NetCloud Exchange (NCX) is a unified WAN networking and security architecture that brings cellular, SD-WAN, and security into a tightly integrated solution, uniquely designed for lean IT.
NetCloud Exchange enables customers to:
- Connect from anywhere using LTE/5G
- Provide inherent Wireless WAN security by creating a locked-down, zero-trust network
- Deliver application assurance across highly distributed cellular and hybrid WANs through cellular-optimized SD-WAN
- Streamline operations through cloud-based orchestration and intuitive policy management
NetCloud Exchange architecture components:
NetCloud Exchange Service Gateway is a scalable and reliable services delivery platform (or headend) that can reside standalone or in an active/standby configuration in a customer’s data center or hosted cloud. The NCX Service Gateway aggregates traffic from IoT, vehicle, site, and remote work environments, enforces policy, and provides visibility into every flow.
Cradlepoint WAN edge routers for providing persistent, reliable cellular or hybrid connectivity for IoT devices, vehicles, sites, or remote work. The NCX Service Gateway is compatible across Cradlepoint’s primary WAN solutions (excluding standalone adapters), augmenting them with advanced security and SD-WAN services.
NetCloud Manager to simplify the deployment, management, and ongoing troubleshooting of the NetCloud Exchange architecture. It enables scalable end-to-end WAN orchestration, the bulk provisioning of policies across multiple device types, and provides intuitive health dashboards, AI-driven insights into faults, and comprehensive reporting and alerts.
Optional components:
NetCloud Exchange Virtual Edge is a software-based solution that can be easily deployed in an AWS Virtual Private Cloud (VPC) to extend the NCX Secure Connect zero-trust network to resources in the AWS.
NetCloud Exchange Client for enabling secure remote access to a NCX Secure Connect network. The NetCloud Exchange Client supports Windows and macOS laptops and iOS and Android mobile devices. The NetCloud Exchange Client is available with an NCX Zero-Trust Network Access license.
NetCloud Exchange Network Diagram
Common Use Cases
NCX Zero-Trust Network Access for granting internal and third parties secure remote access to IoT devices on the WAN for maintenance and monitoring.
NCX SD-WAN for traffic steering and providing resiliency between multiple modems/service providers, satellite links, or Wi-Fi as WAN connections.
NCX ZTNA for secure remote access to corporate applications in the cloud or data center, or IoT devices on the WAN.
NCX SD-WAN for traffic steering and providing resiliency between wired and cellular connections.
ZTNA for secure remote access to corporate applications in the cloud or data center, or IoT devices on the WAN.
- NCX Service Gateway Specifications
- NCX Secure Connect Site Specifications
- NCX SD-WAN Site Specifications
- NCX ZTNA Specifications
- NCX Virtual Edge Specifications
- Ordering Guide
- NetCloud Add-Ons
Notice: All specifications subject to change without notice.
NetCloud Exchange Service Gateway is the foundation of the NetCloud Exchange architecture enabling organizations to take advantage of fully integrated zero-trust security and SD-WAN as part of their Cradlepoint wireless or hybrid WAN. The NetCloud Exchange Service Gateway aggregates traffic, enforces policy, and provides deep visibility into traffic flows.
NCX Service Gateway benefits:
- Compatible with Cradlepoint IoT, vehicle, site and remote work routers.
- Designed from the ground up to meet zero-trust principles.
- Flexible deployment in a customer-hosted data center or cloud or downloaded on a physical server.
- Optional redundancy with active / standby configuration
|
PERFORMANCE |
||
|
Licensed Capacities: |
|
|
|
SYSTEM REQUIREMENTS (ALL CAPACITIES) |
||
|
Deployment: |
AWS |
Azure |
|
Software Version: |
Ubuntu 18.04 |
Ubuntu 18.04 |
|
Instance: |
c5.2xlarge |
Standard_D8S_v3 |
|
vCPUs: |
8 |
8 |
|
Memory: |
16 GB |
32 GB |
|
Minimum Disk Space: |
16 GB |
16 GB |
|
vNICs: |
3 |
3 |
|
Minimum NCX Service Gateway Release: |
7.22.70 |
7.22.70 |
|
Concurrent Tunnels: |
Up to 4,000 |
Up to 4,000 |
Performance testing was conducted based on requirements as defined in RFC2544 using fixed-frame 1518-byte packets. Throughput results reflect unidirectional. UDP traffic with less than 1% packet loss as tested with wired connections. At the time of release, the number of supported sites and tunnels is a 1:1 ratio. NCX-enabled routers support multiple WAN interfaces simultaneously in NCX SD-WAN mode.
|
PERFORMANCE |
||
|
Licensed Capacities: |
|
|
|
SYSTEM REQUIREMENTS (ALL CAPACITIES) |
||
|
Deployment: |
KVM |
VMware |
|
Software Version: |
Ubuntu 18.04 |
ESXi 6.7 or newer |
|
Instance: |
N/A |
N/A |
|
vCPUs: |
8 |
8 |
|
Memory: |
16 GB |
16 GB |
|
Minimum Disk Space: |
16 GB |
16 GB |
|
vNICs: |
3 |
3 |
|
Minimum NCX Service Gateway Release: |
7.22.70 |
7.22.70 |
|
Concurrent Tunnels: |
Up to 4,000 |
Up to 4,000 |
Performance testing was conducted based on requirements as defined in RFC2544 using fixed-frame 1518 byte packets. Throughput results reflect unidirectional. UDP traffic with less than 1% packet loss as tested with wired connections. At the time of release, the number of supported sites and tunnels is a 1:1 ratio. Each NetCloud Edge router will only support one tunnel on one active WAN interface at a time.
NCX Secure Connect offers a simple-to-manage alternative to complex VPN infrastructures for securely connecting IoT devices, sites, vehicles, and remote workers. As the foundation for all other NCX services, NCX Secure Connect delivers a policy-governed, zero-trust network that can be easily orchestrated to enable highly secure communications from the WAN edge to the cloud.
NCX Secure Connect benefits:
- Dynamic orchestration of zero-trust tunnels at scale.
- Simplified WAN deployments with support for overlapping IP addresses through name-based routing.
- Reduces the network attack surface by hiding network resources, encrypting traffic, and obscuring all public IP addresses.
- Delivers enhanced security by being deny-all by default, with access only enabled through policy.
- Provides containment of breaches and malware by restricting all east/west traffic by default.
- Offers centralized flow-level visibility for detailed traffic analysis and forensics.
- Simplified fault management, isolation, and root cause analysis through AIOps-driven dashboard.
- Improved productivity with virtual expert capabilities to assist with everyday queries through Natural Language Processing.
|
PERFORMANCE |
|||
|
Site Routers |
Typical Client Count |
Throughput |
Concurrent Tunnels |
|
IBR650B, IBR600C/IBR650C, IBR900, R920, S700/S750 |
5 |
10 Mbps |
10 |
NOTE: NCX Secure Connect site performance may vary based on latency conditions.
|
PERFORMANCE |
|||
|
Site Routers |
Typical Client Count |
Throughput |
Concurrent Tunnels |
|
E100, E102 |
5 |
40 Mbps |
20 |
|
IBR1700 |
30 |
40 Mbps |
20 |
NOTE: NCX Secure Connect site performance may vary based on latency conditions.
|
PERFORMANCE |
|||
|
Site Routers |
Typical Client Count |
Throughput |
Concurrent Tunnels |
|
AER2200 |
100 |
40 Mbps |
20 |
|
E300 |
50 |
400 Mbps |
20 |
NOTE: NCX Secure Connect site performance may vary based on latency conditions.
|
PERFORMANCE |
|||
|
Site Routers |
Typical Client Count |
Throughput |
Concurrent Tunnels |
|
E3000, R1900, R2105/R2155 |
100 |
400 Mbps |
20 |
NOTE: NCX Secure Connect site performance may vary based on latency conditions.
NCX SD-WAN is a cellular-optimized network service based on a zero-trust foundation that enhances WAN resilience and quality of experience (QoE) by optimizing traffic over multiple physical or logical connections including, wired, 5G/LTE, satellite, Wi-Fi as WAN, private APNs, and 5G standalone network slices.
NCX SD-WAN benefits:
- Designed on a simple, modern zero-trust foundation that obscures IP addresses, is deny all by default, and where resources must be defined before they are accessible.
- Supports traffic optimization over physical and logical connections, including being the first SD-WAN solution to support 5G network slicing.
- Implementation of application-based policies network-wide in a few simple steps.
- Efficient and cost-effective operation over cellular by considering cellular-specific attributes when steering traffic (for example, signal strength) in addition to latency, loss, and jitter.
- Preserves bandwidth by using inline traffic rather than artificial traffic to measure WAN performance.
- Offers enhanced QoE over lossy links through Forward Error Correction (FEC).†
- Ability to intelligently bond multiple WAN interfaces together to increase resiliency and provide more granular control over traffic.†
- Deep visibility into latency, loss, and available bandwidth from the edge to the cloud.
- Offers centralized flow-level visibility for detailed traffic analysis and forensics.
- Simplified fault management, isolation, and root cause analysis through AIOps-driven dashboard.
- Improved productivity with virtual expert capabilities to assist with everyday queries through Natural Language Processing.
† Available on select SD-WAN appliances. See the technical specifications for further details.
|
PERFORMANCE |
||
|
Site Routers |
Typical Client Count |
Throughput |
|
R920 |
5 |
10 Mbps |
The R920 routers do not yet support the Forward Error Correction (FEC) or Intelligent Bonding features. Other NCX SD-WAN functionality is supported.
|
PERFORMANCE |
||
|
Site Routers |
Typical Client Count |
Throughput |
|
E100, E102 |
5 |
40 Mbps |
|
IBR1700 |
30 |
40 Mbps |
The E100, E102, and IBR1700 routers do not yet support the Forward Error Correction (FEC) or Intelligent Bonding features. Other NCX SD-WAN functionality is supported.
|
PERFORMANCE |
||
|
Site Routers |
Typical Client Count |
Throughput |
|
AER2200 |
100 |
40 Mbps |
|
E300 |
50 |
400 Mbps |
The AER200 router does not yet support the Forward Error Correction (FEC) or Intelligent Bonding features. Other NCX SD-WAN functionality is supported. All features are supported when using E300 routers.
|
PERFORMANCE |
||
|
Site Routers |
Typical Client Count |
Throughput |
|
E3000, R1900, R2105/R2155 |
100 |
400 Mbps |
NCX Zero Trust Network Access (ZTNA) is a security service that integrates with an organization’s existing identity provider to provide isolated user-to-resource access for authenticated users. It enables secure remote access for internal employees and third parties to resources (IoT devices and/or applications) on the Cradlepoint WAN through granular user-based access policies.
NCX ZTNA benefits:
- Simple and safe remote access to required resources on the WAN for internal employees and third parties.
- Flexible authentication to the network through a client (Windows or macOS) or through a Cradlepoint router.
- Enhanced security with granular user-based access policies leveraging SAML-based attributes and context.
- Integration with any SAML 2.0 compliant identity provider.
- Continuous monitoring for changes in context that could revoke or reduce access privileges.
- Offers centralized flow-level visibility for detailed traffic analysis and forensics.
- Simplified fault management, isolation, and root cause analysis through AIOps-driven dashboard.
- Improved productivity with virtual expert capabilities to assist with everyday queries through Natural Language Processing.
|
SYSTEM REQUIREMENTS |
||
|
Operating System: |
Windows |
macOS |
|
Version: |
Windows 10 and 11 |
Monterey 12.x or later |
|
Processor: |
Intel x86 |
Intel or Apple M1/M2 CPU |
|
Memory: |
16 GB |
16 GB |
|
Maximum ZTNA Client Count: |
Unlimited (limited by NCX Service Gateway licensed throughput capacity per network) |
Unlimited (limited by NCX Service Gateway licensed throughput capacity per network) |
NetCloud Exchange Virtual Edge enables a simple extension of the NCX Secure Connect zero-trust network to applications that reside in an Amazon Virtual Private Cloud (Amazon VPC).
NCX Virtual Edge benefits:
- Push button deployment to an Amazon VPC from NetCloud Manager.
- Cost-effective and simple solution for organizations that need to connect to one or more Amazon VPCs.
- Extension of NCX Secure Connect zero-trust network to the cloud to control access to and from cloud-based applications.
|
PERFORMANCE |
|
|
Tunnel Throughput to/from NetCloud Exchange: |
300 Mbps |
|
DEPLOYMENT TARGETS — AWS |
|
|
Instance: |
m4.large |
|
vCPUs: |
2 |
|
Memory: |
8 GB |
|
vNICs: |
2 |
The NetCloud Exchange Service Gateway is a required component to implementing NetCloud Exchange services (Secure Connect, SD-WAN and ZTNA). These services can be purchased as an add-on to any compatible router with a NetCloud Branch, Mobile or IoT service plan, while the NCX Service Gateway is purchased based on required network capacity.
For ordering details, see the following:
- Step 1 (required): Select NetCloud Service plan(s)
- Step 2 (required): Select NCX Service Gateway capacity for entire solution (separate part number for high availability)
- Step 3 (required): Select NCX Secure Connect site license(s) for supported routers
- Step 4 (optional): Select NCX SD-WAN site license(s) for supported routers (selection must match Step 3)
- Step 5 (optional): Select NCX ZTNA Client per user license(s)
- Step 6 (optional): Select NCX Virtual Edge per each Amazon VPC
|
NETCLOUD SERVICE PLAN |
SITE LICENSE |
CAPACITY |
|
NetCloud Service for Branch NetCloud Service for Mobile NetCloud Service for IoT NetCloud Service for SOHO |
Micro Site Small Site Medium Site Large Site |
250 Mbps — up to 4,000 tunnels 500 Mbps — up to 4,000 tunnels 1 Gbps — up to 4,000 tunnels 2 Gbps — up to 4,000 tunnels 4 Gbps — up to 4,000 tunnels |
|
REGION |
NCX PACKAGE |
DESCRIPTION |
PART NUMBER |
|
All Regions: |
Service Gateway |
250 Mbps 500 Mbps 1 Gbps 2 Gbps 4 Gbps |
NCX-000x-SG250MBPS NCX-000x-SG500MBPS NCX-000x-SG1GBPS NCX-000x-SG2GBPS NCX-000x-SG4GBPS |
|
Service Gateway High Availability |
Active + Standby 250 Mbps Active + Standby 500 Mbps Active + Standby 1 Gbps Active + Standby 2 Gbps Active + Standby 4 Gbps |
NCX-002x-SGAS250MBPS NCX-002x-SGAS500MBPS NCX-002x-SGAS1GBPS NCX-002x-SGAS2GBPS NCX-002x-SGAS4GBPS |
|
|
Secure Connect |
Micro Site Small Site Medium Site Large Site |
NCX-000x-SCMICRO NCX-000x-SCS NCX-000x-SCM NCX-000x-SCL |
|
|
SD-WAN |
Micro Site Small Site Medium Site Large Site |
NCX-000x-SDWANMICRO NCX-000x-SDWANS NCX-000x-SDWANM NCX-000x-SDWANL |
|
|
ZTNA |
Per User |
NCX-00Ax-ZTNA
|
|
|
Virtual Edge |
NetCloud Essentials for Virtual Edge with NCX Secure Connect |
NCX-000x-VESC |
|
|
All Regions — Renewal: |
Service Gateway |
Renewal — 250 Mbps Renewal — 500 Mbps Renewal Active + Standby — 250 Mbps Renewal Active + Standby — 500 Mbps |
NCX-000x-SG250MBPS-R NCX-000x-SG500MBPS-R NCX-002x-SGAS250MBPS-R NCX-002x-SGAS500MBPS-R |
|
Secure Connect |
Renewal — Micro Site Renewal — Small Site Renewal — Medium Site Renewal — Large Site |
NCX-000x-SCMICRO-R NCX-000x-SCS-R NCX-000x-SCM-R NCX-000x-SCL-R |
|
|
SD-WAN |
Renewal — Micro Site Renewal — Small Site Renewal — Medium Site Renewal — Large Site |
NCX-000x-SDWANMICRO-R NCX-000x-SDWANS-R NCX-000x-SDWANM-R NCX-000x-SDWANL-R |
|
|
ZTNA |
Renewal NCX ZTNA — Per User |
NCX-00Ax-ZTNA-R |
|
|
Virtual Edge |
Renewal NetCloud Essentials for Virtual Edge — Per Self-Hosted Virtual Appliance |
NCX-000x-VESC-R |
x= 1, 3, or 5 years
