no continuity between them.

That's not true.  you can put the APs in VLAN 30, and so long as you can route to the WLC they will join.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Yes. but I dont want to route. I want AP and WLC to be on the same subnet so they can have the same IP range. In this case which vlan should I choose?

then you would put them in the management VLAN.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

So if I configure VLAN 30 access port for access point, and assuming VLAN 30 is the managment VLAN, the WLC will receive the packets from wireless clients with VLAN 30 tag from trunk switchport, and it will retransmit them out with untrusted tag VLAN 20, And after remedation It will start to send them with VLAN 10. Is all this right?

Is correct for the WLC to send a packet from wireles clients received on managment interface (vlan 30) to a dynamic interface (access vlan 10 and quarentine vlan 20)? is this posible?

That is correct. The client gets its VLAN from the interface you map to in the WLAN config.

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Just to add again to another one of Steve's post:)  You don't want to put the AP traffic through NAC, but only the traffic for the wireless clients which egress out of the WLC.  So if your wireless clients are being placed in VLAN30 (just an example), you can have an untrusted layer 2 vlan VLAN29 which hit the NAC untrusted and if remediation id good, then placed in VLAN30.  Makes sense?

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Is the WLC performing a intervlan routing feature on this scenario? From vlan managmente (30) to vlan 10 and 20 for example.

Excuse me for all these questions please, I am a very curious guy.

The WLC does not do routing. What is happening is your sort of fooling the network. The egress interface on the WLC is actually putting the traffic in the untrusted vlan. When NAC does its thing:) it moves the traffic to the correct vlan.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott Fella
Hall of Fame
Hall of Fame

Put it this way... You need to push traffic to the untrusted interface. So using a layer 2 subnet that has no layer 3 interface is the only way to do it.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: