06-02-2013 05:13 PM - edited 03-07-2019 01:41 PM
Hello,
With the recent release of Cisco 3850 to support One PK, just wondering if this can be enabled for OnePK out of the box. I believe the IOSd release is 15.x and just wondering if there is any guide available to enable the switch for OnePK. Also, is there any special license required for enabling OnePK or will IP Services license feature suffice?
Thanks and Regards,
Mohan
06-02-2013 06:06 PM
Hi Mohan,
Looking at the Q&A for the 3850 series, there are the 3 types of licenses (LAN Base, IP Base and IP Services) which is the same as the 3750X series switches. So, I am not sure what exact license you need for the OnePK feature, but I guess if you have IP Services, then you are good to go. I have a couple of 3850s with IP services under my desk at work. Let me know if you want me to look for any specific feature/command, etc...
table-2 in this link goes over the licenses and their features:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/qa_c67-722110.html
HTH
Reza
06-02-2013 06:23 PM
Hi Reza,
Thanks very much indeed. It would be great if you can try the following: these are the enabling commands for the ISR G2 routers 29xx, 39xx for One PK, and the requirement is to run cxxxx-universalk9-mz.SPA.153-2.T.bin on the ISR G2 platforms for OnePK support.
Here are the steps:
Enable onePK on your router. The onePK infrastructure is disabled by default on your router. To enable it, you must choose a communication method and then connect to the router console and issue a set of commands through the IOS CLI.
Choose one of the following options:
Option 1 – Unencrypted communication between the router and onePK applications Using the onep transport socket communication option means that all communication between the onePK application and the router, including router userids and passwords used to authenticate the onePK application to the router will be sent unencrypted or “in the clear.” Note: onep socket communication is very similar to using telnet to administer a router. Therefore, great care must be taken to ensure the communication path between the onePK application and the router cannot be intercepted and the socket communication traffic to the router is allowed only from the specific hosts running the onePK applications. See the Cisco Guide to Harden Cisco IOS Devices for more information on restricting traffic to/from your router.
If you accept the security risks of unencrypted communication, enable onep transport socket as follows:
router> enable
router# configure terminal
router(config)# onep
router(config-onep)# transport socket
router(config-onep)# start
router(config-onep)# exit
Option 2 – Encrypted communication between the router and onePK applications The onep transport TLS communication option enables the onePK application to communicate with the router over an encrypted link. TLS communication is similar to using SSH for router administration and therefore should be used for production deployments of onePK or in any development or test environment where traffic between the onePK application and the router may be intercepted. Note: TLS communication should be used with onePK applications whenever possible. In addition to enabling encrypted communications, TLS supports an additional layer of security by providing the option for the onePK application to use certificates to authenticate to the router (i.e., client authentication). See the Configuring onePK Application Authentication using Transport Layer Security (TLS) section below for more information.
NOTE: Before entering the following commands, make sure the clock on your router is set to the correct time. If the clock is not set, issue the command clock set
router> enable
router# configure terminal
router(config)# ip http server
router(config)# onep
router(config-onep)# transport tls disable-remotecert-validation
router(config-onep)# start
router(config-onep)# exit
router(config)# crypto pki server onepkCA
router(cs-server)# database level minimum
router(cs-server)# grant auto
router(cs-server)# no shut
%Some server settings cannot be changed after CA certificate generation
% Please enter a passphrase to protect the private key
% or type return to exit
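The two command sets above differ in exactly the setting an auditor would want to check on a fleet: whether the onep transport is the clear-text socket or TLS, and whether TLS was weakened with disable-remotecert-validation. The following Python script is an added example (not from this thread or from Cisco) that parses a saved "show running-config" text and reports those findings. It assumes the running-config echoes the onep sub-mode lines as typed above, indented by one space under "onep", and it tolerates an optional "type" keyword in the transport line; the sample configs are constructed to mirror the thread's two option blocks.

```python
"""Audit saved Cisco IOS running-configs for the onePK transport settings.

Added example, not code from the thread or from Cisco. Assumptions: the
config is in 'show running-config' form, the onep sub-mode lines are
indented one space under a top-level 'onep' line, and the transport line
looks like 'transport socket' or 'transport tls [options]' (an optional
'type' keyword is tolerated).
"""
import re

# Constructed sample configs (not captured from a real device), mirroring
# the socket (Option 1) and TLS (Option 2) command sets quoted in the thread.
SOCKET_CONFIG = """!
hostname router
!
onep
 transport socket
 start
!
end
"""

TLS_CONFIG = """!
hostname router
!
ip http server
!
onep
 transport tls disable-remotecert-validation
 start
!
end
"""

TRANSPORT_RE = re.compile(r"^transport\s+(?:type\s+)?(socket|tls)(?P<opts>.*)$")

# Finding codes and the reason each matters to a defender.
FINDING_TEXT = {
    "SOCKET_CLEARTEXT": "onep transport socket: application credentials cross the "
                        "network unencrypted; prefer transport tls and restrict "
                        "which hosts may reach the onep service",
    "TLS_NO_REMOTE_CERT_VALIDATION": "transport tls with disable-remotecert-validation: "
                                     "the router does not validate the application's "
                                     "certificate, so keep this to lab use",
    "NO_TRANSPORT": "onep block present without a transport line",
}


def parse_onep_block(config_text):
    """Return the stripped sub-mode lines of the 'onep' block, or [] if absent."""
    block = []
    inside = False
    for line in config_text.splitlines():
        if not inside:
            inside = line.strip() == "onep"
            continue
        # Sub-mode commands are indented; the first non-indented line
        # ('!' separator or next top-level command) ends the block.
        if not line.startswith(" "):
            break
        block.append(line.strip())
    return block


def audit_onep(config_text):
    """Summarise onep configuration: transport type, started flag, findings."""
    block = parse_onep_block(config_text)
    result = {"configured": False, "transport": None, "started": False, "findings": []}
    if not block:
        return result
    result["configured"] = True
    result["started"] = "start" in block
    for cmd in block:
        match = TRANSPORT_RE.match(cmd)
        if not match:
            continue
        transport, opts = match.group(1), match.group("opts")
        result["transport"] = transport
        if transport == "socket":
            result["findings"].append("SOCKET_CLEARTEXT")
        elif "disable-remotecert-validation" in opts:
            result["findings"].append("TLS_NO_REMOTE_CERT_VALIDATION")
    if result["transport"] is None:
        result["findings"].append("NO_TRANSPORT")
    return result


def report(name, config_text):
    """Print a one-screen summary for a config; used by the stand-alone run."""
    res = audit_onep(config_text)
    print(f"{name}: configured={res['configured']} transport={res['transport']} "
          f"started={res['started']}")
    for code in res["findings"]:
        print(f"  - {code}: {FINDING_TEXT[code]}")


if __name__ == "__main__":
    report("socket-config", SOCKET_CONFIG)
    report("tls-config", TLS_CONFIG)
```

Running the script against exported configs from several devices gives a quick inventory of which ones still run the clear-text socket transport, which is the case the thread's Option 1 text says must be confined to known application hosts.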
06-02-2013 07:11 PM
Hi Mohan,
I will try these commands tomorrow and let you know.
Reza
06-03-2013 09:29 AM
Hi Mohan,
The IOS in my switch is 150-1.EX1.bin and I don't have an option to enter "onep" at all.
Is this feature supposed to be supported in this platform and IOS version or am I missing something?
HTH
Reza
06-03-2013 04:30 PM
Hi Reza,
Thanks for this. To the best of my knowledge Cisco have announced full SDN support (meaning OnePK support) on the 3850 platform, but I am not sure if this is the correct code level or not. The OnePK Guide states that this support is available on ISR G2 platforms installed with the 15.3-2.T (Universal K9) image. Is it possible to check if any special license is required to enable this feature, or do we have to wait until the right code level is released? And this 3850 platform runs IOS-XE as well as IOSd combined, isn't it? I have checked the release notes and cannot find any information. As you have the equipment, is it possible to raise a TAC case and check directly with Cisco?
Thanks and Regards,
Mohan
06-03-2013 04:50 PM
Hi Mohan,
Unfortunately, I cannot open a ticket with TAC, as this switch was given to me by Cisco as a loaner for a short time.
As far as I can tell, it runs IOS-XE. I am not sure about IOSd. As for the license, I do have IP Services, which is the highest level of license, but I am not sure if we have to wait for a new IOS to support it or whether this version does. Also, since this switch is so new, there isn't much info out there for it. I will play with it some more when I have some time.
Thanks,
Reza
06-03-2013 04:59 PM
Thanks Reza. I have put a post on this issue on the Cisco developer forum as well and will update if I get any feedback. But I am really disappointed that despite Cisco announcing full support for SDN on the 3850, it is still unable to support it, which really is very, very misleading information, as I have requested some customers to purchase this device for wired, wireless and OnePK enabling!
06-04-2013 06:17 AM
Hi Mohan,
Reading the 3850 data sheet, I see this statement:
Foundation for Open Network Environment
The heart of the Cisco Catalyst 3850 is the UADP ASIC with programmability for future features and intelligence with investment protection. The new ASIC provides the foundation for converged APIs across wired and wireless, Cisco Open Network Environment, software-defined networking (SDN) readiness and OnePK SDK through software updates over the product lifetime.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/data_sheet_c78-720918.html
So, I guess, at some point these features will be available in software, but who knows when.
Thanks,
Reza
06-04-2013 07:04 AM
Hi Reza,
Wow! That was a nice pick indeed! I was going through all the OnePK related info for the 3850, but couldn't locate the above sentence. Anyway, I will have to rely only on the ISR G2s for testing OnePK until it becomes available on the switches. So I guess I will have to order the additional EtherSwitch modules to emulate the switching functionality on the routers and use One PK to program them, I suppose. Currently I am trying to get my head around designing a solution to enable One PK on 2960 access switches, so I was thinking of using the 3850 for testing OnePK for a proof of concept and cutting them over to the 29xx when the feature becomes available. Looks like the G2 with the ESM module is the only way to go!
Thanks again
Mohan