Out-of-Band mode supports both Virtual Gateway and Real IP Gateway network modes on NAC Appliance Server. Given that OOB mode relies on VLANs for segmentation of clients, you need to be aware of the process NAC Appliance goes through to change a client’s IP address as it transitions from the authentication VLAN to the access VLAN. If you choose to use Real IP Gateway mode, you are required to have different IP subnets for the authentication VLAN and the access VLAN. This is because NAC Appliance is routing between the VLANs, and routers can’t route traffic between two identical IP subnets. If you choose Virtual Gateway mode, you have the flexibility of having the auth VLAN and access VLAN be the same or different IP subnets. This is because NAC Appliance is bridging and uses VLAN remapping.
If you choose to have separate subnets for the auth and access VLANs, you need to consider how you can force the client to change its IP address at the appropriate times. The issue revolves around the difficulty in forcing a client to change its IP address. After a client receives an IP address from a DHCP server, it doesn’t like to relinquish that IP address for a new one. In fact, a number of operating systems—some Linux variants, for example—require you to reboot if you change IP addresses. To deal with the IP address change problem, NAC Appliance offers two mechanisms: switch port bouncing and DHCP release/renew. Bouncing a port simply means disconnecting and reconnecting it. This port reset action forces the client’s operating system to clear its existing IP address and request a new one. The problem is that this method does not work with all operating systems, Linux being one example.
The second way NAC Appliance can force a client to change its IP address is using DHCP release/renew functionality. The way this works is that Clean Access Agent or the web login applet sends a DHCP release/renew instruction to the host’s operating system. This is the equivalent of typing ipconfig /release followed by ipconfig /renew in a Windows command prompt. The problem with this method is that only Windows operating systems are unconditionally supported as of this writing. Macintosh systems support release/renew only when using the web login applet; the Clean Access Agent release/renew is not supported as of this writing.
CAUTION In IP telephony environments, port bouncing must be avoided and is not an acceptable method. You must either preserve the client’s IP address as it moves from the authentication VLAN to the access VLAN or use the DHCP release/renew method. Because of the port bounce, IP phones on those client ports will also be reset. This is because the client is plugged into the IP phone and the phone is then plugged into the switch. See Figure 4-10 for an example of this arrangement.
Figure 4-10 Client with an IP Phone
If the host’s IP address needs to be changed, the DHCP release/renew method is recommended. However, if port bouncing is enabled, NAC Appliance bounces the host’s physical Ethernet switch port. Port bouncing is offered as an option because it forces the host’s operating system to release the old IP address and request a new one. One undesirable side effect of port bouncing is that if the host is connected through an IP phone, the IP phone is bounced as well.
[Figure 4-10 elements: Client connected to IP Phone, IP Phone connected to Cisco Switch, NAC Appliance Server, Campus LAN. Callout: When the client’s switch port is bounced, the IP Phone also resets.]
It is recommended that Virtual Gateway mode be used in any IP telephony environment in which hosts are plugged into IP phones. Only Virtual Gateway mode can be configured to never change the IP address of the host and therefore mitigates the need for port bouncing or DHCP release/renew. This in turn reduces the complexity of the design. Virtual Gateway (transparent bridging) mode can be configured so that the IP address the client receives in the authentication VLAN is also valid in the access VLAN. NAC Appliance will not bounce the switch port because the IP address never changes. Because the switch port never bounces, the IP phone is not affected in any way. The downside to using this method is that you cannot use role-based VLAN assignment. Everyone must be assigned to the same access VLAN. See Figure 4-11 for a look at how IP addressing is typically handled with OOB in Virtual Gateway mode.
Figure 4-11 IP Addressing with OOB in Virtual Gateway Mode
[Figure 4-11 callouts: NAC Appliance Server in Virtual Gateway mode sits between an untrusted 802.1Q trunk (Authentication VLAN 10, 10.10.10.0/24) and a trusted 802.1Q trunk (Access VLAN 20, 10.10.10.0/24). The client requests an IP address on Authentication VLAN 10 using DHCP (DHCP request, VLAN tag 10); the packet is retagged by the Server (VLAN tag 20) and sent out the trusted interface to the Corporate DHCP Server; the DHCP reply for 10.10.10.5 comes back with VLAN tag 20, is retagged to VLAN tag 10, and the client now has the IP address 10.10.10.5/24. (5) Once certified, NAC Appliance moves the client’s switch port to Access VLAN 20. (6) Client already has a valid IP address in the Access VLAN, so no changes are necessary.]
In Real IP Gateway (Routing) mode, the client’s IP address is always changed when it transitions between the authentication and access VLANs. To force this change on the client, the switch port must be bounced or DHCP release/renew must happen. Typically, NAC Appliance Server acts as the DHCP server for the authentication VLAN, but not in the access VLAN. See Figure 4-12 for a look at how IP addressing is typically handled with OOB in Real IP Gateway mode.
Figure 4-12 IP Addressing with OOB in Real IP Gateway Mode
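The rules laid out in this section (Real IP Gateway requires distinct subnets, Virtual Gateway with a shared subnet needs no IP change, port bouncing is unacceptable behind an IP phone and ineffective on Linux, and DHCP release/renew support depends on the client OS and login method) are easy to get wrong when reviewing an OOB design. The following Python design checker is an added example, not code from the book or from Cisco; the OobDesign fields, the evaluate() function and the method names it returns are assumptions made for illustration. It encodes those rules as stated above so that a proposed auth/access VLAN design can be checked before deployment.

```python
"""Design checker for NAC Appliance Out-of-Band IP-address handling.

Added example (not Cisco code): encodes the rules this chapter gives for how
a client's IP address is changed when its switch port moves from the
authentication VLAN to the access VLAN. All class and function names are
assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List


@dataclass
class OobDesign:
    gateway_mode: str            # "virtual" (bridging) or "real_ip" (routing)
    auth_subnet: str             # e.g. "10.10.10.0/24"
    access_subnet: str
    client_os: str               # "windows", "mac" or "linux"
    login_method: str            # "agent" (Clean Access Agent) or "web" (web login applet)
    behind_ip_phone: bool = False
    port_bounce_enabled: bool = False


@dataclass
class Verdict:
    # method: "none", "dhcp_release_renew", "port_bounce" or "unsupported"
    method: str
    errors: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def same_subnet(a: str, b: str) -> bool:
    return ip_network(a, strict=False) == ip_network(b, strict=False)


def ip_change_required(d: OobDesign) -> bool:
    # Real IP Gateway always changes the address; Virtual Gateway only when
    # the auth and access VLANs use different subnets.
    if d.gateway_mode == "real_ip":
        return True
    return not same_subnet(d.auth_subnet, d.access_subnet)


def release_renew_supported(client_os: str, login_method: str) -> bool:
    # Windows: supported with the agent and the web applet.
    # Mac: web login applet only. Linux: not supported.
    if client_os == "windows":
        return True
    if client_os == "mac":
        return login_method == "web"
    return False


def port_bounce_works(client_os: str) -> bool:
    # Bouncing the port does not make a Linux host request a new lease.
    return client_os != "linux"


def evaluate(d: OobDesign) -> Verdict:
    v = Verdict(method="none")
    if d.gateway_mode == "real_ip" and same_subnet(d.auth_subnet, d.access_subnet):
        v.method = "unsupported"
        v.errors.append("Real IP Gateway routes between the VLANs: auth and access subnets must differ")
        return v
    if not ip_change_required(d):
        v.notes.append("IP address preserved across VLANs; role-based VLAN assignment is not "
                       "available, every client lands in the same access VLAN")
        return v
    if d.behind_ip_phone and d.port_bounce_enabled:
        v.method = "unsupported"
        v.errors.append("Port bouncing resets the IP phone the client is plugged into; "
                        "disable it or preserve the client IP with Virtual Gateway mode")
        return v
    if release_renew_supported(d.client_os, d.login_method):
        v.method = "dhcp_release_renew"
        if d.behind_ip_phone:
            v.notes.append("Client sits behind an IP phone; Virtual Gateway mode with one "
                           "subnet avoids the IP change altogether")
        return v
    if d.port_bounce_enabled and port_bounce_works(d.client_os):
        v.method = "port_bounce"
        return v
    v.method = "unsupported"
    reason = "disabled" if not d.port_bounce_enabled else "ineffective on this OS"
    v.errors.append(f"No working IP-change method for {d.client_os}/{d.login_method}: "
                    f"DHCP release/renew unsupported and port bounce {reason}")
    return v


if __name__ == "__main__":
    # Constructed sample design: Linux host, Real IP Gateway, port bounce enabled.
    sample = OobDesign("real_ip", "10.10.10.0/24", "10.10.20.0/24", "linux", "agent",
                       port_bounce_enabled=True)
    print(evaluate(sample))
```

Each Verdict carries the mechanism NAC Appliance would end up using plus the design findings; a method of "unsupported" with a non-empty errors list means the combination of gateway mode, subnets, client OS and login method has no acceptable way to move the client to the access VLAN and the design should be revisited before rollout.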