New Member

Problem with NAC IB VG

Hi there,

I'm deploying NAC IB VG (in-band Virtual Gateway), but I've got the following problem.

My diagram:

user -- Core sw -- NAC manager
           \
            NAC server

and the configuration for the Core sw:

interface GigabitEthernet1/33
 description To Trusted
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/34
 description To Untrusted
 switchport trunk encapsulation dot1q
 switchport mode trunk

There are also many other trunk ports on the Core sw, so traffic from the user VLAN always uses the other trunk ports (it does not use the port connecting to the untrusted side of the NAC server) to go outside. How can I resolve this problem?

Much appreciate your replying!

New Member

Re: Problem with NAC IB VG

My configuration on the NAC server:

- Trusted interface:
  Default GW:
  Management VLAN: 110
- Untrusted interface:
  Default GW:
- Managed subnet: / / VLAN 96
- VLAN mapping:
  Untrusted: 96
  Trusted: 16
- Static route:
  Subnet: 16
  Link: untrusted

Is my configuration wrong? Can anyone help me?

Re: Problem with NAC IB VG

Take a look at the chalk talk series.

- In an L2 VGW solution, static routes are not used.
- Confirm there is no L3 interface on the core switch for VLAN 96.
- Change the native VLAN on the trunks into the CAS so that they are different from each other. The default is for a port to use native VLAN 1.
- On the untrusted trunk, allow only the untrusted VLAN.
- On the trusted trunk, allow only the trusted VLAN and the VLAN associated with CAS management.
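The core-switch configuration that applies the checklist in the answer above, written as an added example for this thread rather than taken from the posts or from Cisco documentation. The VLAN numbers 16, 96 and 110 are the ones given by the original poster; the native VLANs 901 and 902, the SVI address 10.16.0.1/24, the uplink Gi1/1 and the access-port range Gi2/1-48 are assumptions. The example also covers the poster's first complaint (user traffic leaving through other trunks), which the answer implies but does not spell out: VLAN 96 must be pruned from every trunk except the one to the CAS, and client access ports must sit in VLAN 96.

```cisco
! Core switch (Catalyst IOS), NAC Appliance in-band Virtual Gateway.
! VLAN 96  = untrusted (client side of the CAS)
! VLAN 16  = trusted (same IP subnet as 96, bridged to it by the CAS)
! VLAN 110 = CAS management
! VLANs 901/902 are assumed, otherwise unused, and serve only as native VLANs.
vlan 16,96,110,901,902
!
! 1. The core routes only the trusted VLAN. If an SVI exists for VLAN 96,
!    clients reach a gateway without ever crossing the CAS.
no interface Vlan96
interface Vlan16
 description User subnet, trusted side; the only L3 hop for these hosts
 ip address 10.16.0.1 255.255.255.0
!
! 2. Untrusted trunk to the CAS: carry VLAN 96 only, with its own native VLAN.
interface GigabitEthernet1/34
 description To Untrusted
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 902
 switchport trunk allowed vlan 96
!
! 3. Trusted trunk to the CAS: trusted VLAN plus the CAS management VLAN,
!    with a native VLAN different from the untrusted trunk.
interface GigabitEthernet1/33
 description To Trusted
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 901
 switchport trunk allowed vlan 16,110
!
! 4. Every other trunk (interface name assumed) must not carry VLAN 96, so the
!    only path out of the untrusted VLAN is through the CAS.
interface GigabitEthernet1/1
 description Uplink to distribution (not a CAS link)
 switchport trunk allowed vlan remove 96
!
! 5. Client access ports (range assumed) belong to the untrusted VLAN; the CAS
!    bridges them into VLAN 16 once the user is authenticated and certified.
interface range GigabitEthernet2/1 - 48
 switchport mode access
 switchport access vlan 96
!
! Verification from exec mode:
!   show interfaces trunk                    (Gi1/34 allows 96 only; Gi1/33 allows 16,110)
!   show ip interface brief | include Vlan96 (must return nothing)
```

In VGW mode the untrusted and trusted VLANs are the same IP subnet, so clients in VLAN 96 use the SVI on VLAN 16 as their default gateway and can only reach it through the CAS. Any second path that carries VLAN 96 (another trunk, or an access port placed directly in VLAN 16) lets a host skip the CAS entirely, which is what the "deny all" policy is meant to prevent.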



New Member

Re: Problem with NAC IB VG

Hi daladen,

I have removed the static routes from my configuration and also done the following:

- made sure there is no interface for VLAN 96
- the native VLAN on the trunks is different on each
- allowed only the untrusted VLAN on the untrusted trunk; allowed the trusted VLAN and the CAS management VLAN on the trusted trunk

However, my NAC system is still not operating! I think the problem is that when PCs connect to the network, they are immediately given IPs from the Access VLAN (16), so they always pass through the CAS without being blocked (I have set "deny all" on the CAS server).

Another problem is that with this modified configuration the clients cannot access the web interface of the CAS via https.

Could you please give me some other advice? Thank you so much!
