Overview
6-2 Initializing the NAC Controller
TheportslocatedinthelowerrowsoftheNACControllerarereferredtoasʺdownstreamports,ʺ
andconnectdownlinktoinfrastructuredevicessuchasaccesslayerswitchesinthenetwork.The
twogigabitEthernetportslocatedatthetopoftheNACControllerarereferredtoasʺupstream
ports,ʺandconnectuplinktoupstreamdevicessuchascorerouters.The10/100Ethernetport
locatedatthetopoftheNACControllersupportsmanagementfunctionalitywithan
Out‐Of‐Bandmanagementconfiguration,asexplainedbelow.SeeFigure 6‐1forthelocationofthe
differentNAC Controllerporttypes.
ItisimportanttonotethattheNACControllerappliancetransparentlybridgespacketsatlayer2
fromdownstreamportstoupstreamports,downstreamportstootherdownstreamports,
upstreamportstodownstreamports,andupstreamporttootherupstreamports.Therefore,itis
notnecessarytohavea1:1downstreamporttoupstreamportconfigurationontheNAC
Controller.Furthermore,thetrafficenforcementpointontheNACControllerisimplementedas
trafficingressedthedownstreamportsperMACaddressorIPaddressbeforethetrafficisbridged
throughtheNACControllertoanyotherport.Asaresultoftrafficsourcedfromanendsystem
beingappropriatelyfiltered(forexample:forwarded,discarded,containedtoaVLAN,or
prioritized)uponingresstotheNACControllerportbeforeitisbridged,theflowoftrafficfrom
eachdownstreamendsystemissecurelycontrolledtoallotherdevicesconnectedtoother
upstreamanddownstreamportsontheNACController.
Figure 6-1 NAC Controller Ports
Figure 6‐3throughFigure 6‐6displaytheconfigurationtopologiesforthefourNAC Controller
installationtypes.Ineachcase,upstreamportsontheNACControllerconnecttothenetworkcore
inthedirectionofwheretheNetSightmanagementserverconnectstothenetwork,althoughitis
notnecessarytoconnecttheNetSightmanagementserverupstreamfromtheNACController.
DownstreamportsontheNACControllerconnecttothenetworkedgewhereendsystemsare
connecting.
Note: Figure 6-1 displays a 2S4082-25-SYS, but NAC Controller ports are in the same
location on both systems.