Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Survey the Network

4-2 Design Planning

accesstoawebbrowsertosafelyremediatetheirquarantinedend‐systemwithoutimpacting

IToperations.

Onceadeploymentmodelisselected,thecurrentnetworkinfrastructuremustbeexaminedto

identifythetechnicaldependenciesandrequirementsimposedbytheNACsolution.

Survey the Network

Thestepsinthissectionwillhelpyouidentifyandevaluatethecurrentnetworkinfrastructureso

thatyoucanmakedesigndecisionsregardingNACcomponentrequirements.

1. Identify the Intelligent Edge of the Network

Thefirststepinsurveyingyournetworkistodeterminewhetherornotyournetworkhasan

“intelligentedge.”ThisinformationwillhelpyoudecidewhethertheNACGatewayorNAC

Controllerappliancebestsuitsyournetworkinfrastructure.

Theterm“intelligent”referstoanetworktopologywheretheaccessedgeis

composedof

Enterasyspolicy‐enabledswitchescapableofsupportingauthenticationandpolicyenforcement,

orthird‐partyswitchescapableofsupportingauthenticationanddynamicVLAN assignmentas

definedinRFC3580.

Non‐intelligentinfrastructuredevices,suchasrepeatersandhubs,arenotcapableofsupporting

authenticationand/orauthorizat ion ofend‐systems,and

simplyprovideconnectivitytothe

infrastructure.

AnintelligentedgeisrequiredwhentheNACGatewayisutilizedforimplementingout‐of‐band

NAC.TheNACGatewayapplianceleveragestheintelligentedgeofthenetworktoimplementthe

authenticationandauthorizationofconnectingend‐systems.TheNACGatewayeffectsthe

assignmentof

policiesorVLANsonEnterasysswitchesorRFC3580‐capableswitcheslocatedat

edgeofthenetwork,toauthorizealevelofnetworkaccesstoconnectingend‐systems.These

assignmentsarebasedonvariousparameters,suchasthelocationoftheend‐systemandsecurity

postureassessmentresults.Theintelligentedge

ofthenetworkalsoimplementsanauthentication

method(802.1X,web‐based,orMACauthentication)forvalidatingthedeviceand/oruseridentity

ofconnectingend‐systems.

However,innetworkswithnon‐intelligentdevicesattheaccessedge,itisnotnecessarytoreplace

thesenon‐intelligentdevicestobeabletoimplement

out‐of‐bandNACwiththeNACGateway.

Instead,theEnterasysMatrixN‐seriesswitchcanbepositionedupstreamfromnon‐intelligent

devices(suchasinthedistributionlayer)toimplementtheauthenti cationandauthorization

functionsfordownstreamconnecteddevices.MatrixN‐SeriesdevicessupportMulti‐User

Authentication(MUA)which

enablestheswitchtoindividuallyauthenticateanduniquely

authorizemultipleend‐systemsconnectedtothesamephysicalport.MUAontheMatrixN‐series

Platinumsupportstheconcurrentauthenticationandauthorizationofover1000end‐systemsona

singleportwiththeallocationofdisparatenetworkresourcestoeachend‐system.

Inthiscase,the

MatrixN‐seriesswitchistheintelligentedgeofthenetworkalthoughitisnotphysicallylocatedin

theaccesslayer.ByutilizingtheMatrixN‐seriesinthistypeofconfiguration,mostofthebenefits

ofout‐of‐bandNACcanbeobtainedwithoutupgrading

theedgeofthenetwork.

previous next