Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAC OOB L2 VG Managed Subnet

I have configured OOB Virtual Gateway. However, the CAS fail to detected and redirect to the login web page.

sometime i change the managed subnet, I work...

I wonder what exact IP address should be typed into the managed subnet?

Suppose I have 10 trust VLANs (10,11,12,13 ...) , and i create related 10 untrusted VLAN (20,21,22,23...)

IP address for VLAN 10:

IP address for VLAN 11:

IP address for VLAN 12:

IP address for VLAN 13:

I have tried 4.1.x version of CAM/CAS, the page allowed us to input subnet address.

However, in 4.5.x or above, we must input host ip address. Now i upgraded to 4.7.2 versions, what IP address and VLAN should i type into this page? VLAN20 VLAN21 VLAN22 VLAN23


also, I wanna to ask the Network page of CAS. The Set management VLAN ID of untrust interface should set to "0" ,"left it blank" or "one of trust VLAN"??

I'm green hand in NAC...hope someone guide. Many Thanks


Re: NAC OOB L2 VG Managed Subnet


Always use IP addresses for Managed Subnet entries, and never the subnet address.

As for setting management VLANs, except for some corner cases, it should be nothing on the untrusted side.



New Member

Re: NAC OOB L2 VG Managed Subnet

how about the VLAN in managed subnet? should be untrust or trust VLAN??

Fail to get IP address from DHCP server ..

I added vlan mapping in vlan mapping tab:

vlan 1 is trust vlan, vlan 240 is untrust vlan

vlan 110 is trust vlan, vlan 241 is untrsut vlan

also add managed subnet as following: vlan 1 vlan 110

Traffic Crotrol as following:

unauthentication role

Default <-- DNS* Allow DHCP and DNS

the DHCP server is located in vlan 1 168.18.0.x,

vlan 110 need to go gateway with ip helper-address to 168.18.0.x

would ip helper-address make vlan 241 fail to get IP?

any special need to do in CAM/CAS so that vlan 241 could get IP from DHCP server 168.18.0.x?

Re: NAC OOB L2 VG Managed Subnet


Change those networks to an IP in those networks, so for example should be

Vlan tag should be of the untrusted vlan, so in this case vlan 1, and if you can please move away from vlan 1 and use something else.

There isn't anything special required for dhcp to work other than a correct managed subnet and vlan mapping.



New Member

Re: NAC OOB L2 VG Managed Subnet

oh..might be my explaination is not clear... It should be vlan 240 as untrust, vlan 1 is trust.

i knew from installation guide that vlan 1 is not recommended but in my case, I can't move it away from user access(trsut) vlan.

trust untrust

------ ----------

vlan1 vlan240

using any UNUSED ip address as virtual gateway in managed subnet with related untrust VLAN ID.

for example,

Managed Subnet

------------------------- vlan 240

Should i configure ARP entry too?

Arp entries (i saw installation guide.. it mentioned the entries would be automaticatedly created ... how to verify that?? coz there're no entries in arp tab )

---------------- eth1 ????

Also, not to select "L3 enable"?!!!

Re: NAC OOB L2 VG Managed Subnet


No need to set ARP entries. They are done automatically. If your setup is L2 only, then there's no need to enable L3 also. Enabling it won't make a difference for your L2 clients.

To see the arp entries on a CAS, use the command: cat /proc/click/intern_arpq/table (see entries on untrusted side) or cat /proc/click/extern_arpq/table (to see entries on the trusted side)



New Member

Re: NAC OOB L2 VG Managed Subnet

yes.. Arp could not allow me to add since it is conflicted with managed subnet..

I still have not chance down to server room and take a look on ARP entries. But i would do this next monday.

Thanks for your reply. However, I still could not get any IP from DHCP servers.

I wonder that there're NO untrust VLAN could get IP from DHCP server NOW.

The attached file is captured from real case.

I just use 2 VLAN as testing now.

pic 1 - pic6:

Only L2 is ok.. I uncheck L3 enable already. = VLAN1 <--> VLAN240 = VLAN110 <--> VLAN241

I take 2 unused IP addresses from and as manage subnet.

Unauthenticated role is allowed UDP/DHCP by default..

Could explain what I wrong in configuration?

Re: NAC OOB L2 VG Managed Subnet

Uncheck the "Enable subnet-based VLAN retag" option, reboot your CAS and try again.



New Member

Re: NAC OOB L2 VG Managed Subnet

Help!!.. It still fail to get IP for any untrust vlan.

If i set the port as uncontrol, pc is normally received IP for the related VLAN.

so, all vlan (included "untrust") is normally configured on all switches located between paths from cas/cam.

i attached a screen dump for further help!! many thanks.

New Member

Re: NAC OOB L2 VG Managed Subnet

Successful to get IP NOW... coz some VTP set to transparent and can't learn all VLAN.

Even that... some issues i face.. Since User Flat network is big enough and cover thousand of switches. I find some characteristic ..

The big flat network is using "3750 stack" as core switch. The version of IOS is 12.2(25). I did check with doc.

Extracted as below:

Stacked Cisco Catalyst 3750 Switches and NAC Appliance Out-of-Band Deployment

For Cisco Clean Access (NAC Appliance) customers with OOB deployments running stacked Cisco Catalyst 3750 switches with Cisco IOS 12.2(25) SEC2 or lower, SNMP mac-notifications can fail, and SNMP does not report MAC addresses to the OOB Clean Access Manager and Server.

So.................... my Question is:

Although this Switches might fail to snmp notification to CAS/CAM, all other switches connected to this 3750 would fail to report snmp notification also???

My case seems like all switches connected away from the switch connected to CAS/CAM is success performing login and authentication by CAS, However, all switches connected to this core 3750 fail to perform the login ..even no login page find..

SW1 --- 3750 -- SW2 --- SW3 --CAS & CAM

SW2 and SW3 could success performing CAS login.

SW1 fail to get login page and fail to do authentication. But could get DHCP and stuck in untrust VLAN.

Re: NAC OOB L2 VG Managed Subnet


Please post a network diagram of what you're working with. Mark the VLANs and IP addresses and post the switch configurations of the switches in question.



New Member

Re: NAC OOB L2 VG Managed Subnet

get it from SSH console..

cat /proc/click/intern_arpq/table (see entries on untrusted side)  <-- No entries

cat /proc/click/extern_arpq/table (to see entries on the trusted side) <-- Many Entries

Why no entries in intern_arpq/table????

and is it correct ??

fail to get IP X.X

New Member

Re: NAC OOB L2 VG Managed Subnet

Also, more info:

CAS is using vlan 228 (

CAM is using vlan 229 (

They are individual VLAN and using 3750 as inter-VLAN routing to other vlans.

New Member

Re: NAC OOB L2 VG Managed Subnet

Hi to All,

I  would like to ask some help for my nac appliance. Currently im setting  up the nac appliance. I just having trouble what ip address should I use  for the managed subnet. I have setup trusted vlan as it is existing in  our network but what about the untrusted vlan? Should i make new ip  addresses for it and put it in the untrusted? I dont know if made it  correct but I cannot get an ip address everytime i change the switchport  to port profile I made. Please can you guys help me i just need to know  it for my project. thanks.