Simplify Access Control without Network Redesign
What is Cisco TrustSec, and what does it give you? Business demand for cloud services, mobility, and the Internet of Things (IoT) has driven rapid network growth and complexity, and risk along with it: each new user, device, and data connection is a potential entry point, so the attack surface keeps expanding. Cisco TrustSec is one way to get that under control. Embedded in your existing Cisco network infrastructure, TrustSec simplifies the provisioning and management of network access control. It uses software-defined segmentation to classify network traffic and enforce policy, giving more flexible access control. Classification is based on endpoint identity rather than IP address, so policy can change without redesigning the network.
TrustSec is powered by the Cisco Identity Services Engine. The centralized policy management platform gathers advanced contextual data about who and what is accessing your network. It then uses security group tags to define roles and access rights and pushes the associated policy to your TrustSec-enabled network devices, such as switches, routers, and security equipment.
You get better visibility through richer contextual information, can detect threats sooner, and can remediate faster, which reduces the impact and cost of a potential breach.
What are the Main Benefits You can Get?
• Quickly isolate and contain threats using technology already in your network.
• Limit the impact of data breaches by dynamically segmenting your network.
• Centrally apply and enforce granular and consistent policies across wired, wireless, and remote-access users and devices.
• Reduce operational expenses by defining firewall and access control rules based on asset or application context.
• Easily provide dynamic campus segmentation to enforce security policies in quickly changing environments without provisioning and maintaining access control lists.
• Cater to changing workforces and business relationships by defining security groups based on business roles, not IP addresses.
How It Works
Traditional network segmentation approaches use IP-address-based access control lists (ACLs), VLAN segmentation, and firewall policies that require extensive manual maintenance. Cisco TrustSec simplifies the effort by dynamically grouping machines into objects, called security groups, and provisioning security policies between those objects.
The interaction of systems is determined by the security-group-based policies, eliminating the need for VLAN or address-based policy provisioning. TrustSec is available in virtual and physical switches and treats virtual and physical workloads across the campus and data center consistently.
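To make the mechanism concrete, here is a small model of security-group enforcement as an added example. It is not Cisco code and not the ISE API; the SGT numbers, role names, and prefixes are made up. The point it shows is the one the text makes: the SGT is assigned from identity and role, the policy is a matrix keyed on source and destination SGT, and when an endpoint moves to a new subnet its policy outcome does not change because nothing in the policy mentions an IP address.

```python
# Added illustrative model of TrustSec-style security-group enforcement.
# This is not Cisco code and not the ISE API; SGT numbers, roles, and
# prefixes below are made up for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

UNKNOWN_SGT = 0  # untagged / unclassified traffic


@dataclass(frozen=True)
class Endpoint:
    identity: str  # what ISE authenticated: user, device certificate, MAB MAC
    role: str      # business role, from which the SGT is derived


# Classification: the SGT comes from identity and role, never from the IP.
ROLE_TO_SGT = {"employee": 10, "contractor": 20, "hr-server": 30, "printer": 40}

# SGACL matrix: (source SGT, destination SGT) -> permitted (proto, port) tuples.
# Pairs not listed fall through to the default, which here is deny.
SGACL = {
    (10, 30): {("tcp", 443)},
    (10, 40): {("tcp", 9100)},
    (20, 40): {("tcp", 9100)},
}


class EnforcementPoint:
    """A switch that learns IP-to-SGT bindings and applies SGACLs at egress."""

    def __init__(self):
        self.bindings = {}     # dynamic bindings, e.g. learned from 802.1X via ISE
        self.subnet_maps = []  # static (network, sgt) maps for servers/printers

    def learn(self, ip, endpoint):
        self.bindings[ip_address(ip)] = ROLE_TO_SGT[endpoint.role]

    def forget(self, ip):
        self.bindings.pop(ip_address(ip), None)

    def map_subnet(self, cidr, sgt):
        self.subnet_maps.append((ip_network(cidr), sgt))

    def sgt_for(self, ip):
        addr = ip_address(ip)
        if addr in self.bindings:
            return self.bindings[addr]
        matches = [(net, sgt) for net, sgt in self.subnet_maps if addr in net]
        if matches:  # longest prefix wins, as with any address map
            return max(matches, key=lambda m: m[0].prefixlen)[1]
        return UNKNOWN_SGT

    def allows(self, src_ip, dst_ip, proto, port):
        pair = (self.sgt_for(src_ip), self.sgt_for(dst_ip))
        return (proto, port) in SGACL.get(pair, set())


if __name__ == "__main__":
    sw = EnforcementPoint()
    sw.map_subnet("10.50.0.0/16", ROLE_TO_SGT["hr-server"])
    alice = Endpoint("alice@example.com", "employee")
    sw.learn("10.1.1.5", alice)
    print(sw.allows("10.1.1.5", "10.50.0.10", "tcp", 443))  # True
    sw.forget("10.1.1.5")
    sw.learn("10.2.7.9", alice)  # alice moves subnets; policy is untouched
    print(sw.allows("10.2.7.9", "10.50.0.10", "tcp", 443))  # True
```

Unclassified traffic gets SGT 0 and therefore matches no row in the matrix, which is the deny-by-default behaviour you want from an enforcement point; if your real deployment needs a permissive default while you roll out tagging, that is a deliberate policy decision, not an accident of the lookup.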
“Effective network segmentation... reduces the extent to which an adversary can move across the network.”
US Department of Homeland Security
United States Computer Emergency Readiness Team
Failover problem on Cisco ASA 5525x after upgrade to version 9.4.1
A Cisco ASA 5525-X user shared his experience of a failover problem after upgrading to version 9.4.1. What was the problem, and how was it solved? Let's have a look.
He ran into the problem after upgrading from 8.6.1 to 9.4.1 on a Cisco ASA 5525-X pair with the IPS software module in an Active/Standby configuration.
One of his customers asked him to upgrade their Active/Standby Cisco ASAs to version 9.4.1. He read the release notes for that version and started the upgrade. As the release notes require, he first upgraded to version 9.0.4. That upgrade finished without any problems: all interfaces were in monitored state, failover was healthy, no errors, everything as it should be. He then started the upgrade to the required version 9.4.1 and did everything as before: downloaded the image and ASDM, changed the boot config, and ran failover reload-standby.
After the standby unit rebooted he expected it to come up as Standby Ready. Instead the standby showed: Other host: Secondary - Failed
ASA-Firewall# show failover
Failover unit Primary
Failover LAN Interface: failoverlink GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 216 maximum
failover replication http
Version: Ours 9.0(4), Mate 9.4(1)
Last Failover at: 14:42:17 AZDT Jun 5 2015
This host: Primary - Active
Active time: 3542 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.0(4)) status (Up Sys)
Interface inside (10.34.10.254): Normal (Waiting)
Interface outside (xx.132.xx.xxx): Normal (Waiting)
Interface management (10.34.7.252): Normal (Waiting)
slot 1: IPS5525 hw/sw rev (N/A/7.1(9)E4) status (Up/Up)
IPS, 7.1(9)E4, Up
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(1)) status (Up Sys)
Interface inside (10.34.10.253): Unknown (Waiting)
Interface outside (xx.132.xx.xxx): Unknown (Waiting)
Interface management (10.34.7.251): Unknown (Waiting)
slot 1: UNKNOWN hw/sw rev (N/A/) status (Unresponsive)
He investigated and checked everything (interfaces, config, show commands and so on). He was puzzled: the upgrade to 9.0.4 had taken five minutes, but on 9.4.1 he was stuck. After deeper investigation he thought he had found the reason. He connected to the active and the standby unit and ran this command:
On Standby ASA-Firewall# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525 FCH18037CSR
ips ASA 5525-X IPS Security Services Processor ASA5525-IPS FCH18037CSR
cxsc Unknown N/A FCH18037CSR
sfr Unknown N/A FCH18037CSR
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 18e7.282e.8bbd to 18e7.282e.8bc6 1.0 2.1(9)8 9.4(1)
ips 18e7.282e.8bbb to 18e7.282e.8bbb N/A N/A 7.1(9)E4
cxsc 18e7.282e.8bbb to 18e7.282e.8bbb N/A N/A
sfr 18e7.282e.8bbb to 18e7.282e.8bbb N/A N/A
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips IPS Up 7.1(9)E4
sfr Unknown No Image Present Not Applicable
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Up Up
cxsc Unresponsive Not Applicable Not powered on completely
sfr Unresponsive Not Applicable
Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Enabled perpetual
And the same command on the active unit:
On Active ASA-Firewall# show module
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525 FCH17517QRK
ips ASA 5525-X IPS Security Services Processor ASA5525-IPS FCH17517QRK
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 3c08.f6d9.9278 to 3c08.f6d9.9281 1.0 2.1(9)8 9.0(4)
ips 3c08.f6d9.9276 to 3c08.f6d9.9276 N/A N/A 7.1(9)E4
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
ips IPS Up 7.1(9)E4
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Up Up
Mod License Name License Status Time Remaining
--- -------------- --------------- ---------------
ips IPS Module Enabled perpetual
We know that the ASA failover algorithm does a lot of checks, and one of those checks is to monitor modules. As we can see in the output, after the upgrade to version 9.4.1 NEW modules appear on the standby unit: cxsc and sfr. On the active unit there are no such modules. Maybe the standby unit can't check the state, or the active unit can't interpret the standby unit's messages, I don't really know.
He had these questions:
1) Why did these new modules appear, what are they for, and how do they work?
2) Can I upgrade my Cisco ASAs to that version?
3) What should I do to upgrade? I need this upgrade very much, because I need the Policy Based Routing functionality.
4) Can I do the upgrade without interruption?
Someone answered, and solved it, like this: “Yes, complete your upgrade on the active unit and it will show the same unknown status for the cxsc and sfr modules. Once you do that successfully, you should have a healthy HA pair.
Support for cxsc and sfr as module types was introduced in versions 9.1(1) and 9.2(2) respectively.
You can stick with your ips (classic IPS module) as long as it's meeting your needs. It is end of sales now (as is the CX module shortly) and both are deprecated in favor of the newer "sfr" or FirePOWER module. More about FirePOWER is on the product data sheet (and elsewhere).”
What are your ideas? You are welcome to share them here…
The Case From
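The lesson of this case is that a failover pair is only healthy when both units agree on version, module inventory and interface state, and that a mid-upgrade mismatch is expected rather than a fault. As an added example (not part of the original post, and not a Cisco tool), here is a small checker that parses show failover output and lists every reason a pair is not yet a healthy HA pair. The SAMPLE text below is constructed to mirror the output in the post, with documentation addresses in place of the masked public IPs; HEALTHY is what the same pair should look like once the active unit has been upgraded too.

```python
import re

# Constructed sample modelled on the 'show failover' output in the post:
# this unit still on 9.0(4), the mate already on 9.4(1) and failed.
# Public addresses are RFC 5737 documentation ranges, not real ones.
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: failoverlink GigabitEthernet0/2 (up)
Version: Ours 9.0(4), Mate 9.4(1)
Last Failover at: 14:42:17 AZDT Jun 5 2015
        This host: Primary - Active
                Active time: 3542 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.0(4)) status (Up Sys)
                  Interface inside (10.34.10.254): Normal (Waiting)
                  Interface outside (192.0.2.1): Normal (Waiting)
                slot 1: IPS5525 hw/sw rev (N/A/7.1(9)E4) status (Up/Up)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.4(1)) status (Up Sys)
                  Interface inside (10.34.10.253): Unknown (Waiting)
                  Interface outside (192.0.2.2): Unknown (Waiting)
                slot 1: UNKNOWN hw/sw rev (N/A/) status (Unresponsive)
"""

# Constructed: what the same pair should look like once both units run 9.4(1).
HEALTHY = """\
Version: Ours 9.4(1), Mate 9.4(1)
        This host: Primary - Active
                slot 0: ASA5525 hw/sw rev (1.0/9.4(1)) status (Up Sys)
                  Interface inside (10.34.10.254): Normal (Monitored)
        Other host: Secondary - Standby Ready
                slot 0: ASA5525 hw/sw rev (1.0/9.4(1)) status (Up Sys)
                  Interface inside (10.34.10.253): Normal (Monitored)
"""

VER_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")
HOST_RE = re.compile(r"^\s*(This|Other) host: (\w+) - (.+?)\s*$")
# hw may be 'N/A' and sw may contain parentheses, e.g. 9.0(4) or 7.1(9)E4
SLOT_RE = re.compile(r"^\s*slot (\d+): (\S+) hw/sw rev \((N/A|[^/]*)/(.*?)\) status \((.*)\)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]+)\): (\w+) \((\w+)\)")
OK_HOST = {"Active", "Standby Ready"}


def parse_failover(text):
    """Turn 'show failover' text into {'ours', 'mate', 'hosts': {This/Other: ...}}."""
    state = {"ours": None, "mate": None, "hosts": {}}
    host = None
    for line in text.splitlines():
        if m := VER_RE.match(line):
            state["ours"], state["mate"] = m.groups()
        elif m := HOST_RE.match(line):
            which, role, status = m.groups()
            host = {"role": role, "status": status, "slots": {}, "interfaces": {}}
            state["hosts"][which] = host
        elif host is not None and (m := SLOT_RE.match(line)):
            slot, card, _hw, sw, status = m.groups()
            host["slots"][int(slot)] = {"card": card, "sw": sw, "status": status}
        elif host is not None and (m := IFACE_RE.match(line)):
            name, _ip, status, _sub = m.groups()
            host["interfaces"][name] = status
    return state


def health_findings(state):
    """Return the reasons the pair is not a healthy HA pair (empty list if it is)."""
    findings = []
    if state["ours"] != state["mate"]:
        findings.append(f"version mismatch: ours {state['ours']}, mate {state['mate']}")
    for which, host in state["hosts"].items():
        if host["status"] not in OK_HOST:
            findings.append(f"{which} host ({host['role']}) is {host['status']}")
        for slot, info in host["slots"].items():
            if not info["status"].startswith("Up"):
                findings.append(f"{which} host slot {slot} ({info['card']}) is {info['status']}")
        for name, status in host["interfaces"].items():
            if status != "Normal":
                findings.append(f"{which} host interface {name} is {status}")
    # Module software must match slot for slot, which is exactly what broke here.
    this = state["hosts"].get("This", {}).get("slots", {})
    other = state["hosts"].get("Other", {}).get("slots", {})
    for slot in sorted(set(this) | set(other)):
        ours, theirs = this.get(slot, {}).get("sw"), other.get(slot, {}).get("sw")
        if ours != theirs:
            findings.append(f"slot {slot} software differs: {ours!r} vs {theirs!r}")
    return findings


def is_healthy_pair(text):
    return not health_findings(parse_failover(text))


if __name__ == "__main__":
    for finding in health_findings(parse_failover(SAMPLE)):
        print("-", finding)
```

Run it before and after each unit is reloaded during an upgrade; the expected sequence is a non-empty findings list after the standby is upgraded (version and module mismatch), then an empty list once the active unit has been upgraded too. If the version mismatch clears but a slot or interface finding remains, that is the point to stop and investigate rather than proceed.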
As the world’s largest maker of switches and routers, Cisco is upping its game in three of the hottest areas in wireless: SDN, the “Internet of Things” and Wi-Fi.
Cisco has already staked its claim with carriers that are working to virtualize network functionality. Verizon Wireless and AT&T have both named Cisco as a partner in their respective SDN/NFV initiatives.
Also at Cisco Live 2015, the company unveiled new cloud software and partnerships with 35 independent software vendors to help customers leverage the Internet of Things. The company says its Intercloud Fabric has already won more than 100 customers and 65 partners worldwide.
Wi-Fi was also in the spotlight at Cisco Live. Cisco is the world’s leading vendor of Wi-Fi access points.
Cisco said it is seeing broad enterprise adoption of 802.11ac Wi-Fi standard, which is deployed in the 5 GHz spectrum band. The company said that education has been the lead vertical, but that all enterprise sectors are seeing the need for robust and seamless connectivity solutions. Cisco said its new Wave 2 solutions are designed to help enterprise handle the demands of multiple devices at once.
MU-MIMO is a key feature of Cisco’s new access points. The company also added two new wireless controllers (the Cisco 8540 and 5520) and two new switches (the Catalyst 6840-X and the Catalyst 3850 10G Series Switch), one of which includes a programmable data plane, enabling the deployment of software-defined networking services.
More Related Cisco Topics
If you want to design a data center or campus LAN with Cisco products, Cisco has many options, so it is not easy to select the right one for your actual needs. This article only gives an overview; look for more information for your own case. (Note: this article leans towards designs that need L3 features as well, not an L2-only implementation.)
We take the Nexus 5500 option first. The Nexus 5500 (5548P, 5548UP, 5596UP) supports all 4094 VLANs, and all ports are 10G with 1G capability as well. When equipped with the L3 forwarding module it has features that are enough for many situations. The 5548 has 32 fixed ports (plus one module slot for a 16-port module) and the 5596 has 48 fixed ports (plus three slots for 16-port modules). With the Nexus 5500 you at least know in advance how many ports you get when you buy them (compared to modular switches, which have different port densities in different line cards at different oversubscription levels in different generations).
In the Nexus family the important advantage is the FEX selection: remote line cards in top-of-rack implementations. That also brings one major limitation: with current software (NX-OS 5.1(3)N1) only 8 FEXes are supported when the L3 module is used. If you single-home your FEXes you can have a total of 16 FEXes per Nexus 5500 pair (you do implement core switches in pairs, right?). When dual-homing the FEXes the maximum total is of course 8, because all FEXes are seen by both Nexus 5500s.
Nexus 5500 switches have only one supervisor, but Cisco still boasts that it supports ISSU (In-Service Software Upgrade). However, ISSU is not supported with the L3 module installed. Depending on your environment (and your FEXing style, if one can say that) this may or may not be an important factor for you. When dual-homing everything it may not be such a big deal after all.
Also, when comparing Nexus 5500 L3 features with bigger core switches you need to make sure that you know your route and MAC address limitations, as always.
Cisco Catalyst 6500
…Catalyst 6500 is the good old DC and campus core switch. With modern supervisors and line cards it can really kick the frames through the rich services it provides in the same box. Plenty of chassis choices for different installations and requirements, as well as line cards and service modules. Do I need to say more? You can “dual-everything”, use VSS to combine two chassis together and so on. Cat6500 can do almost anything you can imagine. It may not be absolutely the fastest, but hey, if you needed the ultimate raw speed you would have selected Nexus 7000 anyway, you remember? Btw, 160 gigs per slot was announced to be coming for Cat6500 so that gives some picture of the situation.
How about the Catalyst 4500? One user put it like this: “I don’t know Catalyst 4500 very well in core use. My first experiences from Catalyst 4000 were with a separate 4232-L3-whatever module, and it was horrible to configure (CatOS on the supervisor, IOS on the L3 module, internal GEC trunk between those). And Catalyst 4500 (or should I say 4500E?) is totally different: some seven generations’ worth of supervisors (running IOS or IOS-XE), almost as many generations of line cards, different chassis generations, and so on. Current maximum bandwidth per slot seems to be 48 Gbps with Sup7E. The supervisor still does all the forwarding for the line cards. Catalyst 4500 does not provide any separate service modules but it provides a set of IOS features. There are also various chassis sizes. In short: not a very exciting option for a LAN core but it may work well for you.” Well, what is your experience with the Catalyst 4500? Share it with us, please!
The newcomer in Catalyst family is Catalyst 4500-X. They are 1U switches with a small expansion module slot. The base ports (16 or 32) are 1G/10G ports and the expansion module is promised to have 40G ports available later. (But again, your DC is apparently not needing those.) Cat4500-X runs IOS-XE and supports VSS to cluster two switches together. If your access layer is not very wide you could run your core with Cat4500-X.
And then there is more DC-grade stuff:
- Nexus 3000: L2/L3 10G switch but more oriented to low-latency implementations with no special feature requirements
- Catalyst 4948, Catalyst 4900M, and so on: The features are similar to Catalyst 4500 but in smaller box with limited number of interfaces available.
…In fact, there is a lot more to say about Cisco’s core switches. If you have ideas or experience with Cisco core switches, we would be glad if you shared them with us.
More about Cisco switches’ topics you can read here: http://blog.router-switch.com/category/reviews/cisco-switches/
Cisco’s QSFP 40G BiDi (bidirectional) transceiver allows zero-cost fiber migration by reusing the current 10-Gbit/sec cabling for 40-Gbit/sec device connectivity. With duplex LC ports, it enables 100 meters of 40G transmission over OM3, 125 meters over OM4 fiber, and 150 meters over certain “OM4+” fibers.
Migrate to a 40-Gbps data center with Cisco QSFP BiDi technology? Cisco makes the case for its transceiver technology, taking direct aim at “the need for a major upgrade of the cabling infrastructure” when transitioning from 10G to 40G, “which can be too expensive or disruptive to allow data centers to quickly adopt and migrate to the 40-Gbit/sec technology.”
“Existing short-reach transceivers for 40-Gbit/sec connectivity in a QSFP form factor … use independent transmitter and receiver sections, each with 4 parallel fiber strands. For a duplex 40-Gbit/sec connection, 8 fiber strands are required.
Both QSFP SR4 and QSFP CSR4 use MPO 12-fiber connectors. As a result, 4 fiber strands in each connection are wasted.
“With existing QSFP transceivers, each direct connection between two devices requires an MPO-to-MPO 12-fiber cable. In the case of structured cabling with patch panels and fiber trunks, a 40-Gbit/sec connection needs MPO-to-MPO fibers between devices and patch panels, and 4 duplex multimode fibers in the fiber trunk.
“In most of today’s data center networks, the aggregation fiber infrastructure is built for 10Gbit/sec connectivity that either supports direct connections between devices over LC-to-LC multimode fiber or uses LC-to-LC fibers to attach devices to patch panels and provides one duplex multimode fiber in the fiber trunk for each 10-Gbit/sec connection.
“40-Gbit/sec connectivity using traditional 40-Gbit/sec transceivers cannot reuse directly connecting LC-to-LC fibers. It also requires four to six times greater fiber density in the fiber trunks to meet the requirements of a 40-Gbit/sec connection. These characteristics make it expensive for customers to migrate from 10-Gbit/sec connectivity to 40-Gbit/sec connectivity in their existing data centers.
“The Cisco QSFP BiDi transceiver addresses the challenges of fiber infrastructure by providing the capability to transmit full-duplex 40-Gbit/sec traffic over one duplex multimode fiber cable with LC connectors. In other words, the Cisco QSFP BiDi transceiver allows 40-Gbit/sec connectivity to reuse the existing directly connecting 10-Gbit/sec fibers and the existing fiber trunk without the need to add any fibers.”
The technical paper details two deployment scenarios/case studies to emphasize the savings accomplished by eliminating the parallel-optic cabling infrastructure. The first scenario is a 288x40G setup with unstructured cabling. The second is a 384x40G setup with structured cabling. In this second scenario, the paper explains, “Cisco QSFP BiDi technology allows the existing cabling system—including the patch cables, patch panels with MTP/MPO LC modules, and fiber trunks—to be repurposed for 40-Gbit/sec connectivity. In contrast, QSFP SR4 transceivers require new patch cables and patch panels because the connector types differ and the size of the fiber trunk needs to be quadrupled.”
The full paper, “Migrate to a 40-Gbps Data Center with Cisco QSFP BiDi Technology”, can be read at
More benefits you can get from migrating to 40-Gbps Data Center with Cisco QSFP BiDi Technology
• Reuse existing 10GE fiber infrastructure for 40GE migration
• Lower CapEx and installation labor costs
• Minimal disruption to the data center during migration
• Four times the bandwidth over the same fiber plant
• Up to 70% savings over other current solutions
Cisco’s innovative 40-Gbps Quad Small Form-Factor Pluggable (QSFP) bidirectional (BiDi) transceiver is a pluggable optical transceiver with a duplex LC connector interface for short-reach data communication and interconnect applications. By using the existing 10 Gigabit Ethernet duplex MMF fiber infrastructure for 40 Gigabit Ethernet, the Cisco BiDi transceiver offers significant cost savings and simplifies data center upgrading.
The Cisco BiDi transceiver supports link lengths of 100m and 150m on laser-optimized OM3 and OM4 multimode fibers. It complies with the QSFP MSA specification, enabling customers to use it on all QSFP 40-Gbps platforms to achieve high-density 40 Gigabit Ethernet networks.
Use Your Existing 10 Gigabit Ethernet Fiber for 40 Gigabit Ethernet
Whether your cable plant is structured or unstructured, Cisco’s BiDi transceiver delivers significant savings and a smooth migration to 40 Gigabit Ethernet. The Cisco BiDi transceiver enables the use of an existing 10 Gigabit Ethernet fiber plant infrastructure for 40 Gigabit Ethernet, delivering four times the bandwidth over the same fiber plant and up to 70% savings over other current solutions.
For building out new data centers, deploying 40 Gigabit Ethernet for aggregation and core is no longer an option but a requirement to meet today’s data demands. Designing new cable plants using Cisco’s BiDi transceivers offers:
• 75% less fiber and MPO requirements
• Reduced cable sprawl and rack footprints
• Cost savings with the industry’s lowest-priced 40 Gigabit Ethernet transceiver
• Investment protection with future support for 100 Gbps over duplex fiber
Designing your new fiber cable plant with Cisco’s 40 Gigabit Ethernet BiDi transceiver allows you to reduce your fiber requirements and CapEx and OpEx while future proofing your data center for 100 Gigabit Ethernet.
Cisco’s QSFP 40 Gigabit Ethernet BiDi technology removes 40-Gbps cabling cost barriers for migration from 10-Gbps to 40-Gbps connectivity in data center networks. Cisco’s BiDi transceivers provide simpler and less expensive 40-Gbps connectivity compared to other 40-Gbps transceiver solutions. The Cisco QSFP BiDi transceiver allows organizations to migrate their existing 10-Gbps cabling infrastructure to 40 Gbps with little capital investment.
More Related: Move to 40G Today? Yes!
How do you configure a Cisco CSR1000V router to terminate AnyConnect client connections? Namita Sharma (a volunteer in the Cisco Support Community) shared a guide to configuring the Cisco CSR1000V for this. What do you need before you start, and what are the steps? Let’s see…
Firstly, make sure you meet these requirements before you attempt this configuration:
Cisco Cloud Services Router 1000V running IOS XE 3.12 or higher
Cisco AnyConnect Secure Mobility Client 3.x or higher
The guide was written and verified with these components:
Cisco Cloud Services Router 1000V running IOS XE 3.12
Cisco AnyConnect Secure Mobility Client 3.1.05160
Microsoft Windows 7 PC
Network diagram: Configure SSLVPN on Cisco CSR1000V (figure not reproduced here)
1. Configure SSL Server Self-Signed Certificate
# Generate a Rivest-Shamir-Adleman (RSA) key pair with a 2048-bit modulus:
crypto key generate rsa general-keys label anyconnect modulus 2048
# Configure a trustpoint for the self-signed certificate and apply this RSA key pair:
crypto pki trustpoint anyconnectvpn
 enrollment selfsigned
 subject-name CN=126.96.36.199
 revocation-check none
 rsakeypair anyconnect
# Once the trustpoint is configured, enroll the self-signed certificate:
crypto pki enroll anyconnectvpn
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
Note that a self-signed certificate means every AnyConnect client will warn about an untrusted server until you either distribute this certificate to the clients or replace it with one issued by a CA they trust; for anything beyond a lab, use a CA-issued certificate.
2. Upload and Apply the Anyconnect client software
copy tftp://10.0.0.150/anyconnect-win-3.1.05160-k9.pkg flash
Address or name of remote host [10.0.0.150]?
Source filename [anyconnect-win-3.1.05160-k9.pkg]?
Destination filename [anyconnect-win-3.1.05160-k9.pkg]?
Accessing tftp://10.0.0.150/anyconnect-win-3.1.05160-k9.pkg...!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-3.1.05160-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2635734 bytes copied in 4.480 secs (658933 bytes/sec)
# Apply this AnyConnect client image to the configuration:
crypto vpn anyconnect flash:/anyconnect-win-3.1.05160-k9.pkg sequence 1
3. Configure the User Database
aaa new-model
aaa authentication login sslvpn local
aaa authorization network sslvpn local
username Anyconnect password Anyconnect123
The local user here is for the lab. On a production router prefer username ... secret ..., which stores a hash instead of a cleartext (type 0) or reversible (type 7) password, or point the sslvpn lists at RADIUS/TACACS+ instead of local.
4. Configure the VPN pool
# Define the local pool used to assign IP addresses to the clients when they connect:
ip local pool SSL_Client 192.168.10.1 192.168.100.20
5. Define the supported ciphers under SSL Proposal
crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
This list follows the original guide. 3DES and RC4 with MD5 are weak and are there only for old clients; if every client you support can do AES, leave them out and keep only rsa-aes128-sha1 and rsa-aes256-sha1.
6. Create a split-tunnel access-list to be pushed out as a secure route to the Anyconnect clients
ip access-list standard sslvpn-tunnel
 permit 10.0.0.0 0.255.255.255
7. Configure an SSL Policy that defines the ciphers to be supported and the trustpoint to be used during SSL negotiation.
crypto ssl policy sslvpn-policy
 ssl proposal sslvpn-proposal
 pki trustpoint anyconnectvpn sign
 ip address local 188.8.131.52 port 443
 no shutdown
The proposal name must match the one created in step 5 (sslvpn-proposal); the policy will not come up if it references a proposal that does not exist.
8. Create an SSL Authorization Policy locally on the Router with the authorization parameters to be pushed out to the clients
crypto ssl authorization policy sslvpn-auth-policy
 pool SSL_Client
 dns 10.0.0.120
 def-domain cisco.com
 route set access-list sslvpn-tunnel
9. Define the configured authentication and authorization lists under an SSL Profile
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list sslvpn
 aaa authorization group list sslvpn sslvpn-auth-policy
 authentication remote user-credentials
 max-users 100
10. Verify your connection
Once a client connects, you can view the session with show crypto ssl session user Anyconnect detail. The capture below is from a lab in which the profile and policy were named ssl_profile and ssl_policy; with the names used in the steps above you would see sslvpn-profile and sslvpn-policy instead.
show crypto ssl session user Anyconnect detail
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 3.1.05160
Username          : Anyconnect
Num Connection    : 1
Public IP         : 184.108.40.206
Profile           : ssl_profile
Policy            : ssl_policy
Last-Used         : 00:00:06
Created           : *10:00:00.928 UTC Mon Apr 6 2014
Session Timeout   : 43200
Idle Timeout      : 1800
DNS primary       : 10.0.0.120
DPD GW Timeout    : 300
DPD CL Timeout    : 300
Address Pool      : SSL_Client
MTU Size          : 1406
Disconnect Time   : 0
Rekey Time        : 3600
Lease Duration    : 43200
Keepalive         : 30
Tunnel IP         : 192.168.10.2
Netmask           : 0.0.0.0
Rx IP Packets     : 533
Tx IP Packets     : 462
Virtual Access    : 1
CSTP Started      : 00:46:50
Last-Received     : 00:00:06
CSTP DPD-Req sent : 0
Msie-ProxyServer  : None
Msie-PxyOption    : Disabled
Msie-Exception    : None
Split DNS         : None
ACL               : sslvpn-tunnel
Default Domain    : cisco.com
Client Ports      : 49423
Detail Session Statistics for User:: Anyconnect
----------------------------------
CSTP Statistics::
Rx CSTP Frames    : 322     Tx CSTP Frames    : 0
Rx CSTP Bytes     : 63453   Tx CSTP Bytes     : 3423
Rx CSTP Data Fr   : 643     Tx CSTP Data Fr   : 233
Rx CSTP CNTL Fr   : 36      Tx CSTP CNTL Fr   : 0
Rx CSTP DPD Req   : 0       Tx CSTP DPD Req   : 0
Rx CSTP DPD Res   : 0       Tx CSTP DPD Res   : 0
Rx Addr Renew Req : 0       Tx Address Renew  : 0
Rx Dropped Frames : 0       Tx Dropped Frame  : 0
Rx IP Packets     : 167     Tx IP Packets     : 532
Rx IP Bytes       : 8375    Tx IP Bytes       : 18573
CEF Statistics::
Rx CSTP Data Fr   : 0       Tx CSTP Data Fr   : 0
Rx CSTP Bytes     : 0       Tx CSTP Bytes     : 0
Guide from https://supportforums.cisco.com/document/12470701/configure-sslvpn-cisco-cloud-services-router-1000vcsr1000v... More discussion you can read here…
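Two things in the walkthrough above are easy to get wrong and silent when you do: a policy that references a proposal under a different name, and a cipher list that still carries 3DES or RC4/MD5. As an added example (not part of the guide and not a Cisco tool), here is a small checker over the text of the SSL VPN configuration that reports both, plus a cleartext or type-7 local password. The CONFIG fragment is constructed to mirror the steps, with the weak ciphers and the proposal-name mismatch deliberately left in; FIXED is the corrected form. The listening address is a documentation address, not the one in the guide.

```python
# Added config checker for an IOS XE SSL VPN configuration. Example code,
# not a Cisco tool; both fragments below are constructed to mirror the guide.
WEAK_CIPHERS = {"rsa-3des-ede-sha1", "rsa-rc4128-md5"}  # 3DES and RC4/MD5

CONFIG = """\
aaa new-model
aaa authentication login sslvpn local
aaa authorization network sslvpn local
username Anyconnect password Anyconnect123
crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
crypto ssl policy sslvpn-policy
 ssl proposal ssl_proposal
 pki trustpoint anyconnectvpn sign
 ip address local 203.0.113.10 port 443
 no shutdown
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list sslvpn
 aaa authorization group list sslvpn sslvpn-auth-policy
"""

# Same configuration with the three problems corrected.
FIXED = """\
aaa new-model
aaa authentication login sslvpn local
aaa authorization network sslvpn local
username Anyconnect secret Anyconnect123
crypto ssl proposal sslvpn-proposal
 protection rsa-aes128-sha1 rsa-aes256-sha1
crypto ssl policy sslvpn-policy
 ssl proposal sslvpn-proposal
 pki trustpoint anyconnectvpn sign
 ip address local 203.0.113.10 port 443
 no shutdown
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list sslvpn
 aaa authorization group list sslvpn sslvpn-auth-policy
"""


def parse_blocks(config):
    """Group IOS config text into (top-level command, [indented sub-commands])."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def lint_sslvpn(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    proposals, policies, profiles = {}, {}, []
    for cmd, subs in parse_blocks(config):
        words = cmd.split()
        if cmd.startswith("crypto ssl proposal "):
            proposals[words[-1]] = subs
        elif cmd.startswith("crypto ssl policy "):
            policies[words[-1]] = subs
        elif cmd.startswith("crypto ssl profile "):
            profiles.append((words[-1], subs))
        elif words[0] == "username" and len(words) >= 4 and words[2] == "password":
            # 'password' with no type, type 0 or type 7 is cleartext or reversible
            if len(words) == 4 or words[3] in ("0", "7"):
                findings.append(f"username {words[1]}: use 'secret' instead of 'password'")
    for name, subs in proposals.items():
        for sub in subs:
            if sub.startswith("protection "):
                for cipher in sub.split()[1:]:
                    if cipher in WEAK_CIPHERS:
                        findings.append(f"proposal {name}: weak cipher {cipher}")
    for name, subs in policies.items():
        for sub in subs:
            if sub.startswith("ssl proposal ") and sub.split()[-1] not in proposals:
                findings.append(f"policy {name}: proposal {sub.split()[-1]!r} is not defined")
    for name, subs in profiles:
        for sub in subs:
            if sub.startswith("match policy ") and sub.split()[-1] not in policies:
                findings.append(f"profile {name}: policy {sub.split()[-1]!r} is not defined")
    return findings


if __name__ == "__main__":
    for finding in lint_sslvpn(CONFIG):
        print("-", finding)
    print("fixed config findings:", lint_sslvpn(FIXED))
```

Feed it the output of show running-config | section crypto ssl (plus the username lines) after a change; a dangling proposal or policy reference is exactly the kind of mistake that only shows up later as clients failing to connect.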
More Topics Related to Cisco Routers you can visit here…
Modular and Fixed Configuration, these two are the main categories of Cisco Ethernet switches.
Modular switches, as the name implies, let you add expansion modules to the switch as needed, giving the most flexibility to address changing networks. Examples of expansion modules are application-specific modules (such as firewall, wireless, or network analysis), modules for additional interfaces, power supplies, or cooling fans. The Cisco Catalyst 4K and 6K chassis families (Catalyst 6800 Series, Catalyst 6500 Series and Catalyst 4500E Series) and the Cisco Nexus 7000 Series are good examples of modular switches.
Fixed configuration switches have a fixed number of ports and are typically not expandable beyond a small uplink or expansion module. This category is discussed in further detail below. The Cisco Catalyst 2K and 3K families (Catalyst 3850 Series, Catalyst 3650 Series, Catalyst 2960-X Series, and the earlier Catalyst 2960, 2960-C and 2960-S Series), the Catalyst 4500-X, and the Cisco 100/200/220/300/500 Series (100 Series Unmanaged Switches, 200 Series Smart Switches, 220 Series Smart Plus Switches, 300 Series Managed Switches and 500 Series Stackable Managed Switches) are good examples of fixed configuration switches.
The Fixed configuration switch category is further broken down into:
–Unmanaged Switches
This category of switch is the most cost effective for deployment scenarios that require only basic layer 2 switching and connectivity. As such, they fit best when you need a few extra ports on your desk, in a lab, in a conference room, or even at home.
With some unmanaged switches in the market, you can even get capabilities such as cable diagnostics, prioritization of traffic using default QoS settings, Energy savings capabilities using EEE (Energy Efficient Ethernet) and even PoE (Power over Ethernet). However, as the name implies, these switches generally cannot be modified/managed. You simply plug them in and they require no configuration at all.
Cisco 100 Series switches are good examples of this category.
Smart Switches (also known as Lightly Managed Switches):
This category of switches is the most blurred and fastest changing. The general rule is that these switches offer certain levels of management, QoS, security, etc., but are “lighter” in capabilities and less scalable than managed switches, which makes them a cost-effective alternative. As such, smart switches fit best at the edge of a large network (with managed switches in the core), as the infrastructure for smaller deployments, or for low-complexity networks in general.
The capabilities available for this Smart switch category vary widely. All of these devices have an interface for Management – historically a browser-based interface used to be the only way to configure these devices, though nowadays you can manage some of these devices with CLI and/or SNMP/RMON as well. Regardless, these capabilities are lighter than what you will find in their Managed switch counterparts. Smart switches tend to have a management interface that is more simplified than what Managed Switches offer.
Smart switches allow you to segment the network into workgroups by creating VLANs, though with a lower number of VLANs and nodes (MAC addresses) than you’d get with a Managed switch.
They also offer some levels of security, such as 802.1x endpoint authentication, and in some cases with limited numbers of ACLs (access control lists), though the levels of control and granularity would not be the same as a Managed switch.
In addition, Smart switches support basic quality-of-service (QoS) that facilitates prioritization of users and applications based on 802.1q/TOS/DSCP, thereby making it quite a versatile solution.
Cisco 200 Series switches are good examples of this category.
Fully Managed L2 and L3 switches
Managed Switches are designed to deliver the most comprehensive set of features to provide the best application experience, the highest levels of security, the most precise control and management of the network, and offer the greatest scalability in the Fixed Configuration category of Switches. As a result, they are usually deployed as aggregation/access switches in very large networks or as core switches in relatively smaller networks. Managed switches should support both L2 switching and L3 IP routing though you’ll find some with only L2 switching support.
From a Security perspective, Managed switches provide protection of the data plane (User traffic being forwarded), control plane (traffic being communicated between networking devices to ensure user traffic goes to the right destination), and management plane (traffic used to manage the network or device itself). Managed switches also offer network storm control, denial-of-service protection, and much more.
The Access Control List capabilities allow for flexibly dropping, rate limiting, mirroring, or logging traffic by L2 address, L3 address, TCP/UDP port numbers, Ethernet type, ICMP or TCP flags, etc.
Managed switches are rich in features that enable them to protect themselves and the network from deliberate or unintended Denial of Service attacks. These include Dynamic ARP Inspection, IPv4 DHCP snooping, IPv6 First Hop Security with RA Guard, ND Inspection, Neighbor Binding Integrity, and much more.
Additional Security capabilities may include Private VLANs for securing communities of users or device isolation, Secure Management (downloads through SCP, Web-based Authentication, RADIUS/TACACS AAA, etc.), Control Plane Policing (CoPP) for protecting the CPU of the switch, and richer support for 802.1x (time-based, Dynamic VLAN Assignment, port/host-based, etc.).
From a Scalability perspective, these devices have large table sizes so that you can create large numbers of VLANs (for workgroups), devices (MAC table size), IP routes, and ACL policies for flow-based security/QoS purposes, etc.
For the highest network availability and uptime, Managed switches support L3 redundancy using VRRP (Virtual Router Redundancy Protocol), large numbers of Link Aggregation groups (which are used both for scalability and resiliency), and capabilities for protecting L2 such as Spanning Tree Root Guard and BPDU Guard.
When we talk about QoS and Multicast features, the richness of capabilities goes far beyond what you’d see in a Smart Switch. Here you’d see things such as IGMP and MLD Snooping with Querier functions for optimizing IPv4/v6 multicast traffic in the LAN, TCP Congestion Avoidance, 4 or 8 queues to treat traffic differently by importance, setting/tagging traffic by L2 (802.1p) or L3 (DSCP/TOS), and rate limiting traffic.
In terms of Management, things such as multiple ways to configure (using CLI, Web GUI, SNMP Management application), discovery of neighbor devices in the network (using CDP, LLDP, Bonjour, etc.), and troubleshooting capabilities (such as VLAN and Port Mirroring, Traceroute, Ping, Syslog, Cable Diagnostics, RMON, etc.) are all included. What I highlighted is by no means exhaustive, but gives you a sense of what some of the differences may be between Managed and Smart Switches.
Cisco Catalyst and Cisco 300 Series and 500 Series switches are good examples of this category of products.
Managed Switches can go even further than what I’ve highlighted. For example, there’s even richer support for Dynamic Unicast and Multicast Routing protocols, deeper flow intelligence or macro flow statistics with NetFlow/sFlow, Non-Stop Forwarding capabilities, MPLS/VRF support, Policy enforcement, and many others.
Now, to take a deeper dive into these switch categories and talk about various options, you can select the switches based on:
– Number of ports
– POE versus non-POE
– Stackable versus Standalone
You can find Fixed Configuration switches in Fast Ethernet (10/100 Mbps), Gigabit Ethernet (10/100/1000 Mbps), Ten Gigabit (10/100/1000/10000 Mbps) and even some 40/100 Gbps speeds. These switches have a number of uplink ports and a number of downlink ports. Downlinks connect to end users – uplinks connect to other Switches or to the network infrastructure. Currently, Gigabit is the most popular interface speed though Fast Ethernet is still widely used, especially in price-sensitive environments. Ten Gigabit has been growing rapidly, especially in the datacenter and, as the cost comes down, it will continue to expand into more network applications. With 10GBase-T Ten Gigabit copper interfaces being integrated into LOM (LAN on the Motherboard) and 10G-Base-T switches becoming available now (see the new Cisco SG500XG-8F8T 16-port 10-Gigabit switch), building a Storage or Server farm with 10 Gigabit interfaces has never been easier or more cost-effective. 40G/100G is still emerging and will be mainstream in a few years.
Number of ports
Fixed Configuration Switches typically come in 5, 8, 10, 16, 24, 28, 48, and 52-port configurations. These ports may be a combination of SFP/SFP+ slots for fiber connectivity, but more commonly they are copper ports with RJ-45 connectors on the front, allowing for distances up to 100 meters. With Fiber SFP modules, you can go distances up to 40 kilometers.
POE versus non-POE
Power over Ethernet is a capability that facilitates powering a device (such as an IP phone, IP Surveillance Camera, or Wireless Access Point) over the same cable as the data traffic. One of the advantages of PoE is the flexibility it provides in allowing you to easily place endpoints anywhere in the business, even places where it might be difficult to run a power outlet. One example is that you can place a Wireless Access Point inside a wall or ceiling.
Switches deliver power according to a few standards – IEEE 802.3af delivers power up to 15.4 Watts on a switch port whereas IEEE 802.3at (also known as POE+) delivers power up to 30 Watts on a switch port. For most endpoints, 802.3af is sufficient, but there are devices, such as Video phones or Access Points with multiple radios, which have higher power needs. It’s important to point out that there are other PoE standards currently being developed that will deliver even higher levels of power for future applications. Switches have a power budget set aside for running the switch itself, and also an amount of power dedicated to POE endpoints.
To find the switch that is right for you, all you need to do is choose a switch according to your power needs. When connecting to desktops or other types of devices which do not require POE, the non-POE switches are a more cost-effective option.
Stackable versus Standalone
As the network grows, you will need more switches to provide network connectivity to the growing number of devices in the network. When using Standalone switches, each switch is managed, troubleshot, and configured as an individual entity.
In contrast, Stackable switches provide a way to simplify and increase the availability of the network. Instead of configuring, managing, and troubleshooting eight 48-port switches individually, you can manage all eight like a single unit using Stackable Switches. With a true Stackable Switch, those eight switches (384 ports in total) function as a single switch: there is a single SNMP/RMON agent, a single Spanning Tree domain, and a single CLI or Web interface, i.e. a single management plane. You can also create link aggregation groups spanning multiple units in the stack, port mirror traffic from one unit in the stack to another, or set up ACLs/QoS spanning all the units. There are valuable operational advantages to be gained by this approach.
Here’s a word of warning. Be careful about products in the market which are sold as “Stackable” when they merely offer a single user interface, or central management interface, for getting to each individual switch unit. This approach is not stackable, but really “clustering”. You still have to configure every feature such as ACLs, QoS, Port mirroring, etc, individually on each switch. Use the following as a proof point – can I create a link aggregation group with one port in one unit of the stack and another port of that group in another unit of the stack? Can I select a port on one unit in the stack and mirror the traffic to a port on another unit of the stack? When I configure an ACL for Security purposes, can I apply that to any port on any unit in the stack? If the answer is “No” to any of these questions, you’re probably not working with a stackable switch.
There are other advantages of True Stacking as well. You can connect the stack members in a ring such that, if a port or cable fails, the stack will automatically route around that failure, often at microsecond speeds. You can also add or remove stack members and have them automatically recognized and added into the stack.
Cisco Catalyst 2K-X and 3K or Cisco 500 Series Switches are examples of Switches in this category.
As you can see there’s a multitude of switch options to choose from. So, have a close look at your current deployment and future needs to determine the right switch for your network.
It’s so cool that the Cisco Nexus 9000 Series, through its dual-mode capabilities, lets you deploy it as traditional switches within your existing data center network. Cisco Nexus 9000 Series Switches are ideal for small-to-medium-sized data centers and make the next generation of data center switching accessible to customers of any size. And what’s the data center? Why is it so important? The data center infrastructure is central to the overall IT architecture. It is where most business-critical applications are hosted and various types of services are provided to the business. A classic network is the typical three-tier architecture commonly deployed in many data center environments. It has distinct core, aggregation, and access layers, which together provide the foundation for any data center design.
Note: The figure above shows a classic design using the current Cisco Nexus product portfolio, including Cisco Nexus 7000 Series Switches and 2000 Series Fabric Extenders (FEXs). You can use this three-tier design to migrate to the new Cisco Nexus 9000 Series Switches.
Many types of services, primarily firewalls and load balancers, can be integrated into these designs. Careful planning is needed for a smooth migration from this type of hardware and topology combination to the new Cisco Nexus 9000 Series hardware and topology combination.
The main features of the new Cisco Nexus 9000 Series are support for FEX, virtual Port Channel (vPC), and Virtual Extensible LAN (VXLAN). The data center architecture can be deployed in a classic design in which existing design variations are supported, such as the following:
● Data center pods
● Large-scale multitier designs
● VXLAN fabric
More about data center design and Nexus switches, including the Nexus 7000 and Nexus 9000 families, is in the full guide: http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/guide-c07-730115.pdf
Do you know how to use nProbe as a NetFlow-Lite collector? What’s the problem with NetFlow-Lite? What’s the typical nProbe deployment? And how does NetFlow-Lite support work in nProbe? In this article, we will share the main info related to these questions.
• NetFlow-Lite brings visibility to switched networks.
• NetFlow-Lite exports are in v9/IPFIX format and contain packet sections.
• Legacy NetFlow collectors need additional support to understand and analyze NetFlow-Lite flows.
We discussed the Cisco Catalyst 4948E NetFlow-Lite/NFLite before. What’s the difference between NetFlow and NetFlow-Lite? NetFlow-Lite was first introduced with the Catalyst 4948E, and it bridges the gap by providing a lightweight solution that allows capturing of important flow information through packet sampling mechanisms combined with the extensibility of NetFlow version 9 and IPFIX. NetFlow-Lite introduces traffic visibility on the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches for the first time.
NetFlow-Lite collects packets randomly, classifies them into flows, and measures flow statistics as they pass through the switch. It is a true flow-based traffic-monitoring mechanism that conserves valuable forwarding bandwidth when exporting flow-based data for analysis and reporting.
First, a recap of what NetFlow-Lite is used for.
NetFlow-Lite offers network administrators and engineers the following capabilities:
● Unprecedented visibility: NetFlow-Lite provides real-time information about traffic flows from endpoints such as PCs, phones, IP cameras, etc. You can use this information for traffic monitoring of Layer 2 and Layer 3 traffic as well as capacity planning.
● Network planning: You can use NetFlow-Lite to capture data over a long period of time so that customers can understand traffic patterns, top talkers, top applications, etc. This feature provides accurate data to track and anticipate network growth and plan upgrades.
● Simplified troubleshooting: You can use NetFlow-Lite flow-based analysis techniques to understand traffic patterns, which can help in proactively detecting problems, troubleshooting efficiently, and resolving problems quickly.
NetFlow-Lite provides a granular packet-sampling mechanism that is adjustable up to 1:32 and available for all interfaces. The implication is that a subset of all packets passing through the switch is selected for reporting.
NetFlow-Lite on the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches has the following capabilities:
- NetFlow-Lite is supported on all downlink and uplink ports.
- NetFlow-Lite is natively available with no additional hardware required.
- The sampling range is from 1:32 to 1:1022.
- The application measures 16,000 flows per switch.
- Physical ports and VLAN Interfaces (switched virtual interfaces [SVI]) are supported.
- NetFlow-Lite supports ingress flows only.
- Export using the standards-based IP Flow Information Export (IPFIX) or Version 9 record format.
NetFlow-Lite Sampling Techniques
The sampling method of the traffic can be random or deterministic. Random sampling chooses one packet randomly out of a configured sample size, whereas deterministic sampling chooses the first packet out of a configured sample size. For example, for 1:32 sampling, deterministic mode would choose the 1st, 33rd, 65th, 97th, and so on packet coming into an interface, and random mode can choose the 5th, 39th, 72nd, 103rd, and so on packet coming into an interface. Random packet sampling is statistically more accurate than deterministic packet sampling.
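The two sampling modes simulated on a constructed packet stream, as an added example (not code from the page or from Cisco): both samplers pick one packet per window of 32, and scaling the sampled bytes by the sampling interval, as a collector must, shows why a periodic traffic pattern that lines up with deterministic sampling skews the estimate while random sampling does not. Function names and the traffic pattern are my own.

```python
import random

SAMPLE_SIZE = 32   # 1:32, the finest sampling rate the page gives for NetFlow-Lite

def deterministic_sample(n_packets, size=SAMPLE_SIZE):
    """Pick the first packet of every window of `size` packets (0-based indices)."""
    return [i for i in range(n_packets) if i % size == 0]

def random_sample(n_packets, size=SAMPLE_SIZE, rng=None):
    """Pick one uniformly chosen packet from every window of `size` packets."""
    rng = rng if rng is not None else random.Random(2024)   # fixed seed: reproducible demo
    return [rng.randrange(start, min(start + size, n_packets))
            for start in range(0, n_packets, size)]

def estimate_bytes(packet_sizes, chosen, size=SAMPLE_SIZE):
    """Scale the sampled byte count back up by the sampling interval, which is what a
    collector that understands the exported sampler information has to do."""
    return sum(packet_sizes[i] for i in chosen) * size

def periodic_traffic(n_packets, period=SAMPLE_SIZE, big=1500, small=64):
    """Constructed stream: a 1500-byte packet at the start of every `period`, 64 bytes
    otherwise (e.g. a periodic burst whose period happens to equal the sampling window)."""
    return [big if i % period == 0 else small for i in range(n_packets)]

def compare(n_packets=3200):
    """True byte count versus the two sampling estimates on the periodic stream."""
    sizes = periodic_traffic(n_packets)
    return {
        "true": sum(sizes),
        "deterministic": estimate_bytes(sizes, deterministic_sample(n_packets)),
        "random": estimate_bytes(sizes, random_sample(n_packets)),
    }

if __name__ == "__main__":
    for mode, total in compare().items():
        print(f"{mode:14s} {total:>10,d} bytes")
```

Deterministic 1:32 sampling on this stream reports every sampled packet as 1500 bytes and overstates the volume by more than an order of magnitude; the random sampler's estimate stays close to the true 348,400 bytes.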
NetFlow-Lite configuration on the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches
Only 5 steps are needed.
Step 1. Configure a Flow Record, which defines the data collection. You can customize it for specific requirements. You can use the following example with most NetFlow collectors:

flow record v4
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect transport tcp flags
 collect interface input
 collect flow sampler
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

Step 2. Configure a Flow Exporter, which defines where the collected data needs to be sent. Please refer to the NetFlow collector application user guides and manuals for specific details such as port number, differentiated services code point (DSCP), and other options. The configuration follows:

flow exporter Replicator
 description Exporter to Cisco Prime 2.0
 destination 10.2.44.12
 source GigabitEthernet1/0/1
 dscp 16
 template data timeout 60
 option interface-table

Step 3. Configure a Flow Monitor, which binds the flow record and exporter along with options to configure the flow cache:

flow monitor v4
 record v4
 exporter Replicator
 cache timeout active 30

Step 4. Configure a Flow Sampler. Define the sampling technique and sample size. The configuration follows:

sampler v4
 mode random 1 out-of 32

Step 5. Attach the Flow Monitor and Sampler to the interface:

interface GigabitEthernet1/0/1
 ip flow monitor v4 sampler v4 input
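A small consistency check over the five-step configuration, as an added example (not Cisco tooling or code from the page): it parses the indented IOS blocks and flags a sampler outside the 1:32 to 1:1022 range the page gives, a monitor or sampler that the interface references but never defines, and a monitor attached in any direction other than input, since NetFlow-Lite here is ingress-only. The function names, the trimmed sample configuration and its deliberate faults are constructed.

```python
import re

MIN_RATE, MAX_RATE = 32, 1022   # sampling range the page gives (1:32 .. 1:1022); added example, not Cisco tooling

def parse_ios(config):
    """Group IOS-style config into {(block kind, name): [sub-command lines]}."""
    blocks, key = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith(" "):               # indented line belongs to the open block
            blocks[key].append(line.strip())
        else:                                  # "flow monitor v4" -> ("flow monitor", "v4")
            key = tuple(line.rsplit(" ", 1))
            blocks[key] = []
    return blocks

def validate(config):
    """Return the problems found in the sampler / monitor / interface chain."""
    b, problems = parse_ios(config), []
    for (kind, name), lines in b.items():
        for l in lines:
            if kind == "sampler" and (m := re.fullmatch(r"mode \S+ 1 out-of (\d+)", l)):
                if not MIN_RATE <= int(m[1]) <= MAX_RATE:
                    problems.append(f"sampler {name}: 1:{m[1]} is outside 1:{MIN_RATE}-1:{MAX_RATE}")
            elif kind == "interface" and (m := re.fullmatch(r"ip flow monitor (\S+) sampler (\S+) (\S+)", l)):
                for want, ref in (("flow monitor", m[1]), ("sampler", m[2])):
                    if (want, ref) not in b:
                        problems.append(f"{name}: undefined {want} {ref}")
                if m[3] != "input":
                    problems.append(f"{name}: NetFlow-Lite supports ingress flows only")
    return problems

# Constructed config: the page's five-step skeleton with two deliberate faults
# (sampler finer than 1:32, monitor attached in the output direction).
BAD_CONFIG = """\
flow record v4
 match ipv4 source address
flow exporter Replicator
 destination 10.2.44.12
flow monitor v4
 record v4
 exporter Replicator
sampler v4
 mode random 1 out-of 16
interface GigabitEthernet1/0/1
 ip flow monitor v4 sampler v4 output
"""
GOOD_CONFIG = BAD_CONFIG.replace("out-of 16", "out-of 32").replace("v4 output", "v4 input")
```

`validate(BAD_CONFIG)` returns two findings (the 1:16 sampler and the output-direction attachment) while `validate(GOOD_CONFIG)` returns an empty list.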
Reference from http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-x-series-switches/solution_overview_c22-728776.html