Cisco Clean Access 3.5
Cisco Clean Access Server Installation and Administration Guide, OL-7045-01
Chapter 4 Clean Access Server Managed Domain
4-20
VLAN Mapping in Virtual Gateway Modes
For Clean Access Servers in Virtual Gateway mode only, the VLAN mapping form appears under Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping. This form allows you to map an untrusted interface VLAN ID to a trusted network VLAN ID.
Traffic going through the CAS will be VLAN-retagged according to this VLAN Mapping setting.
VLAN Mapping for In-Band
When a Clean Access Server operates in Virtual Gateway mode, it passes network traffic from its eth0 interface to eth1 and from eth1 to eth0 without changing the VLAN tag.
For In-Band configurations, in order to pass traffic from both interfaces through the same Layer 2 switch without creating a loop, it is necessary to place incoming traffic to the Clean Access Server on a different VLAN from the outgoing traffic of the Clean Access Server.
VLAN Mapping for Out-of-Band
In Out-of-Band Virtual Gateway mode, the OOB Cisco Clean Access Server uses VLAN mapping to retag an unauthenticated client’s allowed traffic (e.g. DHCP/DNS) from the Auth VLAN to the Access VLAN and vice versa. See the Cisco Clean Access Manager Installation and Administration Guide for further information.
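The retagging described in the two sections above (untrusted VLAN ID to trusted VLAN ID, and back again for the return traffic) can be modelled on an 802.1Q frame. The following is an added example, not code from the guide or from the Cisco product: it parses the 802.1Q tag, rewrites only the 12-bit VID according to a mapping table, and preserves the PCP/DEI bits and the rest of the frame. The eth1 = untrusted (Auth VLAN) and eth0 = trusted (Access VLAN) assignment follows the switch configuration given later on this page; the sample frame and MAC addresses are constructed, and dropping frames whose VLAN has no mapping entry is a modelling choice of this example, not documented CAS behaviour.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_vlan_frame(frame: bytes):
    """Split an 802.1Q-tagged Ethernet frame into its fields.

    Returns (dst, src, pcp_dei, vid, ethertype, payload). Raises ValueError
    for untagged or truncated frames so that nothing else is ever retagged."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    dst, src, tpid, tci, ethertype = struct.unpack("!6s6sHHH", frame[:18])
    if tpid != TPID_8021Q:
        raise ValueError("frame carries no 802.1Q tag")
    # TCI: upper 4 bits are PCP (3) + DEI (1), lower 12 bits are the VLAN ID
    return dst, src, tci >> 12, tci & 0x0FFF, ethertype, frame[18:]


def build_vlan_frame(dst, src, pcp_dei, vid, ethertype, payload):
    """Inverse of parse_vlan_frame."""
    tci = ((pcp_dei & 0xF) << 12) | (vid & 0x0FFF)
    return struct.pack("!6s6sHHH", dst, src, TPID_8021Q, tci, ethertype) + payload


class VlanMapper:
    """Models the CAS VLAN Mapping table: untrusted VLAN ID -> trusted VLAN ID."""

    def __init__(self, untrusted_to_trusted):
        if len(set(untrusted_to_trusted.values())) != len(untrusted_to_trusted):
            raise ValueError("trusted VLAN IDs must be unique so the reverse mapping is unambiguous")
        self.untrusted_to_trusted = dict(untrusted_to_trusted)
        self.trusted_to_untrusted = {t: u for u, t in untrusted_to_trusted.items()}

    def retag(self, frame, direction):
        """Rewrite only the VID; PCP/DEI and everything else pass through unchanged.

        direction is 'untrusted_to_trusted' (eth1 -> eth0) or 'trusted_to_untrusted'
        (eth0 -> eth1). Frames on a VLAN with no mapping entry are dropped (None);
        that is an assumption of this model, not documented CAS behaviour."""
        table = {"untrusted_to_trusted": self.untrusted_to_trusted,
                 "trusted_to_untrusted": self.trusted_to_untrusted}[direction]
        dst, src, pcp_dei, vid, ethertype, payload = parse_vlan_frame(frame)
        if vid not in table:
            return None
        return build_vlan_frame(dst, src, pcp_dei, table[vid], ethertype, payload)


def demo():
    """Constructed sample: a broadcast ARP frame from a client on Auth VLAN 610
    crosses the CAS towards the trusted side and is then mapped back."""
    mapper = VlanMapper({610: 10, 620: 20, 630: 30, 640: 40})
    client_frame = build_vlan_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                                    0, 610, 0x0806, b"<constructed arp request>")
    towards_trusted = mapper.retag(client_frame, "untrusted_to_trusted")
    back_to_client = mapper.retag(towards_trusted, "trusted_to_untrusted")
    return parse_vlan_frame(towards_trusted)[3], parse_vlan_frame(back_to_client)[3]


if __name__ == "__main__":
    print(demo())  # (10, 610)
```

The uniqueness check in the constructor matters: if two untrusted VLANs mapped to the same trusted VLAN, return traffic could not be placed back on the correct Auth VLAN.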
Switch Configuration for Out-of-Band Virtual Gateway Mode
Obtain the following VLAN IDs for Cisco Clean Access:
• VLAN for the Clean Access Manager (the management VLAN, e.g. 64)
• VLAN for the Clean Access Server (must be different from the CAM, a new management VLAN, e.g. 222)
• VLAN(s) for Access (e.g., 10, 20, 30, 40)
• VLAN(s) for Authentication (e.g. 610, 620, 630, 640)
• Dummy (unused) VLAN for native VLAN settings (e.g. 999)
Switch configuration on the switch interfaces connecting to eth0 of the CAS:
• switchport trunk encapsulation dot1q
• switchport trunk native vlan 999
• switchport trunk allowed vlan 10,20,30,40
Switch configuration on the switch interfaces connecting to eth1 of the CAS:
• switchport trunk encapsulation dot1q
• switchport trunk native vlan 999
• switchport trunk allowed vlan 610,620,630,640
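The VLAN IDs collected above and the two trunk configurations form one plan whose consistency is easy to get wrong (a CAS VLAN equal to the CAM VLAN, an Access VLAN also allowed on the eth1 trunk, a native VLAN that is not actually unused). The following is an added example, not code from the guide or from Cisco: it holds the plan, checks those invariants, derives the Auth-to-Access pairs for the VLAN Mapping form, and renders exactly the three trunk commands the page lists for each port. The default VLAN IDs are the page's own examples; the switch interface names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class OobVlanPlan:
    """VLAN IDs to obtain before configuring the switch (defaults are the page's examples)."""
    cam_vlan: int = 64                  # Clean Access Manager management VLAN
    cas_vlan: int = 222                 # Clean Access Server management VLAN (must differ from CAM)
    access_vlans: List[int] = field(default_factory=lambda: [10, 20, 30, 40])
    auth_vlans: List[int] = field(default_factory=lambda: [610, 620, 630, 640])
    native_vlan: int = 999              # dummy VLAN used only as the trunk native VLAN
    eth0_interface: str = "GigabitEthernet0/1"  # assumed name: switch port facing CAS eth0 (trusted)
    eth1_interface: str = "GigabitEthernet0/2"  # assumed name: switch port facing CAS eth1 (untrusted)


def validate_plan(plan: OobVlanPlan) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    everything = [plan.cam_vlan, plan.cas_vlan, plan.native_vlan,
                  *plan.access_vlans, *plan.auth_vlans]
    if any(not 1 <= v <= 4094 for v in everything):
        problems.append("every VLAN ID must be in the range 1..4094")
    if plan.cam_vlan == plan.cas_vlan:
        problems.append("CAS management VLAN must differ from the CAM VLAN")
    if len(plan.access_vlans) != len(plan.auth_vlans):
        problems.append("each Auth VLAN needs exactly one Access VLAN to map to")
    if (len(set(plan.access_vlans)) != len(plan.access_vlans)
            or len(set(plan.auth_vlans)) != len(plan.auth_vlans)):
        problems.append("Access and Auth VLAN lists must not contain duplicates")
    if set(plan.access_vlans) & set(plan.auth_vlans):
        problems.append("Access and Auth VLANs overlap: both CAS trunks would carry the "
                        "same VLAN through the same switch and close a loop")
    if plan.native_vlan in (plan.cam_vlan, plan.cas_vlan, *plan.access_vlans, *plan.auth_vlans):
        problems.append("native VLAN must be a dummy VLAN that carries no CCA traffic")
    return problems


def vlan_mapping(plan: OobVlanPlan) -> Dict[int, int]:
    """Untrusted (Auth) VLAN ID -> trusted (Access) VLAN ID, i.e. the VLAN Mapping form entries."""
    return dict(zip(plan.auth_vlans, plan.access_vlans))


def trunk_config(interface: str, native_vlan: int, allowed: List[int]) -> List[str]:
    """The three trunk commands the page lists, for one switch port."""
    return [
        f"interface {interface}",
        " switchport trunk encapsulation dot1q",
        f" switchport trunk native vlan {native_vlan}",
        " switchport trunk allowed vlan " + ",".join(str(v) for v in allowed),
    ]


def render_switch_config(plan: OobVlanPlan) -> str:
    """Validate the plan, then emit the eth0-side and eth1-side trunk configuration."""
    problems = validate_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    lines = trunk_config(plan.eth0_interface, plan.native_vlan, plan.access_vlans)
    lines.append("!")
    lines += trunk_config(plan.eth1_interface, plan.native_vlan, plan.auth_vlans)
    return "\n".join(lines)


if __name__ == "__main__":
    plan = OobVlanPlan()
    print(render_switch_config(plan))
    print("VLAN Mapping (untrusted -> trusted):", vlan_mapping(plan))
```

The overlap check is the one that prevents the loop condition described under "VLAN Mapping for In-Band": the two CAS trunks on the same switch must never be allowed the same VLAN.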
CAS eth0 and eth1 network settings (Device Management > CCA Servers > Manage [CAS_IP] > Network > IP):
• Set Trusted management VLAN ID (e.g. 222)