topic Problem with NAC real IP/ layer 3/ in-band in Network Security

Problem with NAC real IP/ layer 3/ in-band

namnt2604 — Fri, 21 Feb 2020 11:12:16 GMT

Hi,

I'm deploying a NAC realIP/in-band/layer3, users cannot ping untrusted interface e1 of NAC server, user has to pass core sw 6500 and FW before hitting e1 of NAC server. I have tried to set the gateway of this intterface e1 to itself (as Cisco document) and FW module, but in both cases, user still cannot ping e1.

Anyone can help me? Much appreciate your replying!

User -- Core sw 6500 -- FW module (on core sw) -- NAC server -- NAC manager

Re: Problem with NAC real IP/ layer 3/ in-band

namnt2604 — Sat, 10 Jan 2009 17:59:17 GMT

I have pinged e1 (untrusted) of NAC server already. I have set both managed subnet and static route, something different with Cisco document (Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(3)), this document recommends to configure static route for layer 3 deployment, not managed subnet!

Anyone has documents to deploy this scenario, pls share it to me! Thanks!

Re: Problem with NAC real IP/ layer 3/ in-band

Daniel Laden — Sun, 01 Feb 2009 20:35:17 GMT

Managed subnets are for L2 deployments and Static routes are for L3 deployment. Both can exist on a CAS but for a individual subnet, ti will be one or the other.

If the client and CAS can see each others broadcast, its a L2. If not, its a L3.