352-001 · Question #249
You are designing a NAC OOB Layer 3 Real-IP Gateway deployment for a customer. Which VLAN must be trunked back to the Clean Access Server from the access switch?
The correct answer is A. untrusted VLAN. In a NAC OOB Layer 3 Real-IP Gateway deployment, the untrusted VLAN must be trunked to the Clean Access Server so the CAS can act as the Layer 3 default gateway for unauthenticated clients.
Question
You are designing a NAC OOB Layer 3 Real-IP Gateway deployment for a customer. Which VLAN must be trunked back to the Clean Access Server from the access switch?
Options
- Auntrusted VLAN
- Buser VLAN
- Cmanagement VLAN
- Dauthentication VLAN
How the community answered
(24 responses)- A88% (21)
- B4% (1)
- D8% (2)
Why each option
In a NAC OOB Layer 3 Real-IP Gateway deployment, the untrusted VLAN must be trunked to the Clean Access Server so the CAS can act as the Layer 3 default gateway for unauthenticated clients.
In an OOB Layer 3 Real-IP Gateway deployment, the Clean Access Server is configured as the default gateway for clients placed in the untrusted VLAN before they complete authentication. The untrusted VLAN must be trunked from the access switch to the CAS so that all unauthenticated client traffic is routed through the CAS for inspection, remediation, and posture validation before being granted access to the trusted network.
The user VLAN carries traffic for clients who have already passed NAC posture checks and do not need to traverse the CAS for authentication.
The management VLAN carries administrative traffic for device management and is not where unauthenticated client traffic resides.
In a standard Cisco NAC OOB Real-IP Gateway deployment there is no separate authentication VLAN distinct from the untrusted VLAN - the untrusted VLAN itself serves the pre-authentication role.
Concept tested: Cisco NAC OOB Layer 3 Real-IP Gateway VLAN trunking
Source: https://www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cas/47cas-book/cfg_oob.html
Topics
Community Discussion
No community discussion yet for this question.