NAC design question

New NAC design. The call center is currently using VMPS for dynamic VLAN assignment (a 6509 running hybrid CatOS and IOS, YUK!!!). The requirement is that PCs (aka users) are assigned to specific VLANs that limit what resources they have access to. Unregistered MAC addresses go into a "penalty box" Visitor VLAN with internet access only. The LAN currently spans three levels in a building with core 6509s. Core, distribution and access are all Layer 2, with the 6509s centrally routing everything (I will be updating this for them later). The NAC must not be a bottleneck for users that are authenticated or trusted.

At first I'm thinking Layer 2 OOB. They want a NAC Guest Server to control access to the Visitor VLAN and possibly use it with the WLC for visitor access as well. Based on this information, I would think that I would want to use Layer 3 OOB with a Real-IP Gateway, create a new authentication VLAN for the untrusted side of the NAC server, and assign the trusted VLAN based on the roles (MAC addresses) defined in the NAC Manager to replace the VMPS functionality. They also use non-Cisco VoIP. I'm guessing I can address that simply by putting the MAC addresses of all the IP phones on the ignore list in the NAC Manager.

Any suggestions or pointers? They do not want to address the core, distribution and access architecture at this time.