© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1 Topologies

NAC Design Session - AntiCISCO



Topologies


NAC Minimum Requirements

A minimum deployment includes at least 1 NAC Server and at least 1 NAC Manager

NAC Managers start from NACMGR-3-K9 with a maximum of 3 adjacent NAC Servers

NAC Manager can manage any NAC Server, including NME-NAC-K9 (up to 100 users)

NAC Manager can be placed remotely


NAC Recommendations: CO LAN

Wired: Out-of-Band Layer 2 deployment

• Easy deployment

• Existing network topology

Wireless: InBand deployment (L2 or L3)

• All services (guest, QoS, etc)

• Security


NAC Recommendations: Remote

IPSec/SSL VPN client: InBand L3

Remote office: InBand deployment

• Server is located behind the central office firewall

• Manager is located in the CO DMZ

• All traffic from remote office users bypasses NAC Server

Remote office growth: move Server to remote location (NAC 33xx or NME-NAC)


Remote Site NAC Server (Inband or OOB)

• Minimal network changes (same as campus deployment)

• Remote segmentation, or port segmentation using OOB

• Full feature support - keep IP address (vgw), /30s etc

• Deploy Inband for both wired and wireless users

• Deploy OOB for wired only deployments (Starting 4.5 Wireless OOB could be leveraged here)

• NME-NAC-K9 as a NAC Server can be deployed to save the existing topology and save money.

Optimal Solution: Provides all the functions of a campus deployment, contrast with cost

[Diagram labels: IP Network, NAC Manager]


NAC Growth

One NAC Server can manage 100 users (3310) and up to 3500 users (3350)

One NAC Manager can serve 3 NAC Servers and up to 40 Servers

Administrator can add an additional NAC Guest Server to provide some services, like guest access and monitoring

NME-NAC modules for ISR 28xx, 38xx for greater flexibility

NAC Profiler can be deployed for excellent manageability of both managed and unmanaged devices, such as IP phones, printers, terminals etc


NAC Guest Server

Provisioning: Allows any internal sponsor to create guest accounts

Notification: Provides access details to the guest by print, e-mail, or text message

Management: Makes it easy to modify and suspend accounts

Reporting: Provides full reporting on guest accounts and guest activity

Helps IT staff to manage lots of guest accounts

Can manage guest accounts from NAC Servers and LWAPP AP


NAC Prices (GPL)

Part number | Description | Price

Servers

NME-NAC-K9 | Cisco NAC Network Module for 2800, 3800 ISR | $2 000,00

NAC3310-100-K9 | NAC Appliance 3310 Server - max 100 users | $8 990,00

NAC3310-500-K9 | NAC Appliance 3310 Server - max 500 users | $22 990,00

NAC3350-1500-K9 | NAC Appliance 3350 Server - max 1500 users | $41 990,00

NAC3350-3500-K9 | NAC Appliance 3350 Server - max 3500 users | $72 990,00

Managers

NACMGR-3-K9 | NAC Appliance 3310 Manager - max 3 Servers | $8 990,00

NACMGR-20-K9 | NAC Appliance 3350 Manager - max 20 Servers | $21 990,00

NACMGR-40-K9 | NAC Appliance 3390 Manager - max 40 Servers | $38 990,00

Guest Server

NAC3310-GUEST-K9 | NAC Guest Server | $24 995,00

Profiler

NAC3350-PROF-K9 | NAC 3350 Profiler - max up to 40K devices | $58 990,00


CSA minimum deployment

CSA agent works only with CSA Management Center

Starter kit includes CSA MC, 10 desktop and 1 server license

CSA MC can be placed remotely

Server agent can be installed on different OSes: Windows, Linux and Solaris

Desktop agent can run on Windows and Linux

Data Leakage Protection feature (DLP) is licensed


CSA Growth (version 6.0)*

One MC can manage up to

• 5000 desktops

• 500 servers

• 10000 DLP desktops

New features: DLP, signature-based antivirus

Easy deployment and implementing new features and policies

* Starting August 2008


CSA Prices (version 6.0)*

Part number | Description | Price

Starter kit

CSA-START-6.0-K9= | CSA 6.0 Starter Kit [MC, 1 Server, and 10 Desktop Agents] | $3 000,00

Server

CSA-SRVR-K9= | Cisco Security Agent [1 Server Agent Bundle] | $1 050,00

CSA-B500-SRVR-K9 | Cisco Security Agent [500 Server Agent Bundle] | $304 500,00

Desktop

CSA-B25-DTOP-K9 | Cisco Security Agent [25 Desktop Agent Bundle] | $1 625,00

* Approximately. Based on v5.2 prices. Actual 6.0 prices - August 2008
