Summary of the content on the page No. 1
Guide
Cisco Catalyst 3850 Switch
Services Guide
April 2013
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 70 ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
Summary of the content on the page No. 2
Contents Overview ................................................................................................................................................................... 3 Cisco Catalyst 3850 Security Policy....................................................................................................................... 3 Configuring 802.1X in Converged Access ............................................................................................................. 3 80
Summary of the content on the page No. 3
Overview ® ® The Cisco Catalyst 3850 Switch is built on a unified access data plane (UADP) application-specific integrated circuit (ASIC). This is a state-of-the-art ASIC that has all services fully integrated in the chip and thus requires no additional modules. The ASIC is programmable and is flexible to support future requirements. It also delivers services with flexibility and visibility across wired and wireless networks. The access layer of the network has evolved from just pushing t
Summary of the content on the page No. 4
Figure 1. 802.1X with Converged Access The authentication, authorization, and accounting (AAA) group and RADIUS server are set up on the Cisco Catalyst 3850. The authentication and authorization are redirected to the ISE server. The wireless clients are set up to get authenticated using dot1x. aaa new-model aaa authentication dot1x CLIENT_AUTH group radius aaa authorization network CLIENT_AUTH group radius ! The ISE server is the RADIUS server, and the switch is defined on the ISE
Summary of the content on the page No. 5
To define the Cisco Catalyst 3850, on the ISE screen, navigate to Administration Network Resources Network Devices as in Figure 2. Figure 2. Device Definition in ISE The dot1x needs to be enabled on the switch globally for wired and wireless clients. dot1x system-auth-control ! 802.1X Configuration for Wired Users 802.1X for wired users is configured per port. Here is the port configuration: interface GigabitEthernet1/0/13 switchport access vlan 12 switchport mode access
Summary of the content on the page No. 6
class-map type control subscriber match-all DOT1X_NO_RESP match method dot1x ! policy-map type control subscriber DOT1X event session-started match-all 1 class always do-until-failure 2 authenticate using dot1x retries 3 retry-time 60 event authentication-success match-all event authentication-failure match-all 5 class DOT1X_NO_RESP do-until-failure 1 authentication-restart 60 ! 802.1X Configuration for Wireless Users For wireless clients, 802.1x is configured under
Summary of the content on the page No. 7
I - Awaiting IIF ID allocation P - Pushed Session (non-transient state) R - Removing User Profile (multi-line status for details) U - Applying User Profile (multi-line status for details) X - Unknown Blocker The following output shows the detailed view of the wireless client session: Switch#sh access-session mac b065.bdb0.a1ad details Interface: Capwap0 IIF-ID: 0xE49A0000000008 MAC Address: b065.bdb0.a1ad IPv6 Address: Unkno
Summary of the content on the page No. 8
The following is the detailed output of the wired client session: Switch#sh access-session mac 0024.7eda.6440 details Interface: GigabitEthernet1/0/13 IIF-ID: 0x1092DC000000107 MAC Address: 0024.7eda.6440 IPv6 Address: Unknown IPv4 Address: 10.3.0.113 User-Name: corp1 Status: Authorized Domain: DATA Oper host mode: single-host Oper control dir: both Session t
Summary of the content on the page No. 9
After defining ACL in ISE, it can be associated with an authorization profile, as shown in Figure 4. Figure 4. Authorization Profile Note: If a named authentication method-list is in place for AAA, an attribute needs to be set from ISE, as shown in 4 Method-List in this example is CLIENT_AUTH. After successful download of ACL, the client is authorized, and the following is the output of ACL: Switch#sh access-lists Extended IP access list xACSACLx-IP-user1-46a243eb (per-user) 1
Summary of the content on the page No. 10
The total capacity of the ACEs is an aggregate number that constitutes all types of ACEs. One type of ACE, however, can scale up to 1500. For example, the total number of Port ACL (PACL) access control entries cannot exceed 1500. But a combination of PACL and Router ACL (RACL) access control entries can scale up to 3000. Cisco Catalyst 3850 Quality of Service One of the primary advantages of the Cisco Catalyst 3850 is the visibility into wireless packets at the access layer. This visibili
Summary of the content on the page No. 11
Unlike wired, wireless is considered untrusted on the Cisco Catalyst 3850. The default trust setting for wireless target is untrust: that is, the packets are marked down to 0 in the absence of SSID-based policy. The startup configuration on the Cisco Catalyst 3850 always has the following CLI: qos wireless-default-untrust This CLI is part of the default configuration (automatically created) and cannot be modified in the current release. That means the wireless will always be untrusted. I
Summary of the content on the page No. 12
permit udp any any eq 1214 ip access-list extended SIGNALING remark SCCP permit tcp any any range 2000 2002 remark SIP permit tcp any any range 5060 5061 permit udp any any range 5060 5061 ip access-list extended TRANSACTIONAL-DATA remark HTTPS permit tcp any any eq 443 remark ORACLE-SQL*NET permit tcp any any eq 1521 permit udp any any eq 1521 The following is the configuration for creating a class-map for each application service and applying match statements: cla
Summary of the content on the page No. 13
With table-maps, one can create a map of values that can be used between the same or different markings such as DSCP, CoS, and so on. The values that can be mapped are from 0 through 99 in decimal. Table-map also has a default mode of operation for values that do not have a mapping explicitly configured. If it is set to ignore, there will not be any change to the marking, unless an explicit mapping is configured. It can be configured to copy or to set a specific value. The following is a
Summary of the content on the page No. 14
Applying Ingress Policies Like other Cisco Catalyst platforms, Cisco Catalyst 3850 Switches offer two simplified methods to apply service policies. Depending on the deployment model, either of the following methods may be used: ● Port-based QoS: Applying service policy on a per-physical port basis will force traffic to pass through QoS policies before entering the network. ● VLAN-based QoS: Applying service policy on per-VLAN basis requires the policy map to be attached to a logical La
Summary of the content on the page No. 15
class-map CALL-SIG match dscp cs3 class-map CRITICAL-DATA match dscp af21 af22 af23 class-map VIDEO-STREAM match dscp af31 af32 af33 class-map Scavenger-Q match dscp cs1 After traffic is identified using DSCP, policy bases can be applied on classifications. policy-map 2P6Q3T class VOICEQ priority level 1 class VIDEOQ priority level 2 class NETWORK-MGMT bandwidth remaining percent 10 class CALL-SIG bandwidth remaining percent 10 class CRITICAL-DATA bandwi
Summary of the content on the page No. 16
Wireless: Ingress Quality of Service Ingress Marking and Policing on Wireless Client In the ingress direction, traffic can be marked and policed at client level. The following example provides differentiated marking and policing for the different class of application sourced from the client: policy-map PER-CLIENT class VOICE set dscp ef police 128k 8000 exceed-action drop class SIGNALING set dscp cs3 police 32k 8000 exceed-action drop class MULTIMEDIA-CONFERENCING
Summary of the content on the page No. 17
The applied policy can be shown with the following CLI: Switch# sh policy-map interface wireless client Client 000A.CC10.0001 Service-policy input: Standard-Employee Class-map: Voice (match-all) Match: access-group name Voice police: cir 128000 bps, bc 4000 bytes conformed 0 bytes; actions: transmit … QoS Set dscp ef … Class-map: TRANSACTIONAL-DATA (match-all) Match: access-group name TRANSACTIONAL-DATA
Summary of the content on the page No. 18
If the policy name is downloaded from the ISE server, the server needs to be configured as shown in Figure 6, with the AV pair ip:sub-qos-policy-in=Standard-Employee. Figure 6. Authentication Profile The same policy can be applied for open wired ports as well. The policy needs to be attached to the port and not to the clients. Currently QoS policies cannot be attached to wired “clients.” Note: Wired port application is described earlier in the wired section. Ingress Policies on WLA
Summary of the content on the page No. 19
table-map dscp2dscp default copy Policy-map TRUST Table Map dscp2dscp default copy The QoS policy is applied under the WLAN configuration. The SSID policy is applied as shown in the following example. This results in “trusted” behavior for traffic ingressing from wireless, similar to wired. wlan open 1 Employees service-policy input TRUST Wireless: Egress Quality of Service This explains the capabilities of QoS that are available on the Cisco Catalyst 3850. On the egress (dow
Summary of the content on the page No. 20
The following is the default behavior of the four queues: Q0 (RT1): Control traffic Q1 (RT2): None Q2 (NRT): Everything other than multicast NRT and control traffic Q3 (multicast NRT): Multicast and nonclient traffic Default QoS policy is applied to the wireless port in the downstream (egress) direction. On port level no policy is supported in upstream (ingress) direction. The policy on the port is applied to the CAPWAP encapsulated packets egressing out to the access point. The defaul
