IOS-XE 3.6.0E / IOS 15.2(2)E
September 2014
One Combined Software Release for Cat2K/3K/4K/WLC5760
SE René Andersen
Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
IOS-XE 3.6.0E / IOS 15.2(2)E Software Release – Highlights
One Combined Release
• For the newly introduced IOS-XE platforms (Cat3850/3650/3850 Fiber, Sup8E & WLC5760) and the classic IOS platforms (2960S, 2960X/R, 3750-X, 3560-X etc.)
Software Service Innovations
• IT Simplicity, Mobility and Application Experience
Certifications
• Complete Govt. certifications for NG and classic shipping platforms (Wired & Wireless)
Feature Parity
• Maximum feature parity for Sup8E including VSS support
• Critical feature parity for Cat3850/3650 with improved manageability
Catalyst Access Switching - Software Roadmap
[Roadmap timeline figure, CY2012 to CY2015, with the tracks IOS-XE NG3K Releases, Catalyst 4500E/X Release, Catalyst 2K/3K Feature Release and 2K/3K/4K One Release. Releases named on the timeline: XE 3.2.0SE (Darya), 3.3.0SE, 3.3.2SE (Darya rebuild), XE 3.3.0SG/IOS 15.1(1)SG (Yap), XE 3.4.0SG/IOS 15.1(2)SG (Texel), XE 3.5.0E/IOS 15.2(1)E (Indus), IOS XE 3.3.0XO, 15.0(2)SE (Nile), 15.0(2)EX, and the one combined releases for Cat2K/3K/4K/5760: XE 3.6.0E/15.2(2)E (Amur) and XE 3.7.0/15.3(1)E (Beni). Launches marked: 2960-SF, 3K-X UPOE, C3850, C3850/5760 FCS, Sup-8E, 2960X/XR, C3650, C3850 Fiber. EM = Extended Maintenance Release.]
Customer benefits of the combined release
• One release to qualify, deploy and maintain for Cat2K/3K/4K
• Lower TCO
What the combined release does not provide
• Merging of IOS into IOS-XE or vice versa
• Change in existing platform behavior
5 © 2014 Cisco and/or its affiliates. All rights reserved. BRKARC-3438 Cisco Public
IOS XE Evolution
[Figure: two software stacks side by side. IOS 15.x: Management Interface, Features Components, Module Drivers, Common Infrastructure / HA, Kernel. IOS XE 3.x: Management Interface, IOSd (Features Components), WCM, Hosted Apps (Wireshark), Module Drivers, Common Infrastructure / HA, Linux Kernel.]
IOS-XE
• Modern IOS to enable multi-core CPUs
• Easy customer migration
• While maintaining IOS functionality and look and feel
• Allows hosted applications like Wireshark
Release Guidelines
• Extended Maintenance (EM) and Standard Maintenance (SM)
• Two feature releases every year, alternating between SM and EM
SM Rebuilds
• Total 3 rebuilds spanned over 18 months.
• Last rebuild is PSIRT only.
EM Rebuilds
• Total 9 rebuilds spanned over 44 months.
• Last 2 rebuilds are PSIRTs only.
[Figure: 3.x/15.x release sequence shown as SM, SM, EM, SM, EM, EM]
IOS-XE 3.6.0E/15.2(2)E (Amur) Software Release: C4K (SUP8, 7, 6, 4500-X, 49xx), C3K (3850, 3650, X, C), C2K (2960S, FE, X, XR, C), WLC5760
Shipping: Complete Govt. Certification, One Combined Release, Extended Maintenance
One Policy, One Management, One Network
• Policy: ISE 1.2/1.3
• Manageability: Prime 2.1, WEBGUI, MSE 8.0
• BYOD & Mobility: Service Discovery Gateway Ph 2, Device Profiling for Wired/Wireless
• Application Experience: AVC Wireless on AP Ph II (QoS tie-in with Policy), Medianet on 3850/3650 (Wired)
• IT Simplicity: Interface Template, Auto-conf, Plug & Play Agent
• Infrastructure: New APs (AP2700, AP700I, AP700W, AP1530); Optics: Active/Passive SFPs CX1, Active SFP
3850/3650 Wired Feature Parity with 3750-X
3.3.0SE (Shipping)
Core
• HSRPv2
• 9 member stack
• QoS Enh
Software Services
• Security: SGT/SGACL, Critical Voice VLAN, SXP/SXP2 Enhancements
• BYOD: Service Discovery Gateway (wired & wireless), Wired Guest Access
• IT Simplicity: Wireshark (wired & wireless)
Compliance
• FIPS & Common Criteria
• UCAPL (DoD/JITC)
Other
• 10G DWDM SFP+, ZR (3.3.3SE rebuild, Target CCO: 4/30/14)
3.6.0E (Shipping)
Core
• VRRPv3, IPv6 VRFs
• IPv6 Multicast Routing
• QinQ/L2PT
Software Services
• Security: Device Sensor
• AVC: Medianet (Perf Mon, Mediatrace, Metadata)
• EW: EnergyWise Parity
Compliance
• FIPS & Common Criteria
• UCAPL & USGv6
Other
• Extended Maint
• Active/Passive SFP/SFP+ Optical Cables
3.7.0E - EC (Q4CY14)
Core
• PVLAN
• XPS Power supply, IPv6 FHS Ph II, Etherchannel support for IPv6 FHS
Software Services
• Security: MACsec uplink (sw-2-sw)
• AVC: Medianet (Metadata QoS)
CY15 Roadmap
Core
• CoPP
• BFD, REP, MVR
• Smart Call Home
• Embedded Syslog manager
Software Services
• Security: MACsec downlink (sw-2-host)
• AVC: Medianet (IP SLA VO)
IOS-XE 3.6.0E / IOS 15.2(2)E Release
Shipping. Last release for Sup6E/L-E, 2960S/SF, 2K/3K Gig compact.
Wired Features
Infrastructure
• Active and Passive CX1 SFP, Active CX1 SFP+
• Sup8-E wired feature parity w/ SUP7E (except IPv6 PBR)
• Migration enablers for 3850 & 3650* (see next slide for details)
• TDR in LAN Base (4K, parity with 3K), WCCP in IP Base (3K), IPv6 PIM in IP Lite (2960XR)
Layer 3
• IPv6 VRF (Sup8E, 3850/3650)
• IPv6 uRPF, IPv6 PBR (3850/3650)
• IPv4 & IPv6 SDM Templates (3850/3650)
• VRRPv3 (Sup8E, 3850/3650)
IT Simplicity
• PnP Agent, PnP Smart Install Proxy
• Smart Install Client (4K)
• Auto Conf and Interface Templates
• Easy VSS, Auto Secure
Services
• Device Sensor w/ ISE – Wired & Wireless
• Service Discovery Gateway Ph II (Location, Static service, HA)
• IPv4 FQDN ACL, Secure CDP, IPv6 CTS, Bidir SXP
Application Experience
• Medianet on 3850 & 3650 (Perf Mon, Mediatrace, Metadata)
Wireless Features
Infrastructure
• New AP Support: AP700I, AP700W, AP2700
• Outdoor AP1530 series (Centralized Mode Only)
Mobility Services
• AVC-Wireless Ph II (QoS tie-in with Policy)
• Service Discovery Gateway Ph II (location, static service)
• Device Sensor (Policy Classification Engine)
Interop
• Prime 2.1, ISE 1.2/1.3, MSE 8.0
Compliance for Wired and Wireless
• Wired & Wireless FIPS 140-2, CC, UCAPL
New Hardware Support
Cisco Aironet 2700 Access Point Series
• Starts at $1,095 list price
• 3x4 MIMO: 3 SS 802.11ac AP
• 3x performance of 802.11n
• RF Excellence enabled in hardware
• HDX Technology
• 2 GigE ports
• Downstream device support only
Aironet 2700 Series: shipping now with CUWN 7.6 MR2 and IOS XE 3.6 (Amur)
Cisco Aironet 1530 Outdoor N Access Point Series
Ultra compact and flexible for Enterprise and Service Provider
• Ideal for campus coverage between buildings, seamless indoor to outdoor to indoor roaming
• Small and ruggedized IP67 design for outdoors
• Innovative flexible port architecture: dual or single band external antenna configuration via software
• Only supported in Centralized AP mode (no support for Mesh mode)
Cisco Aironet 700W N Access Point Series
Wall mount, dual radio with 4 (four) integrated GbE ports
• Target: hospitality, dorm, multi dwelling
• Enterprise class RF performance, integrated antennas, dual radio 2x2:2
• 4x GbE local ports with 1x PoE out
• Sleek design in a small form factor (6 x 4 x 1.5 in)
• Purpose-built bracket for ease of mounting to numerous wall-box standards
• Physical security enhancements: Torx screw or Kensington lock
• Only supported in AP mode (no support for Mesh mode)
2960-X Fan Less Model
• Silent operation: co-locate with end users
• First 8 ports PoE/PoE+ (110W PoE budget)
• 4 uplink ports: 2 * SFP + 2 * 1G BT
• LAN Base only, non-stackable
[Figure: chassis view with front vents, heat sinks and top vents labelled]
The NEW Catalyst 3850 Fiber Switches
Converged Access Portfolio strengthened with the new 3850 Fiber switches
Key Benefits
• 12 and 24 port 1G Fiber SKUs
• 2x10G or 4x1G uplinks
• Built on UADP ASIC
• Integrated Mobility Controller
• StackPower
• Stackable with 3850 Access switches
Licensing Options: IP Base and IP Services
Compliance & Certifications
Compliance – Catalyst 2K, Compact, 3K-X, 3850, 3650, 5760
Columns: Products | Certified | In Progress with 3.6.0E. The slide has four row groups, one per certification; the certification labels did not survive extraction, and where a row kept only one value its column is not recoverable.
Group 1
2960S/SF, 2960X/XR | 2960S/SF | All
2960C, 3560C | All | All
3K-X, 3K-X UPoE | 3K-X | All
Wired & Wireless: 3850, 3650, 3850-UPoE, 5760 | All
Group 2
2960S/SF, 2960X/XR | 2960S/SF | All
2960C, 3560C | 2960C, 3560C | All
3K-X, 3K-X PoE | 3K-X | All
Wired & Wireless: 3850, 3650, 3850-UPoE, 5760 | All
Group 3
2960S/SF, 2960X/XR | 2960S/SF | All
2960C, 3560C | 3560C | All
3K-X, 3K-X PoE | 3K-X | All
Wired & Wireless: 3850, 3650, 3850-UPoE, 5760 | All
Group 4
2960S/SF, 2960X/XR | 2960S/SF | 2960X/R
2960C, 3560C | All
3K-X, 3K-X PoE | All
Wired & Wireless: 3850, 3650, 3850-UPoE, 5760 | 3850, 3850-UPoE | 3650
Legend: Certified, NA = Not Applicable, Not Certified
Compliance – Catalyst 4500E/X, 49xx Series Switches
Columns: Product | Currently Certified | In Progress with 3.6.0E. The slide has four row groups, one per certification; the certification labels did not survive extraction, and where a row kept only one value its column is not recoverable.
Group 1
Sup2, Sup4, Sup5, Sup6E, Sup6LE | Sup2, Sup4, Sup5
Sup7E, Sup7LE, 4500X | Sup7E, 7LE, 4500X | All
Sup8E | Sup8E (Wired)
49xx | 4900M, 4948E, 4948EF
Group 2
Sup2, Sup4, Sup5, Sup6E, Sup6LE |
Sup7E, Sup7LE, 4500X | Sup7E, 7LE, 4500X | All
Sup8E | Sup8E (Wired)
49xx |
Group 3
Sup2, Sup4, Sup5, Sup6E, Sup6LE | Sup6E, Sup6LE
Sup7E, Sup7LE, 4500X | Sup7E, 7LE, 4500X | All
Sup8E | Sup8E (Wired)
49xx |
Group 4
Sup2, Sup4, Sup5, Sup6E, Sup6LE | Sup6E, Sup6LE
Sup7E, Sup7LE, 4500X | Sup7E, 7LE, 4500X
Sup8E | Sup8E (Wired)
49xx | 4900M, 4948E, 4948EF
Legend: Certified, NA = Not Applicable, Not Certified
Feature Details: SIMPLICITY!
Easy VSS
Problem with Traditional VSS Configuration
• Up to 30 lines
• Configuration on both Active & Standby
• Error prone
• Version mismatch: more manual tasks
[Figure: Easy VSS pair connected by Multi-Chassis EtherChannel to two access switches]
Easy VSS Configuration
• 1 line: ‘switch convert mode easy-vss’
• Zero touch on Standby (no config needed)
• Mismatch discovery & fix
• Needs L3 reachability to the pair for communication
• Option to choose the VSL link
[Figure: Easy VSS pair connected by Multi-Chassis EtherChannel to two access switches]
#(easy-vss)#VSL ?
Local Interface      Remote Interface       Hostname   Standby-IP
GigabitEthernet3/5   TenGigabitEthernet1/1  4K-DEMO    2.2.2.4
GigabitEthernet3/6   TenGigabitEthernet1/2  4K-DEMO    2.2.2.4
GigabitEthernet3/7   TenGigabitEthernet1/1  4K-DEMO2   2.2.2.5
Easy VSS
Traditional VSS Config
Switch 1
Switch-1(config)# switch virtual domain 100
Switch-1(config-vs-domain)# switch 1
Switch-1(config-vs-domain)# exit
Switch-1(config)# interface port-channel 10
Switch-1(config-if)# switchport
Switch-1(config-if)# switch virtual link 1
Switch-1(config-if)# no shutdown
Switch-1(config-if)# exit
Switch-1(config)# interface range tengigabitethernet 3/1-2
Switch-1(config-if-range)# channel-group 10 mode on
Switch-1# switch convert mode virtual
Switch 2
Switch-2(config)# switch virtual domain 100
Switch-2(config-vs-domain)# switch 2
Switch-2(config-vs-domain)# exit
Switch-2(config)# interface port-channel 20
Switch-2(config-if)# switchport
Switch-2(config-if)# switch virtual link 2
Switch-2(config-if)# no shutdown
Switch-2(config-if)# exit
Switch-2(config)# interface range tengigabitethernet 5/2-3
Switch-2(config-if-range)# channel-group 20 mode on
Switch-2# switch convert mode virtual
Easy VSS Config
Switch 1
Switch-1# switch convert mode virtual
#(easy-vss)#VSL Te3/1 Te3/2
Switch 2
Switch-2(config)#   (nothing to configure on the standby)
AutoSecure
Auto Secure
Generally Applied Security Configuration
• 3 simple security features
  • DHCP Snooping
  • Dynamic ARP Inspection
  • Port Security
• Several lines of configuration
• Difficult to validate
Auto Security – Features Enabled
• DHCP Snooping
  Globally:
    ip dhcp snooping
    ip dhcp snooping vlan 2-4094
    no ip dhcp snooping information option
  Per Access Port:
    ip dhcp snooping limit rate 100
  Per Trunk Port:
    ip dhcp snooping trust
• Dynamic ARP Inspection
  Globally:
    ip arp inspection vlan 2-4094
  Per Access Port:
    ip arp inspection limit rate 100
  Per Trunk Port:
    ip arp inspection trust
• Port Security
  Per Access Port:
    switchport port-security
    switchport port-security maximum 2
    switchport port-security maximum vlan access 1
    switchport port-security maximum vlan voice 1
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity
  Per Trunk Port:
    switchport port-security maximum 100
    switchport port-security violation restrict
Auto Secure
Auto Security Config
• 1 line: ‘auto security’
• Uplinks & downlinks
• Global & per-port option
• The global config enables it on all ports as well
• Based on the port mode (access or trunk), it applies the host config or the uplink config
Auto Secure – Actual Config & show Commands
auto security
!
interface GigabitEthernet3/3
 description Connected to wired PC
 switchport access vlan 11
 switchport mode access
 auto security-port host
!
interface TenGigabitEthernet1/1
 description Trunk Port
 switchport mode trunk
 auto security-port uplink
Switch#sh auto security configuration
%AutoSecure provides a single CLI config 'auto secure'
to enable Base-line security Features like
DHCP snooping, ARP inspection and Port-Security
Auto Secure CLIs applied globally:
---------------------------------
ip dhcp snooping
ip dhcp snooping vlan 2-1005
no ip dhcp snooping information option
ip arp inspection vlan 2-1005
ip arp inspection validate src-mac dst-mac ip
Auto Secure CLIs applied on Access Port:
----------------------------------------
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
Auto Secure CLIs applied on Trunk Port:
--------------------------------------
ip dhcp snooping trust
ip arp inspection trust
switchport port-security maximum 100
switchport port-security violation restrict
switchport port-security
Switch#sh auto security
Auto Secure is Enabled globally
AutoSecure is Enabled on below interface(s):
--------------------------------------------
TenGigabitEthernet1/1
GigabitEthernet3/1
GigabitEthernet3/3
GigabitEthernet3/4
GigabitEthernet3/5
GigabitEthernet3/6
Switch#
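As an added example (not Cisco's code and not part of the deck), the following Python script audits a running-config against the Auto Secure baseline listed in the show output above, treating the one-line 'auto security' and 'auto security-port host/uplink' forms as satisfying the baseline; the sample running-config is constructed.

```python
"""Audit an IOS running-config against the Auto Secure baseline.
Added example, not Cisco code: the command lists mirror the
'show auto security configuration' output on the slide, and the
sample running-config below is constructed."""

GLOBAL_REQUIRED = [
    "ip dhcp snooping", "ip dhcp snooping vlan 2-1005",
    "no ip dhcp snooping information option",
    "ip arp inspection vlan 2-1005",
    "ip arp inspection validate src-mac dst-mac ip",
]
ACCESS_REQUIRED = [
    "switchport port-security maximum 2",
    "switchport port-security maximum 1 vlan access",
    "switchport port-security maximum 1 vlan voice",
    "switchport port-security violation restrict",
    "switchport port-security aging time 2",
    "switchport port-security aging type inactivity",
    "switchport port-security",
    "ip arp inspection limit rate 100", "ip dhcp snooping limit rate 100",
]
TRUNK_REQUIRED = [
    "ip dhcp snooping trust", "ip arp inspection trust",
    "switchport port-security maximum 100",
    "switchport port-security violation restrict", "switchport port-security",
]
# One-line forms that make the switch derive the lines above by itself:
# global 'auto security' enables all ports; the per-port forms cover one port.
GLOBAL_ONE_LINER = "auto security"
PORT_ONE_LINERS = {
    "switchport mode access": ("auto security-port host", ACCESS_REQUIRED),
    "switchport mode trunk": ("auto security-port uplink", TRUNK_REQUIRED),
}

def parse_config(text):
    """Split a running-config into global commands and per-interface command
    lists; IOS indents interface sub-commands and separates blocks with '!'."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces

def audit(text):
    """Return {"global": [missing...], "<interface>": [missing...]}.
    Ports without an explicit 'switchport mode' are skipped because their
    role (host or uplink) cannot be judged from the config alone."""
    global_cmds, interfaces = parse_config(text)
    if GLOBAL_ONE_LINER in global_cmds:
        return {}
    findings = {}
    missing = [c for c in GLOBAL_REQUIRED if c not in global_cmds]
    if missing:
        findings["global"] = missing
    for name, cmds in interfaces.items():
        for mode, (one_liner, required) in PORT_ONE_LINERS.items():
            if mode in cmds and one_liner not in cmds:
                missing = [c for c in required if c not in cmds]
                if missing:
                    findings[name] = missing
    return findings

# Constructed sample: DAI validation missing globally, Gi3/3 covered by the
# one-liner, Gi3/4 configured by hand and incomplete, Te1/1 unprotected.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 2-1005
no ip dhcp snooping information option
ip arp inspection vlan 2-1005
!
interface GigabitEthernet3/3
 switchport mode access
 auto security-port host
!
interface GigabitEthernet3/4
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 ip dhcp snooping limit rate 100
!
interface TenGigabitEthernet1/1
 switchport mode trunk
"""
```

Run `audit(SAMPLE_CONFIG)` to get the missing baseline lines per target; an empty dict means the config matches the baseline.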
Interface Templates
Auto Conf and Interface Template
Current Challenges
• Port based only
• Usability / bloated config
• Inflexible
Next Gen Auto Smart Port
Easy to use & intuitive
• Simplified running-config
• Parsed at definition time
• Built-in templates
Lower TCO
• Config rollback
• Precedence management
• Integrated with session aware networking
Auto conf – Use case
[Figure: access switch with ports to compact switches S1, S2, S3 and S4, an access point and phones P1, P2, P4; interface-templates are applied to the switch and AP ports, service-templates to the phone sessions]
Interface-template for S1, S2, S3:
switchport trunk encapsulation dot1q
switchport trunk allowed vlan ALL
switchport mode trunk
switchport nonegotiate
auto qos voip trust
mls qos trust cos
srr-queue bandwidth limit $LIMIT
Interface-template for S4:
auto qos voip trust
switchport trunk encapsulation dot1q
switchport trunk allowed vlan ALL
switchport mode trunk
Service-templates for the phone sessions:
vlan 100
access-group corp
inactivity 300
vlan 200
access-group corp
service-policy corp
Interface Templates
• Activated on INTERFACES
• Auto-conf one network device per port, e.g. switch or AP
• Impacts all the traffic exchanged via that interface
• Stays ON as long as activated
Service Templates
• Activated on NETWORK SESSIONS
• No impact on other sessions sharing that port
• Stays ON as long as the session exists
Platforms supported: 4K/3K/2K/Compact
Interface Templates
• Easy to build, modify and troubleshoot
• Simplify the running config (before / after)
Apply the built-in template; the running-config keeps only the one-line reference:
3750X(config-if)# source template DMP_INTERFACE_TEMPLATE
3750X(config-if)# end
3750X# show run interface Gig 1/0/10
Building configuration...
Current configuration : 79 bytes
!
interface GigabitEthernet1/0/10
 source template DMP_INTERFACE_TEMPLATE
end
The expanded configuration the port actually runs is shown by show derived-config:
3750X# show derived-config interface Gig 1/0/10
Derived configuration : 249 bytes
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport block unicast
 switchport port-security
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast
 spanning-tree bpduguard enable
end
Interface Templates Benefits Overview
Config file readability and manageability
• Smaller configuration files
• Built-in interface templates for ease of use
• All interface templates are customizable
Advantages over Auto Smart Ports
• Template updates immediately ripple to interfaces
• Per session or per port templates
• No change to running-config
• Full rollback and precedence management
• Compatible with Session Networking/AutoConf
Interface Templates: Built-in Templates
11 built-in templates based on common end devices, with good defaults
3750X# show template interface brief
Template-Name                    Source    Bound-to-Interface
-------------                    ------    ------------------
AP_INTERFACE_TEMPLATE            Built-in  No
DMP_INTERFACE_TEMPLATE           Built-in  No
IP_CAMERA_INTERFACE_TEMPLATE     Built-in  No
IP_PHONE_INTERFACE_TEMPLATE      Built-in  No
LAP_INTERFACE_TEMPLATE           Built-in  No
MSP_CAMERA_INTERFACE_TEMPLATE    Built-in  No
MSP_VC_INTERFACE_TEMPLATE        Built-in  No
PRINTER_INTERFACE_TEMPLATE       Built-in  No
ROUTER_INTERFACE_TEMPLATE        Built-in  No
SWITCH_INTERFACE_TEMPLATE        Built-in  No
TP_INTERFACE_TEMPLATE            Built-in  No
Interface Templates: Summary
• Similar to Nexus Port Profiles
• Easy
• Intuitive
• Reduces configuration file size
AutoConf
AutoConf Benefits Overview
• Automates interface templates
• Combines user sessions and interface sessions into one architecture
• AutoConf is flexible (see Gumby)
• No impact to the running configuration
• Easy to enable
Autoconf – Campus Use case
[Figure: the same access switch topology as in the Auto conf use case above, with interface-templates on the compact switch and AP ports and service-templates on the phone sessions]
Interface Templates
• Activated on INTERFACES
• Auto-conf the network device (one per port), e.g. switch or AP
• The template impacts all the traffic via that interface
• Stays ON as long as activated
Service Templates
• Activated on NETWORK SESSIONS
• The template impacts only the control or data packets of the session
• No impact on other sessions sharing the port
• Stays ON as long as the session exists
AutoConf – Interface Templates relationship
• Templates are the foundation for AutoConf
• Templates can work without AutoConf
• AutoConf requires templates
AutoConf: the Basics
• To enable AutoConf globally: “autoconf enable”
• Built-in policy map & built-in parameter map
  • The built-in parameter map BUILTIN_DEVICE_TO_TEMPLATE is auto generated
  • Not shown in the running configuration unless modified
• Based on templates (interface and service)
• Maps device type to interface template automatically
• By default uses the built-in interface templates (see previous section)
AutoConf: default Hierarchy
[Figure: container relationship. The AutoConf policy BUILTIN_AUTOCONF_POLICY identifies the parameter map; the parameter map holds the mappings of device type A to interface template X, device type B to interface template Y and device type C to interface template Z. All built-in by default.]
3750X# show policy-map type control subscriber BUILTIN_AUTOCONF_POLICY
BUILTIN_AUTOCONF_POLICY
  event identity-update match-all
    10 class always do-until-failure
      10 map attribute-to-service table BUILTIN_DEVICE_TO_TEMPLATE
3750X# show parameter-map type subscriber attribute-to-service all
Parameter-map name: BUILTIN_DEVICE_TO_TEMPLATE
 Map: 10 map device-type regex "Cisco-IP-Phone"
  Action(s):
   20 interface-template IP_PHONE_INTERFACE_TEMPLATE
 Map: 20 map device-type regex "Cisco-IP-Camera"
  Action(s):
   20 interface-template IP_CAMERA_INTERFACE_TEMPLATE
 Map: 30 map device-type regex "Cisco-DMP"
  Action(s):
   20 interface-template DMP_INTERFACE_TEMPLATE
(first three entries; the full default map follows on the next slide)
AutoConf: default parameter map
Parameter Map: the brains behind AutoConf
• Role: maps device-type to interface template
• BUILTIN_DEVICE_TO_TEMPLATE
  • Automatically created when AutoConf is enabled
  • Not shown in running-config unless modified
  • Easy to modify
• Ways to map a device to a template:
  device-type   specify device-type
  mac-address   specify mac-address
  oui           specify oui
  user-role     specify user-role
  username      specify username
3750X# show parameter-map type subscriber attribute-to-service all
Parameter-map name: BUILTIN_DEVICE_TO_TEMPLATE
 Map: 10 map device-type regex "Cisco-IP-Phone"
  Action(s):
   20 interface-template IP_PHONE_INTERFACE_TEMPLATE
 Map: 20 map device-type regex "Cisco-IP-Camera"
  Action(s):
   20 interface-template IP_CAMERA_INTERFACE_TEMPLATE
 Map: 30 map device-type regex "Cisco-DMP"
  Action(s):
   20 interface-template DMP_INTERFACE_TEMPLATE
 Map: 40 map oui eq 00.0f.44
  Action(s):
   20 interface-template DMP_INTERFACE_TEMPLATE
 Map: 50 map oui eq 00.23.ac
  Action(s):
   20 interface-template DMP_INTERFACE_TEMPLATE
 Map: 60 map device-type regex "Cisco-AIR-AP"
  Action(s):
   20 interface-template AP_INTERFACE_TEMPLATE
 Map: 70 map device-type regex "Cisco-AIR-LAP"
  Action(s):
   20 interface-template LAP_INTERFACE_TEMPLATE
 Map: 80 map device-type regex "Cisco-TelePresence"
  Action(s):
   20 interface-template TP_INTERFACE_TEMPLATE
 Map: 90 map device-type regex "Surveillance-Camera"
  Action(s):
   10 interface-template MSP_CAMERA_INTERFACE_TEMPLATE
 Map: 100 map device-type regex "Video-Conference"
  Action(s):
   10 interface-template MSP_VC_INTERFACE_TEMPLATE
AutoConf In Action: Dynamic Binding to Interface (1)
After an IP phone is connected to interface Gi1/0/2 there is no change to the running configuration: show run int <intf> shows nothing.
3750X# show run interface gi1/0/2
Current configuration : 38 bytes
!
interface GigabitEthernet1/0/2
end
AutoConf In Action: Dynamic Binding to Interface (2)
After the IP phone is connected to Gi1/0/2, show run int <intf> still shows nothing, while the full configuration is displayed with the derived command show derived int <intf>.
3750X# show run interface gi1/0/2
Current configuration : 38 bytes
!
interface GigabitEthernet1/0/2
end
3750X# show derived int gi1/0/2
Derived configuration : 616 bytes
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport block unicast
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 switchport port-security violation restrict
 switchport port-security
 load-interval 30
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 15
end
AutoConf In Action: Dynamic Binding to Interface (3)
Which template is bound to the interface? Use show template interface binding or show template binding.
3750X# show template interface binding all
Template-Name                 Source    Method   Interface
-------------                 ------    ------   ---------
IP_PHONE_INTERFACE_TEMPLATE   Built-in  dynamic  Gi1/0/2
3750X# show template binding target gi1/0/2
Interface Templates
===================
Interface: Gi1/0/2
Method   Source    Template-Name
------   ------    -------------
dynamic  Built-in  IP_PHONE_INTERFACE_TEMPLATE
Service Templates
=================
Interface: Gi1/0/2
Session   Source   Template-Name
-------   ------   -------------
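As an added example that is not part of the deck or of Cisco's software, the following Python code ties the default parameter map and the dynamic binding slides together: it parses the parameter-map show output, resolves which template AutoConf would bind for a device's device-type or MAC OUI, and renders the derived interface config as seen for Gi1/0/2. Assumptions (not stated on the slides): maps are tried in sequence order and the first match wins, regex matches are unanchored, and only the IP_PHONE and DMP template bodies (copied from the derived-config outputs above) are included; the show-output excerpt is constructed.

```python
"""Resolve the interface template AutoConf binds for a device and render the
derived interface config. Added example, not Cisco code. PARAM_MAP_OUTPUT is a
constructed excerpt of the default map shown on the slides; TEMPLATES holds
only the IP_PHONE and DMP bodies, copied from the derived-config outputs above.
Assumed (not stated on the slides): maps are tried in sequence order and the
first match wins, and 'regex' matches are unanchored like IOS regexes."""
import re

PARAM_MAP_OUTPUT = """\
Parameter-map name: BUILTIN_DEVICE_TO_TEMPLATE
 Map: 10 map device-type regex "Cisco-IP-Phone"
  Action(s):
   20 interface-template IP_PHONE_INTERFACE_TEMPLATE
 Map: 30 map device-type regex "Cisco-DMP"
  Action(s):
   20 interface-template DMP_INTERFACE_TEMPLATE
 Map: 40 map oui eq 00.0f.44
  Action(s):
   20 interface-template DMP_INTERFACE_TEMPLATE
 Map: 60 map device-type regex "Cisco-AIR-AP"
  Action(s):
   20 interface-template AP_INTERFACE_TEMPLATE
"""
TEMPLATES = {
    "IP_PHONE_INTERFACE_TEMPLATE": [
        "switchport mode access", "switchport block unicast",
        "switchport port-security maximum 3",
        "switchport port-security maximum 2 vlan access",
        "switchport port-security aging time 1",
        "switchport port-security aging type inactivity",
        "switchport port-security violation restrict", "switchport port-security",
        "load-interval 30", "srr-queue bandwidth share 1 30 35 5",
        "priority-queue out", "mls qos trust cos",
        "storm-control broadcast level pps 1k", "storm-control multicast level pps 2k",
        "storm-control action trap", "spanning-tree portfast",
        "spanning-tree bpduguard enable", "ip dhcp snooping limit rate 15",
    ],
    "DMP_INTERFACE_TEMPLATE": [
        "switchport mode access", "switchport block unicast",
        "switchport port-security", "srr-queue bandwidth share 1 30 35 5",
        "priority-queue out", "mls qos trust dscp",
        "spanning-tree portfast", "spanning-tree bpduguard enable",
    ],
}
MAP_RE = re.compile(r'Map:\s+(\d+)\s+map\s+(\S+)\s+(regex|eq)\s+"?([^"\s]+)"?')
ACTION_RE = re.compile(r"\d+\s+interface-template\s+(\S+)")

def parse_parameter_map(text):
    """Return [(seq, attribute, operator, value, template), ...] in sequence order."""
    maps, current = [], None
    for line in text.splitlines():
        m = MAP_RE.search(line)
        if m:
            seq, attr, op, value = m.groups()
            current = [int(seq), attr, op, value, None]
            maps.append(current)
            continue
        a = ACTION_RE.search(line)
        if a and current is not None:
            current[4] = a.group(1)  # the action line names the template
    return sorted((tuple(r) for r in maps), key=lambda r: r[0])

def mac_oui(mac):
    """Normalise 00:0F:44:12:34:56 or 000f.4412.3456 to the IOS OUI form 00.0f.44."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ".".join(digits[i:i + 2] for i in range(0, 6, 2))

def resolve_template(maps, device_type=None, mac=None):
    """First map whose attribute matches the device wins; None if nothing matches."""
    attrs = {"device-type": device_type, "oui": mac_oui(mac) if mac else None}
    for _seq, attr, op, value, template in maps:
        actual = attrs.get(attr)
        if actual is None:
            continue
        if (op == "regex" and re.search(value, actual)) or (op == "eq" and value == actual):
            return template
    return None

def derived_config(interface, template):
    """Render what 'show derived-config interface' shows once the template is bound."""
    return "\n".join(["interface " + interface]
                     + [" " + cmd for cmd in TEMPLATES[template]] + ["end"])
```

With the map parsed from PARAM_MAP_OUTPUT, a device profiled as Cisco-IP-Phone resolves to IP_PHONE_INTERFACE_TEMPLATE and a MAC in the 00.0f.44 OUI resolves to DMP_INTERFACE_TEMPLATE, even when its device-type would also match a later map entry.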
Policy Classification Engine
Wired Wireless Policy Classification Engine
• Integrated on 5760, 3850, 3650
• No separate server/license required
• Ability to classify 237 device profiles
  • Apple iPhone, Apple iPad, Windows XP, Windows 7/8, Samsung Galaxy S3, iOS 5.1/6, Ice Cream Sandwich, Jelly Bean
• Policy Actions
  • Prioritize, drop traffic
[Figure: classification inputs on the WLC (RADIUS Auth, AD memberOf = cisco-av-pair, Device Profiling, AVC) bound to actions. Device type, user role (cisco-av-pair: Faculty, Student) and application name (Voice, Video) bind to actions: Prioritize (QoS), Drop (ACL), Change VLAN (VLAN).]
Application Visibility & Control Wireless Only
Application Visibility and Control on Gen-2 AP for wireless clients
[Figure: Gen2 AP with NBAR2 Engine (16) and NBAR2 Protocol Pack (8); upstream SSID marking and policing, upstream client marking and policing, upstream drop, downstream SSID marking and policing, downstream client marking and policing]
• Updated NBAR2 Engine and Protocol Pack
• Ability to support Microsoft Lync 2013, Jabber, Dropbox and many more…
Note: AVC is not supported on legacy Gen-1 platforms or on APs with low memory such as AP700I and AP700W
Role Based Application Policy
• Alice & Bob are both employees connected to the same SSID. Bob can access certain applications but Alice cannot.
Device Based Application Policy
• Alice can access an application on a (company issued) Windows laptop but not on a (personal) iPad on the same WLAN
Key Takeaways
Key Takeaways
• One combined, Extended Maintenance release for Cat2K/3K/4K/WLC5760
• Rich software services: IT simplicity, Mobility, Application Experience
• VSS support on Sup8-E
• Critical feature parity for Cat3850/3650
• Complete Government certifications (Wired & Wireless)
• Improved manageability
Simplicity
Plug-N-Play: Simplified Day 0 / Day 1 Provisioning
1. Network Admin pre-provisions projects/sites: policies, match rules, configs/image, IP addressing
2. Remote installer mounts and cables the devices and powers them on
3. Booting devices call out to the PnP Server, requesting instructions; the Network Admin remotely monitors the status of the install while it is in progress
[Figure: Campus-Bldg-2 with a Smart Install Proxy / PnP Agent switch, Smart Install Client / PnP Agent switches and further PnP Agent devices reaching the PnP Server on APIC EM]
Thank you.