cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4443
Views
15
Helpful
7
Replies

Cisco 3850 and its security features!

ehs.rajabi1
Level 1
Level 1

Hello guys

I hope you're having fun with networks:D

We recently bought two cisco 3850-48P-E for our buildings as core device ( actually 4 X 3850 to keep redundancy as high as possible in core block).

We're planning to connect buildings using UBNT radios ( Transparent Bridge Connection ) to pass traffic. Here's the question! How can we have secure connection between them ? I mean, we're going to have GRE over IPSec tunnel between switches behind radios or something like that. Does 3850 supports this feature? I guess it doesn't ! The word "K9" stands as a useless thing in Image name :D. Unfortunately, switches are in stock and I'm not able to check CLI right know. 

Another unrelated question: If you were going to connect different buildings together , Did you use cisco 3850 as core in each building ?( For about 150 - 200 staff in each one) . How did you Connect them and pass traffic?

7 Replies 7

Aditya Ganjoo
Cisco Employee
Cisco Employee

Hi ,

On 3850 VPN is not supported. 

3850 does not support onboard encryption and vpn configuration which is mentioned on this link:


http://www.cisco.com/c/en/us/td/docs/switches/lan/cisco_ie3000/software/release/15-2_2_e/configuration/guide/scg_ie3000/swuncli.html#pgfId-1100553

Earlier there was a module AGM which was used to ipsec encryption, however, its been end-of-life.

There's a bug CSCtz13264 which mentions that doing tunnels on the switches cause the system to crash. Thus it is not recommended to create tunnels on the 3850 platform particularly. This feature has been removed from IOS-XE to avoid the switch from crashing.

https://tools.cisco.com/bugsearch/bug/CSCtz13264/?reffering_site=dumpcr

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Thank your dear Aditya

May I know your idea about second question please?

Hi,

I do not have too much expertise on switching.

However you can use 3850 as a core switch.

You just need to make sure that the device throughput is not reached, for further clarity check this doc:

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/data_sheet_c78-720918.html

Here are some useful links for deploying 3850 switches:

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/deployment_guide_c07-727067.pdf

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6800-series-switches/guide-c07-733457.html

http://www.cisco.com/c/en/us/products/switches/catalyst-3850-series-switches/index.html

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Thank you Aditya

Please explain me your experiences about core devices you've worked with

[@ehs.rajabi1]  ,

3850 is not positioned as a core switch (it's an access switch, distribution at best) thus the lack of support of some features we might want to use when looking at the things we expect a core switch to do.

That said, we normally connect 3850s in different building together via fiber. If you have no fiber and are, as you have indicated, using third party radios your choices are even further limited. You may be able to use MACsec if the radio devices will process the frames correctly.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/37e/consolidated_guide/b_37e_consolidated_3850_cg/b_37e_consolidated_3850_cg_chapter_01110101.html

Thank you dear Marvin

Could you tell me about limitations with radios or 3850 as core please?

In a network with 3-4 buildings and less than 600 users(at all), it's not reasonable to use Nexus series. As you know, 3850-48P-E is an IP Service L3 switch with full support of L3 except NAT and VPN ( Am I right or there are some more limitations? ) 

So, I thought it's a good idea to separate edge block and core block, and put Routers there, We can also buy a router and put it in WAN block of our architecture. Thus 3850 handles Routing , ACL , VLAN , Private VLAN , maybe IP SLA to check links connectivity between building and ... ( everything except NAT , VPN ) .

I'm really longing to know your opinion.

Do you have any experience about working with ubnt or mikrotik radios as Transparent L2 Bridge Links? 

I am always hesitant to try to use a switch outside its normal use type even if a given feature may be technically supported. Those seldom used features may encounter bugs as they are not used by a majority of users. For instance, I once had a 4500-X that worked fine as a campus core for over 6 months but when I turned on BGP and QoS it started crashing every couple of weeks.

I have no experience with the radios you mention. Generally that type of device has no interaction with the switch except to appear as a connected Ethernet interface. If they are truly acting in transparent mode, your switch should see the neighboring building switch on the link and know nothing about the radio.