Enterasys Networks 9034385 manual Determine the Number of NAC Gateways, NAC Gateway Model


Out-of-Band NAC Design Procedures

2. Determine the Number of NAC Gateways

The number of NAC Gateways to be deployed on the network is a function of the following parameters:

The number of Security Domains configured on the network.

Each NAC Gateway appliance may be associated to only one Security Domain. Therefore, the number of NAC Gateways deployed on the network will be greater than or equal to the number of Security Domains configured in NAC Manager. To support redundancy per Security Domain, at least two NAC Gateways must be deployed per Security Domain, as discussed below.

The number of authenticating users and devices that are connected to each Security Domain.

Each NAC Gateway appliance has the capability of supporting a maximum number of authenticating devices as shown in the following table:

Table 5-4 End-System Limits for NAC Gateways

NAC Gateway Model      Concurrent End-Systems Supported
NSTAG-FE100-TX         Up to 500
7S-NSTAG-01(-NPS)      Up to 1000
NSTAG-GE250-TX         Up to 1250
SNS-TAG-LPA            Up to 2000
SNS-TAG-HPA            Up to 3000
SNS-TAG-ITA            Up to 3000

To roughly determine the number of required NAC Gateways per Security Domain, use the following formula:

Number of authenticating end‐systems in a Security Domain / Concurrent end‐systems supported by gateway type = the number of required gateways of that type per Security Domain.

For example, if you have 9000 end‐systems connecting to a Security Domain, and you will be using SNS‐TAG‐ITA appliances, then the formula would be:

9000 / 3000 = 3 required ITA appliances

For each switch in a particular Security Domain, the maximum number of authenticating end‐systems that may be connected to the switch at any one moment must be considered when associating a switch to a particular NAC Gateway appliance. Multiple intelligent switches residing in the same Security Domain may be pointed to the same NAC Gateway, provided the maximum number of authenticating end‐systems for the particular NAC Gateway is not exceeded. (Note that two switches in different Security Domains cannot be associated to the same NAC Gateway.)

Configuration of NAC Gateway redundancy for each switch in a Security Domain.

NAC Gateway redundancy for a particular switch is achieved by configuring two different NAC Gateways as primary and secondary RADIUS servers for that switch, as depicted in Figure 5‐5 on page 5‐21. When connectivity to the primary NAC Gateway is lost, the secondary NAC Gateway is used. Note that this configuration supports redundancy and not load‐sharing, and the second NAC Gateway will only be used in the event that the primary NAC Gateway becomes unreachable.
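The sizing rules above, worked through as an added example (not part of the Enterasys manual): it applies the rough formula, then assigns whole switches to gateways within one Security Domain, which can require more appliances than the formula suggests. The function names, the sample switch loads, the assumption that each switch points to a single primary gateway, and the modelling of redundancy as only the two-gateway minimum per domain are all assumptions of this example.

```python
import math

# Concurrent end-system limits from Table 5-4.
GATEWAY_LIMITS = {
    "NSTAG-FE100-TX": 500,
    "7S-NSTAG-01(-NPS)": 1000,
    "NSTAG-GE250-TX": 1250,
    "SNS-TAG-LPA": 2000,
    "SNS-TAG-HPA": 3000,
    "SNS-TAG-ITA": 3000,
}

def rough_gateway_count(end_systems, model):
    """The manual's rough formula, rounded up to whole appliances."""
    return math.ceil(end_systems / GATEWAY_LIMITS[model])

def assign_switches(switches, model):
    """First-fit-decreasing assignment of one Security Domain's switches.

    switches maps switch name -> maximum concurrent authenticating end-systems.
    Returns one dict per gateway holding the switches pointed at it.
    """
    limit = GATEWAY_LIMITS[model]
    gateways = []
    for name, load in sorted(switches.items(), key=lambda kv: -kv[1]):
        if load > limit:
            raise ValueError(f"{name} alone exceeds the {model} limit")
        for gw in gateways:
            if sum(gw.values()) + load <= limit:
                gw[name] = load  # fits on an existing gateway
                break
        else:
            gateways.append({name: load})  # needs another gateway
    return gateways

def plan_domain(switches, model, redundant=True):
    """Gateways needed for one Security Domain (never shared across domains)."""
    assignment = assign_switches(switches, model)
    needed = len(assignment)
    if redundant:
        needed = max(needed, 2)  # at least two gateways per Security Domain
    rough = rough_gateway_count(sum(switches.values()), model)
    return {"rough": rough, "gateways": needed, "assignment": assignment}

# Constructed sample: four switches in one Security Domain.
SAMPLE_DOMAIN = {"sw-a": 1200, "sw-b": 1200, "sw-c": 1200, "sw-d": 400}

if __name__ == "__main__":
    print(plan_domain(SAMPLE_DOMAIN, "SNS-TAG-LPA"))
```

With the constructed sample the rough formula gives two SNS-TAG-LPA appliances, but no two of the 1200-end-system switches fit on one gateway, so three are needed.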

5-20 Design Procedures
