Specifications

ManualsBrandsEnterasys ManualsComputer equipment9034385

Inline NAC Design Procedures

5-30 Design Procedures

2. Determine the Number of NAC Controllers

ThenumberofNACControllerstobedeployedonthenetworkisafunctionofthefollowing

parameters:

•Thenetworktopology.

BecausetheNACControllerisplacedinlinewithtrafficsourcedfromconnectingend‐

systems,thenumberofNACControllersrequiredisdirectlydependentonthenetwork

topology.Afterthelocationof

theNACControllerisidentifiedfromthenetworktopology,the

minimumnumberofNACControllerscanbedetermined.

•ThenumberofSecurityDomainsconfiguredonthenetwork.

EachNACControllercanbeassociatedtoonlyoneSecurityDomain.Therefore,thenumber

ofNACControllersdeployedonthenetworkwillbegreater

thanorequaltothenumberof

SecurityDomainsconfiguredinNACManager.TosupportredundancyperSecurityDomain,

atleasttwoNACControllersmustbedeployedperSecurityDomain,asdiscussedbelow.

•ThenumberofusersanddevicesthatareconnectedtoeachSecurityDomain.

EachNACControllerappliancehasthe

capabilityofsupportingupto2000end‐systems

connecteddownstreamasshowninthefollowingtable.

ToidentifytheminimumnumberofNACControllersrequiredtosupportinlineNAC,usethe

followingformula:

Numberofconnectingend‐systemsinaSecurityDomain/Concurrentend‐systems

supportedbycontrollertype=

thenumberofrequiredNACControllersofthattype,per

SecurityDomain.

•TheconfigurationofNACControllerredundancy.

ToachieveredundancyateachlocationinthenetworkwheretheNACControlleris

positioned,anadditionalNACControllerisrequired,essentiallydoublingthetotalnumberof

requiredNACControllers.Redundancyimplementationdiffers

betweenLayer2andLayer3

Controllers.

ForaLayer2NACController,redundancyisachievedintwodifferentways.Redundancyfor

theNACPolicyEnforcementPoint(PEP)componentoftheNACControllerisachievedby

implementing802.1w/sspanningtreebetweentheredundantNACControllersasshownin

Figure 5‐9on

page 5‐31.RedundantLayer2NACControllersareactive‐passivewhenonly

onespanningtreeforoneVLANisconfiguredbetweentheNACControllers,andareactive‐

activewhenmultiplespanningtreesformultipleVLANsareconfiguredbetweenthe

redundantNACControllers.IfNACController#1ʹsPolicyEnforcementPoint(PEP)

stops

forwardingtraffic,thenetworkwillautomaticallyconvergevia802.1w/sspanningtreeto

forwardtrafficthroughNACController#2.

RedundancyfortheNACEnginecomponentoftheNACControllerisachievedbythe

redundantNACControllersusingeachotherasbackupRADIUSservers.IfNACController

#1ʹsEnginestops

processingRADIUSauthenticationrequests,theredundantNACEngine

willtakeoverprocessingRADIUSmessagesasshowninFigure 5‐9onpage 5‐31.

Table 5-5 End-System Limits for NAC Controllers

NAC Controller Model Concurrent End-Systems Supported

7S4280-19-SYS Up to 2000

2S4082-25-SYS Up to 2000