Cisco NAC Appliance Solution: True Statements | CCIE Security Exam

Cisco NAC Appliance Solution


Question

Which three statements are true about the Cisco NAC Appliance solution? (Choose three.)

Answers

ACD.

Explanations

The Cisco NAC (Network Admission Control) Appliance solution is a security solution that provides access control and enforcement for network devices, hosts, and users. It uses a combination of pre-admission and post-admission policies to ensure compliance with security policies and prevent unauthorized access.

A. In a Layer 3 OOB (Out of Band) ACL (Access Control List) deployment of the Cisco NAC Appliance, the discovery host must be configured as the untrusted IP address of the Cisco NAC Appliance Server.

This statement is true. In an OOB deployment, the Cisco NAC Appliance Server is connected to a switch that mirrors all traffic to the server for policy enforcement. The discovery host is the device that initiates a network connection and is redirected to the Cisco NAC Appliance Server for authentication and authorization. In a Layer 3 OOB ACL deployment, the discovery host's IP address is considered untrusted and must be configured as such on the Cisco NAC Appliance Server.

B. In a Cisco NAC Appliance deployment, the discovery host must be configured on a Cisco router using the "NAC discovery-host" global configuration command.

This statement is not necessarily true. The discovery host can be any device that initiates a network connection and is redirected to the Cisco NAC Appliance Server for authentication and authorization. It can be a user device, such as a laptop, or a network device, such as a switch or router. However, if a Cisco router is used as the discovery host, the "NAC discovery-host" global configuration command can be used to configure it.

C. In a VRF (Virtual Routing and Forwarding)-style OOB deployment of the Cisco NAC Appliance, the discovery host may be the IP address that is on the trusted side of the Cisco NAC Appliance Server.

This statement is true. In a VRF-style OOB deployment, the Cisco NAC Appliance Server is connected to a switch that is configured with multiple VLANs, each with its own VRF. The discovery host can be on any VLAN that is on the trusted side of the Cisco NAC Appliance Server.

D. In a Layer 3 IB (In Band) deployment of the Cisco NAC Appliance, the discovery host may be configured as the IP address of the Cisco NAC Appliance Manager.

This statement is true. In an IB deployment, the Cisco NAC Appliance Server and the discovery host are on the same network segment. The discovery host's IP address can be configured as the IP address of the Cisco NAC Appliance Manager, which is responsible for policy enforcement.

In summary, statements A, C, and D are true about the Cisco NAC Appliance solution, while statement B is not necessarily true.