Cisco Clean Access 3.5

Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 4      Clean Access Server Managed Domain
Understanding VLAN Settings
The Clean Access Server can serve either as a VLAN termination point or it can perform VLAN passthrough. In a Virtual Gateway configuration, VLAN IDs are passed through by default. In a Real-IP or NAT Gateway configuration, the VLAN identifiers are terminated at the CAS by default (that is, the identifiers are stripped from packets received on the trusted and untrusted interfaces). In contrast, if you enable VLAN ID passthrough, packets retain their VLAN identifiers.
Note
If you are unsure of which mode to use, you should use the default behavior of the CAS. 
For the VLAN identifier to be retained, passthrough only needs to be enabled on the interface that receives the packet (the first of the two interfaces the packet crosses). That is, if VLAN ID passthrough is enabled on the untrusted interface but terminated on the trusted interface, packets from the untrusted (managed) clients to the trusted network retain their identifiers, but packets from the trusted network to the untrusted (managed) clients have their identifiers removed. Note, however, that in most cases you would enable or disable VLAN ID passthrough on both interfaces.
A management VLAN identifier is a default VLAN identifier. If a packet does not have its own VLAN identifier, or if the identifier was stripped by the adjacent interface, the management VLAN identifier specified at the interface is added to the packet (so that it is routed properly through VLAN-enabled equipment on the network).
Note
The Clean Access Server is typically configured such that the untrusted interface is connected to a trunk port with multiple VLANs trunked to the port. In such a situation, the management VLAN ID is the VLAN ID of the VLAN to which the IP address of the CAS belongs.
Note
Role mapping rules can use the user’s VLAN ID as one of the attributes when assigning a user to a role. 
See the Cisco Clean Access Manager Installation and Administration Guide for details. 
Use care when configuring VLAN settings. Incorrect VLAN settings can cause the CAS to be inaccessible from the CAM web admin console. If you cannot access the CAS from the CAM after modifying the VLAN settings, you will need to access the CAS directly to correct its configuration, as
described in 
VLAN settings for the CAS are set under Device Management > CCA Servers > Manage [CAS_IP] > Network > IP. The settings are as follows:
  • Set management VLAN ID – The default VLAN identifier value added to packets that do not have an identifier. Set it at the untrusted interface to have the VLAN ID added to packets directed to managed clients, or at the trusted interface to have the VLAN ID added to packets destined for the trusted (protected) network.
  • Pass through VLAN ID to managed network / Pass through VLAN ID to protected network – If selected, VLAN identifiers in the packets are passed through the interface unmodified.
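The following is an added example, not code from Cisco or from the Clean Access product: it models the two settings above (per-interface VLAN ID passthrough and the management VLAN ID) as forwarding rules applied to raw 802.1Q Ethernet frames, so the interaction described earlier can be checked concretely. The rules it encodes are taken from this section: a tag survives only if passthrough is enabled on the interface that receives the frame, and a frame that is untagged at the egress interface (never tagged, or stripped on ingress) receives that interface's management VLAN ID if one is set. The interface names, VLAN numbers and the sample frame are constructed for the example; the `Interface` class and the `forward` function are hypothetical, not a CAS API.

```python
"""Added example: CAS-style VLAN termination / passthrough on 802.1Q frames.

Not Cisco code. It implements the rules stated in the guide's
"Understanding VLAN Settings" section; names and values are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # 802.1Q tag protocol identifier, sits where the EtherType would be


def vlan_id(frame: bytes) -> Optional[int]:
    """Return the 12-bit VID of a tagged frame, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("802.1Q TPID present but tag is truncated")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q tag (TPID + TCI) that follows the MAC addresses."""
    if vlan_id(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag carrying `vid` after the destination/source MACs."""
    if not 0 <= vid <= 4094:
        raise ValueError("VID must be 0..4094")
    tci = ((pcp & 0x7) << 13) | vid  # PCP (3 bits), DEI (0), VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


@dataclass
class Interface:
    """Hypothetical model of one CAS interface's two VLAN settings."""
    name: str
    passthrough: bool            # "Pass through VLAN ID to ... network"
    mgmt_vlan: Optional[int] = None  # "Set management VLAN ID", None if unset


def forward(frame: bytes, ingress: Interface, egress: Interface) -> bytes:
    """Apply the guide's rules: terminate on ingress unless passthrough is set,
    then add the egress interface's management VLAN if the frame is untagged."""
    if vlan_id(frame) is not None and not ingress.passthrough:
        frame = strip_tag(frame)                 # identifier terminated at the CAS
    if vlan_id(frame) is None and egress.mgmt_vlan is not None:
        frame = add_tag(frame, egress.mgmt_vlan)  # default VLAN added on the way out
    return frame


def build_frame(vid: Optional[int] = None, payload: bytes = b"\x45" * 20) -> bytes:
    """Constructed sample frame: fixed MACs, IPv4 EtherType, dummy payload."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    frame = dst + src + struct.pack("!H", 0x0800) + payload
    return add_tag(frame, vid) if vid is not None else frame


def demo() -> tuple:
    """The mixed configuration the guide describes: passthrough on the untrusted
    side, termination on the trusted side, management VLAN 10 facing clients.
    Returns the resulting VIDs for three frames."""
    untrusted = Interface("untrusted", passthrough=True, mgmt_vlan=10)
    trusted = Interface("trusted", passthrough=False)

    client_to_trusted = forward(build_frame(vid=20), untrusted, trusted)   # keeps 20
    trusted_to_client = forward(build_frame(vid=20), trusted, untrusted)   # 20 stripped, 10 added
    untagged_to_client = forward(build_frame(), trusted, untrusted)        # 10 added
    return (vlan_id(client_to_trusted), vlan_id(trusted_to_client), vlan_id(untagged_to_client))


if __name__ == "__main__":
    print(demo())  # (20, 10, 10)
```

Running `demo()` shows the asymmetry the text warns about: with passthrough enabled only on the untrusted interface, a client's tag reaches the trusted network unchanged, while traffic in the other direction loses its tag and leaves on the management VLAN instead. Enabling or disabling passthrough on both interfaces, as the guide recommends, removes that asymmetry.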
As mentioned, by setting the management VLAN ID value for the managed network, you can add VLAN ID tags to the outbound traffic of the entire managed network. You can also set VLAN IDs based on other characteristics. Specifically, the CAS can tag outbound traffic by:
  • Managed network (under Device Management > CCA Servers > Manage [CAS_IP] > Network > IP