NAC Inband L2 and L3 Simultaneously Does Not Work

Answered Question
Aug 16th, 2010

Dear All,

I have a problem with a simultaneous L2 and L3 NAC deployment.

I have a CAS configured as a Real IP gateway, Inband. Previously I had the NAC running well in an L3 deployment using PBR. I configured PBR on the distribution switch to intercept the traffic from users to the untrusted side of the NAC.

Now our company is trying to add wireless, using a WLC, which has an interface VLAN configured on the untrusted side of the CAS (using the 'managed subnet' section on the CAM). The wireless works perfectly: users are able to authenticate to the NAC and are able to connect to the whole network after NAC authentication.

However, now the L3 users can't reach the untrusted interface to perform NAC authentication. The CAS can't even ping the L3 users, which was okay previously.

Is there any limitation on Cisco NAC for L2 and L3 deployment? I read from Cisco that one CAS can be configured for L3 and L2 simultaneously, so it should work.


Faisal Sehbai Mon, 08/16/2010 - 02:57


What other changes were made to your network when you were enabling the Wireless?

L2 and L3 do work on the same CAS. I need more information on your layout to comment further.


m.imaduddin Tue, 08/17/2010 - 20:43

Hi Faisal,

I give you the logical diagram of our NAC - Wireless. The red line is the L3 link, and the black line is the L2 link.

For the wireless I created the interface VLAN on the untrusted side of the NAC. For the wired, I configured PBR on the routed interface connecting to the aggregator switch. The next-hop IP for the wired users is the virtual IP address of the untrusted interface (we use 2 CAS for failover).

Basically we only added a managed subnet for the wireless users; the IP address for the managed subnet is the interface VLAN for wireless. On the CAS network we enabled L3 support, without enabling L3 strict mode for NAT.

FYI, we recently upgraded the NAC from 4.7.1 to 4.8.

I hope this gives you clearer information.

Thank you in advance, and Happy Ramadhan


m.imaduddin Tue, 08/17/2010 - 21:13


If I can simplify, the problem is: "the untrusted interface can not do routing".

I suspect this because, when I add a static route for the managed network via the untrusted interface, the managed network can't ping the untrusted interface.

If I remove the static route for the managed network, the managed network can ping the untrusted interface. (The ping echo request comes from the managed network and the reply from the NAC is sent via the trusted interface.)



Faisal Sehbai Thu, 08/19/2010 - 05:21


Ramazan mubarak to you also.

Please post the screenshots of your CAS's configuration screens, particularly the Network page, the Managed subnets, the static routes.

Please also post your IP/VLAN information to go along with your network diagram.



m.imaduddin Thu, 08/19/2010 - 21:09

Salam Faisal

Now our NAC is working fine with wireless (L2) and wired (L3).

For the wireless network, we keep the interface VLAN on "managed subnet". For the wired network we removed the static route on the CAS. We did this to overcome the problem with the untrusted interface, which can't do routing if we add a "managed subnet".

So the traffic flow for the unauthenticated role for a wired user is:

1. The user generates an HTTP or HTTPS request; the traffic goes to the untrusted interface of the CAS (because we configured PBR on the distribution switch).

2. The CAS replies to the request using the TRUSTED INTERFACE. During this stage the user can't reach the protected network.

3. The user authenticates via RADIUS, LDAP or SSO.

4. After performing authentication and remediation the user can reach the protected network.

I think this is not an ideal solution for NAC, because the CAS should route the L3 user via the untrusted interface.

This is also not ideal because it means that the traffic flow from the user to the protected network is asymmetric (traffic from the user to the protected network flows inband through the NAC; traffic from the protected network to the user doesn't flow via the NAC).
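For readers following the wired (L3) part of this thread, here is an added example of the distribution-switch PBR interception the posts describe, with a check for the asymmetric return path. It is not configuration from the original thread; the interface name, the user subnet 10.10.0.0/16, the CAS untrusted VIP 10.20.0.1 and the protected-network ACL entry are all assumed values.

```cisco
! Assumed: wired user subnets live behind the aggregator on Gi1/1.
! Only traffic headed for the protected network is steered to the
! CAS untrusted VIP; everything else follows the normal routing table.
ip access-list extended NAC-USERS-TO-PROTECTED
 permit ip 10.10.0.0 0.0.255.255 any
!
route-map NAC-INTERCEPT permit 10
 match ip address NAC-USERS-TO-PROTECTED
 set ip next-hop 10.20.0.1
!
interface GigabitEthernet1/1
 description routed link to aggregator switch (wired users)
 ip address 10.20.1.1 255.255.255.0
 ip policy route-map NAC-INTERCEPT
!
! Checks:
! - "show route-map NAC-INTERCEPT" should show the policy-match counter
!   increasing while a wired user loads the NAC login page; zero matches
!   means the PBR is not intercepting and users are bypassing the CAS.
! - A traceroute from a user host should show 10.20.0.1 as the first hop
!   after this switch; a traceroute from the protected network back to
!   the user will NOT pass through the CAS, which is exactly the asymmetry
!   described in the post above (return traffic follows the trusted side).
! - If the CAS VIP becomes unreachable, "set ip next-hop" falls back to
!   normal routing, so a failure of both CAS units fails open; monitor
!   the VIP reachability rather than relying on the PBR alone.
```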



Correct Answer
Faisal Sehbai Fri, 08/20/2010 - 22:16


The way you described it working is pretty close to how one would set it up.

Glad that it works for you now!



