Cisco Cisco NAC Appliance 4.9.4 Technical Manual

Additionally, Clean and Dirty networks should not be allowed to communicate directly with each
other. In a Layer 3 OOB design with VRFs, the NAC server (CAS) acts as the enforcement point or
controller that ensures segregation and secure communication between the Clean and Dirty networks.
2. Traffic Isolation: Select an enforcement mechanism that provides traffic and path isolation for all
traffic sourced from non-authenticated and non-authorized hosts. VRF-Lite is used here because it gives
complete data-plane and control-plane isolation: Dirty traffic is carried in its own VRF with its own
routing table, rather than being filtered out of the global table with ACLs.
3. Centralized Enforcement: Because VRF-Lite follows the natural path selection created by routing,
topology changes, access-control requirements, and address changes do not require ACLs to be
manipulated across the infrastructure. A GRE tunnel in conjunction with VRF-Lite adds the flexibility to
deliver the Dirty traffic directly in front of the NAC server without configuring the VRF on every
intermediate hop: VRF-Lite with GRE requires configuration only on the edge Layer 3 devices, that is,
the device that terminates the Dirty VLAN and the device in front of the NAC server. This dramatically
reduces the number of devices that must be touched to meet the path-isolation requirement.
4. Difficulty: Difficulty of implementation as well as ongoing maintenance. When you determine the
approach you are likely to use for NAC Layer 3 OOB in your network, consider the ease of implementation
and the ongoing operational cost and complexity of that technology, particularly in a dynamic environment.
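The following IOS configuration is an added example and is not part of the Cisco document. It shows the VRF-Lite plus GRE approach from items 2 and 3 on the two edge Layer 3 devices that actually need VRF configuration: the access-layer switch that terminates the Dirty VLAN, and the Layer 3 device directly in front of the NAC server's untrusted interface. Every address, VLAN number, interface name and route distinguisher below is a constructed value, and the assumption that the CAS untrusted interface provides DHCP to Dirty hosts is marked as such. Intermediate devices only forward the GRE packets in the global routing table and need no VRF configuration.

```ios
! ===== Access-layer edge switch (terminates the Dirty VLAN) =====
! Constructed example values: VLAN 110 = Dirty_VLAN, 10.110.0.0/24, RD 65000:110
ip vrf DIRTY
 rd 65000:110
!
! Loopback in the global table: GRE endpoint reachable over the normal routed core
interface Loopback0
 ip address 10.0.0.11 255.255.255.255
!
! The Dirty VLAN SVI lives in the DIRTY VRF, so its hosts never see the global table
interface Vlan110
 description DIRTY_VLAN - unauthenticated / unauthorized hosts
 ip vrf forwarding DIRTY
 ip address 10.110.0.1 255.255.255.0
 ! Assumption: the CAS untrusted interface (10.200.1.2) serves or relays DHCP for Dirty hosts.
 ! The relayed request is forwarded inside the DIRTY VRF, i.e. down the tunnel.
 ip helper-address 10.200.1.2
!
! GRE tunnel: the inside (payload) is in DIRTY, the outside (GRE encapsulation) rides the
! global table. No "tunnel vrf" is configured on purpose: the endpoints are global addresses.
interface Tunnel110
 description GRE carrying DIRTY traffic to the NAC edge
 ip vrf forwarding DIRTY
 ip address 10.254.110.1 255.255.255.252
 ! GRE adds 24 bytes; clamp TCP MSS so the HTTPS login page is not broken by fragmentation
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.0.0.21
!
! The ONLY route in the DIRTY VRF: everything goes down the tunnel. Nothing here leaks into
! the global table, so Dirty hosts have no path to the Clean networks.
ip route vrf DIRTY 0.0.0.0 0.0.0.0 Tunnel110 10.254.110.2
!
!
! ===== NAC edge switch (directly in front of the CAS untrusted interface) =====
ip vrf DIRTY
 rd 65000:110
!
interface Loopback0
 ip address 10.0.0.21 255.255.255.255
!
! Far end of the tunnel, also placed in DIRTY
interface Tunnel110
 description GRE from access edge, DIRTY traffic
 ip vrf forwarding DIRTY
 ip address 10.254.110.2 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.0.0.11
!
! Transit VLAN toward the CAS untrusted interface (assumed to be 10.200.1.2)
interface Vlan200
 description Transit to CAS UNTRUSTED interface
 ip vrf forwarding DIRTY
 ip address 10.200.1.1 255.255.255.0
!
! Forward path: default for DIRTY hands traffic to the CAS untrusted interface.
! Return path: the Dirty_VLAN subnet is reached back through the tunnel.
ip route vrf DIRTY 0.0.0.0 0.0.0.0 10.200.1.2
ip route vrf DIRTY 10.110.0.0 255.255.255.0 Tunnel110 10.254.110.1
```

To verify the isolation, use `show ip vrf interfaces DIRTY` to confirm that only the Dirty VLAN, the transit VLAN and the tunnel belong to the VRF, `show ip route vrf DIRTY` to confirm that the VRF holds nothing but the routes above, and `ping vrf DIRTY 10.200.1.2` from the access edge to confirm the tunnel path to the CAS untrusted interface. If a dynamic routing protocol runs on these switches, do not create an `address-family ipv4 vrf DIRTY` that redistributes or imports global routes; a single leaked Clean prefix reopens the direct Dirty-to-Clean path that this design is meant to close. The CAS itself still needs its own route back to the Dirty_VLAN subnet via 10.200.1.1; that is configured on the CAS and is outside this fragment.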
Note: The NAC Appliance is oblivious to how traffic is presented to it. In other words, the Appliance itself
has no preference whether the traffic arrives through a GRE tunnel, is redirected by policy-based routing
(PBR), is delivered through a VRF, and so forth. The choice of path-isolation mechanism is an infrastructure
decision, not a NAC Appliance setting.
Note: For the best possible end-user experience, use a certificate on the NAC Server that is trusted by the
end user's browser. Self-signed (self-generated) certificates on the NAC Server are not recommended for a
production environment, because every user is shown a browser warning before reaching the login page.
Note: Always generate the certificate for the NAC Server with the IP address of its UNTRUSTED interface.
That is the address to which unauthenticated users are redirected for web login, so a certificate issued for
any other name or address produces a name-mismatch warning in the browser even if the issuing CA is trusted.
An illustration of device virtualization with VRFs can be seen here. This methodology provides both
control-plane and data-plane path isolation.
Topology
This diagram is representative of the topology used for the creation of this paper. The Internal Network is
routing through the Global Routing Table and has no VRF associated with it. The DIRTY VRF contains only
the Dirty_VLAN and the associated transit networks that are required to force all data sourced from the
DIRTY_VLAN to flow through the Dirty Side of the NAC Appliances. The Guest VRF contains the
GUEST_VLAN and associated transit networks required to terminate all data sourced from the