44-2
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 44 Configuring Network Admission Control
Configuring Network Admission Control with LAN Port IP
These sections describe how to configure NAC with LAN port IP:
• Understanding How Network Admission Control with LAN Port IP Works, page 44-2
• LAN Port IP Posture Validation Summary, page 44-5
• LAN Port IP Hardware and Software Requirements, page 44-6
• LAN Port IP Configuration Guidelines and Restrictions, page 44-6
• Configuring LAN Port IP, page 44-8
• LAN Port IP CLI Command Examples, page 44-9
• Configuring Policy-Based ACLs, page 44-21
• Configuring Inaccessible Authentication Bypass, page 44-24
• LAN Port IP Configuration Example, page 44-30
• LAN Port IP Enhancements in Software Release 8.6(1) and Later Releases, page 44-32
Understanding How Network Admission Control with LAN Port IP Works
These sections provide an understanding of LAN port IP:
• Overview, page 44-2
• Virus Infections and Their Effect on Networks, page 44-3
• How Network Admission Control Works, page 44-3
• Network Access Device, page 44-3
• Cisco Trust Agent, page 44-4
• Cisco Secure ACS, page 44-4
• Redirection, page 44-5
Overview
NAC addresses the increased threat and impact of worms and viruses to networked businesses. This
feature is part of the Cisco Self-Defending Network Initiative that helps customers identify, prevent, and
adapt to security threats.
In its initial phase, NAC enables switches and routers to restrict the access privileges of an end point that
is attempting to connect to a network. The access decision can be based on information about the end-point
device, such as its current antivirus state (version of antivirus software, virus definitions, and version of
scan engine).
NAC systems allow noncompliant devices to be denied access, placed in a quarantined area, or given
restricted access to computing resources, which keeps insecure nodes from infecting the network.
The key component of the Cisco NAC program is the Cisco Trust Agent (CTA), which resides on an
end-point system and communicates with Cisco switches and routers on the network. The CTA collects
security state information, such as the type of antivirus software that is used, and communicates this
information to Cisco switches and routers. The information is then relayed to a Cisco Secure Access
Control Server (ACS) where access control decisions are made. The ACS directs the Cisco switch or
router to perform enforcement against the end point.