Cisco Clean Access 3.5
4-19
Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 4      Clean Access Server Managed Domain
Understanding VLAN Settings
  •  Managed subnet (under Device Management > CCA Servers > Manage [CAS_IP] > Advanced > Managed Subnet)
  •  User role (under User Management > User Roles > User Roles > New or Edit Role)
For example, if you set the VLAN ID for the faculty role to 1005, the CAS would set that VLAN ID on every packet belonging to a user in that role as the packet went from the untrusted side to the trusted side of the Clean Access Server.
In addition, once VLAN tagging is configured, traffic from users on a particular VLAN ID and authenticated by an external authentication source can be mapped to a specific user role (under User Management > Auth Servers > Mapping Rules). See the Cisco Clean Access Manager Installation and Administration Guide for details.
Enable Subnet-Based VLAN Retag in Virtual Gateway Mode
The Managed Subnet form (Device Management > CCA Servers > Manage [CAS_IP] > Advanced > Managed Subnet) allows you to add managed subnets for Clean Access Servers in Real-IP, NAT and Virtual Gateway modes as described in
Traffic originating from the untrusted interface of the CAS is tagged according to the VLAN ID set for the managed subnet. For CASes in Virtual Gateway mode only, the Enable subnet-based VLAN retag option appears at the top of the Managed Subnet form, as shown in Figure 4-10.
Figure 4-10      Enable Subnet-Based VLAN Retag for Virtual Gateway
This feature is more useful on wireless networks than on wired networks. For example, assume that a single CAS in Virtual Gateway mode is managing multiple subnets/VLANs, with each subnet on a separate VLAN. If a user is initially connected to an Access Point on VLAN A, the user will receive an IP address on subnet A. Assume that, due to overlapping wireless signals, the user is subsequently connected to an AP on VLAN B. If the Enable subnet-based VLAN retag feature is not enabled, the user's traffic will not be routed correctly, since their address is on subnet A (i.e. VLAN A) but their packets are tagged with VLAN B. This feature allows the CAS to retag packets based on the subnet to which they belong, thus enabling the packets to be routed correctly.
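The following Python model is an added illustration, not Cisco code and not part of this guide; it shows the three tagging behaviours described in this section side by side: the per-role VLAN ID (the faculty role / VLAN 1005 pairing from the example above), the mapping-rule lookup from arriving VLAN ID plus external auth source to a user role, and the subnet-based retag decision for the wireless roaming case. The subnets, VLAN IDs 101 and 102, the auth server name "campus-ldap" and the mapping rule are constructed values; how the real CAS orders role tagging against subnet retag is not stated on this page, so the two are kept as separate functions rather than combined.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed configuration tables (hypothetical values; only the faculty role /
# VLAN 1005 pairing comes from the guide's own example).
MANAGED_SUBNETS: Dict[ipaddress.IPv4Network, int] = {
    ipaddress.ip_network("10.10.1.0/24"): 101,  # "subnet A" on "VLAN A"
    ipaddress.ip_network("10.10.2.0/24"): 102,  # "subnet B" on "VLAN B"
}
ROLE_VLANS: Dict[str, int] = {"faculty": 1005}
# Mapping rules: (external auth server, VLAN ID the user arrived on) -> user role
MAPPING_RULES: Dict[Tuple[str, int], str] = {("campus-ldap", 101): "faculty"}


@dataclass
class Packet:
    src_ip: str
    vlan_id: Optional[int]       # 802.1Q tag as seen on the untrusted interface
    role: Optional[str] = None   # role of the authenticated user, if known


def subnet_vlan(src_ip: str) -> Optional[int]:
    """VLAN ID configured for the managed subnet containing src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for net, vlan in MANAGED_SUBNETS.items():
        if addr in net:
            return vlan
    return None


def role_tag(pkt: Packet) -> Optional[int]:
    """Per-role tagging: a packet from a user in a role with a VLAN ID set gets that ID."""
    return ROLE_VLANS.get(pkt.role) if pkt.role else None


def subnet_retag(pkt: Packet, enabled: bool) -> Optional[int]:
    """Subnet-based retag (Virtual Gateway mode): when enabled, tag by the managed
    subnet the source address belongs to; otherwise the arriving tag is kept."""
    if enabled:
        vlan = subnet_vlan(pkt.src_ip)
        if vlan is not None:
            return vlan
    return pkt.vlan_id


def map_role(auth_server: str, arriving_vlan: int) -> Optional[str]:
    """Mapping-rule lookup: VLAN ID + external authentication source -> user role."""
    return MAPPING_RULES.get((auth_server, arriving_vlan))


def roaming_scenario() -> Dict[str, Optional[int]]:
    """The guide's wireless case: a client addressed on subnet A roams to an AP on VLAN B."""
    pkt = Packet(src_ip="10.10.1.25", vlan_id=102)  # constructed roaming client
    return {
        "retag_disabled": subnet_retag(pkt, enabled=False),  # stays VLAN B: misrouted
        "retag_enabled": subnet_retag(pkt, enabled=True),    # becomes VLAN A: routed correctly
    }


if __name__ == "__main__":
    print(roaming_scenario())
    print(role_tag(Packet("10.10.1.25", 101, role="faculty")))
    print(map_role("campus-ldap", 101))
```

With the retag option off, the roaming client's packets leave the CAS still tagged 102 although its address lives on the VLAN 101 subnet, which is exactly the misrouting the paragraph above describes; with it on, the tag follows the subnet. When reviewing a CAS configuration, checking that every wireless subnet is listed under Managed Subnet with the right VLAN ID is what makes the retag decision correct.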