AAA and 3560 Switch + CNA

Hi
Has anyone got this to work?
CNA (Cisco Network Assistant) and AAA (TACACS+) on a 3560 switch.
I can’t get CNA to work in this setup, but it works fine together with 3500XL and 3550 series switches, with the same parameters.
This is the AAA config:
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication enable default enable group tacacs+ none
aaa authorization exec default group tacacs+ local
aaa authorization exec no_tacacs none
aaa authorization commands 15 default group tacacs+ if-authenticated local
aaa authorization commands 15 no_tacacs none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
ip http server
ip http authentication aaa

Hi
No. I get the prompt for username and password and hit enter. Then nothing happens. It looks like it's trying to build the network, but it never finishes. I know it works without the AAA statements, but I can’t live with that.
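One way to review a method-list configuration like the one above for permissive fallbacks before relying on it for HTTP/CNA logins. This is an added example in Python, not code from the thread: the config text is copied from the question, while the audit rules and the assumption that a bare "ip http authentication aaa" uses the default login list are this example's own.

```python
"""Audit IOS AAA method lists for permissive fallbacks (added example)."""
import re

# AAA lines as posted in the question (HTTP server lines included).
AAA_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication enable default enable group tacacs+ none
aaa authorization exec default group tacacs+ local
aaa authorization exec no_tacacs none
aaa authorization commands 15 default group tacacs+ if-authenticated local
aaa authorization commands 15 no_tacacs none
aaa accounting exec default start-stop group tacacs+
ip http server
ip http authentication aaa
"""

# Matches authentication/authorization lines; level is only present for 'commands'.
LINE_RE = re.compile(
    r"^aaa (authentication|authorization) (login|enable|exec|commands)"
    r"(?: (\d+))? (\S+) (.+)$"
)

def parse_method_lists(config):
    """Return {(kind, subtype, level, name): [method, ...]}; 'group X' is one method."""
    lists = {}
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, sub, level, name, rest = m.groups()
        tokens = rest.split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(kind, sub, level, name)] = methods
    return lists

def audit(config):
    """Return a list of (severity, where, message) findings."""
    lists = parse_method_lists(config)
    findings = []
    for key, methods in lists.items():
        label = " ".join(part for part in key if part)
        if methods[-1] == "none":
            findings.append(("high", label,
                "last method is 'none': access is granted without any check once "
                "every earlier method errors (e.g. TACACS+ unreachable)"))
        if "if-authenticated" in methods:
            findings.append(("medium", label,
                "'if-authenticated' authorizes any authenticated user when the "
                "server does not answer"))
    # Assumption: a bare 'ip http authentication aaa' uses the default login list,
    # so that is the list a CNA (HTTP) session is checked against.
    if re.search(r"^ip http authentication aaa\s*$", config, re.M):
        login = lists.get(("authentication", "login", None, "default"))
        if login is None:
            findings.append(("high", "ip http authentication aaa",
                "no 'aaa authentication login default' list exists"))
        else:
            findings.append(("info", "ip http authentication aaa",
                "HTTP/CNA logins use login list default: " + ", ".join(login)))
    return findings

if __name__ == "__main__":
    for severity, where, message in audit(AAA_CONFIG):
        print(f"[{severity}] {where}: {message}")
```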

Similar Messages

  • Private vlans and 2960 and 3560 switch

    Hi, I have a 3560 switch that supports private VLANs. There are a few computers connected to it and private VLANs work fine. Now I need to connect a 2960 switch to the 3560 switch. The 2960 seems to have no private VLAN configuration options, but it can be a private VLAN edge? What is private VLAN edge? If I put the computers on the 2960 into a VLAN that is an isolated VLAN on the 3560, will the computers be able to communicate with each other at layer 2 on the 2960 switch?

    Example: I have network 10.0.0.0/24. The network's primary VLAN is 2001, the isolated VLAN is 2002 and the community VLAN is 2003. These settings are on the 3560. So if I put computers on the 2960 switch into VLAN 2002 and make the ports protected ports, they will act as isolated ports and they can't communicate with ports that are in isolated VLAN 2002 on the 3560?
    Can I also use the community VLAN on the 2960? Is this possible, given that VLANs 2002 and 2003 would be on the same network?

  • Two 2911 routers and 3560 switches (load balancing and redundancy)

    Good day, Sir!
    I have a hierarchical model: two 2911 routers and two 3560 core switches, with two providers.
    I want to design a redundancy scheme. Can you advise me how best to do it? Here you can find an image with the topology; can you say whether it is a good idea to connect the devices in this way?
    Hoping for your help! Thank you!!!

    Hi,
    If you want to configure redundancy on the LAN side of your network you can use HSRP, and on the WAN side, depending on the connection with the provider, you can use either BGP or any IGP.
    If you want load balancing as well as redundancy, you can define a different HSRP group for each VLAN, and on the WAN side with BGP you can use the multipath option, or with an IGP you can manipulate the route metric.
    Thanks & Regards
    Sandeep

  • Configuration of GBIC on 2950 and 3560 switches

    Can someone please advise how to configure a "GBIC T Base Port" on a 2950 switch. I have 2 of them and would like to load share and provide redundancy. All documentation that I am aware of does not indicate that they support EtherChannel configuration.

    Step 1
    configure terminal
    Enter global configuration mode.
    Step 2
    interface interface-id
    Specify a physical interface to configure, and enter interface configuration mode.
    Valid interfaces include physical interfaces.
    Up to eight interfaces of the same type and speed can be configured for the same group.
    Step 3
    switchport mode {access | trunk}
    switchport access vlan vlan-id
    Assign all interfaces as static-access ports in the same VLAN, or configure them as trunks.
    If you configure the interface as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
    Step 4
    channel-group channel-group-number mode
    {{auto [non-silent] | desirable [non-silent] | on} | {active | passive}}
    For more detail, see the EtherChannel configuration guide:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swethchl.htm

  • Setting 3550 and 3560 Switches to Non-Negotiate

    On some of the older models of the 3550 switches I was able to set the SFP interface to non-negotiate. I do not notice that command available in the documentation anymore. Does it still exist?

    Hello,
    Do you have access to any of the switches in question? You can always use the context help under the interface
    (config-if)#switchport ?
    On my 3550 the nonegotiate is an option.
    HTH
    Regards,
    James

  • Etherchannel between stack switches[3750] and standalone switch[3560]

    Hi,
    I have 2*3750 switches in a stack as core and 1*3560 switch in the access layer. I want to enable EtherChannel between the stack switches [3750A & 3750B] and the 3560 switch.
    I have connected 2 links from the 3560 switch to the stack switches, one link to 3750A and the other link to 3750B. Will it work this way as per my requirement?
    Or should I enable stacking on the 3560 switch too and configure cross-stack EtherChannel between the 3750 stack and a 3560 stack? I referred to a few Cisco documents, but the cross-stack EtherChannel configuration example has 3750s at both end stacks.
    Rgds...
    VikramS

    Hi,
    This should work fine as per your setup; the 3750 stack will be acting as one switch, which means that the EtherChannel configuration should be straightforward. There is no need to stack the 3560 for this to work; also, the 3560s are not stackable.
    Hope this helps.

  • Dacl on ACS 5.1 and Catalyst switch 3560

    Dear all
    I have ACS 5.1 and a Catalyst 3560 switch with version 12.2(53)SE. I configured a dACL on the ACS and I use it in an authorization profile.
    This authorization profile is used in an access policy.
    I tried the authentication but it doesn't work. I checked the ACS logs and I found that the user is authenticated successfully but the dACL gives this error (The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected).
    Steps:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11025  The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected
    11003  Returned RADIUS Access-Reject
    DACL:
    deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log
    permit ip any any log
    Thanks in advance,

    Dear Tiago
    I applied the command "radius-server vsa send". Now I can see the dACL is applied, but I can't see it on the switch, and even though the authentication succeeded in the ACS logs, it gives me unauthorized on the switchport. You can see the logs (starting with the username acstest; the access-list is applied but it doesn't work, and you can see that it goes to MAB after EAP timed out). I hope you can help on this issue.
    Dec 13,10 10:29:00.513 AM | 00-23-AE-7A-58-A6 | 00-23-AE-7A-58-A6 | Default Network Access | Lookup | Dot1x-3560-Switch | 1.2.3.4 | FastEthernet0/5 | TESTACS | 22056 Subject not found in the applicable identity store(s).
    Dec 13,10 10:28:29.186 AM | #ACSACL#-IP-Guest-4cfcc14d | Dot1x-3560-Switch | 1.2.3.4 | TESTACS
    Dec 13,10 10:28:28.726 AM | acstest | 00-23-AE-7A-58-A6 | Default Network Access | PEAP (EAP-MSCHAPv2) | Dot1x-3560-Switch | 1.2.3.4 | FastEthernet0/5 | TESTACS
    Thanks,

  • DHCP and voice vlan on Cisco 3560 switch

    Greetings,
    I'm setting up a Cisco 3560 switch for voice and data comms. I'm looking for documentation with best practice guidelines for the following requirements.
    1. Using the Cisco 3560 as a DHCP server - config examples. Do I need to use different subnets for the voice and data VLANs?
    2. Layer 2 CoS QoS - I'm connecting Aastra phones as well as notebooks. I've been told that Aastra also makes use of the voice VLAN config through LLDP and that Aastra phones support CDP.
    Your assistance will be appreciated.

    Hi ,
    Cisco recommends that you have separate VLANs for voice and data, with different IP subnets for voice and data. You will need to configure the DHCP pools accordingly.
    Here is the config guide for setting up IOS DHCP server:
    http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/Easyip2.html
    Here is the LAN qos recommendations:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/netstruc.html#wp1044009

  • AAA and ISE

    Hi All,
    Where do I configure primary AAA and secondary AAA in ISE?
    According to the deployment guide, Fig 1-6, Dispersed Deployment:
    http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_deploy.pdf
    If we are using AD, then the AAA solution is RODC?
    Thanks,
    John

    Hello,
    Yes, you can also use the Cisco Catalyst 3560 to configure AAA and RADIUS. You can configure MAB, Dot1X and CWA.
    Please refer to below link which might help you.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html

  • Cable interconnecting Cat. 3550 and 3560

    What would be an appropriate cable for connecting the 3550 Catalyst and the 3560?
    The 3550 has 2 GBIC ports, while the 3560 has 4 SFP module slots.

    Q. Can the Cisco Catalyst 3560 Series switches support the GigaStack® or StackWise™ technology?
    A. The Cisco Catalyst 3560 switches do not support the Cisco GigaStack technology on the Catalyst 3550, 2950G, and 3500 XLs or the Cisco StackWise technology available on the Catalyst 3750. However, a cluster of any combination of these platforms can be managed via a single IP address using the Cisco Network Assistant (CNA) software. There are more details on CNA later in this document.

  • Daisy chain of 3550 and 3560

    Can we use a mixture of 3550 and 3560 in a daisy chain? What I mean is:
    1. If I want to connect 4 switches in a daisy chain, can two of them be 3550s and the other two be 3560s?
    2. If I have 2 3550s in a daisy chain, can I add one more 3560 to the same chain?

    It may be more beneficial to aggregate 3 of the switches to one via the GB/SFP ports,
    i.e.:
    switch1-3560 >> switch2
    switch1-3560 >> switch3
    switch1-3560 >> switch4
    Having correctly sized ports for the aggregated bandwidth will be required.
    You can also perform daisy chaining as you've asked.

  • Embeded Event Manager on cisco 3560 switch

    Can someone help me please? I have EEM configured on a Cisco 3560 switch. The configuration is below. I want the switch to inform me through email when a device with a particular IP address becomes unavailable. For some reason this configuration is not working and I can't tell why. I already tried to debug this with debug event manager action mail but didn't see any output.
    ip sla 11
    icmp-echo ip address
    frequency 20
    ip sla schedule 11 life forever start-time now
    event manager applet device-TEST
    event snmp oid 1.3.6.1.4.1.9.9.42.1.2.9.1.6.11 get-type exact entry-op lt entry-val "2" poll-interval 20
    trigger occurs 5 period 120
    action 02.0 mail server "ip address" to "[email protected]" from "[email protected]" subject "device is down"

    The mail part looks good, I'm not sure you are hitting the trigger right.
    Why not do a track on the ip sla instead of the snmp stuff?
    Here's a good example of that.
    https://learningnetwork.cisco.com/blogs/network-sheriff/2009/06/19/writing-your-first-eem-applet

  • WLC Flexconnect with AAA and MAC authentication

    hi,
    I have a Cisco WLC with version 7.4.121, and I have remote-site access points to be connected to this controller; the remote access points will have different VLANs on the remote side itself.
    My question is: I have RADIUS authentication for the clients connecting from all the access points, and MAC filtering also.
    My RADIUS server is placed in the HQ where we have the WLC. Which FlexConnect switching method will give me both AAA and MAC filter options working?
    One more question:
    Is it possible to make separate MAC filters for each AP on the WLC?
    thanks
    cyril

    If you are planning on doing machine authentication, i.e. authentication of the machine with username/password by the AAA server, then this is possible using FlexConnect local switching, provided you have your AAA server accessible via the local VLAN at the remote site.
    In case you are planning on doing MAC filtering using the WLC and username/password authentication using the AAA server, then this cannot be achieved when you enable FlexConnect local switching, as you do not get an option to configure MAC filtering on FlexConnect groups. Hence you would need to use central authentication.
    Actually the best option for you is to either deploy a local-site AAA server and do both authentications via your RADIUS server, or use central authentication with FlexConnect APs in case this is not feasible.
    Hope this clears your doubts!!!
    Note: Please do not forget to rate and accept as solution in case the post is valid.

  • MAC Addressess not showing on my new 3560 switch

    I have a Cisco 3560 (Switch B) switch I just introduced into my network.  The gigabit ports are trunked from another switch (Switch A) to a Cisco 6509 WS (Main Switch).
    crpf4bsw3#show cdp neighbors
    Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
    crpf4bsw2.mdch.com
                        Gig 0/1               124            S I      WS-C3560-4Gig 0/4
    crpcorsw1.mdch.com
                        Gig 0/4               127           R S I     WS-C6509-EGig 2/8
    interface GigabitEthernet0/4
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,19,124,150,160,164,168,224
     switchport mode trunk
     mls qos trust dscp
     spanning-tree link-type point-to-point
    interface GigabitEthernet0/1
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,19,124,150,160,164,168,224
     switchport mode trunk
     mls qos trust dscp
     spanning-tree link-type point-to-point
    The trunk ports are working just fine.  I have configured all necessary remote management with no issues.  However, my access ports are not working.  I have set them up exactly the same as the adjacent switch A and it works just fine, but the same configuration on the new switch has not been able to pull IP information.  I have provided information as to how the switch access ports are configured on both Switch A (working) and Switch B (not working).  I should note that I tried this with a Cisco 7940 phone and it got stuck on "configuring IP" then I tried it with my laptop and it pulled a 169 IP address.  Both were direct connections into switch B.  When I run a show mac-address-table, neither device shows up in the table.  Only the gig port MACs.  Any thoughts? Please let me know if you need any more information.
    interface FastEthernet0/3
     switchport access vlan 124
     switchport mode access
     switchport voice vlan 224
     switchport port-security maximum 3
     switchport port-security
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape  10  0  0  0
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
     spanning-tree bpduguard enable

    Hi Mike,
    It looks like you're guiding me in the right direction.  I did a "show port security interface fa0/2" on the new switch and nothing was out of the ordinary with the exception of the 0 MAC addresses learned.  But then I did a "show spanning tree vlan 224" Here's what I found:
    Switch A (existing switch):
    crpf4bsw2#show spanning-tree vlan 224
    VLAN0224
      Spanning tree enabled protocol rstp
      Root ID    Priority    4096
                 Address     0012.44cc.68e0
                 Cost        8
                 Port        1 (GigabitEthernet0/1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    32992  (priority 32768 sys-id-ext 224)
                 Address     0013.60aa.7400
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300
    Interface        Role Sts Cost      Prio.Nbr Type
    Gi0/1            Root FWD 4         128.1    P2p
    Fa0/1            Desg FWD 19        128.3    Edge P2p
    Fa0/2            Desg FWD 19        128.4    Edge P2p
    Fa0/3            Desg FWD 19        128.5    Edge P2p
    Fa0/4            Desg FWD 19        128.6    Edge P2p
    Fa0/5            Desg FWD 19        128.7    Edge P2p
    Fa0/6            Desg FWD 19        128.8    P2p Peer(STP)
    Interface        Role Sts Cost      Prio.Nbr Type
    Fa0/7            Desg FWD 19        128.9    Edge P2p
    Fa0/8            Desg FWD 19        128.10   Edge P2p
    Fa0/9            Desg FWD 19        128.11   Edge P2p
    Fa0/10           Desg FWD 19        128.12   Edge P2p
    Fa0/11           Desg FWD 19        128.13   Edge P2p
    Fa0/12           Desg FWD 19        128.14   Edge P2p
    Fa0/13           Desg FWD 19        128.15   Edge P2p
    Fa0/15           Desg FWD 19        128.17   Edge P2p
    Fa0/19           Desg FWD 19        128.21   Edge P2p
    Fa0/20           Desg FWD 19        128.22   Edge P2p
    Gi0/4            Desg FWD 4         128.28   P2p
    Fa0/29           Desg FWD 19        128.33   Edge P2p
    Fa0/30           Desg FWD 19        128.34   Edge P2p
    Fa0/31           Desg FWD 19        128.35   Edge P2p
    Fa0/32           Desg FWD 19        128.36   Edge P2p
    Fa0/33           Desg FWD 19        128.37   Edge P2p
    Fa0/34           Desg FWD 19        128.38   Edge P2p
    Fa0/35           Desg FWD 19        128.39   Edge P2p
    Fa0/37           Desg FWD 19        128.41   Edge P2p
    Fa0/38           Desg FWD 19        128.42   Edge P2p
    Fa0/39           Desg FWD 19        128.43   Edge P2p
    Fa0/40           Desg FWD 19        128.44   Edge P2p
    Fa0/41           Desg FWD 19        128.45   Edge P2p
    Interface        Role Sts Cost      Prio.Nbr Type
    Fa0/42           Desg FWD 19        128.46   Edge P2p
    Fa0/43           Desg FWD 19        128.47   Edge P2p
    Fa0/44           Desg FWD 19        128.48   Edge P2p
    Fa0/45           Desg FWD 19        128.49   Edge P2p
    Fa0/46           Desg FWD 19        128.50   Edge P2p
    Switch B (new switch):
    Spanning tree instance(s) for vlan 224 does not exist.
    So with this new information, and with my trunk configurations above, what did you mean by a disconnect on the trunk?

  • AAA configuration on switches 2960

    Hi
    I have introduced the following configuration of AAA in switches of the 2950 series and it works very well,
    but when I do the same in 2960 switches, the local password does not work and it is obligatory to introduce the switch in the ACS to have management of the switch.
    Is some additional configuration of AAA needed in 2960 switches?
    Thanks.
    tacacs-server host y.y.y.y
    tacacs-server key xxxxx
    aaa new-model
    aaa authentication login acceso-consola group tacacs+ line
    aaa authentication login acceso-telnet group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    line con 0
    exec-timeout 0 0
    login authentication acceso-consola
    line vty 0 4
    login authentication acceso-telnet

    Maria
    Perhaps some clarification of your environment might help us. In particular it would help to understand how you produce the "without ACS" environment.
    Clearly the switch is still configured for ACS. And clearly there is connectivity from the switch to the ACS. And the ACS is responding to the authentication request from the switch. I am not sure what the errno 254 represents or what on the ACS server causes it. Perhaps you can help us understand that?
    I had a situation at one point that may have been similar to your situation. Our devices were sending requests to ACS. But ACS was not able to communicate with the external DB because one of the services on ACS was not running. ACS responded with an error indicating unable to process. But the IOS devices were not interpreting that as an error that should send them to the backup authentication method.
    If you are stopping something on the ACS server then I would suggest that a better test would be to break IP connectivity between the switch and the ACS so that the switch receives no response to its request, or to change the configured IP address for the server in the switch and point to some device not running ACS so that the switch receives a port unreachable response to its request. Those would give you a better test of without ACS.
    HTH
    Rick
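Rick's point about what counts as a test "without ACS" comes down to how IOS walks a method list: the next method is consulted only when the previous one returns an error (no usable answer), not when the server explicitly rejects the user. The Python below is an added example modelling that walk for Maria's "group tacacs+ line" vty list; it is not code from the thread, and the per-scenario outcomes are constructed assumptions for illustration.

```python
"""Model how IOS walks an AAA method list (added example, not from the thread)."""
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def methods_of(aaa_line):
    """Extract the method list from an 'aaa authentication login <name> ...' line."""
    tokens = aaa_line.split()[4:]          # skip 'aaa authentication login <name>'
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])   # 'group tacacs+' is one method
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def evaluate(methods, outcomes):
    """Walk `methods` in order. `outcomes` maps method -> PASS/FAIL/ERROR.

    Only ERROR moves on to the next method; PASS or FAIL ends the walk.
    Returns (verdict, method_that_decided); (FAIL, None) if every method errored.
    """
    for method in methods:
        result = outcomes.get(method, ERROR)
        if result != ERROR:
            return result, method
    return FAIL, None

# Maria's vty list, as posted in the question.
VTY_LIST = methods_of("aaa authentication login acceso-telnet group tacacs+ line")

# Constructed scenarios. The 'line' value is what the line-password check would
# return for the password typed; the 'group tacacs+' value is the server's answer.
SCENARIOS = {
    "ACS reachable, rejects user":          {"group tacacs+": FAIL,  "line": PASS},
    "ACS reachable, accepts user":          {"group tacacs+": PASS,  "line": PASS},
    "ACS unreachable (no reply)":           {"group tacacs+": ERROR, "line": PASS},
    "ACS unreachable, wrong line password": {"group tacacs+": ERROR, "line": FAIL},
}

def run_scenarios(methods=VTY_LIST, scenarios=SCENARIOS):
    """Return {scenario: (verdict, deciding_method)} for each constructed case."""
    return {name: evaluate(methods, outcomes) for name, outcomes in scenarios.items()}

if __name__ == "__main__":
    for name, (verdict, decided_by) in run_scenarios().items():
        print(f"{name:40s} -> {verdict} (decided by {decided_by})")
```

The second scenario is the one that surprises people: an explicit reject from ACS never reaches the line password, so only the two "unreachable" cases exercise the fallback Maria expects.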
