Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Fortify Your LAN with Cisco Catalyst Switching - FAQ from live webcast

Vaibhav Katkade is a product manager in Cisco's Enterprise Networking Group  covering Cisco TrustSec and identity-based solutions on the Cisco Catalyst switching and ISR/ASR series routers. Prior to this, he was a software engineer on the Cisco Catalyst 4500 Series switching team, with experience on Layer 2 protocols, Layer 3 forwarding, Power over Ethernet, and system management. He has also worked as a software engineer at a WAN optimization startup, working on data deduplication algorithms. He has his master’s degree in electrical engineering from the University of Southern California (USC).



General Questions:

Q: What is EVN?

A: EVN stands for Easy Virtual Network. Refer to the Easy Virtual Network web page for more information. 

Q: What if a user keeps moving up and down the floor and gets the wireless device connected to different Access Point (AP) - will Bring Your Own Device (BYOD) track that too?

A: If the user is in the same mobility domain, then the client's state machine will be maintained in the Wireless controllers, if not a reauthentication is necessary.

Q: What if a user keeps moving up down the floor and gets it wireless device connected to different AP,Will BYOD maintains a track of that too?

A: If the user is in the same mobility domain, then the client's state machine will be maintained in the Wireless controllers; if not, a re-authentication is necessary.

Q: ­How does Switched Port Analyzer (SPAN) treat MAC Security (MACSec) traffic? Is it copied encrypted or unencrypted?­

A: ­SPAN succeeds the MACSec process. MACSec is a hop-by-hop (one hop) encryption protocol. When an encrypted frames hits the mirrored port, it is decrypted and then subjected to SPAN.­

Q: ­Is it possible to implement TrustSec with the Access Control System (ACS)? How does it work?­

A: ­Yes, Trustsec can be implemented with the Cisco Secure ACS to some extent. The Security Group Tags can be sent from ACS for authorization.­

Q: ­If you use open mode, what specific method do you use in order to find/fix all of the bad authentications from the authentication reports?­

A: ­Yes, you can look at the failed authentications/report that provides network device information, the interface, and the MAC address of the end user device that failed authentication.­ The switches do track authentication sessions in monitor mode. However, for centralized visibility on all failed and passed authentication, the RADIUS server is the tool.­

Q: What is monitor mode with Trustsec?

A: ­Monitor mode for TrustSec is in the road-map and not currently committed against a release. Right now, monitor mode is available only for dot1x­.

Q: What does MAB stand for?

A: MAB stands for Mac Authentication Bypass.

Q: Is the global identity template feature available in Cisco IOS Version 12.2.55?­

A: ­No. The interface template will be available in the 15.2(2)E Release that is due next quarter. The global identity template is a work in progress and is part of the road-map for the release due at the end of 2014. Contact me if you need a version for the global identity template.

Q: Are there any limits for the max security groups?

A: ­Security groups, identified by Security Group Tags (SGTs), are 16-bit numbers. So, you can potentially have 2(16) Security Groups.­

Q: Does Cisco have an Netflow appliance yet?

A: Yes. Cisco has the 3000 series Netflow appliances. For more information, refer to the Cisco NetFlow Generation 3000 Series Appliances web page.

Q: ­How can you assure users that they will be allowed into the network only from predefined devices?­

A:  One way to do this is to use certificates issued by the Active Directory (AD) and make sure to verify the device certificate during login. The other way is to use MAC Authentication Bypass (MAB) for the device verification and the userid for the user verification.

You can also do this with Extensible Authentication Protocol (EAP) Chaining.  Refer to TrustSec How-To Guide: Deploying EAP Chaining with AnyConnect NAM and Cisco ISE for more information.  

Q: Where does Sourcefire fit into this?

A: ­Sourcefire Intrusion Prevention System (IPS) primarily performs perimeter security.

Q: Will Cisco Prime accept Flexible Netflow flows?

A: Yes, Cisco Prime Assurance has a Flexible NetFlow (FNF) collector.


Identity Services Engine (ISE):

Q: Prime and ISE the same?

A: ­No, Prime is the management tool, the Network Management Suite (NMS), and ISE is the policy server, which handles Authentication, Authorization, and Accounting (AAA)­.

Q: ­During research to implement wired 802.1x authentication with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) (Certs) and ISE Version 1.2-6 and also to migrate from Microsoft Windows XP to Microsoft Windows 7, the documentation for TrustSec and the ISE seemed to indicate that TrustSec was outdated.  Is TrustSec obsolete?

A: No TrustSec is not obsolete.

Q:  Is Switch Cisco IOS Version 15.x required for profiling or is Cisco IOS Version 12.2.55 the ISE basic requirement?­

A: ­You need 15.X for the Device sensor, which enables profiling in terms of efficiency. The ISE can profile for end points with various other means (SNMP, DHCP, HTTP) from switches with earlier versions too.­

Q: ­What ports does it pass this data on? There might be a number of firewalls in the way­. Is this about device profiling?­

A: ­If profiling is done with a device-sensor, then only RADIUS packets are used. If you choose conventional methods, then the respective traffic type, like HTTP/SNMP/DHCP, has to be redirected to ISE, and if a firewall is in between, these packet types should be permitted­.


Q: ­When is MACSec due to be released for Cisco Catalyst 3850/3650 (3XK) Series Switches?

A: It is already available for 3XK on all ports and service modules except the network modules with the IP Base license.­ For the Cisco Catalyst 3850 Series Switch, MACSec support (switch-switch) will be available in Q42014­.

Q: Will we discuss the WS-C4500X?

A: ­This session does not focus on the C4500X in particular. 

Q: Is it true that Cisco Catalyst 3650 Series Switches have support but no real functionality yet. Is a software release needed?­

A: ­For the Cisco Catalyst 3850/3650 Series Switches, MACSec is not available yet. However, its hardware-capable software release is planned in a later release at the end of this year.­