Table Of Contents
Connecting Cisco Network Admission Control Network Modules to the Network
Revised: May 1, 2008, OL-16674-01
This guide describes how to connect Cisco Network Admission Control (NAC) network modules to your network. It contains the following sections:
Cisco NAC Network Modules
Cisco NAC network modules allow network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines before allowing users onto a network. The NAC module identifies whether networked devices, such as laptops, desktops, and corporate assets are compliant with a network's security policies, and it addresses vulnerabilities before permitting access to the network.
The Cisco NAC network module ships from the factory with the following hardware preinstalled.
Note See the Cisco NAC network module data sheet for supported Cisco Internet Operating System (IOS) version information, http://www.cisco.com/en/US/products/ps6128/products_data_sheets_list.html.
Figure 1 NME-NAC-K9 Faceplate
Status of the CompactFlash
Off—CompactFlash is not detected
Flashing—Application detected CompactFlash at bootup
Status of Gigabit Ethernet link
On—Link is enabled
Off—Link is disabled
Status of Gigabit Ethernet activity
Status of hard drive activity
Status of system shutdown
Note Do not remove power without first shutting down the application. See the "Shutting Down the NAC Network Module" section.
On—Application is stable
Off—System is shut down and ready for host power down
Flashing—System shutdown is in progress
Status of the network module
On—Detected by the host Cisco IOS software and enabled
NME-NAC-K9 LED Descriptions
Shutting Down the NAC Network Module
Press the shutdown button on the network module faceplate for less than 2 seconds to perform a graceful shutdown of the hard disk before removing power from the router or before starting an online insertion and removal (OIR) sequence on the router. The application may take up to 2 minutes to fully shut down.
Note See the Getting Started with NAC Network Modules in Cisco Access Routers document on Cisco.com for instructions that describe how to shut down the network module from the command line interface on the router, http://www.cisco.com/en/US/products/ps6128/prod_installation_guides_list.html
Caution If you press the shutdown button for more than 4 seconds, a non-graceful shutdown of the hard disk will occur and may cause file corruption on the network module's hard disk. After a non-graceful shutdown, the DISK and SYS LEDs remain lighted. Press the shutdown button for less than 1 second to gracefully reboot the network module.
Connecting NAC Network Modules
To connect Cisco NAC network modules to an external device use a straight-through two-pair Category 5 unshielded twisted-pair (UTP) cable and connect the RJ-45 Gigabit Ethernet port on the network module to a switch, hub, repeater, or other Gigabit Ethernet network device.
Warning To comply with the Telcordia GR-1089 NEBS standard for electromagnetic compatibility and safety, connect the Network Admission Control Network Modules (NME-NAC-K9) only to intra-building or unexposed wiring or cable. The intrabuilding cable must be shielded and the shield must be grounded at both ends. The intra-building port(s) of the equipment or subassembly must not be metallically connected to interfaces that connect to the OSP or its wiring. These interfaces are designed for use as intra-building interfaces only (Type 2 or Type 4 ports as described in GR-1089-CORE, Issue 4) and require isolation from the exposed OSP cabling. The addition of Primary Protectors is not sufficient protection in order to connect these interfaces metallically to OSP wiring.
Warning To comply with the Telcordia GR-1089 NEBS standard for electromagnetic compatibility and safety, connect the NAM enhanced network module (NME-NAM-80S) only to intra-building or non-exposed wiring or cabling. The intrabuilding cable must be shielded and the shield must be grounded at both ends. The intra-building port(s) of the equipment or subassembly must not be metallically connected to interfaces that connect to the OSP or its wiring. These interfaces are designed for use as intra-building interfaces only (Type 2 or Type 4 ports as described in GR-1089-CORE, Issue 4) and require isolation from the exposed OSP cabling. The addition of Primary Protectors is not sufficient protection in order to connect these interfaces metallically to OSP wiring.
Note RJ-45 cables are not available from Cisco Systems. These cables are widely available and must be Category 5 cables.
Establishing a Gigabit Ethernet Internal Logical Connection
Use the Cisco High-Speed Intrachassis Module Interconnect (HIMI) feature to establish a Gigabit Ethernet (GE) internal logical connection between two NMEs, or between an onboard small-form-factor pluggable (SFP) GE module and an NME on Cisco 3825 and Cisco 3845 routers.
Connections can be established only as follows:
•Between the GE port in an installed onboard SFP module on the Cisco 3825 and Cisco 3845 routers
•Between GE interfaces in NME slots 1 and 2 on the Cisco 3825 router
•Between GE interfaces in NME slots 2 and 4 on the Cisco 3845 router
Note A module interconnection between the GE port on an SFP module and an NME slot or an NME-to-NME cross-connection is permitted at any given time, but both types of connections cannot exist at the same time.
Note Connections between the onboard RJ-45 GE ports and NME slots are not supported.
For details about configuring HIMI connections, see the Cisco High-Speed Intrachassis Module Interconnect (HIMI) Configuration Guide on Cisco.com, http://www.cisco.com/en/US/products/ps5855/prod_configuration_guide09186a008068ea83.html
Online Insertion and Removal of Cisco NAC Network Modules
Some Cisco access routers allow you to replace network modules without switching off the router or affecting the operation of other interfaces. This feature is called online insertion and removal (OIR). Module OIR provides uninterrupted operation to network users, maintains routing information, and ensures session preservation.
Caution Unlike other network modules, the Cisco NAC network module uses a hard disk. Online removal of disks without proper shutdown can result in file system corruption and might render the disk unusable. The operating system on the network module must be shut down in an orderly fashion before the module is removed or powered down.
Caution Cisco routers support OIR with similar modules only. If you remove a module, install another module exactly like it in its place. If you remove a 2-slot module (along with any installed WAN or voice interface cards), install another module and card combination exactly like it.
For a description of informational and error messages that may appear on the console during this procedure, see the hardware installation guide for your router.
To perform online removal of a network module and insertion of a replacement, follow these steps, beginning in privileged EXEC mode:
Step 1 Initiate a network module session using the following command:
Router# service-module integrated-service-engine 1/0 session
Trying 10.10.10.1, 2065 ... OpenPress RETURN to get started!Router> enableRouter#
Step 2 Save the running configuration of the network module by using the following command from the
router # prompt:Router# copy running-config tftp tftp-server-address filename
Step 3 Exit the network module session by pressing Control-Shift-6, followed by x.
Step 4 On the router, clear the integrated-service-engine console session by using the following command:
Router# service-module integrated-service-engine slot/unit session clear
Step 5 Perform a graceful shutdown of the network module disk drive by using the following command:Router# service-module integrated-service-engine slot/unit shutdown
Step 6 Shut down the network module interface:Router (config)# interface integrated-service-engine slot/unitRouter (config-if)# shutdownRouter (config-if)# exit
Step 7 Unplug all network interface cables from the network module.
Step 8 Loosen the two captive screws holding the network module in the chassis slot.
Step 9 Slide the network module out of the slot.
Step 10 Align the replacement network module with the guides in the chassis slot, and slide it gently into the slot.
Note If the router is not fully configured with network modules, make sure that blank panels fill the unoccupied chassis slots to provide proper airflow.
Step 11 Push the module into place until you feel its edge connector mate securely with the connector on the backplane.
Step 12 Reconnect the network interface cables that you disconnected in Step 7.
Step 13 Check that the network module LEDs are on and that the power (PWR) and enable (EN) LEDs on the front panel are also on. This inspection ensures that connections are secure and that the new unit is operational.
Step 14 Initiate a network module session with the following command:Router# service-module integrated-service-engine slot/unit sessionTrying 220.127.116.11, 2130 ... OpenFedora Core release 4 (stentz)Kernel 2.6.11-perfigo on an 1686login:
Step 15 Exit the network module session by pressing Control-Shift-6, followed by x.
Step 16 Restore the network module running configuration by using the following command from the service module prompt:Router# copy tftp running-config tftp-server-address filename
Step 17 On the router, clear the network module session by using the following command:
Router# service-module integrated-service-engine slot/unit session clear
For additional information, see the following documents and resources.
Related Topic Document Title
Cisco Network Admission Control (NAC) software configuration
Regulatory compliance and safety information
Cisco Network Modules and Interface Cards Regulatory Compliance and Safety Information
Cisco IOS software website and reference documentation
Cisco IOS Software http://www.cisco.com/web/psa/products/index.html?c=268438303
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.