352-001 · Question #272

352-001 Question #272: Real Exam Question with Answer & Explanation

The correct answer is A: untrusted VLAN. In an Out-of-Band Cisco NAC Layer 3 Real-IP Gateway deployment, the untrusted VLAN must be trunked to the Clean Access Server so it can intercept and assess unauthenticated client traffic before granting network access.

Question

You are designing an Out of Band Cisco Network Admission Control, Layer 3 Real-IP Gateway deployment for a customer. Which VLAN must be trunked back to the Clean Access Server from the access switch?

Options

  • A. untrusted VLAN
  • B. user VLAN
  • C. management VLAN
  • D. authentication VLAN

Explanation

In an Out-of-Band Cisco NAC Layer 3 Real-IP Gateway deployment, the untrusted VLAN must be trunked to the Clean Access Server so it can intercept and assess unauthenticated client traffic before granting network access.

Common mistakes.

  • B. The user VLAN is the trusted segment where clients reside after successful authentication; the CAS does not need to intercept already-authenticated traffic on this VLAN.
  • C. The management VLAN carries device management traffic such as SSH and SNMP and is not associated with client authentication or posture assessment workflows.
  • D. There is no separate 'authentication VLAN' in Cisco NAC OOB terminology; the untrusted VLAN itself is the segment that handles pre-authentication client traffic.

Concept tested. Cisco NAC OOB Layer 3 Real-IP Gateway VLAN trunking requirements

Reference. https://www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/413/cas/413_cas_book/oob.html
