
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 24

Ordering Guide

Cisco Digital Building Solution Deployment Guide

This document provides detailed guidelines for deploying the Cisco® Digital Building Solution with Cisco Catalyst® Digital Building Series Switches and enterprise Internet of Things (IoT) endpoints, such as LED lighting fixtures that use Power over Ethernet (PoE). It includes information about the system's architecture, possible deployment models, and configuration required on the Cisco network nodes. It also recommends best practices and potential issues to be aware of when deploying the solution. Vendor-specific information and implementation details are not covered here. Besides lighting fixtures, the deployment models and configuration recommendations provided in this document are applicable to other types of PoE-powered enterprise IoT endpoints.

Audience

The audience for this document comprises system architects, network/computer/IT design engineers, systems engineers, field consultants, and customers who want to understand how to deploy an indoor IoT infrastructure. This document is written with the assumption that the reader is familiar with the basic concepts of IP protocols, switching, routing, and security.


Contents

Introduction ..... 3
Network topology ..... 3
  Daisy chain topology ..... 4
  Ring topology ..... 5
  Star topology ..... 5
System components ..... 6
Cisco Digital Building Series Switch features ..... 7
Day-0 provisioning of Cisco Digital Building Series Switches ..... 8
Configuring the aggregation switch (Layer 3) ..... 9
Digital Building Series upgrades using Cisco Smart Install ..... 12
Configuring the Digital Building Series switches ..... 13
Validating the deployment ..... 15
Security ..... 19
  Port security ..... 19
  IPv6 first-hop security ..... 20
Summary ..... 23
Additional resources ..... 23


Introduction

The Cisco Digital Building Solution helps different building systems converge on a single IP network. When the lighting and other building systems are connected via Cisco Catalyst Digital Building Series Switches, they can be monitored and managed together by the enterprise network management system. The Digital Building Series switch ideally sits in the plenum area, powering endpoints in spaces such as audio privacy rooms, conference rooms, team rooms, sections of a floor, etc. Each Digital Building Series switch can power up to eight PoE+ or Cisco Universal Power over Ethernet (Cisco UPOE®) endpoints, depending on the switch model deployed.

Two deployment models are typically used (Figure 1). In the distributed model, the IoT endpoints such as lights connect directly to the Digital Building Series switches deployed in the plenum space. In this model, the Digital Building Series switches further connect to enterprise access switches stacked in the wiring closet. The second model is the centralized deployment, wherein the IoT endpoints connect directly to the access switch residing in the wiring closet. This document focuses on the distributed deployment model.

Figure 1. Comparison of the distributed and centralized deployment models

Following are some important considerations for the distributed deployment model:

● Cable runs are shorter and cheaper.

● Each IoT endpoint connects to a Digital Building Series switch for power and data, and only one cable runs from the wiring closet to the switch.

● Heat dissipation is distributed, since the AC-to-DC conversion happens at the Digital Building Series switch at various deployment points.

Network topology

There are multiple ways in which the Digital Building Series switches can connect to each other or the upstream access switch. These are:

● Daisy chain topology

● Ring topology

● Star topology


Note: Cisco Catalyst 9300 Series Switches are used as the platform for the aggregation layer in this document. The 9300 Series is Cisco's lead stackable enterprise switch, built for security, IoT, mobility, and cloud, and hence it is the recommended platform here. Cisco Software-Defined Access (SD-Access) Extension for IoT is also supported on the Cisco Catalyst 9300 Series. Other enterprise-class switches from the Cisco Catalyst family, such as the 2960-X, 2960-XR, 3650, and 3850 Series, can optionally be used instead, depending on the feature requirements for the solution (as described in this document). Appropriate license levels should be purchased for the platforms before the solution is deployed.

Daisy chain topology

The Digital Building Series switches can be daisy-chained together. The first switch has the uplink connectivity to the Cisco Catalyst 9300 Series stack, which in turn has connectivity to a data center. Such a topology alleviates the need for long cable runs to provide connectivity from the aggregation switch to the individual Digital Building Series switches. Only the first Digital Building Series switch in a chain connects to the aggregation switch in the wiring closet, and all others in the same chain directly connect to each other, with much shorter Ethernet cabling. Since there is a 1 Gigabit Ethernet (1G) uplink connection from the first Digital Building Series switch in the chain to the Cisco Catalyst 9300 Series stack, and all the traffic from the downstream Digital Building Series switches goes through this 1G link, the number of switches in a single chain should be planned carefully so that the link is not oversubscribed. Cisco recommends limiting the number of Digital Building Series switches in a daisy chain to five. Figure 2 shows a daisy chain topology.

Figure 2. Daisy chain topology


Ring topology

Digital Building Series switches can connect to each other in a closed ring fashion. The first and last switches have the uplink connectivity to the Cisco Catalyst 9300 Series stack, which in turn has connectivity to a data center. Like the daisy chain topology, the ring topology alleviates the need for long cable runs from aggregation to individual Digital Building Series switches. Only two switches in a ring connect to the aggregation switch in the wiring closet; all others connect directly to each other, with much shorter Ethernet cabling. The closed ring deployment provides redundancy and protection from switch failures, since two paths are always available for data traffic flow. If one of the Digital Building Series switches in the ring fails, the lights connected to all other switches continue to receive power as well as data connectivity. The ring topology works with Spanning Tree Protocol (STP) and Cisco Resilient Ethernet Protocol (REP) enabled in the network. Cisco recommends limiting the number of Digital Building Series switches in the ring to five for STP and twelve for REP configurations. Figure 3 shows a ring topology.

Figure 3. Ring topology

Star topology

In the star topology, all Digital Building Series switches have upstream network connectivity to the Cisco Catalyst 9300 Series stack. The 9300 Series stack connects to an aggregation switch in the campus network's collapsed core/distribution layer, which connects to the data center. The star topology may entail longer cabling requirements compared to the daisy chain and ring topologies, since each Digital Building Series switch in this topology connects to the access switch residing in the wiring closet. In the star topology, every Digital Building Series switch has an independent data traffic path for its connected endpoints, and any failure of a switch does not affect the connectivity for endpoints on other Digital Building Series switches. Figure 4 shows a star topology.


Figure 4. Star topology

Recommendation: In any of the topologies described above, we recommend distributing the endpoints in a given area between adjacent Digital Building Series switches (that is, connecting half the endpoints in a given area to one Digital Building Series switch and the other half to its adjacent switch) to avoid a complete service outage in the area if a switch fails. This is especially applicable to lighting deployments.

For larger-scale deployments, an additional layer of Layer 2 switches can be added to aggregate the endpoint traffic.

System components

The components of the three topologies just described are a mix of Cisco products and LED lighting endpoints from third-party vendors. Table 1 lists these components.

Table 1. System components

| Cisco product | Software release | Description |
|---|---|---|
| Cisco CDB-8P or CDB-8U Switch | 15.2(6)E1 | The CDB-8U model provides up to 480W of PoE power. Eight ports connect to eight light fixtures, and each port supports up to 60W of PoE power. |
| Cisco Catalyst 9300 Series aggregation switch | Cisco IOS® XE 16.6.3 | Wiring closet routing switch. |
| PoE LED lights | Vendor specific | PoE-powered LED lighting endpoints from different lighting vendors. |
| Management and control software | Vendor specific | Third-party lighting management and control software. |


VLANs

Two separate VLANs should be configured for this network: one for management connectivity to the Digital Building Series switches and the other for the IoT endpoints such as lights. The management control software connects to the network in the VLAN designated for the endpoints. We also recommend keeping the Layer 2 broadcast domain for the Digital Building Series switches limited. In larger deployments, different VLANs should be chosen per ring or daisy chain, if feasible.

IP addressing

Dynamic Host Configuration Protocol (DHCP) pools for lights are created on the Layer 3 switch that is acting as the gateway for the lighting network (a Cisco Catalyst 9300 Series Switch in the example above). This is applicable to both IPv4 and IPv6, depending on the IP protocol implementation preferred by the lighting endpoints. In the case of IPv6, Stateless Address Auto Configuration (SLAAC) can also be used. This document shows examples of both cases.

Configurations for each of these IP addressing schemes are provided in later sections of this document.

Cisco Digital Building Series Switch features

Day-0 provisioning app: The day-0 provisioning Digital Building–Installer app helps deployment personnel deploy the switch easily, even when there is no uplink connectivity, alleviating the need for the deployment personnel to be network savvy.

Two-event classification: This feature allocates 30W of power to class 4 powered devices on the hardware level without waiting for any Cisco Discovery Protocol or Link Layer Discovery Protocol (LLDP) packet exchange. It is beneficial in cases where PoE devices do not support LLDP for PoE negotiation or for devices where LLDP negotiation takes too long.

Perpetual PoE: Perpetual PoE allows a Digital Building Series switch to provide uninterrupted power to a PoE-powered endpoint, even when the switch goes through a reboot. The PoE-powered device continues to work and get the last negotiated power as long as the switch continues to receive power from its source. With this feature, maintenance upgrades and software reloads do not cause power disruption to the endpoints. It is very effective in deployments where temporary loss of data connectivity is not as critical as power to the end devices, as in digital buildings.

Fast PoE: Fast PoE enables provisioning of prenegotiated PoE or Cisco UPOE power to PoE endpoints within 5 seconds of switch reboot due to a power failure. This helps ensure minimum downtime for the PoE endpoints in the event of a power outage. In this feature, the PoE subsystem gets initialized and starts to provision power to the connected endpoints without waiting for the Cisco IOS Software daemon to come up. Fast PoE is very helpful in digital building lighting use cases.


Day-0 provisioning of Cisco Digital Building Series Switches

When a new switch arrives, it comes preloaded with minimal configurations. By default, the switch starts in standalone mode. This mode is used to perform initial setup when the switch is disconnected from the network. There are a number of ways of accessing the switch to perform the initial provisioning:

● Using the Digital Building–Installer mobile app via a Bluetooth connection

● Using Cisco Configuration Professional for Catalyst via a Bluetooth connection

● Using the switch Command-Line Interface (CLI) via a Bluetooth connection

● Using the switch CLI via a console cable connection

Using Cisco’s Digital Building–Installer mobile app

The Cisco Digital Building–Installer mobile app digitizes and simplifies installation of Digital Building Series switches. It enables the lighting installer or electrician to validate, configure, diagnose, and verify the day-0 installation of a Cisco Digital Ceiling solution. It provides multiple functions, such as performing TDR cable checks; verifying IoT endpoint connectivity, power, and status; pushing custom configurations to and upgrading the firmware of the switch; taking snapshots; and generating reports, among other capabilities.

1. Install the Cisco Digital Building–Installer app from the Google Play Store (for Android devices) or the Apple App Store (for iOS devices).

2. Connect a Bluetooth dongle to the USB port and power on the switch.

3. Turn on Bluetooth on your smartphone.

4. Open the Cisco Digital Building–Installer app, go to Settings, and connect to the switch via Bluetooth.

For app screenshots, refer to the Digital Building Network Architecture white paper. For more details on app operation and capabilities, refer to the Cisco Digital Building–Installer app (Android/iOS) guides for Android and iOS.

Using Cisco Configuration Professional for Catalyst or the switch command line via a Bluetooth connection

To connect to the switch from a computer:

1. Connect a Bluetooth dongle to the USB port and power on the switch.

2. Turn on Bluetooth on your computer and discover the switch.

3. Pair the computer to the switch.

4. Connect to the switch as an access point. The computer will then get the IP address of the switch.

5. If you are connecting from a Windows computer, go to Devices & Printers, select the switch, click the Connect Using tab, and select Access Point. If you are connecting from a Mac computer, on the menu bar, click the Bluetooth icon, hover over the switch name, and click Connect to Network.

6. Once a connection is established, configure the switch from Cisco Configuration Professional by entering the switch IP address in a browser window. By default, the IP address of the switch is 172.16.0.1.


Using the switch CLI via a Bluetooth connection

Connect your computer to the switch via Bluetooth as described in the previous section. Once done, use Telnet to connect to the switch's IP address to get CLI access.

Configuring the aggregation switch (Layer 3)

This section details the Layer 2 and Layer 3 configuration implemented on the Cisco Catalyst 9300 Series Switch. For the purpose of this document, we assume that a single 9300 Series switch is acting as a combined aggregation and core platform. At a minimum, the following need to be enabled on this switch:

● Management and lighting VLANs

● Management and lighting VLAN Switch Virtual Interfaces (SVIs)

● DHCP pools for lights

● IPv6 on the lighting SVI

● Neighbor Discovery (ND) inspection and device tracking

● Trunk configurations for ports (downlink) connecting to Digital Building Series switches

● Access configurations for ports (downlink) connecting to a server running management and control software

● Spanning Tree

1. Configure the management VLAN for Digital Building Series connectivity:

9300-24U#conf t
Enter configuration commands, one per line. End with CNTL/Z.
9300-24U(config)#vlan 2
9300-24U(config-vlan)#name MGMT-VLAN
9300-24U(config-vlan)#end

2. Configure the lighting VLAN:

9300-24U#conf t
Enter configuration commands, one per line. End with CNTL/Z.
9300-24U(config)#vlan 3
9300-24U(config-vlan)#name LIGHTING-VLAN
9300-24U(config-vlan)#end

3. Create SVIs for the management and lighting VLANs:

!
interface Vlan2
 ip address 2.2.2.1 255.255.255.0
!
interface Vlan3
 ip address 3.3.3.1 255.255.255.0
 ipv6 address 2003:DB8:0:900::1/64
 ipv6 enable
 ipv6 nd ra interval msec 1000
end


Note: If the endpoints work on IPv6, configure an IPv6 address in the lighting VLAN SVI and enable IPv6 on it, as shown above. This will also allow for the use of SLAAC for endpoint IP addressing. Alternatively, an IPv6 DHCP pool can be configured for the IPv6 endpoints. For IPv4 connectivity, provide an IPv4 address to the SVI as well.

4. Enable IPv4 DHCP for IPv4 lights:

!
ip dhcp excluded-address 3.3.3.1 3.3.3.100
!
ip dhcp pool lights
 network 3.3.3.0 255.255.255.0
 default-router 3.3.3.1
!

5. Configure IPv4 and IPv6 unicast routing on the switch:

!
ip routing
!
ipv6 unicast-routing
!

6. For an IPv6 endpoint deployment, IPv6 Neighbor Discovery (ND) inspection and device tracking features can optionally be enabled to keep track of endpoints as well as to implement IPv6 first-hop security features (covered in more detail later in this document). Create different IPv6 ND inspection policies for switches and hosts. The IPv6 ND inspection policy for switches and device tracking is attached to the ports connecting to the Digital Building Series switches, and the IPv6 ND inspection policy for hosts is attached to the management server and lighting gateway ports.

IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes ND messages in order to build a trusted binding table database, and IPv6 ND messages that do not have valid bindings are dropped. This feature mitigates some of the inherent vulnerabilities of the ND mechanism, such as attacks on Duplicate Address Detection (DAD), address resolution, device discovery, and the neighbor cache.

ipv6 nd inspection policy nd_host
!
ipv6 nd inspection policy nd_switch
 device-role switch

The device tracking feature provides IPv6 host liveness. It tracks the liveness of the neighbors connected through the Layer 2 device on a regular basis in order to revoke network access privileges as they become inactive. If the "device-tracking" CLI does not exist on the software version being run, use the "ipv6 snooping" CLI instead.


device-tracking tracking
!
device-tracking policy snooping_cdb
 no protocol udp
 tracking enable
!
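To make the binding-table behaviour described in step 6 concrete, the following Python model is an added illustration and not Cisco's implementation. It assumes a deliberately simplified policy: a binding is learned from the first DAD Neighbor Solicitation seen on a host-role port, any later ND message claiming that address must arrive from the same MAC and port or it is dropped, messages claiming an address with no binding are dropped, ports with device-role "switch" (the nd_switch policy above) are trusted and not inspected, and a binding whose owner has been silent longer than max_idle is aged out, which stands in for the liveness revocation that device tracking provides. The MAC addresses and the host address inside the guide's 2003:DB8:0:900::/64 prefix are constructed sample values.

```python
"""Simplified model of IPv6 ND inspection plus device-tracking liveness.
Added example; the rules are assumptions, not Cisco's actual algorithm."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NdMessage:
    kind: str      # "DAD_NS" (duplicate address detection), "NS" or "NA"
    claimed: str   # IPv6 address whose ownership the sender asserts
    src_mac: str
    port: str


class NdInspector:
    def __init__(self, port_roles, max_idle=300.0):
        self.port_roles = port_roles   # {port: "host" | "switch"}
        self.max_idle = max_idle       # seconds of silence before a binding ages out
        self.bindings = {}             # claimed address -> (mac, port, last_seen)
        self.log = []

    def process(self, msg, now=0.0):
        """Return True if the message is forwarded, False if it is dropped."""
        if self.port_roles.get(msg.port) == "switch":
            return True   # trusted link to another switch: passed through uninspected
        entry = self.bindings.get(msg.claimed)
        if entry is None:
            if msg.kind == "DAD_NS":
                # First claim of an address: learn the binding from DAD.
                self.bindings[msg.claimed] = (msg.src_mac, msg.port, now)
                self.log.append(f"learned {msg.claimed} -> {msg.src_mac} on {msg.port}")
                return True
            # Any other ND message for an address nobody has bound is dropped.
            self.log.append(f"dropped {msg.kind} claiming unbound {msg.claimed} on {msg.port}")
            return False
        mac, port, _ = entry
        if (mac, port) == (msg.src_mac, msg.port):
            self.bindings[msg.claimed] = (mac, port, now)   # refresh liveness
            return True
        # Claim for a bound address from a different MAC or port: drop it.
        self.log.append(f"dropped {msg.kind} claiming {msg.claimed} from {msg.src_mac} "
                        f"on {msg.port}; bound to {mac} on {port}")
        return False

    def expire(self, now):
        """Age out bindings whose owner has been silent; returns removed addresses."""
        stale = [a for a, (_, _, seen) in self.bindings.items() if now - seen > self.max_idle]
        for a in stale:
            del self.bindings[a]
            self.log.append(f"expired {a}")
        return stale


def demo():
    """Run a constructed scenario; returns (forwarding decisions, log)."""
    insp = NdInspector({"GigabitEthernet1/0/24": "host", "GigabitEthernet1/0/1": "switch"})
    fixture_mac, other_mac = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed
    addr = "2003:db8:0:900::10"                                          # constructed
    host_port, switch_port = "GigabitEthernet1/0/24", "GigabitEthernet1/0/1"
    decisions = [
        insp.process(NdMessage("DAD_NS", addr, fixture_mac, host_port), now=0),   # learned
        insp.process(NdMessage("NA", addr, fixture_mac, host_port), now=10),      # same owner
        insp.process(NdMessage("NA", addr, other_mac, host_port), now=20),        # wrong MAC
        insp.process(NdMessage("NA", "2003:db8:0:900::99", other_mac, host_port), now=30),
        insp.process(NdMessage("NA", addr, other_mac, switch_port), now=40),      # trusted port
    ]
    decisions.append(insp.expire(now=400))   # owner silent since t=10: aged out
    return decisions, insp.log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The fifth message passes only because it arrives on the switch-role port, which is exactly why the guide attaches the host policy to the management server and lighting gateway ports and the switch policy only to links toward other Digital Building Series switches: a host-role policy on an inter-switch trunk would drop legitimate ND traffic transiting from hosts behind that switch.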

7. Configure downlink interfaces toward the Digital Building Series switches as trunk ports, allowing both the management and lighting VLANs, and attach applicable policies:

!
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 2,3
 switchport mode trunk
 device-tracking attach-policy snooping_cdb
 ipv6 nd inspection attach-policy nd_switch
end

8. Configure the downlink interface toward the management and control server or other end hosts that need to be on the lighting network (such as the lighting gateway) as access ports on the lighting VLAN, and attach applicable policies:

!
interface GigabitEthernet1/0/24
 switchport access vlan 3
 switchport mode access
 ipv6 nd inspection attach-policy nd_host
end

9. Configure Rapid per-VLAN Spanning Tree:

!
spanning-tree extend system-id
spanning-tree vlan 2-3 priority 0
!

Important note for ring topology deployments. Enable Rapid per-VLAN Spanning Tree (Rapid PVST) to achieve faster convergence in the event of a failure in the ring topology. Rapid PVST is enabled by default on the CDB-8P and CDB-8U switches. Priority 0 is provided on this switch to ensure that it remains the STP root bridge. This is a general recommendation for a Digital Building Series ring topology.


Digital Building Series upgrades using Cisco Smart Install

Cisco Smart Install is a transparent plug-and-play technology that can configure the Cisco IOS Software image and switch without user intervention. Smart Install uses dynamic IP address allocation and the assistance of other switches to facilitate installation. The Cisco Smart Install feature can be used for day-0 provisioning for the Digital Building Series switches. In this case, the upstream aggregation switch is configured as the Smart Install Director with all the TFTP file server information and Digital Building Series image details. Digital Building Series switches act as Smart Install clients out of the box. The following is a sample Smart Install Director configuration used for day-0 image upgrades of the Digital Building Series:

!
vlan 1
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
vlan 100
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 no shutdown
!
! vstack relevant config starts here
!
vstack vlan 1
vstack group custom CDB-8U product-id
 image tftp://192.168.100.100/cdb-universalk9-tar.152-6.E1.tar
 match CDB-8U
vstack group custom CDB-8P product-id
 image tftp://192.168.100.100/cdb-universalk9-tar.152-6.E1.tar
 match CDB-8P
vstack dhcp-localserver SMART_INSTALL
 address-pool 192.168.1.0 255.255.255.0
 file-server 192.168.100.100
 default-router 192.168.1.1
vstack director 192.168.1.1
vstack basic
vstack startup-vlan 1
no vstack backup
vstack
!


Configuring the Digital Building Series switches

Depending on the preferred deployment type, the Digital Building Series switches will physically connect to the aggregation switch (Cisco Catalyst 9300 Series) in a daisy chain, ring, or star topology. We recommend that ring or daisy chain topologies not exceed five switches.

The following features are enabled by default on the Cisco CDB-8U and CDB-8P switches:

● Link Layer Discovery Protocol (LLDP)

● 2-event classification

● Fast PoE and Perpetual PoE

1. If not using the Cisco Smart Install feature for day-0 provisioning of the Digital Building Series switches (possibly since no backbone network is in place), we recommend disabling this feature:

CDB-8U-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CDB-8U-1(config)#no vstack
CDB-8U-1(config)#end

2. Configure the management VLAN:

CDB-8U-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CDB-8U-1(config)#vlan 2
CDB-8U-1(config-vlan)#name MGMT-VLAN
CDB-8U-1(config-vlan)#end

3. Configure the lighting VLAN:

CDB-8U-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CDB-8U-1(config)#vlan 3
CDB-8U-1(config-vlan)#name LIGHTING-VLAN
CDB-8U-1(config-vlan)#end

4. Create an SVI for the management VLAN:

!
interface Vlan2
 ip address 2.2.2.11 255.255.255.0
!

5. Configure Rapid PVST:

!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!


6. Configure the uplink interfaces of the Digital Building Series as trunk ports, allowing both management and lighting VLANs:

!
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 2,3
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 2,3
 switchport mode trunk
!

Note: For daisy chain and ring topologies, the Digital Building Series switches connect to each other via the two uplink interfaces. The first and last (in the case of a ring topology) switches also connect to the aggregation switch using the second uplink interface. For a star topology, the Digital Building Series uplinks connect to the aggregation switch individually. In this case, the switch uplinks can be bundled using EtherChannel for greater data redundancy.

7. Configure the downlink interfaces toward the lighting endpoints as access ports on the lighting VLAN. In addition, enable the following features on these ports:

Storm control: Configure storm control for broadcast, multicast, and unicast traffic according to the maximum and minimum allowable threshold percentages of line rates on light fixture access ports.

PortFast and Bridge Protocol Data Unit (BPDU) guard: These features prevent loops by moving a nontrunking port into an errdisable state when a BPDU is received on that port. When BPDU guard is enabled on the switch, Spanning Tree shuts down PortFast-configured interfaces that receive BPDUs instead of putting them into the Spanning Tree blocking state. The ports connected to lights don't have to do a BPDU check for Spanning Tree, and therefore those ports can be configured for PortFast BPDU guard:

!
interface FastEthernet1/0/1
 switchport access vlan 3
 switchport mode access
 storm-control broadcast level 50.00
 storm-control multicast level 50.00
 storm-control unicast level 50.00
 spanning-tree portfast edge
 spanning-tree bpduguard enable
end

Note: By default, storm control, PortFast, and BPDU guard are enabled on the downlink interfaces of the Digital

Building Series switches. Only the access VLAN number needs to be additionally configured.


Validating the deployment

Verifying network connectivity

9300-24U#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  up                    down
Vlan2                  2.2.2.1         YES NVRAM  up                    up
Vlan3                  3.3.3.1         YES manual up                    up
GigabitEthernet0/0     10.104.55.70    YES NVRAM  up                    up
GigabitEthernet1/0/1   unassigned      YES unset  up                    up
GigabitEthernet1/0/2   unassigned      YES unset  up                    up
GigabitEthernet1/0/3   unassigned      YES unset  up                    up
GigabitEthernet1/0/4   unassigned      YES unset  up                    up
GigabitEthernet1/0/5   unassigned      YES unset  up                    up
GigabitEthernet1/0/6   unassigned      YES unset  down                  down
GigabitEthernet1/0/7   unassigned      YES unset  down                  down
GigabitEthernet1/0/8   unassigned      YES unset  down                  down
GigabitEthernet1/0/9   unassigned      YES unset  down                  down

CDB-8U-1#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan2                  2.2.2.11        YES NVRAM  up                    up
FastEthernet1/0/1      unassigned      YES unset  up                    up
FastEthernet1/0/2      unassigned      YES unset  up                    up
FastEthernet1/0/3      unassigned      YES unset  up                    up
FastEthernet1/0/4      unassigned      YES unset  down                  down
FastEthernet1/0/5      unassigned      YES unset  down                  down
FastEthernet1/0/6      unassigned      YES unset  down                  down
FastEthernet1/0/7      unassigned      YES unset  down                  down
FastEthernet1/0/8      unassigned      YES unset  down                  down
GigabitEthernet1/0/1   unassigned      YES unset  up                    up
GigabitEthernet1/0/2   unassigned      YES unset  up                    up
Bluetooth0             172.16.0.1      YES NVRAM  down                  down

Verifying endpoint connectivity

CDB-8U-1#show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
Transcend           Fa1/0/3        121        O               POE PD
e00d.b903.663c      Fa1/0/2        121                        POE PD


Total entries displayed: 2

Verifying power to endpoints

CDB-8U-1#show power inline
Available:480.0(w)  Used:126.8(w)  Remaining:353.2(w)

Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Fa1/0/1   auto   on         30.0    Ieee PD             4     60.0
Fa1/0/2   auto   on         37.8    Ieee PD             4     60.0
Fa1/0/3   auto   on         59.0    Ieee PD             4     60.0
Fa1/0/4   auto   off        0.0     n/a                 n/a   60.0
Fa1/0/5   auto   off        0.0     n/a                 n/a   60.0
Fa1/0/6   auto   off        0.0     n/a                 n/a   60.0
Fa1/0/7   auto   off        0.0     n/a                 n/a   60.0
Fa1/0/8   auto   off        0.0     n/a                 n/a   60.0

CDB-8U-1#show power inline fastEthernet 1/0/3 detail
Available:480.0(w)  Used:126.8(w)  Remaining:353.2(w)

 Interface: Fa1/0/3
 Inline Power Mode: auto
 Operational status: on
 Device Detected: yes
 Device Type: Ieee PD
 IEEE Class: 4
 Discovery mechanism used/configured: Unknown
 Police: off

 Power Allocated
 Admin Value: 60.0
 Power drawn from the source: 59.0
 Power available to the device: 59.0

 Actual consumption
 Measured at the port: 24.6
 Maximum Power drawn by the device since powered on: 24.7

 Absent Counter: 0
 Over Current Counter: 0
 Short Current Counter: 0


 Invalid Signature Counter: 0
 Power Denied Counter: 0

 Power Negotiation Used: IEEE 802.3at LLDP
 LLDP Power Negotiation   --Sent to PD--   --Rcvd from PD--
   Power Type:            Type 2 PSE       Type 2 PD
   Power Source:          Primary          PSE
   Power Priority:        low              critical
   Requested Power(W):    50.0             50.0
   Allocated Power(W):    50.0             50.0

 Four-Pair PoE Supported: Yes
 Spare Pair Power Enabled: Yes
 Four-Pair PD Architecture: Shared

CDB-8U-1#show power inline police
Available:480.0(w)  Used:126.8(w)  Remaining:353.2(w)

Interface Admin  Oper       Admin      Oper       Cutoff Oper
          State  State      Police     Police     Power  Power
--------- ------ ---------- ---------- ---------- ------ -----
Fa1/0/1   auto   on         none       n/a        n/a    22.3
Fa1/0/2   auto   on         none       n/a        n/a    18.5
Fa1/0/3   auto   on         none       n/a        n/a    24.6
Fa1/0/4   auto   off        none       n/a        n/a    n/a
Fa1/0/5   auto   off        none       n/a        n/a    n/a
Fa1/0/6   auto   off        none       n/a        n/a    n/a
Fa1/0/7   auto   off        none       n/a        n/a    n/a
Fa1/0/8   auto   off        none       n/a        n/a    n/a
--------- ------ ---------- ---------- ---------- ------ -----
Totals:                                                  65.4
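The power verification above is easy to eyeball on an eight-port switch but not across a building full of them. The following Python is an added example (not from the Cisco guide) that parses the summary table of "show power inline" and applies the checks a deployment validation would want: the per-port allocations match the "Used" figure, the budget header adds up, no port is faulty or power-denied, and no PD is allocated within a few watts of the port maximum. SAMPLE_OUTPUT is the CDB-8U-1 output shown above; the column layout the regexes expect is an assumption about the IOS format, not something the guide documents.

```python
"""Parse 'show power inline' output and sanity-check the PoE budget.

Added example, not from the Cisco guide. SAMPLE_OUTPUT is the CDB-8U-1
output shown above; the column layout the regexes expect is an assumption
about the IOS format, not something the guide documents."""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
Available:480.0(w)  Used:126.8(w)  Remaining:353.2(w)

Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Fa1/0/1   auto   on         30.0    Ieee PD             4     60.0
Fa1/0/2   auto   on         37.8    Ieee PD             4     60.0
Fa1/0/3   auto   on         59.0    Ieee PD             4     60.0
Fa1/0/4   auto   off        0.0     n/a                 n/a   60.0
Fa1/0/5   auto   off        0.0     n/a                 n/a   60.0
Fa1/0/6   auto   off        0.0     n/a                 n/a   60.0
Fa1/0/7   auto   off        0.0     n/a                 n/a   60.0
Fa1/0/8   auto   off        0.0     n/a                 n/a   60.0
"""

BUDGET_RE = re.compile(
    r"Available:(?P<avail>[\d.]+)\(w\)\s+Used:(?P<used>[\d.]+)\(w\)\s+Remaining:(?P<rem>[\d.]+)\(w\)")
# Device names may contain spaces ("Ieee PD"), so that column is matched lazily
# and anchored by the single-digit or n/a class column that follows it.
ROW_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<admin>auto|static|never)\s+(?P<oper>on|off|faulty|power-deny)\s+"
    r"(?P<power>[\d.]+)\s+(?P<device>.+?)\s+(?P<cls>\d|n/a)\s+(?P<max>[\d.]+)$")


@dataclass
class PoePort:
    interface: str
    admin: str
    oper: str
    power_w: float      # power allocated to the port (the 'Power (Watts)' column)
    device: str
    pd_class: str
    max_w: float        # per-port maximum


def parse_power_inline(text):
    """Return (budget dict with avail/used/rem in watts, list of PoePort rows)."""
    budget, ports = {}, []
    for line in text.splitlines():
        m = BUDGET_RE.search(line)
        if m:
            budget = {k: float(v) for k, v in m.groupdict().items()}
            continue
        m = ROW_RE.match(line.strip())
        if m:
            g = m.groupdict()
            ports.append(PoePort(g["intf"], g["admin"], g["oper"], float(g["power"]),
                                 g["device"], g["cls"], float(g["max"])))
    return budget, ports


def audit(budget, ports, near_max_ratio=0.9):
    """Findings a deployment check would want: budget arithmetic, faulty or
    power-denied ports, and PDs allocated close to the port maximum."""
    findings = []
    allocated = round(sum(p.power_w for p in ports), 1)
    if abs(allocated - budget["used"]) > 0.05:
        findings.append(f"per-port allocations sum to {allocated} W, header says {budget['used']} W")
    if abs(budget["avail"] - budget["used"] - budget["rem"]) > 0.05:
        findings.append("Available - Used != Remaining in the header")
    for p in ports:
        if p.oper in ("faulty", "power-deny"):
            findings.append(f"{p.interface}: PoE state {p.oper}")
        elif p.oper == "on" and p.power_w >= near_max_ratio * p.max_w:
            findings.append(f"{p.interface}: allocated {p.power_w} W of {p.max_w} W port maximum")
    return findings
```

On the guide's own output the only finding is Fa1/0/3, allocated 59.0 W of a 60.0 W port maximum, which matches the detail output for that port; the ports in "off" state are simply unpopulated and are not reported.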

Verifying endpoint reachability

9300-24U#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
3.3.3.101       5410.ec10.99ff          Mar 03 2018 09:43 AM    Automatic  Active     Vlan3
3.3.3.102       e00d.b903.5c53          Mar 03 2018 09:43 AM    Automatic  Active     Vlan3
3.3.3.103       e00d.b903.663c          Mar 03 2018 09:43 AM    Automatic  Active     Vlan3


3.3.3.104       5410.ec01.cd4a          Mar 03 2018 09:43 AM    Automatic  Active     Vlan3
3.3.3.105       e00d.b903.5b9d          Mar 03 2018 09:43 AM    Automatic  Active     Vlan3
3.3.3.106       5410.ec12.3820          Mar 03 2018 09:43 AM    Automatic  Active     Vlan3
3.3.3.107       e00d.b903.5a82          Mar 03 2018 09:43 AM    Automatic  Active     Vlan3

9300-24U#ping 3.3.3.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

9300-24U#show device-tracking database
Binding Table has 32 entries, 29 dynamic (limit 100000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned

    Network Layer Address                      Link Layer Address  Interface  vlan  prlvl  age     state      Time left
<truncated>
ND  FE80::217:88FF:FE0C:36A6                   0017.880c.36a6      Gi1/0/2    3     0005   79s     REACHABLE  224 s try 0
ND  FE80::217:88FF:FE0C:3647                   0017.880c.3647      Gi1/0/5    3     0005   57s     REACHABLE  250 s try 0
ND  FE80::217:88FF:FE0C:3645                   0017.880c.3645      Gi1/0/4    3     0005   3mn     REACHABLE  134 s try 0
ND  2003:DB8:0:900:D9F0:2083:4FAE:1982         507b.9d99.e616      Gi1/0/23   3     0005   74s     REACHABLE  229 s try 0
ND  2003:DB8:0:900:88D7:39F6:7265:3BB          507b.9d99.e616      Gi1/0/23   3     0005   64s     REACHABLE  239 s
ND  2003:DB8:0:900:217:88FF:FE0C:612C          0017.880c.612c      Gi1/0/3    3     0005   156s    REACHABLE  158 s try 0
ND  2003:DB8:0:900:217:88FF:FE0C:6128          0017.880c.6128      Gi1/0/1    3     0005   3mn     REACHABLE  104 s try 0
ND  2003:DB8:0:900:217:88FF:FE0C:36A6          0017.880c.36a6      Gi1/0/2    3     0005   94s     REACHABLE  219 s try 0
ND  2003:DB8:0:900:217:88FF:FE0C:3647          0017.880c.3647      Gi1/0/5    3     0005   72s     REACHABLE  240 s try 0
ND  2003:DB8:0:900:217:88FF:FE0C:3645          0017.880c.3645      Gi1/0/4    3     0005   3mn     REACHABLE  114 s try 0


L   2003:DB8:0:900::1                          cc98.911b.a8e7      Vl3        3     0100   2887mn  REACHABLE

9300-24U#ping ipv6 2003:DB8:0:900:217:88FF:FE0C:6128
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2003:DB8:0:900:217:88FF:FE0C:6128, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/7 ms

Verifying management control

Log in to the management control software and discover the lighting endpoints. Once the endpoints are discovered, you can test the different control options.

Security

Port security

Switch port security stops MAC table flooding and other attack variants. You can use port security with dynamically learned luminaire MAC addresses to restrict a port’s ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. Cisco recommends setting PoE switch port security as follows: only one MAC address per port, sticky without aging, and violation action restrict, using the following commands:

● switchport port-security (interface).

● switchport port-security maximum 1: When only a single device exists on the end of any port.

● switchport port-security violation restrict: This allows the current address to continue to communicate, but causes all other sourced traffic to be dropped.

● switchport port-security mac-address sticky: When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses.

● switchport port-security aging time 0: Address never times out. It requires one of two things: a manual reset of the switch (power recycle or warm reboot) or a person logging in and clearing the entry.

interface range FastEthernet1/0/1-8
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security maximum 1

The “mac-address sticky” feature learns the first N (as configured via the “maximum” command) MAC addresses and allows only those to access the network. Any other MAC address trying to get onto the network via the port is disallowed, and the port is put into the configured violation policy state, such as restrict or shutdown.


The above CLI commands allow a maximum of one MAC address (that is, one luminaire) on a switch port. Replacing a luminaire on this port security-enabled switch port triggers a port security violation and a Simple Network Management Protocol (SNMP) trap (if configured). In such scenarios, the sticky MAC address on the switch port needs to be removed manually for the successful operation of a replaced luminaire on that switch port. For example, to remove the sticky MAC address of a luminaire, use:

no switchport port-security mac-address sticky <MAC address of old luminaire>

on the interface or:

clear port-security sticky address <MAC address of old luminaire>

on the PoE switch global configuration.
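The operational difference between the three violation modes, and why the sticky entry has to be cleared before a replacement luminaire will come up, is easier to see in a small model than in prose. The following Python is an added example, not Cisco's code: a simplified simulation of a port-security protected access port with "maximum 1" and sticky learning, run through the luminaire-replacement scenario above in each violation mode. The two MAC addresses are taken from the DHCP bindings shown earlier; everything else is constructed.

```python
"""Simplified model of a port-security protected access port, to compare the
'protect', 'restrict' and 'shutdown' violation modes and the sticky-MAC
replacement workflow described above. Added example, not Cisco's code; the
frames are constructed and the MACs are taken from the DHCP bindings above."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # switchport port-security maximum 1
    violation: str = "restrict"       # protect | restrict | shutdown
    secure_macs: list = field(default_factory=list)     # sticky addresses learned so far
    running_config: list = field(default_factory=list)  # what sticky learning writes to the config
    violations: int = 0               # counted for restrict/shutdown (what a syslog/SNMP trap reports)
    errdisabled: bool = False

    def ingress(self, src_mac: str) -> bool:
        """Process one frame from src_mac; return True if forwarded, False if dropped."""
        if self.errdisabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            # sticky learning: the first address becomes secure and lands in the running config
            self.secure_macs.append(src_mac)
            self.running_config.append(f" switchport port-security mac-address sticky {src_mac}")
            return True
        # a new address beyond the maximum is a violation; the mode decides what happens next
        if self.violation == "protect":
            return False                 # silently dropped, nothing counted or notified
        self.violations += 1             # restrict and shutdown both count and notify
        if self.violation == "shutdown":
            self.errdisabled = True      # port goes err-disabled; even the secure MAC is cut off
        return False

    def clear_sticky(self, mac: str) -> None:
        """Model 'clear port-security sticky address <mac>' after a luminaire is replaced."""
        self.secure_macs.remove(mac)
        self.running_config = [line for line in self.running_config if not line.endswith(mac)]


def replacement_scenario(mode: str) -> dict:
    """Old luminaire is learned, a replacement with a new MAC is plugged in,
    then the operator clears the old sticky entry. Returns what happened at each step."""
    old, new = "5410.ec10.99ff", "e00d.b903.5c53"   # MACs from the DHCP bindings above
    port = SecurePort("Fa1/0/1", violation=mode)
    port.ingress(old)                      # learned as the single sticky address
    before_clear = port.ingress(new)       # replacement fixture while the old entry remains
    old_still_ok = port.ingress(old)       # is the original address still forwarded?
    port.clear_sticky(old)                 # operator removes the stale sticky entry
    after_clear = port.ingress(new)        # replacement fixture tries again
    return {"new_before_clear": before_clear, "old_after_violation": old_still_ok,
            "new_after_clear": after_clear, "violations": port.violations,
            "errdisabled": port.errdisabled}
```

In "restrict" mode the stale entry blocks only the replacement until it is cleared and the event is counted, which is what the guide's recommendation relies on; in "protect" mode the same drop happens silently, so nothing tells the operator why the new fixture never appears; in "shutdown" mode the port stays err-disabled even after the sticky address is cleared until the port itself is recovered.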

IPv6 first-hop security

The Cisco Catalyst 9300 Series Switches, used as aggregation switches for the Digital Building Series deployment, provide a broader range of security features to limit access to the network and mitigate threats. IPv6 first-hop security features, if enabled on the Cisco Catalyst 9300 Series or Layer 3 aggregation switches as applicable, protect against rogue router advertisements, address spoofing, fake DHCP replies, and other risks introduced by the IPv6 technology. This helps ensure that any IPv6 attack originating from an unknown source attached to a Digital Building Series switch gets contained within the domain of that particular switch (the lights attached to the switch) and does not propagate to other Digital Building Series switches and lights connected on the network.

For detailed information on IPv6 first-hop security on the Cisco Catalyst 9300 Series, refer to the following guide:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg/configuring_ipv6_first_hop_security.pdf

IPv6 router advertisement guard

The IPv6 Router Advertisement (RA) guard feature allows the network administrator to block or reject unwanted or rogue RA messages that arrive at the network device platform. RAs are used by devices to announce themselves on the link. The IPv6 RA guard feature analyzes these RAs and filters out ones that are sent by unauthorized devices. In host mode, all RA and router redirect messages are disallowed on the port.

Create an IPv6 RA guard host policy to be applied to downlink interfaces connecting to the Digital Building Series switches:

!
ipv6 nd raguard policy host-policy
!

Apply the RA guard "host-policy" policy on the downlink interfaces connecting to the Digital Building Series switches:

!
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 2,3
 switchport mode trunk
 device-tracking attach-policy snooping_cdb
 ipv6 nd inspection attach-policy nd_switch


 ipv6 nd raguard attach-policy host-policy
end

9300-24U#show ipv6 nd raguard policy
Policy host-policy configuration:
  device-role host
Policy host-policy is applied on the following targets:
Target   Type  Policy       Feature   Target range
Gi1/0/1  PORT  host-policy  RA guard  vlan all
Gi1/0/2  PORT  host-policy  RA guard  vlan all
Gi1/0/3  PORT  host-policy  RA guard  vlan all
Gi1/0/4  PORT  host-policy  RA guard  vlan all
Gi1/0/5  PORT  host-policy  RA guard  vlan all

With the RA guard policy in place, if a rogue router physically connects to any of the Digital Building Series switches and sends out RA messages on the lighting VLAN, these messages are received by the lights connected to that switch but are dropped on the 9300 Series port, and so are not allowed to propagate further to any other Digital Building Series switches and lights.

IPv6 source and prefix guard

IPv6 source guard validates the source address or prefix to prevent source address spoofing. It enables the device to deny traffic when it originates from an address that is not stored in the binding table. It works in conjunction with IPv6 Neighbor Discovery (ND) inspection and IPv6 address glean, both of which detect existing addresses on the link and store them in the binding table. IPv6 source guard can deny traffic from unknown sources or unallocated addresses, such as traffic from sources not assigned by a DHCP server.

Define an IPv6 source guard policy name and enter the switch’s source guard policy configuration mode:

ipv6 source-guard policy sg_cdb
 permit link-local
 validate address
!

Apply the IPv6 source guard policy on the downlink interfaces connecting to the Digital Building Series switches:

!
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 2,3
 switchport mode trunk
 device-tracking attach-policy snooping_cdb
 ipv6 nd inspection attach-policy nd_switch
 ipv6 nd raguard attach-policy host-policy
 ipv6 source-guard attach-policy sg_cdb
end

9300-24U#show ipv6 source-guard policy


Policy sg_cdb configuration:
  validate address
  permit link-local
Policy sg_cdb is applied on the following targets:
Target   Type  Policy  Feature       Target range
Gi1/0/1  PORT  sg_cdb  Source guard  vlan all
Gi1/0/2  PORT  sg_cdb  Source guard  vlan all
Gi1/0/3  PORT  sg_cdb  Source guard  vlan all
Gi1/0/4  PORT  sg_cdb  Source guard  vlan all
Gi1/0/5  PORT  sg_cdb  Source guard  vlan all

The IPv6 prefix guard feature works within the IPv6 source guard feature to enable the device to deny traffic that originates from non-topologically correct addresses. IPv6 prefix guard is often used when IPv6 prefixes are delegated to devices (for example, home gateways) using DHCP prefix delegation. The feature discovers the range of addresses assigned to the link and blocks any traffic sourced with an address outside this range.

For prefix guard, define an IPv6 source guard policy with the option to validate the prefix instead of the address:

ipv6 source-guard policy pg_cdb
 permit link-local
 validate prefix
!

Apply the IPv6 source guard policy on the downlink interfaces connecting to the Digital Building Series switches:

!
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 2,3
 switchport mode trunk
 device-tracking attach-policy snooping_cdb
 ipv6 source-guard attach-policy pg_cdb
end

IPv6 destination guard

The IPv6 destination guard feature works with IPv6 neighbor discovery to ensure that the device performs address resolution only for those addresses that are known to be active on the link.

!
ipv6 destination-guard policy dg_policy
!
!
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 2,3
 switchport mode trunk
 device-tracking attach-policy snooping_cdb
 ipv6 destination-guard attach-policy dg_policy
end


Neighbor Discovery (ND) inspection: Limiting the address count

The ND inspection feature is used to avoid and block Distributed Denial of Service (DDoS) attacks that spoof multiple addresses. It limits the number of addresses permitted to participate in the ND process on a particular port. In a lighting deployment using Digital Building Series switches, a maximum of eight legitimate lights would be expected on a single port of the Cisco Catalyst 9300 Series via an individual Digital Building Series switch, so the address count can be set to 8.

!
ipv6 nd inspection policy nd_switch
 limit address-count 8
 device-role switch
!

Neighbor Discovery (ND) inspection: Drop unsecure

This feature drops Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages with no or invalid options or an invalid signature. If the lighting endpoints support a cryptographic version of neighbor discovery, this feature can be used to ensure that only authentic NS and NA messages are processed.

!
ipv6 nd inspection policy nd_switch
 drop-unsecure
 device-role switch
!
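The hardening in this document is spread across two devices and several sections: storm control, PortFast and BPDU guard plus port security on the Digital Building Series light-fixture ports (step 7 and "Port security" above), and the RA guard, source guard, destination guard and ND inspection policies attached to the 9300 downlink trunks (the "IPv6 first-hop security" sections). A deployment with many switches drifts from that baseline one forgotten line at a time. The following Python is an added example, not Cisco's code: it splits an IOS running configuration into its stanzas and reports, per interface, which of the guide's recommended lines are missing, and checks that every attached IPv6 first-hop-security policy is actually defined and that the ND inspection address limit is not above the eight lights the guide expects. The two sample configurations are constructed from the guide's snippets, with one non-compliant port on each switch; the required-line lists are the guide's own commands, with "<value>" standing for any parameter. Note the guide's statement that storm control, PortFast and BPDU guard are on by default on the Digital Building Series downlinks: those lines may be absent from a plain "show running-config", so feed the audit output that includes defaults or drop them from the list for that platform.

```python
"""Audit IOS interface stanzas and IPv6 first-hop-security policies against the
hardening in this guide. Added example, not Cisco's code: the sample configs are
constructed from the guide's snippets; '<value>' in a required line means any parameter."""
import re

# Constructed Digital Building switch config: Fa1/0/1 is compliant, Fa1/0/2 is not.
CDB_CONFIG = """\
interface FastEthernet1/0/1
 switchport access vlan 3
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 storm-control broadcast level 50.00
 storm-control multicast level 50.00
 storm-control unicast level 50.00
 spanning-tree portfast edge
 spanning-tree bpduguard enable
interface FastEthernet1/0/2
 switchport access vlan 3
 switchport mode access
 switchport port-security
 switchport port-security violation protect
 storm-control broadcast level 50.00
 storm-control multicast level 50.00
 storm-control unicast level 50.00
 spanning-tree portfast edge
 spanning-tree bpduguard enable
"""
# Constructed 9300 aggregation config: Gi1/0/1 compliant, Gi1/0/2 incomplete and referencing an undefined policy.
AGG_CONFIG = """\
ipv6 nd raguard policy host-policy
ipv6 nd inspection policy nd_switch
 limit address-count 8
 device-role switch
ipv6 source-guard policy sg_cdb
 permit link-local
 validate address
ipv6 destination-guard policy dg_policy
interface GigabitEthernet1/0/1
 switchport mode trunk
 device-tracking attach-policy snooping_cdb
 ipv6 nd inspection attach-policy nd_switch
 ipv6 nd raguard attach-policy host-policy
 ipv6 source-guard attach-policy sg_cdb
 ipv6 destination-guard attach-policy dg_policy
interface GigabitEthernet1/0/2
 switchport mode trunk
 device-tracking attach-policy snooping_cdb
 ipv6 nd inspection attach-policy nd_old
"""
# Light-fixture access ports on the Digital Building Series switch (step 7 and Port security).
LIGHT_PORT_REQUIRED = [
    "switchport mode access", "switchport access vlan <value>", "switchport port-security",
    "switchport port-security mac-address sticky", "switchport port-security violation restrict",
    "storm-control broadcast level <value>", "storm-control multicast level <value>",
    "storm-control unicast level <value>", "spanning-tree portfast edge", "spanning-tree bpduguard enable",
]
# 9300 downlink trunks toward the Digital Building Series switches (IPv6 first-hop security).
CDB_UPLINK_REQUIRED = [
    "switchport mode trunk", "device-tracking attach-policy <value>", "ipv6 nd inspection attach-policy <value>",
    "ipv6 nd raguard attach-policy <value>", "ipv6 source-guard attach-policy <value>",
    "ipv6 destination-guard attach-policy <value>",
]
ATTACH_RE = re.compile(r"^(ipv6 (?:nd raguard|nd inspection|source-guard|destination-guard)) attach-policy (\S+)$")


def parse_blocks(text):
    """Group an IOS config into {top-level line: [indented sub-lines]}; '!' and blank lines are skipped."""
    blocks, current = {}, None
    for raw in (l for l in text.splitlines() if l.strip() and not l.startswith("!")):
        if raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def _present(req, lines):
    pattern = "^" + ".+".join(re.escape(p) for p in req.split("<value>")) + "$"
    return any(re.match(pattern, line) for line in lines)


def audit_interfaces(blocks, required):
    """Return {interface: [missing recommendations]} for every interface stanza in blocks."""
    return {name.split(" ", 1)[1]: [r.replace(" <value>", "") for r in required if not _present(r, lines)]
            for name, lines in blocks.items() if name.startswith("interface ")}


def audit_policies(blocks, max_addresses=8):
    """Check policy bodies and that every attached IPv6 first-hop-security policy exists."""
    findings = []
    for name, lines in blocks.items():
        if name.startswith("ipv6 nd inspection policy"):
            limits = [int(l.split()[-1]) for l in lines if l.startswith("limit address-count")]
            if not limits or limits[0] > max_addresses:
                findings.append(f"{name}: limit address-count missing or above {max_addresses}")
        elif name.startswith("ipv6 source-guard policy") and not any(l.startswith("validate ") for l in lines):
            findings.append(f"{name}: no 'validate address' or 'validate prefix'")
        elif name.startswith("interface "):
            for m in filter(None, map(ATTACH_RE.match, lines)):
                if f"{m.group(1)} policy {m.group(2)}" not in blocks:
                    findings.append(f"{name}: {m.group(1)} policy {m.group(2)} is not defined")
    return findings
```

Run against the constructed configs, Fa1/0/2 is reported for lacking sticky learning and for using "violation protect" instead of the recommended "restrict", Gi1/0/2 for the three missing guard attachments, and the stale "nd_old" reference is flagged because no such ND inspection policy is defined. The "maximum 1" and "aging time 0" settings are IOS defaults that do not appear in a running configuration, which is why they are not in the required lists.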

Summary

In summary, the Cisco Digital Building Solution can be deployed securely in various topologies, depending on your needs. Cisco Catalyst Digital Building Series Switches come with a range of options designed to provide ease of management. The deployment configuration to get an enterprise IoT network up and running is relatively simple, as described in this document. Digital Building Solution deployments can be secured against a number of IPv6-related vulnerabilities and threats arising due to the possible accessible nature of the Digital Building Series switches by enabling IPv6 first-hop security features on Cisco’s enterprise-class switches, such as the Cisco Catalyst 9300 Series, used as the aggregation point.

Additional resources

Cisco Digital Building Solution

Digital Building Series Switches

Digital Building Series Switches Data Sheet

Digital Building Series Q&A

Digital Building Series Configuration Guides

Digital Building Series Switch Release Notes

Digital Building Series Switch Hardware Installation Guide


Printed in USA C07-740588-00 04/18