© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 24
Ordering Guide
Cisco Digital Building Solution Deployment Guide
This document provides detailed guidelines for deploying the Cisco® Digital Building
Solution with Cisco Catalyst® Digital Building Series Switches and enterprise
Internet of Things (IoT) endpoints, such as LED lighting fixtures that use Power
over Ethernet (PoE). It includes information about the system's architecture, possible
deployment models, and configuration required on the Cisco network nodes. It also
recommends best practices and potential issues to be aware of when deploying
the solution. Vendor-specific information and implementation details are not covered
here. Besides lighting fixtures, the deployment models and configuration
recommendations provided in this document are applicable to other types of PoE-
powered enterprise IoT endpoints.
Audience
The audience for this document comprises system architects, network/computer/IT design engineers, systems
engineers, field consultants, and customers who want to understand how to deploy an indoor IoT infrastructure.
This document is written with the assumption that the reader is familiar with the basic concepts of IP protocols,
switching, routing, and security.
Contents
Introduction ........................................................ 3
Network topology .................................................... 3
    Daisy chain topology ............................................ 4
    Ring topology ................................................... 5
    Star topology ................................................... 5
System components ................................................... 6
Cisco Digital Building Series Switch features ....................... 7
Day-0 provisioning of Cisco Digital Building Series Switches ........ 8
Configuring the aggregation switch (Layer 3) ........................ 9
Digital Building Series upgrades using Cisco Smart Install ......... 12
Configuring the Digital Building Series switches ................... 13
Validating the deployment .......................................... 15
Security ........................................................... 19
    Port security .................................................. 19
    IPv6 first-hop security ........................................ 20
Summary ............................................................ 23
Additional resources ............................................... 23
Introduction
The Cisco Digital Building Solution helps different building systems converge on a single IP network. When the
lighting and other building systems are connected via Cisco Catalyst Digital Building Series Switches, they can be
monitored and managed together by the enterprise network management system. The Digital Building Series
switch ideally sits in the plenum area, powering endpoints in spaces such as audio privacy rooms, conference
rooms, team rooms, sections of a floor, etc. Each Digital Building Series switch can power up to eight PoE+ or
Cisco Universal Power over Ethernet (Cisco UPOE®) endpoints, depending on the switch model deployed.
Two deployment models are typically used (Figure 1). In the distributed model, the IoT endpoints such as lights
connect directly to the Digital Building Series switches deployed in the plenum space. In this model, the Digital
Building Series switches further connect to enterprise access switches stacked in the wiring closet. The second
model is the centralized deployment, wherein the IoT endpoints connect directly to the access switch residing in
the wiring closet. This document focuses on the distributed deployment model.
Figure 1. Comparison of the distributed and centralized deployment models
Following are some important considerations for the distributed deployment model:
● Cable runs are shorter and cheaper.
● Each IoT endpoint connects to a Digital Building Series switch for power and data, and only one cable runs
from the wiring closet to the switch.
● Heat dissipation is distributed, since the AC-to-DC conversion happens at the Digital Building Series switch
at various deployment points.
Network topology
There are multiple ways in which the Digital Building Series switches can connect to each other or the upstream
access switch. These are:
● Daisy chain topology
● Ring topology
● Star topology
Note: Cisco Catalyst 9300 Series Switches are used as the platform for the aggregation layer in this document.
The 9300 Series is Cisco’s lead stackable enterprise switch, built for security, IoT, mobility, and cloud, and hence
it is the recommended platform here. Cisco Software-Defined Access (SD-Access) Extension for IoT is also
supported on the Cisco Catalyst 9300 Series. Other enterprise-class switches from the Cisco Catalyst family,
such as the 2960-X, 2960-XR, 3650, and 3850 Series, can optionally be used instead, depending on the feature
requirements for the solution (as described in this document). Appropriate license levels should be purchased for
the platforms before the solution is deployed.
Daisy chain topology
The Digital Building Series switches can be daisy-chained together. The first switch has the uplink connectivity to
the Cisco Catalyst 9300 Series stack, which in turn has connectivity to a data center. Such a topology alleviates the
need for long cable runs to provide connectivity from the aggregation switch to the individual Digital Building Series
switches. Only the first Digital Building Series switch in a chain connects to the aggregation switch in the wiring
closet, and all others in the same chain directly connect to each other, with much shorter Ethernet cabling. Since
there is a 1 Gigabit Ethernet (1G) uplink connection from the first Digital Building Series switch in the chain to the
Cisco Catalyst 9300 Series stack, and all the traffic from the downstream Digital Building Series switches goes
through this 1G link, the number of switches in a single chain should be planned carefully so that the link is not
oversubscribed. Cisco recommends limiting the number of Digital Building Series switches in a daisy chain to five.
Figure 2 shows a daisy chain topology.
Figure 2. Daisy chain topology
Ring topology
Digital Building Series switches can connect to each other in a closed ring fashion. The first and last switches have
the uplink connectivity to the Cisco Catalyst 9300 Series stack, which in turn has connectivity to a data center. Like
the daisy chain topology, the ring topology alleviates the need for long cable runs from aggregation to individual
Digital Building Series switches. Only two switches in a ring connect to the aggregation switch in the wiring closet;
all others connect directly to each other, with much shorter Ethernet cabling. The closed ring deployment provides
redundancy and protection from switch failures, since two paths are always available for data traffic flow. If one of
the Digital Building Series switches in the ring fails, the lights connected to all other switches continue to receive
power as well as data connectivity. The ring topology works with either Spanning Tree Protocol (STP) or Cisco Resilient
Ethernet Protocol (REP) enabled in the network. Cisco recommends limiting the number of Digital Building Series
switches in the ring to five for STP and twelve for REP configurations. Figure 3 shows a ring topology.
Figure 3. Ring topology
Star topology
In the star topology, all Digital Building Series switches have upstream network connectivity to the Cisco Catalyst
9300 Series stack. The 9300 Series stack connects to an aggregation switch in the campus network’s collapsed
core/distribution layer, which connects to the data center. The star topology may entail longer cabling requirements
compared to the daisy chain and ring topologies, since each Digital Building Series switch in this topology connects
to the access switch residing in the wiring closet. In the star topology, every Digital Building Series switch has an
independent data traffic path for its connected endpoints, and any failure of a switch does not affect the
connectivity for endpoints on other Digital Building Series switches. Figure 4 shows a star topology.
Figure 4. Star topology
Recommendation: In any of the topologies described above, we recommend distributing the endpoints in a given
area between adjacent Digital Building Series switches (that is, connecting half the endpoints in a given area to
one Digital Building Series switch and the other half to its adjacent switch) to avoid a complete service outage in
the area if a switch fails. This is especially applicable to lighting deployments.
For larger-scale deployments, an additional layer of Layer 2 switches can be added to aggregate the endpoint
traffic.
System components
The components of the three topologies just described are a mix of Cisco products and LED lighting endpoints
from third-party vendors. Table 1 lists these components.
Table 1. System components
Cisco product                                  | Software release    | Description
Cisco CDB-8P or CDB-8U Switch                  | 15.2(6)E1           | The CDB-8U model provides up to 480W of PoE power. Eight ports connect to eight light fixtures, and each port supports up to 60W of PoE power.
Cisco Catalyst 9300 Series aggregation switch  | Cisco IOS® XE 16.6.3 | Wiring closet routing switch.
PoE LED lights                                 | Vendor specific     | PoE-powered LED lighting endpoints from different lighting vendors.
Management and control software                | Vendor specific     | Third-party lighting management and control software.
VLANs
Two separate VLANs should be configured for this network: one for management connectivity to the Digital
Building Series switches and the other for the IoT endpoints such as lights. The management control software
connects to the network in the VLAN designated for the endpoints. We also recommend keeping the Layer 2
broadcast domain for the Digital Building Series switches limited. In larger deployments, different VLANs should be
chosen per ring or daisy chain, if feasible.
IP addressing
Dynamic Host Configuration Protocol (DHCP) pools for lights are created on the Layer 3 switch that is acting as the
gateway for the lighting network (a Cisco Catalyst 9300 Series Switch in the example above). This is applicable to
both IPv4 and IPv6, depending on the IP protocol implementation preferred by the lighting endpoints. In the case of
IPv6, Stateless Address Auto Configuration (SLAAC) can also be used. This document shows examples of both
cases.
Configurations for each of these IP addressing schemes are provided in later sections of this document.
Cisco Digital Building Series Switch features
Day-0 provisioning app: The day-0 provisioning Digital Building–Installer app helps deployment personnel deploy
the switch easily, even when there is no uplink connectivity, alleviating the need for the deployment personnel to be
network savvy.
Two-event classification: This feature allocates 30W of power to class 4 powered devices at the hardware level,
without waiting for any Cisco Discovery Protocol or Link Layer Discovery Protocol (LLDP) packet exchange. It is
beneficial where PoE devices do not support LLDP for PoE negotiation, or where LLDP negotiation takes too long.
Perpetual PoE: Perpetual PoE allows a Digital Building Series switch to provide uninterrupted power to a PoE-
powered endpoint, even when the switch goes through a reboot. The PoE-powered device continues to work and
get the last negotiated power as long as the switch continues to receive power from its source. With this feature,
maintenance upgrades and software reloads do not cause power disruption to the endpoints. It is very effective in
deployments where temporary loss of data connectivity is not as critical as power to the end devices, as in digital
buildings.
Fast PoE: Fast PoE enables provisioning of prenegotiated PoE or Cisco UPOE power to PoE endpoints within 5
seconds of switch reboot due to a power failure. This helps ensure minimum downtime for the PoE endpoints in the
event of a power outage. In this feature, the PoE subsystem gets initialized and starts to provision power to the
connected endpoints without waiting for the Cisco IOS Software daemon to come up. Fast PoE is very helpful in
digital building lighting use cases.
Day-0 provisioning of Cisco Digital Building Series Switches
When a new switch arrives, it comes preloaded with minimal configurations. By default, the switch starts in
standalone mode. This mode is used to perform initial setup when the switch is disconnected from the network.
There are a number of ways of accessing the switch to perform the initial provisioning:
● Using the Digital Building–Installer mobile app via a Bluetooth connection
● Using Cisco Configuration Professional for Catalyst via a Bluetooth connection
● Using the switch Command-Line Interface (CLI) via a Bluetooth connection
● Using the switch CLI via a console cable connection
Using Cisco’s Digital Building–Installer mobile app
The Cisco Digital Building–Installer mobile app digitizes and simplifies installation of Digital Building Series
switches. It enables the lighting installer or electrician to validate, configure, diagnose, and verify the day-0
installation of a Cisco Digital Ceiling solution. It provides multiple functions, such as performing TDR cable checks;
verifying IoT endpoint connectivity, power, and status; pushing custom configurations to and upgrading the
firmware of the switch; taking snapshots; and generating reports, among other capabilities.
1. Install the Cisco Digital Building–Installer app from the Google Play Store (for Android devices) or the Apple
App Store (for iOS devices).
2. Connect a Bluetooth dongle to the USB port and power on the switch.
3. Turn on Bluetooth on your smartphone.
4. Open the Cisco Digital Building–Installer app, go to Settings, and connect to the switch via Bluetooth.
For app screenshots, refer to the Digital Building Network Architecture white paper. For more details on app
operation and capabilities, refer to the Cisco Digital Building–Installer app (Android/iOS) guides for Android and
iOS.
Using Cisco Configuration Professional for Catalyst or the switch command line via a Bluetooth
connection
To connect to the switch from a computer:
1. Connect a Bluetooth dongle to the USB port and power on the switch.
2. Turn on Bluetooth on your computer and discover the switch.
3. Pair the computer to the switch.
4. Connect to the switch as a Bluetooth network access point; the computer then obtains an IP address from the switch.
● On a Windows computer, go to Devices & Printers, select the switch, click the Connect Using tab, and select
Access Point.
● On a Mac computer, click the Bluetooth icon on the menu bar, hover over the switch name, and click Connect to
Network.
5. Once a connection is established, configure the switch from Cisco Configuration Professional by entering the
switch IP address in a browser window. By default, the IP address of the switch is 172.16.0.1.
Using the switch CLI via a Bluetooth connection
Connect your computer to the switch via Bluetooth as described in the previous section, then use Telnet to the
switch IP address (172.16.0.1 by default) to get CLI access. Telnet carries credentials and commands in cleartext,
so use it only over this point-to-point provisioning link; once the switch is reachable on the management VLAN,
manage it over SSH instead.
Configuring the aggregation switch (Layer 3)
This section details the Layer 2 and Layer 3 configuration implemented on the Cisco Catalyst 9300 Series Switch.
For the purpose of this document, we assume that a single 9300 Series switch is acting as a combined aggregation
and core platform. At a minimum, the following need to be enabled on this switch:
● Management and lighting VLANs
● Management and lighting VLAN Switch Virtual Interfaces (SVIs)
● DHCP pools for lights
● IPv6 on the lighting SVI
● Neighbor Discovery (ND) inspection and device tracking
● Trunk configurations for ports (downlink) connecting to Digital Building Series switches
● Access configurations for ports (downlink) connecting to a server running management and control software
● Spanning Tree
1. Configure the management VLAN for Digital Building Series connectivity:
9300-24U#conf t
Enter configuration commands, one per line. End with CNTL/Z.
9300-24U(config)#vlan 2
9300-24U(config-vlan)#name MGMT-VLAN
9300-24U(config-vlan)#end
2. Configure the lighting VLAN:
9300-24U#conf t
Enter configuration commands, one per line. End with CNTL/Z.
9300-24U(config)#vlan 3
9300-24U(config-vlan)#name LIGHTING-VLAN
9300-24U(config-vlan)#end
3. Create SVIs for the management and lighting VLANs:
!
interface Vlan2
ip address 2.2.2.1 255.255.255.0
!
interface Vlan3
ip address 3.3.3.1 255.255.255.0
ipv6 address 2003:DB8:0:900::1/64
ipv6 enable
ipv6 nd ra interval msec 1000
end
Note: If the endpoints work on IPv6, configure an IPv6 address in the lighting VLAN SVI and enable IPv6 on it,
as shown above. This will also allow for the use of SLAAC for endpoint IP addressing. Alternatively, an IPv6
DHCP pool can be configured for the IPv6 endpoints. For IPv4 connectivity, provide an IPv4 address to the SVI
as well.
4. Enable IPv4 DHCP for IPv4 lights:
!
ip dhcp excluded-address 3.3.3.1 3.3.3.100
!
ip dhcp pool lights
network 3.3.3.0 255.255.255.0
default-router 3.3.3.1
!
5. Configure IPv4 and IPv6 unicast routing on the switch:
!
ip routing
!
ipv6 unicast-routing
!
6. For an IPv6 endpoint deployment, IPv6 Neighbor Discovery (ND) inspection and device tracking features
can optionally be enabled to keep track of endpoints as well as to implement IPv6 first-hop security features
(covered in more detail later in this document). Create different IPv6 ND inspection policies for switches and
hosts. The IPv6 ND inspection policy for switches and device tracking is attached to the ports connecting to
the Digital Building Series switches, and the IPv6 ND inspection policy for hosts is attached to the
management server and lighting gateway ports.
IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor
tables. IPv6 ND inspection analyzes ND messages in order to build a trusted binding table database, and IPv6
ND messages that do not have valid bindings are dropped. This feature mitigates some of the inherent
vulnerabilities of the ND mechanism, such as attacks on Duplicate Address Detection (DAD), address resolution,
device discovery, and the neighbor cache.
ipv6 nd inspection policy nd_host
!
ipv6 nd inspection policy nd_switch
device-role switch
The device tracking feature provides IPv6 host liveness. It tracks the liveness of the neighbors connected
through the Layer 2 device on a regular basis in order to revoke network access privileges as they become
inactive. If the “device-tracking” CLI does not exist on the software version being run, use the “ipv6 snooping” CLI
instead.
device-tracking tracking
!
device-tracking policy snooping_cdb
no protocol udp
tracking enable
!
7. Configure downlink interfaces toward the Digital Building Series switches as trunk ports, allowing both the
management and lighting VLANs, and attach applicable policies:
!
interface GigabitEthernet1/0/1
switchport trunk allowed vlan 2,3
switchport mode trunk
device-tracking attach-policy snooping_cdb
ipv6 nd inspection attach-policy nd_switch
end
8. Configure the downlink interface toward the management and control server or other end hosts that need to be
on the lighting network (such as the lighting gateway) as access ports on the lighting VLAN, and attach
applicable policies:
!
interface GigabitEthernet1/0/24
switchport access vlan 3
switchport mode access
ipv6 nd inspection attach-policy nd_host
end
9. Configure Rapid per-VLAN Spanning Tree:
!
spanning-tree extend system-id
spanning-tree vlan 2-3 priority 0
!
Important note for ring topology deployments: Enable Rapid per-VLAN Spanning Tree (Rapid PVST) to achieve
faster convergence in the event of a failure in the ring. Rapid PVST is enabled by default on the CDB-8P and
CDB-8U switches. Priority 0 is configured on the aggregation switch so that it is always elected the STP root
bridge; this is a general recommendation for a Digital Building Series ring topology.
Digital Building Series upgrades using Cisco Smart Install
Cisco Smart Install is a transparent plug-and-play technology that can configure the Cisco IOS Software image and
switch without user intervention. Smart Install uses dynamic IP address allocation and the assistance of other
switches to facilitate installation. The Cisco Smart Install feature can be used for day-0 provisioning for the Digital
Building Series switches. In this case, the upstream aggregation switch is configured as the Smart Install Director
with all the TFTP file server information and Digital Building Series image details. Digital Building Series switches
act as Smart Install clients out of the box. The following is a sample Smart Install Director configuration used for
day-0 image upgrades of the Digital Building Series:
!
vlan 1
interface Vlan1
ip address 192.168.1.1 255.255.255.0
no shutdown
vlan 100
interface Vlan100
ip address 192.168.100.1 255.255.255.0
no shutdown
!
! vstack relevant config starts here
!
vstack vlan 1
vstack group custom CDB-8U product-id
image tftp://192.168.100.100/cdb-universalk9-tar.152-6.E1.tar
match CDB-8U
vstack group custom CDB-8P product-id
image tftp://192.168.100.100/cdb-universalk9-tar.152-6.E1.tar
match CDB-8P
vstack dhcp-localserver SMART_INSTALL
address-pool 192.168.1.0 255.255.255.0
file-server 192.168.100.100
default-router 192.168.1.1
vstack director 192.168.1.1
vstack basic
vstack startup-vlan 1
no vstack backup
vstack
!
Configuring the Digital Building Series switches
Depending on the preferred deployment type, the Digital Building Series switches will physically connect to the
aggregation switch (Cisco Catalyst 9300 Series) in a daisy chain, ring, or star topology. As noted under Network
topology, we recommend that a daisy chain or STP-based ring not exceed five switches (twelve for a REP ring).
The following features are enabled by default on the Cisco CDB-8U and CDB-8P switches:
● Link Layer Discovery Protocol (LLDP)
● 2-event classification
● Fast PoE and Perpetual PoE
1. If Cisco Smart Install is not being used for day-0 provisioning of the Digital Building Series switches (for
example, because no backbone network is in place yet), we recommend disabling it. The Smart Install client is
enabled out of the box and will accept an image or configuration from any director that reaches it, so it should
not be left running on a production switch that is not managed this way:
CDB-8U-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CDB-8U-1(config)#no vstack
CDB-8U-1(config)#end
2. Configure the management VLAN:
CDB-8U-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CDB-8U-1(config)#vlan 2
CDB-8U-1(config-vlan)#name MGMT-VLAN
CDB-8U-1(config-vlan)#end
3. Configure the lighting VLAN:
CDB-8U-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CDB-8U-1(config)#vlan 3
CDB-8U-1(config-vlan)#name LIGHTING-VLAN
CDB-8U-1(config-vlan)#end
4. Create an SVI for the management VLAN:
!
interface Vlan2
ip address 2.2.2.11 255.255.255.0
!
5. Configure Rapid PVST:
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
6. Configure the uplink interfaces of the Digital Building Series as trunk ports, allowing both management and
lighting VLANs:
!
interface GigabitEthernet1/0/1
switchport trunk allowed vlan 2,3
switchport mode trunk
!
!
interface GigabitEthernet1/0/2
switchport trunk allowed vlan 2,3
switchport mode trunk
!
Note: For daisy chain and ring topologies, the Digital Building Series switches connect to each other via the two
uplink interfaces. The first and last (in the case of a ring topology) switches also connect to the aggregation switch
using the second uplink interface. For a star topology, the Digital Building Series uplinks connect to the
aggregation switch individually. In this case, the switch uplinks can be bundled using EtherChannel for greater
data redundancy.
7. Configure the downlink interfaces toward the lighting endpoints as access ports on the lighting VLAN. In
addition, enable the following features on these ports:
Storm control: Configure storm control for broadcast, multicast, and unicast traffic according to the maximum
and minimum allowable threshold percentages of line rates on light fixture access ports.
PortFast and Bridge Protocol Data Unit (BPDU) guard: PortFast lets an access port skip the Spanning Tree listening
and learning states, and BPDU guard protects against a switch or loop being introduced on such a port. When BPDU
guard is enabled on the switch, a PortFast-configured interface that receives a BPDU is placed in the errdisable
state instead of the Spanning Tree blocking state. The ports connected to lights never need to participate in
Spanning Tree, so they can be configured with PortFast and BPDU guard:
!
interface FastEthernet1/0/1
switchport access vlan 3
switchport mode access
storm-control broadcast level 50.00
storm-control multicast level 50.00
storm-control unicast level 50.00
spanning-tree portfast edge
spanning-tree bpduguard enable
end
Note: By default, storm control, PortFast, and BPDU guard are enabled on the downlink interfaces of the Digital
Building Series switches. Only the access VLAN number needs to be additionally configured.
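The following is an added example, not part of the original Cisco document, showing how the settings in steps 1 through 7 can be audited from a saved configuration rather than eyeballed port by port. It is plain Python; the SAMPLE_CONFIG text, the function names and the finding strings are all constructed for this example. Because storm control, PortFast and BPDU guard are defaults on the Digital Building Series downlinks, a plain `show running-config` may not list them; feed the audit the output of `show running-config all`, which includes default values, when checking a real switch.

```python
"""Audit a Digital Building Series switch configuration against the settings
recommended on this page (no vstack, lighting VLAN access ports hardened,
uplink trunks pruned to the management and lighting VLANs).

SAMPLE_CONFIG is constructed for this example; it is modelled on the CLI shown
on this page and deliberately leaves a few settings out so the audit has
something to report.
"""
import re

MGMT_VLAN = "2"
LIGHTING_VLAN = "3"

SAMPLE_CONFIG = """\
hostname CDB-8U-1
!
vlan 2
 name MGMT-VLAN
vlan 3
 name LIGHTING-VLAN
!
interface FastEthernet1/0/1
 switchport access vlan 3
 switchport mode access
 storm-control broadcast level 50.00
 storm-control multicast level 50.00
 storm-control unicast level 50.00
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/2
 switchport access vlan 3
 switchport mode access
 storm-control broadcast level 50.00
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 2,3
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport mode trunk
!
end
"""


def parse_interfaces(config):
    """Return {interface name: [indented lines of its stanza]} in config order."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or any global command closes the stanza
    return stanzas


def audit(config):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    # 'no vstack' is only written to the running config once it has been entered;
    # its absence means the Smart Install client is still at its default (enabled).
    if not re.search(r"^no vstack\s*$", config, re.M):
        findings.append("global: 'no vstack' absent, Smart Install client left enabled")

    expected_trunk = f"{MGMT_VLAN},{LIGHTING_VLAN}"
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" in lines:
            if f"switchport access vlan {LIGHTING_VLAN}" not in lines:
                continue  # not a lighting port; out of scope for this audit
            for kind in ("broadcast", "multicast", "unicast"):
                if not any(l.startswith(f"storm-control {kind} level") for l in lines):
                    findings.append(f"{name}: storm-control {kind} missing")
            if not any(l.startswith("spanning-tree portfast") for l in lines):
                findings.append(f"{name}: spanning-tree portfast missing")
            if "spanning-tree bpduguard enable" not in lines:
                findings.append(f"{name}: spanning-tree bpduguard enable missing")
        elif "switchport mode trunk" in lines:
            allowed = [l for l in lines if l.startswith("switchport trunk allowed vlan ")]
            if not allowed:
                findings.append(f"{name}: trunk carries all VLANs, expected 'switchport trunk allowed vlan {expected_trunk}'")
            elif allowed[0].split()[-1] != expected_trunk:
                findings.append(f"{name}: trunk allows '{allowed[0].split()[-1]}', expected '{expected_trunk}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the audit reports the missing `no vstack`, the two storm-control classes and the BPDU guard missing on FastEthernet1/0/2, and the unpruned trunk on GigabitEthernet1/0/2; the same function can be pointed at a configuration exported from every Digital Building Series switch in a ring or chain.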
Validating the deployment
Verifying network connectivity
9300-24U#show ip int br
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM up down
Vlan2 2.2.2.1 YES NVRAM up up
Vlan3 3.3.3.1 YES manual up up
GigabitEthernet0/0 10.104.55.70 YES NVRAM up up
GigabitEthernet1/0/1 unassigned YES unset up up
GigabitEthernet1/0/2 unassigned YES unset up up
GigabitEthernet1/0/3 unassigned YES unset up up
GigabitEthernet1/0/4 unassigned YES unset up up
GigabitEthernet1/0/5 unassigned YES unset up up
GigabitEthernet1/0/6 unassigned YES unset down down
GigabitEthernet1/0/7 unassigned YES unset down down
GigabitEthernet1/0/8 unassigned YES unset down down
GigabitEthernet1/0/9 unassigned YES unset down down
CDB-8U-1#show ip int br
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan2 2.2.2.11 YES NVRAM up up
FastEthernet1/0/1 unassigned YES unset up up
FastEthernet1/0/2 unassigned YES unset up up
FastEthernet1/0/3 unassigned YES unset up up
FastEthernet1/0/4 unassigned YES unset down down
FastEthernet1/0/5 unassigned YES unset down down
FastEthernet1/0/6 unassigned YES unset down down
FastEthernet1/0/7 unassigned YES unset down down
FastEthernet1/0/8 unassigned YES unset down down
GigabitEthernet1/0/1 unassigned YES unset up up
GigabitEthernet1/0/2 unassigned YES unset up up
Bluetooth0 172.16.0.1 YES NVRAM down down
Verifying endpoint connectivity
CDB-8U-1#show lldp neighbors
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
Transcend Fa1/0/3 121 O POE PD
e00d.b903.663c Fa1/0/2 121 POE PD
Total entries displayed: 2
Verifying power to endpoints
CDB-8U-1#show power inline
Available:480.0(w) Used:126.8(w) Remaining:353.2(w)
Interface Admin Oper Power Device Class Max
(Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Fa1/0/1 auto on 30.0 Ieee PD 4 60.0
Fa1/0/2 auto on 37.8 Ieee PD 4 60.0
Fa1/0/3 auto on 59.0 Ieee PD 4 60.0
Fa1/0/4 auto off 0.0 n/a n/a 60.0
Fa1/0/5 auto off 0.0 n/a n/a 60.0
Fa1/0/6 auto off 0.0 n/a n/a 60.0
Fa1/0/7 auto off 0.0 n/a n/a 60.0
Fa1/0/8 auto off 0.0 n/a n/a 60.0
CDB-8U-1#show power inline fastEthernet 1/0/3 detail
Available:480.0(w) Used:126.8(w) Remaining:353.2(w)
Interface: Fa1/0/3
Inline Power Mode: auto
Operational status: on
Device Detected: yes
Device Type: Ieee PD
IEEE Class: 4
Discovery mechanism used/configured: Unknown
Police: off
Power Allocated
Admin Value: 60.0
Power drawn from the source: 59.0
Power available to the device: 59.0
Actual consumption
Measured at the port: 24.6
Maximum Power drawn by the device since powered on: 24.7
Absent Counter: 0
Over Current Counter: 0
Short Current Counter: 0
Invalid Signature Counter: 0
Power Denied Counter: 0
Power Negotiation Used: IEEE 802.3at LLDP
LLDP Power Negotiation --Sent to PD-- --Rcvd from PD--
Power Type: Type 2 PSE Type 2 PD
Power Source: Primary PSE
Power Priority: low critical
Requested Power(W): 50.0 50.0
Allocated Power(W): 50.0 50.0
Four-Pair PoE Supported: Yes
Spare Pair Power Enabled: Yes
Four-Pair PD Architecture: Shared
CDB-8U-1#show power inline police
Available:480.0(w) Used:126.8(w) Remaining:353.2(w)
Interface Admin Oper Admin Oper Cutoff Oper
State State Police Police Power Power
--------- ------ ---------- ---------- ---------- ------ -----
Fa1/0/1 auto on none n/a n/a 22.3
Fa1/0/2 auto on none n/a n/a 18.5
Fa1/0/3 auto on none n/a n/a 24.6
Fa1/0/4 auto off none n/a n/a n/a
Fa1/0/5 auto off none n/a n/a n/a
Fa1/0/6 auto off none n/a n/a n/a
Fa1/0/7 auto off none n/a n/a n/a
Fa1/0/8 auto off none n/a n/a n/a
--------- ------ ---------- ---------- ---------- ------ -----
Totals: 65.4
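To make the power check above repeatable across many Digital Building Series switches, the following Python script (an added example, not part of this guide) parses the "show power inline" table and a per-port "detail" dump into records and flags three conditions a practitioner cares about: a port that is drawing PoE power but is not on the list of ports expected to carry luminaires (a possible unauthorized device on a lighting port), an expected port that is not drawing power (a missing or failed light), and any nonzero PoE fault counter. The sample outputs are constructed from the format shown above, with Fa1/0/5 added as an unexpected device; the EXPECTED_PORTS set is an assumption for the example.

```python
"""Parse Cisco IOS 'show power inline' output and flag ports that draw PoE
power unexpectedly or report PoE fault counters.

Added example, not part of the Cisco deployment guide. Sample outputs are
constructed from the guide's format; EXPECTED_PORTS is an assumed list of
the ports wired to luminaires.
"""
import re
from typing import Dict, List, Tuple

# Constructed 'show power inline' sample: Fa1/0/1-3 mirror the guide's values,
# Fa1/0/5 is added as a device that should not be there.
SHOW_POWER_INLINE = """\
Available:480.0(w)  Used:139.7(w)  Remaining:340.3(w)

Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Fa1/0/1   auto   on         30.0    Ieee PD             4     60.0
Fa1/0/2   auto   on         37.8    Ieee PD             4     60.0
Fa1/0/3   auto   on         59.0    Ieee PD             4     60.0
Fa1/0/4   auto   off        0.0     n/a                 n/a   60.0
Fa1/0/5   auto   on         12.9    Ieee PD             3     60.0
Fa1/0/6   auto   off        0.0     n/a                 n/a   60.0
Fa1/0/7   auto   off        0.0     n/a                 n/a   60.0
Fa1/0/8   auto   off        0.0     n/a                 n/a   60.0
"""

# Constructed 'show power inline fastEthernet 1/0/5 detail' fragment (only the
# lines this script reads) with one nonzero fault counter.
SHOW_POWER_DETAIL_FA5 = """\
Interface: Fa1/0/5
Operational status: on
IEEE Class: 3
Absent Counter: 0
Over Current Counter: 0
Short Current Counter: 0
Invalid Signature Counter: 3
Power Denied Counter: 0
"""

# Assumption for the example: the PoE ports that are wired to luminaires.
EXPECTED_PORTS = {"Fa1/0/1", "Fa1/0/2", "Fa1/0/3"}

ROW_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<admin>\S+)\s+(?P<oper>\S+)\s+(?P<power>\d+\.\d+)\s+"
    r"(?P<device>.+?)\s+(?P<pd_class>\S+)\s+(?P<max>\d+\.\d+)\s*$"
)
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z ]+Counter):\s*(?P<value>\d+)\s*$")


def parse_power_inline(text: str) -> List[Dict[str, object]]:
    """One record per interface row; banner/header lines have no numeric
    Power field and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "port": m["port"], "admin": m["admin"], "oper": m["oper"],
            "power_w": float(m["power"]), "device": m["device"].strip(),
            "pd_class": m["pd_class"], "max_w": float(m["max"]),
        })
    return rows


def parse_power_detail(text: str) -> Tuple[str, Dict[str, int]]:
    """Return (interface, {counter name: value}) from a per-port detail dump."""
    port, counters = "", {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Interface:"):
            port = line.split(":", 1)[1].strip()
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m["name"].strip()] = int(m["value"])
    return port, counters


def audit_poe(rows, details: Dict[str, Dict[str, int]], expected_ports) -> List[str]:
    """Compare observed PoE state with the ports expected to carry lights."""
    findings = []
    for r in rows:
        powered = r["oper"] == "on"
        if powered and r["port"] not in expected_ports:
            findings.append(f"{r['port']}: unexpected powered device "
                            f"(class {r['pd_class']}, {r['power_w']} W)")
        elif not powered and r["port"] in expected_ports:
            findings.append(f"{r['port']}: expected luminaire is not drawing power")
    for port, counters in details.items():
        for name, value in counters.items():
            if value:  # any nonzero PoE fault counter is worth a look
                findings.append(f"{port}: {name} = {value}")
    return findings


if __name__ == "__main__":
    rows = parse_power_inline(SHOW_POWER_INLINE)
    port, counters = parse_power_detail(SHOW_POWER_DETAIL_FA5)
    for finding in audit_poe(rows, {port: counters}, EXPECTED_PORTS):
        print(finding)
```

In practice the two text blocks would be replaced by the output collected from each switch (for example over SSH); the parsing does not depend on column alignment, only on the Power and Max fields being decimal numbers, which is how the header and banner lines are told apart from interface rows.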
Verifying endpoint reachability
9300-24U#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address   Client-ID/Hardware address/User name   Lease expiration       Type        State    Interface
3.3.3.101    5410.ec10.99ff                         Mar 03 2018 09:43 AM   Automatic   Active   Vlan3
3.3.3.102    e00d.b903.5c53                         Mar 03 2018 09:43 AM   Automatic   Active   Vlan3
3.3.3.103    e00d.b903.663c                         Mar 03 2018 09:43 AM   Automatic   Active   Vlan3
3.3.3.104    5410.ec01.cd4a                         Mar 03 2018 09:43 AM   Automatic   Active   Vlan3
3.3.3.105    e00d.b903.5b9d                         Mar 03 2018 09:43 AM   Automatic   Active   Vlan3
3.3.3.106    5410.ec12.3820                         Mar 03 2018 09:43 AM   Automatic   Active   Vlan3
3.3.3.107    e00d.b903.5a82                         Mar 03 2018 09:43 AM   Automatic   Active   Vlan3
9300-24U#ping 3.3.3.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
9300-24U#show device-tracking database
Binding Table has 32 entries, 29 dynamic (limit 100000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned
Network Layer Address                     Link Layer Address  Interface  vlan  prlvl  age     state      Time left
<truncated>
ND  FE80::217:88FF:FE0C:36A6              0017.880c.36a6      Gi1/0/2    3     0005   79s     REACHABLE  224 s try 0
ND  FE80::217:88FF:FE0C:3647              0017.880c.3647      Gi1/0/5    3     0005   57s     REACHABLE  250 s try 0
ND  FE80::217:88FF:FE0C:3645              0017.880c.3645      Gi1/0/4    3     0005   3mn     REACHABLE  134 s try 0
ND  2003:DB8:0:900:D9F0:2083:4FAE:1982    507b.9d99.e616      Gi1/0/23   3     0005   74s     REACHABLE  229 s try 0
ND  2003:DB8:0:900:88D7:39F6:7265:3BB     507b.9d99.e616      Gi1/0/23   3     0005   64s     REACHABLE  239 s
ND  2003:DB8:0:900:217:88FF:FE0C:612C     0017.880c.612c      Gi1/0/3    3     0005   156s    REACHABLE  158 s try 0
ND  2003:DB8:0:900:217:88FF:FE0C:6128     0017.880c.6128      Gi1/0/1    3     0005   3mn     REACHABLE  104 s try 0
ND  2003:DB8:0:900:217:88FF:FE0C:36A6     0017.880c.36a6      Gi1/0/2    3     0005   94s     REACHABLE  219 s try 0
ND  2003:DB8:0:900:217:88FF:FE0C:3647     0017.880c.3647      Gi1/0/5    3     0005   72s     REACHABLE  240 s try 0
ND  2003:DB8:0:900:217:88FF:FE0C:3645     0017.880c.3645      Gi1/0/4    3     0005   3mn     REACHABLE  114 s try 0
L   2003:DB8:0:900::1                     cc98.911b.a8e7      Vl3        3     0100   2887mn  REACHABLE
9300-24U#ping ipv6 2003:DB8:0:900:217:88FF:FE0C:6128
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2003:DB8:0:900:217:88FF:FE0C:6128, timeout is 2
seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/7 ms
Verifying management control
Log in to the management control software and discover the lighting endpoints. Once the endpoints are
discovered, you can test the different control options.
Security
Port security
Switch port security stops MAC table flooding and related attacks. You can use port security with dynamically
learned luminaire MAC addresses to restrict a port's ingress traffic by limiting the MAC addresses that are allowed
to send traffic into the port. Cisco recommends configuring PoE switch port security as follows: only one MAC
address per port, sticky learning without aging, and a violation action of restrict, using the following commands:
● switchport port-security (interface): enables port security on the interface.
● switchport port-security maximum 1: use when only a single device exists at the end of a port.
● switchport port-security violation restrict: allows the learned address to continue to communicate, drops traffic
from any other source MAC address, increments the violation counter and generates a syslog message and SNMP
trap. (The protect action also drops the traffic but does so silently, so violations go unnoticed.)
● switchport port-security mac-address sticky: when sticky learning is enabled, the interface adds all secure
MAC addresses that are dynamically learned to the running configuration and converts these addresses to
sticky secure MAC addresses. Save the configuration (copy running-config startup-config) if the learned
addresses are to survive a reload.
● switchport port-security aging time 0: the address never times out (0 is also the default). A sticky address is
removed only when an administrator clears the entry, or on reload if the configuration was not saved.
interface range FastEthernet1/0/1-8
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security maximum 1
The “mac-address sticky” feature learns the first N (as configured via the “maximum” command) MAC
addresses and allows only those to access the network. Any other MAC address trying to get onto the network
via the port is disallowed, and the port is put into the configured violation state, such as restrict or
shutdown.
The above CLI commands allow a maximum of one MAC address, that is, one luminaire, on a switch port.
Replacing a luminaire on a port-security-enabled switch port triggers a port security violation and, if configured,
a Simple Network Management Protocol (SNMP) trap. The replacement luminaire still receives PoE power, because
PoE classification is independent of port security, but its frames are dropped until the stale sticky MAC address
is removed manually. For example, to remove the sticky MAC address of the old luminaire, use:
no switchport port-security mac-address sticky <MAC address of old luminaire>
in interface configuration mode on the PoE switch, or:
clear port-security sticky address <MAC address of old luminaire>
in privileged EXEC mode on the PoE switch.
IPv6 first-hop security
The Cisco Catalyst 9300 Series Switches, used as aggregation switches for the Digital Building Series deployment,
provide a broader range of security features to limit access to the network and mitigate threats. IPv6 first-hop
security features, if enabled on the Cisco Catalyst 9300 Series or Layer 3 aggregation switches as applicable,
protect against rogue router advertisements, address spoofing, fake DHCP replies, and other risks introduced by
the IPv6 technology. This helps ensure that any IPv6 attack originating from an unknown source attached to a
Digital Building Series switch gets contained within the domain of that particular switch (the lights attached to the
switch) and does not propagate to other Digital Building Series switches and lights connected on the network.
For detailed information on IPv6 first-hop security on the Cisco Catalyst 9300 Series, refer to the following guide:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg/configuring_ipv6_first_hop_security.pdf
IPv6 router advertisement guard
The IPv6 Router Advertisement (RA) guard feature allows the network administrator to block or reject unwanted or
rogue RA messages that arrive at the network device. RAs are used by routers to announce themselves and the
on-link prefixes to hosts. The IPv6 RA guard feature analyzes these RAs and filters out those sent by
unauthorized devices. In host mode (device-role host), all RA and router redirect messages are dropped on the port.
Create an IPv6 RA guard host policy to be applied to downlink interfaces connecting to the Digital Building Series
switches:
!
ipv6 nd raguard policy host-policy
!
Apply the RA guard "host-policy" policy on the downlink interfaces connecting to the Digital Building Series
switches:
!
interface GigabitEthernet1/0/1
switchport trunk allowed vlan 2,3
switchport mode trunk
device-tracking attach-policy snooping_cdb
ipv6 nd inspection attach-policy nd_switch
ipv6 nd raguard attach-policy host-policy
end
9300-24U#show ipv6 nd raguard policy
Policy host-policy configuration:
device-role host
Policy host-policy is applied on the following targets:
Target Type Policy Feature Target range
Gi1/0/1 PORT host-policy RA guard vlan all
Gi1/0/2 PORT host-policy RA guard vlan all
Gi1/0/3 PORT host-policy RA guard vlan all
Gi1/0/4 PORT host-policy RA guard vlan all
Gi1/0/5 PORT host-policy RA guard vlan all
With the RA guard policy in place, if a rogue router physically connects to any of the Digital Building Series
switches and sends out RA messages on the lighting VLAN, these messages are received by the lights connected
to that switch but are dropped on the 9300 Series port, and so are not allowed to propagate further to any other
Digital Building Series switches and lights.
IPv6 source and prefix guard
IPv6 source guard validates the source address or prefix to prevent source address spoofing. It enables the device
to deny traffic when it originates from an address that is not stored in the binding table. It works in conjunction with
IPv6 Neighbor Discovery (ND) inspection and IPv6 address glean, both of which detect existing addresses on the
link and store them in the binding table. IPv6 source guard can deny traffic from unknown sources or unallocated
addresses, such as traffic from sources not assigned by a DHCP server.
Define an IPv6 source guard policy name and enter the switch’s source guard policy configuration mode:
ipv6 source-guard policy sg_cdb
permit link-local
validate address
!
Apply the IPv6 source guard policy on the downlink interfaces connecting to the Digital Building Series switches:
!
interface GigabitEthernet1/0/1
switchport trunk allowed vlan 2,3
switchport mode trunk
device-tracking attach-policy snooping_cdb
ipv6 nd inspection attach-policy nd_switch
ipv6 nd raguard attach-policy host-policy
ipv6 source-guard attach-policy sg_cdb
end
9300-24U#show ipv6 source-guard policy
Policy sg_cdb configuration:
validate address
permit link-local
Policy sg_cdb is applied on the following targets:
Target Type Policy Feature Target range
Gi1/0/1 PORT sg_cdb Source guard vlan all
Gi1/0/2 PORT sg_cdb Source guard vlan all
Gi1/0/3 PORT sg_cdb Source guard vlan all
Gi1/0/4 PORT sg_cdb Source guard vlan all
Gi1/0/5 PORT sg_cdb Source guard vlan all
The IPv6 prefix guard feature works within the IPv6 source guard feature to enable the device to deny traffic that
originates from non-topologically correct addresses. IPv6 prefix guard is often used when IPv6 prefixes are
delegated to devices (for example, home gateways) using DHCP prefix delegation. The feature discovers the
range of addresses assigned to the link and blocks any traffic sourced with an address outside this range.
For prefix guard, define an IPv6 source guard policy with option to validate the prefix instead of the address:
ipv6 source-guard policy pg_cdb
permit link-local
validate prefix
!
Apply the IPv6 source guard policy on the downlink interfaces connecting to the Digital Building Series switches:
!
interface GigabitEthernet1/0/1
switchport trunk allowed vlan 2,3
switchport mode trunk
device-tracking attach-policy snooping_cdb
ipv6 source-guard attach-policy pg_cdb
end
IPv6 destination guard
The IPv6 destination guard feature works with IPv6 neighbor discovery to ensure that the device performs address
resolution only for those addresses that are known to be active on the link.
!
ipv6 destination-guard policy dg_policy
!
!
interface GigabitEthernet1/0/1
switchport trunk allowed vlan 2,3
switchport mode trunk
device-tracking attach-policy snooping_cdb
ipv6 destination-guard attach-policy dg_policy
end
Neighbor Discovery (ND) inspection: Limiting the address count
The ND inspection address-count limit is used to block denial-of-service (DoS) attacks in which a host spoofs many
addresses to exhaust the switch's binding table and neighbor cache. It limits the number of addresses permitted to
participate in the ND process on a particular port. In a lighting deployment using Digital Building Series switches,
a maximum of eight legitimate lights would be expected on a single port of the Cisco Catalyst 9300 Series via an
individual Digital Building Series switch, so the address count can be set to 8. Note that each light may hold more
than one IPv6 address (a link-local address plus a global address, as the binding table output above shows), so
verify the per-port address count in the binding table before enforcing this limit.
!
ipv6 nd inspection policy nd_switch
limit address-count 8
device-role switch
!
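The source guard, prefix guard and ND inspection checks described above are all decisions taken against the binding table shown in the "show device-tracking database" output. The following Python script (an added example, not part of this guide) re-creates those three checks offline so the logic can be seen and tested: "permit link-local" with "validate address" (a source is forwarded only if it is link-local or bound to that exact port), "validate prefix" (global addresses must lie inside the link prefix) and "limit address-count 8" (learned addresses per port). The table is modelled on the guide's output with each entry on one line; the 2001:DB8:BAD::1 row and the rows produced by synthetic_flood() are constructed to trigger findings. Using the fixed lighting prefix 2003:DB8:0:900::/64 rather than prefixes gleaned from RAs or DHCP prefix delegation, as the switch does, is a simplification for the example.

```python
"""Offline model of IPv6 source guard ('validate address'), prefix guard
('validate prefix') and ND inspection ('limit address-count') decisions
taken against a Cisco device-tracking binding table.

Added example, not part of the Cisco deployment guide. BINDING_TABLE is
modelled on the guide's 'show device-tracking database' output; the
2001:DB8:BAD::1 row and synthetic_flood() rows are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

LINK_PREFIX = ipaddress.ip_network("2003:DB8:0:900::/64")  # lighting VLAN prefix
ADDRESS_LIMIT = 8  # mirrors 'limit address-count 8' in policy nd_switch

BINDING_TABLE = """\
ND  FE80::217:88FF:FE0C:36A6            0017.880c.36a6  Gi1/0/2   3  0005  79s     REACHABLE  224 s try 0
ND  FE80::217:88FF:FE0C:3647            0017.880c.3647  Gi1/0/5   3  0005  57s     REACHABLE  250 s try 0
ND  2003:DB8:0:900:D9F0:2083:4FAE:1982  507b.9d99.e616  Gi1/0/23  3  0005  74s     REACHABLE  229 s try 0
ND  2003:DB8:0:900:217:88FF:FE0C:6128   0017.880c.6128  Gi1/0/1   3  0005  3mn     REACHABLE  104 s try 0
ND  2003:DB8:0:900:217:88FF:FE0C:36A6   0017.880c.36a6  Gi1/0/2   3  0005  94s     REACHABLE  219 s try 0
L   2003:DB8:0:900::1                   cc98.911b.a8e7  Vl3       3  0100  2887mn  REACHABLE
ND  2001:DB8:BAD::1                     0000.0c00.dead  Gi1/0/4   3  0005  10s     REACHABLE  200 s try 0
"""

ENTRY_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<addr>[0-9A-Fa-f:]+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<intf>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<prlvl>[0-9A-Fa-f]{4})\s+(?P<age>\S+)\s+(?P<state>\S+)"
)


def parse_bindings(text: str) -> List[Dict[str, object]]:
    """Parse binding-table rows; legend and header lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "code": m["code"], "addr": m["addr"],
            "ip": ipaddress.ip_address(m["addr"]),
            "mac": m["mac"], "intf": m["intf"],
            "vlan": int(m["vlan"]), "state": m["state"],
        })
    return entries


def source_guard_permits(entries, intf: str, src: str) -> bool:
    """'permit link-local' + 'validate address': forward only if the source is
    link-local or is bound to this exact interface in the table."""
    ip = ipaddress.ip_address(src)
    if ip.is_link_local:
        return True
    return any(e["intf"] == intf and e["ip"] == ip for e in entries)


def audit_prefix(entries, prefix) -> List[Tuple[str, str]]:
    """'validate prefix': non-link-local addresses must lie inside the link prefix."""
    return [(e["intf"], e["addr"]) for e in entries
            if not e["ip"].is_link_local and e["ip"] not in prefix]


def audit_address_limit(entries, limit: int) -> List[Tuple[str, int]]:
    """'limit address-count': learned addresses per port must not exceed limit.
    The switch's own addresses (code L) are not counted."""
    per_port = Counter(e["intf"] for e in entries if e["code"] != "L")
    return sorted((p, n) for p, n in per_port.items() if n > limit)


def synthetic_flood(intf: str, count: int) -> str:
    """Constructed rows: one MAC claiming `count` in-prefix addresses on `intf`."""
    return "\n".join(
        f"ND  2003:DB8:0:900::F{i:03X}  0000.0c00.beef  {intf}  3  0005  1s  REACHABLE  300 s try 0"
        for i in range(1, count + 1)
    )


if __name__ == "__main__":
    table = parse_bindings(BINDING_TABLE)
    print("prefix violations:", audit_prefix(table, LINK_PREFIX))
    print("ports over limit:", audit_address_limit(table, ADDRESS_LIMIT))
    flood = parse_bindings(synthetic_flood("Gi1/0/3", 9))
    print("ports over limit (flood):", audit_address_limit(flood, ADDRESS_LIMIT))
    print("known address from wrong port permitted:",
          source_guard_permits(table, "Gi1/0/2", "2003:db8:0:900:217:88ff:fe0c:6128"))
```

The last line of the main block illustrates the point of "validate address": a legitimate luminaire address is still dropped when it arrives on a port other than the one it was learned on, which is exactly the spoofing case the binding table exists to catch.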
Neighbor Discovery (ND) inspection: Drop unsecure
This option drops Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages that carry no options, invalid
options, or an invalid signature. If the lighting endpoints support Secure Neighbor Discovery (SeND, the cryptographic
version of ND), this option can be used to ensure that only authenticated NS and NA messages are processed; enable it
only where every endpoint behind the port supports SeND. The following adds drop-unsecure to the nd_switch policy
defined above; the address-count limit already in that policy remains in effect.
!
ipv6 nd inspection policy nd_switch
drop-unsecure
device-role switch
!
Summary
In summary, the Cisco Digital Building Solution can be deployed securely in various topologies, depending on your
needs. Cisco Catalyst Digital Building Series Switches come with a range of options designed to provide ease of
management. The deployment configuration to get an enterprise IoT network up and running is relatively simple, as
described in this document. Digital Building Solution deployments can be secured against a number of IPv6-related
vulnerabilities and threats, which arise because Digital Building Series switches may be installed in physically
accessible locations, by enabling IPv6 first-hop security features on Cisco's enterprise-class switches, such as the
Cisco Catalyst 9300 Series, used as the aggregation point.
Additional resources
Cisco Digital Building Solution
Digital Building Series Switches
Digital Building Series Switches Data Sheet
Digital Building Series Q&A
Digital Building Series Configuration Guides
Digital Building Series Switch Release Notes
Digital Building Series Switch Hardware Installation Guide
Printed in USA C07-740588-00 04/18