Converged Access CT 5760 AVC Deployment Guide, Cisco IOS XE Release 3.3

Similar documents
Configuring Application Visibility and Control

External Web Authentication on Converged Access

Configure Devices Using Converged Access Deployment Templates for Campus and Branch Networks

CONFIGURATION DU SWITCH

P ART 3. Configuring the Infrastructure

Service Discovery Gateway Deployment Guide, Cisco IOS-XE Release 3.3

Configuring Application Visibility and Control for Cisco Flexible Netflow

Chapter 10 Lab 10-2, Securing VLANs INSTRUCTOR VERSION

Configure IOS-XE to display full show running-config for users with low Privilege Levels

Configuring Web-Based Authentication

Configuring Web-Based Authentication

Lab - Troubleshooting VLAN Configurations (Instructor Version Optional Lab)

when interoperating with a Cisco Layer 3 Switch Situation: VLAN 1 shutdown, no IP on default VLAN on Cisco switch

Configuring Hybrid REAP

Securing Wireless LAN Controllers (WLCs)

INTRODUCTION...2 SOLUTION DETAILS...3 NOTES...3 HOW IT WORKS...4

Cisco Troubleshooting Cisco Wireless Enterprise Networks WITSHOOT v1.1

Flexible NetFlow IPv6 Unicast Flows

Basic Router Configuration

Flexible NetFlow Full Flow support

Configuring Encrypted Traffic Analytics

Using the Web Graphical User Interface

ECMP Load Balancing. MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 900 Series) 1

Flexible NetFlow IPv6 Unicast Flows

NATIONAL_WATER_CONSERVATION#sh run Building configuration...

Lab Configuring Per-Interface Inter-VLAN Routing (Solution)

CISCO SWITCH BEST PRACTICES GUIDE

Multicast Music-on-Hold Support on Cisco UBE

Configuring Web-Based Authentication

Lab Configuring Per-Interface Inter-VLAN Routing (Instructor Version)

Configuring Data Export for Flexible NetFlow with Flow Exporters

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

Configuring Web-Based Authentication

Deployment of Cisco IP Mobility Solution on Enterprise Class Teleworker Network

Flexible NetFlow IPFIX Export Format

Lab Configuring Basic RIPv2 (Solution)

Call Flows for 3G and 4G Mobile IP Users

Converged Access Deployment Guide

Configuring the Service Discovery Gateway

Chapter 5 Lab 5-1 Inter-VLAN Routing INSTRUCTOR VERSION

Lab 8.5.2: Troubleshooting Enterprise Networks 2

Configuring r BSS Fast Transition

Chapter 8 Lab 8-1, IP Service Level Agreements and Remote SPAN in a Campus Environment INSTRUCTOR VERSION

Lab Configuring 802.1Q Trunk-Based Inter-VLAN Routing (Instructor Version Optional Lab)

Workgroup Bridges. Cisco WGBs. Information About Cisco Workgroup Bridges. Cisco WGBs, page 1 Third-Party WGBs and Client VMs, page 9

Configure Site Network Settings

Cisco Deploying Basic Wireless LANs

Cisco Virtual Office: Easy VPN Deployment Guide

Advanced IPv6 Training Course. Lab Manual. v1.3 Page 1

Using the Web Graphical User Interface

Configuring Web-Based Authentication

Configuring Secure Socket Layer HTTP

Configuring Client Profiling

CertKiller q

Flexible Netflow Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

Lab Configuring Switch Security Features (Solution) Topology

Configuring Data Export for Flexible NetFlow with Flow Exporters

Lab Configuring and Verifying Standard IPv4 ACLs (Instructor Version Optional Lab)

Chapter 5 Lab 5-2 DHCP INSTRUCTOR VERSION

Lab Troubleshooting IPv4 and IPv6 Static Routes (Instructor Version Optional Lab)

Configuring VLANs. Finding Feature Information. Prerequisites for VLANs

Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1

Configuring VLANs. Finding Feature Information. Prerequisites for VLANs

Switches running the LAN Base feature set support only static routing on SVIs.

Troubleshooting VLANs and Trunks

Configuring NetFlow. Information About NetFlow. What is a Flow. This chapter contains the following sections:

Design and Implementation Plan for Network Based on the ALOHA Point of Sale System. Proposed by Jedadiah Casey. Introduction

Lab Designing and Implementing a VLSM Addressing Scheme. Topology. Objectives. Background / Scenario

Configuring NetFlow. About NetFlow. This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices.

Configure MAC authentication SSID on Cisco Catalyst 9800 Wireless Controllers

IEEE 802.1X Multiple Authentication

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Configuring Link Aggregation

IEEE 802.1Q Tunneling (QnQ) and L2PT on L2 Ports

!! Last configuration change at 16:04:19 UTC Tue Feb by zdrillin! NVRAM config last updated at 21:07:18 UTC Thu Feb ! version 12.

Lab 1. CLI Navigation. Scenario. Initial Configuration for R1

H3C SecBlade NetStream Card Configuration Examples

CCNA Semester 2 labs. Labs for chapters 2 10

Configuring FlexConnect Groups

Numerics INDEX. 2.4-GHz WMIC, contrasted with 4.9-GHz WMIC g 3-6, x authentication 4-13

Lab Configuring Dynamic and Static NAT (Solution)

Network security session 9-2 Router Security. Network II

Configuring Voice VLAN

IPsec Anti-Replay Window Expanding and Disabling

Flexible NetFlow IPv6 Unicast Flows

Multicast VLAN, page 1 Passive Clients, page 2 Dynamic Anchoring for Clients with Static IP Addresses, page 5

Lab - Configuring Basic DHCPv4 on a Router (Solution)

Lab Configuring Dynamic and Static NAT (Instructor Version Optional Lab)

AVC Configuration. Unified Policy CLI CHAPTER

Flexible NetFlow IPv4 Unicast Flows

Configuring EtherChannel

Flexible NetFlow IPv6 Unicast Flows

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example

Web Authentication Proxy on a Wireless LAN Controller Configuration Example

Mobility Groups. Information About Mobility

Quick Note. Configure an IPSec VPN tunnel in Aggressive mode between a TransPort LR router and a Cisco router. Digi Technical Support 7 October 2016

Cisco Unified Communications Manager Express 7921 Push-to-talk

Identity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

Configuring NetFlow. Information About NetFlow. Send document comments to CHAPTER

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Transcription:

Converged Access CT 5760 AVC Deployment Guide, Cisco IOS XE Release 3.3 Last Updated: November, 2013 Introduction This guide is designed to help you deploy and monitor new features introduced in the IOS XE 3.3 release. All sections apply to both the 5760 and 3850 products. The document builds on previous releases with the assumption that users are familiar with the Converged Access products. Please refer to both the 5760 and 3850 deployment guides for released features that are not covered in this guide: CT 5760 Deployment Guide http://www.cisco.com/en/us/docs/wireless/technology/5760_deploy/ct5760_controller_deployment _Guide.html CAT 3850 Deployment Guide http://www.cisco.com/en/us/prod/collateral/switches/ps5718/ps12686/deployment_guide_c07-727067.html CT5760 Controller CT5760 is an innovative UADP ASIC based wireless controller deployed as a centralized controller in the next generation unified wireless architecture. CT 5760 controllers are specifically designed to function as Unified model central wireless controllers. They also support newer Mobility functionality with Converged Access switches in the wireless architecture. Cisco Systems, Inc. www.cisco.com

AVC Design Topology Sample CT5760 is an extensible and high performing wireless controller, which can scale up to 1,000 access points and 12,000 clients. The controller has 6-10 Gbps data ports. As a component of the Cisco Unified Wireless Network, the 5760 series works in conjunction with Cisco Aironet access points, the Cisco Prime infrastructure and the Cisco Mobility Services Engine to support business-critical wireless data, voice, and video applications. AVC Design Topology Sample In order to derive the most out of this deployment guide and exercise the functionality outlined in this document, it is important to have a network that is configured properly with IPv4 configuration on switches and controllers. All sample design lab resources are configured as depicted in the diagram. Most lab deployments are usually configured in labs or private networks with a minimal set of controllers, Access Points, and clients. 2

Application Visibility (AV) Configuration Application Visibility (AV) Configuration Network Based Application Recognition (NBAR2) provides application-aware control on a wireless network and enhances manageability and productivity. It also extends Cisco s Application Visibility and Control (AVC) as an end-to-end solution, which gives a complete visibility of applications in the network and allows the administrator take some action on the same. NBAR2 is a deep-packet inspection technology available on Cisco IOS based platforms, which supports stateful L4 - L7 classification. NBAR2 is based on NBAR and has extra requirements such as having a Common Flow Table for all IOS features, which use NBAR. NBAR2 recognizes applications and passes this information to other features, such as QoS, NetFlow, and Firewall, which can take action based on this classification. You can configure and monitor Application Visibility (AV) from both the GUI and CLI. Note In this release, the AV is only supported. The Control (C) part will be introduced in future releases. 3

Configuring AV and Control (GUI) Restrictions for AV and Control (C) in Release 3.3 IPv6 packet classification is not supported. Multicast traffic is not supported. The capability of dropping or marking the data traffic (control part) is not supported. AVC is supported only on the following access points: 1600, 2600, 3600, and 3700. Configuring AV and Control (GUI) Note For CLI configuration, please see Appendix. Also note that customized AVC profiles can be created from CLI. Note WLAN names and profile names are examples only. Step 1 Go to Configuration > Wireless > WLAN and click New. Create an OPEN WLAN (security set to none) with naming convention as POD<Number>-Client and enable AV on that WLAN under the AVC tab. Map this WLAN to management interface i.e VLAN X0 a 4

Configuring AV and Control (GUI) Step 2 Click the corresponding WLAN ID to open the WLAN Edit page and click AV. The Application Visibility page appears. a. Check the Application Visibility Enabled check box to enable AV on the WLAN. b. In the Upstream Profile text box, the default AV profile is automatically selected. c. Enter the name of the AV profile in the Downstream Profile text box. Step 3 Step 4 Click Apply to apply AVC on the WLAN. Click Apply. Once the AV is enabled on the specific WLAN, from the associated wireless client, start different types of traffic using applications such as Skype, Yahoo Messenger, HTTP, HTTPS/SSL, Microsoft Messenger, YouTube, Ping, Trace route, and so on. Once traffic is initiated from the wireless client, 5

Monitoring AV (GUI) visibility of different traffic can be observed globally for all WLANs, per Client Basis and per WLAN Basis, which give a very good overview of the network bandwidth utilization and type of traffic in the network per client, per wlan and globally to an administrator. Monitoring AV (GUI) Navigate to the Home page of the controller that displays the AV on the WLAN pie chart that contains Aggregate Application Cumulative usage %. The top WLANs based on the WLAN IDs are displayed first. Step 1 Step 2 Choose Monitor > Controller > AVC > WLANs. The WLANs page appears. Click the corresponding WLAN profile. The Application Statistics page appears. From the Top Applications drop-down list, select the number of top applications that you want to view and click Apply. The valid range is between 5 to 30, in multiples of 5. a. In the Aggregate, Upstream, and Downstream tabs, you can view the following information with respect to the WLAN: Application last 90 seconds statistics (application name, packet count, byte count, average packet size, and usage (%)) Application Cumulative Statistics 6

Monitoring AV (GUI) Application last 90 seconds Usage (%) Application Cumulative Usage (%) 7

Monitoring AV (GUI) Step 3 Step 4 You can also monitor AV per Client. Navigate to Monitor > Clients > Client Details > Clients. The Clients page appears. Click Client MAC Address and then click the AVC Statistics tab. The AV page appears. a. In the Aggregate, Upstream, and Downstream tabs, you can view the following information with respect to the client: Application last 90 seconds statistics (application name, packet count, byte count, average packet size, and usage (%)) Application Cumulative Statistics Application last 90 seconds Usage (%) Application Cumulative Usage (%) 8

Flexible Netflow Collector CLI Configuration Output by Client MAC Address Flexible Netflow Collector CLI Configuration Cisco IOS Flexible NetFlow is the next generation in flow technology. It optimizes the network infrastructure, which reduces operation costs and improves capacity planning and security incident detection with increased flexibility and scalability. The ability to characterize IP traffic and identify its source, traffic destination, timing, and application information is critical for network availability, performance, and troubleshooting. When IP traffic flows are monitored, this increases the accuracy of capacity planning and ensures that resource allocation supports organizational goals. Flexible NetFlow helps you determine how to optimize resource usage, plan network capacity, and identify the optimal application layer for QoS. It plays a vital role in network security by the detection of Denial of Service (DoS) attacks and network-propagated worms. Here are the commands to configure Flexible Netflow: flow record IPv4flow match ipv4 protocol match ipv4 source address match ipv4 destination address match flow direction collect counter bytes long collect counter packets long collect timestamp absolute first 9

IOS XE 3.3 AV Supported Features collect timestamp absolute last flow exporter IPv4export-1 destination 10.1.1.6 (IP address of your Netflow Collector. It should be v9 netflow. transport udp 2055 flow monitor IPv4flow (you can view the flows on the switch using CLI if netflow Collector not available) description Monitor all IPv4 traffic exporter IPv4export-1 cache timeout active 30 record IPv4flow Here are the Show Commands: show flow monitor name monitor-name cache show flow record show flow-sampler show flow monitor For additional information on Netflow Configuration, please refer to Cisco Flexible NetFlow Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches). IOS XE 3.3 AV Supported Features Application Visibility No Control Supported on IOS XE 3.3 platforms: 5760/3850/3650 Use NBAR2 Protocol pack 5.1 Seamless roaming More than 1000 applications Gen2 APs (AP1600, 2600, 3600, and 3700) Wireless clients only Centralized and Converged Access Flexible Netflow v9 Export to PI (PAM) and external collectors (Plixir and ActionPacked) NBAR/AV Summary The same AV profile can be mapped to multiple WLANs. But one WLAN can have only one AV profile. Only one NetFlow exporter and monitor can be configured on WLC. The AV stats are displayed for top 30 applications on both GUI and CLI. 10

NBAR Feature Limitation Any application, which is not supported or recognized by NBAR engine on WLC, is captured under bucket of UNCLASSIFIED/Unknown traffic. No limit on the number of AV profiles that can be created on WLC. NBAR Feature Limitation IPv6 traffic cannot be classified. Multicast traffic is not supported. No Control in IOS-XE 3.3. AAA override of AV profiles is not supported. Appendix Network Components 5760 Configuration Example 5760-1# version 15.0 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption service compress-config hostname 5760-1 boot-start-marker boot-end-marker vrf definition Mgmt-vrf address-family ipv4 exit-address-family address-family ipv6 exit-address-family logging console emergencies enable password Cisco123 username admin privilege 15 password 0 Cisco123 user-name miadler 11

Appendix creation-time 1374089252 privilege 15 password 0 Cisco123 type mgmt-user aaa new-model aaa local authentication default authorization default aaa session-id common clock timezone EST -5 0 switch 1 provision air-ct5760-6 switch 2 provision air-ct5760-6 flow record fr-avc match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match flow direction match application name match wireless ssid collect counter bytes long collect counter packets long collect wireless ap mac address collect wireless client mac address flow monitor fm-avc cache timeout inactive 200 record fr-avc flow monitor wireless-avc-basic record wireless avc basic ip dhcp-server 10.70.0.1 ip device tracking ip dhcp snooping vlan 70 ip dhcp snooping qos wireless-default-untrust crypto pki trustpoint TP-self-signed-545652971 enrollment selfsigned subject-name cn=ios-self-signed-certificate-545652971 revocation-check none rsakeypair TP-self-signed-545652971 12

Appendix crypto pki certificate chain TP-self-signed-545652971 diagnostic bootup level minimal identity policy webauth-global-inactive inactivity-timer 3600 spanning-tree mode pvst spanning-tree extend system-id redundancy mode sso service-list mdns-sd gui-deny-all deny 20 service-list mdns-sd gui-permit-all permit 10 service-routing mdns-sd service-policy gui-permit-all IN service-policy gui-deny-all OUT class-map match-any non-client-nrt-class match non-client-nrt interface Port-channel1 switchport trunk allowed vlan 70 switchport mode trunk ip dhcp snooping trust interface GigabitEthernet0/0 vrf forwarding Mgmt-vrf ip address 10.91.104.101 255.255.255.0 ip helper-address 10.70.0.1 negotiation auto interface TenGigabitEthernet1/0/1 switchport trunk allowed vlan 70 switchport mode trunk channel-group 1 mode active ip dhcp snooping trust interface TenGigabitEthernet1/0/2 switchport trunk allowed vlan 70 interface TenGigabitEthernet1/0/3 interface TenGigabitEthernet1/0/4 13

Appendix interface TenGigabitEthernet1/0/5 interface TenGigabitEthernet1/0/6 interface TenGigabitEthernet2/0/1 switchport trunk allowed vlan 70 switchport mode trunk channel-group 1 mode active ip dhcp snooping trust interface TenGigabitEthernet2/0/2 interface TenGigabitEthernet2/0/3 interface TenGigabitEthernet2/0/4 interface TenGigabitEthernet2/0/5 interface TenGigabitEthernet2/0/6 interface Vlan1 no ip address shutdown interface Vlan70 ip address 10.70.0.55 255.255.255.0 ip helper-address 10.70.0.1 interface Vlan72 ip address 10.72.0.10 255.255.255.0 ip default-gateway 10.70.0.1 ip http server ip http authentication local ip http secure-server snmp-server location TME Lab MA snmp-server contact Mike line con 0 exec-timeout 0 0 stopbits 1 14

Appendix line aux 0 stopbits 1 line vty 0 4 password Cisco123 line vty 5 15 wsma agent exec profile httplistener profile httpslistener wsma agent config profile httplistener profile httpslistener wsma agent filesys profile httplistener profile httpslistener wsma agent notify profile httplistener profile httpslistener wsma profile listener httplistener transport http wsma profile listener httpslistener transport https mac address-table aging-time 15 vlan 70 wireless mobility controller peer-group MA-SPG1 wireless mobility controller peer-group MA-SPG1 member ip 10.70.0.65 public-ip 10.70.0.65 wireless mobility controller peer-group MA-SPG1 member ip 10.70.0.55 public-ip 10.70.0.55 wireless mobility group name miadler wireless management interface Vlan70 wireless rf-network miadler wlan avc 1 avc client vlan VLAN0070 ip flow monitor wireless-avc-basic input ip flow monitor wireless-avc-basic output no security wpa no security wpa akm dot1x no security wpa wpa2 no security wpa wpa2 ciphers aes session-timeout 1800 no shutdown wlan mike-test 2 mike-test client vlan VLAN0070 ip dhcp server 10.70.0.1 ip flow monitor wireless-avc-basic input ip flow monitor wireless-avc-basic output 15

Appendix no security wpa no security wpa akm dot1x no security wpa wpa2 no security wpa wpa2 ciphers aes session-timeout 1800 no shutdown ap led no ap capwap fallback ap group default-group end Configuration of LAB Core Switch (Capture for POD 1 Setup) Note This screen capture is from a core switch as an example and a user need not login to this switch. 16

Appendix Individual POD L2 Switch (Capture from POD 1 Switch) 17

Appendix DHCP Server Configuration for POD 1 Note This screen capture is from a core switch as an example. 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback