Cisco NAC3350-PROF-K9 Hardware Installation Guide - Page 90
Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)
Chapter 3 Installing the Clean Access Manager and Clean Access Server
Installing the Clean Access Server

Note If the CAM is down and the CAS is performing VLAN mapping in "fail open" state, do not reboot the CAS, because the VLAN mapping capability will be lost until the CAM comes back online.

Step 7 For the 802.1q port configuration on the switch, make sure to prune all other VLANs for switches trunking to eth0 and eth1 of the CAS except those used for the CAS Management VLAN and the User VLANs.

Step 8 Prune VLAN 1 on the switch ports connecting to the CAS eth0 and eth1 interfaces. For details, see: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/scg/swvlan.htm#wp1150302.

Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)

For details on Cisco Catalyst switch model/NME support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band (OOB) deployments, refer to Switch Support for Cisco NAC Appliance.

Determining VLANs For Virtual Gateway

Before you start the initial installation for a Clean Access Server Virtual Gateway deployment, ensure that the following is in place for your deployment:

• The CAS and CAM must be on different subnets (and VLANs).
• The CAS management VLAN must be on a different VLAN than the user authentication and access VLANs.
• Configure the native VLAN to be different from the CAS management VLAN. Setting native VLANs helps prevent inadvertent switching loops. The native VLAN must not be the same on the eth0 and eth1 interfaces of the CAS.
  - CAS native VLAN (eth0) (e.g. unused "dummy" VLAN 999)
  - CAS native VLAN (eth1) (e.g. unused "dummy" VLAN 998)
• Configure different user authentication and access VLANs on the switches, and configure untrusted subnets on the CAS as Managed Subnets (refer to Configuring Managed Subnets).
• Ensure there are no common VLANs being forwarded on the switch ports connecting the trusted (eth0) and untrusted (eth1) ports of the CAS. For every VLAN that is allowed on the trunk links going to the Virtual Gateway CAS, there must be a corresponding VLAN Mapping entry (except for the CAS management VLAN).
• Make sure the eth1 untrusted interface of the CAS is not connected to the network until after VLAN Mapping is configured.
• Switch(es) must not have SVI (Layer 3) interfaces for the user authentication VLANs anywhere on the network.
• User authentication VLANs should be on the CAS untrusted interface only and must be pruned from all other trunk links.

See the "Understanding VLAN Settings" and "VLAN Mapping in Virtual Gateway Modes" sections in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3) for additional details.

3-20 Cisco NAC Appliance Hardware Installation Guide OL-20326-01
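The trunk-pruning steps and the "Determining VLANs For Virtual Gateway" checklist above are easy to get subtly wrong during a change window, so the following added example (written for this page, not code from the Cisco guide or the NAC Appliance product) turns them into a pre-installation check. It reads IOS-style `switchport trunk native vlan` / `switchport trunk allowed vlan` lines from the two switch port stanzas that face the CAS eth0 (trusted) and eth1 (untrusted) interfaces and flags every violation it can see from those lines alone: an unpruned trunk, VLAN 1 left allowed, a native VLAN equal to the CAS management VLAN or shared by both ports, a VLAN forwarded on both ports, an allowed VLAN with no VLAN Mapping entry, and a user authentication VLAN present on the trusted port. The interface names, VLAN numbers and mapping table are constructed for illustration; the dummy native VLANs 999/998 are deliberately left out of the allowed lists so that they carry no traffic. Only the plain `allowed vlan <list>`, `all` and `none` forms are parsed; `add`/`remove`/`except` edits are ignored.

```python
"""Added example: check the CAS Virtual Gateway VLAN prerequisites against
IOS-style trunk configuration.  Interface names, VLAN numbers and the
VLAN Mapping table are constructed for illustration (not from the guide)."""
import re

ALL_VLANS = frozenset(range(1, 4095))


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,30-32' (or 'all'/'none') into a set."""
    spec = spec.strip()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk(config_text):
    """Pull the native VLAN and allowed VLAN list out of one interface stanza.
    IOS defaults apply when a line is absent: native VLAN 1, all VLANs allowed."""
    native, allowed = 1, set(ALL_VLANS)
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            native = int(m.group(1))
        m = re.fullmatch(r"switchport trunk allowed vlan (?!add |remove |except )(.+)", line)
        if m:
            allowed = parse_vlan_list(m.group(1))
    return {"native": native, "allowed": allowed}


def check_virtual_gateway_vlans(eth0_cfg, eth1_cfg, cas_mgmt_vlan, vlan_mappings):
    """Return a list of findings; an empty list means the checklist is satisfied.
    vlan_mappings is a list of (untrusted_auth_vlan, trusted_access_vlan) pairs."""
    e0, e1 = parse_trunk(eth0_cfg), parse_trunk(eth1_cfg)
    findings = []
    for name, t in (("eth0", e0), ("eth1", e1)):
        if t["allowed"] == ALL_VLANS:
            findings.append(f"{name}: allowed VLAN list is not pruned (all VLANs trunked)")
        elif 1 in t["allowed"]:
            findings.append(f"{name}: VLAN 1 must be pruned")
        if t["native"] == cas_mgmt_vlan:
            findings.append(f"{name}: native VLAN {t['native']} equals the CAS management VLAN")
    if e0["native"] == e1["native"]:
        findings.append(f"eth0 and eth1 share native VLAN {e0['native']}")
    # No VLAN may be forwarded on both the trusted and the untrusted port.
    common = e0["allowed"] & e1["allowed"]
    if common:
        findings.append(f"VLANs forwarded on both eth0 and eth1: {sorted(common)[:5]}")
    # Every allowed VLAN except the CAS management VLAN needs a VLAN Mapping entry.
    mapped = {v for pair in vlan_mappings for v in pair}
    unmapped = (e0["allowed"] | e1["allowed"]) - mapped - {cas_mgmt_vlan}
    if unmapped:
        findings.append(f"{len(unmapped)} allowed VLAN(s) without a VLAN Mapping entry, "
                        f"e.g. {sorted(unmapped)[:5]}")
    # User authentication VLANs belong on the untrusted (eth1) side only.
    for auth_vlan, _ in vlan_mappings:
        if auth_vlan in e0["allowed"]:
            findings.append(f"user authentication VLAN {auth_vlan} must be on eth1 only")
    return findings


# Constructed configuration for the two CAS-facing ports (hypothetical interface
# names).  VLAN 100 is the CAS management VLAN, 110/120 are access VLANs on the
# trusted side, 111/121 the matching user authentication VLANs on the untrusted side.
ETH0_TRUNK = """
interface GigabitEthernet0/1
 description CAS eth0 (trusted)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,110,120
"""
ETH1_TRUNK = """
interface GigabitEthernet0/2
 description CAS eth1 (untrusted)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 111,121
"""
# The same port left at IOS defaults: native VLAN 1 and every VLAN allowed.
ETH1_UNPRUNED = """
interface GigabitEthernet0/2
 switchport mode trunk
"""
CAS_MGMT_VLAN = 100
VLAN_MAPPINGS = [(111, 110), (121, 120)]  # (untrusted auth VLAN, trusted access VLAN)

if __name__ == "__main__":
    for label, cfg in (("pruned", ETH1_TRUNK), ("unpruned", ETH1_UNPRUNED)):
        result = check_virtual_gateway_vlans(ETH0_TRUNK, cfg, CAS_MGMT_VLAN, VLAN_MAPPINGS)
        print(label, "->", result or "OK")
```

Run it against the pruned pair and it returns no findings; against the default-configured eth1 port it reports the unpruned trunk, the three VLANs that would be bridged between the trusted and untrusted sides, and the thousands of allowed VLANs with no mapping entry, which is exactly the failure the "no common VLANs" and "corresponding VLAN Mapping entry" bullets are guarding against. Feed it the real stanzas from `show running-config interface` before connecting eth1, since the guide says eth1 stays disconnected until VLAN Mapping is configured.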