Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 4 Switch Management: Configuring Out-of-Band (OOB) Deployment
Deployment Modes
Once the client is authenticated and certified (i.e. on the Certified List), the CAM instructs the switch to change the VLAN of the client port to the Access VLAN specified in the Port Profile of the port ( ). Once the client is on the Access VLAN, the switch no longer directs the client's traffic to the untrusted interface of the CAS. At this point the client is on the trusted network and is considered to be out-of-band.
In the event the user reboots the client machine, unplugs it from the network, or the switch port goes down, this triggers the switch to send a linkdown trap to the CAM. Thereafter, the client port behavior depends on the Port Profile settings for the specific port (see for details).
Note
You can configure the Initial VLAN of the port to be the Access VLAN. See for details.
Out-of-Band Virtual Gateway Deployment
An out-of-band Virtual Gateway deployment provides the following benefits:
• The client never needs to change its IP address from the time it is acquired to the time the client gains actual network access on the Access VLAN.
• For L2 users, static routes are not required.
In out-of-band Virtual Gateway mode, the Clean Access Server uses the VLAN mapping feature to retag the unauthenticated client's allowed traffic (such as DNS or DHCP requests) from the Authentication VLAN to the Access VLAN and vice versa. In this way, no new client IP address is needed when the client is eventually switched to the Access VLAN, because the DHCP-acquired IP address is already paired with the Access VLAN ID.
Note
In an environment where there is an 802.1q trunk to the CAS, the CAS will bridge two VLANs together. This "retagging" is the rewriting of the 802.1q Ethernet header with a new VLAN ID. This feature does not apply when there is only one Authentication VLAN and one Access VLAN, as no frames are tagged.
illustrates out-of-band Virtual Gateway mode using an L3 router/switch. The router/switch receives traffic from the Auth VLAN as Layer 2 traffic and forwards it to the untrusted side of the Clean Access Server. The Virtual Gateway Clean Access Server performs VLAN mapping for allowed traffic (DNS, DHCP) from the Auth VLAN (untrusted interface) to the Access VLAN (trusted interface) and vice versa. The router/switch receives traffic from the Access VLAN as Layer 3 traffic and routes it accordingly.
illustrates the client authentication and access path for the OOB Virtual Gateway example described below. In this example, the Authentication VLAN is 100, and the Access VLAN is 10.