NAC Out of Band Virtual GW problem

Hi all,

I have set up a lab with an OOB VGW setup. I have set up an authentication VLAN on the untrust interface of my CAS on VLAN 120, which is mapped to internal production VLAN 20 once assessment is done. So far everything works fine except the default GW.

I have a DHCP server that gives the following IP while I'm on VLAN 120 (authentication VLAN on the untrust CAS port):

IP address: 10.100.20.100

Subnet mask: 255.255.255.0

Default gateway: 10.100.20.1

In VGW mode, I had to create a "Managed Subnet" IP address on the CAS, which is what I did. I've put 10.100.20.1 for VLAN 120. Is this correct? Anyway, this is the only way I could figure out that I can send traffic across the CAS so my Cisco Clean Access Agent could trigger.

My problem now is that on my internal network MSFC router I also have IP 10.100.20.1 used as the DG. So in authentication mode my laptop's ARP entry has the MAC of the CAS for the 10.100.20.1 IP address. I then authenticate and I'm bounced and switched to the prod VLAN 20, but my laptop still has the ARP entry for the CAS and not my MSFC. Has anyone had this problem? Please send me info on how you fixed this.

Maybe I'm wrong with the "Managed Subnet" IP I've put on VLAN 120, but then how can my CAS see traffic from my laptop if the DG is different while I'm in authentication mode (VLAN 120)?

Thanks in advance for your assistance.

Dominic

2 REPLIES
Re: NAC Out of Band Virtual GW problem

Are you running the CAS in-band or out-of-band, and is it in Real IP or Virtual GW mode? If you are running in Real IP GW, in-band, is the CAS your DHCP server or is it doing DHCP relay?

Re: NAC Out of Band Virtual GW problem

I am setting up OOB VGW right now as well. You need to use another IP address from this subnet. Ideally exclude an IP from the DHCP range (to avoid any potential conflict), and assign it to the managed subnet. Got mine to work nicely.

Cheers,

Alex
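The check Alex describes, written up as an added example (not code from the thread or from Cisco): it validates a candidate managed-subnet address against the authentication VLAN's subnet, the real MSFC gateway address and the DHCP pool. The pool boundaries 10.100.20.100 to 10.100.20.200 are constructed for the example; the thread only shows one leased address.

```python
import ipaddress


def check_managed_subnet_ip(managed_ip, subnet, gateway, dhcp_start, dhcp_end):
    """Return a list of problems with a proposed OOB VGW managed-subnet IP.

    Checks, in order:
    - the address belongs to the authentication VLAN's subnet;
    - it is not the production default gateway (the MSFC address that the
      client keeps in its ARP cache after being moved to the production VLAN,
      which is the stale-ARP symptom described in the original post);
    - it is outside the DHCP pool handed out on the authentication VLAN.
    An empty list means the address is usable.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    ip = ipaddress.ip_address(managed_ip)
    gw = ipaddress.ip_address(gateway)
    lo = ipaddress.ip_address(dhcp_start)
    hi = ipaddress.ip_address(dhcp_end)

    problems = []
    if ip not in net:
        problems.append(f"{ip} is not inside the authentication subnet {net}")
    if ip == gw:
        problems.append(
            f"{ip} duplicates the production gateway; clients will keep the "
            "CAS MAC for it after the VLAN switch"
        )
    if lo <= ip <= hi:
        problems.append(
            f"{ip} lies inside the DHCP pool {lo}-{hi}; exclude it from the "
            "pool or pick another address"
        )
    return problems


if __name__ == "__main__":
    # Constructed lab values mirroring the thread: /24 on VLAN 120, MSFC at .1.
    SUBNET, GW, POOL_LO, POOL_HI = "10.100.20.0/24", "10.100.20.1", "10.100.20.100", "10.100.20.200"
    for candidate in ("10.100.20.1", "10.100.20.150", "10.100.20.254"):
        result = check_managed_subnet_ip(candidate, SUBNET, GW, POOL_LO, POOL_HI)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```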
