There are three 1572 models:
- Cisco Aironet 1572IC—Internal Antennas with cable modem
- Cisco Aironet 1572EC—External Antennas with cable modem
- Cisco Aironet 1572EAC—External Antennas, AC-powered model
The AP1572 highlights include:
- Most advanced carrier-grade outdoor Wi-Fi AP.
- Dual-band 2.4 and 5 GHz with 802.11ac Wave 1 support on the integrated 5 GHz radio.
- Maximum radiated RF power allowed by law.
- High Density Experience (HDX):
- Cisco CleanAir 2.0 technology provides integrated spectrum intelligence for a self-configuring and self-healing network on 80 MHz channels.
- ClientLink 3.0 improves reliability and coverage for legacy 802.11n and 802.11ac data rates.
- Optimized Roaming to allow clients to join the optimal access point.
- Turbo performance which uses Cisco ASIC design to maximize radio performance.
- Improved 802.11ac range and performance with 4x4:3 multiple-input multiple-output (MIMO) technology.
- 1.3 Gbps (5 GHz) 802.11ac data rates.
- Cisco Flexible Antenna Port technology.
- DOCSIS 3.0 / EuroDOCSIS / JapanDOCSIS 3.0, 24x8 hybrid fiber-coaxial (HFC) cable modem option.
- Improved radio sensitivity and range performance with four antenna MIMO and three spatial streams.
- Multiple uplink options (Gigabit Ethernet 10/100/1000BASE-T, fiber SFP, cable modem).
- Power: AC, DC, Cable, UPOE, PoE-Out (802.3at).
- 4G LTE coexistence.
- NEMA Type 4X certified enclosure.
- Module option: Investment protection and future proofing.
- Low visual profile design.
- Unified or autonomous operation.
You can read more in the Aironet 1570 Deployment Guide here:
Watch this video for an overview on Cisco Digital Network Architecture.
Raakhee Mistry (Marketing Manager, with Cisco for over 12 years in product management, partner program and solutions marketing roles) collected the responses of different audiences to Cisco Digital Network Architecture. She pointed out that analysts agree Cisco DNA is a game changer: the new Cisco DNA is a game changer for the digital era.
Cisco DNA is short for Digital Network Architecture. The Cisco Digital Network Architecture is a platform that gives customers both a roadmap to digitization and a path to realizing immediate benefits from network automation, assurance and security. Cisco released it at Cisco Partner Summit 2016.
Cisco DNA complements Cisco’s market leading, data center based Application Centric Infrastructure (ACI) technology by extending the policy driven approach and software strategy throughout the entire network: from campus to branch, wired to wireless, core to edge.
Cisco DNA is delivered within the Cisco ONE Software family, enabling simplified software-based licensing, and helping with investment protection and flexibility.
The IT networking industry continues to demand knowledgeable professionals to help manage, secure and optimize network infrastructure. Networking jobs can be found worldwide in exciting industries such as fashion, sports, and entertainment. Research indicates that a certification is second only to a four-year college degree as a way to qualify people for positions, and certifications were rated the top criterion for determining an applicant's qualifications.
Cisco Digital Network Architecture Benefits
- Insights. The network touches all things digital – users, devices, applications, sensors and cloud – and networking professionals are in a unique position to help their organizations capture insights in real time that allow businesses to make better decisions instantly and deliver better experiences.
- Automation. This area is centered on IT speed and simplicity. Today’s networking professionals are CLI jockeys, but that will offer less value as time goes on. The network is evolving to software with software-defined networking, open APIs, network function virtualization and more. These new technologies provide networking IT with unprecedented agility that helps IT deliver business requirements faster and can free up cycles to support more strategic projects for their organization.
- Security. While digital technologies have opened up new opportunities, they have also introduced a level of risk. As we see the proliferation of mobile devices and cloud adoption, the network perimeter is evolving and the attack surface has the potential to grow significantly. To combat that risk, networking professionals will be able to offer the business a new approach to inject security pervasively through the network, which can act as both a sensor and an enforcer against security threats.
Do you know the Cisco IP Phone registration and boot-up sequence and the issues related to them? The main issues in the SCCP and SIP phone registration process with CUCM have been shared before. In this article we will talk about IP PHONE REGISTRATION ISSUES.
Firstly, let’s understand what Cisco IP Phone Registration & Boot UP Sequence are.
Step 1: Phone Loads Software (Image) and Starts the Configuration Process
Step 2: a. Phone Sends DHCP Request
b. DHCP Server Sends DHCP Response
Step 3: a. Phone Sends TFTP Request for a Configuration File
b. TFTP Server Sends the Default Configuration File
Step 4: a. TFTP Server Sends the Specific Configuration File of the Phone
b. Phone Registration Finishes
FIRST UNDERSTAND THE BOOT-UP PROCESS, THEN TROUBLESHOOT ACCORDINGLY:
General Troubleshooting Sequence:
- Disable DHCP and DNS to Test a Phone
- Check for the Incorrect MAC Address on the Phone Label
- Cisco CallManager and TFTP Services Do Not Run
- Delete and Recreate a Phone
- Understand a Network Trace File
- Use Performance Monitor to Analyze Phone Activity
- Manually Configure the IP Parameters on a 12 SP+ or 30 VIP Phone
- Add Phones to Cisco CallManager
- Enable, Configure, and Disable Auto−Registration
- Manual Registration (Add an IP Phone Manually), etc.
THESE ISSUES COULD BE THERE:
- IP Phone Registration Toggles between Primary and Secondary CallManagers.
- Registration Rejected
- Cisco IP Phones show as not registered but seem to be working fine.
- Cisco IP Phones take too long to register.
- Cisco IP Phones always register to the Publisher server.
- The Cisco IP Phone screen shows "version error" when it tries to register.
- Cisco phones causing excessive DHCP requests.
See the Figure "CISCO IP Phone Boot UP Process" above.
Step 1: Phone Loads Software (Image) and Starts the Configuration Process:
During this step, these issues could be there,
* Registration with a Cisco CallManager server is successful only when the server adds the phone or when the server has Auto−Registration enabled. (The default for Auto−Registration is disabled.)
* Note: If the phone LCD screen does not light up, you could have a faulty phone. The phone also could be faulty if the message the phone displays never changes after you plug in the phone. Contact Cisco Technical Support to request a replacement if your phone is under warranty.
* If your phones do not use DHCP, see the Step 3a: Phone Sends TFTP Request for a Configuration File section of this document.
Step 2a: Phone Sends DHCP Request:
Issues that can arise during this step:
To check that DHCP is enabled on the phone itself, complete these steps on the Cisco 7940 and 7960:
1. Choose Settings.
2. Choose 3 (Network).
3. Scroll down to the DHCP Enabled parameter.
The selection must be Yes.
Complete these steps on the Cisco 7910:
1. Choose Settings.
2. Choose 6 (Network).
3. Scroll down to the DHCP Enabled parameter.
The selection must be Yes.
Complete these steps on the Cisco 12 SP+ and 30 VIP:
1. Enter **#.
2. Enter 1.
3. Set all parameters to zero (0).
Note: The Cisco 7910G supports only 10 Mbps, but the 7910G+SW supports 10/100 Mbps. If you have a 7910G, be sure to set the switch port that connects to the phone to 10 Mbps or Auto.
Any IP parameters that you have hard-coded on the phone override the parameters that the DHCP server provides. In particular, the Alternate TFTP Server option overrides the TFTP server IP address that DHCP provides. For information on how to reset your phone configuration to the original factory defaults, refer to this document:
- Resetting 7900 Series IP Phones to Factory Defaults
Step 2b: DHCP Server Sends DHCP Response:
The DHCP response contains the phone IP address and the IP address of the TFTP server (which is usually a Cisco CallManager server). The response can also contain any or all of these common options:
- IP address of the default router (gateway)
- IP address of the Domain Name System (DNS) server
- Domain name
- TFTP server IP address, carried in DHCP option 150
Step 3a: Phone Sends TFTP Request for a Configuration File:
- The phone requests a specific configuration file. The name of this file is SEP<MAC address>.cnf. For example, the file name for a phone with the MAC address 0030.94C2.D5CA is SEP003094C2D5CA.cnf. If the file exists on the Cisco CallManager server, see the Step 4a: TFTP Server Sends the Specific Configuration File of the Phone section of this document.
- If the phone is not in the Cisco CallManager database, the request for the specific configuration file results in a TFTP File Not Found response from the TFTP server. The phone then requests the file with the name SEPDEFAULT.cnf. If you have configured the Cisco CallManager server for Auto−Registration, this file exists and the server sends it to the phone. See the Step 3b: TFTP Server Sends the Default Configuration File section of this document.
Otherwise, the TFTP server of the Cisco CallManager server sends another File Not Found TFTP response. At this point, the phone restarts the configuration process.
Step 3b: TFTP Server Sends the Default Configuration File:
Note: This step only occurs if you have enabled Auto-Registration and the phone has not already registered with the Cisco CallManager server.
If you have configured the Cisco CallManager server for Auto-Registration, it sends the SEPDEFAULT.cnf file in response to the phone request. After the Cisco CallManager server database adds a phone by Auto-Registration, the phone has a SEP<MAC address>.cnf file and no longer references SEPDEFAULT.cnf.
Step 4a: TFTP Server Sends the Specific Configuration File of the Phone:
Note: This step only takes place if the phone creation occurred on the Cisco CallManager server. The configuration file contains several parameters for the phone. These include the device pool, the Cisco CallManager servers to use, configured speed dials, and other parameters. In general, any time you make a change in Cisco CallManager that requires the phone (device) to be reset, you have made a change to the phone configuration file.
Step 4b: Phone Registration Finishes:
The Cisco CallManager server sends the phone additional configuration elements during the final phases of the registration process.
In general, the registration process should complete successfully if it gets this far.
To learn what takes place at this point, you need to set up a network analyzer to capture the IP packets that the phone sends to and receives from the server.
7961G Phone Does Not Register Until It Is Configured as a 7961
IP phones CP−7961 and CP−7961G are basically the same platform. The G stands for global use that supports all languages.
So when you add a 7961G phone, you should add it as a regular 7961 phone. CP−7961G−GE is another IP phone with two gigabit Ethernet ports (10/100/1000).
If IP phone 7961G is added as 7961G−GE, it does not register with Cisco CallManager.
TASKS TO PERFORM:
Disable DHCP and DNS to Test a Phone
Check for the Incorrect MAC Address on the Phone Label
Cisco CallManager and TFTP Services Do Not Run
Delete and Recreate a Phone
Understand a Network Trace File
Use Performance Monitor to Analyze Phone Activity
Enable, Configure, and Disable Auto-Registration
Manual Registration (Add an IP Phone Manually)
By default, Cisco phones are DHCP-enabled. If you do not use DHCP, you need to disable DHCP on the phone and manually assign the phone an IP address. To disable DHCP on a phone, use the phone keypad to program the phone IP address and other network addresses.
Note: If you have your Cisco CallManager servers set up in a cluster, every server has the configuration files for every phone that is in the Publisher database. Therefore, any Cisco CallManager server can serve as a TFTP server for the phones. The device pools to which you have assigned the phones determine the server with which the phones register. A phone can obtain the configuration file from a different server than the server with which the phone registers.
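The sequence in Steps 2 through 4 can be modelled end to end. The Python below is an added example written for this page, not Cisco code: it parses the option area of a constructed DHCP reply, applies the rule that an Alternate TFTP Server hard-coded on the phone overrides what DHCP offered, derives the SEP<MAC address>.cnf file name from a MAC in any common notation, and models the CallManager TFTP server's three possible answers (the phone's specific file, SEPDEFAULT.cnf when Auto-Registration is enabled, or File Not Found, after which the phone restarts the configuration process). The server model, the sample option bytes and every class and function name are constructed for illustration; the preference of option 150 over option 66 is an assumption. The model also makes the trust problem visible: the phone goes to whatever TFTP server DHCP option 150 hands it, so a rogue DHCP server on the voice VLAN can redirect phones to a TFTP server of its choosing, which is one reason the DHCP snooping material on this page matters.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# DHCP option codes the phone cares about (RFC 2132; 150 is the Cisco TFTP list)
OPT_ROUTER, OPT_DNS, OPT_DOMAIN, OPT_TFTP_NAME, OPT_TFTP_CISCO, OPT_END = 3, 6, 15, 66, 150, 255

# Constructed option area of a DHCP reply: router 192.168.1.1, DNS 192.168.1.10,
# domain "example.com", option 150 listing 192.168.1.20 and 192.168.1.21, then END.
SAMPLE_DHCP_OPTIONS = bytes.fromhex(
    "0304c0a80101"
    "0604c0a8010a"
    "0f0b" + b"example.com".hex() +
    "9608c0a80114c0a80115"
    "ff"
)


def parse_dhcp_options(raw: bytes) -> Dict[int, object]:
    """Walk the TLV option area and decode the options used during phone boot.
    Malformed lengths raise rather than silently yielding a bogus server list."""
    out: Dict[int, object] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d has no length byte" % code)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        if code in (OPT_ROUTER, OPT_DNS, OPT_TFTP_CISCO):
            if length == 0 or length % 4:
                raise ValueError("option %d is not a list of IPv4 addresses" % code)
            out[code] = [str(ipaddress.IPv4Address(value[j:j + 4]))
                         for j in range(0, length, 4)]
        elif code in (OPT_DOMAIN, OPT_TFTP_NAME):
            out[code] = value.decode("ascii", "replace")
        i += 2 + length
    return out


def tftp_servers(options: Dict[int, object], alternate_tftp: Optional[str] = None) -> List[str]:
    """An Alternate TFTP Server hard-coded on the phone overrides what DHCP offered.
    Otherwise option 150 (address list) is used, falling back to option 66 (name);
    that ordering is an assumption of this model."""
    if alternate_tftp:
        return [alternate_tftp]
    servers = list(options.get(OPT_TFTP_CISCO, []))
    if not servers and OPT_TFTP_NAME in options:
        servers.append(options[OPT_TFTP_NAME])
    return servers


def sep_filename(mac: str) -> str:
    """'0030.94C2.D5CA', '00:30:94:c2:d5:ca' and '003094c2d5ca' all map to
    SEP003094C2D5CA.cnf, the per-phone file the phone asks the TFTP server for."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return "SEP%s.cnf" % digits.upper()


@dataclass
class CallManagerTftp:
    """Constructed model of the TFTP server's decision, not CallManager code."""
    known_phones: Set[str] = field(default_factory=set)  # MACs in the database
    auto_registration: bool = False                      # default is disabled

    def request(self, filename: str) -> Optional[str]:
        """Return the kind of file served, or None for TFTP File Not Found."""
        if filename == "SEPDEFAULT.cnf":
            return "default" if self.auto_registration else None
        if filename.startswith("SEP") and filename.endswith(".cnf"):
            if filename[3:-4] in self.known_phones:
                return "specific"
        return None

    def auto_register(self, mac: str) -> None:
        """After Auto-Registration the phone has its own SEP<MAC>.cnf."""
        self.known_phones.add(mac)


def boot(phone_mac: str, server: CallManagerTftp) -> str:
    """Steps 3a/3b/4a: ask for the specific file, then SEPDEFAULT.cnf, else restart."""
    specific = sep_filename(phone_mac)
    if server.request(specific) == "specific":
        return "registered (specific config)"
    if server.request("SEPDEFAULT.cnf") == "default":
        server.auto_register(specific[3:-4])
        return "auto-registered (default config)"
    return "restart configuration process"


if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_DHCP_OPTIONS)
    print("TFTP servers from DHCP:", tftp_servers(opts))
    print("TFTP with alternate set:", tftp_servers(opts, "10.0.0.5"))
    cm = CallManagerTftp(known_phones={"003094C2D5CA"})
    print(boot("0030.94C2.D5CA", cm))
    print(boot("00:11:22:33:44:55", cm))
```

Run against a real capture, replace SAMPLE_DHCP_OPTIONS with the option area of the DHCP OFFER the phone actually received; if the TFTP addresses printed are not your CallManager servers, the phone's problem is on the DHCP side, not on the TFTP or registration side.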
Original reference and more discussions from
DHCP is short for Dynamic Host Configuration Protocol. We know that DHCP is used in LAN environments to dynamically assign host IP addresses from a centralized server, which reduces the overhead of administrating IP addresses.
I've read an article, "DHCP Snooping and DHCP Snooping Configuration", about a CCIE's experience. That article also explains the DHCP Option 82 concept.
In this article we will share some info of using the DHCP Option 82.
DHCP also helps conserve limited IP address space because IP addresses no longer need to be permanently assigned to client devices; only those client devices that are connected to the network require IP addresses. The DHCP relay agent information feature (option 82) enables the DHCP relay agent (Catalyst switch) to include information about itself and the attached client when forwarding DHCP requests from a DHCP client to a DHCP server. This basically extends the standard DHCP process by tagging the request with information regarding the location of the requestor. (See the Figure "DHCP Option 82 Operation")
The following are key elements required to support the DHCP option 82 feature:
• Clients supporting DHCP
• Relay agents supporting option 82
• DHCP server supporting option 82
The relay agent information option is inserted by the DHCP relay agent when forwarding the client-initiated DHCP request packets to a DHCP server. The servers recognizing the relay agent information option may use the information to assign IP addresses and to implement policies such as restricting the number of IP addresses that can be assigned to a single circuit ID. The circuit ID in relay agent option 82 contains information identifying the port location on which the request is arriving.
1. The DHCP option 82 feature is supported only when DHCP snooping is globally enabled (ip dhcp snooping) and enabled on the VLANs to which the subscriber devices using this feature are assigned (ip dhcp snooping vlan <id>); insertion of option 82 itself is controlled by ip dhcp snooping information option. Mark only the uplink toward the relay or DHCP server as trusted (ip dhcp snooping trust): because the server makes policy decisions on the circuit ID and remote ID, option 82 must come only from relay agents you control, and by default a Catalyst switch drops DHCP packets that already carry option 82 when they arrive on an untrusted port.
2. DHCP and the DHCP option 82 feature have not been validated in the lab for EttF version 1.1. At this time, Cisco recommends considering only DHCP with option 82 for the application servers at level 3.
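The relay agent option described above, as an added example written for this page rather than code from Cisco or from the article quoted: the Python below walks the option area of a constructed, relayed DHCPDISCOVER as a DHCP server (or a tool inspecting a capture) sees it after the switch has inserted option 82, splits option 82 into its RFC 3046 sub-options, decodes the circuit ID and remote ID using the default Catalyst encoding (VLAN, module and port in the circuit ID; the relay switch's base MAC in the remote ID; this layout is an assumption to verify against your own platform's documentation), and enforces the server-side policy the text mentions, a cap on the number of clients per circuit ID. Requests that carry no relay information are refused rather than guessed at. The sample bytes and all names are constructed.

```python
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

OPT_RELAY_AGENT_INFO = 82          # RFC 3046 relay agent information option
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
OPT_END = 255

# Constructed option area of a relayed DHCPDISCOVER: option 53 (message type 1)
# and option 82 carrying circuit ID {type 0, len 4, VLAN 10, module 1, port 5}
# and remote ID {type 0, len 6, switch MAC 00:1b:54:aa:bb:cc}.
SAMPLE_OPTIONS = bytes.fromhex(
    "350101"
    "5212"
    "0106" "0004" "000a" "01" "05"
    "0208" "0006" "001b54aabbcc"
    "ff"
)


def find_option(raw: bytes, wanted: int) -> Optional[bytes]:
    """Return the payload of one DHCP option from a TLV option area, or None."""
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            return None
        if code == 0:                         # pad byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d has no length byte" % code)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        if code == wanted:
            return value
        i += 2 + length
    return None


def parse_option82(payload: bytes) -> Dict[int, bytes]:
    """Split the relay agent information option into its sub-options (also TLV)."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        if i + 1 >= len(payload):
            raise ValueError("sub-option without length byte")
        code, length = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("sub-option %d truncated" % code)
        if code in subs:
            raise ValueError("duplicate sub-option %d" % code)
        subs[code] = data
        i += 2 + length
    return subs


def decode_cisco_circuit_id(data: bytes) -> Dict[str, int]:
    """Assumed default Catalyst circuit-ID layout: type 0, len 4, VLAN(2), module(1), port(1).
    Any other layout is rejected instead of being guessed at."""
    if len(data) != 6 or data[0] != 0 or data[1] != 4:
        raise ValueError("unexpected circuit-ID encoding: %s" % data.hex())
    return {"vlan": int.from_bytes(data[2:4], "big"), "module": data[4], "port": data[5]}


def decode_cisco_remote_id(data: bytes) -> str:
    """Assumed default remote-ID layout: type 0, len 6, relay switch base MAC."""
    if len(data) != 8 or data[0] != 0 or data[1] != 6:
        raise ValueError("unexpected remote-ID encoding: %s" % data.hex())
    return ":".join("%02x" % b for b in data[2:])


class CircuitLeasePolicy:
    """Server-side policy from the text: at most N distinct clients per circuit.
    The circuit key is (relay switch MAC, VLAN, module, port)."""

    def __init__(self, max_per_circuit: int) -> None:
        self.max_per_circuit = max_per_circuit
        self.clients: Dict[Tuple[str, int, int, int], Set[str]] = defaultdict(set)

    def circuit_key(self, options: bytes) -> Optional[Tuple[str, int, int, int]]:
        payload = find_option(options, OPT_RELAY_AGENT_INFO)
        if payload is None:
            return None                       # not relayed through a trusted agent
        subs = parse_option82(payload)
        if SUB_CIRCUIT_ID not in subs or SUB_REMOTE_ID not in subs:
            return None
        cid = decode_cisco_circuit_id(subs[SUB_CIRCUIT_ID])
        rid = decode_cisco_remote_id(subs[SUB_REMOTE_ID])
        return (rid, cid["vlan"], cid["module"], cid["port"])

    def admit(self, client_mac: str, options: bytes) -> bool:
        """True if this client may get a lease on the circuit it arrived on."""
        key = self.circuit_key(options)
        if key is None:
            return False                      # refuse requests with no relay info
        seen = self.clients[key]
        if client_mac in seen or len(seen) < self.max_per_circuit:
            seen.add(client_mac)
            return True
        return False


if __name__ == "__main__":
    policy = CircuitLeasePolicy(max_per_circuit=2)
    print(policy.circuit_key(SAMPLE_OPTIONS))
    for mac in ("00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"):
        print(mac, policy.admit(mac, SAMPLE_OPTIONS))
```

The per-circuit cap is only meaningful if the circuit ID cannot be forged by the client, which is exactly why the switch must strip or drop client-supplied option 82 on untrusted ports before the relay inserts its own.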
Mobile devices are everywhere today, from laptops and tablets to smartphones and more, and all of these device types now connect to your wireless LAN. They use a mix of new and old Wi-Fi technologies (802.11ac, 802.11n and 802.11a) for access. To keep the older, slower clients from impeding the performance of newer, faster 802.11ac Wave 1 and Wave 2 connections, there is Cisco ClientLink.
ClientLink is a beamforming capability built into Cisco Aironet wireless LAN access points. When the access point (AP) concentrates signals toward the receiving client, that client is better able to “hear” the AP’s transmission, so throughput is greater. ClientLink also enhances performance in the uplink (client-to-AP) direction, so that the AP can also better hear the client communications. The result is improved performance in both directions.
By comparison, many competing 802.11ac-capable APs offer uplink-only enhancements, from client to access point. Many 802.11ac-capable AP suppliers also base their downlink enhancements on the optional transmit beamforming (TxBF) feature in 802.11ac, which requires TxBF support in the client device to operate. Cisco ClientLink technology is unique in offering both uplink and downlink performance improvements, and it doesn't require any special capabilities in the client device to work.
ClientLink works with all client technologies. It makes sure each client type always operates at the best possible rate, as determined by the 802.11 access technology supported, network conditions, and the distance of the client from the Wi-Fi AP. ClientLink helps maintain maximum client rates even at cell boundaries, when clients are farthest away from the AP.
How to Get the Most from 802.11ac?
The 802.11ac standard inherently provides performance increases compared with earlier 802.11 technology versions. But because 802.11-based equipment is backward-compatible with older versions of the standard, it pays to run a mixed-client network to get the most out of your device investments. At the same time, however, your older clients can delay communications for the faster 802.11ac clients, hindering 802.11ac performance benefits.
Cisco ClientLink overcomes this issue for more reliable mobile experiences. In Aironet 802.11ac APs, ClientLink uses four transmit antennas to focus transmissions in the direction of the Wi-Fi client, surpassing the industry norm. This support improves downlink signal-to-noise ratio (for better client “hearing”) and boosts the data rate over range so you can reduce coverage holes and enhance overall system performance. Table 1 illustrates the Cisco performance advantages of using ClientLink technology.
You get beamforming enhancements across your entire client population of new and old devices: Cisco ClientLink beamforming works with all client types, and IEEE-standard transmit beamforming (TxBF) is also built into all Cisco Wi-Fi-Certified 802.11ac access points to benefit the 802.11ac clients that support it.
ClientLink also works with multiuser multiple input, multiple output (MU-MIMO), part of the 802.11ac standard that enables concurrent transmissions between an AP and multiple 802.11ac client devices that also support MU-MIMO. As a result, Cisco ClientLink can now also provide performance boosts across a mixture of 802.11ac, 802.11n, and 802.11a clients to further benefit your entire wireless network.
The wireless difference is in the implementation details. Turn to Cisco ClientLink-enhanced APs to get best performance from all Wi-Fi clients on your network.
The IP Phone 7800 Series introduced four models to the portfolio: the Cisco IP Phone 7811, 7821, 7841 and 7861. The models range in their support, from a single-line model for users with light voice communications needs to a 16-line model for highly active users of VoIP communications.
The Cisco IP Phone 7800 Series delivers advanced IP Telephony features and crystal clear wideband audio performance to deliver an easy-to-use, full-featured voice communications experience on Cisco on-premises and hosted infrastructure platforms and third party hosted call control.
Small-to-large enterprise companies are well suited for the Cisco IP Phone 7800 Series.
The 7800 Series supports secure connectivity for remote worker access to the Cisco network, such as for full-time teleworkers.
Note: Support is provided on 7821, 7841, and 7861 endpoints with IP Phone software update 10-3-1-1 or later. The 7811 is also planned for support–contact your Cisco representative for timing details.
How do you start your Cisco IP Phone 7800 Series for third-party call control? First, let's look at the Cisco IP Phone 7841 shown in the photo above.
We have discussed Cisco ASA with FirePOWER Services a lot before. With Cisco ASA with FirePOWER Services, you consolidate multiple security layers in a single platform, eliminating the cost of buying and managing multiple solutions.
The Cisco Firepower Next-Generation Firewall is the industry’s first fully integrated, threat-focused next-gen firewall with unified management. It includes Application Visibility and Control (AVC), optional Firepower next-gen IPS (NGIPS), Cisco Advanced Malware Protection (AMP), and URL Filtering. Cisco Firepower NGFW provides advanced threat protection before, during, and after attacks.
Cisco ASA with FirePOWER Services: Stop more threats with a threat-focused NGFW
Beat sophisticated cyber attacks with superior security. We offer the industry’s first threat-focused next-generation firewall (NGFW). You get the confidence of the most-deployed stateful firewall combined with application control, next-generation intrusion prevention system (NGIPS), and advanced malware protection (AMP).
Discussion: Management of ASA with Firepower Services
There are a few questions about the Management of ASA with Firepower Services. Let’s look at the discussion from Cisco Communities
1. An ASA with Firepower Services requires a Firesight management device (physical or virtual) - Correct?
Yes, that’s correct.
2. Is there a High Availability option for a physical Firesight management?
Read about this in the bottom of Table 2 on this page:
3. Does the Firesight management also manage the ASA's firewall rules?
--Not yet. Cisco is developing Firepower Threat Defence that does exactly that.
4. I ask because I believe there was mention that a rule could have a specific IPS policy assigned to it. This is correct in terms of Firepower Access Control Rules, not ASA firewall rules.
5. If this is true I would believe that the use of CLI or ASDM on the ASA would no longer be usable - Correct?
The new Threat Defence system will be managed from Firepower Management Center. Not CLI nor ASDM.
6. When changes are made on the Firesight management station, are they applied immediately to the ASA, like managing via CLI, or is there another step to applying the changes?
No. You will have to deploy the new policy to the Firepower sensor first.
7. When changes are applied, what, if anything, happens to existing connections?
- I actually am not sure about this. I have never seen any connections being dropped when applying policy. Cisco has made a note about this in their manual: Firepower Management Center Configuration Guide, Version 6.0 - Policy Management [Cisco FireSIGHT Management Center] -…
- When you enable Inspect traffic during policy apply:
- Certain configurations can require the Snort process to restart.
- When the configurations you deploy do not require a Snort restart, the system initially uses the currently deployed access control policy to inspect traffic, and switches during deployment to the access control policy you are deploying.
- When you disable Inspect traffic during policy apply, the Snort process always restarts when you deploy.
- How a Snort restart affects traffic depends on the interface configuration and the platform.
Original Discussion from https://communities.cisco.com/thread/59509
Both switch engines are scheduled to ship in April.
In general, the Catalyst switches are designed for the campus backbone, the wiring closet, or a small office or retail network. Switch engines, which are the brains of the Catalyst, extend the usefulness of the hardware as application-driven network traffic rises.
The 6T raises speeds to 400 Gbps per slot on the Catalyst 6807-XL chassis. As a result, the supervisor engine can increase switch capacity to 6 Tbps and scale to 12 Tbps when in the Virtual Switching System configuration. The Supervisor Engine 6T is compatible with 10 Gb, 40 Gb and 100 Gb line cards, and has 8 x 10 GbE and 2 x 40 GbE uplinks to support high-performance applications.
The 8L-E has up to 560 Gbps of wired switching capacity and can handle independent packets simultaneously at a rate of 48 Gbps. The extension has four 10 GbE uplinks.
Cisco upgrades wireless, UCS platforms
With the latest switch engines, Cisco introduced the Catalyst 3650-Mini for companies with space-constrained locations. The hardware mirrors the 3650 family of switches in a 1RU form factor. It's available with 24 or 48 fixed PoE+ GbE ports.
For wireless networks, Cisco introduced 802.11ac Wave 2 access points under the Aironet and cloud-managed Meraki brands. The company also introduced stackable Meraki MS Switches that feature 16 or 32 1 Gbps ports, and hot-swappable power supplies and fans.
The Catalyst and wireless network upgrades reflect Cisco's two-prong product strategy of strengthening its on-premises and cloud-managed technology, which also includes security, said Rohit Mehra, an analyst at IDC. By focusing on both, Cisco is bolstering its core platforms for switching and routing, while also addressing the needs of the "midmarket, distributed enterprise that is developing a greater affinity for leveraging cloud for IT infrastructure."
For the data center, Cisco introduced the 6300 Series Fabric Interconnect for the company's Unified Computing System (UCS), which combines compute, storage and networking into a single platform. Cisco's fabric interconnects provide the management and communication backbone of the UCS B-Series Blade Servers, 5100 Series Blade Server Chassis and the C-Series Rack Servers.
The 6300 Series features two 1RU 40 GbE switches and a 40 GbE Fabric Extender. The products leverage the Virtual Interface Card 1300 series, which is designed to support up to 40 GbE networks. The card supports network overlay technologies, such as VXLAN.
The Article from http://searchnetworking.techtarget.com/news/4500272897/Cisco-switch-engines-boost-Catalyst-performance
There are two main categories of Ethernet Switches: Modular and Fixed Configuration.
What exactly are Modular and Fixed Configuration switches?
Modular switches, as the name implies, allow you to add expansion modules into the switches as needed, thereby delivering the best flexibility to address changing networks. Examples of expansion modules are application-specific modules (such as Firewall, Wireless, or Network Analysis), modules for additional interfaces, power supplies, or cooling fans.
Fixed Configuration switches are switches with a fixed number of ports and are typically not expandable.
The Fixed configuration switch category is further broken down into:
– Unmanaged Switches
– Smart Switches
– Managed L2 and L3 Switches
Unmanaged Switches:
This category of switch is the most cost effective for deployment scenarios that require only basic layer 2 switching and connectivity. As such, they fit best when you need a few extra ports on your desk, in a lab, in a conference room, or even at home.
With some Unmanaged switches in the market, you can even get capabilities such as cable diagnostics, prioritization of traffic using default QoS settings, Energy savings capabilities using EEE (Energy Efficient Ethernet) and even PoE (Power Over Ethernet). However, as the name implies, these switches generally cannot be modified/managed. You simply plug them in and they require no configuration at all.
Cisco 100 Series switches are good examples of this category.
Smart Switches (also known as Lightly Managed Switches):
This category of switches is the most blurred and fastest changing. The general rule here is that these switches offer certain levels of Management, QoS, Security, etc. but are "lighter" in capabilities and less scalable than Managed switches. This makes them a cost-effective alternative to Managed switches. As such, Smart switches fit best at the edge of a large network (with Managed Switches being used in the core), as the infrastructure for smaller deployments, or for low complexity networks in general.
The capabilities available for this Smart switch category vary widely. All of these devices have an interface for Management – historically a browser-based interface used to be the only way to configure these devices, though nowadays you can manage some of these devices with CLI and/or SNMP/RMON as well. Regardless, these capabilities are lighter than what you will find in their Managed switch counterparts. Smart switches tend to have a management interface that is more simplified than what Managed Switches offer.
Smart switches allow you to segment the network into workgroups by creating VLANs, though with a lower number of VLANs and nodes (MAC addresses) than you’d get with a Managed switch.
They also offer some levels of security, such as 802.1x endpoint authentication, and in some cases with limited numbers of ACLs (access control lists), though the levels of control and granularity would not be the same as a Managed switch.
In addition, Smart switches support basic quality-of-service (QoS) that facilitates prioritization of users and applications based on 802.1q/TOS/DSCP, thereby making it quite a versatile solution.
Cisco 200 Series switches are good examples of this category.
Fully Managed L2 and L3 switches:
Managed Switches are designed to deliver the most comprehensive set of features to provide the best application experience, the highest levels of security, the most precise control and management of the network, and offer the greatest scalability in the Fixed Configuration category of Switches. As a result, they are usually deployed as aggregation/access switches in very large networks or as core switches in relatively smaller networks. Managed switches should support both L2 switching and L3 IP routing though you’ll find some with only L2 switching support.
From a Security perspective, Managed switches provide protection of the data plane (User traffic being forwarded), control plane (traffic being communicated between networking devices to ensure user traffic goes to the right destination), and management plane (traffic used to manage the network or device itself). Managed switches also offer network storm control, denial-of-service protection, and much more.
The Access Control List capabilities allow for flexible dropping, rate limiting, mirroring, or logging of traffic by L2 address, L3 address, TCP/UDP port number, Ethernet type, ICMP or TCP flags, etc.
Managed switches are rich in features that enable them to protect themselves and the network from deliberate or unintended Denial of Service attacks. These include Dynamic ARP Inspection, IPv4 DHCP snooping, IPv6 First Hop Security with RA Guard, ND Inspection, Neighbor Binding Integrity, and much more.
Additional Security capabilities may include Private VLANs for securing communities of users or device isolation, Secure Management (downloads through SCP, Web-based Authentication, Radius/TACACS AAA, etc.), Control Plane Policing (CoPP) for protecting the CPU of the switch, and richer support for 802.1x (time-based, Dynamic VLAN Assignment, port/host-based, etc.).
From a Scalability perspective, these devices have large table sizes so that you can create large numbers of VLANs (for workgroups), devices (MAC table size), IP routes, and ACL policies for flow-based security/QoS purposes, etc.
For highest network availability and uptime, Managed switches support L3 redundancy using VRRP (Virtual Router Redundancy Protocol), large numbers of Link Aggregation groups (which is used both for scalability and resiliency), and capabilities for protecting L2 such as Spanning Tree Root Guard and BPDU Guard.
When we talk about QoS and Multicast features, the richness of capabilities goes far beyond what you’d see in a Smart Switch. Here you’d see things such as IGMP and MLD Snooping with Querier functions for optimizing IPv4/v6 multicast traffic in the LAN, TCP Congestion Avoidance, 4 or 8 queues to treat traffic differently by importance, setting/tagging traffic by L2 (802.1p) or L3 (DSCP/TOS), and rate limiting traffic.
In terms of Management, things such as multiple ways to configure (using CLI, Web GUI, SNMP Management application), discovering of neighbor devices in the networks (using CDP, LLDP, Bonjour, etc), and troubleshooting capabilities (such as VLAN and Port Mirroring, Traceroute, Ping, Syslog, Cable Diagnostics, RMON, etc) are all included.
What I highlighted is by no means exhaustive, but gives you a sense of what some of the differences may be between Managed and Smart Switches.
Cisco Catalyst and Cisco 300 Series and 500 Series switches are good examples of this category of products.
Managed Switches can go even further than what I’ve highlighted. For example, there’s even richer support for Dynamic Unicast and Multicast Routing protocols, deeper flow intelligence or macro flow statistics with NetFlow/sFlow, Non-Stop Forwarding (NSF) capabilities, MPLS/VRF support, Policy enforcement, and many others.
Now, to take a deeper dive into these switch categories and talk about various options, you can select the switches based on:
– Number of ports
– POE versus non-POE
– Stackable versus Standalone
You can find Fixed Configuration switches in Fast Ethernet (10/100 Mbps), Gigabit Ethernet (10/100/1000 Mbps), Ten Gigabit (10/100/1000/10000 Mbps) and even some 40/100 Gbps speeds. These switches have a number of uplink ports and a number of downlink ports. Downlinks connect to end users; uplinks connect to other Switches or to the network infrastructure. Currently, Gigabit is the most popular interface speed, though Fast Ethernet is still widely used, especially in price-sensitive environments. Ten Gigabit has been growing rapidly, especially in the datacenter, and, as the cost comes down, it will continue to expand into more network applications. With 10GBase-T Ten Gigabit copper interfaces being integrated into LOM (LAN on the Motherboard) and 10GBase-T switches becoming available now (see the Cisco SG500XG-8F8T 16-port 10-Gigabit switch), building a Storage or Server farm with 10 Gigabit interfaces has never been easier or more cost-effective. 40G/100G is still emerging and will be mainstream in a few years.
Number of ports:
Fixed Configuration Switches typically come in 5, 8, 10, 16, 24, 28, 48, and 52-port configurations. These ports may be a combination of SFP/SFP+ slots for fiber connectivity, but more commonly they are copper ports with RJ-45 connectors on the front, allowing for distances up to 100 meters. With Fiber SFP modules, you can go distances up to 40 kilometers, depending on the module and fiber type.
POE versus non-POE:
Power over Ethernet is a capability that facilitates powering a device (such as an IP phone, IP Surveillance Camera, or Wireless Access Point) over the same cable as the data traffic. One of the advantages of PoE is the flexibility it provides in allowing you to easily place endpoints anywhere in the business, even places where it might be difficult to run a power outlet. One example is that you can place a Wireless Access Point inside a wall or ceiling.
Switches deliver power according to a few standards: IEEE 802.3af delivers up to 15.4 Watts on a switch port, whereas IEEE 802.3at (also known as PoE+) delivers up to 30 Watts on a switch port. For most endpoints, 802.3af is sufficient, but there are devices, such as Video phones or Access Points with multiple radios, which have higher power needs. It’s important to point out that other PoE standards were being developed at the time of writing to deliver even higher levels of power for future applications (IEEE 802.3bt has since been ratified, allowing up to 90 Watts per port). Switches have a power budget set aside for running the switch itself, and also an amount of power dedicated for PoE endpoints; the PoE budget, not the port count, is what limits how many powered devices a switch can serve.
To find the switch that is right for you, all you need to do is choose a switch according to your power needs. When connecting to desktops or other types of devices which do not require POE, the non-POE switches are a more cost-effective option.
Stackable versus Standalone:
As the network grows, you will need more switches to provide network connectivity to the growing number of devices in the network. When using Standalone switches, each switch is managed, troubleshot, and configured as an individual entity.
In contrast, Stackable switches provide a way to simplify and increase the availability of the network. Instead of configuring, managing, and troubleshooting eight 48-port switches individually, you can manage all eight like a single unit using Stackable Switches. With a true Stackable Switch, those eight switches (total 384 ports) function as a single switch: there is a single SNMP/RMON agent, single Spanning Tree domain, single CLI or Web interface, i.e. a single management plane. You can also create link aggregation groups spanning multiple units in the stack, port-mirror traffic from one unit in the stack to another, or set up ACLs/QoS spanning all the units. There are valuable operational advantages to be gained by this approach.
Here’s a word of warning. Be careful about products in the market which are sold as “Stackable” when they merely offer a single user interface, or central management interface, for getting to each individual switch unit. This approach is not stackable, but really “clustering”. You still have to configure every feature such as ACLs, QoS, Port mirroring, etc, individually on each switch. Use the following as a proof point – can I create a link aggregation group with one port in one unit of the stack and another port of that group in another unit of the stack? Can I select a port on one unit in the stack and mirror the traffic to a port on another unit of the stack? When I configure an ACL for Security purposes, can I apply that to any port on any unit in the stack? If the answer is “No” to any of these questions, you’re probably not working with a stackable switch.
There are other advantages of True Stacking as well. You can connect the stack members in a ring such that, if a port or cable fails, the stack will automatically route around that failure, many times at microsecond speeds. You can also add or subtract stack members and have it automatically recognized and added into the stack.
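The three proof-point questions above, answered in configuration. This is an added example, not from the original article; it assumes a two-member Catalyst 3K stack and the interface, VLAN and ACL names shown.

```cisco
! Added example: two-member Catalyst stack. Interface and ACL names are assumptions.
!
! 1. One link aggregation group with a member port on each unit (cross-stack EtherChannel)
interface range GigabitEthernet1/0/47 , GigabitEthernet2/0/47
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
!
! 2. Mirror traffic from a port on unit 1 to an analyzer on unit 2
monitor session 1 source interface GigabitEthernet1/0/10 both
monitor session 1 destination interface GigabitEthernet2/0/48
!
! 3. One ACL definition, applied to a port on whichever unit the host happens to be on
ip access-list extended GUEST-IN
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
!
interface GigabitEthernet2/0/5
 switchport mode access
 ip access-group GUEST-IN in
!
! Checks: Po1 should list members on both units, the SPAN session should show
! source and destination on different units, and every member should report
! both stack ports OK (a ring), so one failed cable cannot split the stack.
show etherchannel 1 summary
show monitor session 1
show switch
show switch stack-ports
```

If any of the three configurations is rejected, or has to be repeated per unit, you are looking at clustering rather than stacking, exactly the distinction the warning above draws.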
Cisco Catalyst 2K-X and 3K or Cisco 500 Series Switches are examples of Switches in this category.
As you can see there’s a multitude of switch options to choose from. So, have a close look at your current deployment and future needs to determine the right switch for your network.
Do you know how to configure the ASA as a CA Server? The Cisco ASA can act as a Certificate Authority server and issue certificates to VPN clients or other network devices.
The Cisco ASA local CA only provides browser-based certificate enrollment; there is no SCEP enrollment against it.
Before proceeding with the configuration, make sure the time on your ASA is correct (show clock), or better, use an NTP server to synchronize the time across your network devices; certificate and CRL validity is checked against the clock, so a wrong time yields certificates that are invalid the moment they are issued.
You cannot specify a CA server name, because only one instance of the Local CA server can run at a time.
Under crypto ca server mode, we have multiple options, explained as follows:
CA server configuration commands:
- cdp-url: Specifies the certificate revocation list (CRL) distribution point URL to be embedded in the certificates issued by the CA.
- database: Specifies a path or location for the local CA database. The default location is flash memory.
- enrollment-retrieval: Specifies the time, in hours, during which an enrolled user can retrieve the PKCS12 enrollment file.
- issuer-name: Specifies the issuer DN placed in the certificates the local CA issues (by default derived from the ASA hostname and domain name).
- keysize: Configures the size of the keypair generated for certificate enrollments on the local CA server.
- lifetime ca-certificate: Specifies the lifetime of the CA certificate, in days.
- lifetime certificate: Specifies the lifetime of user certificates, in days.
- lifetime crl: Specifies the lifetime of the CRL, in hours.
- otp expiration: Specifies how long, in hours, the one-time password (OTP) issued to an enrolling user remains valid.
- publish-crl: Makes the CRL available for download over HTTP on the specified interface (and optional port).
- renewal-reminder: Specifies how many days before a user certificate expires the ASA notifies the user by e-mail.
- smtp from-address: Specifies the sender address of the e-mails that deliver one-time passwords and enrollment invitations.
- smtp subject: Customizes the subject line of those e-mails.
- subject-name-default: Specifies a default subject-name DN whose attributes are appended to the username on issued certificates.
Basic ASA configuration as CA server
ASDM -> Configuration -> Remote Access VPN -> Certificate Management - Local Certificate Authority
Equivalent CLI configuration.
ASA(config)# crypto ca server
ASA(config-ca-server)# lifetime ca-certificate 100
ASA(config-ca-server)# lifetime certificate 30
! both lifetimes are in days; the CA certificate lifetime is locked in once the server is enabled
ASA(config-ca-server)# smtp from-address firstname.lastname@example.org
ASA(config-ca-server)# smtp subject Certificate enrollment
ASA(config-ca-server)# keysize 2048
ASA(config-ca-server)# cdp-url http://cisco/+CSCOCA+/asa_ca.crl
! this URL is embedded in every issued certificate: the hostname must resolve for clients and the CRL must actually be served (publish-crl), or revocation checks fail
ASA(config-ca-server)# subject-name-default CN=BoB, O=Cisco, C=US
! generic DN attributes that the CA appends to the enrolling username on each issued certificate
ASA(config-ca-server)# no shutdown
! the first "no shutdown" generates the CA keypair and certificate and prompts for a passphrase that protects the CA's archived key (PKCS12); keep it, it is needed to restore the CA
Once the CA server has been enabled, you cannot modify its configuration unless you shut the server down first (shutdown in crypto ca server mode). The parameters baked into the CA certificate itself (keysize, issuer-name, lifetime ca-certificate) cannot be changed at all without deleting and regenerating the CA, which invalidates every certificate it has issued, so get those right before the first no shutdown.
Show and debug commands:
- debug crypto ca server
- show crypto ca server
- show crypto ca server cert-db
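Added example (not part of the original guide): the enrollment and revocation steps that follow the configuration above on the same local CA. The interface name inside and its address 192.0.2.1, the user bob and his e-mail address are assumptions; the commands are standard ASA crypto ca server syntax.

```cisco
! Added example; interface "inside" (192.0.2.1), user "bob" and his address are assumed.
! The guide notes the server must be shut down before its configuration is changed.
ASA(config)# crypto ca server
ASA(config-ca-server)# shutdown
ASA(config-ca-server)# publish-crl inside 80
! without publish-crl the cdp-url in the issued certificates points at nothing
ASA(config-ca-server)# otp expiration 24
ASA(config-ca-server)# renewal-reminder 14
ASA(config-ca-server)# no shutdown
! re-enabling reuses the existing CA key and certificate; nothing is regenerated
ASA(config-ca-server)# exit
!
! Create the enrollment user and release a one-time password. display-otp prints it on
! the console instead of e-mailing it, which is what you want when no SMTP server is set.
ASA(config)# crypto ca server user-db add bob dn CN=bob,O=Cisco,C=US email bob@example.org
ASA(config)# crypto ca server user-db allow bob display-otp
!
! The user now opens https://192.0.2.1/+CSCOCA+/enroll.html, logs in as bob with the OTP,
! and downloads a PKCS12 holding the private key and certificate. The OTP is single-use
! and dies after "otp expiration" hours, so an unclaimed invitation is not a standing credential.
!
! Verify, then revoke when the key is lost or the user leaves
ASA# show crypto ca server user-db enrolled
ASA# show crypto ca server cert-db user bob
ASA(config)# crypto ca server revoke <serial-from-cert-db>
ASA(config)# crypto ca server crl issue
ASA# show crypto ca server crl
```

For the revocation to reach relying parties, the hostname in the cdp-url above (cisco) has to resolve to the address publish-crl serves on; if it does not, clients that enforce CRL checking will reject every certificate this CA issues, including ones that were never revoked.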
More information: http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/config/guide/config/cert_cfg.html
Original guide from https://supportforums.cisco.com/document/12597006/how-configure-asa-ca-server