Table of Contents
Advertisement
Understanding NAC
NAC Layer 2 IP Validation
You can use NAC Layer 2 IP on an access port on an edge switch to which an endpoint system or client
is connected. The device (host or client) can be a PC, a workstation, or a server that is connected to the
switch access port through a direct connection, an IP phone, or a wireless access point, as shown in
Figure
When NAC Layer 2 IP is enabled, EAPoUDP only works with IPv4 traffic. The switch checks the
antivirus status of the endpoint devices or clients and enforces access control policies.
Figure 41-2
Clients running
the Cisco Trust Agent
These sections describe NAC Layer 2 IP validation:
•
•
•
•
•
•
Posture Validation
NAC Layer 2 IP supports the posture validation of multiple hosts on the same switch port, as shown in
Figure
When you enable NAC Layer 2 IP validation on a switch port to which hosts are connected, the switch
can use DHCP snooping and Address Resolution Protocol (ARP) snooping to identify connected hosts.
The switch initiates posture validation after receiving an ARP packet or creating a DHCP snooping
binding entry. When you enable NAC Layer 2 IP validation, ARP snooping is the default method to
detect connected hosts. If you want the switch to detect hosts when a DHCP snooping binding entry is
created, you must enable DHCP snooping.
Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
41-4
41-2.
Network Using NAC Layer 2 IP
PC
Hub
Workstation
IP phone
IP
PC
software
Posture Validation, page 41-4
Cisco Secure ACS and AV Pairs, page 41-6
Audit Servers, page 41-7
ACLs, page 41-8
NAC Timers, page 41-8
NAC Layer 2 IP Validation and Redundant Supervisor Engines, page 41-10
41-2.
Chapter 41
Configuring Network Admission Control
PC
Cisco
Secure ACS
Switch
Network
Authentication
Access
Server (RADIUS)
Device
OL-11439-03
- Quick Links:
- Product Overview
Hide quick links:
Advertisement
Table of Contents
