Specifications
3-15
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 3 Switch Management: Configuring Out-of-Band Deployment
Configure Your Switches
• If implementing High-Availability, do not enable Port Security on the switch interfaces to which the
CAS and CAM are connected. This can interfere with CAS HA and DHCP delivery.
• Make sure the Access VLAN exists in the switch's VLAN database; otherwise switching may not
behave correctly. On some models of Cisco switches (e.g. 6506, IOS Version 12.2(18) SXD3), the
MAC address(es) connected to a particular port may not be available when the Access VLAN of the
port does not exist in the VLAN database.
• Only Ethernet (Fa, Gi, fiber) port types (reported by SNMP) are displayed.
• If no healthy Clean Access Manager is in service, ports remain in the VLAN they are in until
connectivity to the CAM is restored.
• For SNMP V3, each switch to be managed by the CAM must have a unique Engine ID.
• The syntax of the "mac-address notification" commands varies between switch software versions. When a
switch is upgraded, evaluate any change in the syntax and re-apply the modified commands to the switch
configuration after upgrading and reloading the switch.
Example Switch Configuration Steps
Step 1 Connect the machines and switches. Write down the admin VLAN, Access VLAN, Authentication
VLAN and other information (see Table 3-2 for a detailed list).
The trusted interface of the CAS is connected to the trunk port for Access VLANs 10 and 20, and the
untrusted interface of the CAS is connected to the trunk port for Auth VLANs 31 and 41.
Refer to the switch documentation for details on configuring your specific switch model.
Step 2 Configure the switch IP address (172.16.1.64) and Access VLANs (10, 20).
Step 3 When using Virtual Gateway with VLAN mapping, make sure there is no VLAN interface for any of the
Auth VLANs on your existing Layer 3 switch or router (e.g. CAT 6500). For example, if VLAN mapping
between Access VLAN 10 and Auth VLAN 31 has been configured on the CAS and a VLAN interface for the
Auth VLAN already exists on the L3 switch/router, remove it with the following commands:
(config)# no int vlan 31
(config)# vlan 31
The first command removes the Layer 3 interface and the second ensures VLAN 31 (the Auth VLAN) remains in
the VLAN database. You will also need to enable VLAN Mapping in the CAS as described in
Figure 3-8 on page 3-27.
Clean Access Manager (CAM): 172.16.1.61
CAM management VLAN: VLAN 2
Clean Access Server (CAS): 10.60.3.2
CAS management VLAN: VLAN 3
Access VLANs: 10, 20
Authentication VLANs: 31, 41
Switch (Catalyst 2950): 172.16.1.64
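The two VLAN-database conditions this section imposes (the Access VLAN must exist in the VLAN database, and in Virtual Gateway / VLAN-mapping mode no Auth VLAN may have a Layer 3 VLAN interface on the switch or router) can be verified offline against a saved running configuration before the CAS is brought into service. The following Python script is an added example and is not part of the Cisco guide; the configuration excerpt it parses is constructed for illustration and reuses the example topology above (Access VLANs 10 and 20, Auth VLANs 31 and 41). Every function name and the regular expressions are assumptions of this example, not CAM or IOS features.

```python
"""Pre-deployment check of a switch running-config for NAC OOB VLAN mapping.

Added example, not from the Cisco NAC Appliance guide. It checks:
  Rule 1: every Access VLAN and Auth VLAN is present in the VLAN database
          (this section: missing Access VLANs can hide port MAC addresses).
  Rule 2: no Auth VLAN has an SVI ("interface VlanN") on the L3 switch/router
          (Step 3: 'no int vlan 31' followed by 'vlan 31').
"""
import re

# Constructed sample running-config excerpt (not captured from a real device).
# VLAN 20 is allowed on the trunk but never created, and Auth VLAN 31 still
# has an SVI, so the check is expected to report two findings.
SAMPLE_CONFIG = """\
hostname l3-core-example
!
vlan 2
 name cam-mgmt
!
vlan 3
 name cas-mgmt
!
vlan 10
 name access-10
!
vlan 31
 name auth-31
!
vlan 41
 name auth-41
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan31
 ip address 10.31.0.1 255.255.255.0
!
interface GigabitEthernet1/1
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
"""

# Global "vlan N[,M,X-Y]" definitions at column 0 (the VLAN database).
VLAN_DEF_RE = re.compile(r"^vlan\s+([\d,\-]+)\s*$", re.MULTILINE)
# Layer 3 VLAN interfaces (SVIs).
SVI_RE = re.compile(r"^interface\s+Vlan(\d+)\s*$", re.MULTILINE | re.IGNORECASE)


def expand_vlan_list(spec):
    """Expand an IOS-style list such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_vlan_database(config):
    """Return the set of VLAN IDs defined in the VLAN database."""
    defined = set()
    for match in VLAN_DEF_RE.finditer(config):
        defined |= expand_vlan_list(match.group(1))
    return defined


def parse_svis(config):
    """Return the set of VLAN IDs that have a Layer 3 VLAN interface."""
    return {int(m.group(1)) for m in SVI_RE.finditer(config)}


def check_vlan_mapping(config, access_vlans, auth_vlans):
    """Return a list of findings (empty list means the config passes both rules)."""
    defined = parse_vlan_database(config)
    svis = parse_svis(config)
    findings = []
    for vlan in sorted(access_vlans):
        if vlan not in defined:
            findings.append(f"Access VLAN {vlan} missing from VLAN database (add 'vlan {vlan}')")
    for vlan in sorted(auth_vlans):
        if vlan not in defined:
            findings.append(f"Auth VLAN {vlan} missing from VLAN database (add 'vlan {vlan}')")
        if vlan in svis:
            findings.append(f"Auth VLAN {vlan} has an SVI (remove with 'no interface vlan {vlan}')")
    return findings


if __name__ == "__main__":
    for line in check_vlan_mapping(SAMPLE_CONFIG, {10, 20}, {31, 41}):
        print(line)
```

Run it against the output of `show running-config` saved to a file instead of SAMPLE_CONFIG to check a real switch; an empty result means both conditions from this section hold, and each finding quotes the command that would clear it.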