Cisco Clean Access 3.5
2-3
Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 2 Planning Your Deployment
Clean Access Server Operating Modes
Virtual Gateway
In Virtual Gateway deployment, the Clean Access Server operates as a standard Ethernet bridge, but with the added functionality provided by the IP filter and IPSec module. This configuration is typically used when the untrusted network already has a gateway and you do not wish to alter the existing configuration.
For example, if there are two untrusted subnets, 10.1.1.0/24 and 10.1.2.0/24, with gateways 10.1.1.1 and 10.1.2.1, respectively, the CAS in Virtual Gateway mode is deployed between the untrusted subnets and their gateways (Figure 2-2). The untrusted subnets are configured as “Managed Subnets” in the CAS.
Note especially that:
• The CAS needs to have an IP address on each managed subnet.
• Traffic from clients must pass through the CAS before hitting the gateway.
Figure 2-2 Virtual Gateway Configuration
When the CAS is a Virtual Gateway:
• The CAS and CAM must be on different subnets.
• eth0 and eth1 of the Clean Access Server can have the same IP address.
• All end devices in the bridged subnet must be on the untrusted side of the CAS.
• The CAS should be configured for DHCP forwarding.
• Make sure to configure managed subnets for the CAS. For the example in Figure 2-2, you would configure two managed subnets:
– 10.1.1.2 / 255.255.255.0 (VLAN 1001)
– 10.1.2.2 / 255.255.255.0 (VLAN 1002)
When the CAS is an Out-of-Band Virtual Gateway, the following also applies:
• The CAS and CAM must be on different VLANs.
• The CAS should be on a different VLAN than the user or Access VLANs.
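The rules above (one CAS address per managed subnet, the existing gateway left in place, CAS and CAM on different subnets, one VLAN per managed subnet on the trunk) are easy to get wrong on paper. The following is an added planning check, not Cisco code and not part of this guide; it encodes those rules with Python's ipaddress module and runs them against the two-subnet example from this section. The CAM address 192.168.50.10 and the trunk VLAN set are constructed values, not taken from the manual.

```python
# Constructed values: the CAM address and trunk VLAN list below are not from the manual.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ManagedSubnet:
    cas_ip: str    # CAS address on the managed subnet, e.g. 10.1.1.2
    netmask: str   # dotted netmask as entered on the CAS, e.g. 255.255.255.0
    vlan: int      # VLAN ID the subnet carries on the 802.1q trunk
    gateway: str   # existing router gateway that stays in place, e.g. 10.1.1.1

def subnet_of(ms: ManagedSubnet) -> ipaddress.IPv4Network:
    # strict=False lets a host address plus mask describe its network
    return ipaddress.IPv4Network(f"{ms.cas_ip}/{ms.netmask}", strict=False)

def check_virtual_gateway(subnets, cam_ip, trunk_vlans):
    """Return a list of planning problems; an empty list means the plan follows the rules."""
    problems, seen_vlans = [], set()
    cam = ipaddress.IPv4Address(cam_ip)
    nets = [subnet_of(ms) for ms in subnets]
    for ms, net in zip(subnets, nets):
        cas, gw = ipaddress.IPv4Address(ms.cas_ip), ipaddress.IPv4Address(ms.gateway)
        if gw not in net:
            problems.append(f"gateway {gw} is not inside managed subnet {net}")
        if cas == gw:
            problems.append(f"CAS address {cas} collides with the existing gateway on {net}")
        if cam in net:
            problems.append(f"CAM {cam} sits on managed subnet {net}; CAS and CAM must be on different subnets")
        if ms.vlan in seen_vlans:
            problems.append(f"VLAN {ms.vlan} is assigned to more than one managed subnet")
        seen_vlans.add(ms.vlan)
        if ms.vlan not in trunk_vlans:
            problems.append(f"VLAN {ms.vlan} is not carried on the 802.1q trunk")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"managed subnets {a} and {b} overlap")
    return problems

# The two-subnet example from this section, with a constructed CAM address
PLAN = [
    ManagedSubnet("10.1.1.2", "255.255.255.0", 1001, "10.1.1.1"),
    ManagedSubnet("10.1.2.2", "255.255.255.0", 1002, "10.1.2.1"),
]
CAM_IP = "192.168.50.10"      # constructed: CAM on a separate management subnet
TRUNK_VLANS = {1001, 1002}

if __name__ == "__main__":
    for p in check_virtual_gateway(PLAN, CAM_IP, TRUNK_VLANS) or ["plan OK"]:
        print(p)
```

The check reports every violated rule at once, so a plan that places the CAM inside a managed subnet and forgets a VLAN on the trunk lists both findings rather than stopping at the first.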
[Figure 2-2 diagram: a Virtual Gateway Clean Access Server bridging Subnet 10.1.1.0/24 (VLAN 1001, CAS address 10.1.1.2, gateway 10.1.1.1) and Subnet 10.1.2.0/24 (VLAN 1002, CAS address 10.1.2.2, gateway 10.1.2.1) over an 802.1q trunk (1001,1002) to the Router (Gateway) and the rest of the network]