UASEBC

Unified Access SE
Boot Camp
Student Guide
Version 1.0
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Unified Access SE Boot Camp (UASEBC) v1.0 © 2013 Cisco Systems, Inc. CONFIDENTIAL
Table of Contents
Course Introduction .......................................................................................................... 1
Overview ................................................................................................................................................1
Learner Skills and Knowledge ...............................................................................................................2
Course Goal and Objectives ..................................................................................................................3
What is Unified Access ..........................................................................................................................4
Class Scenario – HTA Hospitals............................................................................................................7
Course Flow ...........................................................................................................................................8
General Administration ....................................................................................................................... 10
Student Introductions .......................................................................................................................... 11
One Network—Building the Wired Foundation ........................................................... 1-1
Wired Unified Access Infrastructure and Advanced Features .......................................... 1-3
Overview ............................................................................................................................................ 1-3
Objectives .................................................................................................................................... 1-4
Cisco Unified Access Architecture ..................................................................................................... 1-5
Cisco Unified Access Wired Architecture High Availability Features .............................................. 1-12
Virtual Switch Identifiers ............................................................................................................ 1-20
Virtual Switch Link ..................................................................................................................... 1-20
Virtual Switch Roles .................................................................................................................. 1-20
Control and Data Plane ............................................................................................................. 1-20
Router MAC Address ................................................................................................................ 1-21
Cisco Catalyst Smart Operations ..................................................................................................... 1-31
Cisco Auto-QoS ............................................................................................................................... 1-34
Cisco Auto Smartports ..................................................................................................................... 1-37
Cisco Smart Install ........................................................................................................................... 1-43
Cisco Easy Virtual Network ............................................................................................................. 1-52
Summary.......................................................................................................................................... 1-62
Module Self-Check .......................................................................................................................... 1-63
Module Self-Check Answer Key................................................................................................ 1-65
One Management Foundation—Basic Prime Infrastructure Setup ............................ 2-1
Prime Infrastructure Setup for Wired and Wireless Clients .............................................. 2-3
Overview ............................................................................................................................................ 2-3
Objectives .................................................................................................................................... 2-3
Prime Infrastructure Overview, Direction, and Roadmap .................................................................. 2-4
Lifecycle Management of Wired and Wireless Devices .................................................................. 2-13
Assurance Management .................................................................................................................. 2-23
Operationalizing the Cisco Advantage ............................................................................................ 2-30
Cisco Prime Infrastructure Field Resources .................................................................................... 2-40
Summary.......................................................................................................................................... 2-44
References ................................................................................................................................ 2-44
Module Self-Check .......................................................................................................................... 2-45
Module Self-Check Answer Key................................................................................................ 2-47
One Policy Foundation .................................................................................................. 3-1
Basic Cisco ISE AAA and Guest Server Setup for Wired and Wireless Networks .......... 3-3
Overview ............................................................................................................................................ 3-3
Objectives .................................................................................................................................... 3-3
Cisco ISE Solution Overview and Positioning ................................................................................... 3-4
Secure Access ................................................................................................................................. 3-21
Cisco Setup Assistant ...................................................................................................................... 3-62
Guest Portal ..................................................................................................................................... 3-64
Summary.......................................................................................................................................... 3-89
References ................................................................................................................................ 3-89
Module Self-Check .......................................................................................................................... 3-93
Module Self-Check Answer Key................................................................................................ 3-96
One Network—Building the Wireless Network ............................................................ 4-1
Wireless Network Architecture ........................................................................................... 4-3
Overview ............................................................................................................................................ 4-3
Objectives ................................................................................................................................... 4-3
HTA Hospital Use Case ..................................................................................................................... 4-4
Cisco Wireless LAN Deployment Architectures ................................................................................ 4-5
Cisco Wireless LAN Portfolio of Products ......................................................................................... 4-7
Access Points .............................................................................................................................. 4-8
Controllers ................................................................................................................................... 4-9
Cisco Mobility Services Engine ................................................................................................. 4-10
Cisco Wireless LAN Compatibility Matrix ........................................................................................ 4-11
Cisco Wireless LAN Roadmap ........................................................................................................ 4-12
IOS Controllers .......................................................................................................................... 4-14
Summary ......................................................................................................................................... 4-15
Basic Wireless Connectivity and Functionality ............................................................... 4-17
Overview .......................................................................................................................................... 4-17
Objectives ................................................................................................................................. 4-17
Maintaining Optimum RF Conditions in a Changing Environment .................................................. 4-18
Band Select ..................................................................................................................................... 4-24
Cisco ClientLink ............................................................................................................................... 4-26
Cisco CleanAir Technology ............................................................................................................. 4-28
High Availability Solutions ............................................................................................................... 4-31
Summary ......................................................................................................................................... 4-36
Wireless Network Security ................................................................................................ 4-37
Overview .......................................................................................................................................... 4-37
Objectives ................................................................................................................................. 4-37
Traffic Segmentation Needs and Methods ...................................................................................... 4-38
One Network—Cisco Prime Infrastructure and ISE Integration ...................................................... 4-44
Adaptive wIPS ................................................................................................................................. 4-45
Summary ......................................................................................................................................... 4-49
References ................................................................................................................................ 4-49
Wireless Network QoS ....................................................................................................... 4-51
Overview .......................................................................................................................................... 4-51
Objectives ................................................................................................................................. 4-51
Where and When QoS Is Applied.................................................................................................... 4-52
802.11e Metal Profiles ..................................................................................................................... 4-56
Alloy QoS and Traffic Control Techniques ...................................................................................... 4-64
Summary ......................................................................................................................................... 4-72
References ................................................................................................................................ 4-72
Additional Wireless Features ............................................................................................ 4-73
Overview .......................................................................................................................................... 4-73
Objectives ................................................................................................................................. 4-73
Cisco VideoStream .......................................................................................................................... 4-74
Cisco Bonjour Gateway ................................................................................................................... 4-81
Mobility Services .............................................................................................................................. 4-85
Summary ......................................................................................................................................... 4-92
Module Summary............................................................................................................................. 4-93
References ................................................................................................................................ 4-94
Module Self-Check .......................................................................................................................... 4-95
Module Self-Check Answer Key ............................................................................................... 4-98
Converged Access Solution Design Overview ............................................................ 5-1
Converged Access Solution................................................................................................ 5-3
Overview ............................................................................................................................................ 5-3
Objectives ................................................................................................................................... 5-3
Solutions and Platforms Overview..................................................................................................... 5-4
Architecture and Components Review ............................................................................................ 5-16
Roaming........................................................................................................................................... 5-26
Features and Licensing Overview ................................................................................................... 5-40
Quality of Service ............................................................................................................................. 5-50
Security ............................................................................................................................................ 5-59
Multicast ........................................................................................................................................... 5-68
Design Options and Migration ......................................................................................................... 5-80
Wrap-up and Final Thoughts ........................................................................................................... 5-92
Summary.......................................................................................................................................... 5-94
Module Self-Check .......................................................................................................................... 5-95
Module Self-Check Answer Key................................................................................................ 5-98
Securing Any Access .................................................................................................... 6-1
Securing AnyAccess with ISE ............................................................................................. 6-3
Overview ..................................................................................................................................... 6-3
Objectives .................................................................................................................................... 6-3
Securing BYOD Access Overview ..................................................................................................... 6-4
Implementing Authentication and Authorization for BYOD through ISE............................................ 6-7
BYOD On-boarding through ISE...................................................................................................... 6-11
ISE BYOD with MDM Eco-System .................................................................................................. 6-18
Profiler Service Overview ................................................................................................................ 6-20
Summary.......................................................................................................................................... 6-30
References ................................................................................................................................ 6-30
Setting Up Secure Group Access for a BYOD Environment ........................................... 6-33
Overview .......................................................................................................................................... 6-33
Objectives .................................................................................................................................. 6-33
Security Group Access Overview .................................................................................................... 6-34
Security Group Tagging in the Wired and Wireless Infrastructure .................................................. 6-39
Transporting SGT and the SGT eXchange Protocol ....................................................................... 6-41
ISE Security Groups, SG-ACLs, and Security Group Matrix ........................................................... 6-47
Implementing SGT for Employee BYOD ......................................................................................... 6-52
Implementing MACsec Encryption for Employee BYOD ................................................................. 6-55
Summary.......................................................................................................................................... 6-59
Module Self-Check .......................................................................................................................... 6-61
Module Self-Check Answer Key................................................................................................ 6-63
SmartOperations ............................................................................................................ 7-1
SmartOperations Overview Including EEM with GOLD and IP SLA ................................. 7-3
Overview ............................................................................................................................................ 7-3
Objectives .................................................................................................................................... 7-3
HTA Hospital Case Study .................................................................................................................. 7-4
EEM Overview ................................................................................................................................... 7-5
EEM Configuration on Catalyst Series Switches ............................................................................. 7-18
Automated Diagnostic Features ...................................................................................................... 7-24
Cisco GOLD Overview ..................................................................................................................... 7-27
Understanding IP SLA Benefits ....................................................................................................... 7-37
Best Practices .................................................................................................................................. 7-44
Summary.......................................................................................................................................... 7-45
References ................................................................................................................................ 7-45
Module Self-Check .......................................................................................................................... 7-47
Module Self-Check Answer Key................................................................................................ 7-49
Application Visibility and Control ................................................................................. 8-1
Application Visibility and Control Overview and Configuration ....................................... 8-3
Overview ............................................................................................................................................ 8-3
Objectives .................................................................................................................................... 8-3
Cisco Application Visibility and Control ............................................................................................. 8-4
Cisco Medianet ................................................................................................................................ 8-15
Cisco Mediatrace ............................................................................................................................. 8-20
Cisco Medianet Auto Configuration via Auto Smartports ................................................................ 8-28
Cisco Media Service Interface and Media Service Proxy ............................................................... 8-34
Cisco Flexible NetFlow .................................................................................................................... 8-39
Cisco Packet Capture Technologies ............................................................................................... 8-46
Summary ................................................................................................................................... 8-53
References ................................................................................................................................ 8-53
Module Self-Check .......................................................................................................................... 8-55
Module Self-Check Answer Key ............................................................................................... 8-57
Monitoring, Reporting, and Troubleshooting with PI and ISE .................................... 9-1
Monitoring, Reporting, and Troubleshooting with PI and ISE .......................................... 9-3
Overview ............................................................................................................................................ 9-3
Objectives ................................................................................................................................... 9-3
Troubleshooting Overview with PI and ISE ....................................................................................... 9-4
PI and ISE Integration ....................................................................................................................... 9-6
ISE Monitoring ................................................................................................................................. 9-22
PI Reporting ..................................................................................................................................... 9-29
ISE Reporting and Logging ............................................................................................................. 9-31
ISE Troubleshooting ........................................................................................................................ 9-35
Leveraging Advanced Device Capabilities under the Hood ............................................................ 9-45
Summary ......................................................................................................................................... 9-49
Module Self-Check .......................................................................................................................... 9-51
Module Self-Check Answer Key ............................................................................................... 9-53
Student Guide Supporting Material.................................................................................. S
One Network—Building the Wired Foundation Supporting Material .............................. S1-1
Overview .......................................................................................................................................... S1-1
Cisco Unified Access Architecture................................................................................................... S1-2
Cisco Unified Access Wired Architecture High Availability Features .............................................. S1-4
Cisco AutoQoS .............................................................................................................................. S1-26
Configuring AutoQoS for Catalyst 3850 Switch ...................................................................... S1-29
Verifying AutoQoS for Catalyst 3850 Switch........................................................................... S1-29
Cisco Smartports ........................................................................................................................... S1-30
Cisco Smart Install ......................................................................................................................... S1-33
Cisco EVN ..................................................................................................................................... S1-41
One Policy Foundation Supporting Material .................................................................... S3-1
Overview .......................................................................................................................................... S3-1
One Network—Building the Wireless Network Supporting Material .............................. S4-1
Overview .......................................................................................................................................... S4-1
Supporting Material for Lesson 1: Wireless Network Architectures ................................................ S4-2
Mobility Services Engine ........................................................................................................... S4-4
Supporting Material for Lesson 2: Basic Wireless Connectivity and Functionality .......................... S4-5
Supporting Material for Lesson 3: Wireless Network Security ........................................................ S4-7
Cisco AP SSO Implementation ................................................................................................. S4-7
Adaptive wIPS Scalability........................................................................................................ S4-24
3600 AP Monitor module......................................................................................................... S4-26
Supporting Material for Lesson 4: Wireless Network QoS ............................................................ S4-27
QoS Rate Limiting additional information................................................................................ S4-27
Securing Any Access Supporting Material ...................................................................... S6-1
Overview .......................................................................................................................................... S6-1
TrustSec Guides .............................................................................................................................. S6-2
TrustSec Planned Releases ............................................................................................................ S6-3
SGT Access Layer Functions .......................................................................................................... S6-6
Support Matrix for IOS Routers ....................................................................................................... S6-7
SGT/SGACL Platform ...................................................................................................................... S6-8
SGFW Platform................................................................................................................................ S6-9
SmartOperations Supporting Material .............................................................................. S7-1
Overview .......................................................................................................................................... S7-1
EEM Overview ................................................................................................................................. S7-2
Event Detector: Syslog .............................................................................................................. S7-2
Event Detector: SNMP .............................................................................................................. S7-2
Event Detector: Timer ............................................................................................................... S7-3
Event Detector: Counter ............................................................................................................ S7-3
Event Detector: Interface .......................................................................................................... S7-4
Event Detector: CLI ................................................................................................................... S7-4
Event Detector: OIR .................................................................................................................. S7-4
Event Detector: RF .................................................................................................................... S7-6
Event Detector: IOSWDSYSMON ............................................................................................. S7-6
Event Detector: GOLD .............................................................................................................. S7-6
Event Detector: APPL ............................................................................................................... S7-7
Event Detector: SNMP-Notification ........................................................................................... S7-7
Event Detector: RPC ................................................................................................................. S7-7
Event Detector: Track................................................................................................................ S7-8
Event Detector: None ................................................................................................................ S7-9
Routing Event Detector ............................................................................................................. S7-9
Flexible NetFlow Event Detector ............................................................................................... S7-9
IP SLA Event Detector .............................................................................................................. S7-9
Enhanced CLI Event Detector ................................................................................................... S7-9
EEM Configuration on Catalyst Series Switches ........................................................................... S7-12
Event Register Keyword .......................................................................................................... S7-12
Importing Namespaces ........................................................................................................... S7-13
Tcl Script ................................................................................................................................. S7-13
Tcl Script Elements ................................................................................................................. S7-13
Cisco Generic Online Diagnostics (GOLD) Overview ................................................................... S7-17
Understanding IP SLA Benefits ..................................................................................................... S7-22
Application Visibility and Control Supporting Material ................................................... S8-1
Overview .......................................................................................................................................... S8-1
Cisco Medianet ................................................................................................................................ S8-2
Cisco Mediatrace ............................................................................................................................. S8-4
Cisco IOS Flexible NetFlow ............................................................................................................. S8-7
Cisco Auto Smartports ................................................................................................................... S8-16
Cisco MSI and MSP ....................................................................................................................... S8-19
Cisco Packet Capture Technologies.............................................................................................. S8-24

UASEBC

Course Introduction
Overview
UA SE Boot Camp (UASEBC) v1.0 is a five-day instructor-led course. The UASEBC course
presents concepts, wired and wireless platforms, technologies and services that are required for
a comprehensive approach to effectively design, manage, and control the access of a Unified
Access Architecture network. The reference network selected as a case study in this course is
the fictitious Health To All (HTA) Hospital.
This complete solution starts with Cisco design guides and professional services that lead you
from planning and design to day-to-day operations at HTA Hospital. This Unified Access
solution also provides the necessary infrastructure, including wireless access points, wireless
LAN controllers, security appliances, and network management tools.
This infrastructure supports a highly secure, high-performing network that is accessible to a
wide range of devices. HTA Hospital users include guests, corporate users, employees, and
patients. Users have personal computers and VoIP phones at their desks as well as mobile
computers, tablets, and smartphones. The network is used for accessing critical patient data, for
voice and video traffic, for accessing different servers, and for web browsing. The Cisco
solution addresses all aspects of the HTA Hospital network and meets all the requirements for
building a secure, scalable BYOD network.
The course will introduce the concept of One Network, One Policy and One Management.
Learner Skills and Knowledge
This topic lists the skills and knowledge that learners must possess to benefit fully from the
course. The topic also includes recommended Cisco learning offerings that learners should first
complete to benefit fully from this course.

The prerequisite knowledge and skills that a learner must have before
attending this course are as follows:
• Good understanding of networking protocols and 802.1X
• Cisco CCNA Certification, or equivalent work experience
• Cisco CCNA Wireless Certification, or equivalent work experience
• Attended the Unified Access Roadshow

© 2013 Cisco and/or its affiliates. All rights reserved. CONFIDENTIAL UACBC v1.0—0-2

Course Goal and Objectives
This topic describes the course goal and objectives.

• Provide training that will lead to increased sales of the Unified Access solution components
• Demonstrate, through hands-on labs and lecture, the One Policy, One Management, One Network Unified Access Solution
• Identify the key differentiators of the Cisco Unified Access solution
• Instill confidence by building, from the ground up, a complete UA design with all components working together
*This is not a 3850 Converged Access bootcamp


Upon completing this course, you will be able to meet these objectives:
 Design and configure the wired network foundation upon which the Unified Access
solution will be built.
 Implement Cisco Best Practices for the initial configuration of PI as design references for
implementing the Unified Access Architecture.
 Utilize the Cisco Identity Services Engine (ISE) authentication, authorization, and
accounting (AAA) setup and guest server setup for wired and wireless networks.
 Implement a wireless network that comprises APs, CUWN WLCs, switches, Cisco Prime
Infrastructure, and MSE.
 Design and configure a Converged Access solution using Cisco Catalyst 3850 Series
Switches and Cisco 5700 Series Wireless LAN Controllers.
 Design and configure any access security using 802.1x and ISE.
 Utilize Cisco IOS Embedded Event Manager (EEM) with Cisco Generic Online
Diagnostics (GOLD) and IP SLA to assess health and readiness of a Unified Access
Architecture.
 Configure the AVC features Medianet and Mediatrace, Cisco Modular QoS, Cisco IOS
Flexible NetFlow Traffic Records and Wireshark to ensure proper allocation of resources to
high priority applications.
 Utilize PI and ISE to monitor and troubleshoot a Unified Access network.
 Implement ISE on-boarding, Secure AnyConnect, ISE Device Registration Procedures,
802.1x, and ISE Profile for a secure BYOD solution.



What is Unified Access

ONE Network
• Converged wired and wireless
• Consistent Network Wide Intelligence and Operations
• Integrated into Cisco Open Network Environment (ONE)

ONE Policy
• Central policy platform for wired/wireless/VPN
• Context-aware: Who, What, Where, When, How
• BYOD & MDM integration

ONE Management
• Single platform for wired/wireless
• Lifecycle management, assurance, compliance
• 360 degree user experience

Secure, Consistent User Experience, Simplified
The Intelligent Platform for a Connected World

One Policy
Cisco Identity Services Engine (ISE)
• Define network policy as an extension of business goals
• Policy extends to all access types (wired, wireless, VPN)
• Lifecycle services integration – guest, BYOD, profiling, posture to support compliance
• Distributed enforcement: wireless, switches, router, firewalls, remote access
[Figure: Unified Policy example. A Finance Manager with a corporate-issued laptop and a personal iPad; ISE grants or denies (X) access to Product Bookings, Customer Data, and SalesForce.com.]

Prime
• A single integrated solution for comprehensive lifecycle management of wired/wireless access, campus, and branch networks
• Utilizes rich performance data for end-to-end network visibility to assure application delivery and optimal end-user experience
• Single Pane of Glass
• Consolidation, Convergence, Cisco Advantage


Converged Access Infrastructure: Catalyst 3850; Catalyst 4500-E w/ Sup. 8-E
Controller Infrastructure:
• For Large Campus: 5508, WiSM2, 5760
• For SP: 8500
• For Branch / Small Campus: WLC on ISR G2, 2500, Virtual Controller
One Management and Policy with Prime and ISE
Access Switches:
• 3750x Series: Stackable Access
• 3850 Series: Stackable Converged Access
• 4500E Series: Modular Converged Access
• 6500 Series: Backbone & Instant Access



[Figure: Unified Access end-to-end view. Branch components: Cisco Access Point, Cisco Wireless LAN Controller, Unified Access, Unified Services, Unified Access Edge Router, Catalyst Switch, AP, WAAS, Firewall & VPN, WAN Path Control, Application Visibility & Control; Corporate Network reached over the WAN. Solution control: LAN Mgmt, Access Control, Wireless Control, Identity Server, NAC Server, Guest Server, System Mgmt, Profiler. One Management: Prime. One Policy: ISE.]

Class Scenario – HTA Hospitals

Customer: Health to All Hospitals


Your role: Lead IT engineer for HTA
Background: HTA is building a new hospital. You, as their IT
engineer, are tasked with building the network from scratch.
Design Guidance: In general, HTA wants a Cisco best of
breed, very reliable network that is BYOD enabled and easy to
manage.
Specific HTA design objectives will be provided in each lab.
You will build the foundation of the network first and then
enable several Cisco differentiating features.

One Policy, One Management, One Network Realized

Core, distribution and wired & wireless access design enhanced with smart operations features.
• Increased resiliency, scalability, adaptability and visibility
• Improved ease of troubleshooting with quicker problem resolution
• Ready for the future, simple migration to new technologies like Converged Access

Prime Infrastructure provides One Management, central pane of glass for wired and wireless Unified Access
• Comprehensive network lifecycle management including user access visibility, inventory, configuration management, radio frequency planning, 360 view, and reporting
• End-to-end application and service assurance visibility leveraging flexible NetFlow, Network Based Application Recognition (NBAR), and Medianet Performance Agent
• Greatly enhances the visibility and troubleshooting capabilities of IT

Identity Services Engine provides centralized One Policy for Unified Access
• HTA UA Network is Guest and BYOD ready
• Policy convergence with wired and wireless, all campus ingress points are secured
• The SGA enabled UA network simplifies the security policy for HTA



Course Flow
This topic presents the suggested flow of the course materials.

UASEBC Program

DAY ONE
  MORNING: Class Introductions; Module 1 - Network Foundation; Intro to Labs; Module 1 Labs
  LUNCH
  AFTERNOON: Module 2 - Network Management; Module 2 Labs; Module 3 - Policy Foundation; Module 3 Labs (3-1 & 3-2)

DAY TWO
  MORNING: Module 3 Labs (3-3 & 3-4); Module 4 - Wireless Foundation
  LUNCH
  AFTERNOON: Module 4 Labs; Module 5 - Converged Access

DAY THREE
  MORNING: Module 5 - Converged Access; Module 5 Labs
  LUNCH
  AFTERNOON: Module 6 - Security/TrustSec; Module 6 Labs (Lab 6-1)

DAY FOUR
  MORNING: Mod 6 Labs (Lab 6-2); Module 7 - SmartOperations; Module 7 Labs; Module 8 - AVC
  LUNCH
  AFTERNOON: Module 8 Labs; Module 9 - Troubleshooting; Module 9 Labs (Lab 9-1)

DAY FIVE
  MORNING: Module 9 Labs (Lab 9-2); Module 10 - BYOD & Wrap-up; dCloud Enablement; Exam Review; UASEBC Exam
  LUNCH


The schedule reflects the recommended structure for this course. This structure allows enough
time for the instructor to present the course information and for you to work through the lab
activities. The exact timing of the subject materials and labs depends on the pace of your
specific class. This course has been created as a ‘Boot Camp’ and therefore the agenda for these
tasks and the length of each day is set accordingly.
The first six modules in the course implement the Health to All network. The remaining
modules describe advanced features that may be implemented in a Unified Access network, as
well as how to maintain and troubleshoot the network, which can be characterized as
maintaining network health.
This course has been written as a ‘boot camp’ to empower Cisco pre-sales engineers, through
the hands-on learning activities of the course, to speak with confidence to their clients when
selling Cisco Unified Access and BYOD solutions.
During the initial modules of the course you will be guided through building the HTA Hospital
Network. You will gain practical and valuable hands-on experience by building this network
from the ground up.
In the course of Modules 1-3, you will build the ‘One Network’ infrastructure, to which you
will then add a ‘One Management’ server through the implementation of Cisco Prime
Infrastructure. You will then add a ‘One Policy’ server with the inclusion of Cisco ISE as the
central policy server for that network.
You will also gain first-hand experience deploying a wireless access network as part of the
‘One Network’ architecture to learn how to transition a customer from a traditional wired/
wireless solution to the Unified Access Solution Architecture. During the lab you will
demonstrate the ability of network users to access resources regardless of where or how they
connect, based upon centralized authentication policies managed through ISE.
During the second part of the course you will modify the network you have built and
implement advanced networking features such as Converged Access and QoS in support of
multimedia traffic. You will migrate user policies to this new portion of the network
architecture to demonstrate that the same resources are available to end users.

You will also gain insight into deploying Cisco Unified Architecture Solution Differentiators
such as: Security with Cisco TrustSec, Smart Operations and Application Visibility and
Control.
You will also experience onboarding of end user devices to the network you have configured in
preparation for BYOD.
As a final wrap-up to the course you will be given additional tools in the form of a dCloud
Walkthrough and 819 Router presentation to allow you to effectively demonstrate to your
clients the features you have worked with.



General Administration
This topic presents the general administration for this course.

Class-related:
• Sign-in sheet
• Length and times
• Break and lunch room locations
• Attire

Facilities-related:
• Course materials
• Site emergency procedures
• Restrooms
• Telephones and faxes


Student Introductions
This topic presents the student introduction for this course.

• Your name
• Your company
• Job responsibilities
• Skills and knowledge
• Brief history
• Objective




Module 1

One Network—Building the Wired Foundation
Lesson 1

Wired Unified Access Infrastructure and Advanced Features
Overview
This lesson will guide you through the wired reference architecture foundation, which is
applied to the HTA Hospital. HTA Hospital employees have many wired clients including
servers (video streaming and data), personal computers, wired VoIP phones, medical
instruments, and other devices that are connected to LANs.
Topics that are covered will include the requirements that are needed to build the wired
network that will become the basis for this course. This module will showcase features
applicable to the Unified Architecture network for the HTA Hospital. The HTA Hospital
requires 24/7 availability of the network, minimal downtime of the services, and a scalable
solution for managing many wired and wireless network devices and clients. These features
will include wired resiliency features, Smart Operations features, and Cisco Easy Virtual
Network (EVN) features, which will be implemented in a Cisco Unified Access network.
Configuration examples will be provided for all features. Use cases from HTA Hospital will
provide examples for how each of the highlighted features is implemented.
This module features a hands-on lab that will require you to build the required reference
architecture for HTA Hospital. This reference architecture will be used in future labs.
The lab challenge for this module will be to establish a reliable wired network and achieve
connectivity between wired clients and guest accessible servers that are attached to the wired
network infrastructure of the HTA Hospital.
Objectives
Upon completing this lesson, you will be able to explain the resiliency features implemented in
the Cisco Unified Access solutions architecture of the HTA Hospital network. You will be able
to meet the following objectives:
 Identify Cisco Unified Access as an intelligent network platform supporting bring your
own device (BYOD)
 Describe Cisco Unified Access wired architecture high availability features
 Identify Cisco Catalyst SmartOperations technologies and features
 Describe Cisco Auto Smartports operation
 Describe Cisco Smart Install operation
 Describe Cisco Auto-QoS deployment on the access ports on the campus switches
 Describe Cisco EVN, an IP-based network virtualization solution

Cisco Unified Access Architecture
This topic describes Cisco Unified Access architectures and the concept of One Network, One
Management, and One Policy.


Today’s networks are facing several challenges in order to support technology advancement.
Faced with the major trends of Internet of Everything (IoE), BYOD, and mobility, businesses
are confronted with the inevitable proliferation of devices at the workplace. Businesses must
meet growing demands for bandwidth and network performance, as well as mitigate the
security risks of company data on mobile devices. In addition, they must maintain control of
and visibility into mobile users and devices accessing their networks. When addressing these
technological trends, enterprises must meet the following challenges:
 Securing any access
 Managing complexity and scale
 Delivering a high-quality experience
The Cisco Borderless Network Architecture is the technical architecture that allows
organizations to connect anyone, anywhere, anytime, and on any device—securely, reliably,
and seamlessly. It is the foundation for the Cisco Intelligent Network, providing optimization,
scale, and security to collaboration and virtualization. The architecture is built on an
infrastructure of scalable and resilient hardware and software. Components of the architecture
come together to build network systems that span your organization from network access to the
cloud.
Borderless network services are the advanced, differentiated capabilities that Cisco Borderless
Networks deliver across its routing, switching, security, wireless, and WAN optimization
portfolios. Based on One Policy, One Management, and One Network, the Cisco Unified
Access solution delivers an integrated and simplified intelligent network platform.

[Figure: Cisco Unified Access overview. One Policy: Identity Services Engine, TrustSec, Good MDM Manager. One Management: Cisco Prime Infrastructure. One Network: Cisco Catalyst Switches (Wired Network), Cisco WLAN Controller (Wireless Network), AnyConnect VPN.]

Traditionally, companies looked at themselves as isolated enterprises within a perimeter. These
companies had external-facing applications and internal operations, and everything was secured.
Today, company borders are shifting. Networks are becoming borderless. As the number of
mobile and remote workers continues to rise, it is necessary to overcome the location border so
that work can be performed from anywhere. At the same time, the increasingly broad range of
devices being used (Macs, PCs, iPhones, smartphones, tablets, and so on) in the office, at
home, or on the go requires a reconsideration of the device border. Another shift is the
application border. Applications must work everywhere, regardless of device or location.
Cisco Unified Access provides wired, wireless, and virtual private network (VPN) access,
managed with Cisco Prime and Cisco Identity Services Engine (ISE).
Cisco Unified Access brings together the security and mobility you need to deliver a consistent
access experience to your organization regardless of location or device. Because the network
can identify devices and their users, people easily access the information that they need, based
on policy settings, from anywhere at any time on any device. This approach protects critical
assets while empowering the workforce.
Cisco Unified Access solutions give IT the unified policy, management, and network platform
it needs to adapt to rapidly changing business needs, technologies, and user expectations. It
does this by employing a single network infrastructure with central policy and management
across wired and wireless networks and VPNs.
The three pillars of Cisco Unified Access are as follows:
 One Policy: World-class unified policy platform and distributed enforcement
 One Management: Single solution for comprehensive life-cycle management and
visibility
 One Network: Wired and wireless networks that converge into a single unified
infrastructure
Cisco One Policy is delivered by the Cisco ISE. Cisco ISE simplifies design and
implementation of policy and security with one policy across the entire wired and wireless
network and VPN infrastructure. Cisco ISE allows consistent enforcement of context-aware
policies and control with comprehensive input information, including information about the
user, device, location, time, and applications. Cisco ISE improves the user experience with self-
service on-boarding, guest handling, and location-based services.
New enhancements that are offered by Cisco ISE 1.2 include the following:
 Third-party mobile-device management integration, enabling the flexibility to choose a
mobile-device management vendor and simplified single-pane access for policy
management
 Device profiler feed service to provide dynamic new device information updates
 International language support and greater scalability, up to 250,000 endpoint devices
Cisco One Management is delivered by Cisco Prime Infrastructure. Cisco Prime Infrastructure
provides comprehensive Cisco Unified Access life-cycle management, end-user connectivity,
and application performance visibility to enable IT departments to deliver services that meet
today’s business demands.
Coupling client awareness with application performance visibility and network control, Cisco
Prime Infrastructure enables an uncompromised end-user experience and makes BYOD a
reality.
New enhancements that are offered by Cisco Prime Infrastructure 2.0 include the following:
 Cisco Prime 360-degree views for devices, applications, and users, simplifying
management and troubleshooting to improve the end-user experience and service assurance
 Enhanced automated workflows and integrated best practices for easy deployment and
management of Cisco advanced technologies and services, including Cisco Adaptive
Wireless Intrusion Prevention System (wIPS), Cisco CleanAir Technology, VPN, zone-
based firewall, Cisco ScanSafe, and application visibility and control
Cisco One Management is further enhanced with the Cisco Mobility Services Engine (MSE).
Cisco MSE provides advanced spectrum analysis and Cisco Adaptive wIPS Software to detect,
track, and trace the following:
 Rogue devices
 Interferers
 Wi-Fi clients
 Radio frequency ID (RFID) tags
 Over-the-air threats with location and mitigation capabilities
Advanced location services within the Cisco Mobile Concierge (part of the Cisco Connected
Mobile Experiences Solution) allow wireless LAN monetization and location analytics.

[Figure: Cisco Unified Access product portfolio. Mobility Services Engine: 3310 and 3355, physical or virtual. Access Points: Indoor 1600, 2600, 3500, 3600 Series; Teleworker 600 Series; Outdoor 1550 Series; Density 3500p Series. Wireless LAN Controllers: 2500, WLC on SRE, 5500, WiSM2, vWLC, 7500, 8500. Identity and Policy / Data Integration: ISE (physical or virtual), NCS. Distribution Switches: 6500 Series. Access Switches: Compact, 2960-S, 3750-X/3560-X, 3850, 4500E.]

This figure shows the borderless network architecture which provides Cisco customers the
power of choice.
Cisco One Network is the convergence of the wired and wireless networks into one physical
infrastructure with greater intelligence and performance. The network offers an open interface
that enables software-defined networking, providing an industry-leading network solution.
The foundation of Cisco One Network includes the following:
 Converged wired and wireless infrastructure: One physical infrastructure that increases
business agility and scalability and delivers greater operation efficiency.
 Consistent networkwide intelligence and operations: One common set of network
capabilities and context-aware intelligence for policy, visibility, analytics, and detailed
control of quality of service (QoS) across the entire wired and wireless network
infrastructure. This feature provides simplicity and a consistent user experience.
 Integration with Cisco Open Network Environment (ONE): The industry’s first
common interface across wired and wireless networks, providing a blueprint for delivery of
a programmable data plane with the Cisco ONE Platform Kit (onePK) for the enterprise
campus, support for software-defined networking, and enhanced business agility.

• Differentiating capabilities at FCS
 - Optimized for 802.11ac deployments
 - Distributed forwarding and services
 - 802.11n Gen2 access points
 - Common IOS and feature set
 - Granular QoS
 - Downloadable ACLs
 - EEM/TCL scripting, secure copy
 - Flexible NetFlow v9
 - Multiple LAGs
 - Right-to-use license model
• WLC 5760
 - 60 Gbps wireless throughput
 - Up to 1000 APs
 - Up to 12,000 clients
• Catalyst 3850
 - 40 Gbps wireless throughput
 - Up to 50 APs per stack
 - Up to 2000 clients per switch/stack

Cisco One Network includes the following core products:

Cisco Catalyst 3850 Series Switch
The Cisco Catalyst 3850 Series Switch is a converged access switch for wired and wireless
networks. This series brings the best of wired and wireless together by supporting wireless
tunnel termination and full wireless LAN controller capabilities.
The main features of the Cisco Catalyst 3850 Series include the following:
 Converged wired and wireless access: The Cisco Catalyst 3850 Series brings the excellence
of Cisco IOS Software to wireless networking by extending wired infrastructure features,
resiliency, detailed QoS control, and scalability to wireless networks. This series can
provide one common set of network capabilities and context-aware intelligence across
wired and wireless access for operation simplicity, accelerated service deployment, and
easier change management. The Cisco Catalyst 3850 Series provides integrated wireless
controller capabilities with 40-Gb/s wireless throughput, support for 50 access points and
2000 wireless clients per switch and stack, and support for IEEE 802.11ac.
 Distributed intelligent services: The Cisco Catalyst 3850 Series delivers rich common
intelligent services across wired and wireless networks for security and policy, application
visibility and control, network resiliency, smart operations, and more. Only the Cisco
Catalyst 3850 Series enables multilevel QoS based on detailed information such as the
service set ID (SSID), client, radio, and application and fair share policies for wireless
networks.
 The Cisco Catalyst 3850 Series currently offers the industry’s highest 480-Gb/s stacking
bandwidth, meeting network demand, including the demands of gigabit desktop and IEEE
802.11ac wireless technologies. The series delivers advanced capabilities such as high-
performance 24- and 48-port Gigabit Ethernet switching, 480-Gb/s stacking, full Enhanced
Power over Ethernet Plus (PoE+), and Cisco Flexible NetFlow on all ports as well as many
other features.
 Foundation for Cisco ONE with programmable ASIC: The core of the Cisco Catalyst 3850
Series is the new ASIC with programmability for future features and intelligence, providing
investment protection. The new ASIC provides a foundation for converged application
programming interfaces (APIs) across wired and wireless networks, software-defined
networking support, and Cisco onePK.

Cisco 5760 Wireless LAN Controller


The Cisco 5760 Wireless LAN Controller (WLC) is an industry-leading standalone appliance that
supports both centralized and converged wireless infrastructure. It is designed for 802.11ac
networks, combining maximum performance and services at scale with high availability for
mission-critical wireless networks.
The Cisco 5760 is the first controller that is based on Cisco IOS Software. It provides the
industry’s highest wireless throughput (60 Gb/s) and consistent networkwide intelligence and
operations. The Cisco 5760 supports highly scalable mobility architecture and a large Layer 3
roaming domain, with up to 72,000 access points and 864,000 wireless clients.

Cisco Catalyst 6500 Series WiSM2 Software Enhancements


Cisco Catalyst 6500 Series Wireless Services Module 2 (WiSM2) is an integrated switch blade
for Cisco Catalyst 6500 Series Switch chassis. This module is an optional alternative to the
Cisco 5760 to support the scalable Cisco Unified Access mobility architecture.

FCS: Q4 CY13

• Catalyst 6880-X
- Semi-modular fixed form factor
- Only 4.5 RU height (smaller than 6504-E)
- 80 to 220 Gbps per half slot capable
- 16 to 80 x 1/10GE Ethernet port density
- The most feature-rich platform in fixed class with all 3000+ Catalyst 6500 features
- Highest 1G/10G port density with rich BGP and MPLS in Cisco’s entire switching portfolio

• Catalyst 6807-XL
- High-density modular form factor
- Only 10 RU height (smaller than 6506-E)
- 220 to 880 Gbps per slot capable
- Compatible with Sup2T, 6900, 6800, 6700, and latest service modules
- 100% Catalyst 6500 IOS feature-compatible
- Next gen. ASIC-compatible for unified campus switching (future)

This figure describes the capabilities of the new Catalyst 6880-X and 6807-XL.
Note the highlighted items as they are the two most important things to make sure that
customers understand when discussing the new hardware.

Cisco Unified Access Wired Architecture High Availability Features
This topic describes the purpose and use of the redundancy features.

• Cisco StackPower technology provides power stacking among stack members for power
redundancy.
• Dual redundant, modular power supplies and three modular fans provide redundancy.
• Uses stacking technology called Cisco StackWise-480, supporting SSO.

Cisco StackPower Technology


The Cisco Catalyst 3850 Series uses Cisco StackPower technology. StackPower is an innovative
power interconnect system that allows the power supplies in a stack to be shared as a common
resource among all the switches. Cisco StackPower unifies the individual power supplies
installed in the switches and creates a pool of power, directing that power where it is needed.
Up to four switches can be configured in a StackPower stack using the special connector at the
back of the switch and the StackPower cable, which is different from the StackWise-480 cables.
StackPower can be deployed in either power-sharing mode or redundancy mode. In power-
sharing mode, the power of all the power supplies in the stack is aggregated and distributed
among the switches in the stack. In redundant mode, when the total power budget of the stack is
calculated, the wattage of the largest power supply is not included. That power is held in
reserve and used to maintain power to switches and attached devices when one power supply
fails, enabling the network to operate without interruption. Following the failure of one power
supply, the StackPower mode becomes power-sharing. StackPower allows customers to simply
add one extra power supply in any switch of the stack and either provide power redundancy for
any of the stack members or simply add more power to the shared pool. StackPower eliminates
the need for an external redundant power system or installation of dual power supplies in all of
the stack members. StackPower is available in LAN Base license level (or higher). For LAN
Base, cables need to be purchased separately.
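The two StackPower modes described above, as an added worked example (not from the course material or Cisco): it models only what the text states, namely that power-sharing mode pools every supply, redundant mode holds the largest supply in reserve, and a stack that loses a supply continues in power-sharing mode. The supply wattages are constructed sample values, not a product list.

```python
"""StackPower budget arithmetic for a Catalyst 3850 stack.

Added example, not Cisco code. Power-sharing mode pools every installed
supply; redundant mode keeps the wattage of the largest supply in reserve;
after one supply fails the stack operates in power-sharing mode.
"""
from dataclasses import dataclass

MAX_STACKPOWER_MEMBERS = 4   # up to four switches per StackPower stack
BAYS_PER_SWITCH = 2          # each switch has two power-supply bays


@dataclass(frozen=True)
class StackPower:
    mode: str                 # "power-sharing" or "redundant"
    supplies: tuple           # wattage of every installed supply in the stack

    def __post_init__(self) -> None:
        if self.mode not in ("power-sharing", "redundant"):
            raise ValueError(f"unknown StackPower mode: {self.mode!r}")
        if len(self.supplies) > MAX_STACKPOWER_MEMBERS * BAYS_PER_SWITCH:
            raise ValueError("more supplies than a four-switch StackPower stack can hold")
        if any(w <= 0 for w in self.supplies):
            raise ValueError("supply wattage must be positive")

    def budget(self) -> int:
        """Watts the stack may allocate to switches and attached PoE devices."""
        total = sum(self.supplies)
        if self.mode == "redundant" and self.supplies:
            return total - max(self.supplies)   # largest supply held in reserve
        return total

    def fail_supply(self, watts: int) -> "StackPower":
        """State after one supply of the given wattage is lost.

        The reserve (if any) is consumed, so the stack continues in
        power-sharing mode, as the text describes.
        """
        remaining = list(self.supplies)
        remaining.remove(watts)                 # ValueError if no such supply
        return StackPower("power-sharing", tuple(remaining))


def load_is_protected(stack: StackPower, load_watts: int) -> bool:
    """True if the load survives the loss of any single installed supply."""
    return all(stack.fail_supply(w).budget() >= load_watts
               for w in set(stack.supplies))


if __name__ == "__main__":
    # Constructed figures: four switches plus one extra supply in member 1,
    # so that the redundant-mode budget still covers the full load.
    supplies = (1100, 1100, 715, 350, 350)
    shared = StackPower("power-sharing", supplies)
    redundant = StackPower("redundant", supplies)
    print("power-sharing budget:", shared.budget(), "W")   # 3615
    print("redundant budget:    ", redundant.budget(), "W")   # 2515
    # Everything redundant mode allocates is protected; power-sharing mode
    # may allocate more than the stack can sustain after a supply failure.
    print("2400 W protected:", load_is_protected(redundant, 2400))   # True
    print("3600 W protected:", load_is_protected(shared, 3600))      # False
```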

Dual Redundant Modular Power Supplies


The Cisco Catalyst 3850 Series Switches support dual redundant power supplies. The switch
ships with one power supply by default. The second power supply can be purchased when
ordering the switch or later. If only one power supply is installed, it should always be in power
supply bay 1. The switch also ships with three field-replaceable fans.
Different power supplies available in these switches provide different available PoE power (no
PoE power, 435W, and 800W).

Cisco StackWise-480 Technology


Cisco StackWise-480 technology is built on the highly successful industry-leading StackWise
technology, which is a premium stacking architecture. StackWise-480 has a stack bandwidth of
480 Gb/s. StackWise-480 uses Cisco IOS Software Stateful Switchover (SSO) for providing
resiliency within the stack. The stack behaves as a single switching unit that is managed by an
active switch that is elected by the member switches. The active switch automatically elects a
standby switch within the stack. The active switch creates and updates all the switching,
routing, and wireless information and constantly synchronizes that information with the
standby switch. If the active switch fails, the standby switch assumes the role of the active
switch and continues to keep the stack operational. Access points remain connected during an
active-to-standby switchover. A working stack can accept new members or
delete old ones without service interruption. StackWise-480 creates a highly resilient single
unified system of up to four switches, providing simplified management using a single IP
address, single Telnet session, single CLI, autoversion checking, autoupgrading, auto-
configuration, and more. StackWise-480 also enables local switching in Cisco Catalyst 3850
Series Switches.
In addition to StackWise-480 and StackPower, the Cisco Catalyst 3850 Series supports high-
availability features including but not limited to the following:
 Cross-Stack EtherChannel provides the ability to configure Cisco EtherChannel technology
across different members of the stack for high resiliency.
 Flexlink provides link redundancy with convergence time less than 100 ms.
 IEEE 802.1s/w Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree
Protocol (MSTP) provide rapid spanning-tree convergence independent of spanning-tree
timers and also offer the benefit of Layer 2 load balancing and distributed processing.
Stacked units behave as a single spanning-tree node.
 Per-VLAN Rapid Spanning Tree Plus (PVRST+) allows rapid spanning-tree reconvergence
on a per-VLAN spanning-tree basis, without requiring the implementation of spanning-tree
instances.
 Switch-port autorecovery (Err-disable) automatically attempts to reactivate a link that is
disabled because of a network error.


Stacking is 3 x 40 Gb/s in each direction, giving 240 Gb/s of total bandwidth. By employing
spatial reuse, Cisco states 480 Gb/s can be achieved in optimal circumstances by using two
parallel sections of the ring simultaneously. The spatial-reuse technology enables multipath
parallel switching across each stack ring to double the throughput.

• Redundant supervisor configurations increase system availability
- Increase the system MTBF
- Reduce MTTR
- Reduce downtime associated with software upgrades
- Deterministic convergence independent of the route table size
• SSO and Cisco NSF technologies avoid network convergence events
• ISSU and EFSU reduce downtime associated with software upgrade

Catalyst 6500 Supervisor 2T

Availability is the degree to which a system resists degradation or interruption of service as a
consequence of the failure of one or more components. Different statistical models exist to
measure the availability of a given system. One method calculates availability by amortizing
the mean time to repair (MTTR) over the mean time between failures (MTBF). This method
can be expressed mathematically as a fraction of the MTBF divided by the sum of MTBF and
MTTR. With this model, 99.999 percent availability equates to five minutes of downtime per
year and 99.9999 percent availability equates to 30 seconds of downtime per year. Although the
definition of high availability changes depending on customer requirements and deployment
scenarios, the accepted benchmark for availability has become 99.999 percent, also known as
five 9s.
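The MTBF/MTTR model above, carried through in code as an added example (not from the course material or Cisco). availability() is the text's formula, and downtime_minutes_per_year() reproduces the five-nines and six-nines figures it quotes; redundant_pair_availability() goes beyond the text by giving the availability of a 1:1 redundant pair, such as dual supervisors, under the assumption that the two members fail independently. The MTBF and MTTR inputs are constructed.

```python
"""Availability arithmetic from the MTBF/MTTR model.

Added example, not Cisco's own tooling. A = MTBF / (MTBF + MTTR) is the
formula from the text; the redundant-pair figure assumes independent failures.
"""
MINUTES_PER_YEAR = 365 * 24 * 60   # 525,600


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """A = MTBF / (MTBF + MTTR)."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def downtime_minutes_per_year(avail: float) -> float:
    """Expected unavailability per year, in minutes."""
    if not 0.0 <= avail <= 1.0:
        raise ValueError("availability must lie in [0, 1]")
    return (1.0 - avail) * MINUTES_PER_YEAR


def nines(avail: float) -> int:
    """Count the leading nines: 0.99999 -> 5 ('five 9s')."""
    if not 0.0 < avail < 1.0:
        raise ValueError("availability must lie strictly between 0 and 1")
    unavailability = 1.0 - avail
    count = 0
    # small tolerance: 1 - 0.99999 is not exactly 1e-5 in binary floating point
    while unavailability <= 10.0 ** -(count + 1) + 1e-12:
        count += 1
    return count


def redundant_pair_availability(single: float) -> float:
    """1:1 redundancy: the pair is down only when both members are down.

    Assumes the two members fail independently (an assumption of this
    example, not a statement from the text).
    """
    if not 0.0 <= single <= 1.0:
        raise ValueError("availability must lie in [0, 1]")
    return 1.0 - (1.0 - single) ** 2


if __name__ == "__main__":
    # Constructed figures: a supervisor with 100,000 h MTBF and 1 h MTTR
    a = availability(100_000, 1)
    print(f"single supervisor: {a:.6%}, {nines(a)} nines, "
          f"{downtime_minutes_per_year(a):.2f} min/yr")
    pair = redundant_pair_availability(a)
    print(f"redundant pair:    {pair:.10%}, {nines(pair)} nines, "
          f"{downtime_minutes_per_year(pair) * 60:.4f} s/yr")
```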
Catalyst 4500 and 6500 Series Switches are deployed in many of the most critical parts of
enterprise and service provider networks. Therefore, a Catalyst 4500 or 6500 Series Switch
must achieve close to 100 percent availability. The platforms have evolved over the years to
achieve higher levels of availability by providing more advanced resiliency mechanisms.
Examples of high-availability device level redundancy include redundant supervisors,
redundant switches, redundant power supplies, redundant fans, and virtual switching systems.
Examples of high-availability networkwide redundancy mechanisms include redundant links,
EtherChannel technology, Spanning Tree Protocol (STP), UniDirectional Link Detection
(UDLD) protocol, and First Hop Redundancy Protocol (FHRP).
When two supervisors are installed in the Catalyst 4500 or 6500, one will act as the active
supervisor and the other acts as the standby supervisor. The active supervisor is running the
active control plane and is running the data plane as well, running all the switching
components. The standby supervisor is waiting to take over if needed. It is not used in the
active forwarding path. There is no load balancing of the switch fabrics. It is true 1:1
redundancy.
When a supervisor switchover occurs and Cisco Nonstop Forwarding (NSF) is enabled, SSO
maintains all the directly connected routes through the out-of-band synchronization, so the
neighbors are not even aware of the switchover. The Cisco NSF-capable router signals Cisco
NSF-aware routing peers of a routing protocol restart. Cisco NSF-aware routers detect the
restarting router and assist in re-establishing full adjacency as well as maintain forwarding to
and from the restarting router.
Cisco IOS In-Service Software Upgrade (ISSU) enables a Catalyst 4500 with dual supervisors
to virtually eliminate planned outages for full feature software upgrades. It provides the means
to upgrade or, if needed, downgrade the Cisco IOS Software in a redundant Cisco Catalyst
4500 supervisor system without incurring a service outage. ISSU adds additional functionality
to the Cisco Catalyst 4500 high-availability capabilities that are already provided by SSO and
Cisco NSF. Since the underlying technology supporting ISSU is based on the SSO architecture,
the downtime that is associated during a switchover is less than 200 ms. ISSU is a user-initiated
and user-controlled process through a set of executive-level CLI commands that are issued in a
specific order to upgrade or downgrade a Cisco IOS Software image running on a Cisco
Catalyst 4500 dual-supervisor configuration. This process differs from “hitless” software
upgrades in that it provides the ability to do a hitless “full feature” upgrade rather than just a
system patch.
Enhanced Fast Software Upgrade (eFSU) enables an increase in network availability by
reducing the downtime that is caused by software upgrades. eFSU reduces the downtime by
bringing up the standby supervisor engine in SSO mode even when the active and the standby
supervisor engines have different software versions, or with Virtual Switching System (VSS)
configured, when the supervisor engines in the two chassis have different software versions.
Keep in mind that during an eFSU upgrade, modules are restarted or reset after the switchover
that occurs between the supervisor engines. In VSS mode, the effect of the module restart is
minimized when devices are dual homed to the VSS.

• SSO allows redundant supervisor engines to run a stateful IOS and stateful applications to
exchange state to minimize outage at the time of a switchover from active to standby
supervisor.
- The redundant supervisor engine is fully initialized.
- Upon switchover, physical links stay up and protocols do not reset.
- Traffic interruption is sub second (less than 200 ms).
- IOS images need to be identical.

Functions like Cisco IOS ISSU depend on the facilities that are provided by SSO. Catalyst
4500 E-Series Switches allow a redundant supervisor engine to quickly take over operation of
the switch if the active supervisor engine fails. Supervisor engine redundancy is enabled by
running the redundant supervisor engine in SSO operating mode. With supervisor engine
redundancy enabled, the redundant supervisor engine becomes the active supervisor engine
when the active supervisor engine fails, when Cisco IOS ISSU commands are issued, or when a
manual switchover is performed. The redundant supervisor engine is automatically initialized
with the startup configuration of the active supervisor engine. This automatic initialization
shortens the switchover time from 30 seconds or longer in Route Processor Redundancy (RPR)
mode to less than 200 ms in SSO mode.
When a redundant supervisor engine runs in SSO mode, the engine starts up in a fully
initialized state. The engine then synchronizes with the persistent configuration and the running
configuration of the active supervisor engine. The engine subsequently maintains the state of
SSO client protocols. All changes in hardware and software states for features that support SSO
are kept in sync. Consequently, the engine offers almost zero interruption to Layer 2 sessions in
a redundant supervisor engine configuration.
Because the redundant supervisor engine recognizes the hardware link status of every link,
ports that were active before the switchover remain active, including the uplink ports. However,
because uplink ports are physically on the supervisor engine, the ports are disconnected if the
supervisor engine is removed. If the active supervisor engine fails, the redundant supervisor
engine becomes active. This newly active supervisor engine uses Layer 2 switching information
that exists to continue forwarding traffic. Unless Cisco NSF is configured, Layer 3 forwarding
is delayed until the routing tables have been repopulated in the newly active supervisor engine.

• Packet forwarding is not disrupted during Cisco NSF/SSO failover.
• Routing adjacencies stay up.
• Routing converges while packet forwarding continues.

Figure: the active supervisor fails (X); the standby supervisor, with its SSO-synched
forwarding table, performs a graceful restart and receives routing updates from its peers.

Cisco NSF works with SSO to minimize the amount of time that the network is unavailable
following a supervisor engine switchover.
When switching from the active supervisor engine to the standby supervisor engine, the switch
loses connectivity to its routing peers.
Since the routing peers are Cisco NSF-aware and the interfaces to the Cisco NSF-capable
switch are still up, they keep sending data packets to the Cisco NSF-capable switch.
When the supervisor switchover is done, the new supervisor engine will conduct a graceful
restart for all of the configured routing protocols and therefore receive all of the routing
information from its peers. After that, the forwarding information base (FIB) will be updated
and normal routing operation continues.
Cisco NSF uses capabilities of Layer 3 routing protocols and Cisco Express Forwarding to
prevent disruption of traffic forwarding. The Border Gateway Protocol (BGP), Open Shortest
Path First (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP) routing protocols
have been enhanced with Cisco NSF capability and awareness. That enhancement means that
routers running these protocols can detect a switchover and take the necessary actions to
continue forwarding network traffic and to recover route information from the peer devices.
The Intermediate System-to-Intermediate System (IS-IS) protocol can be configured to use
state information that has been synchronized between the active and the redundant supervisor
engine. IS-IS can then recover route information from this synchronized state following a
switchover, rather than from information received from peer devices.

• Traditional Campus Design
- Complex network design and operation
- Underutilized network resources
- Suboptimal application and network performance
• VSS Campus Design: Optimized Network
- Optimized network design
- Double switching capacity
- Deterministic application and network performance
- Simplified and highly redundant network topologies
• VSS Campus Design: Simplified Operation
- Simplified system operation
- Single neighbor and network per layer
* MEC is used to eliminate the loops

Network operators increase network reliability by configuring redundant pairs of network
devices and links. Redundant network elements and redundant links can add complexity to
network design and operation. Virtual switching simplifies the network by reducing the number
of network elements and hiding the complexity of managing redundant switches and links.
A VSS combines a pair of Catalyst 4500 or 6500 Series Switches into a single network
element. The VSS manages the redundant links, which externally act as a single port channel.
The VSS simplifies network configuration and operation by reducing the number of Layer 3
routing neighbors and by providing a loop-free Layer 2 topology.
VSS functionality is used to combine two Catalyst 4500 or 6500 Series Switches into a single
network element using the Supervisor Engine 7-E, Supervisor Engine 720-10G (VSS 1440), or
Supervisor Engine 2T (VSS 4T). This functionality is achieved by forming a virtual switch link
(VSL) between two chassis, each containing this supervisor engine.

• Virtual Switch Domain: defines two Cisco Catalyst 4500s or 6500s that are participating
together as a VSS.
• Virtual Switch Primary: Cisco Catalyst 4500 or 6500 that operates as the active control plane
for the VSS (active control plane, active data plane).
• Virtual Switch Secondary: Cisco Catalyst 4500 or 6500 that operates as the hot standby
control plane for the VSS (hot standby control plane, active data plane).
• Virtual Switch Link: special link bundle joining two Cisco Catalyst 4500s or 6500s, allowing
them to operate as a single logical device.

Virtual Switch Identifiers


 A virtual switch domain ID is allocated during the migration process and represents the
logical grouping of the two physical chassis within a VSS. It is possible to have multiple
virtual switch domains throughout the network. The configurable values for the domain ID
are 1 to 255. It is always recommended to use a unique virtual switch domain ID for each
virtual switch domain throughout the network.
 A switch identifier is a unique number (1 or 2) for each switch to determine the role within
the VSS.

Virtual Switch Link


The VSL is the special link bundle that binds the two chassis of a VSS together. With the
Catalyst 4500, the VSL can be either multi-1G or multi-10G EtherChannel. With the Catalyst
6500, the VSL must be a multi-10G EtherChannel.

Virtual Switch Roles


When a VSS is created or restarted, the peer chassis negotiate their roles. One chassis becomes
the active chassis and the other chassis becomes the standby.
The active chassis controls the VSS and runs the Layer 2 and Layer 3 control protocols for the
switching modules on both chassis. The active chassis also provides management functions for
the VSS, such as line card online insertion and removal (OIR) and the console interface. The
active and standby chassis perform packet forwarding for ingress data traffic on their locally
hosted interfaces. However, the standby chassis sends all control traffic to the active chassis for
processing.

Control and Data Plane


In virtual switch mode, while there is a unified control plane, both data planes are active.
Therefore, each can actively participate in the forwarding of data.

Since both data planes are active, each forwarding engine has a full copy of the forwarding
tables and security and QoS policies in hardware so that each can make a fully informed local
forwarding decision.

Router MAC Address


In a VSS, since there is only a single routing entity, there is also only one single router MAC
address. The MAC address that is allocated to the VSS is negotiated at system initialization.
Regardless of either switch being brought down or up, the same MAC address will be retained
so that neighboring network nodes and hosts do not need to resubmit an Address Resolution
Protocol (ARP) request (gratuitous ARP) for a new address.

• MEC is a Layer 2 multipathing technology.
• MEC and VSS bring powerful and very effective changes to the campus topology. The
following are three key benefits:
- Eliminates loops in multilayer design.
- Doubles the available bandwidth for forwarding.
- Improves availability of delay-sensitive applications.

Figure: physical topology (active and standby chassis joined by the VSL, with the access
switch attached through a MEC) and the resulting logical topology.

Traditional EtherChannel aggregates multiple physical links between two switches.


Multichassis EtherChannel (MEC) is a Layer 2 multipathing technology. This form of
EtherChannel allows a connected node to terminate the EtherChannel across the two physical
Cisco Catalyst 6500 Series Switches that make up the VSS, creating a simplified loop-free
Layer 2 topology. VSS provides distributed forwarding and a unified control plane, so the MEC
appears as a single port-channel interface that exists on both the active and hot-standby
switches. Even though the access layer is connected to two distinct physical chassis via two
physical links, from the access-layer switch perspective this port-channel connection is a
single logical link to a single logical switch (referred to as VSS with MEC).
The MEC and VSS bring powerful and very effective changes to the campus topology. The
following are two key benefits:
 Eliminates loops in multilayer design. Traditionally, spanning VLANs over multiple closets
would create an STP-looped topology because one of the uplinks would be blocked by
STP. MEC with VSS eliminates loops in the campus topology because STP now operates on
the EtherChannel logical port and each physical switch appears to be connected via a single
logical link to a single logical switch.
 Doubles the available bandwidth for forwarding. MEC replaces spanning tree as the means
to provide link redundancy. This means that all physical links under the MEC are available
for forwarding traffic. The STP can no longer block individual links since its database does
not have those links available to calculate a loop-free path. For the network with a looped
topology, the total forwarding capacity is half the available bandwidth of physical links.
VSS with MEC makes all links available for forwarding and thus doubles the bandwidth
available.

Note MEC configuration is only possible in the VSS. However, access-layer switches requiring
connectivity to the VSS are configured with traditional EtherChannel interfaces.

• The default redundancy mechanism between the two VSS chassis and their associated
supervisors is NSF/SSO.
• Cisco NSF and SSO must be enabled on both for Catalyst 4500 VSS to work.
• A mismatch of information between the active and standby results in the following:
- For the Catalyst 4500, the standby does not boot.
- For the Catalyst 6500, the standby boots in RPR mode; RPR is the predecessor to SSO.

Figure: Switch1 (active, code version 1) and Switch2 (standby, code version 2) joined by the
VSL, with NSF/SSO between them.

VSS functionality is used to combine two Catalyst 4500 or 6500 Series Switches into a single
network element which is achieved by forming a VSL between two chassis, each containing the
supervisor engine.
From a redundancy point of view, it does not matter whether the supervisor engines are in one
or two chassis. The redundancy mechanism is, as discussed before, SSO with Cisco NSF. The
keepalives being sent over the fabric when two supervisor engines are installed in one chassis
are sent now over the VSL. Cisco NSF works the same way as in a single chassis and has to be
configured the same way.
RPR was the first supervisor redundancy feature introduced in Cisco IOS Software for the
Catalyst 6500 Series Switch. RPR manages the redundant supervisor hardware to provide
redundant network services through automatic failover to a standby supervisor if the active
supervisor fails. RPR
failover times vary based on the configuration of the Catalyst 6500 Series Switch. At the
conclusion of the failover time interval, the standby supervisor is fully activated and switching
operations can continue.
In RPR mode, the startup configuration and boot registers are synchronized between the active
and standby supervisors, but the standby supervisor is not yet fully initialized. When a failover
occurs, the standby supervisor automatically becomes active, but must first complete the boot
process. Additionally, all line cards are reloaded and the hardware is reprogrammed.

Note RPR mode is not supported with Catalyst 4500 VSS.

SSO establishes one supervisor engine as the active supervisor and designates the other
supervisor as the hot standby supervisor. SSO synchronizes the information between the two
supervisors. When the active supervisor fails, is removed from the switch, or is manually shut
down for maintenance, a switchover occurs from the active to the redundant supervisor. In
networking devices running SSO, the FIB and adjacency entries are preserved during an SSO
switchover, so that Layer 2 and Layer 3 forwarding can continue after a switchover has
occurred.

Cisco NSF works with SSO to minimize the amount of time a network is unavailable to its
users following a switchover. The main objective of Cisco NSF is to continue forwarding IP
packets following a route processor (RP) switchover.
Usually, when a networking device restarts, all routing peers of that device detect that the
device went down and then came back up. This transition results in what is called a routing
flap. Cisco NSF helps to suppress routing flaps in SSO-enabled devices, thus reducing network
instability. Cisco NSF allows for the forwarding of data packets to continue along known routes
while the routing protocol information is being restored following a switchover. The ability of
line cards to remain up through a switchover and to be kept current with the FIB on the active
RP is the key to Cisco NSF operation. The Cisco NSF feature has several benefits, including
the following:
 Improved network availability: Cisco NSF continues forwarding network traffic and
application state information so that user session information is maintained after a
switchover.
 Overall network stability: Network stability may be improved with the reduction in the
number of route flaps that had been created when routers in the network failed and lost
their routing tables.
 Neighboring routers do not detect link flapping: Because the interfaces remain up across
a switchover, neighboring routers do not detect a link flap (that is, the link does not go
down and come back up).
 Prevents routing flaps: Because SSO continues forwarding network traffic in the event of
a switchover, routing flaps are avoided.
 No loss of user sessions: User sessions that were established before the switchover are
maintained.

Note Cisco NSF and SSO must be configured for Catalyst 4500 VSS to work.

• Redundant supervisors fully boot Cisco IOS to ICHS redundancy mode.
• All information is in sync between VSS active and VSS hot-standby as well as between
in-chassis active and in-chassis hot standby supervisors.
• All uplinks on all supervisors are active.
• After active supervisor failure, the hot-standby supervisor takes over.
• If VSS active supervisor fails, the VSS hot-standby becomes the VSS active.

Figure: Switch 1 (VSS Active plus In-Chassis Hot Standby) and Switch 2 (VSS Hot-Standby
plus In-Chassis Hot Standby) joined by the VSL; SSO sync runs between the two chassis and
within each chassis.

VSS Quad-Supervisor Uplink Forwarding


Cisco IOS Software Release 15.1(1) SY1 introduces support for VSS quad supervisor SSO
with the Supervisor 2T.
When a VSS with quad-supervisor SSO is used, the In-Chassis Hot-Standby (ICHS) supervisor
engine acts the same as a hot-standby supervisor in a standalone chassis. During the bootup,
once the chassis level role is resolved, the ICHS downloads the image from the In-Chassis
Active (ICA) supervisor engine.
These ICHS supervisors can also be used to forward traffic on the uplink ports, therefore
enabling all four supervisors in a VSS system to actively forward traffic under normal
conditions. Furthermore, the additional supervisors can act as hot-standby supervisors within
each chassis which provides resilient network connectivity to single-homed devices and
maximum bandwidth availability to both upstream and downstream connected devices.
From a control plane point of view there is only one supervisor engine active. Between the
chassis, the high availability mechanism is the same as with dual supervisor engines. From a
data plane perspective, all of the uplink ports on all four supervisor engines are active and
forwarding.
The switchover mode of the supervisor engines can be verified by entering the show module
command.
The procedure when the active VSS supervisor fails is as follows:
1. Active VSS supervisor in switch 1 incurs a hardware failure.
2. SSO fails over to the hot-standby supervisor in switch 2, making it the new VSS active.
3. SSO fails over to the ICHS supervisor in switch 1, making it the new VSS hot-standby.
4. All bandwidth is available during the SSO switchover.

• Software maintenance windows are significant causes of downtime.
• On redundant systems, the IOS ISSU process allows the running IOS software to be upgraded while packet forwarding continues.
• The IOS ISSU mechanism leverages architecture for high availability—NSF/SSO <200 ms.
• Cisco Catalyst 4500 uses full image upgrades for the addition of new features, defects, and PSIRTs.
• IOS ISSU increases network availability and reduces downtime caused by planned upgrades.
• There is an 18-month rolling window.
[Figure: ISSU upgrade from 03.01.00.SG to 03.02.00.SG; "Targets Planned Downtime Due to Software Upgrades".]

Cisco IOS ISSU is available on the Catalyst 4500 Series and allows customers to virtually
eliminate planned outages for full feature software upgrades. ISSU provides the means to
upgrade or, if needed, downgrade the Cisco IOS Software in a redundant Catalyst 4500
supervisor system without incurring a service outage.
IOS ISSU adds functionality to the Catalyst 4500 high-availability capabilities that are already
provided by SSO and Cisco NSF. Since the underlying technology supporting IOS ISSU is
based on the SSO architecture, the downtime that is associated with a switchover is less than
200 ms.
IOS ISSU is a user-initiated and user-controlled process that is executed through a set of
executive-level CLI commands. Those commands are issued in a specific order to upgrade or
downgrade a Cisco IOS Software image running on a Catalyst 4500 dual-supervisor
configuration. The process differs from hitless software upgrades in that it provides the ability
to do a hitless full feature upgrade rather than just a system patch.

issu changeversion bootflash:New_Image quick

1. Standby supervisor in slot 6 is reset.
2. Boots with new image.
3. Initiate SSO between active supervisor in slot 5 and standby supervisor in slot 6.
4. Active supervisor in slot 5 resets.
5. Standby supervisor in slot 6 takes over as active supervisor.
6. Supervisor in slot 5 boots up as a standby supervisor with the new image.
7. Completes the IOS ISSU process.
[Figure: active supervisor in slot 5 and standby supervisor in slot 6, both ending on the new image.]

The IOS ISSU process in Cisco IOS XE is a single-line command. The process starts with
rebooting the standby supervisor with the new image and performing an SSO, which means that
SSO mode is required for performing a Cisco IOS ISSU. Also, there is no PoE loss during this
switchover. The data loss is expected to be less than 200 ms.
Once the standby supervisor assumes the active role, the other supervisor engine reboots with
the new image. Both supervisors come up in SSO mode. In case there is any failure during the
process, then the IOS ISSU process automatically reverts to the old IOS image and alerts the
user via syslog.

Use changeversion Command to Automate an IOS ISSU Upgrade


You can use the issu changeversion command to perform a one-step IOS ISSU upgrade.
The following are prerequisites:
 Ensure that the new Cisco IOS XE Software image is present in the file system of both the
active and standby supervisor engines. Also, ensure that appropriate boot parameters
(BOOT string and config-register) are set for the active and standby supervisor engines.
 Optionally, perform additional tests and commands to determine the current state of peers
and interfaces for later comparison.
 Ensure the system (both active and standby supervisor engines) is in SSO redundancy
mode. If the system is in RPR mode, you can still upgrade the system using the IOS ISSU
CLI commands, but the system will experience extended packet loss during the upgrade.
Refer to the section in this document on SSO for more details on how to configure SSO
mode on supervisor engines.
 For IOS ISSU to function, the IOS XE Software image file names on the active and
standby supervisor engines must match.
The following example shows how to initiate an ISSU upgrade process using the issu
changeversion command on slot number 5, the slot for the current active supervisor engine.
The show issu state detail and show redundancy command output is included to show the
supervisor state before and after the upgrade procedure.
Note The success messages included in the output below are displayed after some delay
because the IOS ISSU upgrade procedure progresses through the IOS ISSU states.

Switch# show issu state detail
Slot = 5
RP State = Active
ISSU State = Init
Operating Mode = Stateful Switchover
Current Image = bootflash:x.bin
Pre-ISSU (Original) Image = N/A
Post-ISSU (Targeted) Image = N/A
Slot = 6
RP State = Standby
ISSU State = Init
Operating Mode = Stateful Switchover
Current Image = bootflash:x.bin
Pre-ISSU (Original) Image = N/A
Post-ISSU (Targeted) Image = N/A
Switch# show redundancy
Redundant System Information :
------------------------------
Available system uptime = 12 minutes
Switchovers system experienced = 0
Standby failures = 0
Last switchover reason = none
Hardware Mode = Duplex
Configured Redundancy Mode = Stateful Switchover
Operating Redundancy Mode = Stateful Switchover
Maintenance Mode = Disabled
Communications = Up
Current Processor Information :
------------------------------
Active Location = slot 5
Current Software state = ACTIVE
Uptime in current state = 9 minutes
Image Version = Cisco IOS Software, IOS-XE
Software, Catalyst 4500 L3
Switch Software (cat4500e-UNIVERSALK9-M), Version
03.00.00.1.68 CISCO UNIVERSAL
DEVELOPMENT K10 IOSD TEST VERSION
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Sun 29-Aug-10 03:57 by gsbuprod
Configuration register = 0x2920
Peer Processor Information :
------------------------------
Standby Location = slot 6
Current Software state = STANDBY HOT
Uptime in current state = 2 minutes

Image Version = Cisco IOS Software, IOS-XE
Software, Catalyst 4500 L3
Switch Software (cat4500e-UNIVERSALK9-M), Version
03.00.00.1.68 CISCO UNIVERSAL
DEVELOPMENT K10 IOSD TEST VERSION
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Sun 29-Aug-10 03:57 by gsbuprod
Configuration register = 0x2920
Switch# issu changeversion bootflash:y.bin
% 'issu changeversion' is now executing 'issu loadversion'
% issu loadversion executed successfully, Standby is being reloaded
% changeversion finished executing loadversion, waiting for standby to reload and reach SSO ...

Note Standby reloads with the target image.

.....
.....
*Feb 25 20:41:00.479: %INSTALLER-7-ISSU_OP_SUCC: issu
changeversion is now executing
'issu runversion'
*Feb 25 20:41:03.639: %INSTALLER-7-ISSU_OP_SUCC: issu
changeversion successfully executed
'issu runversion'

Note Switchover occurs.

......
Look at the console of new active supervisor engine.
*Feb 25 20:47:39.859: %RF-5-RF_TERMINAL_STATE: Terminal state
reached for (SSO)
*Feb 25 20:47:39.971: %INSTALLER-7-ISSU_OP_SUCC: issu
changeversion is now executing
'issu commitversion'
.....

Note The new standby supervisor engine reloads with the target image. The command
changeversion is successful when SSO terminal state is reached.

*Feb 25 20:54:16.092: %HA_CONFIG_SYNC-6-BULK_CFGSYNC_SUCCEED: Bulk Sync succeeded
*Feb 25 20:54:16.094: %RF-5-RF_TERMINAL_STATE: Terminal state reached for (SSO)
Switch#
Switch# show issu state detail
Slot = 6
RP State = Active
ISSU State = Init
Operating Mode = Stateful Switchover

Current Image = bootflash:y.bin
Pre-ISSU (Original) Image = N/A
Post-ISSU (Targeted) Image = N/A
Slot = 5
RP State = Standby
ISSU State = Init
Operating Mode = Stateful Switchover
Current Image = bootflash:y.bin
Pre-ISSU (Original) Image = N/A
Post-ISSU (Targeted) Image = N/A
Switch# show redundancy
Redundant System Information :
------------------------------
Available system uptime = 12 minutes
Switchovers system experienced = 0
Standby failures = 0
Last switchover reason = none
Hardware Mode = Duplex
Configured Redundancy Mode = Stateful Switchover
Operating Redundancy Mode = Stateful Switchover
Maintenance Mode = Disabled
Communications = Up
Current Processor Information :
------------------------------
Active Location = slot 6
Current Software state = ACTIVE
Uptime in current state = 9 minutes
Image Version = Cisco IOS Software, IOS-XE
Software, Catalyst 4500 L3
Switch Software (cat4500e-UNIVERSALK9-M), Version
03.00.00.1.68 CISCO UNIVERSAL
DEVELOPMENT K10 IOSD TEST VERSION
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Sun 29-Aug-10 03:57 by gsbuprod
Configuration register = 0x2920
Peer Processor Information :
------------------------------
Standby Location = slot 5
Current Software state = STANDBY HOT
Uptime in current state = 2 minutes
Image Version = Cisco IOS Software, IOS-XE
Software, Catalyst 4500 L3
Switch Software (cat4500e-UNIVERSALK9-M), Version
03.00.00.1.68 CISCO UNIVERSAL
DEVELOPMENT K10 IOSD TEST VERSION
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Sun 29-Aug-10 03:57 by gsbuprod
Configuration register = 0x2920
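As an added example (not from the guide or from Cisco), the following script turns the ISSU prerequisites listed above into an automated check over captured show redundancy and show issu state detail output; the sample outputs are constructed to match the formats shown, and the RPR and mismatched-image cases are constructed negatives.

```python
"""Pre-flight check before 'issu changeversion' on a dual-supervisor
Catalyst 4500, based on the 'show redundancy' and 'show issu state detail'
formats shown above. Added example, not Cisco tooling; samples are constructed."""
from typing import Dict, List

# Constructed, abbreviated from the guide's 'show redundancy' output.
SHOW_REDUNDANCY = """\
Redundant System Information :
------------------------------
Hardware Mode = Duplex
Operating Redundancy Mode = Stateful Switchover
Communications = Up
Current Processor Information :
------------------------------
Active Location = slot 5
Current Software state = ACTIVE
Peer Processor Information :
------------------------------
Standby Location = slot 6
Current Software state = STANDBY HOT
"""

# Constructed 'show issu state detail' with both supervisors on x.bin.
SHOW_ISSU_STATE = """\
Slot = 5
RP State = Active
ISSU State = Init
Operating Mode = Stateful Switchover
Current Image = bootflash:x.bin
Slot = 6
RP State = Standby
ISSU State = Init
Operating Mode = Stateful Switchover
Current Image = bootflash:x.bin
"""

# Constructed negative cases: a system still in RPR (standby not hot), and
# supervisors booted from differently named image files.
SHOW_REDUNDANCY_RPR = SHOW_REDUNDANCY.replace(
    "Stateful Switchover", "Route Processor Redundancy").replace("STANDBY HOT", "STANDBY COLD")
SHOW_ISSU_MISMATCH = SHOW_ISSU_STATE.replace("x.bin", "y.bin", 1)


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Split 'show redundancy' into its ':'-terminated sections of key = value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                     # blank or '------' separator
        if line.endswith(":"):
            current = line[:-1].strip()  # section header
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def parse_issu_state(text: str) -> List[Dict[str, str]]:
    """Return one dict per supervisor slot from 'show issu state detail'."""
    slots: List[Dict[str, str]] = []
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Slot":
            slots.append({"Slot": value})  # 'Slot = N' opens a new block
        elif slots:
            slots[-1][key] = value
    return slots


def issu_preflight(redundancy: str, issu_state: str) -> List[str]:
    """Return the prerequisites that fail; an empty list means safe to start."""
    problems: List[str] = []
    red = parse_sections(redundancy)
    system = red.get("Redundant System Information", {})
    peer = red.get("Peer Processor Information", {})
    if system.get("Operating Redundancy Mode") != "Stateful Switchover":
        problems.append("not in SSO mode: RPR would mean extended packet loss")
    if system.get("Communications") != "Up":
        problems.append("communication with the peer supervisor is not up")
    if peer.get("Current Software state") != "STANDBY HOT":
        problems.append("standby is not STANDBY HOT: %r"
                        % peer.get("Current Software state"))
    slots = parse_issu_state(issu_state)
    images = {s.get("Current Image") for s in slots}
    if len(images) != 1:
        problems.append("image file names differ between supervisors: %s"
                        % ", ".join(sorted(str(i) for i in images)))
    for slot in slots:
        if slot.get("ISSU State") != "Init":
            problems.append("slot %s ISSU state is %s: an earlier ISSU is still in progress"
                            % (slot["Slot"], slot.get("ISSU State")))
    return problems
```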

Cisco Catalyst Smart Operations
This topic describes Cisco Catalyst Smart Operations.

[Figure: Cisco Catalyst Smart Operations features: Smart Install, Auto Smartports, Auto-QoS, Flexible NetFlow, IP SLAs, Mediatrace, ERSPAN, Smart Call Home, Protocol Analyzer, EEM, TDR, GOLD.]

Organizations today are looking for ways to increase productivity and efficiency. Industries
such as health care, education, government, manufacturing, financial, and banking are all facing
the same challenge of reduced budgets. As a result, new and innovative practices are needed to
run and grow the business.
As networks evolve to better support data, voice, video, and building control, they become
critical to operation and innovation. The goal of every business is nonstop, constant
communications and maximum uptime for network services. Yet downtime risks exist,
stemming from a range of causes that includes human error such as incorrect design,
misconfigurations, planned software and hardware upgrades, and unplanned hardware or
software faults. When outages occur, companies suffer lost business, lowered customer
satisfaction, and lower productivity.
Ultimately, implementing the right intelligence in your network can enable your organization to
meet your business goals.
This topic focuses on the features that support the deployment phase of lifecycle
management:
 Cisco Smart Install is a zero-touch deployment solution that allows new or replacement
switches to be automatically imaged and configured over the network.
 Cisco Auto Smartports automatically configures switch ports that are based on the
connected device type, eliminating the need to allocate fixed ranges of switch ports for
specific device types or manually reconfiguring ports each time a device is added or
removed.
 Cisco Auto-QoS simplifies generating and applying quality of service configurations
across the network, ensuring priority treatment of voice, video, and real-time applications.

The following features are part of the planning, monitoring, and troubleshooting phases:
 Cisco Flexible NetFlow provides detailed network traffic statistics, which allows
administrators to identify anomalies, intelligently manage capacity, and plan upgrades.
 Cisco IP Service-Level Agreements (SLAs) assess network performance and readiness to
deploy new IP services such as voice, video, or virtual desktop infrastructure (VDI).
 Cisco Embedded Event Manager (EEM) is a scripting system that can detect network
events and automatically take a customized action, for example executing commands or
sending an email.
 Cisco Smart Call Home communicates network status information to the Cisco Technical
Assistance Center (TAC) to enable proactive service interventions.
 Cisco Generic Online Diagnostics (GOLD) runs diagnostic tests to detect preliminary
warnings of hardware failure, allowing network administrators to prevent potential outages.
 Cisco Mediatrace monitors voice, video, and other real-time traffic as it traverses the
network allowing administrators to pinpoint bottlenecks that degrade performance.
 Cisco Encapsulated Remote Switched Port Analyzer (ERSPAN) captures traffic on
switch ports or VLANs and sends it across a Layer 3-routed network for remote analysis
and diagnostics. A port can be configured as a monitored port; the traffic that is sent
or received on that port is then copied to a destination port on the same switch (Switched
Port Analyzer, SPAN), to a port on a different switch (Remote Switched Port Analyzer,
RSPAN), or to other switches across a routed network, which provides remote monitoring
of multiple switches across your network (ERSPAN). ERSPAN uses a Generic Routing
Encapsulation (GRE) tunnel to carry traffic between switches.
 Protocol Analyzer leverages the Wireshark open-source packet capture platform to collect
and interpret traffic on an interface, enabling sophisticated protocol analysis and
debugging.
 Time Domain Reflectometer (TDR) uses switch hardware to test the integrity, length, and
connectivity of Ethernet cables to enable rapid debugging of wiring issues.

[Figure: director Catalyst 6K above the access switches.]

Auto-QoS: Automatically Creates Relevant QoS Configuration
- New Configuration
- No in-depth QoS knowledge needed
- VoIP feature simplifies QoS implementation
- Can use existing Cisco commands to modify the automatically generated configuration

Auto Smartports: Plug and Play for End Devices
- New Device Attached
- Port configuration: Applied
- QoS policy: Enforced
- Security policy: Enforced

Smart Install: Zero-Touch Deployments and Maintenance
- New Switch Connected
- Software image downloaded
- Configuration automatically applied

Smart Install
Smart Install can deliver substantial IT cost savings by providing zero-touch deployment,
replacement, and automatic configuration backup for Cisco Catalyst switching products. Smart
Install uses a director device, which can be a 6500 Series Sup 2T, 4500E Sup 7-E, 4500E Sup
7L-E, 4500 Sup 6-E, 4500 Sup 6L-E, 3850, 3750-X, 3750-E, 3750-G, 3750V2-24FS, 3560-X,
3560-E, 3560-G, 3560V2-24S, 3560C, or Cisco Integrated Services Router (ISR). Optionally,
Smart Install uses an external server to store configurations and appropriate Cisco IOS
Software images for client switch groups. When a new or replacement switch is added to the
group, the director discovers it and pushes the appropriate configuration and software image to
it. This action eliminates manual configuration of new hardware and creates a single point of
management. Smart Install also helps with configuration backup of all switches in the network.

Auto Smartports
Auto Smartports enables true plug-and-play deployment of Cisco endpoint devices by
automatically applying port configuration policies, QoS policies, and security policies that are
based on Cisco best practices. Users can create their own Auto Smartports macros to extend
this functionality more broadly and to customize settings to meet their specific needs. By
combining Auto Smartports with Smart Install, users can enable zero-touch deployment of both
their switching infrastructure and endpoints.
Cisco Catalyst 4500 and 3850 Series Switches feature Auto Smartports. The feature is expected
to be added for the Catalyst 6500.

Auto-QoS
Cisco Auto-QoS for the enterprise provides automation for deployment of QoS policies in a
general business environment, particularly for mid-size companies and branch offices of larger
companies. It can be used to generate suggested Modular QoS CLI (MQC) policies and also to
deploy those policies. Auto-QoS is supported on the Catalyst 3000, 4000, and 6000 Series
switches.

Cisco Auto-QoS
This topic describes Cisco Auto-QoS as it is implemented on the supervisor engine.

• Strengthens integration of voice and video
- Protects voice and video traffic from congestion
• Simplifies deployment of QoS policies
- Minimal configuration needed to deploy policies
• Automates QoS policy creation and application
- Creates class and policy maps and attaches to interfaces automatically
• Accelerates voice and video deployments
- Simplified QoS configuration provides faster deployment and easier support

Cisco Auto-QoS employs the MQC model. Instead of using certain global configurations (like
mls qos and QoS DBL), Cisco Auto-QoS applied to any interface configures several global
class maps and policy maps.
Cisco Auto-QoS matches traffic and assigns each matched packet to QoS groups. This
matching allows the output policy map to put specific QoS groups into specific queues,
including into the priority queue.
QoS is needed in both directions, on inbound and outbound. Inbound, the switch port needs to
trust the differentiated services code point (DSCP) in the packet (done by default). Outbound,
the switch port needs to give voice packets “front of line” priority. If voice or video is delayed
too long by waiting behind other packets in the outbound queue, the end host drops the packet.
This packet dropping happens because the packet arrives outside of the receive window for that
packet.

Note Cisco Auto-QoS cannot be applied to EtherChannel interfaces or VLANs.

[Figure: trust boundary examples on a Catalyst 4500E with an IP phone and a PC.]

Unconditionally Trusted Endpoints Example (IP Phone + PC)
- Trust CoS from phone
- Trust DSCP from PC
- Trust boundary
  qos trust device cisco-phone
  qos trust extend

Conditionally Trusted Endpoints Example (IP Phone + PC)
- Trust CoS from IP phone
- Trust DSCP from PC
- CoS 0 written by IP phone
  qos trust device cisco-phone

In the first example that is shown in the figure, the Cisco Auto-QoS VoIP trusts the marked
frames and datagrams from the telephone. Auto-QoS tells the phone not to change any marked
DSCP values of the IP datagrams sent from the PC to the switch.
In the second example that is shown in the figure, the Cisco Auto-QoS VoIP also trusts the QoS
values of the phone, but the phone changes the DSCP value of the IP datagrams sent by the
switches to zero.

[Figure: trust boundary examples on a Catalyst 4500E with an IP phone and a PC.]

Device Trust Override Example (IP Phone + PC)
- Trust CoS from IP phone
- Trust DSCP from PC
- CoS 2 written by IP phone for PC
  qos trust device cisco-phone
  qos trust extend cos 2

Untrusted Example
- PC DSCP/CoS rewritten to 0 by switch
  qos trust device cisco-phone

In the figure, the phone at the top is again trusted and the phone marks the traffic of the
connected device to a class of service (CoS) of two.
In the bottom example that is shown, the traffic from the PC will be rewritten to the default
CoS that is configured on the interface of the switch.

Cisco Auto Smartports
This topic describes Cisco Auto Smartports macros.

Challenges
- Manual configuration of every port
  - Devices move
- Wasted ports: preconfigured dedicated interfaces and no device
- Unsure how to mix multiple features together
- Not knowing what is connected
  - Which interface has the printer?
  - What is attached on every interface?

Solution Provided by ASP
- Configuration moves with device
- Interfaces in ready state waiting for a device to attach
  - More efficient use of valuable ports
- Best practices for mixing interface-level configurations
- Device classification

[Figure: Auto Smartports sits between the switches in the network and the endpoint devices connected to the network.]

Auto Smartports provides automatic configuration as devices connect to the switch port,
allowing auto detection and plug-and-play of the device onto the network.
Auto Smartports uses triggers to map macros to the source port of the event. Triggers are events
that tell the switch that a known device is detected. Macros are a set of device-specific interface
CLIs that get applied to a port. The most common triggers are based on Cisco Discovery
Protocol and Link Layer Discovery Protocol (LLDP) messages that are received from a connected
device. A Cisco Discovery Protocol event trigger occurs when the following devices are
detected:
 Cisco switch
 Cisco router
 Cisco IP phone
 Cisco wireless access point including autonomous and lightweight access points
 Cisco IP video surveillance camera
Additional event triggers for Cisco and third-party devices are user-defined MAC address
groups, MAC authentication bypass (MAB) messages, IEEE 802.1X authentication messages,
and LLDP messages.
LLDP supports a set of attributes that are used to discover neighbor devices. These type, length,
and value attributes and descriptions are referred to as TLVs. LLDP-supported devices use
TLVs to receive and send information. This protocol advertises details such as device
configuration information, capabilities, and identity. Auto Smartports uses the LLDP system
capabilities TLVs as the event trigger. Use the event trigger control feature to specify if the
switch applies a macro that is based on the detection method, device type, or configured trigger.

You can also create user-defined macros by using the Cisco IOS Shell scripting capability,
which is a Bourne again shell (bash)-like language syntax for command automation and
variable replacement.
Static Smartports macros provide port configurations that you apply manually based on the
device that is connected to the port. When you apply a static macro, the macro CLI commands
are added to the existing port configuration. When there is a link-down event on the port, the
switch does not remove the static macro configuration.
You can designate a remote server location for user-defined macro files. You can then update
and maintain one set of macro files for use by multiple switches across the network.
The macro persistence feature keeps macro configurations applied on the switch ports
regardless of link-down events. This eliminates repeated system log and configuration
change notifications when the switch has link-up and link-down events or is a domain member
or an endpoint in a Cisco EnergyWise network.

Auto Smartports and Cisco Medianet


Cisco Medianet enables intelligent services in the network infrastructure for a variety of video
applications. A service of Medianet is autoprovisioning for Cisco Digital Media Players
(DMPs) and Cisco IP video surveillance cameras through Auto Smartports. The switch
identifies Cisco and third-party video devices by using Cisco Discovery Protocol, 802.1X,
MAB, LLDP, and MAC addresses. The switch applies the applicable macro to enable the
appropriate VLAN, standard QoS, and auto-QoS settings for the device. The switch also uses a
built-in MAC address group to detect the legacy Cisco DMP, based on an Organizationally
Unique Identifier (OUI) of 4400 or 23ac00. You can also create custom user-defined macros
for any video device.

• Order of events for IP phone attachment and configuration applied (phone side / switch side):
1. Attach IP phone to interface Gig 1/0/4 / Attach IP phone to interface Gig 1/0/4
2. Power up via PoE / Apply power to Gig 1/0/4
3. Exchange CDP/LLDP with switch / Exchange CDP/LLDP with device
4. Get voice VLAN config / Detects if device is an IP phone
5. Register with Call Manager / Apply CISCO_IP_PHONE_MACRO to Gig 1/0/4

Contents of macro:
- Voice and data VLAN applied
- QoS applied
- Cisco best practice security applied to IP phone interface

Enable Auto Smartports macros globally on a switch using the macro auto global processing
global configuration command.
Once the device has powered on and is able to pass information, the Auto Smartports
(ASP)-enabled switch snoops incoming packets for the following:
 Source MAC address
 Cisco Discovery Protocol
 LLDP
 DHCP discover from end device
If the source MAC address matches a MAC OUI configured on the switch, that match takes
precedence. Otherwise, Cisco Discovery Protocol and LLDP are used to determine the device
type. If none of the above work, then DHCP options are used to determine the device.
Once the device type is determined, a predefined macro (in this case,
CISCO_IP_PHONE_MACRO) is applied to the interface to which the device connected. That
macro contains a set of CLI commands that can execute any number of configurations for the
port. In this example, the macro applies voice and data VLANs, QoS, and best practice security
features.
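An added example, not Cisco's implementation, modelling the detection order just described (MAC OUI group first, then CDP/LLDP, then DHCP) together with per-port disabling and the macro persistence behaviour described earlier; the classification tables, the MAC group and the EXAMPLE_* macro names are constructed, and only the two CISCO_*_AUTO_SMARTPORT names come from the guide's show output.

```python
"""Model of Auto Smartports trigger precedence and macro persistence.
Added example, not Cisco code; tables and MAC group are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Trigger:
    """What the ASP-enabled switch snooped on a port after the device powered up."""
    mac: str
    cdp_type: Optional[str] = None            # device type from a CDP advertisement
    lldp_capability: Optional[str] = None     # LLDP system-capabilities TLV
    dhcp_vendor_class: Optional[str] = None   # vendor class from the DHCP discover


# Device type -> macro. The phone and access-point names appear in the guide's
# 'show macro auto device' output; the other two are hypothetical placeholders.
MACROS = {
    "phone": "CISCO_PHONE_AUTO_SMARTPORT",
    "access-point": "CISCO_AP_AUTO_SMARTPORT",
    "media-player": "EXAMPLE_DMP_MACRO",
    "ip-camera": "EXAMPLE_IPCAM_MACRO",
}
# Constructed user-defined MAC address group: OUI (first 6 hex digits) -> device.
MAC_GROUPS = {"001122": "media-player"}
# Constructed CDP / LLDP / DHCP classification tables.
CDP_TYPES = {"cisco-phone": "phone", "cisco-ap": "access-point"}
LLDP_CAPABILITIES = {"telephone": "phone", "wlan-access-point": "access-point"}
DHCP_VENDOR_CLASSES = {"Cisco IP Camera": "ip-camera"}


def oui(mac: str) -> str:
    """Normalise '0011.2233.4455' or '00:11:22:33:44:55' to its 6-hex-digit OUI."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return digits[:6]


def classify(t: Trigger) -> Tuple[Optional[str], Optional[str]]:
    """Return (device_type, detection_method) in the guide's precedence order."""
    if oui(t.mac) in MAC_GROUPS:                    # MAC OUI match wins outright
        return MAC_GROUPS[oui(t.mac)], "mac-group"
    if t.cdp_type in CDP_TYPES:                     # then CDP ...
        return CDP_TYPES[t.cdp_type], "cdp"
    if t.lldp_capability in LLDP_CAPABILITIES:      # ... and LLDP
        return LLDP_CAPABILITIES[t.lldp_capability], "lldp"
    if t.dhcp_vendor_class in DHCP_VENDOR_CLASSES:  # DHCP options last
        return DHCP_VENDOR_CLASSES[t.dhcp_vendor_class], "dhcp"
    return None, None                               # unknown: no macro applied


@dataclass
class Port:
    name: str
    auto_processing: bool = True     # False after 'no macro auto processing'
    persistent: bool = False         # macro persistence feature
    applied_macro: Optional[str] = None


def link_up(port: Port, t: Trigger) -> Optional[str]:
    """Apply the macro for the detected device; returns the macro name or None."""
    if not port.auto_processing:
        return None
    device, _method = classify(t)
    if device is None:
        return None
    port.applied_macro = MACROS[device]
    return port.applied_macro


def link_down(port: Port) -> Optional[str]:
    """Without persistence the macro is removed on link-down; with it, it stays."""
    if not port.persistent:
        port.applied_macro = None
    return port.applied_macro
```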
There are a number of built-in macros for well-known devices:
 Access-point
 IP-camera
 Lightweight-ap
 Media-player
 Phone
 Router
 Switch

The content of these macros can be seen with the show macro auto device name command.
There are some optional steps that can be taken when configuring ASP:
 Use your switch-specific values to replace macro default parameter values.
 Configure MAC address groups.
 Configure macro persistence.
 Configure built-in macro options.
 Create user-defined event triggers.
 Configure user-defined macros.

• Enable Auto Smartports macros globally on a switch using the macro auto global processing global configuration command.
• Additionally, disable the Auto Smartports macro per interface using the no macro auto processing interface configuration command.
Switch# configure terminal
Switch(config)# macro auto global processing
Switch(config)# interface gigabitethernet0/4
Switch(config-if)# no macro auto processing
[Figure: Catalyst 3850 with interfaces Gi 0/1 and Gi 0/4.]

Use the macro auto global processing global configuration command to globally enable
macros on the switch. To disable macros on a specific port, use the no macro auto processing
command in interface mode.
Use the macro auto processing interface configuration command to enable macros on a
specific interface. To disable macros on a specific interface, use the no macro auto processing
interface configuration command.
The figure shows an example where Auto Smartports macros are globally enabled on a switch
and then disabled on one Gigabit Ethernet interface, gigabitethernet0/4.

• Use show macro auto command to verify Auto Smartports macro
information.
Switch# show macro auto device

<output omitted>

Device:access-point
Default Macro:CISCO_AP_AUTO_SMARTPORT
Current Macro:CISCO_AP_AUTO_SMARTPORT
Configurable Parameters:NATIVE_VLAN
Defaults Parameters:NATIVE_VLAN=1
Current Parameters:NATIVE_VLAN=1

Device:phone
Default Macro:CISCO_PHONE_AUTO_SMARTPORT
Current Macro:CISCO_PHONE_AUTO_SMARTPORT
Configurable Parameters:ACCESS_VLAN VOICE_VLAN
Defaults Parameters:ACCESS_VLAN=1 VOICE_VLAN=2
Current Parameters:ACCESS_VLAN=1 VOICE_VLAN=20

<output omitted>


Use the show macro auto device privileged EXEC command to display the configurable Auto
Smartports macro parameters for a device.
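As an added example (not Cisco tooling), a small audit of show macro auto device output that reports any device whose macro or parameters deviate from the built-in defaults, such as the VOICE_VLAN=20 override shown above; the sample output is constructed in the format the guide shows, and the user-defined macro name in the second sample is a placeholder.

```python
"""Audit of 'show macro auto device' output for overrides of built-in
Auto Smartports macros and parameters. Added example; samples constructed."""
from typing import Dict, List, Tuple

# Constructed sample in the format shown above.
SAMPLE = """\
<output omitted>

Device:access-point
Default Macro:CISCO_AP_AUTO_SMARTPORT
Current Macro:CISCO_AP_AUTO_SMARTPORT
Configurable Parameters:NATIVE_VLAN
Defaults Parameters:NATIVE_VLAN=1
Current Parameters:NATIVE_VLAN=1

Device:phone
Default Macro:CISCO_PHONE_AUTO_SMARTPORT
Current Macro:CISCO_PHONE_AUTO_SMARTPORT
Configurable Parameters:ACCESS_VLAN VOICE_VLAN
Defaults Parameters:ACCESS_VLAN=1 VOICE_VLAN=2
Current Parameters:ACCESS_VLAN=1 VOICE_VLAN=20

<output omitted>
"""
# Constructed variant: the phone macro replaced by a hypothetical user-defined one.
SAMPLE_CUSTOM = SAMPLE.replace("Current Macro:CISCO_PHONE_AUTO_SMARTPORT",
                               "Current Macro:MY_PHONE_MACRO")


def _params(value: str) -> Dict[str, str]:
    """'ACCESS_VLAN=1 VOICE_VLAN=20' -> {'ACCESS_VLAN': '1', 'VOICE_VLAN': '20'}"""
    out: Dict[str, str] = {}
    for item in value.split():
        name, _, val = item.partition("=")
        out[name] = val
    return out


def parse_macro_auto_device(text: str) -> Dict[str, Dict[str, object]]:
    """Return {device: {'default_macro', 'current_macro', 'defaults', 'current'}}."""
    devices: Dict[str, Dict[str, object]] = {}
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):
            continue                          # blank line or '<output omitted>'
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Device":
            current = {"defaults": {}, "current": {}}
            devices[value] = current          # 'Device:' opens a new block
        elif key == "Default Macro":
            current["default_macro"] = value
        elif key == "Current Macro":
            current["current_macro"] = value
        elif key == "Defaults Parameters":
            current["defaults"] = _params(value)
        elif key == "Current Parameters":
            current["current"] = _params(value)
    return devices


def deviations(devices: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str, str]]:
    """(device, item, default, current) for every macro or parameter override."""
    found: List[Tuple[str, str, str, str]] = []
    for device, info in devices.items():
        if info.get("current_macro") != info.get("default_macro"):
            found.append((device, "macro",
                          str(info.get("default_macro")), str(info.get("current_macro"))))
        defaults: Dict[str, str] = info["defaults"]  # type: ignore[assignment]
        current: Dict[str, str] = info["current"]    # type: ignore[assignment]
        for name, default in defaults.items():
            now = current.get(name, default)
            if now != default:
                found.append((device, name, default, now))
    return found
```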

Cisco Smart Install
This topic describes Cisco Smart Install.

Challenges
- Branch office locations with not-so-technical staff
- Hard to maintain IOS and configuration consistency across a large number of switches
- Upgrading code on a large number of clients is cumbersome and time consuming

Solution Provided by Smart Install
- Zero touch, so anyone can install a client switch
  - No need to travel for installs/replacements
- Automated image and configuration management ensures consistency across clients
- Automated upgrades can be pushed from the director to all clients in a group

[Figure: Catalyst 6500 Supervisor 2T as the Smart Install director, with the switches in the network below it and the endpoint devices connected to the network.]

Smart Install is a plug-and-play configuration and image-management feature that provides
zero-touch deployment for new switches. You can ship a switch to a location, then place it in
the network, and then power it on with no configuration required on the device.
A network using Smart Install includes clients that are served by the director. Director acts as a
single point of management and provides image and configuration downloads for any client
switch. The figure shows the Catalyst 6500 Series Sup 2T switch acting as director in the
campus network. This setup shows positioning of the Catalyst 6500 as the lead backbone
switch.
Supported switch platforms as of December 2012 are as follows:
 Director Cisco Catalyst Switches:
— 6500 Series Supervisor Engine 2T, 4500E Supervisor Engine 7-E,
— 4500E Supervisor Engine 7L-E, 4500 Supervisor 6-E, 4500 Supervisor 6L-E,
— 3850, 3750-X, 3750-E, 3750-G, 3750V2-24FS, 3560-X, 3560-E, 3560-G, 3560V2-24S, 3560C
 Client Cisco Catalyst switches:
— Cisco Catalyst 3000 Series: 3850, 3750V2, 3750-E, 3750-X, 3560V2, 3560-E, 3560-X, 3560-C
— Cisco Catalyst 2000 Series: 2960, 2960-S, 2960-C, 2960-SF, 2360

Recommended Software Versions for Director Roles

Smart Install Director Model                 Software Version
Cisco Catalyst 6500 Supervisor Engine 2T     15.1.1-SY
Cisco Catalyst 4500                          15.1.2-SG or 3.4.0SG
Cisco Catalyst 3850                          3.2.0SE
Cisco Catalyst 3750 or 3560                  15.0(2)SE1


The Cisco Smart Install solution supports Cisco ISRs as Smart Install directors too. Supported
ISR platforms as of December 2012 are as follows:
 G1 series of Cisco ISRs: 1841, 2801, 2811, 2821, 2851, 3825, 3845
 G2 series of Cisco ISRs: 1921, 1941, 2901, 2911, 2921, 2951, 3925, 3945, 3925E, 3945E
For additional information about Cisco Smart Install supported hardware, refer to
http://www.cisco.com/en/US/docs/switches/lan/smart_install/configuration/guide/supported_devices.html.

• Director: Configures clients, providing switch plug-and-play
• Client: Gets the image and configuration from the director
• Groups: Classification of client switches based on switch model and other parameters for better management
• DHCP and TFTP Server: Serves IP addresses, image, and configuration files to client switches

Figure: Catalyst 3850 director switch with a central TFTP/DHCP server; client switches in Clients Group 1 and Clients Group 2.


A network using Smart Install includes a group of networking devices that are known as
clients. A common Layer 3 switch or router that acts as a director serves these clients. The
director provides a single management point for images and configuration of client switches.
When a client switch is first installed into the network, the director automatically detects the
new switch and identifies the correct Cisco IOS image and the configuration file for
downloading. It can allocate an IP address and hostname to a client. If a standalone switch in
the network is replaced by another switch of the same model, meaning a switch with the same
product ID, it automatically gets the same configuration and image as the previous one. The
director can also perform on-demand configuration and software image updates of a switch or a
group of switches in the network.
The director can act as a DHCP and TFTP server and can store the configuration and image
files. These files can also be stored on a third-party TFTP server for the director to use. This
type of storage is recommended when the topology has client switches of different models,
requiring different IOS images. The client can download the image and configuration files from
the director TFTP server or from a remote server.
In a typical Smart Install network, a client switch uses DHCP to get an IP address and the
director snoops DHCP messages. For a client to participate in Smart Install zero-touch upgrade,
it must use DHCP, and all DHCP communication must pass through the director so that it can
snoop all DHCP packets from clients. The most automatic operation is when all switches in the
Smart Install network use DHCP and are Smart Install-capable. However, any client switch that
supports the archive download-sw privileged EXEC command to download a software image
can be used in a zero-touch Smart Install network.
A client switch can participate in Smart Install even if not directly connected to the director.
The Smart Install network supports up to seven hops. Intermediate switches or clients that are
connected to the director through an intermediate switch in a multihop environment can be, but
do not have to be, Smart Install-capable switches.
The figure shows a Smart Install network with external DHCP and TFTP servers. There can be
only one director in any Smart Install network. The director can also serve as the DHCP and
TFTP server.

Figure: Smart Install zero-touch process (about 20 minutes end to end), showing the TFTP and DHCP servers, the director, the LAN/WAN, and client groups 1 and 2:
1. Director discovers the client via CDP.
2. New switch issues a DHCP discover.
3. Director adds options to the DHCP offer.
4. Client retrieves the image and config via TFTP.
5. Client reboots with the new configuration and image.


The figure describes the steps that are taken when a client is first connected to a Smart Install
director. Before connecting the client, there are some configuration steps that must be taken on
the director:
1. Configure the switch as the Smart Install director using the vstack director command and
enable Smart Install on the director using the vstack basic command.
Director# configure terminal
Director(config)# vstack director 10.0.0.33
Director(config)# vstack basic
2. Configure the DHCP scope for Smart Install client switches (if an external DHCP server is
not used).
Director(config)# vstack dhcp-localserver pool1
Director(config-vstack-dhcp)# address-pool 10.0.1.0 255.255.0.0
Director(config-vstack-dhcp)# default-router 10.0.0.33
Director(config-vstack-dhcp)# file-server 10.0.0.33
Director(config-vstack-dhcp)# exit
Director(config)# ip dhcp remember
3. Configure the default image using the vstack image command and the default configuration
using the vstack configuration command. This example shows local storage of these files,
but an external TFTP server can be used as well.
Director# configure terminal
Director(config)# vstack image flash:c2960-lanbase-tar.122-53SE.tar
Director(config)# vstack configuration flash:2960lanbase_configuration.txt
4. Configure assignment of the last three bytes of a switch MAC address in addition to a
common name (such as Client_Switch) for all new switch clients.
Director# configure terminal
Director(config)# vstack hostname-prefix Client_Switch
5. Use the write erase and reload commands to start the Zero Touch startup process for
preconfigured switches.
Director# write erase
Director# reload
Proceed with reload? [confirm]
Once these steps are complete, the director is ready to have clients attach to it. When the client
attaches to the director, the following happens in the background:
 The director discovers the client through DHCP snooping.
 The client gets an IP address on VLAN 1 from the DHCP pool on the director (if an external
DHCP server is not used).
 The download starts on the client, which takes 5 to 8 minutes. The steps of the download
include the following:
— The client downloads client_cfg.txt.
— The client downloads the configuration file.
— The client downloads the image file.
— The client switch reboots.

Note Do not press any key on the client switch at this time as it will terminate the Smart Install
operation.

• Client switches belong to multiple models.
- External TFTP server, new management VLAN, and EtherChannels
• Before you begin, copy image tar files for all client switch platforms to the TFTP server.

Figure: Catalyst 3850 director switch with a central TFTP/DHCP server; Clients Group 1 (3560E Series), Clients Group 2 (3750E Series), and Clients Group 3 (2960 Series).


The variety of client switches means that each client switch model will have its own unique
IOS image or configuration. In the example that is shown in the figure, an external TFTP server
is being used to meet the scalability requirements of multiple client switch IOS images,
configuration files, and so on. The external server also helps in a scenario where a topology has
multiple director switches.

Note When using external TFTP servers, write permissions can cause issues when the director
tries to copy image lists and backed up versions of the configuration. To overcome this
issue, create a subfolder in the TFTP server that allows complete read/write access to the
director.

To configure multiple client groups on the director, you must use either the vstack group
built-in or the vstack group custom command. The built-in groups are currently shipping
products, and the options for these shipping products can be seen by entering a question mark
(?) after built-in.
This example shows how to identify a group as Catalyst 3560 8-port Power over Ethernet (PoE)
switches and to enter Smart Install group configuration mode. It identifies the image to be
obtained through TFTP for the group as c3560-ipbase-mz.122-52.SE.tar, which contains the
3560 IP base image for 12.2(52)SE and identifies the configuration file as the 3560 IP Base
image.
Director(config)# vstack group built-in 3560 8poe
Director(config-vstack-group)# image tftp://1.1.1.10/c3560-ipbase-mz.122-52.SE.tar
Director(config-vstack-group)# config tftp://1.1.1.10/c3560-24-ipbase-config.txt
The custom option allows for the creation of a user-defined Smart Install group. There are four
options for custom groups:
 Connectivity: Matches a custom group that is based on connectivity or network topology.
All clients have the same upstream neighbor. If a client matches more than one group
characteristic, a connectivity match will take precedence over a stack match or product-ID
match, but not over a MAC address match.
 MAC: Matches a custom group consisting of switch MAC addresses. If a client matches
more than one group characteristic, a MAC address match takes precedence.
 Product ID: Matches a custom group that is based on the product ID.
 Stack: Matches a custom group that is based on switch stack membership. If a switch
matches more than one group characteristic, a stack match takes precedence over product
ID.
The following example shows how to identify a custom group named test that is based on
matching connectivity and to enter Smart Install group configuration mode. It specifies that the
group includes clients that are connected to the host with the IP address 2.2.2.2 with an
interface name of finance, and identifies the image and configuration to be obtained through
TFTP for the group:
Director(config)# vstack group custom test connectivity
Director(config-vstack-group)# match host 2.2.2.2 interface finance
Director(config-vstack-group)# image tftp://1.1.1.10/c3560-ipbase-mz.122-52.SE.tar
Director(config-vstack-group)# config tftp://1.1.1.10/3560-24-ipbaseconfig.txt

Figure (Smart Install hardening recommendations):
 Segment Smart Install functions:
— Create and utilize a dedicated VLAN/DHCP scope only for Smart Install operation
— Configure the Smart Install DHCP scope on the director switch
— Eliminate or severely restrict outside traffic into the Smart Install VLAN
— Enable Catalyst security features on every switchport in the Smart Install VLAN: DHCP Snooping, DAI, IP Source Guard, Port Security (maximum MAC addresses)
 Utilize the Join Window on the director:
— Schedule a time window for zero-touch image and config upgrades
— Clients cannot download an image or config outside the window
— Disable the TFTP server switchport or the TFTP service outside of the Join Window
— Configure a PACL on the TFTP server that only allows TFTP from the Smart Install VLAN DHCP scope
— Prune the Smart Install VLAN from trunks when not in use
Figure labels: director switch (6509) running the DHCP server for Smart Install VLAN 10 (VLAN 10 not routed); hardened TFTP server for client switch images and config (PACL: permit vlan10 tftp-server tftp); 3750X Smart Install client with its switchport in VLAN 10 and Catalyst security features enabled, performing a zero-touch install.


There are several recommendations for securing an infrastructure using Smart Install.
Join Window CLI:
Director(config)# vstack join-window start [date] hh:mm [interval] [end date] [recurring]
Port security maximum MAC addresses allowed CLI:
(config-if)# switchport port-security maximum number_of_addresses (a number greater than 10 is fine in most situations)
DHCP snooping and other switchport security information:
http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/dhcp_snooping.html
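As an added example (not part of the course material), the following Python script checks a Catalyst director's running-config against the checklist above: the join window, DHCP snooping and DAI on the Smart Install VLAN, port security with a MAC limit and IP Source Guard on every switchport in that VLAN, and pruning of that VLAN from trunks that do not need it. The sample configuration, its interface names and the join-window argument values are constructed; the parser only tests for the presence of the commands the course names, so adapt the patterns to your own platform's syntax.

```python
"""Audit a Catalyst director running-config against the Smart Install
hardening checklist: join window, DHCP snooping and DAI on the Smart
Install VLAN, port security plus IP Source Guard on every switchport in
that VLAN, and pruning of the VLAN from trunks that do not need it."""

# Constructed sample config (not from the course): one compliant access
# port, one access port missing its protections, and two trunks, one of
# which still carries the Smart Install VLAN 10. The join-window argument
# values are made up; only the command keyword is checked.
SAMPLE_CONFIG = """\
vstack director 10.0.0.33
vstack basic
vstack join-window start 2013 3 1 22:00 240 recurring
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 12
 ip verify source
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport trunk allowed vlan 20,30
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
"""


def parse_config(text):
    """Split an IOS-style config into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def vlan_in_allowed_list(vlan, allowed):
    """True if vlan falls inside an IOS allowed-VLAN list such as '10,20-30'."""
    for part in allowed.split(","):
        low, _, high = part.partition("-")
        if int(low) <= vlan <= int(high or low):
            return True
    return False


def audit_smart_install(config_text, si_vlan):
    """Return a sorted list of findings; an empty list means every check passed."""
    global_lines, interfaces = parse_config(config_text)
    findings = []
    if not any(l.startswith("vstack join-window start") for l in global_lines):
        findings.append("no join window: clients can download image/config at any time")
    if "ip dhcp snooping" not in global_lines:
        findings.append("DHCP snooping not enabled globally")
    if f"ip dhcp snooping vlan {si_vlan}" not in global_lines:
        findings.append(f"DHCP snooping not enabled on VLAN {si_vlan}")
    if f"ip arp inspection vlan {si_vlan}" not in global_lines:
        findings.append(f"DAI not enabled on VLAN {si_vlan}")
    for name, sub in interfaces.items():
        if f"switchport access vlan {si_vlan}" in sub:
            if "switchport port-security" not in sub:
                findings.append(f"{name}: port security not enabled")
            if not any(s.startswith("switchport port-security maximum ") for s in sub):
                findings.append(f"{name}: no port-security MAC limit")
            if "ip verify source" not in sub:
                findings.append(f"{name}: IP Source Guard not enabled")
        elif "switchport mode trunk" in sub:
            allowed = [s for s in sub if s.startswith("switchport trunk allowed vlan ")]
            # A trunk with no allowed list carries every VLAN, including si_vlan.
            if not allowed or vlan_in_allowed_list(si_vlan, allowed[0].rsplit(" ", 1)[1]):
                findings.append(f"{name}: Smart Install VLAN {si_vlan} not pruned from trunk")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_smart_install(SAMPLE_CONFIG, 10):
        print("FINDING:", finding)
```

Run it against a saved `show running-config` to get one line per gap; a clean run returns an empty list. The trunk check is deliberately strict: a trunk with no allowed-VLAN list is reported because it carries the Smart Install VLAN by default.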

Smart Install Directors (figure, left side):
 Catalyst 6500 Sup 2T (software version 15.1.1-SY)
 Catalyst 4500 Sup 7 and Sup 6 (software version 3.4.0SG / 15.1.2-SG)
 Catalyst 3K: 3850 (software version 3.2.0SE); 3750, 3750G, 3750v2, 3750E, 3560, 3560v2, 3560E, 3560G, 3750X, 3560X (recommended: 12.2.(58)SE2)
 ISR Branch Router: G1: 1841, 2801, 2811, 2821, 2851, 3825, 3845; G2: 1921, 1941, 2901, 2911, 2921, 2951, 3925, 3945, 3925E, 3945E, NM-16-ESW (minimum release: 15.1.(3)T1)
Smart Install Clients (figure, right side):
 Catalyst 3K: 3850, 3750, 3750v2, 3750E, 3750G, 3750X, 3560, 3560v2, 3560E, 3560G, 3560X
 Catalyst 2K: 2960, 2960S, 2960G, 2960SF
 Catalyst 2K/3K Compact: 2960C, 3560C


The left side of the figure shows Cisco devices capable of acting as Smart Install directors.
The right side of the figure shows Cisco devices that are supported as Smart Install clients.
The Catalyst 3000 series, when stacked, can act as director.
The latest additions to the list of Smart Install directors are the 6500 Sup 2T and the 4500 Sup 7
and Sup 6.

Cisco Easy Virtual Network
This topic describes the capabilities and characteristics of the Cisco EVN.

Figure: One physical network (VRF A–F, 40GE) serving many access devices: personal devices, corporate desktops, guest laptops, video surveillance, TelePresence units, and corporate voice.
• Simplified Network Design via MPLS, VRF-Lite and EVN
• Enhanced Security, Group Segregation, and Shared Services via Virtualized Firewalls
• Better Monitoring and Operations with VRF-Aware Services


A scalable solution is needed for keeping groups of users totally separate and centralizing
services and security policies. This separation must be kept while preserving the high
availability, security, and scalability benefits of the campus design. To deliver this separation, the
network design needs to effectively solve the following challenges:
 Access control: Help ensure that legitimate users and devices are recognized, classified,
and have authorized entry to their assigned portions of the network.
 Path isolation: Help ensure that the authenticated user or device is mapped to the correct
secure set of available resources—effectively, to the right VPN.
 Services edge: Help ensure that the right services are accessible to the legitimate set or sets
of users and devices, with centralized policy enforcement.
Network virtualization, which can be achieved in several ways, solves these challenges.
Virtualization technologies enable a single physical device or resource to act like it is multiple
physical versions of itself and to be shared across the network. Network virtualization is a
crucial element of the Cisco Unified Access architecture. One physical infrastructure can be
configured to support multiple different organizations or roles, helping enterprises optimize
resources and security investments. Other virtualization strategies include centralized policy
management, load balancing, and dynamic allocation. The use of virtualization enhances agility
and improves network efficiency, reducing both capital and operational expenses.

• It is a device virtualization technique to virtualize Layer 3 routing and forwarding.
• It allows the switch to maintain multiple routing and forwarding tables.
• Each VRF has its own interfaces.
• It allows overlapping address spaces, and complete Layer 2 and Layer 3 traffic isolation: virtual networks.

Routing table excerpts (figure):
VRF GREEN
     192.168.1.0/32 is subnetted, 1 subnets
C       192.168.1.102 is directly connected, Loopback12
VRF BROWN
     192.168.1.0/32 is subnetted, 1 subnets
C       192.168.1.102 is directly connected, Loopback11
GLOBAL TABLE
     192.168.255.0/32 is subnetted, 1 subnets
C       192.168.255.253 is directly connected, Loopback0


Multi-VRF Customer Edge (CE), where VRF stands for virtual routing and forwarding, is a feature that
allows a service provider to support two or more VPNs, where IP addresses can be overlapped among
the VPNs. Multi-VRF CE uses input interfaces to distinguish routes for different VPNs and
forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each
VRF. Interfaces in a VRF can be either physical, such as Ethernet ports, or logical, such as
VLAN switch virtual interfaces (SVIs). An interface cannot belong to more than one VRF at
any time.
Multi-VRF CE includes these devices:
 CE devices provide customers access to the service-provider network over a data link to
one or more provider edge (PE) routers. The CE device advertises the local routes of a site
to the router and learns the remote VPN routes from it. A Catalyst 3750-X or 3560-X
switch can be a CE.
 PE routers exchange routing information with CE devices by using static routing or a
routing protocol such as BGP, Routing Information Protocol version 2 (RIPv2), OSPF, or
EIGRP. The PE is only required to maintain VPN routes for those VPNs to which it is
directly attached. This limit eliminates the need for the PE to maintain all of the
service-provider VPN routes. Each PE router maintains a VRF for each of its directly connected
sites. Multiple interfaces on a PE router can be associated with a single VRF if all of these
sites participate in the same VPN. Each VPN is mapped to a specified VRF. After learning
local VPN routes from CEs, a PE router exchanges VPN routing information with other PE
routers by using Internal BGP (IBGP).
 Provider routers or core routers are any routers in the service provider network that do not
attach to CE devices.
With multi-VRF CE, multiple customers can share one CE, and only one physical link is used
between the CE and the PE. The shared CE maintains separate VRF tables for each customer
and switches or routes packets using its own routing table for each customer. Multi-VRF CE
extends limited PE functionality to a CE device. This design gives it the ability to maintain
separate VRF tables to extend the privacy and security of a VPN to the branch office.

Routing and VRF-Lite
In order to propagate route information within each VRF instance, the routing protocol needs to
be instantiated by using either a separate routing process (OSPF, IS-IS) or address family
(EIGRP, RIPv2). This feature is often referred to as the “VRF awareness” of the routing
protocol. All IPv4 routing protocols are VRF-aware, including static routes and policy-based
routing (PBR).

VRF-Lite Design Consideration


VRF-Lite transport is based on either IPv4 or IPv6 and does not require any additional
protocol. The drawback of this technology is that any addition of a new VRF requires either the
creation of a new tunnel interface or a new IEEE 802.1Q subinterface. As such, VRF-Lite is
manageable for networks with fewer numbers of VPNs and fewer numbers of hops in a VPN
path.
The Catalyst 4500E Series Switches do not support per-packet dynamic-path maximum
transmission unit (MTU) checking based on the IP destination address. The switch propagates the
Don't Fragment (DF) bit to the outer header when packets are sent over a tunnel. If the original packet
is equal to or smaller than the tunnel MTU, the original packet is encapsulated. The resulting
tunneled packet may subsequently be fragmented if it exceeds the MTU of the physical output
interface. The fragmentation process is performed in software.
If the encapsulated traffic is fragmented at the output physical interface or within the tunnel
path, the fragments will not be reassembled by the forwarding engine. Rather, they will be
punted to the control plane for reassembly.

Figure: Multi-VRF Network: R1 and R2 connected by three 802.1q subinterfaces, one per VRF. Easy Virtual Network: R1 and R2 connected by a single vnet trunk interface carrying 802.1q-tagged traffic for all virtual networks, with edge interfaces on each router.


Network virtualization is an economical way to provide traffic separation. Multiple virtualized
networks can be overlaid on a single physical infrastructure. A corporation may need to provide
traffic separation between different user groups. Traffic separation may be based on user role or
user group policies. For example, traffic separation may be required between different
departments in an organization. Third-party vendors may need to share selected network
resources. Due to corporation acquisitions and mergers, network access may need to be
partially restricted. Deploying a separate physical network for each user group increases capital
expenditures (CapEx) and operating expenses (OpEx) and may not be a viable way to provide
traffic separation. Many virtual networks with different security and routing polices can be built
over a single physical infrastructure without affecting the ability of end users to access needed
network resources.
EVN is a simplified LAN virtualization solution that helps enable network managers to provide
service separation on a shared network infrastructure. EVN uses existing technology to increase
the effectiveness of VRFs. Existing enterprise network architecture and protocols, as well as
concepts such as trunk and access interface, are preserved in the EVN architecture. In addition
to reutilizing Multi-VRF features, new components such as virtual network (VNET) trunk,
VNET tag, route replication, and management tools are introduced to provide a comprehensive,
pure-IP network segmentation solution.
Multi-VRF offers Multiprotocol BGP (MP-BGP) and label-free network segmentation
solutions, but requires a setup of hop-by-hop path isolation. Separate interfaces or subinterfaces
must be provisioned for each virtual network on core-facing interfaces on an end-to-end
virtualized path as shown in the top image in the figure. Network provisioning and management
could become repetitive and complex depending on the numbers of virtual networks and
numbers of hops that traffic needs to cross.
There are three virtual networks—Blue, Yellow, and Green—shown in the figure. Notice that
there are three separate interfaces that are dedicated for each between R1 and R2. Blue virtual
network traffic is forwarded over the interface and subinterface that is provisioned for the Blue
virtual network. This forwarding guarantees traffic separation in the forwarding plane. Virtual
network devices peer over separate routing instances providing control plane separation. For
example, the Blue VRF table holds Blue virtual network routes and the Yellow VRF table
holds Yellow virtual network routes.
Multi-VRF is manageable for networks with fewer numbers of virtual networks and fewer
numbers of hops in a virtual network path. As the numbers of virtual networks grow, new
interfaces and subinterfaces will need to be added, and the need for IP addresses and routing
will increase. This demand increases planning and provisioning overhead.

Traffic Separation in EVN


Path isolation can be achieved by using a unique tag for each virtual network. This tag is called
the VNET tag. Each virtual network carries the same tag value, assigned by a network
administrator, throughout the path. An EVN device in the virtual path uses the tags to provide traffic
separation among different virtual networks. This tag removes the dependency on physical and
logical interfaces to provide traffic separation. As illustrated in the figure, only a single trunk
interface is required to connect a pair of EVN devices. A trunk interface provides connectivity
between a pair of EVN devices and transports multiple virtual network traffic, whereas edge
interfaces connect to specific virtual network users. An edge interface is mapped to a specific
virtual network and is the point in the network where the VNET tag is applied to incoming
traffic from virtual network users. Traffic traversing from an EVN device to virtual network
users is untagged. Midpoint EVN devices do not remove, add, or swap tags.
EVN is a network virtualization solution that provides a pure IP alternative to Multiprotocol Label
Switching (MPLS) in enterprise networks for up to 32 virtual networks. It has the following
features:
 Uses an existing enterprise design, architecture, and protocols.
 Uses existing technology to increase the effectiveness of VRFs.
 Provides either an Interior Gateway Protocol (IGP)-only (OSPF, EIGRP) or IGP/Exterior
Gateway Protocol (EGP)-based alternative.
 Reintroduces familiar concepts for access and trunks to Layer 3.
 Can be deployed with traditional MPLS VPNs or MPLS VPNs over Multipoint Generic
Routing Encapsulation (mGRE).
 Can coexist with Multi-VRF deployments.
 Supports non-IP and IPv6 traffic through the EVN global table.
 Supports Protocol Independent Multicast (PIM) and Internet Group Management Protocol
(IGMP) with sparse mode (SM) and Source Specific Multicast (SSM) modes for Multicast
VPN (MVPN).
 Supports shared services using route replication.
 Includes enhanced troubleshooting and usability tools, which include routing context,
traceroute, debug condition, cisco-vrf-mib, and simplified VRF-aware SNMP
configuration.

Figure: R1, R2, and R3 connected over GigabitEthernet interfaces (R1 GigabitEthernet0/0/3 connects to R2); R1 configuration before and after EVN.

R1 Before EVN:
interface GigabitEthernet0/0/3.101
 description GE Connection to R2
 encapsulation dot1Q 101
 ip vrf forwarding yellow
 ip address 10.1.10.1 255.255.255.0
 ip pim query-interval 333 msec
 ip pim sparse-mode
!
interface GigabitEthernet0/0/3.102
 description GE Connection to R2
 encapsulation dot1Q 102
 ip vrf forwarding green
 ip address 10.1.10.1 255.255.255.0
 ip pim query-interval 333 msec
 ip pim sparse-mode
!
interface GigabitEthernet0/0/3.103
 description GE Connection to R2
 encapsulation dot1Q 103
 ip vrf forwarding blue
 ip address 10.1.10.1 255.255.255.0
 ip pim query-interval 333 msec
 ip pim sparse-mode

R1 After EVN:
vrf definition yellow
 vnet tag 101
 address-family ipv4
!
vrf definition green
 vnet tag 102
 address-family ipv4
!
vrf definition blue
 vnet tag 103
 address-family ipv4
!
interface GigabitEthernet0/0/3
 description GE Connection to R2
 vnet trunk
 ip address 10.1.10.1 255.255.255.0
 ip pim query-interval 333 msec
 ip pim sparse-mode

Simplified operations with VNET Trunk


The configuration in the figure shows that Multi-VRF has no trunk interface: a
subinterface for each VRF has to be configured manually. EVN generates the per-VRF
subinterfaces automatically and does not expand them in the configuration, which keeps the
configuration concise.
To configure EVN, use the vrf definition command to define the virtual network, the vnet tag
command to assign its VNET tag, and the address-family ipv4 command to declare that it carries
IPv4 prefixes.
Switch# configure terminal
Switch(config)# vrf definition Blue
Switch(config-vrf)# vnet tag 1003
Switch(config-vrf)# address-family ipv4

Note Notice that the virtual network name is case sensitive.

To set up a client-facing edge interface connecting to Blue VN users, use the vrf forwarding
command.
Switch# configure terminal
Switch(config)# interface gigabitethernet 0/0/2
Switch(config-if)# vrf forwarding Blue
Switch(config-if)# ip address 10.1.3.1 255.255.255.0
Note that a single trunk interface transporting multiple EVN traffic doesn’t require the vrf
forwarding command.
To set up the core-facing trunk interface, use the vnet trunk command.
Switch# configure terminal
Switch(config)# interface gigabitethernet 0/0/3
Switch(config-if)# vnet trunk
Switch(config-if)# ip address 10.1.10.1 255.255.255.0
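The following Python model is an added example, not Cisco code, of the forwarding behaviour the EVN configuration above produces: each VRF keeps its own routing table (so the same prefix can exist in two VRFs, as in the earlier GREEN/BROWN routing-table slide), an edge interface configured with vrf forwarding classifies untagged traffic into its VRF, and the single vnet trunk carries every VRF with its VNET tag. The Blue VRF with tag 1003 and its edge and trunk interfaces come from the configuration above; the Green VNET tag 102 is taken from the figure, and the Green edge interface GigabitEthernet0/0/1, the routes and the next hop 10.1.10.2 are assumed.

```python
"""Model of EVN path isolation: per-VRF routing tables, edge interfaces
that classify untagged traffic into a VRF, and a vnet trunk that carries
all VRFs, each marked with its VNET tag. Constructed example, not Cisco code."""
import ipaddress


class EvnRouter:
    def __init__(self):
        self.tag_of = {}      # vrf name -> VNET tag        (vrf definition / vnet tag)
        self.vrf_of_tag = {}  # VNET tag -> vrf name
        self.rib = {}         # vrf name -> {network: (next_hop, out_intf)}
        self.edge_vrf = {}    # edge interface -> vrf name  (vrf forwarding)
        self.trunks = set()   # interfaces configured with 'vnet trunk'

    def vrf_definition(self, name, vnet_tag):
        self.tag_of[name] = vnet_tag
        self.vrf_of_tag[vnet_tag] = name
        self.rib[name] = {}

    def vrf_forwarding(self, intf, vrf):
        self.edge_vrf[intf] = vrf

    def vnet_trunk(self, intf):
        self.trunks.add(intf)

    def add_route(self, vrf, prefix, next_hop, out_intf):
        self.rib[vrf][ipaddress.ip_network(prefix)] = (next_hop, out_intf)

    def lookup(self, vrf, dst):
        """Longest-prefix match confined to one VRF's table."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, entry in self.rib[vrf].items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, entry)
        return None if best is None else best[1]

    def forward(self, in_intf, dst, vnet_tag=None):
        """Return (vrf, out_intf, next_hop, egress_tag), or None if the packet is dropped.
        On a trunk the VNET tag selects the VRF; on an edge interface the interface does."""
        if in_intf in self.trunks:
            vrf = self.vrf_of_tag.get(vnet_tag)
        else:
            vrf = self.edge_vrf.get(in_intf)
        if vrf is None:
            return None                      # unknown tag or unassigned interface
        hit = self.lookup(vrf, dst)
        if hit is None:
            return None                      # no route in this VRF: isolation holds
        next_hop, out_intf = hit
        # The tag is applied only toward a trunk; traffic toward an edge
        # interface (virtual network users) leaves untagged.
        egress_tag = self.tag_of[vrf] if out_intf in self.trunks else None
        return vrf, out_intf, next_hop, egress_tag


def build_r1():
    """R1 from the course configuration plus constructed Green details."""
    r1 = EvnRouter()
    r1.vrf_definition("Blue", 1003)          # vrf definition Blue / vnet tag 1003 (course text)
    r1.vrf_definition("Green", 102)          # tag 102 taken from the figure
    r1.vrf_forwarding("GigabitEthernet0/0/2", "Blue")   # edge interface from the course text
    r1.vrf_forwarding("GigabitEthernet0/0/1", "Green")  # constructed edge interface
    r1.vnet_trunk("GigabitEthernet0/0/3")               # vnet trunk from the course text
    r1.add_route("Blue", "10.1.3.0/24", "connected", "GigabitEthernet0/0/2")
    r1.add_route("Blue", "10.1.1.0/24", "10.1.10.2", "GigabitEthernet0/0/3")  # assumed next hop
    # Same prefix as Blue's remote subnet, but connected locally inside Green.
    r1.add_route("Green", "10.1.1.0/24", "connected", "GigabitEthernet0/0/1")
    return r1


if __name__ == "__main__":
    r1 = build_r1()
    print(r1.forward("GigabitEthernet0/0/2", "10.1.1.20"))               # Blue, tagged 1003 on trunk
    print(r1.forward("GigabitEthernet0/0/1", "10.1.1.20"))               # Green, stays local
    print(r1.forward("GigabitEthernet0/0/3", "10.1.3.5", vnet_tag=1003)) # Blue edge, untagged
    print(r1.forward("GigabitEthernet0/0/3", "10.1.3.5", vnet_tag=102))  # dropped: not in Green
```

The two lookups for 10.1.1.20 resolve differently because the lookup never leaves the VRF selected by the ingress interface, and the trunk case with tag 102 is dropped rather than falling back to another VRF's table; that is the isolation property the VNET tag provides.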

BEFORE EVN                                   AFTER EVN
                                             Switch# routing-context vrf green
Switch# show ip route vrf green              Switch%green# show ip route
(Routing table output for green)             (Routing table output for green)
Switch# ping vrf green 10.1.10.1             Switch%green# ping 10.1.10.1
(Ping result using VRF green)                (Ping result using VRF green)
Switch# telnet 10.1.10.1 /vrf green          Switch%green# telnet 10.1.10.1
(Telnet to 10.1.1.1 in VRF green)            (Telnet to 10.1.1.1 in VRF green)
Switch# traceroute vrf green 10.1.10.1       Switch%green# traceroute 10.1.10.1
(Traceroute output in VRF green)             (Traceroute output in VRF green)

Simplified context-aware operations


Use the routing-context vrf command to select the virtual network and use various show
commands inside the routing context to verify virtual network-specific configuration, which is
isolated within a specified VRF.
Use this command to set the VRF context before entering several privileged EXEC commands
that you want to apply to the same VRF. This command saves you from repeatedly entering a
VRF name in several commands while entering EXEC commands that apply to a single VRF.
When in a routing context, the system prompt changes to indicate the routing context being
used. Commands that can be used in a routing context are ping, show ip route, telnet, and
traceroute.
The routing-context vrf green command enters routing context green.

BEFORE EVN (VRF-Lite shared services with BGP import/export):
ip vrf SHARED
 rd 3:3
 route-target export 3:3
 route-target import 1:1
 route-target import 2:2
!
ip vrf RED
 rd 1:1
 route-target export 1:1
 route-target import 3:3
!
ip vrf GREEN
 rd 2:2
 route-target export 2:2
 route-target import 3:3
!
router bgp 65001
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf SHARED
  redistribute ospf 3
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute ospf 1
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf GREEN
  redistribute ospf 2
  no auto-summary
  no synchronization
 exit-address-family

AFTER EVN (shared services with route replication):
vrf definition SHARED
 address-family ipv4
  route-replicate from vrf RED unicast all route-map red-map
  route-replicate from vrf GREEN unicast all route-map grn-map
!
vrf definition RED
 address-family ipv4
  route-replicate from vrf SHARED unicast all
!
vrf definition GREEN
 address-family ipv4
  route-replicate from vrf SHARED unicast all

Shared Services Benefits with EVN:
• No BGP required
• No Route Distinguisher required
• No Route Targets required
• No Import/Export required
• Simple Deployment
• Supports both Unicast and Multicast

Simplified shared services


There are some common services (such as database servers and application servers) that
multiple virtual networks need to access. Shared services are beneficial for the following
reasons:
 Services are usually not duplicated for each group.
 Sharing services is economical.
 Sharing services is efficient and manageable.
 Policies can be centrally deployed.
To achieve route separation, you could replicate the service, either physically or virtually, one
service for each virtual network. However, that solution might not be cost effective or feasible.
For a router that supports EVN, the solution is to perform route replication and route
redistribution, which is a simple deployment. Route replication requires no BGP, no route
distinguishers (RDs), no route targets, and no import or export. Route replication allows shared
services because when routes are replicated between virtual networks, clients who reside in one
virtual network can reach prefixes that exist in another virtual network.
In VRF-Lite, route leaking is achieved, via BGP, by using the route import/export feature. In
fact, the BGP import and export method of copying routes between VRFs works with both
VRF-Lite and EVN. However route replication is the simpler alternative to enable sharing of
common services across multiple virtual networks.
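As an added example that is not part of the course material, the following Python script parses both leaking mechanisms described above, EVN route-replicate statements and BGP route-target import/export, from an IOS-style configuration and flags any tenant-to-tenant leak, the case that defeats the route separation the lesson is aiming for. The VRF names, vnet tags and route targets in the embedded sample configuration are constructed for the example, not taken from the lab.

```python
"""Audit which VRFs can receive routes from which other VRFs.

Added example, not course material or Cisco tooling. The sample configuration,
its VRF names, vnet tags and route targets are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: SHARED is the shared-services VRF, RED and GREEN are tenants.
SAMPLE_CONFIG = """\
vrf definition SHARED
 address-family ipv4
  route-target export 3:3
  route-replicate from vrf RED unicast all
  route-replicate from vrf GREEN unicast all
 exit-address-family
!
vrf definition RED
 vnet tag 100
 address-family ipv4
  route-target export 1:1
  route-replicate from vrf SHARED unicast all
 exit-address-family
!
vrf definition GREEN
 vnet tag 200
 address-family ipv4
  route-target import 1:1
  route-replicate from vrf SHARED unicast all route-map ONLY-SERVERS
  route-replicate from vrf RED unicast connected
 exit-address-family
!
"""

VRF_RE = re.compile(r"^(?:vrf definition|ip vrf) (\S+)$")
RT_RE = re.compile(r"^\s+route-target (import|export|both) (\S+)$")
REPL_RE = re.compile(
    r"^\s+route-replicate from vrf (\S+) unicast (\S+)(?: route-map (\S+))?$")


def parse_vrfs(config_text):
    """Return {vrf: {"import": set, "export": set, "replicate": [(src, proto, rmap)]}}."""
    vrfs, current = {}, None
    for line in config_text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue                      # separator lines do not end a block
        m = VRF_RE.match(line)
        if m:
            current = m.group(1)
            vrfs.setdefault(current, {"import": set(), "export": set(), "replicate": []})
            continue
        if not line[0].isspace():
            current = None                # any other top-level command ends the vrf block
            continue
        if current is None:
            continue
        m = RT_RE.match(line)
        if m:
            kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                vrfs[current][kind].add(m.group(2))
            continue
        m = REPL_RE.match(line)
        if m:
            vrfs[current]["replicate"].append((m.group(1), m.group(2), m.group(3)))
    return vrfs


def leak_graph(vrfs):
    """Return {dest_vrf: {src_vrf: [reason, ...]}}: every way routes can enter dest."""
    graph = defaultdict(lambda: defaultdict(list))
    for dest, d in vrfs.items():
        for src, proto, rmap in d["replicate"]:
            filt = f"route-map {rmap}" if rmap else "unfiltered"
            graph[dest][src].append(f"EVN route-replicate unicast {proto} ({filt})")
        for src, s in vrfs.items():       # BGP leak: dest imports an RT that src exports
            if src != dest:
                for rt in sorted(d["import"] & s["export"]):
                    graph[dest][src].append(f"BGP route-target {rt}")
    return {dest: dict(srcs) for dest, srcs in graph.items()}


def unexpected_leaks(graph, shared_vrf="SHARED"):
    """Flag leaks between two tenant VRFs; leaks to or from the shared VRF are the design intent."""
    findings = []
    for dest, sources in graph.items():
        for src, reasons in sources.items():
            if shared_vrf in (src, dest):
                continue
            findings.extend((dest, src, r) for r in reasons)
    return sorted(findings)


if __name__ == "__main__":
    for dest, src, reason in unexpected_leaks(leak_graph(parse_vrfs(SAMPLE_CONFIG))):
        print(f"tenant-to-tenant leak: {src} -> {dest} via {reason}")
```

Running it against a production configuration (`show running-config`) lists any path by which one tenant's prefixes reach another tenant, whichever of the two mechanisms created it.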

The following are best practice guidelines for customers to follow when
using the features discussed in this module:
1. When using Cisco NSF, all attached neighbors must be Cisco NSF-aware.
2. When using VSS, dual-home devices with MEC, to achieve the highest level of
resiliency.
3. When using Quad Supervisor VSS SSO, use all four supervisor uplinks to form the
VSL.
4. Cisco NSF and SSO must be enabled for VSS to work with Catalyst 4500
switches.
5. Use Auto Smartports to ensure best practice configurations are deployed
consistently across the infrastructure.
6. When using Smart Install, use a dedicated TFTP server for a large number of
clients. Otherwise, the TFTP function can be hosted on the Director.
7. Use the Catalyst Integrated Security Toolkit (CIST) and Join Window functions to
secure Smart Install.
8. Eliminate or severely restrict outside traffic into the Smart Install VLAN.
9. Do not touch the Smart Install Client until Smart Install completes or else the
operation will fail.
10. Utilize EVN in VRF-Lite environments to simplify deployment and management.

The figure describes some of the best practice recommendations when deploying a Cisco
Unified Access wired infrastructure.

Feature                 Catalyst 3850                    Catalyst 4500E/X          Catalyst 6500/6800
Stacking                Stackwise-480                    No                        No
Redundant Supervisors   N/A                              Yes                       Yes
NSF/SSO                 Yes                              Yes                       Yes
VSS                     No                               Yes                       Yes
ISSU/EFSU               No                               ISSU with 4500-E only     EFSU (not with 6880-X)
Auto-QoS                Yes                              Yes                       Yes
Auto Smartports         Yes                              Yes                       Roadmap
Smart Install           Yes (Client and Director)        Yes (Director)            Yes (Director)
VRF-Lite/EVN            VRF-Lite – Yes; EVN – Roadmap    Yes                       Yes

For Roadmap information please check with your respective product management team for the most current release timeframe.
* Operating systems running on LAB devices are supporting these features.

The figure shows a per-platform support matrix for all of the major features that are discussed
in this module.

[Figure: HTA Network Design (UA Champions Boot Camp lab topology)]

Core and distribution: hta6503 (10.1.1.1) and hta4503 (10.1.1.2), connected by a Layer 3 port channel (Po2: Ten2/4, Ten2/5).
Management, policy and wireless infrastructure: AD1 (10.1.10.10*), ISE (10.1.3.20), Primehta (10.1.3.101), hta-mse (10.1.3.110), hta5508 (10.1.5.50), hta5760 (10.1.5.55); trunk uplinks carry VLAN 3 and VLAN 5 (Mgmt).
Access layer: hta3850-stack (10.1.1.3), hta3850-standalone (10.1.2.2) and hta3750-stack (10.1.2.130) in Bldg. 1, Bldg. 2 and Bldg. 3, each with a Windows 7 PC (W7-PC1, W7-PC2, W7-PC3) and an access point (AP1, AP2, AP3).
Legend: Layer 2 trunk single link, Layer 2 port channel, Layer 3 port channel, routed link.

hta6503 VLAN/SVI:
· 3 – Wired Mgmt
· 5 – Wireless Mgmt
· 10 – HTA Servers
· 200 – hta-employee-wlan
· 220 – hta-guest-wlan
· 230 – hta-voice-wlan
· 240 – BYOD-WLAN
· 245 – BYOD-REGISTER

hta4503 VLAN/SVI:
· 22 – hta-ap2, 23 – hta-ap3
· 52 – hta-voice2, 53 – hta-voice3
· 102 – hta-employee2, 103 – hta-employee3
· 122 – hta-guest2, 123 – hta-guest3
· 202 – hta-employee2-wlan, 222 – hta-guest2-wlan, 232 – hta-voice2-wlan
· 502 – hta-backbone2, 503 – hta-backbone3

Bldg. 1 VLAN/SVI: 21 – hta-ap1, 51 – hta-voice1, 101 – hta-employee1, 121 – hta-guest1, 201 – hta-employee1-wlan, 221 – hta-guest1-wlan, 231 – hta-voice1-wlan
Bldg. 2 VLAN/SVI: 22 – hta-ap2, 52 – hta-voice2, 102 – hta-employee2, 122 – hta-guest2, 202 – hta-employee2-wlan, 222 – hta-guest2-wlan, 232 – hta-voice2-wlan
Bldg. 3 VLAN/SVI: 23 – hta-ap3, 53 – hta-voice3, 103 – hta-employee3, 123 – hta-guest3

This figure represents the HTA Hospital’s network infrastructure. It will be used as a lab
topology in this course.

Summary
This topic summarizes the key points that were discussed in this lesson.

• Cisco Unified Access is an intelligent network platform, which is the
business foundation to support the BYOD trend and the Internet of
Everything.
• Cisco Unified Access wired architecture provides several high
availability features like Stackwise-480, dual supervisor engines, Cisco
NSF and SSO, VSS, and ISSU.
• Cisco Catalyst Smart Operations is a set of technologies and features to
simplify network planning, deployment, monitoring, and troubleshooting.
• Auto Smartports macros dynamically configure ports based on the
device type detected on the port.
• Smart Install is a plug-and-play configuration and image-management
feature that provides zero-touch deployment for new switches.
• Cisco Auto-QoS is used to easily deploy QoS on the access ports on the
campus switches.
• An IP-based network virtualization solution, EVN takes advantage of
VRF-Lite technology to simplify Layer 3 network virtualization.

Module Self-Check
Use the questions here to review what you learned in this module. The correct answers and
solutions are found in the Module Self-Check Answer Key.
Q1) Resiliency is a key feature needed to support BYOD and other critical Cisco Unified
Access wired infrastructures. Choose three platforms that support SSO, which provides
subsecond failovers. (Source: Wired Unified Access Infrastructure and Advanced
Features)
A) Catalyst 6500 series switches
B) Catalyst 4500E series switches
C) Catalyst 3850 series switches
D) Catalyst 3750-X series switches
E) Catalyst 3560-X series switch
Q2) Cisco NSF can provide hitless service continuity in the case of a control plane failure.
When designing a network to use Cisco NSF, what is the most important thing to
remember if Cisco NSF is to function as expected? (Source: Wired Unified Access
Infrastructure and Advanced Features)
A) When using Cisco NSF, all attached neighbors must be Cisco NSF-aware
B) VSS must be enabled for NSF and SSO to work with Catalyst 4500 switches
C) The IOS ISSU mechanism must be enabled
D) Smart Install functionality cannot be used in the network
E) EIGRP routing protocol must be used in order to utilize all Cisco NSF benefits
Q3) What feature should customers use if they want to automate and simplify the
deployment of QoS to support voice and video? (Source: Wired Unified Access
Infrastructure and Advanced Features)
A) Cisco Smart Install
B) Cisco Auto Smartports
C) Cisco AutoQoS
D) Cisco Easy Virtual Network
Q4) A customer tells you that they want to roll out a BYOD-capable network that will
support voice, video, and multiple other types of users and applications, but they need
to use the same infrastructure to support all of it. What are you going to recommend
and why? (Source: Wired Unified Access Infrastructure and Advanced Features)

Q5) A customer with multiple branch locations and a relatively large centralized campus is
about to install all new Catalyst 3850s to take advantage of the converged wired and
wireless capability. They have limited manpower due to budget and are looking for a
way to automate as much as possible. What would you recommend that can meet their
requirements? (Source: Wired Unified Access Infrastructure and Advanced Features)

Q6) A customer comes to you and says that they are having problems with the network
support team and its inability to roll out policies consistently across their infrastructure.
What will you suggest to help them solve this problem? (Source: Wired Unified Access
Infrastructure and Advanced Features)

Q7) Both the Catalyst 4500 and Catalyst 6500 support ISSU, which allows for 200 ms or
less of downtime during a code upgrade. (Source: Wired Unified Access Infrastructure
and Advanced Features)
A) true
B) false
Q8) A customer wants to deploy VSS in their campus distribution, but they want to have
one chassis in one building and the other chassis in another building. The VSL will run
500 feet between the two chassis, and all attached devices will connect to both chassis.
Would you tell them that this is a good idea? Why or why not? (Source: Wired Unified
Access Infrastructure and Advanced Features)

Q9) A customer is looking to roll out 3850s in their branches so they can take advantage of
the wireless termination locally. They have ISR G2s connecting to their corporate
campus and will use Smart Install to automate and simplify deployment and
management of the 3850s. They are asking for guidance on where to host the DHCP
and TFTP functions required by Smart Install. Would you recommend to host it locally
on the ISR G2 or remotely in the corporate offices? Why? (Source: Wired Unified
Access Infrastructure and Advanced Features)

Q10) A customer wants to deploy the new Catalyst 6880-X in their campus so that they can
save space in their racks. They want to use it as a Smart Install Director while running
VSS. Can they do this immediately or must they wait for these features to come in a
later code release? (Source: Wired Unified Access Infrastructure and Advanced
Features)

Module Self-Check Answer Key
Q1) A, B, C
Q2) A
Q3) C
Q4) The use of Unified Access (UA) Architecture - One Policy (Cisco ISE), One Management (Cisco Prime),
and One Network (wired, wireless, VPN access). UA brings together the security and mobility to deliver a
consistent access experience for users regardless of location or device.
Q5) The use of Cisco Catalyst Smart Operations Tools – Cisco Smart Install and Cisco Auto Smartports.
Q6) The use of One Policy (with Cisco Identity Services Engine (ISE) and TrustSec) as a world-class unified
policy platform and distributed enforcement.
Q7) A
Q8) Flexible deployment options are one of the benefits of the VSS. The underlying physical switches do not
have to be collocated. The two physical switches are connected with standard 10 Gigabit Ethernet
interfaces and as such can be located any distance based on the distance limitation of the chosen 10 Gigabit
Ethernet optics. For example, with X2-10GB-ER 10 Gigabit Ethernet optics, the switches can be located
up to 40 km apart.
Q9) When using Smart Install, use a dedicated TFTP and DHCP server for a large number of clients or many
different client platforms. Otherwise, the TFTP and DHCP function can be hosted on the Director.
Q10) Yes.

Module 2

One Management
Foundation—Basic Prime
Infrastructure Setup
Lesson 1

Prime Infrastructure Setup for Wired and Wireless Clients
Overview
This lesson describes the process of adding Cisco Prime Infrastructure (PI) to the HTA
Hospital’s wired network architecture, illustrating the concept of One Management. This
process will include implementing Cisco best practices for the initial configuration of PI as
design references for implementing PI to support the bring your own device (BYOD) use case.
This lesson also describes the features available in PI to support the Cisco Unified Access
architecture in the HTA Hospital network. These features include the following:
 User and device visibility features
 Service assurance features
 Readiness assessment for VoIP
 Best practice wizards for implementing features in Prime Infrastructure.
The lab builds upon the basic HTA Hospital network infrastructure from Module 1, adding PI
as the management foundation from which other labs will follow. You will configure a basic
setup of PI following best-practice guidelines and implementing features compatible with the
BYOD use case referenced in the lessons.

Objectives
Upon completion of this lesson, you will be able to explain and implement the best practices for
setting up PI to support a wired and wireless network. You will be able to meet these
objectives:
 Describe Prime Infrastructure
 Describe the advantages of having one management for both wired and wireless networks
 Describe the Prime Infrastructure workflow
 Describe PI lifecycle and assurance capabilities
 Describe how PI can help in operationalizing the Cisco advantage
Prime Infrastructure Overview, Direction, and Roadmap
This topic describes Cisco Prime Infrastructure, its key concepts and benefits.

• A single integrated solution for comprehensive lifecycle management of
wired and wireless access, campus, and branch networks.
• Utilizes rich performance data for end-to-end network visibility to assure
application delivery and optimal end-user experience.

Prime Infrastructure
Convergence Consolidation Cisco Advantage


Networks are being transformed and IT departments must be empowered to effectively manage
this transformation. Managing this transformation includes managing these issues:
 End-user demands for anywhere, anytime network access that is changing traditional
workplace borders.
 The use of intelligent mobile devices like Smartphones and tablets in the workplace is
changing the profile of end-user devices.
 Use of real-time video, multimedia, and Cisco TelePresence for collaboration and
communication.
 Business imperatives to save costs and implement green best practices.
Converged lifecycle and assurance management accelerate the rollout of unified access
services. These services provide highly secure access and tracking of mobile devices, while
assuring application performance and end-user network experience. Cisco Prime Infrastructure
couples end-user awareness and performance visibility with lifecycle management of wired and
wireless networks for a powerful unified solution that is called One Management. One
Management is a single pane of glass for your entire wired and wireless network infrastructure,
a single point of visibility for users and devices.
Cisco Prime Infrastructure provides the following benefits:
 Converged management of wired and wireless access, branch, and wide area networks.
 Comprehensive network lifecycle management, including user access visibility, inventory,
configuration management, plug and play, radio frequency planning, and best practices
reporting.

 End-to-end application and service assurance visibility to quickly isolate and troubleshoot
performance issues, leveraging technologies, such as Flexible NetFlow, Network-Based
Application Recognition (NBAR), and Medianet Performance Agent.
 Prime 360 Experience providing a relational, multidimensional view of users, applications,
and the network to simplify the diagnostics and remediation of network- and service-
impacting issues.
 Day zero/day one support.
 Easy deployment and management of Cisco advanced technologies, such as Cisco Adaptive
Wireless Intrusion Prevention System (wIPS), Cisco CleanAir, virtual private network
(VPN), zone-based firewall, ScanSafe, and the Cisco Application Visibility and Control
(AVC) solutions.
 Getting started and plug-and-play wizards for fast deployment.
 Faster troubleshooting.
The vision of One Management is realized through two key concepts:
 Lifecycle: Lifecycle provides day to day management of the entire network infrastructure
along with monitoring and troubleshooting functions.
 Assurance: Assurance provides network and application visibility to improve overall user
experience by leveraging embedded intelligence in the network.

• Converged wired and wireless,
campus, and branch management
• Centralized discovery, inventory,
configuration management,
SWIM, and proactive/reactive
monitoring
• Accelerated troubleshooting of
wired and wireless infrastructure
issues
• Customizable out-of-the-box
Cisco best practices and validated
design configuration templates for
wired and wireless devices
• Unified access management and
client tracking
• Infrastructure lifecycle reports—
EoX, Contract, PSIRT
• Plug and play for automated
deployment
• Third-party device support


Prime Infrastructure provides end-to-end lifecycle management which incorporates a unified,
single pane of glass view across both wired and wireless networks. Prime Infrastructure
lifecycle capabilities cover required day-to-day operation tasks. These tasks include the
following:
 Network and device discovery: PI uses various protocols to discover the existence of
devices in the network. This is followed by a deep device discovery, which covers the
device’s inventory, health, configuration, and image.
 Software Image Management (SWIM): PI provides a central console for managing the
network element’s IOS images, including software distribution and backup.
 Monitoring: PI collects network events (syslogs and traps) from the network elements and
provides processed alarming information.
 Cisco best practices: PI includes pre-built configuration templates for deploying
networking capabilities, which are based on recommendations from Cisco.
 Client and user tracking: PI provides granular visibility into network clients and users,
including location, connectivity, policy, and user experience.
 Plug and play: PI simplifies the deployment of new network elements and provides
automated, zero-touch device deployment capabilities.

• End-to-end visibility for service-aware
networking
- By applications, services, and end users
• Out-of-the-box support for Cisco
advanced instrumentation
- NetFlow, Flexible NetFlow, AVC, NBAR,
PA, Medianet, and so on
• Simplified end-to-end visibility for faster
troubleshooting
- Normalizes, correlates, and aggregates
data sources
• Automated baselining with dynamic
thresholds
• NBAR2 custom application support
• Multi-NAM management
• Service health dashboard


The Assurance capabilities in Prime Infrastructure provide end-to-end application and service
assurance visibility to quickly isolate and troubleshoot performance issues. PI leverages
technologies such as the following:
 AVC
 Flexible NetFlow
 NBAR
 Medianet Performance Agent.
Prime Infrastructure Assurance receives network traffic information from the various data-
sources (routers, switches, wireless controllers, Network Analysis Modules [NAMs]), removes
duplicates, correlates, and aggregates the data to provide seamless end-to-end visibility.

Note Previously, customers with multiple NAMs in their environment were not able to manage them
centrally. Prime Infrastructure offers one console to manage all NAMs from one place. Customers
can manage their data and also manage the NAMs themselves (their configuration).

New for version 2.0, PI Assurance creates dynamic baselines for critical application behavior,
which are based on actual traffic patterns over time. This feature provides a proactive approach
for identifying application behavior discrepancies.

[Figure: migration diagram showing WCS, NCS 1.1, PI 1.2, PI 1.3, PI 1.4 and LMS 4.2 and their paths toward PI 2.0 and PI 2.1; the paths are listed in the table and text below.]

Version   WLC   Issue            Recommendation                        Exception
NCS 1.1   7.2                    Remain until 2.0                      Require WLC 7.3+
PI 1.2    7.3   CSAT Issue       Upgrade to PI 1.3
PI 1.3    7.4                    Remain until 2.0                      Require 802.11ac module or AP-700
PI 1.4    7.5   No path to 2.0   By exception only                     Only for customers moving to 7.5
LMS 4.2   N/A                    Review LMS to PI migration doc here   LMS feature parity will occur throughout the PI 2.x release train

The figure shows the recommended paths for migrating between the various Prime
Infrastructure components.
 Legacy Wireless Control System (WCS) customers need to migrate to Network Control
System (NCS) 1.1 before upgrading to PI 2.0.
 PI 1.2 has experienced some customer satisfaction issues. Cisco does not recommend
running the 1.2 version.
 PI 1.3 customers would benefit from migrating to PI 2.0 because it has many enhancements
and better quality.
 PI 1.4 should only be used by customers that need specific wireless controller 7.5 version
support. There is no migration path from PI 1.4 to PI 2.0, so PI 1.4 customers will need to
upgrade to PI 2.1 when it becomes available.

Note If customers are not using WLC version 7.5, there is no need to go to PI version 1.4.
Customers can go directly to PI version 2.1, which will be able to support new controllers as
well. PI version 2.1 will deliver updates differently, so there will be no need to upgrade the
whole product. For example, you will be able to add additional technology packages to
support new WLC versions.

• Decouple device/technology support from platform
- Prime support aligned to hardware FCS
- Non-disruptive new-hardware support with fewer customer upgrades
- Fewer, more impactful platform releases
- Identify and address problem areas and “soft spots”
- Test product via customer use cases

[Figure: release timeline from Q2 CY13 to Q2 CY14 showing the PI 1.4, PI 2.0 and PI 2.1 platform releases, with low-touch, less frequent technology pack (TP) upgrades delivering new HW and feature support between platform releases.]
Legend: Tech Pack – independent release, may require reboot; Platform – NMTG 9-12 month train, requires upgrade.

At present, Prime Infrastructure requires a version upgrade whenever there is a need to support
new network hardware, a new software version, or a new technology. This version upgrade often
leads to a complex migration process that results in customer satisfaction issues.
The next platform release of Prime Infrastructure 2.1 will include enhancements that will
decouple the technology and device support modules from the core framework. This
decoupling will allow the introduction of technology and device packs that are independent of
the platform release. Technology and device packs would be installed inline without disturbing
PI functionality.

• Long-term roadmap, the path to One Management

[Figure: Prime Infrastructure roadmap]

UNIFICATION
- Customer Consolidation (Wired/Wireless Bundle): introduce PI as bundle; unified purchase and entitlement
- One Management (one wired/wireless/routing product): new and NCS customers use PI; LMS migrates over time
- Unified IT Operations (integrated management stack): Network, DC, Security, Collab; EMS, assurance, orchestration…; large enterprise and SP scale

Products
- Shipping: Prime Infrastructure 1.x (PI Lifecycle, LMS 4.2, PI Assurance)
- Development: Prime Infrastructure 2.0 (PI Lifecycle, PI Assurance)
- Radar: Prime Infrastructure CY13/14 (PI Lifecycle, PI Assurance, PI DC/Cloud Assurance)

TECHNOLOGY
- Wired and Wireless: wired/wireless endpoint visibility; ISE policy system integration; AVC for Branch and Edge (ISR/ASR/branch); assurance and app visibility with Prime NAM integration; Prime Site and Device 360
- Unified Access: Converged Access Architecture; unified wired/wireless/WAN; ISE policy system integration; user application experience
- Data Center: E2E assurance from user to DC; DCNM integration; One Firewall in ASR/ISR; PrSM integration

Cisco started announcing the Prime Infrastructure as a bundle to bring together Prime NCS,
Prime LMS, and some new Branch/Assurance functionality in Prime Infrastructure version 1.1.
This bundle simplified ordering for customers as well as converged licensing. The goal was for
customers to order one device license and split it across a mix of wired and wireless devices for
Prime LMS and Prime NCS respectively. Additionally, Prime Assurance was introduced as a
separate product. Although the bundle was available, Prime NCS Branch/WAN and Assurance
Manager were different installs and different virtual machines (VMs).
In Prime Infrastructure version 1.2, the product became a single install for converged wired
and wireless management: Cisco combined all of these components and converged them into a
single product and single install.
Prime Infrastructure version 2.0 evolved into the true converged platform for Next Generation
Wiring Closet (NGWC) and other next generation platforms. Prime LMS migration was done
in phases and the basic Fault, Configuration, Accounting, Performance, and Security (FCAPS)
type management functions are available in Prime Infrastructure 1.2.
Future Prime Infrastructure releases will focus on broadening the domain support, adding data
center technologies, integrating with security solutions, and increasing the scale.

• The following deployment platforms are used for Cisco Prime
Infrastructure and cover both Lifecycle and Assurance licenses:
- Virtual Appliance: Open Virtualization Appliance (OVA) image installed in a
VMware ESX 4.1 & 5.x environment with Virtual Machine File System (VMFS)
3.1 and 5.0.
• Available in three deployment sizes:
- Express: Up to 1000 devices, 1000 LWAPs
- Standard: Up to 11,000 devices, 15,000 LWAPs
- Professional: Up to 18,000 devices, 15,000 LWAPs
- Physical Appliance: Prime Infrastructure appliance with Cisco Prime
Infrastructure preinstalled using the following hardware:
• 16 processors, 16-GB RAM, 400-GB hard disk
• Field upgradeable


Cisco Prime Infrastructure is available in two deployment platforms:
 Virtual Appliance: In this platform, the Open Virtualization Appliance (OVA) is installed
in a VMware ESX 4.1 and 5.x environment with Virtual Machine File System (VMFS) 3.1
and 5.0.
 Physical Appliance: In this platform, the Prime Infrastructure appliance comes with Cisco
Prime Infrastructure preinstalled using 16 processors, 16-GB RAM, and 400-GB hard disk
as the basic configuration. This system is also field-upgradable.
Minimum hardware requirements are as follows:
 4 CPU @ 2.93 GHz
 8 GB RAM
 200 GB hard drive
Recommended hardware requirements are as follows:
 Cisco UCS C-Series with two quad-core Xeon processors
 12 GB RAM
 300 GB hard drive

• Prime Infrastructure high availability is active/passive.
- Secondary server is not running unless activated, therefore there is no need to
synchronize in-memory state.
- Database state is replicated using DB high availability syncing.
- Some files are also copied over HTTP (fileSync.properties).
• Health Monitor checks whether server is up.
- Deployed in the PI high availability setup to monitor the state of the primary
and secondary instances.
• In the event of a failure, secondary server is brought up.
- Secondary DB server is made primary—actually “secondary active.”
- Trap receivers are redirected to secondary.
• Once primary is available, user can initiate a “fail back.”


High availability is an embedded capability in Prime Infrastructure and does not require any
additional software components. It is enabled during the system’s installation process, where
one PI instance is installed and configured in a standard way to become the primary instance. A
second PI instance is installed in a standard way, but configured as secondary during the initial
configuration wizard.
During operation, the two systems’ databases are replicated and synchronized. System health
and availability are monitored to ensure the primary system’s operation. In case of a failure,
the secondary system becomes active.
Once the primary system becomes available again, the user can order the system to fail back to
the normal state. This fail back might be done during a maintenance window to ensure
undisrupted IT operations.

Note If the secondary server is not running that means the Prime Infrastructure system processes
(applications) are not running but the Prime Infrastructure server is up and the VM is up as
well. The database is running and the replication between the two databases is running. The
secondary system (secondary Prime Infrastructure) comes up when the primary Prime
Infrastructure server fails.

Lifecycle Management of Wired and Wireless Devices
This topic describes the lifecycle management of both wired and wireless devices.

• Welcome screen for Lifecycle view.
• Getting Started allows for accelerated deployment of your Cisco Prime
Infrastructure. This is accomplished through recommended workflows
for system setup and network management.


Cisco Prime Infrastructure is a network management tool that supports lifecycle management
from one graphical interface. PI provides network administrators with a single solution for
provisioning, monitoring, optimizing, and troubleshooting both wired and wireless devices.
Detailed graphical interfaces make device deployments and operations simple and cost-
effective.
Prime Infrastructure provides two different GUIs.
 Lifecycle view, which is organized according to home, design, deploy, operate, report, and
administer menus.
 Classic view, which closely corresponds to the GUI in Cisco Prime NCS 1.1 or Cisco
WCS.
Classic view is out of the scope of this training.

Tip You can switch back and forth between interfaces by clicking the down arrow next to your
login name.

After initial login, Prime Infrastructure opens with a welcome screen offering an optional
Getting Started screen for rapid deployment. Network operators can check the “Do not show
this on startup” checkbox in order to skip the Getting Started option in the future.

Note After the initial login, you may see a request to add a license file. If you are running a
demonstration license, this screen will show you how many days remain on the license.

Prime Infrastructure Workflows
The Prime Infrastructure web interface is organized into a lifecycle workflow that includes the
following high-level task areas:
 Home: This tab is used to view the dashboard, which gives a quick view of devices,
performance information, and various incidents.
 Design: The Design tab displays features, device patterns, or templates. Under Design, the
network operator creates reusable design patterns, such as configuration templates.
Predefined templates can be used or the operator can create unique ones. Patterns and
templates are used in the deployment phase of the lifecycle.
 Deploy: The Deploy tab is used by the operator to deploy previously defined designs or
templates into the network. Templates that are created in the design phase are used to
specify how to deploy features. The deploy phase allows the operator to push configurations
that are defined in templates to one or many devices.
 Operate: The Operate tab is used by the operator to run the network on a daily basis and
perform other day-to-day or ad hoc operations that are related to network device inventory
and configuration management. The Operate tab contains the dashboards, the Device Work
Center, and the tools that are needed for day-to-day monitoring, troubleshooting,
maintenance, and operations.
 Report: The Report tab is used to create reports, view saved report templates, and run
scheduled reports.
 Administration: The Administration tab is used to specify system configuration settings
and data collection settings, and manage access control.

• Discover or add (bulk/single) devices
• Work with configurations and images (SWIM)
• Check the status of your plug-and-play devices
• Network audit
• Launch Device Work Center from Operate menu or Getting Started view.


The Device Work Center provides a single screen overview and control of your network
devices. You can launch Device Work Center from the Operate menu or from the Getting
Started view after initial login. This screen allows you to view the device inventory and device
configuration information. The Device Work Center contains general administrative functions
at the top and configuration functions at the bottom of the screen.
The main tasks that network operators can perform in the Device Work Center are as follows:
 Device discovery
 Manual device addition (bulk import or single device)
 Working with device configurations and software images (Software Image Management, SWIM)
 Status verification of plug-and-play devices
 Network audit

• Ways to add devices:
- Bulk import or single device addition
- Device discovery

Figure: Device Work Center toolbar showing the Groups, Discovery, and Add Device and Bulk Import controls.


To view and manage the devices in the network, they must be added manually or discovered.
After Prime Infrastructure installation and initial login, the network operator can start adding
devices. One way to add a new device is from the Device Work Center.
The Device Work Center also displays device groups. Device groups allow the network
operator to group devices by location, device type, or user-defined criteria.

• Launch Device Discovery view from Device Work Center and click Add.
• Fill in the following parameters:
- Device IP address
- SNMPv2/v3 credentials
- Telnet/SSH credentials
- HTTP/HTTPS credentials (if the device is a NAM or WAAS)


Prime Infrastructure must first discover the devices and, after obtaining access, collect
information about them. Prime Infrastructure uses both Simple Network Management Protocol
(SNMP) and Secure Shell (SSH) or Telnet to connect to supported devices and collect inventory
data. Where the device supports it, enter SNMPv3 and SSH credentials rather than SNMPv2
community strings and Telnet logins: the latter cross the management network in cleartext,
and the same credentials will later be used to push configuration and software images.
Devices can be added manually, as shown in the figure. This is helpful if the network operator
wants to add a single device. To add all of the devices in your network, Cisco recommends
running discovery.

• Launch Device Discovery view from Device Work Center
• Click Discovery Settings and select New
• Hover over or click the button to view settings.
• Click + to expand the setting option.
• Enable the setting and then choose Add Row to add entries.
• Follow the format guidelines.


Prime Infrastructure uses SNMP polling to gather information about your network devices
within the range of IP addresses you specify. If you have Cisco Discovery Protocol enabled on
your network devices, Prime Infrastructure uses the seed device that you specify to discover the
devices in your network.
Before running discovery, complete the following tasks:
 Configure SNMP credentials on devices: Prime Infrastructure uses SNMP polling to
gather information about your network devices. You must configure SNMP credentials on
all devices that you want to manage using Prime Infrastructure.
 Set syslog and trap destinations on devices: Specify the Prime Infrastructure server
(using the Prime Infrastructure server IP address and port) as the syslog and trap destination
on all devices you want to manage using Prime Infrastructure.
 Configure discovery email notifications: You will then receive email notification when
Prime Infrastructure has completed discovering the devices in your network.
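The device-side preparation that the three tasks above describe, shown as an added Cisco IOS configuration example (this is not from the original page and is not output of Prime Infrastructure itself). The server address 192.0.2.10, the ACL, group, view, user and account names, and the passphrase placeholders are assumptions; adjust them to the environment. The closing archive stanza makes the device send a syslog message on every configuration change, which is what the syslog-triggered configuration archive described later in this lesson relies on.

```ios
! Restrict SNMP and VTY access to the Prime Infrastructure server (address is an assumption)
ip access-list standard PI-MGMT
 permit host 192.0.2.10
!
! SNMPv3 authPriv: every poll and set is authenticated (SHA) and encrypted (AES-128).
! SNMPv2c community strings would travel in cleartext and cannot be bound to a user.
snmp-server view PI-VIEW iso included
snmp-server group PI-GROUP v3 priv read PI-VIEW write PI-VIEW access PI-MGMT
snmp-server user pi-poller PI-GROUP v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase> access PI-MGMT
!
! Traps and syslog to the Prime Infrastructure server (syslog defaults to UDP 514)
snmp-server enable traps snmp linkdown linkup coldstart
snmp-server enable traps config
snmp-server host 192.0.2.10 version 3 priv pi-poller
logging host 192.0.2.10
logging trap informational
!
! SSH-only management; Telnet is not offered on the VTY lines.
! "crypto key generate rsa modulus 2048" is an exec-mode command run once
! after hostname and ip domain-name are set.
ip domain-name hta-hospitals.example
ip ssh version 2
username pi-admin privilege 15 secret <vty-password>
line vty 0 4
 login local
 transport input ssh
 access-class PI-MGMT in
!
! Log each configuration change to syslog so Prime Infrastructure can archive on change.
! hidekeys keeps passwords out of the logged command text.
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
```

The SNMPv3 user created here is the one entered in the discovery settings and in the Add Device screen; the VTY account is the SSH credential. Keep write access limited to the Prime Infrastructure address, because the same write view is what software image upgrades and template pushes use.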

• Launch the Jobs Dashboard from the Administration menu.


When discovery has completed, a network operator can verify whether the process was successful.
To verify the discovery, check the Discovery type job in the Jobs Dashboard.
You can launch the Jobs Dashboard from the Administration menu by selecting the Jobs
Dashboard option. Additionally, you can launch the Jobs Dashboard from the Tools menu
under the Task Manager option.
In the Jobs Dashboard, network operators can verify job details for user-defined or system-
defined jobs. Device discovery is an example of a user-defined job. The Interface, CPU, and
Memory poller jobs are examples of system-defined jobs.

• Configuration Archives provides stored configurations.
• Organized by device type, site groups, user-defined parameters.
• Use Schedule Archive to back up selected configurations.


Prime Infrastructure attempts to collect and archive the following device configuration files:
 Startup configuration
 Running configuration
 Virtual LAN (VLAN) configuration, if configured
Network operators can specify how Prime Infrastructure archives the configurations. Archiving
options are as follows:
 On demand: Prime Infrastructure collects the configurations of selected devices when the
network operator selects the Configuration Archives option from the Operate menu.
 Scheduled: Prime Infrastructure can schedule collection of the configurations of selected
devices and specify recurring collections. Recurring collections can be selected by clicking
Schedule Archive in the Configuration Archives option from the Operate menu.
 During inventory: Prime Infrastructure can collect device configurations during the
inventory collection process.
 Based on syslogs: If the device is configured to send syslogs when there is any device
configuration change, Prime Infrastructure collects and stores the configuration.
By default, Prime Infrastructure has the following configuration settings:
 It does not back up the running configuration before pushing configuration changes to a
device.
 It does not attempt to roll back to the previously saved configuration in the archive if the
configuration deployment fails.
 When pushing CLI to a device, it uses five thread pools.
Operators who deploy templates to many devices should consider enabling both the backup
and the rollback options, so that a failed or mistaken push can be reverted from the archive
rather than repaired by hand on each device.

• SWIM is the repository for device images.
• From SWIM you can back up, upgrade, import, and analyze your device
images.


Manually upgrading your devices to the latest software version can be error prone and time
consuming. Prime Infrastructure simplifies the version management and routine deployment of
software updates to your devices by helping you plan, schedule, download, and monitor
software image updates. You can also view software image details, view recommended
software images, and delete software images.
Prime Infrastructure stores all the software images for the devices in your network. The images
are stored according to the image type and version. Before you can upgrade software images,
your devices must be configured with SNMP read-write community strings that match the
community strings that were entered when the device was added to Prime Infrastructure. A
read-write community string gives configuration control of the device, so restrict it with an
access list to the Prime Infrastructure server and protect it as you would a password.
You can specify image management preferences. These preferences include whether to
reboot devices after successfully upgrading a software image, and whether images on
Cisco.com should be included when Prime Infrastructure recommends an image for a device.
It can be helpful to have a baseline of your network images by importing images from the
devices in your network. You can also import software images from the Cisco web page and
store them in the image repository. Because collecting software images can slow the data
collection process, by default, Prime Infrastructure does not collect and store device software
images when it gathers inventory data from devices.
Prime Infrastructure can generate an Upgrade Analysis report to help you determine
prerequisites for a new software image deployment. These reports analyze the software images
to determine the hardware upgrades (boot ROM, Flash memory, RAM, and boot Flash, if
applicable) required before you can perform the software upgrade. The Upgrade Analysis
report answers the following questions:
 Does the device have sufficient RAM to hold the new software?
 Is the device’s Flash memory large enough to hold the new software?
 Do I need to add Telnet access information for the device?

• Image Dashboard shows top software images used in deployment of the
network.


The software image dashboard displays the top software images that are used in your network
and allows you to do the following:
 Change image requirements.
 See the devices on which an image is running.
 Distribute an image.

Assurance Management
This topic provides an overview of assurance management as a function of network
availability.

Figure (Assurance data sources): Prime Infrastructure draws on three groups of data.
Network Performance: device availability and interface polling over SNMP/CLI, event and alarm
generation, and configuration of devices for data and flow collection (NetFlow, Medianet, PA,
NBAR). Visibility: application traffic analysis and reporting, multi-NAM packet-level debugging
and troubleshooting, and WAN optimization visibility, fed by NetFlow/Flexible NetFlow,
NBAR/NBAR2, Medianet, PA, WAAS, and SPAN/ERSPAN into the Network Analysis Modules (Prime
NAM) and the NetFlow Generation Application (Prime NGA). End-User Experience: wired/wireless
user experience, User 360, and voice quality experience. Platforms shown: Cisco Catalyst 3750-X,
Cisco Catalyst 6509, Cisco ASR, Cisco ISR, and Wireless Controller.


Assurance is a function for network and application availability as it relates to end-user
experience. Prime Infrastructure divides the problem of assurance into three sections:
 Network performance
 Application visibility
 End-user experience
Network performance management is a standard part of element management and relates to
device availability, interface polling, and event and alarm generation from various parts of
the network. One very important aspect of network performance in Prime Infrastructure is
how it relates assurance to lifecycle. It supports monitoring templates with which you can
configure devices for data and flow collection, for example, NetFlow, NBAR, Flexible
NetFlow, and so on. This is unique to the Cisco solution: it not only supports intelligent
instrumentation in the network but also provides the ability to enable it.
Application visibility involves application classification and traffic analysis by leveraging
intelligent instrumentation in the network. This instrumentation includes packet analytics from
the NAMs deployed at various points in the network. Embedded instrumentation, such as
NetFlow, NAM, NBAR/NBAR2, AVC, and so on is what makes a Cisco network unique.
Once network and application visibility is provided, Prime Infrastructure correlates this
information with end user information it has from lifecycle management. Using this combined
data, Prime Infrastructure constructs a picture of the end-user experience of applications, such
as voice and video. With User 360 view, the network operator can interrogate users and see
how they are accessing the network. Operators can also see switch interfaces or wireless
controller information along with all the applications the users are running.

Prime Infrastructure acts as a collector for all information flows and, by correlating them with
client IP address information, constructs a total picture of assurance. The figure provides a
graphical representation of how flow and application data is collected from different sources
across the network. Prime Infrastructure leverages NBAR2/PA/AVC for branch visibility,
NetFlow and Medianet in the campus, NBAR2 for wireless, NGA for the data center, and so on.

• The Operate tab provides tools for the following:
- Monitoring the network on a daily basis.
- Performing other day-to-day or ad hoc operations relating to network device
inventory and configuration management.
• The Operate tab contains dashboards, the Device Work Center, tools for
day-to-day monitoring, troubleshooting, maintenance, and operations.


Under the Operate tab, Prime Infrastructure provides tools to help network operators monitor
their network on a daily basis. Tools are also available to perform other day-to-day or ad hoc
operations relating to network device inventory and configuration management. The Operate
tab contains the dashboards, the Device Work Center, and the tools you need for day-to-day
monitoring, troubleshooting, maintenance, and operations.
Prime Infrastructure automatically displays monitoring data in dashboards and dashlets. You
can choose one of the following dashboards by selecting the Monitoring Dashboard option in
the Operate menu to view summary information:
 Overview: Displays overview information about your network such as device counts and
the top five devices by CPU and memory utilization. From the Overview dashboard, you
can click device or interface alarms counts to view detailed dashboards and alarms and
events in order to help troubleshoot and isolate issues.
 Incidents: Displays a summary of alarms and events for your entire network, for a
particular site, or for a particular device. By clicking an item in the dashboard, you can
view details about the alarm or event and troubleshoot the problem.
 Performance: Displays CPU and memory utilization information.
 Detail Dashboards: Displays network health summaries for sites, devices, or interfaces.

• The Detail Dashboards provide many options for rich application visibility
and analysis: Site, Device, Interface, Application, Voice/Video, End User
Experience.


Detail dashboards display network health summaries for sites, devices, or interfaces. Many
different views are provided including Site, Device, Interface, Application, Voice/Video, and
End User Experience. These views allow network operators to see congestion in the network
and gather detailed site, device, and interface information. For example, you can view detailed
dashboards for a particular site to determine which devices have the most alarms, device
reachability status for the site, and so on.
Cisco Prime Assurance lets network operators investigate performance issues including any of
the following parameters:
 Raw server performance
 Competition for bandwidth from other applications and users
 Connectivity issues
 Device alarms
 Peak traffic times
This flexibility shortens troubleshooting time and provides quicker solutions. In the figure
below, a network administrator is responding to scattered complaints from multiple branches
about poor performance for a newly deployed application. The administrator suspects a
malfunctioning edge router at the application server site to be the problem, but needs to see if
other factors are contributing to the issue.

Several portlets are available out of the box for the dashboard.
• Troubleshoot the RTP conversations using key metrics like jitter, loss, or MOS score.
• Identify the worst site by MOS scores.

To successfully diagnose and resolve problems with application service delivery, network
operators must be able to link user experiences of network services with the underlying
hardware devices, interfaces, and device configurations that deliver these services. This linking
is especially challenging with Real-Time Transport Protocol (RTP)-based services like voice
and video, where degraded service quality, rather than gross problems like outages, imposes
special requirements.
Cisco Prime Assurance makes this kind of troubleshooting easy. The following workflow is
based on a typical scenario:
1. A user complains to the network operations desk about poor voice quality or choppy video
replay at a branch office.
2. The operator first confirms that the user is indeed having a problem with jitter and packet
loss that will affect the RTP application performance.
3. The network operator further confirms that other users at the same branch are also having
the same problem.

4. The operator next confirms that there is congestion on the WAN interface on the edge
router that connects the local branch to the central voice/video server in the main office.
5. Further investigation reveals that an unknown HTTP application is using a high percentage
of the WAN interface bandwidth and causing the dropouts.
6. The operator can then change the unknown application’s differentiated services code point
(DSCP) classification to prevent it from stealing bandwidth.
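What step 6 can look like on the branch edge router, as an added Cisco IOS example (not from the original page; Prime Infrastructure would normally push an equivalent configuration from a template). The interface name, class and policy names, bandwidth percentages, and the use of NBAR2 to recognize RTP and HTTP are assumptions. Note that this reclassifies all HTTP, which is a blunt remedy; the page's scenario identifies one unknown HTTP application, so in practice the operator would first confirm which flows the bandwidth belongs to (for example, in the Interface 360 view) before writing the class.

```ios
! Recognize the traffic classes with NBAR2 (assumed available on the edge router)
class-map match-any VOICE-RTP
 match protocol rtp audio
class-map match-any VIDEO-RTP
 match protocol rtp video
class-map match-any BULK-HTTP
 match protocol http
!
! Outbound WAN policy: voice gets a strict priority queue, video a guaranteed share,
! and the HTTP traffic that was found filling the link is re-marked to best effort
! and capped to a small share so it can no longer starve the RTP flows.
policy-map WAN-EDGE-OUT
 class VOICE-RTP
  set dscp ef
  priority percent 20
 class VIDEO-RTP
  set dscp af41
  bandwidth remaining percent 30
 class BULK-HTTP
  set dscp default
  bandwidth remaining percent 5
 class class-default
  set dscp default
  fair-queue
!
interface Serial0/0/0
 description Branch WAN uplink to main office (interface name is an assumption)
 service-policy output WAN-EDGE-OUT
```

After the policy is applied, the same RTP portlets used in steps 2 and 3 (jitter, loss, MOS) are the check that the change worked: MOS at the branch should recover while the HTTP class shows drops instead of the voice class.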

• Add NAMs to Prime Infrastructure via Device Work Center using:
- Bulk device import or adding NAMs individually
- Discovering the NAMs and editing them to include the HTTP credentials
• To enable NAM data collection:
- Open the Data Sources view from the Administration menu.
- Expand the NAM Data Collector list.
- Select all of the NAMs for which you want to enable data collection and click Enable.
• Manage NTP server configuration to synchronize the clock between Prime Infrastructure and NAMs.
• Enable Flexible NetFlow data collection.


If the Prime Infrastructure implementation includes Assurance licenses, the network operator needs
to enable data collection via NAMs and NetFlow configurations. This is necessary to
populate the additional dashlets, reports, and other features that are supplied with Assurance.
Prime Infrastructure provides multi-NAM management, centralizing data collection from
multiple NAMs. Packets captured simultaneously on multiple NAMs are stitched together and
shown in a unified view.
To collect data from NAMs, NAM data collection must be enabled. The network
operator can enable data collection for each discovered or added NAM, or for all NAMs at
once. Open the Data Sources view from the Administration menu and expand the NAM Data
Collector list. Select all of the NAMs for which you want to enable data collection and click
Enable. Because NAM data is collected over HTTP/HTTPS, the HTTP credentials entered for
each NAM must be correct, and the NAM and Prime Infrastructure clocks must be synchronized
via NTP or the captured data cannot be correlated.
To start collecting NetFlow and Flexible NetFlow data, the network operator must
configure NetFlow-enabled switches, routers, and other devices to export this data to Prime
Infrastructure. Prime Infrastructure provides an out-of-the-box configuration template that
allows you to set this export up quickly. You can apply it to all or just a subset of your
NetFlow-enabled devices.
The out-of-the-box Flexible NetFlow template assumes that the network operator wants to
configure all types of NetFlow-enabled devices in the same way. Create separate templates to
do the following:
 Create a separate configuration for each type of device.
 Vary exporter or monitor names.
 Set up multiple flow exporters or monitors on the same device type.
 Set up data export for multiple interfaces on a particular type of device.
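The device-side result of such a template, as an added Cisco IOS Flexible NetFlow example (not from the original page and not the literal text of Prime Infrastructure's own template, which may differ). The exporter, record and monitor names, the source interface, the WAN interface name, and the server address 192.0.2.10 are assumptions; UDP 9991 is the port on which the Prime Infrastructure server receives NetFlow. The record includes the NBAR2 application name so that the Application dashboards can classify the flows rather than showing only ports.

```ios
! Exporter: where the flow records go. Sourcing from a loopback keeps the exporter
! address stable across link failures, which matters because Prime Infrastructure
! matches incoming records to the managed device by source address.
flow exporter PI-EXPORTER
 destination 192.0.2.10
 source Loopback0
 transport udp 9991
 export-protocol netflow-v9
 template data timeout 60
 option interface-table
 option application-table
!
! Record: the key fields that define a flow and the counters collected for it.
! "collect application name" carries the NBAR2 classification in each record.
flow record PI-RECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
!
! Monitor: binds record and exporter; a 60-second active timeout keeps
! long-lived flows visible in near real time on the dashboards.
flow monitor PI-MONITOR
 exporter PI-EXPORTER
 cache timeout active 60
 record PI-RECORD
!
! Attach in both directions on the WAN interface (name is an assumption)
interface GigabitEthernet0/0
 description WAN uplink
 ip flow monitor PI-MONITOR input
 ip flow monitor PI-MONITOR output
```

When varying this per device type, the parts that typically change are the interface to which the monitor is attached and whether `collect application name` is available (it requires NBAR2 on the platform); the exporter destination and port stay the same for every device sending to the same server.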

Select from one of the
data sources:
• NetFlow
• Flexible NetFlow
• NAM NetFlow
• NAM Data Port

Select:
• Number of rows
to present
• Traffic types
• Apply filters


Several views within the Detail Dashboards contribute to the wide set of information that
Prime Infrastructure provides. The Site view of the detail dashboards makes it possible
to see the right information from the right source.
Various filters and options allow the user to customize the view and focus on the required data.
Multiple dashlets of the same type can be added to one dashboard, each with different
settings applied.

Operationalizing the Cisco Advantage
This topic describes how the Cisco advantage automates and drives efficiencies in the use of
customer equipment.

• Simplify the deployment and management of Cisco differentiated technologies and platforms.
• Use Cisco expertise and best practices to improve network design and troubleshooting.
• Integrate with Cisco knowledgebase to automate key tasks and make more informed decisions.
• Support new Cisco platforms and technologies the day they ship.


One of the goals of Prime Infrastructure is to accelerate the time to value for customers using
Cisco equipment. This makes the design and fulfillment of network services fast and
efficient, thus accelerating deployment.
Another goal of PI is to drive efficiencies, optimizing the use of customer equipment for
managing their networks. PI also lowers capital expenditures through an architecture that is
designed to drive out costs and drive up efficiencies.
Currently many networks are operated by highly skilled and high-cost operators who use a
manual approach (such as CLI scripts) to manage their networks. With PI, the goal is to
automate core processes, making it much faster to provision services, diagnose and repair
problems, and so on.
Without good instrumentation, determining the root cause of a network service outage can be
very time consuming. Faults can occur for a variety of reasons and are often caused by human
error due to highly manual processes. With PI the quality of service improves through the
monitoring and management of network events. A common problem for technology
organizations is that of taking a compartmentalized approach to managing services. Often,
specific teams will manage areas of technology. The result can be a lack of complete visibility
into the network services. As a result, when outages occur they can take longer to resolve.
The Cisco point of view is that service providers need to transition from managing the network
to managing the subscriber experience lifecycle. This approach means automating key aspects
of the lifecycle and encouraging the technology functions to work together with a common
understanding of the business impact of the network services they provide.

• Day 0 ZTD for switches and routers
- Plug and play gateway embedded in PI 2.0.
- Includes Apple iOS plug and play app allowing anyone to
stage and push a configuration.
• Day 0/day 1 deployment of unified access devices
- Deployment workflow for tier 1/tier 2 engineers, with multi-
tabbed template mode for advanced engineers.
- Optimized deployment based on best practices.
- Cisco recommended mobility domain configurations based on
number of APs to be deployed.
- Simplified guided guest access configuration.


Prime Infrastructure allows quick and easy deployment of new devices, using simple day 0/day
1 deployment workflows. These wizard-based workflows guide the network operator through
the process of configuring a new device in a simplified way.
Examples of areas that are covered in the workflows are as follows:
 Device credentials
 VLAN creation
 Trunking, uplinks
 Wireless (3850, 5760)
 Site association

Note Devices that are configured with the day 0/day 1 deployment workflows are automatically
added to Prime Infrastructure’s Device Work Center and then managed by the system. This
eliminates the need to add or discover the devices separately.

• Prime Infrastructure 2.0 includes the following:
- A powerful templating engine, allowing customers to build
templates for efficiency and automation.
- Templates reflecting best practices that are used to turn on
IOS features.
- Including One-Click AVC, Zone-Based Firewall, Medianet,
and so on.
• Readiness assessments are used to prepare networks
for specific technologies, including TrustSec 2.0 and
IPv6.


Configuring and deploying updates to the network has been made easier with the built-in
feature templates. These templates incorporate Cisco Smart Business Architecture (SBA)
templates that are based on Cisco validated designs, simplifying platform and technology
rollout and reducing the chance for errors.
Prime Infrastructure 2.0 adds AVC-dedicated templates that allow the user to deploy a
validated AVC configuration in one click, or configure a customized AVC template.
Prime Infrastructure 2.0 also adds a new TrustSec deployment environment. This environment
provides TrustSec network readiness assessment, simplified configuration, and reporting.

• Simplify troubleshooting and remediation by correlating various sources of information.
• Brings together multiple sources of information for effective problem isolation.
• Uses 360 views for:
- Users
- Devices
- Interfaces
- Applications

Figure: User 360 view, drawing together Context, Policy, Applications, and Connectivity.

The concept of a 360-degree view in Prime Infrastructure was designed to simplify the
consumption of data for a specific object, while gathering information from various sources.
A Device 360 view was previously introduced with PI 1.2. User, Application, and Interface 360
views were added in Prime Infrastructure 2.0.
One of the main advantages of the 360 views is that they are overlaid on the existing screen.
This allows the PI user to receive important information about the relevant object (User,
Device, Application, Interface) without the need to navigate to another screen or separate view.

• Real-time contextual user
details:
- Context, location
- Client device type
- Session
- Connectivity
- Visibility of application traffic
- Alarms


New for Prime Infrastructure 2.0, the User 360 view provides information on a specific user,
which includes all of the user's clients.
This view is available from nearly any screen where a username is shown, or by using
the search capability to find users in the PI database.
The User 360 view gathers information from multiple sources, including ISE and MSE data.
This provides a single location for the following types of data:
 Location, through MSE integration
 Client device type, through ISE profiling
 Connectivity, wired or wireless, which is based on WLC and switch data
 Visibility of application traffic such as AVC or NAM
 Alarms, based on the device to which the user is connected
 Policy, through ISE integration

• Real-time contextual device
details from the device
perspective:
- Device name
- Location, type
- System uptime
- Operating system version and
status
- CPU and memory utilization
- Interface status type
- Visibility of application traffic
• Take actions
- Open TAC


The Prime Infrastructure Device 360 view provides real-time contextual detailed device
information from the device perspective. These details include the following:
 Device name, location, type with system uptime, and device status
 Operating system version and status
 CPU and memory utilization
 Interface status type and visibility of application traffic
Device status indicates whether the device is reachable, is being managed, and is synchronized
with the Prime Infrastructure database.
The second half of the device 360 view provides access to several tabs as follows:
 Modules tab lists the device modules and their name, type, state, and ports.
 Alarms tab lists alarms on the device, including the alarm status, time stamp, and category.
 Interfaces tab lists the device interfaces and the top three applications for each interface.
 Neighbors tab lists the device neighbors, including their index, port, duplex status, and
sysname.
You can see the Device 360 view from nearly all screens in which device IP addresses are
displayed. It provides a quick snapshot to isolate and troubleshoot device-related issues.
Additional tool icons are available on the top right of the Device 360 view and provide access
to the following additional Prime Infrastructure views:
 Alarm Browser: Launches the Alarm Browser.
 Support Community: Launches the Cisco Support Community.
 Support Request: Allows you to open a support case.
 Ping: Allows you to ping the device.
 Traceroute: Allows you to perform a traceroute on the device.

To launch the 360 view of any device, mouse over a device IP address, and then click the icon
that appears.

Note The features that appear on the 360 view differ depending on the device type.

• Interface 360 views show the following:
- Interface status, speed, and type
- Interface alarms
- Interface utilization, errors, and discards
- Interface application traffic


New for Prime Infrastructure 2.0, the Interface 360 view provides information on a specific
interface. Interface 360 includes the following information:
 Status information
 Alarms
 Utilization, errors
 Interface application traffic

• Prime Infrastructure integrates with Cisco backend systems for increased visibility into impact analysis.
• PSIRT (Security Advisories) reports provide an analysis of which devices are impacted based on:
- IOS version running on the device.
- How the device is configured.
• EoX reports provide a lifecycle management analysis on the devices.
- Shows devices that are or will be “End-of-Sales” or “End-of-Support.”
- Allows customers to budget for upcoming refresh.
• One-click access to related posts and discussions on Cisco forums.
• One-click creation of TAC case.
- Device and SmartNet contract number automatically populated.
- Common supporting documents automatically forwarded to TAC.


Tight integration between Prime Infrastructure and Cisco’s online knowledge base allows PI to
offer unique capabilities in reporting. PI also offers the following support “lifelines” when
needed:
 PSIRT and EoX reports are available based on Cisco’s security advisories and End-of-Life
announcements. Prime Infrastructure combines the discovered network inventory data
available in the system’s database with the EoX/PSIRT information available on
Cisco.com. This combination allows PI to provide these unique reports immediately when
needed.
 Consult and view information at the Cisco Support Community by launching it from
various screens.
 Open a Cisco Technical Assistance Center (TAC) Support Request quickly with minimal
effort. The user chooses the device for which the case will be opened. Prime Infrastructure
adds the serial number, contract number, show tech (if needed), alarm history, and more.
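The following Python script is an added example, not Cisco’s or Prime Infrastructure’s own code: it performs the join that the PSIRT and EoX reports described above rely on, matching a device inventory against advisory and End-of-Life records using the two criteria the slide names (running IOS version and device configuration). All device names, product IDs, versions, dates and advisory IDs are constructed placeholders.

```python
"""Added example (not Cisco's or Prime Infrastructure's code): the join a PSIRT/EoX
impact report performs, reduced to its core. A constructed inventory is matched against
constructed advisory and End-of-Life records; every name, product ID, version and
advisory ID below is a placeholder."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

@dataclass
class Device:
    name: str
    product_id: str
    os_version: str     # IOS-style string such as "15.2(4)M3"
    config: str = ""    # running configuration, as text

@dataclass
class Advisory:
    advisory_id: str                        # placeholder, not a real PSIRT ID
    affected_ranges: List[Tuple[str, str]]  # inclusive (first, last) version pairs
    requires_config: str = ""               # command that must be configured to be exposed
    fixed_in: str = ""

@dataclass
class EoxRecord:
    product_id: str
    end_of_sale: date
    end_of_support: date

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)")

def parse_ios_version(ver: str) -> Tuple[int, int, int, str, int]:
    """Turn '15.2(4)M3' into (15, 2, 4, 'M', 3); train letters compare as strings, so ranges are per train."""
    m = _VERSION_RE.fullmatch(ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    major, minor, release, train, rebuild = m.groups()
    return (int(major), int(minor), int(release), train, int(rebuild or 0))

def version_in_range(ver: str, first: str, last: str) -> bool:
    return parse_ios_version(first) <= parse_ios_version(ver) <= parse_ios_version(last)

def feature_configured(config: str, command: str) -> bool:
    """Match whole config lines, so 'no ip http server' does not count as 'ip http server'."""
    return any(line.strip() == command for line in config.splitlines())

def psirt_impact(devices: List[Device], advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (device, advisory, reason) for each device an advisory applies to, using the
    two criteria on the slide: IOS version in an affected range, and the feature configured."""
    hits = []
    for dev in devices:
        for adv in advisories:
            if not any(version_in_range(dev.os_version, lo, hi) for lo, hi in adv.affected_ranges):
                continue
            if adv.requires_config and not feature_configured(dev.config, adv.requires_config):
                continue  # vulnerable image, but the exposed feature is not enabled
            reason = f"{dev.os_version} in affected range"
            if adv.requires_config:
                reason += f"; '{adv.requires_config}' configured"
            if adv.fixed_in:
                reason += f"; fixed in {adv.fixed_in}"
            hits.append((dev.name, adv.advisory_id, reason))
    return hits

def eox_status(devices: List[Device], eox: List[EoxRecord], today_iso: str) -> Dict[str, str]:
    """Classify each device's lifecycle state (for budgeting refreshes) as of an ISO date."""
    today = date.fromisoformat(today_iso)
    by_pid = {r.product_id: r for r in eox}
    status = {}
    for dev in devices:
        rec = by_pid.get(dev.product_id)
        if rec is None:
            status[dev.name] = "No EoX announcement"
        elif today >= rec.end_of_support:
            status[dev.name] = "End-of-Support"
        elif today >= rec.end_of_sale:
            status[dev.name] = "End-of-Sale"
        else:
            status[dev.name] = f"Current (End-of-Sale {rec.end_of_sale.isoformat()})"
    return status

# Constructed sample data standing in for the PI inventory and the Cisco.com feeds.
DEVICES = [
    Device("core-sw1", "PLACEHOLDER-PID-A", "15.2(4)M3", "hostname core-sw1\nip http server\n"),
    Device("edge-rtr1", "PLACEHOLDER-PID-B", "15.2(4)M3", "hostname edge-rtr1\nno ip http server\n"),
    Device("lab-sw1", "PLACEHOLDER-PID-A", "15.4(1)T", "hostname lab-sw1\n"),
]
ADVISORIES = [
    Advisory("ADVISORY-PLACEHOLDER-1", [("15.2(1)M", "15.2(4)M5")],
             requires_config="ip http server", fixed_in="15.2(4)M6"),
    Advisory("ADVISORY-PLACEHOLDER-2", [("15.0(1)M", "15.3(3)M")]),
]
EOX = [EoxRecord("PLACEHOLDER-PID-A", date(2014, 1, 31), date(2019, 1, 31))]

if __name__ == "__main__":
    for dev, adv, why in psirt_impact(DEVICES, ADVISORIES):
        print(f"PSIRT  {dev:<10} {adv}: {why}")
    for dev, state in eox_status(DEVICES, EOX, "2013-06-01").items():
        print(f"EoX    {dev:<10} {state}")
```

Note that the second device runs the same affected image but is not reported for the first advisory, because the feature the advisory depends on is explicitly disabled; a naive substring check on the configuration would have flagged it.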

• Many reports can be generated to run on an immediate and scheduled basis.
• Report Launch Pad is the hub for all Prime Infrastructure reports.


Cisco Prime Infrastructure reporting is necessary to monitor system and network health as
well as to troubleshoot problems. A number of reports can be generated to run on an immediate
or scheduled basis. Each report type has a number of user-defined criteria to aid in defining
the reports. The reports are formatted in a summary, tabular, or combined (tabular and
graphical) layout. Once defined, the reports can be saved for future diagnostic use or
scheduled to run and report on a regular basis.
Reports are saved in either comma-separated value (CSV) or PDF format and are either saved
to a file on Prime Infrastructure for later download or emailed to a specific email address.
The Reports menu provides access to all Prime Infrastructure reports as well as currently saved
and scheduled reports. The Reports menu has the following options:
 Report Launch Pad: The hub for all Prime Infrastructure reports. From this page, you can
access specific types of reports and create new reports.
 Scheduled Run Results: Allows you to access and manage all currently scheduled runs in
Prime Infrastructure. In addition, allows you to access and manage on-demand export as
well as emailed reports.
 Saved Report Templates: Allows you to access and manage all currently saved report
templates in Prime Infrastructure.
The reporting types include the following:
 Current: This type provides a snapshot of the data that is not dependent upon time.
 Historical: This type retrieves data from the device periodically and stores it in the Prime
Infrastructure database.
 Trend: This type generates a report using aggregated data. Data can be collected
periodically from devices at user-defined intervals, and a schedule can be established for
report generation.
With Prime Infrastructure, you also have the ability to export any report. You can then view
reports, sort reports into logical groups, and archive reports for long-term storage.

Cisco Prime Infrastructure Field Resources
This topic covers the Cisco Prime Demo Series and other resources useful for customers,
partners, and employees.

http://nmtg/pyc

Need                                | Action                                 | By exception
Need Evaluation Licenses?           | Download evaluations                   | For extensions or existing: ask-prime-infrastructure
Need Information on Competitors     | Competitive analyses; systems          | Send an email to ask-prime-infrastructure
Technical Issues                    | Review FAQ                             | Open a TAC Case
Commercial/Licensing Issues         | Review FAQ                             | Send an email to ask-prime-infrastructure
Need Customer-Facing Collateral/OGs | Go to the Field Enablement Kit         |
Customer Demos                      | Leverage global Prime Demo Series      | Send an email to ask-prime-infrastructure
Want to Influence Your Customer?    | Access our RFx template                |
Need RFQ/RFP Help?                  | Leverage TSN                           | Send an email to ask-prime-infrastructure
Access Demo Servers/Scripts         | View demo servers here                 |
Need Training/VoDs                  | View full inventory                    | Send an email to ask-prime-infrastructure
Field Team Updates                  | Contact Theater BDM Lead               |


The figure describes optimal ways to communicate with the business unit for a variety of
issues.

Americas Edition
Every Week*      | Prime Demo Series Topic                              | Time                                  | Place
Every Monday     | Cisco Prime LMS                                      | 11 a.m. PT (San Jose time), 90 mins.  | www.tinyurl.com/primedemo, no registration required
Every Tuesday    | Cisco Prime Collaboration Assurance and Provisioning | 11 a.m. PT (San Jose time), 90 mins.  | www.tinyurl.com/primedemo, no registration required
Every Wednesday  | Cisco Prime NAM and NGA                              | 11 a.m. PT (San Jose time), 90 mins.  | www.tinyurl.com/primedemo, no registration required
Every Thursday   | Cisco Prime Infrastructure (including Assurance)     | 11 a.m. PT (San Jose time), 90 mins.  | www.tinyurl.com/primedemo, no registration required
Every Wednesday  | Cisco Prime Data Center Network Management (DCNM)    | 9 a.m. PT, 60 mins.                   | www.tinyurl.com/primedcnm, Password: dcnmdemo
*Exceptions: US public holidays and Cisco shutdown

APJC Edition
Every Week*                            | Prime Demo Series Topic                                        | Time                                    | Place
Every 2nd Thursday                     | Cisco Prime Infrastructure Lifecycle Management and Assurance  | 12 p.m. SGT (Singapore time), 90 mins.  | www.tinyurl.com/prime-APJC, no registration required
Every 2nd Thursday (alternating week)  | Cisco Prime Collaboration Assurance and Provisioning           | 12 p.m. SGT (Singapore time), 90 mins.  | www.tinyurl.com/prime-APJC, no registration required
*Exceptions: Indian public holidays and Cisco shutdown

EMEAR Edition
Day                      | Prime Demo Series Topic                              | Time                    | Place
See schedule (biweekly)  | Cisco Prime Infrastructure (including Assurance)     | 9:30 a.m. GMT, 90 mins. | www.tinyurl.com/prime-emear, registration is required
See schedule (biweekly)  | Cisco Prime Collaboration Assurance and Provisioning | 9:30 a.m. GMT, 90 mins. | www.tinyurl.com/prime-emear, registration is required

Free trial software: www.cisco.com/go/nmsevals



Customers, partners, and Cisco employees who are looking for more information on the various
Prime products are invited to participate in the Cisco Prime Demo Series. This series is an
interactive demo of Cisco’s various Prime applications. Each demo is 90 minutes in length,
with a 30-minute introduction and slides and a 60-minute demo.
During these sessions, you will hear from product experts on how Cisco’s various Prime
applications can help with the following:
 Efficiently manage and troubleshoot Cisco networks (wired and wireless) and network
services (video and voice).
 Optimize the configuration of IOS features and instrumentations.
 Gain end-to-end visibility across the network right down to applications and end-user
clients.
The Cisco team of experts covers a different solution each weekday. The time and place
(WebEx ID) are the same for all four weekly sessions. Each of the four weekly sessions covers
a different Prime application. You are encouraged to ask questions throughout the session.
Similar sessions are available for APJC and cover Prime Infrastructure and Prime Collaboration
every second week. The Prime Demo Series also covers the EMEAR region, based on a
published schedule.

• Detailed, 18-segment quick-start videos on demand cover essentials of how to download, deploy, configure, and customize Prime Infrastructure.
• Available on Cisco’s YouTube Channel and PEC
• http://www.youtube.com/playlist?list=PL7406F0EF2BC7DED8


Cisco makes available several videos for Prime Infrastructure 2.0 and its installation. They are
available on YouTube on the Cisco channel.

Tip Cisco recommends viewing the following two videos before starting the lab for this module:
- Getting Started VOD, available at http://www.youtube.com/watch?v=sFrPLfykj6Y
- Deploying the Virtual Environment VOD, available at http://www.youtube.com/watch?v=BBgX9-UvL2w

• Single pane of glass for true converged wired/wireless lifecycle and assurance management. No other vendor does this.
• Centralized policy integration (Prime and ISE) is unique in the industry.
• Deploy and configure Cisco devices more efficiently and rapidly.
• Easy to enable Cisco best practices engineered into IOS and instrumentation.
• Power of embedded intelligence inherent in a Cisco network improves application delivery and end-user experience by using Prime NAM, Medianet, AVC, NetFlow, and NBAR2.


The figure summarizes the key features of Cisco Prime Infrastructure.

Summary
This topic summarizes the key points that were discussed in this lesson.

• The Cisco Prime Infrastructure provides converged management of wired and wireless network infrastructure.
• The Cisco Prime Infrastructure is a network management tool that supports lifecycle management of your entire network infrastructure from one graphical interface.
• The device 360 view provides real-time contextual detailed device information from the device perspective.
• The Cisco Prime Infrastructure supports assurance as a function for network and application availability, which relates to end-user experience.
• Detailed dashboards contribute to the abundance of information provided by Prime Infrastructure and provide the right information from the right source.
• Several best practices can optimize the operation of Prime Infrastructure: limiting collection of data, aggregating data, shorter retention, and offloading of backups and reports are used to save storage space.

References
For additional information, refer to http://www.cisco.com.

Module Self-Check
Use the questions here to review what you learned in this module. The correct answers and
solutions are found in the Module Self-Check Answer Key.
Q1) Which of the following modules are available in Prime Infrastructure? (Choose two.)
(Source: Prime Infrastructure Overview)
A) Assurance
B) Classic
C) Lifecycle
D) NAM
E) Design
Q2) Which two legacy management systems were replaced by Prime Infrastructure?
(Choose two.) (Source: Prime Infrastructure Overview)
A) WCS
B) NCS
C) LMS
D) Cisco Works
E) Prime Management System
Q3) Prime Infrastructure integrates with which three of the following? (Choose three.)
(Source: Operationalizing the Cisco Advantage)
A) ISE
B) LMS
C) NAM
D) MSE
E) NCS
Q4) Which three types of data does PI consolidate in a unique way? (Choose three.)
(Source: Operationalizing the Cisco Advantage)
A) Location
B) Policy
C) NetFlow
D) Configuration archive
E) End user experience for wired and wireless
Q5) Which three types of 360 views are available with PI 2.0? (Choose three.) (Source:
Operationalizing the Cisco Advantage)
A) Network
B) Device
C) User
D) Mediatrace
E) Application and Interface 360 views

Q6) Which two installation options are available for PI? (Choose two.) (Source: Prime
Infrastructure Overview, Direction, and Roadmap)
A) Physical appliance
B) Distributed
C) Web-based installation
D) Virtual appliance
E) Windows installer installation
Q7) Which screen is used to add/remove/discover network elements? (Source: Lifecycle
Management of Wired/Wireless Devices)
A) Plug and Play Status
B) Device Work Center
C) Data Sources
Q8) Which five of the following are sources of PI assurance data? (Choose five.) (Source:
Assurance Management)
A) NAM
B) WLC AVC
C) NetFlow
D) Catalyst 6500 series MPA
E) ASR/ISR AVC
F) NGA
Q9) How does PI help to leverage the Cisco Advantage? (Source: Assurance Management)

Q10) What is the easiest way to learn how to install and set up PI? (Source: Cisco Prime
Infrastructure Field Resources)

Module Self-Check Answer Key
Q1) A,D
Q2) B,C
Q3) A,C,D
Q4) A,B,E
Q5) B,C,E
Q6) A,D
Q7) B
Q8) A,B,C,E,F
Q9) PI provides a single pane of glass for true converged wired and wireless lifecycle and assurance
management as well as centralized policy integration (Prime and ISE.)
Q10) Watch the quick start VoDs

Module 3

One Policy Foundation

Lesson 1

Basic Cisco ISE AAA and Guest Server Setup for Wired and Wireless Networks
Overview
Upon completion of this module, the learner will be able to describe the basic Cisco Identity
Services Engine (ISE) authentication, authorization, and accounting (AAA) setup and guest
server setup for wired and wireless networks.

Objectives
Upon completing this lesson, you will be able to meet the following objectives:
 Explain and configure Cisco ISE in the HTA Hospital network to authenticate users
 Explain and configure the setup of authorization rules in Cisco ISE using Microsoft Active
Directory and downloadable access control lists (dACLs)
 Describe the process of setting up access to a guest server using Cisco ISE
 Explain the process, requirements, and implementation of authentication and
authorization rules in compliance with HTA Hospital policies
Cisco ISE Solution Overview and Positioning
This topic provides an overview of the Cisco ISE solution and describes its position in the
marketplace.

• End-user expectations
- There will be more than 15 billion devices by 2015
- The average worker has 3 devices
- New workspace: anywhere, anytime
- 71% of Gen Y workforce does not obey policies
- 60% will download sensitive data onto a personal device
• IT trends
- 50% of workloads are virtualized to increase efficiency
- 2/3 of workloads will be in the cloud by 2016
- 71% of the world’s mobile data traffic will be video in 2016
- Mobile malware has doubled (2010 to 2011)

Reduce Security Risk | Improve End User Productivity | Increase Operational Efficiencies

According to a 2012 report by Gartner, by 2014 the personal cloud will have replaced the
personal computer as the center of the user’s digital life.
Currently, the average number of devices per user is three.
The following are additional interesting statistics:
 70 percent of organizations have a formalized bring your own device (BYOD) program or
plan to have one.
 50 percent of organizations allow executives to bring their own device, with or without
restrictions.
 88 percent of organizations believe that the use of personal devices increases employee
satisfaction
This has led to an explosion of new, uncontrolled devices showing up on the secure network.
You need a solution that can support these devices without impairing the efficiency and
efficacy of IT staff.

• BYOD provides improved productivity, lower cost, and added security
- Challenge: Support BYOD without increasing IT operational costs
- Solutions: Zero-touch portal automates device registration, application containerization, device posture.
• Secure access control leads to device visibility (profiling), posture, contextual control, and AAA.
- Challenge: Identifying what is on the network
- Solutions: Device fingerprinting (identifying “things”), posture analysis
• Consistent network wide policy control means differentiated access control
- Challenge: Ensure consistent E2E policy that is topology independent
- Solutions: Cisco TrustSec and policy management

Industries shown: TECHNOLOGY, UTILITY, ENERGY, HEALTHCARE, HIGHER ED, SECONDARY ED

Data is merging. By 2015, 60% of data will have moved to virtualized environments. How will
you manage this merge?
The workplace is segmenting and changing. You have to keep up and understand how to give
the right type of access to the right person. How can you assure the correct access?
The answer that Cisco provides is One Policy, One Management, One Network.
The work of putting the device on the network, registering the device, putting the device in the
right container, and checking the health of the device all needs to be pushed back to the user,
yet remain relatively seamless to the user.
You also need a way to identify the type of device. Is it an iPad? Is it a Mac or a Windows
machine? Profiling will be discussed later in the course. You also need a way to look for
additional details on the device, such as its processes and application registries. If there is
something on the device that is contrary to corporate policies, can you shut down that device
or application? Security posture will be discussed later in this course.
All of these functions have to be deployed as a centralized end-to-end policy over both the
wired and wireless networks of the entire organization. This need is not tied to just one industry
or environment. The figure shows just a few of the partnerships that Cisco has made across
diverse industries.


• Policy management solution (Gartner 2013 NAC MQ)
- Unified network access control
- Turn-key BYOD solution
- First system wide solution
- Deep network integration
- System wide policy control from one screen
- Award-winning product
• 2012 Cisco Pioneer Award
- Over 400 trained and trusted ATP partners
- Over 1000 wins in year 1

In 2012, Cisco ISE won the Cisco Pioneer Award as the first systemwide integration.
Cisco ISE provides a single screen to manage wired employees, wireless guests, and
remote VPN employees.
Access control is an architecture. Cisco offers a program to certify and train partners. The
partners go through one week of extensive training, and then pass an exam, and their first three
designs must be approved by Cisco or someone in their organization who is fully trained. To
sell a stock-keeping unit (SKU) with advanced wired or wireless features, you must be a
certified Cisco Authorized Technology Provider (ATP). Partners who are not ATP certified can
work with Cisco or select specialists who are certified.

Secure Access on Wired, Wireless, and VPN: Control with one policy across wired, wireless, and remote infrastructure
BYOD: Users get on the Internet safely, fast, and easy
Guest Access: It’s easy to provide guests limited time and resource access
Cisco TrustSec Network Policy: Rules written in business terms control access

Cisco ISE addresses some core secure access use cases. Those use cases include BYOD where
personal devices come onto the network and guest services to offer safe and seamless network
access to nonemployees. Cisco ISE helps to simplify secure access policy across wired,
wireless, and remote networks for users and devices.
A policy-based networking approach helps IT staff to accomplish business goals. For example,
staff may give authorized users, such as doctors and nurses, access to sensitive data when they
are in certain locations or using specific devices, while restricting access from other locations
or from other devices. For a more precise example, a policy might permit a doctor to access
data from anywhere using a hospital laptop, but restrict access to a specific resource from a
personal device outside the office. In regards to HTA Hospital, the network administrator has
decided to take this approach for managing the access and authorization requirements for the
hospital staff and guests by establishing policies that allow them to access the resources they need.
A policy is broadly defined as “a definite course or method of action to guide and determine
both present and future decisions.”
As an administrator, ask the following questions:
1. How are you currently managing BYOD?
2. Can you enforce security policy consistently across wired, wireless, and remote access
networks?
3. How do you expect to control security all the way into a virtual data center?
4. Can you enforce secure access with efficiency?
5. What scenarios are critical to your organization?
There is an entire guest life cycle process that is built into Cisco ISE. As an example, a sponsor
securely logs in and creates guest user accounts for patients to get to a select internal server, yet
Cisco ISE can still allow visitors to log in and create their own self-registered accounts to get
to the Internet. This ability includes reporting, auditing, and a way to suspend and reinstate
accounts through a single pane.


Within Cisco ISE, you can write policies that are business relevant and that pertain to your
organizational needs.

[Figure: Identity (WHO) and context (WHAT, WHERE, WHEN, HOW) feed security policy attributes, which Cisco ISE turns into business-relevant policies across wired, wireless, and VPN access. Endpoints shown: VM client, IP device, guest, employee, remote user. Replaces AAA and RADIUS, NAC, guest management, and device identity servers.]

You can address multiple attributes that Cisco ISE combines to form a context to which a
policy is applied. As the context changes, the policy being applied can change as well.
Users will have a seamless experience with all forms of access, whether wired, wireless, or
VPN (remote).
This product will improve security while improving the user’s quality of experience and while
reducing IT hassles and errors.
It is important to remember that device identity and BYOD are not just about iPads and iPhones.
There are many types of devices that may need to access the network, including the following:
 Cisco access points (APs) (basic IT operations)
 Lenel door access or badge reader (Physical security)
 Rockwell manufacturing programmable logic controller (PLC) (manufacturing)
 Draeger infusion pump (healthcare)
 Microsoft Xbox 360 (higher education)
 Video surveillance cameras (which are currently being moved from isolated analog
networks to the IP infrastructure, and their numbers are increasing to $2.4 billion market in
2017 with compound annual growth rate [CAGR] of 31.5 percent)

Policy Management: Cisco ISE, Cisco Prime Infrastructure
Policy Information: User Directory; Profiling from Cisco Infrastructure; Posture from End-Point Agents
Policy Enforcement: Cisco Infrastructure: Switches, Wireless Controllers, Firewalls, Routers

Today’s networks must accommodate an ever-growing array of consumer IT devices while
providing user-centric policy and enabling global collaboration. The Cisco TrustSec
architecture addresses this shift by using identity-based access policies to tell you who and
what is connecting to your network, allowing IT to enable appropriate services without
sacrificing control.
The first release of Cisco ISE focused on the pervasive service enablement of Cisco TrustSec
for Cisco Borderless Networks.
The TrustSec portfolio is enhanced with the introduction of the new policy manager, Cisco ISE.
Cisco ISE delivers all the necessary services that are required by enterprise networks (AAA,
profiling, posture, and guest management) in a single appliance platform. Cisco ISE can be
integrated with Cisco Prime Infrastructure as well, which will be discussed later in the course.
Cisco ISE is the platform for delivery of services and the hub for the policy information points.
This layer is where the information that ISE needs is stored or collected. The external identity
sources could be Microsoft Active Directory and/or Lightweight Directory Access Protocol
(LDAP) directories. Cisco ISE collects profiling information from sensors on the network
access devices (NADs) and posture information from Network Admission Control (NAC)
agents pushed out to the endpoints or installed in Cisco AnyConnect.
Policy enforcement is provided by Cisco infrastructure. This layer includes the network devices
that will actually carry and control the traffic. The policy enforcement points are the switches,
wireless LAN controllers (WLCs), firewalls, and routers. In Cisco ISE, they are configured as
the network devices and referred to as NADs.

[Figure: Cisco ISE consolidates ACS, Profiler, Guest Server, NAC Manager, and NAC Server into one platform that provides:]
• Centralized Policy
• RADIUS Server
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting

Cisco ISE consolidates the following servers into a single server:
 Access Control Server (ACS), used as the RADIUS server for authentication and
authorization
 NAC profiler, used for device fingerprinting
 NAC guest server, used for guest services
 NAC manager and NAC servers, used to manage and control services for wireless
and VPN users
Cisco ISE provides the following services, as well as monitoring, reporting, and troubleshooting
from a single pane of glass:
 Consolidates services and software packages, which simplifies deployment and
administration tasks
 Provides a session directory to track active users and devices
 Offers flexible Cisco ISE service deployment to optimize where Cisco ISE services run
 Delivers extensibility of applied policies for linked policy information points
 Manages security group access to keep the existing logical design
 Provides systemwide monitoring and troubleshooting capabilities that consolidate data and
give a “three-click” drill-in capability for troubleshooting


Policy Administration Node (PAN)
• Interface to configure policies and manage ISE deployment
• Writeable access to the database

Policy Service Node (PSN)
• Makes policy decisions
• RADIUS server and destination for profiling data

Monitoring and Troubleshooting Node (MnT)
• Interface to reporting and logging
• Destination for syslog from NADs

Inline Posture Node (IPN)
• Enforces policy

A Cisco ISE node is a running installation of the Cisco ISE software. This installation can be
on a physical appliance or on a virtual machine (VM) within a VMware environment.
There are three major collections of Cisco ISE services that are organized into personas. These
personas are responsible for different functions within the Cisco ISE architecture. They may be
collocated on a single node or distributed across multiple nodes.
The three personas include the following:
 Policy administration persona: This persona is the interface for configuring policies. This
persona is the control center in the Cisco ISE deployment, controls the licensing, and
contains the user interface. The administration persona is also responsible for pushing the
configurations out to other nodes in a distributed deployment. Nodes that implement the
policy administration persona are often referred to as policy admin nodes (PAN).
 Policy service persona: This persona is an engine that makes policy decisions. This
persona is the main run-time engine that processes all of the network messaging that
pertains to the Cisco ISE deployment. This messaging includes DHCP, Cisco Discovery
Protocol, NetFlow, and RADIUS, among others. Nodes that implement the policy service
persona are often referred to as policy service nodes (PSN).
 Monitoring persona: This persona is the interface for logging and reporting data. This
engine collects all logs and correlates them. In addition, this persona generates reports and
any alarms for the Cisco ISE system. Nodes that implement the monitoring persona are
often referred to as monitoring nodes (MnT).
Finally, there is the inline posture node (IPN). Adaptive security appliances (ASAs) currently do
not support RADIUS Change of Authorization (CoA) for profiling and posturing of VPN
tunnels, so you need an IPN to act as the proxy RADIUS policy enforcement point between the
ASA firewalls and the PSN. The IPN can also be used between Cisco APs and the PSN as a
RADIUS proxy. Note that the IPN cannot run on the same hardware as any of the other
personas.

3-12 Unified Access SE Boot Camp (UASEBC) v1.0 © 2013 Cisco Systems, Inc.
Figure: how the ISE nodes interact.
• NAD (network access device): the access-layer device and the enforcement point for all policy.
• MnT (Monitoring and Troubleshooting node): logging and reporting data.
• PSN (Policy Service node), the "workhorse": all RADIUS, profiling, WebAuth, posture, sponsor portal, and client provisioning.
• PAN (Policy Admin node): all management UI activities and synchronizing all ISE nodes.
Flows shown: policy sync from the PAN to the PSNs; RADIUS from the NAD to the PSN; the RADIUS response from the PSN to the NAD; the PSN queries the external database; user RADIUS accounting from the NAD to the PSN; syslog to the MnT (from the PSN, or directly from the NAD).


How do all these personas work together?

First, the administrators log in to the PAN, where they configure Cisco ISE with the
deployment infrastructure and deployment policies. Once the policies are completed, they are
synced to the PSNs and audited to the MnT.
The user connects to the NAD (the switch or WLC). The NAD, acting as the RADIUS client,
sends a RADIUS Authentication request to the PSN, which is the RADIUS server.
The PSN checks the authentication rules and queries the appropriate user database (internal,
Active Directory, or LDAP) to verify the authentication credentials.
Based upon the response from the user database, the PSN locates the correct authorization
profile to apply to the user. These policies, which may include downloadable ACLs (dACLs),
virtual LANs (VLANs), voice domains, and even security group tags (SGTs), are sent to the
NAD in the RADIUS response.
The NAD applies the policies by attaching the dACL, VLAN, or SGT to the user's traffic via
session numbers. The NAD also sends RADIUS accounting messages to the PSN. The PSN
correlates the messages and forwards all the session audit records and syslogs to the MnT.



Figure: standalone versus distributed deployment.
• Standalone deployment: one ISE node running the PAN (Admin), MnT (Monitoring), and PSN. Maximum endpoints (platform dependent): 2000 for 33x5, 5000 for 3415, 10,000 for 3495.
• Distributed deployment: the first node runs the primary PAN, the secondary MnT, and a PSN; the second node runs the secondary PAN, the primary MnT, and a PSN. Maximum endpoints 10,000 (platform dependent); redundant sizing 10,000 (platform dependent).

Cisco ISE can be installed on both hardware and VMs (ESXi or ESX). Standalone deployment
keeps all three personas on a single node which will support up to 2000 endpoints on the Cisco
ISE 33x5 platforms or 5000 and 10,000 endpoints on the new Cisco ISE 3415 and Cisco ISE
3495 platforms respectively.
In a distributed deployment, you need a minimum of two nodes, with the primary PAN on one
node and the secondary PAN on the other. For performance and load splitting, it is
recommended that the primary PAN and the secondary MnT be collocated, as well as the
secondary PAN and the primary MnT. Note that even though you now have two PSNs, the
maximum number of endpoints remains 2000, 5000, or 10,000.

Cisco ISE Appliance 3315 (Small)
  Processor: 1 x QuadCore Intel Core 2 CPU Q9400 @ 2.66 GHz (4 total cores)
  Memory: 4 GB
  Hard Disk: 2 x 250-GB SATA HDD (250 GB total disk space)
  RAID: No
  Ethernet NICs: 4x Integrated Gigabit NICs
  Concurrent Endpoints: 3000 maximum

Cisco ISE Appliance 3355 (Medium)
  Processor: 1 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz (4 total cores)
  Memory: 4 GB
  Hard Disk: 2 x 300-GB SAS drives (600 GB total disk space)
  RAID: Yes (RAID 0)
  Ethernet NICs: 4x Integrated Gigabit NICs
  Concurrent Endpoints: 6000 maximum

Cisco ISE Appliance 3395 (Large)
  Processor: 2 x QuadCore Intel Xeon CPU E5504 @ 2.00 GHz (8 total cores)
  Memory: 4 GB
  Hard Disk: 4 x 300-GB SFF SAS drives (600 GB total disk space)
  RAID: Yes (RAID 0 + 1)
  Ethernet NICs: 4x Integrated Gigabit NICs
  Concurrent Endpoints: 10,000 maximum

http://www.cisco.com/en/US/docs/security/ise/1.0.4/install_guide/ise104_ovr.html#wp1103032

In a fully distributed deployment, the policy service persona would be running on its own node
with no other persona running and be referred to as a PSN. Before Cisco ISE 1.2, the software
was a 32-bit operating system. The maximum number of concurrent sessions is limited to 3000,
6000, and 10,000 respectively on the 3315, 3355, and 3395.



• Cisco Secure Network Servers
- Based on the Cisco UCS C220 Server, but designed for the following:
• Cisco Identity Services Engine (ISE)
• Network Admission Control (NAC)
• Access Control Server (ACS)

SNS-3415-K9 and SNS-3495-K9


With Cisco ISE 1.2, the software is 64-bit and runs on the new platforms.
Cisco Secure Network Servers are based on the Cisco UCS C220 Server but designed for Cisco
ISE, NAC, and ACS.

Secure Network Services Appliance SNS-3415-K9
  Processor: 1 - QuadCore Intel Xeon 2.4 GHz
  CPU Model: E5-2609
  # Cores per CPU: 4 (4 total cores)
  # Threads per CPU: 1 (no hyperthreading)
  Memory: 16 GB DDR3-1066 (4 x 4 GB)
  Hard Disk: 1 - 2.5 Inch 600 GB SAS 10K RPM
  RAID: No
  Ethernet NICs: 4 (2 on board; 2 on NIC)
  Power Supplies: 1 x 650 W
  Trusted Platform Module: Yes
  SSL Acceleration Card: No
  Concurrent Endpoints: 5000 (PSN function)

Secure Network Services Appliance SNS-3495-K9
  Processor: 2 - QuadCore Intel Xeon 2.4 GHz
  CPU Model: E5-2609
  # Cores per CPU: 4 (8 total cores)
  # Threads per CPU: 1 (no hyperthreading)
  Memory: 32 GB DDR3-1066 (8 x 4 GB)
  Hard Disk: 2 - 2.5 Inch 600 GB SAS 10K RPM
  RAID: Yes - RAID 1 (600 GB total storage), LSI 2008 SAS RAID mezzanine card
  Ethernet NICs: 4 (2 on board; 2 on NIC)
  Power Supplies: 2 x 650 W
  Trusted Platform Module: Yes
  SSL Acceleration Card: Yes
  Concurrent Endpoints: 20,000 (PSN function)


The SNS-3415 running the 64-bit Cisco ISE 1.2 will support up to 5000 concurrent sessions.
The SNS-3495 running the same software has maximum concurrent sessions of 20,000.
The numbers that are shown are for hardware. If Cisco ISE is installed on a VM (ESXi or
ESX), the VM must be provisioned with the same resources as a particular hardware appliance
to get the same number of concurrent sessions. For instance, if you provision the VM with the
resources of an SNS-3415, then the VM will support up to 5000 concurrent sessions.



Figure: Cisco ISE license types.
• Cisco ISE Base License: Are my endpoints authorized?
• Cisco ISE Advanced License: Are my endpoints compliant?
• Cisco ISE Wireless License: Base + Advanced


The Cisco ISE Base License will support authentication, authorization, and guest services for
both wired and wireless access. This license will allow the organization to manage the who,
what, where, when and how users or devices access the network, based upon user names and
MAC addresses.
If the organization also wants to know dynamically what types of devices are accessing the
network (Android, iPad, Mac, or Windows, for example), that requires profiling. Knowing the
health of the devices, through posturing or mobile device management (MDM), and which
applications the devices use, is also part of this. These advanced services require the Cisco ISE
Advanced License for both wired and wireless.
If the organization needs advanced services only for wireless access, there is a Cisco ISE
Wireless License that supports both Base and Advanced services.

Figure: Cisco ISE license upgrade paths. The Wireless license (Base and Advanced for wireless, no ATP) moves to Full ISE (Wired, Wireless, VPN) through the Wireless to Full ISE Upgrade (ATP). The Base license (ATP) is extended by adding Advanced (ATP). Additional endpoints are added as More Base, More Advanced, or More Wireless.

The Wireless License, which includes both Base and Advanced services, does not require ATP
certification or the ATP process. It only supports wireless NADs; should you attempt to
connect a wired NAD to ISE, the wired NAD configuration will be rejected.
Upgrading from Wireless to full ISE (wired, wireless, and VPN) requires ATP.
The Base License requires ATP and, of course, adding the Advanced License to Base also
requires ATP.



Wired/Wireless/VPN deployment: Base (ATP) and Advanced (ATP). Wireless deployment followed by Wired/VPN: Wireless (no ATP) and Upgrade (ATP). Base licenses are perpetual; Advanced, Wireless, and Upgrade licenses use a new PID with a 3-year or 5-year term.

Endpoints   Base (perpetual)   Advanced (new PID)   Wireless (new PID)   Upgrade (new PID)
100         L-ISE-BSE-100=     L-ISE-ADV-S-100=     L-ISE-W-S-100=       L-ISE-WU-S-100=
250         L-ISE-BSE-250=     L-ISE-ADV-S-250=     L-ISE-W-S-250=       L-ISE-WU-S-250=
500         L-ISE-BSE-500=     L-ISE-ADV-S-500=     L-ISE-W-S-500=       L-ISE-WU-S-500=
1000        L-ISE-BSE-1K=      L-ISE-ADV-S-1K=      L-ISE-W-S-1K=        L-ISE-WU-S-1K=
1500        L-ISE-BSE-1500=    L-ISE-ADV-S-1500=    L-ISE-W-S-1500=      L-ISE-WU-S-1500=
2500        L-ISE-BSE-2500=    L-ISE-ADV-S-2500=    L-ISE-W-S-2500=      L-ISE-WU-S-2500=
3500        L-ISE-BSE-3500=    L-ISE-ADV-S-3500=    L-ISE-W-S-3500=      L-ISE-WU-S-3500=
5000        L-ISE-BSE-5K=      L-ISE-ADV-S-5K=      L-ISE-W-S-5000=      L-ISE-WU-S-5000=
10,000      L-ISE-BSE-10K=     L-ISE-ADV-S-10K=     L-ISE-W-S-10K=       L-ISE-WU-S-10K=
25,000      L-ISE-BSE-25K=     L-ISE-ADV-S-25K=     L-ISE-W-S-25K=       L-ISE-WU-S-25K=
50,000      L-ISE-BSE-50K=     L-ISE-ADV-S-50K=     L-ISE-W-S-50K=       L-ISE-WU-S-50K=
100,000     L-ISE-BSE-100K=    L-ISE-ADV-S-100K=    L-ISE-W-S-100K=      L-ISE-WU-S-100K=

Term PIDs: ISE-ADV-3YR-n / ISE-ADV-5YR-n, ISE-W-3YR-n / ISE-W-5YR-n, and ISE-WU-3YR-n / ISE-WU-5YR-n (for example, n = 100, 250, 500, and so on).

Appliance Platforms
  Physical: ISE-3315-K9, ISE-3415-K9, ISE-3355-K9, ISE-3395-K9, ISE-3395-K9
  Virtual: 1xVM ISE-VM-K9=, 5xVM ISE-5VM-K9=, 10xVM ISE-10VM-K9=
  Small 3315/3415 | Medium 3355 | Large 3395/3495 | Virtual Appliance

The Advanced License sits on top of the Base License.

Appliance Migration SKUs (applicable to NAC/ACS deployments)
  Physical Appliance SKUs: ISE-3315-M-K9, ISE-3395-M-K9, ISE-3355-M-K9, ISE-3415-M-K9, ISE-3495-M-K9
  Virtual Appliance (VM) SKUs: ISE-VM-M-K9=, ISE-5VM-M-K9=, ISE-10VM-K9=, L-ISE-VM-M-K9=, L-ISE-5VM-M-K9=, L-ISE-10VM-M-K9=

Base Migration SKUs (under ATP, applicable to ACS and NGS deployments)
  L-ISE-BSE-100-M=, L-ISE-BSE-250-M=, L-ISE-BSE-500-M=, L-ISE-BSE-1K-M=, L-ISE-BSE-1500-M=, L-ISE-BSE-2500-M=, L-ISE-BSE-3500-M=, L-ISE-BSE-5K-M=, L-ISE-BSE-10K-M=, L-ISE-BSE-25K-M=, L-ISE-BSE-50K-M=, L-ISE-BSE-100K-M=

Advanced Migration SKUs (provides 3-year term; includes Base License; under ATP, applicable to NAC and Profiler deployments)
  L-ISE-ADV-100-M=, L-ISE-ADV-250-M=, L-ISE-ADV-500-M=, L-ISE-ADV-1K-M=, L-ISE-ADV-1500-M=, L-ISE-ADV-2500-M=, L-ISE-ADV-3500-M=, L-ISE-ADV-5K-M=, L-ISE-ADV-10K-M=, L-ISE-ADV-25K-M=, L-ISE-ADV-50K-M=, L-ISE-ADV-100K-M=

Note: When migrating from ACS or NAC to Cisco ISE, the number of appliances can vary, so do not assume
1:1 migration logic.

The figure describes various Cisco ISE migration SKUs.

Secure Access
This topic describes secure access.

Policy-governed Cisco Unified Access


Dependable anywhere access
Enforcement embedded in the network
Automated onboarding and device security


The Cisco BYOD Smart Solution transforms the workspace by providing the most secure,
comprehensive endpoint to network lifecycle management system for the enterprise, resulting
in a productive end-user and IT experience. Cisco empowers organizations to go beyond
BYOD to deliver an uncompromised experience with seamless security. The Smart Solution
also offers policy-governed unified infrastructure and simplified management to ensure
compliance and IT operational efficiency which are the cornerstones to securing BYOD.



Secure Access: Authentication
Secure access has the following components: authentication, authorization, profiling, and
posturing. This topic discusses authentication.

Figure: sample policy flow: Authentication, Authorization, Posture, Profiling.

Proceed through the configuration in the following order:


1. Configure the authentication rules, which define how users or endpoints connect, which
protocols are allowed, and which database they authenticate against.
2. Build the authorization rules. These rules define user groups and which profiles the user
groups will use.
3. Profiling is a separate, independent operation that collects data and determines the types of
endpoints that are connecting to your network. Profiling can occur at any time, but generally
you will want to know whether the user is allowed to connect before spending resources to
determine the type of device that is connecting.
4. You will need to know the type of device that wants to access the network, so posturing
follows profiling. This step tells you which NAC agent to provision to the device, such as a
Windows NAC agent versus a Mac NAC agent versus a web agent.

Authentication
Rule-based authentication policies consist of attribute-based conditions that determine the
allowed protocols and the identity source or identity source sequence to be used for processing
the requests. In a simple authentication policy, you can define the allowed protocols and
identity source statically. In a rule-based policy, you can define conditions that allow Cisco ISE
to dynamically choose the allowed protocols and identity sources. You can define one or more
conditions using any of the attributes from the Cisco ISE dictionary.
Cisco ISE allows you to create conditions as individual, reusable policy elements that can be
referenced from other rule-based policies. You can also create conditions from within the
policy creation page. There are two types of conditions:

 Simple condition: A simple condition consists of three components that include attribute,
operand, and value. The condition can be saved and reused in other rule-based policies.
You can use any attribute from the Cisco ISE dictionary and specify any value that fits the
attribute.
 Compound condition: A compound condition is made up of one or more simple
conditions with an AND or OR relationship. These conditions are built in addition to
simple conditions and can be saved and reused in other rule-based policies.



Examples: printers, miscellaneous devices with no supplicant
Primary auth method: MAB
Example: redirect users to WebAuth if MAB fails


You can authenticate devices that do not have an IEEE 802.1X supplicant. MAC
Authentication Bypass (MAB), over both wired and wireless networks, authenticates printers,
cameras, scanners, and other such devices that generally do not have users behind them, based
on their MAC address. By default, the MAC address table is the internal endpoints database in
ISE. If you need to allow users to connect even though they do not have an 802.1X supplicant
and the MAC address of their device is not in the table, the authentication result is "user not
found"; you can configure ISE to continue on to authorization anyway, so that you can
authorize the traffic to be redirected to a WebAuth portal on the ISE PSN. You will see this
action when you get to guest services.

Figure: MAB after an IEEE 802.1X timeout. The endpoint (MAC address 00.0a.95.7f.de.06) connects to the authenticator, which talks to the RADIUS server.
1. Authenticator to endpoint: EAPOL: EAP Request-Identity, sent three times without an answer.
2. IEEE 802.1X times out and MAB starts. The wait is the time until the endpoint sends its first packet after the IEEE 802.1X timeout.
3. Endpoint to authenticator: any packet, carrying the (unknown) MAC address.
4. Authenticator to RADIUS server: RADIUS Access-Request [AVP: 00.0a.95.7f.de.06].
5. RADIUS server to authenticator: RADIUS Access-Accept, giving the endpoint limited network access.


How does MAB work? The device connects to the access switch, which is the authenticator, and
Cisco ISE is the RADIUS server.
The port on the access switch or NAD comes up. The switch, which is configured with 802.1X
authentication, issues three Extensible Authentication Protocol over LAN (EAPOL) EAP
Request-Identity messages. These messages fail because the device does not have a supplicant
or the supplicant is disabled.
Once the 802.1X timer expires, the source MAC address of the next packet from the device,
whatever its content, is forwarded by the NAD in a RADIUS Access-Request to the RADIUS
server, which is the ISE PSN.
If the MAC address is found in the Cisco ISE internal database, the device is issued the
appropriate access profile.
If the MAC address is unknown (the user is not found), the process continues to authorization,
which causes a WebAuth profile to be pushed to the NAD. That profile allows the device
limited access so that it can be redirected to a web authentication portal.
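The decision the PSN makes at the end of that flow, as an added example that is not part of the course material or Cisco's code: it normalizes the MAC address the NAD puts in the Access-Request into the form used as the endpoint-database key, looks the endpoint up, and applies the "user not found: continue" behaviour described above. The endpoint database, identity groups, profile names and the second MAC address are constructed; the 802.1X timer values (tx-period 30 s, max-reauth-req 2) are assumed IOS defaults used only as parameters.

```python
"""MAB lookup and the "user not found, continue" decision described above.

Added example, not Cisco ISE or IOS code. The internal endpoints database,
identity groups, profile names and the second MAC address are constructed;
the 802.1X timer defaults (tx-period 30 s, max-reauth-req 2) are assumed
IOS defaults and are parameters, not facts from this lesson.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed internal endpoints database: MAC address -> endpoint identity group.
INTERNAL_ENDPOINTS = {
    "00:0a:95:7f:de:06": "Printers",   # the MAC shown in the figure
    "00:1b:21:aa:bb:cc": "Cameras",    # constructed
}

# Constructed authorization results per identity group.
GROUP_PROFILES = {
    "Printers": "Printer_VLAN_Access",
    "Cameras": "Camera_VLAN_Access",
}
WEBAUTH_PROFILE = "CWA_Limited_Access"   # constructed name for the WebAuth redirect profile
DENY_PROFILE = "DenyAccess"


def normalize_mac(mac: str) -> str:
    """Accept 00.0a.95.7f.de.06, 00:0a:95:7f:de:06, 00-0a-95-7f-de-06 or 000a.957f.de06
    and return the canonical colon-separated lowercase form used as the database key."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def dot1x_timeout_seconds(tx_period: int = 30, max_reauth_req: int = 2) -> int:
    """Seconds before the authenticator gives up on EAPOL and starts MAB: the first
    Request-Identity plus max_reauth_req retransmits, each waiting tx_period seconds
    (three Request-Identity frames with the assumed defaults, as in the figure)."""
    return tx_period * (max_reauth_req + 1)


@dataclass(frozen=True)
class Decision:
    result: str                    # "Access-Accept" or "Access-Reject"
    profile: str                   # authorization profile named in the RADIUS response
    identity_group: Optional[str]  # None when the MAC is not in the database


def mab_decision(mac: str, continue_if_not_found: bool = True) -> Decision:
    """What the PSN returns for a MAB Access-Request carrying this MAC address.

    continue_if_not_found models the identity-store "if user not found: continue"
    option: authorization still runs and pushes the WebAuth redirect profile so the
    device gets limited access to reach the portal. With the option off the NAD
    gets an Access-Reject instead.
    """
    group = INTERNAL_ENDPOINTS.get(normalize_mac(mac))
    if group is not None:
        return Decision("Access-Accept", GROUP_PROFILES[group], group)
    if continue_if_not_found:
        return Decision("Access-Accept", WEBAUTH_PROFILE, None)
    return Decision("Access-Reject", DENY_PROFILE, None)


if __name__ == "__main__":
    print("MAB starts after", dot1x_timeout_seconds(), "seconds")
    for mac in ("00.0a.95.7f.de.06", "00-0a-95-7f-de-07"):
        print(mac, "->", mab_decision(mac))
```

The normalization step matters in practice: the NAD, the endpoint database and the figure each write the same MAC address differently, and a lookup that compares raw strings silently turns every known printer into an unknown device that lands on the WebAuth portal.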



Examples: Employees/Staff, Faculty/Students, Extended Access Partners/Contractors

Primary Auth Methods: 802.1X or Agent-based


Managed wired or wireless users will be authenticated with 802.1X authentication. These
managed users will have their credentials stored generally in external databases so you can tell
Cisco ISE to use an identity source sequence database, which will be reviewed later in this
course.

Identity Store: OS Version
  Cisco ISE: internal endpoints, internal users
  RADIUS: RFC 2865-compliant RADIUS servers
  Active Directory: Microsoft Windows Active Directory 2003, 32-bit only; Microsoft Windows Active Directory 2003 R2, 32-bit only; Microsoft Windows Active Directory 2008, 32-bit and 64-bit; Microsoft Windows Active Directory 2008 R2 64-bit; Microsoft Windows Active Directory 2012 (ISE 1.2)
  LDAP Servers: SunONE LDAP Directory Server, Version 5.2; Linux LDAP Directory Server, Version 4.1; NAC Profiler, Version 2.1.8 or later
  Token Servers: RSA ACE/Server 6.x Series; RSA Authentication Manager 7.x Series; RADIUS RFC 2865-compliant token servers; SafeWord server prompts


The figure shows external identity sources that have been tested and proven to work with Cisco
ISE. Note that Cisco ISE 1.2 includes Microsoft Windows Active Directory 2012.

Examples: Employees/Staff, Faculty/Students, Extended Access
Partners/Contractors

Primary Auth Methods: 802.1X or Agent-based

OTP Server Configuration


Very often, organizations use a one-time password (OTP) server for their VPN managed
users. Cisco ISE can be integrated with a number of different OTP servers.

Figure: authentication rule conditions. A more specific condition can be defined to match a flow (for example: user, location), and the allowed protocols are protocol specific.


You can define different protocol lists for different locations or types of NADs in your
deployment.



• AnyConnect 3.1
- Cisco Unified Access interface for the following:
• 802.1X for LAN/WLAN
• VPN (SSL-VPN and IPsec)
• Mobile User Security (WSA/ScanSafe)
- Supports MACsec/MKA (802.1X-REV) for data encryption in software. Performance based on endpoint CPU.
- MACsec-capable hardware (network cards) enhanced performance with AnyConnect 3.0.
• Cisco NAC Agent currently used for posture. Will be merged into AnyConnect in 3.2.


You can use the native supplicant that is provided within the operating system.
A more complete and powerful solution is to use the Cisco AnyConnect agent. AnyConnect
3.1 is a unified access agent that can connect from anywhere in any way. AnyConnect 3.1 offers
a unified access interface for 802.1X (both wired and wireless), VPN (both Secure Sockets Layer
[SSL] VPN and IP Security [IPsec]), and Mobile User Security (Web Security Appliance [WSA]
or ScanSafe). AnyConnect also supports Layer 2 MAC security (MACsec) data encryption
between the endpoint and the access point.
NAC agents are also used for posturing. AnyConnect 3.2 will include the Cisco NAC Agent
Module (NAM).

Secure Access: Authorization
Secure access has the following components: authentication, authorization, profiling, and
posturing. This topic discusses authorization.

Figure: sample policy flow: Authentication, Authorization (Corp Identity Groups), Posture, Profiling.

Authorization profiles combine multiple policy elements into a set that can be applied to
clients. The Task Navigator guides the user through the screens necessary to select appropriate
options for configuring authentication as well as authorization.
Cisco ISE is preconfigured with five default authorization profiles:
 Blacklist_Access
 Cisco_IP_Phones
 Non_Cisco_IP_Phones
 DenyAccess
 PermitAccess
You can edit the built-in profiles, but it is not recommended. In practice, you will need more
granularity, so you create custom authorization profiles. One of the built-in profiles can be
duplicated and used as a starting point for creating custom authorization profiles.
The Blacklist_Access profile is designed to reject connections for systems that are placed on
the black list. This profile is useful when a user reports a lost or stolen device and the device
needs to be removed from the network and prevented from initiating new connections to the
network.
Authorization logic is similar to authentication logic. An authorization policy consists of rules.
Each rule has one or more conditions. The conditions can be simple or compound. You build
authorization conditions by comparing an attribute against a value using an operator.
The main difference between the authentication and the authorization conditions is in the
configuration context.



You can set authentication conditions by navigating to Policy > Policy Elements >
Authentication > Simple Conditions or to Policy > Policy Elements > Authentication >
Compound Conditions.
You can set authorization conditions by navigating to Policy > Policy Elements >
Authorization > Simple Conditions or to Policy > Policy Elements > Authorization >
Compound Conditions.
Build an authorization policy by adding, duplicating, reordering, and deleting rules, just as you
do with authentication policies.

Who? Permissions = Authorizations
• Employee: Set VLAN = 30 (Corp Access)
• Contractor: Set VLAN = 40 (Internet Only)


The figure shows a sample policy that you could build into your authorization rules. As you can
see in the example, the rules define conditions that identify the user groups that reside in an
external Active Directory database. Employees get a permission profile that can assign the
employee to a particular VLAN whereas a contractor will be put into an Internet-only VLAN.
The permission column points to an authorization profile which can include the following:
 dACLs that are stored on Cisco ISE and dynamically pushed down to the switch
 Dynamic VLAN assignment
 Voice domain assignment
 Airespace ACL name
 SGTs
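The authorization logic described in this topic (ordered rules, simple and compound conditions built from attribute, operator and value, and an authorization profile as the result), as an added example that is not Cisco ISE code. It generalizes the Employee/Contractor slide to an arbitrary ordered rule table with first-match semantics and a default profile. The attribute names, Active Directory group names, VLAN numbers, dACL names and profile names are constructed for illustration.

```python
"""Rule-based authorization in the style described above: ordered rules whose
simple or compound conditions compare session attributes against values and,
on the first match, return an authorization profile.

Added example, not Cisco ISE code. Attribute names, AD group names, VLAN
numbers, dACL names and profile names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

Session = Dict[str, Any]   # the attributes learned about one session


@dataclass(frozen=True)
class Simple:
    """A simple condition: attribute, operator, value."""
    attribute: str
    operator: str          # "equals", "contains" or "startswith"
    value: Any

    def matches(self, session: Session) -> bool:
        actual = session.get(self.attribute)
        if actual is None:
            return False                       # an absent attribute never matches
        if self.operator == "equals":
            return actual == self.value
        if self.operator == "contains":        # multivalued attributes such as group lists
            return self.value in actual
        if self.operator == "startswith":
            return str(actual).startswith(str(self.value))
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass(frozen=True)
class Compound:
    """Simple or compound conditions joined with AND or OR."""
    op: str
    parts: Tuple[Any, ...]

    def matches(self, session: Session) -> bool:
        results = [p.matches(session) for p in self.parts]
        return all(results) if self.op == "AND" else any(results)


@dataclass(frozen=True)
class Profile:
    """The permissions carried back to the NAD in the RADIUS response."""
    name: str
    vlan: Optional[int] = None
    dacl: Optional[str] = None
    sgt: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Any          # a Simple or a Compound
    profile: Profile


def authorize(rules: List[Rule], session: Session, default: Profile) -> Profile:
    """Evaluate top to bottom; the first matching rule's profile is the result."""
    for rule in rules:
        if rule.condition.matches(session):
            return rule.profile
    return default


DENY = Profile("DenyAccess")

# Constructed policy mirroring the Employee / Contractor figure.
EMPLOYEES = "corp.example/Users/Employees"
CONTRACTORS = "corp.example/Users/Contractors"
POLICY = [
    Rule("Employee-Corp",
         Compound("AND", (Simple("AD:ExternalGroups", "contains", EMPLOYEES),
                          Simple("Network Access:EapAuthentication", "equals", "EAP-MSCHAPv2"))),
         Profile("Employee_Access", vlan=30, dacl="PERMIT_ALL", sgt=10)),
    Rule("Contractor-Internet",
         Simple("AD:ExternalGroups", "contains", CONTRACTORS),
         Profile("Contractor_Internet_Only", vlan=40, dacl="INTERNET_ONLY")),
]


def authorize_session(session: Session) -> Profile:
    """Run the constructed policy; anything unmatched falls through to DenyAccess."""
    return authorize(POLICY, session, DENY)


if __name__ == "__main__":
    employee = {"AD:ExternalGroups": [EMPLOYEES], "Network Access:EapAuthentication": "EAP-MSCHAPv2"}
    print(authorize_session(employee))
```

Two things worth noticing: a missing attribute never matches, so a session that arrives without group information cannot satisfy a group condition and falls through to the default, and the compound Employee rule only fires for the expected EAP method, so an employee in the right group but authenticated some other way gets DenyAccess rather than the corporate VLAN.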



Secure Access: Profiling
Secure access has the following components: authentication, authorization, profiling, and
posturing. This topic discusses profiling.

Figure: sample policy flow: Authentication, Authorization (Corp Identity Groups), Posture, Profiling.

Figure: profiling probes feeding collection and classification: NMAP, NetFlow, HTTP, SNMP, DHCP, LLDP, RADIUS.


Profiling collects attributes about endpoints via various controllable collectors. Once all the
attributes are collected, they are used to classify the endpoints into endpoint groups. These
groups can be used to monitor and report the endpoints on the network and used to control
access to the network.



Figure: the profiling pipeline in ISE.
• Collection: profiling probes (OUI, DHCP, NetFlow, DNS, HTTP, CDP, LLDP)
• Classification: ID group assignment
• The network applies policies: Internet ONLY, Video VLAN, Voice VLAN, Printer VLAN, and more


With Cisco ISE Profiler, classification begins with the Organizationally Unique Identifier
(OUI), the vendor code in the MAC address. By using some of the other profiling probes, you
can further classify the type of device that is built by a particular vendor. Once Profiler has
classified the device to a certainty factor, the device can then be assigned an authorization
profile. In the example that is shown in the figure, the Cisco-IP-Phone will receive the Cisco-
IP-Phone profile, which could assign the voice VLAN and voice domain with a dACL or SGT.
The Motorola Android device or mobile device will not be allowed to connect. The ISE PSN
sends a RADIUS CoA message to the NAD, which then "bounces" the port or session to cause
a reauthorization that pushes the new authorization profile down to the session as a function of
the profiler classification.

• User-Agent is an HTTP request header that is sent from web browsers to web servers. User-Agent includes application, vendor, and OS information that can be used in profiling endpoints.
- User-Agent attributes can be collected from web browser sessions redirected to ISE (endpoint redirection to the PSN on TCP/8443) for existing services such as:
• Central Web Auth (CWA)
• Device Registration WebAuth (DRW)
• Native Supplicant Provisioning (NSP)


One of the ways to collect endpoint information is through the user-agent attribute in the HTTP
header request. The user-agent identifies the vendor and operating system information. With
guests and non-802.1X devices, traffic is redirected to Cisco ISE web portal, which can then
collect the HTTP user-agent attribute. Through this attribute, the profiler can determine the
vendor, operating system, and browser information.
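The certainty-factor classification that the previous two pages describe (OUI first, then DHCP and HTTP User-Agent evidence, with a reclassification that would drive a CoA), as an added example that is not Cisco ISE code. Each endpoint policy accumulates certainty from the probes that match and wins only if it reaches its minimum; the highest total decides, so a specific policy outranks its generic parent. The OUI table, DHCP class identifiers, User-Agent strings, certainty values and policy names are constructed for illustration (00:0a:95 is the prefix of the MAC used in the MAB figure).

```python
"""Certainty-factor endpoint classification in the spirit of the Cisco ISE
Profiler described above (OUI first, then DHCP and HTTP User-Agent evidence).

Added example, not Cisco ISE code. The OUI table, DHCP class identifiers,
User-Agent strings, certainty values and endpoint policy names are constructed
for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed OUI table: first three octets of the MAC -> vendor name.
OUI_VENDORS = {
    "00:0a:95": "Apple",      # prefix of the MAC used in the MAB figure
    "00:1b:d4": "Cisco",      # constructed
    "40:fc:89": "Motorola",   # constructed
}

# Each policy: (name, minimum certainty, [(attribute, match text, certainty), ...]).
# A policy matches once its accumulated certainty reaches the minimum; the
# highest-scoring policy wins, so specific policies outrank generic ones.
PROFILING_POLICIES = [
    ("Apple-Device",     10, [("oui_vendor", "Apple", 10)]),
    ("Apple-iPad",       30, [("oui_vendor", "Apple", 10), ("user_agent", "iPad", 20)]),
    ("Cisco-IP-Phone",   30, [("oui_vendor", "Cisco", 10), ("dhcp_class_id", "IP Phone", 20)]),
    ("Android-Motorola", 30, [("oui_vendor", "Motorola", 10), ("user_agent", "Android", 20)]),
]


def collect(mac: str, dhcp_class_id: Optional[str] = None,
            user_agent: Optional[str] = None) -> Dict[str, str]:
    """Simulate the probes: OUI from the MAC address, DHCP option 60 (class
    identifier) from the DHCP probe, and User-Agent from the HTTP probe."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    oui = ":".join(digits[i:i + 2] for i in range(0, 6, 2))
    attrs = {"oui": oui, "oui_vendor": OUI_VENDORS.get(oui, "Unknown")}
    if dhcp_class_id:
        attrs["dhcp_class_id"] = dhcp_class_id
    if user_agent:
        attrs["user_agent"] = user_agent
    return attrs


def certainty(attrs: Dict[str, str], rules: List[Tuple[str, str, int]]) -> int:
    """Sum the certainty of every rule whose evidence is present and matches."""
    score = 0
    for attribute, needle, points in rules:
        value = attrs.get(attribute)
        if value is None:
            continue                     # probe has not delivered this attribute yet
        if attribute == "oui_vendor":
            hit = value == needle        # exact match for the vendor
        else:
            hit = needle.lower() in value.lower()   # substring match for free text
        if hit:
            score += points
    return score


def classify(attrs: Dict[str, str]) -> Tuple[str, int]:
    """Return (endpoint policy, certainty); 'Unknown' when nothing reaches its minimum."""
    best = ("Unknown", 0)
    for name, minimum, rules in PROFILING_POLICIES:
        score = certainty(attrs, rules)
        if score >= minimum and score > best[1]:
            best = (name, score)
    return best


def reclassify(previous: str, attrs: Dict[str, str]) -> Tuple[str, int, bool]:
    """Re-run classification as more probe data arrives. The flag reports whether
    the policy changed, which is the event that would make the PSN send a CoA."""
    name, score = classify(attrs)
    return name, score, name != previous


if __name__ == "__main__":
    first = collect("00.0a.95.7f.de.06")
    print(classify(first))
    later = collect("00.0a.95.7f.de.06", user_agent="Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X)")
    print(reclassify(classify(first)[0], later))
```

Running it shows the two-stage behaviour the lesson describes: with only the OUI the device is a generic Apple-Device, and once the HTTP probe sees the redirected browser's User-Agent it becomes an Apple-iPad, the change that triggers the CoA and the new authorization profile.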



Wireless: enable CoA support on the WLC.

Wired: switch configuration commands:
ip http server
ip http secure-server
ip access-list extended REDIRECT-ACL
 deny tcp any host <PSN_IP_address>
 permit tcp any any eq http
 permit tcp any any eq https


To support Profiler and specifically HTTP probe via HTTP redirection, the following must be
enabled:
 On the WLCs
Step 1 Navigate to RADIUS Authentication Servers > Edit.
Step 2 Enable Support for RFC 3576 which supports RADIUS CoA messages. It should be
noted that RFC 3576 has been superseded by RFC 5176.
Step 3 Navigate to WLANs > Edit “guest-cwa”.
Step 4 Choose the Security and then Layer 2 tabs.
Step 5 Click the check box for MAC filtering.
Step 6 Choose the Advanced tab.
Step 7 For the NAC state, select RADIUS NAC from the drop-down menu.
 On the switches, add the following commands to the configuration:
ip http server
ip http secure-server
ip access-list extended REDIRECT-ACL
 deny tcp any host <PSN_IP_ADDRESS>
 permit tcp any any eq http
 permit tcp any any eq https

Note The deny entry ensures that traffic going to the PSN does not get redirected to the
PSN.

Before implementing ip http secure-server, you should generate RSA key pairs with
modulus 2048.

Note The figure shows an example of a simplistic redirect ACL. This ACL will be modified to
support additional protocols later in the course, when posturing is discussed.
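A first-match evaluator for a wired redirect ACL like REDIRECT-ACL, as an added example that is not IOS code. Its purpose is to make the inverted reading of a redirect ACL concrete: a permit entry selects traffic for redirection to the PSN portal, a deny entry exempts it, and the implicit deny at the end means "do not redirect". The evaluator writes the PSN exemption in the `deny tcp any host <PSN>` form and uses 10.1.100.5, the ISE address from this lesson's DHCP helper configuration, as the PSN; the client and web server addresses are constructed.

```python
"""First-match evaluation of a wired redirect ACL such as REDIRECT-ACL above.

Added example, not IOS code. In a redirect ACL a "permit" entry selects traffic
for redirection to the PSN portal and "deny" exempts it, the reverse of the
usual reading of an ACL; this evaluator makes that visible. The PSN address
10.1.100.5 is the ISE helper address used elsewhere in this lesson; the client
and web server addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"http": 80, "https": 443, "domain": 53, "bootps": 67}  # subset of IOS port keywords


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" (redirect) or "deny" (do not redirect)
    protocol: str           # "ip", "tcp" or "udp"
    src: Optional[str]      # None means "any"
    dst: Optional[str]      # None means "any"
    dport: Optional[int]    # None means any destination port


def _parse_addr(tokens: List[str], i: int):
    """Parse "any" or "host A.B.C.D" starting at tokens[i]; return (addr, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form at {tokens[i]!r}")


def parse_ace(line: str) -> Ace:
    """Parse the subset of extended-ACL syntax used in the lesson."""
    t = line.split()
    action, proto = t[0].lower(), t[1].lower()
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported entry: {line!r}")
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i].lower() == "eq":
        port = t[i + 1].lower()
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    """Parse one entry per line; blank lines and "!" comment lines are ignored."""
    return [parse_ace(line) for line in text.splitlines()
            if line.strip() and not line.strip().startswith("!")]


def is_redirected(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> bool:
    """The first matching entry decides; no match is the implicit deny, i.e. not redirected."""
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != proto:
            continue
        if ace.src not in (None, src) or ace.dst not in (None, dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


# The ACL from the lesson, with the PSN address filled in.
REDIRECT_ACL = parse_acl("""
deny tcp any host 10.1.100.5
permit tcp any any eq http
permit tcp any any eq https
""")

# The same entries with the PSN exemption placed last: a common ordering mistake
# that sends the portal's own traffic back into the redirect.
MISORDERED_ACL = parse_acl("""
permit tcp any any eq http
permit tcp any any eq https
deny tcp any host 10.1.100.5
""")


if __name__ == "__main__":
    print("web to PSN redirected?", is_redirected(REDIRECT_ACL, "tcp", "10.1.10.50", "10.1.100.5", 443))
    print("web to internet redirected?", is_redirected(REDIRECT_ACL, "tcp", "10.1.10.50", "203.0.113.10", 80))
    print("misordered, web to PSN redirected?", is_redirected(MISORDERED_ACL, "tcp", "10.1.10.50", "10.1.100.5", 443))
```

The misordered variant is the check worth keeping: if the deny line for the PSN sits below the permit lines, the client's HTTPS session to the portal on the PSN matches `permit tcp any any eq https` first and is itself redirected, which is exactly the loop the Note above warns about.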



• Great and simple method of getting DHCP traffic to ISE.
• Requires configuration of NADs to relay DHCP packets to ISE (the NAD forwards the endpoint's DHCP-REQ to the PSN).
• DHCP probe in ISE will collect DHCP data to use in profiling policy.
• For WLCs, disable DHCP proxy.
Configuration commands:
interface Vlan50
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.100.10
 ! second helper address relays DHCP to the ISE PSN
 ip helper-address 10.1.100.5


Another common profiler probe is DHCP. Cisco ISE looks at the DHCP class identifier, which
gives ISE more information beyond the OUI. By default, DHCP remains in the Layer 2
broadcast domain, and the DHCP server and ISE will generally not be in the same Layer 2
domain. At the Layer 3 default gateway interface, there is an IP helper address pointing to the
DHCP server; there you add an additional IP helper address pointing to the ISE PSN.

Wired, using RADIUS (IOS device sensor):
• Aggregate and forward profiling information (DHCP, CDP, LLDP) over existing RADIUS traffic between NAD and ISE.
• IOS switches collect DHCP, LLDP, and CDP data. Data is sent to ISE as cisco-av-pair using RADIUS accounting updates.
- Supported on IOS 15.0(1)SE1 for Cat 3K
- Supported on IOS 15.1(1)SG for Cat 4K
Configuration commands:
device-sensor accounting
device-sensor notify all-changes

Wireless, using RADIUS (WLC 7.2.11): HTTP and DHCP profiling data is sent from the WLC to the PSN.

With each sensor probe that is initiated, the switch generates a new individual packet to the
PSN, and the PSN must process each packet. This could be a processing issue for each switch
and would certainly be a processing issue for the PSN if all the switches send several packets to
the PSN for every device that accesses the NAD.
The IOS sensor is a new technology added to the switches. The switch now collects all the
probe information locally and sends a single RADIUS packet per device to the PSN. The IOS
sensor of the switch currently collects DHCP, Cisco Discovery Protocol (CDP), and Link Layer
Discovery Protocol (LLDP) data. More probes will be added in the future.
IOS Sensor is supported on IOS 15.0(1) for Catalyst 3000 and IOS 15.1(1) for Catalyst 4000
switches. More platforms are to come.
The following are the configuration commands to activate IOS sensor:
device-sensor accounting
device-sensor notify all-changes
Also, for WLCs beginning with version 7.2.11, client profiling waits, collects HTTP and
DHCP probe information, and sends a single RADIUS av-pair to the PSN for each device
connecting to the WLC.
To activate the sensor on the WLC, from Client Profiling select DHCP and HTTP Profiling.
These sensor probes may support and profile most devices connecting to your network.



• Traffic is mirrored to an interface on ISE policy services node.
• Both SPAN and Remote SPAN are supported.
• Not an optimal way to send traffic to ISE.
• SPAN Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2940/software/release/12.1_19_ea1/configuration/guide/swspan.html
(Figure: WWW, DHCP and HTTP traffic is mirrored through a SPAN session to the PSN.)


Should you have NADs that do not support Central WebAuth redirects or DHCP snooping,
Cisco ISE has the option to collect mirrored traffic through Switched Port Analyzer (SPAN) and
Remote SPAN (RSPAN). The switches have to be configured to mirror the traffic to an interface
on the PSN, which puts a significant load on the network and the PSN, so this should only be
done after careful due diligence. For more information, use the SPAN Configuration Guide on
Cisco.com.

• The NMAP utility incorporated into ISE allows profiler to detect new endpoints via a subnet
scan and to classify endpoints based on their OS, OS version and services as detected by the
NMAP.
• The Network Scan probe is considered an active assessment mechanism since it
communicates directly with the endpoint to obtain information from the source.
• A scan can be triggered dynamically based on policy.
(Figure: the PSN runs an on-demand subnet scan of 10.76.40.0/24; endpoint labels in the
figure read OUI = Apple and IOS Sensor.)


If you have a finely tuned security policy that states you will support a vendor's device but only
if it is running a particular code or operating system version, then HTTP and DHCP may not
collect enough attributes for you to differentiate the profiled devices. You may need to activate
the NMAP (targeted active scan) of the endpoint. To do this, the profiler must first discover the
vendor code of the device and then go back and do a targeted network map (NMAP) active scan
of the device. Of course, this will give the profiler more details, but it will also put more of a
load on the PSN, and it may also trigger a host IPS sensor on the end station.



• Predefined scan actions
• Default scan action for Unknown endpoints
• Adding scan action. Common Ports is a list of 15 UDP and 15 TCP ports.


NMAP can do an operating system scan, a Simple Network Management Protocol (SNMP)
port scan, or a scan of common port numbers. As noted, you should only do an operating
system scan and SNMP port scan if the operating system was not determined by a previous
passive scan.

(Figure: logos of vendors with built-in profiles: Apple, HP, Motorola, Cisco, Blackberry,
WYSE, Lexmark, VMware, Microsoft, Xerox, Samsung.)

There are profiles that are built into Cisco ISE that accommodate devices from most major
vendors. But what if there is not a profile for your device? This problem will be discussed later
in the course.


An exhaustive list of canned profile policies to uniquely identify the many devices that could
possibly access your network is built into Cisco ISE. First, there are the parent groups that are
identified by the OUI or vendor code. Each parent has many child devices or groups. The child
groups can have many child devices. Your authorization rules can apply permission profiles to
the parent group, child group, or child devices, depending upon how granular you make your
security policy.



• No need to wait for new Cisco ISE version
• Zero-day support for popular endpoints is added using Feed Server
(Figure: PSNs receive notifications of newly supported profiles from the Cisco Feed Server DB,
to which partners also contribute.)

Even though the canned profiles are extensive, there are more devices available that have not
yet been defined as a profiled endpoint. As new devices come out, new profile policies have to
be developed. There are also devices that are unique to your particular business.
Cisco ISE 1.2 offers the Profiler Feed Service. As new devices are defined, either by Cisco or
by partners and confirmed by Cisco, the policies are placed on the Profiler Feed Service.
Cisco ISE can then retrieve the new profiles from the feed server and dynamically add them to
the Cisco ISE profile database.

What = ? Who = Employee
Permissions = Authorizations
• Employee Phone: Set VLAN = 601 (Internet Only)
• Employee PC: Set VLAN = 603 (Full Access)

Now that the profiler has discovered what the device is and to which group the device belongs,
you can apply authorization policies to the devices based on the vendor group, device group, or
even a particular device. The device groups will be stored in the internal Cisco ISE database
and will be identified in the authorization rule as the ID group. You can further implement a
policy that also looks at the user group. In the example that is shown in the figure, an employee
smart phone can access the internet, but an employee who has a workstation has full access. In
the hospital, doctors with Windows notebooks can get full access, but the same doctors with
iPads can only get to the radiology server and internet. Patients with iPads can only go to the
internet.



• Would like to group all my smart phones and iOS devices into a logical profile to facilitate
writing policy
(Figure: the IP-Phones and iOS-Devices profile groups.)

As you create more authorization profiles, you will end up creating more and more groups.
Cisco ISE 1.2 introduces logical profiling groups. With logical profile groups, you can assign
many different profile groups into a single logical profile group to which a common
authorization profile will be attached.

What = ? Who = Employee
Permissions = Authorizations
• Employee Phone: Set VLAN = 601 (Internet Only)
• Employee PC: Set VLAN = 603 (Full Access)

Logical profile groups allow for much cleaner rules as authorization rules can reference logical
groups as opposed to many vendor groups.
The figure shows an example of implementing a smart phone policy using a logical profile in
Cisco ISE.



Secure Access: Posture
Secure access has the following components: authentication, authorization, profiling, and
posturing. This topic discusses posture.

(Figure: secure access components: authentication, authorization, profiling, posture,
corporate identity groups, and a sample policy.)

• Posture is the state of compliance with the company’s security policy.
- Is the system running the current Windows patches?
- Do you have anti-virus software installed? Is it up to date?
- Do you have anti-spyware installed? Is it up to date?


Cisco ISE posture service provides you with the capability to check the health of the endpoints
and, depending on the results, assign appropriate connectivity permissions. Cisco ISE
determines the security posture by obtaining from the NAC Agent of the endpoint the status of
various software components, such as service packs, software patches, antivirus, and
antispyware applications.
Cisco ISE provides automated rule sets to simplify management for over 350 partner
applications, including Microsoft Windows, online services, and antivirus software vendors.



• Microsoft updates
 - Service packs
 - Hotfixes
 - OS/Browser versions
• Antivirus installation/signatures
• Antispyware installation/signatures
• File data
• Services
• Applications/processes
• Registry keys

Posture conditions are used to check specific attributes on the client system. A posture
condition can be one or any combination of the following conditions:
• File condition: A simple condition that checks the existence of a file, the date of a file, and
the versions of a file on the client. This condition is available for Windows computers.
• Registry condition: A simple condition that checks for the existence of a registry key or
the value of the registry key on the client. This condition is available for Windows
computers.
• Application condition: A simple condition that checks if an application (process) is
running or not running on the client. This condition is available for Windows computers.
• Service condition: A simple condition that checks if a service is running on the client. This
condition is available for Windows computers.
• Dictionary simple condition: A simple condition that compares a dictionary attribute with a
value using an operator.
Examples of common posture conditions include the following:
• Windows update verification: Verifies the proper service pack and patch levels.
• Virus application verification: Verifies that the client has the correct antivirus software
installed. This function may also be used in a less restrictive capacity to verify that the
client simply has any antivirus installed.
• Virus definition verification: Verifies that virus definitions are newer than a specific date.
• Windows screen saver password verification: Verifies that the client has a Windows
screen saver password configured.
• Registry entry verification: Verifies the client registry key.

• Employee policy
 - Microsoft patches updated
 - McAfee AV installed, running, and current
 - Corp asset checks
 - Enterprise application running
• Contractor policy
 - Any AV installed, running, and current
• Guest policy
 - Accept AUP (no posture, Internet only)

The Cisco NAC Agent is installed on the endpoints to assist in the posture assessment and
remediation of client devices. The NAC Agent validates the endpoint for compliance, which is
based on the requirements that are sent from the Cisco ISE server and determines the posture of
the endpoint. If the endpoint is not compliant with the requirement, then the NAC Agent
prompts to remediate the endpoint for compliance. Any failures during posture evaluation will
result in the noncompliance of the endpoint. The NAC Agent sends the appropriate compliance
report to the Cisco ISE server once the endpoint is postured as compliant or noncompliant.
There are three types of NAC Agent:
• NAC Agent for Windows: This read-only client software can check the host registry,
processes, applications, and services. The NAC Agent for Windows can be used to perform
Windows updates or antivirus and antispyware definition updates, launch qualified
remediation programs, distribute files that are uploaded to the Cisco ISE server, distribute
links to websites for users to troubleshoot their systems, or simply distribute information
and instructions.
• NAC Agent for Macintosh: The Macintosh NAC Agent provides the posture assessment
and remediation for client machines and returns the results to the Cisco ISE.
• NAC Web Agent: This agent provides temporal posture assessment for client machines.
Users can launch the NAC Web Agent executable file, which installs the Web Agent files
in a temporary directory on the client machine via ActiveX control or Java applet. After
users log into the NAC Web Agent, the Web Agent gets the requirements that are
configured for the user role and the operating system from the Cisco ISE server, checks the
host registry, processes, applications, and services for required packages, and sends a report
back to the Cisco ISE server. If requirements are met on the client, the user is allowed
network access. If requirements are not met, the Web Agent presents a dialog to the user
for each requirement that is not satisfied. The dialog provides the user with instructions and
the action to take for the client machine to meet the requirement. If the specified
requirements are not met, users can choose to accept the restricted network access while
they try to remediate the client system so that it meets requirements for the user login role.



NAC Agent for Windows
 Posture assessment options: OS/service packs/hotfixes; process check; registry check; file
 check; application check; AV installation; AV version/AV definition date; AS installation;
 AS version/AS definition date; Windows update running; Windows update configuration;
 WSUS compliance settings
 Remediation options: message text (local check); URL link (link distribution); file
 distribution; launch program; AV definition update; AS definition update; Windows update;
 WSUS
Web Agent for Windows
 Posture assessment options: OS/service packs/hotfixes; process check; registry check; file
 check; application check; AV installation; AV version/AV definition date; AS installation;
 AS version/AS definition date; Windows update running; Windows update configuration;
 WSUS compliance settings
 Remediation options: message text; URL link; file distribution
NAC Agent for Mac OS
 Posture assessment options: AV installation; AV version/AV definition date; AS installation;
 AS version/AS definition date
 Remediation options: message text; URL link; AV live update (AS live update)

The table in the figure lists posture assessment and remediation options.

• Corporate Policy
- Must have Kaspersky AV installed
- Automatic remediation enforced
• Guest Policy
- Must have AV installed but can be
ANY vendor


The figure shows a posture policy example.
The policy says that corporate Windows workstations must have Kaspersky antivirus (AV)
software installed and that automatic remediation is enforced.
The guest policy is that an AV must be installed, but any vendor is supported.
First, configure the AV remediation policy, which defines what remediation actions are to be
taken should an endpoint be noncompliant with the AV requirements.
Second, configure the requirements policy to define the requirements and point to the
remediation policy.
Finally, configure the posture policy rules, which match on the ID group learned by the
profiling rules, the operating system learned by profiling, and the user group in the external
identity source. If the conditions are met, the posture requirements are assigned.
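The block below is an added example, not Cisco ISE code, that puts the posture condition types listed earlier (file, registry, application, service, AV installation and definition date) and the three-layer structure just described (remediation action, requirement, posture rule keyed on ID group, operating system and user group) into one evaluator, using the corporate-Kaspersky and guest-any-AV policy as the rule set. The endpoint reports, group names, the seven-day definition age, the process name and the registry "watermark" key are constructed for the example.

```python
"""Posture conditions, requirements and policy rules evaluated against an agent report.

Added example for this page, not Cisco ISE code. Everything below the
condition helpers (rules, group names, reports, dates) is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple

TODAY = date(2013, 6, 1)  # constructed reference date for definition-age checks


@dataclass
class EndpointReport:
    """What the NAC Agent reports about the client (constructed sample data)."""
    os: str
    files: Set[str]
    registry: Dict[str, str]
    processes: Set[str]
    services: Set[str]
    av_products: Dict[str, date]   # product name -> definition date


Condition = Callable[[EndpointReport], bool]


def file_exists(path: str) -> Condition:            # file condition
    return lambda r: path in r.files


def registry_value(key: str, value: str) -> Condition:   # registry condition
    return lambda r: r.registry.get(key) == value


def process_running(name: str) -> Condition:        # application condition
    return lambda r: name in r.processes


def service_running(name: str) -> Condition:        # service condition
    return lambda r: name in r.services


def av_installed(vendor: Optional[str] = None) -> Condition:
    """vendor=None accepts any AV product (the guest policy)."""
    return lambda r: any(vendor is None or name == vendor for name in r.av_products)


def av_definitions_current(max_age_days: int) -> Condition:
    return lambda r: any(TODAY - d <= timedelta(days=max_age_days)
                         for d in r.av_products.values())


@dataclass
class Requirement:
    name: str
    condition: Condition
    remediation: str   # what the agent does or tells the user when the check fails


@dataclass
class PostureRule:
    name: str
    id_group: str      # from profiling; "Any" is a wildcard
    os_prefix: str     # from profiling; "Any" is a wildcard
    user_group: str    # from the external identity source; "Any" is a wildcard
    requirements: List[Requirement]


WATERMARK_KEY = r"HKLM\SOFTWARE\HTA\Asset"   # constructed "corp asset" watermark

RULES = [
    PostureRule("Corporate-Windows", "Workstation", "Windows", "Employees", [
        Requirement("Kaspersky-Installed", av_installed("Kaspersky"),
                    "Automatic remediation: launch Kaspersky AV installer"),
        Requirement("Kaspersky-Current", av_definitions_current(7), "AV definition update"),
        Requirement("Corp-Watermark", registry_value(WATERMARK_KEY, "corp"),
                    "Message text: device is not a registered corporate asset, contact IT"),
        Requirement("Enterprise-App", process_running("hta-agent.exe"),
                    "Launch program: hta-agent.exe"),
    ]),
    PostureRule("Guest", "Any", "Any", "Guests", [
        Requirement("Any-AV-Installed", av_installed(),
                    "Message text: install an antivirus product, then reconnect"),
    ]),
]


def select_requirements(rules: List[PostureRule], id_group: str, os_name: str,
                        user_group: str) -> List[Requirement]:
    """First matching posture rule decides which requirements apply."""
    for rule in rules:
        if rule.id_group not in ("Any", id_group):
            continue
        if rule.os_prefix != "Any" and not os_name.startswith(rule.os_prefix):
            continue
        if rule.user_group not in ("Any", user_group):
            continue
        return rule.requirements
    return []


def assess(report: EndpointReport, requirements: List[Requirement]
           ) -> Tuple[str, List[Tuple[str, str]]]:
    """Return ("Compliant" | "NonCompliant", [(failed requirement, remediation), ...])."""
    failed = [(q.name, q.remediation) for q in requirements if not q.condition(report)]
    return ("Compliant" if not failed else "NonCompliant"), failed


def posture_status(report: EndpointReport, id_group: str, user_group: str) -> str:
    return assess(report, select_requirements(RULES, id_group, report.os, user_group))[0]


# Constructed agent reports
CORP_PC = EndpointReport("Windows 7", {r"C:\Windows\explorer.exe"}, {WATERMARK_KEY: "corp"},
                         {"explorer.exe", "hta-agent.exe"}, {"wuauserv"},
                         {"Kaspersky": date(2013, 5, 30)})
STALE_CORP_PC = EndpointReport("Windows 7", set(), {WATERMARK_KEY: "corp"},
                               {"hta-agent.exe"}, set(), {"Kaspersky": date(2013, 4, 1)})
GUEST_NO_AV = EndpointReport("Windows XP", set(), {}, set(), set(), {})
GUEST_AVG = EndpointReport("Windows 7", set(), {}, set(), set(), {"AVG": date(2013, 5, 20)})
```

Two behaviours are worth noticing when reading the result: a session that matches no posture rule receives no requirements and is therefore reported compliant, so the rule set, not the agent, decides who is checked at all; and the failed list carries the remediation text, which is what the agent turns into the automatic action or the dialog described above.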



I know who you are, but are you logging in from a corporate device?
• User identity: corporate user or guest (non-employee)?
 - Username/password credentials (802.1X or WebAuth)
 - User certificate (802.1X)
• Machine "identity": corporate or personal?
 - MAC address: lookup to AD/LDAP, profiling
 - Machine certificate (802.1X); non-exportable user certificate
 - Passwords: machine auth with PEAP-MSCHAPv2; EAP chaining
 - Posture
• How do I tie the two together in a single access policy?
(Figure: "Hi, I am jsmith and my password is *******" identifies the user; the device with MAC
00:11:22:AA:BB:CC identifies the machine; user + machine = access policy.)

You can perform both machine authentication and user authentication before assigning the
corporate access policy. You have learned about user authentication using 802.1X and
WebAuth.
You have reviewed a couple of ways to identify the machine, such as MAC address lookup,
either in the internal endpoints database or in an external database like Active Directory or
LDAP. You can learn about devices dynamically through profiling, but that is not really
authentication. Using the posture agent, you can find out details on the machine and can even
check for a registry setting or a particular file location (watermark) to determine if the machine
is a corporate machine.
To truly authenticate the machine, you can install machine certificates and verify those
certificates against the certificate authority (CA).

• NAC or Web Agent checks in Windows registry for domain value.
• Example: mycompany.com.

One way to declare the machine as a corporate machine is to have the NAC or Web Agent
check the Windows registry for the domain value; however, this check can be easily spoofed.
Another option is to "watermark" the machines with an obscure registry setting or an obscure
file with an obscure filename in a hidden directory. If the NAC Agent finds all three, then you
have a high degree of certainty that the machine is a corporate machine.



• EAP chaining uses EAP-FAST protocol extensions
• It ties both machine and user credentials to the device, thus the “owner” is using a corporate
asset
• Machine credentials are authenticated to the network using 802.1X.
• Once a user logs onto the device, session information from the machine auth and user
credentials are sent as part of the same authentication.
• If both machine and user credentials are successfully validated, then the “owner” is tied to
the device (corporate asset).
• If both or either credentials fail, restricted network access can be given according to ISE
policy.
(Figure: machine credentials (machine authentication) and user credentials (user
authentication) are carried over RADIUS to the PSN, which validates them against AD
(EAP-MSCHAPv2 inner method) or PKI (EAP-TLS inner method); result: machine and user
credentials validated.)

Cisco ISE introduced Extensible Authentication Protocol-Flexible Authentication via Secure
Tunneling (EAP-FAST) protocol extensions by including the type length value (TLV) types of
user and machine to do EAP chaining. In a single operating system event, you can encompass
both machine and user credentials. The credentials tie to a specific user and to a specific device.
In the authentication log, you will see not only the host name but also the user name. They are
no longer separate entities; it is one entry. You can now have policies that apply if the user
authentication failed but the machine authentication succeeded, and vice versa. You can also
have policies for when both user and machine fail or both succeed.

User authentication includes both user and machine identity types.
AnyConnect is required for EAP chaining.

To configure authorization rules for EAP chaining, you will need Cisco AnyConnect installed
on the workstation and you will set up the rule conditions for the following:
• Network Access:EapTunnel EQUALS EAP_FAST AND
• Network Access:EapAuthentication EQUALS EAP_TLS AND
• Network Access:EapChainingResult EQUALS <the TLV that you require for the rule>
 - User failed and machine succeeded
 - User succeeded and machine failed
 - User and machine both succeeded
 - User and machine both failed
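As an added example (not Cisco ISE code), the block below models an ordered, first-match authorization rule table that covers the two passages above: the "Who + What" hospital example (doctor with a Windows notebook versus an iPad, patient with an iPad, employee phone versus PC) written with ISE 1.2 logical profiles that put several profile groups behind one name, and the four EapChainingResult conditions just listed, evaluated only when the tunnel is EAP_FAST and the inner method is EAP_TLS. Profile group names, AD group names, the rule order and the resulting access profiles are constructed.

```python
"""Ordered authorization rules over profiled identity, logical profiles, user
group and EAP chaining result; first match wins.

Added example for this page, not Cisco ISE code. Group names, rule order and
access profile names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Logical profiles: one name for several endpoint profile groups (constructed)
LOGICAL_PROFILES: Dict[str, Set[str]] = {
    "Smartphones": {"Apple-iPhone", "Android", "BlackBerry"},
    "Tablets": {"Apple-iPad", "Android-Tablet"},
    "Workstations": {"Windows7-Workstation", "WindowsXP-Workstation", "OS-X-Workstation"},
}

FULL = "Full Access (VLAN 603)"
INTERNET = "Internet Only (VLAN 601)"
RADIOLOGY = "Radiology server and Internet"
MACHINE_ONLY = "Machine-only access (no user logged on)"


def eap_chaining_result(machine_ok: bool, user_ok: bool) -> str:
    """The four EapChainingResult values, in the page's wording."""
    if machine_ok and user_ok:
        return "User and machine both succeeded"
    if machine_ok:
        return "User failed and machine succeeded"
    if user_ok:
        return "User succeeded and machine failed"
    return "User and machine both failed"


@dataclass
class Session:
    username: str
    ad_groups: Set[str]
    identity_group: str                 # endpoint profile assigned by the profiler
    eap_tunnel: Optional[str] = None    # e.g. "EAP_FAST"
    eap_auth: Optional[str] = None      # e.g. "EAP_TLS" (inner method)
    machine_ok: Optional[bool] = None   # None when EAP chaining was not used
    user_ok: Optional[bool] = None


@dataclass
class Rule:
    name: str
    result: str
    ad_group: Optional[str] = None
    identity_group: Optional[str] = None
    logical_profile: Optional[str] = None
    chaining: Optional[str] = None       # required EapChainingResult


def rule_matches(rule: Rule, s: Session) -> bool:
    if rule.ad_group is not None and rule.ad_group not in s.ad_groups:
        return False
    if rule.identity_group is not None and s.identity_group != rule.identity_group:
        return False
    if rule.logical_profile is not None and \
            s.identity_group not in LOGICAL_PROFILES.get(rule.logical_profile, set()):
        return False
    if rule.chaining is not None:
        # EapTunnel EQUALS EAP_FAST AND EapAuthentication EQUALS EAP_TLS AND result
        if s.eap_tunnel != "EAP_FAST" or s.eap_auth != "EAP_TLS" or s.machine_ok is None:
            return False
        if eap_chaining_result(s.machine_ok, bool(s.user_ok)) != rule.chaining:
            return False
    return True


# Chaining rules first: they say more about the session than the profile does.
RULES: List[Rule] = [
    Rule("Corp-Asset-Corp-User", FULL, ad_group="Employees",
         chaining="User and machine both succeeded"),
    Rule("Corp-Asset-No-User", MACHINE_ONLY, chaining="User failed and machine succeeded"),
    Rule("Personal-Device-Corp-User", INTERNET, chaining="User succeeded and machine failed"),
    Rule("Chaining-Both-Failed", "DenyAccess", chaining="User and machine both failed"),
    Rule("Doctor-Windows", FULL, ad_group="Doctors", identity_group="Windows7-Workstation"),
    Rule("Doctor-Tablet", RADIOLOGY, ad_group="Doctors", logical_profile="Tablets"),
    Rule("Patient-Tablet", INTERNET, ad_group="Patients", logical_profile="Tablets"),
    Rule("Employee-Smartphone", INTERNET, ad_group="Employees", logical_profile="Smartphones"),
    Rule("Employee-PC", FULL, ad_group="Employees", logical_profile="Workstations"),
]


def authorize(s: Session, rules: List[Rule] = RULES) -> str:
    """Return the access profile of the first matching rule, else deny."""
    for rule in rules:
        if rule_matches(rule, s):
            return rule.result
    return "DenyAccess"
```

The explicit "both failed" rule sits before the profile-based rules on purpose: without it, a session whose user and machine credentials were both rejected could still fall through to an Employee-PC style rule that matches on group and profile alone.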



• Client:
 - Laptop/desktop with Ethernet/WiFi NIC and one of the following operating systems:
  • Windows 7 SP1 x86 (32-bit) and x64 (64-bit)
  • Windows Vista SP2 x86 and x64
  • Windows XP SP3 x86
  • Windows Server 2003 SP2 x86
 - AnyConnect 3.1MR+ with Network Access Manager Mobile installed
 - AnyConnect 3.1MR+ Profile Editor
• Server:
 - ISE 1.1.1 (1.1MR)

For EAP chaining, you need a client that has an Ethernet or Wi-Fi network interface card
(NIC), and one of the following operating systems:
• Windows 7 SP1 x86 (32-bit) and x64 (64-bit)
• Windows Vista SP2 x86 and x64
• Windows XP SP3 x86
• Windows Server 2003 SP2 x86
You will note that the list includes only Windows operating systems; however, Cisco has taken
a leadership role in driving this as an industry standard to support other platforms as well.

Secure Access: Sample Policy
Secure access has the following components: authentication, authorization, profiling, and
posturing. This topic discusses a sample policy.

(Figure: secure access components: authentication, authorization, profiling, posture,
corporate identity groups, and a sample policy.)

(Figure: the access policy is built from context: user, device type, location, posture, time,
access method, and custom attributes.)

The figure provides an example Cisco ISE authorization policy that uses context-aware access.



VLANs (segmentation point: ingress)
 Pros:
 • Does not require switch port ACL management
 • Preferred choice for path isolation
 Cons:
 • Typically requires IP change
 • Requires the proliferation of common VLANs across access and maintenance
 • VLANs still require some other enforcement mechanisms to be deployed
dACL (segmentation point: ingress)
 Pros:
 • No IP address change required
 • Does not require the proliferation of VLANs across access network and associated VLAN
 management
 • Provides access control directly at switch port versus reliance on upstream security device
 or mechanism
 Cons:
 • Resource limits per switch on ACE count per ACL
SGACL (segmentation point: ingress)
 Pros:
 • Simplifies ACL management and reduces number of ACLs required
 • Uniformly enforces policy independent of source IP
 Cons:
 • Enforcement is not available on all platforms

The table in the figure describes the network segmentation methods that are available for
Cisco ISE policy enforcement.

(Figure: an endpoint access attempt passes through authentication, authorization, posture and
profiler, with a CoA issued after posture and after profiling, resulting in controlled endpoint
access; the numbers 1 through 5 in the figure correspond to the flow below.)

This figure shows how the policy server (Cisco ISE) initiates a change in the authorization
that is enforced at the NAD.
Example CoA flow:
1. Initial state:
NAD port ACL: Permit DHCP, TFTP, KRB5, EAPoL
ISE: Undefined
2. Endpoint connects, 802.1X authentication completes successfully:
NAD port ACL: Permit DHCP, TFTP, KRB5, EAPoL
ISE: UID/PWD = OK, Posture = Unknown, Authorization = Temporary
3. Initial authorization policy from ISE to NAD: allow posture assessment and remediation.
NAD port ACL: IP to ISE, IP to Remediation Server
ISE: UID/PWD = OK, Posture = Unknown, Authorization = Temporary
4. Posture assessment completes, endpoint is compliant.
NAD port ACL: IP to ISE, IP to Remediation Server
ISE: UID/PWD = OK, Posture = Compliant, Authorization = FullAccess
5. CoA message from ISE to NAD, allow unrestricted access:
NAD port ACL: Permit IP to Any
ISE: UID/PWD = OK, Posture = Compliant, Authorization = FullAccess
A Cisco ISE Inline Posture node can be implemented to enforce policy for NADs that do not
support CoA.
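The block below is an added example, not Cisco code, that walks the five steps above while keeping the NAD's port ACL and ISE's session state as two separate records, so the gap between step 4 (ISE already knows the endpoint is compliant) and step 5 (the NAD only learns it through the CoA) is visible. The ACL strings are the page's; the NonCompliant branch with its "Quarantine" ACL, and the NAD object that may or may not honour CoA, are constructed to show what a NAD without CoA support leaves behind.

```python
"""Session state on the NAD versus on ISE through the CoA flow described above.

Added example, not Cisco code. The five steps and their ACL strings follow the
page; the NonCompliant branch, the Quarantine ACL and the CoA-less NAD are
constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple

PRE_AUTH_ACL = "Permit DHCP, TFTP, KRB5, EAPoL"
POSTURE_ACL = "IP to ISE, IP to Remediation Server"
FULL_ACCESS_ACL = "Permit IP to Any"
QUARANTINE_ACL = "IP to Remediation Server only"   # constructed for the example


@dataclass
class Nad:
    """The switch port: it only changes its ACL on Access-Accept or CoA."""
    supports_coa: bool = True
    port_acl: str = PRE_AUTH_ACL

    def access_accept(self, acl: str) -> None:
        self.port_acl = acl

    def change_of_authorization(self, acl: str) -> bool:
        if not self.supports_coa:
            return False          # CoA is silently lost; the old ACL stays in force
        self.port_acl = acl
        return True


@dataclass
class IseSession:
    """ISE's view of the same session."""
    uid_pwd: str = "Undefined"
    posture: str = "Undefined"
    authorization: str = "Undefined"

    def state(self) -> str:
        if self.uid_pwd == "Undefined":
            return "Undefined"
        return (f"UID/PWD = {self.uid_pwd}, Posture = {self.posture}, "
                f"Authorization = {self.authorization}")


Trace = List[Tuple[int, str, str]]   # (step, NAD port ACL, ISE state)


def run_coa_flow(nad: Nad, compliant: bool) -> Trace:
    ise = IseSession()
    trace: Trace = [(1, nad.port_acl, ise.state())]            # 1. initial state
    ise.uid_pwd, ise.posture, ise.authorization = "OK", "Unknown", "Temporary"
    trace.append((2, nad.port_acl, ise.state()))               # 2. 802.1X succeeded
    nad.access_accept(POSTURE_ACL)
    trace.append((3, nad.port_acl, ise.state()))               # 3. initial authorization
    if compliant:
        ise.posture, ise.authorization = "Compliant", "FullAccess"
    else:
        ise.posture, ise.authorization = "NonCompliant", "Quarantine"
    trace.append((4, nad.port_acl, ise.state()))               # 4. posture result on ISE only
    nad.change_of_authorization(FULL_ACCESS_ACL if compliant else QUARANTINE_ACL)
    trace.append((5, nad.port_acl, ise.state()))               # 5. CoA applied (or not)
    return trace


def nad_enforces_ise_decision(trace: Trace) -> bool:
    """True when the NAD's final ACL matches what ISE decided at step 4."""
    _, acl, state = trace[-1]
    expected = FULL_ACCESS_ACL if "FullAccess" in state else QUARANTINE_ACL
    return acl == expected


if __name__ == "__main__":
    for nad in (Nad(), Nad(supports_coa=False)):
        for step, acl, state in run_coa_flow(nad, compliant=True):
            print(f"step {step}: NAD ACL [{acl}] | ISE [{state}]")
        print("NAD enforces ISE decision:", nad_enforces_ise_decision(run_coa_flow(Nad(nad.supports_coa), True)))
```

The CoA-less run ends with the NAD still applying the posture ACL while ISE records FullAccess, which is exactly the mismatch the Inline Posture node mentioned above exists to close.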



Cisco Setup Assistant
This topic describes Cisco Setup Assistant.

• Walks through ISE configuration
• Walks through NAD configuration
• Can help with quick proof of concept setups

Cisco Setup Assistant walks through Cisco ISE configuration and NAD configuration. The
program is not designed for a large policy services node deployment. However, it can be
helpful with quick proof of concept setups.


For authentication, Setup Assistant asks whether you want to connect Cisco ISE to
Active Directory. As you answer the questions, Setup Assistant prompts with additional
questions if it needs to; for example, it asks for the Active Directory credentials or the
domain name. Setup Assistant also has a section where you can indicate the network access
devices in the network. Based on how these questions are answered, including subnets, VLAN
IDs, and so on, Setup Assistant generates a sample configuration for that particular NAD
and IOS version. It does the same thing for the WLC. Obviously, Setup Assistant does not
know the exact interfaces to which these devices are attached, so you cannot simply cut and
paste the output from the window, but Setup Assistant comes close. The user can copy the
output into a text window, enter the actual interfaces that are needed, and then pa
ste that
into the configuration. In this way, Setup Assistant takes care of NAD configuration.



Guest Portal
This topic describes using the guest portal of Cisco ISE.


At HTA Hospital, guests are offered network access. Guests include patients, their families, and
other visitors to the hospital.
This access is offered not only for the well-being of the patients and as a courtesy to their
family and friends, but also as a security measure. Allowing guest access prevents uncontrolled
access to hospital resources through the unwitting assistance of a well-meaning hospital staff
member or employee who offers a visitor or patient access to email or the Internet through the
staff member's own account.
It would be cumbersome if hospital IT staff had to manage all guest accounts by manually
adding them to the authentication server. Instead, the guest services portal in Cisco ISE allows
guests to establish their own accounts through the self-service capabilities of the portal, which
gives guests the access they desire without placing a huge burden on IT staff.

Provision: create sponsor policy; manage sponsor groups; customize portals.
Manage: create guest accounts in the Sponsor Portal.
Notify: notify guest using different methods: print, email, SMS.
Report: report on all aspects of guest accounts.

Cisco ISE guest services cover the full life cycle of guest accounts. The users who create guest
accounts are called sponsors. The Cisco ISE administrator assigns privileges to sponsors, who
in turn may define the attributes of the guest users.
Cisco ISE guest services provide customizable portals for both guests and sponsors.
Cisco ISE guest services allow any sponsor with appropriate privileges to easily create
temporary guest accounts and to sponsor guests. Cisco ISE allows sponsors to provide account
details to the guest by printout, email, or short message service (SMS). The entire experience,
from user account creation to guest network access, is stored for audit and reporting purposes.



• Unifying network access for guest users and employees
On wireless:
 • Using multiple SSIDs
 • Open SSID for Guest
On wired:
 • No notion of SSID
 • Unified port: need to use different auth methods on single port
 • Enter Flex Auth
(Figure: on wireless, separate Corp, Contractor and Guest SSIDs; on wired, employee desktop,
contractor and guest all connect through the same kind of port.)

The Cisco ISE guest services feature is tied to the web authentication functionality. When a
guest user first attaches to the local network, either through a wireless or wired connection,
Cisco ISE assigns that user a very restrictive authorization profile.
On wireless, most organizations will have two Service Set Identifiers (SSIDs): a corporate
SSID using Wi-Fi Protected Access (WPA) Enterprise for the employees to connect to and an
open SSID for guests.
On the wired network, the switch port will use Flex Auth, trying 802.1X first, followed by
MAB. If both fail, authorization continues with WebAuth, as discussed earlier.
Web authentication allows guests, visitors, contractors, consultants, or customers to perform an
HTTP or HTTPS login to access a network, whether that network is a corporate intranet or the
public Internet. Based on the initial restrictive authorization profile, the NAD intercepts the
HTTP request and redirects it to the guest user login portal. The user is presented with a login
page to enter a username and password and, after successful authentication, is associated with
the appropriate authorization profile and is provided controlled network access.

• "I'm your normal guest": temporary users, no 802.1X
• "I can't get on the network": employee with misconfigured system
• Device registration: register personal devices

Web authentication is typically used for guest network access. Guest services are covered later
in this course. Web authentication provides network access to users who authenticate using
HTTP or HTTPS using a centralized Cisco ISE service.
Web authentication may be used as a method of last resort for users with an 802.1X supplicant
that is not installed, is misconfigured, or is not functional. If the 802.1X supplicant is not
functioning properly, web authentication may be used to prompt the user for authentication
credentials and still provide access to the network. Web authentication may also be used for
guest users who have an 802.1X supplicant that is installed, but do not have a user account in
the appropriate identity database.
Web authentication can be implemented in both wired and wireless environments.
WebAuth is also used for personal device registration and onboarding, which is discussed later in this course.

(Figure: redirection of the guest web session to the ISE guest portal for authentication. Components shown: a sponsor (Imran) creating the guest account, ISE as the local RADIUS server, the guest, the WLC and switches, workstations, a mobile device (iPhone), and an AP.)

To create guest accounts, connect to the sponsor portal and log in as a sponsor user. To provision guest accounts on Cisco ISE, you must be a sponsor user. Sponsors are generally employees and will be authenticated against the corporate identity source sequence.
Follow these steps to create guest accounts:
Step 1 Connect to the sponsor portal at https://<PSN-FQDN>:8443/sponsorportal. This assumes that the default sponsor portal port, 8443, has not been changed for the admin portal.
Step 2 (Optional) Create single guest accounts.
Step 3 (Optional) Create random guest accounts.
Step 4 (Optional) Import guest accounts from a file.
Step 5 (Optional) Verify guest user accounts.
Once the sponsor has created a guest account, the guest will attempt to connect to the network and will be redirected to the guest portal on the PSN. There the guest logs in with the newly created username and password, which were provided via printout, email, or SMS.
The organization also has the option to allow guests to create accounts through self-service, which lets the organization track guests without a sponsor having to create each account.
The guest portal is device agnostic: a guest that connects with a workstation gets the full web page, whereas a guest connecting with a smartphone sees a page tailored for that smartphone.


The guest user portal consists of the following elements:
• Guest user login screen: This screen provides username and password fields.
• Acceptable use policy screen: This screen is an optional terms of use agreement.
• Required password change screen: This screen is optional at first login.
• Allow password change screen: This screen allows the user to optionally change a password.
• Self-registration screen: This screen is an optional screen that allows guests to set up their own user accounts.
• Device registration: If enabled, this option allows guest user accounts to self-register a predefined number of endpoints by MAC address. Registration results in static population of the internal endpoint store without a default ID group assignment. The user must have valid credentials to register devices.
Cisco ISE guest services make use of the Distributed Management System of Cisco ISE to
allow for multiple Cisco ISE nodes to communicate with one another in a deployment.
Guest portals must be located on the same policy service nodes that manage the RADIUS
requests that arrive from the NADs. For example, if a node is used to manage RADIUS
requests for a NAD that depends on central WebAuth support, the guest portal must be enabled
on that node.
The guest and sponsor portals will work on any policy service node in a deployment, as long as
that node also has session services functionality enabled.

(Figure: Local Web Auth (LWA) versus Central Web Auth (CWA). LWA: a predefined web auth policy (ACL, URL) is configured on the NAD. CWA: no web auth policy on the NAD; the portal and user authentication are on the PSN.)

To be clear, with WebAuth the web page and the authentication are served by the PSN. The WebAuth PSN must be the same PSN as the RADIUS server for the NADs, because it is RADIUS that returns the authentication session IDs and authorization policies.
Local Web Auth (LWA) means that the WebAuth policy, redirect ACL, interface ACL, and redirect URL are hard-coded on the NAD.
This causes a problem if your RADIUS servers are redundant and the NAD starts using a different RADIUS server PSN than the one the redirect URL points to.
The solution is to use Central Web Auth (CWA). With CWA, the WebAuth policy and the redirect URL are maintained on the PSN and pushed down dynamically to the NADs in RADIUS attribute-value (AV) pairs. With this solution, the RADIUS PSN and the WebAuth URL always refer to the same PSN.

(Figure: ISE database. Guest database: created by sponsors (bulk option), guest “self service”, restricted access duration. External database: LDAP/AD, managed externally, enabled/disabled.)

Where can you find guest user accounts? In Cisco ISE, the guest database contains user accounts that are created by sponsors (with a bulk option), are created by guests through self-service, and have a restricted access duration.
In an external database, user accounts are stored in LDAP or AD, are managed externally, and are enabled or disabled there.


The sponsor portal allows you to perform the following functions:
• Create, edit, delete, suspend, and reinstate guest user accounts.
• View guest details.
Sponsors are authenticated using identity sources that are defined within Cisco ISE. Options include the following:
• Local database
• Active Directory
• LDAP
• RADIUS
Guest sponsor groups define the permissions and settings for the sponsor user. Sponsor users
that belong to a particular sponsor group have a certain set of permissions and settings when
they log into the sponsor portal. You can set role-based permissions for sponsors to allow or
restrict access to different functions, such as creating accounts, modifying accounts, and
sending account details to guests by email or SMS.
For example, if you want a set of sponsors to be unable to log in for a short period while a
configuration is being changed, you can set the sponsor group permission to prevent login. This
method allows you to restrict a set of sponsor users from logging in without having to remove
the sponsor group.
Cisco ISE is preconfigured with three default sponsor groups: SponsorAllAccounts,
SponsorGroupGrpAccounts, and SponsorGroupOwnAccounts. You can modify and delete the
existing groups or create additional groups by navigating to Administration > Guest
Management > Sponsor Groups.


Before provisioning any guest accounts, the system administrator must configure the sponsor
portal. The sponsor portal defines the privileges that the sponsors have within the system.
Follow these steps to configure the sponsor portal settings on Cisco ISE:
Step 1 Optionally configure a sponsor group. The parameters of a sponsor group include
the sponsor authorization levels, guest roles selectable by sponsors, and sponsor time
profiles.
Step 2 Declare the identity source or identity source sequence to be used for sponsor
authentication.
Step 3 Optionally define sponsor conditions.
Step 4 Configure a sponsor group policy.
Step 5 Optionally customize the portal theme.
Step 6 Optionally customize internationalization.
Each sponsor group has a certain authorization level that is associated with it. The authorization
level defines the sponsor permissions and behavior. You configure the authorization levels
under the Authorization Level tab within the sponsor group configuration menu.
You can set Yes or No permission for the following:
• Allow login
• Create accounts
• Create random accounts
• Import CSV
• Send email
• Send SMS
• View guest password
• Allow printing guest details
You can choose one of the following options for View or Edit Accounts:
• No: Sponsors are not allowed to edit any guest accounts.
• All accounts: Sponsors are allowed to edit or view all guest accounts.
• Group accounts: Sponsors are allowed to edit guest accounts that are created by anyone in the same sponsor user group.
• Own account: Sponsors are allowed to edit only the guest accounts they created.
You can choose one of the following options for Suspend or Reinstate Accounts:
• No: Sponsors are not allowed to suspend any guest accounts.
• All accounts: Sponsors are allowed to suspend or reinstate all guest accounts.
• Group accounts: Sponsors are allowed to suspend guest accounts that are created by anyone in the same sponsor user group.
• Own account: Sponsors are allowed to suspend only the guest accounts they created.
• The Account Start Time setting restricts the number of days the sponsor can specify for starting the guest account, which is applicable only for the Start End type of time profile.
• The Maximum Duration of Account setting specifies the maximum duration for which a guest account can be active. The expiration date is based on the maximum duration of the account or the time profile duration, whichever is less. This value overrides the maximum duration value that is set by the sponsor during the creation of the guest account when this value is less than the one specified in the time profile.
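The scope options and the timing rules above, modelled as an added JavaScript example (not code from this guide or from Cisco ISE). The sponsor, guest, and group records, the action names, and the way a sponsor-requested duration interacts with the two caps are assumptions made for the example; only the four scope labels, the Yes/No permission names, and the default group name SponsorGroupGrpAccounts come from the text.

```javascript
// Added example, not from the Cisco student guide: a model of the sponsor
// group scopes for "View or Edit Accounts" and "Suspend or Reinstate
// Accounts" plus the Account Start Time and Maximum Duration rules.
// Sponsor/guest names and the numbers used are constructed sample values.

const SCOPE = Object.freeze({
  NO: 'No',
  ALL: 'All accounts',
  GROUP: 'Group accounts',
  OWN: 'Own account',
});

// A sponsor group as configured under its Authorization Level tab.
// Every Yes/No permission defaults to No (deny by default).
function makeSponsorGroup(name, opts) {
  return {
    name,
    yesNo: Object.assign({
      allowLogin: false, createAccounts: false, createRandomAccounts: false,
      importCsv: false, sendEmail: false, sendSms: false,
      viewGuestPassword: false, allowPrintingGuestDetails: false,
    }, opts.yesNo || {}),
    editScope: opts.editScope || SCOPE.NO,
    suspendScope: opts.suspendScope || SCOPE.NO,
    accountStartDays: opts.accountStartDays !== undefined ? opts.accountStartDays : 0,
    maxDurationDays: opts.maxDurationDays !== undefined ? opts.maxDurationDays : 1,
  };
}

// Does a given scope let this sponsor act on this guest account?
// sponsor = { username, group }, account = { createdBy, creatorGroup }
function scopeAllows(scope, sponsor, account) {
  switch (scope) {
    case SCOPE.NO: return false;
    case SCOPE.ALL: return true;
    case SCOPE.GROUP: return account.creatorGroup === sponsor.group.name;
    case SCOPE.OWN: return account.createdBy === sponsor.username;
    default: throw new Error(`unknown scope: ${scope}`);
  }
}

// Authorization decision for one sponsor portal action. A sponsor whose
// group has Allow login = No can do nothing, matching the "prevent login"
// use described in the text; everything else needs an explicit Yes or an
// in-scope account.
function authorizeSponsorAction(sponsor, action, account) {
  const g = sponsor.group;
  if (!g.yesNo.allowLogin) return false;
  switch (action) {
    case 'view':
    case 'edit': return scopeAllows(g.editScope, sponsor, account);
    case 'suspend':
    case 'reinstate': return scopeAllows(g.suspendScope, sponsor, account);
    default: return g.yesNo[action] === true;
  }
}

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Account Start Time: the start date may be at most accountStartDays ahead.
function startDateAllowed(group, startDate, now) {
  const deltaDays = (startDate.getTime() - now.getTime()) / MS_PER_DAY;
  return deltaDays >= 0 && deltaDays <= group.accountStartDays;
}

// Duration rule: the shorter of the time profile duration and the group's
// Maximum Duration of Account is the cap; a sponsor-requested duration
// (assumed optional here) cannot exceed that cap.
function effectiveDurationDays(group, timeProfileDays, requestedDays) {
  const cap = Math.min(timeProfileDays, group.maxDurationDays);
  return requestedDays === undefined ? cap : Math.min(requestedDays, cap);
}

function expiryDate(startDate, durationDays) {
  return new Date(startDate.getTime() + durationDays * MS_PER_DAY);
}
```

With the group above set to Group accounts for editing and Own account for suspending, a sponsor can edit a colleague's guest account but can only suspend the accounts she created herself, and a five-day group maximum shortens a seven-day time profile to five days.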

There are multiple ways to notify guests of their credentials and other access information:
• Print the details
• Send via e-mail
• Send via SMS

To provision guest accounts on the Cisco ISE, you must be a sponsor user. The configuration is
performed in the sponsor portal. Follow these steps to create guest accounts:
Step 1 Connect to the sponsor portal.
Step 2 (Optional) Create single guest accounts.
Step 3 (Optional) Create random guest accounts.
Step 4 (Optional) Import guest accounts from a file.
Step 5 (Optional) Verify guest user accounts.
To create guest accounts, connect to the sponsor portal and log in as a sponsor user. The
sponsor portal is accessible at the address https://<PSN-FQDN>:8443/sponsorportal. This
assumes the default port 8443 of the sponsor portal has not been changed for the admin portal.
One method of provisioning guest user accounts is for a sponsor to manually create individual
guest user accounts. The attributes that are presented in the configuration page have been
defined in the guest details policy.
Alternatively, you may create a number of random users at one time. In order to configure
random users in the sponsor portal, select the Create Random Guest Accounts menu from the
main sponsor portal window, enter the number of random users to create, a username prefix (if
any), and the group role to which these users should be added.
Another option is to import guest user accounts from a comma-separated value (CSV) file. The
template file, which can be downloaded and viewed using the Download Import File Template
button, determines the format of the file.
The sponsor portal offers the option to view the created guest user accounts. The displayed list
includes the guest usernames, along with their primary attributes, such as first name, last name,
and email address.

(Figure: ISE 1.2 will support multiple pre-activated guest groups. Contractors authenticating with 802.1X PEAP-MSCHAPv2 or EAP-GTC, with LWA to a local WLC portal, or with Remote Access VPN are checked against the ISE guest DB without being sent to the guest portal: “Do not redirect my contractors to guest portal”.)

If you have contractors or guests coming in with 802.1X clients, with LWA to a local WLC portal, or even with Remote Access VPN authentication, you do not want to redirect that traffic to the guest portal. The problem is that a newly created guest account is not activated until the guest actually logs in to the guest portal and accepts the acceptable use policy (AUP). When a guest tries to authenticate with one of these methods, the NAD sends a RADIUS message and the ISE PSN checks the guest database, but because the account has not been activated, the authentication fails.
The solution is to create guest accounts that are preactivated, so that the user can log in via 802.1X, the WLC, or VPN on the ASA. The advantage is that you can use the guest life cycle to manage users who in the past had to be managed by the AD administrator.
Cisco ISE 1.2 will support multiple preactivated groups.

(Figure: “A contractor takes time off. Can I suspend and then reinstate access?”)

Another new feature of Cisco ISE 1.2 is that guest accounts can be suspended and reinstated.

(Figure: “A guest or contractor stay is extended but their account expired.”)

Another new and more important feature of Cisco ISE 1.2 is that an existing account can be
extended by changing the account duration.

(Figure: “Can I limit one active device per Guest account?”)

Additionally with Cisco ISE 1.2, you can now manage the number of sessions per user.

(Figure: a PSN with one interface in the DMZ and one in the Corp network.)

Cisco ISE comes with four interfaces, but by default everything happens on interface 0. Due to
customer requests, Cisco ISE 1.2 now allows you to dedicate an interface specifically for the
guest portal and client provisioning portal in a demilitarized zone (DMZ).


In the Operations tab of the portal configuration, you can define the following guest actions:
• Guest users should agree to an AUP. The selectable options are Not Used, First Login, and Every Login.
• Enable self-provisioning flow or mobile device management (new to Cisco ISE 1.2).
• Enable mobile portal (new to Cisco ISE 1.2).
• Allow guest users to change password.
• Require guests and internal users to change password at expiration.
• Guest users should download the posture client.
• Guest users should be allowed to perform self-service.
• Guest users should be allowed to perform device registration.
• You can check the VLAN DHCP option to refresh the IP address of Windows clients after a VLAN change. This option applies to wired and wireless environments for guests with no posture.

(Figure: localized portal pages: authentication page, acceptable usage policy, success/failure page.)

Cisco ISE provides localization and internationalization support for the following languages for the sponsor portal:
• Chinese traditional; browser locale: zh-tw
• Chinese simplified; browser locale: zh-cn
• Czech_Cestina (new to Cisco ISE 1.2)
• Dutch_Netherlands (new to Cisco ISE 1.2)
• English; browser locale: en
• French; browser locale: fr-fr
• German; browser locale: de-de
• Hungarian_Magyar (new to Cisco ISE 1.2)
• Italian; browser locale: it-it
• Japanese; browser locale: ja-jp
• Korean; browser locale: ko-kr
• Polish_polski (new to Cisco ISE 1.2)
• Portuguese; browser locale: pt-br (Brazilian)
• Russian; browser locale: ru-ru
• Spanish; browser locale: es-es
Internationalization and localization applies to all supported internet browsers. Cisco ISE
allows you to add, modify, and delete custom language templates for the sponsor portal. You
can also duplicate standard language templates, which you then modify to create a custom
template.


You can customize a portal theme by changing text, banners, background color, and images.
This functionality allows you to change the appearance of a portal without having to upload
customized HTML files to the Cisco ISE server. Supported image formats include JPG, JPEG,
GIF, and PNG.
You have, among others, the following customization options:
• You can change the logo of the portal login page. You can choose the default Cisco logo or upload a custom image. When you upload the image, it is automatically resized.
• You can change the background image of the portal login page. You can choose the default Cisco background or upload a custom background image.
• You can change the portal banner logo. You can choose the default Cisco banner or upload a custom banner logo.


To create a personalized portal with custom HTML pages, you must first add a new portal.
The guest portal URL for wired and wireless local web authentication is https://ip:8443/guestportal/portals/PortalName/portal.jsp, where PortalName is the name of the portal as it is created during the upload.
The guest portal redirect URL for CWA is https://ip:port/guestportal/gateway?sessionId=SessionIdValue&portal=PortalName&action=cwa.
The ip and port values are updated by the RADIUS server as the URL redirect is returned to the NAD. These values are the IP address and port number for the Cisco ISE guest portal server.
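The two URL forms above, together with the LWA versus CWA redirect problem from the earlier Local Web Auth / Central Web Auth discussion, modelled in JavaScript as an added example (not code from this guide or from Cisco ISE). It relies on the URL class built into Node.js. The AV-pair attribute names url-redirect and url-redirect-acl are Cisco's documented cisco-av-pair names rather than values quoted on this page; the hostnames, session ID, portal name, and ACL name are constructed sample values.

```javascript
// Added example, not from the Cisco student guide: builds and checks the
// LWA portal URL and the CWA gateway redirect URL quoted above, and shows
// why a hard-coded LWA URL breaks after a RADIUS failover while a CWA URL
// returned by the answering PSN does not. Hostnames, session IDs, portal
// and ACL names are constructed sample values; url-redirect and
// url-redirect-acl are Cisco-documented AV-pair names, not from this page.

const DEFAULT_GUEST_PORTAL_PORT = 8443; // default guest portal port per the text

// LWA portal URL: https://ip:8443/guestportal/portals/PortalName/portal.jsp
function buildLwaPortalUrl(host, portalName) {
  return `https://${host}:${DEFAULT_GUEST_PORTAL_PORT}/guestportal/portals/` +
    `${encodeURIComponent(portalName)}/portal.jsp`;
}

// CWA redirect URL:
// https://ip:port/guestportal/gateway?sessionId=...&portal=...&action=cwa
function buildCwaRedirectUrl(host, port, sessionId, portalName) {
  const u = new URL(`https://${host}:${port}/guestportal/gateway`);
  u.searchParams.set('sessionId', sessionId);
  u.searchParams.set('portal', portalName);
  u.searchParams.set('action', 'cwa');
  return u.toString();
}

// The AV pairs a PSN returns in its Access-Accept for CWA: the name of the
// redirect ACL already present on the NAD, and a redirect URL that points
// back at the PSN which issued it.
function cwaAvPairs(host, port, sessionId, portalName, redirectAclName) {
  return [
    `cisco-av-pair=url-redirect-acl=${redirectAclName}`,
    `cisco-av-pair=url-redirect=${buildCwaRedirectUrl(host, port, sessionId, portalName)}`,
  ];
}

// Parse and validate a CWA redirect URL before trusting its parameters:
// HTTPS only, the gateway path, and all three query parameters present.
function parseCwaRedirect(urlString) {
  const u = new URL(urlString);
  if (u.protocol !== 'https:') throw new Error('CWA redirect must be HTTPS');
  if (u.pathname !== '/guestportal/gateway') throw new Error('not a CWA gateway URL');
  const sessionId = u.searchParams.get('sessionId');
  const portal = u.searchParams.get('portal');
  const action = u.searchParams.get('action');
  if (!sessionId || !portal || action !== 'cwa') throw new Error('missing CWA parameters');
  return { host: u.hostname, port: Number(u.port || 443), sessionId, portal, action };
}

// Which host does a redirect URL point at? Works for LWA and CWA URLs alike.
function redirectHost(urlString) {
  return new URL(urlString).hostname.toLowerCase();
}

// Where the NAD sends the guest, given which PSN answered RADIUS. With LWA
// the NAD uses its hard-coded URL regardless of which PSN answered; with
// CWA the URL is the one the answering PSN returned in the AV pair.
function redirectForNad(mode, answeringPsn, lwaConfiguredUrl, sessionId, portalName) {
  if (mode === 'lwa') return lwaConfiguredUrl;
  if (mode === 'cwa') {
    return buildCwaRedirectUrl(answeringPsn, DEFAULT_GUEST_PORTAL_PORT, sessionId, portalName);
  }
  throw new Error(`unknown mode: ${mode}`);
}

// The check that matters after a RADIUS failover: does the portal the guest
// is sent to live on the PSN that holds the RADIUS session?
function redirectConsistentWithRadius(mode, answeringPsn, lwaConfiguredUrl, sessionId, portalName) {
  const url = redirectForNad(mode, answeringPsn, lwaConfiguredUrl, sessionId, portalName);
  return redirectHost(url) === answeringPsn.toLowerCase();
}
```

After a failover from psn1 to psn2, redirectConsistentWithRadius returns false for LWA (the NAD still sends guests to the psn1 URL it was configured with, where no session exists) and true for CWA (the redirect came from psn2 itself), which is the argument for CWA made in the Local Web Auth / Central Web Auth discussion.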

Both guests and employees get Internet access from one SSID. Only show the AUP on first login.
1. Add AUP checkbox to customized Guest HTML pages.
2. Save a cookie when the user logs in.
3. Hide the AUP checkbox if the cookie exists.
• Skills required:
- Basic HTML
- Basic JavaScript

Both guests and employees log in at the same guest portal. The first time a user connects, the user must accept the AUP. Once the user has accepted the AUP, the user should not have to accept it again, so the AUP check box can be hidden after the first login.
The following are the steps for hiding the AUP checkbox:
Step 1 Add the AUP checkbox to the customized guest HTML pages.
Step 2 Save a cookie when the user logs in.
Step 3 Hide the AUP checkbox if the cookie exists.
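The three steps above, as an added JavaScript example (not code from this guide or from Cisco's portal templates). The cookie name aup_accepted, the checkbox element id aup-checkbox, the login form id login-form, the /guestportal cookie path, and the 30-day lifetime are assumptions; the DOM document is passed into each function as a parameter so the logic can be exercised with a stub outside a browser.

```javascript
// Added example, not from the Cisco student guide or Cisco's portal
// templates: client-side logic for the three AUP steps. The cookie name,
// element ids, cookie path and lifetime are assumptions for the example.

const AUP_COOKIE = 'aup_accepted';       // assumed cookie name
const AUP_CHECKBOX_ID = 'aup-checkbox';  // assumed id of the AUP checkbox in the custom HTML
const LOGIN_FORM_ID = 'login-form';      // assumed id of the login form
const AUP_COOKIE_PATH = '/guestportal';  // assumed: scope the cookie to the guest portal
const AUP_COOKIE_DAYS = 30;              // assumed lifetime

// Parse a document.cookie string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

function hasAcceptedAup(cookieString) {
  return parseCookies(cookieString)[AUP_COOKIE] === '1';
}

// Step 2: the string assigned to document.cookie when the user logs in.
// Secure and SameSite=Strict keep it HTTPS-only and off cross-site requests.
function aupCookieValue(now = new Date()) {
  const expires = new Date(now.getTime() + AUP_COOKIE_DAYS * 86400000).toUTCString();
  return `${AUP_COOKIE}=1; Expires=${expires}; Path=${AUP_COOKIE_PATH}; Secure; SameSite=Strict`;
}

// Step 3: hide the checkbox when the cookie exists. The box stays ticked
// while hidden so the form still submits the acceptance field; in a real
// page the surrounding row or label would be hidden the same way.
// Returns true if the box was hidden.
function applyAupVisibility(doc) {
  const box = doc.getElementById(AUP_CHECKBOX_ID);
  if (!box) return false;
  if (hasAcceptedAup(doc.cookie)) {
    box.checked = true;
    box.required = false;
    box.style.display = 'none';
    return true;
  }
  box.required = true;
  box.style.display = '';
  return false;
}

// Step 2 wiring: on login submit, write the cookie only if the AUP box is
// ticked. Returns true if the cookie was written.
function onLoginSubmit(doc, now = new Date()) {
  const box = doc.getElementById(AUP_CHECKBOX_ID);
  if (!box || !box.checked) return false;
  doc.cookie = aupCookieValue(now);
  return true;
}

// In a browser, run step 3 once the page has loaded and hook the login form.
if (typeof document !== 'undefined' && typeof document.addEventListener === 'function') {
  document.addEventListener('DOMContentLoaded', () => {
    applyAupVisibility(document);
    const form = document.getElementById(LOGIN_FORM_ID);
    if (form) form.addEventListener('submit', () => onLoginSubmit(document));
  });
}
```

Hiding the box is a convenience for returning users only: the cookie lives on the client and can be deleted or edited there, so the authoritative record of AUP acceptance remains the portal's own AUP setting (First Login or Every Login, under the Operations tab described earlier), not this cookie.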

• Operations > Authentications window will show all authentications including guests.
• Identity and authorization can be found for guests.

To verify both successes and failures, navigate to Operations > Authentications to show all
authentications including guest.

• When Cisco ISE is used as a RADIUS server to authenticate clients, Cisco Prime Infrastructure collects additional information about these clients from the ISE and provides all relevant client information to Cisco Prime Infrastructure to be visible in a single console.
Step 1: In Cisco Prime Infrastructure, navigate to Design > External Management Servers (under Management Tools) > ISE Servers.
Step 2: Add a new ISE server by selecting Add Identity Services Engine as shown in the figure.
Step 3: Once required information is entered, confirm that the Cisco ISE server is added to the list.

Cisco ISE is the RADIUS Server used to authenticate and authorize access. By integrating
Cisco ISE into Prime Infrastructure, you now have a single pane of glass to monitor the entire
network.
When Cisco ISE is used as a RADIUS server to authenticate clients, Cisco Prime Infrastructure
collects additional information about these clients from Cisco ISE and provides all relevant
client information to Cisco Prime Infrastructure to be visible in a single console.
Perform these steps:
Step 1 In Cisco Prime Infrastructure, navigate to Design > External Management Servers
(under Management Tools) > ISE Servers.
Step 2 Add a new ISE server by selecting Add Identity Services Engine as shown in the
figure above.
Step 3 Once the required information is entered, confirm that the Cisco ISE server is added
to the list.



• For wired and wireless devices and clients, offers integrated
management, monitoring, and troubleshooting
• How?
- SNMP is used to discover clients and collect client data.
- Cisco ISE is polled periodically to collect client statistics and other attributes.


Cisco Prime Infrastructure offers integrated management, monitoring, and troubleshooting for wired and wireless devices and clients.
SNMP is used to discover clients and collect client data, and Cisco ISE is polled periodically to collect client statistics and other attributes.

• Results are populated to related dashboard components and reports.
• Cisco ISE provides authentication records to Cisco Prime Infrastructure
through the REST API.
• Network administrators can choose a time period for retrieving
authentication records from Cisco ISE.
• The figure shows that the authentication record indicates that the user
was not found in the ISE database.


The dashboard and reports are populated with results.

Deliver native MDM and integrate with AnyConnect.
1 Native MDM Features in ISE
• Leverages ISE as the Device Manager
• Leverages AnyConnect Mobile as the MDM Agent
2 Integration of ISE & ASA
• Enforce ISE Policy for Remote Access Users
3 Deliver New Set of API - xGrid
• Expand ISE eco-system with new APIs (Lancope, Prime… )
4 Deliver Highly Requested Features
• Multiple AD Forest Support
• Guest API

The figure describes features that are expected in Cisco ISE 1.3.

(Figure: Cisco AnyConnect roadmap. 2H CY 13: AnyConnect 3.2; 1H CY 14: AnyConnect 3.3. Items shown: Unified Agent (NAC Agent Integration with AnyConnect), Layer 3 Authentication Support, NEA Compliance, IPv6 Phase II, SCCM Support, Web Agent, Miscellaneous VPN Requests, Grace Period Remediation, MDM Phase II (Container and App Tunnels).)

The figure describes upcoming features for Cisco AnyConnect.

Summary
This topic summarizes the key points that were discussed in this lesson.

• This lesson reviewed the Cisco ISE solution and its capabilities, as well
as where it fits into current network scenarios and how it is used.
• You now understand the elements used to provide secure access
including authentication and authorization policies in Cisco ISE. You
examined the Cisco ISE authentication process as well as profiling and
posturing.
• You explored how Cisco ISE Setup Assistant can be used to configure a
secure proof of concept environment to support BYOD.
• You know how Cisco ISE supports guest services for self-service guest
accounts as well as sponsored guests.
• The Cisco ISE Roadmap describes what features are expected in the
future and the compatibility capabilities for Cisco ISE to support EAP
and AnyConnect.


Cisco ISE provides consistent policy for wired, wireless, and VPN networks.

References
The following figures provide additional resources and reference information.
• HLD/LLD Submissions – Tracking Page: sac-support@cisco.com
• HLD/LLD Submissions – File Folder: sac-support@cisco.com
• ATP Certified SEs: http://pmbuwiki.cisco.com/ATP_Information/List_of_Partners_who_have_completed_Training_for_ATP_ISE
• TME HLD Review Alias: sac-support@cisco.com


• Partner links
- Partner Resources (ATP info, xLD templates): http://www.cisco.com/en/US/partner/products/ps11640/products_partner_resources_list.html
- ATP Portal (Everything ISE): http://www.ciscosecurityatp.com/
- ATP Navigator (comprehensive information site for partners): http://www.cisco.com/web/partners/pr11/atp/atp_navigator.html
• Internal links
- ISE Sales Process: http://wwwin.cisco.com/swg/pmbu/ise/sales-portal/
- ISE - Product Resources (xLD Templates, Ordering/Licensing/Migration Guides): http://wwwin.cisco.com/swg/pmbu/ise/resources.shtml
- PMBUwiki ATP Info (Design Lectures, List of ATP Certified SEs, etc.): http://pmbuwiki.cisco.com/ATP_Information
- PMBUwiki - ISE Performance Info: http://pmbuwiki.cisco.com/Products/ISE#Performance
• Aliases
- ISE HLD Submission Alias: sac-support@cisco.com (WW)
- ISE HLD Pre-Submission Support: ise_hld_help@cisco.com (US Only) & sac-support@cisco.com (WW)
• Communicate ISE issues
- Americas: atp-ise-americas@cisco.com
- APJC: atp-ise-apjc@cisco.com
- EMEA: atp-ise-emea@cisco.com

• Cisco ISE product - http://www.cisco.com/go/ise
• TrustSec - http://www.cisco.com/go/trustsec
• TrustSec design and how-to guides: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
• Cisco ISE 1.1.1 demos: https://communities.cisco.com/community/partner/borderlessnetworks/security?view=video
• dCloud BYOD hosted demos – http://www.cisco.com/go/byoddemo
• Free NFR lab software for partners (1.1.1 Available)
- Cisco Marketplace - $35 VMware image, perpetual license, 20 endpoints: http://cisco.mediuscorp.com/ise
• PDI helpdesk - http://www.cisco.com/go/pdihelpdesk
• Program-related questions - pdihd-bn@cisco.com
• Your Cisco PDM and CSE
EAP Type             Win7     Vista    WinXP    AC 3.0   Apple SL   Ubuntu   RHL
                     Native   Native   Native            (10.5)
EAP-TLS              Yes      Yes      Yes      Yes      Yes        Yes      Yes
EAP-TTLS             No       No       No       Yes      Yes        Yes      Yes
PEAP-MSCHAPv2        Yes      Yes      Yes      Yes      Yes        Yes      Yes
PEAP EAP-GTC         No       No       No       Yes      Yes        Yes      Yes
PEAP EAP-TLS         Yes      Yes      Yes      Yes      Yes        Yes      Yes
EAP-FAST MSCHAPv2    No       No       No       Yes      Yes        Yes      Yes
EAP-FAST EAP-GTC     No       No       No       Yes      Yes        Yes      Yes

Ubuntu, RHL = wpa_supplicant

EAP Type             ISE   ACS 5.4   AD    LDAP
EAP-TLS              Yes   Yes       Yes   Yes
EAP-TTLS             No    No        Yes   Yes
PEAP-MSCHAPv2        Yes   Yes       Yes   No
PEAP EAP-GTC         Yes   Yes       Yes   Yes
PEAP EAP-TLS         Yes   Yes       Yes   Yes
EAP-FAST MSCHAPv2    Yes   Yes       Yes   No
EAP-FAST EAP-GTC     Yes   Yes       Yes   Yes

EAP and ID Store configuration and data:
http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_man_id_stores.html


Cisco ISE and TrustSec How-To Guides:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
Module Self-Check
Use the questions here to review what you learned in this module. The correct answers and
solutions are found in the Module Self-Check Answer Key.
Q1) What are the three personas built into ISE? (Choose three). (Source: Basic Cisco ISE
AAA and Guest Server Setup for Wired and Wireless Networks)
A) Inline Posture Node (IPN)
B) Monitoring & Troubleshooting (MnT)
C) Policy Administration Node (PAN)
D) Client Provisioning Portal (CPP)
E) Policy Service Node (PSN)
Q2) ISE can be installed on which platforms? (Choose three). (Source: Basic Cisco ISE
AAA and Guest Server Setup for Wired and Wireless Networks)
A) MicroSoft Server 2013
B) Cisco 33x5 Appliance
C) Cisco C3850 Switch
D) Cisco SNS-34x5-K9 Servers
E) Virtual Machine (ESXi or ESX)
Q3) Cisco ISE replaced which of the following servers? (Source: Basic Cisco ISE AAA and
Guest Server Setup for Wired and Wireless Networks)
A) Cisco Secure Access Control Server (ACS)
B) Cisco Profiler
C) Cisco Guest Server
D) Network Access Control (NAC) Manager
E) NAC Server
F) All of the above
Q4) In a standalone deployment where all three personas are on one node, what is the
maximum number of concurrent endpoints supported? (Choose two). (Source: Basic
Cisco ISE AAA and Guest Server Setup for Wired and Wireless Networks)
_____ 1. Cisco ISE 33x5 Appliance
_____ 2. Cisco SNS-3415-K9
_____ 3. Cisco SNS-3495-K9
a. 5000
b. 10,000
c. 2000
Q5) What is new in ISE 1.2? (Choose six). (Source: Basic Cisco ISE AAA and Guest
Server Setup for Wired and Wireless Networks)
A) 64 bit operating system
B) Cisco Guest Server
C) Profiler Feed Service
D) Logical Profiling
E) Setup Assistant
F) 32 bit operating system
G) Guest Account Duration changing

© 2013 Cisco Systems, Inc. CONFIDENTIAL Basic Cisco ISE AAA and Guest Server Setup for Wired and Wireless Networks 3-93
Q6) Cisco ISE PSN has many services running. Which service is NOT running on the PSN?
(Source: Basic Cisco ISE AAA and Guest Server Setup for Wired and Wireless
Networks)
A) Guest Portal
B) Client Provisioning Portal
C) Sponsor Portal
D) Admin Portal
E) Radius Server
F) Profiling
Q7) Cisco ISE PSN is the Radius Server for the Network Access Devices (NADs). Select
the possible NADs that ISE PSN could support? (Source: Basic Cisco ISE AAA and
Guest Server Setup for Wired and Wireless Networks)
A) Cisco Switches
B) Cisco Wireless LAN Controllers
C) Cisco ASAs
D) Cisco ISE running as an Inline Posture Node (IPN)
E) All of the above
Q8) In a distributed deployment, only the Policy Service Persona will be running on a PSN.
What is the maximum number of concurrent endpoints supported on the following
PSNs? (Source: Basic Cisco ISE AAA and Guest Server Setup for Wired and Wireless
Networks)
_____ 1. Cisco ISE 3315 Appliance
_____ 2. Cisco ISE 3355 Appliance
_____ 3. Cisco ISE 3395 Appliance
_____ 4. Cisco SNS-3415-K9
_____ 5. Cisco SNS-3495-K9
a. 20,000
b. 5000
c. 2000
d. 10,000
e. 6000
f. 3000
Q9) ISE requires Licensing for production deployments. Match the correct type of License
to the following deployments requirements. (Source: Basic Cisco ISE AAA and Guest
Server Setup for Wired and Wireless Networks)
_____ 1. Customer has both wired and wireless endpoints and needs to ensure all
the devices are compliant to the corporate policies.
_____ 2. The enterprise will only be authenticating wireless clients. They wish to
know and control who and what is on their wireless only network.
_____ 3. The small business owner wants to control his employee and guest access
to his network but is currently not concerned about the health of the
devices.
a. ISE Base License

3-94 Unified Access SE Boot Camp (UASEBC) v1.0 © 2013 Cisco Systems, Inc. CONFIDENTIAL
b. ISE Advanced License
c. ISE Base License plus ISE Advanced License
d. ISE Wireless License
Q10) The customer has a distributed deployment and has purchased 10 SNS-3495-K9
appliances for their FIPS-compliant wired and wireless network. How many ISE
licenses do they require? (Source: Basic Cisco ISE AAA and Guest Server Setup for
Wired and Wireless Networks)
A) 10, one for each and every node.
B) 1, just need Base License for Primary PAN
C) 2, need a Base and Advanced License for Primary PAN
D) Depends. Will need Base and Advanced License for Primary PAN but we also
need to know how many endpoints and how many endpoints need
profiling/Posturing/MDM to truly determine the licenses required

© 2013 Cisco Systems, Inc. CONFIDENTIAL Basic Cisco ISE AAA and Guest Server Setup for Wired and Wireless Networks 3-95
Module Self-Check Answer Key
Q1) B, C, E
Q2) B, D, E
Q3) F
Q4) 1 – c, 2 – c, 3 – b
Q5) A, C, D, E, G
Q6) D
Q7) E
Q8) 1 – f, 2 – e, 3 – d, 4 – b, 5 – a
Q9) 1 – c, 2 – d, 3 – a
Q10) D

Module 4

One Network—Building the Wireless Network

Lesson 1

Wireless Network Architecture

Overview
The Cisco “One Network” strategy comprising a complete end-to-end network solution
includes wireless components and features. This lesson discusses the different wireless
architectural configurations and components available to meet the needs of different customers.
The lesson includes a forward-looking roadmap of Cisco wireless products and features to
provide you a view of how Cisco is evolving the network.
In this course, the example customer scenario is HTA Hospital. The hospital has established the
wired network infrastructure, Cisco Identity Services Engine (ISE), and Cisco Prime
Infrastructure. In this scenario, the IT team wants to verify and expand on their current wireless
capabilities. Offering them the right architectural topology and products for their business
will enable them to successfully serve the wireless clients of their employees, medical
devices, patients, and guests.

Objectives
Upon completing this lesson and given a specific customer scenario, you will be able to meet
the following objectives:
 Describe the four Cisco wireless LAN deployment architectures
 Describe the Cisco wireless LAN portfolio of products
 Reference the Cisco wireless LAN compatibility matrix
 Discuss the Cisco wireless LAN roadmap
HTA Hospital Use Case
This topic describes a use case with HTA Hospital.

• After successfully securing their wired network, HTA Hospital decides to leverage their
existing wireless equipment.
• Deploying wireless implies configuring controllers and access points and optimizing the
RF environment, but also applying security configurations specific to wireless users and
devices.
• As wireless is a shared medium, QoS is a major concern, and HTA Hospital needs to
optimize their network QoS to take into account the needs of wireless devices.
• The Cisco solution also offers additional possibilities to optimize the network experience
based on user location. HTA Hospital wants to examine these different possibilities and
check which features may apply to their specific environment.

© 2013 Cisco and/or its affiliates. All rights reserved. CONFIDENTIAL One Network-Building the Wireless Network UASEBC v1.0—4-5

Cisco Wireless LAN Deployment Architectures
This topic discusses the four different Cisco wireless deployment architectures: autonomous,
FlexConnect, centralized, and converged access.

Autonomous
- Traffic: individual APs, each handling its own traffic
- Typical deployment: small wireless network
- Purchase decision: wireless only
- Benefits: simple and cost-effective for small networks
- Key considerations: limited RRM, no rogue detection

FlexConnect
- Traffic: distributed at the AP (WAN between the branch and the controller)
- Typical deployment: branch
- Purchase decision: wireless only
- Benefits: highly scalable for a large number of remote branches; simple wireless
operations with a DC-hosted controller
- Key considerations: L2 roaming only; WAN bandwidth and latency requirements

Centralized (Unified)
- Traffic: centralized at the controller
- Typical deployment: campus
- Purchase decision: wireless only
- Benefits: simplified operations with centralized control for wireless; wireless traffic
visibility at the controller
- Key considerations: system throughput

Converged Access
- Traffic: distributed at the switch
- Typical deployment: branch and campus
- Purchase decision: wired and wireless
- Benefits: common wired and wireless operations; one enforcement point; one OS (IOS);
traffic visibility at every network layer; performance optimized for 11ac
- Key considerations: Catalyst 3850 in the access layer

The autonomous architecture comprises individual access points (APs): each AP is configured
and managed on its own rather than being attached to a wireless LAN controller (WLC).
Smaller enterprises may prefer an autonomous architecture because it is simple to deploy and
cost-effective. The trade-off, as the table above notes, is limited RRM and no rogue
detection, so each AP has to be secured and monitored individually.
A FlexConnect architecture is typically positioned for enterprises that have branch or remote
offices. It is well suited for locations with a relatively small number of APs where deploying a
WLC locally is not justified or desired. In FlexConnect operation, wireless LAN data traffic is
either tunneled back to a central WLC (central switching) or broken out locally at the wired
interface of the AP (local switching). When a FlexConnect AP can reach a WLC, it is in
connected mode; when it cannot, it goes into standalone mode. In standalone mode the AP
keeps forwarding locally switched traffic for clients that are already associated, but new clients
on WLANs that authenticate centrally cannot be authenticated unless FlexConnect local
authentication (local EAP on the AP or a RADIUS server reachable at the branch) has been
configured, so branch survivability has to be designed in rather than assumed.
The centralized or unified architecture, often referred to as a Cisco Unified Wireless Network
(UWN), is one where APs are managed and monitored by WLCs. Clients and APs send critical
information regarding cell coverage, interference, and client traffic back to the WLCs. This
architectural model is appropriate for campus environments where traffic is centralized.
A converged access architecture represents the convergence of wired and wireless traffic,
where both types of traffic may be switched on the same converged access (CA) platform that
functions as both a switch and a WLC. The CA platforms run on IOS-based operating systems,
thus standardizing and simplifying the user interface.
Each of these architectural models has benefits as well as limitations. When determining the
correct model for a given customer, you must consider the existing network infrastructure, the
desired network performance, and the right component models and features that will support
the desired goals. Enterprises may be cost-sensitive but most also want a secure solution that
will grow as their needs grow.

The flexibility of the Cisco wireless LAN portfolio and deployment architectures is by design.
Cisco is able to tailor the infrastructure and services for various vertical market applications. In
the education market space, K-12 schools are mostly concerned about cost and desire easy
wireless connections throughout the campus. Additional concerns include segmentation of
teacher and staff traffic from students and guests, collaborative learning techniques, use of
smartboards, wireless printers, and other conveniences. A school campus environment typically
has a dense number of users during certain hours of the day. Faculty, staff, students, and guests
expect bring your own device (BYOD) adaptations.
BYOD, in fact, most notably started with the higher education market segment. Wireless and
specifically mobility are essential to wireless users at a college or university. They share the
same needs for segmentation of traffic, collaborative learning, use of eReaders, and so forth.
The healthcare industry has very demanding requirements for wireless services. Security is very
important when dealing with patient care, and the use of wireless medical devices and radio
frequency identification (RFID) tags is prominent in this vertical.
These are just examples of the importance of selling the right solution to the right customer.
Cisco provides the means to support any of these explicit needs.

Cisco Wireless LAN Portfolio of Products
This topic describes the Cisco wireless LAN product portfolio.


As part of the One Network solution, wireless LAN products provide the capability for wireless
devices to connect to the network. Wireless devices connect to APs that either directly connect
to the network or are managed by WLCs. The converged access architecture makes it possible
to combine the WLC and switching functionality into one platform. The Cisco Mobility
Services Engine (MSE), in conjunction with Cisco Prime Infrastructure, provides advanced
services such as intrusion prevention, location services, and connected consumer services.
In the past couple of years, Cisco has launched its second generation of APs based on 802.11n
technology. These APs include the AP1600, AP2600, and AP3600. These APs provide the
highest possible throughput, utilize multiple antenna technology, and are CleanAir-enabled,
meaning they contain firmware that helps to mitigate sources of interference that would
otherwise cause disruption of signal quality or wireless service altogether. Features such as
CleanAir are described later in this course.
The AP1600, AP2600, and AP3600 are intended for use in indoor environments. Cisco also
offers second-generation ruggedized and outdoor APs—the Cisco 1550 Series Access Points.
Some environments such as manufacturing plants require a more durable AP construction, and
outdoor APs are exposed to the natural outdoor elements.
The portfolio of WLCs ranges from the virtual WLC to the FlexConnect WLC7500 to the
higher-capacity WLC8500. Some controllers, such as the WiSM2, fit within existing
infrastructure components, while others are standalone. The converged access controllers, the
Catalyst 3850 and the WLC 5760, combine switching and controller functionality into a single
IOS-based platform.
As mentioned previously, the MSE extends basic wireless capabilities into more sophisticated
monitoring, interference prevention, location, and connected consumer services.

Access Points
This topic describes the models of Cisco APs.


As you move from left to right in the figure, the placement of the AP models indicates
scalability and functionality. The AP600 is an OfficeExtend component designed for
teleworkers. Sometimes termed OEAP, the AP600 allows companies to provide corporate
wireless LAN services to employees who need access from remote work locations.
The AP1600, 2600, and 3600 are built on the same foundation of 802.11n technology but are
scaled to meet the needs of businesses of various sizes. Notice that these APs provide CleanAir
capabilities.
Prior to the AP3600, Cisco launched the first CleanAir-capable AP, the AP3500. In terms of
number of clients it can support, the AP3500 addresses the business-ready market previously
served by AP1140 and AP1260. The latter two APs are not CleanAir-capable.
The AP3600 has a unique, forward-looking modular design that accommodates the ability for
customers to add more services and capabilities as needed. For example, Cisco anticipated the
pending technology evolution to 802.11ac by creating an 11ac add-on module that can be easily
inserted in the underside of the AP3600. This ability avoids a complete replacement of APs in
order to support 11ac clients and speeds. With this module available in May 2013, customers
who already deployed or who purchase the AP3600 with the module can serve 802.11ac-
capable clients.

Controllers
This topic describes Cisco WLC products.

[Figure: Cisco WLC portfolio, from the SRE module and the vWLC on the left to the high-end
controllers on the right]

The figure shows WLCs from left to right, indicating the increase in scale and other
capabilities. Customers can choose from a virtual WLC running in a virtual machine
environment on a server of their choice, or they can select low-, medium-, or high-end WLCs
based on their business needs. The virtual WLC is primarily focused on price-sensitive mid-
market solutions for FlexConnect AP management. The WLC7500 is also specifically designed
for use in larger scale FlexConnect deployments. Higher-end WLCs provide capabilities such
as high availability that are not available on all WLCs.
Conveniences of a WLC-based architecture include the ability to configure multiple APs,
control software image downloads, create mobility groups, and a host of other time-saving and
more productive operations.

Cisco Mobility Services Engine
This topic describes Cisco MSE services.

Advanced Spectrum Capability
- System-wide interferer details
- Event correlation
- Visualization of interferer zone of impact
- Interferer notification
- Track and trace interferers and Layer 1 threats

Indoor Location/Context-Aware
- Real-time location tracking
- Tracking of probing and associated clients, RF tags, and wired endpoints
- Geofencing/zone-based alerts
- Location analytics

Wireless Intrusion Prevention
- Detection and mitigation of security penetration attacks
- Detection and mitigation of denial of service attacks
- Capability supported in Monitor Mode and on data-serving APs (Enhanced Local Mode
[ELM])

Mobile Concierge
- Detecting presence
- Delivering location-based services

Physical and Virtual Appliance: MSE tracks up to 50,000 endpoints and supports 10,000
Monitor Mode or ELM APs.


Cisco MSE is sold as either a virtual appliance or a physical platform. To some extent, the MSE
may be thought of as a data collection point, but with additional capabilities that make it
possible for customers to increase the effectiveness of their wireless investment.
MSE offers the following:
 A way to visually depict the impact of interference on network performance so that
interference can be reduced
 The ability to implement a wireless intrusion prevention system (wIPS) to ward off security
threats
 A way to track the location of wireless devices, displaying them on the customer’s floor
maps
More recently, MSE became part of a solution that monetizes the wireless LAN by offering
connected consumer services. For certain types of businesses such as retail, this is a game-
changing view from the customer perspective. No longer do customers worry only about the
cost of the wireless network, they can actually use it to make money.
One of the connected consumer applications is Mobile Concierge. Using a third-party
application that communicates with the MSE, an enterprise can offer concierge services to its
wireless end users. For example, a shopping mall may want users with iPhones, tablets, and
similar devices who enter the facility to be offered a navigational map, directions to
restaurants, sales advertisements, coupons, and so forth.
Each of the MSE services is described in more detail later in this course.
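The wIPS and rogue-detection capabilities above turn on a classification step: every beacon heard by a monitor-mode or ELM AP is compared against what the controller knows it owns. The following Python is an added illustration of that step and is not Cisco code; its rule set is a simplified version of the kinds of rogue rules the text alludes to (a rogue advertising one of our SSIDs, a rogue whose MAC also shows up on the wired network, and a minimum RSSI gate). The managed-AP inventory, the switch MAC table, the scan results, the ±2 MAC window and the -80 dBm threshold are all constructed or assumed.

```python
"""Rogue-AP classification over constructed beacon observations.

Added illustration, not Cisco code: the rules are a simplified version of
the kind of rogue rules a controller or wIPS applies (managed-SSID match,
rogue seen on the wire, minimum RSSI). All inventories and thresholds below
are constructed/assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One beacon frame as heard by a managed (monitor-mode or ELM) AP."""
    bssid: str       # radio MAC of the transmitting AP
    ssid: str
    rssi_dbm: int    # signal strength at the detecting AP
    channel: int


# Constructed managed-AP inventory: radio MACs we control and the SSIDs we serve.
MANAGED_BSSIDS = {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"}
MANAGED_SSIDS = {"HTA-Corp", "HTA-Guest"}

# Constructed edge-switch MAC table (wired side). A consumer AP's Ethernet MAC
# is usually within a few values of its radio BSSID, which is the basis of the
# on-wire heuristic below (window size is an assumption).
WIRED_MACS = {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02", "6c:77:11:aa:bb:cc"}
WIRE_MAC_WINDOW = 2

# Assumed: rogues heard below this level are recorded but not escalated.
RSSI_THRESHOLD_DBM = -80


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def seen_on_wire(bssid: str, wired_macs=WIRED_MACS) -> bool:
    """True if some wired MAC lies within WIRE_MAC_WINDOW of the BSSID."""
    b = mac_to_int(bssid)
    return any(abs(b - mac_to_int(m)) <= WIRE_MAC_WINDOW for m in wired_macs)


def classify(beacon: Beacon) -> str:
    """Return the rogue class. Order matters: an SSID spoof is malicious
    regardless of signal strength, so it is checked before the RSSI gate."""
    bssid = beacon.bssid.lower()
    if bssid in MANAGED_BSSIDS:
        return "managed"
    if beacon.ssid in MANAGED_SSIDS:
        return "malicious-honeypot"      # our SSID on a radio we do not own
    if seen_on_wire(bssid):
        return "malicious-on-wire"       # unknown AP plugged into our LAN
    if beacon.rssi_dbm < RSSI_THRESHOLD_DBM:
        return "unclassified-weak"       # probably a neighbour; log only
    return "unclassified"


def classify_all(beacons):
    return {b.bssid.lower(): classify(b) for b in beacons}


# Constructed scan results.
SAMPLE_BEACONS = [
    Beacon("00:1a:2b:00:00:01", "HTA-Corp", -45, 36),
    Beacon("02:de:ad:be:ef:01", "HTA-Corp", -60, 6),     # SSID spoof
    Beacon("6c:77:11:aa:bb:cd", "Linksys", -55, 11),     # wired MAC ...cc seen
    Beacon("f4:f5:d8:12:34:56", "xfinitywifi", -88, 1),  # weak neighbour
    Beacon("f4:f5:d8:12:34:57", "CoffeeShop", -70, 1),
]

if __name__ == "__main__":
    for bssid, verdict in classify_all(SAMPLE_BEACONS).items():
        print(f"{bssid}  {verdict}")
```

The honeypot check deliberately precedes the RSSI gate: a weak signal is a poor reason to ignore an AP that is impersonating the corporate SSID, since the clients it is fishing for may be much closer to it than the detecting AP is.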

Cisco Wireless LAN Compatibility Matrix
This topic describes a Cisco wireless LAN compatibility matrix, an Excel spreadsheet tool that
is useful when determining the types of APs, WLCs, and services that a customer may need.

For Cisco internal and NDA partners only

• The compatibility matrix provides an at-a-glance comparison of the wireless LAN
components and the features and functionality that each supports.
• The matrix also indicates scaling information and best architectural fit for large campus,
service provider, small campus, and branch.


The wireless LAN compatibility matrix is a tool that helps enable system engineers and other
personnel to advise customers about deployment architectures, equipment models, and other
elements they will need to satisfy their business needs. The spreadsheet shows the WLC models
and provides details about which architecture each best supports, and many other details.
When you first open the compatibility matrix spreadsheet, notice the worksheet tabs at the
bottom. There is a read me first tab, an all controllers comparison tab, a tab for large campus,
service provider, small campus, and branch. The various types of functionality available in the
system are notated as available (√) or not available (x) under each column.

Cisco Wireless LAN Roadmap
This topic discusses new products and features targeted for future Cisco wireless LANs.

Cisco Confidential – NDA Only

[Roadmap figure: Unified Access WLAN infrastructure, AireOS WLC software releases.
Committed: 7.3 (Sep 2012), 7.4 (Dec 2012), 7.5 (Q2CY13). In planning: 2HCY13/Q1CY14.
Products shown: AP2600 and AP1600 (802.11n G2); AP3600 11ac Wave 1 module; AP3700
modular AP (11ac Wave 1); outdoor AP1532; AP700 (also bridge with autonomous software);
3G small cell module for AP3600; 1552WU with Emerson HART gateway; OEAP 600; uni-band
antenna; WSSI module; China SP AP; stadium hi-gain antenna for AP3700; WLC 8500 (target
customer SP); virtual controller phase 1; CT2500 HA SKU, N:1; Flex7500 scale to 6K APs;
CT8500 as MC for converged access.
Features shown: Application Visibility and Control (AVC); OEAP support on vWLC; Bonjour
Services Directory (phases 1 and 2); AP neighbor list (subset of 802.11k); profiling and policy
on WLC; native IPv6 (centralized mode only); controller resiliency with AP SSO and client SSO;
HA licensing, N:1; guest anchor on CT8500 and on WLC 2500; scale on WLC 2500; CleanAir
Express for AP1600; FlexConnect split tunneling over any L2 connection; mesh support for
FlexConnect; VideoStream for FlexConnect; 802.11w protected management frames (local
mode, then Flex modes); 802.11r; PMIPv6 MAG on WLC and on AP; bi-directional rate
limiting; LAG on Flex7500, WLC 8500 and WLC 2500; WLC as DHCP proxy with new sub-options
for SP Wi-Fi; FlexConnect additions (voice/video, 11n CAC, AAA ACL and QoS, PEAP/EAP-TLS);
certifications (FIPS, CC, UCAPL, USGv6); Cisco Prime Infrastructure 1.4, 1.4.1 and 2.1.]

Cisco continues to lead the marketplace in the area of wireless LAN, which shows a very high
growth rate. The figure shows the traditional AireOS WLCs roadmap. Cisco first introduced
WLCs into the architecture when it acquired a company named Airespace. Airespace had
developed its own WLC hardware and software, and these WLCs are now referred to as having
an AireOS operating system. When Cisco introduced the converged access platforms, the
Catalyst 3850 and WLC 5760, in early 2013, the WLC operating system for these CA systems
was engineered to be IOS-based (IOS XE).
AireOS WLC code release 7.4, compatible with Cisco Prime Infrastructure code release 1.3,
was introduced to the market in January 2013. This release contained features that support end-
to-end network functionality such as NetFlow and application visibility and control (AVC), and
exciting new features such as multicast DNS (mDNS), also known as Bonjour Gateway, and
connected mobile experience (CMX). Such features support the Cisco Unified Access strategy,
as well as the BYOD reality of today.
The next release, 7.5, which is compatible with Cisco Prime Infrastructure 1.4, brings the
previously mentioned 802.11ac module for AP3600, high availability through client stateful
switchover (SSO), a host of enhancements, and a new CMX feature called Billboard
(sometimes abbreviated as BBX). Billboard is an MSE advanced location services (ALS)
feature that allows customer marketing personnel to offer value-added services to targeted
guests based on the location of the end user. You will learn more about these features in a
subsequent lesson. The first customer shipment (FCS) target for 7.5 and Prime 1.4 is June 2013.
There will be an interim release of Cisco Prime Infrastructure, v2.0, available between 7.5 and
8.0, to sync with converged access WLCs and provide improved feature parity with non-CA
WLCs. The Cisco Prime Infrastructure 2.0 release is targeted for late June to early July 2013
timeframe.

The next major software release after 7.5 is 8.0, compatible with Cisco Prime Infrastructure 2.1.
There is an interim planned in between (October 2013) to support the new 802.11ac AP (3700)
and the 1532 (low profile 802.11n outdoor AP). Release 8.0 target availability is February
2014. This release will support the 3G small cell module for AP3600; native IPv6; CleanAir
Express; and a number of feature enhancements.

IOS Controllers
This topic describes the roadmap plans for Cisco IOS-based WLCs.

Cisco Confidential – NDA Only

[Roadmap figure: Cisco Unified Access WLAN infrastructure, IOS-based controllers.
Committed: IOS XE 3.2.0 SE (Q1CY13) and IOS XE 3.2.x (Q2CY13). In planning: IOS XE 3.3
(Q3CY13).]

IOS XE 3.2.0 SE (Q1CY13), enterprise campus parity with the AireOS 7.0 release:
- MSE 7.4, CPI 2.0
- CT5760; CT5500 and WiSM2 as MC in Converged Access Mode (7.3MR1)
- AP3600, AP2600, AP1600* support
- ISE 1.1MR support
- HA: AP SSO with stacking cable
- Multiple LAG
- IPv6 interface, IPv6 client mobility
- Secure Copy
- Granular QoS
- TrustSec SXP and SGT
- Downloadable ACLs
- 802.11r and Neighbor List
- Flexible NetFlow v9
- 802.11w
- EEM/TCL scripting

IOS XE 3.2.x (Q2CY13), enterprise campus parity with the 7.0 release:
- Web GUI for wireless on CT5760/Cat3850
- ISE 1.2 support

IOS XE 3.3 (Q3CY13), enterprise campus parity with the 7.4 release:
- MSE 8.0, CPI 2.1
- UPOE SKU, 9-member stacking
- CT5760 HA SKU, N:1
- CT5500, WiSM2, CT8510 and Catalyst 3850 as MC in Converged Access Mode (8.0)
- AP3700 modular AP, 11ac Wave 1
- AP3600 802.11ac Wave 1 module
- Bonjour Services Directory
- App Visibility with G2 11n APs

* AP1600 not supported with CT5500/WiSM2 on 7.3MR1 with Converged Access Mode

The first release of IOS-based CA WLCs was built on IOS XE 3.2.0 SE. The wireless LAN
feature scope was equivalent to AireOS-based WLC code 7.0. The figure lists the main features
that rolled out in the first release. A maintenance release of the IOS code, IOS XE 3.2.x was
released in June 2013. The maintenance release introduced a new CA WLC web GUI and
BYOD onboarding capability. BYOD onboarding was expected to be supported in the FCS code,
but the onboarding flows (the single-SSID and dual-SSID cases, with provisioning) presented
several issues related to the onboarding process and the change of authorization (CoA)
returned from the onboarding server (ISE). The maintenance release addressed these issues
and also ensured compatibility with ISE 1.2. Please refer to Module 5 for more details.
The next major release for CA WLCs is based on IOS XE 3.3, and addresses feature parity with
AireOS WLC code release 7.4. The 3.3-based release will be supported by Cisco Prime
Infrastructure code release 2.1 and similarly targeted for late August to early September 2013.
The figure lists the features equivalent to AireOS 7.4 WLC code.

Summary
This topic summarizes the key points of this lesson.

• You now understand Cisco Unified Access: One Network (wired + wireless) + One Policy +
One Management
• You reviewed the four deployment architectures:
- Autonomous
- FlexConnect
- Centralized and Unified
- Converged access
• You reviewed the portfolio of WLCs, APs, MSE options, and integration with ISE and Cisco
Prime Infrastructure
- Small to large campus solutions
- Branch and campus solutions
• You can describe the roadmap objectives: continue to build on BYOD, mid-market
solutions, RF excellence, cloud services, network resiliency, connected consumer business,
and E2E product integration

Lesson 2

Basic Wireless Connectivity and Functionality

Overview
After verifying customer requirements and confirming network design criteria, the wireless
network components are installed and basic services need to be enabled. This lesson covers the
implementation of foundational services for a wireless network.
Making efficient use of wireless spectrum is important for network performance and requires
the system capability to manage the RF environment in real-time and still maintain appropriate
power levels. RF management also includes the ability to detect and mitigate RF interferers that
would otherwise affect network performance. With today’s growing use of wireless devices,
the wireless network also must be capable of serving a mix of clients with various levels of
wireless protocols. Also, depending on customer need and the actual network infrastructure that
the customer has, enterprise-level wireless operation often dictates the need for the highest
possible level of wireless operational resiliency.

Objectives
Upon completing this lesson, and given a customer scenario and a wireless LAN comprised of
switches, access points (APs), Cisco Unified Wireless Network (UWN) wireless LAN
controllers (WLCs), Cisco Prime Infrastructure (PI), and Cisco Mobility Services Engine
(MSE), you will be able to meet the following objectives:
 Explain how to maintain optimum RF conditions in a changing environment
 Describe how to improve client predictability and performance
 Explain how Cisco ClientLink technology uses client uplink to optimize downlink
performance
 Describe how Cisco CleanAir helps build an intelligent RF network
 Describe high availability wireless solutions
Maintaining Optimum RF Conditions in a
Changing Environment
This topic describes features and functionality of Cisco Radio Resource Management (RRM)
needed to provide maximum performance within the RF spectrum.

• What are the objectives of RRM?
- To dynamically balance the infrastructure and mitigate changes
- To monitor and maintain coverage for all clients
- To manage spectrum efficiency so as to provide the optimal throughput under changing
conditions
• What RRM does not do
- Substitute for a site survey
- Correct an incorrectly designed network
- Manufacture spectrum


The first enterprise Wi-Fi networks were added conveniences that were used for web surfing in
building lobbies or conference rooms. For these applications, a best-effort level of performance
was acceptable. Today, Wi-Fi has matured and is now often deployed for many mission-critical
applications. Wi-Fi is increasingly used for rich media applications such as voice and video,
which are sensitive to the impact of interference.
RRM allows the unified wireless architecture to analyze the existing RF environment
continuously, automatically adjusting the power levels and channel configurations of APs to
help mitigate such things as noise from non-802.11 signals, co-channel interference, and signal
coverage problems. RRM reduces the need to perform exhaustive site surveys, increases system
capacity, and provides automated self-healing functionality to compensate for RF dead zones
and access point (AP) failures. Even though the RRM process uses information that is gathered
by the deployed APs to make decisions on adjustments to AP channel assignments and power
settings, a change in the RF environment does not necessarily mean that a WLC will change
current settings for any given AP.
As large-scale, dense wireless LANs have become the norm, administrators are challenged
continuously with RF configuration issues. If processed improperly, these issues can lead to
wireless LAN instability and a poor end-user experience.
The addition of capacity to a wireless LAN is an issue unlike that of wired networks, where
common practice is to increase bandwidth to solve the problem. In a wireless network,
additional APs are required to add capacity, but if configured incorrectly the additional APs can
actually lower system capacity due to RF interference and other factors.

• Dynamic Channel Assignment (DCA)
- Each AP radio gets a transmit channel assigned to it.
- Changes in "air quality" are monitored, and the AP channel assignment is changed when
deemed appropriate (based on the DCA cost function).
• Transmit Power Control (TPC)
- Transmit power assignment is based on radio-to-radio path loss.
- TPC is in charge of reducing Tx on some APs, but may also increase Tx by defaulting back
to a power level higher than the current Tx level.
- There are two versions of TPC, v1 and v2. v1 should be preferred.
• Coverage Hole Detection and Mitigation (CHDM)
- Detects clients in coverage holes.
- Decides on Tx adjustment (typically a Tx increase) on certain APs based on adequacy or
inadequacy of estimated downlink client coverage.


Adequate coverage with the appropriate level of performance (throughput) to all users is
necessary. Often this requires the deployment of a large number of APs, operating on different
channels that must be selected intelligently so as not to interfere with each other. Such a task is
accomplished by the use of dynamic channel assignment (DCA) on the WLC.
The level of network performance and unnecessary noise in the wireless environment is directly
attributed to the selected transmit (TX) power levels of the APs. Maintaining performance
levels without contributing excess noise in the RF environment is accomplished by allowing the
WLC to collectively manage the AP power levels through the application of the Transmit
Power Control (TPC) algorithm, which is run on the RF group leader. TPC exists in two
versions, v1 and v2. In most cases, v1 should be preferred. v2 should only be enabled under
Cisco Technical Assistance Center (TAC) guidance to solve specific high AP density-related
issues.
Whenever a change in the AP infrastructure happens, such as an AP failure, displacement, or a
change in TX power, a coverage hole may appear and must be detected and managed. This
management is accomplished by the coverage hole detection (CHD) algorithm, which runs on
the individual WLCs.

Note In earlier versions of software, RRM was also referred to as Auto-RF.

• RRM is configurable either on an individual controller or via a template from the Cisco Prime Infrastructure.
• Templates are highly recommended to maintain consistency between controllers.

CAUTION: Selection of TPCv2 without thorough investigation and understanding of its impact on the wireless environment can severely disrupt network coverage and capacity.


When configuring RRM within a wireless network it is highly important to maintain consistent
settings between all WLCs. Otherwise you may experience unexpected behavior within the
network. For example, should you inadvertently set one WLC to use TPC, version 1 (TPCv1)
and another for TPC, version 2 (TPCv2) while utilizing dynamic master selection, the TPC
version in use on the network will be determined by the WLC elected as the RRM master.
Potentially, if a new election occurs and the other WLC is elected as the master, the new
algorithm for TPC would determine the power settings and possibly leave coverage holes
within the network.
To avoid implementing constant changes that would keep the wireless network in a state of flux
during initial deployment or during AP additions, it is recommended to turn off RRM until all
WLCs and APs have been deployed. Then, enable RRM and allow it to stabilize the network
over the first 100 minutes after being enabled. Once the network has stabilized, an anchor time
and interval should be established to ensure that the DCA algorithm runs at least twice a day. If
the network is already running and new APs must be deployed or relocated, the RRM service
should be restarted manually once all APs have been moved or added.
There are two different algorithms from which to choose to control TPC. The algorithms are
TPCv1 Coverage Optimal Mode or TPCv2 Interference Optimal Mode. Only one algorithm
may be used at any given time within an RF group, as they are wholly incompatible with each
other.
When TPCv1 is selected, the RF group leader uses the algorithm to determine the RF
proximities of the APs in the group. This algorithm runs at a fixed 10-minute interval by
default. The group leader uses this algorithm to adjust each band’s transmit power level down
in order to limit excessive cell overlap and co-channel interference. It is important to
understand that the TPC algorithm is responsible only for turning power levels down. The
increase of transmission power is a function of the CHD and correction algorithm. For TPCv1
to work, you must have a minimum of four APs that can hear each other at an appropriate level.
TPCv1 uses the power measurements from the neighbor messages to calculate the deployment
density of the APs.

TPCv1 is designed to provide broad, even coverage between APs. To accomplish this
calculation, the algorithm tends to use higher transmit power values for each AP. For a typical
data network of average user density, this algorithm is sufficient to meet the network TPC
needs. However, when network AP placement is optimized for 5-GHz coverage, the AP
placement tends to bring the 2.4-GHz radios closer together as well, creating a dense
deployment of 2.4-GHz radios. In this type of deployment, the default values for TPCv1 tend to
produce a network with excessive 2.4-GHz coverage, referred to as an overheating situation.
TPCv2 is designed to provide good coverage around an AP while reducing the amount of
excessive interference that the same AP contributes to the wireless environment. The easiest
way to look at the differences is by comparing what is happening between the APs. Under
TPCv2, rather than running the cell edge up to a neighboring AP, the algorithm calculates for
the cell edge to occur at a point midway between the APs while still allowing sufficient overlap
for smooth roaming performance.
TPCv2 has been supported as of WLC code release 7.2 and is not a simple upgrade or tweaking
of the existing TPCv1 algorithm. TPCv2 is a completely different algorithm developed to solve
roaming and coverage issues in dense voice deployments. TPCv2 determines the cell edge
based on more than a simple power measurement. TPCv2 determines the deployment density of
each AP and calculates the required AP power by the following:
 Cell overlap area, which is the amount of interference from adjacent APs
 Cell coverage area for each AP
 Co-channel interference metric, an AP utility
Because of these different primary goals, simply using TPCv2 will not overcome fundamental
deployment issues in the network. Making the decision to shift from TPCv1 to TPCv2 requires
a firm understanding of what is different in the operation of the algorithms. Otherwise, making
the switch may mean relocating APs and will likely cause more severe problems in the network
rather than correcting problem areas. In other words, in most cases, v1 should be preferred. v2
should only be enabled under Cisco TAC guidance to solve specific high AP density-related
issues.
More detailed information on the comparison between TPCv1 and TPCv2 can be found in the
Cisco course entitled Cisco Unified Wireless Networks (CUWN).

• How do you effectively tune RF performance at the system level when a single controller must support APs deployed in areas with vastly different requirements?
• RF profiles allow the administrator to tune groups of APs sharing a common coverage zone together.
- They selectively change how RRM will operate the APs within that coverage zone.
• RF profiles are created for either the 2.4-GHz radio or 5-GHz radio.
- Profiles are applied to groups of APs belonging to an AP group, in which all APs in the group will have the same profile settings.
- There are two components to this feature:
• RF groups
- Existing capability
- No impact on channel selection algorithms
• RF profile – New in 7.2, providing administrative control over the following:
- Minimum and maximum TPC values
- TPCv1 (or TPCv2) threshold
- Data rates


In a corporate environment, administrators are facing an ever-increasing demand for wireless
services. The network designer or administrator has to consider conflicting coverage goals and
density requirements. For example, a business may have two areas where a high number of
users will meet and congregate, such as a large conference room and presentation theater, as
well as open cubicle spaces spread across multiple floors with “normal” users. In order to
provide adequate coverage in the high-density areas, a high number of APs typically are
deployed. This generally requires manipulation of both data rates and power to raise the cell
density while managing co-channel interference. This manipulation, however, affects normal
users in directly adjacent areas, resulting in a loss of coverage. Using RF profiles and AP
groups provides a solution.
A great example of this is Hall number 4 at the recent Mobile World Congress. Within this
deployment, coverage was needed in the various auditoriums throughout the building (high
density environment) and at the same time coverage was required for the public spaces in-
between (large coverage area). In a situation like this, a global change made in the RF
environment, such as a power adjustment, may have a negative impact on interference levels in
another part of the deployment, such as the auditoriums.
RF profiles allow the administrator to tune groups of APs sharing a common coverage zone.
The administrator can change how RRM operates the APs within that coverage zone.
Administrators create RF profiles for either the 2.4- or 5-GHz radios.
Application of an RF profile does not change the assigned AP status within RRM (RF group
assignment). It is still in global mode controlled by RRM, and all APs remain part of the same
original RF group. RF profiles simply allow the administrator to define a specific set of values
that RRM uses when managing a specific group of APs. An RF profile does not make any
changes to the RRM algorithms defined on the WLC. The following conditions must be met for
RF profiles to work:
 All APs assigned must have their channel and power settings managed by RRM (global
mode).
 An AP that has a custom power setting applied for AP Power is not in global mode.
— An RF profile will have no effect on this AP.
RF profiles are applied to groups of APs belonging to an AP group, in which all APs in the
group have the same profile settings. Most installations only have a couple of different
coverage zones that will benefit from having RF profiles configured. In most cases, RRM is
doing an adequate job already.

Note Only one version of TPC can be operable for RRM on a given WLC, and version 1 and
version 2 are not interoperable within the same RF group. If you select a threshold value for
TPCv2 and it is not the chosen TPC algorithm for the RF group, the value will be ignored.

Band Select
This topic describes how Band Select optimizes performance for dual-mode capable clients.

• Automatic band steering and selection for 5 GHz-capable devices

Band Select improves predictability and performance.



Currently many devices are capable of operating in either the 2.4-GHz or the 5-GHz bands but,
due to the larger proliferation of 2.4-GHz networks, devices still prefer to attempt a connection
in the 2.4-GHz band first. Many vertical markets also utilize specialized wireless clients that
either cannot (regulatory) or will not (cost factor) be converted to use the less congested 5-GHz
band. Additionally, some clients, either by design or with poorly written drivers, will delay
until the last possible moment the process of locating a new AP to roam to and will not
consider moving bands.
The result of these behaviors is that the 2.4-GHz band is expected to stay congested for the
foreseeable future. Therefore, a solution is needed that encourages as many capable devices
as possible to use the less congested 5-GHz band.
The 2.4-GHz band is often congested and, because of the 802.11b/g limit of three non-
overlapping channels, clients on this band typically experience interference from Bluetooth
devices, microwave ovens, and cordless phones as well as co-channel interference from other
APs. To combat these sources of interference and improve overall network performance, you
can configure band selection on the WLC. Cisco Band Select enables client radios that are
capable of dual-band (that is, 2.4- and 5-GHz) operation to move to a less congested 5-GHz
AP.
Band selection works by regulating probe responses to clients, making 5-GHz channels more
attractive to clients by delaying the probe responses to clients on 2.4-GHz channels. The feature
only runs on an AP when both the 2.4-GHz and 5-GHz radios are up and running.

Enabled on a per-WLAN basis using Cisco Prime Infrastructure or directly on the controller.

• Disabled by default
• Makes 5-GHz channels more attractive
• Not supported on WLANs with time-sensitive applications
• Can have a detrimental effect on the performance of clients


You can enable Band Select globally on a WLC, or you can enable or disable Band Select for a
particular wireless LAN. This flexibility is useful because Band Select-enabled wireless LANs
do not support time-sensitive applications like voice and video due to roaming delays
introduced by delaying probe responses.

Making changes to these parameters can have detrimental effects on client roaming capabilities.
You should investigate and be aware of the probing behavior of all clients expected to associate
with the WLC, and consult the WLC help file under Wireless > Advanced > Band Select before
making adjustments to these values.
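An added example, not from this guide or from Cisco's code: a Python model of the probe-response regulation described in this topic, showing why a known dual-band client is steered to 5 GHz while a 2.4-GHz-only client simply waits longer for its first probe response (the roaming delay that makes the feature unsuitable for voice and video WLANs). The parameter names and default values are assumptions modelled on the WLC's Band Select settings, and the client MAC addresses and probe timings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of Band Select probe-response regulation (added example).
# The parameter names and defaults below are assumptions modelled on the WLC's
# Band Select settings; they are not values taken from this guide.
PROBE_CYCLE_COUNT = 2           # 2.4-GHz probe cycles suppressed for a new client
CYCLE_PERIOD_MS = 200           # probes closer together than this form one cycle
SUPPRESSION_EXPIRE_MS = 20_000  # idle time after which a client counts as new again
DUAL_BAND_EXPIRE_MS = 60_000    # how long a 5-GHz sighting marks a client dual-band
CLIENT_RSSI_MIN_DBM = -80       # weaker 2.4-GHz clients are answered, not steered


@dataclass
class ClientState:
    cycles_seen: int = 0          # distinct 2.4-GHz probe cycles heard so far
    last_probe_ms: int = 0        # time of the client's last 2.4-GHz probe
    dual_band_until_ms: int = -1  # treated as dual-band capable until this time


class BandSelectAP:
    """Band Select decision of one AP for every probe request it hears."""

    def __init__(self, radio_2g_up: bool = True, radio_5g_up: bool = True) -> None:
        # As the text states, the feature only runs with both radios up.
        self.active = radio_2g_up and radio_5g_up
        self.clients: Dict[str, ClientState] = {}

    def probe(self, mac: str, band_ghz: float, rssi_dbm: int, now_ms: int) -> bool:
        """Return True when the AP answers the probe, False when it delays it."""
        if not self.active:
            return True
        st = self.clients.setdefault(mac, ClientState())
        if band_ghz == 5:
            # A probe on 5 GHz proves the client is dual-band capable: answer it
            # and remember that, so its 2.4-GHz probes are suppressed.
            st.dual_band_until_ms = now_ms + DUAL_BAND_EXPIRE_MS
            return True
        # Everything below handles a 2.4-GHz probe request.
        if rssi_dbm < CLIENT_RSSI_MIN_DBM:
            return True   # too weak to steer; let it associate where it can
        if now_ms < st.dual_band_until_ms:
            return False  # known dual-band client: make 2.4 GHz unattractive
        if st.cycles_seen and now_ms - st.last_probe_ms > SUPPRESSION_EXPIRE_MS:
            st.cycles_seen = 0  # aged out: start over as a new client
        if st.cycles_seen == 0 or now_ms - st.last_probe_ms > CYCLE_PERIOD_MS:
            st.cycles_seen += 1  # a new probe cycle rather than a retry in one
        st.last_probe_ms = now_ms
        # A 2.4-GHz-only client is answered once it has outlasted the
        # suppression cycles; this wait is the roaming delay the text warns about.
        return st.cycles_seen > PROBE_CYCLE_COUNT


def first_response_delay_ms(ap: BandSelectAP, mac: str, probe_times_ms: List[int],
                            rssi_dbm: int = -60) -> Optional[int]:
    """Replay a client's 2.4-GHz probe schedule and return how long it waited
    for the first probe response, or None if it was never answered."""
    for t in probe_times_ms:
        if ap.probe(mac, 2.4, rssi_dbm, t):
            return t - probe_times_ms[0]
    return None


if __name__ == "__main__":
    # Constructed scenario: a dual-band laptop and a 2.4-GHz-only handset.
    ap = BandSelectAP()
    print("laptop 5 GHz probe answered:", ap.probe("02:00:00:00:00:01", 5, -55, 0))
    print("laptop 2.4 GHz probe answered:", ap.probe("02:00:00:00:00:01", 2.4, -55, 10))
    handset = [0, 500, 1000, 1500]  # one probe cycle every 500 ms
    print("handset waited ms:", first_response_delay_ms(ap, "02:00:00:00:00:02", handset))
```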

Cisco ClientLink
This topic describes how Cisco ClientLink provides network optimization in a mixed-client
environment comprised of 802.11a/g and 802.11n clients. When used, ClientLink ensures that
802.11a/g clients operate at the best possible rates.

Advanced beam forming technology

Cisco ClientLink improves wireless client predictability and performance.



Network administrators recognize the need to serve several types of clients, some of them
enjoying the benefits of 802.11n technology and others still operating at 802.11a/g speeds.
Unfortunately, they often must support these non-802.11n clients without the possibility of
upgrading any time soon. These devices with lower capabilities could effectively slow down
the general process of data transfer due to the shared media nature of the communication
throughout the cell. The network administrator must ensure that the legacy devices do not
deprive the 802.11n-capable clients of achieving an optimal performance level.
Recognizing the need for businesses to protect their investment and the investment of their end
users in 802.11a/g devices, Cisco developed a technology called ClientLink. ClientLink enables
the performance benefits of 802.11n while supporting 802.11a/g devices, thereby increasing
their useful life.
ClientLink enhances the Multiple Input Multiple Output (MIMO) antenna characteristics of
modern APs. This enhancement is realized by taking advantage of the multipath propagation of
the radio signal so as to maximize the signal-to-noise ratio (SNR) where the legacy client is
located. Improved SNR yields many benefits such as a reduced number of retries and higher
data rates. For example, a client at the edge of the cell that might previously have been capable
of receiving packets at 12 Mb/s could now receive them at 36 Mb/s. Typical measurements of
downlink performance with ClientLink show as much as 25 percent greater throughput for
802.11a/g clients. By allowing the Wi-Fi system to operate at higher data rates and with fewer
retries, ClientLink increases the overall capacity of the system, which means more efficient use
of spectrum resources.

(Figure: Higher PHY data rates. With ClientLink disabled, clients see lower data rates; with ClientLink enabled, higher data rates. Source: Miercom; AirMagnet/Fluke Iperf Survey.)


The 802.11n systems take advantage of multipath by sending multiple radio signals at the same
time. Each of these signals, called a spatial stream, is sent from its own antenna using its own
transmitter. Because there is some space between these antennas, each signal follows a slightly
different path to the receiver, a situation called spatial diversity. The receiver has multiple
antennas as well, each with its own radio that independently decodes the arriving signals, and
each signal is combined with the signals from the other receive radios. The result is that
multiple data streams are received at the same time.
The designers of 802.11n provided a mechanism that would allow a system to compute the
parameters necessary to adjust the phase of the transmitted signals based on feedback
information collected from the client in what is called explicit beam forming. The idea was to
enable much higher throughput than previous 802.11a/g systems, but to do so requires an
802.11n client to decipher the signal.
Cisco recognized the opportunity to use the other possibility, implicit beam forming, whereby
the AP does not require explicit signal measurement feedback from the client but instead
computes the weights applicable to the data stream captured by each receiving antenna on the
AP. Since the Wi-Fi channel is reciprocal, it means that transmissions between APs and clients
happen on the same frequency and use the same antennas. Therefore, the AP can use the
adjustments calculated by Maximal Ratio Combining (MRC) (referred to as weights) to
optimize the reciprocal signal transmitted back to that specific client using two transmit
antennas of the APs.
The AP stores the weights for each client and computes what is called a steering matrix for
each one. The steering matrix changes the phase of each transmitted stream towards the legacy
client so that the interference phenomenon produces a maximum SNR at the location of the
client, thus increasing the speed level at which the client can work. The result is that every
client in the cell benefits from the fact that all non-802.11n clients work at higher speeds, and
thus have a lesser impact in slowing down data transfers. Cisco ClientLink technology is
unique in that it offers uplink improvements as well as downlink communication from AP to
client. This ability is significant because the majority of daily communication on the wireless
LAN, such as web browsing, email, and file downloads, occur in the downlink direction.

Cisco CleanAir Technology
This topic describes the use of Cisco CleanAir technology, its capabilities and benefits in
detecting sources of interferences in both the 2.4-GHz and the 5-GHz bands.

(Figure: BEFORE, wireless interference decreases reliability and performance; AFTER, CleanAir mitigates RF interference, improving reliability and performance. Air quality and performance gauges are shown for a wireless client with a microwave oven and Bluetooth devices as interferers.)
• Industry’s first chip-level proactive and automatic interference protection.
• Spectrum intelligence solution designed to manage the challenges of a shared wireless spectrum.
• Who, what, when, where, and how with interference.
• Enables the network to act upon this information.

Traditional Wi-Fi chipsets evaluate the spectrum by tracking all of the energy in the airwave
that can be attributed to their own transmissions or that can be demodulated as another 802.11
radio transmission. Any energy that remains in the spectrum that cannot be demodulated or
accounted for by transmit and receive activity is lumped into a category called noise. In reality,
a lot of the noise is actually the remnants from collisions, or Wi-Fi packets that fall below the
receive threshold for reliable demodulation. Noise can come from many sources, some of
which include microwave ovens, cordless telephones, wireless video cameras, Bluetooth and
ZigBee devices, game controllers, fluorescent lights, or outdoor wireless links such as WiMAX.
To extend spectrum analysis even further, Cisco created CleanAir technology. Cisco CleanAir
is a systemwide feature of a wireless network that streamlines operations and improves wireless
performance by providing complete visibility into the wireless spectrum. The CleanAir
technology is an enterprise-based, distributed spectrum analysis technology. As such, it is
similar to Cisco Spectrum Expert in some respects, but very different in others.
Essentially, Cisco has taken the technology behind the Cisco Spectrum Expert analysis tool and
integrated it directly into the infrastructure, including deep integration within the Wi-Fi chipset
in the Cisco Aironet 3500 and 3600 Series Access Points. The heart of the CleanAir system is
the Spectral Analysis Generation Engine (SAgE), the spectrum analyzer on a chip. The chipset
is always online. SAgE scans are performed once per second. If a Wi-Fi preamble is detected, it
is passed through to the chipset directly and is not affected by the parallel SAgE hardware. No
packets are lost during SAgE scanning. SAgE is disabled while a Wi-Fi packet is processed
through the receiver. SAgE is very fast and accurate. Even in a busy environment, there is more
than enough scan time to assess the environment accurately.

1. APs detect interferer and report to WLC.
2. WLC takes immediate action to protect most affected APs.
3. WLCs work in coordination (DCA/TPC) to avoid interferer.
4. MSE calculates interferer location, zone of impact, and so on.
5. You can see interferer details and map in PI.

(Figure: WLCs, PI, and MSE, with G2 APs surrounding an 802.11a interferer.)

Cisco CleanAir combines several elements working together to offer best-in-class protection
against the negative impact of non-802.11 interferers. As soon as an interferer is detected, the
detecting access points report the interferer to their respective controller, including elements
such as interferer pattern and detected type, affected channel, interferer detected power level,
and so on.
If APs in the neighborhood are badly affected by the interferer, the controller can take
immediate action to change the affected AP channel. At regular intervals, RRM will help
controllers working in the same RF group redesign the RF channel and power map for all APs
in the affected area to mitigate the impact of the interferer.
If your network includes an MSE, the controllers will report to the MSE all the information
collected by the APs about the interferer. The MSE will be able to combine the readings from
the various APs to determine the interferer location, zone of impact, and effect on the Wi-Fi
network.
From Cisco PI, you will be able to see the reports from the controllers, and see an Air Quality
Index (AQI) that will evaluate the impact of the interferer. With the MSE reporting to PI, you
will also be able to see all interferer locations on a given floor, along with their zone of impact,
and the location of devices affected by the interferer.

1. Identify sources of interference to be detected and those which will trigger an alarm notification.
2. Enable globally per band.
3. Verify administratively enabled on all capable APs.

With 802.11n, wireless performance is on par with wired networks, allowing enterprises to
transition more business-critical applications such as voice and video to the wireless LAN.
Today’s Wi-Fi networks are expected to run with very high reliability. It is no longer
acceptable for Wi-Fi networks to have unexpected downtime due to interference. This is why it
is very important to be able to detect all sources of interference, including non-Wi-Fi sources.
Configuring CleanAir operation consists of four steps. First you must identify the sources of
interference that will be detected and reported. Next, identify the types of interferers that will
trigger a security alarm when detected, such as a jammer or a device operating on an inverted
Wi-Fi channel. Then, enable CleanAir operation on the radio bands you wish to monitor and,
finally, verify and administratively enable CleanAir on the individual AP radios that will
monitor the RF environment. Optional but recommended configuration includes configuration
of persistent device propagation and setting a value for the AQI alarm trigger.
Persistent interferers are present at a location and interfere with the wireless LAN operations
even if they are not detectable at all times. By selecting the Persistent Device Propagation
enable check box you enable the propagation of information about persistent devices detected
by CleanAir-capable APs to any neighboring non-CleanAir-capable APs in the environment.
By selecting the Air Quality Alarm check box and entering a value between 1 and 100
(inclusive) for the Air Quality Alarm Threshold field, you specify the threshold at which you
want the air quality alarm to be triggered. When the air quality falls below the threshold level,
the alarm is triggered. A value of 1 represents the worst air quality, and 100 represents the best.
The default value is 1.
Once CleanAir has been enabled and configured within the network, information on all
detected sources of interference is available for monitoring via the PI. Although individual
WLCs will also provide information on interfering devices reported by the APs associated to
the WLCs, the result is an isolated view of the overall impact on the network that any specific
interferer is causing. However, by using PI to monitor detected sources of interference, the
administrator gains a complete networkwide view of the impact and severity of any individual
interfering device.

High Availability Solutions
This topic discusses the various methods, capabilities, and limitations of the current high
availability solutions within a unified wireless architecture.

• A well-designed wireless network plans for component failures by building in redundancy where possible.
• Create redundancy throughout the access layer by homing APs into different switches.

(Figure: Access, Distribution, and Core layers.)

High availability schemes are designed to provide quick recovery from a network component
failure. Recovery is often achieved with a very limited amount of downtime or with a period of
degraded capacity, while the failed components are quickly restored to operation. Customers
require a wireless network to be designed with high availability in mind to ensure a predictable
degree of operational continuity. Services may be degraded during the downtime, but the
wireless network should remain operational while the hardware failure is being repaired.
In order to provide a highly available design, redundancy should be used whenever and
wherever possible.

• Dynamic
- Rely on CAPWAP to load balance APs across controllers and populate APs with backup controllers.
- Results in dynamic “salt-and-pepper” design.
• Deterministic
- Administrator statically assigns to APs a primary, secondary, and/or tertiary controller.
- Cisco recommends this as a best practice.

Dynamic Redundancy
Pros: Easy to deploy and configure—less upfront work. APs dynamically load balance (though never perfectly).
Cons: More intercontroller roaming. Bigger operational challenges due to unpredictability. Longer failover times. No “fallback” option in the event of controller failure.

Deterministic Redundancy
Pros: Predictability—easier operational management. More network stability. More flexible and powerful redundancy design options. Faster failover times. “Fallback” option in the case of failover.
Cons: More upfront planning and configuration.

When planning for WLC redundancy, two possible options exist, which are dynamic
redundancy and deterministic redundancy. With dynamic redundancy, two WLCs are used to
support the deployed APs. In this fashion, the administrator relies on the Control and
Provisioning of Wireless Access Points (CAPWAP) joining process to balance the APs across
both available WLCs. The major drawback to this type of a solution is that the APs tend to be
deployed across the available WLCs in a salt-and-pepper configuration, which results in
unnecessary intercontroller roaming. While this may be an easier solution on the front end with
less work to set it up, in the end it more often leads to larger operational challenges due to the
unpredictability of where an AP is associated.
Additionally, a deployment such as this will experience longer failover times for APs if a WLC
failure occurs due to the requirement for the AP to attempt to contact the failed WLC as part of
the AP join process. If dynamic WLC redundancy is used, all WLCs should be located in a
central location and only Layer 2 roaming should be supported.
The recommended best practice for implementing WLC redundancy without AP Stateful
Switchover (SSO) is the implementation of deterministic WLC redundancy. To accomplish
this, some thought must be given to how APs should react in the event of a loss of their
associated WLC. Each joined AP is then provided with a prioritized list of WLCs that it should
attempt to join in the event that it loses communications with the primary WLC. By providing
this information to the AP, you gain more predictability in the network for the association of all
APs. You can prevent an AP from joining a WLC that has a different wireless LAN (WLAN)
to virtual LAN (VLAN) mapping, or that does not have access to the same VLANs or
authentication servers. Another benefit is that when configured in a deterministic manner an
AP, which has joined another WLC due to loss of contact with the primary WLC, can be
configured to rejoin the primary WLC automatically as soon as the primary WLC is again
reachable.

• Redundant WLC in a geographically separate location
• Layer 3 connectivity between the AP connected to the primary WLC and the redundant WLC
• Redundant WLC need not be part of the same mobility group
• Configure high availability to detect failure and faster failover
• Use AP priority in case of oversubscription of redundant WLC
• Other redundancy models: N+N, N+N+1, AP SSO
• Licensing:
- With N+1, N+N, N+N+1 models, make sure that your backup controller has enough AP licenses left to onboard APs from failed controller
- With AP SSO, backup controller can be standard controller with 50 AP licenses, or dedicated HA SKU

(Figure: WLAN-Controller-1, WLAN-Controller-2, through WLAN-Controller-n, each with its APs configured with Primary: that controller and Secondary: WLAN-Controller-BKP; WLAN-Controller-BKP sits in the NOC or Data Center.)

A single WLC at a centralized location can act as a backup for APs when they lose connectivity
with the primary WLC in the local region. You can configure primary and secondary backup
WLCs (which are used if primary, secondary, or tertiary WLCs are not specified or are not
responsive) for all APs connected to the WLC. The centralized WLC does not need to be in the
same mobility group as the regional WLCs. However, the additional WLC should be the same
model and support the same number of APs as the largest one on the network. This additional
WLC allows for one WLC to fail and no APs to be without a WLC.
There are several variations of this redundancy model. In the N+1 model, one controller is a
backup for any failed controller in the network. This model offers the lowest cost. The
downside is that only one controller can fail at any given time. At the other end of the
spectrum, the N+N model sets one backup controller for any active controller. In this model, all
controllers will be loaded to 50 percent of their AP capacity to keep room for APs from a
neighboring controller in case of failure. This model offers the best redundancy mechanism, but
represents also the highest capital expense. Most networks implement a hybrid model, called
N+N+1, where each controller is loaded to a percentage of its AP capacity, higher than 50
percent but lower than 100 percent. When a controller fails, its APs can be split across several
secondary controllers, each secondary controller onboarding part of the APs of the failed
controller. The number of controllers that can be allowed to fail in this scenario relates to the
load level of each controller.
With controller code 7.3 and later, you can also configure AP SSO for a controller. With this
deployment model, a controller is used as a backup for an active controller. The backup
controller can be a standard controller (50 AP licenses are needed on that backup controller to
activate the backup function), configured as a backup. You can also use a dedicated HA SKU.
The backup controller does not play any active role in the network while the primary controller
is functioning. The backup assumes the active role if the primary controller fails.
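As an added example, not part of the course material, the following Python script checks how many simultaneous controller failures an N+1, N+N, or N+N+1 design tolerates, taking both platform capacity and installed AP licenses into account; the controller names, capacities, and loads are constructed values.

```python
"""Added example (not from the course): how many WLC failures a redundancy
design tolerates.

Each WLC is modelled by its AP capacity, installed AP licenses and current
AP load. A set of failed controllers is survivable if the surviving ones
have enough spare (capacity- and license-limited) room to onboard every
displaced AP; as the text says, the APs of a failed controller may be
split across several secondary controllers. All numbers are constructed.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Set


@dataclass(frozen=True)
class Wlc:
    name: str
    capacity: int   # APs the platform supports
    licenses: int   # AP licenses installed; onboarding beyond this fails
    aps: int        # APs currently joined

    @property
    def spare(self) -> int:
        # Room to onboard APs is limited by whichever is smaller: capacity or licenses.
        return max(0, min(self.capacity, self.licenses) - self.aps)


def survives(failed: Set[str], wlcs: List[Wlc]) -> bool:
    """True if the surviving WLCs can absorb every AP from the failed ones."""
    displaced = sum(w.aps for w in wlcs if w.name in failed)
    spare = sum(w.spare for w in wlcs if w.name not in failed)
    return displaced <= spare


def max_simultaneous_failures(wlcs: List[Wlc]) -> int:
    """Largest k such that ANY k controllers may fail without stranding APs.

    A design is judged on its worst case, so every combination of k
    failed controllers is checked before k is accepted.
    """
    best = 0
    for k in range(1, len(wlcs)):
        if all(survives({w.name for w in c}, wlcs) for c in combinations(wlcs, k)):
            best = k
        else:
            break
    return best


# N+1: three fully loaded 500-AP controllers and one idle, fully licensed backup
N_PLUS_1 = [Wlc(f"WLC-{i}", 500, 500, 500) for i in range(1, 4)] + [Wlc("WLC-BKP", 500, 500, 0)]
# N+N: four controllers, each loaded to 50 percent to keep room for a neighbour's APs
N_PLUS_N = [Wlc(f"WLC-{i}", 500, 500, 250) for i in range(1, 5)]
# N+N+1: five controllers at 80 percent load plus one idle backup
N_PLUS_N_PLUS_1 = [Wlc(f"WLC-{i}", 500, 500, 400) for i in range(1, 6)] + [Wlc("WLC-BKP", 500, 500, 0)]
# Licensing pitfall from the slide: the same N+1 design, but the backup holds only 200 AP licenses
UNDERLICENSED = [Wlc(f"WLC-{i}", 500, 500, 500) for i in range(1, 4)] + [Wlc("WLC-BKP", 500, 200, 0)]


if __name__ == "__main__":
    designs = [("N+1", N_PLUS_1), ("N+N", N_PLUS_N), ("N+N+1", N_PLUS_N_PLUS_1),
               ("N+1, underlicensed backup", UNDERLICENSED)]
    for label, design in designs:
        print(f"{label}: tolerates {max_simultaneous_failures(design)} simultaneous failure(s)")
```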

• Backup WLCs and enhanced timers can be configured for all APs on a given controller

Wireless > Access Points > Global Configuration

Wireless > Access Points > Edit Access Point > Advanced

To enhance the AP failover process, in addition to the option to configure primary, secondary,
and tertiary controllers on the AP side, a configuration on the controller itself is possible. This
will set up primary and secondary backup controllers.
If there are no primary, secondary, or tertiary controllers configured on the AP side and a
primary backup controller or secondary backup controller is configured on the controller side
(downloaded to the AP), the primary backup controller or secondary backup controller, or both,
are added to the primary discovery request message recipient list of the AP.
Another way to enhance AP failover is to speed up the time taken by an AP to realize that its
primary controller failed, and to maintain an accurate list of possible backups. To reduce the
controller failure detection time, new heartbeats are added between the controller and AP with
smaller timeout values. Rather than one keepalive message being exchanged every 30 seconds,
messages can be sent down each second if needed.

• 1:1 wireless stateful failover capability in appliance and integrated controllers
• SSID is always beaconing (even after primary controller is down)
• Subsecond WLAN network convergence
• HA SKU (for example, AIR-CT5508-HA-K9)
• 5500, WiSM2, 7500, 8500 Series
• One WLC in active state and second WLC in hot standby state that monitors the health of the active WLC.
• Configuration on active is synched to standby WLC via redundant port.
• Both the WLCs share the same set of configurations including the IP address of the management interface.
• AP’s CAPWAP state (only APs which are in run state) is also synched.
• APs do not go in discovery state when active WLC fails.

[Figure: Active WLC and Hot-Standby WLC connected by an L2 redundant link; the HA SKU is separately orderable without AP licensing.]

Before the release of the 7.3 WLC code, all WLCs had to be in the same mobility domain for
the primary/secondary/tertiary concept to work. The primary/secondary/tertiary WLCs had to
be defined on each AP, and each WLC had to be configured separately with its own unique IP
address. This resulted in each of the WLCs being monitored and managed separately by PI.
When an AP detected the loss of connectivity to the WLC, the AP returned to the discovery
state and restarted the CAPWAP join process. This meant that the downtime between failover
could be as much as 1.5 minutes, depending on the number of APs attempting to join a new
WLC.
With the release of the 7.3 WLC code, one-to-one WLC high availability with AP SSO became
available. When configured for SSO operation, one WLC is in the active state and the second
WLC is in a hot standby state monitoring the health of the active WLC.
The configuration on the active WLC is synched to the standby WLC via a physical
redundancy port (RP). This direct Layer 2 cable connection allows both of the WLCs to share
the same set of configurations including the IP address of the management interface.
In addition to the WLC configuration, the CAPWAP state of all APs in the run state is also
synchronized between the active and standby WLCs. The result is that the APs do not go into
the CAPWAP discovery state when the active WLC fails. It reduces the AP downtime between
failover to between 5 and 996 milliseconds in the event of a WLC failure or up to 3 seconds in
the case of network issues.
The 7.4 version of the WLC code introduced the ability to utilize an HA-SKU WLC as a
secondary WLC without AP SSO or one-to-one high availability capabilities. This allows the
HA-SKU WLC to be configured as a secondary WLC in support of a single WLC or multiple
primary WLCs without additional licensing in an N+1 configuration. You can still use a
standard controller as the backup controller, but that standard controller needs to have at least
50 licenses to be configurable as a backup controller.

Summary
This topic summarizes the key points that were discussed in this lesson.

• Cisco RRM is used to efficiently overcome the various challenges
inherently faced in an 802.11 deployment. It is like having an RF
engineer in the box who constantly monitors the RF demands and
optimizes the radio operations in real time.
• Cisco ClientLink technology uses the reciprocal nature of the Wi-Fi
channel to implement implicit beam forming by using information
obtained from the received signal to adjust the transmitted signal and
improving the SNR of individual clients.
• Band Select enables client radios that are capable of dual-band (2.4 and
5 GHz) operation to move to a less congested 5 GHz access point.
• Cisco CleanAir is a systemwide feature that streamlines operations and
improves wireless performance by providing complete visibility into the
wireless spectrum.
• The Cisco Unified Network architecture can be deployed using controller
redundancy to provide quick recovery from a network component failure.


Lesson 3

Wireless Network Security


Overview
Once basic wireless network operations are established, the next concern is to ensure that
network access is secure. This means that the right user should access the right resources, and
that data transiting through the network is protected against eavesdropping. Providing secure
network access can be especially challenging in a wireless network where multiple users
share the same RF space, even with different Service Set Identifiers (SSIDs). This lesson will
suggest possible ways to ensure security of the wireless network.

Objectives
Upon completing this lesson and given a specific customer scenario and a wireless LAN with
basic functionality enabled, you will be able to describe and enable the key elements that are
needed for network security. You will be able to meet these objectives:
• Describe and enable traffic segmentation
• Describe and enable Cisco Prime Infrastructure (PI) and Cisco Identity Services Engine
(ISE) integration for security monitoring and management
• Describe how Cisco Adaptive Wireless Intrusion Prevention System (wIPS) is used to
expand security monitoring
Traffic Segmentation Needs and Methods
This topic describes the various methods for segmenting user traffic for security purposes.

[Figure: Branch with AP3600 and WLC, WAN, core WLCs, WLC in DMZ, ISE and PI; SSID Employees, SSID Voice, and SSID Guests carry Employee, Voice, and Guest users; channel utilization is shown for a deployment with 8 SSIDs and for the same deployment with 2 SSIDs.]

• Segment by SSID to isolate traffic and user types.
• Limit the number of SSIDs to the minimum to avoid overhead.
• Each SSID uses encryption and different authentication.

The way wireless networks are used has changed dramatically over the last few years. Modern
networks need to connect a wide variety of devices. Some devices belong to corporate users
who need to access the network resources anytime, from anywhere, and with any device. Some
other devices belong to guests. Knowing which user accesses the network, from which location,
and with what device are key concerns for wireless network administrators.
In networks where both employees and the general public (guests) use the same wireless space,
isolation is usually needed. Guests or the general public should not be allowed to access the
resources that are used by employees. These guests should also not be allowed to view data that
is sent and received by employees through the wired or the wireless network. Ideally, the
implementation of a wireless guest network uses as much of an existing wireless and wired
enterprise infrastructure as possible. This avoids the cost and complexity of building a physical
overlay network.
In most cases, isolation can be performed on the wireless space by using different wireless
LANs (WLANs). Common isolation techniques include the following:
• Segmentation by user or device type: In this model, a separate WLAN is created for each
type of user. This isolation can be done for guest or general public traffic isolation from
corporate users, but can also be extended to the corporate users to create one WLAN for
each category (for example, marketing, sales, and so on). When specialized devices are
used (for example, portable electronic medical records [EMR] devices), WLANs can be
created to isolate each device type.
• Segmentation by application type: Corporate wired networks are often divided into
virtual LANs (VLANs), based on applications. In this environment, each VLAN is
dedicated to a specific application or group of applications. A common practice is to
separate voice and data applications and guest access to the Internet into their own VLANs.
This logic can be extended to the wireless space, where a WLAN will be assigned to each
type of application. However, one limitation of this model is that different WLANs may
still share the same RF space. Isolation may be achieved if WLANs use encryption (so that
users on one WLAN cannot capture and read traffic from another WLAN), but this
isolation does not reduce congestion if both WLANs are on the same access point (AP) and
the same band.
• Segmentation by security type: When a wireless client connects to an SSID, the client
must match the WLAN security settings. If the WLAN advertises Wi-Fi Protected Access 2
(WPA2)-Enterprise and Advanced Encryption Standard (AES) encryption, then the client
must use WPA2-Enterprise and AES encryption. A common practice is to use Webauth for
guest users, and one or several WLANs with Layer 2 authentication for corporate users.
Each WLAN can be linked to a specific VLAN, thus ensuring that less-secure wireless
devices are not allowed access to sensitive or restricted network resources.
However, SSID segregation also presents severe limitations, which include the following:
• A Cisco wireless LAN controller (WLC) supports up to 16 SSIDs per AP. The design must
make sure that no more than 16 SSIDs are deployed per AP.
• Each SSID requires its own beacon, sent at the lowest mandatory rate. In a dense AP
environment, each additional SSID and its associated management frame overhead may
increase each channel utilization by 3 to 7 percent. The figure shows the channel utilization
in an example dense AP deployment with 8 SSIDs, and then the same channel utilization
when the SSID number is lowered to 2.
• For RF efficiency, it is necessary to limit the number of SSIDs to the strict minimum, for
example, one SSID for guests, one for VoIP devices, and one SSID for employees.

[Figure: Branch with AP3600 and WLC, WAN, core WLCs, WLC in DMZ, ISE and PI; SSID Employees maps to the Employee VLAN, QoS, and ACL, SSID Voice to the Voice VLAN, QoS, and ACL, and SSID Guests to the Guest VLAN, QoS, and ACL.]

• Each category of user or device is dynamically sent to a specific VLAN/dynamic interface.
• Specific ACLs and QoS rules are also sent to filter and control network access.

When using central authentication with ISE, you can leverage the flexibility of ISE to
dynamically send VLAN information (in the form of VLAN tag or dynamic interface name),
access control lists (ACLs), or quality of service (QoS) profiles specific to each authenticated
user and device. On the WLC, you would check the authentication, authorization, and
accounting (AAA) Override check box in the Advanced tab of the WLAN configuration
section. This will allow the ISE to return values that would be different from the WLAN
defaults.
This method allows you to send specific users to specific VLANs, with a specific QoS profile
and specific traffic filter ACL, regardless of which WLAN they use to connect.

Note QoS override is supported on WLC code 7.5 and later.

Identity-based networks (IBNs), also called Secure Access Control, provide a convenient way
to distribute ACLs based on user identification. This way, two users in the same WLAN and
sent to the same VLAN may receive different sets of ACLs. IBN ACLs are distributed to the
user along with the VLAN and other user profile details at the end of the IEEE 802.1X
authentication phase. With a Cisco WLC and Cisco ISE acting as a RADIUS server, several
subtypes of ACLs can be distributed. These include the following:
• Filter-ID ACLs: Sometimes called Airespace ACLs, these ACLs are configured on the
WLC. During the 802.1X authentication phase, the RADIUS server returns the name of the
ACL to the WLC. If the name string matches the name of an ACL configured on the WLC,
the WLC applies this ACL to the user. If the ACL is not found on the WLC, the 802.1X
authentication fails.
• Downloadable ACLs: The ACL can be configured on the WLC or on the RADIUS server.
During the 802.1X authentication phase, the RADIUS server returns the name of the ACL
to the WLC. If the name string matches the name of an ACL configured on the WLC, the
WLC applies this ACL to the user. If the ACL is not found on the WLC, the RADIUS server
can send the ACL content to the WLC.
• Redirect ACL: This type of ACL is used for Webauth type of WLAN during onboarding
or web authentication. This type of ACL is used to redirect the user to another IP address,
usually a web server, where authentication will occur (when the ACL is returned before
authentication), or to a web server.
Note that ACLs sent from ISE always override the general ACL defined on the WLC.
Therefore, if an ACL is sent from the ISE to be applied to a user, this user will be limited by
this ACL. However, the user is not limited by an ACL that would be defined in the WLC at the
wireless LAN level or at the dynamic interface level.
When AAA override is used for ACLs, how several ACLs combine into a specific access
profile for the user must be clearly understood. ACLs can be configured and set directly
on the WLC. ACLs configured on the WLC are not stateful, and the traffic direction must be
specified in most WLC ACL rules. Once configured, a WLC ACL can be positioned on a
dynamic interface to which a WLAN is mapped. In that case, it affects all users sent to this
interface regardless of their WLAN. Alternatively, a WLC ACL can be positioned on a WLAN.
In that case, it affects all users of that WLAN, regardless of the interface to which each user is
sent.

Note When both a WLAN and an interface ACL are implemented, the WLAN ACL overrides the
interface ACL.

For guest WLANs using Webauth, two types of ACLs can be implemented:
• Preauthentication ACLs are applied to users after open authentication and association, and
DHCP address assignment, but before web authentication. This type of ACL is commonly
used to prevent attacks such as domain name server (DNS) or DHCP poisoning.
• Postauthentication ACLs are applied to users after web authentication is completed. This
type of ACL is commonly used to restrict the extent or resources that guest users can
access.

Both types of ACLs are returned to WLC for user authenticating using RADIUS.
Airespace ACL:
• ACL is configured on controller, ISE sends the ACL name.
• If WLC finds an ACL with that name in its configuration, WLC accepts the authentication and applies the ACL.
• If WLC does not find an ACL with that name in its configuration, user authentication fails.
• Works on CUWN and CA controllers, with ACS and ISE.
Downloadable ACL:
• ACL does not need to be configured on WLC, ISE sends the ACL name and version number.
• If WLC finds an ACL with that name in its configuration (not because it was configured on the WLC, but because it was previously obtained from the RADIUS server with the same version), WLC accepts the authentication and applies the ACL.
• If WLC does not find an ACL with that name or that version in its configuration, WLC queries the RADIUS server for the ACL content, then accepts the authentication and applies the ACL.
• Works on CA controllers, not on CUWN controllers.

Downloadable ACLs are more complex than Filter-ID (or Airespace) ACLs. With Filter-ID
ACLs, authentication fails if the ACL is not found on the WLC. The RADIUS server only
returns an ASCII string, which is the name of the ACL. With downloadable ACLs, you can
configure the ACL on the WLC or just on the RADIUS server. The exchange between the
WLC and the RADIUS server occurs as follows:
1. The wireless client first requests 802.11 authentication and association. The wireless LAN
uses open authentication.
2. The WLC grants association.
3. Extensible Authentication Protocol over LAN (EAPOL) starts, and the WLC authentication
manager component initiates the 802.1X authentication to relay the client Extensible
Authentication Protocol (EAP) queries to the AAA server.
4. Upon successful 802.1X/EAP authentication, the RADIUS server returns an authentication
success message, along with the client profile information. This profile information
contains the name of the ACL that should be applied to the client, along with a version
number for this ACL.
5. The WLC then looks in its cache to check if an ACL with the same name and the same
version exists. If you configured the ACL on the WLC but this client is the first client
receiving the ACL from the AAA server, then the ACL exists, but not the version number.
If another client previously received the same ACL from the RADIUS server, then the
WLC cache has both the ACL and the version number. The version number changes only
when the administrator modifies the ACL content on the AAA server. If the WLC finds the
ACL in its cache with the correct version number, the WLC applies the ACL to the user. If
you did not configure the ACL on the WLC and no client received the ACL from the AAA
server recently, then the ACL is not found.
6. When the ACL is not found in the WLC cache, or the ACL is found but without the correct
version number (or without any version number), the WLC queries the AAA server. The
AAA server then returns the content of the ACL. The ACL is applied to the client and is set
into the WLC cache.

One Network—Cisco Prime Infrastructure and ISE
Integration
This topic describes how ISE and PI can be used together to deploy security profiles for
wireless users.

Branch
ISE PI

Wan
Core
WLC in DMZ
WLC
AP3600

WLC

SSID Employees Voice VLAN and ACL


WLC
SSID Voice Employee VLAN and ACL

Guest VLAN and ACL

SSID Guests

• Prime Infrastructure is used to deploy dynamic interfaces, ACLs, and


QoS rules to WLCs.
• ISE tells WLCs which interface, ACL, and QoS rule to use for each user.

When configuring per-user VLAN, ACL, and QoS profile assignment, ISE and PI work together.
First, you can use Cisco Prime Infrastructure to create and deploy policies. When you allocate a
user to a specific VLAN, dynamic interface, Airespace ACL, or QoS profile, the element must
exist on the WLC. Using PI, you can create all of the interfaces, ACLs, and QoS profiles that
will be needed and deploy them to the WLCs. They do not need to be assigned to a specific
WLAN, but must exist on the WLC that will assign them to specific users.
Next, when the user authenticates, the WLC relays the authentication query to ISE. With the
EAP Success message, ISE also returns a profile for the user that includes the dynamic
interface name, VLAN tag, ACL name, and/or QoS profile name that must be assigned to this
user. The WLC then looks into its configuration to find the name that was returned and applies
the associated parameter to the user.
Notice that if the WLC does not find in its configuration the name of the value that is returned
by ISE, the authentication fails, and the user is denied access to the network. The only
exception is the downloadable ACL. For this element, if the WLC does not find the ACL name
in its configuration, a second query is sent to ISE to provide the ACL content.
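As an added example (not Cisco code), the following Python model walks through the Filter-ID versus downloadable ACL handling described in the six-step exchange earlier in this lesson and in this topic, including the name and version cache lookup and the second query to the AAA server, together with the AAA ACL over WLAN ACL over interface ACL precedence. ACL names, rules, user profiles, and the in-memory RADIUS server are all constructed.

```python
"""Added example, not Cisco code: how a WLC resolves the ACL a user receives.

Models the Filter-ID (Airespace) versus downloadable ACL handling at 802.1X
authorization time, the name/version cache lookup with its second AAA query,
and the AAA ACL > WLAN ACL > interface ACL precedence. All names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Acl:
    name: str
    rules: Tuple[str, ...]          # constructed WLC-style rule text
    version: Optional[int] = None   # only downloadable ACLs carry a version


class RadiusServer:
    """Stand-in for ISE: authoritative copy of every downloadable ACL."""

    def __init__(self, dacls: List[Acl], profiles: Dict[str, Tuple[str, str]]):
        self._dacls = {a.name: a for a in dacls}
        self._profiles = profiles     # user -> ("filter_id" | "dacl", ACL name)
        self.content_queries = 0      # the second round trip of step 6

    def access_accept(self, user: str) -> dict:
        kind, name = self._profiles[user]
        if kind == "filter_id":
            return {"Filter-Id": name}                    # name only, no version
        return {"dACL": (name, self._dacls[name].version)}

    def fetch_dacl(self, name: str) -> Acl:
        self.content_queries += 1
        return self._dacls[name]

    def update_dacl(self, name: str, rules: Tuple[str, ...]) -> None:
        """Administrator edits the ACL on the AAA server, so its version is bumped."""
        self._dacls[name] = Acl(name, rules, self._dacls[name].version + 1)


class Wlc:
    def __init__(self, radius: RadiusServer, configured_acls: List[Acl]):
        self.radius = radius
        self.cache = {a.name: a for a in configured_acls}  # local ACLs have no version

    def authorize(self, user: str) -> Acl:
        attrs = self.radius.access_accept(user)
        if "Filter-Id" in attrs:
            acl = self.cache.get(attrs["Filter-Id"])
            if acl is None:   # Filter-ID ACL missing on the WLC: 802.1X fails
                raise PermissionError(f"ACL {attrs['Filter-Id']!r} not configured on WLC")
            return acl
        name, version = attrs["dACL"]
        cached = self.cache.get(name)
        if cached is None or cached.version != version:   # missing, stale, or unversioned
            cached = self.radius.fetch_dacl(name)           # query AAA for the content
            self.cache[name] = cached
        return cached


def effective_acl(aaa_acl: Optional[Acl], wlan_acl: Optional[Acl],
                  interface_acl: Optional[Acl]) -> Optional[Acl]:
    """Precedence the text gives: ACL from ISE > WLAN ACL > interface ACL."""
    return next((a for a in (aaa_acl, wlan_acl, interface_acl) if a is not None), None)


EMPLOYEE_ACL = Acl("EMPLOYEE-ACL", ("permit ip any 10.0.0.0 0.255.255.255",))
GUEST_POSTAUTH = Acl("GUEST-INTERNET", ("deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"))
CONTRACTOR_DACL = Acl("CONTRACTOR-DACL", ("permit tcp any host 10.1.1.10 eq 443", "deny ip any any"), 1)
LOCAL_DACL_ON_WLC = Acl("PRINTER-DACL", ("permit tcp any any eq 9100",))   # configured locally, no version
LOCAL_DACL_ON_AAA = Acl("PRINTER-DACL", ("permit tcp any any eq 9100",), 3)


def run_scenario() -> dict:
    radius = RadiusServer([CONTRACTOR_DACL, LOCAL_DACL_ON_AAA], {
        "alice": ("filter_id", "EMPLOYEE-ACL"), "bob": ("filter_id", "NOT-ON-WLC"),
        "carol": ("dacl", "CONTRACTOR-DACL"), "dave": ("dacl", "CONTRACTOR-DACL"),
        "erin": ("dacl", "PRINTER-DACL")})
    wlc = Wlc(radius, [EMPLOYEE_ACL, LOCAL_DACL_ON_WLC])
    out = {"alice": wlc.authorize("alice").name}
    try:
        wlc.authorize("bob")
        out["bob"] = "accepted"
    except PermissionError:
        out["bob"] = "auth failed"
    out["carol_v"] = wlc.authorize("carol").version          # 1, fetched from AAA
    out["dave_v"] = wlc.authorize("dave").version            # 1, cache hit
    out["queries_before_update"] = radius.content_queries    # 1
    radius.update_dacl("CONTRACTOR-DACL", ("deny ip any any",))
    out["carol_v2"] = wlc.authorize("carol").version         # 2, version changed so refetched
    out["erin_v"] = wlc.authorize("erin").version            # 3, local copy had no version
    out["queries_total"] = radius.content_queries            # 3
    out["precedence"] = effective_acl(EMPLOYEE_ACL, GUEST_POSTAUTH, None).name
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```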

Adaptive wIPS
This topic describes how Adaptive wIPS may be used to better identify and mitigate wireless
threats.

• Controller-integrated IDS engine:
- Detects rogues
- Detects common attack signatures
• Adaptive wIPS on MSE adds:
- Reduction in false positives (for example, APs containing rogues on one
WLC are not seen as attackers on another WLC)
- Alarm aggregation (avoids alarm duplicates)
- Enhanced detection of denial of service (DoS) attacks (finer analysis of
attack behaviors)
- Forensics (captures attack frames)
- Coordinated rogue containment
- Anomaly detection


Identifying and controlling the access of wireless users is fundamental to network security.
Establishing a strong wireless policy is also critical to establish clear rules. However, it is still
very possible that malicious users may attempt to tap into wireless communications, or to attack
the network itself. In an environment where wireless is used for critical applications, such a
threat must be identified and mitigated.
The WLC-based wireless intrusion detection system (wIDS) is efficient for detecting rogues,
but also for detecting common attack signatures. The embedded wIDS system can be enhanced
by deploying the centralized Cisco Adaptive wIPS. Cisco wIPS relies on the Cisco Mobility
Services Engine (MSE) and PI to centralize the definition, deployment, and alarm consolidation
for attacks that should be monitored. wIPS is integrated into the unified wireless infrastructure
and provides wireless-specific network threat detection and mitigation against malicious
attacks, security vulnerabilities, and sources of performance disruption. wIPS can detect,
analyze, and identify wireless threats, and centrally manages mitigation and resolution of
security and performance issues.
The differences between WLC-based IDS and Adaptive wIPS are as follows:
• Reduction in false positives: The wIPS feature facilitates a reduction in false positives
with respect to security monitoring of the wireless network. In contrast to the WLC-based
solution, which triggers an alarm when it detects a number of management frames over the
air, wIPS only triggers an alarm when it detects a number of management frames over the
air that are causing damage to the wireless infrastructure network. This is a result of the
wIPS feature being able to dynamically identify the state and validity of APs and clients
present in the wireless network. Only when attacks are launched against the infrastructure
are alarms raised.

• Alarm aggregation: The wIPS system is able to correlate unique attacks seen over the air
and aggregate them into a single alarm. This is accomplished by wIPS automatically
assigning a unique hash key to each particular attack the first time it is identified. If the
attack is received by multiple wIPS-enabled APs, it will only be forwarded to Cisco Prime
Infrastructure once because alarm aggregation takes place on the MSE.
• Enhanced detection of denial of service (DoS) attacks: A DoS attack involves
mechanisms that are designed to prohibit or slow successful communication within a
wireless network. The attacks often incorporate a number of spoofed frames that are
designed to drop or falter legitimate connections within the network. wIPS has more
signatures available for detecting DoS attacks.
• Forensics: The adaptive wIPS feature provides the ability to capture attack forensics for
further investigation and troubleshooting purposes. At a base level, the forensics capability
is a toggle-based packet capture facility that logs and retrieves a set of wireless frames.
This feature is enabled on a per-attack basis within a wIPS profile that is configured on PI.
Once enabled, the forensics feature is triggered when a specific attack alarm is seen over
the airwaves. The forensic file created is based on the packets contained within the buffer
of the wIPS monitor mode AP that triggered the original alarm. The file is transferred to the
WLC via Control and Provisioning of Wireless Access Points (CAPWAP), which then
forwards the forensic file via Network Mobility Service Protocol (NMSP) to wIPS running
on the MSE. The file is stored within the forensic archive on the MSE until the customer-
configured disk space limit for forensics is reached. By default, this limit is 20 gigabytes,
which when reached, causes the oldest forensic files to be removed. Access to the forensic
file is obtained by using PI to open the alarm that contains a hyperlink to the forensic file.
The files are stored in a .CAP file format, which is accessed by WildPacket Omnipeek,
AirMagnet WiFi Analyzer, Wireshark, or any other packet capture program that supports
this format.
• Rogue detection: An AP in wIPS-optimized monitor mode performs rogue threat
assessment and mitigation using the same logic as current unified wireless
implementations. This allows a wIPS mode AP to scan, detect, and contain rogue APs and
ad-hoc networks. Once discovered, this information regarding rogue wireless devices is
reported to PI where rogue alarm aggregation takes place.

Note If a containment attack is launched using a wIPS mode AP, its ability to perform methodical
attack-focused channel scanning is interrupted for the duration of the containment.

• Anomaly detection: wIPS includes specific alarms pertaining to anomalies in attack
patterns or device characteristics captured. The anomaly detection system takes into
account the historic attack log and device history contained within the MSE to baseline the
typical characteristics of the wireless network. The anomaly detection engine is triggered
when events or attacks on the system undergo a measurable change as compared to
historical data kept on the MSE. For example, if the system regularly captures a few MAC
spoofing events each day, and then on another day MAC spoofing events are up 200
percent, an anomaly alarm is triggered on MSE. This alarm is then sent to PI to inform the
administrator that something else is going on in the wireless network beyond traditional
attacks that the system may encounter. The anomaly detection alarm also can be employed
to detect day-zero attacks that might not have a preexisting signature in the wIPS system.

[Figure: wIPS deployment models. Integrated: wIPS-enabled APs (wIPS monitor mode and ELM APs) on the same WLCs as standard local mode APs, with the WLC reporting to the MSE over NMSP and the MSE to PI over SOAP/XML and SNMP traps. Overlay: APs and WLCs dedicated to the wIPS function, with a separate PI and MSE for each system and the client-serving and wIPS WLCs sharing RF Group Name = WIPS.]

Adaptive wIPS uses APs set to monitor mode, with a specific submode dedicated to wIPS. In
this case, the AP does not service clients but is dedicated to attack monitoring. The AP can also
be set to local mode, and to a wIPS sub-mode. This mode is called Enhanced Local Mode
(ELM). In this case, the AP can still service clients and also perform wIPS functions. However,
APs in ELM mode can perform wIPS functions only on the main channel they service. APs in
wIPS mode (monitor mode with wIPS sub-mode) can perform wIPS functions on all channels.
Adaptive wIPS can be deployed in two ways, as an integrated solution or as an overlay
solution. An integrated wIPS deployment is a system design in which local mode and wIPS
monitor mode or ELM APs are intermixed on the same WLC and managed by the same Cisco
PI. This setup is the recommended configuration, as it allows the tightest integration between
the client-serving and monitoring infrastructures. In fact, many of the components, including
WLCs and PI, are dual-purpose, which reduces duplicate infrastructure costs.
In a wIPS overlay deployment, the wIPS monitoring infrastructure is completely separate from
the client-serving infrastructure. Each distinct system has its own set of WLCs, APs, MSE, and
PI. The reasons for selecting this deployment model often stem from business mandates that
require distinct network infrastructure and security infrastructure systems with separate
management consoles. This deployment model could also be used if the total number of APs
(wIPS and local mode) exceeds the 15,000 AP limit for PI.
In order to configure the wIPS overlay monitoring network to provide security assessment of
the client-serving infrastructure, specific configuration items must be completed. The wIPS
system operates on the idea that only attacks against trusted devices should be logged. In order
for an overlay system to view a separate unified wireless infrastructure as trusted, the WLCs
must be in the same RF group.
There are several considerations that must be remembered after separating the client-serving
infrastructure from the wIPS monitoring overlay infrastructure. These include the following:
• wIPS alarms will be shown only on the wIPS overlay PI instance.
• Management frame protection (MFP) alarms will be shown only on the client infrastructure PI instance.
• Rogue alarms will be shown on both PI instances.
• Rogue location accuracy will be greater on the client-serving infrastructure PI, because this deployment will use a greater density of APs than the wIPS overlay.
• Over-the-air rogue mitigation will be more scalable in an integrated model, as the local mode APs can be used in mitigation actions.
• The security monitoring dashboard will be incomplete on both PI instances because some events, such as wIPS, will only exist on the wIPS overlay PI. To truly monitor the comprehensive security of the wireless network, both security dashboard instances must be observed.
One consideration of the overlay solution is the possibility of APs on either the client-serving
infrastructure or wIPS monitoring overlay associating to the wrong WLC. This situation can be
prevented by specifying the primary, secondary, and tertiary WLC names on each AP (both
local and wIPS mode). In addition, it is recommended that the WLCs for each solution have
separate management VLANs for communication with their respective APs, and that ACLs are
used to prevent CAPWAP traffic from crossing these VLAN boundaries.

Summary
This topic summarizes the key points that were discussed in this lesson.

• Traffic can be segmented based on application, user type, SSID, device type, or user credentials. In most cases, you want to use SSID segmentation while limiting the number of SSIDs to a minimum.
• Cisco Prime Infrastructure and ISE can work together to deploy and apply security policies to wireless users.
• Adaptive wIPS provides a deep attack detection and mitigation mechanism.

References
For additional information, refer to these resources:
• Cisco Prime Infrastructure Configuration Guide v2.0 on wireless LAN and interface templates, ISE interaction, ACL configuration, and wIPS, when available.

Lesson 4

Wireless Network QoS


Overview
Traffic isolation is not enough to provide optimal service to wireless users. You also have to
ensure that bandwidth consumption for each device and application matches the design
requirements. A non-critical application should not prevent a critical application from accessing
the bandwidth needed. A way to ensure this bandwidth allocation, and prioritize traffic in times
of congestion, is to implement a quality of service (QoS) policy.
QoS is different in the wireless space than it is on a wired cable. This lesson will show you
where QoS is implemented in a campus deployment of a wireless network. This lesson will also
describe the different families of QoS mechanisms used in the wireless space, with the IEEE
802.11e protocol, the Wi-Fi multimedia specification, and the various unified wireless metal
QoS profile types.

Objectives
Upon completing this lesson and given a specific customer scenario and a wireless LAN, you
will be able to enable wireless QoS policies. You will be able to meet these objectives:
• Describe where and when QoS policies are applied
• Describe the four standard metal QoS profile types
• Describe the four Alloy QoS profile types and the other mechanisms used to control traffic flow through a wireless cell
Where and When QoS Is Applied
This topic describes where and when QoS is applied, both in the wired and the wireless spaces.


QoS technologies consist of tools and techniques used to manage network resources and are
considered the key enabling technology for network convergence. The objective of QoS
technologies is to make voice, video, and data convergence appear transparent to end users.
QoS technologies allow different types of traffic to contend inequitably for network resources.
Network devices can grant priority or preferential services to voice, video, and critical data
applications so that the quality of these strategic applications does not degrade to the point of
being unusable. Therefore, QoS is a critical, intrinsic element for successful network
convergence.
QoS relies on three types of actions:
• The first action is to identify the traffic on the network and determine QoS requirements for the traffic. This is done by classifying traffic through packet inspection and marking each packet with an identifier (numeric value or tag) reflecting a traffic category.
• The second action is to create prioritization and bandwidth allocation policies at key locations in the network. When congestion occurs, these policies will determine which traffic should be sent first and which type of traffic may be dropped. This determination is usually based on the traffic marking as defined in the first action. This second action is often referred to as queuing and scheduling. In certain instances, traffic may be granted a strict bandwidth allocation where any extra traffic is dropped (this is called policing). Traffic may also be given a strict bandwidth allocation where a portion of extra traffic is buffered and sent later if bandwidth becomes available (this is called shaping).
• The third action is to prevent congestion. This action is often referred to as congestion avoidance. Several techniques can be used to achieve this goal. One is to reduce the size of each frame by compressing the frame header (this technique is only possible on point-to-point links). Another technique disassembles large frames and interleaves the smaller and possibly more urgent frames (this is called fragmentation and interleaving). This technique offers a way to reduce the delay needed to send frames of high priority. Another technique is to admit only a limited number of flows in the network. The technique is well suited for flows that have a predictable bandwidth consumption, and is called Admission Control or, when discussing voice, Call Admission Control (CAC).
Each QoS feature has its own purpose and fits into a global QoS strategy.

• Different types of traffic have different characteristics and needs. The following are examples:
- Interactive video (bursty, bandwidth intensive, latency intolerant)
- Streaming video (bursty, bandwidth intensive, latency tolerant)
- Voice (consistent flow, low bandwidth consumption, latency intolerant)

Congestion in wireless cells presents slightly different challenges than on a wired network. You can configure several Service Set Identifiers (SSIDs) on the same access point (AP). Regardless of the number of configured SSIDs, the AP has only one or two radios. This physical limitation means that wireless clients that seem to be isolated in different SSIDs may still have to share the same RF space. In this shared environment, clients have no awareness of each other's traffic requirements. Clients can detect that other stations are transmitting in the cell, but they cannot analyze each other's bandwidth needs. They compete for access to the wireless medium on a per-packet basis. As clients share the same RF environment, collisions are likely to occur, and you first need a mechanism to manage these collisions.
Depending on their position in the cell, clients can get up to 54 Mb/s in a classical 802.11a/g network and up to 300 Mb/s in an 802.11n network. These values have to be understood as "per radio." In either case, the available bandwidth in the wireless space differs from the available bandwidth on the wired link through which the AP connects to the enterprise switch. Congestion has to be managed to ensure that traffic coming from either side is not dropped because of congestion. The same phenomenon occurs when traffic coming from many APs is sent to one WLC. To take an extreme example, a Cisco 5508 Wireless LAN Controller (WLC), with eight 1-Gb/s uplinks to the switch, can manage up to 500 802.11n APs with two radios each. Congestion can occur at the WLC port level.
Although congestion on the wired side of the network is an issue, the main focus of this section is congestion in the wireless cell itself, and between the controller and the AP. Packets coming from wireless clients need to be sent first to the AP before being forwarded to another wireless client or to the wired network. The bandwidth available in the wireless cell usually dictates the AP bandwidth consumption on the wired side. An AP offering 24 Mb/s on the wireless side will usually consume the same bandwidth on the wired side, simply because the link of lowest bandwidth, in this case the wireless space, dictates the overall bandwidth consumption throughout the whole path.
These requirements imply that an efficient QoS policy must be put in place for any network that uses the Wi-Fi network for mission-critical traffic. It would not be acceptable, for example, to let guest video traffic prevent mission-critical data from reaching the database.
Therefore, your first task is to examine the traffic expected to share the wireless space and to classify this traffic into several categories. You will then assign a priority level and a criticality level to each category. There are many ways to classify traffic. A common way is to identify traffic types and then assign the corresponding QoS policies. You can do this by distinguishing the following general classes (five, if the two video types are counted separately) and examining the QoS requirements for each of them:
• VoIP over Wi-Fi: This traffic's bandwidth consumption is predictable. A typical call sends a consistent number of packets per second and receives the same amount (for example, 50 packets of 160 bytes each per second). Therefore, VoIP usually does not need high bandwidth. However, VoIP packets cannot be delayed during transmission, as excessive delays result in clicks in the call or even in silences. Delay must be low and must be consistent. Variation in the delay is called jitter, and high jitter degrades the user experience. VoIP should be given a high priority level.
• Video: You can distinguish two types of video flows. One flow is real-time video, also called interactive video (for example, video conferences). The other type is streaming video. Video bandwidth consumption is variable and depends on the codec (the coding system chosen to represent each image and each change from one image to the next). A major difference between these two types of video traffic is their latency tolerance. Interactive video is real-time, and therefore is not tolerant of high latency. A common tradeoff to lower latency is that lower video quality is often acceptable. Streaming video can be buffered in the receiving device, and therefore is more tolerant of high latency.
• Web browsing: This type of traffic also includes email and all other non-time-sensitive and non-critical traffic. This traffic receives a lower priority classification.
• Scavenger traffic: This category groups all other non-mission-critical data, such as peer-to-peer traffic.

802.11e Metal Profiles
This topic describes 802.11e Wireless Multimedia (WMM), and the standard metal profile
implementation derived from 802.11e and WMM access categories.

• 802.11e has four Access Categories (AC), each having two Traffic Categories (TC) or User Priorities (UP)
- WMM is the Wi-Fi Alliance certification for a partial implementation of 802.11e
- WMM is needed for 802.11n and 802.11ac rates
• You also need Open/Open or WPA2/AES security for 802.11n/ac

Priority   802.1p   802.11e designation   Access category   Designation
Highest    7        NC                    AC_VO             Voice
           6        VO                    AC_VO             Voice
           5        VI                    AC_VI             Video
           4        CL                    AC_VI             Video
           3        EE                    AC_BE             Best Effort
           0        BE                    AC_BE             Best Effort
           2        -                     AC_BK             Background
Lowest     1        BK                    AC_BK             Background


To classify the priority level of each expected traffic type, you need to understand and use the QoS classification and prioritization system available for wireless networks. Wireless QoS as defined by the IEEE Task Group E was ratified late in 2005 through the 802.11e amendment and integrated in the later versions of the standard (802.11-2007 and later). Although 802.11e defines two modes of operation, Enhanced Distributed Channel Access (EDCA) and HCF Controlled Channel Access (HCCA), only EDCA has seen widespread adoption. EDCA is the subset of 802.11e on which the Wi-Fi Alliance based WMM.
Notice that later protocols are built upon 802.11e. This means, for example, that WMM support
is needed for 802.11n (802.11n was ratified in 2009) or 802.11ac. Without WMM you cannot
achieve any 802.11n or 802.11ac data rate.
WMM is a set of features that are designed to improve the performance of voice, video, and
data applications that are used on Wi-Fi networks. It functions by placing the eight user priority
(UP) levels that are defined by 802.11e into four access categories (AC) that correspond to the
different traffic types:
 Voice: Highest priority traffic
 Video: Second highest priority
 Best effort: Third highest priority, mainly applications such as email or web browsers
 Background: Lowest priority, where non latency-sensitive applications reside
Each UP corresponds to a priority level defined by 802.1p, which was built to define priority levels for wired traffic. 802.11e and WMM create a wireless equivalent to the 802.1p wired priority levels (although the medium access techniques are notably different). By prioritizing traffic streams based on the data type and application requirements, WMM helps ensure that low-priority network traffic does not degrade the performance of other highly sensitive applications such as voice.

• Each metal level provides a single static QoS value for all traffic, multicast as well as unicast.
- All devices on the WLAN are assumed to be of the same traffic type.
• Applications requiring different QoS treatment are assumed to be on different WLANs.
• An 802.1p tag is applied on the wired side to allow proper precedence to be applied to traffic across the entire network infrastructure.

Although the four WMM access categories bear names that match their intended usage (voice, video, and so on), you may have good reasons to put some other type of traffic in one of these categories. For example, you may choose to put low-latency, mission-critical traffic in the voice or video queue, even if this traffic is not voice or video related. To simplify queue identification, the Cisco WLC QoS profiles designate the four access categories with metal names (the more precious metals are expected to receive higher priority); these metal names are Cisco profile names, not part of the 802.11e amendment or of the WMM certification. Using a metal name instead of a traffic type allows you to assign the traffic to the category that best matches the traffic priority requirement, without worrying about the traffic type:
• Voice (AC_VO), with UP 6 and 7, is also called Platinum.
• Video (AC_VI), with UP 4 and 5, is also called Gold.
• Best Effort (AC_BE), with UP 3 and 0, is also called Silver.
• Background (AC_BK), with UP 1 and 2, is also called Bronze.
In most wireless implementations, including Cisco Unified Wireless Networking (CUWN) version 7.1 and older, you can configure the four access categories (or rather metal types) with an expected 802.11e default UP (that will be translated into the Cisco Architecture for Voice, Video, and Integrated Data [AVVID] 802.1p value when transmitted between the AP and the WLC [1]). You can then assign a metal profile to a wireless LAN. This metal profile determines the highest QoS level expected for that wireless LAN.
Under the four fixed deployment levels (platinum, gold, silver, and bronze), each metal level provides a single static QoS value for all traffic, multicast as well as unicast. All devices on the wireless LAN are assumed to be of the same traffic type. Applications requiring different QoS treatment are assumed to be on different wireless LANs.

[1] This is the meaning of the numbers circled in the figure. For example, the Platinum profile 802.1p value of 6 means that when a frame is received with a UP of 6, this frame should be transmitted to the WLC with the 802.1p AVVID tag matching 802.11 UP 6 in the AVVID table. The packet will carry an 802.1p value of 5 (as per the AVVID table) when forwarded between the AP and the WLC.
• IEEE determined the standard L2 to L3 mapping and marking usage
• IETF and Cisco (AVVID) recommend a different mapping
• WLCs and CAPWAP APs automatically convert the IEEE mapping to the AVVID mapping

AVVID 802.1p UP-based traffic type   AVVID IP DSCP   AVVID 802.1p UP   IEEE 802.11e UP
Reserved (Network Control)           56 (CS7)        7                 7
Reserved                             48 (CS6)        6                 7
Voice                                46 (EF)         5                 6
Video                                34 (AF41)       4                 5
Voice Control                        24 (CS3)        3                 4
Gold Background                      18 (AF21)       2                 2
Silver Background                    10 (AF11)       1                 1
Best Effort                          0 (BE)          0                 0, 3

The process of moving a packet through the wireless network at the appropriate service level involves the movement of the packet across the wired network as well. While both the wired and the wireless network respect QoS markings at Layer 3 (commonly using a differentiated services code point [DSCP] marking), how Layer 2 markings are translated differs between the two media. AVVID defines the translation from the eight 802.1p priorities to IP DSCP, and the IEEE defines the translation from 802.1p priority to 802.11e UP. Two different sets of translations must be used to ensure that the packet receives the same priority all the way across the network. The chart shows the default values as they are mapped between layers. It also shows the QoS values used by different types of traffic. Notice that there is no direct correlation between Cisco AVVID DSCP and 802.11e UP. However, since they are both related to 802.1p, you can use this relationship as a translator.

• 802.1p is always capped to the WLAN QoS profile
• DSCP is never capped
• Untagged wired traffic is sent at the 802.11e maximum QoS of the WLAN

Suppose that the network wired infrastructure sends a data packet to the WLC and then to the
AP. This packet may have a DSCP field or an 802.1p class of service (CoS) value when leaving
the wired source. When the packet reaches the WLC, the original DSCP value is read and kept
in the inner DSCP field. The packet is transformed into an 802.11 frame and encapsulated into
the Control and Provisioning of Wireless Access Points protocol (CAPWAP). During the
encapsulation process, the original DSCP value is also transparently applied to the CAPWAP
outer header. The QoS value read in the CoS field (or DSCP field if there is no CoS field) is
then compared to the QoS value applied to the wireless LAN. Several cases can occur:
• The WLC wireless LAN has no QoS mapping: In that case, the outer header does not carry any tag.
• The WLC wireless LAN has a QoS mapping that is higher than the CoS value in the received packet: For example, the wireless LAN is associated to Silver, 802.1p 3, the CoS in the packet is 2, and DSCP is 20 (AF22). In that case, the CoS value requested in the packet is transferred to the outer header. In this example, the outer header carries the CoS value coming from the client (2), and the outer DSCP is unchanged (AF22).
• The WLC wireless LAN has a QoS mapping that is lower than the DSCP or CoS value in the packet: For example, the wireless LAN is associated to Silver, 802.1p 3, the CoS value in the frame header is 5, and the associated DSCP in the packet is 46 (EF). In that case, the CoS value in the outer header is capped to the wireless LAN maximum. In this example, the outer header carries the CoS value 3. The DSCP value is transparently applied to the outer header (46).
You can see that in any case, the outer CoS level does not exceed the maximum defined for the
wireless LAN, whereas the DSCP value transparently reflects the DSCP value originally
requested by the client. The packet is transferred to the switch and then to the AP. After the
packet has arrived at the AP, the inner packet is retrieved and distributed to the cell. Two cases
can occur:
• The client has no WMM support: The packet is placed in the default transmit (TX) queue for the wireless LAN, which is the Distributed Coordination Function (DCF) queue, without any WMM prioritization.
• The client has WMM support: The packet is placed in the appropriate queue for the 802.11e traffic category (TC) value derived from the CAPWAP packet outer DSCP value. When doing so, the AP makes sure that the requested TC does not exceed the wireless LAN QoS policy. For example, the wireless LAN is associated to Silver, 802.1p 3, and the DSCP value in the packet is 46 (EF). In that case, the WMM value in the 802.11 header is capped to the wireless LAN maximum. In this example, the 802.11 header carries the AC tag of Silver (3). The DSCP value is transparently applied to the Layer 3 section of the frame (46).
The same logic applies for wireless frames received at the AP and forwarded to the WLC. The
AP encapsulates the entire frame into CAPWAP, preserving the inner DSCP and 802.11e
values. For the CAPWAP header, the AP makes sure that the outer QoS value does not exceed
the WMM value configured for the wireless LAN. As the AP is usually on an access port, this
translates into the AP capping the outer DSCP value. When the encapsulated packet reaches the
WLC, the CAPWAP header is removed. The WLC then applies the same logic as on the
previous page, which means the inner DSCP value is kept unchanged. When the WLC converts
the 802.11 frame into 802.3, the 802.1p value is capped to the wireless LAN profile maximum.
This logic is very efficient in most cases, with a few exceptions:
• All traffic for a given wireless LAN is expected to be of the same type. When a wired packet is received with no QoS marking, the WLC places the packet into the wireless LAN profile's highest queue. For example, if the wireless LAN QoS profile is set to Platinum, any untagged packet received by the WLC and sent to a client in that wireless LAN is placed in the Platinum category. Although the inner marking may not exist, the outer CAPWAP marking will be set to DSCP 46 and 802.1p 5. This prioritization makes sense for packets that are of voice type, but it is not suited to packets that are unmarked because they do not need any priority.
• Multicast packets are not marked. These packets are forwarded on a per-VLAN basis, and may therefore be sent to several wireless LANs with different QoS levels. The consequence is that multicast packets are always sent as best effort. This may be an issue when these packets are destined for one single wireless LAN and would require prioritization. A typical example is music-on-hold for voice networks.
• Most devices use multiple applications simultaneously. A handheld device may be a VoIP phone and also offer web browsing functions. When associating to a wireless LAN, it may be difficult to choose which wireless LAN and which associated QoS level is more appropriate: the Platinum wireless LAN for the voice function, or the Silver wireless LAN for the web browsing function? With the Bring Your Own Device (BYOD) trend, the need for differentiated QoS inside the same wireless LAN became pressing. This led Cisco to enhance the default QoS mechanisms for WLANs and introduce Alloy QoS.

[Figure: Gold WLAN profile, voice packet. Upstream: (1) client frame with payload DSCP 46, UP 6 (Platinum); (2) AP CAPWAP encapsulation, outer DSCP AF41; (3) switch trunk adds CoS 4; (4) WLC forwards with DSCP 46, CoS 4. Downstream: (1) wired packet arrives with DSCP 46, CoS 5; (2) WLC sends CAPWAP with inner UP 5 (Gold), outer DSCP 46, CoS 4; (3) switch rewrites the outer DSCP to AF41 and removes the tag; (4) AP transmits payload DSCP 46, UP 5 (Gold).]

Gold is commonly used for video applications. The Gold priority level is lower than Platinum because video applications can often be buffered. When a WLAN is set to Gold (maximum UP 5) and wired 802.1p tagging is enabled in the QoS profile with the default mapping, the following translation occurs as WMM traffic transits upstream, from the WMM client to the AP and then to the WLC [2]:

802.11e UP   CAPWAP DSCP   802.1p
7            AF41          4
6            AF41          4
5            AF41          4
4            AF31          3
3            AF21          2
2            AF11          1
1            CS1           1
0            0             0

[2] This section assumes that Layer 3 switches between the WLC and the AP use the default and recommended CoS-to-DSCP and DSCP-to-CoS maps.
The following translation occurs for the 11 Cisco QoS base values when WMM traffic transits downstream, from the WLC to the AP and then to the WMM client:

DSCP / application               802.1p / DSCP    802.11e UP
48 (CS6) / IP routing            4 / 34 (AF41)    5
46 (EF) / voice                  4 / 34 (AF41)    5
34 (AF41) / interactive video    4 / 34 (AF41)    5
32 (CS4) / streaming video       4 / 34 (AF41)    5
26 (AF31) / mission critical     3 / 26 (AF31)    4
24 (CS3) / call signaling        3 / 26 (AF31)    4
18 (AF21) / transactional data   2 / 18 (AF21)    3
16 (CS2) / network management    2 / 18 (AF21)    3
10 (AF11) / bulk data            1 / 10 (AF11)    2
8 (CS1) / scavenger              1 / 8 (CS1)      2
0 / best effort                  0 / 0            0


The illustration shows the values for an example scenario. In this case, a voice packet is sent from a wireless client toward the network, and another voice packet is sent back from the wired network toward the wireless client. WMM is used, the WLAN is set to the Gold profile, and 802.1p tagging is enabled with the default mapping.
The upstream frame starts from the client with a DSCP value of 46 and an 802.11 UP of 6, Platinum (1). The AP encapsulates the frame into CAPWAP, checks the maximum QoS value for the SSID, and limits the outer DSCP to AF41 (DSCP 34), which is the Gold level (2). If the switch port to the AP is set to trust DSCP, the switch trusts the incoming outer DSCP value and checks its map to know which default 802.1p value matches Assured Forwarding (AF) 41: by default, 802.1p 4. Upon reaching a trunk on the switch, an 802.1p tag of 4 is added, matching the AF41 value (3). The WLC receives the frame, extracts the encapsulated content, copies the DSCP value requested by the client (46) into the outer DSCP field, checks the maximum QoS value for the SSID, and limits the 802.1p value to the one that matches the Gold level, 802.1p 4 (4).
For downstream traffic, a packet marked DSCP 46 and 802.1p 5 reaches the WLC (1). The WLC checks the maximum QoS level allowed on the SSID, converts the 802.3 frame into an 802.11 frame, and limits the inner UP value to 5 (Gold) in the 802.11 QoS tag. The original DSCP value is maintained inside the packet. The WLC then encapsulates the frame in CAPWAP, copies the DSCP value unchanged (46) to the outer header, and limits the 802.1p value to 4 (2). When the packet reaches the switch, if trust CoS is set on the switch trunk, the outer DSCP value is not trusted and is rewritten to the DSCP value that matches 802.1p 4, which is AF41. When the packet leaves the switch trunk toward an access port, the switch removes the 802.1p tag (3). The AP receives the packet with the outer header marked DSCP AF41, checks the maximum QoS value for the SSID, and accepts the already-limited inner 802.11 QoS value of 5. The AP then sends the packet to the cell using the Gold queue (4).
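The translation and capping rules above (inner DSCP carried unchanged, 802.11e UP and 802.1p capped at the WLAN profile, unmarked wired packets lifted to the profile maximum, non-WMM clients served from the DCF queue), as an added Python model written for this discussion. It is example code, not Cisco WLC or AP software. The tables are the AVVID table and the Gold-WLAN tables on this page; the Bronze profile values, the EF (46) outer DSCP for UP 6, and the switch's DSCP-to-CoS map (DSCP // 8) are assumptions.

```python
"""Added example: model of WLC and CAPWAP AP QoS translation and capping (not Cisco code)."""
from dataclasses import dataclass, replace
from typing import Optional

# 802.11e precedence, lowest to highest: UP 0 (best effort) outranks UP 1 and 2 (background)
UP_ORDER = [1, 2, 0, 3, 4, 5, 6, 7]
UP_RANK = {up: i for i, up in enumerate(UP_ORDER)}
UP_TO_AC = {7: "AC_VO", 6: "AC_VO", 5: "AC_VI", 4: "AC_VI",
            3: "AC_BE", 0: "AC_BE", 2: "AC_BK", 1: "AC_BK"}

# AVVID table from the page: 802.11e UP <-> 802.1p CoS (UP 3 and UP 0 both map to CoS 0)
UP_TO_COS = {7: 7, 6: 5, 5: 4, 4: 3, 3: 0, 2: 2, 1: 1, 0: 0}
COS_TO_UP = {7: 7, 6: 7, 5: 6, 4: 5, 3: 4, 2: 2, 1: 1, 0: 0}
# CAPWAP outer DSCP the AP writes for each capped UP (Gold upstream table; UP 6 -> EF assumed)
UP_TO_CAPWAP_DSCP = {7: 56, 6: 46, 5: 34, 4: 26, 3: 18, 2: 10, 1: 8, 0: 0}
# Switch CoS-to-DSCP map as used in the downstream table; DSCP-to-CoS assumed to be DSCP // 8
COS_TO_DSCP = {0: 0, 1: 10, 2: 18, 3: 26, 4: 34, 5: 46, 6: 48, 7: 56}
# WLAN QoS profile -> (maximum 802.11e UP, maximum 802.1p tag); Bronze values assumed
PROFILES = {"Platinum": (6, 5), "Gold": (5, 4), "Silver": (3, 3), "Bronze": (1, 1)}


@dataclass
class Pkt:
    dscp: int                         # inner IP DSCP, carried unchanged end to end
    up: Optional[int] = None          # 802.11e UP (None while the packet is an 802.3 frame)
    outer_dscp: Optional[int] = None  # CAPWAP outer header DSCP
    cos: Optional[int] = None         # 802.1p tag on the wire (None = untagged)


def cap_up(up, max_up):
    """Cap a UP at the WLAN maximum using 802.11e precedence, not numeric order."""
    return up if UP_RANK[up] <= UP_RANK[max_up] else max_up


def ap_encapsulate_upstream(pkt, profile):
    """AP on an access port: cap the client's UP and write the matching CAPWAP outer DSCP."""
    max_up, _ = PROFILES[profile]
    return replace(pkt, outer_dscp=UP_TO_CAPWAP_DSCP[cap_up(pkt.up, max_up)], cos=None)


def switch_trust_dscp(pkt):
    """Trunk trusting DSCP: tag the frame with the CoS that matches the outer DSCP."""
    return replace(pkt, cos=pkt.outer_dscp // 8)


def wlc_decapsulate_upstream(pkt, profile, tag_8021p=True):
    """WLC: restore the client's DSCP to the outer header; the 802.1p tag is capped."""
    _, max_cos = PROFILES[profile]
    cos = min(UP_TO_COS[pkt.up], max_cos) if tag_8021p else None
    return replace(pkt, outer_dscp=pkt.dscp, cos=cos)


def wlc_encapsulate_downstream(pkt, profile, tag_8021p=True):
    """WLC: derive the UP from CoS (or from DSCP when untagged) and cap it; DSCP is copied,
    never capped; a packet with no marking at all is sent at the profile maximum."""
    max_up, max_cos = PROFILES[profile]
    if pkt.cos is None and pkt.dscp == 0:
        up, outer_dscp, cos = max_up, UP_TO_CAPWAP_DSCP[max_up], max_cos
    else:
        requested_cos = pkt.cos if pkt.cos is not None else pkt.dscp // 8
        up = cap_up(COS_TO_UP[requested_cos], max_up)
        outer_dscp, cos = pkt.dscp, min(requested_cos, max_cos)
    return replace(pkt, up=up, outer_dscp=outer_dscp, cos=cos if tag_8021p else None)


def switch_trust_cos_to_access(pkt):
    """Trunk trusting CoS rewrites the outer DSCP from the tag; the access port to the AP drops the tag."""
    return replace(pkt, outer_dscp=COS_TO_DSCP[pkt.cos or 0], cos=None)


def ap_transmit_queue(pkt, profile, client_wmm):
    """AP: non-WMM clients get the DCF queue; WMM clients get the access category of the capped UP."""
    max_up, _ = PROFILES[profile]
    return UP_TO_AC[cap_up(pkt.up, max_up)] if client_wmm else "DCF"


def walk_gold_voice():
    """Reproduce the page's Gold WLAN voice walkthrough, step by step, in both directions."""
    up1 = Pkt(dscp=46, up=6)                                 # (1) client: EF, UP 6 (Platinum)
    up2 = ap_encapsulate_upstream(up1, "Gold")               # (2) AP: outer DSCP AF41 (34)
    up3 = switch_trust_dscp(up2)                             # (3) switch: CoS 4
    up4 = wlc_decapsulate_upstream(up3, "Gold")              # (4) WLC: DSCP 46, CoS capped to 4
    dn1 = Pkt(dscp=46, cos=5)                                # (1) wired voice packet at the WLC
    dn2 = wlc_encapsulate_downstream(dn1, "Gold")            # (2) WLC: UP 5, outer 46, CoS 4
    dn3 = switch_trust_cos_to_access(dn2)                    # (3) switch: outer AF41, tag removed
    queue = ap_transmit_queue(dn3, "Gold", client_wmm=True)  # (4) AP: Gold (AC_VI) queue
    return {"up_ap": up2, "up_switch": up3, "up_wlc": up4,
            "dn_wlc": dn2, "dn_switch": dn3, "dn_queue": queue}


if __name__ == "__main__":
    for step, value in walk_gold_voice().items():
        print(step, value)
```

The model keeps the two caps separate on purpose: the UP cap follows 802.11e precedence (so a Bronze WLAN with maximum UP 1 also caps UP 0), while the 802.1p cap is numeric, as in the Silver examples above where CoS 5 becomes 3.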

Alloy QoS and Traffic Control Techniques
This topic describes how Alloy QoS offers a finer traffic prioritization system for wireless
networks than the standard metal QoS system. This topic also describes other traffic admission
mechanisms that may help control traffic flows through the wireless network.

• Alloy QoS provides the capability to properly prioritize the multiple traffic
types that a multifunction device sends across the same WLAN.
• WLAN metal names are now treated as a profile name.
- Alloy separates default and maximum QoS levels for traffic on a WLAN.
- Instead of applying a fixed priority level, each profile name now consists of
three administratively configurable priorities.
- From the AP’s perspective, each WLAN is assigned three user priority values.
- Default configuration assigns a priority of 0 to unicast and multicast.


WLC software release 7.2 introduced Alloy QoS to enable more granular QoS control. Alloy
QoS provides the capability to properly prioritize the multiple traffic types that a multifunction
device sends across the same wireless LAN. Alloy QoS separates the default and maximum
QoS levels for traffic on a wireless LAN instead of applying a fixed priority level. Now, each
profile name consists of three administratively configurable priorities.
Sending to non-WMM clients at the default multicast QoS priority solves the multicast-unicast
priority problem. This allows WMM clients to promote traffic by applying the appropriate tag
and non-WMM client traffic to be sent at the lower default level.
From the AP’s perspective, each wireless LAN (WLAN) is assigned three user priority values:
 WLAN-maximum-priority
 WLAN-unicast-default-priority
 WLAN-multicast-default-priority

Administrators can configure each of the WLAN priority values if the QoS level is one of the
customer defined Alloy levels. Valid priority values for an Alloy level are:
 WLAN-maximum-priority – 0 to 6
 WLAN-unicast-default-priority – 0 to WLAN-maximum-priority
 WLAN-multicast-default-priority – 0 to WLAN-maximum-priority
Note that the lowest priority value is not 0 and must be considered carefully when configuring a
metal level as an Alloy profile: the default-priority ranges follow the IEEE 802.11e user priority
ordering, in which UP 1 and 2 are Background, 0 and 3 are Best Effort, 4 and 5 are Video, and 6
and 7 are Voice, so the order of precedence is 1 < 2 < 0 < 3 < 4 < 5 < 6 < 7. For example, if
the WLAN-maximum-priority value is 2, then the permitted WLAN-unicast-default-priority values
are 1 or 2 and 0 is not permitted, because UP 0 outranks UP 2.
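As an added illustration, not code from the student guide or from the WLC, the following Python applies the Alloy priority rules above using the 802.11e precedence order; the function and constant names are my own.

```python
# Added illustration (not from the Cisco student guide): validate the three
# Alloy QoS priorities of a WLAN profile using the IEEE 802.11e user-priority
# ordering, which is what makes "0 to WLAN-maximum-priority" a range in
# priority order rather than numeric order.

# 802.11e user priorities from lowest to highest precedence: UP 1 and 2 map to
# AC_BK (background), 0 and 3 to AC_BE (best effort), 4 and 5 to AC_VI (video),
# 6 and 7 to AC_VO (voice).
UP_ORDER = [1, 2, 0, 3, 4, 5, 6, 7]
RANK = {up: i for i, up in enumerate(UP_ORDER)}

MAX_ALLOWED_MAXIMUM = 6  # the guide limits WLAN-maximum-priority to 0..6


def validate_alloy_profile(maximum, unicast_default, multicast_default):
    """Return (ok, reason) for one Alloy profile, following the guide's rules:
    WLAN-maximum-priority 0 to 6 (numeric), and each default priority from the
    lowest UP up to WLAN-maximum-priority in 802.11e precedence order."""
    fields = (("WLAN-maximum-priority", maximum),
              ("WLAN-unicast-default-priority", unicast_default),
              ("WLAN-multicast-default-priority", multicast_default))
    for name, value in fields:
        if value not in RANK:
            return False, f"{name}={value} is not an 802.11 user priority (0-7)"
    if maximum > MAX_ALLOWED_MAXIMUM:
        return False, f"WLAN-maximum-priority={maximum} exceeds {MAX_ALLOWED_MAXIMUM}"
    for name, value in fields[1:]:
        if RANK[value] > RANK[maximum]:
            return False, (f"{name}={value} outranks WLAN-maximum-priority="
                           f"{maximum} (802.11e order is 1 < 2 < 0 < 3 < 4 < 5 < 6 < 7)")
    return True, "ok"


def permitted_defaults(maximum):
    """Every user priority a default may take for a given WLAN-maximum-priority."""
    return [up for up in UP_ORDER if RANK[up] <= RANK[maximum]]


if __name__ == "__main__":
    # The guide's example: maximum 2 permits defaults 1 or 2 but not 0.
    print("max=2 permits", permitted_defaults(2))
    print(validate_alloy_profile(2, 0, 0))
    print(validate_alloy_profile(2, 1, 2))
```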

4-64 Unified Access SE Boot Camp (UASEBC) v1.0 © 2013 Cisco Systems, Inc. CONFIDENTIAL
• Rate-limiting can be set globally or per WLAN (7.3 and later), for both
upstream and downstream directions.


Bi-Directional Rate Limiting


Another very powerful technique used to control bandwidth consumption is rate limiting. With
rate limiting, you can define how much bandwidth should be assigned to each user, in both the
upstream and the downstream directions. Rate limiting has long been available on WLCs, but
recent code releases allow finer tuning of which limit is applied to which user, WLAN, or QoS
profile type.
In WLC release 7.2 and before, you could configure downstream rate limiting on a per-QoS
profile basis. In WLC code releases 7.3 and later (Cisco Prime Infrastructure code 1.2 and
later), you can configure rate limiting for a QoS profile, but also for a WLAN. In both cases,
rate limiting can be set for downstream traffic, upstream traffic, or both.
This ability makes it possible to offer a premium level of service to a particular set of clients. A
potential use case is a hotspot, where a company could offer free low-throughput service to
everyone but charge users for a high-throughput service. Rate limiting is implemented by
extending the existing rate-limiting feature of QoS profiles to the AP. Rate limiting is done
through strict protocol matching: real-time rate limits are applied to UDP traffic, while data
rate limits are applied to TCP traffic.

© 2013 Cisco Systems, Inc. CONFIDENTIAL One Network—Building the Wireless Network 4-65
• Call admission control (CAC)
- Load-based: Client CAC
- Bandwidth-based: AP CAC
- SIP call admission control
• Expedited bandwidth requests
- Uses WMM traffic specifications
• Unscheduled automatic power save delivery (U-APSD)
- WMM enhancement to power saving clients
• You can also use AVC to monitor and control QoS on a per-application
basis (CUWN 7.4, CA 3.3 for visibility and 3.4 for control)


Standard metals and Alloy QoS optimize the prioritization process for frames sent to and from
the wireless space. They are congestion management mechanisms. However, they are not
sufficient to provide congestion avoidance. Several other mechanisms can be configured on the
WLC to optimize traffic admission and limit the risk of congestion in the first place, and to
improve the user experience. These mechanisms are primarily targeted toward voice and video
traffic:
• CAC
• Expedited bandwidth requests
• Unscheduled automatic power save delivery

Call Admission Control


CAC enables an AP to determine which voice or video flows should be admitted, based on the
available cell bandwidth and the expected bandwidth requirements of the candidate flow. Three
types of CAC are available: bandwidth-based CAC, load-based CAC, and an additional CAC
mechanism for voice flows using Session Initiation Protocol (SIP). The major difference
between them is in how the bandwidth is calculated.

Load-Based CAC
A limitation of static CAC is that it only takes into account the current traffic of the AP to
determine the current bandwidth consumption. Load-based CAC incorporates a measurement
scheme that takes into account the bandwidth that is consumed by all traffic types (including
that from clients), co-channel AP loads, and co-located channel interference.
In load-based CAC, the AP continuously measures and updates the RF channel utilization (that
is, the percentage of bandwidth that has been exhausted), channel interference, and the
additional flows that the AP can admit. The AP admits a new flow only if the channel has
enough unused bandwidth to support that call. By doing so, load-based CAC prevents
oversubscription of the channel and maintains QoS under all conditions of wireless LAN
loading and interference. Load-based CAC is considered more efficient than static CAC in
most cases.

Bandwidth-Based CAC
A QoS-enabled (WMM) wireless client can specify how much bandwidth an intended traffic
flow would require by sending an add traffic stream (ADDTS) request to the AP before the
flow starts. The ADDTS frame contains a description of the intended traffic flow, called traffic
specification (TSpec), in terms of bandwidth consumption, number of packets per second, data
rates, and so on. Bandwidth-based or static CAC enables the AP to determine if it is capable of
accommodating this particular flow based on the existing client bandwidth consumption. If the
additional intended flow would result in exceeding a configurable AP radio utilization
threshold, the AP would reject the flow.
To use bandwidth-based CAC with voice applications, the wireless LAN must be configured
for Platinum QoS. To use bandwidth-based CAC with video applications, the wireless LAN
must be configured for Gold QoS. Also, make sure that WMM is enabled for the wireless LAN.

SIP CAC
SIP CAC provides bandwidth reservation for SIP-based voice calls. For standard static CAC
and load-based CAC, bandwidth is reserved via TSpec, but most SIP clients do not support
TSpec, thus preventing bandwidth reservation. When expecting SIP clients, you can configure
SIP CAC. This feature enables the WLC and the AP to examine the content of incoming
packets for a given wireless LAN and identify SIP traffic. When such traffic is identified, the
WLC or AP identifies the source and destination, and provisions bandwidth for a SIP call. This
feature is applicable for non-TSpec-based SIP calls. SIP call snooping should be enabled only if
there are non-TSpec SIP-based clients. It is recommended that you use the SIP CAC feature
only with static CAC.
Do not use SIP CAC with load-based CAC. Load-based CAC statistics are based on the AP
radio statistics that take into consideration 802.11e QoS information in the 802.11 packets. If
there are any SIP-based voice calls from clients that do not have 802.11e QoS support, those
calls will not be taken into account to limit calls that are based on load-based CAC.
You can configure the SIP CAC feature to set a maximum call limit. This feature must be
configured only for SIP-based CAC to limit the number of calls per radio. By default, this
feature is disabled. The default value for maximum number of calls is 0, which indicates there
is no check for maximum call limit.

Expedited Bandwidth Requests


The expedited bandwidth request feature enables Cisco Compatible Extensions v5 clients to
indicate the urgency of a WMM TSpec request (for example, an emergency call) to the wireless
LAN. When the WLC receives this request, it attempts to facilitate the urgency of the call by
allowing that particular call to take place, even if it violates the defined CAC thresholds. This
additional call is rejected if admitting the call would render the AP radio unusable (because the
AP utilization would exceed 95 percent of the AP capacity).
You can apply expedited bandwidth requests to both bandwidth-based and load-based CAC.
Expedited bandwidth requests are disabled by default.
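The following Python is an added illustration, not code from the student guide or from the WLC, of the admission decision described in the bandwidth-based CAC, SIP CAC and expedited bandwidth request sections: a flow is refused once it would push radio utilization past the configured CAC threshold, an expedited request may pass that threshold but is still refused above 95 percent, and a non-zero SIP maximum call limit caps calls per radio. The function names, the check ordering and the percentage figures are my own assumptions.

```python
# Added illustration (not from the Cisco student guide): one AP radio's CAC
# admission decision for a voice flow. Utilisation values are percentages of
# radio capacity; the threshold, sample loads and check ordering are assumed.
EXPEDITED_HARD_LIMIT = 95.0  # expedited calls are still refused above 95 %


def cac_admit(current_util, flow_util, max_util, expedited=False,
              sip_calls_active=None, sip_max_calls=0):
    """Decide whether one new voice flow is admitted; returns (admitted, reason).

    current_util  radio bandwidth already used by admitted flows, in percent
    flow_util     bandwidth the flow's TSpec asks for, in percent
    max_util      configured CAC threshold for the traffic class, in percent
    expedited     CCXv5 expedited bandwidth request (e.g. an emergency call)
    sip_*         SIP CAC per-radio call counter and limit; 0 means no limit
    """
    # SIP CAC maximum call limit, checked first (assumed ordering).
    if sip_calls_active is not None and 0 < sip_max_calls <= sip_calls_active:
        return False, f"SIP CAC: radio already carries {sip_max_calls} calls"
    after = current_util + flow_util
    if after <= max_util:
        return True, f"within CAC threshold ({after:.0f}% <= {max_util:.0f}%)"
    if expedited and after <= EXPEDITED_HARD_LIMIT:
        return True, f"expedited: admitted above threshold ({after:.0f}% <= 95%)"
    if expedited:
        return False, f"expedited but refused: {after:.0f}% would exceed 95%"
    return False, f"CAC threshold exceeded ({after:.0f}% > {max_util:.0f}%)"


def run_admissions(requests, max_util, start_util=0.0):
    """Process (name, flow_util, expedited) requests in order; admitted flows
    consume bandwidth for the ones that follow. Returns (final_util, log)."""
    util, log = start_util, []
    for name, flow, expedited in requests:
        ok, why = cac_admit(util, flow, max_util, expedited)
        if ok:
            util += flow
        log.append((name, ok, why))
    return util, log


# Constructed sample: radio already at 70 %, voice CAC threshold 75 %.
SAMPLE_REQUESTS = [
    ("call-A", 7.0, False),       # 77 % > 75 %: rejected by static CAC
    ("emergency-1", 7.0, True),   # same load, but expedited: admitted
    ("emergency-2", 20.0, True),  # 97 % > 95 %: refused even though expedited
]

if __name__ == "__main__":
    final, log = run_admissions(SAMPLE_REQUESTS, max_util=75.0, start_util=70.0)
    for name, ok, why in log:
        print(f"{name:12} {'ADMIT' if ok else 'REJECT':6} {why}")
    print(f"radio utilisation after admissions: {final:.0f}%")
```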

Unscheduled Automatic Power Save Delivery


Unscheduled automatic power save delivery (U-APSD) is a QoS facility that is defined in IEEE
802.11e that extends the battery life of mobile clients. In addition to extending battery life, this
feature reduces the latency of traffic flow that is delivered over the wireless media. Because U-
APSD does not require the client to poll each individual packet that is buffered at the AP, it
allows delivery of multiple downlink packets by sending a single uplink trigger packet. WLC
support for U-APSD is enabled automatically when WMM is enabled. Although enabled, the
client may choose not to use it.

Application Visibility and Control
AVC, introduced in CUWN controller code 7.4, is another way of controlling QoS, on a per-
application basis. With AVC and Network-Based Application Recognition (NBAR) 2, the
controller and AP can perform deep packet inspection to identify traffic of interest (on a per-
application basis). Based on this application determination, you can block a specific traffic flow
or change the application QoS marking on the wired side.
AVC is available on CUWN controllers running code 7.4 and later. AVC will be introduced in
two phases in converged access controllers. A first phase (IOS XE release 3.3) will allow you
to monitor wireless applications (AVC is already available for wired traffic). A second phase
(IOS XE 3.4) will allow you to re-mark and limit the bandwidth allocated to the monitored
wireless applications.


A voice WLAN should be configured for the highest possible QoS by editing the WLAN and
selecting the QoS tab. Platinum (voice) should be selected from the QoS drop-down menu.
Keep in mind that QoS, being related to prioritization, is a relative factor. For example, if you
design two WLANs, one set to Bronze and the other to Silver, the second SSID will be
prioritized over the first one. You could, therefore, assign any priority level as long as the
prioritization is consistent among the WLANs. Cisco still recommends using the predefined
QoS levels (Platinum for voice, Gold for video, and so on), as some applications expect these
QoS levels and will not function properly if another QoS level is chosen.
Depending on the