If between your core switch and access switches you have Layer 2 links, then you can go for either layer 2 or layer 3. If between your access switches and core you have layer 3 links, then you HAVE to go for L3.
As you're using VTP, I assume you have layer 2 links. If you want to go for L2, you can put the NAC server on the core and both its interfaces will be trunks. The trusted trunk will contain all your current user VLANs. The untrusted trunk will only contain the untrusted VLAN(s). The untrusted VLAN(s) MUST NOT have an SVI configured.
Because the untrusted VLANs have no SVI configured for them, all the traffic coming from these VLANs will be forced to go through the NAC server's untrusted interface.
For trusted VLANs, traffic will be routed normally without going through the NAC server, as the SVI is configured.
Basically, just to answer your question, having multiple VLANs with SVIs on the core still makes it possible to use L2.
We have VLAN 10 for the servers (application server, database, Exchange etc.).
The users are in VLANs 2, 3, 4, 5 etc.
Currently we have configured SVIs for all the VLANs, and configured trunk ports on the core switch for connecting the access switches (L2). The core switch is acting as the VTP server and the remaining access switches are in VTP client mode.
This is our existing network setup without NAC.
My question: how can I configure the NAC server to put all the user VLANs on the untrusted side and the servers (VLAN 10) on the trusted side? The NAC server should be L2/L3 OOB VGW.
- You will create an untrusted VLAN for each user VLAN. Your user VLANs are 2, 3, 4, 5, so let's say you create 102, 103, 104 and 105. 102 is the untrusted VLAN for 2, 103 is the untrusted VLAN for 103, ... These new VLANs MUST NOT have an SVI configured.
- On the core, you configure the port to which the untrusted interface of the CAS server is connected as a trunk, and you ONLY allow the untrusted VLANs (102, 103, 104, 105), and nothing else.
- On the core, you configure the port to which the trusted interface of the CAS is connected as a trunk, and you only allow the user VLANs (2, 3, 4, 5). No need to add the server VLAN, as I assume that servers won't go through NAC authentication.
- Then on the NAC you have to do the configuration for L2: VLAN mapping, managed subnets, ...
When a user first connects to the network, he will be assigned to an untrusted VLAN (101, 102, 103, 104, 105) and his traffic will be forced to reach the untrusted interface of the NAC server (as there are no SVIs for the traffic to be routed). Once the user becomes trusted, his VLAN will be changed to a user VLAN (2, 3, 4, 5) and his traffic will be routed normally without going through NAC, as these VLANs have an SVI configured.
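To make the core-switch side of this concrete, here is an added configuration example (not from the thread, not Cisco's own documentation) for the L2 OOB VGW design described above. The interface numbers, VLAN names and the 10.x.0.0/24 addressing are assumptions; the only design points it encodes are the ones stated in the answers: untrusted VLANs 102-105 with no SVI, the CAS untrusted trunk carrying only 102-105, the CAS trusted trunk carrying only 2-5, and VLAN 10 (servers) never touching the CAS.

```cisco
! Core switch (VTP server, so the new VLANs propagate to the access switches)
vlan 2
 name USERS-2
vlan 102
 name UNTRUSTED-2
! ... repeat for 3/103, 4/104, 5/105 ...
!
! Trusted user VLANs keep their SVI so the core routes them normally
interface Vlan2
 ip address 10.2.0.1 255.255.255.0
 no shutdown
!
! Deliberately NO "interface Vlan102" .. "interface Vlan105":
! with no SVI, hosts in 102-105 can only reach the CAS untrusted interface,
! which bridges them (VGW) to the corresponding trusted VLAN after posture passes.
!
! Port to the CAS untrusted interface (assumed Gi1/0/1): untrusted VLANs only
interface GigabitEthernet1/0/1
 description CAS untrusted side
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 102-105
 switchport nonegotiate
!
! Port to the CAS trusted interface (assumed Gi1/0/2): user VLANs only,
! server VLAN 10 is intentionally not allowed here
interface GigabitEthernet1/0/2
 description CAS trusted side
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2-5
 switchport nonegotiate
!
! Verification after applying:
!   show interfaces trunk          -> Gi1/0/1 allows 102-105, Gi1/0/2 allows 2-5
!   show ip interface brief | include Vlan10[2-5]   -> must return nothing
!   show vlan brief                -> 102-105 present (and visible on VTP clients)
```

On the CAS itself the matching piece is the VLAN mapping (102 to 2, 103 to 3, and so on) plus the managed subnets for 10.2.0.0/24 etc.; if `show ip interface brief` ever lists an SVI for an untrusted VLAN, unauthenticated hosts get a routed path around the CAS, so that check is the one to repeat after any core change.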