Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 2 Device Management: Adding Clean Access Servers, Adding Filters
Global Device and Subnet Filtering
Once you build a list of the applicable IP phone MAC addresses, ensure that Cisco NAC Appliance ignores them by enabling the Change VLAN according to global device filter list option for the Port Profile (under OOB Management > Profiles > Port > New or Edit) when you configure your Cisco NAC Appliance system for OOB. This ensures that the IP phones' MAC notification behavior cannot initiate a switch from one VLAN to another (from the Access VLAN to the Authentication VLAN, for example), which would inadvertently terminate the associated client machine's connection. See Configure OOB Switch Management on the CAM, page 3-25 for details.
In-Band and Out-of-Band Device Filter Behavior Comparison

VLAN assignments, and whether or not the users appear in the Online Users list and the associated client machines appear in the Certified Devices List, differ depending on which filter type (ALLOW, DENY, ROLE, CHECK, or IGNORE) you configure. The following general guidelines apply when determining client traffic behavior for In-Band and Out-of-Band deployments:

• In-Band traffic is subject to both global and CAS-specific filter assignments, depending on the hierarchy defined in Device Management > Filters > Devices > Order.
• If the Port Profile has the Change VLAN according to global device filter list option enabled, the CAM directs the switch to follow the global device filter configuration when assigning VLANs to ports.
• Out-of-Band client machines associated with a specific Port Profile are only governed by global device filters.
Table 2-2 Layer 2 and Layer 3 In-Band and Out-of-Band MAC Address Filter Behavior

| Device Filter Type | Layer 2 In-Band (Global and CAS) | Layer 3 In-Band (Global and CAS) | Out-of-Band without Port Profile option (Global) / Out-of-Band (CAS) | Out-of-Band with Port Profile option (Global only) |
|---|---|---|---|---|
| ALLOW | Allow traffic | Allow traffic (add Online Users list/Certified Devices List entries, no posture assessment) | Allow traffic in In-Band mode | Client traffic is directed to default Access VLAN |
| DENY | Deny traffic | Deny traffic once MAC address is known | Deny traffic in In-Band mode | Client traffic is directed to Authentication VLAN |
| ROLE | Put in role and apply role policies | Do posture assessment, add Online Users list/Certified Devices List entries, put in role and apply role policies | Put in role and apply role policies in In-Band mode | Client traffic is directed to Access VLAN (based on Port Profile) |
| CHECK (device in Certified Devices List) | Put in role and apply role policies (no Online Users list entry) | Do posture assessment, add Online Users list/Certified Devices List entries, put in role and apply role policies | Put in role and apply role policies in In-Band mode (no Online Users list entry) | Client traffic is directed to Access VLAN (based on Port Profile and no Online Users list entry) |