Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
OL-12213-01
Chapter 2 Planning Your Deployment
CAS Operating Mode Summary
Table 2-1 summarizes the features and advantages for each operating mode.

Table 2-1 CAS Operating Mode Summary (columns: CAS Type, Features, Advantages)

Virtual Gateway
• CAS acts like a bridge for the managed network.
• CAS acts as a DHCP passthrough.
• CAS acts in an unobtrusive manner.
• Good if you do not want to modify the existing network.
• There is no need to define static routes on the main router.

Real-IP Gateway
• CAS acts as a gateway for the managed subnet.
• CAS is designated as a static route for the managed subnet.
• CAS can perform DHCP services, or act as a DHCP relay.
• Good for situations in which a new subnet can be used for the managed network.
• Clients are assigned real IP addresses.
• Takes advantage of the CAS’s advanced DHCP services.

NAT Gateway
• CAS performs NAT (Network Address Translation) or PAT (Port Address Translation) services, so that clients can use private addresses.
• Performs DHCP address allocation for managed clients.
• All traffic originating from managed clients appears on the trusted side as originating from the Clean Access Server.
• Allows the use of a private address range for managed clients.
• Setup is easy: does not involve setting up routes or creating subnets.
• Only requires two IP addresses.

OOB Virtual Gateway
• CAS acts like a bridge for the managed network only during the authentication, posture assessment and remediation process.
• CAS acts as a DHCP passthrough for Authentication VLAN.
• Once successfully logged on, user traffic bypasses the CAS and traverses the switch ports directly.
• User can be logged out via role-based session timer or link-down SNMP traps.
• Can be deployed in Edge or Core (central) switches.
• No need to bounce client ports.
• Recommended configuration if sharing ports between IP phones and PCs.