Cisco Support Community

Cisco NAC - L2 O-O-B VG Mode => Untrusted Networks: How big / how many Untrusted Subnets per CAS?

Network Infrastructure Overview:

- Preferred NAC Mode: L2 O-O-B Virtual Gateway Mode (DHCP Passthrough)
- Roughly 4 Layer 3 boundary blocks, each terminated by a Layer 3 switch
- Layer 2 communication within a block, Layer 3 between blocks
- ~1500 nodes per block; ~10-12 Layer 2 switches per block
- 2 CAMs and Profiler centrally located at the CORE, tying together the 4 blocks
- 1 CAS or 2 CASes per block, depending on block size

KEY QUESTION: For the UNTRUSTED NETWORK, what would be an ideal SIZE PER SUBNET / NUMBER OF SUBNETS needed for smooth operation within one Layer 3 block being served by 1 CAS (or two if significantly large)?

Additional notes:

I just need a rough estimate for perspective's sake. Also, looking at the rules on the Cisco website, I don't specifically see a mention of how extra untrusted subnets per CAS are defined (supposing you wanted to use more than one untrusted subnet per CAS, or why it would be suitable/unsuitable to use multiple untrusted subnets?).

Your input is appreciated in advance.


Re: Cisco NAC - L2 0-0-B VG Mode=>Untrusted Networks:How big/how

Sizing NAC solutions isn't really my specialty, so take this with a grain of salt, but from what you've described so far, your line of thought would work out well. A single CAS server can easily handle up to 5K users (simultaneous) and your numbers are way below that.

For more questions, please share a network diagram with VLANs and IP Subnets marked to shine more light on them.
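To put rough numbers on the sizing discussed in this thread, here is a small planning helper added as an example (it is not from the original post, the reply, or any Cisco tool). It assumes a per-subnet host ceiling and an address headroom factor as planning policy, takes the ~5K simultaneous users per CAS figure from the reply as the only CAS constraint, and carves the resulting untrusted subnets out of a constructed supernet. In L2 Virtual Gateway mode the untrusted and trusted VLANs for a block share one IP subnet, so the subnet count and size computed here are those of the user VLANs the CAS bridges.

```python
import ipaddress
import math

# Figure quoted in the reply above; treated here as a planning constant, not a vendor spec.
CAS_MAX_SIMULTANEOUS_USERS = 5000


def prefix_for_hosts(hosts, headroom=1.25):
    """Smallest IPv4 prefix length whose usable address count covers hosts * headroom.

    Usable addresses exclude the network and broadcast addresses. headroom=1.25
    (assumed policy) leaves room for growth and DHCP lease churn.
    """
    needed = math.ceil(hosts * headroom)
    for prefix in range(30, 7, -1):          # widen from /30 toward /8
        usable = 2 ** (32 - prefix) - 2
        if usable >= needed:
            return prefix
    raise ValueError("host count exceeds what a single /8 can hold")


def plan_untrusted_subnets(nodes_per_block, max_hosts_per_subnet=500, headroom=1.25):
    """Return (subnet_count, prefix_len) for one Layer 3 block.

    max_hosts_per_subnet is an assumed broadcast-domain ceiling, not a NAC limit;
    nodes are spread evenly across the resulting subnets.
    """
    subnet_count = math.ceil(nodes_per_block / max_hosts_per_subnet)
    hosts_each = math.ceil(nodes_per_block / subnet_count)
    return subnet_count, prefix_for_hosts(hosts_each, headroom)


def carve_subnets(supernet, subnet_count, prefix_len):
    """Allocate subnet_count consecutive subnets of /prefix_len from supernet."""
    net = ipaddress.ip_network(supernet)
    candidates = list(net.subnets(new_prefix=prefix_len))
    if len(candidates) < subnet_count:
        raise ValueError(f"{supernet} cannot hold {subnet_count} x /{prefix_len}")
    return [str(s) for s in candidates[:subnet_count]]


def cas_needed(nodes_per_block, per_cas=CAS_MAX_SIMULTANEOUS_USERS):
    """Number of CAS appliances needed if every node is online at once."""
    return math.ceil(nodes_per_block / per_cas)


if __name__ == "__main__":
    # Constructed input matching the thread: ~1500 nodes per block, supernet 10.10.0.0/16.
    nodes = 1500
    count, prefix = plan_untrusted_subnets(nodes)
    print(f"{nodes} nodes -> {count} subnets of /{prefix}")
    for s in carve_subnets("10.10.0.0/16", count, prefix):
        print("  ", s)
    print(f"CAS appliances needed: {cas_needed(nodes)}")
```

With the default policy, 1500 nodes come out as three /22 subnets (each holding about 500 nodes with headroom) and a single CAS, which matches the reply's point that the block is well under the per-CAS ceiling; lowering max_hosts_per_subnet increases the subnet count without changing the CAS count.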