Wednesday, November 19, 2008

Layer 3 Out-of-Band

Background:

As NAC is deployed in larger environments the need for flexibility goes up. Cisco has given customers the ability to deploy NAC centrally for users multiple layer 3 hops away from the CAS... hence Layer 3 OOB. Layer 3 Out of Band has rapidly become one of the most popular deployment methodologies for NAC. This shift in popularity is based on several dynamics. The first is better utilization of hardware resources: by deploying NAC in an L3 OOB methodology, a single NAC Appliance can be made to scale to accommodate more users. It also allows the NAC Appliances to be centrally located rather than distributed across the campus or organization. Thus, L3 OOB deployments are much more cost effective from both a capital and an operational expense standpoint. From the CAS Admin Guide:

Multi-hop L3 support for out-of-band (wired) deployments enables administrators to deploy the CAS out-of-band centrally (in core or distribution layer) to support users behind L3 Switches (e.g. routed access) and remote users behind WAN routers in some instances. With L3 OOB, users more than one L3 hop away from the CAS are supported and their traffic only has to go through Cisco NAC Appliance for authentication/posture assessment only.

With the benefits of L3 OOB come a few challenges.

Path Isolation & Quarantine Control:

Because the CAS is multiple hops away, traffic from each user must either be engineered to go through the CAS forcefully (VRF, GRE, L2TP, PBR) or the quarantine/isolation must be performed closer to the user. Below are the three most common deployment options and the pros and cons of each.

Policy Based Routing (PBR)
  • Pros - Forces traffic to go through the CAS, easy to configure
  • Cons - PBR must be configured on every hop between the user and the CAS
Virtual Routing and Forwarding (VRF)
  • Pros - If you have an existing MPLS topology, it is easy to create a VRF for NAC.
  • Cons - VRF must be configured on every hop between the user and the CAS
Access Control Lists (ACL)
  • Pros - Everyone knows how to configure ACLs, ACLs are written closest to the user, no changes to every device
  • Cons - Management of the ACLs can be difficult without an enterprise tool such as Network Compliance Manager or Cisco Security Manager. Because the user is not inline with the CAS, the user must use a URL or have an embedded discovery host to find the CAS.

Layer 3 Subnet Requirement:

In Layer 2 deployments, isolation takes place on an Authentication or Quarantine network that is only a layer 2 VLAN. With L3 OOB, the authentication network used to require a separate Layer 3 subnet. This caused many challenges during design, because for each user network in the environment (could be hundreds or even thousands) a new layer 3 IP subnet is required. The other problem associated with this option is that each user must change their IP address when going through the NAC process, slowing the process a little and also causing the online users list in the NAC Manager to contain the previous (Authentication Network) IP rather than the Data Network (real) IP of the user.

Out of this challenge comes a deployment option that is not highly publicized: L3 OOB with no IP changes. But how, you may ask? If you must create a separate authentication network with a separate IP space, how can we keep the same IP address?

L3 OOB with ACLs - IP CHANGE REQUIRED

Interface Vlan 10
description User Network
ip address 192.168.10.1 255.255.255.0
ip access-group NAC-ACCESS in
!
Interface Vlan 110
description NAC Authentication Network
ip address 192.168.110.1 255.255.255.0
ip access-group NAC-AUTH in
!
ip access-list extended NAC-AUTH
permit udp any eq bootpc any eq bootps <--- DHCP
permit udp any host 192.168.1.50 eq 53 <--- DNS
permit ip any host 192.168.1.100 <--- CAS UNTRUSTED INTERFACE
permit ip any host 192.168.1.25 <--- AD SERVER
permit tcp any host 192.168.1.10 eq 443 <--- REMEDIATION SERVER
!
ip access-list extended NAC-ACCESS
deny ip any host 192.168.1.100 <--- CAS UNTRUSTED INTERFACE
permit ip any any <--- ALLOW ALL TRAFFIC

L3 OOB with ACLs - NO IP CHANGE REQUIRED

Interface Loopback 0
ip address 192.168.10.1 255.255.255.0
!
Interface Vlan 10
description User Network
ip unnumbered loopback 0
ip access-group NAC-ACCESS in
!
Interface Vlan 110
description NAC Authentication Network
ip unnumbered loopback 0
ip access-group NAC-AUTH in
!
ip access-list extended NAC-AUTH
permit udp any eq bootpc any eq bootps <--- DHCP
permit udp any host 192.168.1.50 eq 53 <--- DNS
permit ip any host 192.168.1.100 <--- CAS UNTRUSTED INTERFACE
permit ip any host 192.168.1.25 <--- AD SERVER
permit tcp any host 192.168.1.10 eq 443 <--- REMEDIATION SERVER
!
ip access-list extended NAC-ACCESS
deny ip any host 192.168.1.100 <--- CAS UNTRUSTED INTERFACE
permit ip any any <--- ALLOW ALL TRAFFIC

Using an existing R&S feature (ip unnumbered, pointing both SVIs at the same loopback) gives us the ability to have a user keep the same IP address on the authentication and access networks. The disadvantage of deploying this way is that all existing data networks must be moved to loopbacks, and it adds complexity to the design, but the advantages are clear.
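To check that the two ACLs above actually enforce the isolation the post describes, here is a small first-match evaluator for the IOS extended ACL subset they use (any/host specs, optional eq ports, implicit deny at the end). This is an added example, not code from the post or from Cisco; the source address 192.168.10.20 and the Internet destination 203.0.113.9 are constructed, and the evaluator does not model the ip unnumbered trick, which changes the addressing but not the ACL logic.

```python
"""First-match evaluator for the IOS extended ACL subset used in the post."""
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

def _addr(t, i):
    """Parse 'any' or 'host A.B.C.D' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address spec: {t[i]}")

def _eq(t, i):
    """Parse optional 'eq <port>' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Turn ACE lines (the post's '<---' annotations are ignored) into tuples."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split("<---")[0].split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        src, i = _addr(t, 2)
        sport, i = _eq(t, i)
        dst, i = _addr(t, i)
        dport, i = _eq(t, i)
        acl.append((t[0] == "permit", t[1], src, sport, dst, dport))
    return acl

def evaluate(acl, proto, src, sport, dst, dport):
    """True if the first matching ACE permits; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, p, snet, sp, dnet, dp in acl:
        if p in ("ip", proto) and s in snet and d in dnet \
                and sp in (None, sport) and dp in (None, dport):
            return permit
    return False

# The two ACLs from the post, verbatim (implicit deny applies at the end)
NAC_AUTH = parse_acl("""
permit udp any eq bootpc any eq bootps
permit udp any host 192.168.1.50 eq 53
permit ip any host 192.168.1.100
permit ip any host 192.168.1.25
permit tcp any host 192.168.1.10 eq 443
""")
NAC_ACCESS = parse_acl("""
deny ip any host 192.168.1.100
permit ip any any
""")
```

A quarantined host on Vlan 110 can reach DHCP, DNS, the CAS untrusted interface, AD and the remediation server on 443 but nothing else, while an authenticated host on Vlan 10 reaches everything except the CAS untrusted interface.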

Summary:

L3 OOB is an increasingly common deployment method for Cisco NAC. With all the benefits come a few decisions and challenges, but at the end of the day it is still preferred. Obviously you will not learn everything about L3 OOB in this short post, and without some existing background in NAC and R&S some or all of this might not make sense, but good luck and happy NACing.
