Specifications

ManualsBrandsHP ManualsComputer equipment3350 - Cisco NAC Appliance

100

3-2

Cisco NAC Appliance - Clean Access Manager Configuration Guide

OL-28003-01

Chapter 3 Switch Management: Configuring Out-of-Band Deployment

Overview

In-Band Versus Out-of-Band

Table 3-1 summarizes different characteristics of each type of deployment.

Out-of-Band Requirements

Out-of-band implementation of Cisco NAC Appliance requires the following to be in place:

• Controlled switches must be supported models (or service modules) that use at least the minimum

supported version of IOS or CatOS (supporting MAC change notification/MAC move notification

or linkup/linkdown SNMP traps).

Supported switch models include:

–

Cisco Catalyst Express 500 Series

–

Cisco Catalyst 2900 XL

–

Cisco Catalyst 2940/2950/2950 LRE/2955/2960

–

Cisco Catalyst 3500 XL

–

Cisco Catalyst 3550/3560/3750/3850

–

Cisco Catalyst 4000/4500/4948

–

Cisco Catalyst 6000/6500

Table 3-1 In-Band vs. Out-of-Band Deployment

In-Band Deployment Characteristics Out-of-Band Deployment Characteristics

The Clean Access Server (CAS) is always inline

with user traffic (both before and following

authentication, posture assessment and

remediation). Enforcement is achieved through

being inline with traffic.

The Clean Access Server (CAS) is inline with user

traffic only during the process of authentication,

assessment and remediation. Following that, user

traffic does not come to the CAS. Enforcement is

achieved through the use of SNMP to control

switches and VLAN assignments to ports.

The CAS can be used to securely control

authenticated and unauthenticated user traffic by

using traffic policies (based on port, protocol,

subnet), bandwidth policies, and so on.

The CAS can control user traffic during the

authentication, assessment and remediation phase,

but cannot do so post-remediation since the traffic

is Out-of-Band.

Does not provide switch port level control. Provides port-level control by assigning ports to

specific VLANs as necessary.

In-Band deployment is supported when deploying

for wireless networks.

Wireless OOB requires a specific network

topology and configuration. For more

information, see Chapter 4, “Wireless LAN

Controller Management: Configuring Wireless

Out-of-Band Deployment.”

Cisco NAC Appliance In-Band deployment with

supported Cisco switches is compatible with

802.1x

Cisco does not recommend using 802.1x in an

OOB deployment, as conflicts will likely exist

between Cisco NAC Appliance OOB and 802.1x

to set the VLAN on the switch interfaces/ports.