<snip> We are looking at transitioning to Out-of-Band for our CCA deployment here at AU and in preparation are setting up our test hardware in order to gauge user impact. I'm finding the Cisco provided documentation vague at best however. <snip>
Vague is an understatement. A couple of caveats from one with many bleeding wounds in this battle.

1. Identify the management VLAN and set it on the protected side.
2. BELIEVE THEM when they say, do not connect up the untrusted interface until the managed subnets are set up.
3. Do not try this with a flat network if you don't have to; that is, have a layer three boundary between clients on the protected side and servers. There was a bug in the click router module that appears to have been fixed in the latest software release for the CAM and CAS. If your servers and clients are on the same LAN segment (ours are) then you need this release. Alternatively, you can have clients and the servers they access on different LANs if you don't already. This may cause issues with access to DHCP and remediation sources.
4. Do NOT BELIEVE the diagrams in the manual; they are SOOOO MISLEADING and conflict with each other.
5. Configure static routes to your authentication servers.
6. I use VLAN mapping, but have been told by Cisco support people that this feature "is of the devil". Proceed with caution, I guess.
7. Talk to your switch people. They will be giving you read/write SNMP access or this stuff won't work. On the plus side, v3 is supported, so if your switches have the chops, you can encrypt the SNMP traffic to keep it hidden from mischievous visitors.
8. If you can, get hold of the Cisco internal training documentation; it's not too bad.
9. You really do need to keep the CAS and CAM on separate VLANs, and you really do need the dead-end VLANs for native mode on CAS ports. You really will need to talk to your router and firewall people to facilitate all the different traffic.
10. And finally, if you figure out how to get a signing-off client to properly drop itself from the list of online users and certified devices ALL THE TIME, let me know.

Cheers,
Daniel Sichel, CCNP, MCSE, MCSA, MCTS (Windows 2008)
Network Engineer
Ponderosa Telephone
(559) 868-6367
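Point 7 above (read/write SNMP access for the CAM, with v3 so the traffic is encrypted) is the one item on this list that maps to a concrete switch-side configuration. What follows is an added example, not configuration from the post or from Cisco's documentation: a cleartext v2c read/write community, which is the weak setting the reply warns about, beside an SNMPv3 authPriv group restricted to the manager's address. The syntax is Cisco IOS; the group and user names, both passphrases, and the manager address 192.0.2.10 are placeholders I made up for illustration.

```cisco
! Constructed example (not from the post): SNMPv3 on a Cisco IOS access switch
! for the Clean Access Manager. Group/user names, passphrases and the
! 192.0.2.10 manager address are placeholders; adjust to your environment.
!
! Weak setting the reply warns about: a read/write community sent in cleartext
! with v2c. Anyone sniffing the management VLAN learns the string and can then
! rewrite the switch's configuration with it.
!   snmp-server community public RW
!
! Hardened equivalent: a v3 group requiring authentication and privacy
! (authPriv), one user for the CAM, and a standard ACL so only the CAM's
! address may speak SNMP to the switch at all.
ip access-list standard SNMP-MGMT
 permit host 192.0.2.10
 deny   any log
!
snmp-server view NAC-VIEW iso included
snmp-server group NAC-RW v3 priv read NAC-VIEW write NAC-VIEW access SNMP-MGMT
snmp-server user nacadmin NAC-RW v3 auth sha AUTH-PASSPHRASE-PLACEHOLDER priv aes 128 PRIV-PASSPHRASE-PLACEHOLDER
!
! Verification after applying:
!   show snmp group   -> NAC-RW should list security model v3 priv
!   show snmp user    -> nacadmin should show SHA auth and AES128 priv
```

The `deny any log` line at the end of the ACL is there so that SNMP attempts from anything other than the manager show up in the switch log; that is the check a network team can watch while the OOB rollout is in progress. If the CAM is ever re-addressed, the ACL has to follow it, or the "this stuff won't work" failure from point 7 reappears with no obvious cause.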
