Configuring COAP Proxy Server
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information about COAP Proxy Server
The Constrained Application Protocol (COAP) is designed for use with constrained devices. COAP plays the same role for accessing information on constrained devices that HTTP plays on servers.
COAP and HTTP compare as follows:
- For a web server: HTTP is the protocol, TCP is the transport, and HTML is the most common information format transported.
- For a constrained device: COAP is the protocol, UDP is the transport, and JSON, link-format, and CBOR are the popular information formats.
COAP provides a means to access and control devices using a GET/POST metaphor and RESTful API similar to those of HTTP.
Restrictions for COAP
The following restrictions apply to COAP proxy server:
- The switch cannot advertise itself as a CoAP client using IPv6 broadcast (CSCuw26467).
- Support for Observe is not implemented.
- Blockwise requests are not supported. We handle block-wise responses and can generate block-wise responses.
- DTLS support is limited to the following modes: RawPublicKey and Certificate Based.
- IPv6 DTLS is not supported on the 3850 platform.
- The switch does not act as a DTLS client. DTLS is for endpoints only.
- Endpoints are expected to handle and respond with CBOR payloads.
- Client-side requests are expected to be in JSON.
- The switch cannot advertise itself to other Resource Directories as IPv6, due to an IPv6 broadcast issue.
- Configuration of Fast PoE, Perpetual PoE or 2-event classification has to be done before physically connecting any endpoint. Alternatively, do a manual shut/no-shut of the ports drawing power.
- Power to the ports is interrupted during an MCU firmware upgrade, and the ports come back up immediately after the upgrade.
Supported Hardware for COAP Proxy Server
COAP Proxy Server is supported on the following Catalyst 3850 Switch Models:
| Switch Model | Cisco IOS Image | Description |
|---|---|---|
| WS-C3850-24T-S | IP Base | Cisco Catalyst 3850 Stackable 24 10/100/1000 Ethernet ports, with 350-WAC power supply 1 RU, IP Base feature set |
| WS-C3850-48T-S | IP Base | Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet ports, with 350-WAC power supply 1 RU, IP Base feature set |
| WS-C3850-24P-S | IP Base | Cisco Catalyst 3850 Stackable 24 10/100/1000 Ethernet PoE+ ports, with 715-WAC power supply 1 RU, IP Base feature set |
| WS-C3850-48P-S | IP Base | Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet PoE+ ports, with 715-WAC power supply 1 RU, IP Base feature set |
| WS-C3850-48F-S | IP Base | Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet PoE+ ports, with 1100-WAC power supply 1 RU, IP Base feature set |
| WS-C3850-24U-S | IP Base | Stackable 24 10/100/1000 Cisco UPOE ports, 1 network module slot, 1100 W power supply |
| WS-C3850-48U-S | IP Base | Stackable 48 10/100/1000 Cisco UPOE ports, 1 network module slot, 1100 W power supply |
| WS-C3850-12S-S | IP Base | Stackable 12 SFP module slots, 1 network module slot, 350-W power supply |
| WS-C3850-24S-S | IP Base | Stackable 24 SFP module slots, 1 network module slot, 350-W power supply |
| WS-C3850-12XS-S | IP Base | Catalyst 3850 12-port SFP+ transceiver, 1 network module slot, support for up to 10 G SFP+, 350 W power supply |
| WS-C3850-16XS-S | IP Base | Catalyst 3850 16-port SFP+ transceiver, 1 network module slot, support for up to 10 G SFP+, 350 W power supply. 16 ports are available when the C3850-NM-4-10G network module is plugged into the WS-C3850-12XS-S switch. |
| WS-C3850-24XS-S | IP Base | Catalyst 3850 24-port SFP+ transceiver, 1 network module slot, support for up to 10 G SFP+, 715 W power supply. |
| WS-C3850-32XS-S | IP Base | Catalyst 3850 32-port SFP+ transceiver, 1 network module slot, support for up to 10 G SFP+, 715 W power supply. 32 ports are available when the C3850-NM-8-10G network module is plugged into the WS-C3850-24XS-S switch. |
| WS-C3850-48XS-S | IP Base | Stackable, with SFP+ transceivers, 48 ports that support up to 10 G, and 4 ports that support up to 40 G. 750 W power supply. |
| WS-C3850-48XS-F-S | IP Base | Stackable, with SFP+ transceivers, 48 ports that support up to 10 G, and 4 ports that support up to 40 G. 750 W power supply. |
| WS-C3850-24XU-S | IP Base | Stackable 24 100M/1G/2.5G/5G/10G UPoE ports, 1 network module slot, 1100-W power supply. |
| WS-C3850-24T-E | IP Services | Cisco Catalyst 3850 Stackable 24 10/100/1000 Ethernet ports, with 350-WAC power supply 1 RU, IP Services feature set |
| WS-C3850-48T-E | IP Services | Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet ports, with 350-WAC power supply 1 RU, IP Services feature set |
| WS-C3850-24P-E | IP Services | Cisco Catalyst 3850 Stackable 24 10/100/1000 Ethernet PoE+ ports, with 715-WAC power supply 1 RU, IP Services feature set |
| WS-C3850-48P-E | IP Services | Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet PoE+ ports, with 715-WAC power supply 1 RU, IP Services feature set |
| WS-C3850-48F-E | IP Services | Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet PoE+ ports, with 1100-WAC power supply 1 RU, IP Services feature set |
| WS-3850-24U-E | IP Services | Cisco Catalyst 3850 Stackable 24 10/100/1000 Cisco UPOE ports, 1 network module slot, 1100-W power supply |
| WS-3850-48U-E | IP Services | Cisco Catalyst 3850 Stackable 48 10/100/1000 Cisco UPOE ports, 1 network module slot, 1100-W power supply |
| WS-C3850-12S-E | IP Services | Stackable, 2 SFP module slots, 1 network module slot, 350-W power supply |
| WS-C3850-24S-E | IP Services | Stackable, 24 SFP module slots, 1 network module slot, 350-W power supply |
| WS-C3850-12XS-E | IP Services | Catalyst 3850 12-port SFP+ transceiver, 1 network module slot, support for up to 10 G SFP+, 350-W power supply. |
| WS-C3850-16XS-E | IP Services | Catalyst 3850 16-port SFP+ transceiver, 1 network module slot, support for up to 10 G SFP+, 350 W power supply. 16 ports are available when the C3850-NM-4-10G network module is plugged into the WS-C3850-12XS-E switch. |
| WS-C3850-24XS-E | IP Services | Catalyst 3850 24-port SFP+ transceiver, 1 network module slot, support for up to 10 G SFP+, 715 W power supply. |
| WS-C3850-32XS-E | IP Services | Catalyst 3850 32-port SFP+ transceiver, 1 network module slot, support for up to 10 G SFP+, 715 W power supply. 32 ports are available when the C3850-NM-8-10G network module is plugged into the WS-C3850-24XS-E switch. |
| WS-C3850-48XS-E | IP Services | Stackable, SFP+ transceivers, 48 ports that support up to 10 G, and 4 ports that support up to 40 G. 750 W power supply. |
| WS-C3850-48XS-F-E | IP Services | Stackable, SFP+ transceivers, 48 ports that support up to 10 G, and 4 ports that support up to 40 G. 750 W power supply. |
| WS-C3850-24XU-E | IP Services | Stackable 24 100M/1G/2.5G/5G/10G UPoE ports, 1 network module slot, 1100-W power supply. |
Configuring COAP Proxy Server
To configure the COAP proxy server, you can configure the COAP Proxy and COAP Endpoints in the Configuration mode.
The commands are: coap [proxy | endpoints].
Configuring COAP Proxy
To start or stop the COAP proxy on the switch, perform the steps given below:
1. enable
2. configure terminal
3. coap proxy
4. security [none [[ ipv4 | ipv6 ] {ip-address ip-mask/prefix} | list {ipv4-list name | ipv6-list-name}] | dtls [id-trustpoint {identity-trustpoint label}] [verification-trustpoint {verification-trustpoint} | [ ipv4 | ipv6 {ip-address ip-mask/prefix}] | list {ipv4-list name | ipv6-list-name}]]
5. max-endpoints {number}
6. port-unsecure {port-num}
7. port-dtls {port-num}
8. resource-directory [ ipv4 | ipv6 ] {ip-address}
9. list [ ipv4 | ipv6 ] {list-name}
10. start
11. stop
12. exit
DETAILED STEPS
Configuring COAP Endpoints
To configure the COAP Proxy to support multiple IPv4/IPv6 static-endpoints, perform the steps given below:
DETAILED STEPS
| | Command or Action | Purpose |
|---|---|---|
| Step 1 | enable (Example: Device> enable) | Enables privileged EXEC mode. Enter your password if prompted. |
| Step 2 | configure terminal (Example: Device# configure terminal) | |
| Step 3 | coap endpoint [ ipv4 \| ipv6 ] {ip-address} (Example: Device(config)#coap endpoint ipv4 1.1.1.1 and Device(config)#coap endpoint ipv6 2001::1) | |
| Step 4 | exit (Example: Device(config-coap-endpoint)# exit) | Exits the COAP endpoint sub mode. |
| Step 5 | end (Example: Device(config)# end) | |
Monitoring COAP Proxy Server
| Command | Purpose |
|---|---|
| show coap version | Shows the IOS COAP version and the RFC information. |
| show coap resources | Shows the resources of the switch and those learnt by it. |
| show coap endpoints | Shows the endpoints which are discovered and learnt. |
| show coap globals | Shows the timer values and end point values. |
| show coap stats | Shows the message counts for endpoints, requests and external queries. |
| show coap dtls-endpoints | Shows the dtls endpoint status. |
| clear coap database | Clears the COAP learnt on the switch, and the internal database of endpoint information. |
| debug coap database | Debugs the COAP database output. |
| debug coap errors | Debugs the COAP errors output. |
| debug coap events | Debugs the COAP events output. |
| debug coap packets | Debugs the COAP packets output. |
| debug coap trace | Debugs the COAP traces output. |
| debug coap warnings | Debugs the COAP warnings output. |
| debug coap all | Debugs all the COAP output. |

Note: If you wish to disable the debugs, prepend the command with a "no" keyword.
Examples: COAP Proxy Server
This example shows how you can configure the port number 5683 to support a maximum of 10 endpoints.
Device#coap proxy security none ipv4 2.2.2.2 255.255.255.0 port 5683 max-endpoints 10
------------------------------------------------------------------------------------------------
This example shows how to configure COAP proxy on ipv4 1.1.0.0 255.255.0.0 with no security settings.
Device(config-coap-proxy)# security ?
  dtls   dtls
  none   no security
Device(config-coap-proxy)#security none ?
  ipv4   IP address range on which to learn lights
  ipv6   IPv6 address range on which to learn lights
  list   IP address range on which to learn lights
Device(config-coap-proxy)#security none ipv4 ?
  A.B.C.D {/nn || A.B.C.D}   IP address range on which to learn lights
Device(config-coap-proxy)#security none ipv4 1.1.0.0 255.255.0.0
------------------------------------------------------------------------------------------------
This example shows how to configure COAP proxy on ipv4 1.1.0.0 255.255.0.0 with dtls id trustpoint security settings.
Device(config-coap-proxy)#security dtls ?
  id-trustpoint   DTLS RSA and X.509 Trustpoint Labels
  ipv4   IP address range on which to learn lights
  ipv6   IPv6 address range on which to learn lights
  list   IP address range on which to learn lights
Device(config-coap-proxy)#security dtls id-trustpoint ?
  WORD   Identity TrustPoint Label
Device(config-coap-proxy)#security dtls id-trustpoint RSA-TRUSTPOINT ?
  verification-trustpoint   Certificate Verification Label
  <cr>
Device(config-coap-proxy)#security dtls id-trustpoint RSA-TRUSTPOINT
Device(config-coap-proxy)#security dtls ?
  id-trustpoint   DTLS RSA and X.509 Trustpoint Labels
  ipv4   IP address range on which to learn lights
  ipv6   IPv6 address range on which to learn lights
  list   IP address range on which to learn lights
Device(config-coap-proxy)# security dtls ipv4 1.1.0.0 255.255.0.0

Note: For configuring ipv4 / ipv6 / list, the id-trustpoint and (optional) verification-trustpoint should be pre-configured; otherwise the system shows an error.
------------------------------------------------------------------------------------------------
This example shows how to configure a Trustpoint. This is a pre-requisite for COAP security dtls with id trustpoint configurations.
ip domain-name myDomain
crypto key generate rsa general-keys exportable label MyLabel modulus 2048
Device(config)#crypto pki trustpoint MY_TRUSTPOINT
Device(ca-trustpoint)#rsakeypair MyLabel 2048
Device(ca-trustpoint)#enrollment selfsigned
Device(ca-trustpoint)#exit
Device(config)#crypto pki enroll MY_TRUSTPOINT
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
------------------------------------------------------------------------------------------------
This example shows how to configure COAP proxy on ipv4 1.1.0.0 255.255.0.0 with dtls verification trustpoint (DTLS with certificates or verification trustpoints).
Device(config-coap-proxy)#security dtls ?
  id-trustpoint   DTLS RSA and X.509 Trustpoint Labels
  ipv4   IP address range on which to learn lights
  ipv6   IPv6 address range on which to learn lights
  list   IP address range on which to learn lights
Device(config-coap-proxy)#security dtls id-trustpoint ?
  WORD   Identity TrustPoint Label
Device(config-coap-proxy)#security dtls id-trustpoint RSA-TRUSTPOINT ?
  verification-trustpoint   Certificate Verification Label
  <cr>
Device(config-coap-proxy)#security dtls id-trustpoint RSA-TRUSTPOINT verification-trustpoint ?
  WORD   Identity TrustPoint Label
Device(config-coap-proxy)#security dtls id-trustpoint RSA-TRUSTPOINT verification-trustpoint CA-TRUSTPOINT ?
  <cr>
------------------------------------------------------------------------------------------------
This example shows how to configure Verification Trustpoint. This is a pre-requisite for COAP security dtls with verification trustpoint configurations.
Device(config)#crypto pki import CA-TRUSTPOINT pkcs12 flash:hostA.p12 password cisco123
% Importing pkcs12...
Source filename [hostA.p12]?
Reading file from flash:hostA.p12
CRYPTO_PKI: Imported PKCS12 file successfully.
------------------------------------------------------------------------------------------------
This example shows how to create a list named trial_list, to be used in the security [ none | dtls ] command options.
Device(config-coap-proxy)#list ipv4 trial_list
Device (config-coap-proxy-iplist)#1.1.0.0 255.255.255.0
Device (config-coap-proxy-iplist)#2.2.0.0 255.255.255.0
Device (config-coap-proxy-iplist)#3.3.0.0 255.255.255.0
Device (config-coap-proxy-iplist)#exit
Device (config-coap-proxy)#security none list trial_list
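
An offline audit of the security none and security dtls statements shown in the examples above, reporting which address ranges learn endpoints without DTLS and whether a DTLS range lacks an id-trustpoint. This is an added example, not Cisco tooling; both sample configurations and their indented layout are constructed assumptions, and only the keywords come from this page.

```python
import ipaddress

# Constructed samples: keywords follow this page, the indented layout is an assumption.
WEAK_CONFIG = """\
coap proxy
 list ipv4 trial_list
  1.1.0.0 255.255.255.0
  2.2.0.0 255.255.255.0
  3.3.0.0 255.255.255.0
 security none list trial_list
 max-endpoints 10
"""
DTLS_CONFIG = """\
coap proxy
 security dtls id-trustpoint RSA-TRUSTPOINT verification-trustpoint CA-TRUSTPOINT
 security dtls ipv4 1.1.0.0 255.255.0.0
 max-endpoints 10
"""

def to_network(tokens):
    """['A.B.C.D', 'MASK'] or ['addr/prefix'] -> network (host bits tolerated)."""
    return ipaddress.ip_network("/".join(tokens), strict=False)

def audit_coap_proxy(config_text):
    """Report which ranges learn endpoints in cleartext and which over DTLS."""
    lists, open_list = {}, None
    refs = {"none": [], "dtls": []}   # per mode: networks or list names
    trustpoints = {"id-trustpoint": None, "verification-trustpoint": None}
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:1] == ["list"] and len(tok) == 3:   # list [ipv4|ipv6] {list-name}
            open_list = lists.setdefault(tok[2], [])
            continue
        if open_list is not None:
            try:
                open_list.append(to_network(tok))
                continue
            except ValueError:
                open_list = None                    # first non-range line ends the list
        if tok[:1] != ["security"] or len(tok) < 4 or tok[1] not in refs:
            continue
        mode, args = tok[1], tok[2:]
        if args[0] == "list":
            refs[mode].append(args[1])
        elif args[0] in ("ipv4", "ipv6"):
            refs[mode].append(to_network(args[1:]))
        else:                                       # trustpoint keyword/label pairs
            trustpoints.update((k, v) for k, v in zip(args[::2], args[1::2])
                               if k in trustpoints)
    def resolve(mode):   # expand list names after the whole config has been read
        return [n for ref in refs[mode]
                for n in (lists.get(ref, []) if isinstance(ref, str) else [ref])]

    cleartext, dtls = resolve("none"), resolve("dtls")
    return {
        "cleartext_ranges": [str(n) for n in cleartext],
        "cleartext_addresses": sum(n.num_addresses for n in cleartext),
        "dtls_ranges": [str(n) for n in dtls],
        "trustpoints": trustpoints,
        "dtls_without_id_trustpoint": bool(dtls) and trustpoints["id-trustpoint"] is None,
    }

if __name__ == "__main__":
    print(audit_coap_proxy(WEAK_CONFIG), audit_coap_proxy(DTLS_CONFIG), sep="\n")
```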
------------------------------------------------------------------------------------------------
This example shows all the negation commands available in the coap-proxy sub mode.
Device(config-coap-proxy)#no ?
ip-list Configure IP-List
max-endpoints maximum number of endpoints supported
port-unsecure Specify a port number to use
port-dtls Specify a dtls-port number to use
resource-discovery Resource Discovery Server
security CoAP Security features
------------------------------------------------------------------------------------------------
This example shows how you can configure multiple IPv4/IPv6 static-endpoints on the coap proxy.
Device (config)# coap endpoint ipv4 1.1.1.1
Device (config)# coap endpoint ipv4 2.1.1.1
Device (config)# coap endpoint ipv6 2001::1
------------------------------------------------------------------------------------------------
Device#show coap version
CoAP version 1.0.0
RFC 7252
------------------------------------------------------------------------------------------------
Device#show coap resources
Link format data =
</>
</1.1.1.6/cisco/context>
</1.1.1.6/cisco/actuator>
</1.1.1.6/cisco/sensor>
</1.1.1.6/cisco/lldp>
</1.1.1.5/cisco/context>
</1.1.1.5/cisco/actuator>
</1.1.1.5/cisco/sensor>
</1.1.1.5/cisco/lldp>
</cisco/flood>
</cisco/context>
</cisco/showtech>
</cisco/lldp>
------------------------------------------------------------------------------------------------
Device#show coap globals
Coap System Timer Values :
Discovery : 120 sec
Cache Exp : 5 sec
Keep Alive : 120 sec
Client DB : 60 sec
Query Queue: 500 ms
Ack delay : 500 ms
Timeout : 5 sec
Max Endpoints : 10
Resource Disc Mode : POST
------------------------------------------------------------------------------------------------
Device#show coap stats
Coap Stats :
Endpoints : 2
Requests : 20
Ext Queries : 0
------------------------------------------------------------------------------------------------
Device#show coap endpoints
List of all endpoints :
Code : D - Discovered , N - New
# Status Age(s) LastWKC(s) IP
-------------------------------------------------------------------------
1 D 10 94 1.1.1.6
2 D 6 34 1.1.1.5
Endpoints - Total : 2 Discovered : 2 New : 0
------------------------------------------------------------------------------------------------
Device#show coap dtls-endpoints
# Index State String State Value Port IP
---------------------------------------------------------------
1 3 SSLOK 3 48969 20.1.1.30
2 2 SSLOK 3 53430 20.1.1.31
3 4 SSLOK 3 54133 20.1.1.32
4 7 SSLOK 3 48236 20.1.1.33
------------------------------------------------------------------------------------------------
This example shows all options available to debug the COAP protocol.
Device#debug coap ?
all Debug CoAP all
database Debug CoAP Database
errors Debug CoAP errors
events Debug CoAP events
packet Debug CoAP packet
trace Debug CoAP Trace
warnings Debug CoAP warnings
