Thursday 28 March 2013

UCS C-Series Server data only connection

There are a number of different methods for connecting Cisco C-Series UCS servers back to the Fabric interconnect (FI) depending on the traffic types you want as well as the speed of the link.

UCS C-Series servers generally need two paths back to the fabric interconnects: data and management. I have a feeling there is a way of combining these into one, but as of this point I cannot find it.

One of the scenarios (possibly the cheapest) involves connecting the data connection directly into the FI. The management connection goes through the FEX as normal, and the data connection plugs directly into the FI using an onboard gigabit Ethernet port on the server and a GLC-T optic in the FI. The caveat is that this is data only, with no support for FC / FCoE; for that you would need a PCI-E VIC card in the server.

(CWNCM) Cisco Works Network Compliance Manager HA Licensing

In order to have high availability in a CWNCM environment you need both core licenses and high availability (HA) licenses. This is true for both the core software and also the node licenses.

So for example, if you want to manage 600 nodes and have HA servers you would need the Core and HA software license as well as 600 node and 600 HA node licenses:
CWNCM-1.7-CORE-K9
CWNCM-1.7-HA-K9
CWNCM-1X-INC100
CWNCM-1X-INC500
CWNCM-1X-HAINC100
CWNCM-1X-HAINC500

CiscoWorks Network Compliance Manager 1.7

Installation and Upgrade Guide for CiscoWorks Network Compliance Manager 1.7


Please note CWNCM is now end of life, but I'm keeping note of this just in case... The recommended replacement is either Cisco Prime or HP's Network Automation; CWNCM is an OEM version of HP's Network Automation product.
http://www.cisco.com/en/US/partner/prod/collateral/netmgtsw/ps6911/ps6923/end_of_life_notice_c51-716755.html

6500 X6700, X6800, X6900 line card inter-operation

When deploying line cards and supervisors into a 6500 series chassis there are a number of things to consider. One of these is which line cards you will use and how they will actually operate.

This post specifically talks about the Sup2T, because the older Sup720s are pretty much end of life, and if you are still getting hold of them for whatever legacy / governance reasons you probably know all about them anyway. From here on out, all references in this post assume we are using a Sup2T.

When deploying a 6500 chassis with a Sup2T you have the choice of the following line cards: X6700, X6800, X6900 and select X6100. The only X6700 which isn't compatible is the WS-X6708-10G.

Older DFCs (the DFC, DFC2 and DFC3x) are not compatible. This is because a DFC uses the same architecture as the PFC on the supervisor, and the Sup2T uses a different PFC architecture to older Sups: the Sup2T has a PFC4, so only DFC4s can operate with it. X6700 cards fitted with a DFC3x will have to be upgraded to DFC4s and will then function in dCEF720 mode.

- X6100 line cards will function in "classic mode".
- X6700 line cards which are equipped with a CFC will function in CEF720 mode.
- X6700/X6800 line cards equipped with a DFC4 will function in dCEF720 mode.
- X6900 line cards which are equipped with a DFC4 will function in dCEF2T mode.

X6700 line cards which are upgraded with DFC4 will be functionally equivalent to X6800 line cards but still shown as X6700 as an identity.

- CEF720 mode has 1 or 2 x 20Gbps connections to the switch fabric for data forwarding and a connection to the 32Gbps shared bus for control traffic.
- dCEF720 mode doesn't connect to the shared bus, just the 2 x 20Gbps switch fabric channels. dCEF720 mode has a top throughput of 40Gbps because of the fabric channels; make a note of this when calculating oversubscription ratios.
- dCEF2T mode supports 2 x 40Gbps channels to the switch fabric.
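The mode rules and fabric figures above, encoded as a small planning helper that also works out the front-panel-to-fabric oversubscription ratio the post says to keep in mind. This is an added example, not something from the post or from Cisco; the only real model number in it is the WS-X6708-10G named above, and the other card definitions (port counts, speeds, model labels) are constructed placeholders for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rules from the post, for a chassis running a Sup2T supervisor.
INCOMPATIBLE_CARDS = {"WS-X6708-10G"}   # the one X6700 the post says cannot run behind a Sup2T


@dataclass
class LineCard:
    model: str          # SKU, or a constructed label for the samples below
    family: str         # "X6100", "X6700", "X6800" or "X6900"
    engine: str         # forwarding engine fitted: "CFC", "DFC3..." or "DFC4..."
    ports: int          # front-panel port count (constructed for the samples)
    port_gbps: float    # speed of each front-panel port
    fabric_channels: int = 2   # CEF720 cards attach to 1 or 2 x 20 Gbps channels


def forwarding_mode(card: LineCard) -> str:
    """Mode the card runs in behind a Sup2T, or ValueError if the post rules it out."""
    if card.model in INCOMPATIBLE_CARDS:
        raise ValueError(f"{card.model} is not supported with the Sup2T")
    # Any DFC older than the DFC4 shares the pre-PFC4 architecture and must be upgraded.
    if card.engine.startswith("DFC") and not card.engine.startswith("DFC4"):
        raise ValueError(f"{card.engine} on {card.model} must be upgraded to a DFC4")
    if card.family == "X6100":
        return "classic"
    if card.family == "X6700" and card.engine == "CFC":
        return "CEF720"
    if card.family in ("X6700", "X6800") and card.engine.startswith("DFC4"):
        return "dCEF720"
    if card.family == "X6900" and card.engine.startswith("DFC4"):
        return "dCEF2T"
    raise ValueError(f"the post gives no rule for {card.family} with a {card.engine}")


def fabric_gbps(card: LineCard) -> Optional[float]:
    """Data-plane bandwidth into the crossbar fabric for the card's mode."""
    mode = forwarding_mode(card)
    if mode == "classic":
        return None                      # shared-bus only; the post gives no fabric figure
    if mode == "CEF720":
        return 20.0 * card.fabric_channels   # 1 or 2 x 20 Gbps
    if mode == "dCEF720":
        return 40.0                      # 2 x 20 Gbps, the ceiling the post warns about
    return 80.0                          # dCEF2T: 2 x 40 Gbps


def oversubscription(card: LineCard) -> Optional[float]:
    """Front-panel capacity divided by fabric capacity (e.g. 4.0 means 4:1)."""
    fabric = fabric_gbps(card)
    if fabric is None:
        return None
    return (card.ports * card.port_gbps) / fabric


def plan(cards: List[LineCard]) -> Dict[str, Tuple[str, Optional[float]]]:
    """Map each card to (mode, oversubscription); incompatible cards map to ('unsupported', None)."""
    result = {}
    for card in cards:
        try:
            result[card.model] = (forwarding_mode(card), oversubscription(card))
        except ValueError:
            result[card.model] = ("unsupported", None)
    return result


# Constructed sample cards (labels and port counts are placeholders, not real SKUs,
# except for the WS-X6708-10G which the post names as incompatible).
SAMPLE_CARDS = [
    LineCard("WS-X6708-10G", "X6700", "DFC3", 8, 10.0),        # ruled out by the post
    LineCard("sample-6700-48x1G-cfc", "X6700", "CFC", 48, 1.0),  # CEF720, 2 channels
    LineCard("sample-6800-16x10G-dfc4", "X6800", "DFC4", 16, 10.0),  # dCEF720, 40 Gbps cap
    LineCard("sample-6900-16x10G-dfc4", "X6900", "DFC4", 16, 10.0),  # dCEF2T, 80 Gbps
    LineCard("sample-6100-48x1G", "X6100", "CFC", 48, 1.0),        # classic, bus only
]

if __name__ == "__main__":
    for model, (mode, ratio) in plan(SAMPLE_CARDS).items():
        shown = "n/a" if ratio is None else f"{ratio:.2f}:1"
        print(f"{model:28s} {mode:12s} oversubscription {shown}")
```

The useful output is the ratio column: the same 16 x 10G front panel is 4:1 oversubscribed in dCEF720 mode but 2:1 in dCEF2T mode, which is exactly why the 40Gbps ceiling matters when you size an X6700/X6800 card for a Sup2T chassis.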

Sup2T switch crossbar fabric:
The Sup2T has 26 fabric channels which each run at 40Gbps, or 20Gbps to provide backwards compatibility with X6700 and X6800 line cards. Each line card slot has 2 dedicated fabric channels, so even a 6513 chassis has the full bandwidth available to each slot. N.B. In a 6513-E chassis slots 7 and 8 are sup-only slots because they get only one channel each. The reason for this is that 2 channels are used to connect to the fabric ASIC and bridge ASIC, leaving only 24 channels for slots; but as it is designed in this way the line cards are never affected and always get the full 2 channels each.

This image was taken from the Cisco Sup2T architecture white paper linked below.

The Sup2T architecture white paper is a fantastic resource, well worth reading:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-676346.html

The other architecture document worth reading is older and covers the Sup720; still interesting:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html

ASA Mobile Device license

The mobile devices license on ASA appliances allows mobile devices to use a VPN tunnel to connect back to the ASA. It's an "enabling / feature license", so rather than purchasing one per user you purchase it for the ASA just once. It must be used in conjunction with AnyConnect Essentials or AnyConnect Premium. Essentials is another example of an "enabling license": you purchase it once and you get the full number of basic VPN tunnels available on your box. Premium is a per-user license; you purchase the number of Premium user licenses required for your number of users.

An example of these licenses combined would be:
An ASA5550 with 1000 devices, which could be mobile devices, laptops, desktops etc. You would require:
The Appliance:
1 x ASA5550-BUN-K9
The SSL Premium Licenses or Essential Licenses:
1 x ASA5500-SSL-1000 or 1 x ASA-AC-E-5550
And the Mobile Devices License
1 x ASA-AC-M-5550 

If using Premium SSL licenses the number can be raised or lowered depending on the number of users you have; the mobile license would be unaffected, you purchase this once and that's that.

On a side note, AnyConnect Essentials and Premium are mutually exclusive; you cannot have both, you either have Essentials VPNs or Premium VPNs.

NCS Wireless device licenses

Based on the documents below, WLCs do not take up licenses in NCS.

WLCs do not count against NCS license count.

Cisco Prime NCS 1.1 Deployment Guide

For example, for a deployment comprising 280 APs and 6 WLCs, just purchase enough licenses to cover the 280 access points. You can either go with 1 instance of the 100 Base license 'R-PI-1.1-100-K9' and then, under the Add On option, 2 instances of the 100 Add On licenses to come up with 300 licenses, or go with the 500 user license 'R-PI-1.1-500-K9' to have room for more devices as your network expands.

Other devices which do not take up NCS license count would be: WLCs, Autonomous APs and MSEs. These devices are not licensed, but they do need to be counted against the 'scalability' of the appliance.

WLC Old Licensing

For the longest time before, Cisco had 2 separate SKUs for Base and PLUS licenses on WLC but it all changed with the 6.0.196 code.

"Before 6.0.196, licenses were separated into BASE and PLUS types.—With 6.0.196 and all later code (including 7.0 releases), all features included in a Wireless LAN Controller Wplus license are now included in the base license."

Understanding Cisco 5508 Wireless LAN Controller Licensing

Thus, the licenses bundled along with the WLC at the initial order (for example AIR-CT5508-100-K9, which has both the 5508 hardware and the 100-AP count license) already have the 'PLUS' features on them. This removes the additional cost of the PLUS license for these features:
•Office Extend AP
•Enterprise Mesh
•CAPWAP Data Encryption 

WCS / Prime NCS Location tracking perimeter

WCS doesn't have the ability to locate wireless devices or to set up a perimeter. For location tracking you need to use the Mobility Services Engine (MSE).

http://www.cisco.com/en/US/prod/collateral/wireless/ps9733/ps9742/data_sheet_c07-473865.html

Prime Infrastructure is exactly the same: the MSE is still required for location tracking.

The latest version of Prime Infrastructure, which is 1.3 (28/03/2013), still requires MSE for location services. Refer to the links below for the components of a Cisco Context-Aware Mobility Solution.

“The Location Analytics Service analyzes wireless device location information in a particular network. The Location Analytics Service uses the data provided by the Cisco Mobility Services Engine (MSE) to calculate the location of Wi-Fi devices in the Wireless Local Area Network (WLAN).”

Q. Which WLC and Prime infrastructure versions do I need for Advanced Location Services?
A. You need 7.2 release or above on your WLAN controller and software version 1.3 or above for Prime infrastructure.

Cisco Wireless LAN Controller licensing and 2500 / 5500 WLC difference

The 2500 and 5500 series controllers don't support shared licensing, so we need to make sure that both controllers have the same number of licenses, enough to support the required number of APs. I've touched on this previously.

Other than the number of APs each controller can support, some of the differences are:

- Link aggregation group
- Guest services (wired)
- Guest anchor
- Greater number of WLANs
- Greater number of access points groups
- Greater AP scalability

A more complete comparison can be found here:


Other than this they are pretty similar and use the same code.

Cisco Security Manager CSM4.0 to 4.3 upgrade


Upgrading from version 4.0 to 4.3 is a minor upgrade and as such will be covered by a support contract.

If the customer does not have a valid software support on their existing CSM 4.0, then it will be chargeable.

Please check the links below for your reference:
http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps5739/ps6498/qa_c67-711959.html

ACS Licensing and deployment sizes


The Large Deployment license is required per deployment if the deployment will control more than 500 nodes. If you had more than 500 AAA client devices (talking about switches, routers, etc. and not end-hosts or end-users), then you would need ONE Large Deployment license PER DEPLOYMENT.

If the customer has two ACS servers in the same deployment, so one of them is a primary and the other is a secondary and they synchronize between each other, this is a deployment. A primary and all the secondary ACS servers that are kept in synchronized status by the primary constitute a deployment.

The rule is the following: if there are more than 500 AAA clients (networking devices) in the same deployment, then they would need a Large Deployment license installed on the primary ACS.

If they didn't want to buy the Large Deployment license, then they would need to create two separate deployments each having a primary server only. However in this case there would be no configuration synchronization between the two servers so each and every user, policy and other settings must be configured on both appliances manually.

WCS Plus licenses, does this replace the Location License?


The PLUS license includes location services, but also supports HA and more:
Cisco WCS PLUS includes all WCS Base features plus the ability to track location of a single Wi-Fi device such as a client, tag, or rogue access point on demand (limited location), N:1 High Availability (HA) for WCS servers, and Cisco 3300 Series Mobility Services Engine (MSE) management which can expand location capabilities by adding Cisco Context-Aware Software to simultaneously track up to 18,000 assets.

Please note for upgrades: Cisco WCS PLUS license products introduced in release 5.2 are backward compatible with existing Cisco WCS Location and Enterprise licenses.

Source: http://www.cisco.com/en/US/prod/collateral/wireless/ps5755/ps6301/ps6305/product_data_sheet0900aecd804b4646.html

Chances are this information is less useful nowadays with WCS being replaced by Prime NCS. WCS is still available as a product, but the newest APs and controllers (1600, 2600, 3600 for example) are only supported on Prime NCS.

FL-CME-SRST-5 On Cisco 2811 router


Unfortunately you can’t use the FL-CME-SRST-5 license on a Cisco 2811 router. You will need one of these instead: FL-SRST-25, FL-SRST-35, FL-SRST-50, and so on up to 250 users. The minimum is 25 for the Cisco 2811.

http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/vcallcon/ps2169/data_sheet_c78-520521.html

This is a sad face for me :( I'm still planning to upgrade my 2811 at home to run CCME and I'll need to buy some licenses to do this; looks like the start will be 25 though, rather than the 5 I wanted to start with.

Unity Connection 8.5

This was another bit of information that is now obvious to me. But once upon a time I was unsure. So I'm putting the snippet up in case anyone else finds it useful.

Unity Connection 8.5

All user and interoperability functions are offered under a single, low-cost user license that you can use for either voicemail or integrated messaging. Port capacity, failover and redundancy licensing, and Speech Connect for Cisco Unity Connection are included in this base license.

So basically, voicemail licenses are already included in the base licenses, so you don't need to purchase voicemail licenses anymore.

Please refer to this link for further information:
Cisco Unity Connection 8.5 (Go to Licensing Section)
http://www.cisco.com/en/US/prod/collateral/voicesw/ps6789/ps5745/ps6509/data_sheet_c78-634096.html

VS-6509 Common Criteria Certification for EAL3

So this was a question I had to punt to the partner helpline and below is the response I got:

Below is what I have found, but I believe this is the document where you found the certificate for 12.2(18)SXF11.

Industry Solutions - Common Criteria
http://www.cisco.com/web/strategy/government/security_certification/net_business_benefit_seccert_common_criteria.html

Below is some information I found from our internal resources regarding Common Criteria:

There is no targeting for new Common Criteria update for Sup720 at this time. We will have to rely on 12.2(33)SXF with the Sup720-3B. For a new round of Common Criteria, we are targeting the Sup2T by June 2012. The EAL4 designation is no longer being certified in the US and several other Common Criteria certifying countries like UK, Australia, etc. so we will have to go with what is offered in the US which is a EAL1/EAL2 based Network Device Protection Profile Common Criteria Certification. So going forward, the EAL4/3/2/1 designations won't mean anything with relation to Common Criteria.

You can refer to the link below for more information.

Security Requirements for Network Devices
http://www.commoncriteriaportal.org/files/ppfiles/pp_nd_v1.0.pdf

Hopefully this won't be too relevant any more because the Sup720 is end of life and the Sup2T is the way forward, but it's good to keep a note of it!

Cisco Multi WLC Redundancy


Firstly, there is no license needed for WLC high availability except for the AP count license; the feature is inherently available on the box as long as you have enough AP licenses. You can use the WLC for redundancy; please check the links below for the configuration example, best practices and FAQ.

WLAN Controller Failover for Lightweight Access Points Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008064a294.shtml#c4

Wireless LAN Controller (WLC) Configuration Best Practices
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080810880.shtml

Wireless LAN Controller (WLC) Design and Features FAQ
http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml

WLCs need to have enough AP licenses to cater for all the access points should a single controller fail. There is currently no option of sharing AP licenses from one WLC to another WLC. An example of this is if you have an environment with 1000 APs and 3 WLCs you would have to license each for 500 APs. This is to cater for the event of a single WLC failure: there will still be 1000 AP licenses between the remaining operational WLCs. If you have a particularly mission critical wireless environment you might consider 4 WLCs each licensed with 500 APs. This way you can lose 2 WLCs without incurring any wireless AP outage.
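The sizing rule in the paragraph above, generalised: because AP licenses cannot be shared between controllers, each WLC must carry enough licenses that the survivors of the worst tolerated failure still cover every AP. This is an added example, not code from the post or from Cisco; the function names and the sample scenarios are my own, and it does not attempt to map the result onto Cisco's actual AP-count license SKUs.

```python
import math
from typing import Dict, List


def licenses_per_wlc(total_aps: int, wlc_count: int, tolerated_failures: int) -> int:
    """AP-count license each WLC must hold so that after `tolerated_failures`
    controllers are lost, the remaining WLCs together still license every AP."""
    if total_aps < 0 or wlc_count < 1 or tolerated_failures < 0:
        raise ValueError("AP count must be >= 0, at least one WLC, failures >= 0")
    survivors = wlc_count - tolerated_failures
    if survivors < 1:
        raise ValueError("cannot tolerate losing every controller")
    # Licenses are per controller and not shareable, so divide the AP estate
    # across the survivors and round up to whole APs.
    return math.ceil(total_aps / survivors)


def surviving_capacity(per_wlc: int, wlc_count: int, failed: int) -> int:
    """Licensed AP capacity left once `failed` controllers are down."""
    return per_wlc * max(wlc_count - failed, 0)


def design_holds(total_aps: int, wlc_count: int, per_wlc: int, tolerated_failures: int) -> bool:
    """True if every failure count from 0 up to the tolerated number still covers all APs."""
    return all(
        surviving_capacity(per_wlc, wlc_count, f) >= total_aps
        for f in range(tolerated_failures + 1)
    )


def failure_table(total_aps: int, wlc_count: int, per_wlc: int) -> List[Dict[str, int]]:
    """Capacity and shortfall for each possible number of failed controllers."""
    rows = []
    for failed in range(wlc_count + 1):
        capacity = surviving_capacity(per_wlc, wlc_count, failed)
        rows.append({
            "failed": failed,
            "capacity": capacity,
            "shortfall": max(total_aps - capacity, 0),
        })
    return rows


def licenses_purchased(wlc_count: int, per_wlc: int) -> int:
    """Total AP licenses bought across the estate (the price of non-shareable licensing)."""
    return wlc_count * per_wlc


if __name__ == "__main__":
    # Constructed scenarios; the first two are the post's own 1000-AP examples.
    for aps, wlcs, failures in [(1000, 3, 1), (1000, 4, 2), (1000, 2, 1), (250, 3, 1)]:
        per = licenses_per_wlc(aps, wlcs, failures)
        print(f"{aps} APs, {wlcs} WLCs, survive {failures} failure(s): "
              f"{per} licenses per WLC, {licenses_purchased(wlcs, per)} bought in total")
        for row in failure_table(aps, wlcs, per):
            print(f"   {row['failed']} down -> capacity {row['capacity']}, shortfall {row['shortfall']}")
```

The failure table is the part worth reading when you present a design: it shows at which failure count the estate first falls short, and the total-purchased figure makes the licensing overhead of N+1 versus N+2 explicit (for 1000 APs, 3 WLCs at 500 each buys 1500 licenses; 4 WLCs at 500 each buys 2000).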

CP7937 IP phone UCL Licenses


The type of license that the 7937 conference phone uses is the Enhanced license for UCL.

Cisco Unified IP Phones Guide
http://www.cisco.com/en/US/partner/prod/collateral/voicesw/ps6788/phones/ps7193/guide_c07-685702_ps379_Products_Data_Sheet.html


This is another question that, after doing much more with IPT, I now know where to find the answer to: the license types of pretty much all the phones are in the IP Phone Comparison Matrix, which is the place to go for this:

http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps7193/guide_c07-685702_ps10451_Products_Data_Sheet.html


ASA Services module Code version 8.4 and below

Version 8.4 and before isn't available on the ASA services module, only version 8.5 onwards. So if you want to deploy version 8.4 or below then you will need a physical ASA appliance.

Release Notes for the Cisco Catalyst 6500 Series ASA Services Module, 8.5(x)
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn85.html

ISE Sizing on Virtual Machines


The current ISE VM performance/scalability guidelines are based on the ISE appliance configuration (i.e. similar configuration yields similar results). If you have the same VM requirements as the appliance has, it will have the same results. As an example 3315 can support up to 3,000 concurrent endpoints, 3355 can support up to 6,000 concurrent endpoints and 3395 can support up to 10,000 concurrent endpoints.

Below are the documents you need for reference. Installing the Cisco ISE System Software on a VMware Virtual Machine. See Table 4-1 Minimum VMware System Requirements
http://www.cisco.com/en/US/docs/security/ise/1.0.4/install_guide/ise104_vmware.html
**Update 10/01/2014
http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_vmware.html

Introducing the Cisco ISE Hardware. See Cisco ISE 3300 Series Appliance Hardware Summary
http://www.cisco.com/en/US/docs/security/ise/1.0.4/install_guide/ise104_ovr.html
**Update 10/01/2014
http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_ovr.html


So just to recap the maximum number of end points on the virtual appliance is 10,000 but it depends on the amount of resources allocated to that virtual appliance as to what can actually be supported.
If the virtual appliance only has a similar amount of resources as the physical 3315 appliance then it will only handle 3,000. And the same is true for the 3355 etc.

**Updates 10/01/2014
It's worth noting the ISE hardware has recently been updated, the appliances are now the SNS 3400 series and below is a link to the hardware specification:

LIC-CM-DL e-delivery version


The Electronic Delivery Part Number for LIC-CM-DL-10 is L-CM-DL-10=.  This would not require a Top Level Part Number.

I'm not sure why I couldn't find this originally, but I'm putting it in here because even though it's simple information I saved it for a reason and might well need it one day.

Please check the link for your reference.
Electronic License Delivery (ELD) SKUs
http://www.cisco.com/web/tsweb/edelivery/pilot/SKUS.pdf

CD-3560-EMI= Electronic Delivery


CD-3560-EMI= Electronic version

There is no electronic delivery option for the 3560 upgrade to IP Services. This is presumably because the 3560 is end of life now so there is no point creating a new electronic delivery part, so I understand the reasoning. It just means you can't upgrade a 3560 IOS in a hurry, not officially anyway.

Cisco Catalyst 3560 Series Switches Data Sheet
http://www.cisco.com/en/US/partner/prod/collateral/switches/ps5718/ps5528/product_data_sheet09186a00801f3d7d.html

VSS on the 7600


Q1/ Can you please tell me if the 7600 chassis supports VSS? If I were to get 2 x VS-SUP720-10G supervisors, could I configure the 7600 with VSS?

A1/ Yes, the 7600 chassis supports VSS using the VS-SUP720-10G supervisor; please refer to table 1 at the following link:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet09186a0080159856_ps2797_Products_Data_Sheet.html

LAN only versions of IOS


It seems that LAN-only IOS streamlines the code by removing support for WAN interface modules (the 6500/7600 FlexWAN modules and Optical Services Modules (OSMs)):

https://supportforums.cisco.com/message/136460#136460

March 2013 Update

So another 4 months have passed without an update... whoops!

I started this blog hoping to have it as a central repository for study notes etc, but it turns out I study better uninterrupted and writing things down, so I never get round to updating the blog... hmm.

So I'm trying a new approach... Every time I run into a question I don't know the answer to I keep the information as an email and store it that way. This is getting unwieldy and difficult to search; I can't tell you how many times I've hit control+F in Outlook only for it to forward the email rather than find... why is there no decent search system in Outlook! Agh.

What I intend to do is store all my discoveries and question answers here. The primary reason is the searchability of the Blogger platform, it's really good! And secondly it's public so hopefully this will help others too.

I'm going to upload all my old emails here initially so there will be a lump upload of information at first, and then hopefully further queries will trickle through steadily.

So going forward there will be less exam specific / focused material and more just general information and useful tidbits which you may or may not already know.