NAC Inband RealIP-Gateway address

Unanswered Question
Aug 29th, 2009

Hi Experts,


In this scenario, my clients are in different VLANs, say 2 & 3. For all my clients, the default gateway should be the IP address of the NAC. Correct?

Where will I configure this IP address in the NAC box so that it will be the default gateway for my clients?

I know that the "managed subnet" option in the NAS is for ARP resolution only and this IP cannot be used as the default gateway for clients.

Do I have to create some virtual IP address on the NAC Ethernet card?

Please help me by sharing your thoughts.


Overall Rating: 4 (1 ratings)
namnt2604 Sun, 08/30/2009 - 20:32

Hi Sairam,

Your diagram should be: client (vlan 1, vlan 2, ...) --> core sw --> NAC server.

Now you can configure the default gw on the core switch to forward traffic to the untrusted interface on the NAC server.

Clients should set their default gw to the VLAN interfaces on the core sw.

Hope this helps!


snarayanaraju Sun, 08/30/2009 - 23:37

Hi Nam,

Thanks for your reply.

But my requirement is not in L3 mode. It is in Layer 2 Inband mode. If this is the case, I hope the default gateway of clients will be the NAS only.

client (vlan 1, vlan 2, ...) --> NAC server--> core sw

Please comment

Thanks in advance


namnt2604 Mon, 08/31/2009 - 00:42

Hi Sairam,

I put some configuration samples for L2 IB for you:


interface GigabitEthernet1/33
 description To Trusted
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 31,40,110
 switchport mode trunk

interface GigabitEthernet1/34
 description To Untrusted
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 41,311,400
 switchport mode trunk


There are some notes you should know:

1) NAC server -> core sw: trunking (see details on the above configuration)

2) Authentication VLAN: 311, 400 (these should NOT have an SVI (Layer 3) interface anywhere on the network)

Access VLAN: 31, 40

You should map 311 -> 31, 400 -> 40 on the NAC server.

3) CAS is going to be the default gateway for users

Hope this helps!


mattwilsonuk Wed, 09/02/2009 - 15:45

Hi NamNT

Forgive me if I'm wrong, but isn't that config for L2 VG?

I.e., the VLANs you are mapping to will be SVIs on the core switches.

I believe that Managed Subnets are the key here.

When the CAS is set to VG mode, the managed subnet IP is used for ARP requests.

However, when the CAS is set to Real IP, this address is used to provide your different subnets with default gateways.

Then your trusted interface needs to have a default gateway of the next hop into the trusted network.

namnt2604 Wed, 09/02/2009 - 17:46

Hi mattwilsonuk,

You're right! This configuration is for L2 VG.
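
An added example, not part of any post in this thread: a check over a switch configuration for the L2 VG sample above, reporting any SVI on an authentication VLAN (note 2) and any VLAN allowed on both CAS trunks, which this example treats as a misconfiguration. The sample config is constructed (the posted trunks, trimmed, plus a deliberately wrong `interface Vlan400` with a documentation-range address), and the function names are hypothetical.

```python
import re

# Constructed sample: the two trunks from the post (trimmed), plus an SVI
# on authentication VLAN 400 added on purpose so the check reports something.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/33
 description To Trusted
 switchport trunk allowed vlan 31,40,110
 switchport mode trunk
interface GigabitEthernet1/34
 description To Untrusted
 switchport trunk allowed vlan 41,311,400
 switchport mode trunk
interface Vlan400
 ip address 192.0.2.1 255.255.255.0
"""

def expand_vlans(spec):
    """Turn an IOS VLAN list such as '31,40,100-102' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):
    """Map each interface name to the set of VLANs allowed on its trunk."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), set())
            continue
        m = re.match(r"\s+switchport trunk allowed vlan (?:add )?([\d,\-]+)\s*$", line)
        if m and current is not None:
            current.update(expand_vlans(m.group(1)))
    return interfaces

def audit(config, trusted, untrusted, auth_vlans):
    """Return findings: SVIs on auth VLANs, then VLANs present on both trunks."""
    ifs = parse_interfaces(config)
    names = {n.lower() for n in ifs}
    findings = [f"SVI on authentication VLAN {v}"
                for v in sorted(auth_vlans) if f"vlan{v}" in names]
    for v in sorted(ifs[trusted] & ifs[untrusted]):
        findings.append(f"VLAN {v} allowed on both trunks")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "GigabitEthernet1/33",
                         "GigabitEthernet1/34", {311, 400}):
        print(finding)
```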

