Chapter 10: Configuring Out-of-Band

Cisco Press

Page 4 of 6

You can see from the topology in Figure 10-35 that NAC Appliance Server is connected to the central switch. There is a network cloud between the central and edge switch. This cloud could be just a routed campus network, or it could be a WAN connection. The main point in this scenario is that the users are multiple routing hops away from NAC Appliance Server; therefore, it is Layer 3 OOB mode. In this example, the clients are no longer Layer 2 adjacent to NAC Appliance Server—they are now Layer 3 adjacent to it.

With Out-of-Band mode, the goal is to move the user to the untrusted VLAN when that user connects to the network. While the user is in the untrusted VLAN, you want to be able to carry out authentication, posture assessment, and remediation for the user. During that time, NAC Appliance Server acts as the enforcement device and communicates with NAC Appliance Agent for user authentication, posture assessment, and remediation.

In Out-of-Band mode, NAC Appliance Server has to be able to determine the IP and MAC addresses of the user. When the user is Layer 2 adjacent to NAC Appliance Server (L2OOB), NAS can read the source IP and MAC addresses directly from the user's packets. When the user is one or more routed hops away, each router along the path rewrites the Layer 2 header, so the source MAC address on the packets that reach NAS belongs to the last-hop router's interface, not to the user's device. As a result, NAC Appliance Server cannot determine the user's MAC address from the packets alone.

NAC Appliance Agent from release 4.0.0.0 onward sends the user's MAC and IP addresses to NAC Appliance Server itself. For users who do not have NAC Appliance Agent, the web login page can be configured to use ActiveX or Java applet controls to collect the same information from the user's device. In Layer 3 OOB, therefore, the MAC address on which the OOB process depends is reported by the endpoint rather than observed on the wire.

Chapter 4 explains the various traffic control methods for Layer 3 OOB. In the following example, you will see how to configure Layer 3 OOB using ACLs. As shown in the topology, NAC Appliance Server is configured in Real IP Gateway mode. This makes NAC Appliance Server act as a router and requires that its untrusted port (eth1) has an IP address in its own subnet, distinct from that of the trusted port. The following sections form a step-by-step method for configuring Layer 3 OOB deployments using ACLs.

Step 1: Configuring the Switches

The sample topology (see Figure 10-35) has a central switch and an edge switch, both of which are Catalyst 3750 series switches running Cisco IOS Release 12.2(25)SEE or later.

Configuring the Central Switch

The first step is configuring the central switch. You have to complete the following configuration steps at a minimum:

  • Configure VLAN Trunking Protocol (VTP) and VLANs

  • Configure SVIs

  • Configure the ports that NAC Appliance Manager and NAC Appliance Server connect to

After these steps are completed, you might have to configure additional interfaces and features if doing so is necessary for your environment.

Configuring VTP and VLANs

It is a best-practice campus design not to run switches in VTP Server mode. Set VTP to Transparent mode instead: the switch then keeps its own VLAN database, neither learns nor advertises VLANs, and only forwards VTP advertisements it receives on trunks. The ip routing command lets the switch act as a router as well. Example 10-11 shows the VTP and VLAN central switch configuration as it pertains to the sample network topology.

Example 10-11 Central Switch VTP and VLAN Configuration

vtp domain cisco
vtp mode transparent
ip routing
!
vlan 20
 name NAS_Trusted
!
vlan 21
 name NAS_Untrusted
!
vlan 30
 name NAM_mgmt
!

Configuring SVIs

Next configure the switch virtual interfaces on the central switch. An SVI is a Layer 3 virtual interface that is mapped to a VLAN for routing traffic through a switch. Example 10-12 shows the central switch configuration for SVIs in the sample topology (see Figure 10-35).

Example 10-12 Central Switch SVI Configuration

interface Vlan20
 description Server Trusted
 ip address 10.10.20.1 255.255.255.0
!
interface Vlan21
 description Server Untrusted
 ip address 10.10.21.1 255.255.255.0
!
interface Vlan30
 description Manager eth0
 ip address 10.10.30.1 255.255.255.0
!

Configuring Fa1/0/1—The Interface Connecting NAC Appliance Manager

Configure this interface to be an access port in VLAN 30. The Central switch configuration is shown in Example 10-13.

Example 10-13 Switch Configuration of Manager port

interface FastEthernet1/0/1
 description Manager
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!

Configuring Fa1/0/3—The Interface Connecting the Trusted Port of NAC Appliance Server

Configure the switch port that connects to the NAC Appliance Server trusted interface, eth0, as an access port in VLAN 20. Example 10-14 shows the switch configuration.

Example 10-14 Switch Configuration of Trusted Server Port

interface FastEthernet1/0/3
 description Server Trusted eth0
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!

Configuring Fa1/0/4—The Interface Connecting the Untrusted Port of NAC Appliance Server

Configure the switch port that connects to the NAC Appliance Server untrusted interface, eth1, as an access port in VLAN 21, as shown in Example 10-15.

Example 10-15 Switch Configuration of Untrusted Server Port

interface FastEthernet1/0/4
 description Server Untrusted eth1
 switchport access vlan 21
 switchport mode access
 spanning-tree portfast
!

Configuring the Edge Switch

Next configure the edge switch. You have to complete the following configuration steps at a minimum:

  • Configure VTP and VLANs.

  • Configure ACLs on the switch for added security and traffic control.

  • Configure SVIs.

  • Configure a DHCP server; in this sample case, you are using the switch as the DHCP server.

  • Configure the client ports.

  • Configure SNMP on the switch.

After these steps are completed, you might have to configure additional interfaces and features if doing so is necessary for your environment.

Configuring VTP and VLANs

As on the central switch, VTP is not used; you achieve that by setting it to Transparent mode. You enable IP routing with the ip routing command. Example 10-16 shows the switch configuration for VTP and VLANs as it pertains to the sample network topology (see Figure 10-35).

Example 10-16 Edge Switch VTP and VLAN Configuration

vtp domain cisco
vtp mode transparent
ip routing
!
vlan 10
 name guest
!
vlan 11
 name consultant
!
vlan 12
 name employee
!
vlan 110
 name untrusted
!
vlan 22
 name switch_mgmt
!

Configuring Access Control Lists

In this design, the enforcement piece has moved from NAC Appliance Server to the edge switch. You will configure ACLs on the authentication/untrusted VLAN so as to allow traffic to NAC Appliance Server, remediation servers, DHCP server, Active Directory server (if using AD SSO), and any other resources required for remediation purposes. When the user is in the untrusted VLAN, NAC Appliance Agent starts sending discovery packets that will be allowed by the ACL. After NAC Appliance Server gets the NAC Appliance Agent discovery packets, it will know that there is a new host connected to the network. It can then prompt the user for authentication and posture assessment.

For posture remediation, NAC Appliance Agent facilitates remediation by directing the user to go to the remediation resources. Access to these resources has been allowed by the ACLs. So, a user goes through the complete NAC process while in the untrusted VLAN. The ACLs block access to anything else on the network, thus preventing noncompliant users from getting access to other network resources. Example 10-17 shows a sample of the access list that you will configure for the untrusted VLAN 110.

Example 10-17 Untrusted VLAN 110 ACL

access-list 100 remark Untrusted VLAN 110: permit only what the NAC process and remediation need
access-list 100 permit ip any host 10.10.21.5
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq 67
access-list 100 permit udp any any eq 68
access-list 100 permit ip any host [wsus,av,etc]
access-list 100 remark Everything else is dropped by the implicit deny

Host 10.10.21.5 is the untrusted interface (eth1) of NAC Appliance Server, so the first entry lets the NAC Appliance Agent discovery packets and the web login traffic reach NAS. The remaining entries allow DNS (domain, over UDP and TCP), DHCP (UDP ports 67 and 68), and the WSUS server, antivirus server, and other remediation resources; [wsus,av,etc] is a placeholder for your own server addresses. Anything not matched by these entries is dropped by the implicit deny at the end of the list, so add an entry for every resource an unauthenticated client must reach, and nothing more.

In addition to the ACL on the untrusted VLAN, you have to configure an ACL on the trusted VLANs. This is because NAC Appliance Agent is going to send discovery packets every 5 seconds, continuously. So, even when the user is moved to the trusted access VLAN, NAC Appliance Agent continues to send the discovery packets. You want to prevent those packets from reaching NAC Appliance Server. To do so, configure the following ACL on the trusted VLANs:

access-list 101 deny ip any host 10.10.21.5
access-list 101 permit ip any any

Because the deny entry comes first, this list blocks anything destined to the NAS untrusted interface (10.10.21.5) and permits all other traffic for users in the trusted VLANs. You can optionally extend the list to further control client traffic. For example, you might create an ACL specific to consultants that allows them only limited access to your network, and apply it to the consultant VLAN 11 in place of ACL 101.
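The two ACLs above work as a whitelist with an implicit deny, and the order of the two entries in ACL 101 is what makes it effective. As an added example that is not part of the chapter, the following Python evaluates constructed flows against copies of both ACLs using IOS first-match semantics, so you can see what an unauthenticated client can and cannot reach before deploying the lists. The remediation-server address, the file-server address, the client addresses and the Agent discovery port in the sample flows are assumptions, not values from the page.

```python
"""Evaluate IOS numbered extended ACLs the way the switch does: first match wins,
implicit deny at the end. Used here to check what ACL 100 (untrusted VLAN 110)
and ACL 101 (trusted user VLANs) let a client reach."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copies of the chapter's two ACLs. 10.10.50.10 stands in for the
# "[wsus,av,etc]" placeholder and is an assumed address, not one from the page.
ACL_100 = """
access-list 100 permit ip any host 10.10.21.5
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq 67
access-list 100 permit udp any any eq 68
access-list 100 permit ip any host 10.10.50.10
"""
ACL_101 = """
access-list 101 deny ip any host 10.10.21.5
access-list 101 permit ip any any
"""

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tok: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    mask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)  # wildcard is an inverted mask
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines; skip remarks."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one flow, applying IOS first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # every IOS ACL ends with an implicit 'deny ip any any'


# Constructed flows: 10.10.110.50 is a client still in the untrusted VLAN,
# 10.10.12.50 the same user after being moved to the employee VLAN, and
# 10.10.12.20 an assumed internal file server. UDP 8905 for Agent discovery is
# an assumption; ACL 100 permits all IP to the NAS untrusted interface anyway.
FLOWS = {
    "untrusted: agent discovery -> NAS eth1": (ACL_100, "udp", "10.10.110.50", "10.10.21.5", 8905),
    "untrusted: DNS query":                   (ACL_100, "udp", "10.10.110.50", "192.168.35.2", 53),
    "untrusted: DHCP discover":               (ACL_100, "udp", "0.0.0.0", "255.255.255.255", 67),
    "untrusted: SMB to file server":          (ACL_100, "tcp", "10.10.110.50", "10.10.12.20", 445),
    "trusted: agent discovery -> NAS eth1":   (ACL_101, "udp", "10.10.12.50", "10.10.21.5", 8905),
    "trusted: SMB to file server":            (ACL_101, "tcp", "10.10.12.50", "10.10.12.20", 445),
}


def run_flows() -> dict:
    """Verdict for every sample flow, keyed by its description."""
    return {name: evaluate(parse_acl(acl), *flow) for name, (acl, *flow) in FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in run_flows().items():
        print(f"{verdict:6} {name}")
```

The SMB flow from the untrusted VLAN is denied by nothing explicit; it simply falls off the end of ACL 100, which is exactly the behaviour the design relies on. If you add a remediation server, add a permit entry for it; if you ever append a broad permit for troubleshooting, the untrusted VLAN stops being a quarantine.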

Configuring SVIs

Example 10-18 shows the switch configuration of the Layer 3 SVI interfaces. Notice the command ip access-group 100 in or ip access-group 101 in on the SVI interfaces. This command applies to the SVI an access list that can limit the access of clients. You can find the access list definitions in the "Configuring Access Control Lists" section.

Example 10-18 Edge Switch SVI Configuration

interface Vlan10
 description Guest
 ip address 10.10.10.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan11
 description Consultant
 ip address 10.10.11.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan12
 description Employee
 ip address 10.10.12.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan110
 description Untrusted
 ip address 10.10.110.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan22
 description Switch Management
 ip address 10.10.22.2 255.255.255.0
!

Configuring the Switch as a DHCP Server

Almost every network needs a DHCP server. In the sample topology (see Figure 10-35), you will configure the switch to act as the DHCP server. The switch is configured to act as the DHCP server for the user VLANs 10, 11, and 12, and the untrusted VLAN 110. Example 10-19 shows the edge switch DHCP configuration.

Example 10-19 Edge Switch DHCP Server Configuration

ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.254
ip dhcp excluded-address 10.10.11.1
ip dhcp excluded-address 10.10.11.254
ip dhcp excluded-address 10.10.12.1
ip dhcp excluded-address 10.10.12.254
ip dhcp excluded-address 10.10.110.1
ip dhcp excluded-address 10.10.110.254
!
ip dhcp pool vlan10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 192.168.35.2
 domain-name cisco.com
!
ip dhcp pool vlan11
 network 10.10.11.0 255.255.255.0
 default-router 10.10.11.1
 dns-server 192.168.35.2
 domain-name cisco.com
!
ip dhcp pool vlan12
 network 10.10.12.0 255.255.255.0
 default-router 10.10.12.1
 dns-server 192.168.35.2
 domain-name cisco.com
!
ip dhcp pool vlan110
 network 10.10.110.0 255.255.255.0
 default-router 10.10.110.1
 dns-server 192.168.35.2
 domain-name cisco.com
!

Configuring Fa1/0/5—The Interface Connecting the Host

Configuration of the client ports is straightforward: they are access ports, with the per-port MAC-notification trap enabled so that a new host appearing on the port is reported to NAC Appliance Manager. In the sample topology, the client port Fa1/0/5 is configured as an access port in VLAN 10, as shown in Example 10-20.

Example 10-20 Edge Switch Configuration— Client Port

interface FastEthernet1/0/5
 description client port
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 snmp trap mac-notification added
!

Configuring SNMP

The switch must be configured with SNMP MAC-notification traps and linkdown traps. The MAC-notification trap is how NAC Appliance Manager learns that a new MAC address has appeared on a port, which triggers the NAC process; the linkdown trap tells it that the user disconnected. On Catalyst switches, MAC-notification traps are generated only when mac address-table notification is enabled globally and snmp trap mac-notification added is set on each client port. Example 10-21 shows the necessary SNMP configuration on the edge switch. Access list 10 is applied to both community strings so that only NAC Appliance Manager (10.10.30.5) can speak SNMP to the switch. The RW community is what lets the Manager change the VLAN of a port, so treat both strings as credentials: replace the well-known defaults public and private with unique values in production, because SNMPv2c carries them in cleartext.

Example 10-21 Edge Switch SNMP Configuration

mac address-table notification
!
snmp-server community public RO 10
snmp-server community private RW 10
snmp-server enable traps snmp linkdown
snmp-server enable traps mac-notification
snmp-server host 10.10.30.5 version 2c public
!
access-list 10 permit host 10.10.30.5
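The edge-switch requirements in this step are easy to get partly right: one SVI without its ACL or one community string without the access list silently weakens the whole OOB design. As an added example that is not part of the chapter, the following Python audits a constructed running-config excerpt (the edge-switch examples from this section stitched together, with two weaknesses introduced on purpose) for VTP transparent mode, an inbound ACL on every client SVI, the traps and global MAC-notification setting the Manager depends on, a trap receiver, and SNMP communities that are both non-default and bound to an access list. The assumption that Vlan22 carries no clients, and the fix strings used in the usage note, are the example's own.

```python
"""Audit an IOS edge-switch configuration for the Layer 3 OOB prerequisites
described in this section: VTP transparent, an ACL on every client SVI, the
SNMP traps the Manager depends on, and SNMP communities bound to an ACL."""
import re
from typing import Dict, List

# Constructed sample: Examples 10-16, 10-18, 10-20 and 10-21 condensed into one
# running-config excerpt, with two weaknesses introduced deliberately: Vlan12
# has no inbound ACL and the RW community is not tied to access-list 10.
EDGE_CONFIG = """
vtp domain cisco
vtp mode transparent
ip routing
mac address-table notification
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan12
 ip address 10.10.12.1 255.255.255.0
!
interface Vlan110
 ip address 10.10.110.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan22
 ip address 10.10.22.2 255.255.255.0
!
interface FastEthernet1/0/5
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
snmp-server community public RO 10
snmp-server community private RW
snmp-server enable traps snmp linkdown
snmp-server enable traps mac-notification
snmp-server host 10.10.30.5 version 2c public
access-list 10 permit 10.10.30.5
"""

DEFAULT_COMMUNITIES = {"public", "private"}
MANAGEMENT_SVIS = {"Vlan22"}  # assumption: the management SVI carries no clients


def parse_interfaces(cfg: str) -> Dict[str, List[str]]:
    """Map each 'interface X' to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit(cfg: str, untrusted_svi: str = "Vlan110",
          untrusted_acl: str = "100", trusted_acl: str = "101") -> List[str]:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings: List[str] = []
    lines = [ln.strip() for ln in cfg.splitlines()]

    if "vtp mode transparent" not in lines:
        findings.append("VTP is not in transparent mode")

    # SNMP: the Manager needs RW to move ports between VLANs, so every community
    # must be restricted to it by ACL and must not be a well-known default.
    for ln in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", ln)
        if not m:
            continue
        name, mode, acl = m.groups()
        if acl is None:
            findings.append(f"SNMP {mode} community has no access-list; any host can use it")
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"SNMP community '{name}' is a well-known default string")
    for needed in ("snmp-server enable traps snmp linkdown",
                   "snmp-server enable traps mac-notification",
                   "mac address-table notification"):
        if needed not in lines:
            findings.append(f"missing '{needed}'; Manager will not learn of port changes")
    if not any(ln.startswith("snmp-server host ") for ln in lines):
        findings.append("no 'snmp-server host'; traps have nowhere to go")

    # SVIs: the untrusted VLAN gets the remediation-only ACL, user VLANs the NAS-deny ACL
    interfaces = parse_interfaces(cfg)
    for name, sub in interfaces.items():
        if not name.startswith("Vlan") or name in MANAGEMENT_SVIS:
            continue
        applied = [s.split()[2] for s in sub
                   if s.startswith("ip access-group ") and s.endswith(" in")]
        want = untrusted_acl if name == untrusted_svi else trusted_acl
        if want not in applied:
            findings.append(f"{name}: expected 'ip access-group {want} in', found {applied or 'none'}")

    # Client access ports must raise the per-port MAC-notification trap
    for name, sub in interfaces.items():
        if "switchport mode access" in sub and "snmp trap mac-notification added" not in sub:
            findings.append(f"{name}: access port lacks 'snmp trap mac-notification added'")
    return findings


if __name__ == "__main__":
    for finding in audit(EDGE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports five findings: both default community names, the RW community with no access list, Vlan12 without ACL 101, and the client port without its MAC-notification trap. Feed it the output of show running-config from a real edge switch and the same checks apply; adjust MANAGEMENT_SVIS and the VLAN and ACL numbers to your own topology.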

Step 2: Configuring NAC Appliance Manager

On NAC Appliance Manager, you have to do some basic configuration using the configuration script. From the NAC Appliance Manager CLI, type service perfigo config. Initially, you can access the CLI by attaching a keyboard and monitor to NAC Appliance Manager or via the serial port (38400 bps). After NAC Appliance Manager has an IP address, the CLI can be accessed via SSH. Example 10-22 shows the configuration setup script.

Example 10-22 Running the Configuration Script on the Manager
