Cisco NAC Placement
Hi,
I am new to NAC and I have an implementation coming up. We have sold them 2 NAC servers, 1 NAC manager and an ACS server.
The customer has VPN users, wireless users and 3 remote branches. I am planning to place the devices in OOB, Virtual IP and L2 mode. Is this a good practice? Will this cause any complications?
How can I place the ACS server (appliance) in the network? Do I need to use 802.1x? Is it a good practice to use a NAC solution + 802.1x in a network?
Kindly suggest how to place the ACS.
Thanks in advance.
Hi,
You can use NAC + ACS for VPN and Wireless access.
Basically you can leverage VPN Auth using RADIUS and also Wireless authentication using RADIUS/802.1x.
Then you can enable VPN/Wireless SSO on the CAS, so as to leverage the RADIUS/802.1x authentication also for NAC, and have the clients go through posture assessment.
Although you cannot do OOB for VPN, you can do this for Wireless with the Cisco WLC.
If you use VPN and/or Wireless clients that are not L2 adjacent to the CAS, you will have to use L3 mode on the CAS.
A CAS can only be IB *OR* OOB.. Virtual-Gateway *OR* Real-IP Gateway at any given time.
So if you want to combine Wireless OOB with VPN, you will need to use separate CAS for Wireless and VPN.
Please look at the following documents for more details:
* CAS config guide:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_vpncon.html
* Wireless NAC OOB Config example:
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
* VPN In-Band VGW config example:
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
Similar Messages
-
Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
The issue has already happened a few times on the same server, and the symptoms when the NAC server hangs include no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via HTTPS, and the HA pair being detected as down by its HA neighbor, which triggered failover to the secondary CAS.
The CAS server recovered after a manual power cycle of the hardware.
After going through the attached CAS logs, I found that all the services and the logging service were stopped when the issue happened, but unfortunately no suspicious activity was logged before or during the issue.
I have also tried searching the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, because software version 4.8.1 has been running in my company for years and only one CAS server has the issue.
It would be great if anyone could help me out with this.
Thanks,
Eric
Hi Bro
This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
If all else fails, then a hardware swap would seem like the next best thing. -
Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4
Hi
My Cisco NAC Agent (version 4.9.1.682) hasn't worked since I upgraded my Mac OS X 4 months ago. This happens every time with CISCO and MAC when there is a new update and it always seems to take forever to fix.
The NAC agent just keeps asking for my login details even though they are correct (I can log in with a PC no problem).
Any update on when a new version is going to be released - it's getting really frustrating?
I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
Select Keychain Access -> Preferences from the menu at the top of the screen
Choose the Certificates tab
Change the OCSP option from Best Effort to Off
Close the Preferences dialog and quit Keychain Access
You should be able to NAC now -
Cisco NAC Web Agent + Windows 8
Hello,
I'm implementing Cisco ISE 1.2 and I am having trouble with NAC Web Agent and Windows 8 compatibility.
Every time I try to install NAC Web Agent in Windows 8, I get the message "Agent User Operating System is Not Supported".
Following is some information about my environment:
ISE 1.2 Patch 3
OS: Windows 8 Enterprise
IE: 10 (In Desktop Mode w and w/o Compatibility View)
NAC Web Agent: 4.9.0.1007
Could you help me ?
Best Regards,
Daniel Stefani
Hi Charles,
I can download all these files, but I can’t import them in ISE Resources.
NAC Agent MST files
nacagentsetup-mst-4.9.3.9.zip
NAC Agent MSI Installation file
nacagentsetup-win-4.9.3.9.msi
NAC Agent Installation Package
nacagentsetup-win-4.9.3.9.tar.gz
Mac Agent Installation Package for MacOSX
CCAAgentMacOSX-4.9.3.803.tar.gz
NAC Agent MST files
nacagentsetup-mst-4.9.3.5.zip
NAC Agent MSI Installation file
nacagentsetup-win-4.9.3.5.msi
NAC Agent Installation Package
nacagentsetup-win-4.9.3.5.tar.gz
The link that you sent me doesn’t have options for Cisco NAC Web Agent.
But the following one does…
http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2&relind=AVAILABLE&rellifecycle=&reltype=latest
Best Regards,
Daniel Stefani -
Installation of Cisco ISE 1.1.4 on Cisco NAC Appliance 3315
Hi,
I am re-imaging the Cisco NAC Appliance 3315 and installing the Cisco ISE 1.1.4...
After finishing the installation, when I type "SETUP", it gives me the below error:
# ERROR: INPUT/OUTPUT ERRORS FOUND DURING THE INSTALLATION! #
# PLEASE REIMAGE THE APPLIANCE OR VM FROM THE INSTALLATION MEDIA. #
Please advise....
I tried to change the Time/Date as per UTC/GMT accordingly... But I didn't find the RAID in CLI... see the link below
(http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_f-installing_on_NAC-AC.html)
any idea...
Regards,
Mubasher Sultan
Where did you get the recovery media? Did you download it from cisco.com?
Please download the image from CCO and ensure the ISE image is valid by checking that the MD5 checksum of the downloaded image matches the CCO image. You will then need to burn this ISO image onto a bootable DVD.
Supporting link:
http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_ins.html#wp1134146
Jatin Katyal
- Do rate helpful posts - -
Cisco Nac agent "List of Antivirus & Anti-Spyware Products Detected by the Agent "
Hi All,
We have posture assessment working with the Cisco NAC agent, checking only Symantec Antivirus definition update and installation. Windows Defender is present on all the user PCs but is turned off and not in use. But the Cisco NAC agent is showing both Windows Defender and Symantec in the "List of Antivirus & Anti-Spyware Products Detected by the Agent" field. We don't want Windows Defender to show in this list.
Has anyone encountered this before?? Please suggest.. I want to get rid of Windows Defender from this list in the NAC agent.
The closest enhancement I could find on this is
CSCts34764 NAC: Request for ANY rule to pass if 1 AS/AV definition is up to date
Currently Windows Defender AntiSpyware comes installed on all Windows 7 machines. Many users disable this and install their own AntiSpyware product. Currently when using the ANY AntiSpyware up to date rule, it will fail if say MSE is up to date but not Windows Defender (since it is disabled).
This is an enhancement request to add the ability to pass the ANY check if 1 AntiSpyware or AntiVirus definition is up to date but another is installed and out of date. Currently if a customer wants to accomplish this they need to create a rule for every AntiVirus or AntiSpyware product and use the "Any Selected Rule Succeeds" option which is very cumbersome to configure.
~BR
Jatin Katyal
**Do rate helpful posts** -
Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO
Hi,
I am trying to set up SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit, but I can't start the Active Directory SSO Service; it shows the error below. I saw this error: "KDC has no support for encryption type (14)". Could anyone help me troubleshoot this problem?
FQDN: active.test.com
Domain Name : test.com
User : ccasso
2011-02-05 12:00:30.225 +0700 WARN com.perfigo.wlan.jmx.adsso.GSSServer
- Server was not running ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Server starting server ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Server is now running ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - SPN : [ccasso/[email protected]]
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - done building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - KDC(s) :[10.0.240.100]
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - writeKrbFile: writing to file ../conf/krb.txt
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - creating login context ...
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - created login context ...javax.security.auth.login.LoginCon
text@5ad7b2
2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer
- Unable to start server ... KDC has no support for encryption type (14)
2011-02-05 12:00:50.244 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Notifying GSSServer status Stopped
2011-02-05 12:00:50.244 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- server is exiting .
Hi,
This error means that your DC does not support the encryption method the ACS wants to use.
Usually this happens when you run 2008 Server with 2003 functionality...
You will need to run ktpass.exe according to the DC you are running:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
For Windows 2008 Server at 2003 Server functional level:
ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass
PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
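For the AD SSO start-up failure in the thread above, this added example (not part of the original posts and not Cisco code) parses a log in the same two-line GSSServer layout and reports the SPN, the KDC list and any Kerberos failure. The number Java appends to a Kerberos message, such as `(14)`, is the RFC 4120 error code (14 is KDC_ERR_ETYPE_NOSUPP). The sample log is constructed; its principal and realm are placeholders.

```python
import re

# Record header: timestamp, UTC offset, level, logger. The message follows on
# the next line(s), prefixed with "- " and sometimes wrapped by the terminal.
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s*$")
TRAILING_CODE = re.compile(r"\((\d+)\)\s*$")

# Subset of the Kerberos error codes defined in RFC 4120, section 7.5.9.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    37: "KRB_AP_ERR_SKEW",
}

# Constructed sample in the layout of the log quoted in the thread.
SAMPLE_LOG = """\
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - SPN : [ccasso/host.example.test@EXAMPLE.TEST]
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - KDC(s) :[10.0.240.100]
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - created login context ...javax.security.auth.login.LoginCon
text@5ad7b2
2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer
- Unable to start server ... KDC has no support for encryption type (14)
2011-02-05 12:00:50.244 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Notifying GSSServer status Stopped
"""

def parse_records(text):
    """Join each header line with its (possibly wrapped) message lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "msg": None})
        elif records and line.strip():
            rec = records[-1]
            if rec["msg"] is None:
                rec["msg"] = re.sub(r"^-\s*", "", line.strip())
            else:
                rec["msg"] += line.strip()  # wrapped line: no space inserted
    return records

def diagnose(text):
    """Return the SPN, the KDC list and every ERROR record with its code."""
    report = {"spn": None, "kdcs": [], "failures": []}
    for rec in parse_records(text):
        msg = rec["msg"] or ""
        spn = re.search(r"SPN\s*:\s*\[([^\]]*)\]", msg)
        kdc = re.search(r"KDC\(s\)\s*:\s*\[([^\]]*)\]", msg)
        if spn:
            report["spn"] = spn.group(1)
        if kdc:
            report["kdcs"] = [k.strip() for k in kdc.group(1).split(",") if k.strip()]
        if rec["level"] == "ERROR":
            code = TRAILING_CODE.search(msg)
            num = int(code.group(1)) if code else None
            report["failures"].append(
                {"ts": rec["ts"], "code": num,
                 "name": KRB_ERRORS.get(num, "unknown"), "msg": msg})
    return report

if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print("SPN:", result["spn"], "| KDCs:", result["kdcs"])
    for f in result["failures"]:
        print(f["ts"], f["name"], "-", f["msg"])
```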
Mac OS X 10.8.1 and Cisco Nac Agent to 4.9.1.683
We have this problem with one of our clients:
"Cisco NAC Agent is having a difficulty with the server. Agent user operation system
is not supported".
Anyone encounter this problem ?
thanks.
Hi Tarik,
We have:
Cisco Clean Access Server Version 4.9.0
Cisco Clean Access Lite Manager Version 4.9.0
I can see your point now, that I should start by upgrading to 4.9.1.
Let me do that, and see if it helps.
Thanks very much, I will keep you posted. -
Cisco NAC: AV Definition Update Scenario !!!
Hi,
I just want to brainstorm this scenario to check the AV definition rule & requirement !!!
I am using Cisco NAC (4.8.2.3).... NAC updates are configured and working fine.
My customer is using the Trend Micro OfficeScan AV (Ver = 10.5). I have configured the AV installation rule & requirement & mapped them to the role. I wanted to check for AV definitions older than 15 days. The configuration seems to be working fine.
But the issue is that the Cisco NAC Agent is showing the "Installed" definition date, which is different for each user. The date shown is the one when the AV was installed for the user. So the users fail to fulfil the 15-day virus definition requirement. When I change the 15 days to e.g. 150 days to let the users fulfil the requirement, it works fine.
The AV console is showing the right date in its software. I also found some registry keys which keep updating & showing the latest AV definition date. I can use them, but then it would need the administration to change it manually after every 15 days. But I want to keep it automatic.
How can we make the Cisco NAC agent check the specified registry key???
Please advise..
BR,
Mubasher Sultan
Yes, correct... Manual update of the antivirus when the PC is in quarantine state is working... it updates, but the NAC agent is still not triggering the antivirus update.
OK, thanks Nicolas, I think I have to open a TAC case for this issue.
One more thing: does it have anything to do with av-posture-pack-win-3.4.16.1.tar.gz ??
Should I update this module ??? -
Cisco NAC, Cisco ACS, Microsoft NAP, Anti Virus
Hi,
I'm doing a research on the Cisco NAC (without the appliance) concept and I would like to ask the following:
1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
2. Forcing Windows PC to download OS patches according to company policy. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Microsoft NAP (Network Access Protection)? Is there a way to do this only with Windows Server (not using NAP)?
3. Forcing Windows PCs to update Anti Virus software. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Anti Virus server? Is this correct?
Please, give me some advice.
Thanks in advance,
Mladen
Thanks for the reply, but I am still a bit confused (would you please try to answer the questions?):
1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
2. To force update of Windows patches, do I need a NAC appliance (I can only install CSACS)?
3. To force AV updates, do I need a NAC appliance (I can only install CSACS)?
I refer to
"Implementing Network Admission Control Phase One Configuration and Deployment";
"Network Admission Control Software Configuration Guide - Information About Network Admission Control".
Thanks in advance,
Mladen -
Hi,
I need help with configuring the CASUser account for NAC AD SSO in a multi-domain environment.
We have two child domains (based on region), say A & B. We have created the casuser account in domain A. If a user from domain A logs in, everything works fine and they are authenticated.
But the problem starts if someone from domain B tries to log in - they are authenticated by AD (checked through kerbtray and net time \set (can't see ticket for casuser account)....the NAC agent keeps on prompting for username & password.
Domain: Windows 20003
Domain functional level: Windows 2000 native
Cisco NAC Agent: Version : 4.8.0.32
Hi Sanjeev,
I implemented Cisco NAC in a multi-domain environment and it worked fine until the customer added a third AD server on Windows 2008.
Did you verify that the created user CASUSER is visible in domain B?
The CASUSER in my opinion must be created in the root domain and will be broadcast to domains A&B.
Did you use LDAP user mapping to roles?
Have you tested with a user created in domain B and verified in site A? It's a simple test for what you want to do.
Which version of Cisco NAC have you got?
Kamil -
Is there a list somewhere that shows what the statuses mean? I have a few users getting this error, while others are working fine -
Failed to download Cisco NAC Web Agent ( status = -2 ) !
Thanks!
For the web agent, there are three error states
-1 means that it was unable to launch the control at all,
-2 means it failed to download the agent executable,
-3 means there was an error running the web agent
Are you using the Java or ActiveX version of the web agent? Definitely check the browser settings for both and make sure that it's either allowing or prompting the user for the applets. If you're using the ActiveX version, you could try forcing the Java version, as most users seem to have more lenient browser settings by default for it. -
Hi
I wanted to know if someone can give me some help on a Cisco NAC appliance.
Honestly I've heard of them but I've never installed or worked on one before, and I have a client who wants to have one installed. So I wanted to know, can someone here point me in the right direction as far as installation and configuration? Thanks for the help in advance and have a great evening.
Hi
Everything you need to get started:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Dear all,
We have Cisco NAC version 4.9.1 and the agent version is 4.9.1.5. We want to know if there is a way to hide the Cisco NAC agent window so the user does not see it, I mean run it in the background to make it a bit more transparent to the final user.
Does anyone have any ideas?
Thanks in advance.
Go to "Administration > User Pages" and make sure you have configured a proper login page for Windows 7.
-
Cisco NAC 4.7 - kclick process - High CPU Usage
Once the CAS is added to the CAM this process uses 100% of the CPU on the CAS. I'm using the 3315 platform for the manager and a 3350 for the CAS.
top - 13:03:21 up 8 min, 1 user, load average: 1.27, 1.06, 0.56
Tasks: 71 total, 3 running, 68 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.3%us, 53.2%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 46.5%si, 0.0%st
Mem: 1943428k total, 865304k used, 1078124k free, 635956k buffers
Swap: 4192956k total, 0k used, 4192956k free, 118224k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3076 root 25 0 0 0 0 R 99.9 0.0 6:35.33 kclick
Any idea if this is normal?
I have the same problem.
In the morning, when all employees have just arrived at the company, there are a lot of verification requests to the NAS.
The kclick process often hits 100%, and as a result terminals cannot be verified.
[root@CAS1 ~]# sar 2 100
Linux 2.6.18-cisco.nac.1 (CAS1) 11/08/2011
08:55:50 AM CPU %user %nice %system %iowait %steal %idle
08:55:52 AM all 0.00 0.00 100.00 0.00 0.00 0.00
08:55:54 AM all 0.00 0.00 100.00 0.00 0.00 0.00
08:55:56 AM all 0.50 0.00 99.50 0.00 0.00 0.00
08:55:58 AM all 0.00 0.00 100.00 0.00 0.00 0.00
08:56:00 AM all 0.00 0.00 100.00 0.00 0.00 0.00
08:56:02 AM all 0.50 0.00 99.50 0.00 0.00 0.00
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2225 root 25 0 0 0 0 R 99.9 0.0 9775:52 kclick
2435 root 21 0 1229m 134m 8492 S 0.3 7.1 58:33.43 java
30882 root -2 0 4932 4932 2012 S 0.3 0.3 6:27.78 heartbeat
1 root 15 0 2064 624 536 S 0.0 0.0 0:00.57 init
2 root 34 19 0 0 0 S 0.0 0.0 0:00.01 ksoftirqd/0
3 root RT -5 0 0 0 S 0.0 0.0 0:00.00 watchdog/0
[root@CAS1 ~]# netstat -an | grep 10.128.17