
NAC Inband RealIP-Gateway address

snarayanaraju
Level 4

Hi Experts,

I want to configure NAC appliance in INBAND-CENTRAL DEPLOYMENT-REAL IP GATEWAY.

In this scenario, my clients are in different VLANs say 2 & 3. To all my clients the default gateway should be the IP Address of NAC. Correct?

Where will I configure this IP address in the NAC box so that it will be the default gateway for my clients?

I know that the "managed subnet" option in the NAS is for ARP resolution only and that this IP cannot be used as the default gateway for clients.

Do I have to create some virtual IP address on the NAC Ethernet card?

Please help me by sharing your thoughts.

Sairam


snarayanaraju
Level 4

Hi Experts,

Please comment on this.

Thanks in advance

Sairam

namnt2604
Level 1

Hi Sairam,

Your diagram should be: client (vlan 1, vlan 2, ...) --> core sw --> NAC server.

Now you can configure the default gateway on the core switch to forward traffic to the untrusted interface on the NAC server.

Clients should set their default gateway to the VLAN interfaces on the core switch.

Hope this helps!

NamNT

Hi Nam,

Thanks for your reply.

But my requirement is not L3 mode. It is Layer 2 In-band mode. If this is the case, I hope the default gateway of the clients will be the NAS only.

client (vlan 1, vlan 2, ...) --> NAC server--> core sw

Please comment

Thanks in advance

sairam

Hi Sairam,

Here are some configuration samples for L2 IB:

!
interface GigabitEthernet1/33
 description To Trusted
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 31,40,110
 switchport mode trunk
!
interface GigabitEthernet1/34
 description To Untrusted
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 41,311,400
 switchport mode trunk
!

There are some notes you should know:

1) NAC server -> core sw: trunking (see details in the above configuration)

2) Authentication VLANs: 311, 400 (these should NOT have an SVI (Layer 3) interface anywhere on the network)

   Access VLANs: 31, 40

   You should map 311 -> 31, 400 -> 40 on the NAC server.

3) CAS is going to be the default gateway for users

Hope this helps!

NamNT
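
A consistency check for the trunk configuration and VLAN mapping in the post above, as an added example that is not part of the original post. The configuration is trimmed to the trunk lines the check reads, the VLAN numbers and interface names are the ones posted, and the function names `parse_trunks` and `check` are hypothetical.

```python
import re

# Trunk lines and VLAN mapping copied from the post above.
CONFIG = """\
interface GigabitEthernet1/33
 switchport trunk native vlan 998
 switchport trunk allowed vlan 31,40,110
interface GigabitEthernet1/34
 switchport trunk native vlan 999
 switchport trunk allowed vlan 41,311,400
"""
VLAN_MAP = {311: 31, 400: 40}  # authentication VLAN -> access VLAN


def parse_trunks(text):
    """Return {interface: {"native": int, "allowed": set}}.
    Native VLAN defaults to 1; only explicit allowed lists are parsed."""
    trunks, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = trunks.setdefault(m.group(1), {"native": 1, "allowed": set()})
        elif cur and (m := re.fullmatch(r"switchport trunk native vlan (\d+)", line)):
            cur["native"] = int(m.group(1))
        elif cur and (m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", line)):
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")  # handles ranges such as 10-12
                cur["allowed"].update(range(int(lo), int(hi or lo) + 1))
    return trunks


def check(trunks, trusted, untrusted, vlan_map):
    """List inconsistencies between the two trunks and the VLAN mapping."""
    t, u = trunks[trusted], trunks[untrusted]
    issues = [f"VLAN {v} is allowed on both trunks" for v in sorted(t["allowed"] & u["allowed"])]
    if t["native"] == u["native"]:
        issues.append(f"both trunks use native VLAN {t['native']}")
    for auth, access in vlan_map.items():
        if auth not in u["allowed"]:
            issues.append(f"authentication VLAN {auth} missing on untrusted trunk")
        if access not in t["allowed"]:
            issues.append(f"access VLAN {access} missing on trusted trunk")
    mapped = set(vlan_map) | set(vlan_map.values())
    for v in sorted((t["allowed"] | u["allowed"]) - mapped):
        issues.append(f"VLAN {v} is trunked but has no mapping")
    return issues


if __name__ == "__main__":
    print(check(parse_trunks(CONFIG), "GigabitEthernet1/33", "GigabitEthernet1/34", VLAN_MAP))
```

Run against the posted values, it reports VLANs 41 and 110 as trunked without an entry in the 311 -> 31, 400 -> 40 mapping; whether they are intentional (for example a management VLAN) is not stated in the thread.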

Hi NamNT

Forgive me if I'm wrong, but isn't that config for L2 VG?

I.e. the VLANs you are mapping to will be SVIs on the core switches.

I believe that Managed Subnets are the key here.

When the CAS is set to VG mode, the managed subnet IP is used for ARP requests.

However, when the CAS is set to Real IP, this address is used to provide your different subnets with default gateways.

Then your trusted interface needs to have a default gateway of the next hop into the trusted network.

Hi mattwilsonuk,

You're right! This configuration is for L2 VG.
