Enterasys Networks 7S4280-19-SYS, 2S4082-25-SYS General Management Considerations

General Management Considerations

Enterasys NAC Controller Hardware Installation Guide 6-3

General Management Considerations

ThefollowingaregeneralNAC Controllermanagementconfigurationconsiderations:

•TheLayer3NACControllerispositionedinbetweentworoutersonthenetwork.Onlyone

VLAN/subnetspansbetweentheseroutersasshowninFigure 6‐2.ForLayer3NAC

Controllerconfiguration,alldatatraffic(non‐managementtraffic)traversingtheNAC

Controllerbetweentheupstreamrouterandthedownstreamroutermustbeuntagged.The

reasonforthisisthattheNACControllerdoesnotpreserveVLANtaggingfordatatraffic

traversingtheappliance,regardlessofwhetherin‐bandorout‐of‐bandmanagementis

configured.Theupstreamanddownstreamroutersmustbeconfiguredwithroutedinterfaces

forthisVLAN/subnetasshownbelowwithIPaddresses20.20.20.2/24and202020.1/24.

Figure 6-2 Layer 3 NAC Controller Positioning

•WhenusingIn‐Bandmanagement:

–TwoIPaddressesareassignedtotheNACControllerwhenconfiguredforin‐band

management;amanagementIPaddressfortheNACControllerEngineanda

managementIPaddressfortheNACControllerPEP.

–TheNACControllerEngineIPaddressandNACControllerPEPIPaddresses,masks,and

gatewaymustbepartofthesamesubnetthatspanstheupstreamanddownstream

routers.

–NomanagementVLANIDisrequired.AllmanagementtrafficsourcedfromtheNAC

ControllerEngineandNACControllerPEPegressestheupstreamanddownstreamports

oftheNACControlleruntaggedontotheVLANthatspansthetworouters,showas

shownbelow.

–AremediationwebserverIPaddressisnotrequired.Theremediationwebserverisrun

offofthemanagementIPaddressoftheNACControllerEngine.

–AlldirectlyconnectedmanagementandrouterIPaddressesonthissubnetmustbe

specifiedduringthesetupprocessinordertoestablishIPconnectivityintothetopology.

SeeFigure 6‐5onpage 6‐5foradiagramonlayer3In‐Bandmanagement.SeeFigure 6‐3on

page 6‐4foradiagramonlayer2In‐Bandmanagement.

•WhenusingOut‐Of‐Bandmanagement:

–ThreeIPaddressesareassignedtotheLayer3NACControllerwhenconfiguredfor

out‐of‐bandmanagement;amanagementIPaddressandremediationIPaddressforthe

NACControllerEngineandamanagementIPaddressfortheNACControllerPEP.