Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB); Determining VLANs for Virtual Gateway - Cisco NAC3350-PROF-K9 - NAC Profiler Server Installation Manual

Installing the Clean Access Server
Note: If the CAM is down and the CAS is performing VLAN mapping in "fail open" state, do not reboot the CAS because the VLAN mapping capability will be lost until the CAM comes back online.

Step 7: For the 802.1q ports configuration on the switch, make sure to prune all other VLANs for switches trunking to eth0 and eth1 of the CAS except those used for the CAS Management VLAN and the User VLANs.

Step 8: Prune VLAN 1 on the switch ports connecting to the CAS eth0 and eth1 interfaces. For details, see: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/scg/swvlan.htm#wp1150302.

Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)

For details on Cisco Catalyst switch model/NME support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band (OOB) deployments, refer to Switch Support for Cisco NAC Appliance.

Determining VLANs For Virtual Gateway

Before you start the initial installation for a Clean Access Server Virtual Gateway deployment, ensure that the following is in place for your deployment:

- The CAS and CAM must be on different subnets (and VLANs).
- The CAS management VLAN must be on a different VLAN than the user authentication and access VLANs.
- Configure the native VLAN to be different than the CAS management VLAN. Setting native VLANs helps prevent inadvertent switching loops. The native VLAN must not be the same on the eth0 and eth1 interfaces of the CAS.
  - CAS native VLAN (eth0) (e.g. unused "dummy" VLAN 999)
  - CAS native VLAN (eth1) (e.g. unused "dummy" VLAN 998)
- Configure different user authentication and access VLANs on the switches, and configure untrusted subnets on the CAS as Managed Subnets (refer to Configuring Managed Subnets).
- Ensure there are no common VLANs being forwarded on the switch ports connecting the trusted (eth0) and untrusted (eth1) ports of the CAS. For every VLAN that is allowed on the trunk links going to the Virtual Gateway CAS, there must be a corresponding VLAN Mapping entry (except for the CAS management VLAN).
- Make sure the eth1 untrusted interface of the CAS is not connected to the network until after VLAN Mapping is configured.
- Switch(es) must not have SVI (Layer 3) interfaces for the user authentication VLANs anywhere on the network.
- User authentication VLANs should be on the CAS untrusted interface only and must be pruned from all other trunk links.

See the "Understanding VLAN Settings" and "VLAN Mapping in Virtual Gateway Modes" sections in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3) for additional details.

Cisco NAC Appliance Hardware Installation Guide, OL-20326-01. Chapter 3: Installing the Clean Access Manager and Clean Access Server.
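The VLAN prerequisites listed above can be checked against a planned trunk layout before the eth1 interface is connected. The following is an added example, not part of the Cisco guide: the CasVlanPlan structure and check_plan function are hypothetical names, and the sample VLAN numbers are constructed (only the dummy native VLANs 999 and 998 come from the guide).

```python
from dataclasses import dataclass, field

@dataclass
class CasVlanPlan:
    """Hypothetical model of the switch trunks facing a Virtual Gateway CAS."""
    mgmt_vlan: int
    eth0_allowed: set   # VLANs allowed on the trunk to trusted eth0
    eth1_allowed: set   # VLANs allowed on the trunk to untrusted eth1
    eth0_native: int
    eth1_native: int
    vlan_map: dict      # VLAN Mapping entries: untrusted VLAN -> trusted VLAN
    svi_vlans: set = field(default_factory=set)  # VLANs with a Layer 3 SVI

def check_plan(p):
    """Return the prerequisites from the list above that the plan violates."""
    issues = []
    auth, access = set(p.vlan_map), set(p.vlan_map.values())
    allowed = p.eth0_allowed | p.eth1_allowed
    if p.mgmt_vlan in auth | access:
        issues.append("CAS management VLAN is also a user VLAN")
    if p.mgmt_vlan in (p.eth0_native, p.eth1_native):
        issues.append("native VLAN equals the CAS management VLAN")
    if p.eth0_native == p.eth1_native:
        issues.append("eth0 and eth1 use the same native VLAN")
    if auth & access:
        issues.append(f"VLANs used for both authentication and access: {sorted(auth & access)}")
    common = p.eth0_allowed & p.eth1_allowed
    if common:
        issues.append(f"VLANs forwarded on both trunks: {sorted(common)}")
    if 1 in allowed:
        issues.append("VLAN 1 is not pruned from the CAS trunks")
    unmapped = allowed - auth - access - {p.mgmt_vlan}
    if unmapped:
        issues.append(f"allowed VLANs with no VLAN Mapping entry: {sorted(unmapped)}")
    if auth & p.svi_vlans:
        issues.append(f"SVI exists for authentication VLANs: {sorted(auth & p.svi_vlans)}")
    return issues

# Constructed sample plans; every VLAN number except 999/998 is made up.
GOOD = CasVlanPlan(10, {10, 20, 30}, {120, 130}, 999, 998, {120: 20, 130: 30})
BAD = CasVlanPlan(10, {1, 10, 20, 30}, {1, 120, 130, 140}, 999, 999,
                  {120: 20, 130: 30}, svi_vlans={120})

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_plan(plan) or "meets the listed prerequisites")
```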

This manual is also suitable for:

NAC-3315, NAC-3355, NAC-3395, NAC-3310, NAC-3350, NAC-3390
