4500 Series Switches and 802.1x MAB

My organization has multiple 4500 series switches experiencing the same problem when attempting to authenticate devices via MAB. The issue is that the "show mab interface fax/x details" shows the Client MAC in a waiting status. The device is never sending the switch its MAC in order to proceed with MAB authentication, so of course the port never forwards traffic. However, if we remove authentication port-control auto the port starts forwarding and the device gains connectivity. Below is the interface configuration command and the MAB details. The IOS version of this current switch is 15.0(2)SG8. Are we missing something special for a 4500 as far as configuration is concerned?
interface FastEthernet8/16
 description USER 
 switchport access vlan 600
 switchport mode access
 switchport nonegotiate
 duplex full
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
end
SWITCH-4510R#sh mab interface fa8/16 details
MAB details for FastEthernet8/16
Mac-Auth-Bypass           = Enabled
MAB Client List
Client MAC                = Waiting
Session ID                = 841AF6D100002931AF99B827
MAB SM state              = ACQUIRING
Auth Status               = UNAUTHORIZED

Hello,
In my organization we have multiple 3560/2960 series switches and some 4500 with MAB.
The interfaces have the following config:
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 120
 authentication timer reauthenticate server
 authentication timer inactivity 600
 mab
 dot1x pae authenticator
Good luck
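The check below is an added example, not code from either poster or from Cisco: it parses `show mab interface ... details` output to list ports where no client MAC has been learned, and lists which authentication lines differ between the two interface configurations in this thread. The FastEthernet8/17 entry and the function names are constructed for illustration.

```python
import re
# Constructed sample: the output posted above plus one made-up authorized port.
SHOW_MAB = """\
MAB details for FastEthernet8/16
Mac-Auth-Bypass           = Enabled
MAB Client List
Client MAC                = Waiting
Session ID                = 841AF6D100002931AF99B827
MAB SM state              = ACQUIRING
Auth Status               = UNAUTHORIZED
MAB details for FastEthernet8/17
Mac-Auth-Bypass           = Enabled
MAB Client List
Client MAC                = 0011.2233.4455
Session ID                = 000000000000000000000001
MAB SM state              = TERMINATE
Auth Status               = AUTHORIZED
"""

# The authentication lines of the two interface configurations in this thread.
QUESTION_CFG = """\
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
"""
REPLY_CFG = """\
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 120
 authentication timer reauthenticate server
 authentication timer inactivity 600
 mab
 dot1x pae authenticator
"""

def parse_show_mab(text):
    """Return {interface: {field: value}} from 'show mab interface ... details' output."""
    ports, current = {}, None
    for line in text.splitlines():
        header = re.match(r"MAB details for (\S+)", line)
        if header:
            current = ports.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return ports

def stuck_ports(ports):
    """Ports whose MAB session has learned no source MAC and is unauthorized."""
    return sorted(n for n, f in ports.items() if f.get("Client MAC") == "Waiting"
                  and f.get("Auth Status") == "UNAUTHORIZED")

def config_diff(ours, theirs):
    """Return (lines only in ours, lines only in theirs), ignoring indentation."""
    a, b = ({l.strip() for l in c.splitlines() if l.strip()} for c in (ours, theirs))
    return sorted(a - b), sorted(b - a)

print(stuck_ports(parse_show_mab(SHOW_MAB)), config_diff(QUESTION_CFG, REPLY_CFG), sep="\n")
```

The diff only shows where the two configurations differ; it does not say which line, if any, accounts for the Waiting state.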

Similar Messages

  • Macs joined to AD Domain, and 802.1x/mab authentication problems

    Hello, I've got a situation where I have a small handful of Mac Pros running OS 10.6 that are having some trouble with wired 802.1x/MAB (MAC Authentication Bypass) on our Cisco switches. We have our Macs set up so that they authenticate to our Windows domain for user login, plus, we have 802.1x authentication (for our Windows clients) and MAB bypass for our Macs, printers, and assorted other equipment. Problem seems to be, the Mac boots up before the switch goes into MAB bypass and won't let the user log in to the network. Has anyone run across this problem before and found a solution?

    Hello,
    In my organization we have multiple 3560/2960 series switches and some 4500 with MAB.
    The interfaces have the following config:
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication periodic
     authentication timer restart 120
     authentication timer reauthenticate server
     authentication timer inactivity 600
     mab
     dot1x pae authenticator
    Good luck

  • Cisco 4500 series switch

    Dear support team, in cisco 4500 series switch I am getting error interface TenGigabitethernet 1/14 utilization threshold violated.current in traffic 705.228 (70.52 %) and out traffic 707.462 ( 70.75 %) whereas configured threshold is 30 %.
    I have checked on switch but qos is there in configuration.
    Where do I need to check if any restriction is there for incoming and outgoing traffic,
    and what necessary troubleshooting do I need to do?

    This looks like a policy shaping.

  • 4500 series switches crashing when under load

    Dear support community,
    We are a small group of network managers and we recently came across a problem in our planned network upgrade considering the 4500 series switches. Six of these switches are configured as VSS redundancy resulting in 3 VSS units connected over double-link fiberoptic port-channels (1+1) building a ring topology.
    As soon as we put load (3,5Gbit/s) on one of the port-channels between two VSS, one unit (both main and stdby switches) crashes almost immediately and then reboots. This first happened a few weeks ago, yesterday when testing it happened again but on another VSS connected to the first one. I was able to recover the crashinfo files from both units, they are attached to this post as well as the show tech_support output from the one that crashed yesterday.
    Unfortunately we don't have the tools and knowledge for analyzing the files and we would appreciate your help. Thank you in advance.
    Max S.    

    Wow.  You're running a very old IOS.  
    If you need to stay with 3.4.X then go with 3.4.5, which is a maintenance release (fixes a few bugs).  Read the Release Notes for more information.

  • Cisco 300 series switches with 802.3at standard

    I'm a bit confused as to which of the 300 series switches supports the 802.3at standard. According to the website, the SG300-28P supports it. But in the quick start guide for the 300 series, only the MP models (excluding the SF302-08MP and SG300-10MP) including the SG300-52P has it. Can someone give me a definitive answer to this? Thanks!

    LJ,
    P    = PoE capable. On the 300 series, half of the ports can provide 15.4W, or all can provide half that.
    PoE+ is NOT SUPPORTED.
    MP = Maximum Power. This means that all ports can provide up to 15.4W. PoE+ is supported on some models only.
    PP = PoE Plus. Can provide up to 30W on a single port. Note the maximum PoE budget for each switch. Also,
    half of the ports can provide 15.4W, or all can provide half that - any extra power used by PoE+
    MPP = Maximum Power and PoE Plus. This means that all ports can provide up to 15.4W - any extra power used by PoE+
    According to the Data Sheet:
    "Switches support 802.3at PoE+, 802.3af, and Cisco pre-standard (legacy) PoE. Maximum power of 30.0W to any 10/100 or Gigabit Ethernet port for PoE+ supported devices and 15.4W for PoE supported devices, until the PoE budget for the switch is reached"
    The PoE+ models are brand new and are not widely available yet. I did a web search for SG300-28PP and found that at least a few online resellers have it in stock.
    - Marty
    Message was edited by: Martin Pyhala

  • HT4356 I have an Ipad air and an HP 4500 series printer and get anything to print.  Any suggestions on how I can print?

    My Ipad Air will not print to my HP 4500 series printer.  Any suggestions?

    iOS AirPrint Printers  http://support.apple.com/kb/HT4356
    How to Print from Your iPad: Summary of Printer and Printing Options
    http://ipadacademy.com/2012/03/how-to-print-from-your-ipad-summary-of-printer-and-printing-options
    Print from iPad / iPhone without AirPrint
    http://ipadhelp.com/ipad-help/print-from-ipad-iphone-without-airprint/
    How to Enable AirPrint on a Mac and Use Any Printer
    http://ipadhelp.com/ipad-help/how-to-use-airprint-with-any-printer/
    iPad Power: How to Print
    http://www.macworld.com/article/1160312/ipad_printing.html
    Check out these print apps for the iPad.
    Print Utility for iPad  ($3.99) http://itunes.apple.com/us/app/print-utility-for-ipad/id422858586?mt=8
    Print Agent Pro for iPad ($5.99) http://itunes.apple.com/us/app/print-agent-pro-for-ipad/id421782942?mt=8   Print Agent Pro can print to many non-AirPrint and non-wireless printers on your network, even if they are only connected to a Mac or PC via USB.
    FingerPrint turns any printer into an AirPrint printer
    http://reviews.cnet.com/8301-19512_7-57368414-233/fingerprint-turns-any-printer-into-an-airprint-printer/
     Cheers, Tom

  • Cisco switches and 802.1.x

    Hi, there !
    I have a question for you.
    Cisco all switches, is it impossible to present for 802.1x ?
    I try to put a network access server in our network to authenticate.
    Thanks.
    I will wait your answer.
    Regards.

    Most Cisco switches will handle 802.1x, but it depends on the switch and the OS. Which specific ones are you considering?
    Wes

  • Cisco CSS 11150 Series switch and DNS Sticky

    Hi,
    I currently have two internet independent facing CSS11154 switches with two web server farm environment across both of them.
    I have a single URL that round robins between my internet facing links for these server farms.
    The application is based on ssl connectivity to a web farm, because of the application and need to maintain session transactions, I have needed to use “advanced-balance stick-srcip”.
    When using one leg (internet link) it works fine, no problem and vice versa.
    However, when I turn both of them on my application fails.
    Would I need to incorporate DNS Sticky to resolve my issue ?
    This is one of the configs from one of the CSS Switches, the other has a similar config different servers.
    !*************************** GLOBAL ***************************
    acl enable
    date european-date
    dns-server
    app
    app session 10.1.1.1 14 authChallenge ebe encryptMd5hash
    !************************** SERVICE **************************
    service Server01
    ip address 10.140.80.45
    port 443
    protocol tcp
    active
    service Server02
    port 443
    protocol tcp
    ip address 10.140.80.47
    active
    service Server03
    port 443
    protocol tcp
    ip address 10.140.80.53
    active
    service Server04
    ip address 10.140.80.54
    port 443
    protocol tcp
    active
    !*************************** OWNER ***************************
    owner HOME
    dns both
    content www-home.com
    vip address 192.168.0.1
    add dns www.home.com
    add service Server01
    add service Server02
    add service Server03
    add service Server04
    advanced-balance sticky-srcip
    active
    Many Thanks !
    Any view would be most helpful

    looks like you will need dns sticky indeed.
    To be 100% sure you should capture a sniffer trace of a failure.
    But most probably this is a dns sticky problem.
    Follow this link for sample configuration of dns sticky.
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_guide_chapter09186a0080176f6f.html
    Regards,
    Gilles.

  • Cisco 4500 series switch-Supervisor Engine.

    Is it possible to add two different supervisor engine module in a chassis(WS-C4507R+E Chassis)? (WS-X45-SUP7E in slot 3 and WS-X45-SUP6E-
    Redundancy in slot number 4)

    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/RPR.html
    Redundancy requires both supervisor engines in the chassis to be of the same supervisor engine model (same model, same memory, NFL daughter card and so on), and to use the same Cisco IOS software image.
    Thanks
    Hari.Sivaji

  • CAT 4500 Series switches Supervisor 6 -E

    How is the 320 Gbps Switching Capacity Calculated?
    If find this cisco site FAQs
    but I have still confusion how it work if someone have very simple and clear concept please share
    Thanks

    Hello Muhammad,
    real performance depends from all of the following:
    chassis model
    supervisor model
    linecard types
    total figure change widely
    see
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/product_data_sheet09186a008033a3bd.html
    a comparison of supervisors
    http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_models_comparison.html
    so 64 Gbps can represent a backplane capacity (equivalent to 32 GE full rate they count twice input/output)
    48 Mpps stand for 48 millions of packets per second processed.
    2)
    you need to take in account preamble and interframe gap:
    given an IP packet of size S the line usage is given by:
    S+18B = L2 frame
    total usage = S+18B +20,2B
    minimum size is 64 bytes padding is added if necessary
    3) traditional linecards connect at 6 Gbps to the backplane but groups of 8 ports share a 1Gbps ASIC this is true up to WS-X4548-GB-RJ45 included
    E modules have more performances
    The choice of supervisor is dependent on the features you need to run be aware that last supervisors 6E 6LE can have more performance and less features then previous ones.
    Hope to help
    Giuseppe

  • Advantages of 10/100 Management port on 6500/4500 series

    Hi mates,
    There is a common port called "10/100 MGT" (next to console port) on the supervisor engines of 6500 and 4500 series switch.
    Why would I need that port since I can telnet through Layer2 10/100 ports??
    Is that port doing the same job as console port? in addition allows longer distances over cat 5 cables??
    Do we need to assign IP address on that management port?
    Thanks for helping :)

    Hi,
    The 6500 supervisors do not have a 10/100 MGT port. The cat4000 supervisors do, however.
    On the supI and supII, the Ethernet management ports are for network management only. These ports do not support network switching. See:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/inst_gd/05modins.htm#xtocid184774
    On the SupII+, SupIII, and higher, the Ethernet management port is used (in ROMMON mode only) to recover a switch software image that has been corrupted or destroyed due to a network catastrophe. This port is not active while the switch is operating normally.
    See:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/hw_doc/78_13686.htm#wp32993
    HTH,
    Bobby
    *please rate helpful posts

  • 4500-Sup7; SSH and admin VRF only

    Hello all.
    I may be blind but I've not seen this topic in the documentation; I refer to "Catalyst 4500 Series Switch Software Configuration Guide, Release IOS XE 3.3.0SG and IOS 15.1(1)SG"
    The Sup7 has a dedicated FastEthernet port which is automatically put into a vrf named "mgmtvrf".
    What I want to do is to permit inbound ssh only on this interface (vrf) and not on any other IP owned by the switch...
    How can I do that ? By default any feature enabled on the switch is bound to all IP addresses defined in the switch belonging to all vrf...
    Technically I want the ssh process to listen only in the admin vrf.

    Finally; I couldn't find the way to implement Management Plane Protection in the parser; the following commands don't do the job:
    control-plane host
     management-interface Fa0/1 allow ssh telnet
    the "control plane host" doesn't work and there is no "management-interface" subcommand into the "control plane" section.
    Has anybody succeeded to implement MPP for the admin port of a SUP7-E in a 4500 ?
    I'm running the last version : IOS 15.1 / IOS XE 3.3.0 SG
    It seems that it's not documented in the configuration guide.
    And the feature navigator seems to be clear : only supported in IOS XR and standard IOS for routers but not switches ??? Even with IOS XE / 15.1 train ?

  • Vss quad sup support for 4500 series

    Hi all
    I'm looking at a 4507r+e with dual supervisor 7
    I want to run vss, however does it support quad supervisors?
    I hear the second one will have to be in rommon?
    In a failover how would I get the 2nd supervisor working ?
    Would you need to manually boot it?

    Have a look at the config guide:
    Quad-Supervisor (In-chassis Standby Supervisor Engine) Support
    The Catalyst 4500 series switches support dual supervisors in a redundant chassis, which can be configured for SSO or RPR mode. However, when a chassis is running in VSS mode, it supports a second supervisor engine, but only in rommon mode. In-Chassis-Standby (ICS) can not participate in control, management, or forwarding plane functioning. This makes ports on the supervisor engine in rommon mode available for forwarding although it neither participates in any switchover nor provides protection against any failure. In VSS mode, an In-Chassis-Active (ICA) supervisor engine participates in VSS control/ management operation and manages ports on the supervisor engine in rommon mode.
    If the second supervisor engine is inserted in a redundant chassis, the following information applies:
    •It must also be manually configured for VSS mode, i.e., it must have been converted from standalone to VSS mode previously. If you insert a supervisor engine that was not configured for VSS mode, it will disrupt the operation of the ICA supervisor engine. If it was previously configured, automatic boot must be disabled (i.e., to boot only to ROM Monitor) with the confreg command in rommon.
    The supervisor engine does not takeover or boot automatically when the ICA supervisor engine fails. A manual boot up is required to make it participate in VSS; it then functions as an ICA supervisor engine.
    More details on rommon commands are found at this URL:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/15.1.2/XE_340/configuration/guide/rommon.html#wp1013959
    •A supervisor engine's conversion from standalone to VSS occurs per engine. If two supervisor engines exist in a chassis, one should be retained in rommon or removed, before conversion occurs. You can convert the second supervisor to VSS mode while the first supervisor is removed or in rommon, with the additional step of setting it to "boot only to ROM Monitor." When both engines are converted to VSS, they can be inserted into the chassis together and re-booted.
    •Booting a chassis with two supervisor engines configured for VSS causes one of the engines to become the ICA and participate in VSS. The other engine, which becomes the ICS, will continuously reload. The secondary supervisor (the ICS) must be configured to "boot only to ROM Monitor" with automatic boot disabled.
    •When the ICA fails, the ICS doesn't take over because ICS support of SSO or RPR mode is unavailable. ICS (the secondary supervisor) must be booted manually to become the ICA and manage the VSS operations. For this to happen, the former active supervisor engine must remain in rommon mode.
    •ISSU support requires ICA supervisor engines on both chassis. The ICS supervisor engine does not participate in upgrade or any forwarding operations.
    •Because ICS supervisor engines do not communicate with ICA supervisors, VSS and other configurations must be done at conversion time on the ICS. If not done or the configurations do not match the necessary VSS parameters (like, SwitchId, Domain, and VSL configurations), it cannot form a VSS when ICA goes down and ICS is booted manually. You can, however, enter these "bootup" commands to make it join an existing VSS domain.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/15.1.2/XE_340/configuration/guide/vss.html#wp1204229
    HTH

  • HOW CAN I DOUBLE SIDED PRINTING ON MY HP ENVY 4500 SERIES PRINTER

    I recently bought my HP ENVY 4500 series printer and love it. The only problem I have is I can't seem to work out how to do double sided printing, can't see any options and the booklet doesn't tell me...maybe I am missing something. Please help! I hate wasting paper

    have you already installed the software for the MAC?
    what is the OSX version of your MAC?

  • 3750 metro series switch does not support dot1q trunking?

    Folks,
    I have a 3750 metro series switch and i am trying to use it to do inter vlan routing. I do not see an option for "encapsulation dot1q" under sub interface?? why is it not supported??
    Thanks

    Narvin,
    If you want inter-VLAN routing, the interface Vlan nn itself specifies the VLAN. I think you are confusing this with a router subinterface, where you must specify what VLAN a subinterface must use (and the encaps type). The encaps type (dot1q or ISL) is used at trunk level, and whatever the trunk uses, you can do inter-VLAN routing using a VLAN interface.
    maurizio
