This document describes the ordering guidelines for the Cisco® NAC Appliance product effective October 1, 2009.
What's New in This Guide?
This version of the guide incorporates the next-generation hardware for the Cisco NAC Appliance.
Next-Generation Appliances
Customers can use the next-generation appliances in combination with the existing, appliance-based Cisco NAC Servers and NAC Managers. Table 1 outlines the additional options customers have.
Table 1. Cisco NAC Appliance Options
Cisco NAC Manager
Cisco NAC Server
Cisco NAC Network Modules for ISRs
Manager for 3 NAC Servers (only those supporting 500 or fewer users)
• 100 users
• 250 users
• 500 users
• 50 users
• 100 users
Manager for 20 NAC Servers (those supporting any number of users)
Manager for 40 NAC Servers (those supporting any number of users)
• 1500 users
• 2500 users
• 3500 users
• 5000 users
Cisco NAC Hardware Platforms
The Cisco NAC Appliance runs on the Cisco NAC Appliance 3300 Series hardware. Each hardware platform in the series supports several license requirements. Table 2 maps the licenses to the corresponding hardware.
Table 2. Mapping of Cisco NAC Appliance 3300 Series to Licenses
| | Cisco NAC Appliance 3315 | Cisco NAC Appliance 3355 | Cisco NAC Appliance 3395 |
| --- | --- | --- | --- |
| Cisco NAC Servers | License for 100 users; License for 250 users; License for 500 users | License for 1500 users; License for 2500 users; License for 3500 users; License for 5000 users | |
| Cisco NAC Managers | Supports up to 3 NAC Servers on the 3315 platform | Supports up to 20 NAC Servers (or maximum 25,000 users) on any platform | Supports up to 40 NAC Servers (or maximum 50,000 users) on any platform |
Sizing the Deployment
The number of online, concurrent users in a deployment determines the type and quantity of Cisco NAC Servers required. In turn, the type and quantity of Cisco NAC Servers determine the type of Cisco NAC Manager required. Refer to Table 2 above for correct selection of the NAC Manager and Servers for the deployment.
About Failover Bundles
Failover bundles are denoted by the "FB" in each part number. Customers that purchase a failover bundle will receive two appliances and a failover license that counts both appliances as one redundant unit. Failover bundles are not available for the Cisco NAC Network Module.
When sizing the Cisco NAC Manager, it is useful to note that one Cisco NAC Server failover bundle counts as one server toward the capacity of the manager. Thus, a Cisco NAC Super Manager can manage up to 40 Cisco NAC Server failover bundles.
Sample Scenarios
The following scenarios illustrate some Cisco NAC Appliance deployments.
Scenario 1
Customer has one headquarters location with 300 users, and two remote sites with fewer than 50 users at each site. Customer prefers a central deployment, using Layer 3 in-band capability to consolidate the remote sites.
Management: 1 Cisco NAC Lite Manager with failover (NACMGR-LTEFB-K9)
Headquarters: 1 Cisco NAC Server with failover for 500 users (NAC3315-500FB-K9)
Scenario 2
Customer has one headquarters location with 500 users. Customer would like to provide wireless guest access for its conference rooms (estimated number of users as high as 200) and enforce security policies on employee wired access in an out-of-band deployment. Based on these requirements, a central deployment is recommended, with one Cisco NAC Server with failover for wireless users, and another for wired users.
Management: 1 Cisco NAC Lite Manager with failover (NACMGR-LTEFB-K9)
Wireless Guest Access: 1 Cisco NAC Server with failover for 250 users (NAC3315-250FB-K9)
Wired Employee Access: 1 Cisco NAC Server with failover for 500 users (NAC3315-500FB-K9)
Scenario 3
Customer has one headquarters location with 4500 users and 10 branch offices with 50 users each. Customer would like to provide posture assessment for all employees. Based on these requirements, a central deployment is recommended.
Management: 1 Cisco NAC Standard Manager with failover (NACMGR-STDFB-K9)
Headquarters: 2 Cisco NAC Servers with failover for 2500 users each (NAC3355-2500FB-K9)
Branch Offices: 10 Cisco NAC Network Modules for 100 users each (NAC3315-100FB-K9)
Part Numbers for Appliances
Tables 3 and 4 list the part numbers for the Cisco NAC Server and Cisco NAC Manager.
Table 3. Part Numbers for Cisco NAC Server
| Product Part Number | Description | Coordinating Hardware |
| --- | --- | --- |
| NAC3315-100-K9 | Cisco NAC Server for 100 users | 1 Cisco NAC Appliance 3315 |
| NAC3315-100FB-K9 | Cisco NAC Server for 100 users; failover bundle | 2 Cisco NAC Appliance 3315s |
| NAC3315-250-K9 | Cisco NAC Server for 250 users | 1 Cisco NAC Appliance 3315 |
| NAC3315-250FB-K9 | Cisco NAC Server for 250 users; failover bundle | 2 Cisco NAC Appliance 3315s |
| NAC3315-500-K9 | Cisco NAC Server for 500 users | 1 Cisco NAC Appliance 3315 |
| NAC3315-500FB-K9 | Cisco NAC Server for 500 users; failover bundle | 2 Cisco NAC Appliance 3315s |
| NAC3355-1500-K9 | Cisco NAC Server for 1500 users | 1 Cisco NAC Appliance 3355 |
| NAC3355-1500FB-K9 | Cisco NAC Server for 1500 users; failover bundle | 2 Cisco NAC Appliance 3355s |
| NAC3355-2500-K9 | Cisco NAC Server for 2500 users | 1 Cisco NAC Appliance 3355 |
| NAC3355-2500FB-K9 | Cisco NAC Server for 2500 users; failover bundle | 2 Cisco NAC Appliance 3355s |
| NAC3355-3500-K9 | Cisco NAC Server for 3500 users | 1 Cisco NAC Appliance 3355 |
| NAC3355-3500FB-K9 | Cisco NAC Server for 3500 users; failover bundle | 2 Cisco NAC Appliance 3355s |
| NAC3355-5000-K9 | Cisco NAC Server for 5000 users | 1 Cisco NAC Appliance 3355 |
| NAC3355-5000FB-K9 | Cisco NAC Server for 5000 users; failover bundle | 2 Cisco NAC Appliance 3355s |
Table 4. Part Numbers for Cisco NAC Manager
| Product Part Number | Description | Coordinating Hardware |
| --- | --- | --- |
| NACMGR-LTE-K9 | Cisco NAC Lite Manager for 3 servers | 1 Cisco NAC Appliance 3315 |
| NACMGR-LTEFB-K9 | Cisco NAC Lite Manager for 3 servers; failover bundle | 2 Cisco NAC Appliance 3315s |
| NACMGR-STD-K9 | Cisco NAC Standard Manager for 20 servers | 1 Cisco NAC Appliance 3355 |
| NACMGR-STDFB-K9 | Cisco NAC Standard Manager for 20 servers; failover bundle | 2 Cisco NAC Appliance 3355s |
| NACMGR-SPR-K9 | Cisco NAC Super Manager for 40 servers | 1 Cisco NAC Appliance 3395 |
| NACMGR-SPRFB-K9 | Cisco NAC Super Manager for 40 servers; failover bundle | 2 Cisco NAC Appliance 3395s |
Part Numbers for the Cisco NAC FIPS Module
Table 5 lists the part numbers associated with the Cisco NAC FIPS Module.
Table 5. Part Numbers for Cisco NAC FIPS Module
| Hardware and Software Part Number | Description |
| --- | --- |
| NACMGR-FIPS | FIPS Module for Cisco NAC Standard and Super Manager |
| NACMGR-FIPSFB | Failover FIPS Module for Cisco NAC Standard and Super Manager |
| NAC3315-FIPS | FIPS Module for Cisco NAC 250/500-user NAC 3315 Servers |
| NAC3315-FIPSFB | Failover FIPS Module for Cisco NAC 250/500-user NAC 3315 Servers |
| NAC3355-FIPS | FIPS Module for Cisco NAC 3355 Servers |
| NAC3355-FIPSFB | Failover FIPS Module for Cisco NAC 3355 Servers |
Part Numbers for the Cisco NAC Network Module
Table 6 lists the part numbers associated with the Cisco NAC Network Module.
Table 6. Part Numbers for Cisco NAC Network Module for Integrated Services Routers
| Hardware and Software Part Number | Needed for Supporting Cisco NAC Network Module |
| --- | --- |
| NME-NAC-K9 | Cisco NAC Network Module for 2800 and 3800 Series Integrated Services Routers |
| NACNM-50-K9 | NAC Network Module Server License (maximum 50 users) |
| NACNM-100-K9 | NAC Network Module Server License (maximum 100 users) |
| NACNM-50UL= | NAC Network Module Server License Upgrade (50 to 100 users) |
| NME-NAC-K9= | Cisco NAC Network Module for 2800 and 3800 Series Integrated Services Routers (spare) |
When configuring a Cisco 2800 or 3800 Series Integrated Services Router chassis or bundle, select part number NME-NAC-K9 as an option within Network Modules. After confirming the software version for the NAC Network Module, select between the two Cisco NAC Network Module Server Licenses: part number NACNM-50-K9 or NACNM-100-K9.
If you initially purchase the 50-user license (NACNM-50-K9) for the NAC Network Module, you can upgrade to the 100-user license later by ordering part number NACNM-50UL=. You can select the license part numbers and apply them to the module spare (NME-NAC-K9=) in a similar manner.
Support for Cisco NAC Servers and Cisco NAC Managers is sold separately. Support for the Cisco NAC Network Module is included in the SMARTnet service for Integrated Services Routers.
Table 7 lists the part numbers of the four service options available for Cisco NAC Server. Table 8 lists the part numbers of the four service options available for Cisco NAC Manager. Table 9 lists the part numbers for upgrade licenses for the NAC Servers. Table 10 lists the part numbers for upgrade eDelivery license support.
Table 7. Cisco NAC Server Support Part Numbers
| Product Part Number | 8x5xNBD | 8x5x4 | 24x7x4 | 24x7x2 |
| --- | --- | --- | --- | --- |
| NAC3315-100-K9 | CON-SNT-NAC5100 | CON-SNTE-NAC5100 | CON-SNTP-NAC5100 | CON-S2P-NAC5100 |
| NAC3315-100FB-K9 | CON-SNT-NAC5100F | CON-SNTE-NAC5100F | CON-SNTP-NAC5100F | CON-S2P-NAC5100F |
| NAC3315-250-K9 | CON-SNT-NAC5250 | CON-SNTE-NAC5250 | CON-SNTP-NAC5250 | CON-S2P-NAC5250 |
| NAC3315-250FB-K9 | CON-SNT-NAC5250F | CON-SNTE-NAC5250F | CON-SNTP-NAC5250F | CON-S2P-NAC5250F |
| NAC3315-500-K9 | CON-SNT-NAC5500 | CON-SNTE-NAC5500 | CON-SNTP-NAC5500 | CON-S2P-NAC5500 |
| NAC3315-500FB-K9 | CON-SNT-NAC5500F | CON-SNTE-NAC5500F | CON-SNTP-NAC5500F | CON-S2P-NAC5500F |
| NAC3355-1500-K9 | CON-SNT-NAC515M | CON-SNTE-NAC515M | CON-SNTP-NAC515M | CON-S2P-NAC515M |
| NAC3355-1500FB-K9 | CON-SNT-NAC515MF | CON-SNTE-NAC515MF | CON-SNTP-NAC515MF | CON-S2P-NAC515MF |
| NAC3355-2500-K9 | CON-SNT-NAC525M | CON-SNTE-NAC525M | CON-SNTP-NAC525M | CON-S2P-NAC525M |
| NAC3355-2500FB-K9 | CON-SNT-NAC525MF | CON-SNTE-NAC525MF | CON-SNTP-NAC525MF | CON-S2P-NAC525MF |
| NAC3355-3500-K9 | CON-SNT-NAC535M | CON-SNTE-NAC535M | CON-SNTP-NAC535M | CON-S2P-NAC535M |
| NAC3355-3500FB-K9 | CON-SNT-NAC535MF | CON-SNTE-NAC535MF | CON-SNTP-NAC535MF | CON-S2P-NAC535MF |
| NAC3355-5000-K9 | CON-SNT-NAC55K | CON-SNTE-NAC55K | CON-SNTP-NAC55K | CON-S2P-NAC55K |
| NAC3355-5000FB-K9 | CON-SNT-NAC55KF | CON-SNTE-NAC55KF | CON-SNTP-NAC55KF | CON-S2P-NAC55KF |
Table 8. Cisco NAC Manager Support Part Numbers
| Product Part Number | 8x5xNBD | 8x5x4 | 24x7x4 | 24x7x2 |
| --- | --- | --- | --- | --- |
| NACMGR-LTE-K9 | CON-SNT-NACMLT | CON-SNTE-NACMLT | CON-SNTP-NACMLT | CON-S2P-NACMLT |
| NACMGR-LTEFB-K9 | CON-SNT-NACMLTFB | CON-SNTE-NACMLTFB | CON-SNTP-NACMLTFB | CON-S2P-NACMLTFB |
| NACMGR-STD-K9 | CON-SNT-NACMST | CON-SNTE-NACMST | CON-SNTP-NACMST | CON-S2P-NACMST |
| NACMGR-STDFB-K9 | CON-SNT-NACMSTFB | CON-SNTE-NACMSTFB | CON-SNTP-NACMSTFB | CON-S2P-NACMSTFB |
| NACMGR-SPR-K9 | CON-SNT-NACMSP | CON-SNTE-NACMSP | CON-SNTP-NACMSP | CON-S2P-NACMSP |
| NACMGR-SPRFB-K9 | CON-SNT-NACMSPFB | CON-SNTE-NACMSPFB | CON-SNTP-NACMSPFB | CON-S2P-NACMSPFB |
Table 9. Upgrade License Support Part Numbers
| Product Part Number | 8x5xNBD | 8x5x4 | 24x7x4 | 24x7x2 |
| --- | --- | --- | --- | --- |
| NAC3315-100UL= | CON-SNT-5100U | CON-SNTE-5100U | CON-SNTP-5100U | CON-S2P-5100U |
| NAC3315-100FBUL= | CON-SNT-5100UF | CON-SNTE-5100UF | CON-SNTP-5100UF | CON-S2P-5100UF |
| NAC3315-250UL= | CON-SNT-5250U | CON-SNTE-5250U | CON-SNTP-5250U | CON-S2P-5250U |
| NAC3315-250FBUL= | CON-SNT-5250UF | CON-SNTE-5250UF | CON-SNTP-5250UF | CON-S2P-5250UF |
| NAC3355-1500UL= | CON-SNT-515MU | CON-SNTE-515MU | CON-SNTP-515MU | CON-S2P-515MU |
| NAC3355-1500FBUL= | CON-SNT-515MUF | CON-SNTE-515MUF | CON-SNTP-515MUF | CON-S2P-515MUF |
| NAC3355-2500UL= | CON-SNT-525MU | CON-SNTE-525MU | CON-SNTP-525MU | CON-S2P-525MU |
| NAC3355-2500FBUL= | CON-SNT-525MUF | CON-SNTE-525MUF | CON-SNTP-525MUF | CON-S2P-525MUF |
| NAC3355-3500UL= | CON-SNT-535MU | CON-SNTE-535MU | CON-SNTP-535MU | CON-S2P-535MU |
| NAC3355-3500FBUL= | CON-SNT-535MUF | CON-SNTE-535MUF | CON-SNTP-535MUF | CON-S2P-535MUF |
Table 10. Upgrade eDelivery License Support Part Numbers (Same as Upgrade License Part Numbers)
| Product Part Number | 8x5xNBD | 8x5x4 | 24x7x4 | 24x7x2 |
| --- | --- | --- | --- | --- |
| L-NAC3315-100UL= | CON-SNT-5100U | CON-SNTE-5100U | CON-SNTP-5100U | CON-S2P-5100U |
| L-NAC3315-100FBUL= | CON-SNT-5100UF | CON-SNTE-5100UF | CON-SNTP-5100UF | CON-S2P-5100UF |
| L-NAC3315-250UL= | CON-SNT-5250U | CON-SNTE-5250U | CON-SNTP-5250U | CON-S2P-5250U |
| L-NAC3315-250FBUL= | CON-SNT-5250UF | CON-SNTE-5250UF | CON-SNTP-5250UF | CON-S2P-5250UF |
| L-NAC3355-1500UL= | CON-SNT-515MU | CON-SNTE-515MU | CON-SNTP-515MU | CON-S2P-515MU |
| L-NAC3355-1500FBUL= | CON-SNT-515MUF | CON-SNTE-515MUF | CON-SNTP-515MUF | CON-S2P-515MUF |
| L-NAC3355-2500UL= | CON-SNT-525MU | CON-SNTE-525MU | CON-SNTP-525MU | CON-S2P-525MU |
| L-NAC3355-2500FBUL= | CON-SNT-525MUF | CON-SNTE-525MUF | CON-SNTP-525MUF | CON-S2P-525MUF |
| L-NAC3355-3500UL= | CON-SNT-535MU | CON-SNTE-535MU | CON-SNTP-535MU | CON-S2P-535MU |
| L-NAC3355-3500FBUL= | CON-SNT-535MUF | CON-SNTE-535MUF | CON-SNTP-535MUF | CON-S2P-535MUF |
Q&A
Q. Can a FIPS card be ordered separately for the new appliances?
A. No. On the new Cisco NAC Appliances, the FIPS card can be ordered only at the time of ordering the new appliance, as an option item. If an appliance is ordered without the FIPS card, the card cannot be individually purchased later and added to the appliance.
Q. Can one Cisco NAC Manager manage a deployment containing both Cisco NAC Servers and Cisco NAC Network Modules?
A. Yes. One Cisco NAC Manager can manage deployments with both appliance-based and network-module-based NAC Servers.
Q. Does the Cisco NAC Network Module have the same capabilities as a NAC Server?
A. Yes. The Cisco NAC Network Module has the same capabilities as a Cisco NAC Server.
Note: The current NAC 4.7.0 release does not support the NAC Network Module. The future NAC 4.7.2 release will support NAC Network Modules.
Q. Do the software features vary between the different models of Cisco NAC Appliances (that is, NAC3315/55/95)?
A. No. The only difference is the number of users or the server count allowed by the license.
Q. Can I deploy Cisco NAC Servers either in-band or out-of-band?
A. Yes. All Cisco NAC Servers can be deployed either in-band or out-of-band; however, one server cannot do both simultaneously. A Cisco NAC Manager can manage any combination of in-band and out-of-band servers.
Q. What is the difference between the various models of Cisco NAC Appliances (that is, 3315/55/95)?
A. The three models in the Cisco NAC Appliance 3300 Series differ in their hardware specifications. For more information, please refer to the Cisco NAC Appliance data sheets at http://www.cisco.com/go/nac/appliance.
Q. Is a starter kit still available for pilot deployments?
A. Yes. Customers can order a Cisco NAC Server + Manager bundled solution for up to 100 users. The part number is NAC3315-NFR-BUN-K9.