11-20-2012 10:56 AM - edited 07-03-2021 11:05 PM
Hello.
Here we have to implement Out of Band with WLC and NAC, I have already checked this guide:
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
But I have a little doubt. The document shown above does not specify which VLAN should be configured on the switch's access port facing the access points. Should I configure this with the trusted or untrusted VLAN? I know all traffic from wireless clients goes to the WLC through a CAPWAP tunnel, but I am not really sure, in the Out of Band deployment, which access VLAN should be used for access points.
Greetings.
11-20-2012 01:02 PM
Anyone?
11-20-2012 01:07 PM
Facing the AP it is whatever VLAN you want the AP to be in. The client traffic ingress/egress point is the WLC, not the AP, if in local mode.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
11-20-2012 01:17 PM
I still don't get it. Let's say:
Trusted VLAN 10
UnTrusted VLAN 20
So the switchport for the WLC is trunking with only 10 and 20 allowed. I need to know which of these VLANs I should configure. As far as I know, configuring another VLAN which is not trunked to the WLC, for example VLAN 30, would cause the APs to be unable to communicate with the WLC because there is no continuity between them.
11-20-2012 01:35 PM
That's not true. You can put the APs in VLAN 30, and as long as you can route to the WLC they will join.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
11-20-2012 01:44 PM
Yes, but I don't want to route. I want the AP and WLC to be on the same subnet so they can have the same IP range. In this case which VLAN should I choose?
11-20-2012 01:52 PM
Then you would put them in the management VLAN.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
11-20-2012 06:53 PM
So if I configure a VLAN 30 access port for the access point, and assuming VLAN 30 is the management VLAN, the WLC will receive the packets from wireless clients with the VLAN 30 tag from the trunk switchport, and it will retransmit them out with the untrusted VLAN 20 tag, and after remediation it will start to send them with VLAN 10. Is all this right?
Is it correct for the WLC to send a packet from wireless clients received on the management interface (VLAN 30) to a dynamic interface (access VLAN 10 and quarantine VLAN 20)? Is this possible?
11-21-2012 04:28 AM
That is correct. The client gets its VLAN from the interface you map to in the WLAN config.
Steve
Sent from Cisco Technical Support iPhone App
11-21-2012 06:36 AM
Just to add again to another one of Steve's posts:) You don't want to put the AP traffic through NAC, but only the traffic for the wireless clients which egresses out of the WLC. So if your wireless clients are being placed in VLAN 30 (just an example), you can have an untrusted layer 2 VLAN, VLAN 29, which hits the NAC untrusted side, and if remediation is good, they are then placed in VLAN 30. Makes sense?
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
11-21-2012 12:24 PM
Is the WLC performing an inter-VLAN routing feature in this scenario? From the management VLAN (30) to VLANs 10 and 20, for example.
Excuse me for all these questions, please; I am a very curious guy.
11-21-2012 12:48 PM
The WLC does not do routing. What is happening is you're sort of fooling the network. The egress interface on the WLC is actually putting the traffic in the untrusted VLAN. When NAC does its thing:) it moves the traffic to the correct VLAN.
Sent from Cisco Technical Support iPhone App
11-21-2012 12:50 PM
Put it this way... You need to push traffic to the untrusted interface. So using a layer 2 subnet that has no layer 3 interface is the only way to do it.
Sent from Cisco Technical Support iPhone App
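As a defender's sanity check on the design the thread converges on (AP ports as access ports in the management VLAN, a layer-2-only untrusted VLAN with no SVI, and a trunk to the WLC carrying management, trusted and untrusted VLANs), here is an added Python example that is not from the thread or from Cisco: it lints a constructed IOS-style switch config for those three conditions. The interface names, VLAN numbers and addresses are assumptions.

```python
# Constructed IOS-style config (not from the thread); deliberately has an SVI on untrusted VLAN 20.
SAMPLE_CONFIG = """\
interface Vlan20
 ip address 10.20.0.2 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 30
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
"""
def parse_interfaces(cfg):
    """Map each 'interface X' stanza to its indented config lines."""
    stanzas, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas
def expand_vlans(spec):
    """'10,20,30' or '10-12,30' -> {10, 11, 12, 30}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out
def check_oob_design(cfg, trusted, untrusted, mgmt, ap_ports, wlc_port):
    """Return a list of findings; an empty list means the design matches the thread's advice."""
    ifs, findings = parse_interfaces(cfg), []
    # 1. The untrusted VLAN must be layer-2 only: an SVI with an address gives
    #    quarantined clients a routed path that bypasses the NAC server.
    for name, lines in ifs.items():
        if name.lower() == f"vlan{untrusted}" and any(l.startswith("ip address") for l in lines):
            findings.append(f"{name}: untrusted VLAN {untrusted} must have no layer-3 interface")
    # 2. AP ports are plain access ports in the management VLAN (same subnet as the WLC).
    for port in ap_ports:
        lines = ifs.get(port, [])
        vids = [int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan ")]
        if "switchport mode access" not in lines or vids[-1:] != [mgmt]:
            findings.append(f"{port}: AP port should be access VLAN {mgmt}")
    # 3. The WLC trunk must carry the management, trusted and untrusted VLANs.
    lines = ifs.get(wlc_port, [])
    specs = [l.split()[-1] for l in lines if l.startswith("switchport trunk allowed vlan ")]
    missing = sorted({mgmt, trusted, untrusted} - (expand_vlans(specs[-1]) if specs else set()))
    if "switchport mode trunk" not in lines or missing:
        findings.append(f"{wlc_port}: WLC trunk must allow VLANs {missing}")
    return findings
```

Running `check_oob_design(SAMPLE_CONFIG, 10, 20, 30, ["GigabitEthernet1/0/1"], "GigabitEthernet1/0/24")` reports only the Vlan20 SVI; remove that stanza and the config passes clean.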