IP Telephony Best Practices for Out-of-Band Mode

If your voice-facing NAC Appliance Server is running in OOB mode, your design becomes a little bit more complex. This makes sense given that with OOB mode you are controlling the actual switch port that the IP phone and its connected client are attached to. The basic rule of thumb is that if you will not have a client connecting to an IP phone, make sure that the phone's switch port is still set to be controlled in NAC Appliance Manager. Use MAC address filters to identify and permit your IP phones. This practice ensures that rogue users cannot gain access by disconnecting an IP phone and plugging in a laptop. If your clients do connect directly to the IP phones, you should consider the following design recommendations:

• Set your switch profiles to never bounce a switch port.

• The MAC addresses of all IP phones must be added and maintained in NAC Appliance Manager's Filter list.

• If you use NAC Appliance in Layer 3 adjacency Out-of-Band mode, you must rely on the DHCP release and renew functionality built into the Clean Access Agent and web login applet.

• If you configure NAC Appliance to change port VLANs dynamically, you must rely on the DHCP release and renew functionality built into the agent and applet to change the client's IP address.

• Use the certified timer in environments where the clients connect to the IP phone and not the switch port.

• You must configure NAC Appliance and your switches to use the MAC Notification SNMP trap and not the Linkup SNMP trap.

The following paragraphs explain these recommendations in more detail.

Be sure to set your port profiles to never bounce a switch port. Switch port bouncing is used to force the client to renew its IP address when it transitions from the authentication VLAN to the access VLAN. However, if you bounced the switch port, it would take down your IP phone as well as your client. Instead of port bouncing, use either virtual gateway mode with the authentication and access VLAN being the same subnet (also called virtual gateway same IP subnet design), or rely on the DHCP release and renew feature built into the Clean Access Agent and web login applet.

The virtual gateway same IP subnet solution is designed to eliminate the client IP address change when moving from the authentication VLAN to the access VLAN. It works by forwarding the client's initial DHCP request to the access VLAN. This means that the client is given a legal address that works for both the authentication VLAN and access VLAN. Therefore, the client never has to change its IP address when it transitions between the authentication and access VLANs. If you choose the DHCP release and renew feature, the agent or web login applet will issue a DHCP release request followed by a DHCP renew request to the host operating system. This works basically the same way as running the ipconfig /renew command on a Windows PC.

The MAC addresses of all IP phones must be added to the NAC Appliance Manager's filter list. Set these MAC exceptions to Ignore, meaning that when NAC Appliance receives a MAC notification trap for an IP phone, it should ignore it and take no action. You can quickly populate the IP phone MAC Exception list by using the bulk administration tool in CallManager and by using MAC address wildcards.

The reason IP phones must be added to the exception list is because when a switch port is controlled using OOB mode, it sends a MAC notification SNMP trap every time a new MAC address is detected. This action does not differentiate between the IP phone connecting and the client PC attached to the IP phone connecting. Therefore, if the IP phone's MAC address is not ignored in the Filter list, NAC Appliance considers it a new client and changes the port's VLANs to the authentication VLAN. It will then wait forever for an authentication request from the new MAC address (the IP phone), but one will never come. This whole time, the client PC connected to this port is stuck on the authentication VLAN as well. It is important to note that the voice VLAN, or aux VLAN, and by extension voice traffic, is not affected by this behavior. Only the data VLAN is manipulated by NAC Appliance.

If you use NAC Appliance in Layer 3 adjacency Out-of-Band mode, you must rely on the DHCP release and renew functionality built into the Clean Access Agent and web login applet. This feature, available in version 4.1 or greater, updates the client's IP address as it transitions from the authentication VLAN to the access VLAN. You cannot use the virtual gateway same IP subnet design referred to previously because it requires NAC Appliance to be Layer 2 adjacent to the clients.

If you configure NAC Appliance to set the access VLAN to the user role VLAN, you must rely on the DHCP release and renew functionality built into Clean Access Agent and applet to change the client's IP address. You cannot use the virtual gateway same IP subnet design. This is because each user role VLAN must have a unique IP subnet of its own. It is not possible for the single shared authentication VLAN to have the same IP subnet as the multiple user role access VLANs. All clients are initially put into a single authentication VLAN, where they receive an IP address. After clients become certified, they are moved to the access VLAN ID configured for their particular user role. As a result, the client must be forced to change its IP address to match the user role access VLAN. Given that port bouncing cannot be used to force this change, the only alternative is to use the DHCP release and renew feature.

You should use the certified timer in environments where the clients connect to the IP phone and not the switch port. This helps with the problem of removing stale users from the certified device list. NAC Appliance normally relies on the switch to send a linkdown trap to the NAC Appliance Manager when a user disconnects from the network. The NAC Appliance Manager then logs out the user previously connected to that port. Relying on the linkdown trap to log off users in an IP telephony environment poses a problem in that an IP phone is always up. When a client disconnects from the IP phone port, the switch never sees it. It still sees linkup on the port because the IP phone is plugged into it. Therefore, the switch never sends a linkdown trap when the client disconnects from the network. The result of this is that the Certified Devices list never ages out and users are never logged off NAC Appliance.

To address this issue, using the certified device timer is recommended. This feature clears the certified devices list at regularly scheduled intervals. This clearing is intrusive, however, because it moves the client's switch port back to the authentication VLAN. It then forces the user to reauthenticate and run through the certification process. Because of this, it is recommended that the clearing be done during nonbusiness hours and about every seven days. Figure 5-12 shows the Certified Devices Timer configuration page.
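The following is an added example, not code from the book or from Cisco's NAC Appliance, that models the out-of-band decisions described above: a MAC notification trap for a phone MAC that matches an Ignore entry in the filter list is dropped, a trap for an unknown client moves the port's data VLAN to the authentication VLAN, a linkup trap is never used as a trigger, and the certified device timer clears the list on a schedule (seven days by default) and pushes affected ports back to the authentication VLAN. The VLAN IDs, port names, MAC addresses and the wildcard pattern are constructed for the example.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

AUTH_VLAN = 100    # assumed authentication VLAN ID
ACCESS_VLAN = 200  # assumed access VLAN ID (single access VLAN, not per-role)


class OobController:
    """Toy model of NAC Manager's OOB port control for the data VLAN.

    The voice (aux) VLAN is deliberately absent: as the text notes, NAC
    Appliance only manipulates the data VLAN, so voice is never affected.
    """

    def __init__(self, phone_mac_patterns, first_clear=None, clear_every_days=7):
        # Filter-list entries set to Ignore; shell-style wildcards allowed,
        # e.g. an OUI prefix covering all phones of one vendor.
        self.ignore_patterns = [p.lower() for p in phone_mac_patterns]
        self.port_vlan = {}   # switch port -> current data VLAN
        self.certified = {}   # client MAC -> port it was certified on
        self.next_clear = first_clear
        self.clear_interval = timedelta(days=clear_every_days)

    def is_ignored(self, mac):
        mac = mac.lower()
        return any(fnmatchcase(mac, p) for p in self.ignore_patterns)

    def on_mac_notification(self, port, mac):
        """Handle a MAC notification trap: the only trigger for new clients."""
        if self.is_ignored(mac):
            return "ignored"          # phone MAC: take no action on the port
        if mac.lower() in self.certified:
            return "certified"        # known client, leave the access VLAN alone
        self.port_vlan[port] = AUTH_VLAN
        return "auth"                 # new client: move port to auth VLAN, await login

    def on_linkup(self, port):
        """Linkup traps carry no information behind a phone; never act on them."""
        return "no-op"

    def certify(self, port, mac):
        """Client passed authentication and certification: switch to access VLAN.

        The port is NOT bounced; the client is expected to refresh its address
        via the agent/applet DHCP release and renew.
        """
        self.certified[mac.lower()] = port
        self.port_vlan[port] = ACCESS_VLAN

    def run_timer(self, now):
        """Certified device timer: clear the list and return the ports it reset."""
        if self.next_clear is None or now < self.next_clear:
            return []
        affected = sorted(set(self.certified.values()))
        for port in affected:
            self.port_vlan[port] = AUTH_VLAN   # intrusive: forces reauthentication
        self.certified.clear()
        self.next_clear += self.clear_interval
        return affected


def demo():
    """Walk through a phone boot, a client behind the phone, and the timer."""
    # Constructed values: one vendor OUI wildcard, one port, a Sunday 01:00 clear.
    ctl = OobController(["00:1b:*"], first_clear=datetime(2024, 1, 7, 1, 0))
    log = []
    log.append(ctl.on_mac_notification("Gi1/0/5", "00:1B:54:AA:BB:CC"))  # phone
    log.append(ctl.on_mac_notification("Gi1/0/5", "00:50:56:11:22:33"))  # PC
    ctl.certify("Gi1/0/5", "00:50:56:11:22:33")
    log.append(ctl.on_linkup("Gi1/0/5"))
    log.append(ctl.run_timer(datetime(2024, 1, 6, 12, 0)))  # before schedule
    log.append(ctl.run_timer(datetime(2024, 1, 7, 1, 0)))   # scheduled clear
    return ctl, log


if __name__ == "__main__":
    controller, events = demo()
    for e in events:
        print(e)
    print("port VLANs:", controller.port_vlan, "next clear:", controller.next_clear)
```

Without the wildcard Ignore entry, the first trap would have been treated like the PC's and the port would sit on the authentication VLAN waiting for a login from the phone that never arrives, which is exactly the stuck-client failure the text describes.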

Figure 5-12 Certified Devices Timer Page

[Screenshot: Device Management > Clean Access > Certified Devices > Timer. The page has an "Enable certified device list clearing timer" checkbox, an "Initially clear certified devices at" date and time field, a regular clearing interval field (enter 0 to disable regular clearing), Update and Cancel buttons, and a status line showing when the certified device list will next be cleared.]

You must configure NAC Appliance and your switches to use the MAC Notification SNMP trap and not the Linkup SNMP trap. In an IP telephony environment where clients connect to IP phones, a linkup trap cannot be relied on as an indicator of when a new user connects to the network. This is because from the switch's point of view, it already has linked up with the IP phone and doesn't transition the link state for the user connecting through an IP phone. However, each time a new user connects to the phone port, the downstream switch port does learn the new user's MAC address and generates a MAC notification trap message.
