NAC Zones - design question

mp2014
New Contributor II
Hi,

I want to set up NAC Zones with the location/switch as the selector. I have about 20 locations to reflect in Zones, and about 20 different end-system classifications across all locations. Because the Zones are applied by NAC rules only, this would result in a very questionable number of NAC rules. Is there any other way to use zones just by switch location?
12 replies

mp2014
New Contributor II
The only criterion for which end-system belongs to which manager is the switch/port location, not the VLAN or end-system group. So this is why it looks tricky to me to achieve this...

Rainer_Adam
New Contributor III
I don't know what you really need. In my customer's case there are departments all over their biggest location and there is no limit to which switch they connect to; it depends on their end-system group. So a client of end-system group "A" will always be authenticated to the same VLAN regardless of which switch they are connected to, except when the switch is in a different location (where we have a different VLAN infrastructure).

I would recommend that you create an Excel sheet where you define which user groups (end-system groups) are allowed to move between locations and to which VLAN they should be authenticated.

Per VLAN you need one rule matrix entry; that does not depend on zone management. Zones can be added additionally to each rule matrix entry. You only have to create and define the zones and the users/groups that should be able to manage them, and add this to the rule-matrix entry where they are authenticated.

Are you having different "managers" for clients within the same VLAN? Then I would understand what you mean, but if different "managers" have to administer different VLANs, this is really easy.

If you need more details please contact me directly. 🙂
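The planning sheet suggested above, as an added example that is not part of the thread and not Extreme's own tooling: a small Python helper that reads a CSV with one row per (end-system group, location, VLAN), checks it for contradictions, expands it into the rule-matrix entries it implies with one zone per location, and counts entries two ways (one per group-and-location row, and one per distinct VLAN per location). The sheet layout, the `zone-<location>` naming, and every group, location and VLAN value are constructed assumptions for the example; nothing here talks to Extreme Management Center.

```python
"""Added example: expand a (group, location, VLAN) planning sheet into the
NAC rule-matrix entries it implies and sanity-check it before entering the
rules by hand. Sheet layout and all values are constructed assumptions."""
import csv
import io
from collections import Counter

# Constructed sample sheet: one row per end-system group and location it
# may appear at, with the VLAN it should be authenticated to there.
SHEET = """\
group,location,vlan
Staff,HQ,10
Staff,Branch-A,110
Contractors,HQ,10
Printers,HQ,20
Printers,Branch-A,120
Guests,HQ,30
"""


def load_sheet(text):
    """Parse the CSV sheet into dicts with keys group, location, vlan."""
    return [
        {"group": r["group"].strip(),
         "location": r["location"].strip(),
         "vlan": int(r["vlan"])}
        for r in csv.DictReader(io.StringIO(text))
    ]


def zone_for(location):
    """Assumed naming convention for the example: one zone per location."""
    return f"zone-{location}"


def validate_sheet(rows):
    """Return a list of contradictions: the same (group, location) pair
    assigned two different VLANs. An empty list means the sheet is usable."""
    problems = []
    vlan_for_pair = {}
    for r in rows:
        pair = (r["group"], r["location"])
        seen = vlan_for_pair.setdefault(pair, r["vlan"])
        if seen != r["vlan"]:
            problems.append(
                f"{r['group']} at {r['location']}: VLAN {seen} and VLAN {r['vlan']}")
    return problems


def expand_rules(rows):
    """One rule per sheet row: group and switch location are the conditions,
    the VLAN and the location's zone are the result. This is the cross
    product the original poster is worried about."""
    return [
        {"location": r["location"], "group": r["group"],
         "vlan": r["vlan"], "zone": zone_for(r["location"])}
        for r in rows
    ]


def count_rules(rows):
    """Two ways of counting: one entry per (group, location) row, versus one
    entry per distinct VLAN at each location (groups that share a VLAN at a
    location could share a rule entry if the rule conditions allow it)."""
    per_location_vlan = Counter((r["location"], r["vlan"]) for r in rows)
    return {
        "per_group_and_location": len(rows),
        "per_location_and_vlan": len(per_location_vlan),
    }


def locations_for(rows, group):
    """Locations a group is allowed to roam to, i.e. the sheet column the
    reply above asks for."""
    return sorted({r["location"] for r in rows if r["group"] == group})


if __name__ == "__main__":
    rows = load_sheet(SHEET)
    for problem in validate_sheet(rows):
        print("conflict:", problem)
    for rule in expand_rules(rows):
        print(rule)
    print(count_rules(rows))
```

Run it on the real sheet exported as CSV; if `validate_sheet` reports a conflict, fix the sheet before touching the rule matrix, because the same group landing in two VLANs at one location cannot be expressed as a single ordered rule without one of the two silently losing.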

mp2014
New Contributor II
Thanks for the reply. This is how we do it now. But it's a lot of work to create so many rules, and for any new end-system classification request I need to adjust the rules for every department...

Rainer_Adam
New Contributor III
And then "simply" add the ID of your Zone, in this example "4"; this makes the client authenticated through this rule matrix line viewable in OneView....

[screenshot: nac_zone_details]

Rainer_Adam
New Contributor III
First you have to enable the "Zone" column in the Rule Matrix to make it visible and accessible.....

[screenshot: nac_zone]
