Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Out-of-Band NAC Design Procedures

Enterasys NAC Design Guide 5-21

Figure 5-5 NAC Gateway Redundancy

ItisimportantthatthesecondaryNACGatewaydoesnotexceedmaximumcapacityifthe

primaryNACGatewayfailsonthenetwork.Forexample,let’ssaythattwoNACGateways,

bothrunningatmaximumloadonthenetwork,arebeingusedbysixswitches.NACGateway

#1istheprimary

gatewayforswitchA,switchB,andswitchC,andNACGateway#2isthe

primarygatewayforswitchD,switchE,andswitchF.Inthisscenario,NACGateway#1

shouldnotbeconfiguredtoserveassecondaryforNACGateway#2andviceversa.Thisis

becauseifNAC

Gateway#1fails,NACGateway#2,whichisalreadyrunningatmaximum

capacitybeforeNACGateway#1ʹsfailure,willnotbeabletohandletheend‐systemsfailing

overfromNACGateway#1.Toavoidexceedingtheselimits,extraNACGatewayappliances

mustbedeployedonthenetworkto

serveassecondaryNACGatewaysforthesesixswitches.

Tosummarize,NACGatewayredundancymaybeaccomplishedusingtwodifferentapproaches:

•Active‐standbyredundancy

Inthisredundancyapproach,asetofswitchesareconfiguredtousethesameprimaryNAC

Gateway(assumingtheseswitchesobservetheNACGatewayʹscapacitylimitations

previously

described)andusethesamesecondaryNACGatewayasabackup(assumingthe

secondaryNACGatewayisthesamemodelastheprimary).ThesecondaryNACGatewayis

notconfiguredasaprimaryNACGatewayforanyswitchonthenetworkandthereforeis

inactiveuntilaprimaryNACGateway

fails.Forexample,ifswitchA,switchB,andswitchC

useNACGateway#1asaprimarygateway,thenallthreeswitchescanbeconfiguredtouse

NACGateway#2onthenetworkasthebackup.Inthisconfiguration,ifswitchA,switchB,or

switchClosesconnectivityto

NACGateway#1,theswitchwouldseamlesslytransitionto

usingNACGateway#2.Intheworst‐casescenariowhereallthreeswitchesloseconnectivity

toNACGateway#1,NACGateway#2wouldbeabletohandleallauthenticationrequests

fromthesethreeswitches.Inthisredundancyconfiguration,NACGateway#2

iscompletely

idleonthenetworkandonlyutilizedifoneoftheswitchescannotcommunicatetoNAC

Gateway#1.

•Active‐activeredundancy

Inthisredundancyapproach,theprim aryNACGatewayforoneswitchisasecondaryNAC

Gatewayforanotherswitch.Forthisconfiguration,thesameprimaryNACGatewayis

utilized

foragroupofswitches,withthisNACGatewayrunningatonlyhalfthemaximum

load.AnothergroupofswitchesutilizesadifferentprimaryNACGateway(assumingitisthe

samemodel)alsorunninghalfthemaximumload.Then,eachgroupofswitchescanusethe

otherNACGatewayas

thesecondarygateway.Thisredundancyconfigurationguarantees

thatintheworst‐casescenario,whenallswitchesinonegrouplosecommunicationtotheir

previous next