
NAC Appliance Server Load Balancing Using Policy-Based Routing

The following are the prerequisites for NAC Appliance Server load balancing using policy-based routing:

The router on the untrusted side and the router on the trusted side of NAC Appliance Server must support policy-based routing.

Traffic flow to NAC Appliance Server should be symmetric in both directions. This is not a requirement but a best practice.

This load-balancing technique was developed specifically for a centralized NAC Appliance Server deployment model with more than 2500 clients. In a centralized NAC Appliance model, the NAC Appliance Servers are located at a central site that is multiple Layer 3 hops away from the remote clients they are inspecting. For example, the clients at a remote office are inspected by a NAC Appliance Server that resides at the HQ site. The PBR load-balancing method requires Layer 3 client adjacency. The goal of the PBR LB technique is to scale the centralized NAC Appliance deployment model past the 2500-client limit imposed by a single NAC Appliance Server. This is accomplished by using PBR policies to spread clients across several NAC Appliance Servers. For example, a PBR policy could redirect all clients coming from the site A IP subnet to NAC Appliance Server A, and site B clients could be redirected to Server B. Figure 5-18 shows a sample PBR load-balancing design.

The HQ router's PBR policies are set up to redirect all client traffic coming from the 10.1.1.0/24 subnet at site A to NAC Appliance Server A. All traffic coming from the 10.1.2.0/24 subnet at site B is redirected to Server B, and all traffic coming from the 10.1.3.0/24 subnet at site C is redirected to Server C. The PBR policies on 6500 A mirror those on the HQ router. They are identical except that they redirect based on traffic going to the sites, not traffic coming from them. This is necessary because of the requirement that client traffic must flow symmetrically. This means that a client must be consistently balanced to the same NAC Appliance Server in both directions. Here is the traffic flow for the clients in Figure 5-18.

Figure 5-18 NAC Appliance Load Balancing Using PBR

Step 1 The Clean Access Agent on a client at site A sends out discovery packets to the IP address of 6500 A, 10.10.10.1. The Clean Access Agent is searching for a NAC Appliance Server.

Step 2 The site A router forwards the packets to the HQ router.

Step 3 The HQ router does a lookup in its PBR policies looking for a source IP address match. It finds a match associated with the 10.1.1.0/24 subnet. The action for the match says to set the next hop router to NAC Appliance Server A, 10.1.1.2.

Step 4 The HQ router forwards the client’s discovery packets to Server A.

Step 5 Server A intercepts the Clean Access Agent discovery packets and notifies the client’s Clean Access Agent that it should perform user authentication and certification.

Step 6 The user passes authentication and certification. From now on, all traffic from site A to a trusted side network, such as HQ campus, will be redirected by PBR on the HQ router and sent through NAC Appliance server A.

[Figure 5-18 diagram: NAC Appliance Manager (MGR); HQ campus with HQ Router with PBR and 6500 A with PBR; NAC Appliance Server Farm (Server A, Server B, Server C) in In-Band Real IP Gateway Mode with Untrusted and Trusted sides; WAN; Site A, Site B, and Site C routers with clients. Subnet labels in the figure: 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24, 10.10.10.0/24, with host addresses .1 through .4.]

Step 7 Return traffic from a trusted side network, such as HQ campus, to the untrusted site A network will be redirected by PBR on 6500 A and sent through NAC Appliance server A.

Step 8 The PBR policies on the HQ router and 6500 A are configured to send traffic sent from or destined to site B through server B and site C through server C.

The PBR load-balancing design supports failover and fault tolerance. This is typically done using object tracking with PBR. In the event that a NAC Appliance Server fails, all clients being redirected to that NAC Appliance Server switch to an available server.
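To make the mirrored, symmetric policy concrete, the following is an added example of how the two PBR policies described in Steps 1 through 8 could be written in Cisco IOS, with the object tracking that the failover paragraph mentions. It is not configuration from the book or from Cisco. The site subnets (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24) and the 6500 A address (10.10.10.1) are the chapter's; the server interface addresses (10.1.4.2/.3/.4 on the untrusted side, 10.10.10.2/.3/.4 on the trusted side), the interface names, and the ACL, route-map, SLA and track names are assumptions to be replaced with your own addressing.

```ios
! Added example, not from the book. ASSUMED addresses: Server A/B/C untrusted
! interfaces 10.1.4.2/.3/.4, trusted interfaces 10.10.10.2/.3/.4.
!
! ===== HQ router (untrusted side): match on SOURCE site subnet =====
! Object tracking: one ICMP probe per server untrusted interface.
ip sla 1
 icmp-echo 10.1.4.2
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip sla 2
 icmp-echo 10.1.4.3
 frequency 5
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
ip sla 3
 icmp-echo 10.1.4.4
 frequency 5
ip sla schedule 3 life forever start-time now
track 3 ip sla 3 reachability
!
ip access-list extended FROM-SITE-A
 permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended FROM-SITE-B
 permit ip 10.1.2.0 0.0.0.255 any
ip access-list extended FROM-SITE-C
 permit ip 10.1.3.0 0.0.0.255 any
!
! Primary server first, backup second; a next hop is used only while its
! track object is up. The per-site ORDER must be identical on 6500 A.
route-map NAC-LB-UNTRUSTED permit 10
 match ip address FROM-SITE-A
 set ip next-hop verify-availability 10.1.4.2 10 track 1
 set ip next-hop verify-availability 10.1.4.3 20 track 2
route-map NAC-LB-UNTRUSTED permit 20
 match ip address FROM-SITE-B
 set ip next-hop verify-availability 10.1.4.3 10 track 2
 set ip next-hop verify-availability 10.1.4.4 20 track 3
route-map NAC-LB-UNTRUSTED permit 30
 match ip address FROM-SITE-C
 set ip next-hop verify-availability 10.1.4.4 10 track 3
 set ip next-hop verify-availability 10.1.4.2 20 track 1
!
interface Serial0/0
 ! ASSUMED: WAN-facing interface where site traffic enters the HQ router
 ip policy route-map NAC-LB-UNTRUSTED
!
! ===== 6500 A (trusted side, 10.10.10.1): match on DESTINATION site subnet =====
ip sla 1
 icmp-echo 10.10.10.2
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip sla 2
 icmp-echo 10.10.10.3
 frequency 5
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
ip sla 3
 icmp-echo 10.10.10.4
 frequency 5
ip sla schedule 3 life forever start-time now
track 3 ip sla 3 reachability
!
ip access-list extended TO-SITE-A
 permit ip any 10.1.1.0 0.0.0.255
ip access-list extended TO-SITE-B
 permit ip any 10.1.2.0 0.0.0.255
ip access-list extended TO-SITE-C
 permit ip any 10.1.3.0 0.0.0.255
!
! Same servers in the same order as the HQ router, via their trusted interfaces.
route-map NAC-LB-TRUSTED permit 10
 match ip address TO-SITE-A
 set ip next-hop verify-availability 10.10.10.2 10 track 1
 set ip next-hop verify-availability 10.10.10.3 20 track 2
route-map NAC-LB-TRUSTED permit 20
 match ip address TO-SITE-B
 set ip next-hop verify-availability 10.10.10.3 10 track 2
 set ip next-hop verify-availability 10.10.10.4 20 track 3
route-map NAC-LB-TRUSTED permit 30
 match ip address TO-SITE-C
 set ip next-hop verify-availability 10.10.10.4 10 track 3
 set ip next-hop verify-availability 10.10.10.2 20 track 1
!
interface Vlan100
 ! ASSUMED: campus-facing SVI where return traffic toward the sites enters 6500 A
 ip policy route-map NAC-LB-TRUSTED
```

Two points to check in a design like this. First, symmetry under failure: because each site's next-hop list is in the same order on both routers, when track 1 goes down on both sides, site A fails over to Server B in both directions, which is what keeps the client on one server as the chapter requires; if only one router sees the server as unreachable, the two directions diverge until the probes agree, so keep the probe targets and timers the same on both routers. Second, PBR fails open: traffic that matches no route-map entry, or whose tracked next hops are all down, is forwarded by the normal routing table and therefore bypasses NAC inspection entirely. Confirm that every client subnet is covered by an entry, and if bypass on total server failure is not acceptable, a final route-map entry with `set interface Null0` turns that case into a fail-closed drop instead.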

Summary

This chapter examined some of the advanced design topics related to a Cisco NAC Appliance solution. The following recommendations were made:

Use an external user authentication database instead of the internal user database.

Use Active Directory or RADIUS attributes to map users into a NAC Appliance user role.

Whenever possible, configure the network to allow voice traffic to bypass the NAC Appliance solution.

If it is not possible to allow voice to bypass an In-Band mode NAC Appliance, be sure to exempt all voice subnets from NAC inspection.

In an OOB deployment, be sure to set your port profiles never to bounce a switch port that has an IP phone connected to it.

You should use the certified timer in OOB environments where the clients connect to the IP phone and not the switch port.

When you have NAC Appliance clients connecting through a supported VPN or wireless device, configuring single sign-on is recommended.

When using VPN or wireless SSO, it is recommended that the NAC Appliance Server be placed Layer 2 adjacent to the VPN concentrator.

It is highly recommended that you deploy the NAC Appliance Manager using the stateful failover bundle.

The recommended load-balancing techniques are as follows:

— The Cisco Content Switching Module (CSM) or standalone Content Services Switch (CSS)

— Policy-Based Routing LB

The Fallback feature of the NAC Appliance Server can mitigate the risks of losing communication between the NAC Appliance Server and NAC Appliance Manager.

A Cisco NAC Appliance solution can be designed to support both load balancing and fault tolerance.

III

The Foundation: Building a Host