
ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get tips for deploying the NAC network module for the Cisco Integrated Services Router (ISR) to enforce security policies at the branch, with Mahesh Naidu and Alok Agrawal. Mahesh is a product manager for Cisco NAC Appliance, where he is primarily responsible for the Cisco NAC Network Module and Cisco NAC Profiler. He has worked at Cisco since 2001, holding engineering positions focusing on service provider technologies before moving to product management. Alok joined Cisco Systems Inc. as an engineer in the Technical Assistance Center (TAC) LAN switching group in September 2003. He is currently the technical marketing engineer for the Cisco NAC Appliance.

Remember to use the rating system to let Mahesh and Alok know if you have received an adequate response.

Mahesh and Alok might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 2, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

48 REPLIES
Silver

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Hello -

Which Cisco routers support the NAC network module?

Thanks - Tom

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

The Cisco NAC Network Module is supported on modular integrated services routers with a network module slot; that is, the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Router platforms. Note that the Cisco NAC Network Module is not supported on Cisco 3700 or 2600XM Routers.

Silver

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Hi,

Can you tell me how many simultaneous users the Cisco NAC Network Module can support?

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

The Cisco NAC Network Module comes in two licensing options designed for branch office deployments: one supports 50 simultaneous users and the other 100.

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Hello,

Does NAC Network Module need to work with NAC Clean Access Manager server?

And I noticed earlier that Cisco may release a product called "NAC-one". Can you tell me something more about that?

Regards

L.Lai

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Yes, the NAC Network Module will be managed by the NAC Clean Access Manager server.

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

NAC-CAM site failover design scenario:

The customer has two DCs, Main and DR. A redundant NAC-CAM pair is in the main data center, and every remote office has a single NAC-NM. If they lose the main DC WAN connection, all remotes will connect to the DR site. How do we provide NAC-CAM redundancy in this scenario? Use another CAM at the DR site?

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

i. For intermittent WAN connectivity loss, you can use the "Fail-Open" option, which will allow users to get onto the remote network.

ii. If the main site (or the WAN link) goes down, the option would be to use another CAM at the DR site.
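The "Fail-Open" option Mahesh describes is a deliberate security trade-off: while the branch cannot reach the CAM, hosts are admitted without a posture verdict, so the policy is effectively suspended until connectivity returns, whereas fail-closed keeps the policy strict at the cost of locking new users out of the branch. The model below is an added example written for this thread, not code from the original posts or from Cisco NAC Appliance; the class and method names, the heartbeat timeout, and the idea of tracking hosts admitted unverified so they can be re-assessed on recovery are all assumptions for illustration, not product behaviour.

```python
"""Model of the admission decision at a branch enforcement point when the
central policy manager (the CAM in the thread above) becomes unreachable.

Hypothetical example code: class, method and timeout names are assumptions,
not Cisco NAC Appliance APIs or defaults.
"""
from dataclasses import dataclass, field
from enum import Enum


class OutageMode(Enum):
    FAIL_OPEN = "fail-open"      # keep the branch working; admit unverified hosts
    FAIL_CLOSED = "fail-closed"  # keep the policy strict; admit no new hosts


@dataclass(frozen=True)
class Decision:
    admit: bool
    reason: str
    unverified: bool = False     # admitted without a posture verdict


@dataclass
class BranchEnforcer:
    mode: OutageMode
    heartbeat_timeout: float     # seconds without a manager keepalive before we declare an outage (assumed)
    last_heartbeat: float = float("-inf")
    # Hosts admitted during an outage; they still owe a posture check.
    unverified_hosts: set = field(default_factory=set)

    def heartbeat(self, now: float) -> None:
        """Record a successful keepalive from the policy manager."""
        self.last_heartbeat = now

    def manager_reachable(self, now: float) -> bool:
        return now - self.last_heartbeat <= self.heartbeat_timeout

    def decide(self, host: str, now: float, posture_compliant) -> Decision:
        """Admission decision for one host.

        posture_compliant is the manager's verdict (True/False), or None when
        no verdict could be obtained. A recent heartbeat but no verdict is
        treated as an outage too: the safe assumption is that we know nothing.
        """
        if self.manager_reachable(now) and posture_compliant is not None:
            if posture_compliant:
                return Decision(True, "compliant")
            return Decision(False, "non-compliant")
        if self.mode is OutageMode.FAIL_OPEN:
            self.unverified_hosts.add(host)
            return Decision(True, "manager unreachable, fail-open", unverified=True)
        return Decision(False, "manager unreachable, fail-closed")

    def recover(self, now: float) -> set:
        """Manager is reachable again: record the heartbeat and hand back the
        hosts admitted unverified so the caller can force a re-assessment."""
        self.heartbeat(now)
        pending, self.unverified_hosts = self.unverified_hosts, set()
        return pending


def walkthrough() -> dict:
    """Constructed timeline (not captured data): heartbeat, outage, recovery."""
    open_ep = BranchEnforcer(OutageMode.FAIL_OPEN, heartbeat_timeout=30)
    closed_ep = BranchEnforcer(OutageMode.FAIL_CLOSED, heartbeat_timeout=30)
    for ep in (open_ep, closed_ep):
        ep.heartbeat(now=0)
    results = {}
    # Manager reachable: verdicts are enforced as usual.
    results["open_normal"] = open_ep.decide("host-a", now=10, posture_compliant=True)
    results["open_noncompliant"] = open_ep.decide("host-b", now=10, posture_compliant=False)
    # No heartbeat since t=0; at t=45 the 30 s timeout has expired.
    results["open_outage"] = open_ep.decide("host-c", now=45, posture_compliant=None)
    results["closed_outage"] = closed_ep.decide("host-c", now=45, posture_compliant=None)
    # WAN returns: fail-open branch must re-check whoever it let in blind.
    results["open_recovery"] = open_ep.recover(now=60)
    return results


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The point a practitioner should take from the model is the `unverified` flag and the `recover()` return value: if fail-open is chosen for WAN resilience, the hosts admitted during the outage need to be logged and pushed back through posture assessment once the CAM is reachable, otherwise the outage becomes a permanent bypass for anything that connected during it.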

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

What is the best option to deploy NAC for HQ + many remote sites with LAN and WLAN w/ H-REAP AP enabled.

Option 1: Central NAC, L3-OOB for LAN, L2-IB for WLAN (WLAN needs IB); not sure how WLAN H-REAP works here?

Option 2: Edge deployment, NAC OOB for LAN and NAC IB for WLAN.

Does the NAC-NM support both IB and OOB? If yes, we can only use either IB or OOB at a time, right?

Bronze

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Hey Kevin,

Thanks for your post.

The NAC Appliance and the NAC NM can be IB or OOB, but not both at the same time.

For wireless, we have to do IB, for lan we can do OOB.

Both options above are valid, you can have a distributed model with a NAC server or NM at each remote site, or a central model.

With H-REAP enabled, the wireless user traffic will be switched by the local AP instead of being tunneled back to the WLC. Hence this depends on where your NAC Server is connected, whether it is behind the WLC or logically behind all the APs.

hope this helps.

regards

-alok

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Thanks Alok for your reply!

I'm trying to put together all different scenarios to fit in different situations for LAN/WLAN access.

Here is another option--option3:

Central deployment OOB for all LAN access (HQ + remotes), and edge deployment IB for all WLAN (HQ + remotes). So we will have a big CAS-FB at HQ for all HQ LANs + remote LANs, and a smaller CAS (or CAS-NM) at the edge for all WLANs + H-REAP.

Of the three options above, which one would be best?

From the WLAN deployment and performance perspective, do you think the Edge-IB deployment is easier/better than the Central-IB?

For the H-REAP AP traffic at the edge CAS, we don't want the Guest SSID to hit the NAC-CAS, internal SSID only. The H-REAP AP is on a trunk port, so I guess the edge CAS is logically behind the central WLC. Will this topology work fine when the edge CAS is in IB-VG mode? All Cisco R/S in the design, no other vendors.

thanks.

Bronze

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Hey Kevin,

If your WLC is at the central site, then I would recommend a central OOB and a central IB NAC server.

If the WLC is local at the remote site, then you can go with option 3.

regards

-alok

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

We usually see a mixed environment for WLC deployment. A large remote site has a local WLC, but a small remote site has no local WLC, only H-REAP APs. So in general, we should deploy the NAC-CAS in edge IB mode whenever there is a local WLC, and if the site has only H-REAP APs (no WLC), we should use the central NAC-CAS-IB for wireless users. Is that the right approach?

thanks so much.

-Kevin

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

hi

this is ani

I want to know how we will talk from a Cisco router to Extreme.

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Hi all,

We're planning to implement the NAC framework in a network.

There are users in LAN and in branch offices.

We have an ACS server, switches, routers, and McAfee antivirus.

What other components do we need for the implementation?

Would you like to give some information about things to do and configuration?

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

This forum is for NAC Network Module and NAC Profiler questions; for generic questions please use the existing aliases.

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Can you please elaborate more on your question?

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Hi,

Can we also ask questions regarding the NAC framework (especially the ACS Solution Engine / ACS Appliance)? Or is it just the NAC appliance that is discussed?

Thank you

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

This forum is for NAC Network Module and NAC Profiler questions; for general questions please use the existing aliases.

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Is there a low-end Profiler on the roadmap?

The NAC3350-PROF-K9 is overkill for most SMBs.

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Currently we do not have an SMB-type Profiler version; please send your business case to the alias so that it gets on the roadmap.

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

I have a CAM controlling 2 CASs. One CAS is IB the other OOB. I am not happy at all with OOB implementation and am planning on converting the OOB to IB. Are there any problems that you know of or any gotchas that I should be aware of in order to run multiple IB CASs?

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

The CAM is capable of handling CASs in both IB and OOB mode, so there won't be any issues handling multiple IB CASs.

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

I have point-to-point connectivity. From router A I am able to ping all VLANs, but from router B I am not able to ping that VLAN IP; it reaches only as far as Fa0/0.

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Please use the generic alias with more details regarding the issue.

Cisco Employee

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Hi there,

I have a scenario where granular control of the users accessing the network is needed: 1 HQ office (ISR 38xx), 7 branches (28xx), and each branch has a varying number of satellite offices (87x). All the ISRs have the Advanced IP Services IOS. How would I propose a NAC scheme? Can branch offices with an NM-NAC be used to control network access for users in their respective satellite offices? Which would be better, IB or OOB? Thanks in advance!

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Yes, you can use the NM-NAC in the branch offices, such that traffic from the satellite office goes through the NAC module in the branch office. IB would be the recommended option.

Cisco Employee

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

Thanks Mahesh. I have a variation on my scenario: I probably won't be able to use the NMs, as I'd have to support more than 100 users. Would you still recommend IB? And, in case I have to implement OOB and have users connecting directly to the switch ports of an ISR 877, will these switch ports work with the NAC appliance? Or would I have to resort to compatible switches behind the routers?

New Member

Re: ASK THE EXPERT - NETWORK ADMISSION CONTROL IN BRANCH OFFICE

You are right: for OOB there need to be compatible switches (or EtherSwitch modules) behind the routers. Here's the switch support URL:

http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/switch_spt.html

Otherwise IB is the option, whether using an NM or an appliance.
