NAC and hosts with static IP issue

Bartek
Contributor

Hi Everyone,

I have NMS+NAC version 8.0.5.18 in an environment where almost all end systems use static IP addresses (there is no DHCP service enabled) and most of them do not support the 802.1x protocol (so I can't use RADIUS Accounting packets to check the end system IP addresses). I know that the "last resort" method for such a case is to use a switch SNMP query to its ipNetToMediaTable. Unfortunately the access switches don't have L3 interfaces in the hosts' VLANs, so this solution doesn't work (their ARP tables are empty). When I make a manual query to ipNetToMediaTable on the default gateway device, I can find the MAC to IP mapping for such hosts.

In NAC Manager there is an option to enable IP Router Discovery but as I understand this GTAC case article:

https://extremeportal.force.com/ExtrArticleDetail?an=000082196

this method only works with DHCP service enabled networks:

EAC uses these (DHCP) packets to obtain device type information, and for Router IP discovery it uses the gateway address in the DHCP request to identify the router that will have ARP information for the client.

All end system networks have their default gateway L3 interfaces on one device. Is it possible to configure NAC to query this device each time a new end system is authenticating on NAC? I know that this solution is not efficient, but those devices are on-line most of the time, so authentication queries to NAC would not be so frequent. If you have any other idea how to fix this problem, please feel free to share 🙂

Thanks in advance for any help
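
The manual gateway lookup described in the post above, as an added example that is not part of the original thread and not NAC's own code: it parses `snmpwalk` output of the `ipNetToMediaPhysAddress` column into a MAC-to-IP table and flags IPs seen with more than one MAC. It assumes net-snmp's output format; the function names and the sample walk are constructed for illustration.

```python
import re
from collections import defaultdict

# ipNetToMediaPhysAddress column (IP-MIB); rows are indexed <ifIndex>.<IPv4>
PHYS_ADDR_OID = "1.3.6.1.2.1.4.22.1.2"
ROW_RE = re.compile(
    r"^(?:\.?" + re.escape(PHYS_ADDR_OID) + r"|IP-MIB::ipNetToMediaPhysAddress)"
    r"\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\s*=\s*(?:Hex-)?STRING:\s*(.+?)\s*$")

def normalize_mac(raw):
    """'00 1A 2B 3C 4D 5E', '0:1a:2b:3c:4d:5e' or '00-1A-..' -> '00:1a:2b:3c:4d:5e'."""
    parts = re.split(r"[ :-]+", raw.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        return None  # e.g. a value net-snmp printed as quoted text
    return ":".join(p.lower().zfill(2) for p in parts)

def parse_walk(text):
    """Return {mac: {(ip, ifIndex), ...}} from snmpwalk output of the column."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        mac = normalize_mac(m.group(3)) if m else None
        if mac:
            table[mac].add((m.group(2), int(m.group(1))))
    return dict(table)

def resolve(table, mac):
    """IPs the gateway has learned for one end-system MAC."""
    return sorted({ip for ip, _ in table.get(normalize_mac(mac), ())})

def conflicts(table):
    """IPs that appear with more than one MAC (duplicate address or ARP anomaly)."""
    by_ip = defaultdict(set)
    for mac, rows in table.items():
        for ip, _ in rows:
            by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1}

# Constructed sample walk (documentation addresses, made-up MACs and ifIndex values)
SAMPLE = """\
.1.3.6.1.2.1.4.22.1.2.1010.192.0.2.21 = Hex-STRING: 00 1A 2B 3C 4D 5E
.1.3.6.1.2.1.4.22.1.2.1010.192.0.2.22 = Hex-STRING: 00 1A 2B 3C 4D 5F
IP-MIB::ipNetToMediaPhysAddress.1020.198.51.100.7 = STRING: 0:1a:2b:3c:4d:5e
.1.3.6.1.2.1.4.22.1.2.1020.192.0.2.22 = Hex-STRING: 00 1A 2B AA BB CC
.1.3.6.1.2.1.4.22.1.3.1010.192.0.2.21 = IpAddress: 192.0.2.21
"""

if __name__ == "__main__":
    table = parse_walk(SAMPLE)
    print(resolve(table, "00-1A-2B-3C-4D-5E"))
    print(conflicts(table))
```

A static-IP host whose MAC resolves to no address simply has not sent traffic through the gateway yet, so an empty result is not proof the host is absent.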

3 REPLIES 3

Ryan_Yacobucci
Extreme Employee
Hello,

It's recommended to use the Static MAC to IP bindings.

In NAC Manager go to Tools -> Management and Configuration -> Advanced Configurations

Then go into appliance settings and click MAC to IP mapping and you can configure them statically.

The other option you have is to find the global IP subnets in combination with RFC 3576 VLAN IDs.

When you configure the global IP subnets you can configure a VLAN ID. For any end system that has received a policy mapping that has a VLAN ID configured, NAC will attempt to query the configured gateway router per the IP Subnet configuration that has the same VLAN ID for IP resolution.

Thanks
Ryan

Bastian_Sprotte
Extreme Employee
Hello,
What type of switches do you use?
In EXOS/EOS we support the Node-Alias MIB.

enable nodealias ports (user-ports)

This allows NAC to read IP/MAC mappings as well.

Regards
Bastian

Hi,

Thanks for the nice tip, I've never heard about it. Unfortunately this environment is based on Alcatel switches.