Enterasys-networks 9034385 Manuel d'utilisateur télécharger pdf (Page 54)

Survey the Network

4-2 Design Planning

accesstoawebbrowsertosafelyremediatetheirquarantinedend‐systemwithoutimpacting

IToperations.

Onceadeploymentmodelisselected,thecurrentnetworkinfrastructuremustbeexaminedto

identifythetechnicaldependenciesandrequirementsimposedbytheNACsolution.

Survey the Network

Thestepsinthissectionwillhelpyouidentifyandevaluatethecurrentnetworkinfrastructureso

thatyoucanmakedesigndecisionsregardingNACcomponentrequirements.

1. Identify the Intelligent Edge of the Network

Thefirststepinsurveyingyournetworkistodeterminewhetherornotyournetworkhasan

“intelligentedge.”ThisinformationwillhelpyoudecidewhethertheNACGatewayorNAC

Controllerappliancebestsuitsyournetworkinfrastructure.

Theterm“intelligent”referstoanetworktopologywheretheaccessedgeis

composedof

Enterasyspolicy‐enabledswitchescapableofsupportingauthenticationandpolicyenforcement,

orthird‐partyswitchescapableofsupportingauthenticationanddynamicVLAN assignmentas

definedinRFC3580.

Non‐intelligentinfrastructuredevices,suchasrepeatersandhubs,arenotcapableofsupporting

authenticationand/orauthorizat ion ofend‐systems,and

simplyprovideconnectivitytothe

infrastructure.

AnintelligentedgeisrequiredwhentheNACGatewayisutilizedforimplementingout‐of‐band

NAC.TheNACGatewayapplianceleveragestheintelligentedgeof thenetworktoimplementthe

authenticationandauthorizationofconnectingend‐systems.TheNACGatewayeffectsthe

assignmentof

policiesorVLANsonEnterasysswitchesorRFC3580‐capableswitcheslocatedat

edgeofthenetwork,toauthorizealevelofnetworkaccesstoconnectingend‐systems.These

assignmentsarebasedonvariousparameters,suchasthelocationoftheend‐systemandsecurity

postureassessmentresults.Theintelligentedge

ofthenetworkalsoimplementsanauthentication

method(802.1X,web‐based,orMACauthentication)forvalidatingthedeviceand/oruseridentity

ofconnectingend‐systems.

However,innetworkswithnon‐intelligentdevicesattheaccessedge,itisnotnecessarytoreplace

thesenon‐intelligentdevicestobeabletoimplement

out‐of‐bandNACwiththeNACGateway.

Instead,theEnterasysMatrixN‐seriesswitchcanbepositionedupstreamfromnon‐intelligent

devices(suchasinthedistributionlayer)toimplementtheauthenti cationandauthorization

functionsfordownstreamconnecteddevices.MatrixN‐SeriesdevicessupportMulti‐User

Authentication(MUA)which

enablestheswitchtoindividuallyauthenticateanduniquely

authorizemultipleend‐systemsconnectedtothesamephysicalport.MUAontheMatrixN‐series

Platinumsupportstheconcurrentauthenticationandauthorizationofover1000end‐systemsona

singleportwiththeallocationofdisparatenetworkresourcestoeachend‐system.

Inthiscase,the

MatrixN‐seriesswitchistheintelligentedgeofthenetworkalthoughitisnotphysicallylocatedin

theaccesslayer.ByutilizingtheMatrixN‐seriesinthistypeofconfiguration,mostofthebenefits

ofout‐of‐bandNACcanbeobtainedwithoutupgrading

theedgeofthenetwork.

1 2 ... 49 50 51 52 53 54 55 56 57 58 59 ... 97 98

Commentaires sur ces manuels

Pas de commentaire

Enterasys-networks 9034385 Manuel d'utilisateur Page 54

Commentaires sur ces manuels

Produits connexes et manuels pour Outils Enterasys-networks 9034385