Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 4 Switch Management: Configuring Out-of-Band (OOB) Deployment
Overview
In-Band Versus Out-of-Band
Table 4-1 summarizes the different characteristics of each type of deployment.
Out-of-Band Requirements
Out-of-band implementation of Cisco NAC Appliance requires the following to be in place:
• Controlled switches must be supported models (or service modules) that use at least the minimum supported version of IOS or CatOS (supporting mac-notification or linkup/linkdown SNMP traps).
Supported switch models include:
Cisco Catalyst Express 500 Series
Cisco Catalyst 2900 XL
Cisco Catalyst 2940/2950/2950 LRE/2955/2960
Cisco Catalyst 3500 XL
Cisco Catalyst 3550/3560/3750
Cisco Catalyst 4000/4500
Cisco Catalyst 6000/6500
Supported 3750 service modules for Cisco 2800/3800 Integrated Services Router (ISR) include:
NME-16ES-1G
NME-16ES-1G-P
NME-X-23ES-1G
NME-X-23ES-1G-P
Table 4-1 In-Band vs. Out-of-Band Deployment

| In-Band Deployment Characteristics | Out-of-Band Deployment Characteristics |
|---|---|
| The Clean Access Server (CAS) is always inline with user traffic (both before and following authentication, posture assessment and remediation). Enforcement is achieved through being inline with traffic. | The Clean Access Server (CAS) is inline with user traffic only during the process of authentication, assessment and remediation. Following that, user traffic does not come to the CAS. Enforcement is achieved through the use of SNMP to control switches and VLAN assignments to ports. |
| The CAS can be used to securely control authenticated and unauthenticated user traffic by using traffic policies (based on port, protocol, subnet), bandwidth policies, and so on. | The CAS can control user traffic during the authentication, assessment and remediation phase, but cannot do so post-remediation since the traffic is out-of-band. |
| Does not provide switch port level control. | Provides port-level control by assigning ports to specific VLANs as necessary. |
| In-Band deployment is required when deploying for wireless networks. | OOB deployment model does not apply to wireless networks. |
| In-Band deployment is compatible with 802.1x. | It is not recommended to use 802.1x with OOB deployment, as conflict will exist between Cisco NAC Appliance OOB and 802.1x to set the VLAN on the interface/port. |
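The OOB enforcement model in Table 4-1 (host lands in an authentication VLAN on linkup/mac-notification, is inline with the CAS only until posture succeeds, then the switch port is moved to the access VLAN via SNMP, and reverts on linkdown) is easiest to reason about as a small port state machine. The following is an added illustration written for this page, not Cisco's own Clean Access Manager code: the trap records are constructed, the VLAN numbers (110 for authentication, 10 for access) are assumed, and the SNMP write is modelled as an appended `(port, vlan)` tuple rather than a real SNMP set against a Catalyst switch.

```python
"""Model of out-of-band (OOB) switch-port control as described in Table 4-1.

Added example, not Cisco code. The switch, its traps and the SNMP write are
all stand-ins; VLAN ids and port names are assumed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class PortState(Enum):
    UNUSED = "unused"        # no host on the port
    AUTH = "auth_vlan"       # host is in-band with the CAS: authentication, assessment, remediation
    ACCESS = "access_vlan"   # host passed; its traffic no longer reaches the CAS


@dataclass
class SwitchPort:
    name: str
    auth_vlan: int           # assumed VLAN the CAS sees (in-band phase)
    access_vlan: int         # assumed production VLAN (out-of-band phase)
    vlan: Optional[int] = None
    state: PortState = PortState.UNUSED
    mac: Optional[str] = None


class OobController:
    """Reacts to switch traps and CAS posture results the way the manual describes.

    Any other agent writing the same port's VLAN (802.1x dynamic VLAN assignment,
    for example) would race with these writes; that is the conflict Table 4-1 warns about.
    """

    def __init__(self, ports: List[SwitchPort]) -> None:
        self.ports = {p.name: p for p in ports}
        self.snmp_writes: List[Tuple[str, int]] = []   # stand-in for SNMP set operations

    def _set_vlan(self, port: SwitchPort, vlan: int) -> None:
        port.vlan = vlan
        self.snmp_writes.append((port.name, vlan))

    def on_trap(self, trap: dict) -> None:
        """Handle a linkup / linkdown / mac-notification trap (constructed dict form)."""
        port = self.ports[trap["port"]]
        kind = trap["trap"]
        if kind in ("linkup", "mac-notification"):
            # a host appeared: it must start in the auth VLAN so the CAS is inline
            port.mac = trap.get("mac")
            port.state = PortState.AUTH
            self._set_vlan(port, port.auth_vlan)
        elif kind == "linkdown":
            # host left: return the port to the auth VLAN so the next host is not
            # silently granted the previous host's access
            port.mac = None
            port.state = PortState.UNUSED
            self._set_vlan(port, port.auth_vlan)
        else:
            raise ValueError(f"unsupported trap type: {kind}")

    def on_posture_result(self, port_name: str, passed: bool) -> None:
        """CAS reports the outcome of authentication/assessment for the host on a port."""
        port = self.ports[port_name]
        if port.state is not PortState.AUTH:
            raise RuntimeError(f"{port_name}: posture result while not in auth VLAN")
        if passed:
            port.state = PortState.ACCESS
            self._set_vlan(port, port.access_vlan)   # traffic goes out-of-band from here
        # on failure the host stays in the auth VLAN, still inline with the CAS, for remediation


def run_demo() -> dict:
    """Drive two ports through constructed events and return the observable results."""
    ctl = OobController([
        SwitchPort("Gi0/1", auth_vlan=110, access_vlan=10),
        SwitchPort("Gi0/2", auth_vlan=110, access_vlan=10),
    ])
    # constructed trap records (not real SNMP varbinds)
    ctl.on_trap({"trap": "linkup", "port": "Gi0/1", "mac": "00:11:22:33:44:55"})
    ctl.on_posture_result("Gi0/1", passed=True)
    ctl.on_trap({"trap": "mac-notification", "port": "Gi0/2", "mac": "00:11:22:33:44:66"})
    ctl.on_posture_result("Gi0/2", passed=False)   # host needs remediation: stays in 110
    ctl.on_trap({"trap": "linkdown", "port": "Gi0/1"})
    return {
        "writes": list(ctl.snmp_writes),
        "gi0_1": (ctl.ports["Gi0/1"].state, ctl.ports["Gi0/1"].vlan),
        "gi0_2": (ctl.ports["Gi0/2"].state, ctl.ports["Gi0/2"].vlan),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point worth noticing is the linkdown branch: the port is written back to the authentication VLAN rather than left in the access VLAN, so a new host plugging into a port a compliant host just vacated has to go through the in-band phase again instead of inheriting the previous assignment.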