Cisco Support Community
Exempt Devices in NAC 4.1

Hello friends,

I'm setting up layer 2 virtual gateway mode, and I'm a little bit confused regarding which would be the exempt devices in the layer 2 virtual gateway mode.

Whenever any device is in the authentication VLAN it will pass through the NAC Server, but if I move the port to the normal access VLAN in the switch by "switchport mode access vlan" then the device is out of the NAC flow.

From my knowledge, whatever VLAN mapping is done in NAC between the authentication and access VLANs, only those VLANs will be affected; the rest are all out of the NAC flow and will flow as normal traffic.

Also, all my switches are in the management VLAN, so if I don't create a mapping for the management VLAN then they will not flow through NAC. Am I correct?

Please suggest what other devices should be exempted from the network, for example printers, and what else?

Accepted Solution

Re: Exempt Devices in NAC 4.1

Estela,

You're correct in most of your assumptions. The key thing with NAC is to follow the flow of the traffic and make sure that in the unauthenticated state the flow of the traffic always goes through the CAS. It follows that if a port is not in a VLAN on your untrusted side, it would never be impacted by NAC. For your unauthenticated VLANs, you have to make sure that the only traffic path they're allowed is through the CAS. Keeping this simple design rule in mind, look at your VLANs again and you'll get most of the answers you're looking for.

HTH,

Faisal
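The design rule above (a port is only governed by NAC when its VLAN is an untrusted VLAN mapped on the CAS, and an untrusted VLAN must have no path to the network other than the CAS) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; the VLAN plan, the port list and the gateway inventory in it are constructed, and the idea of listing which devices offer a layer-3 gateway on each VLAN is an assumption about how the "only path is through the CAS" rule would be audited.

```python
# Added example: audit a NAC L2 virtual gateway VLAN plan against the rule that
# unauthenticated VLANs may reach the network only through the CAS.
from dataclasses import dataclass, field


@dataclass
class VlanPlan:
    # CAS VLAN mapping: untrusted (authentication) VLAN -> trusted (access) VLAN
    cas_mapping: dict
    # VLAN id -> devices that offer a layer-3 gateway on that VLAN (constructed inventory)
    gateways: dict = field(default_factory=dict)


def in_nac_flow(plan, vlan):
    """A port is governed by NAC only if its VLAN is an untrusted VLAN mapped on the CAS."""
    return vlan in plan.cas_mapping


def classify_ports(plan, ports):
    """ports: {port_name: vlan}. Returns {port_name: 'nac' | 'out_of_flow'}."""
    return {p: ("nac" if in_nac_flow(plan, v) else "out_of_flow")
            for p, v in ports.items()}


def bypass_paths(plan):
    """Untrusted VLANs with a gateway other than the CAS: traffic there can skip the CAS."""
    result = {}
    for vlan in plan.cas_mapping:
        others = sorted(g for g in plan.gateways.get(vlan, []) if g != "CAS")
        if others:
            result[vlan] = others
    return result


# Constructed sample plan: auth VLAN 110 maps to access VLAN 10, 120 maps to 20.
# VLAN 99 is the (unmapped) management VLAN, so switches there stay out of the flow.
PLAN = VlanPlan(
    cas_mapping={110: 10, 120: 20},
    gateways={110: ["CAS"], 120: ["CAS", "core-sw1"], 99: ["core-sw1"], 10: ["core-sw1"]},
)
PORTS = {"Gi1/0/1": 110, "Gi1/0/2": 10, "Gi1/0/3": 99, "Gi1/0/4": 120}

if __name__ == "__main__":
    for port, state in classify_ports(PLAN, PORTS).items():
        print(f"{port}: vlan {PORTS[port]} -> {state}")
    for vlan, gws in bypass_paths(PLAN).items():
        print(f"WARNING: untrusted VLAN {vlan} also has gateway(s) {gws}; traffic can bypass the CAS")
```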

Replies

Re: Exempt Devices in NAC 4.1

Hello Friends,

Can anybody reply to the query below?

Thanks
