
Problem with NAC real IP/ layer 3/ in-band


I'm deploying a NAC realIP/in-band/layer3; users cannot ping the untrusted interface e1 of the NAC server. A user has to pass the core sw 6500 and FW before hitting e1 of the NAC server. I have tried to set the gateway of this interface e1 to itself (as in the Cisco document) and to the FW module, but in both cases the user still cannot ping e1.

Can anyone help me? I'd much appreciate your reply!

User -- Core sw 6500 -- FW module (on core sw) -- NAC server -- NAC manager


Re: Problem with NAC real IP/ layer 3/ in-band

I have already pinged e1 (untrusted) of the NAC server. I have set both a managed subnet and a static route, which is somewhat different from the Cisco document (Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(3)); this document recommends configuring a static route for a layer 3 deployment, not a managed subnet!

Does anyone have documents for deploying this scenario? Please share them with me! Thanks!

Re: Problem with NAC real IP/ layer 3/ in-band

Managed subnets are for L2 deployments and static routes are for L3 deployments. Both can exist on a CAS, but for an individual subnet, it will be one or the other.

If the client and CAS can see each other's broadcasts, it's L2. If not, it's L3.
