2960S Switch with a UC520
We have a UC520 but it is esentially maxed out with the 8 port switch as well as an additional 8 port switch. I would like to upgrade to a 24 port switch at a minimum. I was looking at the 2960S-24PD-L for about $1300 at Newegg. How difficult will it be do add this switch to the UC520. I've worked with CLI before, but am by no means great at it.
Thanks!
Hello Reid,
I recommend that you use the SF300-24P or SG300-28P depending on whether you want gigabit or not. (SG or SF). This switch is web gui based. When using with the UC500 there is next to no setup as default settings will be more than fine. I do recommend that you upgrade the switch to the latest Cisco Firmware available from Cisco.com after buying it. You will find the hardware is very reliable and much more affordable for small business than the 2960.
** Please note that the SG300/SF300 switches support 802.3af PoE standard. They will not power old, pre-standard Cisco IP Phones. Check your phone models to ensure they support 802.3af.
Similar Messages
-
Half Duplex/100M problem on 2960 switch with GLC-GE-100FX
We have a 2960-24TC switch with GLC-GE-100FX SFP interface converter. We connected the switch to another switch through fiber, one end was GLC-GE-100FX and the other end was a 100/FULL ATI media converter. Both switches could talk to each other. The problem was the GLC-GE-100FX interface running at 100M/half duplex status and we couldn't change the port configuration. Is there a way to fix this problem? Your help would be much appreciated.
Using show interface command. It shows half duplex. It's a new design on Cisco 2960-24TC switches, the Giga uplink ports are dual purposed. When I plugged GLC-GE-100FX SFP interface converter and connected it to a media converter, it showed half duplex. There's no way I could change the speed and duplex under that configuration.
-
Power up cisco 2960 switch with 12V DC Power
hi all ,
I have some issue with supply power to cisco 2960-24TT-L switch. In my server farm rack is having DC current of -48V. But however cisco switch require 12V DC current.
Cisco Spec.
Cisco Catalyst 2960-24TT-L
12V at 5 A
5 A
How can I power on the switch using DC current ? Is there any power converter which I can purchase ? your responses are very much.
ThanksYou may also go here:
https://supportforums.cisco.com/community/netpro/small-business
The Search Function is your friend.... and Google too.
How to Secure your Network
How to Upgrade Routers Firmware
Setting-Up a Router with DSL Internet Service
Setting-Up a Router with Cable Internet Service
How to Hard Reset or 30/30/30 your Router -
2960 switch fiber connection over 40km single strand SM fiber
Hello everyone,
We are having an issue with the connection in the subject. We just gost dark fiber for connecting 2 2960 switches with single strand single mode fiber over more than 10Km.
Looking at the compatibility matrix and the SFP gigabit applications the 1000BASE-BX10 is the best I could find but cannot reach more than 10Km.
Can anyone please propose a solution? If media converters are the only way to go can please sugest manufacturer/model (even with SC connector) since Cisco does not make Media converters.
Thank you
MarioA 40 km link is usually run using 1550nm wavelength due to lower light loss on the fiber at this wavelength. The 1000BaseEX module is spec'd to 40km and runs at 1310 nm wavelength, but you will lose light through a WDM filter (which is integrated in the single fiber SFP) which would reduce the link's length. I would check with some of the 3rd party media converter manufactures to see if any of them have a lower cost solution that operates over a single fiber at >40km.
Sorry... a link loss budget is the sum of:
Fiber cable loss + fiber connector losses + fiber splice losses + impairment losses (dispersion or PMD) + aging losses (safety margin).
If the transceiver's Loss Budget is greater than the Link Loss Budget, then the link should operate.
www.thefoa.org has some good videos for understanding fiber terminology at an easy to understand level. -
Cisco 2960S FPS-L PoE switch with Avaya 9811g VOIP setup
Hello,
I am connecting a setup for data/voice connecting Catalyst 2960S-FPS-L PoE switch with Avaya 9811g series VOIP phone. As per my knowledge cisco switch works well with Cisco phone as it has got some builtin "Macros" and Intelligent PoE recognition when we connect device getting the details of another device through CDP. I understand I have to create data and voice vlan with QOS then enable trunking on the interface to other switch that is also 2960. Little confuse if is there any compatibility issues with Switch and Avaya phone regarding protocol/data/voice...?
Do I have to do PoE config for each port on the each interface?
any help or detail config will help.
Thanks in advance.Hi I am back after good research. created two vlan data and voice with trunk on interface1/0/48 given below config..
connection b/w 2960s FPS Switch and Avaya 9611g IP Phone.
lldp/cdp is enable on switch
So I created this config if some one can take a look .
expert advise if something wrong?..
I am only concern with Voice and PoE as voice is my priority. do i have to map something for voice quality?
also if i create another Trunk port one allow voice other allow data both cable will go to switch will that be issue?
interface....
switchport access vlan x
switchport mode access
switchport nonegotiate
switchport voice vlan xx
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust
spanning-tree portfast
interface ........
switchport trunk allowed vlan x,x
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust -
Connecting 2 3750 Switches in Stack with 2 2960 switches in full Mesh
Hi Friends,
I have attached a pics which DC design of one of our customer , as network engineer i have design this , so i am responsible for implementing it, now request you all to kindly guide me what would be technical problem i have to face in achieving this and how can i over come .Please be in detail. Waiting for your response .
Regards
Amit KulshresthaI have attached modified diagram , please suggest.
The major issue I see is that you have not mentioned whether the 2960's are stacked? For the design to work, they need to be stacked because you cannot create port-channels between them and the Core switches unless then 2960's are stacked.
==> You are right , surely 2960 Switch need to be in stack form.
Personally I would look at more powerful switches than the 2960's, something along the lines of the 3750x range or probably now the 3850's.
==> This is constrain of customer, not our responsibility.
The second issue I see is that your servers are connected to the WAN switches. Is there a reason for this? Usually they would be connected to the core switches.
==> For this If 1 separate 2960 series switch can be used ?.
The final point is that you only have single connections from each of your WAN connections which begs the question as to the purpose of having two WAN switches?
==> Customer is having 1900 series of router , only two ports one used for WAN and other used for LAN.
The objective of having two switches is to provide redundancy/resiliency. If you have only one connection from each WAN then why do you need two switches as there is no redundancy?
==> Customer has agreed to have manual change at the time of failure. -
Can not administer Catalyst 2960 switch via console
Hello,
I want to configure my switch via console cable, the switch boots up normally, and there are no configurations present on the switch. However, anything I type does not appear on the terminal client. I used several terminal clients (TeraTerm, PuTTY, HyperTerminal), all latest versions as well as different PCs. I even forced the switch to rommon mode, still, anything I type does not appear on the terminal client.
Here's the output of TeraTerm:
Boot Sector Filesystem (bs) installed, fsid: 2
Base ethernet MAC Address: e8:40:40:06:f0:80
Xmodem file system is available.
The password-recovery mechanism is enabled.
Initializing Flash...
flashfs[0]: 542 files, 19 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32514048
flashfs[0]: Bytes used: 11565056
flashfs[0]: Bytes available: 20948992
flashfs[0]: flashfs fsck took 11 seconds.
...done Initializing Flash.
done.
Loading "flash:/c2960-lanbasek9-mz.122-50.SE5/c2960-lanbasek9-mz.122-50.SE5.bin"...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
File "flash:/c2960-lanbasek9-mz.122-50.SE5/c2960-lanbasek9-mz.122-50.SE5.bin" uncompressed and installed, entry point: 0x3000
executing...
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(50)SE5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 28-Sep-10 13:44 by prod_rel_team
Image text-base: 0x00003000, data-base: 0x01400000
Initializing flashfs...
fsck: Disable shadow buffering due to heap fragmentation.
flashfs[1]: 542 files, 19 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 32514048
flashfs[1]: Bytes used: 11565056
flashfs[1]: Bytes available: 20948992
flashfs[1]: flashfs fsck took 2 seconds.
flashfs[1]: Initialization complete....done Initializing flashfs.
Checking for Bootloader upgrade.. not needed
POST: CPU MIC register Tests : Begin
POST: CPU MIC register Tests : End, Status Passed
POST: PortASIC Memory Tests : Begin
POST: PortASIC Memory Tests : End, Status Passed
POST: CPU MIC interface Loopback Tests : Begin
POST: CPU MIC interface Loopback Tests : End, Status Passed
POST: PortASIC RingLoopback Tests : Begin
POST: PortASIC RingLoopback Tests : End, Status Passed
POST: PortASIC CAM Subsystem Tests : Begin
POST: PortASIC CAM Subsystem Tests : End, Status Passed
POST: PortASIC Port Loopback Tests : Begin
POST: PortASIC Port Loopback Tests : End, Status Passed
Waiting for Port download...Complete
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco WS-C2960-24TT-L (PowerPC405) processor (revision J0) with 65536K bytes of memory.
Processor board ID FOC1510X4ZQ
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : E8:40:40:06:F0:80
Motherboard assembly number : 73-12600-05
Power supply part number : 341-0097-03
Motherboard serial number : FOC15094MZG
Power supply serial number : DCA150583WQ
Model revision number : J0
Motherboard revision number : A0
Model number : WS-C2960-24TT-L
System serial number : FOC1510X4ZQ
Top Assembly Part Number : 800-32797-01
Top Assembly Revision Number : F0
Version ID : V09
CLEI Code Number : COM3L00BRE
Hardware Board Revision Number : 0x0A
Switch Ports Model SW Version SW Image
* 1 26 WS-C2960-24TT-L 12.2(50)SE5 C2960-LANBASEK9-M
Press RETURN to get started!
*Mar 1 00:00:31.381: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 00:00:32.556: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
*Mar 1 00:00:35.802: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to down
*Mar 1 00:00:35.861: %SYS-5-CONFIG_I: Configured from memory by console
*Mar 1 00:00:36.012: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(50)SE5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 28-Sep-10 13:44 by prod_rel_team
*Mar 1 00:00:36.037: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Mar 1 00:00:37.060: %LINK-5-CHANGED: Interface FastEthernet0/6, changed state to administratively down
*Mar 1 00:00:37.094: %LINK-5-CHANGED: Interface FastEthernet0/7, changed state to administratively down
*Mar 1 00:00:37.127: %LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
*Mar 1 00:00:37.161: %LINK-5-CHANGED: Interface FastEthernet0/9, changed state to administratively down
*Mar 1 00:00:37.195: %LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down
*Mar 1 00:00:37.228: %LINK-5-CHANGED: Interface FastEthernet0/11, changed state to administratively down
*Mar 1 00:00:37.262: %LINK-5-CHANGED: Interface FastEthernet0/12, changed state to administratively down
*Mar 1 00:00:37.362: %LINK-5-CHANGED: Interface FastEthernet0/13, changed state to administratively down
*Mar 1 00:00:37.362: %LINK-5-CHANGED: Interface FastEthernet0/14, changed state to administratively down
*Mar 1 00:00:37.362: %LINK-5-CHANGED: Interface FastEthernet0/15, changed state to administratively down
*Mar 1 00:00:37.404: %LINK-5-CHANGED: Interface FastEthernet0/16, changed state to administratively down
*Mar 1 00:00:37.446: %LINK-5-CHANGED: Interface FastEthernet0/17, changed state to administratively down
*Mar 1 00:00:37.488: %LINK-5-CHANGED: Interface FastEthernet0/18, changed state to administratively down
*Mar 1 00:00:37.497: %LINK-5-CHANGED: Interface FastEthernet0/19, changed state to administratively down
*Mar 1 00:00:37.539: %LINK-5-CHANGED: Interface FastEthernet0/20, changed state to administratively down
*Mar 1 00:00:37.572: %LINK-5-CHANGED: Interface FastEthernet0/21, changed state to administratively down
*Mar 1 00:00:37.606: %LINK-5-CHANGED: Interface FastEthernet0/22, changed state to administratively down
*Mar 1 00:00:37.639: %LINK-5-CHANGED: Interface FastEthernet0/23, changed state to administratively down
*Mar 1 00:00:37.673: %LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down
*Mar 1 00:00:37.690: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
*Mar 1 00:00:37.715: %LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to administratively down
After the last line, I can not type any command at all. I encountered this on three 2960 switches that we have here in our laboratory. Can anybody help me on how I can get access to the switch via console?
Thanks in advance.Have You Check your console Cable.
also
If u are using USB to Serial check driver are properly installed.
else
See Helpful Cisco Documentation
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008010ff7a.shtml
Do Rate Helpful Posts -
Catalyst 2960 Problem with Cisco SPA512
Hi there,
I hope someone can help me.
I don't have much experience with switches, I'm doing the desktop support in our company.
We have Catalyst 4510 R+E to 2 Catalyst 2960 switches and seperate VLAN's for IP Phones and for Internet in one part of our office.
Now I'm running into trouble with some IP Phones that are connected to the 2960 switches. It appears only to happen with Cisco's SPA-512. I've tried FW 7.5.2, 7.5.5 and 7.5.5b. These phones sporadically drop the call / connection, with the red MIC button blinking. Based on my research this means that it looses Internet connection. I have 1 SPA512 with FW 7.5.1 that does not show these symptoms.
I have other phones SPA942 and Polycom IP335 in the same area behind the same switches and no issues.
We've tried to disable auto negotiate and set a fixed transmition rate or either 1Gbps and 100Mbps, both without success.
I also have SPA512 in other areas of the office just connected to our Catalyst 4510 R+E and they work just fine. That's why I don't believe it has anything to do with the 4510, but I can be wrong.
That's all I have for you guys. Hope someone can help me to fix / troubleshoot this..
FrankSSwitch3#test cable-diagnostics tdr int g1/0/16
TDR test started on interface Gi1/0/16
A TDR test can take a few seconds to run on an interface
Use 'show cable-diagnostics tdr' to read the TDR results.
SSwitch3#show cable-diagnostics tdr int g1/0/16
TDR test last run on: June 27 13:39:21
Interface Speed Local pair Pair length Remote pair Pair status
Gi1/0/16 1000M Pair A 52 +/- 10 meters Pair A Normal
Pair B 52 +/- 10 meters Pair B Normal
Pair C 52 +/- 10 meters Pair C Normal
Pair D 52 +/- 10 meters Pair D Normal
SSwitch3# -
Etherchannel between 2960 switches
Hello All,
I configured etherchannel between two 2960 switches.
Both the switches have SVI with subnet 192.168.2.3 and 192.168.2.4
I have another vlan3 on one of the switch.
so when i created etherchannel between two Gig ports and allowed both the vlans,it gave me an error messg,
Nov 3 12:41:07.332 KSA: %EC-5-CANNOT_BUNDLE2: Gi1/0/19 is not compatible with Gi1/0/20 and will be suspended (vlan mask is different)
Nov 3 12:41:07.339 KSA: %EC-5-CANNOT_BUNDLE2: Gi1/0/19 is not compatible with Po1 and will be suspended (vlan mask is different)
Nov 3 12:41:07.339 KSA: %EC-5-CANNOT_BUNDLE2: Gi1/0/19 is not compatible with Po1 and will be suspended (vlan mask is different)
Nov 3 12:41:07.339 KSA: %EC-5-CANNOT_BUNDLE2: Gi1/0/20 is not compatible with Po1 and will be suspended (vlan m
May i know why....
ThanksHello Mudasir
This will be a problem of allowed vlan mismatch. All the interfaces which are going to add in the etherchannel must have same allowed vlan on both sides.
You can check for the allowed vlan on all the interfaces as well as on Port-channel.
You can see the below forum having the same problem:
https://supportforums.cisco.com/discussion/9757346/etherchannel-prob
Regards,
Mukesh Kumar
Network Engineer
Spooster IT Services -
How i can calculate the backplane speed & throughput of cisco 48 1G 2960S switch?
How i can calculate the backplane speed & throughput of cisco 48 1G 2960S switch?
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Calculate? Calculate for wirespeed/line-rate? If the latter, take all the port bandwidths, and assuming they are duplex, double for necessary fabric bandwidth. I.e. 48 gig ports would need a 96 Gbps fabric. Take all your port bandwidths, and allow 1.448 Mpps per gig (for minimum size Ethernet packets), i.e. 48 gig ports would need 69.5 Mpps. Once you have required fabric bandwidth and PPS, you can compare to vendor's specs. -
Why is 2960 switch blocking one pc?
I have port security configured on the switch with no STICKY mode. Many computers can connect on that switch and DHCP works well, but a particular win8 laptop gets blocked immediately when I connect to that 2960. I have a second 2960 and the same pc can connect with DHCP no problem.
JasonYes, I have the same Port Security setting across the entire switch except the router on a stick line. I have each port with max 5 Mac addresses except cascade line to switch 2.
-
Aironet 1142 as supplicant to 2960 switch (NEAT/CISP/MAB)
Hello!
First, my configuration, (then the problem down below):
I have an Aironet 1142 with mulitple SSIDs [mapped to VLANs] connected to Gi1/0/2 on a 2960 switch in a user-accessible area. This switch is uplinked to another 2960 switch in a wiring closet, and the Microsoft NPS server is connected to the wiring closet 2960.
Aironet -- 2960 [user area] --- 2960 [closet] -- NPS RADIUS
I have the user-area 2960 configured as an authenticator switch for dot1x, and port Gi1/0/2 is authenticating the Aironet via MAB to RADIUS. RADIUS is sending VSA device-traffic-class=switch to the 2960. The closet-2960 has no special 802.1x configuration, nor is it an authenticator swtich; it just has a manually-configured trunk port to the user-area 2960 [for now; i'm trying to take this one step at a time!].
The user-area 2960 correctly converts port Gi1/0/1 to a trunk port when the Aironet is authenticated [via MAB]. The Aironet boots up, the port is opened, I can ping the Aironet on the native VLAN, and all is well [so it seems]. The Aironet's dot11Radio is configured for two SSIDs and mapped to VLANs, which are being spanned via STP thru the user-area 2960 and the closet-2960. STP is correct and verified on all switches.
I have DHCP snooping configured on the user-area 2960 but only for VLAN 1 [but NOT the wireless user VLANs], the trunk port to the closet 2960 is a trusted port. Hosts on the wired ports on the user-area 2960 are able to get DHCP IPs. On the Aironet, "show dot11 associations" shows hosts on the SSIDs are getting DHCP addresses. Again, I am *NOT* running dhcp snooping on wireless SSID VLANs [i read elsewhere that can cause problems as users roam between Aironets].
I do have CISP configured on the user-area 2960. I do not have CISP configured on the closet-2960 [best I can tell, that's not required at this stage, but I could be wrong].
Despite the alleged documentation, I could not get the Aironet to use a dot1x credentials profile to authenticate to NPS/RADIUS as an 802.1x supplicant, which is why I resorted to MAB for this exercise. The Aironet simply would not run dot1x [best I could tell]. The documentation and configuration didn't seem complex, so I was quite confused.
I have upgraded the Aironet to the latest 12.4(25d)JA2 software, and the 2960 is at 12.2(55)SE7 [i saw 12.2(58) has some issues, but i'm willing to be persuaded otherwise, based on sound advice].
Ok, now the problem:
Users on the guest wireless SSID (Vlan 20) say they cannot connect. Yep, classic. VLAN 20 is trunked and spanned to all the sufficient places. The Aironet shows users in the associations list for that SSID with IP addresses from the DHCP server! DHCP snooping is not configured on that VLAN.
I read another support forum post saying CISP and MAB could cause problems with "disappearing" ARP entries. I appear to have that problem. However, the user on the Staff wireless (VLAN 10) has full access. Am I running into a problem with "multi-host" authentication config? Via tcpdump on my firewall, I see nothing but broadcast and multicast traffic coming from a host on VLAN 20. What puzzles me is how I do see *SOME* traffic from a VLAN 20 host on this SSID, but no unicast traffic! Argh!
Since you're going to ask, here is my port config for this AP on the 2960 authenticator switch in the user-area, and the AAA config pieces:
#sh run br | in ip dhcp
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp_snoop.txt
ip dhcp snooping
#sh ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is operational on following VLANs:
1
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: ccd5.3947.7980 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
GigabitEthernet1/0/46 no no 15
Custom circuit-ids:
GigabitEthernet1/0/48 yes yes unlimited
Custom circuit-ids:
GigabitEthernet1/0/52 yes yes unlimited
Custom circuit-ids:
#sh run br | incl aaa auth
aaa authentication login default local group rad_eap
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default local group rad_eap
aaa authorization network default group rad_eap local
#sh run int gi1/0/2
interface GigabitEthernet1/0/2
description Wireless Access Points
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 1 30 35 5
srr-queue bandwidth limit 50
priority-queue out
authentication host-mode multi-host
authentication order mab dot1x
authentication port-control auto
authentication violation restrict
mab
mls qos trust cos
macro description CISCO_WIRELESS_AP_EVENT
auto qos trust
spanning-tree portfast
#sh int gi1/0/2 sw
Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
#sh auth sess int gi1/0/2
Interface: GigabitEthernet1/0/2
MAC Address: acf2.c5f2.8e27
IP Address: 10.100.32.42
User-Name: acf2c5f28e27
Status: Authz Success
Domain: DATA
Oper host mode: multi-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A64200B00000CDA41AFBEDF
Acct Session ID: 0x00000D00
Handle: 0xDE000CDA
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
#sh mab int gi1/0/2
MAB details for GigabitEthernet1/0/2
Mac-Auth-Bypass = Enabled
#sh int trunk
Port Mode Encapsulation Status Native vlan
Gi1/0/1 on 802.1q trunking 1
Gi1/0/2 on 802.1q trunking 1
Gi1/0/48 on 802.1q trunking 1
Gi1/0/52 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi1/0/1 1-4094
Gi1/0/2 1-4094
Gi1/0/48 1-2,10,20
Gi1/0/52 1-2,10,20
Port Vlans allowed and active in management domain
Gi1/0/1 1-2,10,20
Gi1/0/2 1-2,10,20
Gi1/0/48 1-2,10,20
Gi1/0/52 1-2,10,20
Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 1-2,10,20
Gi1/0/2 1-2,10,20
Gi1/0/48 2
Gi1/0/52 1-2,10,20
Ok, what am I missing??The problem lies in the wired Ethernet port on the Aironet. I did not submit that configuration because I thought it was simple and unrelated. Here is what I had:
interface GigabitEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
The correct configuration should have been:
interface GigabitEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
The line "no bridge-group 20 unicast-flooding" should not be applied to the wired port. That's stupid. With that erroneous command, the wired port will forward only broadcast and multicast traffic! Unicast traffic will be dropped. Oops.
However, I do not understand why applying this to the radio interfaces has no effect there. I have yet to find any conclusive detailed answers, either. Regardless, my original problem is fixed. -
I am having issues with Catalyst 2960 Switch Console. Switch boots up fine and the process shows up on the console. But after the boot-up, console stops responding. It also does not respond to Break sequence at the boot-up. Any solutions? I am using Putty with 9600 8n1 settings.
Thanks
HassanCheck the settings:
Please confirm if it helps
Parvesh
Remember marking helpful posts. -
L2 or l3 switch with NAC appliance
Hi,
I am planning for deploying NAC appliance in OOBVG mode. For the access layer, L2 switches are selected (2960). If I change the L2 access switches with L3 (3560 or 3750) would this add more manageability to the access layer by NAC?
Regards,
MladenThanks.
The document "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide" says:
"In out-of-band Real-IP or NAT gateway deployment, the client IP address has to change when the port is changed from the Auth VLAN to the Access VLAN."
So the clients will have to receive TCP/IP settings via DHCP twice, which I don't think is client satisfactory.
If the NAC is in OOBVG mode, are there any NAC features, which are not supported (IP filtering rules, access policies, and any other traffic handling mechanisms)?
Regards,
Mladen -
2960 switch SNMP packet errors vs Device Manager Errors
So we use the 2960 switches and monitor the in and out packet errors with snmp. The numbers are not the same in the device manager as the numbers we get from snmp. does anyone know a reason why this would be?
SSL3.0 is disabled in A5(3.1b) and A5(3.2) A5(3.1b) was released in late November 2014 and A5(3.2) was released in April 2015
https://software.cisco.com/download/release.html?mdfid=281222179&flowid=151&softwareid=282775307&release=A5(3.1b)&relind=AVAILABLE&rellifecycle=&reltype=latest
Maybe you are looking for
-
How can i start Terminal in a specific folder
how can i start Terminal in a specific folder
-
I want to create a Pdf file - do i misunderstand the product? I thought i could create a PDF similar to excel or word file or do i have to create there and convert to PDF? I bought the pack for $89.PDF Pack!
-
Tax classification for sales order before ECC
Hi expert, We have recently upgraded from 4.6C to ECC6.0 and noticed the following issue, please kindly advise. Thanks. The tax classification for one of the regular customer has always been maintained as '0' (Tax Exempt). In 4.6C, in the sales order
-
I have problems with the update of my 3gs from 4.2.1 to 4.3.3.
can't I carry out the update of 2-4-1 on 3-4-3 about itunes. the fault name "timeout" comes after the download? how do I come to an update still?
-
Hi, i know this has been asked loads, but i just wanna make sure this will work before i spend the money on it. i've got a dual 1.8 g5 with an ati 9600. i want to watch movies from my mac on a tv in another room. i was going to buy a adc to vga adapt