NAC L3 OOB VGW possible?

Unanswered Question
Nov 28th, 2008

Is it possible to do L3 NAC OOB with VGW?

The documentation does not say that it is not possible, but I see some technical difficulties.

In a VGW deployment, the Auth IP = Access IP and only the VLAN ID changes. But on the other end of an L3 link I cannot see VLAN IDs and therefore cannot distinguish between Auth and Access.

So is it correct that OOB L3 VGW is not possible?

grant.maynard Mon, 12/01/2008 - 16:16

It is my understanding that the IP address of the client must change when it moves from auth to access.

It is still OOB because traffic only goes through the CAS during authentication/remediation. Because there are no VLAN mappings it is not VGW.

Typically the CAS is at a core location, and you use policy routing or ACLs to separate auth traffic from access (though I prefer VRF) to "pipe" auth traffic back to the CAS.

Once auth is successful, the CAM switches the port to the access vlan.
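As an added illustration of the "pipe auth traffic back to the CAS" step grant.maynard describes (this is not from the original post and not a Cisco reference configuration), here is the policy-based-routing variant on an IOS L3 switch: the SVI for the pre-auth VLAN policy-routes everything sourced from the auth subnet to the CAS untrusted interface, while the post-auth access VLAN routes normally. The VLAN numbers, subnets, interface names and the CAS address are placeholders chosen for the example.

```cisco
! Added example, not the poster's configuration. All addresses and VLAN IDs are assumed.
!
! Match anything sourced from the pre-auth (auth VLAN) subnet.
ip access-list extended NAC-AUTH-SUBNET
 permit ip 10.10.110.0 0.0.0.255 any
!
! Policy-route matched traffic to the CAS untrusted interface (assumed 10.10.100.2)
! instead of following the normal routing table. Unmatched traffic is routed normally.
route-map NAC-AUTH-TO-CAS permit 10
 match ip address NAC-AUTH-SUBNET
 set ip next-hop 10.10.100.2
!
! Auth VLAN: clients land here before authentication/remediation.
! The auth subnet (10.10.110.0/24) is different from the access subnet, so the
! client IP changes when the CAM moves the port, which is why this is not VGW.
interface Vlan110
 description NAC L3 OOB auth VLAN (pre-auth clients)
 ip address 10.10.110.1 255.255.255.0
 ip policy route-map NAC-AUTH-TO-CAS
!
! Access VLAN: the CAM moves the port here after successful auth; no policy
! routing, so the CAS is no longer in the data path (hence out-of-band).
interface Vlan120
 description NAC L3 OOB access VLAN (post-auth clients)
 ip address 10.10.120.1 255.255.255.0
```

Two things to verify on the switch before relying on this: `show route-map NAC-AUTH-TO-CAS` should show the policy-routed packet count climbing while a client sits in VLAN 110, and the return path from the CAS trusted side back to 10.10.110.0/24 must exist in the routing table, or replies to pre-auth clients will never arrive. The VRF approach the reply prefers replaces the route-map with a separate routing instance for the auth VLAN whose only exit is the CAS untrusted interface, which avoids per-packet PBR on the SVI.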

