2. Determine the Number of NAC Gateways
The number of NAC Gateways to be deployed on the network is a function of the following parameters:
• The number of Security Domains configured on the network.
Each NAC Gateway appliance may be associated to only one Security Domain. Therefore, the number of NAC Gateways deployed on the network will be greater than or equal to the number of Security Domains configured in NAC Manager. To support redundancy per Security Domain, at least two NAC Gateways must be deployed per Security Domain, as discussed below.
• The number of authenticating users and devices that are connected to each Security Domain.
Each NAC Gateway appliance has the capability of supporting a maximum number of authenticating devices as shown in the following table:
Table: concurrent end-systems supported per NAC Gateway model (the model names did not survive extraction; only the capacity column is recoverable)

NAC Gateway Model | Concurrent end-systems
| Up to 500
| Up to 1000
| Up to 1250
| Up to 2000
| Up to 3000
| Up to 3000
To roughly determine the number of required NAC Gateways per Security Domain, use the following formula:
Number of authenticating end‐systems in a Security Domain / Concurrent end‐systems supported by gateway type = the number of required gateways of that type per Security Domain.
For example, if you have 9000 end‐systems connecting to a Security Domain, and you will be using SNS‐TAG‐ITA appliances, then the formula would be:
9000 / 3000 = 3 required ITA appliances
For each switch in a particular Security Domain, the maximum number of authenticating end‐systems that may be connected to the switch at any one moment must be considered when associating a switch to a particular NAC Gateway appliance. Multiple intelligent switches residing in the same Security Domain may be pointed to the same NAC Gateway, provided the maximum number of authenticating end‐systems for that NAC Gateway is not exceeded. (Note that two switches in different Security Domains cannot be associated to the same NAC Gateway.)
• Configuration of NAC Gateway redundancy for each switch in a Security Domain.
NAC Gateway redundancy for a particular switch is achieved by configuring two different NAC Gateways as primary and secondary RADIUS servers for that switch, as depicted in Figure 5‐5 on page 5‐21. When connectivity to the primary NAC Gateway is lost, the secondary NAC Gateway is used. Note that this configuration supports redundancy and not load‐sharing, and the second NAC Gateway will only be used in the event that the primary NAC Gateway becomes unreachable.
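The sizing formula above and the three association rules (one Security Domain per gateway, per-gateway capacity not exceeded, two distinct gateways as primary and secondary RADIUS servers per switch) can be checked with a short planning script. This is an added example, not tooling from the design guide or from NAC Manager; it rounds the formula up because a fraction of an appliance cannot be deployed, enforces the two-gateway minimum per Security Domain, and goes one step beyond the text by also checking the load a secondary gateway would carry after a primary becomes unreachable. Only the SNS‐TAG‐ITA capacity (3000) comes from the guide; the "SMALL-GW" model and all switch and gateway names are constructed placeholders.

```python
import math
from collections import defaultdict

# Concurrent end-systems per gateway model. Only SNS-TAG-ITA (3000) is named
# in the guide; "SMALL-GW" is a constructed placeholder for illustration.
CAPACITY = {"SNS-TAG-ITA": 3000, "SMALL-GW": 500}

def gateways_required(end_systems, model, redundant=True):
    """Gateways of one model needed for a Security Domain.
    Rounds up, since a fraction of an appliance cannot be deployed, and
    enforces the minimum of two gateways per domain when redundancy is wanted."""
    needed = math.ceil(end_systems / CAPACITY[model])
    return max(needed, 2) if redundant else needed

def check_assignments(switches, gateways):
    """Validate switch -> (primary, secondary) NAC Gateway associations.
    switches: name -> (security_domain, max_auth_end_systems, primary, secondary)
    gateways: name -> (security_domain, model)
    Returns a list of violations; an empty list means the plan is consistent."""
    problems = []
    normal = defaultdict(int)                          # load on each primary
    failover = defaultdict(lambda: defaultdict(int))   # secondary -> primary -> load
    for sw, (dom, n, primary, secondary) in switches.items():
        if primary == secondary:
            problems.append(f"{sw}: primary and secondary must be different gateways")
        for gw in (primary, secondary):
            if gateways[gw][0] != dom:
                problems.append(f"{sw}: {gw} is in Security Domain "
                                f"{gateways[gw][0]}, switch is in {dom}")
        normal[primary] += n
        failover[secondary][primary] += n
    for gw, (_, model) in gateways.items():
        cap = CAPACITY[model]
        if normal[gw] > cap:
            problems.append(f"{gw}: {normal[gw]} end-systems exceeds capacity {cap}")
        # Redundancy, not load-sharing: if one primary becomes unreachable,
        # all of its switches move to this gateway on top of its own load.
        worst = normal[gw] + max(failover[gw].values(), default=0)
        if worst > cap:
            problems.append(f"{gw}: {worst} end-systems on fail-over exceeds {cap}")
    return problems

if __name__ == "__main__":
    print(gateways_required(9000, "SNS-TAG-ITA"))  # 3, as in the guide's example
```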