NAC version 4.5 L3OOB Virtual Gateway

Jun 2nd, 2009

hi all,

We are planning to implement NAC Server version 4.5 in L3 OOB Virtual Gateway mode (central deployment), but we got stuck in the middle of the design.

The problems we are facing are these:

1. We have a VPN Concentrator 3005 at the head office for remote-access VPN. My question is whether we can integrate the VPN Concentrator with NAC in L3 OOB VGW for authentication, posture assessment, etc.

2. We are also planning to do site-to-site VPN with an ASA. Does this deployment support that?

3. If this is not possible, please suggest a better solution.



trevora Tue, 06/09/2009 - 09:56

As far as I know, NAC for VPN is not supported in OOB deployments, as there is no way to switch the traffic to an access VLAN. You have to use IB, which usually means a second NAC Server on the campus.

pranavam_dileep Sat, 06/13/2009 - 05:36

Dear trevora & halim,

Thanks for your valuable replies.

I have another doubt regarding deploying the NAC Server centrally.

We have a core switch (3560G) configured for the VTP domain and having 10 VLANs. We configured SVIs and IP routing, and the remaining switches are in VTP client mode.

My question is: as there are different VLANs, how should I place the NAC Server (client adjacency), L2 or L3?

I think that, as there are different VLANs, client adjacency to the NAC Server should be L3. Am I right?

Another question: as we have configured a VTP domain, what are the things we have to take into consideration while configuring L2/L3 OOB Virtual Gateway?

Expecting your Valuable replies.



halim.abouzeid Sat, 06/13/2009 - 07:11

If between your core switch and access switches you have Layer 2 links, then you can go for either Layer 2 or Layer 3. If between your access switches and core you have Layer 3 links, then you HAVE to go for L3.

As you're using VTP, I assume you have Layer 2 links. If you want to go for L2, you can put the NAC Server on the core and both its interfaces will be trunks. The trusted trunk will contain all your current user VLANs. The untrusted trunk will only contain the untrusted VLAN(s). The untrusted VLAN(s) MUST NOT have an SVI configured.

As the untrusted VLANs do not have an SVI configured for them, all the traffic coming from these VLANs will be forced to go through the NAC Server's untrusted interface.

For trusted VLANs, traffic will be routed normally without going through the NAC Server, as the SVI is configured.

Basically, just to answer your question, having multiple VLANs with SVIs on the core still makes it possible to use L2.

pranavam_dileep Sun, 06/14/2009 - 07:58

hi halim,

We have in VLAN 10 the application server, database, Exchange, etc.

The users are in VLANs 2, 3, 4, 5, etc.

Currently we have configured SVIs for all the VLANs, and configured trunk ports on the core switch for connecting the access switches (L2). The core switch is acting as the VTP domain and the remaining access switches are in VTP client mode.

This is our existing network setup without NAC.

My question is how I can configure the NAC Server to put all the user VLANs on the untrusted side and the servers (VLAN 10) on the trusted side. The NAC Server should be L2/L3 OOB VGW.



halim.abouzeid Sun, 06/14/2009 - 09:09

Let's consider that you go for Layer 2:

- You will create an untrusted VLAN for each user VLAN. Your user VLANs are 2, 3, 4, 5, so let's say you create 102, 103, 104 and 105. 102 is the untrusted VLAN for 2, 103 is the untrusted VLAN for 3, ... These new VLANs MUST NOT have an SVI configured.

- On the core, you configure the port to which the untrusted interface of the CAS is connected as a trunk, and you ONLY allow the untrusted VLANs (102,103,104,105), nothing else.

- On the core, you configure the port to which the trusted interface of the CAS is connected as a trunk, and you only allow the user VLANs (2,3,4,5). No need to add the server VLAN, as I assume that servers won't go through NAC authentication.

- Then on the NAC you have to do the configuration for L2: VLAN mapping, managed subnets, ...

When a user first connects to the network, he will be assigned to an untrusted VLAN (102,103,104,105) and his traffic will be forced to reach the untrusted interface of the NAC Server (as there is no SVI for the traffic to be routed). Once the user becomes trusted, his VLAN will be changed to a user VLAN (2,3,4,5) and his traffic will be routed normally without going through NAC, as these VLANs have an SVI configured.

Check this link if you want a step-by-step description of how to configure NAC in Layer 2 out-of-band mode:

For other modes (L2 in-band, L3 IB, L3 OOB, ...) check this page:

I hope this helps you.
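The two replies above describe the same L2 OOB Virtual Gateway design: a per-user-VLAN untrusted VLAN with no SVI on the core, a CAS untrusted trunk carrying only those untrusted VLANs, and a CAS trusted trunk carrying only the user VLANs. The script below is an added example (not from this thread, and not Cisco's tooling) that encodes those rules as a check over a core-switch running-config. The config it parses is constructed for illustration: the port names (GigabitEthernet0/1 and 0/2), the VLAN numbers, the addresses and the 102-to-2 / 103-to-3 mapping are all assumptions. It only covers the L2 OOB case discussed here; with L3 links to the access layer the design is different, as halim notes.

```python
# Constructed sample IOS-style config for the 3560 core (assumed port names,
# VLAN numbers and addresses). Untrusted VLANs 102/103 deliberately have no SVI.
CORE_CONFIG = """\
vlan 2
vlan 3
vlan 102
 name USERS-A-UNTRUSTED
vlan 103
 name USERS-B-UNTRUSTED
!
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan3
 ip address 10.0.3.1 255.255.255.0
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/1
 description CAS untrusted interface (eth1)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 102,103
!
interface GigabitEthernet0/2
 description CAS trusted interface (eth0)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,3
!
"""

# CAS "VLAN mapping" as assumed for this example: untrusted VLAN -> user VLAN.
VLAN_MAP = {102: 2, 103: 3}
UNTRUSTED_PORT = "GigabitEthernet0/1"
TRUSTED_PORT = "GigabitEthernet0/2"


def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented body lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a non-interface stanza ends the body
    return interfaces


def expand_vlan_list(spec):
    """Expand an IOS allowed-vlan list such as '2,3,100-105' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def check_trunk(body, expected, label, port):
    """Violations for one CAS trunk: it must be a trunk carrying exactly `expected`."""
    if "switchport mode trunk" not in body:
        return [f"{label} CAS port {port} is not configured as a trunk"]
    specs = [l.split("allowed vlan", 1)[1].strip() for l in body
             if l.startswith("switchport trunk allowed vlan")]
    if not specs or specs[-1].split()[0] in ("add", "remove", "except", "none", "all"):
        return [f"{label} CAS port {port}: needs an explicit 'allowed vlan' list of {sorted(expected)}"]
    actual = expand_vlan_list(specs[-1])
    problems = []
    if actual - expected:
        problems.append(f"{label} CAS port {port} carries unexpected VLAN(s) {sorted(actual - expected)}")
    if expected - actual:
        problems.append(f"{label} CAS port {port} is missing VLAN(s) {sorted(expected - actual)}")
    return problems


def check_oob_vgw(config, vlan_map, untrusted_port, trusted_port):
    """Return violations of the L2 OOB VGW rules from the thread; empty means OK."""
    ifaces = parse_interfaces(config)
    untrusted, trusted = set(vlan_map), set(vlan_map.values())
    problems = []
    # Rule 1: an untrusted VLAN must have no SVI, otherwise the core routes it and
    # the unauthenticated client's traffic never reaches the CAS untrusted side.
    for u in sorted(untrusted):
        if f"Vlan{u}" in ifaces:
            problems.append(f"untrusted VLAN {u} has an SVI (interface Vlan{u}); remove it")
    # Rule 2: each user VLAN keeps its SVI so certified clients are routed normally.
    for t in sorted(trusted):
        if f"Vlan{t}" not in ifaces:
            problems.append(f"trusted VLAN {t} has no SVI; certified clients would not be routed")
    # Rules 3 and 4: the CAS trunks carry exactly the untrusted / user VLANs.
    for port, expected, label in ((untrusted_port, untrusted, "untrusted"),
                                  (trusted_port, trusted, "trusted")):
        if port not in ifaces:
            problems.append(f"{label} CAS port {port} not found in config")
        else:
            problems.extend(check_trunk(ifaces[port], expected, label, port))
    return problems


if __name__ == "__main__":
    for p in check_oob_vgw(CORE_CONFIG, VLAN_MAP, UNTRUSTED_PORT, TRUSTED_PORT) or ["config OK"]:
        print(p)
```

Run it against a `show running-config` capture from the core instead of the embedded text to catch the two mistakes that break this design silently: someone later adding an SVI to an untrusted VLAN (traffic is then routed around the CAS), or the server VLAN creeping onto the CAS trusted trunk. The checker only understands an explicit `switchport trunk allowed vlan` list; the `add`/`remove` forms are reported rather than evaluated.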

