NAC access list question

Unanswered Question
Jul 6th, 2009
So we have a NAC in our lab, set up as L3 OOB. We have a VLAN set up for internet-only access. A route map is configured on the CORE to send the internet-only traffic back to the NAC for restrictions (to mimic the in-band solution). In our unauthenticated role policy, we set up the access list on a VLAN to only access the internet and block internal addresses. The weird thing is, the access list on the NAC works on any internal addresses, but when the PC pings/telnets the CORE itself (and any management IP addresses) it works? Anybody know the reason? Sure, a workaround is to put an ACL on the CORE itself to block that.

Hope my drawing is enough to assist.

CORE--------l3 switch--------pc

pcomeaux (Cisco Employee) Thu, 07/16/2009 - 11:37

That's a great idea - the ACL on the management interfaces of the devices.

Is the ACL for the unauthenticated role on the L3 switch or the Core?

I would guess it is on the L3 switch, since it is likely the default gateway for that unauth vlan.

szajihsaniatan Fri, 07/17/2009 - 04:31

On the L3 switch. Yeah, it is the default GW for the unauth VLAN.

But do you know why the policy manager on the CAM doesn't enforce when the client reaches any IP addresses on the core or L3 switch?
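As an added illustration of the workaround mentioned in this thread (not configuration from the original posters or from Cisco NAC itself), here is a constructed Cisco IOS fragment. Packets addressed to the gateway switch's own SVI are delivered locally and never forwarded toward the core's route map, so the NAC ACL cannot see them; an inbound ACL on the unauth VLAN SVI plus an access-class on the VTY lines closes that gap on the devices themselves. All VLAN numbers, interface names and addresses below are placeholders.

```cisco
! Constructed example (placeholders): unauth VLAN 100 = 10.100.0.0/24,
! L3 switch SVI = 10.100.0.1, infrastructure/management range = 10.0.0.0/24.
!
! --- On the L3 switch (default gateway of the unauth VLAN) ---
ip access-list extended UNAUTH-PROTECT-INFRA
 remark Traffic to the gateway SVI itself is consumed by this switch and
 remark never reaches the core route map or the NAC ACL; block it here.
 deny   ip 10.100.0.0 0.0.0.255 host 10.100.0.1
 remark Also deny the management range directly, independent of the NAC policy.
 deny   ip 10.100.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 remark Everything else still follows the route map to the NAC for enforcement.
 permit ip any any
!
interface Vlan100
 description Unauthenticated (internet-only) VLAN
 ip address 10.100.0.1 255.255.255.0
 ip access-group UNAUTH-PROTECT-INFRA in
!
! --- On the CORE and the L3 switch: restrict management-plane sessions ---
ip access-list standard MGMT-ONLY
 remark Only the management network may open sessions to the VTY lines
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
```

Verify with `show ip access-lists UNAUTH-PROTECT-INFRA` after a test ping from the unauth VLAN: the deny counters should increment while pings to internet destinations still pass through to the NAC.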