Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get tips for deploying the NAC network module for the Cisco Integrated Services Router (ISR) to enforce security policies at the branch, with Mahesh Naidu and Alok Agrawal. Mahesh is a product manager for Cisco NAC Appliance, where he is primarily responsible for the Cisco NAC Network Module and Cisco NAC Profiler. He has worked at Cisco since 2001, holding engineering positions focusing on service provider technologies before moving to product management. Alok joined Cisco Systems Inc. as an engineer in the Technical Assistance Center (TAC) LAN switching group in September 2003. He is currently the technical marketing engineer for the Cisco NAC Appliance.
Remember to use the rating system to let Mahesh and Alok know if you have received an adequate response.
Mahesh and Alok might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 2, 2007. Visit this forum often to view responses to your questions and the questions of other community members.
The Cisco NAC Network Module is supported on modular integrated services routers with a network module slot; that is, the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Router platforms. Note that the Cisco NAC Network Module is not supported on Cisco 3700 or 2600XM Routers.
The Cisco NAC Network Module comes in two licensing options designed for branch office deployments: one supports 50 simultaneous users and the other 100 simultaneous users.
Does the NAC Network Module need to work with a NAC Clean Access Manager server?
And I noticed earlier that Cisco may release a product called "NAC-one". Can you tell us something more about that?
NAC-CAM site failover design scenario:
Customer has two DCs, Main and DR. The redundant NAC-CAM is in the main data center; all remote offices have a single NAC-NM. If they lose the main DC WAN connection, all remotes will connect to the DR site. How do we provide NAC-CAM redundancy in this scenario? Use another CAM at the DR site?
i. For intermittent WAN connectivity loss, you can use the "Fail-Open" option, which will allow users to get onto the remote network.
ii. If the main site goes down (or the WAN link), the option would be to use another CAM at the DR site.
What is the best option to deploy NAC for HQ + many remote sites with LAN and WLAN with H-REAP APs enabled?
Option 1: Central NAC, L3-OOB for LAN, L2-IB for WLAN (WLAN needs IB); not sure how WLAN H-REAP works here?
Option 2: Edge deployment, NAC OOB for LAN and NAC IB for WLAN.
Does the NAC-NM support both IB and OOB? If yes, we can only use either IB or OOB at a time, right?
Thanks for your post.
The NAC Appliance and the NAC NM can be IB or OOB, but not both at the same time.
For wireless, we have to do IB; for LAN we can do OOB.
Both options above are valid: you can have a distributed model with a NAC server or NM at each remote site, or a central model.
With H-REAP enabled, the wireless user traffic will be switched by the local AP instead of being tunneled back to the WLC. Hence this depends on where your NAC Server is connected, whether it is behind the WLC or logically behind all the APs.
Hope this helps.
Thanks Alok for your reply!
I'm trying to put together all different scenarios to fit in different situations for LAN/WLAN access.
Here is another option, option 3:
Central deployment OOB for all LAN access (HQ + remotes), and edge deployment IB for all WLAN (HQ + remotes). So we will have a big CAS-FB at HQ for all LANs + remote LANs, and a smaller CAS or CAS-NM at the edge for all WLANs + H-REAP.
Of the 3 options above, which one would be best?
From the WLAN deployment and performance perspective, do you think the Edge-IB deployment is easier/better than the Central-IB?
For the H-REAP AP traffic at the Edge-CAS, we don't want the Guest SSID to hit the NAC-CAS, internal SSID only. The H-REAP AP is on a trunk port, so I guess the Edge CAS is logically behind the Central WLC. Will this topology work fine when the Edge-CAS is in IB-VG mode? All Cisco R/S in the design, no other vendors.
If your WLC is at the central site, then I would recommend a central OOB and a central IB NAC server.
If the WLC is local at the remote site, then you can go with option 3.
We usually see a mixed environment for WLC deployment. For a large remote site there's a local WLC, but for a small remote site there's no local WLC; it will be H-REAP APs. So in general, we should deploy the NAC-CAS in Edge IB mode whenever there's a local WLC; if the site has H-REAP APs (no WLC), we should use the Central NAC-CAS-IB for wireless users. Is that the right approach?
Thanks so much.
We're planning to implement the NAC framework in a network.
There are users in the LAN and in branch offices.
We have an ACS server, switches, routers, and McAfee antivirus.
What other components do we need for the implementation?
Could you give some information about the things to do and the configuration?
This forum is for NAC Network Module and NAC Profiler questions; for generic questions please use the existing aliases.
Can we also ask questions regarding the NAC framework (especially the ACS Solution Engine / ACS Appliance)? Or is it just the NAC appliance that is discussed?
This forum is for NAC Network Module and NAC Profiler questions; for general questions please use the existing aliases.
Currently we do not have an SMB-type Profiler version; please send your business case to the alias so that it gets on the roadmap.
I have a CAM controlling 2 CASs. One CAS is IB, the other OOB. I am not happy at all with the OOB implementation and am planning on converting the OOB to IB. Are there any problems that you know of or any gotchas that I should be aware of in order to run multiple IB CASs?
The CAM is capable of handling the CAS in both IB and OOB mode, so there won't be any issues handling multiple IB CASs.
I have point-to-point connectivity. From router A I am able to ping all VLANs, but from router B I am not able to ping that VLAN IP; it reaches till Fa0/0.
I have this scenario where granular control of the users accessing the net is needed: 1 HQ office (ISR 38xx), 7 branches (28xx), and each branch has a varying number of satellite offices (87x). All the ISRs have the Adv IP Services IOS. How would I propose a NAC scheme? Can branch offices, with NM-NAC, be used to control access to the network for users in their respective satellite offices? Which would be better, IB or OOB? Thanks in advance!
Yes, you can use NM-NAC in the branch offices, such that traffic from the satellite office goes through the NAC module in the branch office. IB would be the recommended option.
Thanks Mahesh. I have a variation here to my scenario: probably I won't be able to use the NMs, as I'd have to support more than 100 users. Would you still recommend IB? And, in case I have to implement OOB and have users connecting directly to the switch ports of an ISR 877, will these switch ports play with the NAC appliance? Or would I have to resort to compatible switches behind the routers?
You are right: for OOB it needs to be compatible switches (or EtherSwitch modules) behind the routers. Here's the switch support URL.
Otherwise IB is the option, whether using an NM or an appliance.