Control Plane Protection (Policing) configuration on Catalyst 3850
I need to block ICMP requests from being received by the switch. And there is no 'control-plane' configuration mode, which I was going to use for this.
How can I configure this feature or apply another for my purpose?
Greetings,
How about on the 3725 router?
A couple of specific questions I have while configuring the portion for IGPs.
Here are a couple of snippets of example configurations I'm finding on the Internet that I have questions on.
1. Cisco CoPP Best Practices
access-list 120 permit ospf any any
access-list 120 permit ospf any host 224.0.0.5
access-list 120 permit ospf any host 224.0.0.6
2. Deploying Cisco Control Plane Policing
ip access-list extended coppacl-igp
 remark CoPP IGP traffic class
 ! permit OSPF
 permit ospf any host 224.0.0.5
 permit ospf any host 224.0.0.6
 permit ospf any any
3. RFC6192
ip access-list extended OSPF
permit ospf 192.0.2.0 0.0.0.255 any
Questions:
- Which option is better?
- Is the network specified in option #3 the network statement under the OSPF process, or the actual network I'm routing?
- If option #1 is better, what is the "router receive block" mentioned?
Thank you for your assistance!!
Debbie
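As an added example (the editor's, not from the post above nor from the three documents it quotes), here is one way the three OSPF ACL variants fit together in a complete CoPP policy on an IOS router. Everything address- and rate-related is an assumption chosen for illustration: 192.0.2.0/24 stands for the subnet(s) on which the router's OSPF neighbours have their interface addresses (the sources hellos actually arrive from, which is how the source-restricted ACE of option #3 is read here), 198.51.100.0/24 for the management stations, and the police rates are placeholders to be tuned against observed traffic. The policy keeps the multicast ACEs of options #1 and #2 and the unicast "any" destination (virtual links, NBMA and unicast replies), but only from the neighbour subnet; OSPF from any other source falls into a class that is dropped outright.

```cisco
! Added example, not from the original post or the quoted documents.
! Assumed addresses: 192.0.2.0/24 = subnet(s) the OSPF neighbours are on,
! 198.51.100.0/24 = management stations. Rates are placeholders to be tuned.
ip access-list extended COPP-IGP
 remark OSPF only from the neighbour subnet: multicast hellos/LSAs plus unicast
 remark (virtual links, NBMA, unicast replies). These ACEs carry no L4 info,
 remark so non-initial fragments of legitimate LSUs match here as well.
 permit ospf 192.0.2.0 0.0.0.255 host 224.0.0.5
 permit ospf 192.0.2.0 0.0.0.255 host 224.0.0.6
 permit ospf 192.0.2.0 0.0.0.255 any
!
ip access-list extended COPP-UNDESIRABLE
 remark OSPF from anywhere else is spoofed or misconfigured; non-initial
 remark fragments that did not already match the IGP class carry no ports
 remark and cannot be classified further, so they are dropped as a group
 permit ospf any any
 permit ip any any fragments
!
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
!
ip access-list extended COPP-ICMP
 remark only what the router must answer or hear; no redirects, no mask requests
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
!
class-map match-all COPP-IGP
 match access-group name COPP-IGP
class-map match-all COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
! Classes are evaluated in this order and the first match wins, so the IGP
! class has to sit above the class that drops "ospf any any".
policy-map COPP
 class COPP-IGP
  ! routing traffic is never dropped: exceed-action transmit still counts the
  ! excess, so a flood remains visible in "show policy-map control-plane"
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-UNDESIRABLE
  drop
 class COPP-MGMT
  police 256000 conform-action transmit exceed-action drop
 class COPP-ICMP
  police 64000 conform-action transmit exceed-action drop
 class class-default
  ! everything not classified above is rate limited rather than dropped, so a
  ! forgotten protocol degrades instead of disappearing
  police 32000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! verification after attaching the policy:
! show policy-map control-plane
! show ip access-lists COPP-IGP
```

Two points worth checking on any box this is adapted to: the conformed/exceeded counters of the COPP-IGP class should stay at exceed 0 during normal operation (a rising exceed counter with transmit as the action is the early warning that the rate is too low, before anything is actually lost), and the COPP-UNDESIRABLE counter should stay near zero on a healthy network; if it climbs, the source addresses in the IGP ACL are missing a neighbour subnet or someone is sending OSPF at the router from outside it.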
Similar Messages
-
Hi guys,
I want to implement control plane protection for fragmented packets. As far as I know, if fragmented packets are traversing through the router then the service-policy will be applied at control-plane transit, but if fragmented packets are destined to the router itself then it will be applied at control-plane host. Correct me if I am wrong. Moreover, I want to know the difference between
Control-plane
Control-plane host
Control-plane transit
Control-plane cef
Hi Bro
What you’re doing is good. It’s always best to block the fragmented packets at the control-plane level, rather than via the normal ACL.
In the basic/lower IOS feature sets, there is no breakdown in terms of control-plane. With the advanced/higher IOS feature sets, you have control-plane host, control-plane transit and control-plane cef. Your next question would be when do I apply them, in what given situations, am I right? Basically, in a nutshell, here goes:
a) control-plane host handles packets destined for router itself e.g. management traffic (telnet/ssh/tacacs+/radius) and routing traffic.
b) control-plane transit works on IP based packets traversing through the router e.g. internet browsing, email etc.
c) control-plane cef focuses on non-IP packets e.g. CDP, ARP etc.
With this in mind, you might wanna expand your knowledge in depth, by reading this Cisco document http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html
P/S: if you think this comment is useful, please do rate them nicely :-) and click on the button THIS QUESTION IS ANSWERED. -
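The three sub-interfaces described in the reply above, as an added configuration example (the editor's, not the poster's or the replier's). In the IOS CLI the third sub-interface is entered as control-plane cef-exception. The fragment handling follows the original question: fragments addressed to the router itself are dropped at host, fragments the route processor has to forward are only rate limited at transit. The 198.51.100.0/24 management subnet and all rates are assumptions for illustration.

```cisco
! Added example, not from the original thread. Requires an IOS image with CPPr
! (control-plane host / transit / cef-exception sub-interfaces).
ip access-list extended CPPR-FRAGMENTS
 remark non-initial fragments: no port information, so they cannot be classified
 permit ip any any fragments
ip access-list extended CPPR-MGMT
 remark assumption: management stations live in 198.51.100.0/24
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
!
class-map match-all CPPR-FRAGMENTS
 match access-group name CPPR-FRAGMENTS
class-map match-all CPPR-MGMT
 match access-group name CPPR-MGMT
!
! 1) host: packets addressed to the router itself (management, routing protocols)
policy-map CPPR-HOST
 class CPPR-FRAGMENTS
  drop
 class CPPR-MGMT
  police 256000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
! 2) transit: IP packets that are not for the router but still have to be
!    handled in software by the route processor. Fragments are rate limited
!    here, not dropped, because dropping them breaks legitimate transit flows.
policy-map CPPR-TRANSIT
 class CPPR-FRAGMENTS
  police 32000 conform-action transmit exceed-action drop
 class class-default
  police 128000 conform-action transmit exceed-action drop
!
! 3) cef-exception: non-IP traffic and CEF exceptions (ARP, CDP, ...).
!    Never drop this class outright: policing ARP to zero takes the box off
!    the network. A single generous policer is the safe default.
policy-map CPPR-CEF
 class class-default
  police 128000 conform-action transmit exceed-action drop
!
control-plane host
 service-policy input CPPR-HOST
control-plane transit
 service-policy input CPPR-TRANSIT
control-plane cef-exception
 service-policy input CPPR-CEF
!
! per sub-interface counters:
! show policy-map control-plane host
! show policy-map control-plane transit
! show policy-map control-plane cef-exception
```

Before turning the host-side fragment class from police to drop, confirm nothing legitimate fragments towards the router: large RADIUS/TACACS+ replies, IKE exchanges carrying certificates, and SNMP bulk responses are the usual candidates. Running the class with conform-action transmit exceed-action transmit for a while and reading its counters answers that question without risking an outage.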
Control-plane protection | software/hardware counters
Hi everybody
Today I noticed something strange at work. I was looking at how we implemented a policy to drop ICMPs hitting our processor after certain constraints are met.
cisco#show running-config | begin control-plane
control-plane
service-policy input copp-aggregated
+++++++++++++++++++++++
Policy definition:
policy-map copp-aggregated
class cpp-icmp
police cir 5000000 bc 93750 be 187500 conform-action transmit exceed-action drop violate-action drop
class-map match-all cpp-icmp
match access-group name cpp-icmp
cisco#show ip access cpp-icmp
Extended IP access list cpp-icmp
10 permit icmp any any (156222580 matches)
++++++++++++++++++++++++++++++
cisco#show policy-map control-plane
Control Plane Interface
Service-policy input: copp-aggregated
Hardware Counters:
class-map: cpp-icmp (match-all)
Match: access-group name cpp-icmp
police :
5000000 bps 93000 limit 93000 extended limit
Earl in slot 5 :
5295068971 bytes
5 minute offered rate 9528 bps
aggregate-forwarded 5259145173 bytes action: transmit
exceeded 35923798 bytes action: drop
aggregate-forward 9936 bps exceed 0 bps
Software Counters:
Class-map: cpp-icmp (match-all)
99672582 packets, 14936584392 bytes
5 minute offered rate 11000 bps, drop rate 0 bps
Match: access-group name cpp-icmp
police:
cir 5000000 bps, bc 93750 bytes, be 187500 bytes
conformed 99672950 packets, 14936253164 bytes; action: transmit
exceeded 289 packets, 422518 bytes; action: drop
violated 0 packets, 0 bytes; action: drop
conformed 13000 bps, exceed 0 bps, violate 0 bps
+++++++++++++++++++++++++++++++++++
I can see the "software counters" just show the constraints defined under the policy "copp-aggregated"; how did we end up with hardware counters?
The hardware counters show "5000000 bps 93000 limit 93000 extended limit", which we never defined anywhere.
I appreciate your help
Thanks
-
Control Plane Protection (CPPr) and Traffic Rates
Hi Everybody,
currently I'm working on implementing policies according to CPPr, but a couple of questions come to mind:
1. Is there any standard to start policing the management traffic (SSH, SNMP, Telnet, etc.)?
2. How can I identify the current rates for the management protocols in order to police them?
I understand how MQC works and for sure understand the CPPr options and benefits, but I cannot find a way to start using it in my network or tuning it for my needs.
Kind Regards,
Jose-Manuel Cortes
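One practical answer to the second question in the post above, as an added example (the editor's, not from the thread): there is no published "standard" rate for SSH or SNMP, because it depends on how many stations poll the box and how often, so the rate is measured rather than looked up. The trick is to attach the policy with exceed-action transmit first, which turns the policer into a meter that counts but never drops, and only later replace the rates with the observed peak plus headroom. The 180 kbps / 40 kbps figures used in the last step are made up for illustration.

```cisco
! Added example, not from the original thread.
! Step 1: classify, but enforce nothing. With exceed-action transmit the policer
! never drops, yet "show policy-map control-plane" still reports conformed and
! exceeded bytes and the 5 minute offered rate per class.
ip access-list extended COPP-SSH
 permit tcp any any eq 22
ip access-list extended COPP-SNMP
 permit udp any any eq snmp
ip access-list extended COPP-TELNET
 permit tcp any any eq telnet
!
class-map match-all COPP-SSH
 match access-group name COPP-SSH
class-map match-all COPP-SNMP
 match access-group name COPP-SNMP
class-map match-all COPP-TELNET
 match access-group name COPP-TELNET
!
policy-map COPP-BASELINE
 class COPP-SSH
  police 8000 conform-action transmit exceed-action transmit
 class COPP-SNMP
  police 8000 conform-action transmit exceed-action transmit
 class COPP-TELNET
  police 8000 conform-action transmit exceed-action transmit
!
control-plane
 service-policy input COPP-BASELINE
!
! Step 2: leave it for at least one full operational cycle (monitoring polls,
! backups, config pushes, the monthly patch window), then record per class:
! show policy-map control-plane
! clear control-plane *      ! reset the counters to start a clean interval
!
! Step 3: re-enter the classes with the observed peak plus headroom and switch
! the management classes to exceed-action drop.
! Assumption for illustration: SSH peaked at 180 kbps, SNMP at 40 kbps,
! telnet was never seen.
policy-map COPP-BASELINE
 class COPP-SSH
  police 256000 conform-action transmit exceed-action drop
 class COPP-SNMP
  police 64000 conform-action transmit exceed-action drop
 class COPP-TELNET
  ! nothing legitimate observed: drop it rather than leave a low-rate hole
  police 8000 conform-action drop exceed-action drop
```

Two caveats when reading the numbers. The "5 minute offered rate" is a decayed average and hides bursts, so size the burst (bc/be) for the largest single exchange you saw (a full SNMP table walk, a config transfer over SSH), not just the average bps. And measure with the management ACLs restricted to the management subnet before trusting the figures, otherwise a scanner on the Internet is part of your "baseline".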
-
Hello,
Here is the config for Catalyst 3560 found under the link below.
I would like to do same setting on Catalyst 3850.
http://itknowledgeexchange.techtarget.com/network-engineering-journey/how-to-configure-per-vlan-qos-in-cisco-3550-and-3560/
mls qos
!
interface fa0/2
 mls qos vlan-based
!
class-map INT
 match input-interface fa0/2
!
policy-map NESTED_POLICE
 class INT
  police 12800 1600 exceed-action drop
!
class-map HTTP
 match protocol http
!
policy-map PARENT_MARK
 class HTTP
  set dscp af11
  service-policy NESTED_POLICE
!
interface vlan 10
 service-policy input PARENT_MARK
But commands like "mls qos", "mls qos vlan-based" and "match input-interface" don't work on the 3850.
There is no helpful Cisco manual for it.
Could anyone help me?
Thanks in advance,
Taro
Hello Paul,
Thank you for the attention.
Here is the information.
#sh ver
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.01.SE RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 20-Mar-13 17:10 by prod_rel_team
ROM: IOS-XE ROMMON
BOOTLDR: C3850 Boot Loader (C3850-HBOOT-M) Version 1.1, RELEASE SOFTWARE (P)
SW01 uptime is 21 weeks, 6 days, 14 hours, 27 minutes
Uptime for this control processor is 21 weeks, 6 days, 14 hours, 30 minutes
System returned to ROM by reload at 22:27:58 JST Wed Jan 8 2014
System restarted at 22:27:52 JST Wed Jan 8 2014
System image file is "flash:packages.conf"
Last reload reason: Reload command
License Level: Ipservices
License Type: Permanent
Next reload license Level: Ipservices
cisco WS-C3850-24T (MIPS) processor with 4194304K bytes of physical memory.
Processor board ID FOC1717V01B
24 Virtual Ethernet interfaces
56 Gigabit Ethernet interfaces
8 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
250456K bytes of Crash Files at crashinfo-2:.
1609272K bytes of Flash at flash:.
1609272K bytes of Flash at flash-2:.
0K bytes of Dummy USB Flash at usbflash0:.
0K bytes of Dummy USB Flash at usbflash0-2:.
0K bytes of at webui:.
Base Ethernet MAC Address : 44:ad:d9:6d:4e:00
Motherboard Assembly Number : 73-12238-06
Motherboard Serial Number : FOC17163HB8
Model Revision Number : B0
Motherboard Revision Number : D0
Model Number : WS-C3850-24T
System Serial Number : FOC1717V01B
Switch Ports Model SW Version SW Image Mode
1 32 WS-C3850-24T 03.02.01.SE cat3k_caa-universalk9 INSTALL
2 32 WS-C3850-24T 03.02.01.SE cat3k_caa-universalk9 INSTALL
Switch 02
Switch uptime : 21 weeks, 6 days, 14 hours, 31 minutes
Base Ethernet MAC Address : 20:bb:c0:01:86:80
Motherboard Assembly Number : 73-12238-06
Motherboard Serial Number : FOC17163HCM
Model Revision Number : B0
Motherboard Revision Number : D0
Model Number : WS-C3850-24T
System Serial Number : FOC1717V01K
Configuration register is 0x102
SW01#sh sdm prefer
Showing SDM Template Info
This is the Advanced template.
Number of VLANs: 4094
Unicast MAC addresses: 32768
Overflow Unicast MAC addresses: 512
IGMP and Multicast groups: 8192
Overflow IGMP and Multicast groups: 512
Directly connected routes: 32768
Indirect routes: 8192
Security Access Control Entries: 3072
QoS Access Control Entries: 2816
Policy Based Routing ACEs: 1024
Netflow ACEs: 1024
Input Microflow policer ACEs: 256
Output Microflow policer ACEs: 256
Flow SPAN ACEs: 256
Tunnels: 256
Control Plane Entries: 512
Input Netflow flows: 8192
Output Netflow flows: 16384
These numbers are typical for L2 and IPv4 features.
Some features such as IPv6, use up double the entry size;
so only half as many entries can be created. -
Control Plane Policing (CoPP) for Data Center
Hi All,
I am planning to apply CoPP on different routers and switches of Data Center. This Data Center comprises of Cisco 6513 (VSS), Catalyst 3750, Cisco 3845 and Cisco 2811.
My question are:
1. Do we have to apply CoPP on Catalyst 3750, as these are DMZ switches only?
2. How to find the packet processing rate from router and switches?
3. Any best practices CoPP template for routers running OSPF and BGP?
Thanks and Regards,
Ahmed.
1. You would need to apply CoPP to all routers/switches that are manageable from untrusted sites. So even if you have non-DMZ switches that will be able to be telneted to from the outside, for example, CoPPing them would be helpful for you.
Do we not need to apply CoPP on switches and routers that are not telneted from outside?
Control plane traffic is traffic that goes to the control plane of the router, like management traffic, SNMP, etc. If there is a firewall securing you from the outside I would feel my switches are more secure, and it is not easy to bring them to their knees with an attacker doing too much from the outside. Control plane policing applies to all control plane traffic, but it is mostly against outsiders that someone would try to protect himself.
2. "sh proc cpu" would give you some insight for processes like ssh or telnet and how much they take. Not control packet rate processing though.
I want to know the maximum packet processing rate of a router or switch.
I don't think you will be able to pull that number.
3. Depends on how powerful the router is, how many commands you are running, how much route processing is going on.
Best practice for a router running OSPF with 200 routes?
Don't know of any.
PK -
Control-plane policing on ML Card
Hi All,
We are experiencing high CPU utilization on one of our ML cards in the ONS 15454. "IP Input" has relatively high CPU utilization irrespective of fast/CEF switching being properly enabled on the interfaces. We are trying to figure out whether there is an attack on the control plane, or whether any IP packets destined locally to the ML card are causing those packets to be process switched.
In order to figure that out, we thought we might try to use control plane policing on the control plane, but it seems not to take the service-policy associated with it. Is this feature supported on the ML card? Any other suggestion would be really appreciated.
Thanks
Regards
Anantha Subramanian Natarajan
Try the "clear ip mroute" command on the ML card with high CPU usage and check for the issue. An ML card having a large number of MAC address traffic can also cause high CPU usage. In very large bridged networks, which may connect directly to 1000s of layer-3 devices, it may also be wise to increase the MAC table limit above the default of 1000 MAC addresses. This is done with the configuration command:
bridge X limit dynamic entries 10000 -
Please, does anyone understand the difference between using a class-map of type queue-threshold and using a default class-map with queue-limit in the policy-map?
class-map type queue-threshold match-all http-que
 match protocol http
policy-map type queue-threshold http-que
 class http-que
  queue-limit 100
class-map match-all http
 match access-group name http
policy-map http
 class http
  bandwidth 100000
  queue-limit 100
The type queue-threshold will be matching http packets that are for the router management.
If you set a queue-limit under a regular class-map you are matching http traffic that is routed through the router.
In other words, the CPP queue limit protects the control-plane (router management) queue from getting full and DoSing the router or locking someone out.
A regular class-map is for traffic through the router.
I hope it helps.
PK -
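The distinction discussed above, as an added configuration example (the editor's, not PK's). A type queue-threshold policy counts packets per protocol sitting in the control-plane host input queue and can only be attached to control-plane host; a plain queue-limit in an ordinary policy-map sets the depth of the queue of whatever interface that policy-map is attached to. The example goes one step beyond the thread by also showing the third CPPr policy type, port-filter, which drops TCP/UDP packets aimed at ports the router is not listening on, and by attaching all three kinds of policy to the same sub-interface. Queue depths and the 64 kbps policer are assumptions for illustration.

```cisco
! Added example, not from the original thread. Requires CPPr-capable IOS.
!
! --- port-filter: discard TCP/UDP packets to ports with no listening service,
!     before they ever reach the input queue ---
class-map type port-filter match-all CPPR-CLOSED
 match closed-ports
policy-map type port-filter CPPR-PORT-FILTER
 class CPPR-CLOSED
  drop
!
! --- queue-threshold: cap how many packets of each protocol may wait in the
!     control-plane host queue, so one protocol (here HTTP to the web UI)
!     cannot fill the queue and crowd out SSH or routing updates ---
class-map type queue-threshold match-all CPPR-Q-HTTP
 match protocol http
class-map type queue-threshold match-all CPPR-Q-SNMP
 match protocol snmp
policy-map type queue-threshold CPPR-QUEUE
 class CPPR-Q-HTTP
  queue-limit 50
 class CPPR-Q-SNMP
  queue-limit 100
 class class-default
  queue-limit 200
!
! --- ordinary MQC policer: limits the same HTTP traffic in bits per second
!     rather than in queued packets; both controls apply ---
ip access-list extended CPPR-HTTP
 permit tcp any any eq www
class-map match-all CPPR-HTTP
 match access-group name CPPR-HTTP
policy-map CPPR-HOST
 class CPPR-HTTP
  police 64000 conform-action transmit exceed-action drop
!
! all three attach to the host sub-interface, each with its own type keyword
control-plane host
 service-policy type port-filter input CPPR-PORT-FILTER
 service-policy type queue-threshold input CPPR-QUEUE
 service-policy input CPPR-HOST
!
! show policy-map type port-filter control-plane host
! show policy-map type queue-threshold control-plane host
! show policy-map control-plane host
```

When tuning queue-limit values, watch the drop counters of the queue-threshold policy under normal load first: a limit that is too low for SNMP during a bulk walk silently drops polls and shows up as gaps in the monitoring system rather than as an obvious error on the router.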
3750 / 3850 Stack - Control Plane
Hi all.
In a relatively small environment, if I were to stack two switches as my core, say two 3750X's or two 3850's, will I be able to come up with a single control plane so that there won't be any need for FHRPs?
Thanks for taking the time to rate our posts, Carlos. :)
-
What snmp OID to use to monitor control-plane of router
Hi there!
I've applied policy-maps on the control-plane, based on Cisco recommendation.
Now i need to know, what snmp OID i've to use to monitor them (i'm using zabbix)
Let me know.
Regards!
If you are using IOS, which uses a policy-map to configure Control Plane Policing, then you are asking in the wrong place as this forum is for IOS-XR not IOS, but you can poll objects in the CISCO-CLASS-BASED-QOS-MIB::cbQosPoliceStatsTable (for example cbQosCMDropByte64, cbQosPoliceExceededByte64, cbQosPoliceConformedByte64).
If you mean you have changed the LPTS policers to help protect the control-plane in IOS-XR then I believe there is currently no support for polling the counters via SNMP. See the section on monitoring in Xander's document https://supportforums.cisco.com/document/93456/asr9000xr-local-packet-transport-services-lpts-copp -
Catalyst 3850 Stack VLANs, layer 2 vs. layer 3 design question
Hello there:
Just a generic, design question, after doing much reading, I am just not clear as when to use one or the other, and what the benefits/tradeoffs are:
Should we configure the switch stack w/ layer 3, or layer 2 VLANs?
We have a Catalyst 3850 Stack, connected to an ASA-X 5545 firewall via 8GB etherchannel.
We have about 100 servers (some connected w/ bonding or mini-etherchannels), and 30 VLANs.
We have several 10GB connections to servers.
We push large, (up to) TB sized files from VLAN to VLAN, mostly using scp.
No ip phones, no POE.
Inter-VLAN connectivity/throughput and security are priorities.
Originally, we planned to use the ASA to filter connections between VLANs, and VACLs or PACLs on the switch stack to filter connections between hosts w/in the same VLAN.
Thank you.
If all of your servers are going to the 3850 then I'd say you've got the wrong switch model to do a DC job. If you don't configure QoS properly, then your servers will start dropping packets because Catalyst switches have very, very shallow memory buffers. These memory buffers get swamped when servers do non-stop traffic.
Ideally, Cisco recommends the Nexus solution to connect servers to. One of the guys here, Joseph, regularly recommends the Catalyst 4500-X as a suitable (and financial) alternative to the more expensive Nexus range.
In a DC environment, if you have a lot of VM stuff, then stick with Layer 2. V-Motion and Layer 3 don't go hand-in-hand. -
Catalyst 3850 Cross-Stack EtherChannel
In the 3850 configuration guide, I came across a statement that PAgP desirable mode is not supported in the switch stack (cross-stack EtherChannel).
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/layer2/configuration_guide/b_lay2_3se_3850_cg/b_lay2_3se_3850_cg_chapter_0101.html
But on Q&A document, it mentioned 3850 supports PAgP.
Q. What cross-stack EtherChannel link bundling protocols are supported?
A. The Cisco Catalyst 3850 supports Cisco Port Aggregation Protocol (PAgP) and industry-standard IEEE 802.3ad Link Aggregation Control Protocol (LACP). Other 3750 Series Switches support only LACP for cross-stack EtherChannel.
Seems like both statements are contradicting.
Can someone shed some light on this?
Thank you.
Hi, adimakmur
Cisco Catalyst 3850 Cross-Stack EtherChannel can be PAgP+ and can be used for VSS dual active detection.
In last deployment of 3850 we use Cross-Stack EtherChannel and use it as trusted for VSS dual active detection.
c6500-V#sh switch virtual dual-active pagp
PAgP dual-active detection enabled: Yes
PAgP dual-active version: 1.1
---- skipped ----
Channel group 106 dual-active detect capability w/nbrs
Dual-Active trusted group: Yes
Dual-Active Partner Partner Partner
Port Detect Capable Name Port Version
Te1/7/7 Yes c3850-307 Te1/1/3 1.1
Te2/7/7 Yes c3850-307 Te2/1/3 1.1
---- skipped ----
c6500-V#sh etherchannel 106 protocol
Protocol: PAgP
c3850-307#sh etherchannel port-channel
Channel-group listing:
Group: 1
Port-channels in the group:
Port-channel: Po1
Age of the Port-channel = 235d:20h:50m:10s
Logical slot/port = 12/1 Number of ports = 2
GC = 0x00010001 HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = PAgP
Port security = Disabled
Ports in the Port-channel:
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Te1/1/3 Desirable-Sl 0
0 00 Te2/1/3 Desirable-Sl 0
Time since last port bundled: 169d:04h:58m:49s Te1/1/3
Time since last port Un-bundled: 169d:05h:00m:47s Te1/1/3 -
Hello,
I'm attempting to limit what IP addresses can connect to an ASA using the SSL VPN. I would have thought control-plane policing would have worked; however, it did not.
Here is what I configured:
access-list vpn_control extended permit tcp object-group allowed_clients interface outside
access-group vpn_control in interface outside control-plane
any suggestions would be appreciated.
Thanks!
I'm having a problem which I think is described here. I would essentially like to whitelist networks for SSL AnyConnect VPN access. I understand that the AnyConnect client would attempt a connection to my outside interface on 443 and that it would be considered "to the box traffic", which would bypass the interface ACLs. I set up an ACL to deny traffic from a specific test network to test the control plane option. At first I tried 443 traffic and later expanded it to a deny any from the external network, but in either case I was still able to VPN to the ASA from this test network using the AnyConnect client. I assume this has something to do with management traffic having priority and not distinguishing between management traffic destined for /admin and SSL VPN connections. However, I do not have the outside interface enabled as a management interface, so even that is a little puzzling.
access-list outside_access_in_1 extended deny ip object test_network any
access-list outside_access_in_1 extended permit ip any any
access-group outside_access_in_1 in interface outside control-plane
If I do a packet trace for 443 traffic from that network to my outside interface IP it does show the traffic passing and the ACL section specifically shows it passing via implicit rule... -
Hi,
We are in the process of Migrating Cisco CUCM & Voice Gateway (From another vendor to Cisco).
The requirement is for all internal calls between Cisco IP Phones & Lync to flow through CUCM, meaning internal extension to extension. All remaining calls like Mobile, National, International, Toll Free, Emergency and Shared numbers are to be routed
to the Cisco Voice Gateway.
We created the test dial plan, Voice policies, Route and assigned it to couple of user from Lync (2 extensions) and from Cisco side we have taken 2 IP Phones which is pointed to new CUCM. We tested all below scenarios,everything was working fine.
Lync to Lync Call using internal Extension number – Routed through Cisco new CUCM
Lync to Cisco Call using internal Extension number – Routed through Cisco new CUCM
Cisco to Lync Call using internal Extension number – Routed through Cisco new CUCM
Lync to Hotline Numbers (66XX, 68XX Numbers) – Routed through Cisco Gateway
Lync to Shared Numbers starting with 600 (Verified the number 600535353) - Routed through Cisco Gateway
Lync to Emergency numbers & Toll Free Numbers (Not verified the emergency Number as we decided to do it at end) - Routed through Cisco Gateway
Lync to Landline Numbers – Any 7 digit numbers - Routed through Cisco Gateway
Lync to National Numbers – Starting with 3,4,6,7,8 followed by 7 digits - Routed through Cisco Gateway
Lync to Mobile Phones – Starting with 05 contains exactly 10 digits - Routed through Cisco Gateway
Lync to International Numbers – Starting 00 contains at least 11 digits - Routed through Cisco Gateway
All Incoming calls – From Landline, Mobiles, International Numbers - Routed through Cisco Gateway
Call Transfer – To another Lync Extension, Cisco Extension, Landline, Mobiles, International Number
Conference – with another Lync Extension, Cisco Extension, Landline, Mobiles, International Number
Call Forwarding – To another Number, Voice mail
Response Groups
Click to call – As if user try to place a call by directly click the number from Outlook, Websites will be in E.164 format
Dial in meeting – Conference calls are works fine
But when we roll out to the production we are facing issues listed below
1) The phones we used during testing are working which is using same dial plan, Voice policy, Route, PSTN Usage. But from production most of the phones are not working (using the same dial plan, voice policy, Route). Also Problem is only with external calls
as the internal calls are working fine between Cisco & Lync even in production (Routed through CUCM) NOTE: All incoming calls are working fine (From international, local, national, extension)
2) How long its going to take for Lync to push the new voice policies, Dial plans to the Phones?
3) Is there a way to forcefully update the policies, dial plans to the Phone?
4) Also the environment is using over 100 dial plans, so I just copied and pasted the Normalization rules that we tested and working fine. Most of the dial plans are assigned to individual users as every dial plan contains a normalization rule for
international calling with Unique Prefix (Example: User John international Normalization rules says #1234#00#CountrycodePhonenumber, means if John has to place the international call he need to dial #1234# followed by 00 and then country code, then actual
phone number). In this case how long its take for the users / phones to get updated with new dial plans?
6) Is it recommended to use multiple dial plans ? What are the best practices?
5) Also calls are working fine one & failing on subsequent tries. Means when I dial first 1 or 2 times. Call fails, but when I try 3rd time and subsequently it works. After some again there will be failure during 1 or 2 attempts. Why is it so?
6) After updating the dial policies, voice Route, Voice policies If i reboot all the phones from Switch, Will the changes take effect immediately?
7) Also when some one calling from mobile or external number to Lync extensions they cant here any Dial tones or caller tunes? Its working fine when they call Cisco Extensions. Also to Lync its working if we dial in E.164 Format, if we dial like 023XXXXX
format its not working. Any guess about this issue?
Waiting for some one to help,
Best regards
Krishna
Thanks & Regards, Krishnakumar B
Hi,
1. As all incoming call worked normally, please double check outgoing ports for Lync FE Server and Mediation Server.
You can refer to the link of “Ports and protocols for internal servers in Lync Server 2013” below:
http://technet.microsoft.com/en-us/library/gg398833.aspx
2. When an administrator makes a change to Lync Server (for example, when an administrator creates a new voice policy or changes the Address Book server configuration settings) that change is recorded in the Central Management store.
In turn, the change must then be replicated to all the computers running Lync Server services or server roles.
So it may not replication completely immediately.
3. You can run the following cmdlet with Lync Server Management Shell on FE server to
forcibly replicate information to a computer: Invoke-CsManagementStoreReplication
4. As you used over 100 dial plans, it may be the issue of multiple dial plans. Would you please tell us why you created different dial plan for individual user with unique prefix?
5. Multiple dial plans and undue normalization rules may cause call fail. You can double check the normalization rule.
Best Regards,
Eason Huang
TechNet Community Support -
Hello,
I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new
building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as
well as the Wireless solution.
At present, I have no issues in implementing the R&S infrastructure as it is very straight forward but it has implications on the deployment of
the wireless solution which I explain further below. The R&S infrastructure comprises of the typical Core, Distribution, and Access layers and we
are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning
from distribution layer to core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a
large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other
the Secondary. The local distribution switch to which the WLC are connected also is the gateway for the SVIs for the SSIDs that are configured on
the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly
connected distribution switch which then routes it into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and
support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated
i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated
between the two switches and their integrated controller.
Yet, based on my understanding and research about Converged Access is that, ideally, the Catalyst 3850 will only run the Mobility Agent (MA)
feature while a central controller would provide the Mobility Controller (MC) service. Unfortunately, there are not enough licenses on the
existing WLC 5508 nor can we migrate the new licenses that will facilitate such a split deployment.
This means that I would need to configure the two Catalyst 3850 as independent MC and form a MG between them. I have done this and tested this
already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work as this is simple but rather it is
focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the
state of their connections to the WLAN infrastructure.
To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect
to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new
subnets need to be assigned to the SSIDs.
As such, I have the following questions:
Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means
that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG
as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to
the solution as per the next question. Please advise which is a better option?
Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can
then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD).
Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more
clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
Regards,
Amir
Hi Amir,
Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is a better option?
I would configure them in the same mobility group. Also configure same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
MO is not required (it is only for very large scale deployments)
Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
Yes, documents are hard to find :(
These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
http://mrncciew.com/2014/05/06/configuring-new-mobility/
http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
HTH
Rasika
*** Pls rate all useful responses ****