Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
OL-12213-01
Chapter 5 Clean Access Server Managed Domain
Configuring Managed Subnets or Static Routes
Figure 5-7 Configuring Static Routes for CAS in L3 Real-IP Gateway Deployment
Configure Managed Subnets for L2 Deployments
When the Clean Access Server is first added to the Clean Access Manager, the untrusted IP address
provided for the CAS is automatically assigned a VLAN ID of -1 to denote a Main Subnet. By default,
the untrusted network the Clean Access Server initially manages is the Main Subnet.
You can configure the CAS to manage additional subnets by adding them under Device Management >
CCA Servers > Manage [CAS_IP] > Advanced > Managed Subnet. In this case, the Clean Access
Server acts as the virtual default gateway for the managed subnets, and puts a virtual IP for the added
managed subnet on the untrusted interface.
Note
If the Clean Access Server is a Real-IP Gateway, you will need to add a static route on the upstream
router to send traffic to the CAS. For example, for managed subnet 10.0.0.0/24, you will need to add
static route 10.0.0.0/255.255.0.0 gateway <CAS_trusted_IP> to the upstream router.
To modify the Main Subnet of the CAS, go to Device Management > CCA Servers > Manage
[CAS_IP] > Network > IP. To change the VLAN ID of the Main Subnet, enter it in the Set management
VLAN ID field in the Untrusted Interface side of the form. If modifying the IP Address, Subnet Mask,
Default Gateway, or management VLAN ID for the untrusted interface of the CAS, you must click
Update then Reboot for the new settings to take effect on the CAS and on the network.
When you create a managed subnet, an ARP entry is automatically generated for the gateway of the
subnet. Therefore, to manage a subnet of 10.1.1.0/255.255.255.0, configure the managed subnet with the
following values:
• IP Address: 10.1.1.1 (if 10.1.1.1 is the desired default gateway)
[Figure 5-7 diagram. Labels: Rest of the Network; Clean Access Server; eth0; eth1; 10.10.0.1 / 255.255.0.0; L3 switch; 10.10.10.1; 10.10.20.1; Clients; 10.10.10.0/24; 10.10.20.0/24]
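A pre-check for values destined for the Managed Subnet form, added here as an illustration and not taken from the Cisco guide: it rejects an IP Address field that holds the network or broadcast address instead of the gateway, flags overlapping managed subnets, and prints the upstream static route a Real-IP Gateway deployment needs for each accepted entry. The function name, the sample entries and the trusted address 192.0.2.10 are constructed for the example.

```python
import ipaddress

def check_managed_subnets(entries, cas_trusted_ip):
    """Validate (ip_address, subnet_mask) pairs as typed into the form.

    Returns (routes, problems): one upstream static route per valid entry
    (needed only for a Real-IP Gateway) and a list of rejected entries.
    """
    routes, problems, accepted = [], [], []
    for ip, mask in entries:
        label = f"{ip}/{mask}"
        try:
            iface = ipaddress.IPv4Interface(label)
        except ValueError as exc:
            problems.append(f"{label}: invalid address or mask ({exc})")
            continue
        net = iface.network
        # The form wants the gateway address, because the CAS generates
        # an ARP entry for it; the bare network address is a common slip.
        if iface.ip == net.network_address:
            problems.append(f"{label}: network address, enter the gateway host")
            continue
        if iface.ip == net.broadcast_address:
            problems.append(f"{label}: broadcast address, enter the gateway host")
            continue
        clash = next((n for n in accepted if n.overlaps(net)), None)
        if clash is not None:
            problems.append(f"{label}: overlaps managed subnet {clash}")
            continue
        accepted.append(net)
        # Same "network/mask gateway <CAS_trusted_IP>" form the Note uses.
        routes.append(f"{net.network_address}/{net.netmask} gateway {cas_trusted_ip}")
    return routes, problems

if __name__ == "__main__":
    # Constructed sample entries; 192.0.2.10 stands in for <CAS_trusted_IP>.
    sample = [
        ("10.1.1.1", "255.255.255.0"),      # gateway of 10.1.1.0/24: accepted
        ("10.1.2.0", "255.255.255.0"),      # network address: rejected
        ("10.1.1.129", "255.255.255.128"),  # overlaps 10.1.1.0/24: rejected
    ]
    routes, problems = check_managed_subnets(sample, "192.0.2.10")
    for line in routes + problems:
        print(line)
```
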