Chapter 45
Configuring Network Admission Control
• If you want to forward the HTTP and HTTPS requests from an endpoint device to a specific URL, you must enable the HTTP server feature. The url-redirect-acl AV pair should be defined as the URL ACL name. This ACL should contain a deny tcp any <remediation-server-address> eq www ACE followed by the permit ACEs for the HTTP traffic that is being redirected.
• If NAC Layer 2 IP validation is configured on a switch port that belongs to a voice VLAN, the switch does not validate the posture of the IP phone. Make sure that the IP phone is on the exception list.
• If NAC Layer 2 IP validation is enabled, the NAC Layer 2 IP configuration takes precedence over VLAN ACLs and router ACLs that are configured on ingress interfaces. For example, when a VLAN ACL and a router ACL are configured, the policies are applied serially in the order LPIP policy, then VLAN ACL, then router ACL. The next policy is applied only when the traffic passes the previous policy check; any policy in the serial order that denies the traffic causes the traffic to be denied. The downloaded LPIP host policy always overrides the default interface policy.
• DHCP traffic must be permitted in the interface default ACL and in the host policy for DHCP snooping to function.
• If dynamic ARP inspection is enabled on the ingress VLAN, the switch initiates posture validation only after the ARP packets are validated.
• Traffic that matches the deny ACEs of the URL-redirect ACL is forwarded in hardware without applying the default interface policy or the downloaded host policies. If this traffic requires filtering, define a VLAN ACL on the switch port access VLAN. This configuration allows the HTTP traffic destined for the remediation servers to bypass redirection.

Configuring NAC Layer 2 IP Validation

To configure NAC Layer 2 IP validation, beginning in privileged EXEC mode, perform this task:

Step 1
  Command: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 2
  Command: Router(config)# ip admission name rule-name eapoudp
  Purpose: Creates and configures an IP NAC rule by specifying the rule name. To remove the IP NAC rule on the switch, use the no ip admission name rule-name eapoudp global configuration command.

Step 3
  Command: Router(config)# mls rate-limit layer2 ip-admission pps [burst]
  Purpose: Enables the rate limiting of the IP admission traffic to the CPU.

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX   OL-4266-08   45-13
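As an added check that is not part of the guide (ACL names and addresses are constructed), this Python parses an IOS extended ACL of the kind named by the url-redirect-acl AV pair and verifies the ordering rule from the URL-redirect guideline above: the deny ACE for the remediation server must come before any permit ACE that would otherwise match the same HTTP traffic, because IOS evaluates ACEs in order and stops at the first match.

```python
from collections import namedtuple
# Constructed IOS extended ACLs (names and addresses are hypothetical, not from the guide).
GOOD_ACL = """ip access-list extended NAC-REDIRECT
 deny tcp any host 10.1.1.50 eq www
 permit tcp any any eq www
 permit tcp any any eq 443"""
SHADOWED_ACL = """ip access-list extended NAC-REDIRECT
 permit tcp any any eq www
 deny tcp any host 10.1.1.50 eq www"""
Ace = namedtuple("Ace", "action proto dst dport")  # dport: numeric destination port, or None

def _addr(t, i):
    # IOS address forms: any | host A.B.C.D | A.B.C.D wildcard
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2

def _port(t, i):
    # Only the "eq" operator is handled; "www" is IOS shorthand for port 80
    if i < len(t) and t[i] == "eq":
        return ("80" if t[i + 1] == "www" else t[i + 1]), i + 2
    return None, i

def parse_acl(text):
    # Extract the ACEs of an "ip access-list extended" block, in the order IOS evaluates them
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        _, i = _addr(t, 2)      # source address, then an optional source port operator
        _, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        aces.append(Ace(t[0], t[1], dst, dport))
    return aces

def check_redirect_acl(text, remediation_servers):
    """Return findings; an empty list means the ACL follows the ordering the guide requires."""
    aces, findings = parse_acl(text), []
    for srv in remediation_servers:
        denies = [n for n, a in enumerate(aces) if a.action == "deny" and a.proto == "tcp" and a.dst == srv]
        if not any(aces[n].dport == "80" for n in denies):
            findings.append(f"missing 'deny tcp any host {srv} eq www': remediation HTTP would be redirected")
        for n in denies:
            # IOS stops at the first matching ACE, so an earlier permit covering this traffic wins
            if any(p.action == "permit" and p.proto in ("tcp", "ip") and p.dst in ("any", srv)
                   and p.dport in (None, aces[n].dport) for p in aces[:n]):
                findings.append(f"deny for {srv} port {aces[n].dport} is shadowed by an earlier permit")
    return findings
```

The same shadow test also catches a deny placed after a bare permit tcp any any, which matches every port.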