I have a problem with simultaneous L2 and L3 NAC deployment.
I have a CAS configured as Real IP gateway, Inband. Previously I could have the NAC running well on L3 deployment using PBR. I configured PBR on the distribution switch to intercept the traffic from user to untrusted NAC.
Now our company is trying to add Wireless, using WLC, which has an interface VLAN configured in untrusted CAS (using the 'managed subnet' section on CAM). The wireless runs perfectly; they are able to authenticate to NAC and able to connect to the whole network after NAC authentication.
However, now the L3 users can't reach the untrusted to perform NAC authentication. The CAS can't even ping the L3 user, which was okay previously.
Is there any limitation on Cisco NAC for L2 and L3 deployment? I read from Cisco that one CAS can be configured for L3 and L2 simultaneously, so it should work.
I give you the logical diagram of our NAC - Wireless. The red line is the L3 link, and the black line is the L2 link.
For the wireless I created the interface VLAN on untrusted NAC. For the wired, I configured PBR on the routed interface connecting to the aggregator switch. The next-hop IP for the wired users is the virtual IP address of the untrusted interface (we use 2 CAS for failover).
Basically we only add a managed subnet for wireless users; the IP address for the managed subnet is the interface VLAN for wireless. On the CAS network we enable L3 support, without enabling L3 strict mode for NAT.
FYI, we recently upgraded the NAC from 4.7.1 to 4.8.
Now our NAC is working fine with wireless (L2) and wired (L3).
For the wireless network, we keep the interface VLAN on "managed subnet". For the wired network we remove the static route on the CAS. We do this to overcome the problem with the untrusted interface, which can't do routing if we add a "managed subnet".
So the traffic flow for the unauthenticated role for wired users is:
1. The user generates an HTTP or HTTPS request; the traffic goes to the untrusted interface of the CAS (because we configure PBR on the distribution switch).
2. The CAS replies to the request using the TRUSTED INTERFACE. During this stage the user can't go to the protected network.
3. The user authenticates via RADIUS, LDAP or SSO.
4. After performing authentication and remediation the user can go to the protected network.
I think this is not an ideal solution for NAC, because the CAS should route the L3 user via the untrusted interface.
This is also not ideal because this means that the traffic flow from user to protected network is asymmetric (traffic from user to protected network flows inband to NAC; traffic from protected network to user doesn't flow via NAC).
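As an added illustration, not taken from the original post or from Cisco documentation, this is what the PBR intercept described above (distribution switch sending wired-user traffic to the CAS untrusted virtual IP) typically looks like in Cisco IOS. Every address, interface name, ACL name and object number below is a constructed placeholder, not a value from the poster's network.

```cisco
! Constructed example: wired user subnet 10.10.20.0/24 sits behind the
! aggregator switch; the CAS failover pair answers on untrusted-side
! virtual IP 10.10.99.10. All values are placeholders.

! 1. Match only the wired user subnet. Traffic addressed to the CAS VIP
!    itself is left to normal routing (deny = no policy applied).
ip access-list extended NAC-USERS
 deny   ip 10.10.20.0 0.0.0.255 host 10.10.99.10
 permit ip 10.10.20.0 0.0.0.255 any

! 2. Track reachability of the CAS VIP. When the tracked next hop is down,
!    IOS ignores the set clause and forwards normally, i.e. the NAC redirect
!    fails open. Alarm on track state changes rather than relying on it.
ip sla 10
 icmp-echo 10.10.99.10
 frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability

! 3. Route map: send matching packets to the CAS untrusted VIP.
route-map NAC-REDIRECT permit 10
 match ip address NAC-USERS
 set ip next-hop verify-availability 10.10.99.10 10 track 10

! 4. Apply on the routed interface facing the aggregator switch. PBR acts
!    on packets entering this interface only; traffic returning from the
!    protected network follows the routing table and never sees the CAS.
interface GigabitEthernet1/0/1
 description Link to aggregator switch (wired users)
 ip address 10.10.1.1 255.255.255.252
 ip policy route-map NAC-REDIRECT

! 5. Checks after applying:
!    show route-map NAC-REDIRECT   -> policy match counters increment
!    show track 10                 -> state must be Up
!    show ip policy                -> route map bound to Gi1/0/1
```

Because the policy is evaluated only on ingress of the user-facing interface, this configuration produces exactly the one-way path the post describes: the user-to-network direction is steered through the CAS, while the protected-network-to-user direction uses ordinary routing. Anyone auditing such a deployment should treat the track state and the route-map match counters as the evidence that enforcement is actually taking place.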