Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Enterasys NAC Design Guide 3-1

3

Use Scenarios

ThischapterdescribesfourNACusescenariosthatillustratehowthetypeofNACdeploymentis

directlydependentontheinfrastr ucturedevicesdeployedinthenetwork.Forsomenetwork

topologies,inlinenetworkaccesscontrolutilizingtheNACControllermayberequiredwhilefor

othernetworkconfigurations,theNACGatewayimplementingout

‐of‐bandNACmaybeused.

TheEnterasysNACsolutioniscapableofimplementingnetworkaccesscontrolforallfouruse

scenariosaswellasenvironmentswithmixedusescenariosthatmayrequiretheconcurrent

deploymentoftheNACGatewayandtheNACController.Regardlessofthescenariothatis

deployed,

allNACGatewaysandNACControllersarecentrallymanagedbytheNetSightNAC

Managersoftwareapplication.

Fortheintelligentwiredaccessedgeandintelligentwirelessaccessedgeusescenarios,theterm

“intelligent”referstoanetworktopologywheretheaccessedgeiscomposedofEnterasyspolicy‐

enabledswitchescapableofsupporting

authenticationandpolicyenforcement,orthird‐party

switchescapableofsupportingauthenticationanddynamicVLANassignmentasdefinedinRFC

3580.

Scenario 1: Intelligent Wired Access Edge

Intheintelligentwiredaccessedgeusescenario,theedgeswitchesthatcomposethenetwork

accesslayerarecapableofprovidingauthentication(802.1X,web‐based,orMAC)forconnecting

end‐systems,andtheyarealsocapableofbeinganauthorizat ion pointfortheseend‐systems

throughEnterasyspolicyand/ordynamicVLAN

assignmentasspecifiedinRFC3580.

Forthisusescenario,theNACGatewayapplianceisdeployedforout‐of‐bandnetworkaccess

control,leveragingtheintelligentinfrastructuredevicesintheaccessedgeastheauthorization

pointforconnectingend‐systems.

ItisimportanttonotethatEnterasyspolicy‐enabledswitchesprovide

increasedsecurityover

third‐partyswitchesthatsupportRFC3580.Byusingport‐levelgranulartrafficcontrol,users

quarantinedwithEnterasyspolicycanberestrictedfromcommunicatingwithotherquarantined

users,evenifco‐locatedonthesameVLAN.InaQuarantineVLANasimplementedonthird‐

partyRFC3580

capableswitches,aquarantineduserposesathreattootherquarantinedusers

For information about... Refer to page...

Scenario 1: Intelligent Wired Access Edge 3-1

Scenario 2: Intelligent Wireless Access Edge 3-5

Scenario 3: Non-intelligent Access Edge (Wired and Wireless) 3-9

Scenario 4: VPN Remote Access 3-11

Summary 3-13

previous next