Академический Документы
Профессиональный Документы
Культура Документы
83331000
83331001
84441000
84441001
2
2
7
4
8
3
7-8
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Call Routing
Figure 7-3 Localized Call Input; IP Phone Calling Off-net Dstination
Figure 7-3 shows the following partitions:
NANP_Loc2globThe system has one translation pattern, used by all sites, to perform the
following modifications to called numbers:
Remove the PSTN access code of 9 on emergency numbers
Replace the PSTN access code of 9 with the + code, on National numbers
Replace the PSTN access code and the international dialing access code with the + code on
international calls.
xx_loc2globEach site has a site-specific partition containing a translation pattern to replace the
PSTN access code for 7 digit local dialing with the + code and the NNAP country code of 1, and the
local area code for that site.
NNAP_pstn_partThe translation patterns in the other partitions translated numbers into a
globalized number. After the call has been translated into a E.162 off-net number, the CSS of the
translation pattern is used to direct the call to the NNAP_pstn_part partition. The NNAP_pstn_part
partition is used by all sites, to route globalized called numbers out the appropriate gateway. The
Globalized call routing section will detail how the gateways are used for each of the patterns in this
partition.
There are patterns for each sites local area code so that Tail End Hop Off may be used to route
the call to the gateway local to that area code.
The +1xxxxxxxxxx pattern is for NNAP numbers
The +! pattern will route international calls.
Emergency numbers (911) should always be routed out the local gateway of the calling phone,
when available.
2
2
7
4
8
5
CUCM Gateway definition
for District Office
Site code: 333
333-456-1xxx -> 83331xxx
CUCM Gateway definition
for Site 2
Site code: 222
222-345-1xxx -> 82221xxx
CUCM Gateway definition
for Site 1
Site code: 444
444-567-1xxx -> 84441xxx
M
7-9
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Call Routing
Localized Calling Number on IP Phones
On cluster IP phones are configured with a directory number that is in the global on-net format. In this
example the directory number is an 8-digit number that includes the access code, the site number, and
the 4-digit extension. This directory number is already in the globalized format and is therefore not
changed on ingress. If the call is directed out a gateway, the calling number will be changed by the
gateway to a full E.164 number.
Localized Call Ingress on Gateways
Just as with IP phones discussed previously, we need to localize call ingress on gateways. We accept
incoming calls on gateways in the local format of the telephone network to which the gateway is
connected, and we convert the called and calling numbers to a globalized format. The global format is
later used to route the call within the voice over IP network to its destination.
Localized Called Number on Gateways
Incoming PSTN calls require that the E.164 number be manipulated to obtain the eight-digit internal
number in order to reach the destination phone. Within this example dial-plan, this requirement has been
implemented by configuring the Num Digits and Prefix Digits fields within the Gateway Configuration
page in Unified CM. These fields strip and then prefix the needed digits.
In Figure 7-4, the Significant Digits field maps the last 4 digits of the incoming called DID number to
the local 4-digit extension. The Prefix DN field adds the inter-site access code (8) and a site code (222).
Figure 7-4 Converting from localized PSTN called DID number format to globalized on-net
directory number format
Localized Calling Number on Gateways
Incoming calling party settings can be configured on individual gateways, at the device pool level, or at
the service parameter level, in order of precedence. For each numbering type (Subscriber, National,
International, or Unknown), Unified CM allows for the appropriate prefix digits to be configured. Digits
2
2
7
4
8
5
CUCM Gateway definition
for District Office
Site code: 333
333-456-1xxx -> 83331xxx
CUCM Gateway definition
for Site 2
Site code: 222
222-345-1xxx -> 82221xxx
CUCM Gateway definition
for Site 1
Site code: 444
444-567-1xxx -> 84441xxx
M
7-10
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Call Routing
can be stripped from and prefixed to the string provided as the incoming party number. The notation
takes the form PP:SS, where PP represents the digits to be prefixed and SS represents a quantity of digits
to be stripped. The digit stripping operation is performed first on the incoming calling party number, and
then the prefix digits are added to the resulting string. For example, if the prefix digits field is configured
as +33:1 and the incoming calling party number is 01 58 40 58 58, the resulting string will be +33 1 58
40 58 58.
Figure 7-5 shows the incoming calling-party settings for the gateway at school 2.
Figure 7-5 Localized calling party number on gateways
For the example dial plan above, the following actions are taken:
Incoming national calls have the area code included in the calling number, and the gateway is
configured to add the + and the 1 for North America.
Incoming international calls have the international country code included in the calling number, and
the gateway is configured to just add the +.
For incoming unknown calls, the gateway is configured to just add the +.
For incoming subscriber calls, and the gateway is configured to add the + and then the 1 for North
America, and then the local area code for that gateway.
Globalized Call Routing
In this section, we assume the calling number has been manipulated into one of the following:
Globalized to an 8-digit on-net number
Globalized to an E.164 external number
This section discusses how the call is routed to the appropriate destination.
2
2
7
4
8
6
CUCM Device Pool definition
for District Office
Site code: 333
CUCM Gateway definition
for Site 2
Site code: 222
CUCM Device Pool definition
for Site 1
Site code: 444
M
7-11
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Call Routing
Globalized Call Routing to an 8-digit On-net Number
The sample network is deployed as a single CUCM cluster the CUCM cluster has full knowledge of
every 8-digit on-net number, and can route calls directly to the destination phone.
Globalized Call Routing to an E.164 External Number
Where the destination is an external PSTN number, we have to route the call to the appropriate PSTN
gateway. Figure 7-6 shows how calls are routed in our example deployment. Route patterns point to
route lists that in turn point to egress gateways.
Figure 7-6 Call Routing Example
The following discussion of the dial plan in Figure 7-6 includes the use of local route groups which are
discussed further in the section following this one.
The route patterns that include the area code implement Tail End Hop Off (TEHO) by pointing to a route
list which is comprised of the following route groups:
A route group containing the gateways at the local site in which the directly connected gateways are
connected.
A route group containing the local route group which will route calls out a gateway connected to the
site the calling phone is dialing from. For more details on local route group, refer to Using Local
Route Group section on page 7-12.
A route group containing the gateways at a different site. This provides redundancy in the event that
the previous two route groups both point to the gateways at the same site.
The route patterns in Figure 7-6 for national, international, and emergency calls point to a route list that
is comprised of the following route groups:
Partitions Route Lists Route Groups
pt-nnap-pstn
+1444!
+1222!
+1333!
+!
911
+1XXXXXXXXXX
2
2
7
4
8
7
rl-nnap
LRG
DO-RG
S1-RG
rl-do-teho
DO-RG
LRG
S1-RG
rl-s2-teho
S2-RG
LGR
DO-RG
rl-s1-teho
S1-RG
LRG
DO-RG
S1-RG
V
V
S2-RG
V
V
DO-RG
V
V
S1 Gateways (444)
Local
Route
Group
S2 Gateways (222)
DO Gateways (333)
7-12
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Call Routing
A route group containing the Local Route Group which will route calls out a gateway connected to
the site the calling phone is dialing from. For more details on Local Route Group, refer to Using
Local Route Group section on page 7-12.
A route group containing the gateways at the district office.
A route group containing the gateways at Site 1. This provides redundancy in the event that the
previous two route groups both point to the gateways at the same site.
Other variations are possible in a real deployment. For example, it might be preferable to route some
calls out the district office as a first choice, and out the Local route group if the district office gateways
are unavailable.
Using Local Route Group
Local Route Group is a Cisco Unified CM 7.0 feature that simplifies the configuration of site-specific
routing of off-net calls. Route patterns using the local route group allow for dynamic selection of the
egress gateway, based on the device originating the call.
Before local route group route patterns were site specific. For example, before local route groups:
The 911 route pattern for site 1 would point to site 1's PSTN gateway
The 911 route pattern for site 2 would point to site 2's PSTN gateway.
With local route groups, a single 911 route pattern can be configured pointing to the Local Route
Group.
Phones in sites 1 and 2 will use the PSTN gateway pointed to by the Local Route Group field in each
sites device pool.
Phones acquire their local route group from the Local Route Group field in the phones device pool.
Localized Call Egress
Calls are routed to a destination using the global form of the called and the calling numbers. These
numbers need to be transformed into the format expected by the telephone network to which the gateway
is connected.
Localized Call Egress to an IP Phone
Called Number
In this dial plan, IP phones directory numbers are the same as the globalized on-net number format; no
conversion of the called number is required.
Calling Number
As a call is delivered to a phone, the calling number will be in its global form, which might not be
recognizable to the called party. Typically, users prefer to see calls from callers within their country
presented with an abbreviated form of the caller's number.
For example, users in the US want to see incoming calls from US callers with a ten-digit national
number, without the + sign or the country code (1). If a user whose global phone number is +1 222 345
1234 calls +1 333 456 4000, the called phone would like to receive 222 345 1234 as the calling-party
number while the phone is ringing.
7-13
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Call Routing
To achieve this, the system administrator should configure a calling-party transformation pattern of:
+1.!, strip pre-dot. The calling-party transformation pattern is placed in a partition included in the
destination phone's calling-party transformation pattern CSS, configured at the device-pool level. As a
call from +1 222 345 1234 is offered to the phone, it matches the configured calling-party transformation
pattern, which removes the +1 and presents a calling-party number of 222 345 1234 as the call rings.
Figure 7-7 shows how the device pool of the destination phone determines the calling party
transformation
Figure 7-7 IP Phone Outgoing Calling-Party Transformation
Note The calling-party number stored in the missed and received calls directories is left in its globalized form
to allow one-touch dialing from the directories without requiring manual editing of the directory's stored
number string.
Note Many phone users are becoming accustomed to the globalized form of PSTN numbers, mainly due to the
common use of mobile phones across international boundaries. The system administrator can forgo the
configuration of calling-party transformation patterns for phones if displaying the global form of
incoming numbers is preferred.
Localized Call Egress to a Gateway
Gateway Called-Party Number Localization
As a call is delivered to a gateway, the called party number must be adapted to the requirements of the
PSTN service provider providing the trunk group to which the gateway is connected. Called-party
number transformation patterns can be used to change the called-party number digit-string and
CSSs CUCM Partitions
css-s1-calling-party-trans
css-do-calling-party-trans
css-s2-calling-party-trans
T
r
a
n
s
l
a
t
i
o
n
P
a
t
t
e
r
n
s
pt-do-calling-party-trans
\+1.xxxxxxxxxx, pre-dot, national
pt-s2-calling-party-trans
\+.1xxxxxxxxxx, pre-dot, national
pt-s1-calling-party-trans
\+.1xxxxxxxxxx, pre-dot, national
2
2
7
4
8
8
CUCM Device Pool
for District Office
Calling Party Transformation
CSS field
Site code: 333
CUCM Device Pool
for Site 2
Calling Party Transformation
CSS field
Site code: 444
CUCM Device Pool
for Site 1
Calling Party Transformation
CSS field
Site code: 222
M
7-14
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Call Routing
numbering type. Typically, a called-party number featuring the gateway's country code should be
changed to remove the + sign and the explicit country code, and they should be replaced with the national
prefix. Also, the numbering type of the called-party number should be changed to national. If the
gateway is connected to a trunk group featuring a specific area, region, or city code, the specific
combination of + sign, country code, and local area code usually must be replaced by the applicable local
prefix. Also, the numbering type must be adjusted to subscriber.
For example, assume that a call to an external user in site 1s area code (+1 444 555 2222) is routed
through a route list featuring a Site 1 gateway (San Francisco) as a first choice and a Site 2 (Chicago)
gateway as a second choice. The Site 1 gateway is configured with two called-party transformation
patterns:
+1444.XXXXXXX, strip pre-dot, numbering type: subscriber
+1.!, strip pre-dot, numbering type: national
As the call is delivered to the Site 1 gateway, the called-party number matches both of the called-party
transformation patterns. However, the first one is a more precise match and is selected to process the
called party number. Thus, the resulting transformed number is 5552222, with a called party type set to
subscriber.
If the gateway had not been able to process the call (for example, if all ports were busy), the call would
have been sent to the Site 2 gateway to egress to the PSTN. The Chicago gateway is configured with the
following two called-party transformation patterns:
+1222.XXXXXXX, strip pre-dot, numbering type: subscriber
+1.!, strip pre-dot, numbering type: national
As the call is delivered into the Chicago gateway, the called-party number matches only the second
called-party transformation pattern. Therefore, the resulting called-party number offered to the gateway
is 4445552222, with a called-party number type set to national.
Figure 7-8 shows how the device pool of the destination gateways determines the calling-party
transformation.
7-15
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Call Routing
Figure 7-8 Gateway Called-Party Transformation
Gateway Calling Party Number Localization
As a call is delivered to a gateway, the calling-party number must be adapted to the requirements of the
PSTN service provider providing the trunk group that the gateway is connected to. The calling-party
number transformation patterns can be used to change the calling-party number digit-string and
numbering type. Typically, a calling-party number featuring the gateway's country code should be
changed to remove the + sign and the explicit country code, and they should be replaced with the national
prefix. Also, the numbering type of the calling-party number should be changed to national. If the
gateway is connected to a trunk group featuring a specific area, region, or city code, the specific
combination of + sign, country code, and local area code usually must be replaced by the applicable local
prefix. Also, the numbering type must be adjusted to subscriber.
For example, assume that a call from a Site 1 user (+1 444 567 1234) is routed through a route list
featuring a San Francisco gateway as a first choice and a Chicago gateway as a second choice. The San
Francisco gateway is configured with two calling-party transformation patterns:
+1444.XXXXXXX, strip pre-dot, numbering type: subscriber
+1.!, strip pre-dot, numbering type: national
As the call is delivered to the Site 1 gateway, the calling-party number matches both calling-party
transformation patterns. However, the first one is a more precise match and is selected to process the
calling-party number. Thus, the resulting transformed number is 5671234, with a calling-party type set
to subscriber.
If the gateway had not been able to process the call (for example, if all ports were busy), the call would
have been sent to the Site 2 gateway to egress to the PSTN. The Site 2 gateway is configured with the
following two calling-party transformation patterns:
+1222.XXXXXXX, strip pre-dot, numbering type: subscriber
+1.!, strip pre-dot, numbering type: national
CSSs CUCM Partitions
css-s1-called-party-trans
css-do-called-party-trans
css-s2-called-party-trans
T
r
a
n
s
l
a
t
i
o
n
P
a
t
t
e
r
n
s
pt-do-called-party-trans
\+1333.xxxxxxx, pre-dot, subscriber
\+.1xxxxxxxxxx, pre-dot, national
\+.!, pre-dot, international
pt-s2-called-party-trans
\+1444.xxxxxxx, pre-dot, subscriber
\+.1xxxxxxxxxx, pre-dot, national
\+.!, pre-dot, international
pt-s1-called-party-trans
\+1222.xxxxxxx, pre-dot, subscriber
\+.1xxxxxxxxxx, pre-dot, national
\+.!, pre-dot, international
2
2
7
4
8
9
CUCM Device Pool
for District Office
Called Party Transformation
CSS field
Site code: 333
CUCM Device Pool
for Site 2
Called Party Transformation
CSS field
Site code: 444
CUCM Device Pool
for Site 1
Called Party Transformation
CSS field
Site code: 222
M
7-16
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Building Classes of Service for Unified CM with the Line/Device Approach
As the call is delivered into the Chicago gateway, the calling-party number matches only the second
calling-party transformation pattern. Therefore, the resulting calling-party number offered to the
gateway is 4445671234, with a calling-party number type set to national.
Figure 7-9 shows how the device pool of the destination gateways determines the calling-party
transformation pattern.
Figure 7-9 Gateway Calling-Party Transformation Pattern
Building Classes of Service for Unified CM with the Line/Device
Approach
Class-of-Service (CoS) for the Cisco Unified CM refers to the ability to apply call restrictions to certain
users and/or phones in the dial plan. The dial plan outlined above allows every IP phone to dial any
destination; local, long distance, or international. When it is necessary to dial restrictions to certain
phones, this document uses the line/device approach.
The line/device approach works by appending the line CSS to the device CSS on each phone. If the same
route pattern appears in two partitions, one contained in the line's calling search space and one contained
in the device's calling search space, then the Cisco Unified CM selects the route pattern listed first in the
concatenated list of partitions (in this case, the route pattern associated with the line's calling search
space).
In the route plan listed above, every phone had a device CSS that allowed it to call any destination. CoS
will be applied by defining a line CSS for the restricted lines, that will override the device CSS and deny
access to defined call destinations.
CSSs CUCM Partitions
css-s1-calling-party-trans
css-do-calling-party-trans
css-s2-calling-party-trans
T
r
a
n
s
l
a
t
i
o
n
P
a
t
t
e
r
n
s
pt-do-calling-party-trans
\+1.xxxxxxxxxx, pre-dot, national
pt-s2-calling-party-trans
\+.1xxxxxxxxxx, pre-dot, national
pt-s1-calling-party-trans
\+.1xxxxxxxxxx, pre-dot, national
2
2
7
4
9
0
CUCM Device Pool
for District Office
Calling Party Transformation
CSS field
Site code: 333
CUCM Device Pool
for Site 2
Calling Party Transformation
CSS field
Site code: 444
CUCM Device Pool
for Site 1
Calling Party Transformation
CSS field
Site code: 222
M
\+1333.xxxxxxx, pre-dot, subscriber
\+1444.xxxxxxx, pre-dot, subscriber
\+1222.xxxxxxx, pre-dot, subscriber
7-17
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Survivable Remote Site Telephony (SRST)
To better understand how to apply these rules, consider the example shown in Figure 7-10, where the
device calling search space contains a partition with route patterns to all PSTN numbers, including
international numbers. The route patterns point to a PSTN gateway via the route list and route group
construct.
Figure 7-10 Line/Device Approach
At the same time, the line calling search space contains a partition with a single translation pattern that
matches international numbers and that has been configured as a blocked pattern. The resulting calling
search space therefore contains two identical patterns matching international numbers, with the blocked
pattern in the line calling search space appearing first. The result is that international calls from this line
will be blocked.
Survivable Remote Site Telephony (SRST)
When deploying the Cisco Unified Communications across a WAN with the centralized call processing
model, additional steps must be taken to ensure that data and voice services at the remote sites are highly
available.
The Schools SRA design uses SRST to provide high availability for voice services, by providing a subset
of the call processing capabilities within the remote office router and enhancing the IP phones with the
ability to rehome to the call processing functions in the local router if a WAN failure is detected.
Figure 7-11 illustrates a typical call scenario with SRST.
Block Int'l Partition
IP
2
2
7
4
9
1
Device
Redail CFwdAll
Your current options
15644
NewCall more
15644
15644
Line
Block Int'l Partition
9.011!
Blocked Route Pattern
Routed Route Patterns
Line CSS
Device CSS
Resulting CSS
9.011!
9.[2-9]XXXXXX
9.1 [2-9]XX [2-9]XX XXXX
PSTN Partition
9.011!
9.011!
PSTN Partition
Device CSS
allows access to?
all external routes
Line CSS
selectively blocks
undesired routes
(according to
class of service)
...
7-18
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Survivable Remote Site Telephony (SRST)
Figure 7-11 Survivable Remote Site Telephony (SRST)
Under normal operations shown in the left part of Figure 7-11, the branch office connects to the central
site via an IP WAN, which carries data traffic, voice traffic, and call signaling. The IP phones at the
branch office exchange call signaling information with the Cisco Unified CM cluster at the central site
and place their calls across the IP WAN. The branch router or gateway forwards both types of traffic
(call signaling and voice) transparently and has no knowledge of the IP phones.
If the WAN link to the branch office fails, or if some other event causes loss of connectivity to the Cisco
Unified CM cluster, the branch IP phones reregister with the branch router in SRST mode. The branch
router SRST queries the IP phones for their configuration and uses this information to build its own
IP
IP
IP
M
M M
V V
V
Central site
Unified CM
cluster
Branch office Branch office
Normal operation WAN failure
Unified CM
cluster
Central site
ISDN
backup
IP WAN
PSTN
Voice traffic
Signaling Signaling
Voice traffic
IP IP
IP
IP
IP
V
IP IP
M
M M
V V
ISDN
backup
IP WAN
PSTN
7
4
3
5
3
7-19
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Survivable Remote Site Telephony (SRST)
configuration automatically. The branch IP phones can then make and receive calls either internally or
through the PSTN. The phone displays the message Unified CM fallback mode, and some advanced
Unified CM features are unavailable and are grayed out on the phone display.
When WAN connectivity to the central site is reestablished, the branch IP phones automatically
reregister with the Unified CM cluster and resume normal operation. The branch SRST router deletes its
information about the IP phones and reverts to its standard routing or gateway configuration. Unified
CME running in SRST mode at the branch can choose to save the learned phone and line configuration
to the running configuration on the Unified CME router by using the auto-provision option. If
auto-provision none is configured, none of the auto-provisioned phone or line configuration information
is written to the running configuration of the Unified CME router. Therefore, no configuration change
is required on Unified CME if the IP phone is replaced and the MAC address changes.
Note When WAN connectivity to the central site is reestablished, or when Unified CM is reachable again,
phones in SRST mode with active calls will not immediately re-register to Unified CM until those active
calls are terminated.
SRST CUCM Configuration
When communication with the CUCM is lost, the default SRST action is for IP phones to attempt to register
to the router listed as their default gateway. In the example deployment used in this guide, the IP phones
default gateway is not the ISR router running SRST, so a SRST instance needs to be configured on CUCM
to tell the IP phones what router to register with instead when communication with CUCM is lost. The SRST
reference is configured to point to the ISR router. This is configured by navigating to System -> SRST on
CUCM. See Figure 7-12.
Figure 7-12 Configuring SRST Reference
After the SRST instance is defined, it needs to be added to the appropriate device pool corresponding to each
each site. This is configured by navigating to System -> Device Pool on CUCM.
7-20
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Survivable Remote Site Telephony (SRST)
When a remote phone is in SRST mode, and is unregistered to the CUCM but still reachable from the
PSTN,CUCM to be configured to know how to reach it. The required configuration is shown in Figure 7-13.
Figure 7-13 Configuring Call Forward Unreachable in CUCM for Remote Phones in SRST Mode
In Figure 7-13, The Forward Unregistered Internal setting is set to forward to the PSTN number of
814445671001 when this phone line is unregistered to CUCM. This setting also has a specific CSS in order
to override any restrictions that might otherwise prevent callers from using the PSTN.
SRST Router Configuration
The sections of Site2 ISR router configuration that are relevant to the SRST configuration are provided
below.
ccm-manager fallback-mgcp
! This command causes the gateway to fall back and provide call processing services if
connectivity is lost between the gateway and all Cisco CallManager servers.
application
global
service alternate default
! If the MGCP application is not available, the default application (H.323) takes over.
call-manager-fallback
!--- Enables SRST support and enters Cisco CallManager fallback mode.
max-conferences 12 gain -6
transfer-system full-consult
ip source-address 10.40.63.9 port 2000
! The IP address used by SRST must match the IP phones default gateway, or if an SRST
reference is configured the phones device pool in CUCM, it must match that.
max-ephones 10
max-dn 20
!
!
dial-peer voice 1 pots
description srst incoming
translation-profile incoming S2-SRST-in
service mgcpapp
incoming called-number .
direct-inward-dial
port 2/0/1:23
forward-digits 8
dial-peer voice 91 pots
7-21
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Survivable Remote Site Telephony (SRST)
description SRST; Any long distance number
destination-pattern 91..........
port 2/0/1:23
forward-digits 10
dial-peer voice 91444 pots
description SRST; PSTN School2 to School1
destination-pattern 91444.......
port 2/0/1:23
forward-digits 10
dial-peer voice 91333 pots
description SRST; PSTN School2 to district office
destination-pattern 91333.......
port 2/0/1:23
forward-digits 10
dial-peer voice 91222 pots
description SRST; School2 local dialing with area code
destination-pattern 91222.......
port 2/0/1:23
forward-digits 10
dial-peer voice 9345 pots
description SRST; School2 local dialing (PSTN-router num-exp adds area code)
destination-pattern 9345....
port 2/0/1:23
forward-digits 7
dial-peer voice 911 pots
description SRST; Emergency call without External access code
destination-pattern 911
port 2/0/1:23
forward-digits 3
dial-peer voice 84441 pots
description SRST; translate calls to School1 using internal number format
translation-profile outgoing S2-SRST-out
destination-pattern 84441...
port 2/0/1:23
forward-digits 10
dial-peer voice 83331 pots
description SRST; translate calls to District office using internal number f
translation-profile outgoing S2-SRST-out
destination-pattern 83331...
port 2/0/1:23
forward-digits 10
dial-peer voice 9911 pots
description SRST; Emergency call with External access code
destination-pattern 9911
port 2/0/1:23
forward-digits 3
!
!
voice translation-rule 1
rule 1 /^222345/ /8222/
voice translation-rule 10
rule 1 /^84441/ /4445671/
rule 2 /^83331/ /3334561/
voice translation-profile S2-SRST-in
translate called 1
! Called by Dial-peer 1 to translate incoming calls from E.164 format to local CUCM
phone number format
voice translation-profile S2-SRST-out
translate called 10
! Called by Dial-peers 8333 and 8444 to translate outgoing calls to phones at another
CUCM site from local CUCM phone number format to E.164 format.
7-22
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Emergency Notification of 911 Calls with Cisco Emergency Responder
Emergency Notification of 911 Calls with Cisco Emergency
Responder
Ease of administration for adds, moves, and changes is one of the key advantages of IP telephony
technology. To provide for adds, moves, and changes that automatically update 911 information without
user intervention, Cisco has developed a product called the Cisco Emergency Responder (Cisco ER).
The Schools SRA design uses Cisco ER to provide the following primary functionality:
Dynamic association of a phone to an ERL, based on the detected physical location of the phone.
Dynamic association of the emergency location identification number (ELIN) to the calling phone,
for callback purposes. Cisco ER enables the callback to ring the exact phone that initiated the 911
call.
On-site notification to designated parties (by pager, web page, or phone call) to inform them that
there is an emergency call in progress. The pager and web page notifications include the
calling-party name and number, the emergency response location (ERL), and the date and time
details associated with the call. Phone notification provides the information about the calling
number from which the emergency call was placed.
Note For more information on Cisco ER, refer to the Unified Communications SRND and to the Cisco ER
product documentation available online at the following URL:
http://www.cisco.com/en/US/products/sw/voicesw/ps842/tsd_products_support_series_home.html
The key functionality of Cisco ER relies on the detection of the phone's location by discovery of the
network port (Layer-2 port, such as a Fast Ethernet switched port) from which the phone made the 911
call. The discovery mechanism relies on two main assumptions:
The wired infrastructure of the enterprise is well established and does not change sporadically.
The infrastructure is available for Cisco ER to browse; that is, Cisco ER can establish Simple
Network Management Protocol (SNMP) sessions to the underlying network infrastructure and can
scan the network ports for the discovery of connected phones.
Once the Cisco ER discovers the originating port for the call, it associates the call with the preestablished
ERL for the location of that port. This process also yields an association with a preestablished ELIN for
the location and the selection of the appropriate egress point to the E911 infrastructure, based on the
originating ERL.
The School SRA dial plan is configured so that the system easily recognizes emergency calls, whether
an access code (for example, 9) is used or not; the system has been configured to recognize both the
strings 911 and 9911. The emergency route patterns have also been explicitly marked with urgent
priority so that Unified CM does not wait for the inter-digit timeout (Timer T.302) before routing the
call.
Voice Messaging
The Cisco Unified Communications messaging portfolio consists of three main messaging products:
Cisco Unity, Cisco Unity Connection, and Cisco Unity Express. Each product fits different
requirements, yet each one contains overlapping features and scalability with regard to the others. They
also have the ability to interwork with one another using Voice Mail Networking and can also leverage
the Cisco Unified Messaging gateway to achieve this in a highly scalable fashion, as discussed later in
7-23
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Voice Messaging
this chapter. When considering these products, it helps to think of the messaging types that the products
apply to in order to understand the messaging options they include and to determine which options could
fit your deployment requirements. The following definitions help define these messaging types:
Voicemail-onlyRefers to a telephony voicemail integration where there is no access to the
voicemail via any messaging client.
Integrated messagingRefers to voicemail with telephony access as well as voicemail-only access
via a messaging client.
Unified messagingRefers to voicemail with telephony access as well as voicemail, E-mail, and
fax access via a messaging client.
Based on the above messaging types and definitions, the three messaging product options are as follows:
Cisco UnityThis solution option scales to meet the needs of large enterprise organizations and
delivers powerful voice, integrated, and unified messaging options that integrate with Microsoft
Exchange (including Exchange 2007) and Lotus Domino.
Cisco Unity ConnectionThis option combines integrated messaging, voice recognition, and call
transfer rules into an easy-to-manage system for medium-sized businesses with up to 10,000 users,
or it can network up to 5 systems to support larger-sized businesses with up to 50,000 users. For
organizations with up to 500 users, Cisco Unity Connection is available as a single-server solution
with Cisco Unified Communications Manager Business Edition.
Cisco Unity ExpressThis option provides cost-effective voice and integrated messaging,
automated attendant, and interactive voice response (IVR) capabilities in certain Cisco Integrated
Services Routers for small and medium-sized businesses and enterprise branch offices with up to
250 users.
For the Schools SRA test network, Cisco Unity 7.0 for Microsoft Exchange was deployed. Deploying
Unity allows for a centralized deployment with the greatest scalability and broadest feature set. The
following Unity collaboration capabilities are important in this decision;
Unified messagingCisco Unity unified messaging integrates transparently with Microsoft
Exchange, allowing you to handle all your messages - E-mail, voice, and fax - through a single inbox
using the Outlook E-mail client. Icons provide simple visual descriptions of each message type, and
because every message is delivered to one inbox, you can see the number, type, and status of all your
communications at a single glance. You also can reply to, forward, and save your messages -
regardless of media type - in public or personal Microsoft Outlook folders with just a click of the
mouse, decreasing response times and increasing organizational agility and customer service.
Mobile access to voice messagesCisco Unity unified messaging delivers all-in-one messaging for
mobile users. Mobile workers using a Palm Treo or RIM BlackBerry device can simply double-click
to play voice messages within their smartphone E-mail applications. The Cisco Unity solution
supports a variety of notification options that allow you to customize the way you are notified of
new voice messages. Cisco Unity Unified Messaging for Microsoft Exchange users can access their
voice messages using Cisco Unified Mobile Communicator, which integrates with Exchange to
provide mobile access to messages. Even for users with basic mobile phones, the Cisco Unity
solution is optimized to enhance mobile productivity. When you call in from a mobile phone, speech
recognition allows for hands-free usage of the system. If a call is dropped because of a
less-than-fully reliable mobile phone network, the Interrupted Session Recovery feature resumes,
on the next call-in, the session where the call left off, reducing lost time.
Note Unity requires integration with Microsoft Active Directory and Exchange, smaller school districts might
opt for a simpler Cisco Unity Connections deployment instead of deploying Unity.
7-24
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Cisco Unified Personal Communicator 7.0
Cisco Unified Personal Communicator 7.0
Cisco Unified Personal Communicator provides a very versatile communications platform to the schools
SRA. Cisco Unified Personal Communicator is a Microsoft Windows or Apple Mac application that
operates in one of two modes, Desk Phone (CTI control of the user's desk phone for click to call) and
Soft Phone (software client operation), and it is supported on Apple Macintosh and Microsoft Windows
platforms.
Cisco Unified Personal Communicator integrates the most frequently used communications applications
and services into a single desktop software application. Cisco Unified Personal Communicator
facilitates streamlined communications from your desktop or laptop computer, including integrated
contact lists, click to call, instant messaging, voicemail playback, inbound call notification, and media
escalation. By being able to control your communications from a single window, you can communicate
more effectively and be more productive.
Figure 7-14 Cisco Unified Personal Communicator
Cisco Unified Personal Communicator Features and Benefits
Communication integrationTake advantage of a single, intuitive interface for voice and video
calls, instant messaging, voicemail playback, web conferencing, and integrated directories.
PresenceView real-time availability of other Cisco Unified Personal Communicator and Cisco
Unified IP Phone users. You can also display customized messages, set an out-of-office message,
and automatically show your availability based on free and busy status on your Microsoft Outlook
Calendar.
Do not disturb (DND)Easily block incoming calls with synchronized DND status from your Cisco
Unified Personal Communicator or Cisco Unified IP Phone or use the privacy preference setting to
block instant messages when you need additional privacy.
Contact listSearch your corporate directory from one easy-to-use interface to locate contacts
quickly and simply click to call. Add your most frequently contacted personal contacts, co-workers,
and federated business contacts
7-25
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Cisco Unified Mobility
Media escalationAdd communication methods during a conversation; for example, you can add
video to an audio conversation or add web conferencing or white-boarding to an existing audio or
video conversation.
Click to callDial from the contact list, using either the integrated softphone or an associated Cisco
Unified IP Phone. You can also click to call directly from Microsoft Outlook using an Outlook
toolbar.
Integrated voice and video callingExchange ideas face-to-face with a coordinated video display
on the PC screen and audio conversation with the softphone. You can place video calls using Cisco
Unified Personal Communicator, Cisco Unified Video Advantage, or the Cisco Unified IP Phone
7985G, a personal desktop videophone.
IP phone associationUse Cisco Unified Personal Communicator to control your desktop Cisco
Unified IP Phone to make, receive, or merge calls.
Instant messagingChat in real time using instant messaging with other Cisco Unified Personal
Communicator users to save time and reduce phone tag. In addition, enable business-to-business
federation between Cisco Unified Presence and Microsoft Live Communications or Microsoft
Office Communications server to exchange presence information and instant messages with
Microsoft Office Communicator and Cisco Unified Personal Communicator users.
ConferencingCreate voice or video conferencing sessions by simply merging conversation
sessions. There is no need to call into a separate conference bridge.
Web conferencingLaunch a Cisco Unified MeetingPlace, Cisco Unified MeetingPlace Express, or
Cisco WebEx web conferencing session at a moment's notice to share content, such as a
presentation, with others.
Voice messagesAccess secure Cisco Unity or Cisco Unity Connection encrypted voicemail
messages - view, play back, sort, and delete messages - all from within the application.
Languages supported for both Microsoft Windows and Apple Macintosh desktops includeArabic,
Chinese (Traditional Chinese and Simplified Chinese), Danish, Dutch, English, French, German,
Italian, Japanese, Korean, Portuguese (Brazilian), Spanish, Russian, and Swedish.
Cisco Unified Mobility
Cisco Unified Mobility is natively available with Cisco Unified CM on the school SRA network. Cisco
Unified Mobility extends rich call control capabilities of Cisco Unified Communications Manager from
a mobile worker's primary workplace desk phone to any location or device of their choosing.
Some of the key benefits of enabling Cisco Unified Mobility capabilities with Cisco Unified
Communications Manager include:
Single Business Number Reach and Single Business VoicemailCisco Unified Mobility makes it
possible for workers to consolidate all their incoming business calls (i.e. incoming business calls to
mobile phones, home office phone, or any temporary telework phone) into a single business phone
number and immediately receive them wherever they are working. Coworkers, business partners,
and customers now only need a single business phone number to reach workers who can be more
responsive without additional effort. If mobile workers are unable to answer the call extended to one
of the many user-defined alternative phone numbers, they can rely on Cisco Unified Mobility to
store the unanswered calls into a single business voicemail on Cisco Unity or other business
voicemail system. Cisco Unified Mobility reduces the burden on workers of having to share multiple
phone numbers with business contacts and having to check multiple voicemail boxes at the end of
the day.
7-26
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Cisco Unified Mobile Communicator
Seamless Transition of Ongoing Extended CommunicationsMobile phones are great when moving
from location to location, but when a mobile worker arrives at the office, they would rather take
advantage of speakerphone or other IP Phone services on their Cisco Unified IP Phone at their desk.
Cisco Unified Mobility provides seamless transition of extended ongoing calls from mobile phones
to desk phone and vice versa. This provides workers with the ability to maintain business
communications continuity while taking advantage of least cost routing of mobile calls across
company's IP communications infrastructure while in the office. Hence they can start the
conversation from their mobile phone and seamlessly transition that conversation to a desk phone
upon arrival in the office without needing to call back. Similarly they can transition the call
seamlessly back to the mobile phone and wander away at will for another appointment.
Cisco Mobile Voice AccessWith Cisco Unified Mobility, workers who need to place national or
international calls from their mobile phone can use the Cisco Mobile Voice Access line to place the
call as if they are placing the call from their business extension on their desk. The worker dials the
Cisco Mobile Voice Access line from the mobile phone and places the call on the IP
communications network over a tie line. The call is connected and remains in control of Cisco
Unified Communications Manager providing the opportunity to reduce mobile communications
costs associated with national or international calls placed directly from mobile phone. With Cisco
Mobile Voice Access, the person being called sees the caller-id as coming from a desk phone in the
office rather than from the personal cell phone that may have actually initiated the call.
Access to Mid Call Control Cisco Unified Communications Manager CapabilitiesCisco Unified
Mobility extends key call control features of Cisco Unified Communications Manager (such as hold,
resume, transfer, and conferencing) on calls extended to devices and locations of the workers
choice. For workers who have become accustomed to such productivity capabilities in the office can
now access them while they are away from their desk.
Personalized Access ListsMobile workers can access the secure user profile webpage to enter
mobile and other alternate phone numbers and create filters that restrict the types of calls that are
extended using Cisco Unified Mobility. Cisco Unified Mobility intelligently manages, filters, and
routes each call between a worker's business extension and alternate phone numbers based on rules
defined by the worker on their profile. Unanswered calls are consolidated into single business
voicemail and voice communications resources are only used to extend relevant calls as determined
by rules specified by the worker.
Web-Based System AdministrationCisco Unified Mobility provides system administrators with
the flexible to define and manage user profiles. System administrators can use the secure
Administration Webpage to determine how much control users will have over their profiles and
make user profile changes when needed. Users enjoy the advantages of personal choice, while the
system administrator retains control over resource use and can provide backup support.
Cisco Unified Mobile Communicator
Cisco Unified Mobile Communicator (see Figure 7-15) is an easy-to-use software application for mobile
handsets that facilitates more effective communications for mobile employees. By extending enterprise
communications applications and services to mobile phones and smartphones, Cisco Unified Mobile
Communicator streamlines the communication experience, facilitating real-time collaboration across the
enterprise. With Cisco Unified Mobile Communicator, you can place and receive calls, access company
directory contacts, check presence information, and review voicemail messages, as well as receive Cisco
Unified MeetingPlace notifications and other vital information-all from a single, intuitive interface
connected to Cisco Unified Communications.
7-27
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Cisco Unified Mobile Communicator
Figure 7-15 Cisco Unified Mobile Communicator
Using Cisco Unified Mobile Communicator, employees have the Key Features and Benefits available
on the mobile cellular phone;
Communication integrationUse one intuitive interface for mobile calls, directory and presence
information, voicemail playback, text messaging, and conferencing.
Unified contact listSearch your corporate directory (Active Directory) and personal contacts
(Microsoft Outlook) from one easy-to-use interface to locate contacts quickly. Simply select a name
to call.
PresenceFind a contact and see whether the person is available to talk-before placing the call.
View a person's availability status from the directory on the mobile handset.
Select to callDial from the directory by simply selecting a name.
Single-business-number reachProvide colleagues with a single number to reach you. Supported
by Cisco Unified Mobility, calls to your desk phone can be answered from your mobile phone. If
you are busy, simply decline or ignore the call and it will be diverted to your office voicemail.
Secure text messagingSend and receive text messages from colleagues when they are unavailable
to talk. A visual list on your mobile handset shows at a glance who is trying to reach you. Incoming
messages are conveniently grouped by person, showing the sender, the priority, and a brief subject
line, if available.
Voice messagesAccess Cisco Unity voicemail messages to select, view, play back, and delete
messages in any order, all from the mobile handset.
ConferencingReceive notifications of conference calls on your mobile phone from the Cisco
Unified MeetingPlace solution. Simply press a button to call the conference bridge.
Call logsView a list of recent calls on your mobile phone and learn what calls were missed,
placed, and received from your mobile phone or your Cisco Unified IP Phone.
SecurityCisco Unified Mobile Communicator is deployed securely behind the enterprise firewall.
Cisco Unified Mobile Communicator uses industry-standard, Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) encryption to protect transmission of data between handsets and
your data center. End users authenticate with existing Lightweight Directory Access Protocol
(LDAP) directories. If a mobile handset is lost or stolen, IT staff can remotely deactivate the device
and erase sensitive company information.
ManagementSimple, Web-based management allows IT staff to manage user activation,
configuration, and administration; set system privileges and security; report statistics; and manage
devices. The end-user portal allows provisioning, directory management, and configuration of user
preferences.
7-28
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 7 Unified Communications Design
Cisco Unified Mobile Communicator
Broad operator and device supportWorking simultaneously across multiple networks, mobile
operators, and handset platforms, Cisco Unified Mobile Communicator helps ensure end-user
choice and delivery of consistent performance at work, at home, and on the road.
C H A P T E R
8-1
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
8
Digital Media and Video Surveillance Design
Digital Media System Overview
The schools Service Ready Architecture (SRA) network architecture in combination with the Cisco
Digital Media System (DMS) creates an environment which streamlines and automates information flow
and process throughout school districts.
The evolution of digital communication in the 21st century education environment is transforming
processes and empowering educators to develop and deploy eye-catching, compelling, and integrated
video content.
Digital media communication in school systems is an extremely effective tool to deliver dynamic
and cost effective subject matter to staff and students.
Using digital media school systems keeps the education community connected, increases awareness,
and integrates with safety and security system notifications.
Integrating digital media technologies assists teacher's curriculum development and professional
development.
Comprehensive digital video systems transform video delivery processes in individual classrooms;
school administrator can create customized, on-demand educational video content or even relay live
video feed during national events or local emergencies.
Video Surveillance Overview
Video surveillance has been a key component of safety and security groups for many organizations. As
an application, video surveillance has demonstrated its value and benefits countless times by providing
real-time monitoring of a facilitys environment, people, and assets as well as by recording events for
subsequent investigation, proof of compliance, and audit.
For school systems that need to visually monitor or record events video, surveillance has become more
important as the number of security risks increases. In addition to video analytics, the value of video
surveillance has grown significantly with the introduction of motion, heat, and environmental sensors.
In a typical school environment, several systems are deployed for disparate applications, such as
physical access control, fire and smoke detection, and video surveillance. These applications typically
do not communicate with each other and require different management and support personnel. As a
result, owners and operators suffer from a lack of operational consistency, interoperability, and
capabilities that translate into higher capital and operational costs and limit the return on their
investment.
8-2
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Video Surveillance Overview
Ciscos solution offers software and hardware to support video transmission, monitoring, recording, and
management. Cisco video surveillance solutions work in unison with the advanced features and
functions of the IP network infrastructureswitches, routers, and other network security devicesto
enable secure, policy-based access to live and recorded video.
Cisco Digital Media System Architecture
Cisco has developed a comprehensive, scalable, and network-centric DMS architecture that is built on
three major digital application components. Each application is specifically designed to address key
challenges, regardless of how or where the digital content is designed and developed. The multifunction
management and adaptive media system is common to these three applications:
Desktop videoInteractive education training application that allow students to watch instructional
videos on-demand or via live streaming. Students can use classroom PCs to navigate a Cisco Video
Portal database to securely access relevant training video content.
Enterprise TVWhile the targeted users for desktop video applications are individuals or group of
students, enterprise TV expands the same video capability to a larger audience and so extends the
classroom. Live or on-demand pre-recorded training video can be broadcast in a classroom. In
addition to internally developed video material, district and school administration can also enable
live educational TV programming like science, discovery, etc.
Digital signageEnables innovative ways to publish content and information that improves the user
experience, allows dynamic updates, and increases campus safety and security. Some of the
common digital signage use cases in schools system include announcing school and district news,
major events, classroom assignments, PTA meetings, etc.
Figure 8-1 shows a Cisco DMS solution suite that is a set of product and technologies developed to
create an end-to-end digital media network. The products are divided into three major functions, create,
manage, and access.
Figure 8-1 Cisco DMS Solution Suite
Flash,
Shockwave,
HTML
Digital Media
Player
Cisco Video Portal
Cisco LCS
Display
Cisco LCD
Display
Digital Media Manager
Cisco MCS
Digital Media
Encoders
Create Manage Access
Digital
Application
Digital
Signage
Desktop
Video
Enterprise
TV
Scientific Atlanta
Encoders
2
2
7
8
5
3
8-3
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Video Surveillance Overview
The digital media components in the Cisco DMS solution suite assist schools in deploying digital media
solutions at their own pace; e.g., initially deploy digital signage with simple development applications
and deploy interactive video solutions in subsequent phases.
The Cisco Digital Media Manager (DMM) is a Web-based application that simplifies deploying all three
digital media applications in schools.
DMS Solution for Schools
DMS solutions in schools have proven valuable in overcoming key challenges in the development of
next-generation education delivery processes. DMS provides the flexibility to develop training content
that can be accessed by students anytime, and anywhere. Cisco DMS relies on a resilient, scalable, and
reliable network infrastructure for seamless end-to-end content delivery.
Figure 8-2 shows an end-to-end digital media reference model with all three applications enabling a
unified digital network service for the school district.
The following are some of the key benefits of this DMS design model:
Centralized management at the district office providing consistent publishing policies, security,
scalability. and reduced operational and maintenance cost.
Distributed storage and media access points enabling district office and schools to use centrally
developed content with reduced bandwidth capacity and increased availability during network
instability.
In large-scale video networks, the Cisco Application and Content Network Services (ACNS) or
WAN optimization appliances can be deployed to increase media performance and reduce expensive
WAN bandwidth requirements.
8-4
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Video Surveillance Overview
Figure 8-2 End-to-End Reference DMS Solution in School Network Architecture
The following section provides an overview of various deployment scenarios, device components,
communication, and network requirements for digital media applications in schools. For a detailed
digital media design and implementation guide, refer to:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Video/DMS_DG/DMS_dg.html
Internet
WAN
Video
Admin
Regional School
Data Center Studio Classroom
HDTV
HDTV
HDTV HDTV
HDTV
HDTV
HDTV
Lobby Cafe
HDTV HDTV
Cafe
HDTV
Streaming
Server
Web Server
Video
Scientific Atlantic
Encoders
Digital Media Encoder
Digital Signage
Enterprise TV
Desktop Video
with Video Portal
Digital Media
Player
School Web
Admin
Admin
District Office
Data Center Studio Conference
Room
HDTV HDTV HDTV
HDTV
HDTV
HDTV
Lobby Cafe
HDTV
Streaming
Server
MXE
ADS/LDAP
DMM
DMS
Admin
CVP
Web Server
Scientific Atlantic
Encoders
Digital Media
Encoder
2
2
7
8
5
4
8-5
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Desktop Video Application Overview
Desktop Video Application Overview
Students, teachers, and administrative staff can watch live or pre-recorded video events from their
personal computers at any location and at any time. The Cisco DMS Digital Video application empowers
faculty to extend the classroom audience to remote locations by broadcasting live or recording training
sessions available as video on-demand (VoD).
Cisco Desktop Video applications offer several benefits:
Customizable interface with program guide and search window.
Students can create a personalized video playlist.
Questions and comments can be made during live video broadcast events.
Restrict video content access based on Active Directory or LDAP authentication and privilege.
Wide format supportAdobe Flash, Windows Media, H.264, QuickTime, etc.
Player ControlsSynchronized slides, advanced video and controls, etc.
Desktop Video Components
As one of the integrated components of the Cisco DMS solution suite, the digital video application uses
common video development, management, and publishing components. In combination, external
authentication servers can provide secure, on-demand video content and live video broadcast services to
the desktop or on Cisco LCD TVs deployed in different physical locations.
The Cisco DMS solution suite consists of:
Digital Media Manager (DMM)Centralized management appliance in district office governs the
content and communicates with local or remotely deployed critical desktop video components, e.g.,
CVP, HTTP server etc.
Digital Media Encoder (DME)Single or multi-channel media encoder receives live analog/digital
feed from cameras or television service providers and transports over the IP network to the
streaming server.
Streaming ServerProvides stream splitting capabilities, allowing many clients to view a single
live stream from DME or pre-recorded source (replay)
Cisco Video Portal (CVP)Web-based video navigation engine provides access to users after
successful authentication with Active Directory or LDAP server.
Web Server/Content RepositoryStores all VoDs referenced by Video Portal server. User triggers
VoD request to access video content through CVP and the request gets redirected to pull video file
from the content repository to the requested user.
Publishing Live and Video On-Demand Content
A critical feature of the Cisco Digital Media System for Cisco Desktop Video is its ability to simplify
the publishing of live and on-demand digital media files to the Cisco Video Portal (CVP). On-demand
video content can be uploaded from the developers computer directly to the DMM server for staging
and previewing prior to deployment. This staging capability includes the addition of an approval process
within the content workflow to help ensure that school branding, publishing policies, and messaging are
properly incorporated in the content. Post approval process, the content can be moved or deployed to the
Cisco Video Portal using secure file transmission.
8-6
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Enterprise TV Application Overview
The Cisco DMM works in conjunction with Cisco Digital Media Encoders (DME) to create and deploy
live content to the Cisco Video Portal. The Cisco DMM first manages the Cisco DME to set up their
encoding profiles, defining the bit rate, format, and media type. The Cisco DMM also defines the port
that the Cisco Digital Media Encoders will stream from, so that the streaming servers can pull the stream
to their live publishing points. These publishing points are then deployed to the Cisco Video Portal
through the Cisco Digital Media Manager deployment process. The same workflow defined for the
on-demand digital media content is applied to live events, providing a consistent, easy-to-use process
for all types of deployments. Figure 8-3 shows a schematic of Cisco DMM video management.
Figure 8-3 VoD and Live Video Broadcast Using Digital Video Application
Enterprise TV Application Overview
The Enterprise TV (ETV) application brings standard or high-definition television network channels
into IP-based networks. Deploying Scientific Atlanta encoders in a video head-end role performs the
interworking function that transforms video source from television service provider to an IP based video
delivery within the campus network. When the ETV module is enabled in Cisco DMM appliance, the
school administrator can program the channel guide information to be broadcast in different physical
locations, e.g., channel number, name, port number, etc. To improve the user experience in navigating
video channels, ETV Electronic Program Guide (EPG) can be programmed to provide information on
channel lineup, and current and future programming information, which is similar to television service
HDTV
Multicast/HTTP
Scientific Atlantic
Encoders
Studio
DME
Live
Video
Feed
Video On-Demand (VoD) Live Video Broadcast
ADS/LDAP
DMM
Content
Sever
DMS
Admin
CVP
Video
Portal Access
2
2
7
8
5
5
8-7
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Enterprise TV Application Overview
provided programming guide. To watch the live video channels, users can use Cisco DMP and remote
control to navigate and access the channel. Video delivery over IP networks can be unicast or multicast,
depending on how IP/multicast is designed in campus network.
With larger displays in key physical locations, the ETV application becomes the primary
communications interface in the district targeting large audiences. For example, live or VoD broadcast
for education training, demonstrations, meetings, etc., targeting all the students in a classroom, or live
news, etc.
Enterprise TV Components
To broadcast school developed VoD or live video through ETV, the core Cisco DMS components used
in the desktop video application can be leveraged to integrate ETV in the network. The primary
difference between ETV and desktop video in this case would be Digital Media Player (DMP) instead
of a PC as an access end point for a large screen display targeting a larger audience. To broadcast
television network channels in the campus network, the Scientific Atlanta encoder must be integrated
along with other ETV components. It is recommended to deploy distributed television service in local
campus and not forward non-critical video traffic over the WAN infrastructure.
Scientific Atlanta EncoderAn encoder system that provides interworking function between
analog or digital television service provider and IP network. Encodes live video input and
transforms into MPEG-2 or MPEG-4 multicast stream.
Cisco Digital Media Player (DMP)Key media access end point that connects to Cisco LCD TV
for large size displays. DMP provides capabilities to decode multi-format graphics and stream video
content received over unicast or multicast IP network.
Broadcasting Live TV or Video On-Demand Content
The communication flow between the DMP and the DMM and Video Portal function is similar to
desktop video applications. Proper planning, technologies, and equipment must be deployed in campus
network for successful live television video delivery. When designing the playlist in Cisco Enterprise
TV module, the school administrator must understand that it can support up to 99 live and on-demand
video channels broadcast in the campus network. The DMM administrator in the district office can use
the DMM-ETV software module to create customized TV navigation interfaces, such as adding school
logo and skins, programming video channel assignments, and configuring specific video channel
assignment to DMP deployed in specific campus location. Figure 8-4 shows a schematic of the
Enterprise TV video architecture.
District and school architects must understand the codec type required for publishing video in the
campus network. Deployed digital encoders must follow the MPEG2 standard specification to stream
the video. It is recommended to deploy Scientific Atlanta 9032SD or 9050HD encoder to stream live
video stream to DMP for Enterprise TV application.
8-8
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Figure 8-4 Live Video Broadcast and VoD Using Enterprise TV Application
Digital Signage Application Overview
Ciscos Digital Signage solution is a comprehensive solution for the publishing of dynamic and
on-demand signage using digital media displays deployed locally or regionally in schools over an IP
network. The key benefits of digital signage over traditional static signs in school are that the digital
content can be exchanged and updated more dynamically, using digital media tools to make the content
more relevant and interactive. Publishing school messages, local announcements, or emergency alerts
through Cisco digital signage becomes more effective and with better investment return compared to
traditional models.
The Cisco digital signage application is a Web-based media management and publishing application that
creates a playlist with a set of content that is required to be published to a single or group of DMPs in a
network. The digital signage application use standard HTTP protocols to communicate with centrally
deployed DMM in the district office data center and single or distributed Web servers to pull and publish
the real-time information to display on large Cisco LCD TVs. With flexible user administration, the
DMM administrator is empowered to create groups of users with different privileges who can develop,
publish, and manage the signage content; e.g., user group like school Web admin, IT admin, and security
admin can create content assets, control display properties, etc.
HDTV HDTV HDTV
RTSP/HTTP/
Multicast
Scientific Atlantic
Encoders
Set-Top-Box
Studio
DME
Live
Video
Feed
Video On-Demand (VoD) Live Video Broadcast Live TV
ADS/LDAP
DMM
Content
Sever
DMS
Admin
CVP
Live
Video
TV
Portal Access
2
2
7
8
5
6
8-9
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Digital Signage Components
The requirements of the integrated digital media components depend on which content needs to be
published through a signage module. The Cisco digital signage application provides the flexibility for
the DMM administrator or school Web administrator to develop multi-functional, integrated content that
can play key messages, stream VoD files from a content server, and keep connected with external
information. For example, schools can publish a single Adobe flash file that is composed of static text
information, embedded with education short VoD stream and live news information with RSS feed. The
basic digital signage components are:
Digital Media Manager (DMM)Centralized management appliance in district office governs the
content and communicate with local or remotely deployed critical desktop video components, e.g.,
CVP, HTTP server, etc.
Cisco Digital Media Player (DMP)The Cisco DMP is a highly reliable IP-based hardware
endpoint for video decoding and playback of digital media contentincluding high-definition live
broadcasts and VoD, Flash animations, text tickers, and other Web contentacross digital displays.
DMP is a critical component of the digital signage and ETV applications allow for the networking
of digital displays and the broadcasting of live and on-demand media. The current DMP portfolio
includes the Cisco DMP 4305G for standard signage and ETV and the Cisco DMP 4400G for
high-end signage and ETV.
Cisco LCD Professional SeriesFor an end-to-end Cisco digital media solution, the Cisco LCD
professional series displays is a high definition LCD display that can be centrally managed through
DMM.
Web Server/Content RepositoryStores all HTML, VoDs, flash files referenced by HTTP server
or Video Portal server. Multiple files can be played on same DMP; based on Web application design,
the program triggers the content request and it is pulled by DMP from a source server.
Video Surveillance System Architecture
The Cisco Video Surveillance solution relies on an IP network infrastructure to link all components. The
design of a highly available hierarchical network has been proven and tested for many years and allows
applications to converge on an intelligent and resilient infrastructure.
Figure 8-5 shows the main components of the Cisco Physical Security solution, including video
surveillance, physical access control, incident response and integration with third-party systems.
8-10
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Figure 8-5 Cisco Physical Security Components
Some of the benefits of Ciscos Video Surveillance solution include the following:
Access to video at any time from any network location, enabling real-time incident response and
investigation.
Transfer of control and monitoring to any other point in the network in an emergency situation.
Ability to manage devices and alarms from a centralized location.
Ability for products from various vendors to interoperate in the same network.
An open, standards-based infrastructure that enables the deployment and control of new security
applications.
The main components of the Cisco Video Surveillance solution include the following:
Cisco Video Surveillance Media ServerThe core component of the network-centric Video
Surveillance Manager solution. This software manages, stores, and delivers video from a wide range
of cameras and encoders over an IP network
Cisco Video Surveillance Operations ManagerThe Operations Manager authenticates and
manages access to video feeds. It is a centralized administration tool for management of Media
Servers, Virtual Matrixes, cameras, encoders, and viewers and for viewing network-based video.
Cisco Video Surveillance IP CamerasThe high-resolution digital cameras are designed for
superior performance in a wide variety of environments.
Cisco Video Surveillance Virtual MatrixThe Virtual Matrix monitors video feeds in command
center and other 24-hour monitoring environments. It allows operators to control the video being
displayed on multiple local and remote monitors.
Cisco Video Surveillance Encoding ServerThis all-in-one appliance encodes, distributes,
manages, and archives digital video feeds for analog cameras. Each server encodes up to 64
channels and provides up to 12 TB of storage.
Cisco Video Surveillance Storage SystemThis complementary component allows the Media
Servers internal storage to be expanded with direct attached storage (DAS) and storage area
networks (SANs). The Storage System allows video to be secured and accessed locally or remotely.
The following subsections describe the components used for this solution.
Video and Device
Capture
Video Surveillance, Access Control
and Incident Management
Response
2
2
7
6
7
7
IP Surveillance
Cameras
Radios, Mobile Phones,
IP Phones
Digital Signage
Desktop
Cisco Video
Surveillance
Operations
Manager (VSOM)
Safety and
Security
Third Party
Analog and IP
Cameras
IP
Physical Access
Manager Multiservices
Platform
Physical Access
Gateway
IP
IPICS
Multiservices
Platform
ISR - Video Media
Management and
Storage
Open API - Third
Party Systems
IP
8-11
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Cisco Video Surveillance Media Server
The Cisco Video Surveillance Media Server (VSMS) is the core component in the Cisco Video
Surveillance Manager solution and performs the following networked video surveillance system
functions:
Collection and routing of video from a wide range of third-party cameras and video encoders over
an IP network
Event-tagging and recording of video for review and archival purposes
Secure local, remote, and redundant video archive capabilities
In Figure 8-6, the Media Server is responsible for receiving video streams from different IP cameras and
encoders and replicating them as necessary to different viewers.
Figure 8-6 Video Surveillance Media Server (VSMS)
By using the power and advanced capabilities of todays IP networks, the Media Server software allows
third-party applications, additional users, cameras, and storage to be added over time. This system
flexibility and scalability supports the following:
Hundreds of simultaneous users viewing live or recorded video
Standard video compression algorithms such as MJPEG, MPEG-2, MPEG-4, and H.264
simultaneously via a single Media Server
Conservation of storage using events and loop-based archival options
Integration with other security applications
Cisco Video Surveillance Operations Manager
Working in conjunction with the Cisco Video Surveillance Media Server, the Cisco Video Surveillance
Operations Manager (VSOM) enables organizations to quickly and effectively configure, manage, and
view video streams throughout the enterprise. Figure 8-7 shows the Operations Manager main screen,
which is accessed through a Web browser.
IP Cameras
Encoder
OM Viewer OM Viewer 2
2
7
6
7
8
Media Server
(VSMS)
Operations
Manager
(VSOM)
Analog Cameras
A
D
IP
IP
IP
8-12
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Figure 8-7 Video Surveillance Operations Manager
The Operations Manager meets the diverse needs of administrators, systems integrators, and operators
by providing the following:
Multiple Web-based consoles to configure, manage, display, and control video throughout a
customers IP network.
The ability to manage a large number of Cisco Video Surveillance Media Servers, Cisco Video
Surveillance Virtual Matrixes, cameras and users.
Customizable interface, ideal for branded application delivery.
Encoder and camera administration.
Scheduled and event-based video recording.
Interface to Media Server and Virtual Matrix software for pushing predefined views to multiple
monitors.
User and role management.
Live and archived video views.
Friendly user interface for PTZ controls and presets, digital zoom, and instant replay.
Event setup and event notifications.
Record Now feature while viewing live video
Cisco Video Surveillance IP Cameras
Cisco 2500 Series Video Surveillance IP Camera
The Cisco 2500 Series Video Surveillance IP camera is a high resolution standard-definition,
feature-rich digital camera designed for secure performance in a wide variety of environments. The
camera supports MPEG-4 and MJPEG compressions with up to 30 frames per second.
Contact closure and two-way audio allow integration with microphones, speakers, and access control
systems. By providing wired and wireless models, the Cisco 2500 IP camera provides an ideal platform
for integration and operation as an independent device or as part of the Cisco Video Surveillance
network. Figure 8-8 shows both the wired and wireless models of the 2500 IP Camera.
8-13
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Figure 8-8 Cisco 2500 Series IP Cameras
The 2500 Series IP camera provides the following features:
The camera employs powerful digital imaging technology, allowing it to capture high-quality
images in a wide variety of indoor and outdoor lighting conditions. It uses a progressive scan
image-sensor with global electronic shuttering to ensure natural color rendition, and minimal
motion blurring.
The wireless IP camera model supports 1X2 Multiple Input Multiple Output (MIMO)
communication, which provides better data throughput and higher link range than single antenna
designs. The wireless IP camera offers strong wireless security using Wi-Fi Protected Access
(WPA)/WPA2 and supports various network protocols for 802.1x authentication.
Power over Ethernet (PoE) 802.3af or DC power through an optional external power supply.
Support for the Cisco Media API, an open, standards-based interface that allows integration with
compatible video surveillance management systems.
Support for 802.1x authentication on both the wired and wireless models.
Cisco 4000 Series Video Surveillance IP Camera
The Cisco Video Surveillance 4000 Series IP Cameras employ true high-definition (HD) video and
H.264 compression, streaming up to 30 frames per second at 1080p (1920 x 1080) resolution. The Cisco
4000 IP Camera series also supports contact closure and two-way audio allow integration with
microphones, speakers, and access control systems.
The Cisco 4000 Series includes two models: the CIVS-IPC-4300 and CIVS-IPC-4500. These cameras
have identical feature sets, with the exception of the additional digital signal processor capabilities
specifically designed to support real-time video analytics at the edge on the CIVS-IPC-4500. On this
model, applications and end users have the option to run multiple analytics packages without
compromising video streaming performance on the camera.
Figure 8-9 shows a Cisco 4000 IP Camera with an optional DC Auto Iris Lens.
8-14
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Figure 8-9 Cisco 4000 Series IP Camera
The 4000 Series IP camera provides the following features:
True high-definition videoThe camera streams crisp and clear 1080p (1920 x 1080) video at 30
frames per second while maintaining surprisingly low network bandwidth.
Progressive scan videoThe camera captures each frame at its entire resolution using progressive
scan rather than interlaced video capture, which captures each field of video.
Embedded security and networkingThe camera provides hardware-based Advanced Encryption
Standard (AES).
IP Multicast for enhanced bandwidth management.
Event notificationThe camera can examine designated areas for activity and notify users or other
applications when it detects activity that exceeds a predefined sensitivity and threshold.
True day/night functionality that includes an infrared (IR) filter that automatically switches to night
mode in low light scenes.
The camera supports Power-over-Ethernet (PoE) 802.3af, 12 VDC or 24 VAC power through an
optional external power supply.
The camera can be installed with a fixed mount or with an optional external pan/tilt mount and
motorized zoom lens.
For more information, see the Physical Safety for Schools Application Deployment Guide:
http://www.cisco.com/en/US/docs/solutions/Verticals/Education/safe_sec_ed_dg.html
Deploying Digital Signage in School Campus
To ensure a successful digital media deployment, network, display, and management planning must be
done prior to deploying digital signage in the schools network. A well-planned digital signage network
design provides flexibility to incrementally deploy desktop video and ETV digital media applications
without making major infrastructure changes. As described earlier, digital signage uses standard HTTP
protocols to pull and publish the signage content on displays. Network bandwidth consumption for
digital signs varies widely as it depends on playlist and content types. This document provides the best
practices to design and configure the digital signage with content developed with rich text, flash, and
animation and located on distributed Web servers to increase network efficiency.
Centralized Management Model
Cisco DMM is highly scalable appliance server that can be deployed centrally in district office location
to manage up to 1000 DMPs deployed in local and regional school campus network. Cisco DMP
deployed in local district offices or remote regional schools can communicate with centralized DMM
8-15
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
over LAN and WAN network using standard HTTP as the control protocol to receive Web or content
server re-direction information to display content. Deploying DMM in a centralized location allows the
DMM administrators in district offices to manage all registered DMP in various ways:
Add and archive digital content and assign metadata and keywords.
Create and manage play lists, ticker alerts, messages, closed captions, and promotional interstitials.
Preview digital signage content and manage approval workflow.
Ability to pre-configure the playlist and schedule for instant and future deployments.
Take WAN optimization solution advantage and provide tight integration with Cisco ACNS and
Cisco Content Engines.
Manage user administrator accounts and permissions.
Centralizing DMP management and publishing signage content centrally at a district office allows the
DMM administrator to advertise consistent information and messaging throughout the network. To
minimize WAN network utilization, the school administrator must leverage internal storage or their
local Web server to store and advertise the local, regional, and department news and information.
However the district office and Internet news must be communicated over the WAN.
The network architect must consider integrating enterprise-class Cisco Application and Content
Networking System (ACNS) that uses caching technology and offers higher scalability and reliable
video delivery solution at the schools to improve end user experience and application response time.
When integrated with the Cisco Wide-Area Application Services (WAAS) solution, it helps in
optimizing WAN bandwidth utilization significantly with local redirection and high data compression
over the WAN.
Figure 8-10 is a validated design to integrate digital signage with centralized management in the district
office with distributed DMP in a large-scale school network.
8-16
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Figure 8-10 Centralized DMM with Distributed DMP in School SRA
Distributed Content Storage Model
Digital signage content is typically wrapped with HTML or Adobe Flash applications that provide
greater flexibility for a Web administrator to display more types of content from various sources on a
single page. When deploying large numbers of DMPs with rich and static digital signage content, the
unicast communication between DMP and the distributed content server may waste network bandwidth
by retrieving the same content for continuous display. Hence it becomes important for the network
architect to understand the content distribution and network level requirements to optimally deploy
signage application in a campus network.
Depending on DMP scalability, overall network capacity, and the bandwidth allocation for digital
signage application, Cisco DMS offers the following three distributed content storage solutions for
Cisco DMP to pull and display the static content from the local network instead of downloading all of it
through the WAN network:
HTTP
Web Server
Regional Office
District Office
HDTV
Admin
HDTV
Lobby
HDTV
Cafe
HDTV
Conference
Room
ADS/LDAP
Data Center
DMM
DMS
Admin
2
2
7
8
5
7
Web Server
HDTV
Admin
HDTV
Lobby
HDTV
Cafe
Server Room
School
Web
Admin
8-17
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Cisco DMS-Content Distribution (CD)Is an ideal solution for a small-scale school network with
few Cisco DMPs. Cisco DMM can push the static HTML or flash content via FTP or SFTP protocol
to Cisco DMM on internal storage or to external storage device like USB drive and redirect Cisco
DMP to access internal storage. This solution helps to minimize WAN bandwidth utilization.
Local Content Server (Web or CIFS)Storing the digital media content on a single local content
server, like HTTP or CIFS sever, gives the network administrator more flexibility and management
of the content distribution solution. The Web administrator can dynamically add, modify, and store
the updated HTML or Flash file on a centralized server for Cisco DMP to retrieve and display. On
the next HTTP request from DMP, the refreshed copy is displayed automatically. This solution
provides more flexibility compared to Cisco DMS-CD solution, as it can dynamically update
content without updating and managing content on each individual Cisco DMP.
Cisco ACNSHighly scalable and intelligent large size video content distribution to remote
locations. Hierarchical content distribution system at district office and school sites distributes
single copy of pre-recorded video to ACNS edge at the schools. To increase WAN network
efficiency, Cisco ACNS leverages the caching technology and provides unicast VoD delivery in
local LAN networks to end users instead of downloading one copy for each user over the WAN
network.
SRA Validated Content Distribution Model
To provide a simplified, scalable, and cost-effective content distribution and management solution in
SRA architecture, it is recommended to leverage local Web or CISF servers in the district office and
schools to store and publish local digital signage content. Cisco DMM can be programmed to re-direct
local DMPs to a local Web server and remote DMPs to pull the content from a local Web server. Such
distributed content storage design minimizes the critical WAN bandwidth usage to publish local
information. However, the WAN network may still be utilized to access global signage information,
such as county or state level education and emergency news that can be broadcast by Web server from
district office, and similarly real-time news ticker from the Internet can be embedded in major content
that provides constant world-wide news updates.
School network architects and Web administrators must perform pre-deployment exercise to assess the
type of local versus distributed content (text/graphics/VoD/RSS) embedded in signage and the number
of DMPs to be deployed in schools. This assessment provides WAN bandwidth guidelines to integrate
digital signage in schools. As described earlier, Cisco WAN optimization solution like ACNS and
WAAS must be integrated in the network if it demands higher WAN bandwidth. Figure 8-11 depicts the
unicast communication flow between Cisco DMP deployed across the network and Web servers located
in intranet and Internet domains.
8-18
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Figure 8-11 Distributed Content Server Communication
Implementing Network Services for Digital Signage
Prior to integrating digital signage applications, the network architect must make network services ready
with the best practices for resilient and seamless operation and integration. Building the network as a
highly-available platform is a foundational requirement for applications like IP telephony and digital
media solutions as they demand constant bandwidth and network availability. Deploying centralized
DMM with a distributed content server spans the digital communication beyond the campus boundary;
hence it is recommended to deploy digital media solutions based on these network design principles:
Low latencyDeploy the high-speed campus network that offers lower latency for real-time
applications like voice and video.
WAN
Regional School
District Office
HDTV
Admin
HDTV
Lobby
HDTV
Cafe
HDTV
Conference
Room
Data Center
2
2
7
8
5
8
HDTV
Admin
HDTV
Lobby
HDTV
Cafe
WAN
Web Server
Regional School
District Office
Intranet Content Server Communication Internet Content Server Communication
HDTV
Admin
HDTV
Lobby
HDTV
Cafe
HDTV
Conference
Room
Data Center
Web Server
HDTV
Admin
HDTV
Lobby
HDTV
Cafe
Server Room
School
Web
Admin
Internet
8-19
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
High availabilityTo increase network resiliency it is recommended to deploy the network with
redundant modules, systems, and power supplies offering non-stop communication and sub-second
network recovery during minor or major network failure events.
QoSEnhance user experience and content quality with robust QoS policies at the campus network
edge.
ConfidentialityProtect digital media end points, appliances, and data with centralized
authentication and encryption.
This section provides access ayer design and configuration guidelines to deploy Cisco DMP at the
campus network edge and DMM in a centralized data center in a district office. For more information
on design and implementation guideline for building a strong and resilient core and foundational campus
network, refer to the following URL:
http://www.cisco.com/en/US/docs/solutions/Verticals/Education/SRA_Schools/school_sra_campus_dg
.pdf
Deploying Cisco DMP in the Access Layer Network
Cisco DMP is a school managed and trusted end point in the campus access layer, hence the network
administrator must apply the common security and QoS policy for DMP as defined for other trusted
end-points like IP phones. In a typical deployment scenario, a single access layer switch may be
connected to several other trusted and un-trusted end-points, hence it becomes an important task for
administrator to provide secure and suitable network services.
Cisco access layer switches provides the flexibility to deploy Cisco DMP in two different modes, manual
deployment and plug-and-play Auto Smartport (ASP) macro.
Manual Deployment
School administrator must manually implement the following three major network services to
successfully integrate DMP in the network:
Assigning unique Layer 2 VLAN
Implement network edge security
Implement network edge QoS
Assigning Unique Layer 2 VLAN
To provide secured and simplified digital signage communication, the DMP must be assigned a unique
broadcast domain. De-coupling DMP with other trusted and un-trusted end points makes DMP more
secure during any attacks and is easier to manage and troubleshoot. When single access layer connects
to multiple DMPs, then all the DMPs can be assigned on the same Layer 2 VLAN. Like any other logical
network partition design, it is recommended to use unique Layer 2 VLAN for DMP that are physically
deployed on different Cisco access layer switches. Figure 8-12 provides recommended Cisco DMP
Layer 2 segmentation guidelines in the access-layer:
8-20
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Figure 8-12 Cisco DMP-Layer 2 VLAN Segmentation
Cisco DMP cannot transmit or receive 802.1Q tagged frames, hence it is recommended to change default
switchport mode from dynamic to access mode. The following is a sample configuration to enable
VLAN in the database and apply VLAN on the DMP physical port:
2960
cr24-2960-DO(config-if)#interface FastEthernet0/7
cr24-2960-DO(config-if)# description CONNECTED TO LOBBY DMP
cr24-2960-DO(config-if)# switchport mode access
cr24-2960-DO(config-if)# spanning-tree portfast
cr24-2960-DO(config-if)# switchport access vlan 10
3750
cr25-3750-DO(config-if)#interface range GigabitEthernet 1/0/1 - 3
cr25-3750-DO(config-if-range)# switchport mode access
cr25-3750-DO(config-if-range)# spanning-tree portfast
cr25-3750-DO(config-if-range)# switchport access vlan 20
For flexible and scalable DMP deployment, it is recommended that the DMP edge port be in Layer 2
mode even when the access layer switch is deployed in a multilayer or routed access network design.
Implement Network Edge Security
Cisco DMP player is an extremely silent system and it requires communication with certain critical
systems in the network, such as an IP gateway, Cisco DMM, Web servers, SNM, and NTP. To display
the digital signage content and synchronize with management servers, Cisco DMP receives more data
from the network than transmitting to the network.
Cisco Catalyst integrated security feature must be deployed on the physical port to protect DMP from
being attacked by viruses or unauthorized hosts. Based on the protocol and data communication
characteristics of Cisco DMP, it is recommended to apply the following set of security configurations to
protect the network and the DMP from unknown traffic floods and attacks:
Access
interface FastEthernet0/7
! Block transmitting all unknown unicast traffic
switchport block unicast
! Enable port-security on this port
switchport port-security
! Default, allow single-host to access this port
switchport port-security maximum 1
! Block receiving BPDU from this port
spanning-tree bpduguard enable
Access
Lobby
DMP
Cafe
DMP-1
Cafe
DMP-2
Cafe
DMP-3
2
2
7
8
5
9
Access
VLAN 10 VLAN 20
8-21
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Implement Network Edge QoS
It is important to implement differential service treatment for digital media applications over non-critical
network traffic in the network. Depending on the digital media applications and the distributed content,
appropriate QoS services must be implemented at the network edge that connects media end-points and
in the data center where typically centralized management and content servers are deployed. As
described earlier, the Cisco DMP primarily use standard HTTP protocol to communicate with
centralized DMM management server and the distributed Web server to publish the digital signage
content.
By default, HTTP packets between digital media end-points are set with default DSCP values and rely
on intermediate network devices to classify the traffic and provide advanced QoS techniques to protect
the digital media communication between DMP and other back end systems. Since the communication
and publish content is delivered using HTTP protocol, it becomes challenging to distinguish between
HTTP control traffic versus digital content in the campus network. Following RFC 4594 QoS
deployment guidelines, the unicast control plane communication between Cisco DMM and DMP system
can be classified as signaling traffic and must be marked an appropriate DSCP value and assigned a
proper queue. Figure 8-13 provides QoS references to deploy digital media application in a campus
network:
Figure 8-13 Digital Signage QoS Reference Chart
OAM
Network Control
Broadcast Video
Application
Class
Call-Signaling CS3*
*Cisco classification method slightly differs from RFC 4594. CS3 and CS5 definition are interchanged.
Realtime Interactive
CS5
CS2
Transactional Data AF2
Bulk Data AF1
Best Effort DF
Best Effort DF Scavenger CS1
Best Effort DF
VoIP Telephony
Multimedia Streaming AF3 Recommended
Multimedia Conferencing AF4 Required
Required
Admission
Control
Required
Required
BW Queue
BW Queue
BW Queue + DSCP WRED
BW Queue + DSCP WRED
Optional (PQ)
Congestion Managment
and
Congestion Avoidance
BW Queue
Optional (PQ)
BW Queue + DSCP WRED
BW Queue + DSCP WRED
Best Effort
Best Effort Min BW Queue (Deferential)
Default Queue + RED
Priority Queue (PQ)
Cisco DMS (VoDs)
Cisco CUPC/CUVA/CI IP Phone 7985G
Cisco DMS (Live Streams)/Enterprise TV/IPVS
Cisco Video Applications
DMM/DMP Control Traffic
Cisco TelePresence
Cisco WebEx/CU MeetingPlace
Best Effort YouTube/Xbox Live/iTunes/BitTorent/etc.
PHB
EF
CS6
2
2
7
8
6
0
CS4
8-22
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Applying Ingress QoS Policy on DMP and DMM Port
Network QoS policies must be set at the campus access edge to mark recommended DSCP bit for control
or management traffic between DMM and DMP. HTML or Flash based digital signage content can
remain in same best-effort class. The control traffic can be identified from digital signage content based
on TCP flow between Cisco DMM and DMP. Figure 8-14 provides QoS marking guidelines between
Cisco DMP, Cisco DMM appliance, and content server:
Figure 8-14 QoS Marking Between Digital Signage Components
Based on TCP and static Cisco DMM and DMP player information, the following configuration
guideline must be implement QoS policy on access layer switches that connect to Cisco DMP and Cisco
DMM in a centralized data center:
! Classify DMP and DMM HTTP traffic with extended ACL
ip access-list extended DMS-SIGNALING
remark DMM-DMP-MGMT
permit tcp host <DMP-IP-Address> host <DMM-IP-Address>
permit tcp host <DMM-IP-Address> host <DMP-IP-Address>
!
class-map DMS-SIGNALING
match access-group name DMS-SIGNALING
!
policy-map DMS-Policy
class DMS-SIGNALING
set dscp cs3 ? Explicit mark DSCP CS3
!
interface FastEthernet0/7
description CONNECTED TO LOBBY DMP
mls qos trust dscp
service-policy input DMS-Policy?Apply ingress service-policy
!
interface FastEthernet0/10
description CONNECTED TO Cisco DMM Appliance
mls qos trust dscp
service-policy input DMS-Policy?Apply ingress service-policy
cr24-3560r-DO#show mls qos interface fas0/7 | inc policy-map|dscp
Attached policy-map for Ingress: DMS-Policy
trust state: trust dscp
HDTV
DMP
DSCP=DF
DMM-DMP Control Traffic
DMP-Content Server Traffic
DSCP=DF
DSCP=CS3
DMM
2
2
7
8
6
1
Internet
Web Server
8-23
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
trust mode: trust dscp
Additional ingress QoS policies, such as policers, can be implemented on access switches if the network
administrator is concerned about securing the restricting ports to consume higher bandwidth.
Applying Egress QoS Policy on DMP and DMM Port
Ingress QoS policy helps the network to distinguish between HTTP control and digital media content
traffic within the campus backbone. Similar QoS techniques are required to provide differential services
between control and digital media content traffic exiting the port connected to Cisco DMP and DMM
appliance on the access layer switches. For global egress policy for trusted and un-trusted device, it is
recommended to share the egress bandwidth to each hardware queue and enable prioritization for the
low-latency traffic:
cr24-3560r-DO(config)#interface FastEthernet0/7
cr24-3560r-DO(config-if)# srr-queue bandwidth share 1 30 35 5 ? Enable BW share
cr24-3560r-DO(config)#priority-queue out? Enable Priority-Queueing
cr24-3560r-DO#show mls qos interface fast0/7 queueing
FastEthernet0/7
Egress Priority Queue : enabled
Shaped queue weights (absolute) : 25 0 0 0
Shared queue weights : 1 30 35 5
The port bandwidth limit : 100 (Operational Bandwidth:100.0)
The port is mapped to qset : 1
To deploy QoS in a school campus network design, refer to the following URL:
http://www.cisco.com/en/US/docs/solutions/Verticals/Education/SRA_Schools/SchoolSRA_QoS_sba.
pdf
Auto Smartport Macro Deployment
Cisco access layer switches provide a zero-touch or plug-n-play type network provisioning solution by
dynamically detecting connected end-points and automatically applying best practices and
recommended configurations. Cisco Auto Smartport macro helps network architects to reduce the
number of challenges in implementation when deploying complex configurations. Cisco validated
design comprehensively validates multiple set of tools and technologies to solve the critical business
problems. Cisco Auto Smartport leverages validated and recommended network configuration and
parameters that dynamically provision the network without any user intervention. Implementing
recommended and validated configuration parameters helps school network administrators to
automatically provide network and device security and optimize application performance.
Cisco Auto Smartport leverages several Layer 2 protocol techniques to dynamically detect the end-point
platform that intelligently triggers the function and applies the configuration from pre-defined
recommended templates. To further increase operational efficiency, Cisco Auto Smartport removes all
dynamically applied configurations when the device is un-plugged or removed from the network. The
following is the list of Layer 2 technologies and end-point types that Cisco Auto Smartport macros use
to dynamically apply configurations:
Layer 2 Technologies
Cisco Discovery Protocol (CDP)
IEEE AB - LLDP
802.1x
MAC-Authentication Bypass (MAB)
8-24
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Layer 2 Source MAC address
Ethernet OUI
Supported End-Point Platforms
IP PhonesCisco and Avaya IP Phone
Wireless Access-PointsCisco AP 11xx series
IP Video SurveillanceCisco IPVS 25xx and 4xxx series camera
Digital Media PlayerCisco DMP 4x00 series players
This section focuses on providing guidelines for the basic configuration needed to enable Cisco Auto
Smartport to dynamically provision Cisco DMP in the network.
Cisco Auto Smartport macro leverages a simple shell function to execute the pre-defined configuration
template embedded in the switch for each type of supported end-point. Cisco DMP configuration gets
executed dynamically based on the port event triggers. The following output provides the Auto
Smartport event trigger and dynamic configuration guideline when it detects Cisco DMP on the physical
port:
cr26-3750#show shell functions CISCO_DMP_AUTO_SMARTPORT
function CISCO_DMP_AUTO_SMARTPORT () {
!!Provision this configuration when Link up event is triggered
!!and Cisco DMP is detected:
if [[ $LINKUP -eq YES ]]; then
conf t
interface $INTERFACE
macro description $TRIGGER
switchport access vlan $ACCESS_VLAN
switchport mode access
switchport block unicast
mls qos trust dscp
spanning-tree portfast
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
spanning-tree bpduguard enable
priority-queue out
exit
end
fi
!!Remove dynamic configuration when Link Down event is triggered.
if [[ $LINKUP -eq NO ]]; then
conf t
interface $INTERFACE
no macro description
no switchport access vlan $ACCESS_VLAN
no switchport block unicast
no switchport port-security
no switchport port-security maximum 1
no switchport port-security violation shutdown
no mls qos trust dscp
no spanning-tree portfast
no spanning-tree bpduguard enable
no priority-queue out
if [[ $AUTH_ENABLED -eq NO ]]; then
no switchport mode access
fi
exit
end
fi
8-25
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
}
Comparing the Auto Smartport macro configuration with a recommended manual configuration, it can
be seen that the majority of the recommended manual configuration is in the macro template. Some of
the advanced QoS parameters, such as MQC-based DSCP marking, may have to be manually configured.
Implementing Auto SmartPort Macro
School network administrators must enable Cisco Auto SmartPort Macro function along with basic
network parameters on access layer switches to dynamically detect and provision the configuration for
various types of end-points. Enabling Cisco Auto Smartport macro function globally enables all the
physical ports and provisions and un-provisions the network configuration for the Cisco DMP based on
shell triggers and functions. It also provides the flexibility to disable the Auto Smartport function on a
per-port basis where the static configuration is required. The following is the simple global configuration
to enable Cisco Auto Smartport processing for all the physical ports:
3750
cr26-3750(config)#macro auto global processing
cr26-3750#show macro auto interface | inc Auto
Global Auto Smart Port Status
Auto Smart Ports Enabled
As described earlier, Cisco Auto Smartport can leverage multiple Layer 2 technologies to detect the
end-points, by default Auto SmartPort use the pre-defined MAC address-group range to dynamically
detect the Cisco DMP based on Ethernet OUI address. To deploy Cisco DMP based on Ethernet OUI,
no additional configuration is required. To enable secure access-control solution, Cisco Secure ACS and
MAB can be integrated to authenticate Cisco DMP based on registered MAC address in the ACS
database.
cr26-3750#show macro auto address-group CISCO_DMP_EVENT
MAC Address Group Configuration:
Group Name OUI MAC ADDRESS
--------------------------------------------------------------------------
CISCO_DMP_EVENT 0023.AC
000F.44
Because some of the network parameters like VLAN IDs are unique in the network, the school
administrator needs to determine the common VLAN ID to deploy for a common set of end points. For
example, when Cisco DMP is detected on Switch1, then it must dynamically detect the media player and
assign it to appropriate VLAN and execute the network configuration template. By default, when Cisco
Auto Smartport detects the Cisco DMP device on the port it configures the port in access-mode and
assigned it a default VLAN ID = 1. After applying following single global configuration, the Auto
Smartport automatically assigns all the Cisco DMP in to user-defined VLAN.
cr26-3750(config)#macro auto device media-player ACCESS_VLAN=58
cr26-3750#show macro auto device media-player | inc Device|ACCESS
Device:media-player
Configurable Parameters:ACCESS_VLAN
Defaults Parameters:ACCESS_VLAN=1
Current Parameters:ACCESS_VLAN=58
Tuning Auto SmartPort Macro
Cisco Auto Smartport is optimized in detecting the end points and provisioning the configuration for
rapid and error-free deployments. The shell function that performs the configuration provisioning and
un-provisioning task is based on physical link up and down events. In initial deployment, the end-points
8-26
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
can be detected using different Layer 2 techniques and all dynamically provisioned configurations can
be saved in configuration files. Due to its nature the configuration is removed and then the same
configuration is re-applied when the link goes down temporarily for any common reason, e.g., link flap,
end-point is power cycled, etc.
To make configuration persistent during such a link flap, the following single global configuration can
be applied to retain the dynamic configuration during a link flap:
cr26-3750(config)#macro auto sticky
Implementing Cisco Digital Media Player
Once the recommended network edge configuration on the access layer is implemented, the Cisco DMP
is ready to be deployed. Since Cisco DMP uses an embedded Linux OS which is not accessible directly
to end users, the basic network parameters must be provisioned using Web-based Cisco DMP-Device
Manager (DM). The Cisco DMP-DM is divided into three major configuration modes:
Settings (Network/Browser/Storage)
Display
DMP Administration
The school administrator must configure the basic network parameters to deploy Cisco DMP in
production network; the DMM administrator from the district office can apply the global display and
management parameters to DMP without intervening school administrator for any advanced
configuration task.
This chapter provides the following deployment guidelines to successfully deploy Cisco DMP and Cisco
DMM appliance server communication in the network:
Assigning IP address to Cisco DMP
Registering Cisco DMP to Cisco DMM database
Assigning IP Address to Cisco DMP
The default IP setting on Cisco DMP is to dynamically acquire IP address and gateway information from
DHCP server. It is recommended to assign a unique static IP address to DMP as it provides flexibility
to the network administrator to provide secured DMP-DM GUI access with ACLs and the ability to
provide distinguished QoS treatment for control traffic between Cisco DMP and DMM appliance server.
Figure 8-15 is a simple IP configuration task that the school administrator must perform to change the
default IP address method from DHCP to static IP address mode:
8-27
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Figure 8-15 Assigning DMP Static IP Address
Registering Cisco DMP to Cisco DMM Database
The first step to enable communication between digital signage components is to register network wide
deployed Cisco DMP into the centralized Cisco DMM appliance database. Cisco DMM appliance
requires basic information from Cisco DMM to registerMAC and IP address firmware version and
storage information. Centralized DMM appliance can register large numbers of DMPs across the school
network and it may become an operational challenge to manage each DMP player. DMM administrator
can create a logical DMP group along with the range of IP subnet; DMM-DSM automatically groups the
registered DMPs based on assigned IP address. The following are some of the advantages in deploying
DMP group in school architecture:
Organize registered DMPs into a single logical group.
Instead of managing each individual DMP, the DMP group allows the DMM administrator to
manage a group of DMPs collectively.
Accelerate digital signage content deployment and instruction to the DMP group instead of
individual players.
Like content management, common display attributes to all DMPs in the DMP group.
The Cisco DMS solution provides flexibility to the DMM administrator for manual or automatic Cisco
DMP registration into the database. Depending on the number of Cisco DMP deployed across the
network, either of the registration process can be selected.
Manual DMP RegistrationThe DMM administrator must manually enter Cisco DMP MAC and IP
address information into the DMM database. For better operational management and
troubleshooting, the DMP must be assigned to an logical DMP groups.
Auto DMP RegistrationIs a highly scalable, simplified, and error-free DMP registration solution
for large deployments. To auto-register and auto-group the DMP in user-defined groups, the range
of IP subnets or CIDR ranges must be specified to scan the Cisco DMP players in the network.
Multiple IP subnets can be configured for single DMP group. The DMM appliance transmits TCP
based unicast packet with pre-defined port number 7777 to scan Cisco DMP, which cannot be
modified by the user. Hence for successful auto-registration process, it is recommended to make
sure TCP port 7777 is not filtered anywhere in the network. The DMM admin can control the DMM
appliance to trigger on-demand or schedule scan to locate DMP in the network for auto registration.
8-28
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
The DMM admin must complete these three steps sequentially to successfully deploy DMM groups and
auto DMP registration in the DMM-DSM:
Step 1 Configure DMM Group and assign an IP subnet.
Figure 8-16 Configuring DMP Group Using DMM-DSM
Step 2 Configure DMP Discovery Application and assign an IP subnet.
Figure 8-17 Configuring DMP Discovery Application
Step 3 Trigger the DMP discovery with manual action or schedule to discover in future.
Manual DMP Discovery Trigger
8-29
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Figure 8-18 Triggering DMP Discovery Manually
Refreshing the window in few seconds will reflect the dynamically discovered Cisco DMP that gets
automatically registered and grouped as depicted in Figure 8-19. The default name of the auto-registered
DMP is the same as their MAC address; the DMM admin must change to reflect with proper name or
location name.
Figure 8-19 Dynamically Discovered DMP Discovery Triggered Manually
Scheduling DMP Discovery
Depending on the number of DMP groups, network ranges, and DMP players in the network, the DMP
discovery may take some time. In large deployments, it is recommended to schedule Cisco DMP
discovery during non-business hours. Scheduling DMP discovery in the network is identical to
scheduling the digital signage publishing time. To schedule DMP discovery using Cisco DMM-DSM:
1. Click on Schedules ->Play in Future->Select discovery month and date
2. Select the DMP group to be discovered->Click on Add an Event Button.
3. Select DMP group from Select Group Tab and click OK.
4. Select Advanced Task from Task Type Tab and click on Select Advanced Tasks Tab.
5. Select DMP Discovery from Types and the Action Name and click OK.
6. Configure Start and Stop Action run time and optionally configure repeat value to dynamically
discover Cisco DMP based on schedule.
Implementing Digital Signage
Upon successfully discovering and registering the Cisco DMP in the DMM appliance database, the
DMM administrator can start preparing to implement digital signage in the network. The provision
checklist must include exact content path and schedule to display the content on individual or group
DMP in the network. As described earlier, the content must be stored on a Web or CISF server that is
physically located on the same campus network as a Cisco DMP. Hence when creating the playlists, it
is recommended to specify the URL path where the content is stored.
Publishing digital signage requires three simple configuration step on DMM-DSM as depicted in
Figure 8-20:
8-30
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Figure 8-20 Digital Signage Deployment Steps
Executing each step populates content information in DMM in the common repository, provides
flexibility to compile playlist with distributed content, and schedules the digital signage publishing time
by mapping the playlist to individual or group DMPs. The network topology in Figure 8-21 is used as a
reference point to configure each deployment step.
Figure 8-21 Digital Signage Network Topology
WAN
Web/CISF
Server
Regional Office
District Office
HDTV
Admin
HDTV
Lobby
HDTV
Cafe
HDTV
Conference
Room
Data Center
DMM
creekcountyschools.com
Web/CISF
Server
DMS
Admin
2
2
7
8
6
8
HDTV
Admin
HDTV
Lobby
HDTV
Cafe
Server Room
creek.rosenelementary.com
8-31
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Step 1 Adding Asset in Media Library.
Cisco DMM-DSM builds an asset of digital media content in a common Media Library database.
Figure 8-22 provides information about the variety of digital media content types supported and can be
stored in two major locationsremote Web/CISF content server or it must be uploaded to local DMM
appliance server. As described earlier, the recommended content distribution model is to keep content
distributed on remote servers that reside on the same LAN as Cisco DMPs. Cisco DMM appliance must
not be used as a content server. Each asset type must be entered one at a time in the media library. Each
asset is executed serially within the playlist; the Cisco DMM-DSM also provides flexibility to publish
digital signage content in random order.
Figure 8-22 Supported Asset Types
Execute the following steps to add distributed digital signage (non-video) content asset into Media
Library:
1. Click on Add Media Asset Button.
2. Click on Single Tab.
3. Click URL in radio button as a Source and type the exact URL to access content (e.g.,
http://creek.rosenelemetary.com/default.html). Prior to deploying, the content must be tested and
verified by applying same URL from local internet browser.
4. Do not click on download check box. This will prevent downloading provided HTTP URL content
to the local DMM hard-drive.
5. Select File Type from drop down window based on URL extension.
6. Enter estimated or planned playback time for this asset.
7. Select the media category from Category window in which this URL fits in.
8. Optionally, provide description and content owner/developer information.
9. Click on Save button to review the entered information.
10. Click the Close button to exit the window.
Step 2 Creating Playlist.
8-32
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Playlist is a user-defined logical group that is packaged with the compiled list of distributed digital
signage assets which are being added in the shared Media Library database. For example, a playlist can
include the intranet home page of the district office and regional school and library books catalog
developed in Adobe Flash.
Cisco DMM-DSM provides the flexibility to develop playlists in two different modesStandalone and
Cisco Digital Media Designer (DMD). When the digital signage content is designed and developed
outside the DMM-DMD, then DMM administrator must create a standalone playlist.
Cisco Digital Media Designer (DMD) is a Java-based, powerful, drag and drop design tool to create
customized digital signage content. Cisco DMM offers pre-designed assets that can be leverage to create
personalized design. DMD also offers flexibility to customized horizontal and vertical screen display
orientation.
Figure 8-23 Digital Signage Playlist Options
This section provides guideline to implement a standalone playlist. Multiple playlists can be created and
associated to an individual or group of DMPs. When designing the asset in the playlist, it is important
to remember that the content publishing time and mappings to DMP groups are applied based on
per-playlist and not on per-asset basis. The order of playlist execution is done serially based on specified
time. Figure 8-24 depicts the playlist order and duration time on per-cycle basis.
Figure 8-24 Digital Signage Display Order and Duration
In a best practice, the playlist can be created based on individual district office or school departments
that can provide flexibility to announce the news or any other department specific content at specific
time without impacting the playlist for other DMP groups deployed in different departments. Execute
the following steps to compile the distributed digital signage asset and estimated or planned run time for
each individual asset.
Click on Create Playlist button and follow step-by-step instruction provided in Figure 8-25 to create a
complied and distributed digital signage content in playlist.
8-33
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Figure 8-25 Compiling Assets with Standalone Playlist
Step 3 Scheduling Playlist.
After successfully completing the above two steps the URL of distributed digital signage content is
added in media library database and the playlist is compiled with the list of signage content that needs
to be played for DMP group. The DMM administrator can send the playback command in two different
modesInstant Play and Future Play.
Instant Play or Play Now sends the playback command to selected DMP groups and all the DMPs can
start displaying digital signage content immediately. Instant Play option provides an option for
immediate signage content deployment; it can also be used to publish the newly added or updated
signage asset in an already playing playlist. When Cisco DMP receives the new and updated playlist
command from centralized DMM appliance, it aborts playing the previous playlist commands and
immediately starts the display based on new information.
Future Play or Play in Future gives flexibility to the DMM administrator to pre-deploy digital signage
in the DMM appliance database and schedule to play the playlist on a pre-determined month, date, or
specific time. For example, you could have next months caf lunch menu automatically published in
the last week of the current month.
Figure 8-26 depicts tab selection to schedule the playlist in both deployments modes.
Figure 8-26 Playlist Scheduling Modes
Implementing Instant Play mode
8-34
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 8 Digital Media and Video Surveillance Design
Digital Signage Application Overview
Execute the step-by-step procedure as depicted in Figure 8-27 to deploy digital signage instantly in the
network. Cisco DMM-DSM provides the flexibility to select single, multiple, or all the DMPs using
shift-key to instantaneously publish digital signage in large deployments.
Figure 8-27 Publishing Instant Digital Signage
Implementing Future Play mode
Click on Play in Future tab to schedule a future digital signage content publishing time. Click on Add
an Event button from the bottom window and follow the step-by-step configuration guideline as
displayed in Figure 8-28 to schedule future signage deployment:
Figure 8-28 Scheduling Signage Deployment
C H A P T E R
9-1
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
9
Access Layer Security Design
One of the most vulnerable points of the network is the access edge. The access layer is where end users
connect to the network. In the past, network administrators have largely relied on physical security to
protect this part of the network. Unauthorized users were not allowed to enter a secure building where
they could plug into the network, and students didn't carry computers with them. Today, contractors and
consultants regularly have access to secure areas, and a student carrying a laptop is unsurprising. Once
inside, there is nothing to prevent a contractor or student from plugging into a wall jack and gaining
access to the corporate network. There is no need to enter an employee office to do this. Conference
rooms frequently offer network access through wall jacks or even desktop switches. Once connected to
the network, everyone (employees, contractors, consultants, guests, students, and malicious users) has
access to all the resources on the network.
What is commonly called the access layer in network design is the business end of the network, the part
of the network that your users see and interact with. The end users do not see or appreciate the power of
your collapsed core distribution layer, the elegance of your addressing plans, or the genius of your end
to end network design. Your more technical users may be able to identify an RJ-45 port or WLAN access
point if asked, but most users simply expect the network to be there. Training users on using the access
is focused upon smallthe smaller the betternumber of steps users must go through to gain access to
their network applications.
At the same time as providing simple uncomplicated network access for users, the access layer provides
the first line of security defense for the network, provide service differentiation based upon management
policies and, providing power to support the deployment of specialized devices.
The roles can be broken broadly into the following areas:
Access layer security
Access layer QoS
Access layer Power-over-Ethernet (PoE)
Access Layer Security
The access layer is where your clients network devices directly connect to your network. You want their
connection to be as efficient, simple, and secure as possible. This involves controlling who accesses the
network and for what services. Controlling access may be as simple as blocking access, or it may involve
a redirection or quarantining action.
To continue the general security metaphor part of controlling the boundary is also observing
inappropriate behavior at the boundary can also result in blocked access.
9-2
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
The Schools SRA uses the native Cisco switch features and Cisco security products to provide boundary
control services. The primary tools for access layer security in the schools are as follows:
Catalyst Integrated Security Features (CISF)
Cisco Clean Access (NAC)
Cisco Identity-Based Network Networking Services (IBNS)
When implementing the security features, consideration needs to be made upon the client requirements
using the access layer. In the Schools SRA, the following client connections are considered:
Ethernet PC client ports
Printer ports
IP phone ports
Wireless clients
AP ports
Access layer PoE
Access layer QoS
Catalyst Integrated Security Features (CISF) Protected Ports
Catalyst Integrated Security Features (CISF) includes private VLANs, port security, DHCP snooping,
IPSource Guard, secure Address Resolution Protocol (ARP) detection, and dynamic ARP inspection.
These features protect the network against attacks such as man-in-the-middle, spoofing, and
infrastructure denial-of-service (DoS) attacks.
Port SecurityWhere the number of MAC addresses allows on a switch port is monitored, and the
switch can respond to violations with management messages and changes in the port state.
DHCP snoopingWhere DHCP messages are inspected, and filtered to ensure that DHCP server
messages only come from a trusted interface.
IPSource GuardWhere the IP traffic is restricted based upon DHCP or static IP address MAC
bindings to ensure a host doesn't attempt to use the IP address of a neighboring host
Dynamic ARP inspectionWhere the all ARP packets from untrusted interfaces are inspected to
ensure that they contain valid MAC address and IP address pairings, preventing ARP spoofing
attacks
ARP rate limitingWhere an excessive rate of ARP request (which must be processed by network
hosts CPUs), and the switch responds with access restriction if this rate is exceeded.
Storm ControlPrevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast
storm
CISF Port Configuration
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
storm-control broadcast level 20.00 10.00
storm-control multicast level 50.00 30.00
9-3
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
NAC Protected Ports
This section discusses he Cisco NAC Appliance (also known as Cisco Clean Access) in the Schools
SRA. It is not intended to be a comprehensive guide on the Cisco NAC Appliance solution itself. This
chapter focuses on general NAC Appliance design principles and how they apply to components of the
Schools SRA.
Cisco NAC Appliance is an easily deployed NAC product that uses the network infrastructure to enforce
security policy compliance on all devices seeking to access network computing resources. With Cisco
NAC Appliance, network administrators can authenticate, authorize, evaluate, and remediate wired,
wireless, and remote users and their machines prior to network access. The Cisco NAC Appliance
identifies whether networked devices such as laptops, or IP phones are compliant with network security
policies, and repairs any vulnerabilities before permitting access to the network.
When deployed, the Cisco NAC Appliance provides the following benefits:
Recognizes users, their devices, and their roles in the network. This first step occurs at the point of
authentication, before malicious code can cause damage.
Evaluates whether machines are compliant with security policies. Security policies can include
specific anti-virus or anti-spyware software, OS updates, or patches. Cisco NAC Appliance supports
policies that vary by user type, device type, or operating system.
Enforces security policies by blocking, isolating, and repairing non-compliant machines.
Non-compliant machines are redirected to a quarantine network, where remediation occurs at the
discretion of the administrator.
Figure 9-1 shows the following four key functions of the NAC:
Authenticate and authorize
Scan and evaluate
Quarantine and enforce
Update and remediate
Figure 9-1 The Four Functions of the NAC Framework
Authenticate and Authorize
Enforces authorization
policies and privilges
Supports multiple user roles
Quarantine and Enforce
Isolate non-compliant devices
from rest of network
MAC and IP-based quarantine
effective at a per-user level
Scan and Evaluate
Agent scan for required versions
of hotfixes, AV, etc.
Network scan for virus
and worm infections and
port vulnerbilities
Update and Remediate
Network-based tools for
vulnerbility and threat
remediation
Help-desk integration
2
2
7
4
9
7
9-4
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
For a more in-depth overview of the Clean Access Server and Clean Access Manager, see the following
URLs:
Cisco NAC Appliance-Clean Access Server Installation and Administration Guide
http://www.cisco.com/application/pdf/en/us/guest/products/ps7122/c1626/ccmigration_09186a008
07a4090.pdf
Cisco NAC Appliance-Clean Access Manager Installation and Administration Guide
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/45cam-boo
k.html
Cisco Clean Access Components
Cisco NAC Appliance is a network-centric integrated solution administered from the Cisco Clean
Access Manager web console and enforced through the Clean Access Server and (optionally) the Clean
Access Agent or Cisco NAC Web Agent. Cisco NAC Appliance checks client systems, enforces network
requirements, distributes patches and antivirus software, and quarantines vulnerable or infected clients
for remediation before clients access the network. Cisco NAC Appliance consists of the components
shown in Figure 9-2.
Figure 9-2 NAC Components (Source Document NAC CAM Configuration Guide)
Clean Access
Server (CAS)
Authentication sources
(LDAP, RADIUS, Kerberos,
WindowsNT)
DNS
server
Clean Access
Manager (CAM)
Firewall
2
2
7
4
9
8
PCs with
Clean Access
Agent (CAA)
Switch
L2
Router
L3
Internet
eth1 eth0
Admin laptop
Clean Access Manager
Web admin console
LAN/Intranet
9-5
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
Clean Access Manager (CAM)
CAM is the administration server for Clean Access deployment. The secure web console of the Clean
Access Manager is the single point of management for up to 20 Clean Access Servers in a deployment
(or 40 CASs if installing a SuperCAM). For Out-of-Band (OOB) deployment, the web admin console
allows you to control switches and VLAN assignment of user ports through the use of SNMP. In the
Schools SRA, the CAM would be located at the district office.
Clean Access Server (CAS)
CAS is the enforcement server between the untrusted (managed) network and the trusted network. The
CAS enforces the policies you have defined in the CAM web admin console, including network access
privileges, authentication requirements, bandwidth restrictions, and Clean Access system requirements.
You can install a CAS as either a standalone appliance (like the Cisco NAC-3300 Series) or as a network
module (Cisco NME-NAC-K9) in a Cisco ISR chassis and deploy it in-band (always inline with user
traffic) or OOB (inline with user traffic only during authentication/posture assessment).
The CAS can also be deployed in Layer 2 mode (users are Layer-2-adjacent to CAS) or Layer 3 mode
(users are multiple Layer-3 hops away from the CAS). You can also deploy several CASs of varying
size/capacity to fit the needs of varying network segments. You can install Cisco NAC-3300 Series
appliances in your company headquarters core, for example to handle thousands of users and
simultaneously install one or more Cisco NAC network modules in ISR platforms to accommodate
smaller groups of users at a satellite office, for example.
In the Schools SRA, the CAS would be located at the schools sites and the district office, and it would
be used to provide Layer-2 or Layer-3 OOB authentication/posture assessment.
Clean Access Agent (CAA)
CAA is optional read-only agent that resides on Windows clients. It checks applications, files, services,
or registry keys to ensure that clients meets your specified network and software requirements prior to
gaining access to the network.
Note There is no client firewall restriction with CAA posture assessment. The agent can check the client
registry, services, and applications even if a personal firewall is installed and running.
If NAC is implemented as part of the Schools SRA it is recommended that the CAA be used.
Cisco NAC Web Agent
The Cisco NAC Web Agent provides temporal posture assessment for client machines. Users launch the
Cisco NAC Web Agent executable, which installs the Web Agent files in a temporary directory on the
client machine via ActiveX control or Java applet. When the user terminates the Web Agent session, the
Web Agent logs the user off of the network and their user ID disappears from the Online Users list.
Clean Access Policy Updates
Regular updates of prepackaged policies/rules that can be used to check the up-to-date status of
operating systems, antivirus (AV), antispyware (AS), and other client software. Provides built-in
support for 24 AV vendors and 17 AS vendors.
9-6
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
NAC Appliance Modes and Positioning
NAC Appliance allows multiple deployment options and may be placed at different points in the
network. The modes of operation can be generally defined as follows:
Out-of-band (OOB) virtual gateway
OOB IP gateway
In-band (IB) virtual gateway
IB real IP gateway
OOB Modes
OOB deployments require user traffic to traverse through the NAC Appliance only during
authentication, posture assessment, and remediation. When a user is authenticated and passes all policy
checks, their traffic is switched normally through the network and bypasses the appliance. See
Figure 9-3.
Figure 9-3 Layer-2 OOB Topology
To deploy the NAC Appliance in this manner, the client device must be directly connected to the
network via a Catalyst switch port. After the user is authenticated and passes posture assessment, the
Clean Access Manager (CAM) instructs the switch to map the user port from an unauthenticated VLAN
(which switches or routes user traffic to the NAC) to an authenticated (authorized) VLAN that offers full
access privileges. For example, as shown in Figure 9-3, the client PC is connected through VLAN 110
to the NAC Clean Access Server for the authentication and posture assessment, and is moved to VLAN
10 once it successfully completes the authentication and authorize, and scan and evaluation phases of
the NAC framework.
In-Band Modes
When the NAC Appliance is deployed in-band, all user traffic, both unauthenticated and authenticated,
passes through the NAC Appliance, which may be positioned logically or physically between end users
and the network(s) being protected. See Figure 9-4 for a logical in-band topology example and
Figure 9-5 for a physical in-band topology example.
MGR
VLAN 900
802.1q Trunk
VLANs 110 and 10
VLAN 10
Authenticated
Network Access
VLAN 10
VLAN 110
Authentication and
Posture Assessment
VLAN 10
VLAN 110
2
2
1
2
9
7
9-7
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
Figure 9-4 In-Band Virtual Gateway Topology
Figure 9-5 Physical In-Band Topology
In-Band Virtual Gateway
When the NAC Appliance is configured as a virtual gateway, it acts as a bridge between end users and
the default gateway (router) for the client subnet being managed. The following two bridging options
are supported by the NAC Appliance:
TransparentFor a given client VLAN, the NAC Appliance bridges traffic from its untrusted
interface to its trusted interface. Because the appliance is aware of upper layer protocols, by
default it blocks all traffic except for Bridge Protocol Data Unit (BPDU) frames (spanning tree) and
MGR
VLAN 900
VLAN 110
VLAN 10
VLAN 110
Posture Assessment
Authenticated Access
VLAN 10
VLAN 110
2
2
1
2
9
8
MGR
VLAN 900
VLAN 10
VLAN 110
Posture Assessment
Authenticated Access
VLAN 10
2
2
1
2
9
9
9-8
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
those protocols explicitly permitted in the unauthorized role; for example, DNS and DHCP. In
other words, it permits those protocols that are necessary for a client to connect to the network,
authenticate, undergo posture assessment, and remediation. This option is viable when the NAC
Appliance is positioned physically in-band between end users and the upstream network(s) being
protected, as shown in Figure 5.
VLAN mappingThis is similar in behavior to the transparent method except that rather than
bridging the same VLAN from the untrusted side to the trusted side of the appliance, two VLANs
are used. For example, Client VLAN 131 is defined for the untrusted interface of the NAC
Appliance. There is no routed interface or switched virtual interface (SVI) associated with VLAN
131. VLAN 31 is configured between the trusted interface of the NAC Appliance and the next-hop
router interface/SVI for the client subnet. A mapping rule is made in the NAC Appliance that
forwards packets arriving on VLAN 131 and forwards them out VLAN 31 by swapping VLAN tag
information. The process is reversed for packets returning to the client. Note that in this mode,
BPDUs are not passed from the untrusted-side VLANs to their trusted-side counterparts.
The VLAN mapping option is usually selected when the NAC Appliance is positioned logically in-band
between clients and the networks being protected. This is the bridging option that should be used if the
NAC Appliance is going to be deployed in the virtual gateway mode.
In-Band Real IP Gateway
When the NAC Appliance is configured as a real IP gateway, it behaves like a router and forwards
packets between its interfaces. In this scenario, one or more client VLAN/subnets reside behind the
untrusted interface. The NAC Appliance acts as a default gateway for all clients residing on those
networks. Conversely, a single VLAN/subnet is defined on the trusted interface, which represents the
path to the protected upstream network(s).
After successful client authentication and posture assessment, the NAC Appliance by default routes
traffic from the untrusted networks to the trusted interface, where it is then forwarded based on the
routing topology of the network.
The NAC Appliance is not currently able to support dynamic routing protocols. As such, static routes
must be configured within the trusted side of the Layer 3 network for each client subnet terminating on
or residing behind the untrusted interface. These static routes should reference, as a next hop, the IP
address of the trusted interface of the NAC.
If one or more Layer-3 hops exist between the untrusted NAC interface and the end-client subnets, static
routes to the client networks must be configured in the NAC Appliance. Likewise, a static default route
(0/0) is required within the downstream Layer 3 network (referencing the IP address of the untrusted
NAC interface) to facilitate default routing behavior from the client networks to the NAC Appliance.
Depending on the topology, multiple options exist to facilitate routing to and from the NAC Appliance,
including static routes, VRF-Lite, MPLS VPN, and other segmentation techniques. It is beyond the
scope of this design guide to examine all possible methods.
In-Band Versus Out-of-Band
Table 9-1 summarizes different characteristics of each type of deployment.
9-9
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
Out-of-Band Requirements
OOB implementation of Cisco NAC Appliance requires the switches and Wireless LAN Controllers be
supported by the Cisco NAC Appliance software. All the switches tested as part of the development of
the Schools SRA, apart from the Cisco Catalyst 2975, are supported by the Cisco NAC OOB, and the
Wireless LAN Controllers are also supported by the NAC Appliance software used in this design guide.
If the Catalyst 2975 is to be used as an access switch with the Cisco NAC Appliance, the NAC solution
must be an in-band solution.
Note To obtain the latest list of supported devices, check the latest version of the Cisco NAC Appliance-Clean
Access Manager Installation and Administration Guide at the following URL:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/45cam-book.ht
ml
Out-Of-Band, Layer 2 and Layer 3
The proposed design for the Schools SRA is an OOB design, in order the highest possible performance
and scalability for traffic that has passed through the authentication, posture assessment, and
remediation stages of NAC. The Schools SRA offers two different access layer options, a Layer-2 access
layer for smaller schools and a hybrid Layer-2/Layer-3 access layer for larger schools. This means that
either a Layer-2 OOB solution or a Layer-3 OOB NAC solution may be deployed.
NAC Deployment in the Schools SRA
The Schools SRA provides for a Cisco NAC Appliance solution at each site type, District Office, School
Site 1, and School Site 2, with a CAM at the District Office, and a CAS at the District Office and Schools
Sites. In each of the different site types the CAS is directly connected to the core/distribution.
Table 9-1 In-Band Versus Out-of-Band Deployment Characteristics
In-Band Deployment Characteristics Out-of-Band Deployment Characteristics
The Clean Access Server (CAS) is always inline with
user traffic (both before and following authentication,
posture assessment and remediation). Enforcement is
achieved through being inline with traffic.
The Clean Access Server (CAS) is inline with user traffic only
during the process of authentication, assessment and remediation.
Following that, user traffic does not come to the CAS.
Enforcement is achieved through the use of SNMP to control
switches and VLAN assignments to ports.
The CAS can be used to securely control authenticated
and unauthenticated user traffic by using traffic policies
(based on port, protocol, subnet), bandwidth policies,
and so on.
The CAS can control user traffic during the authentication,
assessment and remediation phase, but cannot do so
post-remediation since the traffic is out-of-band.
Does not provide switch port level control Provides port-level control by assigning ports to specific VLANs
as necessary
In-Band deployment is supported when deploying for
wireless networks
Wireless OOB requires a specific network topology and
configuration.
Cisco NAC Appliance In-Band deployment with
supported Cisco switches is compatible with 802.1x
Cisco does not recommend using 802.1x in an OOB deployment,
as conflicts will likely exist between Cisco NAC Appliance OOB
and 802.1x to set the VLAN on the switch interfaces/ports.
9-10
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
The simple topology used in the Schools SRA sites means that a VLAN from an access layer to the
untrusted interface of the NAC Appliance is always available as a standard component of the design, and
untrusted traffic should never need to be tunneled to the CAS. This allows a common the network
configuration, to support NAC at any of the School sites, regardless of whether the client devices are
using a Layer-2 or Layer-3 access model. As the client can use a Layer-2 connection to the untrusted
interface of the NAS in either Layer 2 or Layer 3 access mode (this requires a trunk between the Layer-3
access switch and the core/distribution. One VLAN of the trunk would carry the untrusted VLAN, and
the other VLAN the IP routing for all other traffic), and the VLAN used once the client is trusted will
be either be a Layer-2 access VLAN from the core/distribution switch or a Layer-3 access switch VLAN
depending upon the site requirements.
This is illustrated in Figure 9-6 and Figure 9-7. In Figure 9-6, there is a simple Layer-2 NAC OOB
connection where a client device upon initial connection to the network is given VLAN 264, which
connects them directly to the untrusted interface of the NAS. The mapping of this interface through the
NAC VLAN 64 trusted interface allows the client to obtain an IP address that belongs on VLAN 64. To
perform any action permitted by an untrusted client, upon success completion of the NAC function, the
access switch is instructed, via SNMP, to change the client VLAN to VLAN 64. Even though the client
has changed Layer-2 VLANs its Layer-3 network connections are unchanged.
In Figure 9-7, the same processes are followed when the client is untrusted, but once the client has
successfully completed its NAC functions the access switch is instructed via SNMP to change the client
VLAN to VLAN 67a subnet local to the access switch. As the Layer-3 information for the client has
changed the switch is also instructed to bounce the client switch port to initiate a new DHCP request
for an IP address appropriate to VLAN 67.
Figure 9-6 Layer 2 OOB topology
L2 Untrusted
VLAN 264
L2 Trusted
VLAN 64
2
2
7
4
9
9
9-11
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
Figure 9-7 Layer 3 OOB Topology
Configuring the CAS and CAM
The initial CAS and CAM configuration are done via directly on the server interface, and this is
described in the installation guide, Cisco NAC Appliance Hardware Installation, Release 4.1. During the
configuration stage the multiple steps must be followed in configuring the NAC Appliance with IP
addresses, VLANs. passwords, etc. The installation guide contains worksheets assist in the gathering
and preparation of this information for both the CAM and CAS.
Once the CAM(s) and CAS(s) are configured they can be configured by their web interfaces. Almost all
of the NAC Appliance solution can be configured through the CAM, and it have be access via HTTPS
to the IP address assigned during the appliance configuration stages.
The first task on the CAM before beginning configuration is the installation the licenses for the solution.
A license must be installed for the CAM, and the CAS servers that the CAM control. The Cisco NAC
Appliance Ordering Guide, provides information on the ordering options.
Licenses can be entered via the CAM web interface, as show in Figure 9-8.
L2 Untrusted
VLAN 264
L2 Trusted
VLAN 64
L3 Trusted
VLAN 67
2
2
7
5
0
0
9-12
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
Figure 9-8 NAC Appliance Licensing
Adding a CAS to the CAM
For a CAS server to be managed by the CAM, it must be added to the list of managed servers on the
CAM. To do this the CAM needs to know the IP address of the CAS, and the Server Type (its role in the
network) of the CAS. In addition to this the CAS and the CAM must have the same shared secret. The
shared secret is configured during the server installation. An example of adding a CAS to the CAM, is
shown in Figure 9-9.
9-13
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
Figure 9-9 Adding a new CAS to the CAM
Once the CAS has been added to the CAM, it appears in the list of servers on the CAM. From this point,
it can be managed directly from the CAM for almost all tasks. An example of a list of servers is shown
in Figure 9-10.
Figure 9-10 List of CAS Servers
Managing the CAS
Once the CAS is in the list of servers managed by the CAM, it can be configured further for its role in
the network. To manage the server click the icon under the Manage heading in the server list, this will
connect you to the CAS server and present you with the summary menu shown in Figure 9-11.
9-14
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
Figure 9-11 CAS Management Menu
Under the CAS Network setting tab, shown in Figure 9-12. the basic network settings for the CAS can
be seen and altered, if needed. In this example, we are keeping the network configuration performed
during the server installation. The primary dialog under the Network Tab is the IP dialog, shown in
Figure 9-12, the other dialogs allow the DHCP options to the configuredour example uses the default
of DHCP passthrough and the DNS options where host name, domain name, and DNS server
information is added, as shown in Figure 9-13.
Figure 9-12 CAS Network Settings
9-15
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
Figure 9-13 CAS DNS Settings
The next tab in the CAS configuration is the Filter tab (see Figure 9-14), for the purposes of our example
the important dialog is the Roles where network traffic filters may be applied to different user Roles.
The Role of interest at this moment is the default Unauthenticated Role. By default the Unauthenticated
Role blocks all traffic. In this example we are allowing the Unauthenticated Role to pass Active
Directory client authentication traffic to pass to the Active Directory Sever. This will allow a windows
client to join the active Directory Domain, and windows users to authenticate to the domain although
they have not been through the NAC process. This is often important to allow printer and drive mapping
information to be sent to the winders users. As the user has already authenticated to the Active Directory
Domain the user authentication information maybe learned from Active Directory, and the user does not
have to reauthenticate for the NAC server.
Note The creation of Roles and their associated filters is performed in the CAM User Management -> User
Roles menu.
Figure 9-14 CAS Filter Settings
9-16
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
The next tab that requires configuration is the Advanced tab. This has multiple dialogs that require
configuration. The first of these is the Managed Subnet dialog, where each of the trusted VLAN subnets
is added to the CAS for management. An example of this shown in Figure 9-15.
Figure 9-15 CAS Managed Subnet
The next dialog of the Advanced Tab is the VLAN Mapping dialog, which tells the CAS which trusted
VLAN to be mapped to an untrusted VLAN, an example of this is shown in Figure 9-16. In our example
VLAN Prunning and VLAN Mapping is also enabled.
Figure 9-16 VLAN Mapping
9-17
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
The next tab of interest is the Authentication Tab (see Figure 9-17), this tab has multiple dialogs for
configuring different authentication options. The first dialog is the Login Page Dialog. This allows the
configuration of different web login pages depending upon the untrusted subnet being used for
authenticating client.
Figure 9-17 Authentication Login Page
The other Authentication dialog of interest in this example is the Windows Auth dialog, as Windows
Single Sign On (SSO) is used in this example. To perform Windows SSO the CAS needs to be able to
communicate with Active Directory to determine the authentication state of the windows user. If Active
Directory confirms that the user has authenticated to Active Directory the user doesn't need to perform
additional authentication to the CAS. An example of this configuration is shown in Figure 9-18. There
are a number of steps required configure Active Directory SSO, as these are described in the Cisco NAC
Appliance Clean Access Server Installation and Configuration Guide. The key components in this
configuration are:
The creation of a Active Directory client account for the CAS
Using the KTPass Application on Active Directory to convert the account encryption to DES
encryption
9-18
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
Figure 9-18 CAS Windows Authentication
Clean Access Roles
The unauthenticated role is common to all clients, but once the client has been authenticated a different
role may be applied based upon the identity of the client, different roles may be assigned for admin staff,
teachers, or students.
User roles allow you to aggregate various policies into a user role. These policies include:
Traffic policies
Bandwidth policies
Note If bandwidth policies are to be enforced by the Clean Access Server it must be operating in band.
VLAN ID retagging
Clean Access network port scanning plugins
Clean Access Agent/Cisco NAC Web Agent client system requirements
For example, an Admin, Teacher and Student roles could each have different traffic polices and VLANs,
in addition the Student Role may enforce bandwidth policies by keeping the Student Traffic In band.
For more information on roles, refer to the Cisco NAC Appliance - Clean Access Manager Installation
and Configuration Guide at the following URL:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/45cam-book.ht
ml
Layer 2 OOB Example
Figure 9-19 shows an example of a Layer-2 OOB deployment. Where a wired client connected to an
access switch is originally on the untrusted VLAN 264 and is switched to a trusted VLAN 64 once it has
completed the NAC functions. The first NAC function is the authentication and authorization function,
and this is the first design decision in implementing the NAC solution. That is, how will authentication
and authorization be achieved, and what will the user experience be.
9-19
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
This example is focused upon the virtual gateway example, as virtual gateway provides the simplest
deployment. In the virtual gateway example the original IP addressing, interfaces, and VLANs are
maintained, and normal traffic flows are maintained. The only changes are the addition of the untrusted
VLANs that carry client traffic during the NAC Authentication and Authorization, Scanning and
evaluation, remediation, and quarantine modes.
Figure 9-19 Layer 2 OOB Example
NAC Authentication Options
The authentication option in the NAC solution can be broadly categorized as NAC Authentication or
NAC Single Sign On
NAC AuthenticationNAC authentication gives the NAC system the role of authenticating users, a
user database, either local to the NAC system or a separate system such as RADIUS, or LDAP
NAC Single Sign OnNAC SSO, addresses systems that already perform authentication as part of
their normal operation. For example 802.1X, VPN access, or Active Directory. NAC SSO learns the
authentication state of clients through RADIUS accounting, or Active Director and therefore doesn't
require the user to reenter authentication.
Topology Considerations
The Layer-2 OOB solution relies upon their being a Layer-2 network connection available between the
the client devices and the Cisco CAS, in figure 5 a trunk connects the access switch to the
core/distribution switch. The Cisco CAS is connected to the core/distribution switch through two
L2 Untrusted
VLAN 264
VLAN 64 VLAN 264
CAS
CAM
10.40.94.15
AD
L2 Trusted
VLAN 64
2
2
7
5
1
2
MetroE
School District Network
9-20
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
interfacestrusted and untrusted. In such a simple network it is relatively easy to provide a Layer-2
connection between the client and the Cisco CAS, for larger networks Layer-3 OOB, which is discussed
later in this section, may be a better choice.
The roles of the untrusted and trusted interfaces:
Untrusted InterfaceThe untrusted interface connects the client to the to the Cisco CAS during the
NAC Authentication and Authorization, Scanning and Evaluation, Remediation, and Quarantine
modes
Trusted InterfaceThe trusted interface connects the NAC CAS to the normal network interface.
This makes a network connection available to the CAS while it is sitting between the client and the
network, thus allowing client access to services such as DHCP and DNS -and user defined services.
Once a client has successfully completed its authentication and scanning phases, the CAM uses
SNMP to change the client VLAN, on the access switch, from the untrusted VLAN to the trusted
VLAN. Thus providing a direct connection to the network that was on the other side of the CAS (the
trusted network).
Availability Considerations
Both the CAS and CAM are both highly involved in client network access, and consideration must be
given to the impact on clients if either a CAS or CAM should fail or need to be taken out of service for
a period of time.
The CAS is inline with client devices during the authentication, authorization, and posture assessment
phases of NAC, and if In Band NAC is being used it may be inline at all times. A CAS outage in an
OOB deployment would not impact already connected clients but would prevent network access for new
clients. A CAS outage for In Line clients prevents access for all clients.
In situations where availability of a CAS is critical an HA CAS solution may be implemented where a
pair of CAS servers are installed using a primary CAS, and a secondary in hot standby. For more
information refer to the Cisco NAC Appliance - Clean Access Server Installation and Configuration
Guide.
The CAM is also a critical part of the authentication, authorization, and posture assessment phases of
NAC, although it doesn't pass client traffic, it the impact of its availability needs to be considered in the
network design as well. Like the CAS the CAM has a HA solution that provides for a primary server and
a hot standby secondary server. In addition, each CAS may be configured with a fallback option (as
shown in Figure 9-20) that defines how it will manage client traffic in a situation where the CAM is
unavailable.
In both HA CAM, and HA CAS, HA licenses are use that address the HA role of the server.
The use of the HA features will be dependent upon a Schools requirements, but CAS fallback should
always configured to ensure that critical network services are available in even of a network outage.
9-21
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
Figure 9-20 CAS Fallback
Basic Clean Access switch Configuration
For OOB-based Clean Access some simple configuration must be performed on the switches
implementing NAC This configuration is primarily to enable SNMP communication between the
switches and the CAM. Table 9-2 shows a simple SNMP v1 configuration (SNMPv2c and SNMPv3 are
supported).
In addition to the switch SNMP configuration, the required trusted and untrusted VLANs must exist and
be operational on the switch. If a switch has more than one IP address the snmp-server source interface
must be specified, as the CAM must be configured with the source IP address that OOB SNMP messages
will originate from, alternatively all IP addresses of interfaces on the switch can be added to the CAM.
If SNMP access filtering is applied on the switch (as recommended as a best practice) the CAM must be
added as a trusted address.
Basic Clean Access Out of Band Switch configuration
Table 9-2 SNMPv1 Configuration
Switch Port Configuration Global Switch Configuration
snmp trap mac-notification
change added
snmp-server enable traps mac-notification
snmp-server enable traps snmp linkup linkdown
mac-address-table aging-time 3600
snmp-server host 172.16.1.61 traps version 1 cam_v1
udp-port 162 mac-notification snmp
9-22
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
802.1X Protected Ports
The best and most secure solution to vulnerability at the access edge is to leverage the intelligence of
the network. The Cisco IBNS solution is a set of Cisco IOS software services designed to enable secure
user and host access to enterprise networks powered by Cisco Catalyst switches and wireless LANs. It
provides standards-based network access control at the access layer by using the 802.1X protocol to
secure the physical ports where end users connect. 802.1X is an IEEE standard for media-level (Layer
2) access control, offering the capability to permit or deny network connectivity based on the identity of
the end user or device. 802.1X is well-known as a way to secure wireless network access. It is equally
essential in securing wired network access.
What is 802.1X?
The IEEE 802.1X protocol allows Cisco Catalyst switches to offer network access control at the port
level. Every port on the switch is individually enabled or disabled based on the identity of the user or
device connecting to it. When 802.1X is first enabled on a port, the switch automatically drops all traffic
received on that port. There is one exception to this rule. The only traffic a switch will accept is a request
to start 802.1X authentication. Only after the 802.1X authentication has successfully completed will the
switch accept any other kind of traffic on the port.
The high-level message exchange in Figure 9-21 illustrates how port-based access control works within
an identity-based system. First, a client, such as a laptop equipped with an 802.1X supplicant, connects
to an IEEE 802.1X-enabled network and sends a start message to the LAN switch the authenticator.
Once the start message is received, the LAN switch sends a login request to the client and the client
replies with a login response. The switch forwards the response to the policy database authentication
server which authenticates the user. After the user identity is confirmed, the policy database authorizes
network access for the user and informs the LAN switch. The LAN switch then enables the port
connected to the client.
Figure 9-21 Port-Based Access Control
2
2
7
5
1
5
EAPOL Start
1
Login Request
2
Login Response
3
Check with Policy DB
4
Switch Enables Port
7
Policy DB Confirms
ID and Grants Access
5
Policy DB Informs Switch
6
Authentication
Server
Authenticator
9-23
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
User or device credentials are processed by a AAA server. The AAA server is able to reference user or
device policy profile information either internally, using the integrated user database, or externally,
using database sources such as Microsoft Active Directory, LDAP, Novell NDS or Oracle databases.
This enables the integration of the system into exiting user management structures and schemes, thereby
simplifying overall deployment.
802.1X and EAP
When authenticating users for the purposes of network access control, the system must provide user
and/or device identification using strong authentication technologies known to be secure and reliable.
IEEE 802.1X does not by itself dictate how this is achieved. Rather, the 802.1X protocol defines an
encapsulation for the transport of the Extensible Authentication Protocol (EAP) from the client to the
switch. The 802.1X encapsulation is sometimes referred to as EAP over LAN (EAPoL). The switch in
turn relays the EAP information to the authentication server using the RADIUS protocol (EAP over
RADIUS).
EAP, which is defined by RFC 3748, is itself a framework---not a specific authentication method. EAP
provides a way for the client and the authentication server to negotiate an authentication method that
they both support. There are many EAP methods but the ones used more frequently for 802.1X wired
authentication include EAP-TLS, EAP-PEAP, and EAP-FAST.
How 802.1X Impacts the Network
Before enabling 802.1X in the network, it is essential to review the default security posture of a port
enabled for 802.1X authentication: all traffic is dropped except 802.1X EAPoL packets. This is a
fundamental change from the traditional model in which the port is enabled and all traffic is allowed
from the moment that a device plugs into the port. Ports that were traditionally open will now be closed
by default. This is one of the cornerstones of the strong security and network access control provided by
802.1X. However, this change in the default network access model can have a profound impact on
network devices and applications. Understanding and providing for the impacts of this change will make
for a smooth deployment of 802.1X network access control.
Non-802.1X-Enabled Devices
802.1X must be enabled on both the host device and on the switch to which the device connects. If a
device without an 802.1X supplicant attempts to connect to a port that is enabled for 802.1X, it will be
subjected to the default security policy. The default security policy says that 802.1X authentication must
succeed before access to the network is granted. Therefore, by default, non-802.1X-capable devices
cannot get access to an 802.1X-protected network.
Although many devices increasingly support 802.1X, there will always be devices that require network
connectivity but do not and/or cannot support 802.1X. Examples of such devices include network
printers, badge readers, legacy servers, and PXE boot machines. Some provision must be made for these
devices.
Cisco provides two features to accommodate non-802.1X devices. These are MAC Authentication
Bypass (MAB) and the Guest VLAN. These features provide fallback mechanisms when there is no
802.1X supplicant. After 802.1X times out on a port, the port can move to an open state if MAB succeeds
or if the Guest VLAN is configured. Judicious application of either or both of these features will be
required for a successful 802.1X deployment.
9-24
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
Note Network-specific testing will be required to determine the optimal values for 802.1X timers to
accommodate the various non-802.1X-capable devices on your network.
802.1X in Schools
As mentioned above on the requirement for 802.1X authentication is the requirement for a supplicant.
This has typically been a challenge in the schools environment with a wide range of the devices and
limited or no management of many of these devices. In many schools this is still the case, and this makes
a district wide 802.1X very challenging. At the same time there are pockets of a school network where
802.1X may be a good choice.
For example 802.1X protected ports may be a good choice for the network ports in the District Office,
and the school administrator office, as these locations are more likely to have managed PCs.
Other locations in the schools network still need protection, but student network access may be better
served by a NAC Appliance solution. Network access ports in open areas such as classrooms may use
802.1X or Cisco Clean Access NAC to protect these ports.
When considering the 802.1X deployment, there are four main 802.1X authentication options to
consider.
Basic 802.1X AuthenticationAn 802.1X controlled port with an 802.1X client directly connected
IP Phone PortsAn IP Phone and an 802.1X controlled port with an 802.1X client connected to the
phone
MAC Auth By-PassUsing the MAC address of the client to provide authentication and bypass the
802.1X authentication process. Printer and legacy device support are typical applications
Web AuthAllowing a user to authenticate by entering username and passwords in a web page.
Legacy device support and guest access are typical deployment applications
Basic 802.1X Switch Configuration
The basic 802.1X configuration controls access to an access VLAN depending upon the success or
failure of the an 802.1X authentication. If the 802.1X authentication is successful, there are three basic
options:
Access to the VLAN configured on the switch port
Access to the VLAN configured on the switch port an controlled by a access list downloaded from
the AAA server
Access to a VLAN passed to the switch by the AAA server
Table 9-3 shows example 802.1X configurations.
9-25
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
For more information upon the 3750 802.1X configuration refer to the following documents:
Catalyst 3750-E and 3560-E Switch Software Configuration Guide, 12.2(50)SE ->Configuring IEEE
802.1x Port-Based Authentication
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/con
figuration/guide/sw8021x.html
Catalyst 2960 Switch Software Configuration Guide, Rel. 12.2(50)SE Configuring IEEE 802.1x
Port-Based Authentication
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_50_se/configuratio
n/guide/sw8021x.html
NAC 802.1X and CISF in Combination
The three key access security features discussed above have been discussed in isolation, but can be
combined. In particular, the CISF features should be considered baseline features that are applied on
all access ports, and either NAC or 802.1X maybe overlaid on top of the CiSF configuration.
The Cisco Clean Access and 802.1X configuration are also compatible (although they are not often
combined in wired networks), the key consideration in combining the two is how to give the appearance
of a SSO for the end user. Both 802.1X and NAC require authentication, as 802.1X authenticates the
client initially, a mechanism of communicating the 802.1X authentication result to the Cisco Clean
Access system is required.
If the authenticating clients join an Windows Active Directory network, the Cisco Clean Access Active
Directory SSO feature allows the clients to authenticate to active directory once they have performed
there 802.1X authentication. The CAM, when a client is detected, checks Active Directory to see if the
client has authenticated; this allows a SSO experience for client devices that are using 802.1X and NAC.
DMP Ports
A DMP connection to the network is like that of a typical IP client. There should only be one MAC
address and one IP address on that port. This means that typical PC client port security settings will
work.
An DMP is primarily are receiver for packets, but if traffic classification from the DMP is important the
DSCP from the DMP should trusted
Table 9-3 802.1X Switch Configuration
Example 3750 802.1X PC Port Configuration Example 3750 Global Configuration
authentication port-control auto
authentication periodic
dot1x pae authenticator
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
ip radius source-interface Vlan300
radius-server host 10.40.62.9 auth-port 1812 acct-port 1813
key cisco
radius-server host 10.40.94.9 auth-port 1812 acct-port 1813
key cisco
9-26
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
Surveillance Camera Port
An the Surveillance Camera connection to the network is like that of a typical IP client. There should
only be one MAC address and one IP address on that port. This means that typical PC client port security
settings will work.
An the camera marks packets with DSCP marking based upon its configured QoS policies. Therefore,
to ensure that the QoS policy is effective the network must trust the DSCP Markings from the camera.
Power-over-Ethernet
The APs in the Schools SRA are 802.11n APs, and can provide greater than 100Mbps throughput, and
therefore they should use 1-Gigabit Ethernet.
An LWAPP AP connection to the network is like that of a typical IP client. There should only be one
MAC address and one IP address on that port. This means that typical PC client port security settings
will work. If 802.1X is used on the network the APs are able to act as 802.1X supplicants and
authenticate to the network. An LWAPP AP marks the LWAPP packets with DSCP marking based upon
the CUWN QoS policies. Therefore to ensure that the QoS policy is effective the network must trust the
DSCP Markings from the AP.
If the switch or module supports PoE, it may be able to power the APs connected to its ports.
Although the LWAPP APs can connect to the network in the same manner as a trusted PC client, it is
recommend that the LWAPP APs have their own dedicated subnet and VLAN. This makes AP specific
policies easier to implement within the network, and generally make network management tasks easier.
1250 Power-over-Ethernet
Today's PoE standard, 802.3af, peaks at getting 15.4 watts to the devices it powers. Unfortunately, 11n
requires a bit more power in order to realize the new standard's full potential. As a result, the Aironet
1250 Series access point requires 18.5 watts in full operational mode.*Note:*There is no getting around
the higher power requirements of 11n unless you either remove a radio (the Aironet 1250 Series access
point can run with a single radio on 802.3af) or remove valuable 11n functionality. Though others may
opt to do so, Cisco has chosen not to remove 11n's key features (such as spatial division multiplexing
support or multiple transmitters/receivers) in order to allow it to be powered with legacy PoE
infrastructure.How can you still use PoE functionality for a device that requires more wattage than the
current standard delivers? Midspan PoE, in which an injector powers the AP, is the simple answer. Just
make sure you purchase an injector that can support the additional power requirements. These can be
ordered along with the Aironet 1250 or separately; the midspan PoE injector part number is
AIR-PWRINJ4= and the AC adapter is AIR-PWR-SPLY1=). End-span PoE, in which the AP pulls
power from the switch to which it is connected, requires a bit more planning.In 2005, the IEEE came
together to address the issue of increasing power requirements and formed the 802.3at Working Group
to push through a higher power PoE standard. This new standard has yet to be ratified, which would
make it a full, industry-accepted protocol, but it does provide an archetype by which up to 30 watts may
be delivered to a device across existing Cat5 cabling. While 802.3at makes its way through the approval
process, Cisco provides an enhanced PoE (often called PoE Plus) option available in some of its flagship
switching products.Using Cisco Discover Protocol (CDP) and robust power subsystem engineering,
Cisco offers the Cisco Catalyst3560E and 3750E with additional support (beyond the 802.3af
specification) for customers who wish to fully power a dual-radio Aironet 1250 Series access point.If
you decide that powering an Aironet 1250 Series access point via 802.2af is so important that you are
willing to forgo supporting either 2.4 GHz (11b/g/n) or 5 GHz (11a/n), you can use just one RF band. In
9-27
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
such cases, plan to support a 2.4-GHz environment (due to the overwhelming majority of clients that
support this spectrum) and upgrade to support 5 GHz when budgetary, infrastructure, and user needs
align.
1140 Power-over-Ethernet (PoE)
The Cisco 1140 access point is 802.3af (15.4 W)-compliant and can be powered by any of the following
802.3af compliant devices: 2106 controller-WS-C3550, WS-C3560, and WS-C3750 switches-C1880
switch-2600, 2610, 2611, 2621, 2650, and 2651 multiservice platforms-2610XM, 2611XM, 2621XM,
2650XM, 2651XM, and 2691 multiservice platforms-2811, 2821, and 2851 integrated services
routers-3620, 3631-telco, 3640, and 3660 multiservice platforms-3725 and 3745 multiservice access
routers-3825 and 3845 integrated services routers-Any 802.3af compliant power injector.
Note The Cisco 1140 Series access point requires a Gigabit Ethernet link to prevent the Ethernet port from
becoming a bottleneck for traffic because wireless traffic speeds exceed transmit speeds of a 10/100
Ethernet port.
Note The Cisco 1250 Series access point can also be powered by a power injector (AIR-PWRINJ4) or local
power (AIR-PWR-SPLY).
IP Phones
The IP phones used in the Schools SRA are all able to use Power-over-Ethernet (PoE) and are able to be
powered by any of the PoE access switches discussed in this guide.
9-28
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 9 Access Layer Security Design
Access Layer Security
C H A P T E R
10-1
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
10
School Site Design
The core/distribution component of the schools SRA is a key element in delivering a resilient network,
while providing a network configuration that is easy to manage and to deploy. This chapter discusses
both core/distribution models, the Cisco 3750 Stack model and the Cisco 4500 Modular switch model
.This chapter summarizes different connection types to the core/distribution models, and the key features
of those connections.
Large SchoolModular Switch Design
The basic modular switch School topology is shown in Figure 10-1.This design is based upon a collapsed
core/distribution mode, and a Layer-2 access distribution model. In this type of design all of the IP
subnets are defined on the 4500 modular switch, and access to these subnets is controlled by the VLANs
that are trunked to the switches.
If desired a Layer-3 access switch model may be implemented, the physical topology does not change,
and centrality of EtherChannel to the design does not change. The simplicity of the network design not
only allows Layer-2 or Layer-3 access layers, it also allows a hybrid deployment. This allows the
majority of clients on the switch use Layer-3 access features, but a group of legacy client are able to
continue to use a Layer-2 network. This can be useful when migrating from clients that do not use IP, or
rely heavily upon locally broadcast information to learn about services or devices on the network.
The 4500 modular core provides resilient connections to the access LAN switches, local server switch,
WLC, and SRST Router through EtherChannel. The NAC Appliance does not support EtherChannel,
and the two connections are used to connect to the trusted and untrusted interfaces of the CAS.
The WAN connection to the 4500 modular is a single connection
10-2
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 10 School Site Design
Large SchoolModular Switch Design
Figure 10-1 Stacked Switch School Schematic
Core/Distribution Virtual Interfaces
The following is an example configuration of the switch virtual interfaces (SVIs) configured on the
core/distribution 4500 modular switch. This SVIs are trunked to the access switches as required, and
access to the VLANs are controlled by the switchport trunk allowed vlan command applied on the port
channels. The same basic configuration is used for the server switch.
interface Vlan101
description Connected to cr35_2960_Dept_1_VLAN
dampening
ip address 10.127.0.1 255.255.255.192
ip helper-address 10.125.31.2
no ip redirects
no ip unreachables
ip pim sparse-mode
load-interval 30
!
interface Vlan102
description Connected to cr35_2960_Dept_2_VLAN
dampening
ip address 10.127.0.65 255.255.255.192
ip helper-address 10.125.31.2
no ip redirects
no ip unreachables
ip pim sparse-mode
load-interval 30
!
...
!
interface Vlan110
description Connected to cr35_2960_Dept_10_VLAN
dampening
ip address 10.127.2.65 255.255.255.192
ip helper-address 10.125.31.2
no ip redirects
no ip unreachables
ip pim sparse-mode
load-interval 30
CAS
SRST
2
2
7
5
2
5
WLC
Access
Switch
Access
Switch
Server
Switch
V
WAN
PSTN
10-3
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 10 School Site Design
Large SchoolModular Switch Design
Example Port Channel Configuration
The following are examples of the port channel configuration on core/distribution 4500 modular switch
and an example access switch. A similar configuration would be applied to each access switch
connection with the same or different VLANs as required. From an IP routing or services level there is
no requirement to span the same VLAN to multiple switches, but if there is a requirement to support
legacy protocols such as AppleTalk at the school these AppleTalk VLANs can be easily spanned to
different access switches as required
Example 4500 Modular Switch Port Channel Configuration
interface Port-channel11
description Connected to cr35-2960-SS1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110
switchport mode trunk
logging event link-status
load-interval 30
carrier-delay msec 0
qos trust dscp
Example 2960 Port Channel Configuration
interface Port-channel1
description Connected to cr35-4507-SS1
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110,201
switchport mode trunk
ip arp inspection trust
load-interval 30
carrier-delay msec 0
hold-queue 2000 in
hold-queue 2000 out
ip dhcp snooping trust
WLC Connection
The WLC Connection to the core/distribution stack is fundamentally the same as an access switch
connection, with different VLANs, and the exception of using a different QoS trust mode, where the CoS
values from the WLC, are trusted. The following is an example 4500 modular switch Port Channel
configuration:
Interface Port-channel12
description Connected to WLC-SS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 802
switchport trunk allowed vlan 111-120
switchport mode trunk
load-interval 30
carrier-delay msec 0
ip dhcp snooping trust
10-4
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 10 School Site Design
Large SchoolModular Switch Design
NAC CAS Connection
The NAC CAS connection to the core/distribution switch. This is not an EtherChannel connection, but
two switch ports are consumed. The two ports consist of a untrusted port for connecting client VLANs
to the CAS prior to them completing the NAC process, and a trusted port that connects the NAS to the
client VLANs used once clients have successfully completed the NAC process. The two, trusted and
untrusted, ports are required even if OOB NAC is used, as the CAS requires access to the trusted VLANs
during the NAC process. The following is an example of the configuration.
Core/Distribution NAC CAS Configuration
interface GigabitEthernet1/0/4
description NAC Trusted Eth0
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 48,57,62
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
description NAC Untrusted Eth1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 61,248,257
switchport mode trunk
spanning-tree portfast trunk
SRST Connection Sample Configuration
The SRST connection to the core/distribution is another EtherChannel connection. The differences
between the SRST connection and the access switch connections are that a trunk connection is not
required, and that the SRST interfaces are router interfaces, requiring a slightly different connection.
The following is an example of the configuration.
10-5
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 10 School Site Design
Large SchoolModular Switch Design
WAN Connection
The WAN connection is a single port connection from the core/distribution switch, and therefore there
is no EtherChannel. The key component in the WAN connection configuration is the QoS
implementation, that provides traffic shaping and limiting on this interface to ensure that the voice and
video are given appropriate priority, but do not starve other applications of the throughput. An example
of the WAN connection configuration is shown below.
WAN Port Sample ConfigurationCore/Distribution
interface GigabitEthernet3/0/52
description Connected to MetroE-Core
switchport trunk encapsulation dot1q
switchport trunk native vlan 801
switchport trunk allowed vlan 650
switchport mode trunk
load-interval 30
carrier-delay msec 0
srr-queue bandwidth shape 35 15 25 25
srr-queue bandwidth limit 10
priority-queue out
mls qos trust dscp
no cdp enable
spanning-tree portfast trunk
spanning-tree bpdufilter enable
hold-queue 2000 in
hold-queue 2000 out
interface Vlan650
dampening
ip address 10.126.1.99 255.255.255.254
no ip redirects
no ip unreachables
interface Port-channel3
description to isr for simulated PSTN GW for
school2
switchport access vlan 303
switchport mode access
interface GigabitEthernet2/0/20
switchport access vlan 303
switchport mode access
mls qos trust dscp
channel-group 3 mode on
end
interface GigabitEthernet3/0/20
switchport access vlan 303
switchport mode access
mls qos trust dscp
channel-group 3 mode on
end
interface Port-channel3
description port-channel to 4500
ip address 10.40.63.9 255.255.255.252
hold-queue 150 in
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
duplex auto
speed auto
media-type rj45
no keepalive
channel-group 3
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
no keepalive
channel-group 3
10-6
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 10 School Site Design
Small SchoolStacked Switch Design
ip pim sparse-mode
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 eigrp-key
ip summary-address eigrp 100 10.127.112.0 255.255.248.0 5
load-interval 30
hold-queue 2000 in
hold-queue 2000 out
Small SchoolStacked Switch Design
The basic stacked switch school topology is shown in Figure 10-2.This design is based upon a collapsed
core/distribution mode, and a Layer-2 access distribution model. In this type of design, all of the IP
subnets are defined on the 3750 stacked switch, and access to these subnets is controlled by the VLANs
that are trunked to the switches.
The 3750 stackwise core provides resilient connections to the access LAN switches, local server switch,
WLC, and SRST router through EtherChannel. The NAC Appliance does not support EtherChannel, and
the two connections are used to connect to the trusted and untrusted interfaces of the CAS. The WAN
connection to the 3750 stack is a single Ethernet connection.
Figure 10-2 Stacked Switch School Schematic
Below is an example configuration of the SVIs configured on the core/distribution 3750 stack. These
SVIs are trunked to the access switches as required, and access to the VLANs are controlled by the
switchport trunk allowed vlan command applied on the port channels. The same basic configuration
is used for the server switch.
CAS
SRST
2
2
7
5
2
6
WLC
Access
Switch
Access
Switch
Server
Switch
V
WAN
PSTN
10-7
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 10 School Site Design
Small SchoolStacked Switch Design
Core/Distribution Virtual Interfaces
Example Port Channel Configuration
The following example shows an example of the port channel configuration on core/distribution 3750
stack and an example access switch. A similar configuration would be applied to each access switch
connection with the same or different VLANs as required. From an IP routing or services level there is
no requirement to span the same VLAN to multiple switches, but if there is a requirement to support
legacy protocols such as AppleTalk at the school these AppleTalk VLANs can be easily spanned to
different access switches as required.
Example 3750 Stack Port Channel Configuration Example 2960 Port Channel Configuration
Interface Port-channel11
description Connected to 2960-SS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110,900
switchport mode trunk
load-interval 30
carrier-delay msec 0
ip dhcp snooping trust
Interface Port-channel1
description Connected to 3750-Core-SS2
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110
switchport mode trunk
ip arp inspection trust
load-interval 30
ip dhcp snooping trust
interface GigabitEthernet1/0/49
description Connected to 2960-SS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110,900
switchport mode trunk
load-interval 30
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
udld port
channel-group 11 mode active
spanning-tree guard root
ip dhcp snooping trust
!
interface GigabitEthernet3/0/49
description Connected to 2960-SS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110,900
switchport mode trunk
load-interval 30
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
udld port
channel-group 11 mode active
spanning-tree guard root
ip dhcp snooping trust
interface GigabitEthernet0/1
description Connected to 3750-Core-SS2
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110
switchport mode trunk
ip arp inspection trust
load-interval 30
srr-queue bandwidth share 1 30 35 5
priority-queue out
udld port
mls qos trust dscp
channel-protocol lacp
channel-group 1 mode active
ip dhcp snooping trust
!
interface GigabitEthernet0/2
description Connected to 3750-Core-SS2
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110
switchport mode trunk
ip arp inspection trust
load-interval 30
srr-queue bandwidth share 1 30 35 5
priority-queue out
udld port
mls qos trust dscp
channel-protocol lacp
channel-group 1 mode active
ip dhcp snooping trust
10-8
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 10 School Site Design
Small SchoolStacked Switch Design
WLC Connection
The WLC connection to the core/distribution stack is fundamentally the same as an access switch
connection, with different VLANs, and the exception of using a different QoS trust mode, where the CoS
values from the WLC, are trusted. The following is an example of the configuration.
Example 3750 Stack Port Channel Configuration
Interface Port-channel12
description Connected to 2960-SS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 802
switchport trunk allowed vlan 111-120
switchport mode trunk
load-interval 30
carrier-delay msec 0
ip dhcp snooping trust
interface GigabitEthernet1/0/48
description Connected to WLC-SS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 802
switchport trunk allowed vlan 110-120
switchport mode trunk
load-interval 30
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
udld port
mls qos trust coschannel-group 11 mode active
spanning-tree guard root
!
interface GigabitEthernet3/0/48
description Connected to WLC-SS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 802
switchport trunk allowed vlan 110-110,
switchport mode trunk
load-interval 30
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
udld port
mls qos trust coschannel-group 11 mode active
spanning-tree guard root
NAC CAS Connection
The NAC CAS connection to the core/distribution switch. This is not an EtherChannel connection, but
two switch ports are consumed. The two ports consist of a untrusted port for connecting client VLANs
to the CAS prior to them completing the NAC process, and a trusted port that connects the NAS to the
client VLANs used once clients have successfully completed the NAC process. The two, trusted and
untrusted, ports are required even if OOB NAC is used, as the CAS requires access to the trusted VLANs
during the NAC process. The following is an example of the configuration.
10-9
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 10 School Site Design
Small SchoolStacked Switch Design
Core/Distribution NAC CAS Configuration
interface GigabitEthernet1/0/4
description NAC Trusted Eth0
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 48,57,62
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/8
description NAC Untrusted Eth1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 61,248,257
switchport mode trunk
spanning-tree portfast trunk
SRST Connection
The SRST connection to the core/distribution is another EtherChannel connection. The differences
between the SRST connection and the access switch connections are that a trunk connection is not
required, and that the SRST interfaces are router interfaces, requiring a slightly different connection.
The following is an example of the configuration.
WAN Connection
The WAN connection is a single port connection from the core/distribution switch, and therefore there
is no EtherChannel. The key component in the WAN connection configuration is the QoS
implementation, that provides traffic shaping and limiting on this interface to ensure that the Voice and
Video are given appropriate priority, but do not starve other applications of the throughput. An example
of the WAN connection configuration is shown below.
interface Port-channel3
description to isr for simulated PSTN GW for
school1
switchport access vlan 303
switchport mode access
interface GigabitEthernet2/0/20
switchport access vlan 303
switchport mode access
mls qos trust dscp
channel-group 3 mode on
end
interface GigabitEthernet3/0/20
switchport access vlan 303
switchport mode access
mls qos trust dscp
channel-group 3 mode on
end
interface Port-channel3
description port-channel to core stack
ip address 10.40.63.9 255.255.255.252
hold-queue 150 in
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
duplex auto
speed auto
media-type rj45
no keepalive
channel-group 3
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
no keepalive
channel-group 3
10-10
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 10 School Site Design
Small SchoolStacked Switch Design
interface GigabitEthernet3/0/52
description Connected to MetroE-Core
switchport trunk encapsulation dot1q
switchport trunk native vlan 801
switchport trunk allowed vlan 650
switchport mode trunk
load-interval 30
carrier-delay msec 0
srr-queue bandwidth shape 35 15 25 25
srr-queue bandwidth limit 10
priority-queue out
mls qos trust dscp
no cdp enable
spanning-tree portfast trunk
spanning-tree bpdufilter enable
hold-queue 2000 in
hold-queue 2000 out
interface Vlan650
dampening
ip address 10.126.1.99 255.255.255.254
no ip redirects
no ip unreachables
ip pim sparse-mode
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 eigrp-key
ip summary-address eigrp 100 10.127.112.0 255.255.248.0 5
load-interval 30
hold-queue 2000 in
hold-queue 2000 out
C H A P T E R
11-1
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
11
District Office Design
There are four main differences in the district office design:
The use of the Supervisor 6The Supervisor 6 supports hierarchical QoS.
The Metro Ethernet Switch ConnectionThe aggregation and QoS policy enforcement point for the
Metro Ethernet WAN connection to the schools
The Services Block Switch ConnectionThe district office mini-Data Center for the management
and services servers for the district and the schools
The ASA Firewall ConnectionThe firewall connection to the Internet
Figure 11-1 shows a schematic of the district office network. Aside from providing core/distribution
services to the access switches, the Cisco 4500 Modular switch in the district office connects the school
WAN to the district office, the services such as Internet access and the Services Block of the SRA.
Figure 11-1 District Office Partial Schematic
CAS
SRST
2
2
7
5
2
7
WLC
ASA
Firewall
Access
Switch
Access
Switch
Services Block
Switch
Metro
Ethernet
Switch
SRST
V
WAN
Internet
ME
11-2
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 11 District Office Design
Metro Ethernet Connection Configuration
Metro Ethernet Connection Configuration
Table 11-1 shows an example of the port-channel configuration on the core/distribution 4500 Modular
switch and the 3750 Metro Ethernet switch. This is a Layer-3 connection where both the
core/distribution switch and the Metro Ethernet switch are part of the same EIGRP AS. The most
significant difference in this configuration from the School design using the 4500 Modular switch is the
difference in the QoS configuration on the 4500 interface; this is primarily due to the district office using
hierarchical QoS features of a Supervisor 6 module, rather than the Supervisor 5 used in the School SRA.
Table 11-1 Port-Channel Configuration on the Core/Distribution 4500 Modular Switch and the 3750 Metro Ethernet
Switch
Example 4500 Modular Switch Configuration Example 3750ME Switch Configuraiton
interface Port-channel1
description Connected to 3750ME-DO
dampening
ip address 10.125.32.4 255.255.255.254
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 eigrp-key
ip pim dr-priority 100
ip pim sparse-mode
ip summary-address eigrp 100 10.125.0.0 255.255.0.0
5
logging event link-status
load-interval 30
carrier-delay msec 0
service-policy output PQ-POLICER
interface Port-channel1
description Connected to 4507-DO
no switchport
dampening
ip address 10.125.32.5 255.255.255.254
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 eigrp-key
ip pim sparse-mode
ip summary-address eigrp 100 10.127.0.0 255.255.0.0 5
ip summary-address eigrp 100 10.126.0.0 255.255.0.0 5
logging event bundle-status
load-interval 30
carrier-delay msec 0
hold-queue 2000 in
hold-queue 2000 out
11-3
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 11 District Office Design
ASA Connection
ASA Connection
The ASA firewall connection to the 4500 Modular switch is fundamentally different from the other
network device connections to this switchit uses the redundant interface features of the ASA. The
ASA redundant interface is a logical interface that pairs two physical interfaces, called active and
interface GigabitEthernet3/3
no switchport
no ip address
load-interval 30
carrier-delay msec 0
udld port
channel-protocol pagp
channel-group 1 mode desirable
service-policy output EGRESS-POLICY
!
interface GigabitEthernet4/3
no switchport
no ip address
load-interval 30
carrier-delay msec 0
udld port
channel-protocol pagp
channel-group 1 mode desirable
service-policy output EGRESS-POLICY
interface GigabitEthernet1/0/1
description Connected to cr24-4507-DO
no switchport
no ip address
logging event bundle-status
load-interval 30
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
udld port
mls qos trust dscp
channel-protocol pagp
channel-group 1 mode desirable
!
interface GigabitEthernet1/0/2
description Connected to cr24-4507-DO
no switchport
no ip address
logging event bundle-status
load-interval 30
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
udld port
mls qos trust dscp
channel-protocol pagp
channel-group 1 mode desirable
policy-map PQ-POLICER
class PRIORITY-QUEUE
police cir 300000000
conform-action transmit
exceed-action drop policy-map EGRESS-POLICY
class PRIORITY-QUEUE
priority
class CONTROL-MGMT-QUEUE
bandwidth remaining percent 10
class MULTIMEDIA-CONFERENCING-QUEUE
bandwidth remaining percent 10
class MULTIMEDIA-STREAMING-QUEUE
bandwidth remaining percent 10
class TRANSACTIONAL-DATA-QUEUE
bandwidth remaining percent 10
dbl
class BULK-DATA-QUEUE
bandwidth remaining percent 4
dbl
class SCAVENGER-QUEUE
bandwidth remaining percent 1
class class-default
bandwidth remaining percent 25
dbl
Table 11-1 Port-Channel Configuration on the Core/Distribution 4500 Modular Switch and the 3750 Metro Ethernet
Switch (continued)
11-4
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 11 District Office Design
ASA Connection
standby interfaces. Under normal operation, the active interface is the only one passing traffic. The
active interface uses the IP address defined at the redundant interface, and the MAC address of the first
physical interface associated with the redundant interface. When the active interface fails, the standby
interface becomes active and starts passing traffic. The same IP address and MAC address are
maintained so that traffic is not disrupted. See Table 11-2.
Table 11-2 ASA Connection Configuration
Example 4500 Modular Switch Configuration Example ASA Interface Configuration
11-5
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 11 District Office Design
ASA Connection
interface GigabitEthernet4/4
<!-- /* Font Definitions */ @font-face
Unknown macro: {font-family}
@font-face
Unknown macro: {font-family}
@font-face
Unknown macro: {font-family}
/* Style Definitions */ p.MsoNormal,
li.MsoNormal, div.MsoNormal
Unknown macro: {mso-style-unhide}
.MsoChpDefault
Unknown macro: {mso-style-type}
@page Section1
Unknown macro: {size}
div.Section1
Unknown macro: {page}
-->description backup link to cr26-asa5520-DO
switchport access vlan 200
switchport mode access
switchport block unicast
load-interval 30
spanning-tree portfast
spanning-tree bpduguard enable
service-policy output EGRESS-POLICY
!
interface GigabitEthernet5/3
<!-- /* Font Definitions */ @font-face
Unknown macro: {font-family}
@font-face
Unknown macro: {font-family}
@font-face
Unknown macro: {font-family}
/* Style Definitions */ p.MsoNormal,
li.MsoNormal, div.MsoNormal
Unknown macro: {mso-style-unhide}
.MsoChpDefault
Unknown macro: {mso-style-type}
@page Section1
Unknown macro: {size}
div.Section1
Unknown macro: {page}
--> description Connected to cr26-asa5520-DO
switchport access vlan 200
switchport mode access
switchport block unicast
load-interval 30
media-type rj45
spanning-tree portfast
spanning-tree bpduguard enable
service-policy output EGRESS-POLICY
!
interface GigabitEthernet0/0
description Connected to cr24-4507-DO
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
description backup to cr24-4507-DO
no nameif
no security-level
no ip address
!
! Defines logical redundant interface associated with
physical interfaces. Configures IP and logical interface
parameters.
interface Redundant1
description Connected to cr24-4507-DO
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.125.33.10 255.255.255.0
authentication key eigrp 100 <removed> key-id 1
authentication mode eigrp 100 md5
!
Table 11-2 ASA Connection Configuration (continued)
11-6
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 11 District Office Design
Services Block Connection
Services Block Connection
The Services Block supports the centralized servers and services for the district. The Cisco 4500
Modular switch connection to the Services Block switch uses EtherChannel, but in this case the
connection between the switches is a Layer-3 connection, allowing the services block switch to keep its
VLANs from stack is fundamentally the same as an access switch connection, with different VLANs.
Table 11-3 provides sample configurations for the Cisco 4500 Modular switch and the Services Block
switch.
interface Vlan200
description cr24_4507_FW_Inside
ip address 10.125.33.9 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100
eigrp-key
ip pim sparse-mode
ip summary-address eigrp 100 10.125.0.0
255.255.0.0 5
logging event link-status
load-interval 30
carrier-delay msec 0
Table 11-2 ASA Connection Configuration (continued)
Table 11-3 Service Block Configuration
Example 4500 Modular Switch Configuration Example Services Block Switch Configuration
11-7
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 11 District Office Design
Services Block Connection
Core/Distribution Virtual Interfaces
The following is an example configuration of the Switch Virtual Interfaces configured on the
core/distribution 4500 modular switch. This SVIs are trunked to the access switches as required, and
access to the VLANs are controlled by the switchport trunk allowed vlan command applied on the port
channels. The same basic configuration is used for the Server Switch.
interface Vlan101
description Connected to cr24_2960_Dept_1_VLAN
dampening
ip address 10.125.1.1 255.255.255.128
ip helper-address 10.125.31.2
no ip redirects
interface Port-channel17
description Connected to cr26-3750DC-DO
switchport
switchport trunk native vlan 806
switchport trunk allowed vlan 141-150,900
switchport mode trunk
logging event link-status
load-interval 30
carrier-delay msec 0
service-policy output PQ-POLICER
interface Port-channel1
description Connected to cr24-4507-DO
switchport trunk encapsulation dot1q
switchport trunk native vlan 806
switchport trunk allowed vlan 141-150,900
switchport mode trunk
logging event bundle-status
load-interval 30
carrier-delay msec 0
hold-queue 2000 in
hold-queue 2000 out
interface GigabitEthernet1/1
description Connected to cr24-2960-DO
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110,900
switchport mode trunk
logging event link-status
load-interval 30
carrier-delay msec 0
udld port
channel-protocol pagp
channel-group 11 mode desirable
spanning-tree guard root
service-policy output EGRESS-POLICY
!
interface GigabitEthernet2/1
description Connected to cr24-2960-DO
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110,900
switchport mode trunk
logging event link-status
load-interval 30
carrier-delay msec 0
udld port
channel-protocol pagp
channel-group 11 mode desirable
spanning-tree guard root
service-policy output EGRESS-POLICY
interface GigabitEthernet0/1
description Connected to cr24-4507-DO
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110,201,900
switchport mode trunk
ip arp inspection trust
load-interval 30
srr-queue bandwidth share 1 30 35 5
priority-queue out
udld port
mls qos trust dscp
channel-protocol pagp
channel-group 1 mode desirable
hold-queue 2000 in
hold-queue 2000 out
ip dhcp snooping trust
!
interface GigabitEthernet0/2
description Connected to cr24-4507-DO
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110,201,900
switchport mode trunk
ip arp inspection trust
load-interval 30
srr-queue bandwidth share 1 30 35 5
priority-queue out
udld port
mls qos trust dscp
channel-protocol pagp
channel-group 1 mode desirable
hold-queue 2000 in
hold-queue 2000 out
ip dhcp snooping trust
Table 11-3 Service Block Configuration
11-8
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 11 District Office Design
Services Block Connection
no ip unreachables
ip pim sparse-mode
load-interval 30
!
interface Vlan102
description Connected to cr24_2960_Dept_2_VLAN
dampening
ip address 10.125.1.129 255.255.255.128
ip helper-address 10.125.31.2
no ip redirects
no ip unreachables
ip pim sparse-mode
load-interval 30
!
...
interface Vlan110
description Connected to cr24_2960_Dept_10_VLAN
dampening
ip address 10.125.5.129 255.255.255.128
ip helper-address 10.125.31.2
no ip redirects
no ip unreachables
ip pim sparse-mode
load-interval 30
Table 11-4 provides examples of the port-channel configuration on core/distribution 4500 modular
switch and an access switch. A similar configuration would be applied to each access switch connection
with the same or different VLANs as required. From an IP routing or services level there is no
requirement to span the same VLAN to multiple switches, but if there is a requirement to support legacy
protocols such as AppleTalk at the school these AppleTalk VLANs can be easily spanned to different
access switches as required.
Table 11-4 Core/Distribution Virtual Interfaces
Example 4500 Modular switch Port Channel Configuration Example 2960 Port Channel Configuration
11-9
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 11 District Office Design
WLC Connection
WLC Connection
The WLC Connection to the Core/Distribution Stack is fundamentally the same as an Access Switch
connection, with different VLANs, and the exception of using a different QoS trust mode, where the CoS
values from the WLC, are trusted. Figure 7 shows an example of the configuration.
Interface Port-channel12
description Connected to WLC-SS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 802
switchport trunk allowed vlan 111-120
switchport mode trunk
load-interval 30
interface Port-channel11
description Connected to cr24-2960-DO
switchport
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110,900
switchport mode trunk
logging event link-status
load-interval 30
carrier-delay msec 0
service-policy output PQ-POLICER
interface Port-channel1
description Connected to cr24-4507-DO
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110,201,900
switchport mode trunk
ip arp inspection trust
load-interval 30
carrier-delay msec 0
hold-queue 2000 in
hold-queue 2000 out
ip dhcp snooping trust
interface GigabitEthernet1/1
description Connected to cr24-2960-DO
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110,900
switchport mode trunk
logging event link-status
load-interval 30
carrier-delay msec 0
udld port
channel-protocol pagp
channel-group 11 mode desirable
spanning-tree guard root
service-policy output EGRESS-POLICY
interface GigabitEthernet2/1
description Connected to cr24-2960-DO
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110,900
switchport mode trunk
logging event link-status
load-interval 30
carrier-delay msec 0
udld port
channel-protocol pagp
channel-group 11 mode desirable
spanning-tree guard root
service-policy output EGRESS-POLICY
interface GigabitEthernet0/1
description Connected to cr24-4507-DO
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110,201,900
switchport mode trunk
ip arp inspection trust
load-interval 30
srr-queue bandwidth share 1 30 35 5
priority-queue out
udld port
mls qos trust dscp
channel-protocol pagp
channel-group 1 mode desirable
hold-queue 2000 in
hold-queue 2000 out
ip dhcp snooping trust
!
interface GigabitEthernet0/2
description Connected to cr24-4507-DO
switchport trunk native vlan 802
switchport trunk allowed vlan 101-110,201,900
switchport mode trunk
ip arp inspection trust
load-interval 30
srr-queue bandwidth share 1 30 35 5
priority-queue out
udld port
mls qos trust dscp
channel-protocol pagp
channel-group 1 mode desirable
hold-queue 2000 in
hold-queue 2000 out
ip dhcp snooping trust
Table 11-4 Core/Distribution Virtual Interfaces (continued)
11-10
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 11 District Office Design
NAC CAS Connection
carrier-delay msec 0
ip dhcp snooping trust
interface GigabitEthernet1/0/48
description Connected to WLC-SS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 802
switchport trunk allowed vlan 110-120
switchport mode trunk
load-interval 30
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
udld port
mls qos trust cos
channel-group 11 mode active
spanning-tree guard root
!
interface GigabitEthernet3/0/48
description Connected to WLC-SS2
switchport trunk encapsulation dot1q
switchport trunk native vlan 802
switchport trunk allowed vlan 110-110,
switchport mode trunk
load-interval 30
carrier-delay msec 0
srr-queue bandwidth share 1 30 35 5
priority-queue out
udld port
mls qos trust cos
channel-group 11 mode active
spanning-tree guard root
NAC CAS Connection
The NAC CAS connection to the core/distribution switch. This is not an EtherChannel connection, but
two switch ports are consumed. The two ports consist of a untrusted port for connecting client VLANs
to the CAS prior to them completing the NAC process, and a trusted port that connects the NAS to the
client VLANs used once clients have successfully completed the NAC process. The two, trusted and
untrusted, ports are required even if OOB NAC is used, as the CAS requires access to the trusted VLANs
during the NAC process. The following is an example of the configuration.
interface GigabitEthernet 3/9
description NAC Trusted Eth0
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 48,57,62
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet 4/9
description NAC Untrusted Eth1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 61,248,257
switchport mode trunk
spanning-tree portfast trunk
11-11
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 11 District Office Design
SRST Connection
SRST Connection
The SRST connection to the core/distribution is another EtherChannel connection. The differences
between the SRST connection and the access switch connections are that a trunk connection is not
required, and that the SRST interfaces are router interfaces, requiring a slightly different connection.
Table 11-5 provides an example of the configuration.
NTP
The use of Network Time Protocol (NTP) to synchronize the clocks of network devices is a well
established best practice, is fundamental for the analysis of logs/events and security, but might not
warrant a mention in a design guide that is focused upon introducing new designs and practices to
support new services in the network.
Given that a number of key components (for example, CUWN and Cisco NAC) of the Schools SRA rely
upon or benefit from time synchronization, it was decided to include a short discussion on Time
Synchronization as part of the Schools SRA.
The preferred mechanism for time synchronization in the network is NTP (other systems may use their
own time synchronization mechanism) and this network NTP discussion is not proposed as a the design
to synchronize all devices (hosts) in the network, its goal is synchronization of the network components
Table 11-5 SRST Connection
Core/Distribution ISR Routers
interface Port-channel1
description Connected to ISR
dampening
ip address 10.125.32.4 255.255.255.254
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 eigrp-key
ip pim dr-priority 100
ip pim sparse-mode
logging event link-status
load-interval 30
carrier-delay msec 0
service-policy output PQ-POLICER
!
interface GigabitEthernet3/10
no switchport
no ip address
load-interval 30
carrier-delay msec 0
udld port
channel-protocol pagp
channel-group 1 mode desirable
service-policy output EGRESS-POLICY
!
interface GigabitEthernet4/10
no switchport
no ip address
load-interval 30
carrier-delay msec 0
udld port
channel-protocol pagp
channel-group 1 mode desirable
service-policy output EGRESS-POLICY
interface Port-channel3
description port-channel to 4500
ip address 10.125.32.3 255.255.255.254
hold-queue 150 in
Note: Need to add the routing information
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
duplex auto
speed auto
media-type rj45
no keepalive
channel-group 3
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
no keepalive
channel-group 3
11-12
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 11 District Office Design
NTP
of the Schools SRA. At the same time, whatever alternative times synchronization systems used in other
parts of the network need to have agreement on the time, and should have a common time source at the
beginning of their timing hierarchy. This will allow sufficient synchronization between hosts and
network devices for the solutions deployed in the SRA.
The Schools SRA network has a hierarchy based upon the district office, as hub, and the schools as
spokes. The NTP hierarchy should be the same, with the highest stratum NTP server located at the
district office serving as the time reference for the district network. In order to spread the load, a
hierarchy of NTP servers is used. The district office NTP server acting as the server for the district office
network devices, and for the NTP server at each school, and the NTP Server for each school will act as
the NTP server for network devices in that school.
The preferred network device to act as the NTP server in the schools SRA is the ISR router at each site.
The ISR is the preferred device as routers have a greater CPU capacity than switches used in the Schools
SRA due to many of the general purpose task that a router may be required it perform in CPU, compared
to switches that have been more optimized to perform their more limited number of tasks in ASIC.
Figure 11-2 shows a schematic of the NTP hierarchy in the school district.
For more information upon NTP refer to the Network Time Protocol: Best Practices White Paper at the
following URL:
http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a0080117070.shtml
11-13
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 11 District Office Design
NTP
Figure 11-2 NTP School District Hierarchy
When creating the NTP configuration care should be taken to protect the NTP system.
The NTP associations should be limited, and controlled by an access list, to protect against DoS attacks.
The NTP system should also use NTP authentication, where possible, to protected against spoofing
attacks.
School 1
District Office
School 2
CAS
WLC
ASA
Firewall
Access
Switch
Access
Switch
Services Block
Switch
Metro
Ethernet
Switch
SRST
V
Internet
ME
CAS
SRST
2
2
7
5
2
8
WLC
Access
Switch
Access
Switch
Server
Switch
V
CAS
SRST
NTP
NTP
NTP
WLC
Access
Switch
Access
Switch
Server
Switch
V
MAN
Distribution
Switch
DO-ISR NTP School1-ISR
access-list 99 permit x.x.x.x 0.0.0.255
access-list 99 permit y.y.y.y 0.0.0.255
ntp authentication-key 2 md5 Riewoldt
ntp authenticate
ntp source Port-channel3
ntp max-associations 150
ntp server a.a.a.a
ntp access-group serve-only 99
access-list 98 permit z.z.z.z 0.0.0.255
ntp authentication-key 2 md5 Riewoldt
ntp trusted-key 2
ntp clock-period 17179685
ntp max-associations 150
ntp server <DO-ISR> key 2
ntp access-group serve-only 98
11-14
Cisco Service Ready Architecture for Schools Design Guide
OL-21122-01
Chapter 11 District Office Design
NTP
Cisco Validated Design
www.cisco.com/go/designzone
Copyright 2009 Cisco Systems, Inc. All rights reserved. Part Number
Ciscos Service Ready Architecture for Schools
is a well designed and validated network archi-
tecture that is flexible, adaptive and cost effec-
tive to support a wide range of education
services. This architecture provides the ability
to deliver all of the services required of an
enhanced learning environment as well as the
ability to collaborate with the other schools, dis-
trict offices and entities beyond the district. This
Service Ready Architecture for Schools Design
Guide is broken down into modular, interdepen-
dent chapters as shown in Table1-1 on page 2.
.
B
o
o
k
S
p
i
n
e
C
i
s
c
o
V
a
l
i
d
a
t
e
d
D
e
s
i
g
n
S
e
r
v
i
c
e
R
e
a
d
y
A
r
c
h
i
t
e
c
t
u
r
e
f
o
r
S
c
h
o
o
l
s
D
e
s
i
g
n
G
u
i
d
e