Cisco Clean Access 3.5

Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 2      Planning Your Deployment
Table 2-1    CAS Operating Mode Summary

CAS Type: NAT Gateway
Features and Advantages:
  • CAS performs NAT (Network Address Translation) or PAT (Port Address Translation) services, so that clients can use private addresses.
  • Performs DHCP address allocation for managed clients.
  • All traffic originating from managed clients appears on the trusted side as originating from the Clean Access Server.
  • Allows the use of a private address range for managed clients.
  • Setup is easy: does not involve setting up routes or creating subnets.
  • Only requires two IP addresses.

CAS Type: OOB Virtual Gateway
Features and Advantages:
  • CAS acts like a bridge for the managed network only during the authentication, posture assessment and remediation process.
  • CAS acts as a DHCP passthrough for the Authentication VLAN.
  • Once successfully logged on, user traffic bypasses the CAS and traverses the switch ports directly.
  • User can be logged out via role-based session timer or link-down SNMP traps.
  • Can be deployed in Edge or Core (central) switches.
  • No need to bounce client ports.
  • Recommended configuration if sharing ports between IP phones and PCs.

CAS Type: OOB Real-IP Gateway
Features and Advantages:
  • CAS acts as an inline L3 router for the managed network only during the authentication, posture assessment and remediation process.
  • CAS can perform DHCP services, or act as a DHCP relay.
  • User obtains DHCP address from the Authentication VLAN.
  • L3 Switch/router configuration: Configure CAS as default gateway for managed subnets.
  • Clients are assigned real IP addresses.
  • Once successfully logged on, user traffic bypasses the CAS and traverses the switch ports directly.
  • Need to bounce interface for client to acquire new DHCP address from the Access VLAN.

CAS Type: OOB NAT Gateway
Features and Advantages:
  • CAS acts as an inline L3 router for the managed network only during the authentication, posture assessment and remediation process.
  • CAS can perform DHCP services, or act as a DHCP relay.
  • User obtains DHCP address from the Authentication VLAN.
  • Allows private address range via NAT configuration.
  • L3 Switch/router configuration: Turn off routing for managed network on L3 Switch or router.
  • Clients are assigned NAT IP addresses while on the Authentication VLAN.
  • Once successfully logged on, user traffic bypasses the CAS and traverses the switch ports directly.
  • Need to bounce interface for client to acquire new DHCP address from the Access VLAN.