Cisco NAC - L2 0-0-B VG Mode=>Untrusted Networks:How big/how many Untrusted Subnets per CAS?

Unanswered Question
Jun 11th, 2010

Network Infrastructure Overview:

- Preferred NAC Mode: L2 O-O-B Virtual Gateway Mode (DHCP Passthrough)
- Roughly 4 Layer 3 boundary blocks, each terminated by a Layer 3 switch
- Layer 2 communication within a block, Layer 3 between blocks
- ~1500 nodes per block; ~10-12 Layer 2 switches per block
- 2 CAMs and Profiler centrally located at the CORE tying together the 4 blocks
- 1 CAS or 2 CASes per block depending on block size

- KEY QUESTION: For the UNTRUSTED NETWORK, what would be an ideal SIZE PER SUBNET / NUMBER OF SUBNETS needed for smooth operation within one Layer 3 block being served by 1 CAS (or two if significantly large)?

Additional notes:

I just need a rough estimate for perspective's sake. Also, looking at the rules on the Cisco website, I don't specifically see a mention of how extra untrusted subnets per CAS are defined (supposing you wanted to use more than one untrusted subnet per CAS), or why it would be suitable/unsuitable to use multiple untrusted subnets.

Your input is appreciated in advance.

Faisal Sehbai Fri, 06/11/2010 - 20:05
User Badges: Gold, 750 points or more


Sizing NAC solutions isn't really my specialty, so take this with a grain of salt, but from what you've described so far, your line of thought would work out well. A single CAS server can easily handle up to 5K users (simultaneous), and your numbers are way below that.

For more questions, please share a network diagram with VLANs and IP Subnets marked to shine more light on them.
