Cisco NAC Appliance 4.9.4 Technical Manual

fit for your particular requirements. Refer to Planning Your Deployment for more information on these other
NAC design options.
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
• A basic understanding of Layer 2 and Layer 3 infrastructure operation and configuration
• A basic understanding of the Cisco NAC appliance, and the differences between the various implementation methodologies that are associated with it
• All NAC deployments and designs should be based on clear business requirements. These are the business requirement assumptions for this test setup:
  1. Users must be authenticated prior to being granted access to the network at large.
  2. Access is limited based on who the user is. These privileges are mapped to Group Membership in Active Directory. The groups are Guests, Contractors, and Employees.
  3. Based on AD Group Membership, users are placed into a VLAN that has Network Access Privileges that are appropriate for each group.
  4. Guest User traffic continues to be isolated from the rest of the network even after authentication.
  5. After the user is admitted to the network, the NAC Appliance must no longer be in the traffic path. This prevents the NAC Appliance from becoming a bottleneck and allows the network to be used to its full potential by validated users.
• NAC has many capabilities that are not covered by this document. The purpose of this guide is to explore and document the design guidelines and configuration required for a VRF-Lite based Layer 3 Out of Band NAC deployment. This guide does not focus on Posture Assessment or Remediation. More information about the NAC Appliance and its full capabilities can be found at www.cisco.com/go/nac (registered customers only).
Components Used
This document is not restricted to specific software and hardware versions.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
Infrastructure Configuration
Introduction:
When considering a VRF-Lite based Layer 3 OOB NAC deployment, there are several design principles that are very important to consider. These principles are listed here, and a brief discussion of their importance is included.
1. Traffic Classification and Engineering: A key concept to realize and remember for this type of NAC design is that traffic classified as Dirty must flow into the UnTrusted side of the NAC Server (CAS). Always keep this principle top of mind during the design of a NAC implementation.
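The traffic-classification principle above, together with business requirements 4 and 5, can be checked mechanically before any switch is configured. The following Python model is an added example and is not part of the Cisco manual or the NAC Appliance software: it represents each VLAN with a Dirty or Clean classification and the VRF it sits in, represents each VRF by where its default route points, and reports any VLAN whose path contradicts the design (Dirty traffic not entering the CAS UnTrusted side, admitted traffic still crossing the CAS, a Guest VLAN not isolated from the core, or one VRF mixing Dirty and Clean VLANs). All VLAN numbers, VRF names and next-hop labels are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed labels for the places a VRF's default route can point to.
CAS_UNTRUSTED = "cas-untrusted"   # the CAS interface that Dirty traffic must enter
CAS_TRUSTED = "cas-trusted"       # the CAS interface facing the production network
CORE = "core"                     # the production network, bypassing the CAS entirely
INTERNET_EDGE = "internet-edge"   # egress for isolated Guest traffic (assumption)


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    classification: str   # "dirty" = not yet authenticated, "clean" = admitted
    vrf: str              # name of the VRF-Lite instance carrying this VLAN
    isolated: bool = False  # True for Guest VLANs that must stay off the core


@dataclass(frozen=True)
class Vrf:
    name: str
    default_next_hop: str  # one of the labels above


def check_design(vlans, vrfs):
    """Return a list of design violations; an empty list means the design is consistent."""
    findings = []
    vrf_by_name = {v.name: v for v in vrfs}
    classes_per_vrf = {}
    for vlan in vlans:
        if vlan.classification not in ("dirty", "clean"):
            findings.append(f"VLAN {vlan.vlan_id}: unknown classification {vlan.classification!r}")
            continue
        vrf = vrf_by_name.get(vlan.vrf)
        if vrf is None:
            findings.append(f"VLAN {vlan.vlan_id}: VRF {vlan.vrf!r} is not defined")
            continue
        classes_per_vrf.setdefault(vrf.name, set()).add(vlan.classification)
        # Principle 1: Dirty traffic must flow into the UnTrusted side of the CAS.
        if vlan.classification == "dirty" and vrf.default_next_hop != CAS_UNTRUSTED:
            findings.append(
                f"VLAN {vlan.vlan_id} (dirty): VRF {vrf.name!r} defaults to "
                f"{vrf.default_next_hop!r}, not {CAS_UNTRUSTED!r}"
            )
        # Requirement 5: once admitted, the CAS must no longer be in the traffic path.
        if vlan.classification == "clean" and vrf.default_next_hop in (CAS_UNTRUSTED, CAS_TRUSTED):
            findings.append(f"VLAN {vlan.vlan_id} (clean): still routed through the CAS via {vrf.name!r}")
        # Requirement 4: Guest traffic stays isolated from the rest of the network after authentication.
        if vlan.isolated and vrf.default_next_hop != INTERNET_EDGE:
            findings.append(f"VLAN {vlan.vlan_id} (guest): VRF {vrf.name!r} reaches {vrf.default_next_hop!r}, not isolated")
    # A VRF carrying both classifications would give Dirty traffic a path around the CAS.
    for name, classes in classes_per_vrf.items():
        if classes == {"dirty", "clean"}:
            findings.append(f"VRF {name!r} mixes dirty and clean VLANs")
    return findings


# Constructed sample design: one authentication VLAN per site plus one access VLAN per AD group.
GOOD_VLANS = [
    Vlan(110, "dirty", "auth"),
    Vlan(120, "clean", "employees"),
    Vlan(130, "clean", "contractors"),
    Vlan(140, "clean", "guest", isolated=True),
]
GOOD_VRFS = [
    Vrf("auth", CAS_UNTRUSTED),
    Vrf("employees", CORE),
    Vrf("contractors", CORE),
    Vrf("guest", INTERNET_EDGE),
]
# Same VLANs, but the auth and guest VRFs were (wrongly) given a default route into the core.
BAD_VRFS = [
    Vrf("auth", CORE),
    Vrf("employees", CORE),
    Vrf("contractors", CORE),
    Vrf("guest", CORE),
]

if __name__ == "__main__":
    for label, vrfs in (("good", GOOD_VRFS), ("bad", BAD_VRFS)):
        print(label, check_design(GOOD_VLANS, vrfs) or "no findings")
```

The model deliberately encodes a VRF by nothing more than its default next hop, because in a VRF-Lite OOB design that single route is what decides whether a VLAN's traffic is forced through the CAS or bypasses it; a real pre-deployment check would load the VLAN-to-VRF and VRF-to-default-route facts from the intended switch configuration instead of the constructed lists.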