What can the Cisco Mobility Express Solution do for you? It helps you easily deploy a wireless network with all of Cisco's advanced wireless innovations, using a simple, over-the-air configuration interface.
Nowadays, at your school, students might be using digital textbooks. And you might be required to provide a tablet or laptop for every student. Network connections will probably be wireless for the flexibility to use devices from anywhere on campus. Faculty and administrative personnel, too, rely on wireless networking for internal communications that are part of their jobs.
If your IT staff is tiny or nonexistent, how can you deploy and manage the wireless network? Especially if there are multiple schools scattered throughout the district to cover?
Cisco Mobility Express Solution targets just such situations. Mobility Express is built into Cisco Aironet 1850 and 1830 Series Access Points, which support 802.11ac Wave 2. Wave 2 is the very latest Wi-Fi standard, supporting gigabit speeds and protecting your Wi-Fi access point investment into the future.
- Ideal for schools needing up to 25 Wi-Fi access points
- Supports Cisco’s industry-leading features with no price premium
- Non-IT personnel can set up the wireless network in less than 10 minutes
- Three-step, wizard-based setup means no command lines to learn
- Delivers 802.11ac Wave 2, the latest and fastest wireless LAN technology on the market
- Bundles virtual WLAN controller management capabilities into the AP at no extra cost
- Cisco Connected Mobile Experience (CMX) can be added to boost customer engagement and give you presence-based analytics
Be Prepared for Wave 2 Client Devices
New 802.11ac Wave 2 client devices will soon appear on your network as students, faculty, and staff upgrade their smartphones and tablets.
Installing a Wave 2 Wi-Fi access point prepares you to deliver the most robust performance possible to them from day one. Turn to Cisco, a leader in helping advance the 802.11ac specifications, to help you stay ahead of the growing Wi-Fi traffic volumes that the new devices will generate.
1, 2, 3, and You’re Up
Supported on the Cisco Aironet 1850 and 1830 Series Access Points, the Mobility Express Solution lets you deploy your wireless LAN in less than 10 minutes. You can simultaneously configure multiple Aironet access points with industry best-practice settings already enabled by default. Follow just three steps to configure your network:
- Connect to an 1850 or 1830 access point using any wireless device
- Use the Cisco WLAN Express Setup Wizard to configure multiple access points simultaneously. Your wireless network can contain a mix of Cisco Aironet 1850, 1830, 1600, 2600, 3600, 1700, 2700 and 3700 Series Access Points. You just need an 1850 or 1830 for the control function.
- Access the management dashboard – available via a browser or a mobile app – to operate, monitor, and troubleshoot your network.
When you want to access your Mobility Express dashboard from your mobile device, use the Cisco Wireless app, available at the Google Play Store and Apple App Store.
Using a virtual wireless LAN controller built right into the Cisco Aironet 1850 and 1830 access points, you can manage all your access points from a central console. You can easily manage up to 25 APs and 500 clients for each Mobility Express virtual controller you deploy. That means if you are a smaller venue, you can now deliver the same quality user experiences as large enterprises. There’s no price premium, and you don’t have to understand command-line interfaces.
There’s no longer the burden of having to manage autonomous APs one at a time, and no need to invest in a separate WLAN controller appliance for management.
To learn more about Cisco Mobility Express Solution, Cisco Aironet 1850 and 1830 Series Access Points, and 802.11ac Wave 2, visit: http://www.cisco.com/go/mobilityexpress.
Original from http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/mobility-express/at-a-glance-c45-734261.pdf
The Cisco ASA series supports IPv6, and it can be set up easily and quickly. This part focuses on a basic ASA setup for a native IPv6 network. As you will see, very few commands are required to have your ASA firewall join an IPv6-ready network.
Here is a quick way to configure your ASA firewall for IPv6 connectivity.
In this step we assign a link-local address to the interface. There are 2 ways to assign a link-local address to the interface.
Configure the interface to generate a link local address from its MAC address.
interface GigabitEthernet 0/0
 no shutdown
 nameif inside
 ipv6 enable
When you enter "ipv6 enable", a link-local address is automatically generated (it is based on the interface's MAC address).
Configure a link local address manually.
interface GigabitEthernet 0/0
 no shutdown
 nameif inside
 ipv6 address <ipv6-address> link-local
Using the above command you can assign a link local address to the interface manually.
You can verify the link local address by executing the “show ipv6 interface” command.
Next we have to assign the global address to the interface. There are 2 ways of doing this.
You can manually assign a global IPv6 address to the interface.
interface GigabitEthernet 0/0
 ipv6 address 2001:db8:2:3::1/64
With the "ipv6 address" command above, you are manually specifying the global IPv6 address for the interface. You can specify more than one IPv6 address for the interface using the command.
You can configure the interface to obtain the address automatically using stateless address autoconfiguration.
interface GigabitEthernet 0/0
 ipv6 address autoconfig
Enabling stateless autoconfiguration on the interface configures IPv6 addresses based on prefixes received in Router Advertisement messages.
NOTE: There was a defect (CSCuq62164) in the ASA software that caused the ASA to not assign an address if it received a RA message with both the M and A flags set. This has been fixed in 9.3(1) release and hence we recommend this version if you intend to use SLAAC for configuring the address on ASA interfaces.
Verify IPv6 configuration.
show ipv6 interface
inside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::e6c7:22ff:fe84:eb2
  Global unicast address(es):
    2001:db8:2:3::1, subnet is 2001:db8:2:3::/64
  Joined group address(es):
    ff02::1:ff00:1
    ff02::1:ff84:eb2
    ff02::2
    ff02::1
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
Step 4 (Optional)
Suppress Router Advertisement messages on an interface.
By default, Router Advertisement messages are automatically sent in response to router solicitation messages. You may want to disable these messages on any interface for which you do not want the security appliance to supply the IPv6 prefix (for example, the outside interface).
Enter the following command to suppress Router Advertisement messages on an interface:
ipv6 nd suppress-ra
Neighbor discovery will continue to be operational even though RA suppression has been configured.
Define an IPv6 default route.
ipv6 route outside ::/0 next_hop_ipv6_addr
Using ::/0 is equivalent to “any”. The IPv6 route command is functionally similar to the IPv4 route.
Using the regular access-list command define the access-lists with IPv6 addresses in them so as to permit the required traffic to flow through the ASA.
access-list test permit tcp any host 2001:db8::203:a0ff:fed6:162d
access-group test in interface outside
The above is permitting traffic to a specific server 2001:db8::203:a0ff:fed6:162d.
SECURING THE FIREWALL
If you plan to use autoconfig for the IPv6 global address on the ASA, you should accept router advertisements (RAs) only from known routers in your network. This helps prevent the ASA from being autoconfigured by unknown routers.
access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement
access-list outsideACL deny icmp6 any any router-advertisement
access-group outsideACL in interface outside
interface GigabitEthernet 0/0
 nameif outside
 security-level 0
 ipv6 address autoconfig
 ipv6 enable
The above access-list, when applied on the ASA, accepts router advertisements (RAs) only from the router specified. All other RAs are denied.
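One way to check a saved configuration for the RA filter described above, as an added example that is not part of the original article or of any Cisco tooling. It assumes only per-interface inbound access-groups are in use; the function names, the status strings and the "dmz" interface in the sample are hypothetical.

```python
import re

# Constructed sample from this page's commands; "dmz" is a hypothetical unfiltered interface.
SAMPLE_CONFIG = """\
access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement
access-list outsideACL deny icmp6 any any router-advertisement
access-group outsideACL in interface outside
interface GigabitEthernet 0/0
 nameif outside
 security-level 0
 ipv6 address autoconfig
 ipv6 enable
interface GigabitEthernet 0/1
 nameif dmz
 ipv6 address autoconfig
"""
ANY = {"any", "any6"}

def autoconfig_interfaces(config):
    """Return the nameif of every interface using 'ipv6 address autoconfig'."""
    names = []
    for stanza in re.split(r"^(?=\S)", config, flags=re.M):  # one top-level command each
        name = re.search(r"^[ \t]+nameif (\S+)", stanza, re.M)
        if name and re.search(r"^[ \t]+ipv6 address autoconfig[ \t]*$", stanza, re.M):
            names.append(name.group(1))
    return names

def take_addr(tokens):  # split one address spec ('host X', 'any' or a prefix) off a list
    n = 2 if tokens[:1] == ["host"] else 1
    return tokens[:n], tokens[n:]

def ra_filter(config, nameif):
    """Return (status, allowed_sources) for RAs arriving on one interface."""
    grp = re.search(rf"^access-group (\S+) in interface {re.escape(nameif)}[ \t]*$", config, re.M)
    if not grp:
        return "unfiltered", []
    allowed = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", grp.group(1)] or "icmp6" not in t:
            continue
        i = t.index("icmp6")
        src, rest = take_addr(t[i + 1:])
        dst, icmp_type = take_addr(rest)
        if not src or not dst or icmp_type not in ([], ["router-advertisement"]):
            continue                      # malformed, or some other ICMPv6 type
        if src[0] in ANY:                 # first any-source rule settles every other sender
            return ("restricted" if t[i - 1] == "deny" else "unfiltered"), allowed
        if t[i - 1] == "permit":
            allowed.append(src[-1])
    return "no-explicit-deny", allowed

def audit(config):
    return {name: ra_filter(config, name) for name in autoconfig_interfaces(config)}
```

Any interface reported as anything other than "restricted" takes its address from autoconfig without the permit-then-deny pair shown above.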
Configuring ASA to help autoconfigure IPv6 addresses on hosts behind the ASA
The hosts in the network behind the ASA might be configured to autoconfigure their IPv6 address. Dynamic address assignment happens in 2 ways on IPv6 networks. It could either be a stateful address assignment or stateless address assignment.
Stateful dynamic address assignment
For stateful address assignment, a DHCPv6 server that can assign addresses to hosts upon request needs to be configured on the network. The ASA currently does not have the ability to host a DHCPv6 server on its interfaces, but it can act as a DHCPv6 relay agent. In order to enable stateful dynamic address assignment to hosts behind the ASA, the DHCPv6 relay agent needs to be configured on the ASA.
To configure the DHCPv6 relay agent the following configuration is needed:
ipv6 dhcprelay server 2001:db8:c18:6:a8bb:ccff:fe03:2701
ipv6 dhcprelay enable inside
The first command specifies the address of a DHCPv6 server to which the DHCP requests are forwarded. The command also accepts an optional interface name that specifies the output interface for the destination. The second command enables DHCP relay on an interface. When DHCP relay is enabled on an interface, all the DHCP requests coming on that interface get forwarded to the configured DHCP server.
Stateless dynamic address assignment
In Stateless Autoconfiguration (SLAAC) the client picks up its own address based on the prefix being advertised by the ASA. The prefix is advertised by means of an IPv6 router advertisement. ASA sends out IPv6 router advertisements by default from any interface on which a global IPv6 address is configured. Additionally, a DHCPv6 relay agent can be configured to point to a DHCPv6 server that can advertise a DNS server address and a domain name only.
IPv6 Prefix delegation
ASA does not support IPv6 prefix delegation yet. If the network behind the ASA needs to be assigned IPv6 addresses based on the prefix delegated by a delegation router, then we need to place an ASA between the provider edge (PE) router and the IPv6-capable customer premises router. The ASA must be in transparent mode. This way the ASA protects the entire IPv6 network, including the infrastructure router, on the customer premises. All ICMP6 traffic must be permitted on the ASA running in transparent mode.
The following must be configured on the ASA:
firewall transparent
interface BVI1
 no ip address
 ipv6 enable
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
access-list permit_icmp6 extended permit icmp6 any6 any6
access-group permit_icmp6 global
This example uses a link-local IPv6 address on the BVI interface. You can also configure an explicit IPv6 address for in-band management purposes.
The original article was shared from https://supportforums.cisco.com/document/61451/cisco-asa-ipv6-quick-start
There are 2 methods of booting and running IOS XE software in 3850 switch/stack.
By default, the switches are shipped in Install mode.
Bundle mode: Bundle mode is where we boot the switch/stack using the .bin file. This is the traditional method of booting the switch, where the switch extracts the .bin file to the RAM of the switch and runs from there.
Install Mode: Install mode is where we pre-extract the .bin file in the flash and boot the switch/stack using the packages.conf file created during the extraction.
Install mode is the recommended mode of running the switch. Not all features may be available in Bundle mode.
IOS XE installation and software rollback are supported only when the switch is running in “Install” mode. (i.e.: The commands “software install” and “software rollback”.)
Use “software expand” command to convert the switch into Install mode from Bundle mode. The steps are mentioned below.
Upgrading a stand-alone switch:
The packages and provisioning file used to boot in installed mode must reside in the flash.
Booting in installed mode from usbflash0: or TFTP is not supported.
Booting a bundle in bundle mode is just like booting a monolithic IOS image.
For example: boot flash:cat3k_caa-universalk9.SSA.03.08.83.EMD.150-8.83.EMD.bin
Hence, the boot variable should not be pointing to the .bin file. If so, the switch will boot in Bundle mode. The boot variable should be pointing to the “packages.conf” file in order for the switch to boot in Install mode.
Before doing the upgrade, we need to check the mode in which the switch is currently booted.
C3850#show version | begin Switch Port
Switch Ports Model             SW Version   SW Image               Mode
------ ----- -----             ----------   ----------             ----
*    1 32    WS-C3850-24T      03.03.01SE   cat3k_caa-universalk9  INSTALL   <-- Install mode
Upgrading from Install mode:
By default, switches are shipped in Install mode.
In order to upgrade the switch from Install mode, please follow the below-mentioned procedure.
1. Download the new image from the TFTP server to the flash / USB on the switch. (optional)
Copy tftp: flash:
Copy tftp: usbflash0:
2. Use the command “software install” to install the newly downloaded image (or) the image present in the network.
C3850-01#software install file <source>:<filename.bin> new
The “new” keyword is used so that the post-install package set contains only the packages being installed. The old packages file will be renamed for future rollback purposes. Without this option, the post-install package set is a merged set of the currently installed software and the new packages being installed.
The source can be
- flash: or usbflash0: (or a sub-directory of these)
- The network via tftp, ftp or http
NOTE: When performing ‘software install’ on a switch with a source bundle that resides in the network, the source bundle is first downloaded to RAM on switch. The source bundle is deleted from RAM when the operation completes.
Refer to the configuration guide for the other optional parameters of this command.
Directory of flash:/
29511 -rwx 220716072 Oct 15 2012 12:57:59 +00:00 cat3k_caa-universalk9.SSA.03.08.88.EMP.150-8.88.EMP.bin
C3850#software install file flash:cat3k_caa-universalk9.SSA.03.08.88.EMP.150-8.88.EMP.bin
[1 ]: Creating pending provisioning file
[1 ]: Finished installing software. New software will load on reboot.
[1 ]: Committing provisioning file
[1 ]: Do you want to proceed with reload? [yes/no]: n
Once the installation is completed, reload the switch and it will boot into the newly installed IOS XE image.
From Bundle mode:
If the switch is currently running in “Bundle” mode, then we need to use the “software expand” command to convert the switch into the Install mode first and then install the new IOS XE.
The ‘software expand’ exec command is used to extract the package files and the provisioning file (packages.conf) from a source bundle (possibly the running bundle) and copy them to the specified destination directory in a local storage device.
This command will typically be used to convert from the bundle running mode to the installed running mode.
NOTE: When performing ‘software expand’ on a switch with a source bundle that resides in local storage, the source bundle is first copied to the corresponding local storage device on the switch. The source bundle used for the expand operation is left intact after it is expanded.
NOTE: When performing ‘software expand’ on a switch with a source bundle that resides in the network, the source bundle is first downloaded to RAM of the switch. The source bundle is deleted from RAM on the switch when the operation completes.
This example uses the following steps to prepare a switch for booting in installed mode, i.e., booting a package provisioning file (packages.conf)
- Boot in bundle mode using ‘boot flash:<bundle name>’
Can also boot from usbflash0: or via tftp
- Use the ‘software clean file flash:’ command to remove any unused package, bundle and provisioning files from flash:
- Use the ‘software expand running to flash:’ command to expand the running bundle to flash:
- Reload the switch
- Boot the installed packages using ‘boot flash:packages.conf’
The 'software rollback' exec command can be used to revert to a previous version of the installed software package set (i.e., an older packages.conf file)
This functionality relies on the existence of one or more 'rollback provisioning files’ in flash:, along with all of the .pkg files listed in the rollback provisioning file(s)
- The rollback provisioning files are visible in flash: as packages.conf.00-, packages.conf.01-, etc.
- packages.conf.00- is a snapshot of the packages.conf file as it looked prior to the last installation operation
- packages.conf.01- is a snapshot of the packages.conf file as it looked two installations ago
- And so on
When the 'software rollback' command is used, packages.conf.00- becomes packages.conf, packages.conf.01- becomes packages.conf.00-, and so on.
Note: If the 'software clean' command is used, future attempts to do a software rollback are likely to fail
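The rollback rotation and its dependency on the old .pkg files, modelled as an added example that is not part of the original article or of IOS XE. The file names ending in .pkg are placeholders, the provisioning files are reduced to the package names they reference, and clean() is a simplified stand-in for 'software clean'.

```python
import re

def rollback_plan(flash):
    """flash maps each file name in flash: to its text ('' for binary files).

    Returns (renames, missing): the renames this page describes for
    'software rollback', and the .pkg files named by the provisioning file
    about to become active that are not present in flash:.
    """
    if "packages.conf.00-" not in flash:
        return [], ["packages.conf.00-"]
    snaps = sorted(n for n in flash if re.fullmatch(r"packages\.conf\.\d\d-", n))
    # packages.conf.00- -> packages.conf, packages.conf.01- -> packages.conf.00-, ...
    renames = list(zip(snaps, ["packages.conf"] + snaps[:-1]))
    wanted = set(re.findall(r"\S+\.pkg\b", flash[snaps[0]]))
    return renames, sorted(wanted - set(flash))

def clean(flash):
    """Simplified model of 'software clean': keep only the active
    provisioning file and the packages it names."""
    keep = {"packages.conf", *re.findall(r"\S+\.pkg\b", flash["packages.conf"])}
    return {name: text for name, text in flash.items() if name in keep}

# Constructed flash contents (placeholder package names, not real images).
FLASH = {
    "packages.conf":     "base.NEW.pkg\ndrivers.NEW.pkg\n",
    "packages.conf.00-": "base.OLD.pkg\ndrivers.OLD.pkg\n",
    "packages.conf.01-": "base.OLDER.pkg\ndrivers.OLDER.pkg\n",
    "base.NEW.pkg": "", "drivers.NEW.pkg": "",
    "base.OLD.pkg": "", "drivers.OLD.pkg": "",
}

if __name__ == "__main__":
    print(rollback_plan(FLASH))          # rollback can proceed
    print(rollback_plan(clean(FLASH)))   # rollback files are gone after a clean
```

A non-empty second element in the result means the rollback would reference files that are no longer in flash:.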