NAC Inband RealIP-Gateway address

Unanswered Question
Aug 29th, 2009

Hi Experts,

I want to configure NAC appliance in INBAND-CENTRAL DEPLOYMENT-REAL IP GATEWAY.

In this scenario, my clients are in different VLANs say 2 & 3. To all my clients the default gateway should be the IP Address of NAC. Correct?

Where will I configure this IP address on the NAC box so that it will be the default gateway for my clients?

I know that the "managed subnet" option in the NAS is for ARP resolution only, and that this IP cannot be used as the default gateway for clients.

Do I have to create some virtual IP address on the NAC Ethernet card?

Please help me by sharing your thoughts.

Sairam

namnt2604 Sun, 08/30/2009 - 20:32

Hi Sairam,

Your diagram should be: client (vlan 1, vlan 2, ...) --> core sw --> NAC server.

Now you can configure the default gw on core switch to forward traffic to the untrusted interface on NAC server.

Clients should set default gw to interface vlans on core sw.

Hope this helps!

NamNT

snarayanaraju Sun, 08/30/2009 - 23:37

Hi Nam,

Thanks for your reply.

But my requirement is not in L3 mode. It is in Layer 2 in-band mode. If this is the case, I hope the default gateway of the clients will be the NAS only.

client (vlan 1, vlan 2, ...) --> NAC server--> core sw

Please comment

Thanks in advance

sairam

namnt2604 Mon, 08/31/2009 - 00:42

Hi Sairam,

I put some configuration samples about L2 IB for you:

!
interface GigabitEthernet1/33
 description To Trusted
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 31,40,110
 switchport mode trunk
!
interface GigabitEthernet1/34
 description To Untrusted
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 41,311,400
 switchport mode trunk
!

There are some notes you should know:

1) NAC server -> core sw: trunking (see details on the above configuration)

2) Authentication VLANs: 311, 400 (these should NOT have an SVI (Layer 3 interface) anywhere on the network)

Access VLANs: 31, 40

You should map 311 -> 31 and 400 -> 40 on the NAC server.

3) The CAS is going to be the default gateway for users.

Hope this helps!

NamNT
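As an added example (not from the thread or from Cisco), here is a small Python check that applies the rules in the post above to a core-switch running-config: no SVI may exist for an authentication VLAN, each authentication VLAN must be allowed on the untrusted trunk, and its mapped access VLAN must be allowed on the trusted trunk. The config text, interface names and VLAN mapping are constructed from the numbers in the post; the sample deliberately contains one violation.

```python
import re
# Constructed sample IOS config (not from the thread); VLANs follow NamNT's
# post. It deliberately breaks one rule: an SVI exists on auth VLAN 311.
SAMPLE_CONFIG = """\
interface Vlan311
 ip address 10.31.1.1 255.255.255.0
!
interface GigabitEthernet1/33
 switchport trunk allowed vlan 31,40,110
!
interface GigabitEthernet1/34
 switchport trunk allowed vlan 41,311,400
!
"""
VLAN_MAP = {311: 31, 400: 40}  # auth VLAN -> access VLAN, as mapped on the CAS

def parse_interfaces(config):  # returns {interface name: [indented lines]}
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            sections[current] = []
        elif current and line.startswith(" "):
            sections[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return sections

def allowed_vlans(lines):  # expands 'allowed vlan 1,5-7' into a set of ints
    vlans = set()
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan (?:add )?([\d,-]+)$", line)
        if m:
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check_l2_inband(config, vlan_map, trusted, untrusted):
    """Return findings; an empty list means the config passes every check."""
    ifaces = parse_interfaces(config)
    findings = []
    for auth, access in vlan_map.items():
        if f"Vlan{auth}" in ifaces:  # auth VLANs must stay Layer 2 only
            findings.append(f"SVI found for authentication VLAN {auth}")
        if auth not in allowed_vlans(ifaces.get(untrusted, [])):
            findings.append(f"VLAN {auth} not allowed on untrusted trunk {untrusted}")
        if access not in allowed_vlans(ifaces.get(trusted, [])):
            findings.append(f"VLAN {access} not allowed on trusted trunk {trusted}")
    return findings
```

Run `check_l2_inband(SAMPLE_CONFIG, VLAN_MAP, "GigabitEthernet1/33", "GigabitEthernet1/34")` against a real `show running-config` export to see which of the three rules a switch breaks.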

mattwilsonuk Wed, 09/02/2009 - 15:45

Hi NamNT

Forgive me if I'm wrong, but isn't that config for L2 VG?

I.e. the VLANs you are mapping to will be SVIs on the core switches.

I believe that Managed Subnets are the key here.

When the CAS is set to VG mode, the managed subnet IP is used for ARP requests.

However, when the CAS is set to Real IP, this address is used to provide your different subnets with default gateways.

Then your trusted interface needs to have a default gateway of the next hop into the trusted network.

namnt2604 Wed, 09/02/2009 - 17:46

Hi mattwilsonuk,

You're right! This configuration is for L2 VG.
