Cisco Support Community
Community Member

NAC access list question

So we have a NAC in our lab, set up as L3 OOB. We have a VLAN set up for internet-only access. A route map is configured on the CORE to send the internet-only traffic back to the NAC for restrictions (to mimic the in-band solution). For our unauthenticated role policy, we set up the access list on a VLAN to only access the internet and block internal addresses. The weird thing is, the access list on the NAC works on any internal addresses, but when the PC pings/telnets the CORE itself (and any mgmt IP addresses) it works?????... Anybody know the reason? Sure, a workaround is to put an ACL on the CORE itself to block that...

Hope my drawing is enough to assist...

CORE--------l3 switch--------pc





Cisco Employee

Re: NAC access list question

That's a great idea - the ACL on the management interfaces of the devices.

Is the ACL for the unauthenticated role on the L3 switch or the Core?

I would guess it is on the L3 switch, since it is likely the default gateway for that unauth vlan.
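The following is an added example of the workaround this reply endorses, written for this thread rather than taken from it or from any Cisco documentation. It shows an IOS-style ACL applied inbound on the unauthenticated VLAN's SVI so that traffic from that VLAN to the L3 switch's own SVI and to the core's addresses is dropped on the switch, while everything else is still permitted and therefore still reaches the route map that sends it to the NAC. It also shows an access-class on the VTY lines as a second layer for telnet/SSH. All VLAN numbers and addresses are constructed placeholders.

```cisco
! Added example, not configuration from the thread. Assumed (placeholder) addressing:
!   unauthenticated VLAN 100 = 10.100.0.0/24, SVI 10.100.0.1 on the L3 switch
!   core SVI/management addresses = 10.1.1.1 and 10.1.1.2
!   trusted management subnet for VTY access = 10.1.1.0/24
!
! Inbound ACL on the unauth VLAN: an ACL applied with ip access-group on the
! same interface is evaluated before policy routing, so these denies take
! effect regardless of what the route map does with the remaining traffic.
ip access-list extended UNAUTH-VLAN-IN
 remark Drop unauth clients talking to the switch's own SVI (covers ping and telnet)
 deny   ip 10.100.0.0 0.0.0.255 host 10.100.0.1
 remark Drop unauth clients talking to the core's SVI and management addresses
 deny   ip 10.100.0.0 0.0.0.255 host 10.1.1.1
 deny   ip 10.100.0.0 0.0.0.255 host 10.1.1.2
 remark Everything else continues on to the route map and is restricted by the NAC
 permit ip any any
!
interface Vlan100
 description Unauthenticated (internet-only) VLAN
 ip address 10.100.0.1 255.255.255.0
 ip access-group UNAUTH-VLAN-IN in
!
! Second layer: restrict who may open a management session at all, so a client
! that reaches a device address by some other path still cannot log in.
ip access-list standard MGMT-VTY
 deny   10.100.0.0 0.0.0.255
 permit 10.1.1.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-VTY in
```

DHCP from an unauthenticated client is not affected by the SVI deny entries, because the initial broadcast carries a 0.0.0.0 source and a renewal is addressed to the DHCP server rather than the gateway. The same pair of ACLs would be applied on the core for its own interfaces if the core is also directly reachable from that VLAN.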


Community Member

Re: NAC access list question

On the L3 switch... yeah, it is the default GW for the unauth VLAN...

But do you know why the policy manager on the CAM doesn't enforce when the client reaches any IP addresses on the core or L3 switch?
