Virtual Gateway Mode Connection Requirements - Cisco NAC3350-PROF-K9 - NAC Profiler Server Installation Manual

Chapter 3
Installing the Clean Access Manager and Clean Access Server
When the Clean Access Server is in Real-IP Gateway mode, it can act as a DHCP Server or DHCP Relay.
With DHCP functionality enabled, the CAS provides the appropriate gateway information (that is, the
CAS's untrusted interface IP address) to the clients. If the CAS is working as a DHCP Relay, then the
DHCP server in your network must be configured to provide the managed clients with the appropriate
gateway information (that is, the Clean Access Server's untrusted interface IP address).

Virtual Gateway Mode Connection Requirements

For all deployments, if you plan to configure the Clean Access Server in Virtual Gateway mode (IB or
OOB), do not connect the untrusted interface (eth1) of the standalone CAS or HA-Primary CAS until
after you have added the CAS to the CAM from the web admin console. For Virtual Gateway HA-CAS
pairs, also do not connect the eth1 interface of the HA-Secondary CAS until after HA configuration is
fully complete. Keeping the eth1 interface connected while performing initial installation and
configuration of the CAS for Virtual Gateway mode can result in network connectivity issues.

When setting up a CAS in Virtual Gateway mode, you specify the same IP address for the trusted (eth0)
and untrusted (eth1) network interfaces during the initial installation of the CAS via CLI. At this point
in the installation, the CAS does not recognize that it is a Virtual Gateway. It will attempt to connect to
the network using both interfaces, causing collisions and possible port disabling by the switch.
Disconnecting the untrusted interface until after adding the CAS to the CAM in Virtual Gateway mode
prevents these connectivity issues. Once the CAS has been added to the CAM in Virtual Gateway mode,
you can reconnect the untrusted interface.

Administrators must use the following procedure for correct configuration of a Virtual Gateway Central
Deployment. To prevent looping on any central/core switch as you plug both interfaces of the Clean
Access Server into the switch, perform the following steps:

Step 1  Before you connect both interfaces of the CAS to the switch, physically disconnect the eth1 interface.

Step 2  Physically connect the eth0 interface of the CAS to the network.

Step 3  Add the CAS to the CAM in the CAM web console under Device Management > CCA Servers > New
        Server, as described in the Cisco NAC Appliance - Clean Access Manager Configuration Guide,
        Release 4.8(3).

Step 4  Manage the CAS by accessing the CAS management pages, via Device Management > CCA Servers
        > Manage [CAS_IP] as described in the Cisco NAC Appliance - Clean Access Server Configuration
        Guide, Release 4.8(3).

Step 5  Configure VLAN mapping. This is a mandatory step for a Central Deployment where both interfaces
        of the CAS connect to the same switch. (Note that you can configure VLAN mapping in Edge
        Deployments with no adverse effect, but you are not required to do so.)

        a. Make sure you check the "Enable VLAN Mapping" checkbox and click Update.

        b. Make sure to set the Untrusted VLAN-to-Trusted VLAN mapping under Device Management >
           CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping. See the "VLAN Mapping in
           Virtual Gateway Modes" section in the Cisco NAC Appliance - Clean Access Manager
           Configuration Guide, Release 4.8(3).

        Note  Enable VLAN Pruning is checked by default on the Virtual Gateway CAS (starting from
              release 4.1(1) and later) under Device Management > CCA Servers > Manage [CAS_IP] >
              Advanced > VLAN Mapping.

Step 6  Once the preceding steps are completed, physically connect the eth1 interface of the CAS to the switch.

Cisco NAC Appliance Hardware Installation Guide, OL-20326-01, Installing the Clean Access Server, page 3-19
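
The cabling order in Steps 1 through 6 can be checked from the CAS shell before and after the CAS is added to the CAM. The script below is an added example, not part of the Cisco guide. It assumes the CAS exposes Linux sysfs link state under /sys/class/net; the function names and the SYSFS_NET variable are hypothetical.

```shell
#!/bin/sh
# Added example: cabling gate for the Virtual Gateway procedure above.
# Assumption: link state is readable at /sys/class/net/<if>/carrier
# (1 = link present; 0 or unreadable = no link).
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"   # overridable for testing

# link_state IFACE -> prints "up" or "down"
link_state() {
    carrier_file="$SYSFS_NET/$1/carrier"
    # Reading carrier fails on an admin-down interface; treat that as no link.
    if [ -r "$carrier_file" ] && [ "$(cat "$carrier_file" 2>/dev/null)" = "1" ]; then
        echo up
    else
        echo down
    fi
}

# check_vgw_cabling STAGE
#   pre  = after Step 2, through Step 5: eth0 linked, eth1 must have no link
#   post = after Step 6: both interfaces linked
# Returns 0 when cabling matches the stage, 1 on mismatch, 2 on bad usage.
check_vgw_cabling() {
    trusted=$(link_state eth0)
    untrusted=$(link_state eth1)
    case "$1" in
        pre)
            if [ "$untrusted" = "up" ]; then
                echo "FAIL: eth1 has link before the CAS is added to the CAM" >&2
                return 1
            fi ;;
        post)
            if [ "$untrusted" = "down" ]; then
                echo "FAIL: eth1 has no link; reconnect it (Step 6)" >&2
                return 1
            fi ;;
        *)
            echo "usage: check_vgw_cabling pre|post" >&2
            return 2 ;;
    esac
    if [ "$trusted" = "down" ]; then
        echo "FAIL: eth0 (trusted) has no link" >&2
        return 1
    fi
    echo "OK: eth0=$trusted eth1=$untrusted matches stage '$1'"
}
```

Source the file and run `check_vgw_cabling pre` before Step 3, then `check_vgw_cabling post` once Step 6 is done.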


This manual is also suitable for: Nac-3315, Nac-3355, Nac-3395, Nac-3310, Nac-3350, Nac-3390
