45-12
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 45 Configuring Network Admission Control
Configuring NAC
This section contains this configuration information:
• Default NAC Configuration, page 45-12
• NAC Layer 2 IP Guidelines, Limitations, and Restrictions, page 45-12
• Configuring EAPoUDP, page 45-17
• Configuring Identity Profiles and Policies, page 45-17
Default NAC Configuration
By default, NAC Layer 2 IP validation is disabled.
NAC Layer 2 IP Guidelines, Limitations, and Restrictions
When configuring NAC Layer 2 IP validation, follow these guidelines, limitations, and restrictions:
• You must configure Layer 3 routes from the switch to the host for NAC Layer 2 IP to operate correctly.
• Layer 2 IP is not allowed if the parent VLAN of the port has VACL capture or Cisco IOS firewall (CBAC) configured.
• LAN Port IP (LPIP) ARP traffic redirected to the CPU cannot be spanned using the SPAN feature.
• NAC Layer 2 IP validation is not supported on trunk ports, tunnel ports, EtherChannel members, or routed ports. The Catalyst 6500 series switches support Layer 2 IP on EtherChannels.
• When NAC Layer 2 IP validation is enabled, you must configure an ACL on the switch port to which hosts are connected.
• The ACL must permit EAPoUDP traffic for LPIP to function.
• NAC Layer 2 IP does not validate the posture of IPv6 traffic and does not apply access policies to IPv6 traffic.
• NAC Layer 2 IP is not supported if the switch port is part of a private VLAN.
• NAC Layer 2 IP ARP traffic redirected to the CPU cannot be spanned using the SPAN feature.
• A denial-of-service condition might occur if the switch receives many ARP packets with different source IP addresses. To avoid this problem, you must configure the IP admission MLS rate-limiting feature using the mls rate-limit layer2 ip-admission command.
• If DAI is also enabled on the parent VLAN of the switch port, the IP admission rate limiting for ARP packets directed to the CPU is ineffective. In this situation, ARP inspection rate limiting is functional. ARP inspection rate limiting is performed in software and IP admission rate limiting is performed in hardware.
• DHCP snooping must be enabled if the switch is to use DHCP lease grants to identify connected hosts. DHCP packets are permitted in DHCP environments in both the default interface policy and the downloaded host policy.
• If you want the end stations to send DNS requests before posture validation occurs, you must configure the named downloadable ACL on the switch port with ACEs permitting DNS packets.
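As an added example that is not part of this guide, the following Python script audits IOS configuration text against several of the restrictions above (port ACL present, EAPoUDP permitted, no trunk ports, ip-admission rate limiting configured). It assumes the EAPoUDP UDP port 21862, the ip admission and ip access-group port commands, and the mls rate-limit layer2 ip-admission syntax, and runs over a constructed sample configuration.

```python
# Added example (not from the Cisco guide): audit IOS config text for the NAC Layer 2 IP
# restrictions above. The config below is constructed; port 21862 is the assumed EAPoUDP port.
EAPOUDP_PORT = "21862"  # assumed EAPoUDP default UDP port

# Constructed sample: Gi1/1 is compliant, Gi1/2 is a trunk with no port ACL.
SAMPLE_CONFIG = """\
ip access-list extended NAC-DEFAULT
 permit udp any any eq 21862
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any
interface GigabitEthernet1/1
 ip access-group NAC-DEFAULT in
 ip admission NAC-L2-IP
interface GigabitEthernet1/2
 switchport mode trunk
 ip admission NAC-L2-IP
mls rate-limit layer2 ip-admission 10 5
"""

def parse_blocks(text):
    """Map each top-level command to its indented sub-lines (empty list if none)."""
    blocks, header = {}, None
    for line in text.splitlines():
        if line.startswith(" "):
            blocks.setdefault(header, []).append(line.strip())
        elif line.strip():
            header = line.strip()
            blocks[header] = []
    return blocks

def audit_nac_l2_ip(text):
    """Return {interface: [problems]} for every port that has 'ip admission' applied."""
    blocks = parse_blocks(text)
    has_rate_limit = any(h.startswith("mls rate-limit layer2 ip-admission") for h in blocks)
    findings = {}
    for header, lines in blocks.items():
        if not header.startswith("interface ") or not any(l.startswith("ip admission ") for l in lines):
            continue
        # Rate limiting is a global requirement; report it against each admission port.
        problems = [] if has_rate_limit else ["ip-admission rate limit not configured"]
        if "switchport mode trunk" in lines:
            problems.append("not supported on trunk ports")
        acl = next((l.split()[2] for l in lines if l.startswith("ip access-group ")), None)
        if acl is None:
            problems.append("no ACL on the switch port")
        elif not any(a.startswith("permit udp ") and a.endswith(f"eq {EAPOUDP_PORT}")
                     for a in blocks.get(f"ip access-list extended {acl}", [])):
            problems.append("ACL does not permit EAPoUDP")
        findings[header.split()[1]] = problems
    return findings
```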