Cisco NAC Appliance (Clean Access)

Cisco NAC Profiler Ordering Guide

PB427643

Overview

This document describes the ordering guidelines for the Cisco® NAC Profiler and Collector products.
The Cisco NAC Profiler enhances the deployment and administration of Cisco NAC by maintaining a real-time list of all network-attached endpoints, such as IP phones and networked printers. This dynamic list can be used in several ways:

• Populating the Cisco NAC Appliance Manager (Cisco Clean Access Manager) filter list to provision connectivity for all non-PC endpoints, such as printers, IP phones, uninterruptible power supplies, and wireless access points

• Providing behavior monitoring to defend against post-admission MAC address spoofing and compromised devices that are not running the Cisco NAC Appliance Agent (Cisco Clean Access Agent)

• Enabling incremental deployment of Cisco NAC Appliances across the enterprise by device type or network segment

• Providing a set of tools that allows the real-time and historical tracking of endpoint location, identity, behavior, and addressing

Additionally, Cisco NAC Profiler can be deployed as an independent solution to give wired 802.1x customers a means of generating a trusted device list for MAC Authentication Bypass. In many environments, the need for administrators to understand what is connected to the network edge is a compelling enough reason for Profiler deployment.

Cisco NAC Profiler Components

Cisco NAC Profiler contains two components: the Profiler Server and the Collector modules (referred to as Collector).
The Cisco NAC Profiler provides the interface to create profiling rule sets. It manages, receives, and correlates information from the Collector modules, then provides external applications with access to the profiled device list.
The Cisco NAC Collector modules collect information about clientless devices and relay that information to the Profiler Server. There are two deployment choices for NAC Collector modules. The Collector modules can be installed on a NAC Server (to augment existing posture/remediation service) or as a standalone NAC Collector (no posture/remediation).
As each Cisco NAC Collector gathers information from associated endpoints, it aggregates this data into an Extensible Markup Language (XML) format and sends it over an encrypted connection to the Profiler Server for entry into the endpoint-profiling database. Here, the data from all the Collector modules is combined and represented as a comprehensive list of information. This comprehensive list can be viewed within Cisco NAC Profiler or in deployments with full Cisco NAC posture and remediation through the NAC Manager. Additionally, Cisco NAC Manager administrators can use this list to provision the appropriate endpoint device type with corresponding access privileges.

• The Cisco NAC Profiler (NAC33XX-PROF-K9) enables profiling capability. It is installed on a 3310 or 3350 appliance in stand-alone or failover mode.

• The Cisco NAC Profiler Collector (NAC33XX-CLT-K9) enables collection capabilities on an existing NAC Server. It is used for full NAC deployments where the NAC Manager and NAC Servers provide posture and remediation.

• The Cisco NAC Collector (NAC33XX-X000C[FB]-K9) enables collection capability only. It is used where customers are interested only in MAB, with no posture or remediation. It is installed on a 3310 or 3350 appliance in stand-alone or failover mode.

About Failover Bundles

The Cisco NAC Profiler components can be installed in standalone or failover (FB) mode on either the 3350 or 3310 hardware platforms.
Failover bundles are identified by the "FB" in the part number. The Cisco NAC Profiler Server or Collector failover bundle includes two discrete appliances. The failover mechanisms (link state and databases) will operate between each other independently of the state of the Cisco NAC Server components.
In the case of the Cisco NAC Collector, a failover bundle must be selected if you have installed or are installing Cisco NAC Servers in failover or high-availability mode. In this scenario, the failover state of each NAC Server will determine the failover state of its corresponding Cisco NAC Collector.
A design will always include a Profiler (with or without failover) and some number of Collectors. The collector modules can be installed either on a NAC Server or as a standalone collector.

Sizing the Deployment

The design for the Cisco NAC Profiler depends on whether an existing or proposed full Cisco NAC solution is being considered. The following design rules should assist in determining what to order.

Design Rule 1

For NAC Profiler designs that will augment a full Cisco NAC solution, order one (1) Cisco NAC Collector license that matches the hardware platform of the Cisco NAC Servers (either NAC3310 or NAC3350).
Table 1 lists the part numbers and descriptions of Cisco Collector licenses along with their corresponding Cisco NAC Server part numbers for full NAC deployments.

Table 1. Part Numbers of Cisco NAC Collector Licenses to be installed on NAC Servers as part of a full NAC solution

| Product Part Number | Product Description | Corresponding Cisco NAC Appliance Clean Access Server Part Numbers |
|---|---|---|
| NAC3350-CLT-K9= | Cisco NAC Collector License for Cisco NAC 3350 Appliances | NAC3350-1500-K9, NAC3350-2500-K9, NAC3350-3500-K9 |
| NAC3310-CLT-K9= | Cisco NAC Collector License for Cisco NAC 3310 Appliances | NAC3310-100-K9, NAC3310-250-K9, NAC3310-500-K9 |
| NAC3350-CLT-FB-K9= | Cisco NAC Collector Failover License for Cisco NAC 3350 Appliances | NAC3350-1500FB-K9, NAC3350-2500FB-K9, NAC3350-3500FB-K9 |
| NAC3310-CLT-FB-K9= | Cisco NAC Collector Failover License for Cisco NAC 3310 Appliances | NAC3310-100FB-K9, NAC3310-250FB-K9, NAC3310-500FB-K9 |

Design Rule 1a

For every Cisco NAC Manager provided in the Cisco NAC design, order one (1) Cisco NAC Profiler Server.
Table 2 lists the part numbers and descriptions of the Cisco NAC Profiler Servers, along with their corresponding Cisco NAC Appliance part numbers.

Table 2. Part Numbers of Cisco NAC Profiler Servers

| Product Part Number | Product Description | Corresponding Cisco NAC Manager Part Numbers* |
|---|---|---|
| NAC3350-PROF-K9 | Cisco NAC Profiler Server-up to 40k devices | NACMGR-3-K9, NACMGR-20-K9 |
| NAC3350-PROF-FB-K9 | Cisco NAC Profiler Server Failover Bundle-up to 40k devices | NACMGR-3FB-K9, NACMGR-20FB-K9 |
| NAC3310-PROF-K9 | NAC 3310 Profiler-up to 5K devices | NACMGR-3-K9, NACMGR-20FB-K9 |
| NAC3310-PROF-FB-K9 | NAC 3310 Profiler Failover Bundle-up to 5K devices | NACMGR-3FB-K9, NACMGR-20FB-K9 |

* For Cisco NAC Profiler Server support of part numbers NACMGR-40-K9 and NACMGR-40FB-K9, please contact cca-questions@external.cisco.com

Design Rule 2

The Cisco NAC Profiler solution (Profiler/Collector) can be deployed independently of other NAC components (Manager/Server). Customers that do not require a full NAC solution may still have the need for clientless endpoint discovery. This is a common requirement for customers implementing 802.1x in wired environments. In these designs there will be one or more NAC Profiler servers receiving information from some number of NAC Collectors.
Table 3 lists the part numbers and descriptions of Cisco NAC Collector licenses.

Table 3. Part Numbers of Cisco NAC Collector Licenses

| Product Part Number | Product Description |
|---|---|
| NAC3310-1000C-K9 | NAC 3310 Collector-max 1000 devices |
| NAC3310-1000C-FB-K9 | NAC 3310 Collector Failover Bundle-max 1000 devices |
| NAC3350-3000C-K9 | NAC 3350 Collector-max 3000 devices |
| NAC3350-3000CFB-K9 | NAC 3350 Collector Failover Bundle-max 3000 devices |
| NAC3350-5000C-K9 | NAC 3350 Collector-max 5000 devices |
| NAC3350-5000CFB-K9 | NAC 3350 Collector Failover Bundle-max 5000 devices |
| NAC3350-7000C-K9 | NAC 3350 Collector-max 7000 devices |
| NAC3350-7000CFB-K9 | NAC 3350 Collector Failover Bundle-max 7000 devices |

Table 4 lists the part numbers and descriptions of Cisco NAC Profiler licenses.

Table 4. Part Numbers of Cisco Profiler Servers

| Product Part Number | Product Description |
|---|---|
| NAC3350-PROF-K9 | Cisco NAC Profiler Server-up to 40k devices |
| NAC3350-PROF-FB-K9 | Cisco NAC Profiler Server Failover Bundle-up to 40k devices |
| NAC3310-PROF-K9 | NAC 3310 Profiler-up to 5K devices |
| NAC3310-PROF-FB-K9 | NAC 3310 Profiler Failover Bundle-up to 5K devices |

Product List Summary

For your reference, Table 5 outlines the complete list of the Cisco NAC Profiler Server and Cisco NAC Collector part numbers.

Table 5. Cisco NAC Profiler Server and Cisco NAC Collector Part Numbers

| Product Part Number | Product Description |
|---|---|
| NAC3350-PROF-K9 | Cisco NAC Profiler Server |
| NAC3350-PROF-FB-K9 | Cisco NAC Profiler Server Failover Bundle |
| NAC3350-CLT-K9= | Cisco NAC Collector License for Cisco NAC 3350 Appliances |
| NAC3350-CLT-FB-K9= | Cisco NAC Collector Failover License for Cisco NAC 3350 Appliances |
| NAC3310-CLT-K9= | Cisco NAC Collector License for Cisco NAC 3310 Appliances |
| NAC3310-CLT-FB-K9= | Cisco NAC Collector Failover License for Cisco NAC 3310 Appliances |
| NAC3310-PROF-K9 | NAC 3310 Profiler-max upto 5K devices |
| NAC3310-PROF-FB-K9 | NAC 3310 Profiler Failover Bundle-max upto 5K devices |
| NAC3310-1000C-K9 | NAC 3310 Collector-max 1000 devices |
| NAC3310-1000C-FB-K9 | NAC 3310 Collector Failover Bundle-max 1000 devices |
| NAC3350-3000C-K9 | NAC 3350 Collector-max 3000 devices |
| NAC3350-3000CFB-K9 | NAC 3350 Collector Failover Bundle-max 3000 devices |
| NAC3350-5000C-K9 | NAC 3350 Collector-max 5000 devices |
| NAC3350-5000CFB-K9 | NAC 3350 Collector Failover Bundle-max 5000 devices |
| NAC3350-7000C-K9 | NAC 3350 Collector-max 7000 devices |
| NAC3350-7000CFB-K9 | NAC 3350 Collector Failover Bundle-max 7000 devices |
| NAC3350-3000UL | NAC 3350 Collector License Upgrade-3000 to 5000 devices |
| NAC3350-3000FBUL | NAC 3350 Collector FB License Upgrade-3000 to 5000 devices |
| NAC3350-5000UL | NAC 3350 Collector License Upgrade-5000 to 7000 devices |
| NAC3350-5000FBUL | NAC 3350 Collector FB License Upgrade-5000 to 7000 devices |

Table 6 outlines the support part numbers for the Cisco NAC Profiler Server.

Table 6. Cisco NAC Profiler Server Support Part Numbers

For Cisco NAC Profiler, without Failover

| Product Part Number | Support Description |
|---|---|
| CON-S2P-NACP5 | SMARTNET 24X7X2 NAC3310-PROF-K9 |
| CON-SNT-NACP5 | SMARTNET 8X5XNBD NAC3310-PROF-K9 |
| CON-SNTE-NACP5 | SMARTNET 8X5X4 NAC3310-PROF-K9 |
| CON-SNTP-NACP5 | SMARTNET 24X7X4 NAC3310-PROF-K9 |
| CON-SNT-NACP50 | SMARTnet® 8x5xNBD Service for NAC3350-PROF-K9 |
| CON-SNTE-NACP50 | SMARTnet 8x5x4 Service for NAC3350-PROF-K9 |
| CON-SNTP-NACP50 | SMARTnet 24x7x4 Service for NAC3350-PROF-K9 |
| CON-S2P-NACP50 | SMARTnet 24x7x2 Service for NAC3350-PROF-K9 |
| CON-OS-NACP50 | 8x5xNBD Onsite Service for NAC3350-PROF-K9 |
| CON-OSE-NACP50 | 8x5x4 Onsite Service for NAC3350-PROF-K9 |
| CON-OSP-NACP50 | 24x7x4 Onsite Service for NAC3350-PROF-K9 |
| CON-PREM-NACP50 | 24x7x2 Onsite Service for NAC3350-PROF-K9 |

For Cisco NAC Profiler, with Failover

| Product Part Number | Support Description |
|---|---|
| CON-S2P-NACP5F | SMARTNET 24X7X2 NAC3310-PROF-FB-K9 |
| CON-SNT-NACP5F | SMARTNET 8X5XNBD NAC3310-PROF-FB-K9 |
| CON-SNTE-NACP5F | SMARTNET 8X5X4 NAC3310-PROF-FB-K9 |
| CON-SNTP-NACP5F | SMARTNET 24X7X4 NAC3310-PROF-FB-K9 |
| CON-SNT-NACP50F | SMARTnet 8x5xNBD Service for NAC3350-PROF-FB-K9 |
| CON-SNTE-NACP50F | SMARTnet 8x5x4 Service for NAC3350-PROF-FB-K9 |
| CON-SNTP-NACP50F | SMARTnet 24x7x4 Service for NAC3350-PROF-FB-K9 |
| CON-S2P-NACP50F | SMARTnet 24x7x2 Service for NAC3350-PROF-FB-K9 |
| CON-OS-NACP50F | 8x5xNBD Onsite Service for NAC3350-PROF-FB-K9 |
| CON-OSE-NACP50F | 8x5x4 Onsite Service for NAC3350-PROF-FB-K9 |
| CON-OSP-NACP50F | 24x7x4 Onsite Service for NAC3350-PROF-FB-K9 |
| CON-PREM-NACP50F | 24x7x2 Onsite Service for NAC3350-PROF-FB-K9 |

Table 7 outlines the support part numbers for the Cisco NAC Collector.

Table 7. Cisco NAC Collector Support Part Numbers

For Cisco NAC Collectors on the NAC 3310 Appliances, without Failover

| Product Part Number | Support Description |
|---|---|
| CON-SNT-NACC10 | SMARTnet 8x5xNBD Service for NAC3310-CLT-K9= |
| CON-SNTE-NACC10 | SMARTnet 8x5x4 Service for NAC3310-CLT-K9= |
| CON-SNTP-NACC10 | SMARTnet 24x7x4 Service for NAC3310-CLT-K9= |
| CON-S2P-NACC10 | SMARTnet 24x7x2 Service for NAC3310-CLT-K9= |
| CON-OS-NACC10 | 8x5xNBD Onsite Service for NAC3310-CLT-K9= |
| CON-OSE-NACC10 | 8x5x4 Onsite Service for NAC3310-CLT-K9= |
| CON-OSP-NACC10 | 24x7x4 Onsite Service for NAC3310-CLT-K9= |
| CON-PREM-NACC10 | 24x7x2 Onsite Service for NAC3310-CLT-K9= |

For Cisco NAC Collectors on the NAC 3310 Appliances, with Failover

| Product Part Number | Support Description |
|---|---|
| CON-SNT-NACC10F | SMARTnet 8x5xNBD Service for NAC3310-CLT-FB-K9= |
| CON-SNTE-NACC10F | SMARTnet 8x5x4 Service for NAC3310-CLT-FB-K9= |
| CON-SNTP-NACC10F | SMARTnet 24x7x4 Service for NAC3310-CLT-FB-K9= |
| CON-S2P-NACC10F | SMARTnet 24x7x2 Service for NAC3310-CLT-FB-K9= |
| CON-OS-NACC10F | 8x5xNBD Onsite Service for NAC3310-CLT-FB-K9= |
| CON-OSE-NACC10F | 8x5x4 Onsite Service for NAC3310-CLT-FB-K9= |
| CON-OSP-NACC10F | 24x7x4 Onsite Service for NAC3310-CLT-FB-K9= |
| CON-PREM-NACC10F | 24x7x2 Onsite Service for NAC3310-CLT-FB-K9= |

For Cisco NAC Collectors on the NAC 3350 Appliances, without Failover

| Product Part Number | Support Description |
|---|---|
| CON-SNT-NACC50 | SMARTnet 8x5xNBD Service for NAC3350-CLT-K9= |
| CON-SNTE-NACC50 | SMARTnet 8x5x4 Service for NAC3350-CLT-K9= |
| CON-SNTP-NACC50 | SMARTnet 24x7x4 Service for NAC3350-CLT-K9= |
| CON-S2P-NACC50 | SMARTnet 24x7x2 Service for NAC3350-CLT-K9= |
| CON-OS-NACC50 | 8x5xNBD Onsite Service for NAC3350-CLT-K9= |
| CON-OSE-NACC50 | 8x5x4 Onsite Service for NAC3350-CLT-K9= |
| CON-OSP-NACC50 | 24x7x4 Onsite Service for NAC3350-CLT-K9= |
| CON-PREM-NACC50 | 24x7x2 Onsite Service for NAC3350-CLT-K9= |

For Cisco NAC Collectors on the NAC 3350 Appliances, with Failover

| Product Part Number | Support Description |
|---|---|
| CON-SNT-NACC50F | SMARTnet 8x5xNBD Service for NAC3350-CLT-FB-K9= |
| CON-SNTE-NACC50F | SMARTnet 8x5x4 Service for NAC3350-CLT-FB-K9= |
| CON-SNTP-NACC50F | SMARTnet 24x7x4 Service for NAC3350-CLT-FB-K9= |
| CON-S2P-NACC50F | SMARTnet 24x7x2 Service for NAC3350-CLT-FB-K9= |
| CON-OS-NACC50F | 8x5xNBD Onsite Service for NAC3350-CLT-FB-K9= |
| CON-OSE-NACC50F | 8x5x4 Onsite Service for NAC3350-CLT-FB-K9= |
| CON-OSP-NACC50F | 24x7x4 Onsite Service for NAC3350-CLT-FB-K9= |
| CON-PREM-NACC50F | 24x7x2 Onsite Service for NAC3350-CLT-FB-K9= |

For Cisco NAC Collector on the NAC 3310 Appliances, without Failover

| Product Part Number | Support Description |
|---|---|
| CON-S2P-NACC1 | SMARTNET 24X7X2 NAC3310-1000C-K9 |
| CON-SNT-NACC1 | SMARTNET 8X5XNBD NAC3310-1000C-K9 |
| CON-SNTE-NACC1 | SMARTNET 8X5X4 NAC3310-1000C-K9 |
| CON-SNTP-NACC1 | SMARTNET 24X7X4 NAC3310-1000C-K9 |
| CON-SNT-NACC3 | SMARTNET 8X5XNBD NAC3350-3000C-K9 |

For Cisco NAC Collector on the NAC 3310 Appliances, with Failover

| Product Part Number | Support Description |
|---|---|
| CON-S2P-NACC1F | SMARTNET 24X7X2 NAC3310-1000CFB-K9 |
| CON-SNT-NACC1F | SMARTNET 8X5XNBD NAC3310-1000CFB-K9 |
| CON-SNTE-NACC1F | SMARTNET 8X5X4 NAC3310-1000CFB-K9 |
| CON-SNTP-NACC1F | SMARTNET 24X7X4 NAC3310-1000CFB-K9 |

For Cisco NAC Collector on the NAC 3350 Appliances, without Failover

| Product Part Number | Support Description |
|---|---|
| CON-S2P-NACC3 | SMARTNET 24X7X2 NAC3350-3000C-K9 |
| CON-SNT-NACC3 | SMARTNET 8X5XNBD NAC3350-3000C-K9 |
| CON-SNTE-NACC3 | SMARTNET 8X5X4 NAC3350-3000C-K9 |
| CON-SNTP-NACC3 | SMARTNET 24X7X4 NAC3350-3000C-K9 |
| CON-S2P-NACC5 | SMARTNET 24X7X2 NAC3350-5000C-K9 |
| CON-SNT-NACC5 | SMARTNET 8X5XNBD NAC3350-5000C-K9 |
| CON-SNTE-NACC5 | SMARTNET 8X5X4 NAC3350-5000C-K9 |
| CON-SNTP-NACC5 | SMARTNET 24X7X4 NAC3350-5000C-K9 |
| CON-S2P-NACC7 | SMARTNET 24X7X2 NAC3350-7000C-K9 |
| CON-SNT-NACC7 | SMARTNET 8X5XNBD NAC3350-7000C-K9 |
| CON-SNTE-NACC7 | SMARTNET 8X5X4 NAC3350-7000C-K9 |
| CON-SNTP-NACC7 | SMARTNET 24X7X4 NAC3350-7000C-K9 |

For Cisco NAC Collector on the NAC 3350 Appliances, with Failover

| Product Part Number | Support Description |
|---|---|
| CON-S2P-NACC3F | SMARTNET 24X7X2 NAC3350-3000CFB-K9 |
| CON-SNT-NACC3F | SMARTNET 8X5XNBD NAC3350-3000CFB-K9 |
| CON-SNTE-NACC3F | SMARTNET 8X5X4 NAC3350-3000CFB-K9 |
| CON-SNTP-NACC3F | SMARTNET 24X7X4 NAC3350-3000CFB-K9 |
| CON-S2P-NACC5F | SMARTNET 24X7X2 NAC3350-5000CFB-K9 |
| CON-SNT-NACC5F | SMARTNET 8X5XNBD NAC3350-5000CFB-K9 |
| CON-SNTE-NACC5F | SMARTNET 8X5X4 NAC3350-5000CFB-K9 |
| CON-SNTP-NACC5F | SMARTNET 24X7X4 NAC3350-5000CFB-K9 |
| CON-S2P-NACC7F | SMARTNET 24X7X2 NAC3350-7000CFB-K9 |
| CON-SNT-NACC7F | SMARTNET 8X5XNBD NAC3350-7000CFB-K9 |
| CON-SNTE-NACC7F | SMARTNET 8X5X4 NAC3350-7000CFB-K9 |
| CON-SNTP-NACC7F | SMARTNET 24X7X4 NAC3350-7000CFB-K9 |

For Cisco NAC Collector Non-Failover Upgrade Licenses

| Product Part Number | Support Description |
|---|---|
| CON-S2P-NACC3U | SMARTNET 24X7X2 NAC3350-3000UL |
| CON-SNT-NACC3U | SMARTNET 8X5XNBD NAC3350-3000UL |
| CON-SNTE-NACC3U | SMARTNET 8X5X4 NAC3350-3000UL |
| CON-SNTP-NACC3U | SMARTNET 24X7X4 NAC3350-3000UL |
| CON-S2P-NACC5U | SMARTNET 24X7X2 NAC3350-5000UL |
| CON-SNT-NACC5U | SMARTNET 8X5XNBD NAC3350-5000UL |
| CON-SNTE-NACC5U | SMARTNET 8X5X4 NAC3350-5000UL |
| CON-SNTP-NACC5U | SMARTNET 24X7X4 NAC3350-5000UL |

For Cisco NAC Collector Failover Upgrade Licenses

| Product Part Number | Support Description |
|---|---|
| CON-S2P-NACC3UF | SMARTNET 24X7X2 NAC3350-3000FBUL |
| CON-SNT-NACC3UF | SMARTNET 8X5XNBD NAC3350-3000FBUL |
| CON-SNTE-NACC3UF | SMARTNET 8X5X4 NAC3350-3000FBUL |
| CON-SNTP-NACC3UF | SMARTNET 24X7X4 NAC3350-3000FBUL |
| CON-S2P-NACC5UF | SMARTNET 24X7X2 NAC3350-5000FBUL |
| CON-SNT-NACC5UF | SMARTNET 8X5XNBD NAC3350-5000FBUL |
| CON-SNTE-NACC5UF | SMARTNET 8X5X4 NAC3350-5000FBUL |
| CON-SNTP-NACC5UF | SMARTNET 24X7X4 NAC3350-5000FBUL |

Compatibility with Existing Cisco NAC Installations

If the Cisco NAC Appliance is already deployed, it is critical to verify that each NAC Server has enough Ethernet ports to accommodate the Cisco NAC Collector Module requirements. Customers that are currently running the Clean Access Server on the Cisco NAC 3140 hardware platform can purchase additional dual network interface cards (NICs) to support the Cisco NAC Collector modules. More details are available in the Release Notes. This requirement does not pertain to the Cisco NAC Profiler Server.

Frequently Asked Questions

Q. How does the Cisco NAC Profiler Server communicate endpoint information to the Cisco Clean Access Manager?
A. The Cisco NAC Profiler Server communicates endpoint information to the Cisco Clean Access Manager using the NAC Appliance API.
Q. How does the Cisco NAC Profiler determine the endpoints' identities?
A. The Cisco NAC Profiler uses several discovery techniques, including passive and active mechanisms such as Simple Network Management Protocol (SNMP), network traffic analysis, NetFlow data, and active profiling. Data from these discovery mechanisms is aggregated to provide a comprehensive, real-time view of all network-attached endpoints.
Q. Is the Cisco NAC Profiler inline?
A. No. Instead, the Cisco NAC Profiler Collector applications use several discovery techniques, including SNMP, traffic analysis via SPAN, and NetFlow data.
Q. Can I deploy the Cisco NAC Profiler in in-band and out-of-band NAC Appliance deployments?
A. Yes. Cisco NAC Profiler works in either in-band or out-of-band NAC Appliance deployments.
Q. What is the maximum number of endpoints that the Cisco NAC Profiler can manage in a single database?
A. The number of endpoints that Cisco NAC Profiler supports is tied to the Cisco NAC Appliance deployment. Customers should order one Cisco NAC Profiler Server for each Cisco NAC Manager, and one Cisco NAC Profiler Collector license for each Cisco NAC Server they have deployed. Alternatively, in a Profiler deployment without other NAC components, the database size is listed in the ordering description.
Q. Can the Cisco NAC Collector license be deployed independent of the posture capabilities of the Cisco NAC Appliance Server? If so, how would it be ordered?
A. Both components of the Cisco NAC Profiler are intended to be used in support of Cisco NAC implementations. However, if customers want to begin with profiling only, without user posture, the Cisco NAC Profiler Collector license description details the device count support.
Q. My customer has already deployed Profiler and Collectors in their environment and now wishes to upgrade the Collectors to full NAC Servers to perform posture and remediation. How is this done?
A. There is no upgrade path for NAC Collectors to be converted to joint NAC Server/Collector deployments.

For More Information

For more information about the Cisco NAC Profiler or Cisco NAC, visit http://www.cisco.com/go/nac/appliance or contact your local account representative. Inquiries on ordering or deployment sizing can also be e-mailed to cca-questions@external.cisco.com.