Cisco Support Community
NAC 4.1

Hello friends,

Please find the flow chart design for deploying NAC.

Installing NAC for the first time, I am a little bit confused about what design I should choose. It is a corporate network with access switches, a core switch, an ASA firewall, and ACS.

I have multi-vendor switches in my network, HP switches as well as Cisco on the access layer, and on the core I have an HP 5406. I have read the NAC book from Cisco Press. It says that you should choose in-band mode when you have multi-vendor switches in your network. So what I am thinking is in-band mode, Layer 2 adjacency with real IP gateway or virtual IP.

But wherever I see the documents on the Cisco website, they are all for OOB network mode (real as well as virtual). I am not able to find any configuration example for in-band Layer 2 adjacency in real IP gateway or virtual gateway.

Is my thinking wrong? Please guide me on which mode I should choose, and route me to the proper configuration example.

Thanks

4 REPLIES

Re: NAC 4.1

Estela,

You're right that with multi-switch vendors IB is your only available option. Your best bet for design help with IB would be the chalk talk series. If you haven't viewed them yet, please give them a whirl.

Chalktalks can be found here: http://bit.ly/chalktalks

Look at the first and second chalk talk in particular.

HTH,

Faisal


Re: NAC 4.1

Hello Faisal,

With multi-vendor switches we should use in-band mode, but does in-band mode support virtual gateway? According to my knowledge, in in-band mode traffic is always flowing from the NAC server, so how can we configure virtual mode in in-band mode?

Please have a look at the attached file from Estela. It shows, for non-supported switches, in-band mode with Layer 2 adjacency in real IP gateway and also with virtual IP gateway. How is that possible? Please guide.

Thanks

Re: NAC 4.1

Kamran,

Not sure I understand the question completely, but I can tell for sure that VPN is supported IB with RIP and VGW both. In VGW the VLANs are different on the trusted and untrusted side, and worst case scenario, if a switch misbehaves or doesn't work "right" with NAC, you can place it in true edge deployment to make it work. In short, it's possible.

HTH,

Faisal


Re: NAC 4.1

Thanks Faisal,

You have provided a very good link to clear up the picture for IB and OOB.
