We are currently looking into the features of a NAC appliance. From the reading I have done thus far, it seems like an edge architecture is the best architecture to go with. That being said, my question is this:
How many NAC appliances would I need to have for my entire LAN? I suspect the answer is only one, but I am unsure at this point. Thanks
Good question. I began looking into NAC myself. You can deploy NAC in your edge network or core network perimeters; what it comes down to is what devices throughout your network will be enforcement points, such as wireless, VPN devices, switches, routers, firewalls, etc. To my understanding, you need one NAC appliance along with its required components (ACS, etc.), but I am quite positive a redundant NAC solution can be deployed as well.
Here are some good links. NAC is a monster, so bear with me, as I am, like you, looking into this product.
The number of appliances, and here I'm referring to the servers that will enforce your policies, or CAS's as they're known, is driven largely by the access method of your users (wireless, VPN, remote site, etc.), as well as your current infrastructure. VPN and wireless access, for example, require an appliance to be inline, whereas regular LAN access users (often lots of them) would usually be addressed by an out-of-band appliance. Both of these may be deployed centrally.
What I'm getting at here is that you may have some in band appliances AND some out of band appliances - it's all dependent upon YOUR particular infrastructure. I would add that with an edge deployment you would likely require many more CAS's than with a central deployment, but that may just work fine in your infrastructure.
You will probably only need 1 CAS for each LAN, or 2 if you want HA. How many remote sites do you have? You can also have the CAM and CAS centrally located and use route-maps to direct the traffic back to the core office.