Cisco Clean Access 3.5
Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 4 Clean Access Server Managed Domain
Configuring Managed Subnets or Static Routes
This section describes the following:
•
•
•
Overview
For all CAS modes in L2 deployment (Real-IP/NAT/Virtual Gateway) when configuring additional
subnets, you must configure Managed Subnets in the CAS so that the CAS can send ARP queries with
appropriate VLAN IDs for client machines on the untrusted interface.
For all CAS modes in L3 deployments, only Static Routes should be configured in the CAS, and
managed subnets should be removed if previously configured. See
for details.
Note
In the case of a multi-hop L3 deployment where the VPN concentrator performs Proxy ARP for client
machines, managed subnets can be used instead of static routes and should be created in the CAS.
summarizes the steps required for each deployment. Forms mentioned below are located in the
CAS management pages under Device Management > CCA Servers > Manage [CAS_IP].
Table 4-2
Guidelines for Adding Managed Subnets vs. Static Routes

For Real-IP and NAT Gateways:

Layer 2—In-Band or Out-of-Band
(CAS has L2 proximity to users)
Add a managed subnet under Advanced > Managed Subnet to
assign the gateway IP address of the subnet to the CAS. For example, for
managed subnet:
10.10.10.1/255.255.255.0 vlan x
The CAS is the gateway (10.10.10.1) for this VLAN/subnet

Layer 3 (Multi-Hop)—In-Band Only
(e.g. CAS is behind VPN Concentrator or Router or L3 Switch)

If the router below the CAS performs proxy ARP:
Always add a managed subnet under Advanced > Managed Subnet

If the router below the CAS does NOT perform proxy ARP:
1. Always add static routes for the subnets on the untrusted
side under Advanced > Static Routes. For example:

Network Mask      Interface   Gateway
10.10.10.0 /24    eth1        10.10.10.1
10.10.20.0 /24    eth1        10.10.20.1

Note
/24 subnet mask = 255.255.255.0

2. Specify an ARP entry for the gateway IP that the CAS
needs to hold under Advanced > ARP. For example:
10.10.10.0 255.255.255.255 eth1
See
.