Windows Server 2008: Deploying IPsec Server and Domain Isolation using Group Policy

Network Access Protection (NAP) with IPsec policy enforcement is a very powerful method of deploying your NAP solution. You actually get two solutions in one: first, NAP network access control, which lets you block unhealthy machines from connecting to your network, and second, IPsec domain isolation, which prevents rogue machines from connecting to your network. NAP with IPsec domain isolation allows you to create a “virtual network” within the confines of your physical networks. Machines in the IPsec “virtual network” can be on the same network segment or VLAN segment and still be virtually segmented from one another by IPsec. Machines without IPsec Health Certificates will be unable to communicate with healthy machines on the network.
