NAC 4.1

Answered Question
Apr 29th, 2010

Hello friends,

Please find the flow chart design for deploying NAC.

Installing NAC for the first time, I'm a little bit confused about what design I should choose. It is a corporate network with access switches, a core switch, an ASA firewall, and ACS.

I have multi-vendor switches in my network, HP switches as well as Cisco on the access layer, and on the core I have an HP 5406. I have read the NAC book from Cisco Press. It says that you should choose In-Band mode when you have multi-vendor switches in your network. So what I'm thinking is In-Band mode, layer 2 adjacency with real IP gateway or virtual IP.

But wherever I see the documentation on the Cisco website, it is all for OOB network mode (real as well as virtual). I'm not able to find any configuration example for In-Band layer 2 adjacency in real IP gateway or virtual gateway.

Is my thinking wrong? Please guide me on which mode I should choose, and route me to the proper configuration example.

Thanks

Faisal Sehbai Thu, 04/29/2010 - 23:58

Estela,

You're right that with multi-switch vendors IB is your only available option. Your best bet for design help with IB would be the chalk talk series. If you haven't viewed them yet, please give them a whirl.

Chalktalks can be found here: http://bit.ly/chalktalks

Look at the first and second chalk talk in particular.

HTH,

Faisal

surcisco123 Fri, 04/30/2010 - 03:34

Hello Faisal,

With multi-vendor switches we should use In-Band mode, but does In-Band mode support virtual gateway? According to my knowledge, in In-Band mode traffic is always flowing from the NAC server, so how can we configure a virtual mode in In-Band mode?

Please have a look at the attached file from Estela. It is showing, for non-supported switches, In-Band mode with layer 2 adjacency in real IP gateway and also with virtual IP gateway. How is it possible? Please guide.

Thanks

Correct Answer
Faisal Sehbai Fri, 04/30/2010 - 20:53

Kamran,

Not sure I understand the question completely, but I can tell for sure that VPN is supported IB with RIP and VGW both. In VGW the VLANs are different on the trusted and untrusted side and, worst case scenario, if a switch misbehaves or doesn't work "right" with NAC, you can place it in true edge deployment to make it work. In short, it's possible.

HTH,

Faisal

estelamathew Tue, 05/04/2010 - 11:36

Thanks Faisal

You have provided a very good link to clear the picture for IB and OOB.
