Cisco NAC Appliance 4.1.0
5-28
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
OL-12213-01
Chapter 5 Clean Access Server Managed Domain
VLAN Mapping in Virtual Gateway Modes
For Clean Access Servers in Virtual Gateway mode only, the VLAN mapping form appears under Device
Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping. This form allows
you to map an untrusted interface VLAN ID to a trusted network VLAN ID.
Traffic going through the CAS will be VLAN-retagged according to this VLAN Mapping setting.
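The retagging behaviour described above, as an added model written for this page (not Cisco code and not the CAS implementation). It assumes the mapping is one-to-one and is applied in both directions (untrusted to trusted on the way in, the inverse on the way back), and that untagged frames and frames on a VLAN with no mapping are dropped rather than passed. The VLAN numbers 110/120 and 10/20 are constructed sample values.

```python
"""Model of CAS Virtual Gateway VLAN mapping (added illustration, not Cisco code).

Assumptions of this model: the mapping is applied in both directions
(untrusted->trusted on the way in, the inverse on the way back), it is
one-to-one, and anything untagged or unmapped is dropped.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Frame:
    vlan: Optional[int]   # 802.1Q VID; None means the frame arrived untagged
    payload: bytes


class VirtualGatewayMapper:
    def __init__(self, mapping: Dict[int, int]):
        # The guide says not to use VLAN 1 on either CAS port, so refuse it here,
        # and refuse a VLAN that would be common to the trusted and untrusted ports.
        for untrusted, trusted in mapping.items():
            if 1 in (untrusted, trusted):
                raise ValueError(f"VLAN 1 must not appear in a mapping ({untrusted} -> {trusted})")
            if untrusted == trusted:
                raise ValueError(f"VLAN {untrusted} would be common to both CAS ports")
        # One-to-one is a requirement of this model so the reverse path is unambiguous.
        if len(set(mapping.values())) != len(mapping):
            raise ValueError("two untrusted VLANs map to the same trusted VLAN")
        self.untrusted_to_trusted = dict(mapping)
        self.trusted_to_untrusted = {t: u for u, t in mapping.items()}

    @staticmethod
    def _retag(frame: Frame, table: Dict[int, int]) -> Optional[Frame]:
        if frame.vlan is None:
            return None            # untagged: lands on the dummy VLAN and is dropped
        target = table.get(frame.vlan)
        if target is None:
            return None            # no mapping for this VLAN: the CAS does not pass it
        return Frame(target, frame.payload)

    def to_trusted(self, frame: Frame) -> Optional[Frame]:
        """Frame entering on the untrusted interface, leaving on the trusted one."""
        return self._retag(frame, self.untrusted_to_trusted)

    def to_untrusted(self, frame: Frame) -> Optional[Frame]:
        """Return traffic: trusted-side tag rewritten back to the untrusted VLAN."""
        return self._retag(frame, self.trusted_to_untrusted)


def summarize(mapper: VirtualGatewayMapper, frames: List[Frame]) -> Dict[str, int]:
    """Count how a batch of untrusted-side frames is treated by the mapper."""
    counts = {"retagged": 0, "dropped_untagged": 0, "dropped_unmapped": 0}
    for f in frames:
        if f.vlan is None:
            counts["dropped_untagged"] += 1
        elif mapper.to_trusted(f) is None:
            counts["dropped_unmapped"] += 1
        else:
            counts["retagged"] += 1
    return counts


if __name__ == "__main__":
    # Constructed mapping: untrusted 110 -> trusted 10, untrusted 120 -> trusted 20.
    mapper = VirtualGatewayMapper({110: 10, 120: 20})
    sample = [Frame(110, b"a"), Frame(120, b"b"), Frame(None, b"c"), Frame(130, b"d")]
    print(summarize(mapper, sample))
```

Running the module prints the counts for the constructed batch: two frames retagged, one untagged frame dropped, one frame on an unmapped VLAN dropped. The point of the `None` returns is that the CAS never falls back to passing a frame on its incoming tag; if there is no mapping, there is no path.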
Native VLAN, Management VLAN, Dummy VLAN
For best practice purposes, and to prevent trunking configuration issues for Virtual Gateway
deployments, Cisco NAC Appliance requires differentiating native, management, and dummy VLANs
when configuring your switches.
Caution
Do not put the Clean Access Server on VLAN 1.
A native VLAN is present whether or not one is declared; the default is VLAN 1. By default all Cisco
switches have their ports configured to be in VLAN 1, and a trunk link has the native VLAN set as VLAN
1. In addition to the well-known vulnerabilities associated with VLAN 1, and because the CAS is a security
appliance, Cisco explicitly recommends setting the native VLAN to a VLAN other than VLAN 1. This ensures
that no traffic is unknowingly passed to or through the CAS on this VLAN. For example, a
misconfiguration on the trunk link or unknown traffic on VLAN 1 (such as a user connecting a laptop to
an unused port left on the default VLAN 1) will then not cause any problems on the CAS.
Note
The VLAN 1 restriction is required for the CAS, and highly recommended for the CAM. Because of the
configuration requirements on the CAS in Virtual Gateway mode, where no common VLANs should
exist between the trusted and untrusted port, VLAN 1 should not be used at all on either the trusted port
or the untrusted port. This ensures that a Layer 2 loop cannot occur on VLAN 1 due to misconfiguration.
Although the management VLAN could be the native VLAN, setting the management VLAN to another
value also ensures that all traffic that passes to or through the CAS is tagged and that there is no question
that the CAS properly associates the traffic either to the Management VLAN of the CAS or to the VLAN
mappings from the untrusted to trusted interface of the CAS. For this reason, the “dummy” VLAN is
also used so that any untagged packet is correctly dropped.
Note
The Management VLAN for the CAS is set under Network > IP. VLAN mappings are set on the CAS
under Advanced > VLAN Mapping.
Best practice dictates the use of different dummy VLAN IDs, for example 998 and 999, for the native
VLANs on the eth0 and eth1 interfaces of the CAS. This ensures that untagged traffic is dropped and is
never passed unknowingly between the Untrusted and Trusted CAS interfaces. The CAS should not pass
the traffic in either case without a VLAN mapping. However, the use of different dummy VLAN IDs
prevents the possibility of manual/administrator errors resulting in the incorrect passing of traffic to or
through the CAS via the native VLAN.
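The switch-side rules in this section (native VLAN not 1, VLAN 1 absent from both CAS-facing trunks, different dummy VLAN IDs for the native VLANs on the two ports, and no VLAN common to the trusted and untrusted ports) can be checked mechanically against a running configuration. The following audit script is an added example written for this page; it is not a Cisco tool. The interface names, the IOS-style stanzas and the VLAN numbers 998/999, 10/20 and 110/120 are constructed sample data, and the script assumes the usual IOS defaults (native VLAN 1 and all VLANs allowed when no `switchport trunk` statement overrides them).

```python
"""Audit the switch trunks facing a CAS in Virtual Gateway mode.

Added example for this page, not Cisco's tool. Parses IOS-style interface
stanzas and reports violations of the native/dummy VLAN best practice.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample config that follows the best practice: dummy native VLANs
# 998 (trusted side) and 999 (untrusted side), VLAN 1 nowhere, disjoint VLAN sets.
GOOD_CONFIG = """
interface GigabitEthernet1/0/1
 description CAS eth0 (trusted)
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,998
!
interface GigabitEthernet1/0/2
 description CAS eth1 (untrusted)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 110,120,999
!
"""

# Constructed sample that breaks the rules: VLAN 1 allowed on the trusted trunk,
# the untrusted trunk left on the default native VLAN 1, and VLAN 10 on both ports.
BAD_CONFIG = """
interface GigabitEthernet1/0/1
 description CAS eth0 (trusted)
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 1,10,20,998
!
interface GigabitEthernet1/0/2
 description CAS eth1 (untrusted)
 switchport mode trunk
 switchport trunk allowed vlan 10,110,120
!
"""

ALL_VLANS: Set[int] = set(range(1, 4095))   # IOS default for "allowed vlan"


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20,30-32' into a set of VIDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_trunks(config: str) -> Dict[str, dict]:
    """Return {interface: {native, allowed}} for every trunk-mode interface."""
    stanzas: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = {"trunk": False, "native": 1, "allowed": None}
            stanzas[m.group(1)] = current
            continue
        if current is None:
            continue
        line = raw.strip()
        if line == "switchport mode trunk":
            current["trunk"] = True
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            current["native"] = int(m.group(1))
        m = re.match(r"switchport trunk allowed vlan (.+)$", line)
        if m:
            current["allowed"] = parse_vlan_list(m.group(1))
    return {name: s for name, s in stanzas.items() if s["trunk"]}


def audit_cas_trunks(config: str, trusted_if: str, untrusted_if: str) -> List[str]:
    """Findings (empty list = compliant) for the two CAS-facing trunk ports."""
    trunks = parse_trunks(config)
    findings: List[str] = []
    sides: Dict[str, dict] = {}
    for role, name in (("trusted", trusted_if), ("untrusted", untrusted_if)):
        t = trunks.get(name)
        if t is None:
            findings.append(f"{name} ({role}): not configured as a trunk")
            continue
        allowed = t["allowed"] if t["allowed"] is not None else ALL_VLANS
        if t["native"] == 1:
            findings.append(f"{name} ({role}): native VLAN is 1 (set a dummy VLAN)")
        if 1 in allowed:
            findings.append(f"{name} ({role}): VLAN 1 is allowed on the trunk")
        sides[role] = {"native": t["native"], "allowed": allowed}
    if len(sides) == 2:
        if sides["trusted"]["native"] == sides["untrusted"]["native"]:
            findings.append("same dummy/native VLAN on both CAS ports; use different IDs")
        common = sides["trusted"]["allowed"] & sides["untrusted"]["allowed"]
        if common:
            findings.append(f"VLANs common to both CAS ports: {sorted(common)[:10]}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_cas_trunks(cfg, "GigabitEthernet1/0/1", "GigabitEthernet1/0/2"))
```

The "no common VLANs" check is the one most worth automating: a single VLAN allowed on both trunks is exactly the configuration under which a Layer 2 loop through the CAS becomes possible, and it is easy to introduce by copying one port's `allowed vlan` line to the other.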