This document describes the NAC ordering guidelines utilizing the Cisco Secure Network Server effective July 5, 2013.
What's New in This Guide?
This version of the guide incorporates the Cisco Secure Network Server into the Cisco NAC Manager and NAC Server configurations.
Next-Generation Appliances
Customers can utilize the Cisco Secure Network Server in combination with the existing, appliance-based Cisco NAC Servers and NAC Managers. Table 1 outlines additional options customers have.
Table 1. Cisco NAC Manager and NAC Server Options
Cisco NAC Manager
Cisco NAC Server
Manager for 3 NAC Servers (servers supporting 500 or fewer endpoints)
• 100 endpoints
• 250 endpoints
• 500 endpoints
Manager for 20 NAC Servers (servers supporting any number of endpoints)
• 100 endpoints
• 250 endpoints
• 500 endpoints
• 1500 endpoints
• 2500 endpoints
• 3500 endpoints
• 5000 endpoints
Manager for 40 NAC Servers (servers supporting any number of endpoints)
• 100 endpoints
• 250 endpoints
• 500 endpoints
• 1500 endpoints
• 2500 endpoints
• 3500 endpoints
• 5000 endpoints
Cisco NAC Hardware Platforms
Cisco NAC Server and NAC Manager run on either the Cisco Secure Network Server 3415 or the Cisco Secure Network Server 3495. Each hardware platform in the series supports several license requirements. Table 2 maps the licenses to the corresponding hardware.
Table 2. Mapping Cisco Secure Network Servers to Licenses
Cisco Secure Network Server 3415
Cisco Secure Network Server 3495
Cisco NAC Servers
• License for 100 endpoints
• License for 250 endpoints
• License for 500 endpoints
• License for 1500 endpoints
• License for 2500 endpoints
• License for 3500 endpoints
• License for 5000 endpoints
Cisco NAC Managers
Supports up to 3 NAC Servers as listed in Table 1.
Supports up to 40 NAC Servers (or a maximum of 50,000 endpoints) as listed in Table 1.
Sizing the Deployment
Licensing is based upon the number of concurrent endpoints that are connected to the network. Each server is licensed to support a specified number of endpoints, indicated by the server description (e.g., Cisco NAC Server for 250 endpoints).
The NAC Manager is used to configure and manage the NAC Servers in the network. Each NAC Manager can support a maximum number of NAC Servers or maximum number of endpoints by adding the user count per server.
For details on the NAC Manager sizing, please see Table 2.
Ordering NAC Server
When ordering a NAC Server, select one item from each of the hardware, software, and licensing steps. For a failover (redundant) pair, order both a NAC Server and a standby NAC Server. Details on how to order the standby NAC Server are outlined in a separate section below.
Step 1 - Hardware
Select one of the following appliances from Table 3:
Table 3. Cisco Secure Network Servers
Product Part Number
Description
SNS-3415-K9
Cisco Secure Network Server 3415 (for up to 500 endpoints)
SNS-3495-K9
Cisco Secure Network Server 3495 (for greater than 500 endpoints)
Step 2 - Software
Select the following software packages in Table 4:
Table 4. Cisco NAC Server Software
Product Part Number
Description
SNS-NACS-K9
Cisco NAC Server Software
Step 3 - Licensing
Choose one of the following licenses in Table 5 that corresponds to the hardware selected in Table 3:
Table 5. Cisco NAC Server Licenses
Product Part Number
Description
Hardware Required
NAC-100-K9
Cisco NAC Server License for up to 100 endpoints
SNS-3415-K9
NAC-250-K9
Cisco NAC Server License for up to 250 endpoints
SNS-3415-K9
NAC-500-K9
Cisco NAC Server License for up to 500 endpoints
SNS-3415-K9
NAC-1500-K9
Cisco NAC Server License for up to 1500 endpoints
SNS-3495-K9
NAC-2500-K9
Cisco NAC Server License for up to 2500 endpoints
SNS-3495-K9
NAC-3500-K9
Cisco NAC Server License for up to 3500 endpoints
SNS-3495-K9
NAC-5000-K9
Cisco NAC Server License for up to 5000 endpoints
SNS-3495-K9
Ordering NAC Server Failover Configurations
Customers who desire availability in the event of a server hardware failure must order a separate standby NAC Server configuration in addition to the primary NAC Server. The combination of the primary and the standby configurations creates a redundant pair. In the event of a failure in the primary NAC Server, the primary server will fail over to the standby server. The standby configuration must be ordered with the same license as the primary configuration.
Select one item from each of the hardware, software, and licensing steps.
Step 1 - Hardware
Select one of the following appliances from Table 6:
Table 6. Cisco Secure Network Servers
Product Part Number
Description
SNS-3415-K9
Cisco Secure Network Server 3415 (for up to 500 endpoints)
SNS-3495-K9
Cisco Secure Network Server 3495 (for greater than 500 endpoints)
Step 2 - Software
Select the following software packages in Table 6:
Table 7. Cisco NAC Server Software
Product Part Number
Description
SNS-NACS-K9
Cisco NAC Server Software
Step 3 - Licensing
Select one of the following licenses from Table 8 that corresponds to the hardware from Table 6:
Table 8. Cisco NAC Server Standby Licenses
Product Part Number
Description
Hardware Required
NAC-100SB-K9
Cisco NAC Server Standby License for up to 100 endpoints
SNS-3415-K9
NAC-250SB-K9
Cisco NAC Server Standby License for up to 250 endpoints
SNS-3415-K9
NAC-500SB-K9
Cisco NAC Server Standby License for up to 500 endpoints
SNS-3415-K9
NAC-1500SB-K9
Cisco NAC Server Standby License for up to 1500 endpoints
SNS-3495-K9
NAC-2500SB-K9
Cisco NAC Server Standby License for up to 2500 endpoints
SNS-3495-K9
NAC-3500SB-K9
Cisco NAC Server Standby License for up to 3500 endpoints
SNS-3495-K9
NAC-5000SB-K9
Cisco NAC Server Standby License for up to 5000 endpoints
SNS-3495-K9
For customers ordering NAC Server failover configurations, it is useful to note that one Cisco NAC Server failover pair (primary and standby) counts as one server toward the capacity of the Cisco NAC Manager.
Ordering NAC Manager
When ordering a NAC Manager, select one item from each of the hardware, software, and licensing steps. For a failover (redundant) pair, order both a NAC Manager and a NAC Standby Manager. Details on how to order the standby NAC Manager are outlined in a separate section below.
Step 1 - Hardware
Select one of the following appliances from Table 9:
Table 9. Cisco Secure Network Servers
Product Part Number
Description
SNS-3415-K9
Cisco Secure Network Server 3415 (for up to 3 NAC Servers supporting 500 or fewer endpoints per server)
SNS-3495-K9
Cisco Secure Network Server 3495 (for up to 40 NAC Servers supporting any number of endpoints per server)
Step 2 - Software
Select the following software package from Table 10:
Table 10. Cisco NAC Manager Software
Product Part Number
Description
SNS-NACM-K9
Cisco NAC Manager
Step 3 - Licensing
Select one of the following licenses from Table 11 that corresponds to the hardware from Table 9:
Table 11. Cisco NAC Manager Licenses
Product Part Number
Description
Hardware Required
NACMGR-SNSLTE-K9
Cisco NAC Manager License for up to 3 NAC Servers supporting 500 or fewer endpoints per server
SNS-3415-K9
NACMGR-SNSSTD-K9
Cisco NAC Manager License for up to 20 NAC Servers supporting any number of endpoints per server
SNS-3495-K9
NACMGR-SNSSPR-K9
Cisco NAC Manager License for up to 40 NAC Servers supporting any number of endpoints per server
SNS-3495-K9
Ordering NAC Manager Failover Configurations
Customers who desire availability in the event of a server hardware failure must order a separate standby NAC Manager configuration in addition to the primary NAC Manager. The combination of the primary and the standby configurations creates a redundant pair. In the event of a failure in the primary, the NAC Manager will fail over to the standby. The standby configuration must be ordered with the same license as the primary configuration.
Step 1 - Hardware
Select one of the following appliances from Table 12:
Table 12. Cisco Secure Network Servers
Product Part Number
Description
SNS-3415-K9
Cisco Secure Network Server 3415 (for up to 3 NAC Servers supporting 500 or fewer endpoints per server)
SNS-3495-K9
Cisco Secure Network Server 3495 (for up to 40 NAC Servers supporting any number of endpoints per server)
Step 2 - Software
Select the following software package from Table 13:
Table 13. Cisco NAC Manager Software
Product Part Number
Description
SNS-NACM-K9
Cisco NAC Manager
Step 3 - Licensing
Select one of the following licenses from Table 14 that corresponds to the hardware from Table 12:
Table 14. Cisco NAC Manager Standby Licenses
Product Part Number
Description
Hardware Required
NACMGR-SNSLTESB-K9
Cisco NAC Manager Standby License for up to 3 NAC Servers supporting 500 or fewer endpoints per server
SNS-3415-K9
NACMGR-SNSSTDSB-K9
Cisco NAC Manager Standby License for up to 20 NAC Servers supporting any number of endpoints per server
SNS-3495-K9
NACMGR-SNSSPRSB-K9
Cisco NAC Manager Standby License for up to 40 NAC Servers supporting any number of endpoints per server
SNS-3495-K9
Customer Scenarios
The following scenarios illustrate some Cisco Secure Network Server NAC deployments.
Scenario 1
Customer has one headquarters location with 300 endpoints and two remote sites with fewer than 50 endpoints at each site. Customer prefers a redundant central deployment, using Layer 3 in-band capability to consolidate the remote sites.
Management
1 Cisco NAC Lite Manager with failover
Headquarters
1 Cisco NAC Server with failover for 500 endpoints
The customer would order the following Manager configuration:
Quantity
Product Part Number
Description
2
SNS-3415-K9
Cisco Secure Network Server 3415 (for up to 3 NAC Servers supporting 500 or fewer endpoints per server)
2
SNS-NACM-K9
Cisco NAC Manager
1
NACMGR-SNSLTE-K9
Cisco NAC Manager License for up to 3 NAC Servers supporting 500 or fewer endpoints per server
1
NACMGR-SNSLTESB-K9
Cisco NAC Manager Standby License for up to 3 NAC Servers supporting 500 or fewer endpoints per server
The customer would also need to order the following Server configuration:
Quantity
Product Part Number
Description
2
SNS-3415-K9
Cisco Secure Network Server 3415 (for up to 500 endpoints)
2
SNS-NACS-K9
Cisco NAC Server version 4.9.2
1
NAC-500-K9
Cisco NAC Server License for up to 500 endpoints
1
NAC-500SB-K9
Cisco NAC Server Standby License for up to 500 endpoints
Scenario 2
Customer has one headquarters location with 300 endpoints and two remote sites with fewer than 50 endpoints at each site. Customer prefers a redundant central deployment, using Layer 3 in-band capability to consolidate the remote sites. However, the customer has decided not to have redundancy on the Manager.
Management
1 Cisco NAC Lite Manager
Headquarters
1 Cisco NAC Server with failover for 500 endpoints
The customer would order the following non-redundant Manager configuration:
Quantity
Product Part Number
Description
1
SNS-3415-K9
Cisco Secure Network Server 3415 (for up to 3 NAC Servers supporting 500 or fewer endpoints per server)
1
SNS-NACM-K9
Cisco NAC Manager
1
NACMGR-SNSLTE-K9
Cisco NAC Manager License for up to 3 NAC Servers supporting 500 or fewer endpoints per server
The customer would also need to order the following redundant Server configuration:
Quantity
Product Part Number
Description
2
SNS-3415-K9
Cisco Secure Network Server 3415 (for up to 500 endpoints)
2
SNS-NACS-K9
Cisco NAC Server Software
1
NAC-500-K9
Cisco NAC Server License for up to 500 endpoints
1
NAC-500SB-K9
Cisco NAC Server Standby License for up to 500 endpoints
Scenario 3
Customer has one headquarters location with 500 endpoints. Customer would like to provide wireless guest access for its conference rooms (estimated number of endpoints as high as 200) and enforce security policies on employee wired access in an out-of-band deployment. Based on these requirements, a central deployment is recommended, with one Cisco NAC Server with failover for wireless endpoints, and another for wired endpoints.
Management
1 Cisco NAC Lite Manager with failover
Wireless Guest Access
1 Cisco NAC Server with failover for 250 endpoints
Wired Employee Access
1 Cisco NAC Server with failover for 500 endpoints
The customer would order the following Manager configuration:
Quantity
Product Part Number
Description
2
SNS-3415-K9
Cisco Secure Network Server 3415 (for up to 3 NAC Servers supporting 500 or fewer endpoints per server)
2
SNS-NACM-K9
Cisco NAC Manager
1
NACMGR-SNSLTE-K9
Cisco NAC Manager License for up to 3 NAC Servers supporting 500 or fewer endpoints per server
1
NACMGR-SNSLTESB-K9
Cisco NAC Manager Standby License for up to 3 NAC Servers supporting 500 or fewer endpoints per server
The customer would also need to order the following Server configuration:
Quantity
Product Part Number
Description
4
SNS-3415-K9
Cisco Secure Network Server 3415 (for up to 500 endpoints)
4
SNS-NACS-K9
Cisco NAC Server Software
1
NAC-250-K9
Cisco NAC Server License for up to 250 endpoints
1
NAC-250SB-K9
Cisco NAC Server Standby License for up to 250 endpoints
1
NAC-500-K9
Cisco NAC Server License for up to 500 endpoints
1
NAC-500SB-K9
Cisco NAC Server Standby License for up to 500 endpoints
Upgrade Licenses
Customer who would like to upgrade the number of endpoints supported on existing Cisco 3400 Series NAC Server(s) may order one or more of the following upgrades per server as shown in Table 15:
Table 15. Cisco 3400 Series NAC Server Upgrade License Part Numbers
Product Part Number
Description
NAC Server electronic delivery licenses
L-NAC-100SBUL=
Cisco Secure Network Server 3415 NAC Server Standby License Upgrade for 100 to 250 endpoints
L-NAC-100UL=
Cisco Secure Network Server 3415 NAC Server License Upgrade for 100 to 250 endpoints
L-NAC-250SBUL=
Cisco Secure Network Server 3415 NAC Server Standby License Upgrade for 250 to 500 endpoints
L-NAC-250UL=
Cisco Secure Network Server 3415 NAC Server License Upgrade for 250 to 500 endpoints
L-NAC-1500SBUL=
Cisco Secure Network Server 3495 NAC Server Standby License Upgrade for 1500 to 2500 endpoints
L-NAC-1500UL=
Cisco Secure Network Server 3495 NAC Server License Upgrade for 1500 to 2500 endpoints
L-NAC-2500SBUL=
Cisco Secure Network Server 3495 NAC Server Standby License Upgrade for 2500 to 3500 endpoints
L-NAC-2500UL=
Cisco Secure Network Server 3495 NAC Server License Upgrade for 2500 to 3500 endpoints
L-NAC-3500SBUL=
Cisco Secure Network Server 3495 NAC Server Standby License Upgrade for 3500 to 5000 endpoints
L-NAC-3500UL=
Cisco Secure Network Server 3495 NAC Server License Upgrade for 3500 to 5000 endpoints
Customer Upgrade Licensing Scenarios
The following scenarios illustrate potential Cisco NAC Server license upgrades:
Scenario 1
Customer has a Cisco 3415 NAC Server licensed for 100 endpoints and would like to increase the server to support 500 endpoints. The customer would order the following upgrade licenses:
Quantity
Product Part Number
Description
1
L-NAC-100UL=
Cisco Secure Network Server 3415 NAC Server License Upgrade for 100 to 250 endpoints
1
L-NAC-250UL=
Cisco Secure Network Server 3415 NAC Server License Upgrade for 250 to 500 endpoints
Scenario 2
Customer has a Cisco 3495 NAC Server and a standby Cisco 3495 NAC Server, creating a redundant pair. The customer would order the following to increase the number of endpoint supported from 2500 to 3500:
Quantity
Product Part Number
Description
1
L-NAC-2500UL=
Cisco Secure Network Server 3495 NAC Server License Upgrade for 2500 to 3500 endpoints
1
L-NAC-250SBUL=
Cisco Secure Network Server 3495 NAC Server Standby License Upgrade for 2500 to 3500 endpoints
Cisco SMARTnet® Support
Table 16 lists the part numbers of the service options available for Cisco Secure Network Servers.
Table 16. Cisco Secure Network Server Support Part Numbers
Product Part Number
SMARTnet Part Number
Description
SNS-3415-K9
CON-SNT-SNS-3415
Cisco SMARTnet support for SNS-3415-K9 - 8x5 Next Business Day
SNS-3495-K9
CON-SNT-SNS-3495
Cisco SMARTnet support for SNS-3495-K9 - 8x5 Next Business Day
Other levels of SMARTnet support are available. Support for Cisco NAC Servers and Cisco NAC Managers is sold separately. All support licenses will be in effect for one year from the purchase date. Service contract and licensing support information is available at http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/license.html.
Customer Support Scenario
A customer is purchasing a Cisco NAC Manager Lite with a standby Manager for redundancy and a NAC Server for 500 endpoints with a standby Server for redundancy as well.
As a result the customer would order the following Manager configuration:
Quantity
Product Part Number
Description
2
SNS-3415-K9
Cisco Secure Network Server 3415 (for up to 3 NAC Servers supporting 500 or fewer endpoints per server)
2
SNS-NACM-K9
Cisco NAC Manager
1
NACMGR-SNSLTE-K9
Cisco NAC Manager License for up to 3 NAC Servers supporting 500 or fewer endpoints per server
1
NACMGR-SNSLTESB-K9
Cisco NAC Manager Standby License for up to 3 NAC Servers supporting 500 or fewer endpoints per server
The customer would also be ordering the following Server configuration:
Quantity
Product Part Number
Description
2
SNS-3415-K9
Cisco Secure Network Server 3415 (for up to 500 endpoints)
2
SNS-NACS-K9
Cisco NAC Server Software
1
NAC-500-K9
Cisco NAC Server License for up to 500 endpoints
1
NAC-500SB-K9
Cisco NAC Server Standby License for up to 500 endpoints
To support this order with Cisco SMARTnet, the customer would order:
Quantity
SMARTnet Part Number
Description
4
CON-SNT-SNS-3415
Cisco SMARTnet support for SNS-3415-K9 - 8x5 Next Business Day
Q&A
Q. Do the software features vary between the different Cisco Secure Network Server models (e.g., 3415 or 3495)?
A. No. The only difference is the number of endpoints or the server count allowed by the license.
Q. Can I deploy Cisco NAC Servers either in band or out of band?
A. Yes. All Cisco NAC Servers can be deployed either in band or out of band; however, one server cannot do both simultaneously. A Cisco NAC Manager can manage any combination of in-band and out-of-band servers.
Q. What is the difference between the various Cisco Secure Network Server models?
