nerdexam
Cisco

352-001 · Question #272

You are designing an Out of Band Cisco Network Admission Control, Layer 3 Real-IP Gateway deployment for a customer. Which VLAN must be trunked back to the Clean Access Server from the access switch?

The correct answer is A. untrusted VLAN. In an Out-of-Band Cisco NAC Layer 3 Real-IP Gateway deployment, the untrusted VLAN must be trunked to the Clean Access Server so it can intercept and assess unauthenticated client traffic before granting network access.

Designing Security

Question

You are designing an Out of Band Cisco Network Admission Control, Layer 3 Real-IP Gateway deployment for a customer. Which VLAN must be trunked back to the Clean Access Server from the access switch?

Options

  • Auntrusted VLAN
  • Buser VLAN
  • Cmanagement VLAN
  • Dauthentication VLAN

How the community answered

(34 responses)
  • A
    91% (31)
  • B
    6% (2)
  • D
    3% (1)

Why each option

In an Out-of-Band Cisco NAC Layer 3 Real-IP Gateway deployment, the untrusted VLAN must be trunked to the Clean Access Server so it can intercept and assess unauthenticated client traffic before granting network access.

Auntrusted VLANCorrect

The untrusted VLAN is where clients are initially placed prior to posture assessment and authentication. The Clean Access Server must receive this VLAN traffic directly so it can redirect clients to the authentication portal, evaluate endpoint compliance, and enforce policy before moving users to the trusted network segment.

Buser VLAN

The user VLAN is the trusted segment where clients reside after successful authentication; the CAS does not need to intercept already-authenticated traffic on this VLAN.

Cmanagement VLAN

The management VLAN carries device management traffic such as SSH and SNMP and is not associated with client authentication or posture assessment workflows.

Dauthentication VLAN

There is no separate 'authentication VLAN' in Cisco NAC OOB terminology; the untrusted VLAN itself is the segment that handles pre-authentication client traffic.

Concept tested: Cisco NAC OOB Layer 3 Real-IP Gateway VLAN trunking requirements

Source: https://www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/413/cas/413_cas_book/oob.html

Topics

#Cisco NAC#out-of-band NAC#VLAN trunking#Clean Access Server

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice