ISE - Branch Wired Design - Non-Converged Access - Best policy on the switch??

Hello,
I would like to understand which solution is the most adapted in an ISE architecture when the PSN server is on the central site and my remote site has no PSN and no converged-access equipment.
What happens if my link between the central site and the remote site is down? In this case, which policy should I put on my remote switch?
1/ Check the various policies (dot1x -> MAB -> Web-auth), then do not block the port but just send a message to the administrator.
2/ Put an ACL on the site router.
3/ ?? other idea
What would be the most adapted policy?
Tks a lot
bye

https://supportforums.cisco.com/discussion/11602321/ise-nad-radius-fail-open

Similar Messages

  • Converged Access Design Help (Catalyst 3850 and WLC 5508...Mobility Oracle)

    Hello,
    I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new
    building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as
    well as the Wireless solution.
    At present, I have no issues in implementing the R&S infrastructure as it is very straight forward but it has implications on the deployment of
    the wireless solution which I explain further below. The R&S infrastructure comprises of the typical Core, Distribution, and Access layers and we
    are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning
    from distribution layer to core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
    Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a
    large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other
    the Secondary. The local distribution switch to which the WLC are connected also is the gateway for the SVIs for the SSIDs that are configured on
    the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly
    connected distribution switch which then routes it into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and
    support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
    Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated
    i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated
    between the two switches and their integrated controller.
    Yet, based on my understanding and research about Converged Access, ideally, the Catalyst 3850 will only run the Mobility Agent (MA)
    feature while a central controller would provide the Mobility Controller (MC) service. Unfortunately, there are not enough licenses on the
    existing WLC 5508 nor can we migrate the new licenses that will facilitate such a split deployment.
    This means that I would need to configure the two Catalyst 3850 as independent MC and form a MG between them. I have done this and tested this
    already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work as this is simple but rather it is
    focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the
    state of their connections to the WLAN infrastructure.
    To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect
    to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new
    subnets need to be assigned to the SSIDs.
    As such, I have the following questions:
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means
    that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG
    as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to
    the solution as per the next question. Please advise which is a better option?
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can
    then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD).
    Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more
    clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
    Regards,
    Amir

    Hi Amir,
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is a better option?
    I would configure them in the same mobility group. Also configure same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    MO is not required (it is only for very large scale deployments)
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Yes, documents are hard to find :(
    These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Has anyone deployed converged access with 3850 switches and 5760 WLCs?

    Has anyone deployed a converged access network architecture with 3850 switches and 5760 WLCs? I have done lots of projects with the 5508 WLCs in a centralized deployment. Basically with this design, I manage 2 logical networks as the wireless network is an overlay over the wired network. I can design a firewall to segregate traffic between the wired and wireless, hence I can carry both staff and guest traffic.
    Now Cisco is telling us that there is a new design such that the data plane traffic can be dropped locally through the 3850 switches. I am not sold on this and have not found any recommended best practices on when we should use a converged access architecture.
    Pros
    With converged access, data traffic is terminated at the MA which is on the switches, hence the WLC will not be a bottleneck? This is to prepare adoption for 802.11ac?
    Less hops for voice calls from user A to user B as data control traffic is dropped locally.
    Cons
    Now how do I segregate guest and staff traffic if my security folks say I need a firewall?
    Troubleshooting wireless client mobility will be a nightmare as the 3850 switches are MA.
    Pushing and upgrading code for the Code will mean upgrading the stack of switches in the LAN riser. This will be painful in a huge campus environment like a university.
    Can someone convince me why would a customer choose converged access?
    Sent from Cisco Technical Support iPad App

    They choose CA because of the CAPWAP termination at the switch. You can still use a 5508 and tunnel guest to a DMZ segment if you wish. You will need a 5508 though if you want to tunnel traffic to an anchor WLC.
    Sent from Cisco Technical Support iPhone App

  • Access restriction policy

    I own an E2000 router with the latest firmware. I set up an access restriction policy for my children's mobile devices: a deny policy based on MAC address. Sometimes it works and sometimes it won't work. It seems that when my children keep using, for instance, WhatsApp so busily, the internet connection stays open despite the policy. Does anyone know a solution for this?
    kind regards,
    cees

    Thanks Jake,
    I know that a factory reset is possible via the web interface. My question was whether it is possible to do a scheduled reboot with an option in the firmware? Indeed the time zone is important. I checked this.
    Does anybody know if the access restriction policy works on a live internet connection? For example: my daughter uses her smartphone with Facebook from 16:00 to 17:00, and the policy is that at 16:30 it must be blocked? Or can the policy only work on a connection when it starts up (and then check the time in the policy to know if a restriction is possible)?
    cheers

  • ISE Auth Policy with Converged Access

    Hi
    I'm setting up Dot1X authentication using ISE 1.3 and 5760/3850 WLAN controllers. The problem is that I'm not able to match my authentication policy defined on ISE. It jumps directly to the default policy; I'm using Called-Station-Id = SSID but it is not able to match this.
    I have configured this before on WLC AireOS but not with converged access. Is there something that needs to be done on the 3850 WLC to send this info to ISE?

    Yes, I can see that everything is working, with certificate and other stuff. It is only that it is not matching the SSID.
    I have tried different ways to do the SSID filtering:
    NAS-Port-Id Equals SSID,
    Called-Station-Id Equals SSID
    But none of these works. Does anyone know if I have to do something different when doing this setup through converged access?

  • ISE web auth for non-cisco switch(D-link 3528)

    Is it possible to use ISE (inline posture node) to redirect the wired users to the ISE guest portal?
    And the wired users will get full network access after they pass the web auth.

    You can use the ISE in-line posture node with 3rd-party switches.
    The RADIUS access device must supply the following RADIUS attributes:
        Calling-Station-Id (for MAC_ADDRESS)
        User-Name
        NAS-Port-Type
        The RADIUS accounting message must have the Framed-IP-Address attribute.
    VLAN and dACL features can be used, but again it depends on the switch model; let us know the specific switch models. Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality.
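    The attribute list above, as an added example that is not part of the thread: a small Python checker that parses constructed RADIUS Access-Request and Accounting-Request packets from a third-party NAD and reports which of the attributes ISE needs are missing, and whether Calling-Station-Id actually carries a MAC address. Attribute numbers are the standard RFC 2865/2866 values; the sample packets, the zeroed authenticator and the MAC-format check are assumptions made for this illustration.

```python
import re
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866)
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4

# Standard attribute type numbers used below
ATTR = {
    "User-Name": 1,
    "Framed-IP-Address": 8,
    "Calling-Station-Id": 31,
    "Acct-Status-Type": 40,
    "NAS-Port-Type": 61,
}
TYPE_TO_NAME = {v: k for k, v in ATTR.items()}

# What the reply above says a non-Cisco switch must send for ISE in-line posture
REQUIRED = {
    ACCESS_REQUEST: {"Calling-Station-Id", "User-Name", "NAS-Port-Type"},
    ACCOUNTING_REQUEST: {"Framed-IP-Address"},
}

# Calling-Station-Id must carry the endpoint MAC; accept the common textual forms
# (assumed check: colon/hyphen separated pairs or Cisco dotted-quad groups)
MAC_RE = re.compile(r"^([0-9a-f]{2}[-:]){5}[0-9a-f]{2}$|^([0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I)


def build_packet(code, ident, attrs):
    """Serialise a RADIUS packet: code, id, length, 16-byte authenticator, TLV attributes.
    The authenticator is zeroed because only attribute presence is examined here."""
    body = b"".join(struct.pack("!BB", ATTR[name], 2 + len(value)) + value
                    for name, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_packet(packet):
    """Return (code, {attr_type: [values]}); raise ValueError on a malformed packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:      # RFC 2865: attribute length >= 2
            raise ValueError("attribute length out of range")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs


def check_nad_packet(packet):
    """List the problems ISE would have with this packet: required attributes
    that are missing, and a Calling-Station-Id that is not a MAC address."""
    code, attrs = parse_packet(packet)
    present = {TYPE_TO_NAME[t] for t in attrs if t in TYPE_TO_NAME}
    problems = [f"missing {name}" for name in sorted(REQUIRED.get(code, set()) - present)]
    for value in attrs.get(ATTR["Calling-Station-Id"], []):
        if not MAC_RE.match(value.decode("ascii", "replace")):
            problems.append("Calling-Station-Id is not a MAC address")
    return problems


# Constructed sample packets (all values are made up for the example)
GOOD_ACCESS = build_packet(ACCESS_REQUEST, 7, [
    ("User-Name", b"00-11-22-33-44-55"),            # MAB: user name is the MAC
    ("Calling-Station-Id", b"00-11-22-33-44-55"),
    ("NAS-Port-Type", struct.pack("!I", 15)),       # 15 = Ethernet
])
# A switch that sends the client IP instead of the MAC and omits NAS-Port-Type
BAD_ACCESS = build_packet(ACCESS_REQUEST, 8, [
    ("User-Name", b"alice"),
    ("Calling-Station-Id", b"192.0.2.55"),
])
GOOD_ACCT = build_packet(ACCOUNTING_REQUEST, 9, [
    ("Acct-Status-Type", struct.pack("!I", 1)),     # 1 = Start
    ("Framed-IP-Address", bytes([192, 0, 2, 55])),
    ("Calling-Station-Id", b"00-11-22-33-44-55"),
])
BAD_ACCT = build_packet(ACCOUNTING_REQUEST, 10, [
    ("Acct-Status-Type", struct.pack("!I", 1)),
    ("Calling-Station-Id", b"00-11-22-33-44-55"),
])

if __name__ == "__main__":
    for label, pkt in [("good access", GOOD_ACCESS), ("bad access", BAD_ACCESS),
                       ("good acct", GOOD_ACCT), ("bad acct", BAD_ACCT)]:
        print(label, check_nad_packet(pkt) or "ok")
```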

  • Converged or Non-Converged 2012 R2 Hyper-V Cluster

    Here's the scenario.
    I have 4 PowerEdge R710 servers, each with a total of 12 1Gb NICs connected to 2 physical switches for redundancy. I have 4 of these reserved for iSCSI storage connectivity.
    For the remaining 8 NICs previously in a Server 2008 R2 cluster I would have had the following:
    Management Team (2 NICS)
    Backup Team (2 NICS)
    Hyper-V Team (2 NICS)
    Live Migration (1 NIC)
    Cluster/CSV (1 NIC)
    Now I want to upgrade the Hyper-V cluster to Server 2012 R2 using the same hardware and I have read much on converged networks, smb multichannel and new inbuilt NIC teaming.
    I understand there are many different ways to design the networking now and therefore for the networking hardware I have available what are other peoples thoughts on the best design.
    Should I keep the old style non-converged networking and have underutilized NICS for much of the time or would a converged network design be able to provide better network performance?
    Say for example I create a TEAM of 8 x 1gb NICs and split the Management, Backup, Hyper-V, Live-Mig and Cluster/CSV with vNICS and weighted QOS I would see improvements in the networking?
    What are your thoughts?
    Microsoft Partner

    Hi ,
    You can converge all NICs then split every type of traffic onto a virtual NIC; please refer to the 2nd scenario within the following link:
    http://technet.microsoft.com/en-us/library/jj735302.aspx
    Best Regards
    Elton Ji
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • SharePoint Designer 2013 cannot access workflows in Office 365 Site

    I have an Office 365 SharePoint site with a number of workflows that I have created on my machine with SPD 2013. After a number of weeks I was unable to access the workflows from my machine through SPD (while still being able to access pages, site assets etc.), getting the following error: (Am restricted from submitting images)
    "Server-side activities have been updated. You need to restart SharePoint Designer to use the updated version of activities"
    Restarting SPD doesn't help, after clicking OK I get the "SharePoint Designer cannot display the item" screen, prompting me to refresh. 
    When I do refresh, I get the following:
    "Windows Workflow Foundation, part of .Net Framework 3.0, must be installed to use this feature"
    This is happening on my machine, Windows 7 64 Bit, SPD 2013 64 Bit, but on a colleague's machine, Win 7 64 Bit, SPD 2013 64 Bit I can access the workflows. 
    I get the same error if I try to create a new Workflow on my machine but I can create it on my colleague's machine.
    I downloaded SPD 2013 on a 32 bit laptop I have access to, in which I can create a workflow. One existing workflow can be accessed, updated etc. with no issue, one opens to a prompt to "Insert a stage" and one tells me that it "Failed to load the workflow definition for the workflow", then the "SharePoint Designer cannot display the item" screen. All of these workflows can be accessed from my colleague's machine.
    Here are the actions that I have taken to date on my own machine:
    Cleared the caches multiple times
    Checked for updates
    Installed .Net Framework 4.5
    Re-installed .Net Framework 4.0 (which contains 3.0)
    Uninstalled and re-installed SPD 2013 
    Due to issues with a workflow on the site I am in contact with MS Support who are aware of this issue, they sent me a link to a hot fix that was already installed but they have no concrete idea of what might be going on.
    I was convinced that it was an issue on my machine, but I don't know what the issues that I have seen on the 32 bit SPD on the new laptop mean.
    I have been searching the internet for a fix with no success, I would appreciate any help.
    Thanks
    Mick

    Hi,
    According to your post, my understanding is that SharePoint Designer 2013 cannot access workflows in Office 365 Site.
    There was an issue recently when a service release was implemented that incremented the version number in the HTML header on some SharePoint online sites to '16' when SPD was expecting '15'. 
    I suggest installing Internet Explorer 10 and installing a patch for IE10. Then test with "Open with Windows Explorer" and then open it in SPD from SharePoint Online.
    In addition, I suggest that in SPD go to Account > Switch Account and type in the credentials of the site you are trying to open (it defaults to your Microsoft Login).
    If the issue persists, to troubleshoot this issue, you can uninstall all versions of SharePoint Designer on the workstation, clear the cache and then reinstall the latest SharePoint Designer. For the detailed information, you can refer to the article: http://support.microsoft.com/kb/2794961
    Here are two similar threads for you to take a look at:
    http://social.msdn.microsoft.com/Forums/sharepoint/en-US/15fd1436-3166-4e43-8b22-cdb480091548/cant-open-sharepoint-online-site-in-sharepoint-designer-2013
    http://community.office365.com/en-us/forums/154/t/149314.aspx?PageIndex=2
    By the way, you can also post the question in Office 365 forum and more experts will assist you.
    Office 365 forums: http://community.office365.com/en-us/forums/default.aspx
    More information:
    SharePoint Designer 2013: Server-side activities have been updated:
    http://www.andreasthumfart.com/2013/08/sharepoint-designer-2013-server-side-activities-have-been-updated/
    Best Regards,
    Linda Li

  • ISE - AAA radius authentication for NAD access

    Hi ,
    I have configured the switches to use the ISE as the RADIUS server to authenticate with. On the ISE I've configured an authentication policy
    for the "NADs" using the "Wired Devices" group which points to the AD identity source to authenticate against.
    While testing the login access to the switches we've come up with 2 results:
    1. A domain user can indeed login to the switch as intended.
    2. Every domain user which exists in the AD identity source can login; this is an undesired result.
    So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU
    of the IT_department only.
    I haven't been successful; would appreciate any ideas on how to accomplish this.
    Switch configurations :
    =================
    aaa new-model
    aaa authentication login default group radius local
    ISE Authentication policy
    ==================
    Policy Name : NADs Authentication
    Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
    Allowed Protocol : Default Network Access
    use identity source : AD1

    Thank you for the quick replies, and now OK, I've configured the following authorization policy:
    Rule Name : Nad Auth
    Conditions
    if: Any
    AND : AD1:ExternalGroups EQUALS IT_Departments
    Permissions , then PermitAccess
    What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group". I am limited with the if statement and cannot choose the same device group I chose before.
    How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and interfere?

  • ISE Network Access Security Policy Document - High/Low

    Has anybody created the High and Low level designs for the NASP?
    This is my first time and it's always easier to have a template to work off of than to reinvent the wheel. An incomplete example is displayed below but I was hoping someone had a complete one of high and low.
    Employee Authorization Rule
    Table of Contents for Employee Security Policy:
    I. Members pg. xxx
    II. Acceptable Use Policy pg. xxx
    III. Windows 7 Security Requirements pg. xxx
    1. Approved AV Installed & Up-to-date pg. xxx
    a. Security checks pg. xxx
    b. Security rules pg. xxx
    IV. Network Access Permissions pg. xxx
    1. VLAN Segmentation pg. xxx
    a. Noncompliant Posture VLAN pg. xxx
    b. Access VLAN Name/ID pg. xxx
    2. Access Control List pg. xxx
    3. SmartPort Macro pg. xxx
    4. Security Group Tag number pg. xxx
    IV. Network Access Permissions
    1. VLAN Segmentation – Yes
    a. Noncompliant Posture VLAN = quarantine-vlan/100
    b. Access VLAN Name/ID = employees/10
    2. Access Control List – Yes
    a. Compliant ACL = permit All IP
    b. Noncompliant ACL =
    5 Permit TCP from any to “AUP web server” equaling 80
    Description: Allow anyone to access the acceptable use policy link
    10 Permit TCP from any to “Link based remediation resources” equaling 80 & 443
    Description: Allow web traffic to the appropriate remediation resources
    20 Permit TCP from any to “file based remediation” equaling 80 & 443
    Description: Allow web traffic to the cam for remediation file distribution
    30 Permit UDP from any to “dmz DNS Server” equaling DNS
    Description: Allow DNS only to the dmz dns server
    40 Deny IP from any to any
    Description: Block everything else
    3. SmartPort Macro – no
    4. Security Group Tag number – 10

    You can download Cisco ISE High Level design document template from the following link
    ATP Partner Resource Center
    http://www.ciscosecurityatp.com/login.asp?strReturn=/index.asp

  • Converged access

    Hi 
    I'm about to set up a converged access solution with a WLC 5760 as MC and several 3850s as MAs. It is not clear to me what needs to be configured on the MC and what needs to be configured on the MAs.
    I know that each MA has to be configured with the WLAN configuration, but what about things like security profile, ACL, RADIUS? Does anyone have good documentation explaining this?

    Hi
    Below should help you to start with basic peering between MA & MC
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    WLAN configuration to be done on MA
    http://mrncciew.com/2013/12/04/wlan-config-in-3850-part-1/
    http://mrncciew.com/2013/12/06/wlan-config-with-3850-part-2/
    The posts below should also help you with 5760/3850 basic configs
    http://mrncciew.com/2013/12/12/getting-started-with-5760/
    http://mrncciew.com/2013/09/29/getting-started-with-3850/
    http://mrncciew.com/2013/12/16/configuring-radius-on-5760/
    Also this thread listed some useful documentation about CA.
    https://supportforums.cisco.com/discussion/11984726/converged-access-design-information
    HTH
    Rasika
    **** Pls rate all useful responses ***

  • Converged ACCESS CWA

    Hi
    I'm doing CWA with my 3850 WLC, but the client seems to be stuck in "WEBAUTH_PEND" on the WLC client list.
    It all looks OK in the ISE logs, and in the client detail I can see that it has gotten the redirect URL, but nothing is happening.
    Can someone give me some ideas as to where I should look?

    See if these links help
    https://supportforums.cisco.com/document/147096/converged-access-%E2%80%93-configure-ssid-central-web-authentication-cwa-using-ise-catalyst
    HTH
    Rasika
    *** Pls rate all useful responses ***

  • AP1262 bridge to Non-Cisco Access Point?

    I would like to use a Cisco AP1262 in a mobile command vehicle to bridge to any WiFi Access Point that I know the SSID and Password to. Will the 1262 bridge to a non-Cisco Access Point?
    If so, any assistance in finding an example configuration would be appreciated.
    Thanks,
    Brian

    Hi Brian,
    Yes, you can configure 1262 as Universal Workgroup bridge where it will associate to any cisco or non-cisco root AP. You can only connect one wired client behind universal WGB.
    You just need to configure "station-role workgroup-bridge universal <wired_client_MAC>" under radio interface of WGB. (1262)
    Something similar should work for your 1262, if you want it in 5GHz, otherwise configure radio 0 interface for WGB
    hostname WGB
    dot11 ssid <SSID-NAME>
       authentication open 
       authentication key-management wpa version 2
       wpa-psk ascii <PASSWORD>
    interface Dot11Radio1
     encryption mode ciphers aes-ccm
     station-role workgroup-bridge universal 068d.098a.d422 <- Ur wired MAC
     ssid <SSID-NAME>
     bridge-group 1
    interface GigabitEthernet0
     bridge-group 1
    NB: I haven't tested this, so you  have to test & confirm. If WPA2/AES is not supported then you may need to choose suitable security protocol & encryption mechanism.
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • HT3775 I NEED I TUNES FOR A 64 BIT PC. OPERATING SYSTEM IS WINDOWS 8, NON TOUCH SCREEN. WHICH IS THE ABSOLUTELY BEST WAY TO GET ITUNES OPERATING CORRECTLY ON MY PC????//I HAVE TRIED SEVERAL THINGS, NONE OF WHICH ARE WORKING. IS ITUNES DELIBERATELY EXCLUDI

    I cannot get iTunes to work/install on my PC. I am running Windows 8 on a 64 bit machine. I also want to purchase books via iTunes for my Nook. Are you deliberately excluding PC owners so we cannot use iTunes on our computers???? I have selected a community but have no idea what community I should be working with. Can someone explain these communities to me? Also, you don't allow much time to go through the sign up process. I had to start over SEVERAL times as you kept timing me out. Jesus...when people are signing up for the first time, we have no idea of the questions that will be asked. Give us a break and give us time to sign up. Not everyone is disability free and able to go through your process quickly...you are NOT user friendly. You should be for people who are wanting to join your community. I used to want an Apple product but now that I have had first hand experience with your web page, I think I will probably stay away from Apple products. VERY DISAPPOINTING

    Jan 11, 2014 10:26 AM  Re: I NEED I TUNES FOR A 64 BIT PC. OPERATING SYSTEM IS WINDOWS 8, NON TOUCH SCREEN. WHICH IS THE ABSOLUTELY BEST WAY TO GET ITUNES OPERATING CORRECTLY ON MY PC????//I HAVE TRIED SEVERAL THINGS, NONE OF WHICH ARE WORKING. IS ITUNES DELIBERATELY EXCLUDING PC'S  in response to Birdlover1
    Post over in the iTunes for Windows forum, here:
    https://discussions.apple.com/community/itunes/itunes_for_windows
    sebastian

  • Auto deploying branch office printers with Direct Access

    Hello there
    I am implementing my first Direct Access topology and have a question. We will have branch offices with workstations deployed using Direct Access for administrative purposes. We have staff moving around from branch to branch with the goal to make logging on to the network and accessing resources for users as automated as possible. One of the questions I have regards auto configuring branch printers for users using Group Policy. The branch offices have workstations, printers and NAT modem/routers with DHCP - but no servers.
    If we have a stand alone network printer, how do we list that printer in Active Directory allowing the user to auto-configure it using group policy? If we install it on a server at Head Office, would the print job travel there first and then back to the branch? Obviously this is not ideal. Or can it be directed straight to the printer using a script or something?
    Alternatively we can install and share it on a branch workstation and list it in the directory, but would this not be the same problem as above? This is not ideal either as it would depend on the workstation being always on and available.
    Any input Direct Access gurus?
    Thanks in advance
    MIS5000

    Hi,
    Thanks for your post.
    We could have 2 possible solutions to natively deploy printers using Group Policy without the need for any scripting:
    1) Group Policy Preferences – available in Windows Server 2008 and later
    2) Print Management – available in Windows Server 2003 R2 and later
    http://blog.powershell.no/2009/11/08/deploying-printers-using-group-policy/
    Did you try to use Print Management? You can share printers on a network and centralize print server and network printer management tasks using the Print Management Microsoft Management Console (MMC) snap-in. Print Management helps you to monitor print queues and receive notifications when print queues stop processing print jobs. It also enables you to migrate print servers and deploy printer connections using Group Policy.
    https://technet.microsoft.com/en-us/library/cc731857.aspx
    Meanwhile, if you have any Direct Access related issue, I think you may ask in network forums:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNIS
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
