
Virtual Gateway
CAUTION: To avoid switch errors, do not connect the untrusted interface (eth1) of a Virtual Gateway (IB or OOB) CAS to the switch until after the CAS is added to the CAM via the web console, and VLAN mapping is configured correctly under Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping. See the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.5(1) for details.
• The CAS and CAM must be on different subnets (or VLANs).
• The trusted (eth0) and untrusted (eth1) interfaces of the CAS can have the same IP address. (Note: this is equivalent to an L3 SVI IP address.)
• All end devices in the bridged subnet must be on the CAS untrusted side.
• The CAS is automatically configured for DHCP Passthrough when set to Virtual Gateway mode.
• Managed subnets must be configured on the CAS for all the user subnets that are managed by the CAS. When configuring the Managed subnet, make sure that you type an unused IP address in that subnet (for the CAS to use), and not a subnet address.
• Traffic from clients must pass through the CAS before hitting the gateway.
• When the CAS is an OOB VGW, the following also applies:
    - CAS interfaces must be on a separate subnet (or VLAN) from the CAM.
    - The CAS management VLAN must be on a different VLAN than the user or Access VLANs.

See also “Determining VLANs For Virtual Gateway” in the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.5(1) for further details.

Table 4 CAS Modes: IP Addressing Considerations (continued)
CAS Mode | Comments
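
The Virtual Gateway addressing rules listed above can be checked against a planned deployment before the untrusted interface is cabled. The following is an added example, not taken from the Cisco guide; the plan dictionary, its key names, and all addresses and VLAN IDs are constructed for illustration.

```python
import ipaddress

def check_vgw_plan(plan):
    """Return a list of rule violations for a planned Virtual Gateway CAS."""
    problems = []
    cas = ipaddress.ip_interface(plan["cas_ip"])
    cam = ipaddress.ip_interface(plan["cam_ip"])
    # The CAS and CAM must be on different subnets.
    if cas.network.overlaps(cam.network):
        problems.append(f"CAS {cas} and CAM {cam} are on the same subnet")
    in_use = {ipaddress.ip_address(a) for a in plan["in_use"]}
    for entry in plan["managed_subnets"]:
        iface = ipaddress.ip_interface(entry)
        # The managed-subnet entry must be an unused host IP, not the subnet address.
        if iface.ip == iface.network.network_address:
            problems.append(f"{entry}: subnet address entered instead of a host IP")
        elif iface.ip in in_use:
            problems.append(f"{entry}: IP is already in use in that subnet")
    # OOB Virtual Gateway only: management VLAN must differ from user/Access VLANs.
    if plan["oob"] and plan["cas_mgmt_vlan"] in plan["access_vlans"]:
        problems.append(f"management VLAN {plan['cas_mgmt_vlan']} is also an Access VLAN")
    return problems

# Constructed sample plans (hypothetical layout; not a Cisco file format).
GOOD_PLAN = {
    "cas_ip": "10.10.20.2/24", "cam_ip": "10.10.30.5/24",
    "managed_subnets": ["10.10.40.3/24"],
    "in_use": ["10.10.40.1", "10.10.40.10"],
    "oob": True, "cas_mgmt_vlan": 20, "access_vlans": [40, 41],
}
BAD_PLAN = {
    "cas_ip": "10.10.20.2/24", "cam_ip": "10.10.20.5/24",    # same subnet as the CAS
    "managed_subnets": ["10.10.40.0/24", "10.10.41.1/24"],  # subnet address; IP in use
    "in_use": ["10.10.41.1"],
    "oob": True, "cas_mgmt_vlan": 40, "access_vlans": [40, 41],
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        issues = check_vgw_plan(plan)
        print(name, "plan:", "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```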