Date: Fri, 2 May 2008 12:33:09 -0400
Sorry,
#6 is what I wanted to comment on.
--Jesse
Jesse Dubois wrote:
> Hello,
> I just want to clarify #7. VLAN mapping is a core function of most
> Virtual Gateway setups. What you won't want to use is "Enable Subnet
> Based VLAN Retag" on the managed subnet page.
> --Jesse
>
> Daniel Sichel wrote:
>> <snip>
>> We are looking at transitioning to Out-of-Band for our CCA deployment
>> here at AU and in preparation are setting up our test hardware in
>> order to gauge user
>> impact. I'm finding the Cisco provided documentation vague at best
>> however.
>> <snip>
>>
>> Vague is an understatement. A couple of caveats from one with many
>> bleeding wounds in this battle.
>> 1. Identify the management VLAN and set it on the protected side.
>> 2. BELIEVE THEM when they say, do not connect up the untrusted interface
>> until the managed subnets are set up.
>> 3. Do not try this with a flat network if you don't have to; that is,
>> have a layer three boundary between clients on the protected side and
>> servers. There was a bug in the click router module that appears to have
>> been fixed in the latest software release for the CAM and CAS. If your
>> servers and clients are on the same LAN segment (ours are) then you
>> need this release. Alternatively, you can have clients and the servers
>> they access on different LANs if you don't already. This may cause
>> issues with access to DHCP and remediation sources.
>> 4. Do NOT BELIEVE the diagrams in the manual, they are SOOOO MISLEADING
>> and conflict with each other.
>> 5. Configure static routes to your authentication servers.
>> 6. I use VLAN mapping, but have been told by Cisco support people that
>> this feature "is of the devil". Proceed with caution I guess.
>> 7. Talk to your switch people. They will be giving you read/write SNMP
>> access or this stuff won't work. On the plus side v3 is supported, so if
>> your switches have the chops, you can encrypt the SNMP traffic to keep
>> it hidden from mischievous visitors.
>> 8. If you can, get a hold of the Cisco internal training documentation;
>> it's not too bad.
>> 9. You really do need to keep the CAS and CAM on separate VLANs, you
>> really do need the dead-end VLANs for native mode on CAS ports. You
>> really will need to talk to your router and firewall people to
>> facilitate all the different traffic.
>> 10. And finally, if you figure out how to get a signing-off client to
>> properly drop itself from the list of online users and certified devices
>> ALL THE TIME, let me know.
>> Cheers
>>
>>
>>
>> Daniel Sichel, CCNP, MCSE, MCSA, MCTS (Windows 2008)
>> Network Engineer
>> Ponderosa Telephone (559) 868-6367
>>
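Item 7 in Daniel's list (read/write SNMP for the switches, SNMPv3 where the switches support it) is the one piece of the thread that maps directly onto a switch configuration, so here is an added illustration of what that looks like on a Cisco IOS access switch. This is example configuration written for this page, not text from the thread and not Cisco's NAC documentation. Everything named in it is a placeholder: the ACL NAC-SNMP, view NAC-VIEW, group NAC-RW, user nac-cam, the CAM address 192.0.2.10 and both passphrases. The trap lines assume a Catalyst IOS release that supports MAC-notification and link traps; check your platform's command reference before relying on them.

```cisco
! --- Added example: SNMPv3 read/write access scoped to the CAM only ---
! Limit SNMP to the CAM's management address (placeholder address).
ip access-list standard NAC-SNMP
 permit host 192.0.2.10
 deny   any log
!
! A view covering the whole MIB tree; narrow this if your CAM only needs
! specific MIBs (VLAN, interface and MAC-notification tables are the usual set).
snmp-server view NAC-VIEW iso included
!
! SNMPv3 group: "priv" = authentication AND encryption, read/write through
! NAC-VIEW, and only from sources matched by NAC-SNMP.
snmp-server group NAC-RW v3 priv read NAC-VIEW write NAC-VIEW access NAC-SNMP
!
! SNMPv3 user the CAM will be configured with. SHA for authentication,
! AES-128 for privacy. Replace the placeholder passphrases; IOS stores
! the localized keys, not the plaintext, after this line is entered.
snmp-server user nac-cam NAC-RW v3 auth sha AuthPassHere priv aes 128 PrivPassHere
!
! Traps to the CAM, also as SNMPv3 authPriv so port-state and MAC-address
! notifications are not readable on the wire either.
snmp-server host 192.0.2.10 version 3 priv nac-cam
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change
!
! MAC-notification traps also need the global notification table enabled
! and the per-port trap switched on for the client-facing ports.
mac address-table notification change
interface range GigabitEthernet1/0/1 - 24
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
```

Two checks worth doing before handing this to the NAC team: confirm with "show snmp user" that the user shows both an auth and a priv protocol (a user created without the priv keywords silently ends up at authNoPriv, and the "priv" group will reject it), and send an SNMPv2c request from the CAM's address to make sure it is refused, since the v3 group and ACL above do nothing to stop a leftover "snmp-server community" line that grants read/write to anyone who knows the string.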