Control Plane Protection (Policing) configuration on Catalyst 3850

I need to block ICMP requests from being received by the switch. And there is no 'control-plane' configuration mode, which I was going to use for this.
How can I configure this feature or apply another for my purpose?

Greetings,
How about on the 3725 router?
A couple specific questions I have while configuring the portion for IGPs.
Here are a couple of snips of example configurations I'm finding on the Internet that I have questions on.
1. Cisco CoPP Best Practices
access-list 120 permit ospf any
access-list 120 permit ospf any host 224.0.0.5
access-list 120 permit ospf any host 224.0.0.6
2. Deploying Cisco Control Plane Policing
ip access-list extended coppacl-igp
 remark CoPP IGP traffic class
 ! permit OSPF
 permit ospf any host 224.0.0.5
 permit ospf any host 224.0.0.6
 permit ospf any any
3. RFC6192
  ip access-list extended OSPF
    permit ospf 192.0.2.0 0.0.0.255 any
Questions
- Which option is better?
- Is the network specified in option #3 the network statement under the OSPF process, or the actual network I'm routing?
- If option #1 is better, what is the "router receive block" mentioned?
Thank you for your assistance!!
Debbie
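The difference between options 2 and 3 quoted above is the source match. The following is an added example, not taken from the post or from the documents it cites: a small evaluator for IOS-style extended ACL entries, run over constructed packets. Option 1 is left out because its first entry is incomplete as quoted, and all function names are made up for this example.

```python
from ipaddress import IPv4Address

ANY = (0, 0xFFFFFFFF)  # wildcard of all ones: every bit is "don't care"

# ACL entries copied from options 2 and 3 in the post above.
OPTION_2 = [
    "permit ospf any host 224.0.0.5",
    "permit ospf any host 224.0.0.6",
    "permit ospf any any",
]
OPTION_3 = ["permit ospf 192.0.2.0 0.0.0.255 any"]

# Constructed sample packets: (description, protocol, source, destination).
PACKETS = [
    ("hello from listed subnet to AllSPFRouters", "ospf", "192.0.2.1", "224.0.0.5"),
    ("unicast OSPF between neighbours", "ospf", "192.0.2.2", "192.0.2.1"),
    ("OSPF from a source outside the subnet", "ospf", "198.51.100.7", "224.0.0.5"),
    ("unicast OSPF from outside the subnet", "ospf", "198.51.100.7", "192.0.2.1"),
]


def _take_spec(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return (int(IPv4Address(tokens.pop(0))), 0)
    return (int(IPv4Address(head)), int(IPv4Address(tokens.pop(0))))


def parse_ace(line):
    """Split 'permit ospf SRC DST' into (action, protocol, src_spec, dst_spec)."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _take_spec(tokens)
    dst = _take_spec(tokens)
    return action, proto, src, dst


def _hit(addr, spec):
    """Wildcard-mask compare: bits set in the wildcard are ignored."""
    base, wildcard = spec
    return ((int(IPv4Address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def classify(acl_lines, proto, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for action, ace_proto, s, d in map(parse_ace, acl_lines):
        if ace_proto in (proto, "ip") and _hit(src, s) and _hit(dst, d):
            return action
    return "deny"


def compare():
    """Return {description: (option 2 result, option 3 result)}."""
    return {
        desc: (classify(OPTION_2, p, s, d), classify(OPTION_3, p, s, d))
        for desc, p, s, d in PACKETS
    }


if __name__ == "__main__":
    for desc, (opt2, opt3) in compare().items():
        print(f"{desc:45} option2={opt2:6} option3={opt3}")
```

When such an ACL is referenced from a class-map, a "deny" result means the packet is not matched by that class and is handled by a later class or by class-default.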

Similar Messages

  • Control plane protection

    Hi guys,
    I want to implement control plane protection for fragmented packets. As far as I know, if fragmented packets are traversing through the router then the service-policy will be applied at control-plane transit, but if fragmented packets are destined to the router itself then it will be applied at control-plane host. Correct me if I am wrong. Moreover, I want to know the difference between
    Control-plane
    Control-plane host
    Control-plane transit
    Control-plane cef

    Hi Bro
    What you’re doing is good. It’s always best to block the fragmented packets at the control-plane level, rather than via the normal ACL.
    In the basic/lower feature sets IOS versions, there is no breakdown in terms of control-plane. With the advanced/higher feature sets IOS versions, you have control-plane host, control-plane transit and control-plane cef. Your next question would be when do I apply them, in what given situations, am I right? Basically, in a nutshell, here goes
    a)    control-plane host handles packets destined for router itself e.g. management traffic (telnet/ssh/tacacs+/radius) and routing traffic.
    b)    control-plane transit works on IP based packets traversing through the router e.g. internet browsing, email etc.
    c)    control-plane cef focuses on non-IP packets e.g. CDP, ARP etc.
    With this in mind, you might wanna expand your knowledge in depth, by reading this Cisco document http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html
    P/S: if you think this comment is useful, please do rate them nicely :-) and click on the button THIS QUESTION IS ANSWERED.

  • Control-plane protection | software hardware counters

    Hi everybody
    Today I noticed something strange at work. I was looking at how we implemented a policy to drop ICMPs hitting our processor after certain constraints are met.
    cisco#show running-config | begin control-plane
    control-plane
    service-policy input copp-aggregated
    +++++++++++++++++++++++
    Policy definition:
    policy-map copp-aggregated
    class cpp-icmp
       police cir 5000000 bc 93750 be 187500 conform-action transmit exceed-action drop violate-action drop
    class-map match-all cpp-icmp
      match access-group name cpp-icmp
    cisco#show ip access cpp-icmp
    Extended IP access list cpp-icmp
        10 permit icmp any any (156222580 matches)
    ++++++++++++++++++++++++++++++
    cisco#show policy-map control-plane
     Control Plane Interface
    Service-policy input: copp-aggregated
    Hardware Counters:
        class-map: cpp-icmp (match-all)
          Match: access-group name cpp-icmp
          police :
            5000000 bps 93000 limit 93000 extended limit
          Earl in slot 5 :
            5295068971 bytes
            5 minute offered rate 9528 bps
            aggregate-forwarded 5259145173 bytes action: transmit
            exceeded 35923798 bytes action: drop
            aggregate-forward 9936 bps exceed 0 bps
      Software Counters:
        Class-map: cpp-icmp (match-all)
          99672582 packets, 14936584392 bytes
          5 minute offered rate 11000 bps, drop rate 0 bps
          Match: access-group name cpp-icmp
          police:
              cir 5000000 bps, bc 93750 bytes, be 187500 bytes
            conformed 99672950 packets, 14936253164 bytes; action: transmit
            exceeded 289 packets, 422518 bytes; action: drop
            violated 0 packets, 0 bytes; action: drop
            conformed 13000 bps, exceed 0 bps, violate 0 bps
    +++++++++++++++++++++++++++++++++++
    I can see the "software counters" just show the constraints defined under policy "copp-aggregated"; how did we end up with hardware counters?
    The hardware counters show "5000000 bps 93000 limit 93000 extended limit", which we never defined anywhere.
    I appreciate your help
    Thanks

    BTW, don't know why but the **** above should have read k - n - o - b.  Probably the decorum police checking in...
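An added example, not part of the thread: a parser for the software-counter section of "show policy-map control-plane" that turns the raw counters into per-class drop share, CIR utilisation and mean packet size per policer outcome. The sample text is the output quoted in the post above, and the function names are made up for this example.

```python
import re

# Software-counter section copied from the output quoted in the post above.
SAMPLE = """\
  Software Counters:
    Class-map: cpp-icmp (match-all)
      99672582 packets, 14936584392 bytes
      5 minute offered rate 11000 bps, drop rate 0 bps
      Match: access-group name cpp-icmp
      police:
          cir 5000000 bps, bc 93750 bytes, be 187500 bytes
        conformed 99672950 packets, 14936253164 bytes; action: transmit
        exceeded 289 packets, 422518 bytes; action: drop
        violated 0 packets, 0 bytes; action: drop
        conformed 13000 bps, exceed 0 bps, violate 0 bps
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
TOTAL_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes\s*$")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
CIR_RE = re.compile(r"cir (\d+) bps, bc (\d+) bytes(?:, be (\d+) bytes)?")
ACTION_RE = re.compile(
    r"^\s*(conformed|exceeded|violated) (\d+) packets, (\d+) bytes; action: (\S+)"
)


def parse_software_counters(text):
    """Return {class name: counters} for every Class-map block in the text."""
    classes, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = classes.setdefault(m.group(1), {"outcomes": {}})
            continue
        if current is None:
            continue  # header lines before the first class
        if (m := TOTAL_RE.match(line)):
            current["packets"], current["bytes"] = int(m[1]), int(m[2])
        elif (m := RATE_RE.search(line)):
            current["offered_bps"], current["drop_bps"] = int(m[1]), int(m[2])
        elif (m := CIR_RE.search(line)):
            current["cir_bps"], current["bc_bytes"] = int(m[1]), int(m[2])
            current["be_bytes"] = int(m[3]) if m[3] else None
        elif (m := ACTION_RE.match(line)):
            current["outcomes"][m[1]] = {
                "packets": int(m[2]),
                "bytes": int(m[3]),
                "action": m[4],
            }
    return classes


def summarize(stats):
    """Derive drop share, CIR utilisation and mean packet size per outcome."""
    outcomes = stats["outcomes"]
    policed = sum(o["packets"] for o in outcomes.values())
    dropped = sum(o["packets"] for o in outcomes.values() if o["action"] == "drop")
    cir = stats.get("cir_bps")
    return {
        "dropped_packets": dropped,
        # Dropped packets per million policed packets.
        "drop_ppm": 1e6 * dropped / policed if policed else 0.0,
        # 5-minute offered rate as a fraction of the configured CIR.
        "cir_utilisation": stats.get("offered_bps", 0) / cir if cir else None,
        # Mean size shows which kind of packet ends up in each outcome.
        "mean_bytes": {
            name: (o["bytes"] / o["packets"] if o["packets"] else 0.0)
            for name, o in outcomes.items()
        },
    }


if __name__ == "__main__":
    for name, stats in parse_software_counters(SAMPLE).items():
        s = summarize(stats)
        print(name, f"drop_ppm={s['drop_ppm']:.2f}",
              f"cir_utilisation={s['cir_utilisation']:.4f}",
              {k: round(v, 1) for k, v in s["mean_bytes"].items()})
```

On the quoted counters the exceeded packets average 1462 bytes against roughly 150 bytes for conformed ones, and the 5-minute offered rate is a fraction of a percent of the CIR, so the drops come from short bursts of large packets rather than sustained load.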

  • Control Plane Protection (CPPr) and Traffic Rates

    Hi Everybody,
    currently I'm working on implementing policies according to CPPr, but a couple of questions come to my mind:
    1. Is there any standard to start policing the management traffic (SSH, SNMP, Telnet, etc.)?
    2. How can I identify the current rates for the management protocols in order to police them?
    I understand how the MQC works and for sure understand the CPPr options and benefits, but I cannot find a way to start using it in my network or tuning it for my needs.
    Kind Regards,
    Jose-Manuel Cortes 


  • Catalyst 3850 QoS police

    Hello,
    Here is the config for Catalyst 3560 found under the link below.
    I would like to do same setting on Catalyst 3850.
    http://itknowledgeexchange.techtarget.com/network-engineering-journey/how-to-configure-per-vlan-qos-in-cisco-3550-and-3560/
    mls qos
    interface fa0/2
    mls qos vlan-based
    class-map INT
    match input-interface fa0/2
    policy-map NESTED_POLICE
    class INT
    police 12800 1600 exceed-action drop
    class-map HTTP
    match protocol http
    policy-map PARENT_MARK
    class HTTP
    set dscp af11
    service-policy NESTED_POLICE
    interface vlan 10
    service-policy input PARENT_MARK
    But commands like "mls qos", "mls qos vlan-based" and "match input-interface" don't work on the 3850.
    There is no helpful Cisco manual for it.
    Could anyone help me?
    Thanks in advance,
    Taro

    Hello Paul,
    Thank you for the attention.
    Here is the information.
    #sh ver
    Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.01.SE RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Wed 20-Mar-13 17:10 by prod_rel_team
    Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.
    ROM: IOS-XE ROMMON
    BOOTLDR: C3850 Boot Loader (C3850-HBOOT-M) Version 1.1, RELEASE SOFTWARE (P)
    SW01 uptime is 21 weeks, 6 days, 14 hours, 27 minutes
    Uptime for this control processor is 21 weeks, 6 days, 14 hours, 30 minutes
    System returned to ROM by reload at 22:27:58 JST Wed Jan 8 2014
    System restarted at 22:27:52 JST Wed Jan 8 2014
    System image file is "flash:packages.conf"
    Last reload reason: Reload command
    License Level: Ipservices
    License Type: Permanent
    Next reload license Level: Ipservices
    cisco WS-C3850-24T (MIPS) processor with 4194304K bytes of physical memory.
    Processor board ID FOC1717V01B
    24 Virtual Ethernet interfaces
    56 Gigabit Ethernet interfaces
    8 Ten Gigabit Ethernet interfaces
    2048K bytes of non-volatile configuration memory.
    4194304K bytes of physical memory.
    250456K bytes of Crash Files at crashinfo:.
    250456K bytes of Crash Files at crashinfo-2:.
    1609272K bytes of Flash at flash:.
    1609272K bytes of Flash at flash-2:.
    0K bytes of Dummy USB Flash at usbflash0:.
    0K bytes of Dummy USB Flash at usbflash0-2:.
    0K bytes of  at webui:.
    Base Ethernet MAC Address          : 44:ad:d9:6d:4e:00
    Motherboard Assembly Number        : 73-12238-06
    Motherboard Serial Number          : FOC17163HB8
    Model Revision Number              : B0
    Motherboard Revision Number        : D0
    Model Number                       : WS-C3850-24T
    System Serial Number               : FOC1717V01B
    Switch Ports Model              SW Version        SW Image              Mode
         1 32    WS-C3850-24T       03.02.01.SE       cat3k_caa-universalk9 INSTALL
         2 32    WS-C3850-24T       03.02.01.SE       cat3k_caa-universalk9 INSTALL
    Switch 02
    Switch uptime                      : 21 weeks, 6 days, 14 hours, 31 minutes
    Base Ethernet MAC Address          : 20:bb:c0:01:86:80
    Motherboard Assembly Number        : 73-12238-06
    Motherboard Serial Number          : FOC17163HCM
    Model Revision Number              : B0
    Motherboard Revision Number        : D0
    Model Number                       : WS-C3850-24T
    System Serial Number               : FOC1717V01K
    Configuration register is 0x102
    SW01#sh sdm prefer
    Showing SDM Template Info
    This is the Advanced template.
      Number of VLANs:                                 4094
      Unicast MAC addresses:                           32768
      Overflow Unicast MAC addresses:                  512
      IGMP and Multicast groups:                       8192
      Overflow IGMP and Multicast groups:              512
      Directly connected routes:                       32768
      Indirect routes:                                 8192
      Security Access Control Entries:                 3072
      QoS Access Control Entries:                      2816
      Policy Based Routing ACEs:                       1024
      Netflow ACEs:                                    1024
      Input Microflow policer ACEs:                    256
      Output Microflow policer ACEs:                   256
      Flow SPAN ACEs:                                  256
      Tunnels:                                         256
      Control Plane Entries:                           512
      Input Netflow flows:                             8192
      Output Netflow flows:                            16384
    These numbers are typical for L2 and IPv4 features.
    Some features such as IPv6, use up double the entry size;
    so only half as many entries can be created.

  • Control Plane Policing (CoPP) for Data Center

    Hi All,
    I am planning to apply CoPP on different routers and switches of Data Center. This Data Center comprises of Cisco 6513 (VSS), Catalyst 3750, Cisco 3845 and Cisco 2811.
    My questions are:
    1. Do we have to apply CoPP on Catalyst 3750, as these are DMZ switches only?
    2. How to find the packet processing rate from router and switches?
    3. Any best practices CoPP template for routers running OSPF and BGP?
    Thanks and Regards,
    Ahmed.

    1. You would need to apply CoPP to all routers/switches that are manageable from untrusted sites. So even if you have non-DMZ switches that will be able to be telneted to from the outside for example, CoPPing them would be helpful for you.
    Do we not need to apply CoPP on switches and routers that are not telneted from outside?
    Control plane traffic is traffic that goes to the control plane of the router like management traffic, snmp etc. If there is a firewall securing you from the outside I would feel my switches are more secure and it is not easy to bring them to their knees with an attacker doing too much from the outside. Control plane policing applies to all control plane traffic, but it is mostly against outsiders that someone would try to protect himself.
    2. "sh proc cpu" would give you some insight for processes like ssh or telnet and how much they take. Not control packet rate processing though.
    I want to know the maximum packet processing rate of a router or switch?
    I don't think you will be able to pull that number.
    3. Depends on how powerful the router is, how many commands you are running, how much route processing is going on.
    Best practice for a router running OSPF with 200 routes?
    Don't know of any.
    PK

  • Control-plane policing on ML Card

    Hi All,
    We are experiencing high CPU utilization on one of our ML Cards in the ONS 15454. The "IP Input" has relatively higher CPU utilization consumed irrespective of the proper fast/CEF switching enabled on the interfaces. We are trying to figure out whether there is an attack on the control-plane or even any IP packets destined locally to the ML Card, which is causing those packets to be process switched.
    In order to figure that out, we thought we may try to use control plane policing on the control-plane, but it seems it is not taking the service-policy associated with it. Is this feature supported on the ML card? Any other suggestion would be really appreciated.
    Thanks
    Regards
    Anantha Subramanian Natarajan

    Try the "clear ip mroute" command on the ML card with high CPU usage and check for the issue. An ML card having a large number of MAC address traffic can also cause high CPU usage. In very large bridged networks, which may connect directly to 1000s of layer-3 devices, it may also be wise to increase the MAC table limit above the default of 1000 MAC addresses. This is done with the configuration command:
    bridge X limit dynamic entries 10000

  • Control plane policing

    Please, does anyone understand the difference between using a class-map of type queue-threshold and using a default class-map with queue-limit in the policy-map?
    class-map type queue-threshold match-all http-que
         match  protocol http
    policy-map type  queue-threshold http-que
         class http-que
         queue-limit 100
    class-map match-all http
    match access-group name http
    policy-map http
    class http
       bandwidth 100000
       queue-limit 100

    The type queue-limit will be matching http packets that are for the router management.
    If you set a queue-limit under a regular class-map you are matching http traffic that is routed through the traffic.
    In other words CPP queue limit protects the control-plane (router management) queue from getting full and DoS the router or locking someone out.
    Regular class-map is for traffic through the routers.
    I hope it helps.
    PK

  • 3750 / 3850 Stack - Control Plane

    Hi all.
    In a relatively small environment, if I were to stack two switches as my core, say two 3750X's or two 3850's, will I be able to come up with a single control plane so that there won't be any need for FHRP's?

    Thanks for taking the time to rate our posts, Carlos.  :)

  • What snmp OID to use to monitor control-plane of router

    Hi there!
    I've applied policy-maps on the control-plane, based on Cisco's recommendation.
    Now I need to know what SNMP OID I have to use to monitor them (I'm using Zabbix).
    Let me know.
    Regards!

    If you are using IOS which uses a policy-map to configure Control Plane Policing then you are asking in the wrong place as this forum is for IOS-XR not IOS but you can poll objects in the CISCO-CLASS-BASED-QOS-MIB::cbQosPoliceStatsTable (for example cbQosCMDropByte64, cbQosPoliceExceededByte64, cbQosPoliceConformedByte64).
    If you mean you have changed the LPTS policers to help protect the control-plane in IOS-XR then I believe there is currently no support for polling the counters via SNMP. See the section on monitoring in Xander's document https://supportforums.cisco.com/document/93456/asr9000xr-local-packet-transport-services-lpts-copp

  • Catalyst 3850 Stack VLANs, layer 2 vs. layer 3 design question

    Hello there:
    Just a generic, design question, after doing much reading, I am just not clear as when to use one or the other, and what the benefits/tradeoffs are:
    Should we configure the switch stack w/ layer 3, or layer 2 VLANs?
    We have a Catalyst 3850 Stack, connected to an ASA-X 5545 firewall via 8GB etherchannel.
    We have about 100 servers (some connected w/ bonding or mini-etherchannels), and 30 VLANs.
    We have several 10GB connections to servers.
    We push large, (up to) TB sized files from VLAN to VLAN, mostly using scp.
    No ip phones, no POE.
    Inter-VLAN connectivity/throughput and security are priorities.
    Originally, we planned to use the ASA to filter connections between VLANs, and VACLs or PACLs on the switch stack to filter connections between hosts w/in the same VLAN.
    Thank you.

    If all of your servers are going to the 3850 then I'd say you've got the wrong switch model to do DC job.  If you don't configure QoS properly, then your servers will start dropping packets because Catalyst switches have very, very shallow memory buffers.  These memory buffers get swamped when servers do non-stop traffic. 
    Ideally, Cisco recommends the Nexus solution to connect servers to.  One of the guys here, Joseph, regularly recommends the Catalyst 4500-X as a suitable (and financial) alternative to the more expensive Nexus range.
    In a DC environment, if you have a lot of VM stuff, then stick with Layer 2.  V-Motion and Layer 3 don't go hand-in-hand.

  • Catalyst 3850 Cross-Stack EtherChannel

    On 3850 configuration guide, I came across PAgP desirable mode is not supported in the switch stack (cross-stack EtherChannel).
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/layer2/configuration_guide/b_lay2_3se_3850_cg/b_lay2_3se_3850_cg_chapter_0101.html
    But on Q&A document, it mentioned 3850 supports PAgP.
    Q.    What cross-stack EtherChannel link bundling protocols are supported?
    A.     The Cisco Catalyst 3850 supports Cisco Port Aggregation Protocol (PAgP) and industry-standard IEEE 802.3ad Link Aggregation Control Protocol (LACP). Other 3750 Series Switches support only LACP for cross-stack EtherChannel.
    Seems like both statements are contradicting.
    Can someone shed some light on this?
    Thank you.

    Hi, adimakmur 
    Cisco Catalyst 3850 Cross-Stack EtherChannel can be PAgP+ and can be used for VSS dual active detection.
    In last deployment of 3850 we use Cross-Stack EtherChannel and use it as trusted for VSS dual active detection.
    c6500-V#sh switch virtual dual-active pagp
    PAgP dual-active detection enabled: Yes
    PAgP dual-active version: 1.1
    ----skiped----
    Channel group 106 dual-active detect capability w/nbrs
    Dual-Active trusted group: Yes
              Dual-Active     Partner              Partner   Partner
    Port      Detect Capable  Name                 Port      Version
    Te1/7/7   Yes             c3850-307            Te1/1/3   1.1
    Te2/7/7   Yes             c3850-307            Te2/1/3   1.1
    ---skiped----
    c6500-V#sh etherchannel 106  protocol 
    Protocol:  PAgP
    c3850-307#sh etherchannel port-channel 
                    Channel-group listing: 
    Group: 1 
                    Port-channels in the group: 
    Port-channel: Po1
    Age of the Port-channel   = 235d:20h:50m:10s
    Logical slot/port   = 12/1          Number of ports = 2
    GC                  = 0x00010001      HotStandBy port = null
    Port state          = Port-channel Ag-Inuse 
    Protocol            =   PAgP
    Port security       = Disabled
    Ports in the Port-channel: 
    Index   Load   Port     EC state        No of bits
    ------+------+------+------------------+-----------
      0     00     Te1/1/3  Desirable-Sl       0
      0     00     Te2/1/3  Desirable-Sl       0
    Time since last port bundled:    169d:04h:58m:49s    Te1/1/3
    Time since last port Un-bundled: 169d:05h:00m:47s    Te1/1/3

  • ASA Control Plane

    Hello,
    I'm attempting to limit what IP addresses can connect to an ASA using the SSL VPN. I would have thought control-plane policing would have worked, however it did not.
    Here is what I configured:
    access-list vpn_control extended permit tcp object-group allowed_clients interface outside
    access-group vpn_control in interface outside control-plane
    any suggestions would be appreciated.
    Thanks!

    I'm having a problem which I think is described here.  I would essentially like to whitelist networks for SSL AnyConnect VPN access.  I understand that the AnyConnect client would attempt a connection to my outside interface on 443 and that it would be considered "to the box traffic" which would bypass the interface ACLs. I set up an ACL to deny traffic from a specific test network to test the control plane option.  At first I tried 443 traffic and later expanded it to a deny any from the external network, but in either case I was still able to VPN to the ASA from this test network using the AnyConnect client.  I assume this has something to do with management traffic having priority and not distinguishing between management traffic destined for /admin and SSL VPN connections.  However, I do not have the outside interface enabled as a management interface, so even that is a little puzzling.
    access-list outside_access_in_1 extended deny ip object test_network any
    access-list outside_access_in_1 extended permit ip any any
    access-group outside_access_in_1 in interface outside control-plane
    If I do a packet trace for 443 traffic from that network to my outside interface IP it does show the traffic passing and the ACL section specifically shows it passing via implicit rule...

  • New Dial plan & Voice policies not taking effect with Polycom CX 600 Desktop Phone in production deployment, Worked fine in Testing

    Hi,
    We are in the process of Migrating Cisco CUCM & Voice Gateway (From another vendor to Cisco).
    The requirement is all internal calls between Cisco IP Phones & Lync to be flown through CUCM. Means internal extension to extension. Remaining all calls like Mobile, National, International, Toll Free, Emergency, Shared numbers calling to be routed
    to Cisco Voice Gateway.
    We created the test dial plan, Voice policies, Route and assigned it to couple of user from Lync (2 extensions) and from Cisco side we have taken 2 IP Phones which is pointed to new CUCM. We tested all below scenarios,everything was working fine.
    Lync to Lync Call using internal Extension number – Routed through Cisco new CUCM
    Lync to Cisco Call using internal Extension number – Routed through Cisco new CUCM
    Cisco to Lync Call using internal Extension number – Routed through Cisco new CUCM
    Lync to Hotline Numbers (66XX, 68XX Numbers) – Routed through Cisco Gateway
    Lync to Shared Numbers starting with 600 (Verified the number 600535353) - Routed through Cisco Gateway
    Lync to Emergency numbers & Toll Free Numbers (Not verified the emergency Number as we decided to do it at end) - Routed through Cisco Gateway
    Lync to Landline Numbers – Any 7 digit numbers - Routed through Cisco Gateway
    Lync to National Numbers – Starting with 3,4,6,7,8 followed by 7 digits - Routed through Cisco Gateway
    Lync to Mobile Phones – Starting with 05 contains exactly 10 digits - Routed through Cisco Gateway
    Lync to International Numbers – Starting 00 contains at least 11 digits - Routed through Cisco Gateway
    All Incoming calls – From Landline, Mobiles, International Numbers - Routed through Cisco Gateway
    Call Transfer – To another Lync Extension, Cisco Extension, Landline, Mobiles, International Number
    Conference – with another Lync Extension, Cisco Extension, Landline, Mobiles, International Number
    Call Forwarding – To another Number, Voice mail
    Response Groups
    Click to call – As if user try to place a call by directly click the number from Outlook, Websites will be in E.164 format
    Dial in meeting – Conference calls are works fine
    But when we roll out to the production we are facing issues listed below
    1) The phones we used during testing are working which is using same dial plan, Voice policy, Route, PSTN Usage. But from production most of the phones are not working (using the same dial plan, voice policy, Route). Also Problem is only with external calls
    as the internal calls are working fine between Cisco & Lync even in production (Routed through CUCM) NOTE: All incoming calls are working fine (From international, local, national, extension)
    2) How long its going to take for Lync to push the new voice policies, Dial plans to the Phones?
    3) Is there a way to forcefully update the policies, dial plans to the Phone?
    4) Also the environment is using over 100 dial plans, so I just copied and pasted the Normalization rules that we tested and working fine.  Most of the dial plans are assigned to individual users as every dial plan contains a normalization rule for
    international calling with Unique Prefix (Example: User John international Normalization rules says #1234#00#CountrycodePhonenumber, means if John has to place the international call he need to dial #1234# followed by 00 and then country code, then actual
    phone number). In this case how long its take for the users / phones to get updated with new dial plans? 
    6) Is it recommended to use multiple dial plans ? What are the best practices?
    5) Also calls are working fine one & failing on subsequent tries. Means when I dial first 1 or 2 times. Call fails, but when I try 3rd time and subsequently it works. After some again there will be failure during 1 or 2 attempts. Why is it so?
    6) After updating the dial policies, voice Route, Voice policies If i reboot all the phones from Switch, Will the changes take effect immediately?
    7) Also, when someone is calling from a mobile or external number to Lync extensions, they can't hear any dial tones or caller tunes. It's working fine when they call Cisco extensions. Also, to Lync it's working if we dial in E.164 format; if we dial in a format like 023XXXXX it's not working. Any guess about this issue?
    Waiting for some one to help, 
    Best regards
    Krishna
    Thanks & Regards Krishnakumar B

    Hi,
    1.  As all incoming call worked normally, please double check outgoing ports for Lync FE Server and Mediation Server.
    You can refer to the link of “Ports and protocols for internal servers in Lync Server 2013” below:
    http://technet.microsoft.com/en-us/library/gg398833.aspx
    2.  When an administrator makes a change to Lync Server (for example, when an administrator creates a new voice policy or changes the Address Book server configuration settings) that change is recorded in the Central Management store.
    In turn, the change must then be replicated to all the computers running Lync Server services or server roles.
    So it may not replicate completely immediately.
    3.  You can run the following cmdlet with Lync Server Management Shell on FE server to
    forcibly replicate information to a computer: Invoke-CsManagementStoreReplication
    4.  As you used over 100 dial plans, it may be the issue of multiple dial plans. Would you please tell us why you created different dial plan for individual user with unique prefix?
    5.  Multiple dial plans and undue normalization rules may cause call fail. You can double check the normalization rule.
    Best Regards,
    Eason Huang
    Eason Huang
    TechNet Community Support

  • Converged Access Design Help (Catalyst 3850 and WLC 5508...Mobility Oracle)

    Hello,
    I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new
    building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as
    well as the Wireless solution.
    At present, I have no issues in implementing the R&S infrastructure as it is very straight forward but it has implications on the deployment of
    the wireless solution which I explain further below. The R&S infrastructure comprises of the typical Core, Distribution, and Access layers and we
    are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning
    from distribution layer to core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
    Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a
    large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other
    the Secondary. The local distribution switch to which the WLC are connected also is the gateway for the SVIs for the SSIDs that are configured on
    the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly
    connected distribution switch which then routes it into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and
    support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
    Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated
    i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated
    between the two switches and their integrated controller.
    Yet, based on my understanding and research about Converged Access is that, ideally, the Catalyst 3850 will only run the Mobility Agent (MA)
    feature while a central controller would provide the Mobility Controller (MC) service. unfortunately, there are not enough licenses on the
    existing WLC 5508 nor can we migrate the new licenses that will facilitate such a split deployment.
    This means that I would need to configure the two Catalyst 3850 as independent MC and form a MG between them. I have done this and tested this
    already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work as this is simple but rather it is
    focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the
    state of their connections to the WLAN infrastructure.
    To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect
    to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new
    subnets need to be assigned to the SSIDs.
    As such, I have the following questions:
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means
    that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG
    as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to
    the solution as per the next question. Please advise which is a better option?
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can
    then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD).
    Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more
    clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
    Regards,
    Amir

    Hi Amir,
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is a better option?
    I would configure them in the same mobility group. Also configure same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    MO is not required (it is only for very large scale deployments)
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Yes, documents are hard to find :(
    These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    HTH
    Rasika
    *** Pls rate all useful responses ****
