Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Survey the Network

4-10 Design Planning

thiscase,thethickAPdeploymentfallsintothecategoryofnon‐intelligentedgedeviceswiththe

sameNACimplementationsasanon‐intelligentwirededge.Thesenon‐intelligentAPsmustbe

configuredwithinlineNAC,positioningtheNACControlleratastrategicpointinthe network

upstreamfromthenon

‐intelligentAPswhereitwillimplementtheauthenticationand

authorizationofconnectingend‐systems.

Thin Wireless Deployments

Forthinwirelessdeployments,thewirelessswitchusuallysupportstheauthenticationand

authorizationofthewirelessend‐systemsconnectedtotheAPsonthenetwork.Therefore,thin

wirelessdeploymentscanbeconfiguredwithout‐of‐bandNACusingtheNACGateway,withthe

authenticationandauthorizationimplementedonthewirelessswitch.

Ifthewirelessswitchdoes

notsupportdynamicVLANassignmentviaRFC3580,inlineNACmaybeusedbypositioningthe

NACControllerbehindthewirelessswitchtoimplementtheauthenticationandauthorizationof

wirelessend‐systems.

Remote Access WAN

Inmanyenterprisenetworks,largerremotesitesareconnectedtothemainnetworksiteovera

WANconnection,affordingremoteusersaccesstocorporate resources.Iftheremotesitesare

composedofintelligentedgedevicessupportingtheauthenticationandauthorizationofthe

remotelyconnectedend‐systems,thentheNACGatewaycan

beutilizedinthedeploymentof

out‐of‐bandNAC.TheNACGatewaymaybepositionedeitherlocallyattheremotesite(which

maynotbepractical)oratthemainsiteoftheenterprisenetwork.Eitherway,theNACGateway

leveragestheauthenticationandauthorizationcapabilitiesoftheswitches

intheremotesiteto

implementnetworkaccesscontrolforremoteusers.

IftheNACGatewayisimplementedatthemainsite,thenitisimportanttoconsiderwhatimpact

aWANlinkdisconnectionwouldhaveontheNACprocessandremoteend‐systemconnectivity.

Itisrecommendedthatswitchesin

remotesitesbeconfiguredwithadefaultVLANorpolicythat

willbeappliedtotheend‐system inthecasethatconnectivitytothemainsitegoesdown.

Iftheremotesitesarecomposedofnon‐intelligentswitches,thentheNACControllercanbe

strategicallypositionedinl inewithtraffic sourced

fromremoteend‐systemstoimplementthe

authenticationandauthorizationofthesedevices.TheNACControllerismostoftenpositionedat

thecentralsiteʹsWANconnectiontotheremotesites.Inthisconfiguration,theNACControlleris

abletoimplementNACformultipleremotesites,whichisimportantwhen

youconsiderthat

someremotesitesmayhaveonlyafewend‐systemsconcurrentlyconnected.

Site-to-Site VPN

Inmulti‐siteenterpriseenvironments,itiscommontohaveaVPNconcentratorlocatedatthe

mainsiteconnectingtoremotesitesviaaVPNtunnel.SimilartotheremoteaccessWANscenario,

theimplementationofout‐of‐bandorinlineNACdependsonthecapabilitiesoftheedgeswitches

located

attheremotesite.Iftheremotesitesarecomposedofintelligentedgeswitches,thenthe

NACGatewaycanbepositionedatthemainsitetoimplementout‐of‐bandNAC.Iftheremote

sitesarecomposedofnon‐intelligentedgeswitches,thentheNACControllercanbepositioned

behind

theVPNconcentratorthatprovidessite‐to‐siteVPNconnectivity.Itisimportanttonote

thattheNACControllermustseetheactualIPaddressoftheend‐systemwhenanend‐systemʹs

traffictraversesit.Therefore,adownstreamdevicefromtheNACControllercannotimplement

many‐to‐oneNAT

orreverseproxyVPN,sothattheIPaddressoftheend‐systemispreservedat

thepointthatthetraffictraversestheNACController.

previous next