Cisco Layer 3 Switch Integration Script (Nexus 9300/9500)
This document provides the switch-side scripts required to complete the installation of the NAC solution.
NAC Router Integration Script
conf t
!
feature pbr
feature dhcp
feature sflow
!
sflow collector-ip x.x.x.x vrf management y.y.y.y    (replace x.x.x.x with IP of NAC server and y.y.y.y with source IP, remove this comment)
sflow collector-port 50001
sflow agent-ip x.x.x.x    (replace x.x.x.x with management IP of switch, remove this comment)
!
(data sources must be local to the switch; for FEX the data source has to be the uplink interface)
sflow data-source interface x    (Layer 2 interface(s) for any Layer 3 interface with the redirect-group applied, remove this comment)
!
ip access-list extended impulse_block
  permit ip any host 198.31.193.211
!
ip access-list extended intranet
  remark allow DNS
  permit udp any any eq domain
  remark allow DHCP
  permit udp any any eq bootps
  remark allow access to AD server
  permit ip any host x.x.x.x    (replace with IP of AD server and remove this comment)
  remark allow access to AV server
  permit ip any host x.x.x.x    (replace with IP of AV server and remove this comment)
  remark allow RDP access to blocked hosts
  permit tcp any eq 3389 any
!
route-map impulse deny 10
  match ip address intranet
!
route-map impulse permit 20
  match ip address impulse_block
  set ip next-hop x.x.x.x    (replace x.x.x.x with IP of NAC server and remove this comment)
!
interface X    (Layer 3 interface(s) which is/are the default gateway for the subnet(s) to be placed under policy – recommend a test subnet first, remove this comment)
  ip policy route-map impulse
  ip dhcp relay address x.x.x.x    (replace with IP of NAC appliance and remove this comment)
!
end

*Note – Be sure to also allow the NAC Enforcer access to the router if a VTY/SSH access-list is present on the router.
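The script above works in two halves: the "intranet" ACL lists traffic that must keep flowing even for quarantined hosts (DNS, DHCP, AD, AV, RDP replies), and route-map sequence 10 denies it so it is never policy-routed; sequence 20 then redirects the remaining matching traffic to the NAC server's next-hop, while sFlow and DHCP relay give the NAC appliance visibility of the subnet. The most common deployment mistake is pasting the script with a placeholder still in it, or referencing an ACL name that was never defined. The following Python helper is an added example, not part of the original integration script or any vendor tool: it renders the page's configuration from named fields, refuses anything that is not a literal IPv4 address, and reports leftover placeholders and unresolved ACL references before the text is pasted into the switch. The field names (nac_ip, sflow_source_ip, and so on) and the sample addresses are this example's own assumptions.

```python
"""Render and sanity-check the NAC PBR/sFlow integration script (added example)."""
from __future__ import annotations

import ipaddress
import re

# Template reproduces the page's configuration; placeholders became named fields.
TEMPLATE = """\
conf t
!
feature pbr
feature dhcp
feature sflow
!
sflow collector-ip {nac_ip} vrf management {sflow_source_ip}
sflow collector-port 50001
sflow agent-ip {switch_mgmt_ip}
!
{sflow_data_sources}
!
ip access-list extended impulse_block
  permit ip any host 198.31.193.211
!
ip access-list extended intranet
  remark allow DNS
  permit udp any any eq domain
  remark allow DHCP
  permit udp any any eq bootps
  remark allow access to AD server
  permit ip any host {ad_ip}
  remark allow access to AV server
  permit ip any host {av_ip}
  remark allow RDP access to blocked hosts
  permit tcp any eq 3389 any
!
route-map impulse deny 10
  match ip address intranet
!
route-map impulse permit 20
  match ip address impulse_block
  set ip next-hop {nac_ip}
!
{policy_interfaces}
!
end
"""

# Matches the page's x.x.x.x / y.y.y.y address placeholders and "interface X".
PLACEHOLDER = re.compile(r"\b[xy]\.[xy]\.[xy]\.[xy]\b|\binterface [xX]\b")


def _ipv4(value: str) -> str:
    """Return the address as a normalised string; raise ValueError for anything else
    (including an unreplaced x.x.x.x placeholder)."""
    return str(ipaddress.IPv4Address(value))


def render(nac_ip: str, sflow_source_ip: str, switch_mgmt_ip: str, ad_ip: str,
           av_ip: str, sflow_interfaces: list[str], policy_interfaces: list[str]) -> str:
    """Fill the template. Every address is validated; each policy interface gets
    the route-map and DHCP relay lines from the page."""
    nac_ip = _ipv4(nac_ip)
    sflow_lines = "\n".join(f"sflow data-source interface {i}" for i in sflow_interfaces)
    iface_blocks = "\n!\n".join(
        f"interface {i}\n  ip policy route-map impulse\n  ip dhcp relay address {nac_ip}"
        for i in policy_interfaces
    )
    return TEMPLATE.format(
        nac_ip=nac_ip,
        sflow_source_ip=_ipv4(sflow_source_ip),
        switch_mgmt_ip=_ipv4(switch_mgmt_ip),
        ad_ip=_ipv4(ad_ip),
        av_ip=_ipv4(av_ip),
        sflow_data_sources=sflow_lines,
        policy_interfaces=iface_blocks,
    )


def find_placeholders(cfg: str) -> list[str]:
    """Lines that still carry a placeholder and must not reach the switch."""
    return [line.strip() for line in cfg.splitlines() if PLACEHOLDER.search(line)]


def unresolved_acls(cfg: str) -> set[str]:
    """ACL names referenced by 'match ip address' that no 'ip access-list' defines."""
    defined = set(re.findall(r"^ip access-list(?: extended)? (\S+)", cfg, re.M))
    referenced = set(re.findall(r"^\s*match ip address (\S+)", cfg, re.M))
    return referenced - defined


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation range), not a real site.
    cfg = render("192.0.2.10", "192.0.2.1", "192.0.2.2", "192.0.2.20", "192.0.2.21",
                 sflow_interfaces=["Ethernet1/1"], policy_interfaces=["Vlan100"])
    print(cfg)
    print("placeholders:", find_placeholders(cfg), "unresolved ACLs:", unresolved_acls(cfg))
```

Run the checks against the rendered text before pasting it: an empty placeholder list and an empty unresolved-ACL set mean the route-map will at least reference ACLs that exist, which is the failure that otherwise leaves the policy silently matching nothing.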
