CLEANACCESS Archives

May 2008

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
Jesse Dubois <[log in to unmask]>
Reply To:
Cisco Clean Access Users and Administrators <[log in to unmask]>
Date:
Fri, 2 May 2008 12:33:09 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (62 lines)
Sorry,
    #6 is what I wanted to comment on.
--Jesse

Jesse Dubois wrote:
> Hello,
>    I just want to clarify #7.  VLAN mapping is a core function of most
> Virtual Gateway setups.  What you won't want to use is "Enable Subnet Based
> VLAN Retag" on the managed subnet page.
> --Jesse
>
> Daniel Sichel wrote:
>> <snip>
>> We are looking at transitioning to Out-of-Band for our CCA deployment
>> here at AU and in preparation are setting up our test hardware in
>> order to gauge user impact. I'm finding the Cisco provided documentation
>> vague at best however.
>> <snip>
>>
>> Vague is an understatement. A couple of caveats from one with many
>> bleeding wounds in this battle.
>> 1. Identify the management VLAN and set it on the protected side.
>> 2. BELIEVE THEM when they say, do not connect up the untrusted interface
>> until the managed subnets are set up.
>> 3. Do not try this with a flat network if you don't have to; that is,
>> have a layer three boundary between clients on the protected side and
>> servers. There was a bug in the click router module that appears to have
>> been fixed in the latest software release for the CAM and CAS. If your
>> servers and clients are on the same LAN segment (ours are) then you
>> need this release. Alternatively, you can have clients and the servers
>> they access on different LANs if you don't already. This may cause
>> issues with access to DHCP and remediation sources.
>> 4. Do NOT BELIEVE the diagrams in the manual, they are SOOOO MISLEADING
>> and conflict with each other.
>> 5. Configure static routes to your authentication servers.
>> 6. I use VLAN mapping, but have been told by Cisco support people that
>> this feature "is of the devil".  Proceed with caution I guess.
>> 7. Talk to your switch people. They will be giving you read/write SNMP
>> access or this stuff won't work. On the plus side v3 is supported so if
>> your switches have the chops, you can encrypt the SNMP traffic to keep
>> it hidden from mischievous visitors.
>> 8. If you can, get a hold of the Cisco internal training documentation,
>> it's not too bad.
>> 9. You really do need to keep the CAS and CAM on separate VLANs, you
>> really do need the dead end VLANs for native mode on CAS ports. You
>> really will need to talk to your router and firewall people to
>> facilitate all the different traffic.
>> 10. And finally, if you figure out how to get a signing off client to
>> properly drop itself from the list of online users and certified devices
>> ALL THE TIME, let me know.
>> Cheers
>>
>> Daniel Sichel, CCNP, MCSE,MCSA,MCTS (Windows 2008)
>> Network Engineer
>> Ponderosa Telephone (559) 868-6367
>>   
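Point 7 in the quoted list (the switches must grant the CAM read/write SNMP access, and SNMPv3 can encrypt that traffic) is the one place in this thread that maps directly onto a configuration. The following switch-side configuration is an added example, written for this archive page and not taken from the post or from Cisco's documentation. It assumes a Cisco IOS switch; the CAM address 192.0.2.10, the ACL, group, user and view names, and the passphrase placeholders are all constructed and should be replaced with your own.

```cisco
! Added example: SNMPv3 authPriv access for the Clean Access Manager,
! in place of a clear-text v2c read/write community.
!
! Weak setting this replaces. The community string travels in clear text
! and, with RW, anyone who learns it can reconfigure the switch:
!   snmp-server community cca-rw RW
!
! Constructed CAM address. Only this host may use the v3 user.
ip access-list standard CAM-SNMP
 permit host 192.0.2.10
 deny   any log
!
! Hypothetical view/group/user names. "priv" requires both authentication
! and encryption on every request; read and write are limited to the view.
snmp-server view CAM-VIEW iso included
snmp-server group CAM-GROUP v3 priv read CAM-VIEW write CAM-VIEW access CAM-SNMP
!
! <auth-passphrase> and <priv-passphrase> are placeholders; use separate,
! long values and share them with the CAM configuration only.
snmp-server user cam-user CAM-GROUP v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase> access CAM-SNMP
```

After applying it, `show snmp group` and `show snmp user` confirm the group's security model is `v3 priv` and that the user is bound to the CAM-SNMP list; `show running-config` does not display `snmp-server user` lines, so those two commands are the way to verify the user exists. The `deny any log` entry means any other host polling with this user shows up in the switch log, which is the check worth keeping once the CAM is the only legitimate SNMP writer.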
