
400-007 Question #44: Real Exam Question with Answer & Explanation

The correct answer is C: untrusted VLAN. In Cisco NAC Out of Band Layer 3 Real-IP Gateway mode, unauthenticated client traffic resides on the untrusted VLAN, which must be trunked to the Clean Access Server for posture assessment and authentication.

Question

You are designing an Out of Band Cisco Network Admission Control Layer 3 Real-IP Gateway deployment for a customer. Which VLAN must be trunked back to the Clean Access Server from the access switch?

Options

  • A. authentication VLAN
  • B. user VLAN
  • C. untrusted VLAN
  • D. management VLAN

Explanation

In Cisco NAC Out of Band Layer 3 Real-IP Gateway mode, unauthenticated client traffic resides on the untrusted VLAN, which must be trunked to the Clean Access Server for posture assessment and authentication.

Common mistakes.

  • A. An authentication VLAN is not a standard component in the OOB Layer 3 Real-IP Gateway model; the untrusted VLAN serves as the holding segment for unauthenticated clients requiring CAS inspection.
  • B. The user VLAN is the trusted, post-authentication segment where clients are placed after passing posture checks, so it does not need to be trunked to the CAS for admission control.
  • D. The management VLAN carries out-of-band device management traffic and is unrelated to client posture assessment or admission control logic in NAC deployments.

Concept tested. Cisco NAC OOB Layer 3 Real-IP Gateway VLAN trunking

Reference. https://www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/413/cas/413cas-book/413_C08_OOB.html
