Feb 21st, 2010

I am deploying a NAC 4.7.2 in-house to stage for a customer deployment. The deployment method I used is L2 OOB VG. I configured the switch, managed subnets, and VLAN mapping. However, two problems arose:

1. ARP replies from the trusted to the untrusted are not being bridged between the access VLAN and authentication VLAN.

2. DNS replies are also not being forwarded from the trusted (access VLAN) to the untrusted (authentication VLAN).

What's strange is that DHCP is working fine.

I have tried to add an ARP entry for the default gateway (the client gets the MAC address of the untrusted interface as the default gateway), which NAC redirects and provides the login process and remaps my port to the access VLAN, but then I have to manually remove the ARP entry for the switch to discover the real MAC address of the default gateway once the client is in the access VLAN.

Is there anything else besides managed subnets and VLAN mapping for L2 OOB VG to work? From my understanding, DHCP, DNS, and ARP should be bridged normally between the trusted <--> untrusted interfaces with no additional configurations.

Faisal Sehbai Sun, 02/21/2010 - 09:17


Did you reboot your CAS after setting up the managed subnets and mappings?


HannyKhasawneh Sun, 02/21/2010 - 22:56

Hello Faisal,

Thanks a lot for your prompt response. I did restart NAS/NAM once, twice and even thrice to no avail. Can you just confirm my understanding that DHCP, ARP, DNS are allowed by default without any extra traffic policies set?

In other words, by connecting the CAS to CAM, and adding the managed subnets, VLAN mapping and login page, L2 OOB VG should start working.

Best Regards,

Faisal Sehbai Sun, 02/21/2010 - 22:59


I wouldn't say it should start working, but if those are set right and CAS rebooted at least once after setting those, you should see traffic traversing across the CAS and ending up on the trusted side. This of course assumes that the trunks (if you're using those) are set right on the switch ports, that you're using the correct code on the switch if you're doing Central Deployment (95% of all deployments are central deployments), etc.

So in short, yes it should work, but there are still other factors in the mix that might hamper.

Do you have a network diagram that you can share with us detailing VLANs, IPs, physical and logical depiction?



HannyKhasawneh Tue, 02/23/2010 - 01:36

Hi Faisal,

OK, so in other words, there is no need for an ARP entry of the subnet's gateway in NAS. Anyhow, I have attached a topology describing the setup done. I thank you for your time for assisting me in this matter.

Faisal Sehbai Tue, 02/23/2010 - 07:25


No, you shouldn't have to set any sort of ARP entries on the NAS. One thing I spotted wrong in your PDF was that you had VLANs allowed on the trusted side, but your port isn't marked as a trunk. You need to add a switchport mode trunk statement on your trusted side.

Also, what sort of switch are the CAM/CAS connecting to? What IOS is it running?


HannyKhasawneh Wed, 02/24/2010 - 00:12

Dear Faisal,

Sorry for that mistake. Yes, the ports are set to trunks; it was just a typo. As for the IOS and make of the switch, please find it below:

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 26    WS-C3560-24PS      12.2(52)SE            C3560-IPSERVICESK9-M

So, if my setup is correct, then why do you suppose I'm facing this problem? I have tested it using L3 OOB RG and it works. Am I missing something?

Faisal Sehbai Thu, 02/25/2010 - 09:33


Can you verify what the setting is for the "Enable Subnet-based VLAN retag" checkbox on your CAS?


HannyKhasawneh Thu, 02/25/2010 - 14:28

Dear Faisal,

If you are asking about enable VLAN re-tagging in the managed subnet form, then it is unchecked, and as per the documentation of NAS, this is a recommended setting when wireless AP roaming is used. Correct me if I'm wrong, but for wired deployments, this shouldn't affect my setup. And aside from that, DHCP packets are being processed in both interfaces and the correct VLAN.

Faisal Sehbai Thu, 02/25/2010 - 19:30


Sorry I couldn't look at your diagram in detail before. So there's something wrong here.

You claim in the PDF that VLAN 5 and 6 are untrusted, mapping to 15 and 16, for which you have the SVIs defined.

You also claim that FA0/17 is the untrusted interface and FA0/13 is the trusted interface, yet your interface definitions are the inverse of your network diagram. Is it just as simple as you plugging in the interfaces wrong? Or the error is in the diagram? Or the interface definitions in the PDF?

Please clarify. If you can, please also post the Network tab from your CAS, the Advanced tab from your CAS showing the managed subnets, and the VLAN Mapping tab from your CAS. Also, please post your sanitized show running-config from your switch and verify where each of the interfaces is plugged in.



