Cisco Clean Access 3.5

2-3
Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 2 Planning Your Deployment
Clean Access Server Operating Modes
Virtual Gateway
In Virtual Gateway deployment, the Clean Access Server operates as a standard Ethernet bridge, but with the added functionality provided by the IP filter and IPSec module. This configuration is typically used when the untrusted network already has a gateway and you do not wish to alter the existing configuration.
For example, if there are two untrusted subnets, 10.1.1.0/24 and 10.1.2.0/24, with gateways 10.1.1.1 and 10.1.2.1, respectively, the CAS in Virtual Gateway mode is deployed between the untrusted subnets and their gateways (Figure 2-2). The untrusted subnets are configured as “Managed Subnets” in the CAS.
Note especially that:
  • The CAS needs to have an IP address on each managed subnet.
  • Traffic from clients must pass through the CAS before hitting the gateway.
Figure 2-2
Virtual Gateway Configuration
When the CAS is a Virtual Gateway:
  • The CAS and CAM must be on different subnets.
  • eth0 and eth1 of the Clean Access Server can have the same IP address.
  • All end devices in the bridged subnet must be on the untrusted side of the CAS.
  • The CAS should be configured for DHCP forwarding.
  • Make sure to configure managed subnets for the CAS. For the example in Figure 2-2, you would configure two managed subnets (CAS address / netmask, VLAN):
    – 10.1.1.2 / 255.255.255.0 1001
    – 10.1.2.2 / 255.255.255.0 1002
When the CAS is an Out-of-Band Virtual Gateway, the following also applies:
  • The CAS and CAM must be on different VLANs.
  • The CAS should be on a different VLAN than the user or Access VLANs.
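The constraints above can be checked before the CAS is racked. The following is an added example, not Cisco code: it takes the two managed subnets from Figure 2-2 and verifies that the CAS has an address on each, that the existing gateway is on the same subnet, that the CAM sits on a different subnet, and that every managed VLAN is carried on the 802.1q trunk; the CAM address and the optional CAS-VLAN check for Out-of-Band mode are assumptions.

```python
import ipaddress

def check_virtual_gateway(managed, cam_ip, trunk_vlans, cas_vlan=None, access_vlans=()):
    """Return a list of findings; an empty list means the plan meets the constraints.

    managed: one dict per managed subnet with keys 'subnet' (untrusted subnet),
    'gateway' (its existing gateway), 'cas_ip' (CAS address on it), 'vlan'.
    """
    findings = []
    seen_vlans = set()
    cam = ipaddress.ip_address(cam_ip)
    for m in managed:
        net = ipaddress.ip_network(m["subnet"])
        cas = ipaddress.ip_address(m["cas_ip"])
        gw = ipaddress.ip_address(m["gateway"])
        # The CAS needs its own IP address on each managed subnet.
        if cas not in net:
            findings.append(f"CAS address {cas} is not on managed subnet {net}")
        # The existing gateway stays in place, so it must sit on that same subnet,
        # and the CAS must not reuse its address.
        if gw not in net:
            findings.append(f"gateway {gw} is not on managed subnet {net}")
        if cas == gw:
            findings.append(f"CAS address {cas} duplicates the gateway on {net}")
        # The CAS and CAM must be on different subnets.
        if cam in net:
            findings.append(f"CAM {cam} shares managed subnet {net} with the CAS")
        # Each managed subnet is carried on its own VLAN over the 802.1q trunk.
        if m["vlan"] in seen_vlans:
            findings.append(f"VLAN {m['vlan']} is assigned to more than one managed subnet")
        seen_vlans.add(m["vlan"])
        if m["vlan"] not in trunk_vlans:
            findings.append(f"VLAN {m['vlan']} is not carried on the 802.1q trunk")
    # Out-of-Band Virtual Gateway: the CAS VLAN must differ from user/Access VLANs.
    if cas_vlan is not None and cas_vlan in (set(access_vlans) | seen_vlans):
        findings.append(f"CAS VLAN {cas_vlan} collides with a user/Access VLAN")
    return findings

# The two managed subnets of Figure 2-2 (constructed from the page's values).
FIGURE_2_2 = [
    {"subnet": "10.1.1.0/24", "gateway": "10.1.1.1", "cas_ip": "10.1.1.2", "vlan": 1001},
    {"subnet": "10.1.2.0/24", "gateway": "10.1.2.1", "cas_ip": "10.1.2.2", "vlan": 1002},
]
CAM_IP = "10.1.3.10"        # assumed: CAM on a third subnet, as the page requires
TRUNK_VLANS = {1001, 1002}  # from the figure's 802.1q trunk (1001,1002)

if __name__ == "__main__":
    for finding in check_virtual_gateway(FIGURE_2_2, CAM_IP, TRUNK_VLANS) or ["plan is consistent"]:
        print(finding)
```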
[Figure 2-2, Virtual Gateway Configuration: the Router (Gateway), with addresses 10.1.1.1 and 10.1.2.1, connects to the rest of the network; the Clean Access Server (Virtual Gateway), with 10.1.1.2 on Subnet 10.1.1.0/24 (VLAN 1001) and 10.1.2.2 on Subnet 10.1.2.0/24 (VLAN 1002), sits between the router and the two subnets over an 802.1q Trunk (1001,1002).]