beautypg.com

IBM Tivoli and Cisco User Manual

Chapter 4. Armando Banking Brothers Corporation

83

Figure 4-3 on page 84 is representative of the ITSO Lab environment used for
NAC Appliance deployment.

VLAN 20

This is the Access VLAN for a Healthy user. All DHCP addresses
are provided from VLAN 20, regardless of whether a user is
compliant or noncompliant.

VLAN 120

This is the authentication VLAN. If a user is classified as
noncompliant by the CAM, that user’s switchport has its VLAN
membership changed from VLAN 20 to VLAN 120. This is done
by the CAM sending the relevant configuration commands to the
switch using SNMP. Once the user is compliant, the CAM will
again change the user’s switchport VLAN membership, this time
from 120 back to 20.

VLAN 9

This is the VLAN on the Core network where the CAM resides.

VLAN 10

This is the VLAN where the CAS sits. Note that both the
untrusted and trusted interfaces of the CAS have the same IP
address. This is a management IP address, and only the trusted
interface is used for management sessions. VLAN 10 is on the
VLAN allowed trunk list for the trusted interface only.

VLAN 998

This is the Native VLAN for the untrusted interface of the CAS.

VLAN 999

This is the Native VLAN for the trusted interface of the CAS.
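
The trunk rules in the list above (native VLAN 998 on the untrusted side, 999 on the trusted side, VLAN 10 allowed on the trusted trunk only) can be checked against a switch configuration. This is an added example, not from the manual: the port names, the sample configuration (constructed, with VLAN 10 deliberately leaked onto the untrusted trunk) and the `audit` helper are assumptions.

```python
import re

MGMT_VLAN = 10                               # CAS management VLAN, from the list above
NATIVE = {"untrusted": 998, "trusted": 999}  # native VLAN per CAS interface, from the list above
# Constructed sample: port names and allowed lists are assumptions, not from the manual.
SAMPLE = """\
interface GigabitEthernet1/0/1
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,120
interface GigabitEthernet1/0/2
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
"""
ROLES = {"untrusted": "GigabitEthernet1/0/1", "trusted": "GigabitEthernet1/0/2"}

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20,100-120' into a set of ints."""
    vlans = set()
    for part in filter(None, map(str.strip, spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(config):
    """Map interface -> trunk settings; IOS defaults: native 1, allowed None (all VLANs)."""
    trunks, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = trunks.setdefault(m.group(1), {"allowed": None, "native": 1})
        elif cur and (m := re.match(r"switchport trunk allowed vlan (add )?(\d[\d,\- ]*)$", line)):
            new = expand_vlans(m.group(2))
            cur["allowed"] = (cur["allowed"] and cur["allowed"] | new) if m.group(1) else new
        elif cur and (m := re.match(r"switchport trunk native vlan (\d+)$", line)):
            cur["native"] = int(m.group(1))
    return trunks

def audit(config, roles):
    """roles maps 'untrusted'/'trusted' to the switch port facing that CAS interface."""
    trunks, findings = parse_trunks(config), []
    for role, port in roles.items():
        t = trunks.get(port)
        if t is None:
            findings.append(f"{port}: no configuration found")
            continue
        carries_mgmt = t["allowed"] is None or MGMT_VLAN in t["allowed"]
        if t["native"] != NATIVE[role]:
            findings.append(f"{port}: native VLAN {t['native']}, expected {NATIVE[role]}")
        if carries_mgmt != (role == "trusted"):
            findings.append(f"{port}: VLAN {MGMT_VLAN} allowed={carries_mgmt}, violates trusted-only rule")
    return findings
```

`audit(SAMPLE, ROLES)` returns one finding, for the untrusted port. A trunk with no explicit allowed list is treated as carrying every VLAN, so an unpruned untrusted trunk is flagged as well.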