Segment 2: Server Deployment Modes
Alok Agrawal

OK, now that you have it, how do you want to deploy it? First off, we need to decide on a deployment model. For layer 2 (Virtual IP or bridged mode), it is purdy darn easy! Everything is in one broadcast domain. For layer 3 (Real IP mode), we have a few more options to look at.

You can pretty much have your NAC Manager sitting anywhere on your network. The real design considerations come into play when you have to place the NAC Server. Depending on which mode you choose, user traffic is going to flow through the NAC Server, which means it needs to sit in the traffic path somewhere on the network. The goal here is to make NAC work in any environment, whether it's layer 2, layer 3, multilayer, central campus or remote offices, which is why there is flexibility in terms of what mode you deploy it in.

Inband vs. Out-of-Band cage match

Deciding which mode to use with NAC is as simple as asking one question: do you have Cisco gear end to end? If so, you qualify for Out-of-Band mode. If you have mixed-vendor gear, or wireless/VPN users, then Inband is the mode for you.

In Inband mode, the NAC Appliance is always inline with user traffic (both before and after authentication, posture assessment and remediation). Enforcement is achieved by being inline: traffic flows thru the NAC Servers forever and ever, Amen. Inband can securely control both authenticated and unauthenticated user traffic using traffic policies (based on port, protocol and subnet) and bandwidth policies, and it works great with 802.1X.
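To make the "inline forever" enforcement concrete, here is an added example (not Cisco code, not from this page's author) of how role-based traffic policies of the kind described above can be evaluated for each flow. The roles, the rule set and the remediation subnet 10.9.0.0/24 are constructed for illustration; the point is that the unauthenticated role ends in a default deny, so a host that never passes posture only ever reaches DNS, DHCP and the remediation servers.

```python
"""Toy model of in-band NAC traffic policies (added example, not Cisco code).

In-band mode keeps the NAC Server inline for the whole session, so it can
filter every flow according to the user's current role. Roles, subnets and
ports below are constructed; the remediation subnet 10.9.0.0/24 is an
assumption made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp" or "any"
    port: Optional[int]    # destination port, None means any port
    dst: str               # destination subnet in CIDR notation
    action: str            # "allow" or "deny"

    def matches(self, proto: str, dport: int, dst_ip: str) -> bool:
        """True when protocol, destination port and destination subnet all match."""
        if self.protocol != "any" and self.protocol != proto:
            return False
        if self.port is not None and self.port != dport:
            return False
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)


# Constructed role policies. Unauthenticated hosts may only resolve names,
# obtain an address and reach the remediation subnet; everything else drops.
POLICIES = {
    "unauthenticated": [
        Rule("udp", 53, "0.0.0.0/0", "allow"),        # DNS
        Rule("udp", 67, "0.0.0.0/0", "allow"),        # DHCP
        Rule("any", None, "10.9.0.0/24", "allow"),    # assumed remediation servers
        Rule("any", None, "0.0.0.0/0", "deny"),       # explicit default deny
    ],
    "authenticated": [
        Rule("any", None, "0.0.0.0/0", "allow"),
    ],
}


def evaluate(role: str, proto: str, dport: int, dst_ip: str) -> str:
    """Return the action of the first matching rule for the role.

    An unknown role or a rule set with no match falls through to "deny", so a
    policy gap never turns into an accidental allow.
    """
    for rule in POLICIES.get(role, []):
        if rule.matches(proto, dport, dst_ip):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed flows: a quarantined host trying the web vs. the remediation server.
    print(evaluate("unauthenticated", "tcp", 80, "93.184.216.34"))  # deny
    print(evaluate("unauthenticated", "tcp", 80, "10.9.0.5"))       # allow
    print(evaluate("authenticated", "tcp", 443, "93.184.216.34"))   # allow
```

First-match ordering is what makes this safe to extend: any new allow for the unauthenticated role must be added above the trailing deny, and the default return covers roles the policy table does not know about.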

With Out-of-Band mode, the NAC Appliance is inline with user traffic only during authentication, assessment and remediation. After that, user traffic does not flow thru the appliance at all. Enforcement is achieved through SNMP: the NAC Server controls the switches and the VLAN assigned to each port. You log in on one VLAN; if you are one of the chosen beautiful people, you are switched over to an authenticated VLAN and life goes on. I would not use 802.1X in this mode, because NAC and 802.1X duke it out over who sets the VLAN on a port.

Out-of-Band mode works on the following devices:

Controlled switches must be supported models (or service modules) running at least the minimum supported version of IOS or CatOS (supporting MAC change notification/MAC move notification or linkup/linkdown SNMP traps). Supported switch models include:
– Cisco Catalyst Express 500 Series
– Cisco Catalyst 2900 XL
– Cisco Catalyst 2940/2950/2950 LRE/2955/2960
– Cisco Catalyst 3500 XL
– Cisco Catalyst 3550/3560/3750
– Cisco Catalyst 4000/4500/4948
– Cisco Catalyst 6000/6500

Supported 3750 service modules for Cisco 2800/3800 Integrated Services Routers (ISR) include:
– NME-16ES-1G
– NME-16ES-1G-P
– NME-X-23ES-1G
– NME-X-23ES-1G-P
– NME-XD-24ES-1S-P
– NME-XD-48ES-2S-P

Your Cisco NAC Appliance product license must enable OOB.
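The Out-of-Band control loop described above, as an added example (not Cisco code, not from this page's author): the switch sends linkup/linkdown or MAC notification traps, the NAC Server decides which VLAN the port belongs in, and pushes that decision back to the switch. Everything here is a stand-in model: the trap names, VLAN numbers, port names and MAC addresses are constructed, and the SNMP SET is represented by an in-memory method rather than a real SNMP call. The model also covers the two cases a defender cares about most: a linkdown must revert the port to the authentication VLAN, and a different MAC showing up on an already-authorized port must not inherit the previous host's VLAN.

```python
"""Toy model of NAC Appliance Out-of-Band (OOB) enforcement.

Added example, not Cisco code. The switch reports events to the NAC Server
as SNMP traps; the server answers with an SNMP SET of the port's access
VLAN. VLAN numbers, port names, MAC addresses and trap names are constructed.
"""
from dataclasses import dataclass, field

AUTH_VLAN = 10      # constructed: production VLAN for posture-compliant hosts
UNAUTH_VLAN = 999   # constructed: authentication/quarantine VLAN


@dataclass
class Switch:
    """Stand-in for a managed Catalyst switch: port -> VLAN plus a log of SETs."""
    ports: dict = field(default_factory=dict)
    snmp_sets: list = field(default_factory=list)

    def set_vlan(self, port: str, vlan: int) -> None:
        # In a real deployment this is an SNMP SET of the port's access VLAN.
        self.ports[port] = vlan
        self.snmp_sets.append((port, vlan))


@dataclass
class NacServer:
    switch: Switch
    sessions: dict = field(default_factory=dict)   # port -> MAC currently seen
    compliant: dict = field(default_factory=dict)  # MAC -> posture passed?

    def on_trap(self, trap: dict) -> int:
        """Handle one switch trap and return the VLAN the port ends up in."""
        kind, port = trap["trap"], trap["port"]
        if kind in ("linkup", "linkdown"):
            # New link or host gone: no session, port back to the auth VLAN.
            self.sessions.pop(port, None)
            self.switch.set_vlan(port, UNAUTH_VLAN)
        elif kind == "mac-notification":
            # A MAC appeared (or moved) on the port. A MAC that already passed
            # posture elsewhere keeps its access; any other MAC starts quarantined,
            # so a new host never inherits the previous host's VLAN.
            mac = trap["mac"]
            self.sessions[port] = mac
            target = AUTH_VLAN if self.compliant.get(mac) else UNAUTH_VLAN
            self.switch.set_vlan(port, target)
        else:
            raise ValueError(f"unknown trap type {kind!r}")
        return self.switch.ports[port]

    def posture_result(self, port: str, mac: str, passed: bool):
        """Called when authentication and posture assessment finish for a host."""
        self.compliant[mac] = passed
        # Only act if that MAC is still the one on the port.
        if self.sessions.get(port) == mac:
            self.switch.set_vlan(port, AUTH_VLAN if passed else UNAUTH_VLAN)
        return self.switch.ports.get(port)


def run_scenario() -> list:
    """Connect -> assess -> pass -> unplug -> a different, unassessed host plugs in."""
    sw, port = Switch(), "Gi1/0/5"
    nac = NacServer(sw)
    trace = [
        nac.on_trap({"trap": "linkup", "port": port}),
        nac.on_trap({"trap": "mac-notification", "port": port, "mac": "00:11:22:33:44:55"}),
        nac.posture_result(port, "00:11:22:33:44:55", passed=True),
        nac.on_trap({"trap": "linkdown", "port": port}),
        nac.on_trap({"trap": "linkup", "port": port}),
        nac.on_trap({"trap": "mac-notification", "port": port, "mac": "66:77:88:99:aa:bb"}),
    ]
    return trace


def run_mac_swap() -> list:
    """An authorized host is swapped for another MAC without any linkdown trap."""
    sw, port = Switch(), "Gi1/0/7"
    nac = NacServer(sw)
    return [
        nac.on_trap({"trap": "linkup", "port": port}),
        nac.on_trap({"trap": "mac-notification", "port": port, "mac": "aa:aa:aa:aa:aa:01"}),
        nac.posture_result(port, "aa:aa:aa:aa:aa:01", passed=True),
        nac.on_trap({"trap": "mac-notification", "port": port, "mac": "aa:aa:aa:aa:aa:02"}),
    ]


if __name__ == "__main__":
    print(run_scenario())   # [999, 999, 10, 999, 999, 999]
    print(run_mac_swap())   # [999, 999, 10, 999]
```

Read the trace as the VLAN the port sits in after each event. The model also shows why the 802.1X remark above matters: the port's VLAN is a single attribute, and here only the NAC Server writes it; a second controller writing the same attribute would have to win or lose every one of these transitions.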

Plus remember the first rule of Computer Fight Club...