Configuring Nac; Default Nac Configuration; Nac Layer 2 Ip Guidelines, Limitations, And Restrictions - Cisco 7604 Configuration Manual

Cisco IOS Software Configuration Guide

Configuring NAC
(Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX, page 45-12)

This section contains this configuration information:

• Default NAC Configuration, page 45-12
• NAC Layer 2 IP Guidelines, Limitations, and Restrictions, page 45-12
• Configuring EAPoUDP, page 45-17
• Configuring Identity Profiles and Policies, page 45-17

Default NAC Configuration

By default, NAC Layer 2 IP validation is disabled.

NAC Layer 2 IP Guidelines, Limitations, and Restrictions

When configuring NAC Layer 2 IP validation, follow these guidelines, limitations, and restrictions:
• You must configure Layer 3 routes from the switch to the host for the Layer 2 IP to operate correctly.
• Layer 2 IP is not allowed if the parent VLAN of the port has VACL capture or Cisco IOS firewall (CBAC) configured.
• LAN Port IP (LPIP) ARP traffic redirected to the CPU cannot be spanned using the SPAN feature.
• NAC Layer 2 IP validation is not supported on trunk ports, tunnel ports, EtherChannel members, or routed ports. The Catalyst 6500 series switches support Layer 2 IP on EtherChannels.
• When NAC Layer 2 IP validation is enabled, you must configure an ACL on the switch port to which hosts are connected. The ACL must permit EAPoUDP traffic for LPIP to function.
• NAC Layer 2 IP does not validate the posture of IPv6 traffic and does not apply access policies to IPv6 traffic.
• NAC Layer 2 IP is not supported if the switch port is part of a private VLAN.
• NAC Layer 2 IP ARP traffic redirected to the CPU cannot be spanned using the SPAN feature.
• A denial-of-service attack might occur if the switch receives many ARP packets with different source IP addresses. To avoid this problem, you must configure the IP admission MLS rate-limiting feature using the mls rate-limit layer2 ip-admission command.
• If DAI is also enabled on the parent VLAN of the switch port, the IP admission rate limiting for ARP packets directed to the CPU is ineffective. In this situation, ARP Inspection rate limiting is functional. ARP inspection rate limiting is performed in software, and IP admission rate limiting is performed in hardware.
• DHCP snooping must be enabled if the switch is to use DHCP lease grants to identify connected hosts. DHCP packets are permitted in DHCP environments in both the default interface policy and the downloaded host policy.
• If you want the end stations to send DNS requests before posture validation occurs, you must configure the named downloadable ACL on the switch port with ACEs permitting DNS packets.
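As an added example (not from the manual, and not Cisco's own tooling), the following Python pre-deployment check parses a running-config fragment and reports NAC-enabled ports that violate the guidelines above: trunk, EtherChannel and private VLAN ports, ports without an ACL or whose ACL does not permit EAPoUDP, and a global config without mls rate-limit layer2 ip-admission. It assumes EAPoUDP uses UDP port 21862 and that commands appear in the form shown in the constructed sample config.

```python
# Constructed sample running-config (not from the manual): one compliant port, one that breaks guidelines.
SAMPLE_CONFIG = """mls rate-limit layer2 ip-admission 10
ip access-list extended NAC-PRE-POSTURE
 permit udp any any eq 21862
interface GigabitEthernet1/1
 ip access-group NAC-PRE-POSTURE in
 ip admission NAC-L2IP
interface GigabitEthernet1/2
 switchport mode trunk
 channel-group 1 mode on
 ip admission NAC-L2IP"""
EAPOUDP_PORT = "21862"  # assumption: EAPoUDP (EoU) uses UDP port 21862

PORT_RULES = [  # (config prefix that disqualifies the port, guideline it violates)
    ("switchport mode trunk", "trunk port: NAC L2 IP is not supported"),
    ("channel-group", "EtherChannel member: NAC L2 IP is not supported"),
    ("switchport mode private-vlan", "private VLAN port: NAC L2 IP is not supported"),
]

def parse(config):
    """Split a running-config into global lines, interface blocks and named ACLs."""
    glob, ifaces, acls, cur = [], {}, {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith("ip access-list extended "):
            cur = acls.setdefault(line.split()[-1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        elif line.strip():  # any other top-level line ends the current block
            cur = None
            glob.append(line)
    return glob, ifaces, acls

def check_nac_port(lines, glob, acls):
    """Return guideline violations for one port that has 'ip admission' applied."""
    problems = [msg for pfx, msg in PORT_RULES if any(l.startswith(pfx) for l in lines)]
    acl = next((l.split()[2] for l in lines if l.startswith("ip access-group ")), None)
    if acl is None:
        problems.append("no ACL on the switch port (required when NAC L2 IP is enabled)")
    elif not any(l.startswith("permit udp") and l.split()[-1] == EAPOUDP_PORT for l in acls.get(acl, [])):
        problems.append(f"ACL {acl} does not permit EAPoUDP, so LPIP cannot function")
    if not any(g.startswith("mls rate-limit layer2 ip-admission") for g in glob):
        problems.append("no 'mls rate-limit layer2 ip-admission': ARP flood can DoS the CPU")
    return problems

def audit(config):
    """Map each NAC-enabled interface to its violations (empty list = compliant)."""
    glob, ifaces, acls = parse(config)
    return {name: check_nac_port(lines, glob, acls) for name, lines in ifaces.items()
            if any(l.startswith("ip admission ") for l in lines)}
```

Run audit() over a real show running-config capture before enabling NAC Layer 2 IP on a port; any non-empty list names the guideline that must be fixed first.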
Chapter 45, Configuring Network Admission Control (OL-4266-08)
