
352-001 Question #249: Real Exam Question with Answer & Explanation

The correct answer is A: untrusted VLAN. In a NAC OOB Layer 3 Real-IP Gateway deployment, the untrusted VLAN must be trunked to the Clean Access Server so the CAS can act as the Layer 3 default gateway for unauthenticated clients.

Question

You are designing a NAC OOB Layer 3 Real-IP Gateway deployment for a customer. Which VLAN must be trunked back to the Clean Access Server from the access switch?

Options

  • A. untrusted VLAN
  • B. user VLAN
  • C. management VLAN
  • D. authentication VLAN

Explanation

In a NAC OOB Layer 3 Real-IP Gateway deployment, the untrusted VLAN must be trunked to the Clean Access Server so the CAS can act as the Layer 3 default gateway for unauthenticated clients.

Common mistakes.

  • B. The user VLAN carries traffic for clients who have already passed NAC posture checks and do not need to traverse the CAS for authentication.
  • C. The management VLAN carries administrative traffic for device management and is not where unauthenticated client traffic resides.
  • D. In a standard Cisco NAC OOB Real-IP Gateway deployment there is no separate authentication VLAN distinct from the untrusted VLAN - the untrusted VLAN itself serves the pre-authentication role.

Concept tested. Cisco NAC OOB Layer 3 Real-IP Gateway VLAN trunking

Reference. https://www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cas/47cas-book/cfg_oob.html
