I am trying to authenticate/posture VPN users through a NAC module connected to the same 2800. The issue I'm facing is the segregation of VPN traffic from normal traffic, and the traffic flow. I don't want normal Internet/email traffic to have to go through the NAC. Currently, the 2800 is connected to a core switch by a routed link. If I were to turn that link into a trunk, is there a way to designate VPN traffic on one VLAN and other traffic on another VLAN? I could then switch the non-routed VPN VLAN to the core switch, continue it on the non-routed VLAN to the untrusted port of the NAC module. It could then be validated and then routed across the normal VLAN from the 2800 to the core switch.
If that's not possible, I could do policy routing on the core switch and just specify traffic to be policy routed with a source of the VPN traffic. This traffic would then be routed to the NAC server. The problem with this is that once it's validated and has gone through the NAC, it will go through the router, then go across the link to the core switch again. The switch would then policy route it again, causing a loop.