- Preface
- Cisco Pulse Overview
- Planning the Cisco Pulse Deployment
- Setting Up the Pulse Appliances
- Installing Cisco Pulse Application Software
- Installing the Cisco Pulse Software License
- Configuring and Maintaining Cisco Pulse
- Creating and Maintaining Vocabularies
- Monitoring Cisco Pulse
- Customizing and Maintaining Cisco Pulse Using the Command-Line Interface
- Backing Up Cisco Pulse Data
- Developing a Gadget for the Home Page
- Viewing Business Data
- Network Configuration Requirements
- Allowing Pulse Locator Access to Anonymous Users
- Reinstalling the Operating System on the Pulse Appliances
- Recovering the Pulse Appliances
- Glossary
- Index
Cisco Pulse Administrator Guide, Release 1.0.5
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Chapter: Network Configuration Requirements
Network Configuration Requirements
Note 
This topic is intended for the network administrator who is responsible for deploying the Pulse Collect and Connect Appliances in the existing IP network and for configuring the existing Cisco switches with features in support of these appliances.
A Pulse Collect Appliance relies on these traffic-capturing features that are available on Cisco switches to observe network traffic for analysis:
•Switched Port Analyzer (SPAN)
•Remote Switched Port Analyzer (RSPAN) with VLAN Access Control Lists (VACLs)
We recommend using RSPAN with VACLs because they support packet filtering via access lists, which optimize the amount of traffic a switch forwards to a Pulse Collect Appliance.
Traffic that is captured and forwarded to the Pulse Collect Appliance should not include 802.1q encapsulation. You must ensure that the SPAN/VACL capture destination port is not configured as a trunk port. That is, the VACL capture of traffic from multiple VLANs to a capture trunk port on a switch cannot be processed by the Pulse Collector Appliance because of the 802.1q encapsulation of the packets forwarded to the appliance.
These topics provide configuration samples that illustrate how to configure RSPAN with VACLs:
•Sample Configuration 1: Cisco Switches Running IOS Software
•Sample Configuration 2: Cisco Switches in Mixed Software Environment
For complete information on setting up the RSPAN with VACLs features on your Cisco switch, see the documentation that accompanies the switch.
Sample Configuration 1: Cisco Switches Running IOS Software
In the sample Pulse topology shown in Figure A-1, the XYZ business unit of Company ABC is deploying Cisco Pulse for users in a campus composed of two buildings. Switch 1 handles traffic generated by users in building 1, while switch 2 handles traffic generated by users in building 2.
A Pulse Collect and Connect Appliance are deployed in this topology. The Pulse Collect Appliance has one RSPAN connection to switch 1 and another RSPAN connection to switch 2. The Pulse Collect Appliance forwards web and email content to the Pulse Connect Appliance by way of the Pulse management port (port 0) on each appliance.
Figure A-1 Sample Pulse Topology 1
This sample configuration shows only the software features that are configured in support of Cisco Pulse on switches 1, 2, and 3; it does not show all features configured on each switch. All switches in this sample configuration run IOS software.
Switch 1
Creates VACL named XYZ-VACL
vlan access-map XYZ-VACL 10
Specifies match condition in extended access list XYZ-TRAFFIC
match ip address XYZ-TRAFFIC
Specifies action to be taken when a match occurs
action forward
Applies XYZ-VACL to VLAN 100
vlan filter XYZ-VACL vlan-list 100
Creates ACL, which permits web and email traffic
ip access-list extended XYZ-TRAFFIC
permit tcp any any eq www
permit tcp any eq www any
permit tcp any any eq 88
permit tcp any eq 88 any
permit tcp any any eq 135
permit tcp any eq 135 any
permit tcp any any eq 445
permit tcp any eq 445 any
permit tcp any any eq 8080
permit tcp any eq 8080 any
List of email servers
permit ip any 172.16.113.0 0.0.0.255
permit ip any 172.16.121.0 0.0.0.255
permit ip 172.16.113.0 0.0.0.255 any
permit ip 172.16.121.0 0.0.0.255 any
Defines RSPAN source as port Te2/1
monitor session 1 source interface Te2/1
Defines RSPAN source as port Te4/1
monitor session 1 source interface Te4/1
Defines RSPAN destination as VLAN 100
monitor session 1 destination remote vlan 100
Defines RSPAN source as VLAN 100
monitor session 2 source remote vlan 100
Switch 2
Creates VACL named XYZ-VACL
vlan access-map XYZ-VACL 10
Specifies match condition in extended access list XYZ-TRAFFIC
match ip address XYZ-TRAFFIC
Specifies action to be taken when a match occurs
action forward
Applies XYZ-VACL to VLAN 100
vlan filter XYZ-VACL vlan-list 100
Creates ACL, which permits web and email traffic
ip access-list extended XYZ-TRAFFIC
permit tcp any any eq www
permit tcp any eq www any
permit tcp any any eq 88
permit tcp any eq 88 any
permit tcp any any eq 135
permit tcp any eq 135 any
permit tcp any any eq 445
permit tcp any eq 445 any
permit tcp any any eq 8080
permit tcp any eq 8080 any
remark Exchange hosts
permit ip any 172.16.113.0 0.0.0.255
permit ip any 172.16.121.0 0.0.0.255
permit ip 172.16.113.0 0.0.0.255 any
permit ip 172.16.121.0 0.0.0.255 any
Defines RSPAN source as port Te2/1
monitor session 1 source interface Te2/1
Defines RSPAN source as port Te4/1
monitor session 1 source interface Te4/1
Specifies RSPAN destination as VLAN 100
monitor session 1 destination remote vlan 100
Specifies RSPAN destination as port Gi3/7
monitor session 2 destination interface Gi3/7
Specifies RSPAN source as VLAN 100
monitor session 2 source remote vlan 100
Switch 3
Specifies RSPAN destination as port Gi1/0/1
monitor session 1 destination interface Gi1/0/1
Specifies RSPAN source as VLAN 100
monitor session 1 source remote vlan 100
Related Topics
•Connecting a Pulse Collect Appliance, page 3-4
•Connecting the Pulse Collect Appliance to a Cisco Switch, page 3-5
Sample Configuration 2: Cisco Switches in Mixed Software Environment
In the sample Pulse topology shown in Figure A-2, Company 123 has deployed a Pulse Collect and Connect Appliance. The Pulse Collect Appliance has one RSPAN connection to switch 1, and one RSPAN connection to switch 2. The Pulse Collect Appliance forwards web and email content to the Pulse Connect Appliance by way of the Pulse management port (port 0) on each appliance.
Figure A-2 Sample Pulse Topology 2
This topology uses these VLANs to segment the various types of traffic:
•VLAN 20 - email traffic
•VLAN 30 - web traffic
•VLAN 40 - Active Directory traffic
•VLAN 111 - RSPAN traffic for switch 1
•VLAN 222 - RSPAN traffic for switch 2
This sample configuration shows only the software features that are configured in support of Cisco Pulse on switches 1 and 2; it does not show all features configured on each switch. Some of the switches in this sample configuration run IOS software, while others run the Catalyst operating system.
Switch 1
Creates VLAN111 for RSPAN traffic
set vlan 111 rspan name VLAN111 state active
Creates VACL MYLABEL that matches the specified ports and email server addresses
set security acl ip mylabel permit arp
set security acl ip mylabel permit tcp any any eq 80 statistics
set security acl ip mylabel permit tcp any eq 80 any statistics
set security acl ip mylabel permit tcp any any eq 88 statistics
set security acl ip mylabel permit tcp any eq 88 any statistics
set security acl ip mylabel permit tcp any any eq 25 statistics
set security acl ip mylabel permit tcp any eq 25 any statistics
set security acl ip mylabel permit ip any 172.16.5.11 0.0.0.0 statistics
set security acl ip mylabel permit ip 172.16.5.11 0.0.0.0 any statistics
Commits VACL MYLABEL to the hardware
commit security acl mylabel
Maps VACL MYLABEL to RSPAN VLAN111
set security acl map mylabel 111
Defines the RSPAN source as bidirectional traffic in VLANs 20 and 30
set rspan source 1/2,2/12 111 both multicast enable create
Defines the RSPAN destination as port 3/15
set rspan destination 3/15 111 inpkts disable learning enable create
Switch 2
Creates VLAN 222 for RSPAN traffic
set vlan 222 rspan name VLAN222 state active
Creates VACL MYLABEL that matches the specified ports and email server addresses
set security acl ip mylabel permit arp
set security acl ip mylabel permit tcp any any eq 80 statistics
set security acl ip mylabel permit tcp any eq 80 any statistics
set security acl ip mylabel permit tcp any any eq 88 statistics
set security acl ip mylabel permit tcp any eq 88 any statistics
set security acl ip mylabel permit tcp any any eq 25 statistics
set security acl ip mylabel permit tcp any eq 25 any statistics
set security acl ip mylabel permit ip any 172.16.5.10 0.0.0.0 statistics
set security acl ip mylabel permit ip 172.16.5.10 0.0.0.0 any statistics
set security acl ip mylabel permit ip any 172.16.5.9 0.0.0.0 statistics
set security acl ip mylabel permit ip 172.16.5.9 0.0.0.0 any statistics
Commits VACL MYLABEL to the hardware
commit security acl mylabel
Maps the VACL to RSPAN VLAN 222
set security acl map mylabel 222
Defines the RSPAN source as bidirectional traffic on VLANs 20, 30, and 40
set rspan source 3/3, 3/6, 2/1 222 both multicast enable create
Defines the RSPAN destination as port 3/19
set rspan destination 3/19 222 inpkts disable learning enable create
Related Topics
•Connecting a Pulse Collect Appliance, page 3-4
•Connecting the Pulse Collect Appliance to a Cisco Switch, page 3-5
Feedback