Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Out-of-Band NAC Design Procedures

5-20 Design Procedures

2. Determine the Number of NAC Gateways

ThenumberofNACGatewaystobedeployedonthenetworkisafunctionofthefollowing

parameters:

•ThenumberofSecurityDomainsconfiguredonthenetwork.

EachNACGatewayappliancemaybeassociatedtoonlyoneSecurityDomain.Therefore,the

numberofNACGatewaysdeployedonthenetworkwillbegreater

thanorequaltothe

numberofSecurityDomainsconfiguredinNACManager.Tosupportredundancyper

SecurityDomain,atleasttwoNACGatewaysmustbedeployedperSecurityDomain,as

discussedbelow.

•ThenumberofauthenticatingusersanddevicesthatareconnectedtoeachSecurityDomain.

EachNACGatewayappliance

hasthecapabilityofsupportingamaximumnumberof

authenticatingdevicesasshowninthefollowingtable:

ToroughlydeterminethenumberofrequiredNACGatewaysperSecurityDomain,usethe

followingformula:

Numberofauthenticatingend‐systemsinaSecurityDomain/Concurrentend‐systems

supportedbygatewaytype=the

numberofrequiredgatewaysofthattypeperSecurity

Domain.

Forexample,ifyouhave9000end‐systemsconnectingtoaSecurityDomain,andyouwillbe

usingSNS‐TAG‐ITAappliances,thentheformulawouldbe:

9000/3000=3requiredITAappliances

ForeachswitchinaparticularSecurity

Domain,themaximumnumberofauthenticatingend‐

systemsthatmaybeconnectedtotheswitchatanyonemomentmustbeconsideredwhen

associatingaswitchtoaparticularNACGatewayappliance.Multipleintelligentswitches

residinginsameSecurityDomainmaybepointedtothesameNACGateway,providedthe

maximumnumberofauthenticatingend‐systemsfortheparticularNACGatewayisnot

exceeded.(NotethattwoswitchesindifferentSecurityDomainscannotbeassociatedtothe

sameNACGateway.)

• ConfigurationofNACGatewayredundancyforeachswitchinaSecurityDomain.

NACGatewayredundancyforaparticularswitchisachievedby

configuringtwodifferent

NACGatewaysasprimaryandsecondaryRADIUSserversforthatswitch,asdepictedin

Figure 5‐5onpage 5‐21.WhenconnectivitytotheprimaryNACGatewayislost,the

secondaryNACGatewayisused.Notethatthisconfigurationsupportsredundancyandnot

load‐sharing,andthesecond

NACGatewaywillonlybeusedintheeventthattheprimary

NACGatewaybecomesunreachable.

Table 5-4 End-System Limits for NAC Gateways

NAC Gateway Model Concurrent End-Systems Supported

NSTAG-FE100-TX Up to 500

7S-NSTAG-01(-NPS) Up to 1000

NSTAG-GE250-TX Up to 1250

SNS-TAG-LPA Up to 2000

SNS-TAG-HPA Up to 3000

SNS-TAG-ITA Up to 3000

previous next