Chapter 10: Configuring Out-of-Band

Cisco Press

This chapter covers the following topics:

  • Out-of-Band Overview and Design

  • Sample Design and Configuration for Layer 2 Out-of-Band Deployment

  • Sample Design and Configuration for Layer 3 Out-of-Band Deployment

This chapter covers the configuration of the Out-of-Band (OOB) mode in both Layer 2 (where users are Layer 2 adjacent to NAC Appliance Server) and Layer 3 (where users are one or more hops away from NAC Appliance Server) scenarios. For detailed information explaining what OOB is and how it compares to In-Band (IB) mode, see Chapter 4, "Making Sense of All the Cisco NAC Appliance Design Options," earlier in this book. This book does not include a chapter on configuring In-Band mode. The main reason for this is that if you know how to configure OOB mode, you also know how to configure IB mode. To configure IB mode, you follow almost the same steps you would to configure OOB mode, but you leave out the switch and VLAN configuration steps.

Out-of-Band Overview and Design

When planning for an Out-of-Band mode deployment, keep in mind that the following factors will affect the design.

User Access Method

Today, NAC Appliance supports Out-of-Band mode only for users on a wired LAN. Wireless and virtual private network (VPN) users must use In-Band mode.

Switch Support

NAC Appliance Out-of-Band mode works with only Cisco Catalyst switches. NAC Appliance In-Band mode supports most Cisco switches. A complete compatibility matrix of supported switches is at

http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/switch.htm

Central Deployment Mode or Edge Deployment Mode

Here the terms central and edge deployment refer to the physical configuration of NAC Appliance Server. Central Deployment mode means that both the trusted interface and the untrusted interface of NAC Appliance Server (NAS) are plugged in to the same physical switch. Edge Deployment mode means that the interfaces are plugged in to two separate switches. Out-of-band deployments use Central Deployment mode. This is because in an out-of-band deployment, NAC Appliance Servers are almost always placed at the distribution or core layer and not at the edge of the network.

Layer 2 or Layer 3

If NAC Appliance Server is placed such that end users are Layer 2 adjacent to it, configure NAC Appliance Server to be in Layer 2 Out-of-Band (L2OOB) mode.

If NAC Appliance Server is placed such that the end users are one or more hops away from it, configure NAC Appliance Server to be in Layer 3 Out-of-Band (L3OOB) mode.

Gateway Mode for NAC Appliance Server

NAC Appliance Server can be configured in Virtual Gateway mode or Real-IP Gateway mode. Most L2OOB deployments will be in Virtual Gateway mode because this mode requires fewer configuration changes than Real-IP Gateway mode.

In Virtual Gateway mode, the IP address configured on the untrusted port of NAC Appliance Server is of no practical use. Remember that, in Virtual Gateway mode, NAC Appliance Server is acting as a Layer 2 transparent bridge and therefore has only one management IP. The IP address configured on the trusted port of NAC Appliance Server is used as the management IP. Therefore, the untrusted port IP address cannot be used for any practical purposes.

In Real-IP Gateway mode, NAC Appliance Server acts as a Layer 3 device (router); therefore, both the trusted and untrusted port IP addresses are usable. Most L3OOB deployments will be in Real-IP Gateway mode. This is because in L3OOB, you must have a usable IP address on the untrusted port. This will become clearer when the L3OOB designs are discussed later in this chapter.

Table 10-1 lists the compatibility matrix for the switches with the type of gateway mode.

Table 10-1 Gateway Mode Switch Compatibility Matrix

L2 or L3 Switch        | Virtual Gateway Mode, Central Deployment | Virtual Gateway Mode, Edge Deployment | Real-IP Mode, Central or Edge Deployment
-----------------------|------------------------------------------|---------------------------------------|-----------------------------------------
6500                   | Yes                                      | Yes                                   | Yes
4500                   | Yes                                      | Yes                                   | Yes
3750/3560 (L3 switch)  | Yes, with 12.2(25)SEE and higher         | Yes                                   | Yes
3550 (L3 switch)       | No*                                      | Yes                                   | Yes
3750/3560 (L2 switch)  | Yes                                      | Yes                                   | Yes
3550 (L2 switch)       | Yes                                      | Yes                                   | Yes
2950/2960              | Yes                                      | Yes                                   | Yes

*Due to Cisco IOS switch caveat CSCsb62432

Note that the information in Table 10-1 is independent of IB or OOB mode. The one red flag in Table 10-1 is that a NAC Appliance Server in Central Deployment mode, connected to a Catalyst 3550 switch (as a Layer 3 switch), cannot be configured in Virtual Gateway mode. This is due to Cisco IOS switch caveat CSCsb62432 (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsb62432). Note that user registration or a service contract is required to access some Cisco.com resources.

Simple Network Management Protocol Trap to Trigger the NAC Process

A switch can be configured to generate a linkup or MAC-notification trap to detect that a new user has connected to the switch port. The choice of using linkup or MAC-notification depends on the switch and the code that the switch is running. If you have a choice, you should always use MAC-notification. It is a more efficient and flexible trap.

Other factors that determine the best trap to use are whether you have IP phones and whether user machines are going to connect to the network from behind those IP phones. When a user connects to the network in this scenario, no new linkup is detected; as a result, you have to rely on MAC notifications to detect whether a new user has connected to the network from behind an IP phone.

Port-Based VLAN Assignment or User Role–Based VLAN Assignment

If you use port-based VLAN assignment in Out-of-Band mode, the untrusted VLAN and the trusted VLAN for a particular port are static. When a user connects to that port, the user moves to a preconfigured untrusted VLAN. After the user authenticates and remediates, the user moves to a trusted VLAN that is also preconfigured for that port.

If you use user role–based VLAN assignment, the untrusted VLAN for a particular port is still static. However, after the user is authenticated and remediated, the trusted VLAN that the user moves to is determined dynamically from the user role to which the user belongs.

Sample Design and Configuration for Layer 2 Out-of-Band Deployment

For this Layer 2 Out-of-Band mode example, consider the topology in Figure 10-1.

Figure 10-1 Sample Network Topology

The user PC, NAC Appliance Manager, and NAC Appliance Server are connected to a Catalyst 3750 switch. NAC Appliance Server is configured in Virtual Gateway Central Deployment mode.

NAC Appliance Manager (NAM) is on VLAN 30 and has an IP address (10.10.30.5 /24). NAC Appliance Server management is on VLAN 20 and has an IP address (10.10.20.5 /24).

Note - In Virtual Gateway mode, the NAC Appliance Server management IP has to be on a different subnet than the NAC Appliance Manager. This is because when NAS has to initiate packets while in Virtual Gateway mode, it always sends them out of the untrusted port (except for packets destined for its default gateway or a subnet other than the NAC Appliance Server management subnet). NAC Appliance Manager always resides on the trusted network. Therefore, to talk to NAC Appliance Manager, NAC Appliance Server has to send packets out of the trusted port, which necessitates that NAC Appliance Manager resides on a subnet different from that of NAC Appliance Server.

In this design, you will use user role–based VLAN assignment. There are three user VLANs:

  • VLAN 10 (Guest)

  • VLAN 11 (Consultant)

  • VLAN 12 (Employee)

Based on who connects to a switch port, you want to move the user to one of the VLANs in the preceding list. The VLANs have access control lists (ACLs) associated with their switch virtual interfaces (SVIs) to restrict network access appropriately for those user roles. It is important to note that these ACLs are not managed or controlled by NAC Appliance, and they are applied within the Cisco switches themselves as VLAN ACLs. Now that you have a good idea of the design principles, the remainder of this section shows how to configure a Layer 2 out-of-band deployment.

Step 1: Configuring the Switch

The Catalyst 3750 switch is being used as a Layer 3 switch running code 12.2(25)SEE. (See Figure 10-1.)

Configuring VLAN Trunking Protocol and VLANs

One of the first things you will do is configure your switches to support the OOB deployment. Example 10-1 shows how you would configure the VLANs on the switch shown in Figure 10-1 of the sample network.

Example 10-1 Switch Configuration for OOB Deployment

vtp domain cisco
vtp mode transparent
ip routing
!
vlan 10
 name guest
!
vlan 11
 name consultant
!
vlan 12
 name employee
!
vlan 20
 name NAS_mgmt
!
vlan 30
 name NAM_mgmt
!
vlan 110
 name untrusted_vlan
!
vlan 998-999
!

Configuring SVIs

The next step is to configure the Layer 3 interfaces (SVIs) on the switch. Example 10-2 shows the SVI configurations for the sample network (see Figure 10-1). Note that all these SVIs reside only on the trusted side of NAC Appliance Server. For a client on VLAN 110 (the untrusted side) to reach them, it is forced to go through NAC Appliance Server. The other SVIs are used as default gateways for the different user access VLANs. Remember that after a client is considered "clean," its switch port dynamically reconfigures and the client moves to its access VLAN. At this point, NAC Appliance is no longer in the client's traffic path. In this example, the access VLAN is determined by the client's user role; Employee is VLAN 12, for example.

Example 10-2 Switch SVI Configuration

interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan11
 ip address 10.10.11.1 255.255.255.0
!
interface Vlan12
 ip address 10.10.12.1 255.255.255.0
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
!

Notice that you did not configure an SVI for VLAN 110. This is necessary to force VLAN 110 traffic through NAC Appliance Server as the only way out of VLAN 110.

Configuring the Switch as a DHCP Server

NAC Appliance Server running in Virtual Gateway mode cannot act as the DHCP server for its untrusted-side networks; its DHCP server functionality is disabled in this mode. Therefore, you must provide a DHCP server. Many organizations use the DHCP server functionality built into most Cisco switches. However, any DHCP server will work.

If NAC Appliance Server is running in Real-IP Gateway mode, using the built-in DHCP server functionality of NAC Appliance Server is recommended. In the sample network (see Figure 10-1), NAC Appliance Server is in Virtual Gateway mode. Example 10-3 shows how to configure a Cisco switch to act as a DHCP server. Remember that VLAN 110 (auth VLAN) is mapped to VLAN 10 on the trusted side. The switch is configured to act as the DHCP server for the auth VLAN 10 and the access VLANs 11 and 12.

Example 10-3 Cisco Switch DHCP Server Configuration

ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.254
ip dhcp excluded-address 10.10.11.1
ip dhcp excluded-address 10.10.11.254
ip dhcp excluded-address 10.10.12.1
ip dhcp excluded-address 10.10.12.254
!
ip dhcp pool vlan10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 192.168.35.2
 domain-name cisco.com
!
ip dhcp pool vlan11
 network 10.10.11.0 255.255.255.0
 default-router 10.10.11.1
 dns-server 192.168.35.2
 domain-name cisco.com
!
ip dhcp pool vlan12
 network 10.10.12.0 255.255.255.0
 default-router 10.10.12.1
 dns-server 192.168.35.2
 domain-name cisco.com
!

Configuring Fa1/0/1—The Interface Connecting the NAC Appliance Manager eth0 Port

Next you must configure the switch port that the eth0 interface of NAC Appliance Manager plugs into. The eth0 interface of NAC Appliance Manager resides on a VLAN on the trusted side. If NAC Appliance Server is running in Virtual Gateway mode, its VLAN must not be the same as the VLAN of NAC Appliance Server management. In the sample network topology (see Figure 10-1), the NAC Appliance Manager eth0 interface connects to the switch's Fa1/0/1 and resides in VLAN 30. Example 10-4 shows this switch configuration.

Example 10-4 Cisco Switch Configuration of the NAC Appliance Manager eth0 Port

interface FastEthernet1/0/1
 description Manager eth0
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast

Configuring Fa1/0/3—The Interface Connecting the Trusted Port (eth0) of NAC Appliance Server

The switch port that the eth0 interface plugs into will be configured as a trunk link forwarding traffic for the mapped authentication VLANs and the NAC Appliance Server management VLAN. The trunk's native VLAN should be set to something that is not used anywhere else in the network, essentially making it a black hole. Example 10-5 shows the switch configuration for the sample topology (see Figure 10-1). In the sample topology, VLAN 10 is the mapped authentication VLAN, and VLAN 20 is the NAC Appliance Server management VLAN.

Example 10-5 Cisco Switch Configuration for the NAC Appliance Server eth0 Port

interface FastEthernet1/0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20
 switchport mode trunk
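As an added check (this is not from the book or from Cisco), the following Python audit reads IOS-style configuration text and tests the three design rules this section has stated so far: no SVI on the untrusted auth VLAN (Example 10-2), NAM and NAS management on different VLANs in Virtual Gateway mode (the Note above and Example 10-4), and a trusted-side trunk (Example 10-5) that allows only the mapped auth VLAN and the NAS management VLAN with a native VLAN that nothing else uses. The sample configuration text is constructed from those examples; the function and parameter names are assumptions of this example.

```python
import re
# Constructed sample: the lines of Examples 10-2, 10-4 and 10-5 that the checks below read.
SAMPLE_CONFIG = """
interface Vlan10
interface Vlan20
interface Vlan30
interface FastEthernet1/0/1
 switchport access vlan 30
interface FastEthernet1/0/3
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20
"""

def parse_interfaces(config):
    """Map each 'interface X' block of IOS-style text to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line.strip():
            current = None  # any other top-level command ends the block
    return blocks

def audit_l2oob(config, auth_vlan, mapped_vlan, nas_mgmt_vlan, nam_port, nas_trusted_port):
    """Return the chapter's L2OOB design rules this config violates (empty list = compliant)."""
    ifaces = parse_interfaces(config)
    findings = []
    # Rule 1: no SVI on the untrusted auth VLAN, so NAS is the only way out of it.
    if f"Vlan{auth_vlan}" in ifaces:
        findings.append(f"SVI exists for auth VLAN {auth_vlan}: clients could bypass NAS")
    # Rule 2 (Virtual Gateway): NAM must not sit on the NAS management VLAN.
    nam = re.search(r"access vlan (\d+)", " ".join(ifaces.get(nam_port, [])))
    if nam and int(nam.group(1)) == nas_mgmt_vlan:
        findings.append(f"{nam_port} puts NAM on NAS management VLAN {nas_mgmt_vlan}")
    # Rule 3: the trusted trunk carries exactly the mapped auth VLAN and the NAS mgmt VLAN...
    trunk = " ".join(ifaces.get(nas_trusted_port, []))
    allowed = {int(v) for m in re.findall(r"allowed vlan ([\d,]+)", trunk) for v in m.split(",")}
    if allowed != {mapped_vlan, nas_mgmt_vlan}:
        findings.append(f"{nas_trusted_port} allows {sorted(allowed)}, not just mapped auth + NAS mgmt")
    # ...and its native VLAN is a black hole: no SVI, access port or allowed list uses it.
    in_use = {int(n[4:]) for n in ifaces if n.startswith("Vlan")}
    for m in re.finditer(r"switchport (?:access|trunk allowed) vlan ([\d,]+)", config):
        in_use.update(int(v) for v in m.group(1).split(","))
    native = re.search(r"native vlan (\d+)", trunk)
    if native and int(native.group(1)) in in_use:
        findings.append(f"native VLAN {native.group(1)} on {nas_trusted_port} is not a black hole")
    return findings
```

Running `audit_l2oob(SAMPLE_CONFIG, 110, 10, 20, "FastEthernet1/0/1", "FastEthernet1/0/3")` returns an empty list for the sample; adding an SVI for VLAN 110 or moving the NAM port into VLAN 20 produces a finding for each rule broken.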

Configuring Fa1/0/4—The Interface Connecting the Untrusted Port (eth1) of NAC Appliance Server

The switch port that the eth1 interface plugs into will be configured as a trunk link forwarding traffic for the authentication VLAN on the untrusted side. Example 10-6 shows the switch configuration based on the sample network topology.
