Worldwide [change] |Account |Register |About Cisco
Guest

Hierarchical Navigation

Cisco NAC Appliance (Clean Access)

Cisco NAC Appliance Ordering Guide

Downloads

This document describes the ordering guidelines for the Cisco® NAC Appliance product (formerly Cisco Clean Access), effective September 10, 2007.

What's New in This Guide?

This version of the guide incorporates the latest form factor for the Cisco NAC Appliance: the Cisco NAC Network Module. In addition to offering the Cisco NAC Appliance components as discrete appliances, customers can now order the Cisco Clean Access Server as a network module that fits into the Cisco Series 2800 and 3800 Integrated Services Routers.

New Network Module

The Cisco® NAC Network Module for Integrated Services Routers brings the feature-rich Cisco Clean Access Server capabilities to Cisco 2800 and 3800 Series Integrated Services Routers. By extending the Cisco NAC Appliance portfolio of products to smaller locations, the Cisco NAC Network Module allows network administrators to manage a single device in the branch office for data, voice, and security requirements.
For more information about the Cisco NAC Network Module, please read the datasheet available at http://www.cisco.com/go/NACNM.
Customers can use the Cisco NAC Network Module in combination with the existing, appliance-based Cisco Clean Access Servers and Clean Access Managers. The following table outlines the additional options customers have.

Table 1. Cisco NAC Appliance Options

Cisco Clean Access Manager

Cisco Clean Access Server as an Appliance

Cisco NAC Network Module for ISRs

Manager for 3 Clean Access Servers (only those supporting 500 or fewer users)
• 100 users
• 250 users
• 500 users
• 50 users
• 100 users

Manager for 20 Clean Access Servers (those supporting any number of users)

Manager for 40 Clean Access Servers (those supporting any number of users)
• 1500 users
• 2500 users
• 3500 users

Cisco NAC Hardware Platforms

The Cisco NAC Appliance runs on the Cisco NAC Appliance 3300 Series hardware. Each hardware platform in the series supports several license requirements. Table 2 maps the licenses to the corresponding hardware.

Table 2. Mapping of Cisco NAC Appliance 3300 Series to Licenses

 

Cisco NAC Appliance 3310

Cisco NAC Appliance 3350

Cisco NAC Appliance 3390

Cisco Clean Access Servers
• License for 100 users
• License for 250 users
• License for 500 users
• License for 1500 users
• License for 2500 users
• License for 3500 users
-

Cisco Clean Access Managers
• License for Cisco Clean Access Lite Manager
• Supports up to 3 Clean Access Servers on the 3310 platform plus the network module
• License for Cisco Clean Access Standard Manager
• Supports up to 20 Clean Access Servers on any platform plus the network module
• License for Cisco Clean Access Super Manager
• Supports up to 40 Clean Access Servers on any platform plus the network module

Sizing the Deployment

The number of online, concurrent users in a deployment determines the type and quantity of Cisco Clean Access Servers required. In turn, the type and quantity of Cisco Clean Access Servers determines the type of Cisco Clean Access Manager required. Figure 1 explains the selection process for the Cisco Clean Access Manager.

Figure 1. Cisco Clean Access Manager Selection Process

About Failover Bundles

Failover bundles are denoted by the "FB" in each part number. Customers that purchase a failover bundle will receive two appliances and a failover license that counts both appliances as one redundant unit. Failover bundles are not available for the Cisco NAC Network Module.
When sizing the Cisco Clean Access Manager, it is useful to note that one Cisco Clean Access Server failover bundle counts as one server toward the capacity of the manager. Thus, a Cisco Clean Access Super Manager can manage up to 40 Cisco Clean Access Server failover bundles.

Sample Scenarios

The following scenarios illustrate two typical deployments of the Cisco NAC Appliance.

Scenario 1

Customer has one headquarters location with 300 users and two remote sites with fewer than 50 users at each site. Customer prefers a central deployment, using Layer 3 in-band capability to consolidate the remote sites.

Management

1 Cisco Clean Access Lite Manager with failover

NACMGR-3FB-K9

Headquarters

1 Cisco Clean Access Server with failover for 500 users

NAC3310-500FB-K9

Scenario 2

Customer has one headquarters location with 500 users. Customer would like to provide wireless guest access for its conference rooms (estimated number of users as high as 200) and enforce security policies on employee wired access in an out-of-band deployment. Based on these requirements, a central deployment is recommended, with one Cisco Clean Access Server with failover for wireless users, and another for wired users.

Management

1 Cisco Clean Access Lite Manager with failover

NACMGR-3FB-K9

Wireless Guest Access

1 Cisco Clean Access Server with failover for 250 users

NAC3310-250FB-K9

Wired Employee Access

1 Cisco Clean Access Server with failover for 500 users

NAC3310-500FB-K9

Scenario 3

Customer has one headquarters location with 4500 users and ten branch offices with 50 users each. Customer would like to provide posture assessment for all employees. Based on these requirements, a central deployment is recommended.

Management

1 Cisco Clean Access Standard Manager with failover

NACMGR-20FB-K9

Headquarters

2 Cisco Clean Access Servers with failover for 2500 users each

NAC3350-2500FB-K9

Branch offices

10 Cisco NAC Network Modules for 50 users each

NACNM-50-K9

Part Numbers for Appliances

Tables 3 and 4 list the part numbers for Cisco Clean Access Server and Cisco Clean Access Manager.

Table 3. Part Numbers for Cisco Clean Access Server

Product Part Number

Description

Coordinating Hardware

NAC3310-100-K9

Cisco Clean Access Server for 100 users

1 Cisco NAC Appliance 3310

NAC3310-100FB-K9

Cisco Clean Access Server for 100 users; failover bundle

2 Cisco NAC Appliance 3310s

NAC3310-250-K9

Cisco Clean Access Server for 250 users

1 Cisco NAC Appliance 3310

NAC3310-250FB-K9

Cisco Clean Access Server for 250 users; failover bundle

2 Cisco NAC Appliance 3310s

NAC3310-500-K9

Cisco Clean Access Server for 500 users

1 Cisco NAC Appliance 3310

NAC3310-500FB-K9

Cisco Clean Access Server for 500 users; failover bundle

2 Cisco NAC Appliance 3310s

NAC3350-1500-K9

Cisco Clean Access Server for 1500 users

1 Cisco NAC Appliance 3350

NAC3350-1500FB-K9

Cisco Clean Access Server for 1500 users; failover bundle

2 Cisco NAC Appliance 3350s

NAC3350-2500-K9

Cisco Clean Access Server for 2500 users

1 Cisco NAC Appliance 3350

NAC3350-2500FB-K9

Cisco Clean Access Server for 2500 users; failover bundle

2 Cisco NAC Appliance 3350s

NAC3350-3500-K9

Cisco Clean Access Server for 3500 users

1 Cisco NAC Appliance 3350

NAC3350-3500FB-K9

Cisco Clean Access Server for 3500 users; failover bundle

2 Cisco NAC Appliance 3350s

Table 4. Part Numbers for Cisco Clean Access Manager

Product Part Number

Description

Coordinating Hardware

NACMGR-3-K9

Cisco Clean Access Lite Manager for 3 servers

1 Cisco NAC Appliance 3310

NACMGR-3FB-K9

Cisco Clean Access Lite Manager for 3 servers; failover bundle

2 Cisco NAC Appliance 3310s

NACMGR-20-K9

Cisco Clean Access Standard Manager for 20 servers

1 Cisco NAC Appliance 3350

NACMGR-20FB-K9

Cisco Clean Access Standard Manager for 20 servers; failover bundle

2 Cisco NAC Appliance 3350s

NACMGR-40-K9

Cisco Clean Access Super Manager for 40 servers

1 Cisco NAC Appliance 3390

NACMGR-40FB-K9

Cisco Clean Access Super Manager for 40 servers; failover bundle

2 Cisco NAC Appliance 3390s

Part Numbers for Cisco NAC Network Module

Table 5 lists the part numbers associated with the Cisco NAC Network Module.

Table 5. Part Numbers for Cisco NAC Network Module for Integrated Services Routers

Hardware and Software Part Number

Needed for Supporting Cisco NAC Network Module

NME-NAC-K9

Cisco NAC Network Module for 2800 & 3800 ISR

NACNM-50-K9

NAC Network Module Server License -max 50 users

NACNM-100-K9

NAC Network Module Server License -max 100 users

NACNM-50UL=

NAC Network Module Server License Upgrade -50 to 100 users

NME-NAC-K9=

Cisco NAC Network Module for 2800 & 3800 ISR (spare)

When configuring a Cisco 2800 or 3800 Integrated Services Router chassis or bundle, select part number NME-NAC-K9 as an option within Network Modules. After confirming the software version for the NAC network module, select between the two Cisco NAC Network Module Server Licenses: part number NACNM-50-K9 or NACNM-100-K9.
If you initially purchase the 50-user license (NACNM-50-K9) for the NAC network module, you can upgrade to the 100-user license later by ordering part number NACNM-50UL=. You can select the license part numbers and apply them to the module spare (NME-NAC-K9=) in a similar manner. Licensing information is available at http://www.cisco.com/en/US/products/ps6128/prod_pre_installation_guide09186a008073136b.html

License and Hardware Upgrades for Appliances

Because of the different hardware models in the Cisco NAC Appliance 3300 Series, all license upgrades for the Cisco Clean Access Manager, and some for the Cisco Clean Access Server, require participation in the Cisco Technology Migration Program (TMP) in order to upgrade the hardware. Table 6 lists the product part numbers that require hardware upgrades.

Table 6. Cisco NAC Appliance Products Requiring Hardware Upgrades

Product Part Number

Description

NACMGR-3-K9

Cisco Clean Access Lite Manager for 3 servers

NACMGR-3FB-K9

Cisco Clean Access Lite Manager for 3 servers; failover bundle

NACMGR-20-K9

Cisco Clean Access Standard Manager for 20 servers

NACMGR-20FB-K9

Cisco Clean Access Standard Manager for 20 servers; failover bundle

NACMGR-40-K9

Cisco Clean Access Super Manager for 40 servers

NACMGR-40FB-K9

Cisco Clean Access Super Manager for 40 servers; failover bundle

NAC3310-500-K9

Cisco Clean Access Server for 500 users

NAC3310-500FB-K9

Cisco Clean Access Server for 500 users; failover bundle

In the case of some Cisco Clean Access Server licenses, customers may upgrade to a larger user license by purchasing a software upgrade license. Table 7 lists the product part numbers that do not require a hardware upgrade, along with their appropriate software upgrade license product number.

Table 7. Cisco NAC Appliance Products Eligible for Software Upgrade Licenses

Product Part Number

Description

Upgrade Part Number

Upgrade Description

NAC3310-100-K9

Cisco Clean Access Server for 100 users

NAC3310-100UL

Upgrades the 100-user Cisco Clean Access Server license to a 250-user license

NAC3310-100FB-K9

Cisco Clean Access Server for 100 users; failover bundle

NAC3310-100FBUL

Upgrades the 100-user Cisco Clean Access Server license with failover to a 250-user license with failover

NAC3310-250-K9

Cisco Clean Access Server for 250 users

NAC3310-250UL

Upgrades the 250-user Cisco Clean Access Server license to a 500-user license

NAC3310-250FB-K9

Cisco Clean Access Server for 250 users; failover bundle

NAC3310-250FBUL

Upgrades the 250-user Cisco Clean Access Server license with failover to a 500-user license with failover

NAC3350-1500-K9

Cisco Clean Access Server for 1500 users

NAC3350-1500UL

Upgrades the 1500-user Cisco Clean Access Server license to a 2500-user license

NAC3350-1500FB-K9

Cisco Clean Access Server for 1500 users; failover bundle

NAC3350-1500FBUL

Upgrades the 1500-user Cisco Clean Access Server license with failover to a 2500-user license with failover

NAC3350-2500-K9

Cisco Clean Access Server for 2500 users

NAC3350-2500UL

Upgrades the 2500-user Cisco Clean Access Server license to a 3500-user license

NAC3350-2500FB-K9

Cisco Clean Access Server for 2500 users; failover bundle

NAC3350-2500FBUL

Upgrades the 2500-user Cisco Clean Access Server license with failover to a 3500-user license with failover

Part Numbers for Support

Four types of Cisco SMARTnet support services are available for Cisco NAC Appliance customers:

• 8x5xNBD: Next business day (order received before cutoff time)

• 8x5x4: Standard 4-hour service

• 24x7x4: Premium 4-hour service

• 24x7x2: Premium 2-hour service

For more information about Cisco SMARTnet service offerings, please visit http://www.cisco.com/en/US/products/svcs/ps3034/ps2827/ps2978/serv_group_home.html.
Support for Cisco Clean Access Servers and Cisco Clean Access Managers is sold separately, while support for the Cisco NAC Network Module is included in SMARTNet for the Integrated Services Router.
Table 8 lists the part numbers of the four service options available for the Cisco Clean Access Server. Table 9 lists the part numbers of the four service options available for the Cisco Clean Access Manager. Table 10 lists the part numbers for upgrade licenses for the Clean Access Servers.

Table 8. Cisco Clean Access Server Support Part Numbers

Product Part Number

8x5xNBD

8x5x4

24x7x4

24x7x2

NAC3310-100-K9

CON-SNT-NAC100

CON-SNTE-NAC100

CON-SNTP-NAC100

CON-S2P-NAC100

NAC3310-100FB-K9

CON-SNT-NAC100F

CON-SNTE-NAC100F

CON-SNTP-NAC100F

CON-S2P-NAC100F

NAC3310-250-K9

CON-SNT-NAC250

CON-SNTE-NAC250

CON-SNTP-NAC250

CON-S2P-NAC250

NAC3310-250FB-K9

CON-SNT-NAC250F

CON-SNTE-NAC250F

CON-SNTP-NAC250F

CON-S2P-NAC250F

NAC3310-500-K9

CON-SNT-NAC500

CON-SNTE-NAC500

CON-SNTP-NAC500

CON-S2P-NAC500

NAC3310-500FB-K9

CON-SNT-NAC500F

CON-SNTE-NAC500F

CON-SNTP-NAC500F

CON-S2P-NAC500F

NAC3350-1500-K9

CON-SNT-NAC1500

CON-SNTE-NAC1500

CON-SNTP-NAC1500

CON-S2P-NAC1500

NAC3350-1500FB-K9

CON-SNT-NAC1500F

CON-SNTE-NAC1500F

CON-SNTP-NAC1500F

CON-S2P-NAC1500F

NAC3350-2500-K9

CON-SNT-NAC2500

CON-SNTE-NAC2500

CON-SNTP-NAC2500

CON-S2P-NAC2500

NAC3350-2500FB-K9

CON-SNT-NAC2500F

CON-SNTE-NAC2500F

CON-SNTP-NAC2500F

CON-S2P-NAC2500F

NAC3350-3500-K9

CON-SNT-NAC3500

CON-SNTE-NAC3500

CON-SNTP-NAC3500

CON-S2P-NAC3500

NAC3350-3500FB-K9

CON-SNT-NAC3500F

CON-SNTE-NAC3500F

CON-SNTP-NAC3500F

CON-S2P-NAC3500F

Table 9. Cisco Clean Access Manager Support Part Numbers

Product Part Number

8x5xNBD

8x5x4

24x7x4

24x7x2

NACMGR-3-K9

CON-SNT-NACM3

CON-SNTE-NACM3

CON-SNTP-NACM3

CON-S2P-NACM3

NACMGR-3FB-K9

CON-SNT-NACM3F

CON-SNTE-NACM3F

CON-SNTP-NACM3F

CON-S2P-NACM3F

NACMGR-20-K9

CON-SNT-NACM20

CON-SNTE-NACM20

CON-SNTP-NACM20

CON-S2P-NACM20

NACMGR-20FB-K9

CON-SNT-NACM20F

CON-SNTE-NACM20F

CON-SNTP-NACM20F

CON-S2P-NACM20F

NACMGR-40-K9

CON-SNT-NACM40

CON-SNTE-NACM40

CON-SNTP-NACM40

CON-S2P-NACM40

NACMGR-40FB-K9

CON-SNT-NACM40F

CON-SNTE-NACM40F

CON-SNTP-NACM40F

CON-S2P-NACM40F

Table 10. Upgrade License Support Part Numbers

Product Part Number

8x5xNBD

8x5x4

24x7x4

24x7x2

NAC3310-100UL

CON-SNT-NAC100U

CON-SNTE-NAC100U

CON-SNTP-NAC100U

CON-S2P-NAC100U

NAC3310-100FBUL

CON-SNT-NAC100UF

CON-SNTE-NAC100UF

CON-SNTP-NAC100UF

CON-S2P-NAC100UF

NAC3310-250UL

CON-SNT-NAC250U

CON-SNTE-NAC250U

CON-SNTP-NAC250U

CON-S2P-NAC250U

NAC3310-250FBUL

CON-SNT-NAC250UF

CON-SNTE-NAC250UF

CON-SNTP-NAC250UF

CON-S2P-NAC250UF

NAC3350-1500UL

CON-SNT-NAC1500U

CON-SNTE-NAC1500U

CON-SNTP-NAC1500U

CON-S2P-NAC1500U

NAC3350-1500FBUL

CON-SNT-NAC1500W

CON-SNTE-NAC1500W

CON-SNTP-NAC1500W

CON-S2P-NAC1500W

NAC3350-2500UL

CON-SNT-NAC2500U

CON-SNTE-NAC2500U

CON-SNTP-NAC2500U

CON-S2P-NAC2500U

NAC3350-2500FBUL

CON-SNT-NAC2500W

CON-SNTE-NAC2500W

CON-SNTP-NAC2500W

CON-S2P-NAC2500W

Q&A

Q. Can one Cisco Clean Access Manager manage a deployment containing both Cisco Clean Access Servers and Cisco NAC Network Modules?
A. Yes. One Cisco Clean Access Manager can manage deployments with both appliance- and network module-based Clean Access Servers.
Q. Does the Cisco NAC Network Module have the same functionality as a Clean Access Server?

Yes. The Cisco NAC Network Module has exactly the same functionality as the Cisco Clean Access Server.

Q. Do the software features vary between the models in the Cisco NAC Appliance 3300 Series?
A. No. The only difference is the number of users or the server count allowed by the license.
Q. Are customers still able to purchase the Cisco NAC Appliance software separately?
A. Yes, although this is not recommended. Customers that prefer to purchase their own hardware must first review the certified hardware list at http://www.cisco.com/en/US/products/ps6128/products_device_support_tables_list.html
Q. Can I deploy Cisco Clean Access Servers either in-band or out-of-band?
A. Yes. All Cisco Clean Access Servers can be deployed either in-band or out-of-band; however, one server cannot do both simultaneously. A Cisco Clean Access Manager can manage any combination of in-band and out-of-band servers.
Q. What is the difference between the models within the Cisco NAC Appliance 3300 Series?
A. The three models in the Cisco NAC Appliance 3300 Series differ in their hardware specifications. For more information, please refer to the Cisco NAC Appliance data sheets at http://www.cisco.com/go/nac/appliance.
Q. Is a starter kit still available for pilot deployments?
A. Yes. Customers can still order a bundled Cisco Clean Access Server + Manager software solution for up to 100 users. The part number is CCA-100-SM-BUN-K9. For the hardware, customers can purchase one failover pair to accommodate both components using the part number CCA-3140-H1-FB.

For More Information

For more information about Cisco NAC Appliance hardware and software, visit http://www.cisco.com/go/nac/appliance or contact your local account representative. Inquiries on ordering or deployment sizing can also be e-mailed to cca-questions@external.cisco.com.