Page 2 - Contents
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Contents: Overview ... 3; Cis...
Page 4 - 802.1X with Converged Access; up to get authenticated using dot1x.
Figure 1. 802.1X with Converged Access The authentication, authorization, and accounting (AAA) group and RADIUS server are set up on the Cisco Catalyst 3850. The authentication and author...
Page 5 - Device Definition in ISE; 802.1X Configuration for Wired Users; switchport access vlan 12
To define the Cisco Catalyst 3850, on the ISE screen, navigate to Administration > Network Resources > Network Devices as in Figure 2. Figure 2. Device Definition in ISE The dot1x needs t...
Page 6 - 802.1X Configuration for Wireless Users; similar to wired clients.
class-map type control subscriber match-all DOT1X_NO_RESP match method dot1x ! policy-map type control subscriber DOT1X event session-started match-all 1 class always do-until-failure 2 a...
Page 7 - The following is the configuration on the wired port:
I - Awaiting IIF ID allocation P - Pushed Session (non-transient state) R - Removing User Profile (multi-line status for details) U - Applying User Profile (multi-line status for details)...
Page 8 - Downloadable Access Control List; The screenshot in Figure 3 shows the dACL definition in ISE.; Downloadable ACL Screen
The following is the detailed output of the wired client session: Switch#sh access-session mac 0024.7eda.6440 details Interface: GigabitEthernet1/0/13 IIF-ID: 0x1092DC000000107 MAC Addres...
Page 9 - Authorization Profile; If a named authentication; Access Control List Deployment Considerations; Table 1 summarizes the access control entries (ACEs) scalability.; Scale Numbers
After defining the ACL in ISE, it can be associated with an authorization profile, as shown in Figure 4. Figure 4. Authorization Profile Note: If a named authentication method-list is in plac...
Page 10 - Cisco Catalyst 3850 Quality of Service; Wired Quality of Service; Cisco Catalyst 3850 Trust Behavior; Trust Behavior; trusted
The total capacity of the ACEs is an aggregate number that constitutes all types of ACEs. One type of ACE, however, can scale up to 1500. For example, the total number of Port ACL (PACL)...
Page 12 - Ingress Marking and Policing
permit udp any any eq 1214 ip access-list extended SIGNALING remark SCCP permit tcp any any range 2000 2002 remark SIP permit tcp any any range 5060 5061 permit udp any any range 5060 50...
Page 14 - Applying Ingress Policies; policies before entering the network.; Egress Quality of Service; the priority queues. Figure 5 illustrates 2P6Q3T mode.
Applying Ingress Policies Like other Cisco Catalyst platforms, Cisco Catalyst 3850 Switches offer two simplified methods to apply service policies. Depending on the deployment model, eit...
Page 16 - Wireless: Ingress Quality of Service; Ingress Marking and Policing on Wireless Client
Wireless: Ingress Quality of Service Ingress Marking and Policing on Wireless Client In the ingress direction, traffic can be marked and policed at client level. The following example pr...
Page 18 - Authentication Profile; the clients. Currently QoS policies cannot; Ingress Policies on WLAN/SSID
If the policy name is downloaded from the ISE server, the server needs to be configured as shown in Figure 6, with the AV pair ip:sub-qos-policy-in=Standard-Employee. Figure 6. Authentic...
Page 19 - Wireless: Egress Quality of Service; Policy on Access Point/Port; P2Q3T structure is shown in Figure 7.; P2Q3T Queue Model for Queuing Application Traffic
table-map dscp2dscp default copy Policy-map TRUST Table Map dscp2dscp default copy The QoS policy is applied under the WLAN configuration. The SSID policy is applied as shown in the foll...
Page 21 - Policy on Radio; The following is the policy at radio level:
bandwidth remaining ratio 10 Class-map: class-default (match-any) Match: any (total drops) 0 (bytes output) 0 The “port_child_policy” can be modified by the user to queue different appli...
Page 22 - limiter at radio level.; Policy on Service Set Identification; policies are applied in the WLAN configuration mode.; voice; Priority level 1; video; Priority level 2; bandwidth remaining percent 70
Match: any shape (average) cir 200000000, bc 800000, be 800000 target shape rate 200000000 Radio dot11a iifid: 0x104F10000000011.0xCF8F4000000005 Service-policy output: def-11an Class-ma...
Page 23 - Client; conformed 404432 bytes actions:; Flexible NetFlow
Policy-map guest-ssid Class class-default Shape average percent 20 On the enterprise SSID class-map voice and video, the policer enforces the aggregate unicast traffic at the BSSID level...
Page 24 - Flow Record
Cisco Catalyst 3850 NetFlow Architecture (Wired and Wireless) NetFlow Cisco Catalyst 3850 Overview The Cisco Catalyst 3850 supports both ingress and egress FnF on all ports of the switch...
Page 25 - is configured on the first interface.
Configuring a Flow Record (Egress) flow record v4out match ipv4 protocol match ipv4 tos match ipv4 source address match ipv4 destination address match transport source-port match transpo...
Page 26 - Attaching a Flow Monitor to Supported Port Types; Wired Port; configuration related to NetFlow on the switch and collect flows.
flow monitor v4 exporter Collector exporter Collector 1 cache timeout active 60 cache timeout inactive 20 record v4 Attaching a Flow Monitor to Supported Port Types Wired Port interface ...
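The flow record, flow monitor and attachment steps above are each cut off, so here is the whole chain in one place as an added example (not configuration from the Cisco guide): an exporter, an ingress IPv4 record using the same key fields as the guide's v4out record plus the byte, packet and timestamp fields that make the cache output useful, a monitor with the guide's timeouts, and the monitor applied to a wired port and to a WLAN. The collector address 10.1.1.50, the source interface, the UDP port, the record and monitor name v4in, the port number and the WLAN name are assumptions; confirm the collect fields against the guide's Appendix A before relying on them on a given software release.

```cisco
! Added example (not from the Cisco guide). Collector address, source
! interface, UDP port, the name v4in, the port and the WLAN are assumptions.
flow exporter Collector
 destination 10.1.1.50
 source Vlan1
 transport udp 2055
 export-protocol netflow-v9
!
flow record v4in
 ! key fields: one cache entry per 5-tuple plus input interface
 match ipv4 protocol
 match ipv4 tos
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 ! non-key fields: what the collector actually gets to count on
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
flow monitor v4in
 exporter Collector
 cache timeout active 60
 cache timeout inactive 20
 record v4in
!
interface GigabitEthernet1/0/3
 ip flow monitor v4in input
!
wlan Employee 1 Employee
 ip flow monitor v4in input
```

For an on-box look before the collector is wired up, `show flow monitor v4in cache` lists the entries and `show flow monitor v4in cache sort counter bytes long top 10` gives the top talkers the guide's "top N" commands refer to. Two caveats: NetFlow v9 export is plain UDP with no authentication or integrity, so the collector belongs on a management network reachable only from the switch's source interface, and a 60-second active timeout means a long-lived flow is reported in one-minute slices rather than as a single record, which matters when the collector's detection logic keys on flow duration.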
Page 27 - Flexible NetFlow Outputs; privileged EXEC mode.
Flexible NetFlow Outputs To display the status and statistics for a flexible NetFlow flow monitor, use the “show flow monitor” command in privileged EXEC mode. Switch# show flow monitor ...
Page 28 - in privileged EXEC mode.
19:52:12.755 10.1.22.101 10.1.1.22 51524 5060 Gi1/0/3 LIIN0 1038 3 19:52:10.755 19:52:10.755 To display top N destination aggregated flow statistics from a flow monitor cache, use the fo...
Page 30 - Multicast Flexlink is not supported on the switch.; Configuring Wireless IP Multicast on Cisco Catalyst 3850; packets as broadcast at the lowest data rate on all BSSID and radio.
Multicast Overview (Traditional and Converged Multicast) Efficient and intelligent use of bandwidth is paramount, particularly with the advent of video, mobility, and cloud technologies....
Page 31 - Multicast Mode Configuration; are sent to this access point in an outer multicast tunnel.
The videostream mode is a further enhancement of the preceding. Instead of sending the multicast as broadcast at the lowest data rate, the access point converts the original multicast p...
Page 32 - Multicast Show Commands; To display; show wireless multicast
Following is the basic configuration of wireless multicast: ● Configure IGMP snooping and querier: Switch(config)#ip igmp snooping Switch(config)#ip igmp snooping querier ● Configure wir...
Page 33 - command in privileged EXEC mode.; Total number of MCAST MGIDs = 3; tracking” command in privileged EXEC mode.
To display the full (S,V,G) list and the corresponding MGID value, use the “show wireless multicast group summary” command in privileged EXEC mode. Switch#show wireless multicast group summar...
Page 34 - SGV to Client mappings; Number of Active Clients : 4; Client List
Group: 239.255.67.250 Vlan: 412 Source: 0.0.0.0 blacklisted: no SGV to Client mappings ---------------------- Group: 224.0.1.60 Source: 0.0.0.0 Vlan: 412 Client: 10.33.170.101 Port: Ca10...
Page 35 - IGMP is enabled on interface
To display the multicast groups that are directly connected to the switch and that were learned through IGMP, use the “show ip igmp groups” command in privileged EXEC mode. Switch#show i...
Page 37 - Converged Access with the Cisco Catalyst 3850; intelligent wired services on wireless traffic.; Distributed Functions Enabling Converged Access; points, coverage hole detection, and CleanAir
Converged Access with the Cisco Catalyst 3850 The Cisco Catalyst 3850 Switch offers scalable, resilient, and future-proofed wired and wireless services. It serves as an integrated wirele...
Page 39 - Hierarchical Roles in Converged Access; an SPG require traffic to traverse the mobility controller.; Converged Access Network Design with Cisco Catalyst 3850
Figure 8. Hierarchical Roles in Converged Access The SPGs are designed as a group of mobility agent switches among which the users frequently roam. It is important that roams within an SPG ...
Page 40 - Branch
Figure 9. Single Cisco Catalyst 3850 Stack for Wired/Wireless in Small Branch If the wireless deployment consists of only a Cisco Catalyst 3850 Switch running as a mobility controller wi...
Page 42 - Configuring Converged Access with Cisco Catalyst 3850; Configuring Mobility Controller on Cisco Catalyst 3850
Figure 12. 5508/WiSM2/5760 Controller Appliances with Cisco Catalyst 3850 Switches for Large Campus Configuring Converged Access with Cisco Catalyst 3850 This section explains how to con...
Page 45 - wireless mobility controller peer-group SPG1
Figure 14. Configuring Mobility Agents and Switch Peer Group on Cisco Catalyst 3850 In this case the additional Cisco Catalyst 3850 Switches can be added and configured as mobility agent...
Page 49 - Roaming in Cisco Unified Wireless Network
These two mobility controller switches can be grouped together in one mobility group to enable fast roaming between clients of each respective subdomain. Relevant configuration that need...
Page 50 - Intracontroller roams; to the same controller.; Intercontroller roams; another access point connected to a different controller.; L2 roam; L2 Roam in Cisco Unified Wireless Network
Point of attachment (PoA) moves with user mobility and is defined as the access point to which the user joins or roams. There are two types of roams within the wireless network: intracon...
Page 51 - with which access point has associated.; L3 roam; L3 Roam in Cisco Unified Wireless Network; anchor for symmetric routing and policy application.
The previous controller does not hold any state of the client that has roamed to another controller. In this case the client traffic is CAPWAP encapsulated by the access point and termin...
Page 52 - Understanding Roams in Converged Access; Tunneled mode; areas to which most users roam.; L2 Roam in Tunneled Mode in Converged Access
Understanding Roams in Converged Access Since roams in Cisco Unified Wireless Network are explained earlier, this section explains the roams as they occur in converged access mode. It wi...
Page 53 - application latency, might increase client roam times.; L2 Roam in Nontunneled Mode in Converged Access
There is a per-WLAN setting the administrator can configure if an L2 roam like that of the Cisco Unified Wireless Network is wanted, where both the PoP and the PoA of the user move. This is ...
Page 54 - Traffic Paths in Converged Access; Client Roams Within an SPG in Converged Access
Traffic Paths in Converged Access This section explains the traffic path (profile) for local and roamed wireless clients across the different SPGs and mobility controllers. (See Figure 2...
Page 55 - Client Roams Across Mobility Controller in Converged Access; Relevant Outputs for Tracking Client Roams in Converged Access
Figure 22. Client Roams Across Mobility Controller in Converged Access In the preceding scenario, an intersubdomain (intermobility controller) roam is explained. The initial client join ...
Page 56 - Switch Roles and Other Details in Example Topology; Figure 23 shows initial client join on MA1; Initial Client Join on MA1; MA1#show wireless client summary; MAC Address AP Name WLAN State Protocol; UP
Table 3 is a list of switch names, IP addresses, their roles in SPG, and mobility group that form part of the example network. Understanding this will help explain the client roams as th...
Page 57 - point it is connected, and the WLAN and 11n on 5GHz:; Total Number of Wireless Clients = 2
Initial client join on MA1, as seen in CLI on the switch, where it shows the client MAC address, to which access point it is connected, and the WLAN and 11n on 5GHz: MA1#show wcdb databa...
Page 58 - State is the Sub-Domain state of the client.; * indicates IP of the associated Sub-domain
MC1#sh wireless mobility controller client summary Number of Clients : 2 State is the Sub-Domain state of the client. * indicates IP of the associated Sub-domain Associated Time in hours...
Page 59 - while MC1 becomes the foreign switch.
The following are the relevant outputs displaying the client roam. In this case, MA1 becomes the anchor switch, while MC1 becomes the foreign switch. MC1#show wireless client summary Num...
Page 61 - Client Roams Across SPG in Converged Access
where the mobility state is “anchor,” and the access point name is the switch/wireless management IP address of the foreign switch (MC1): 20.1.3.2. (See Figure 25.) Figure 25. Client Roa...
Page 62 - Relevant outputs at the anchor switch are the following:
Mac Address VlanId IP Address Src If Auth Mob -------------- ------ --------------- ------------------ -------- ------- b065.bdbf.77a3 701 20.1.1.53 0x00C9D9C000000004 RUN FOREIGN b065.b...
Page 63 - Mac Address VlanId IP Address Src If Auth Mob; ANCHOR; Figure 26 shows client roam across MCs
Mac Address VlanId IP Address Src If Auth Mob -------------- ------ --------------- ------------------ -------- ------- b065.bdbf.77a3 500 20.1.1.53 0x00D03BC000000002 RUN ANCHOR b065.bd...
Page 64 - Nontunneled Roam in Converged Access
Total Number of Wireless Clients = 2 Clients Waiting to Join = 0 Foreign Clients = 2 MTE Clients = 0 Mac Address VlanId IP Address Src If Auth Mob -------------- ------ --------------- -...
Page 65 - Tracking the initial client join on MA1:; LOCAL; this type of nontunneled L2 roam.
wlan Predator shutdown no mobility anchor sticky no shutdown Tracking the initial client join on MA1: MA1#show wireless client summary Number of Local Clients : 2 MAC Address AP Name WLA...
Page 67 - Tunnel Roles in Converged Access; The following outputs are from MA1:; data; The following outputs are from the mobility controller switch:
Tunnel Roles in Converged Access This section explains what function each CAPWAP tunnel plays in the converged access deployment. The following outputs are from MA1: MA1#show capwap s...
Page 68 - Name SrcIP SrcPort DestIP DstPort DtlsEn MTU; Appendix A: Detailed FnF Field Support
Ca5 3502E_G2/0/25_83A9 data Gi2/0/25 unicast - Ca4 3602I_G2/0/1_3A04 data Gi2/0/1 unicast - Name SrcIP SrcPort DestIP DstPort DtlsEn MTU ------ --------------- ------- --------------- --...