Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Inline NAC Design Procedures

Enterasys NAC Design Guide 5-29

However,theclosertheNACControllerisplacedtotheedgeofthenetwork,themoreNAC

Controllersarerequiredonthenetwork,increasingNACdeploymentcostandcomplexity.

Conversely,whenmovingtheNACControllertowardsthecoreofthenetwork,fewerNAC

Controllersarerequired,decreasingNACdeploymentcostand

complexity,butalsodecreasing

thelevelofsecurity.

ForimplementingNAConwiredandwirelessLANs,itisrecommendedthattheLayer2NAC

Controllerispositionedbetweentheaccesslay eranddistributionlayerbeforethefirstroutedhop

inthenetwork.Asanalternative,theNACControllermaybepositioned

deeperintothenetwork

afterthefirstroutedhopusingtheLayer3configuration.TheLayer3NACControllercanalsobe

positionedafteraVPNconcentratororWANconnectiontoimplementNACforremoteusers.

Unliketheout‐of‐bandNACdesign,theimplementationofremediationand/orMAC(network)

registrationdoesnotaffectthelocationoftheNACController.TheNACControllerwill

appropriatelyinterceptwebtrafficforthepurposeofremediationandregistration.

Lastly,itshouldbeunderstoodthatsomeadvantagesexistwiththedeploymentofaLayer2NAC

ControlleroveraLayer3NACController,whichmay

affectthedecisionofhowNACControllers

arepositioned.WhileaLayer2NACControlleralwaysknowstheMACaddressofthe

downstreamconnectedend‐system,theLayer3NACControllermaynotbeabletodeterminethe

MACaddressofadownstreamend‐system(denotedas“Unknown”inNACManager.)



TechniquessuchasNetBIOSlookupsandDHCPsnoopingareimplementedtoattempttoresolve

theIPaddressofthedownstreamconnectedend‐systems;however,scenariosexistwheretheIP

addressofthedownstreamend‐systemmaynotbedetermined.

TheMACaddressofadownstreamend‐systemwillbedetermined

bytheNACControllerinthe

followingscenarios:

•End‐systemssupportNetBIOSandahostfirewalldoesnotdropinboundNetBIOSrequests

fortheLANconnection.

•DHCPisimplementedandtheDHCPserverexistsupstreamfromtheNACController.

SincetheLayer3NACControllermaynotbeabletodeterminethe

MACaddressofa

downstreamend‐system,“LockMAC”andMACoverridesarenotapplicabletoLayer3NAC

Controllers.Furthermore,MAC(network)registrationmaynotbeimplementedwhentheMAC

addressofadownstreamconnectedend‐systemisunknown.Inthiscase,theend‐systemis

assignedtheSecurityDomain’s

defaultNACconfiguration.

previous next