Converged Access Deployment Guidecisco.com/c/en/us/products/collateral/switches/catalyst-3850... ·...

Converged Access Deployment Guide

Converged Access Deployment GuideFirst Published: January 28, 2016

Last Modified: February 22, 2016

Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAhttp://www.cisco.comTel: 408 526-4000 800 553-NETS (6387)Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITEDWARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITHTHE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain versionof the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDINGANYOTHERWARRANTYHEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS"WITH ALL FAULTS.CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OFMERCHANTABILITY, FITNESS FORA PARTICULAR PURPOSEANDNONINFRINGEMENTORARISING FROMACOURSEOFDEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUTLIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERSHAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, networktopology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentionaland coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnershiprelationship between Cisco and any other company. (1110R)

2016 Cisco Systems, Inc. All rights reserved.

http://www.cisco.com/go/trademarkshttp://www.cisco.com/go/trademarks

C O N T E N T S

C H A P T E R 1 Converged Access: Solution Overview 1

Supported Platforms 2

Recommended Software 3

Prerequisites for Converged Access Deployment Guide 3

Concepts and Definitions 4

Mobility Agent 4

Mobility Controller 4

Switch Peer Group 4

Mobility Group 4

Converged Access Topology Example 5

Supported Platform Product Identifiers 5

Supported Wireless Access Point Models 7

C H A P T E R 2 Converged Access: Predeployment Checklist 9

Predeployment Checklist 9

Initial Configuration Values Checklist 10

C H A P T E R 3 Converged Access: Management 13

Web GUI Access 13

Converged Access Web GUI 14

Enabling Cisco Prime 15

Enabling SNMP v2 15

Enabling SNMP v3 15

C H A P T E R 4 Converged Access: Basic Configuration 17


NTP 17

SSH 17

Converged Access Deployment Guide iii

VLAN 18

Port Channel 18

ARP 18

DHCP Snooping and Trust 18

DNS 19

Configuring Converged Access 19

Configuring a Switch Hostname 19

Viewing System Level Licensing 19

Activating an RTU License 20

Working with NTP System Clock and Console Timestamps 20

Configuring an NTP Server 20

Defining DNS 21

Generating Cryptographic Keys 21

Configuring SSH for User Login 21

Configuring Management Interface Setup 22

Configuring a VLAN 23

Configuring a Default Route 23

Configuring an Uplink Interface 24

Configuring DHCP Snooping and Trust 25

Enabling IP ARP Inspection 25

Configuring a Downstream Wired Client Interface 25

Configuring an Access Point Interface 25

Stacking for High Availability 25

Prerequisites for Switch Stack Configuration 26

Viewing Stack Details 26

C H A P T E R 5 Converged Access: Securing Networks with AAA and Cisco ISE 27

Overview of Securing Networks with AAA and Cisco ISE 27

Configuring AAA 28

Verifying Dot1x Protocol and RADIUS Server 29

Adding a Cisco Catalyst 3850 Switch to Cisco ISE 29

Configuring Authentication and Authorization Policies 30

C H A P T E R 6 Converged Access: Enabling Wireless 31


Converged Access Deployment Guideiv

Contents

CAPWAP 31

Switch Peer Group 31

Mobility Subdomain 32

Mobility Domain 32


Configuring Wireless Management Interface 33

Configuring Mobility Architecture 34

Configuring a Mobility Controller 34

Configuring an Access Point Adder License 35

Configuring Multiple Subdomains 35

Configuring a Mobility Agent 36

Creating a Switch Peer Group 37

Staging for Access Points 39

Configuring a Physical Port 39

Configuring an Access Point IP Address 39

Registering Access Points 40

C H A P T E R 7 Converged Access: WLAN Configuration 41

WLAN Features 41

DHCP Server 41

Protected Management Frame 42

Band Selection 42

Assisted Roaming 43

Peer-to-Peer Blocking 43

Wi-Fi Direct Client Policy 44

Roaming Fast Transition (802.11r) 44

Media Session Snooping 45

Quality of Service 46

Deploying WLANs 46

Defining WLANs 46

WLAN Security 47

Enabling a WLAN 47

C H A P T E R 8 Converged Access: Wireless AP and RF 49

Feature List 49

Converged Access Deployment Guide v

Contents

RRM Features 49

Wireless AP Features 50

Understanding Radio Resource Management 50


Configuring RF and AP 52

Configuring RF Grouping 53

Configuring an RF Group Leader 53

Configuring Transmit Power Control 54

Configuring Dynamic Channel Assignment 55

Configuring Coverage Hole Detection and Mitigation 56

Wireless AP Features 57

Wireless and RF Prerequisites 57

802.11ac 57

802.11ac Data Rates(5 GHz) 57

Channel Widths 58

Configuring Channel Width 58

Beamforming 58

Configuring Beamforming 58

Fast SSID Changing 59

Configuring Fast SSID Changing 59

Cisco CleanAir 59

Enabling Cisco CleanAir 60

Data Rates 60

C H A P T E R 9 Converged Access: Wireless QoS 63

Converged Access QoS 63

Supported Policies for Wireless Targets 65

Configuring ACL and Class Map 65

Configuring ACL Definitions 65

Configuring Class Map Definitions 67

Wireless Ingress QoS 68

Enterprise WLAN Client Ingress Policy 68

Wireless Egress QoS 69

Enterprise WLAN SSID Egress Policy 69

Verifying a Policy Installation 70

Converged Access Deployment Guidevi

Contents

C H A P T E R 1Converged Access: Solution Overview

Converged access represents an architectural change in the way wired and wireless networks are deployed.A converged access network allows policy decisions to be enforced at the network edge, potentially minimizesunnecessary traffic backhaul, and simplifies network management by allowing one policy to be used forboth wired and wireless traffic.

This chapter provides step-by-step instructions to deploy a converged access network with the commonlyrecommended features and configurations. This guide provides information about how to deploy an operatingconverged access network.

The following figure represents the converged access workflow. The items in white are the topics coveredin this guide. The items in dark gray are the work-in-progress topics that will be added to the guidesubsequently.

Figure 1: Converged Access Roadmap

Supported Platforms , page 2

Recommended Software, page 3

Prerequisites for Converged Access Deployment Guide, page 3

Concepts and Definitions, page 4

Converged Access Deployment Guide 1

Converged Access Topology Example , page 5

Supported Platform Product Identifiers, page 5

Supported Wireless Access Point Models , page 7

Supported Platforms Cisco Catalyst 3650 Series Switches

Cisco Catalyst 3850 Series Switches

Cisco 5760 Wireless LAN Controller

Cisco Catalyst 4500E Supervisor Engine 8E

The Cisco Catalyst 3650 Series Switches and Cisco Catalyst 3850 Series Switches provide converged wiredand wireless network access for devices. Choose a specific switch based on the number of ports and uplinktype and capacity required, type of ports, scalability requirement, and Power of Ethernet (PoE) capabilityneeds of the network. The choice of the network uplink module is optional and depends on networkrequirements.

On Cisco Catalyst 4500 Series Switches, the 7R-E chassis should be hardware revision 2 or higher tohouse a Supervisor Engine 8E.

Note

Install boot is a prerequisite on Cisco Catalyst 4500 Series Switches, to support wireless.Note

The following scale requirements serve as a baseline guide when choosing the platform:Tip

The Cisco Catalyst 3850 Series Switches support up to 100 access points and 2000 wireless clientson each switching entity (switch or stack).

The Cisco Catalyst 3650 Series Switches support up to 50 access points and 1000 wireless clientson each switching entity (switch or stack).

The Cisco Catalyst 4500E Supervisor Engine 8E supports up to 100 acess points.

PoE-based platforms should be used since wireless access points can be powered using inline power.This simplifies network deployment.

For more information about the Cisco Catalyst Series switches, see the Release Notes document at: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3e/release_notes/OL3262101.html

Note

Converged Access Deployment Guide2

Converged Access: Solution OverviewSupported Platforms

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3e/release_notes/OL3262101.htmlhttp://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3e/release_notes/OL3262101.htmlhttp://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3e/release_notes/OL3262101.html

Recommended SoftwareThe recommended software for Converged Access Deployment Guide is Cisco IOS XE Release 3.7.3 E.

The support for Supervisor Engine 8E on Cisco Catalyst 4500 Series Switches was added in Cisco IOSXE Release 3.8 E.On Cisco Catalyst 4500E, the 7R-E chassis should be hardware revision 2 or higher to house a SupervisorEngine 8E.

Note

Starting with Cisco IOS 12.2(31)SGA, ISSU is supported on Cisco Catalyst 4500 Series Switches. Formore information, refer to Catalyst 4500 Series Switch Software Configuration Guide, IOS XE 3.8.0Eand IOS 15.2(4)E

Note

The latest software releases are available on the Cisco website at:

http://software.cisco.com/download/navigator.html.

We recommend that you read the relevant Release Notes before upgrading to a given software release.

Prerequisites for Converged Access Deployment Guide Knowledge about converged access as a deployment model is essential. For more information about theoverall solution and offering, see the following links:

http://www.cisco.com/c/en/us/solutions/enterprise-networks/unified-access/index.html

http://www.cisco.com/c/en/us/products/switches/catalyst-3850-series-switches/white-paper-listing.html

Knowledge about converged access as a deployment model for delivery of wired and wireless services.

The person performing the deployment should be a Cisco Certified Network Associate (CCNA), andpossess knowledge about wired and wireless services.

CLI and Console Access

Before you configure a switch or controller for basic operations, you must connect it to a PC that uses aVT-100 terminal emulator (such as, HyperTerminal, ProComm, or Putty). A controller has both EIA andTIA-232 asynchronous (RJ-45), and USB 5-pin mini Type B, 2.0-compliant serial console ports. The defaultparameters for the console ports are 9600 baud, 8 data bits, 1 stop bit, and no parity. The console ports do notsupport hardware flow control. Choose a serial baud rate of 9600 or 115200.

PC with Supported Browser Version

The GUI must be used on a PC that is running Windows 8, Windows 7, or Windows 2000 SP4 (or laterreleases).

The following is a list of supported browser versions:


Converged Access: Solution OverviewRecommended Software

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-8-0E/15-24E/configuration/guide/xe-380-configuration/issu.htmlhttp://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-8-0E/15-24E/configuration/guide/xe-380-configuration/issu.htmlhttp://software.cisco.com/download/navigator.htmlhttp://www.cisco.com/c/en/us/solutions/enterprise-networks/unified-access/index.htmlhttp://www.cisco.com/c/en/us/products/switches/catalyst-3850-series-switches/white-paper-listing.htmlhttp://www.cisco.com/c/en/us/products/switches/catalyst-3850-series-switches/white-paper-listing.html

ChromeVersion 26.x and later

MozillaVersion 20.x and later

IEVersion 8.x, 9.x, 10.x and later

Web GUI is supported from Cisco IOS XE Release 3.2.2 onwards.Tip

Concepts and DefinitionsThis section provides you with brief descriptions of the key phrases used in converged access deployment.

Mobility AgentMobility Agent is the default mobility mode that is configured on a Cisco Catalyst switch when it is shippedfrom the factory. In this mode, the switch is capable of terminating Control and Provisioning of WirelessAccess Points (CAPWAP) tunnels from access points, thereby providing connectivity to wireless clients.When operating as aMobility Agent, the switch maintains local wireless client databases, and enforces securityand quality of service (QoS) policies for wireless clients and access points at the network edge. An IP Baselicense is required for the Mobility Agent.

Mobility ControllerWhen acting as a Mobility Controller, a Cisco Catalyst switch can perform all the typical Mobility Agenttasks, in addition to mobility coordination, radio resource management, and Cisco CleanAir coordinationwithin the associated mobility subdomain. The minimum license level required to run a switch as mobilitycontroller is IP Base.

Switch Peer GroupA switch peer group is a logical entity comprising of multiple Mobility Agents acting as a group under aMobility Controller, within a mobility subdomain. Configuring a switch peer group facilitates fast roamingbetween converged access switches within the group, and reduces unnecessary roaming traffic across the restof the mobility subdomain. Mobility Agents within the same switch peer group form a fullmesh topologyof CAPWAP tunnels between peer Mobility Agents.

Mobility GroupMobility group is a group of all the wireless LAN controllers in a network that share a mobility group name.These controllers share mobility context, client state, and controller-loading information. Additionally,controllers in the same mobility group can forward data traffic to one another, which enables intercontrollerwireless LAN roaming and controller redundancy.


Converged Access: Solution OverviewConcepts and Definitions

Converged Access Topology ExampleThe following figure shows a typical converged access deployment scenario. The Mobility Controller isstacked for redundancy purposes. The Mobility Controller stack connects to eight Mobility Agents, whichservice wireless clients. The eight Mobility Agents are divided equally into two different switch peer groups(SPG). The entire setup belongs to a single mobility subdomain.

The access points connect directly to mobility agents, thus terminating CAPWAP tunnels on the MobilityAgents.

Note

Figure 2: Converged Access Deployment Scenario

Supported Platform Product IdentifiersThe following table lists the supported platform product identifiers (PIDs), provides information about thelicense level for a given PID, as well as a description of the product.


Converged Access: Solution OverviewConverged Access Topology Example

Table 1: Product Identifiers for Supported Platforms

DescriptionCisco IOS ImageSwitch Model

Cisco Catalyst 3850 Stackable 2410/100/1000 Ethernet PoE+ ports, with715-WAC power supply 1 RU, and IPBase feature set

IP BaseWS-C3850-24P-S

Cisco Catalyst 3850 Stackable 4810/100/1000 Ethernet PoE+ ports, with715-WAC power supply 1 RU, IP Basefeature set

IP BaseWS-C3850-48P-S

Cisco Catalyst 3850 Stackable 4810/100/1000 Ethernet PoE+ ports, with1100-WAC power supply 1 RU, and IPBase feature set

IP BaseWS-C3850-48F-S

Cisco Catalyst 3850 24-port PoE IP BaseIP BaseWS-C3850-24PW-S

Cisco Catalyst 3850 48-port PoE IP BaseIP BaseWS-C3850-48PW-S

Cisco Catalyst 3850 Stackable 2410/100/1000 Ethernet PoE+ ports, with715-WAC power supply 1 RU, and IPServices feature set

IP ServicesWS-C3850-24P-E


IP ServicesWS-C3850-48P-E


IP ServicesWS-C3850-48F-E

Cisco Catalyst 3850 Stackable 2410/100/1000 Cisco Universal Power overEthernet (UPOE) ports,1 network moduleslot, and 1100-W power supply

IP ServicesWS-3850-24U-E

Cisco Catalyst 3850 Stackable 4810/100/1000 Cisco UPOE ports,1 networkmodule slot, and 1100-W power supply

IP ServicesWS-3850-48U-E

Cisco Catalyst 4500E Series UnifiedAccess Supervisor, 928 Gbps

IP BaseWS-X45-SUP8-E


Converged Access: Solution OverviewSupported Platform Product Identifiers

Supported Wireless Access Point ModelsThe following table lists the access point models that are supported with the converged access solution. Accesspoint models should be chosen based on the scale, wireless client count, and features leveraged.

Table 2: Supported Wireless Access Point Models

AP ModelProduct Family

AIR-CAP3702I

AIR-CAP3702E

Cisco Aironet 3700 Series

AIR-CAP3702I

AIR-CAP3702E


AIR-CAP3501E

AIR-CAP3501I

AIR-CAP3502E

AIR-CAP3502I


AIR-CAP2702I-x-K9

AIR-CAP2702E-x-K9


AIR-CAP2602E

AIR-CAP2602I


AIR-CAP1702I- x-K9

AIR-CAP1702I- xK910


AIR-CAP1602E

AIR-CAP1602I


AIR-CAP1532I-x-K9

AIR-CAP1532E-x-K9



Converged Access: Solution OverviewSupported Wireless Access Point Models

AIR-LAP1261N

AIR-LAP1262N

AIR-AP1261N

AIR-AP1262N


AIR-AP1141N

AIR-AP1142N

AIR-LAP1141N

AIR-LAP1142N


AIR-AP1041N

AIR-AP1042N

AIR-LAP1041N

AIR-LAP1042N


AIR-CAP702W-x-K9

AIR-CAP702I-x-K9

AIR-CAP702I-xK910



Converged Access: Solution OverviewSupported Wireless Access Point Models

C H A P T E R 2Converged Access: Predeployment Checklist

This chapter provides information about the predeployment checklist that details the various componentsthat are required for successfully deploying converged access, especially in the context of a branch deployment.While planning for converged access, the switch can act either as a Mobility Controller, Mobility Agent, orboth. Multiple Mobility Agent switches can be grouped under a single Switch Peer Group (SPG) to form amobility subdomain.

Predeployment Checklist, page 9

Initial Configuration Values Checklist, page 10

Predeployment Checklist

Before proceeding with the deployment, we recommend that you plan and design your mobility architectureand assign roles to each participating device in the mobility architecture. You must configure at least oneMobility Controller.

For more information about overall switch installation, refer to Catalyst 3850 Switch Hardware InstallationGuide.

Note

The predeployment checklist provides the necessary information for deploying a switch at the access layer.In the access layer, a Cisco Catalyst 3850 Series Switch or Cisco Catalyst 3650 Series Switch must beconfigured as aMobility Controller or aMobile Agent, for it to provide all the functionalities of a full wirelesscontroller.

On Cisco Catalyst 3850 Series and Cisco Catalyst 3650 Series Switches, stack the devices to achieve highavailability and redundancy.

Tip

Table 3: Predeployment Checklist

NotesCheck List Item

Hardware


http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/hardware/installation/guide/b_c3850_hig.htmlhttp://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/hardware/installation/guide/b_c3850_hig.html

Role can be Mobility Controller or Mobility Agent.Cisco Catalyst 3850, Cisco Catalyst 3650Series switches

See Chapter 1, Solution Overview for information aboutsupported APs.

Any supported AP

Infrastructure

Cisco Identity Services Engine.Radius Server for Authentication

External or Cisco IOS-XE DHCP ServerDHCP Server For AP and Client IPaddresses

Any standard DNS ServerDNS Server

Any standard NTP ServerNTP Server

Software

See Chapter 1, Solution Overview for information aboutsoftware support.

Cisco IOS-XE image

See Chapter 4, Basic Configuration for information aboutlicensing.

License Level IPBase or IPServices

License

See Chapter 6, Enabling Wireless for procedure related tolicense activation.

AP licenses

Initial Configuration Values ChecklistUse the following table to document the values that have to be configured before deployment:

Table 4: Initial Configuration Values Checklist

ValueCheck List Item

Hostname

DHCP Server IP Address

Domain Name System (DNS) Server IP Address

Network Time Protocol (NTP) Server IP Address

TFTP Server Address

Network Management IP Address

Default Gateway IP Address

RADIUS Server IP Address

RADIUS Server Key


Converged Access: Predeployment ChecklistInitial Configuration Values Checklist

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-1/converged_access_deployement_guide/m_conAccess_deploy_guide/converged_access_solution_overview.htmlhttp://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-1/converged_access_deployement_guide/m_conAccess_deploy_guide/converged_access_solution_overview.htmlhttp://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-1/converged_access_deployement_guide/m_conAccess_deploy_guide/converged_access_basic_configuration.htmlhttp://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-1/converged_access_deployement_guide/m_conAccess_deploy_guide/converged_access_enabling_wireless.html

Secure Shell (SSH) Login Credentials

Wireless Management VLAN

Wireless Management Interface IP Address

WLAN Profile Names

Wireless Client VLAN





C H A P T E R 3Converged Access: Management

This chapter describes the switch configuration that is required to enable access for Web GUI and CiscoPrime.

You can manage converged access platforms using the following methods:

Web GUIA web browser or GUI is built into each switch.

Cisco PrimeCisco Network management software

Simple Network Management Protocol (SNMP)

CLI

Web GUI Access, page 13

Converged Access Web GUI, page 14

Enabling Cisco Prime, page 15

Web GUI AccessThe Web GUI uses HTTPS, by default. However, you can configure HTTP access using the ip http servercommand in global configuration mode.

To access the Web GUI, configure an IP address and a user with privilege 15. Configure an IP address on themanagement port, on a regular interface, or a Switch Virtual Interface (SVI); this IP address should be reachablethrough the network.

For information about configuring IP on the management interface, see Chapter 4, Basic Configuration.Note

To create a user with privilege level 15 and to use the credentials from an authentication server, use theusername user_name privilege 15 password password command in global configuration mode.


http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-1/converged_access_deployement_guide/m_conAccess_deploy_guide/converged_access_basic_configuration.html

For Web GUI access, perform the following procedure:

Step 1 Open a browser, type your management IP address, and press Enter.Step 2 Enter the configured username and password.Step 3 On the Home window, click theWireless Web GUI hyperlink.

The Wireless Web GUI home page is displayed.

Converged Access Web GUIThe Web GUI supports the following features:

The following tasks can be performed from the Configuration tab:

Configure a switch for all initial operations using the web Configuration wizard. The wizard allowsyou to configure user details, management interface, and so on.

Configure system, internal DHCP server, management, and mobility management parameters.

Configure the switch, WLAN, and radios.

Configure and set security policies on the switch.

Access the software management commands of the operating system.

The Configuration wizardAfter the initial configuration of an IP address and a local username andpassword, or authentication through an authentication server (privilege 15), the wizard provides a methodto complete the initial wireless configuration.

Start the wizard by choosing Configuration >Wizard, and then configure the following:

Admin Users

SNMP System Summary

Management Port

Wireless Management

RF Mobility and Country Code

Mobility Configuration

WLANs

802.11 Configuration

Set Time

The Monitor tab displays the following information:

Summary details of switch, clients, and access points.

All radio and AP join statistics.


Converged Access: ManagementConverged Access Web GUI

Air quality on access points.

List of all the Cisco Discovery Protocol neighbors on all the interfaces and the Cisco DiscoveryProtocol traffic information.

All the rogue access points based on their classification friendly, malicious, ad hoc, classified,and unclassified.

The Administration tab enables you to configure system logs.

Enabling Cisco PrimeTo enable Cisco Prime, enable SNMP.

Enabling SNMP v2To enable SNMP on a switch, configure SNMPv2 or SNMPv3. You can configure read-only or read-writecommunity strings, depending on the requirement.

To configure a Read Only (RO) SNMP community string, use the following command:Device# configure terminalDevice(config)# snmp-server community name RODevice(config)# end

To configure a Read Write (RW) SNMP community string, use the following command:Device# configure terminalDevice(config)# snmp-server community name RWDevice(config)# endTo check the SNMP community string, use the following command:Device# show running-config | in snmp-server community

Enabling SNMP v3To enable SNMP v3, perform the following procedure:

Step 1 To create a new group and select a security model, use the following commands:Device# configure terminalDevice(config)# snmp-server group grp-name v3 privilege write write_nameDevice(config)# end

Step 2 To create a user account, use the following commands:Device# configure terminalDevice(config)# snmp-server user user-name-grp-name v3 auth md5 password privilege aes 128 passwordDevice(config)# endConfiguring snmpv3 USM user, persisting snmpEngineBoots. Please Wait...

Step 3 To verify SNMPv3 configuration, use the following commands:Device# show running-config | in snmp-server groupDevice# show snmp userDevice# show snmp group


Converged Access: ManagementEnabling Cisco Prime


Converged Access: ManagementEnabling SNMP v3

C H A P T E R 4Converged Access: Basic Configuration

This chapter provides information about the basic configuration of the wired features on a device. Forinformation about the deployment of the wired features, refer to the Cisco Wired LAN Technology DesignGuide.

Concepts and Definitions, page 17

Configuring Converged Access, page 19

Concepts and DefinitionsThe following concepts and terms are used throughout this guide:

NTPNetwork Time Protocol (NTP) is a networking protocol for clock synchronization between devices in anetwork. NTP is implemented using User Datagram Protocol (UDP), which in turn runs over an IP. An NTPnetwork usually gets its time from an authoritative time source, such as a radio clock or an atomic clockattached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; nomore than one packet per minute is necessary to synchronize two devices within a millisecond of one another.

SSHSecure Shell (SSH) is a cryptographic network protocol for secure data communication, remote commandline login, remote command execution, and other secure-network services between two networked computers.It connects an SSH server and SSH client through a secure channel over a network that is not secure. SSH istypically used to log in to remote machines and execute commands.

Remote shell protocols send information, such as password, in plaintext making the networks susceptible tointerception and disclosure. SSH is designed as a replacement for Telnet and other remote shell protocols thatare not secure.


VLANAVLAN is a switched network that is logically segmented by function, project team, or application, irrespectiveof the physical location of users. A VLAN has the same attributes as the physical LAN. However, you cangroup the end stations in a VLAN even if they are not physically located on the same LAN segment. A switchmodule port can belong to a VLAN, but the unicast, broadcast, and multicast packets are forwarded only tothe end stations in the VLAN. A VLAN is often associated with IP subnetworks. For example, all the endstations in a particular IP subnet belong to the same VLAN.

Interface VLANmembership on a switch module is assigned manually on an interface-by-interface basis andis known as interface-based or static VLANmembership. Traffic between the VLANsmust be routed. VLANsare identified with a number ranging from 1 to 4094.

Port ChannelA port channel bundles up to eight individual interfaces into a group to provide increased bandwidth andredundancy. If a member port within a port channel fails, the traffic that is carried over a failed link switchesto one of the remaining member ports within the port channel. This traffic switch facilitates the load andbalances the traffic across the physical interfaces. A port channel is operational as long as at least one physicalinterface within the port channel is operational.

You can create a port channel by bundling compatible interfaces. You can configure and run either static portchannels or the port channels that run the Link Aggregation Control Protocol (LACP). Any configurationchange that you apply to a port channel is applied to each member interface of that port channel.

Use a static port channel with no associated protocol for a simplified configuration. To use a port channelefficiently, you can use LACP, which is defined in IEEE 802.3ad.

ARPAddress Resolution Protocol (ARP) provides IP communicationwithin a Layer 2 broadcast domain bymappingan IP address to a MAC address. It can be used in the following scenario:

Host B wants to send information to Host A, but does not have the MAC address of Host A in the ARP cache.Host B generates a broadcast message for all the hosts within the broadcast domain to obtain theMAC addressassociated with the IP address of Host A. All the hosts within the broadcast domain receive the ARP requestand Host A responds with its MAC address.

DHCP Snooping and TrustDynamic Host Configuration Protocol (DHCP) snooping is a security feature that acts like a firewall betweenuntrusted hosts and trusted DHCP servers. The DHCP snooping feature validates DHCP messages that arereceived from the untrusted sources and filters the invalid messages. It limits the rate of DHCP traffic that issent or received from trusted and untrusted sources. It builds and maintains the DHCP snooping bindingdatabase which contains information about untrusted hosts with leased IP addresses. It utilizes the DHCPsnooping binding database to validate subsequent requests from the untrusted hosts. DHCP snooping is enabledon a per VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a singleVLAN or on a range of VLANs.


Converged Access: Basic ConfigurationVLAN

DNSDomain Name System (DNS) is a hierarchical distributed naming system that maps hostnames to IP addresses.When you configure DNS on your switch, you can substitute the hostname for the IP address with the IPcommands, such as ping, telnet, connect, and related Telnet support operations. IP defines a hierarchicalnaming scheme that allows a device to be identified by its location or domain. Domain names are piecedtogether with periods (.) as delimiting characters. For example, Cisco Systems is a commercial organizationthat the IP identifies by a com domain name. Therefore, its domain name is cisco.com. To keep track of domainnames, IP has defined the concept of a domain name server that holds a cache (or database) of names mappedto IP addresses. If you need to map the domain name to the IP addresses, you must identify the hostname,specify the server name that is present on your network, and then enable the DNS.

To map a domain name to an IP address, use the following command on your network and enable the DNS:

serverservpresent

Configuring Converged Access

Configuring a Switch HostnameYou can configure a hostname on a switch to uniquely identify the switch. By default, the system name andthe system prompt are Switch.

Configure your switch hostname such that you can easily identify the switch in your network. Set thehostname for the switch product family, the role of the switch in your network, and the switch location.For example, 3850-access-Bld1Flr1

Tip

To configure a host name, use the hostname command in the global configuration mode.Device(config)# hostname 3850-access-Bld1Flr1

Viewing System Level LicensingThe switch is preinstalled with the ordered license. If a license is not pre-ordered, the switch is booted withthe LAN-base license, by default. Right-to-use (RTU) licensing allows the activation of a specific licensetype and level, and the management of license usage on the switch.

The following are the available RTU licenses:

LAN Base Layer 2 features

IP Base Layer 2 and Layer 3 features

IP Services Layer 2, Layer 3, and IPv6 features

Wireless functionality is supported only on IP Base licenses or on IP Services licenses.Tip


Converged Access: Basic ConfigurationDNS

In case of a switch stack, the switch that is activated with an RTU license is the active switch. The licenselevel for the standby or member switches in the stack can be activated at the same time from the active switchconsole.

Activating an RTU License

Step 1 To activate an RTU License, use the following command in privileged EXEC mode:Device# license right-to-use activate {ipbase |ipservices | lanbase}{all | evaluation all}[slotslot-number][acceptEULA]

Step 2 To reload the switch stack and complete the activation process for RTU license, use the following command in privilegedEXEC mode:Device# reload

Step 3 After you configure a specific license type and level, you can manage your license by monitoring the license state. Tomonitor the license state, use the following command:Device# show license right-to-use usage [slot 9]

Working with NTP System Clock and Console TimestampsIf you use any of the following features, it is mandatory to use NTP to synchronize controllers:

SNMPv3

Access point authentication

Management frame protection

Cisco Catalyst 3850 and Cisco Catalyst Series switches also supports synchronization with NTP usingauthentication.

Configure a service timestamp for console messages, logs, and debug outputs to allow accurate and easycross-referencing of events in a network.

Note

Configuring an NTP Server

Step 1 To configure an NTP server, use the following commands in the global configuration mode:Device(config)#ntp server ip-addressDevice(config)# clock timezone zone hours-offsetDevice(config)# clock summer-time zone recurring


Converged Access: Basic ConfigurationActivating an RTU License

Step 2 To configure service time stamps, use the following commands in global configuration mode:

Device(config)# service timestamps debug datetime msec localtimeDevice(config)# service timestamps log datetime msec localtime

Step 3 To verify whether the system clock is synchronized with the NTP server, use the following command in privileged EXECmode:Device# show ntp status

Defining DNSTo configure name and address resolution, define a domain name, and specify the IP address for one or moreservers, use the following commands in global configuration mode:

Device(config)# ip domain-name nameDevice(config)# ip name-server server-address1[server-address2 ... server-address6]

The default domain name is the value set by the ip domain-name command.Note

Generating Cryptographic KeysWhen SSH or HTTPS is configured on a switch, a default cryptographic key is generated. For enhancedsecurity, we recommend that you increase the key length beyond the default size. The recommended key sizeis 2048.

To generate a cryptographic key, use the following command:Device(config)# crypto key generate rsa modulus 2048

For more information about additional cryptographic configuration options and examples, refer to theConfiguring SPAN and RSPAN chapter in the Consolidated Platform Configuration Guide, Cisco IOSXE 3.3SE.

Note

Configuring SSH for User Login

Disable the Telnet access to the device.Note

Step 1 To configure SSH, use the following command in global configuration mode:

Device(config)# ip ssh version 2


Converged Access: Basic ConfigurationDefining DNS

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/consolidated_guide/configuration_guide/b_consolidated_3850_3se_cg/b_consolidated_3850_3se_cg_chapter_0110111.htmlhttp://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/consolidated_guide/configuration_guide/b_consolidated_3850_3se_cg/b_consolidated_3850_3se_cg_chapter_0110111.html

Device(config)# ip ssh authentication-retries 3Device(config)# ip ssh time-out 120Device(config)# line vty 0 15Device(config-line)# transport input ssh

Step 2 To configure local login and password for access, use the following commands in the global configuration mode.

Device(config)# username admin privilege 15 secret my-passwordDevice(config)# enable secret my-secret-passwordDevice(config)# service password-encryptionDevice(config)# exit

The local login account and password provides basic device access authentication to view platform operations.Note

Step 3 To verify whether SSH is enabled, use the following command in privileged EXEC mode:Device# show ip ssh

Configuring Management Interface SetupThe GigabitEthernet 0/0 interface on the Cisco Catalyst 3850 Series Switches is used for out-of-bandmanagement and is located next to the console port on the back panel of the switch. Out-of-band managementmanages Cisco Catalyst 3850 Series Switches and all other networking devices through a physical networkthat is separate from the network that carries end-user traffic. The GigabitEthernet 0/0 interface is located onthe back panel of the switch, which is next to the console port.

On Cisco Catalyst 4500 Series Switches, FastEthernet 0 is used as the management interfaceNote


Converged Access: Basic ConfigurationConfiguring Management Interface Setup

Note Management traffic originating from a switch must be associated with GigabitEthernet 0/0 VirtualRouting and Forwarding (VRF).

The management VRF, mgmt-vrf is a built-in VRF. A default route is required for the managementVRF.

On Cisco Catalyst 4500 Series Switches, the management VRF is mgmtvrfNote

The GigabitEthernet 0/0 interface cannot be used as the source interface for sending SNMP traps.

The GigabitEthernet 0/0 interface is a Layer 3 interface.

Step 1 To configure the interface on Cisco Catalyst 3850 Series Switches, use the following commands:Device(config)# interface GigabitEthernet 0/0 or interface FastEthernet0Device(config-if)# ip address 10.1.1.1 255.255.255.0Device(config-if)# no shutdownDevice(config-if)# exit

Step 2 To verify the reachability to the default gateway use the following ping utility:Device# ping vrf Mgmt-vrf gateway-ip-address

Configuring a VLANTo configure a VLAN, use the following commands:Device# configure terminalDevice(config)# vlan data-vlanDevice(config)# name data-name

Device(config)# vlan voice-vlanDevice(config)# name voice-name

Device(config)# vlan wireless-management-vlanDevice(config)# name management-nameDevice(config)# exit

Configuring a Default RouteTo configure a default route, use the following command in global configuration mode:Device(config)# ip route 0.0.0.0 0.0.0.0


Converged Access: Basic ConfigurationConfiguring a VLAN

Configuring an Uplink InterfaceThis section describes how to configure Ethernet interfaces that connect a switch stack to distribution switchesor routers. Typically, EtherChannels are used for uplink connectivity because they offer additional resiliency.

When you stack two or more physical switches into one logical switch, we recommend that you spreadthe uplink interfaces across the physical members, preventing a complete member failure.

Note

This section provides the options available for configuring uplink interfaces:

L3 connectivity using port channelTo configure L3 connectivity using a port channel, use the following commands:

Device(config)# interface intf-id1Device(config-if)# switchport mode trunkDevice(config-if)# switchport trunk allowed vlan 10

Converged Access Deployment Guidecisco.com/c/en/us/products/collateral/switches/catalyst-3850... ·...

Documents

Transcript of Converged Access Deployment Guidecisco.com/c/en/us/products/collateral/switches/catalyst-3850... ·...