45-19
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 45 Configuring Network Admission Control
Configuring NAC
Step 3
Router(config)# access-list
access-list-number
{deny | permit}
source
[
source-wildcard
] [log]
Defines the default port ACL by using a source address and wildcard.
The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
Enter deny or permit to specify whether to deny or permit access if
conditions are matched.
The source is the source address of the network or host from which the
packet is being sent specified as follows:
• The 32-bit quantity in dotted-decimal format.
• The keyword any as an abbreviation for source and source-wildcard
value of 0.0.0.0 255.255.255.255. You do not need to enter a
source-wildcard value.
• The keyword host as an abbreviation for source and source-wildcard
of source 0.0.0.0.
(Optional) Applies the source-wildcard wildcard bits to the source.
(Optional) Enters log to cause an informational logging message about the
packet that matches the entry to be sent to the console.
Step 4
Router(config-if)# interface
interface-id
Enters interface configuration mode.
Step 5
Router(config-if)# ip access-group
{
access-list-number
|
name
} in
Controls access to the specified interface.
Step 6
Router(config-if)# ip admission
name
rule-name
Applies the specified IP NAC rule to the interface.
To remove the IP NAC rule that was applied to a specific interface, use the
no ip admission rule-name interface configuration command.
Step 7
Router(config)# exit
Returns to global configuration mode.
Step 8
Router(config)# aaa new-model
Enables AAA.
Step 9
Router(config)# aaa authentication
eou default group radius
Sets authentication methods for EAPoUDP.
To remove the EAPoUDP authentication methods, use the no aaa
authentication eou default global configuration command.
Step 10
Router(config)# aaa authorization
network default local
Sets the authorization method to local. To remove the authorization method,
use no aaa authorization network default local command.
Step 11
Router(config)# ip device tracking
Enables the IP device tracking table.
To disable the IP device tracking table, use the no ip device tracking
global configuration commands.
Step 12
Router(config)# ip device tracking
[probe {count
count
| interval
interval
}]
(Optional) Configures these parameters for the IP device tracking table:
• count count—Sets the number of times that the switch sends the ARP
probe. The range is from 1 to 5. The default is 3.
• interval interval—Sets the number of seconds that the switch waits
for a response before resending the ARP probe. The range is from 30
to 300 seconds. The default is 30 seconds.
Command Purpose
To Next Page
Loading...
Need help?
General
