NAC is not ready for L3 OOB

Unanswered Question
Jul 10th, 2010

This is what I think after spending a few weeks trying to load balance the traffic using 3 CAS servers for L3 OOB mode.


I understand the need of PBR or ACL to force the traffic from auth VLAN to the untrusted side of the CAS.


Once the CAS is selected, the CAS server should be bale to perform NAT (or PAT) to change the source address to the trusted side address so that the return traffic will come back to the right CAS and there is no need to do PBR for the return traffic from DNS or to apply class maps to the ACE etc.


Why can't Cisco make it easier by doing NAT on the trusted side and all we have to do is take care of the load balancing on the untrusted side?


Unless Cisco does this, I do not think the L3 OOB is ready for enterpises in my opinion.


Meena

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jideji Wed, 07/28/2010 - 11:38



/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin-top:0in; mso-para-margin-right:0in; mso-para-margin-bottom:10.0pt; mso-para-margin-left:0in; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;}

Are you asking to do NAT on the trusted side of the CAS itself? I think this can be a good feature request please you can run this by your account Thanks

Actions

This Discussion