Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CCA OOB VGW and trunk ports??

I've been spinning my wheels for the past week trying to get this to work.

My Goal: To have users switched back to their initial vlan after successful authentication/remediation.

I was able to get this to work in the lab with a single vlan. I had a 1:1 ratio of 1 auth vlan for 1 access vlan by using vlan-mapping.

In production, we have approximately 40 access vlans. Does this mean I need to create an additional 40 non-routable authentication vlans. (one for every access vlan??)


Can I simply create one auth vlan and set a policy to switch users back to their initial vlan? In doing so, i would assume I would need to make both eth0 and eth1 trunk ports.... and if this is the case, what else do I need to do?? How would dhcp pass-through work since everyone will be coming into the auth vlan and then placed into their initial vlan?? How does the DHCP server (not the service on the CAS)know which scope to use?

The documentation is very very vague.



New Member

Re: CCA OOB VGW and trunk ports??

Since you're deploying virtual gateway, you probably want 1:1 ratio for Auth and Access VLANs. This is also better for Spanning Tree - you should limit you VLANs at each closet, and manually prune them "switchport trunk allowed vlan #,#,#"

Typical example:

IDFA - Access Vlan 10 - Auth Vlan 110

IDFB - Access Vlan 20 - Auth Vlan 120

Since the CAS is in VGW it's a bridge, and DHCP will pass through it once your VLAN mappings are setup under the CAS adv onfiguration (through the CAM interface).

You'll need to configure VLAN mappings like so:

Untrusted VLAN 110 maps to Trusted VLAN 10

Untrusted VLAN 120 maps to Trusted VLAN 20

And yes you'll need to trunk the eth0 and eth1 and make sure you have the correct vlans on the allow list of the switchport trunk.

I've also had luck tagging the management subnet on both eth0 and eth1 which is the subnet/vlan you setup durin the install wizard. To tag the eth0 and eth1 CAS management VLAN/subnet login to the cas/admin page and click the check box on both eth0 and eth1 to tag traffic with VLAN ID and enter the VLAN ID. Leave the passthrough check box unchecked.

This seems to help eliminate the CDP native vlan mismatch messages on switches.

Hope this helps.