Specifications

Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 3 Switch Management: Configuring Out-of-Band Deployment
Deployment Modes
In Out-of-Band Virtual Gateway mode, the Clean Access Server uses the VLAN mapping feature to retag
the unauthenticated client’s allowed traffic (such as DNS or DHCP requests) from the Authentication
VLAN to the Access VLAN and vice versa. In this way, no new client IP address is needed when the
client is eventually switched to the Access VLAN, because the DHCP-acquired IP address is already
paired with the Access VLAN ID.
Note: In an environment where there is an 802.1Q trunk to the CAS, the CAS bridges the two VLANs together.
This "retagging" is the rewriting of the 802.1Q tag in the Ethernet header with a new VLAN ID; only the
allowed traffic is bridged, everything else from the Authentication VLAN is dropped. Retagging does not
apply when there is only one Authentication VLAN and one Access VLAN, because no frames are tagged.
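The retagging step, as an added illustration (this is not Cisco code and does not reflect the CAS implementation): a toy Python model that parses a single-tagged 802.1Q frame, checks that the payload is the allowed DNS or DHCP traffic, and rewrites only the 12-bit VLAN ID while preserving the PCP/DEI bits. The VLAN numbers (Auth VLAN 100, Access VLAN 10) follow the Figure 3-3 example; the MAC addresses, IP addresses and sample frames are constructed here for the demonstration and are not captures. Untagged frames pass through unchanged, matching the Note above that there is nothing to rewrite without a trunk; tagged frames for a VLAN the CAS does not bridge, or carrying traffic an unauthenticated client is not allowed to send, are dropped.

```python
"""Toy model of the Out-of-Band Virtual Gateway VLAN-mapping ("retagging") step.

Added example, not Cisco code. It rewrites the 802.1Q VLAN ID of allowed frames
between a hypothetical Auth VLAN 100 and Access VLAN 10 and drops everything else.
"""
import struct
from typing import Optional, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

# Figure 3-3 numbering: Auth VLAN 100 <-> Access VLAN 10, mapped one-to-one in both directions.
VLAN_MAP = {100: 10, 10: 100}

# Traffic an unauthenticated client may pass before authentication: DHCP (67/68) and DNS (53).
ALLOWED_UDP_PORTS = {53, 67, 68}


def parse_8021q(frame: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (tci, inner_ethertype, payload_offset) for a single-tagged frame, None if untagged."""
    if len(frame) < 18:
        return None
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != ETHERTYPE_8021Q:
        return None
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    return tci, ethertype, 18


def is_allowed_traffic(payload: bytes, ethertype: int) -> bool:
    """Allow only IPv4/UDP with DNS or DHCP on either port (covers both directions of a session)."""
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return False
    ihl = (payload[0] & 0x0F) * 4
    if payload[0] >> 4 != 4 or ihl < 20 or payload[9] != IPPROTO_UDP or len(payload) < ihl + 8:
        return False
    src_port, dst_port = struct.unpack_from("!HH", payload, ihl)
    return src_port in ALLOWED_UDP_PORTS or dst_port in ALLOWED_UDP_PORTS


def vlan_map(frame: bytes) -> Optional[bytes]:
    """Retag an allowed tagged frame to its mapped VLAN; return None when the frame would be dropped.

    Only the 12-bit VID of the TCI changes; PCP and DEI are preserved. Untagged frames are
    returned unchanged: with a single Auth/Access VLAN pair on access ports nothing is tagged.
    """
    tag = parse_8021q(frame)
    if tag is None:
        return frame
    tci, ethertype, off = tag
    vid = tci & 0x0FFF
    if vid not in VLAN_MAP:
        return None  # a VLAN the CAS does not bridge
    if not is_allowed_traffic(frame[off:], ethertype):
        return None  # unauthenticated client traffic other than DNS/DHCP is blocked
    new_tci = (tci & 0xF000) | VLAN_MAP[vid]
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def vid_of(frame: bytes) -> Optional[int]:
    """VLAN ID of a tagged frame, None for an untagged one."""
    tag = parse_8021q(frame)
    return None if tag is None else tag[0] & 0x0FFF


def build_udp_frame(vid: Optional[int], src_port: int, dst_port: int) -> bytes:
    """Constructed sample frame (arbitrary MACs/IPs, zero checksums, PCP 5) for the demo; not a capture."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if vid is not None:
        eth += struct.pack("!HH", ETHERTYPE_8021Q, (5 << 13) | vid)  # PCP 5, DEI 0, VID
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    udp = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(4), b"\xff\xff\xff\xff")
    return eth + ip + udp


if __name__ == "__main__":
    dhcp_discover = build_udp_frame(100, 68, 67)        # client on the Auth VLAN
    print(vid_of(vlan_map(dhcp_discover)))              # 10: retagged onto the Access VLAN
    dns_reply = build_udp_frame(10, 53, 40000)          # server reply arriving from the Access VLAN
    print(vid_of(vlan_map(dns_reply)))                  # 100: retagged back to the Auth VLAN
    print(vlan_map(build_udp_frame(100, 40000, 5060)))  # None: other UDP from an unauthenticated client
    untagged = build_udp_frame(None, 68, 67)
    print(vlan_map(untagged) == untagged)               # True: untagged frames pass unchanged
```

Because the client's DHCP DISCOVER reaches the DHCP server already tagged with the Access VLAN, the lease it receives belongs to the Access VLAN; when the port is later switched, the address is still valid and no renewal is needed.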
Figure 3-3 illustrates Out-of-Band Virtual Gateway mode using an L3 router/switch, showing the client
authentication and access path for the OOB Virtual Gateway example described below. The router/switch
receives traffic from the Auth VLAN as Layer 2 traffic and forwards it to the untrusted side of the Clean
Access Server. The Virtual Gateway Clean Access Server performs VLAN mapping for allowed traffic
(DNS, DHCP) from the Auth VLAN (untrusted interface) to the Access VLAN (trusted interface) and
vice versa. The router/switch receives traffic from the Access VLAN as Layer 3 traffic and routes it
accordingly. In this example, the Authentication VLAN is 100 and the Access VLAN is 10.