Out-of-Band NAC Design Procedures
5-20 Design Procedures
2. Determine the Number of NAC Gateways
The number of NAC Gateways to be deployed on the network is a function of the following parameters:

• The number of Security Domains configured on the network.
Each NAC Gateway appliance may be associated to only one Security Domain. Therefore, the number of NAC Gateways deployed on the network will be greater than or equal to the number of Security Domains configured in NAC Manager. To support redundancy per Security Domain, at least two NAC Gateways must be deployed per Security Domain, as discussed below.

• The number of authenticating users and devices that are connected to each Security Domain.
Each NAC Gateway appliance has the capability of supporting a maximum number of authenticating devices, as shown in Table 5-4 below.

To roughly determine the number of required NAC Gateways per Security Domain, use the following formula:

Number of authenticating end-systems in a Security Domain / Concurrent end-systems supported by gateway type = the number of required gateways of that type per Security Domain.

For example, if you have 9000 end-systems connecting to a Security Domain, and you will be using SNS-TAG-ITA appliances, then the formula would be:

9000 / 3000 = 3 required ITA appliances

For each switch in a particular Security Domain, the maximum number of authenticating end-systems that may be connected to the switch at any one moment must be considered when associating a switch to a particular NAC Gateway appliance. Multiple intelligent switches residing in the same Security Domain may be pointed to the same NAC Gateway, provided the maximum number of authenticating end-systems for the particular NAC Gateway is not exceeded. (Note that two switches in different Security Domains cannot be associated to the same NAC Gateway.)

• Configuration of NAC Gateway redundancy for each switch in a Security Domain.
NAC Gateway redundancy for a particular switch is achieved by configuring two different NAC Gateways as primary and secondary RADIUS servers for that switch, as depicted in Figure 5-5 on page 5-21. When connectivity to the primary NAC Gateway is lost, the secondary NAC Gateway is used. Note that this configuration supports redundancy and not load-sharing, and the second NAC Gateway will only be used in the event that the primary NAC Gateway becomes unreachable.
Table 5-4 End-System Limits for NAC Gateways

NAC Gateway Model      Concurrent End-Systems Supported
NSTAG-FE100-TX         Up to 500
7S-NSTAG-01(-NPS)      Up to 1000
NSTAG-GE250-TX         Up to 1250
SNS-TAG-LPA            Up to 2000
SNS-TAG-HPA            Up to 3000
SNS-TAG-ITA            Up to 3000
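The sizing formula and the switch-association rules above (one Security Domain per gateway, per-gateway end-system limit, primary/secondary RADIUS failover rather than load-sharing) can be checked mechanically. The following is an added example, not part of the design guide; the gateway and switch names are constructed, and the check assumes a single gateway is lost at a time.

```python
import math
from collections import defaultdict
# Concurrent end-system limits from Table 5-4, keyed by gateway model.
GATEWAY_CAPACITY = {
    "NSTAG-FE100-TX": 500,
    "7S-NSTAG-01(-NPS)": 1000,
    "NSTAG-GE250-TX": 1250,
    "SNS-TAG-LPA": 2000,
    "SNS-TAG-HPA": 3000,
    "SNS-TAG-ITA": 3000,
}

def gateways_per_domain(end_systems, model, redundant=True):
    """Rough gateway count for one Security Domain: end-systems divided by the
    model's limit, rounded up, and never below two when redundancy is required."""
    needed = math.ceil(end_systems / GATEWAY_CAPACITY[model])
    return max(needed, 2) if redundant else needed

def check_plan(switches, gateways):
    """switches: (name, domain, peak_end_systems, primary_gw, secondary_gw) tuples;
    gateways: gw_name -> (model, domain). Returns a list of violations (empty = consistent)."""
    problems = []
    normal = defaultdict(int)                          # load with every primary up
    failover = defaultdict(lambda: defaultdict(int))   # failover[lost][target] = load that moves
    for name, domain, peak, primary, secondary in switches:
        if primary == secondary:
            problems.append(f"{name}: primary and secondary RADIUS server are the same gateway")
        for gw in (primary, secondary):
            if gateways[gw][1] != domain:   # a gateway serves exactly one Security Domain
                problems.append(f"{name} ({domain}) points at {gw} in domain {gateways[gw][1]}")
        normal[primary] += peak
        failover[primary][secondary] += peak
    for gw, total in normal.items():
        cap = GATEWAY_CAPACITY[gateways[gw][0]]
        if total > cap:
            problems.append(f"{gw}: {total} end-systems exceeds the limit of {cap}")
    for lost, targets in failover.items():     # redundancy is failover, not load-sharing
        for gw, moved in targets.items():
            cap = GATEWAY_CAPACITY[gateways[gw][0]]
            if normal[gw] + moved > cap:
                problems.append(f"if {lost} is lost, {gw} would carry {normal[gw] + moved} > {cap}")
    return problems

# Constructed sample plan (hypothetical names): two LPA gateways serving "Corp", one FE100 serving "Guest".
GATEWAYS = {"gw-a": ("SNS-TAG-LPA", "Corp"), "gw-b": ("SNS-TAG-LPA", "Corp"),
            "gw-c": ("NSTAG-FE100-TX", "Guest")}
SWITCHES = [("sw1", "Corp", 1200, "gw-a", "gw-b"), ("sw2", "Corp", 1200, "gw-b", "gw-a"),
            ("sw3", "Guest", 300, "gw-c", "gw-a")]
```

Running `check_plan(SWITCHES, GATEWAYS)` on the sample reports that sw3 crosses Security Domains and that either LPA gateway would exceed its 2000 end-system limit if it had to absorb the other's switches, even though each is within limits while both are up.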