2-13
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 2 Device Management: Adding Clean Access Servers, Adding Filters
Global Device and Subnet Filtering
CHECK and IGNORE device filter options.
ROLE and CHECK filters require choosing a User Role from the dropdown menu.
IGNORE is for OOB only. For IB, checking this option has no effect.
IGNORE is for global filters only. It does not appear on CAS New/Edit filter pages.
IGNORE device filters are intended to replace “allow” device filters that were specified for IP
phones in previous releases.
Note: Administrators should reconfigure their device filters for IP phones to use the IGNORE option in order to avoid generating unnecessary MAC notification traps. For more information, see Device Filters for Out-of-Band Deployment Using IP Phones, page 2-15.
Device filter policies apply differently in L2 deployments (where the CAS is in L2 proximity to the endpoints/user devices) and L3 deployments (where the CAS may be one or more hops away from the endpoints/user devices). In an L3 deployment the CAS cannot see the endpoint's MAC address directly; the MAC address is learned only when the endpoint accesses the network through web login (Java Applet/ActiveX) or through the Agent for Cisco NAC Appliance. Until the MAC address is known, a MAC-based device filter cannot be matched. The behavior in L2 and L3 deployments is described in Table 2-1.
Table 2-1 CAM L2/L3 Device Filter Options

ALLOW
  L2: Allows all traffic from the endpoint; no authentication or posture assessment is required.
  L3: Allows all traffic from the endpoint once its MAC address is known. Until then, traffic from the endpoint is subject to the policies of the Unauthenticated Role. No authentication or posture assessment is required.

DENY
  L2: Denies all traffic from the endpoint.
  L3: Denies all traffic from the endpoint once its MAC address is known. Until then, traffic from the endpoint is subject to the policies of the Unauthenticated Role.

ROLE
  L2: Allows traffic from the endpoint without any authentication or posture assessment, as specified by the role's traffic policies (for backward compatibility with Cisco NAC Appliance 3.x, this continues to behave the same way).
  L3: Once the MAC address is known, posture assessment is performed if configured, after which traffic is allowed as per the role's traffic policies.

CHECK
  L2: Performs posture assessment as specified for the role, after which traffic is allowed as per the role's traffic policies.
  L3: Same as the ROLE L3 behavior: once the MAC address is known, posture assessment is performed, after which traffic is allowed as per the role's traffic policies.

IGNORE
  L2: For OOB only; ignores SNMP traps from managed switch ports for the specified MAC address(es).
  L3: For OOB only; ignores SNMP traps from managed switch ports for the specified MAC address(es).
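The following Python model encodes the behavior in Table 2-1 together with the constraints stated above (ROLE/CHECK require a role; IGNORE is global-only and has no effect in-band; in L3 the filter cannot match until the MAC address has been learned). It is an added illustration and is not Cisco NAC Appliance code: the names DeviceFilter, validate_filter, evaluate and lookup, the "treatment" labels returned, and the sample filter entries are all assumptions made for this example. It accepts the common MAC notations (dotted, colon, dash) so that a filter matches regardless of how the address was typed.

```python
"""Model of Table 2-1: how a CAM device filter is applied in L2 vs L3 and
IB vs OOB deployments. Added illustration, not Cisco NAC Appliance code;
DeviceFilter, validate_filter, evaluate and lookup are names assumed for
this example and the returned treatment strings are arbitrary labels."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

FILTER_TYPES = ("ALLOW", "DENY", "ROLE", "CHECK", "IGNORE")


def normalize_mac(mac: str) -> str:
    """Canonicalize 0011.2233.4455 / 00-11-22-33-44-55 / 00:11:22:33:44:55
    to lower-case colon form so filters match regardless of input format."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class DeviceFilter:
    mac: str
    type: str                   # one of FILTER_TYPES
    role: Optional[str] = None  # required for ROLE and CHECK
    scope: str = "global"       # "global" (CAM) or "cas" (CAS New/Edit page)


def validate_filter(f: DeviceFilter, oob: bool) -> List[str]:
    """Return configuration problems (empty list if the filter is sound):
    ROLE/CHECK need a role; IGNORE is global-only and only meaningful for OOB."""
    problems = []
    if f.type not in FILTER_TYPES:
        problems.append(f"{f.mac}: unknown filter type {f.type!r}")
    if f.type in ("ROLE", "CHECK") and not f.role:
        problems.append(f"{f.mac}: {f.type} filter requires a user role")
    if f.type == "IGNORE":
        if f.scope != "global":
            problems.append(f"{f.mac}: IGNORE is available on global filters only")
        if not oob:
            problems.append(f"{f.mac}: IGNORE has no effect in an in-band deployment")
    return problems


def evaluate(f: DeviceFilter, l3: bool, mac_known: bool, oob: bool) -> str:
    """Treatment of the endpoint's traffic per Table 2-1.

    In L3 the CAS learns the MAC only when the endpoint uses web login
    (Java applet/ActiveX) or the Agent, so until then the endpoint is
    handled by the Unauthenticated Role whatever the filter says."""
    if f.type == "IGNORE":
        # IGNORE suppresses SNMP MAC-notification trap handling rather than
        # filtering traffic, so L2/L3 and MAC discovery are irrelevant;
        # in an IB deployment it does nothing at all.
        return "ignore-snmp-traps" if oob else "no-effect"
    if l3 and not mac_known:
        return "unauthenticated-role"
    if f.type == "ALLOW":
        return "allow"
    if f.type == "DENY":
        return "deny"
    if f.type == "ROLE":
        # L2 keeps the 3.x behavior (no posture check); L3 runs posture first.
        return f"posture-then-role:{f.role}" if l3 else f"role:{f.role}"
    if f.type == "CHECK":
        return f"posture-then-role:{f.role}"
    raise ValueError(f"unknown filter type {f.type!r}")


def lookup(filters, mac: str, l3: bool, mac_known: bool, oob: bool) -> str:
    """Find the filter for a MAC (any input notation) and evaluate it.
    Returns "no-filter" when nothing matches, i.e. the endpoint goes through
    normal authentication."""
    table: Dict[str, DeviceFilter] = {normalize_mac(f.mac): f for f in filters}
    f = table.get(normalize_mac(mac))
    if f is None:
        return "no-filter"
    return evaluate(f, l3=l3, mac_known=mac_known, oob=oob)


# Constructed sample configuration (not taken from the guide): an IP phone
# with an IGNORE filter, a printer with ALLOW, a contractor laptop with CHECK.
SAMPLE_FILTERS = [
    DeviceFilter("0011.2233.4455", "IGNORE"),
    DeviceFilter("00:aa:bb:cc:dd:ee", "ALLOW"),
    DeviceFilter("00-de-ad-be-ef-01", "CHECK", role="Contractor"),
]

if __name__ == "__main__":
    for f in SAMPLE_FILTERS:
        for oob in (False, True):
            print(f.mac, "OOB" if oob else "IB", validate_filter(f, oob))
    print(lookup(SAMPLE_FILTERS, "00:11:22:33:44:55", l3=False, mac_known=True, oob=True))
    print(lookup(SAMPLE_FILTERS, "00aabbccddee", l3=True, mac_known=False, oob=False))
```

Running validate_filter over every entry before saving a filter list catches the two mistakes the text warns about (an IGNORE entry in an IB deployment, or a ROLE/CHECK entry without a role); the lookup call shows why an ALLOW filter does not exempt an L3 endpoint from the Unauthenticated Role until the Agent or web login has reported its MAC address.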