Table of Contents
For all switch models/NMEs, Cisco recommends checking for limitations and verifying support for MAC notification and/or linkup-linkdown SNMP traps for the switch OS version you intend to use. See Known Issues with Switches/WLCs for further details.
Administrators update switch and Wireless LAN Controller (WLC) support object IDs (OIDs) using the update function in the CAM Device Management > Clean Access > Updates web console page. For example, if a new model of a supported switch family is released, Cisco NAC Appliance administrators only need to retrieve an update to ensure the latest support for switch OIDs. (That is, you are not required to upgrade the CAM/CAS software image, itself). The update switch OID feature only applies to existing models. If a new switch series is introduced, administrators will still need to upgrade to ensure OOB support for the new switches. Refer to the “Switch Management” (OOB) chapter of the Cisco NAC Appliance - Clean Access Manager Configuration Guide for details.
- For L2 deployments, user MAC/IP addresses need to be visible to the CAS
- For L3 deployments (i.e. where the CAS can be one or more hops away from the user), the CAS differentiates users by IP address
With Cisco NAC Appliance Out-of-Band deployment, the CAS is inline with user traffic only during the process of authentication, assessment and remediation. Following that, user traffic does not pass through the CAS. In an OOB deployment, the Clean Access Manager (CAM) uses SNMP to control switches and set VLAN assignments for ports. When the CAM/CAS are set up for OOB, the CAM can control the switch ports of supported switches/NMEs with the corresponding minimum IOS/CatOS versions listed in the collection of switch family support tables in Cisco NAC Appliance Switch Support Matrixes.
- Table 1 “Supported Cisco Catalyst 2900 XL Switches”
- Table 2 “Supported Cisco Catalyst 2940 Switches”
- Table 3 “Supported Cisco Catalyst 2950 Switches”
- Table 4 “Supported Cisco Catalyst 2955 Switches”
- Table 5 “Supported Cisco Catalyst 2960 Switches”
- Table 6 “Supported Cisco Catalyst 2970 Switches”
- Table 7 “Supported Industrial Ethernet 3000 Switches ,”
- Table 8 “Supported Cisco Catalyst 3500 XL Switches”
- Table 9 “Supported Cisco Catalyst 3550 Switches”
- Table 10 “Supported Cisco Catalyst 3560 Switches”
- Table 11 “Supported Cisco Catalyst 3750 Switches”
- Table 12 “Supported Cisco Catalyst 3850 Switches”
- Table 13 “Supported Cisco Catalyst 4000/4500 Switches”
- Table 14 “Supported Cisco Catalyst 6000/6500 Switches”
- Table 15 “Supported Cisco Catalyst Express 500 Switches”
- Table 16 “Supported Cisco Etherswitch Service Modules”
- Table 17 “Supported Cisco Wireless LAN Controllers for Wireless Out-of-Band”
Table 1 Supported Cisco Catalyst 2900 XL Switches 1
Cisco Catalyst 2908XL switch with 8 10/100BaseTX ports 2
1.Cisco NAC Appliance supports Cisco Catalyst 2900 XL and 3500 XL only until the product (switch) end of support. For details, refer to http://www.cisco.com/en/US/products/hw/switches/prod_category_end_of_life.html.
Cisco Catalyst 2940 L2 switch with 8 10/100 copper ports and 1 10/100/1000 copper uplink port 3
5.Cisco IOS 12.1(14)EA1 or above is required for 2950/2950 LRE switches. 2950s running 12.1(11)-12.1(13) may experience caveat CSCea56777 which prevents the VLAN from being changed on the switch itself.
Industrial Ethernet switch with four Ethernet 10/100 ports and two dual-purpose uplink ports (a dual-purpose port has one 10/100/1000BaseTX port and one Small Form-Factor Pluggable [SFP] port, port active).
7.IE 3000/3010 switch series are running the same baseline IOS as Catalyst 2960. To add or configure this switch on the CAM, choose Cisco Catalyst 2960 series from the drop-down in the CAM Switch Management > Profiles > Switch > New > Switch Model web console page.
8.For further details on Cisco Industrial Ethernet 3000 / 3010 Series Switches, refer to http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9703/data_sheet_c78-440930.html and http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9703/datasheet_c78-637080.html
Table 8 Supported Cisco Catalyst 3500 XL Switches 9
Cisco Catalyst 3508G-XL switch with 8 GBIC Gigabit ports 10
9.Cisco NAC Appliance supports Cisco Catalyst 2900 XL and 3500 XL only until the product (switch) end of support. For details, refer to http://www.cisco.com/en/US/products/hw/switches/prod_category_end_of_life.html.
Table 13 Supported Cisco Catalyst 4000/450015 Switches
WS-C2948G CatOS 6
WS-C2948-GGE-TX CatOS 6
WS-C2980-G CatOS 6
WS-C2980-GA CatOS 6
Cisco Catalyst 6000 Series 22
Note Wireless OOB only supports Layer 2 OOB Virtual Gateway deployments that require no IP address change. The Cisco NAC Network Module (NME-NAC) does not support a Layer 2 OOB Virtual Gateway topology, therefore the Cisco NAC Network Module is not supported for Wireless OOB deployments.
Note If CAM is using SNMP V3 for write, wireless clients might not move into Access VLAN even when the NAC agent on the client passed posture validation after WLC reboot. Refer to WLC caveat CSCtb78072.
- Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment
- Stacked Cisco Catalyst 3750 Switches and NAC Appliance Out-of-Band Deployment
- Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs) and DHCP
For Cisco NAC Appliance in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the CAS are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.
For Cisco NAC Appliance customers with OOB deployments running stacked Cisco Catalyst 3750 switches with Cisco IOS 12.2(25) SEC2 or lower, SNMP mac-notifications can fail, and SNMP does not report MAC addresses to the OOB CAM and CAS.
Affected customers can resolve this issue by upgrading their stacked Cisco Catalyst 3750 switches to Cisco IOS release 12.2(25)SEE or above. For further details refer to switch IOS caveat CSCeh80716:
See Cisco NAC Appliance Switch Support Matrixes for additional details on the switches supported for OOB deployments.
Due to changes in DHCP server operation with Cisco NAC Appliance release 4.0(2) and later, networks with Cisco 2200/4400 Wireless LAN Controllers (also known as Airespace WLCs) which relay requests to the CAS (operating as a DHCP server) may have issues. Client machines may be unable to obtain DHCP addresses.
Note For further details on configuring DHCP options, see the “Configuring DHCP” chapter of the Cisco NAC Appliance - Clean Access Server Configuration Guide.
- Preventing Loops on Central Switch for VGW/Central Deployments
- OOB Switch Trunk Ports and Upgrade
- Switch OID Support
- NAC Appliance Device Support
- MAC-Move Notification Support
In Virtual Gateway Central deployment, both interfaces of the CAS are connected to the same switch. Administrators must use the following procedure for correct configuration of a Virtual Gateway Central Deployment. To prevent looping on any central/core switch as you plug both interfaces of the CAS into the switch, perform the following steps:
3. After you have added the CAS to the CAM web console, make sure to set the VLAN to be mapped under Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping . Also make sure you check the “ Enable VLAN Mapping ” checkbox and click Update .
4. For the 802.1q ports configuration on the switch, make sure to prune all other VLANs for switches trunking to eth0 and eth1 of the CAS except those used for the CAS Management VLAN and the User VLANs.
5. Prune VLAN 1 on the switch ports connecting to the CAS eth0 and eth1 interfaces. For details, see:
See also Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB) for additional information.
Because Cisco NAC Appliance can control switch trunk ports for OOB, ensure that the uplink ports for controlled switches are configured as “uncontrolled” ports before or after upgrade. This can be done in one of two ways:
- Before upgrading, change the Default Port Profile for the entire switch to “uncontrolled” under Switch Management > Devices > Switches > List > Config[Switch_IP] > Default Port Profile | uncontrolled , or
- After upgrading, change the Profile to “uncontrolled” for the applicable uplink ports of the switch under Switch Management > Devices > Switches > List > Ports [Switch_IP] | Profile
Administrators can update the object IDs (OIDs) of supported switches by performing a CAM update (under Device Management > Clean Access > Updates ). For example, if a new switch (such as C3750-XX-NEW) of a supported model (Catalyst 3750 series) is released, administrators only need to perform Cisco Updates on the CAM to obtain support for the switch OIDs, instead of performing a software upgrade of the CAM/CAS. The update switch OID feature only applies to existing models. If a new switch series is introduced, administrators will still need to upgrade to ensure OOB support for the new switches.
Cisco NAC Appliance Release 4.9 has Universal Switch Support that makes it possible for Cisco NAC Appliance to support any Cisco Switch as long as it supports the MIBs that are used by NAC. The Universal Device Support is limited only to Cisco Switches and non-Cisco Switches are not supported.
You can verify whether a device is supported by using the Verify tab. This utility verifies a device already added to CAM or a new device that is yet to be added to CAM. This option is available in the CAM Web Console in OOB Management > Devices > Devices > Verify tab.
Refer to Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9 for more details.
Table 18 lists the switch models and OS versions that support the MAC-Move notification.
Refer to the Release Notes for Cisco NAC Appliance, Version 4.1(3) for additional details.
Table 19 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the CAS for either in-band (IB) or out-of-band deployments (OOB). This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.
Yes with 12.2(25) SEE and higher 1
Yes with 12.2(25) SEE and higher 28
28.Due to switch caveat CSCdu27506. See Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment for details.
For additional information on Virtual Gateway Central Deployment, see also Preventing Loops on Central Switch for VGW/Central Deployments.