Cisco Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 4 Switch Management: Configuring Out-of-Band (OOB) Deployment
Configure Your Switches
After upgrade, change the Profile for the applicable uplink ports of the switch to “unmanaged”
(see
(see
).
This will prevent unnecessary issues when the Default Port Profile for the switch has been
configured as a managed/controlled port profile.
configured as a managed/controlled port profile.
•
Cisco NAC Appliance OOB supports 3750 StackWise technology. With stacks, when
mac-notification is used and there are more than 252 ports on the stack, mac-notification cannot be
set/unset for the 252nd port using the CAM. There are two workarounds: 1) Use linkup/linkdown
SNMP notifications only. 2) If using mac-notification, do not use the 252nd port and ignore the
error; other ports will work fine.
mac-notification is used and there are more than 252 ports on the stack, mac-notification cannot be
set/unset for the 252nd port using the CAM. There are two workarounds: 1) Use linkup/linkdown
SNMP notifications only. 2) If using mac-notification, do not use the 252nd port and ignore the
error; other ports will work fine.
•
Switch clusters are not supported. As a workaround, assign an IP address to each switch.
•
It is recommended to enable ifindex persistence on the switches.
•
It is recommended to turn on portfast on access ports (those directly connected to client machines).
•
It is recommended to set the mac-address aging-time to a minimum of 3600 seconds.
•
On some models of Cisco switches (e.g. 4507R, IOS Version 12.2(18) EW), the MAC address(es)
connected to a particular port may not be available after Port Security is enabled.
connected to a particular port may not be available after Port Security is enabled.
•
If implementing High-Availability, do not enable Port Security on the switch interfaces to which the
CAS and CAM are connected. This can interfere with CAS HA and DHCP delivery.
CAS and CAM are connected. This can interfere with CAS HA and DHCP delivery.
•
You must ensure your switch has the Access VLAN in its VLAN database to ensure proper
switching behavior. On some models of Cisco switches (e.g. 6506, IOS Version 12.2(18) SXD3),
MAC address(es) connected to a particular port may not be available when the Access VLAN of the
port does not exist in the VLAN database.
switching behavior. On some models of Cisco switches (e.g. 6506, IOS Version 12.2(18) SXD3),
MAC address(es) connected to a particular port may not be available when the Access VLAN of the
port does not exist in the VLAN database.
•
Only Ethernet (Fa, Gi, fiber) port types (reported by SNMP) are displayed.
•
If no healthy Clean Access Manager is in service, ports remain in the VLAN they are in until
connectivity to the CAM is restored.
connectivity to the CAM is restored.
Example Switch Configuration Steps
1.
Connect the machines and switches. Write down the admin VLAN, Access VLAN, Authentication
VLAN and other information (see
VLAN and other information (see
2.
The following example illustrates a sample out-of-band Virtual Gateway setup.
The trusted interface of the CAS is connected to the trunk port for Access VLANs 10, 20.
The untrusted interface of the CAS is connected to the trunk port for Auth VLANs 31, 41.
Refer the switch documentation for details on configuring your specific switch model.
Clean Access Manager (CAM): 10.201.2.15
CAM management VLAN
2
Clean Access Server (CAS):
10.201.5.15
CAS management VLAN
5
Access VLANs:
10, 20
Authentication VLANs:
31, 41
Switch (Catalyst 2950):
10.201.3.16