Cisco Support Community

New Member

Is my network ready for Clean Access

The most confusing thing to me is the number of deployment options available for Clean Access. I have a flat network with wireless and VPN users and fewer than 100 hosts. What is the best deployment option, and do I have to reconfigure my network? The in-band VG option seems appropriate, but I am not sure. Should I create L2 VLANs?


Re: Is my network ready for Clean Access

Even though your network is considered a small network, you could also deploy CCA in out-of-band mode.

But to choose between in-band and out-of-band, you need to look at the way your network is designed (simple/complex), LAN switch capabilities, bandwidth/traffic volume, access flow and control, and a few other factors.

But in a flat and small network with a mixture of users, including wireless and VPN users, the design/topology should be less complex/simpler. I would say the in-band mode is more suitable.

This is based on a few factors, like the smaller amount of traffic that needs to always pass through CCA inspection, the availability of one VLAN, and the ease of centralizing (fewer) CCAs in the network.

Out-of-band is more suitable for medium to large networks due to a combination of large traffic volume, complexity, routing and L2/L3 design, as well as how frequently the traffic needs to be inspected, plus the number of available CCAs and their volume capacity.



New Member

Re: Is my network ready for Clean Access

So really, I can have a single VLAN with the CAM and CAS on the same network? Here is my design as an example. The CAM will be My gateway is The CAS is running in in-band VG mode and has the same IP address on both the trusted and untrusted interfaces. So if this will work, what exactly defines the untrusted network? If I plug a PC in and get an IP address on the network, what makes me untrusted? How does that work? Is it done through ACLs against my IP address?
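The last question above (what makes a freshly plugged-in PC "untrusted" when the CAS has the same IP on both interfaces) is easiest to see with a toy model of an in-band Virtual Gateway. The following is an added illustration, not code from this thread and not Cisco's implementation. It assumes the CAS behaves as a bridge: frames from the untrusted interface cross the CAS, which looks up the source MAC in its table of authenticated hosts; an unknown MAC gets the unauthenticated role, whose policy only lets DHCP, DNS and traffic to the CAS itself through, and whose web traffic is redirected to the login page. The CAS address, the login URL, the VLAN mapping (untrusted VLAN 110 bridged to trusted VLAN 10) and the per-role policies are all constructed for the example.

```python
# Toy model of in-band Virtual Gateway enforcement. Added illustration, not
# Cisco's code. Addresses are from the 192.0.2.0/24 and 198.51.100.0/24
# documentation ranges; the VLAN map, roles and login URL are assumptions.
from dataclasses import dataclass

CAS_IP = "192.0.2.10"                      # assumed address of the CAS
LOGIN_URL = f"https://{CAS_IP}/login"      # assumed login-page URL

# Assumed VLAN mapping: the bridge needs distinct VLANs on each side,
# so untrusted VLAN 110 is bridged onto trusted VLAN 10.
VLAN_MAP = {110: 10}

# Assumed per-role traffic policy: set of (proto, dst_port) allowed, or "*".
# "unauthenticated" is what an unknown MAC gets; it is never assigned by login.
ROLE_POLICY = {
    "unauthenticated": {("udp", 67), ("udp", 68), ("udp", 53)},  # DHCP, DNS only
    "guest": {("tcp", 80), ("tcp", 443), ("udp", 53)},
    "employee": "*",
}


@dataclass(frozen=True)
class Frame:
    vlan: int
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass
class Session:
    ip: str
    role: str


class InBandVirtualGateway:
    """Bridges untrusted VLANs to trusted VLANs, filtering by source MAC."""

    def __init__(self, cas_ip=CAS_IP, vlan_map=None, role_policy=None):
        self.cas_ip = cas_ip
        self.vlan_map = dict(vlan_map or VLAN_MAP)
        self.role_policy = dict(role_policy or ROLE_POLICY)
        self.sessions: dict[str, Session] = {}   # authenticated hosts by MAC

    def login(self, mac, ip, role):
        """Record a host that passed the web login; it now gets its role's policy."""
        if role not in self.role_policy or role == "unauthenticated":
            raise ValueError(f"cannot assign role {role!r}")
        self.sessions[mac.lower()] = Session(ip, role)

    def logout(self, mac):
        self.sessions.pop(mac.lower(), None)

    def role_of(self, frame):
        """Unknown MAC -> unauthenticated, whatever IP it picked up from DHCP.
        Assumed simplification: a known MAC using a different IP than the one it
        logged in with is also treated as unauthenticated until it logs in again."""
        sess = self.sessions.get(frame.src_mac.lower())
        if sess is None or sess.ip != frame.src_ip:
            return "unauthenticated"
        return sess.role

    def decide(self, frame):
        """Verdict for a frame arriving on the untrusted side:
        ("FORWARD", trusted_vlan), ("LOCAL", reason), ("REDIRECT", url) or ("DROP", reason)."""
        if frame.vlan not in self.vlan_map:
            return ("DROP", f"vlan {frame.vlan} is not an untrusted VLAN of this CAS")
        if frame.dst_ip == self.cas_ip:
            return ("LOCAL", "terminated on the CAS (login page, agent traffic)")
        role = self.role_of(frame)
        policy = self.role_policy[role]
        if policy == "*" or (frame.proto, frame.dst_port) in policy:
            return ("FORWARD", self.vlan_map[frame.vlan])
        if role == "unauthenticated" and (frame.proto, frame.dst_port) == ("tcp", 80):
            return ("REDIRECT", LOGIN_URL)
        return ("DROP", f"role {role} may not send {frame.proto}/{frame.dst_port}")


def demo():
    """Constructed walk-through: one PC before and after it logs in."""
    cas = InBandVirtualGateway()
    pc = dict(vlan=110, src_mac="00:11:22:33:44:55", src_ip="192.0.2.50")
    before = [
        cas.decide(Frame(**pc, dst_ip="192.0.2.1", proto="udp", dst_port=53)),      # DNS passes
        cas.decide(Frame(**pc, dst_ip="198.51.100.7", proto="tcp", dst_port=80)),   # web -> login
        cas.decide(Frame(**pc, dst_ip="198.51.100.7", proto="tcp", dst_port=445)),  # SMB dropped
        cas.decide(Frame(**pc, dst_ip=CAS_IP, proto="tcp", dst_port=443)),          # the login page
    ]
    cas.login(pc["src_mac"], pc["src_ip"], "employee")
    after = cas.decide(Frame(**pc, dst_ip="198.51.100.7", proto="tcp", dst_port=445))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for verdict in before:
        print("before login:", verdict)
    print("after login: ", after)
```

The point the model makes: nothing in the PC's IP address marks it untrusted. It is untrusted because every frame it sends has to cross the CAS to reach the trusted VLAN, and the CAS has no session for its MAC, so the only policy it gets is the unauthenticated one. That is also why the model needs two VLANs: a bridge with both interfaces on the same VLAN of the same switch would give the PC a path around the CAS.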
