08-29-2009 08:35 PM - edited 02-21-2020 03:39 AM
Hi Experts,
I want to configure NAC appliance in INBAND-CENTRAL DEPLOYMENT-REAL IP GATEWAY.
In this scenario, my clients are in different VLANs, say 2 & 3. For all my clients the default gateway should be the IP address of the NAC. Correct?
Where do I configure this IP address on the NAC box so that it will be the default gateway for my clients?
I know that the "managed subnet" option in the NAS is for ARP resolution only, and that this IP cannot be used as the default gateway for clients.
Do I have to create some virtual IP address on the NAC Ethernet card?
Please help me by sharing your thoughts.
Sairam
08-30-2009 08:29 PM
Hi Experts,
Please comment on this.
Thanks in advance
Sairam
08-30-2009 08:32 PM
Hi Sairam,
Your diagram should be: client (vlan 1, vlan 2, ...) --> core sw --> NAC server.
Now you can configure the default gw on core switch to forward traffic to the untrusted interface on NAC server.
Clients should set default gw to interface vlans on core sw.
Hope this helps!
NamNT
08-30-2009 11:37 PM
Hi Nam,
Thanks for your reply.
But my requirement is not in L3 mode. It is in Layer 2 in-band mode. If this is the case, I hope the default gateway of the clients will be the NAS only.
client (vlan 1, vlan 2, ...) --> NAC server--> core sw
Please comment
Thanks in advance
sairam
08-31-2009 12:42 AM
Hi Sairam,
I put some configuration samples about L2 IB for you:
!
interface GigabitEthernet1/33
 description To Trusted
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 31,40,110
 switchport mode trunk
!
interface GigabitEthernet1/34
 description To Untrusted
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 41,311,400
 switchport mode trunk
!
There are some notes you should know:
1) NAC server -> core sw: trunking (see details in the above configuration)
2) Authentication VLANs: 311, 400 (these should NOT have an SVI (Layer 3) interface anywhere on the network)
Access VLANs: 31, 40
You should map 311 -> 31, 400 -> 40 on the NAC server.
3) The CAS is going to be the default gateway for users
Hope this helps!
NamNT
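As an added consistency check, not part of this thread or of any poster's configuration: a script that parses the trunk configuration posted above and verifies the VLAN notes (authentication VLANs only on the untrusted trunk, access VLANs only on the trusted trunk, no VLAN on both trunks, no SVI for an authentication VLAN). The sample config, the VLAN_MAP dictionary and the function names are constructed for the example; a constructed SVI on VLAN 311 is included so the SVI check has something to report.

```python
import re
# Constructed sample: the two trunks from the thread plus a constructed SVI on
# VLAN 311, which note 2 says must not exist for an authentication VLAN.
SAMPLE_CONFIG = """
interface GigabitEthernet1/33
 switchport trunk allowed vlan 31,40,110
 switchport mode trunk
interface GigabitEthernet1/34
 switchport trunk allowed vlan 41,311,400
 switchport mode trunk
interface Vlan311
 ip address 192.0.2.1 255.255.255.0
"""
VLAN_MAP = {311: 31, 400: 40}  # authentication VLAN -> access VLAN, as mapped on the CAS


def parse_interfaces(text):
    """Return {interface name: [stripped config lines]} from IOS-style text."""
    ifaces, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            ifaces[current].append(line)
    return ifaces


def allowed_vlans(lines):
    """VLAN ids from 'switchport trunk allowed vlan 31,40-42'; empty set if absent."""
    vlans = set()
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line)
        if m:
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def check_l2_ib(text, vlan_map, trusted, untrusted):
    """Return findings; an empty list means trunks and mapping are consistent."""
    ifaces = parse_interfaces(text)
    t, u = allowed_vlans(ifaces.get(trusted, [])), allowed_vlans(ifaces.get(untrusted, []))
    findings = [f"VLAN {v} on both trunks would bypass the CAS" for v in sorted(t & u)]
    for auth, access in vlan_map.items():
        if auth not in u:
            findings.append(f"auth VLAN {auth} is not allowed on {untrusted}")
        if access not in t:
            findings.append(f"access VLAN {access} is not allowed on {trusted}")
        if f"Vlan{auth}" in ifaces:
            findings.append(f"auth VLAN {auth} has an SVI (interface Vlan{auth})")
    return findings
```

Run `check_l2_ib(SAMPLE_CONFIG, VLAN_MAP, "GigabitEthernet1/33", "GigabitEthernet1/34")` against a `show running-config` capture to get the list of findings; on the sample it reports only the constructed SVI on VLAN 311.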
09-02-2009 03:45 PM
Hi NamNT
Forgive me if I'm wrong, but isn't that config for L2 VG?
I.e. the VLANs you are mapping to will be SVIs on the core switches.
I believe that Managed Subnets are the key here.
When the CAS is set to VG mode, the managed subnet IP is used for ARP requests.
However, when the CAS is set to Real IP, this address is used to provide your different subnets with default gateways.
Then your trusted interface needs to have a default gateway of the next hop into the trusted network.
09-02-2009 05:46 PM
Hi mattwilsonuk,
You're right! This configuration is for L2 VG.