
Campus Network Solution-Deployment Guide: Bradford Networks Network Sentry for BYOD Solution

Posted 04-11-2013 11:22 AM; edited 04-17-2014 12:10 PM by pmadduru

Synopsis: A detailed deployment guide for a BYOD solution using Bradford Network’s Network Sentry NAC appliance and Brocade Campus Network products.





With the increasing demand for Bring Your Own Device (BYOD) solutions for existing campus networks, it is important to understand the network configuration changes required for routers, switches, WLAN Access Points (WAP) and WLAN Controllers. These changes depend on the BYOD solution requirements.


Brocade campus network products include Brocade FastIron, Brocade NetIron, and Brocade Mobility controllers and access points. This solution includes Brocade FastIron SX, Brocade ICX Switches and Brocade Mobility Access Point (WAP) products. The deployment uses a core/distribution/access topology but is not restricted to this topology.


This guide is developed in partnership with Bradford Networks in Brocade’s Strategic Solutions Lab. For more details about Network Sentry, see the Related Documents section.


Purpose of This Document

The document provides step-by-step procedures for configuring an existing network and the Network Sentry NAC appliance including device detection, validation, authentication and administration.



This document is intended for solution, network and IT architects who are evaluating and deploying BYOD solutions in their existing Brocade campus networks.



Examples of how to deploy the Network Sentry NAC appliance in an existing Brocade network are provided with detailed configuration procedures. A companion Bradford Network Sentry BYOD solution design guide is listed in the Related Documents section. Although the deployment procedures use a core/distribution/access topology, the Network Sentry NAC appliance can be used in a variety of network topologies including core/edge.



Related Documents




Key Contributors

The content in this guide was developed by the following key contributors.

  • Lead Architect: Venugopal Nalakonda, Strategic Solutions Lab
  • Technical Author: Brook Reams, Strategic Solutions Lab

Document History

Date                  Version        Description

2013-04-15        1.0                Initial Release



About Brocade

Brocade® (NASDAQ: BRCD) networking solutions help the world’s leading organizations transition smoothly to a world where applications and information reside anywhere. This vision is designed to deliver key business benefits such as unmatched simplicity, non-stop networking, application optimization, and investment protection.

Innovative Ethernet and storage networking solutions for data center, campus, and service provider networks help reduce complexity and cost while enabling virtualization and cloud computing to increase business agility.

To help ensure a complete solution, Brocade partners with world-class IT companies and provides comprehensive education, support, and professional services offerings.



About Bradford

With solutions that dynamically adapt to changing network conditions and continually combat network threats, Bradford addresses the security needs of a wide variety of organizations in markets including education, financial services, state and local government, healthcare, energy, retail and many others. Bradford’s innovative, award-winning products and solutions are widely recognized by industry analysts including Forrester and Gartner, as well as leading publications including SC Magazine, CRN, and others. Bradford Networks is headquartered in Cambridge, MA and is privately held.



Technical Architecture

The Bradford BYOD Solution design guide shows a traditional core/distribution/access topology and an efficient core/edge topology. Both topologies meet the needs of campus networks and are supported. Each tier in the topology provides specific services and functionality including:



Access layer (core/distribution/access topology):

  • STP-free Layer 2 connectivity between clients and the network
  • High-bandwidth 1G/10G LACP LAG uplinks to the distribution layer
  • Wireless client connectivity via Brocade WAP-7131

Distribution layer:

  • Layer 2/Layer 3 connectivity between the access and core layers
  • Layer 2/Layer 3 link and node protection via MCT and VRRP-E
  • Layer 3 connectivity to the BYOD Network Sentry NAC appliance and to the services infrastructure (DHCP/DNS/AD)
  • Centralized WAP management using the Brocade controller

Core layer:

  • Layer 3 IP services using IGP (OSPF) connectivity
  • Layer 3 connectivity to the MCT-based distribution layer

Edge (core/edge topology):

  • STP-free connectivity between clients and the network
  • Terminates Layer 2 traffic within the device or the stack
  • Layer 2/Layer 3 resiliency via stacking with master/standby switches

Although this deployment guide is based on the traditional core/distribution/access blocks, Network Sentry can be used with the core/edge design blocks as well.


For additional details on the configuration of individual features referenced here, such as LACP LAG, MCT and VRRP-E, refer to the FastIron Family Configuration Guide in the Related Documents section. Other network services such as DHCP, DNS, AD and HTTP are needed for the BYOD solution but are not covered in this document; they are assumed to be in place before Network Sentry is integrated (see the prerequisites below).

The Network Sentry appliance integrates with an existing network at Layer 2 or Layer 3, although deploying it at Layer 3 is recommended to simplify future network expansion. The following diagram shows how the Network Sentry appliance integrates into the network, providing NAC services for wired and wireless devices.



  Bradford Network Sentry Solution Topology



Wired BYOD: Clients and devices connect directly to a network access switch or through a VoIP phone. A directly connected wired client is detected by Network Sentry from the SNMP linkUp/linkDown traps sent by the access or edge switches: the trap tells Network Sentry that a port came up, and Layer 2 polling of the switch (over the SNMP or Telnet/SSH management access listed in the prerequisites) then identifies the client on that port. When SNMP is globally enabled on a Brocade access/edge switch, linkUp/linkDown traps are enabled by default; the switch only needs to be told where to send them. The following SNMP and VLAN configuration is required on each Brocade access/edge switch for Network Sentry to auto-detect wired clients (placeholders are in angle brackets; keyword forms vary slightly between FastIron releases, so check the configuration guide):

    snmp-server host <Network-Sentry-IP> <community-string>
    snmp-server trap-source <in-band Ethernet interface>

    vlan 33 name Isolation-vlan
     tagged ethernet <uplink ports>
     untagged ethernet <access ports>

The employee VLAN (110) and guest VLAN (120) are defined globally in the same way. The community string on the snmp-server host line is the only thing that ties a trap to a trusted sender (SNMPv1/v2c traps are otherwise unauthenticated and travel in cleartext), so use a non-default string and confine SNMP traffic to the management network.
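As an added example (not Network Sentry or Brocade code), the following Python decodes SNMPv2c linkUp/linkDown traps the way the appliance's trap listener must before it can act on them, and shows the port-state change a trap triggers: a link-up puts the port in the isolation VLAN until the device authenticates, a link-down clears it. It builds its own sample traps with a minimal BER encoder; the community string 'nac-ro', the ifIndex values and the request-id 42 are assumptions.

```python
"""Decode SNMPv2c linkUp/linkDown traps as a NAC trap listener must.

Added example for this guide, not Network Sentry or Brocade code. Sample traps
are built here with a minimal BER encoder; the community string 'nac-ro', the
ifIndex values and the request-id 42 are assumptions.
"""

LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"          # IF-MIB linkDown
LINK_UP = "1.3.6.1.6.3.1.1.5.4"            # IF-MIB linkUp
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"    # snmpTrapOID.0
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"           # sysUpTime.0
IF_INDEX_PREFIX = "1.3.6.1.2.1.2.2.1.1."   # ifIndex.<n>


# --- minimal BER encoder, used only to build the constructed sample traps ---
def tlv(tag, body):
    length = bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def enc_int(value, tag=0x02):
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                    # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += chunk
    return tlv(0x06, bytes(body))

def build_trap(community, trap_oid, if_index, uptime=123456):
    """SNMPv2c Trap-PDU (context tag 0xA7) with the varbinds a switch sends."""
    varbinds = tlv(0x30, b"".join([
        tlv(0x30, enc_oid(SYS_UPTIME) + enc_int(uptime, 0x43)),        # TimeTicks
        tlv(0x30, enc_oid(SNMP_TRAP_OID) + enc_oid(trap_oid)),
        tlv(0x30, enc_oid(IF_INDEX_PREFIX + str(if_index)) + enc_int(if_index)),
    ]))
    pdu = tlv(0xA7, enc_int(42) + enc_int(0) + enc_int(0) + varbinds)   # id, status, index
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 = v2c


# --- decoder: what the appliance does with each datagram arriving on UDP/162 ---
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _dec_seq(body):
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        items.append((tag, inner))
    return items

def _dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_trap(packet, expected_community):
    """Return ('link-up' | 'link-down', ifIndex), or None for any other trap.
    Raises ValueError on a wrong version or community string: a v2c trap has no
    authentication beyond that cleartext string, so this check is the only way
    to distinguish a managed switch from anyone else who can reach UDP/162."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_tag, pdu) = _dec_seq(msg)
    if int.from_bytes(version, "big", signed=True) != 1:
        raise ValueError("not SNMPv2c")
    if community != expected_community.encode():
        raise ValueError("community string mismatch")
    if pdu_tag != 0xA7:
        return None                         # not a Trap-PDU
    varbinds = _dec_seq(_dec_seq(pdu)[3][1])   # skip request-id, error-status, error-index
    trap_oid = if_index = None
    for _, vb in varbinds:
        (_, oid_body), (val_tag, val) = _dec_seq(vb)
        oid = _dec_oid(oid_body)
        if oid == SNMP_TRAP_OID and val_tag == 0x06:
            trap_oid = _dec_oid(val)
        elif oid.startswith(IF_INDEX_PREFIX) and val_tag == 0x02:
            if_index = int.from_bytes(val, "big", signed=True)
    if trap_oid == LINK_UP:
        return "link-up", if_index
    if trap_oid == LINK_DOWN:
        return "link-down", if_index
    return None

def apply_trap(port_state, event):
    """NAC view of the access ports: a link-up lands the port in the isolation
    VLAN (33 on this page) until the device authenticates; a link-down forgets
    the port so the next device plugged in starts isolated again."""
    if event is not None:
        kind, if_index = event
        if kind == "link-up":
            port_state[if_index] = "isolation"
        else:
            port_state.pop(if_index, None)
    return port_state


if __name__ == "__main__":
    ports = {}
    for sample in (build_trap("nac-ro", LINK_UP, 5), build_trap("nac-ro", LINK_DOWN, 5)):
        print(apply_trap(ports, parse_trap(sample, "nac-ro")))
```

The point of the community check is also its limit: anyone on the management network who learns the string can send a forged linkDown and make the listener forget a port, which is why the prerequisites confine SNMP to the management network and why Network Sentry does not rely on traps alone but polls the switch's Layer 2 tables as well.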



A client that connects to the network through a VoIP phone is identified and monitored using a combination of 802.1X and RADIUS authentication, because the switch port stays up while devices are plugged into the phone's data port and linkUp/linkDown traps alone cannot detect them.



Wireless BYOD: Wireless devices connecting through a WAP are identified using 802.1X/EAP authentication with RADIUS VLAN override: Network Sentry acts as the RADIUS server and returns the VLAN the client is to be placed in. Integrating Network Sentry with existing WLAN controllers and WAPs requires configuration of the WLAN controller and WAPs as well as the Network Sentry appliance, followed by wireless client connection tests to validate end-to-end BYOD policy enforcement.





Configuring Wireless Network for NAC Integration

The example configuration uses Brocade Mobility WAPs connected to PoE/PoE+ ports of stacked edge or access switches. The WAPs are centrally managed by a Brocade RFS-6000 controller, which auto-discovers all WAP devices in the network.


The access switch is a four-member Brocade ICX 6610 stack (ICX-A) with 40GbE stacking links, to which the WAPs are connected. Campus access layers commonly contain multiple stacks, so the configuration procedure is applied to every connected WAP, whichever stack it is on.


The ICX-A stack aggregates traffic via LACP LAG for all connected devices forwarding it on uplinks to a pair of Brocade FastIron SX-800 chassis switches configured with a Multi-chassis Trunking (MCT) at the distribution layer. Virtual Router Redundancy Protocol-Extended (VRRP-E) is also configured on the pair of FastIron SX-800 switches to provide a resilient virtual Layer 3 default-gateway for all the devices connected to the access layer switches.


In larger campus networks, multiple distribution layer switches can be deployed so the distribution layer configuration procedure is applied to each of them.



The diagram below shows the example configuration used to document the configuration and deployment procedures in this guide.



  Deployment Configuration



The configuration is representative of a traditional core/distribution/access topology commonly found in campus networks. Although multiple access stacks and distribution switches are used depending on the scale of the network, this simple topology makes it easy to document what and where configuration changes need to be made in an existing network.



Prerequisites:

  1. Since Network Sentry is integrated into the existing campus network, all VLAN/IP addressing and client-to-network connectivity should be working before Network Sentry is integrated.
  2. Multiple 10GbE uplink ports are used on each ICX switch in a stack. This requires installing the Ports-on-Demand (POD) license before connecting the uplink ports.
  3. All switches and routers should be reachable via Telnet, SSH and SNMP on the management network. Telnet and SNMPv1/v2c carry credentials in cleartext, so where the devices support it prefer SSH and SNMPv3, and keep management access confined to the management network.
  4. All network services such as DHCP, Active Directory (AD), HTTP, etc., are configured and operational before Network Sentry integration.
  5. The table below shows the VLAN assignments used in the example configuration.


Network                                        VLAN(s)

Employee wireless (including DHCP/AD/DNS)      110
Guest wireless access (including DHCP)         120
Isolation VLAN access                          33
WAPs and controller                            1, 33, 110 and 120
Network Sentry NAC appliance                   Layer 3 attached at the distribution layer (see Technical Architecture)




Bill of Materials

The following products were used in this example configuration.


Network Sentry Appliance: 1RU NAC Linux server appliance, with Software License


Core Template Components

SX-800 Chassis, FastIron 7.4 (SXR07400):

  • SX-FI2XGMR6 2-port MP
  • SX-FI-8XG 8-port 10G Fiber
  • SX-FI62XG 2-port 10G


Distribution Template Components

SX-800 Chassis, FastIron 7.4 (SXR07400):

  • SX-FI2XGMR6 2-port MP
  • SX-FI-8XG 8-port 10G Fiber
  • SX-FI62XG 2-port 10G

RFS Controller: RFS-6000 Mobility Controller, Version 5.4


Access Template Components

ICX 6610-24F stack member, FastIron 7.4 (FCXR07400):

  • ICX6610-24F 24-port MP
  • ICX6610-QSFP 10-port 160G
  • ICX6610-8-port Dual Mode (SFP/SFP+)

ICX 6610-24P stack member, FastIron 7.4 (FCXR07400):

  • ICX6610-24P PoE 24-port MP
  • ICX6610-QSFP 10-port 160G
  • ICX6610-8-port Dual Mode (SFP/SFP+)

ICX 6610-48 stack member, FastIron 7.4 (FCXR07400):

  • ICX6610-48 48-port MP
  • ICX6610-QSFP 10-port 160G
  • ICX6610-8-port Dual Mode (SFP/SFP+)

Brocade AP-7131 WAP, Version 5.4

Task 1: Controller or WAP Configuration



Network Sentry manages the wireless controller, which in turn manages the WAPs that wireless devices connect to. For additional information on Brocade Mobility Controller and Brocade Mobility Access Point configuration, refer to the product-specific Brocade configuration guides listed in the References.

The following configuration steps are performed across the wireless infrastructure (controller and WAPs):

  1. Controller Dashboard and WAP Adoption
  2. Define VLAN Scopes across WAPs and Controller (as needed for Guest/Employee/Isolation)
  3. Configure Wireless LAN SSID
  4. Create AAA Policy for RADIUS Authentication
  5. Configure Association ACL for Client Blacklisting
  6. Define and Map a Management Policy across WAPs
  7. Map WAP Radios to Global Wireless LAN SSID

Prerequisites:

  1. The Brocade BR-7131 WAPs and Brocade RFS-6000 WLAN controller are installed, and the WAPs are connected and powered using the PoE/PoE+ ports of the ICX-A stack.
  2. Each WAP is centrally managed by the RFS-6000 WLAN controller.
  3. To ensure end-to-end connectivity, all access VLANs are configured on every Layer 2 switch in the network.


Step 1: Controller Dashboard and WAP Adoption


The Dashboard provides a single management view for all the wireless devices including controllers and WAPs. Before configuring the controller, access the Dashboard through a web browser by pointing the URL to: https://Controller_IP-addr.




  Controller Dashboard



Click the ‘Configuration’ tab to confirm that the WAPs have been automatically discovered (adopted) by the controller.



  Controller Configuration Tab


Step 2: Define VLAN Scopes across Controller and WAPs


VLANs correspond to the type of client for NAC enforcement such as, guest (120), employee (110) and isolation (33). These VLANs are defined on the controller and WAPs.




  Configure VLANs for NAC Policies



Select the WAP profile (default-br71xxx) that matches the WAP in use (BR-7131), then configure the VLAN scopes across the WAPs.



  Assign WAP Profile to VLANs



Step 3: Configure Wireless LAN SSID

To allow wireless clients to connect to the network, configure the WAP in a basic bridged mode and configure the WAP radios to broadcast an SSID (Solc-BYOD-1).



  Configure WLAN SSID



Step 4: Create AAA Policy for RADIUS Authentication


The AAA policy defines the authentication attributes: the proxy mode ‘Through wireless controller’, so that RADIUS requests are sourced from the controller rather than from each WAP, and the RADIUS server IP address, which is the Network Sentry appliance. The RADIUS shared secret entered here must match the one configured for this controller on the Network Sentry appliance; it is what lets the controller verify that an Access-Accept, and the VLAN it carries, really came from Network Sentry.




  Create AAA Policy for RADIUS Authentication




  RADIUS Server IP Configuration for Network Sentry Appliance
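The exchange that this step sets up, and the RADIUS VLAN override described under Wireless BYOD above, as an added Python example (not Bradford or Brocade code): the controller sends an Access-Request, the NAC answers with an Access-Accept carrying the RFC 3580 Tunnel-* attributes for VLAN 110 (a registered employee device) or VLAN 33 (isolation), and the controller verifies the Response Authenticator with the shared secret before honouring the VLAN. The shared secret, usernames, MAC addresses and the in-memory set of registered devices are constructed for the example; the EAP-Message exchange of a real 802.1X authentication is omitted.

```python
"""RADIUS Access-Accept with a VLAN override, as used for 802.1X/EAP clients.

Added example for this guide, not Bradford or Brocade code. VLAN 110
(employee/production) and 33 (isolation) follow the page's VLAN plan; the
shared secret, usernames, MAC addresses and registered-device set are
constructed here, and the 802.1X EAP-Message exchange is omitted.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CALLING_STATION_ID = 1, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
HEADER = struct.Struct("!BBH")              # Code, Identifier, Length

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vlan_attrs(vlan_id, tag=1):
    """RFC 3580 VLAN assignment: the three Tunnel-* attributes, same tag byte."""
    return (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def parse_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs))
                       + request_auth + attrs + secret).digest()

def build_request(ident, username, mac):
    """NAS side (controller or switch): a fresh random Request Authenticator
    per request is what binds the reply to this request."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, username.encode()) + attr(CALLING_STATION_ID, mac.encode())
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth

def build_response(code, ident, attrs, request_auth, secret):
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs

def nac_handle(request, secret, registered_macs):
    """NAC side, conceptually what Network Sentry does: a device that has
    completed registration gets the production VLAN, anything else gets the
    isolation VLAN so its traffic is redirected to the on-boarding portal."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:]))
    mac = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
    vlan = 110 if mac in registered_macs else 33
    return build_response(ACCESS_ACCEPT, ident, vlan_attrs(vlan), request_auth, secret)

def verify_response(packet, request_auth, secret):
    """NAS side: check the Response Authenticator before acting on a VLAN
    override. Returns (code, vlan_id or None); raises on a forged packet."""
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad length")
    attrs = packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: not from our RADIUS server")
    if code != ACCESS_ACCEPT:
        return code, None
    tunnel = {}
    for attr_type, value in parse_attrs(attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tunnel[attr_type] = value[1:] if value and value[0] <= 0x1F else value  # strip tag
    if len(tunnel) < 3:
        return code, None                   # accepted, but no VLAN override
    if (int.from_bytes(tunnel[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(tunnel[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802):
        raise ValueError("Tunnel-* attributes do not describe an 802.1Q VLAN")
    return code, int(tunnel[TUNNEL_PRIVATE_GROUP_ID].decode())


if __name__ == "__main__":
    secret = b"nac-shared-secret"           # constructed; must match on both sides
    req, req_auth = build_request(1, "alice", "00-11-22-33-44-55")
    resp = nac_handle(req, secret, {"00-11-22-33-44-55"})
    print(verify_response(resp, req_auth, secret))
```

The authenticator check is the part that matters for the BYOD policy: an Access-Accept built with the wrong secret is rejected before its VLAN is read, so a host on the controller's network cannot move itself from VLAN 33 to VLAN 110 by answering faster than Network Sentry. A reply that passes the check but carries no Tunnel-* attributes is still an accept, just without an override.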



Step 5: Configure Association ACL for Client Blacklist

Wireless devices transition between states and their associated VLANs, e.g., isolation, authentication, production and guest. Initially, Network Sentry blacklists all devices using an association ACL named ‘black-listed-clients’ that has a permit/allow rule covering the whole MAC address range (000000000000 to FFFFFFFFFFFF).


  ACL for Client Blacklist

Step 6: Define and Map a Management Policy across WAPs

A management policy (‘test’) mapped to the WLAN controller defines the management-access settings (Telnet, SSH, FTP and SNMP) for all managed WAPs. Enable only the access methods you need: Telnet and FTP carry credentials in cleartext, so prefer SSH for operational access.


  Map Management Policy to WAPs

As shown below, the SNMP tab configures all SNMP attributes, including SNMP versions, read-only/read-write community strings and SNMP users/passwords. Replace the default ‘public’ and ‘private’ community strings; they are universally known, and a read-write community gives control of every managed WAP.


  SNMP Configuration

Next, the wireless controller is mapped to the pre-defined management policy as shown below.


  Associate WAP to Management Policy



Step 7: Map WAP Radios to Global Wireless LAN SSID

Choose the WAP profile (default-br-71xx, which corresponds to the BR-7131 WAP in use) and map each radio to the pre-defined SSID so that clients can connect using that SSID.


  Map WAP Radio to Global WLAN SSID

If multiple SSIDs are defined, double-click each radio and select the correct SSID for that radio from the list, as shown below.


  Select Correct SSID from List of Available SSIDs



This completes the basic configuration of centralized wireless infrastructure using the Brocade RFS-6000 controller and Brocade BR-7131 WAPs. For more details, please refer to the product specific configuration guides shown in References below.





Configuring Network Sentry NAC Appliance

To provide device identification, authorization and administration, the Network Sentry appliance is added to the network using the Network Sentry Configuration Wizard (configWizard) and the Dashboard GUI.

The Network Sentry NAC appliance is connected to the pair of Brocade FastIron SX-800 switches at the distribution layer. Network services including DHCP, Active Directory, DNS and HTTP are deployed on VMware ESXi 5.0 with NAS and Violin Memory storage. These services can be deployed on physical servers as well, but many networks use server virtualization to reduce the hardware cost of these services.


Typically, a Network Sentry NAC appliance is installed in an existing network as an out-of-band solution: it is not in the data path, and enforces policy through the switches and the wireless controller (SNMP and RADIUS) rather than by forwarding client traffic itself. The network devices it manages can themselves be managed in-band or out-of-band.


ConfigWizard Administration

Network Sentry uses a ‘configWizard’ to install the appliance prior to network integration. The procedure selects a network type, defines isolation VLANs and populates the Layer 3 routing database.


Dashboard GUI Administration

Network Sentry provides a comprehensive Java GUI to setup the appliance for NAC policy enforcement. The GUI is also used to manage, monitor and control BYOD client connectivity.



Prerequisites:

  1. The network infrastructure is pre-provisioned with the required VLAN scopes and connected to the NAC appliance.
  2. All basic Network Sentry setup and hardware configuration (including license, installation, hostname, IP address, DNS and passwords) is complete.

Bill of Materials

The following products are used in this deployment.

Bradford Network Sentry Components

  • Network Sentry (NS-500 Appliance): 1RU NAC Linux server
  • Network Sentry Software 5.1 with License: Software License


Task 1: Network Sentry configWizard Administration


The solution uses the Bradford NS-500 BYOD NAC appliance to provide the NAC services. Before configuring the appliance for network integration, it should be installed with basic connectivity and the initial software license, and set up for management over the network. The following key steps lead to a successful NAC installation:

  1. Set up the basic network
  2. Set up the network type and isolation VLAN
  3. Define the isolation VLAN attributes
  4. Define the Layer 3 routing database

Prerequisites:

  1. The Network Sentry appliance hardware is installed, configured and can be managed via a web browser.
  2. Switch ports connected to the NAC appliance are defined in a VLAN and configured with an IP address in the same subnet as the appliance interface.


Step 1: Setup Network Type

Connect to the Network Sentry Configuration tool using the configWizard [https://Appliance-IP:8080/configWizard]. Select the network type (Layer 2 or Layer 3) you are using. Click Next.


  Setup Network Type

Step 2: Define Isolation VLAN Attributes

Based on the network type selected, define a non-production (isolation) VLAN and assign a DHCP scope to it. Additional VLANs, such as registration and remediation VLANs, can also be defined as needed.


  Define Isolation VLAN

Step 3: Define Layer 3 Routing Database

To enable connectivity from Network Sentry to every device in the network, additional routes can be added to the appliance's Layer 3 routing database.


  Define Layer 3 Routing Database



Task 2: Network Sentry Dashboard Administration


The following key steps are required to configure and deploy the NAC appliance in an existing campus network:

  1. Network Topology Modeling
  2. Set up LDAP-based AD Authentication
  3. Set up Guest Profile for Guest Registration

Prerequisites:

  1. The Network Sentry appliance hardware is installed, configured and can be managed via a web browser.
  2. End-to-end IP connectivity exists between the NAC appliance and all network devices, including the external DHCP, AD and RADIUS servers.



Step 1: Network Topology Modeling

An important step in configuring Network Sentry is to create a Topology View by discovering and modeling each device in the network. This involves logically adding the devices in different types of containers:

  • Controllers for WLAN Controllers,
  • Campus LAN for switches and routers,
  • Servers for DHCP and DNS,  and
  • WLAN for all WAP devices.

Each container is then configured, or “modeled”, manually. When topology modeling is complete, each device is shown graphically with all its ports and their states, as shown below for a Brocade WLAN controller and a Brocade network switch.


  Create a Topology Model

The topology model of a network switch stack is shown below:


  Topology Model for a Switch Stack

The following diagram shows a wired client connected to a switch port. The topology view of the switch is updated automatically from the SNMP linkUp trap received, and shows the client in isolation.


  Topology Model Update Shows Wired Device Connection




Step 2: Setup LDAP-based AD Authentication

To authenticate device users, an external Active Directory server is configured with its IP address and the credentials Network Sentry uses to bind to it over LDAP. Use a dedicated, least-privilege service account for this bind rather than an administrative account, since its credentials are stored on the appliance.


  Setup LDAP-based AD Authentication

Step 3: Setup Guest Profile for Guest Registration

The guest profile database, held on the appliance, is used for registering guests. Each profile contains the guest username, password and email address, as shown below:


  Setup Guest Profile



A guest profile entry is viewed under the ‘Users’ tab of the GUI.


  Users Tab With Guest Profile Database



The Network Sentry appliance is now configured and can be used with any wired or wireless device to provide device detection, authorization and management. For more advanced configuration options, please refer to the Bradford partner documentation.

BYOD Device Validation


Prerequisites:

  1. The BR-7131 wireless AP and RFS-6000 controller are installed, powered up and configured as described above.
  2. Network Sentry integration with the existing campus network is complete.
  3. End-to-end IP connectivity between Network Sentry and the network devices is verified.

Task 1: Wireless Device Authentication


Validate end-to-end policy compliance for a wireless device connected to the Brocade 7131 WAP SSID. The device can be any wireless device, such as an iPad, smartphone or tablet computer.

Prerequisites:

  1. The Brocade BR-7131 WAP (WAP1) is installed and connected to the ICX-A stack.
  2. WAP1 is configured to broadcast an SSID for wireless devices to use when connecting to the network.
  3. Active Directory services are started and running on the AD server.

Step 1: Initiate a wireless connection using SSID

A laptop connects to the WLAN and is placed in the isolation VLAN (33) by Network Sentry. The device receives an IP address from the isolation subnet, which can be confirmed with ipconfig on the laptop as shown below.


  WLAN Connection for SSID Assigned to VLAN 33


When Network Sentry detects the wireless device, it assigns it to the isolation VLAN (33) through the RADIUS VLAN assignment, with an IP address from that subnet, as shown in the Host View screen below.



  Wireless Device Assigned to Isolation VLAN


The wireless device can also be tracked and managed in the Brocade Mobility WLAN Controller GUI under ‘Wireless Clients’, as shown below.


  Brocade Mobility WLAN Controller GUI Displaying Status of Wireless Clients

Step 2: Wireless Device Registration

Any network access by the device before it is registered and authenticated is redirected to the on-boarding portal hosted by the Network Sentry appliance. The user is offered different options according to the role the device is assigned.


  Client On-board Portal

If the user is an employee, the login credentials are authenticated against the AD database.


  Employee Login Screen

After successful user authentication the device is blacklisted for a short time while it is moved from the isolation VLAN (33) to the production VLAN (110), which allows full access to the network. The brief blacklisting (via the association ACL from Step 5 of the wireless configuration) forces the client to re-associate, so that it comes up on the new VLAN and obtains a DHCP lease from the production scope.


  Employee Device Assignment to Production VLAN

The user can now access the intranet until the lease expires or they disconnect from the network.


  Confirmation of Employee Network Access


Step 3: Wireless Device Verification

Brocade Mobility WLAN Controllers track wireless clients under the ‘Statistics’ tab of the controller GUI. User Information includes client MAC, WLAN SSID, production VLAN assigned and DHCP IP address as shown below.


  Brocade Mobility WLAN Controller Statistics Tab



Entering ipconfig on the client device shows that the production DHCP server assigned an IP address in the subnet used for employee devices.


  Displaying DHCP Assigned Settings for Client Device