Cisco NAC Appliance 4.1.0
5-29
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
OL-12213-01
Chapter 5 Clean Access Server Managed Domain
VLAN Mapping in Virtual Gateway Modes
VLAN Mapping for In-Band
When a Clean Access Server operates in Virtual Gateway mode, it passes network traffic from its eth0
interface to eth1 and from eth1 to eth0 without changing the VLAN tag.
For In-Band configurations, in order to pass traffic from both interfaces through the same Layer 2 switch
without creating a loop, it is necessary to place incoming traffic to the Clean Access Server on a different
VLAN from the outgoing traffic of the Clean Access Server.
VLAN Mapping for Out-of-Band
In Out-of-Band Virtual Gateway mode, the OOB Clean Access Server uses VLAN mapping to retag an
unauthenticated client’s allowed traffic (e.g. DHCP/DNS) from the Authentication VLAN to the Access
VLAN and vice versa.
Note
See the Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide for all
other details on OOB configuration.
Switch Configuration for Out-of-Band Virtual Gateway Mode
Obtain the following VLAN IDs for Cisco NAC Appliance:
• VLAN for the Clean Access Manager (the management VLAN, e.g. 64)
• VLAN for the Clean Access Server (a new management VLAN, e.g. 222)
Note
For a Virtual Gateway, the management VLAN for the CAS must be different from the management VLAN for the CAM.
• VLAN(s) for Access (e.g., 10, 20, 30, 40)
• VLAN(s) for Authentication (e.g. 610, 620, 630, 640)
• Dummy (unused) VLAN for native VLAN settings on switch interfaces connected to the CAS
interfaces (e.g. 998, 999)
Example switch configuration on the switch interfaces connecting to eth0 of the CAS:
• switchport trunk encapsulation dot1q
• switchport trunk native vlan 998
• switchport trunk allowed vlan 10,20,30,40,222
Example switch configuration on the switch interfaces connecting to eth1 of the CAS:
• switchport trunk encapsulation dot1q
• switchport trunk native vlan 999
• switchport trunk allowed vlan 610,620,630,640
CAS eth0 and eth1 network settings:
(Device Management > CCA Servers > Manage [CAS_IP] > Network > IP):
• Set Trusted management VLAN ID (e.g. 222)
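The VLAN rules in this section (no VLAN shared between the eth0 and eth1 trunks, Authentication VLANs only on the untrusted side, a CAS management VLAN that differs from the CAM's and is trusted-side only, unused dummy native VLANs) can be checked against the switch configuration before the CAS is cabled in. The following audit script is an added example, not part of the Cisco guide; the interface names and configuration text are constructed from the sample values above.

```python
import re
from typing import List, Optional, Set

# Constructed sample trunks (interface names are placeholders, not from the guide).
ETH0_TRUNK = """interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30,40,222
"""
ETH1_TRUNK = """interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 610,620,630,640
"""
AUTH_VLANS = {610, 620, 630, 640}

def parse_allowed(cfg: str) -> Set[int]:
    """VLAN IDs from 'switchport trunk allowed vlan ...'; ranges like 10-40 expand."""
    m = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", cfg)
    vlans: Set[int] = set()
    for part in (m.group(1).split(",") if m else []):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_native(cfg: str) -> Optional[int]:
    m = re.search(r"switchport trunk native vlan (\d+)", cfg)
    return int(m.group(1)) if m else None

def audit(eth0_cfg: str, eth1_cfg: str, cam_vlan: int, cas_vlan: int,
          auth_vlans: Set[int]) -> List[str]:
    """Return findings for the CAS-facing trunks; an empty list means all rules hold."""
    findings = []
    a0, a1 = parse_allowed(eth0_cfg), parse_allowed(eth1_cfg)
    # A VLAN on both trunks would be bridged back to itself by the CAS: a loop.
    if a0 & a1:
        findings.append(f"loop risk: VLANs {sorted(a0 & a1)} allowed on both trunks")
    # The untrusted (eth1) trunk should carry only Authentication VLANs.
    if not a1 <= auth_vlans:
        findings.append(f"non-Authentication VLANs on eth1 trunk: {sorted(a1 - auth_vlans)}")
    # CAS management VLAN differs from the CAM's and lives on the trusted side only.
    if cas_vlan == cam_vlan:
        findings.append("CAS management VLAN must differ from CAM management VLAN")
    if cas_vlan not in a0 or cas_vlan in a1:
        findings.append("CAS management VLAN must be allowed on the eth0 trunk only")
    # Native VLANs are dummies: present, and not carried on either trunk.
    for name, native in (("eth0", parse_native(eth0_cfg)), ("eth1", parse_native(eth1_cfg))):
        if native is None or native in (a0 | a1):
            findings.append(f"{name} native VLAN must be an unused dummy VLAN")
    return findings
```

Running `audit(ETH0_TRUNK, ETH1_TRUNK, 64, 222, AUTH_VLANS)` on the sample values returns an empty list; adding an Access VLAN to the eth1 trunk produces a loop-risk finding.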