nerdexam
Cisco

352-001 · Question #249

You are designing a NAC OOB Layer 3 Real-IP Gateway deployment for a customer. Which VLAN must be trunked back to the Clean Access Server from the access switch?

The correct answer is A. untrusted VLAN. In a NAC OOB Layer 3 Real-IP Gateway deployment, the untrusted VLAN must be trunked to the Clean Access Server so the CAS can act as the Layer 3 default gateway for unauthenticated clients.

Designing Security

Question

You are designing a NAC OOB Layer 3 Real-IP Gateway deployment for a customer. Which VLAN must be trunked back to the Clean Access Server from the access switch?

Options

  • Auntrusted VLAN
  • Buser VLAN
  • Cmanagement VLAN
  • Dauthentication VLAN

How the community answered

(24 responses)
  • A
    88% (21)
  • B
    4% (1)
  • D
    8% (2)

Why each option

In a NAC OOB Layer 3 Real-IP Gateway deployment, the untrusted VLAN must be trunked to the Clean Access Server so the CAS can act as the Layer 3 default gateway for unauthenticated clients.

Auntrusted VLANCorrect

In an OOB Layer 3 Real-IP Gateway deployment, the Clean Access Server is configured as the default gateway for clients placed in the untrusted VLAN before they complete authentication. The untrusted VLAN must be trunked from the access switch to the CAS so that all unauthenticated client traffic is routed through the CAS for inspection, remediation, and posture validation before being granted access to the trusted network.

Buser VLAN

The user VLAN carries traffic for clients who have already passed NAC posture checks and do not need to traverse the CAS for authentication.

Cmanagement VLAN

The management VLAN carries administrative traffic for device management and is not where unauthenticated client traffic resides.

Dauthentication VLAN

In a standard Cisco NAC OOB Real-IP Gateway deployment there is no separate authentication VLAN distinct from the untrusted VLAN - the untrusted VLAN itself serves the pre-authentication role.

Concept tested: Cisco NAC OOB Layer 3 Real-IP Gateway VLAN trunking

Source: https://www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cas/47cas-book/cfg_oob.html

Topics

#NAC out-of-band#Clean Access Server#VLAN trunking#network access control

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice