Cisco NAC Appliance 4.9.1 Technical Manual

NAC Layer 3 Out of Band Design Guide That Uses VRF-Lite for Traffic Isolation
Document ID: 108540
Contents
Introduction
 Prerequisites
      Requirements
      Components Used
      Conventions
 Configure
      Infrastructure Configuration
      Topology
      Process Flows
      Configuration
 NAC Configuration for Layer 3 OOB
      CAS Setup
 Verify
      Appendix A: Switch Configurations
 Troubleshoot
 Related Information
Introduction
Note: Information in this document can change without notice. Confirm all recommendations if possible.
The purpose of this document is to describe a VRF-Lite based implementation of NAC in a Layer 3 Out of
Band (OOB) deployment where the NAC server (CAS) is configured in Real IP Gateway (Routed) mode.
Layer 3 Out of Band has rapidly become one of the most popular deployment methodologies for NAC. This
shift in popularity is driven by several factors. The first is better utilization of hardware resources: by
deploying NAC in a Layer 3 OOB model, a single NAC Appliance can be scaled to accommodate more
users. It also allows the NAC Appliances to be centrally located rather than distributed across the campus
or organization. Layer 3 OOB deployments are therefore much more cost effective from both a capital and an
operational expense standpoint. There are two widely used approaches to deploy NAC in a Layer 3 OOB
architecture.
1. Discovery-Host based approach: Uses the inherent ability of the NAC Agent to reach the NAC Server
   (CAS). ACLs applied on the access switch control traffic enforcement on the Dirty network. Refer to
   Connecting to the NAC Server (CAS) using the SWISS Protocol for more information.
2. VRF based approach: Uses VRFs to route unauthenticated traffic to the CAS. Traffic policies configured
   on the NAC server (CAS) are used for enforcement on the Dirty network. This approach has two
   sub-approaches. In the first, VRFs are pervasive throughout the infrastructure, so all Layer 3 devices
   participate in the tag switching. The second uses VRF-Lite and GRE tunnels to carry the VRFs through
   the Layer 3 devices that do not understand tag switching. The benefit of the second approach is that
   minimal configuration changes are required to your core infrastructure.
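The VRF-Lite sub-approach in item 2, shown as an added configuration example that is not part of this document or of its Appendix A switch configurations: a distribution switch places the Dirty (unauthenticated) VLAN in a VRF and carries that VRF inside a GRE tunnel across a core that has no VRF awareness, to the central switch where the CAS untrusted interface lives. The security-relevant point is that the Dirty VRF's only exit is the tunnel, so an unauthenticated host has no path into the global (clean) routing table except through the CAS, which enforces the traffic policies. The VRF name DIRTY, the VLAN numbers, the loopback, tunnel and CAS addresses (CAS untrusted interface assumed at 10.200.1.2) and the RD are assumptions chosen for illustration; classic `ip vrf` syntax is used.

```cisco
! ---- Distribution (access-facing) switch ----
! VRF holding unauthenticated hosts; nothing in it is reachable from the global table
ip vrf DIRTY
 description Unauthenticated hosts, isolated from the clean routing table
 rd 65000:1
!
! Tunnel endpoint; lives in the global table and is routed normally across the core
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Dirty client VLAN (NAC OOB moves a port here until the user passes posture)
interface Vlan110
 description Dirty (unauthenticated) client VLAN
 ip vrf forwarding DIRTY
 ip address 10.110.0.1 255.255.255.0
!
! GRE tunnel: payload is in the VRF, outer IP header is routed in the global table
interface Tunnel100
 description GRE carrying the DIRTY VRF over the non-VRF core to the CAS switch
 ip vrf forwarding DIRTY
 ip address 10.255.100.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.0.0.2
!
! Only default route in the VRF points into the tunnel; no leak into the global table
ip route vrf DIRTY 0.0.0.0 0.0.0.0 Tunnel100 10.255.100.2
!
! ---- Central (CAS-side) switch ----
ip vrf DIRTY
 description Untrusted side of the CAS
 rd 65000:1
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface Tunnel100
 description Far end of the GRE tunnel from the distribution switch
 ip vrf forwarding DIRTY
 ip address 10.255.100.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.0.0.1
!
! VLAN where the CAS untrusted interface (assumed 10.200.1.2) is attached
interface Vlan200
 description CAS untrusted interface VLAN (Real IP Gateway mode)
 ip vrf forwarding DIRTY
 ip address 10.200.1.1 255.255.255.0
!
! Dirty subnet is reachable only through the tunnel, inside the VRF
ip route vrf DIRTY 10.110.0.0 255.255.255.0 Tunnel100 10.255.100.1
! Everything else leaving the VRF goes to the CAS, which applies the traffic policies
ip route vrf DIRTY 0.0.0.0 0.0.0.0 10.200.1.2
```

The `ip mtu 1400` and `ip tcp adjust-mss 1360` lines account for the 24 bytes of GRE plus outer IP overhead; without them, hosts on the Dirty VLAN that send full-size frames see fragmentation or silent drops in the core. The CAS itself still needs a static route for 10.110.0.0/24 via 10.200.1.1 on its untrusted side, and the clean network needs a route for that prefix toward the CAS trusted interface; both are CAS-side settings outside this fragment. To verify isolation on either switch, `show ip route vrf DIRTY` should list the Dirty prefixes and the tunnel, `show ip route 10.110.0.0` in the global table should report that the network is not in the table, and `ping vrf DIRTY 10.200.1.2 source 10.110.0.1` should succeed while the same ping without `vrf DIRTY` fails.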
Note: While Layer 3 OOB is one of the most common deployment methodologies, it is not always the
optimal solution for every environment. There are other options to choose from that can be a more optimum