Cisco Support Community
NAC L3 OOB VGW possible?

Is it possible to do L3 NAC OOB with VGW?

The documentation does not say that it is not possible, but I see some technical difficulties.

In VGW deployment, the Auth IP = Access IP and only the VLAN ID changes. But on the other end of an L3 link I cannot see VLAN IDs and therefore cannot distinguish between Auth and Access.

So is it correct that OOB L3 VGW is not possible?


Re: NAC L3 OOB VGW possible?

It is my understanding that the IP address of the client must change when it moves from auth to access.

It is still OOB because traffic only goes through the CAS during authentication/remediation. Because there are no VLAN mappings it is not VGW.

Typically the CAS is at a core location, and you use policy routing or ACLs to separate auth traffic from access (though I prefer VRF) to "pipe" auth traffic back to the CAS.

Once auth is successful, the CAM switches the port to the access vlan.
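To make the policy-routing variant of the reply concrete, here is an added IOS configuration sketch; it is not from the thread or from Cisco documentation, and every VLAN number, subnet, interface name and the CAS address is an assumption. It shows why the client IP changes in L3 OOB: the authentication VLAN and the access VLAN are different routed subnets, and only the authentication subnet is forced toward the CAS.

```cisco
! Added illustration (not from the original thread): L3 OOB with policy-based routing.
! Assumed addressing: auth VLAN 110 = 10.110.0.0/24, access VLAN 120 = 10.120.0.0/24,
! CAS untrusted interface = 10.200.0.2 reached via VLAN 200 on this core switch.

! Select traffic from unauthenticated clients (the whole auth VLAN subnet).
ip access-list extended NAC-AUTH-TO-CAS
 permit ip 10.110.0.0 0.0.0.255 any

! Policy route: matching packets get the CAS untrusted side as next hop
! instead of following the normal routing table.
route-map NAC-AUTH-PBR permit 10
 match ip address NAC-AUTH-TO-CAS
 set ip next-hop 10.200.0.2

! Authentication VLAN SVI: policy applied to traffic arriving from clients.
interface Vlan110
 description NAC authentication VLAN (unauthenticated clients)
 ip address 10.110.0.1 255.255.255.0
 ip policy route-map NAC-AUTH-PBR

! Access VLAN SVI: no policy. After the CAM moves the port here the client
! gets a new address in this subnet and its traffic never transits the CAS.
interface Vlan120
 description NAC access VLAN (authenticated clients)
 ip address 10.120.0.1 255.255.255.0

! Routed link toward the CAS untrusted interface.
interface Vlan200
 description Link to CAS untrusted side
 ip address 10.200.0.1 255.255.255.0
```

Because the redirection keys on the source subnet rather than on a VLAN tag, it works across the L3 hop that the question describes; the trade-off is that the client must obtain a new IP address after the CAM switches the port to the access VLAN.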
