Cisco Clean Access 3.5

4-4
Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 4      Clean Access Server Managed Domain
Add the CAS to the CAM
IP Addressing Considerations
Note the following:

• eth0 and eth1 generally correlate to the first two network cards—NIC 1 and NIC 2—on most types of server hardware.
• If using DHCP relay, make sure the DHCP server has a route back to the managed subnets.

Real-IP:

• The trusted (eth0) and untrusted (eth1) interfaces of the CAS must be on different subnets.
• On the L3 router in your network, you must add a static route for the managed subnets to the trusted interface (eth0) of the CAS.

NAT Gateway Mode:

• The trusted (eth0) and untrusted (eth1) interfaces of the CAS must be on different subnets.

Virtual Gateway Mode:

• The CAS and CAM must be on different subnets.
• The trusted (eth0) and untrusted (eth1) interfaces of the CAS can have the same IP address.
• All end devices in the bridged subnet must be on the untrusted side of the CAS.
• The CAS should be configured for DHCP forwarding.
• Make sure to configure managed subnets for the CAS.
• The CAS needs to have an IP address on each managed subnet.
• Traffic from clients must pass through the CAS before hitting the gateway.

When the CAS is an Out-of-Band Virtual Gateway, the following also applies:

• The CAS interfaces must be on a separate VLAN from the CAM.
• The CAS should be on a different VLAN than the user or Access VLANs.

Note: For Virtual Gateway (In-Band or OOB), it is recommended to connect the untrusted interface (eth1) of the CAS to the switch only after the CAS has been added to the CAM via the web console.

• For Virtual Gateway with VLAN mapping (In-Band or OOB), the untrusted interface (eth1) of the CAS should not be connected to the switch until VLAN mapping has been configured correctly under Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping. See Additional Notes for Virtual Gateway with VLAN Mapping (L2 Deployments).

Additional Notes for Virtual Gateway with VLAN Mapping (L2 Deployments)

1. There should be a management VLAN setting on the CAS IP page (and in your network configuration) to allow communication to the CAS’s trusted and untrusted IP addresses.
2. The Native VLAN ID on the switch ports to which CAS eth0 and eth1 are connected should ideally be two otherwise unused VLAN IDs (e.g. 999, 998). Choose any two VLAN IDs from a range that you are not using anywhere on your network.
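The addressing rules above (per-mode subnet separation, CAS/CAM separation, an IP on every managed subnet, the OOB VLAN rules and the unused native VLANs from the L2 notes) are easy to get wrong during planning and are only discovered once clients cannot reach the gateway. The following pre-check is an added example written for this guide, not Cisco code and not a Clean Access feature: it encodes those rules as a validator over a planned deployment, and for Real-IP mode emits the static routes the upstream L3 router needs. The `CasPlan` fields, the mode names, and all addresses and VLAN IDs in the sample plans are constructed for the example.

```python
"""Pre-check a planned Clean Access Server deployment against the IP-addressing rules
listed in this section. Added example; the field names and all sample values are
constructed and are not part of the Cisco product."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class CasPlan:
    """Planned addressing for one CAS (every value is an input to the check)."""
    mode: str                                              # "real-ip", "nat", "virtual" or "virtual-oob"
    eth0: str                                              # trusted interface, e.g. "10.10.1.5/24"
    eth1: str                                              # untrusted interface
    cam: str                                               # Clean Access Manager address
    managed_subnets: List[str] = field(default_factory=list)
    cas_addresses: List[str] = field(default_factory=list)  # extra CAS IPs on managed subnets
    cas_vlan: Optional[int] = None                         # VLAN carrying the CAS interfaces (OOB)
    cam_vlan: Optional[int] = None
    user_vlans: Set[int] = field(default_factory=set)      # user / Access VLANs
    native_vlans: Tuple[int, ...] = ()                     # native VLAN on the eth0 and eth1 switch ports
    in_use_vlans: Set[int] = field(default_factory=set)    # every VLAN ID already used on the network


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_interface(cidr).network


def check_plan(p: CasPlan) -> List[str]:
    """Return the rules from this section that the plan violates (empty list means none)."""
    problems = []
    eth0, eth1, cam = _net(p.eth0), _net(p.eth1), _net(p.cam)

    # Real-IP and NAT Gateway: the two CAS interfaces must sit on different subnets.
    if p.mode in ("real-ip", "nat") and eth0 == eth1:
        problems.append("trusted (eth0) and untrusted (eth1) interfaces must be on different subnets")

    # Virtual Gateway: eth0/eth1 may share an address, but CAS and CAM must differ,
    # managed subnets must exist, and the CAS needs an IP on each of them.
    if p.mode in ("virtual", "virtual-oob"):
        if cam in (eth0, eth1):
            problems.append("CAS and CAM must be on different subnets")
        if not p.managed_subnets:
            problems.append("no managed subnets configured for the CAS")
        cas_nets = {eth0, eth1} | {_net(a) for a in p.cas_addresses}
        for m in p.managed_subnets:
            if ipaddress.ip_network(m) not in cas_nets:
                problems.append(f"CAS has no IP address on managed subnet {m}")

    # Out-of-Band Virtual Gateway: separate VLAN from the CAM and from user VLANs.
    if p.mode == "virtual-oob":
        if p.cas_vlan is None or p.cas_vlan == p.cam_vlan:
            problems.append("CAS interfaces must be on a separate VLAN from the CAM")
        if p.cas_vlan in p.user_vlans:
            problems.append("CAS should not share a VLAN with the user/Access VLANs")

    # L2 note 2: native VLANs on the eth0/eth1 ports should be two otherwise unused IDs.
    if p.native_vlans:
        if len(p.native_vlans) != 2 or p.native_vlans[0] == p.native_vlans[1]:
            problems.append("native VLAN IDs on the eth0 and eth1 ports should be two distinct IDs")
        for v in set(p.native_vlans):
            if v in p.in_use_vlans or v in p.user_vlans or v in (p.cas_vlan, p.cam_vlan):
                problems.append(f"native VLAN {v} is already in use elsewhere on the network")
    return problems


def required_static_routes(p: CasPlan) -> List[str]:
    """Real-IP only: static routes the upstream L3 router needs, in IOS-style syntax,
    sending each managed subnet to the CAS trusted interface (eth0)."""
    if p.mode != "real-ip":
        return []
    next_hop = ipaddress.ip_interface(p.eth0).ip
    return [f"ip route {n.network_address} {n.netmask} {next_hop}"
            for n in map(ipaddress.ip_network, p.managed_subnets)]


# Constructed sample plans (not real addresses): one compliant OOB plan and two faulty ones.
GOOD_OOB_PLAN = CasPlan(
    mode="virtual-oob", eth0="10.10.1.5/24", eth1="10.10.1.5/24", cam="10.10.0.10/24",
    managed_subnets=["10.20.0.0/24", "10.21.0.0/24"],
    cas_addresses=["10.20.0.2/24", "10.21.0.2/24"],
    cas_vlan=100, cam_vlan=10, user_vlans={200, 201},
    native_vlans=(998, 999), in_use_vlans={10, 100, 200, 201})
BAD_REAL_IP_PLAN = CasPlan(
    mode="real-ip", eth0="10.10.1.5/24", eth1="10.10.1.6/24", cam="10.10.0.10/24",
    managed_subnets=["10.20.0.0/24"])
BAD_OOB_PLAN = CasPlan(
    mode="virtual-oob", eth0="10.10.1.5/24", eth1="10.10.1.5/24", cam="10.10.1.9/24",
    managed_subnets=["10.20.0.0/24"], cas_vlan=10, cam_vlan=10, user_vlans={200},
    native_vlans=(200, 200), in_use_vlans={10, 200})

if __name__ == "__main__":
    for name, plan in (("good-oob", GOOD_OOB_PLAN), ("bad-real-ip", BAD_REAL_IP_PLAN), ("bad-oob", BAD_OOB_PLAN)):
        print(name, check_plan(plan) or "OK", required_static_routes(plan))
```

Run it before cabling eth1: a plan that returns no problems still has to be checked against the switch configuration, since the validator only sees what you typed into it, not the live VLAN assignments.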