mohankumarm
Beginner

One PK/SDN support for 3850

Hello,

With the recent release of Cisco 3850 to support One PK, just wondering if this can be enabled for OnePK out of the box. I believe the IOSd release is 15.x and just wondering if there is any guide available to enable the switch for OnePK. Also, is there any special license required for enabling OnePK or will IP Services license feature suffice?

Thanks and Regards,

Mohan

9 REPLIES
Reza Sharifi
Hall of Fame Expert

Hi Mohan,

Looking at the Q&A for the 3850 series, there are 3 types of licenses (LAN Base, IP Base and IP Services), which are the same as for the 3750X series switches. So, I am not sure what exact license you need for the OnePK feature, but I guess if you have IP Services, then you are good to go. I have a couple of 3850s with IP Services under my desk at work. Let me know if you want me to look for any specific feature/command, etc.

Table 2 in this link goes over the licenses and their features:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/qa_c67-722110.html

HTH

Reza

Hi Reza,

Thanks very much indeed. It would be great if you can try the following. These are the enabling commands for the ISR G2 routers (29xx, 39xx) for One PK, and the requirement is to run cxxxx-universalk9-mz.SPA.153-2.T.bin on the ISR G2 platforms for OnePK support.

Here are the steps:

Enable onePK on your router. The onePK infrastructure is disabled by default on your router. To enable it, you must choose a communication method and then connect to the router console and issue a set of commands through the IOS CLI.

Choose one of the following options:

Option 1 – Unencrypted communication between the router and onePK applications

Using the onep transport socket communication option means that all communication between the onePK application and the router, including router userids and passwords used to authenticate the onePK application to the router, will be sent unencrypted or “in the clear.” Note: onep socket communication is very similar to using telnet to administer a router. Therefore, great care must be taken to ensure the communication path between the onePK application and the router cannot be intercepted and the socket communication traffic to the router is allowed only from the specific hosts running the onePK applications. See the Cisco Guide to Harden Cisco IOS Devices for more information on restricting traffic to/from your router.

If you accept the security risks of unencrypted communication, enable onep transport socket as follows:

router> enable
router# configure terminal
router(config)# onep
router(config-onep)# transport socket
router(config-onep)# start
router(config-onep)# exit

Option 2 – Encrypted communication between the router and onePK applications

The onep transport TLS communication option enables the onePK application to communicate with the router over an encrypted link. TLS communication is similar to using SSH for router administration and therefore should be used for production deployments of onePK or in any development or test environment where traffic between the onePK application and the router may be intercepted. Note: TLS communication should be used with onePK applications whenever possible. In addition to enabling encrypted communications, TLS supports an additional layer of security by providing the option for the onePK application to use certificates to authenticate to the router (i.e., client authentication). See the Configuring onePK Application Authentication using Transport Layer Security (TLS) section below for more information.

NOTE: Before entering the following commands, make sure the clock on your router is set to the correct time. If the clock is not set, issue the command clock set e.g., clock set <21:10:00> <1 apr 2013> or configure NTP on the router – see http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf012.html#wp1001170 for more information.

router> enable
router# configure terminal
router(config)# ip http server
router(config)# onep
router(config-onep)# transport tls disable-remotecert-validation
router(config-onep)# start
router(config-onep)# exit
router(config)# crypto pki server onepkCA
router(cs-server)# database level minimum
router(cs-server)# grant auto
router(cs-server)# no shut
%Some server settings cannot be changed after CA certificate generation
% Please enter a passphrase to protect the private key
% or type return to exit
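A configuration-audit check for the two transport options quoted above, added here as an example that is not from the thread or from Cisco: it parses the onep block of an IOS running-config using the command syntax shown in the post and flags a started socket transport (cleartext) or TLS configured with disable-remotecert-validation. The device names and running-config fragments are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class OnepFinding:
    device: str
    enabled: bool = False                  # 'start' seen inside the onep block
    transport: Optional[str] = None        # 'socket' or 'tls' as configured
    remotecert_validation_disabled: bool = False
    issues: List[str] = field(default_factory=list)


def audit_onep(device: str, config: str) -> OnepFinding:
    """Parse the onep block of an IOS running-config (indented lines belong to the previous top-level command)."""
    finding = OnepFinding(device)
    in_onep = False
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                           # blank line or IOS section separator
        if not raw.startswith(" "):
            in_onep = raw.strip() == "onep"    # new top-level command: enter or leave the block
            continue
        if not in_onep:
            continue
        tokens = raw.split()
        if tokens[0] == "transport" and len(tokens) > 1:
            finding.transport = tokens[1]
            finding.remotecert_validation_disabled = "disable-remotecert-validation" in tokens[2:]
        elif tokens[0] == "start":
            finding.enabled = True
    # Only a started onePK service listens; a configured-but-stopped block is inert.
    if finding.enabled and finding.transport == "socket":
        finding.issues.append("onep transport socket: credentials and API traffic sent in the clear")
    if finding.enabled and finding.transport == "tls" and finding.remotecert_validation_disabled:
        finding.issues.append("onep transport tls with remote certificate validation disabled")
    return finding


# Constructed running-config fragments (not captured from real devices).
SAMPLE_CONFIGS = {
    "isr-lab1": "hostname isr-lab1\n!\nonep\n transport socket\n start\n!\n",
    "isr-lab2": "onep\n transport tls disable-remotecert-validation\n start\n!\n",
    "isr-lab3": "onep\n transport tls\n!\ncrypto pki server onepkCA\n grant auto\n no shut\n",
}


def audit_all() -> dict:
    """Map each sample device to its list of issues (an empty list means nothing was flagged)."""
    return {name: audit_onep(name, cfg).issues for name, cfg in SAMPLE_CONFIGS.items()}
```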

Hi Mohan,

I will try these commands tomorrow and let you know.

Reza

Hi Mohan,

The IOS in my switch is 150-1.EX1.bin and I don't have an option to enter "onep" at all.

Is this feature supposed to be supported in this platform and IOS version or am I missing something?

HTH

Reza

Hi Reza,

Thanks for this. To the best of my knowledge, Cisco have announced full SDN support (meaning OnePK support) on the 3850 platform, but I am not sure if this is the correct code level or not. The OnePK Guide states that this support is available on ISR G2 platforms installed with the 15.3-2.T (Universal K9) image. Is it possible to check if any special license is required to enable this feature, or do we have to wait until the right code level is released? And this 3850 platform runs IOS-XE as well as IOSd combined, isn't it? I have checked the release notes and cannot find any information. As you have the equipment, is it possible to raise a TAC case and check directly with Cisco?

Thanks and Regards,

Mohan

Hi Mohan,

Unfortunately, I cannot open a ticket with TAC, as this switch was given to me by Cisco as a loaner for a short time.

As far as I can tell, it runs IOS-XE. I am not sure about IOSd. As for license, I do have IP Services, which is the highest level of license, but I am not sure if we have to wait for a new IOS to support it or this version does. Also, since this switch is so new, there isn't much info out there for it. I will play with it some more when I have some time.

Thanks,

Reza

Thanks Reza. I have put a post on this issue on the Cisco developer forum as well and will update if I get any feedback. But I am really disappointed that despite Cisco announcing full support for SDN on the 3850, it is still unable to support it, which really is very, very misleading information, as I have requested some customers to purchase this device for wired, wireless and OnePK enabling!

Hi Mohan,

Reading the 3850 data sheet, I see this statement:

Foundation for Open Network Environment

The heart of the Cisco Catalyst 3850 is the UADP ASIC with programmability for future features and intelligence with investment protection. The new ASIC provides the foundation for converged APIs across wired and wireless, Cisco Open Network Environment, software-defined networking (SDN) readiness and OnePK SDK through software updates over the product lifetime.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/data_sheet_c78-720918.html

So, I guess, at some point these features will be available in software, but who knows when.

Thanks,

Reza

Hi Reza,

Wow! That was a nice pick indeed! I was going through all the OnePK related info for the 3850, but couldn't locate the above sentence. Anyway, I will have to rely only on the ISR G2s for testing OnePK until it becomes available on the switches, so I guess I will have to order the additional EtherSwitch modules to emulate the switching functionality on the routers and use One PK to program them, I suppose. Currently I am trying to get my head around designing a solution to enable One PK on 2960 access switches, so I was thinking of using the 3850 for testing OnePK for a proof of concept and cutting them over to the 29xx when the feature becomes available. Looks like the G2 with the ESM module is the only way to go!

Thanks again

Mohan