Access to Cisco Switch Modbus Register Map? via Modbus TCP or Modbus RTU
Hello Folks, I have been trying to find out how to access the Modbus Register Map(s) of Cisco switches; of particular interest is that of an IE 3000, as it is DIN rail mountable (but models 2960s and 3560s are also of interest). A Google search for: Cisco Switch Modbus TCP results in (if I may) how to configure a Cisco 2520 to do what I am trying to do. I would be very grateful for any hints anybody might have. Thanks
Though I am not familiar with the specific drives in question, I have used Modbus/TCP in LabVIEW a few times recently.
As the previous posters pointed out, there are a couple of VI libraries available. LabVIEW 2014 added Modbus VI's with the DSC and LabVIEW Real-Time. The others you would have to get and add in yourself.
Another option is to use LabVIEW I/O Servers; as long as you have DSC or Real-Time, you can create Modbus I/O Servers as library items and deploy to a target. You don't get as much direct control in this way (and may run into difficulties if you need them to be field-configurable and do not have DSC) and use bound network shared variables, but they are very fast and easy to set up and I have yet to have any issues with using them in my applications.
A tutorial on setting up a Modbus I/O Server: http://www.ni.com/tutorial/13911/en/
A tidbit on deciding between Modbus VI's and a Modbus I/O Server: http://zone.ni.com/reference/en-XX/help/370622M-01/lvmve/choose_modbus_ioserver_vi/
As for using an Ethernet switch to connect multiple devices, I have used this approach many times to simultaneously connect and control numerous PC's, real-time controllers, and drives without issue. I would not expect there to be any problems unless you have extenuating circumstances. In fact, if you only have one network interface on your device at the moment, I would recommend against adding a second, as this would mean that you / your controller would have to be extra aware of which interface everything is assigned to go through.
Similar Messages
-
Cisco switches and virtual ip address(load balancing address) on xenapp portals
Hi, I am quite new to configuring Cisco switches and stumbled across an issue after installing XenApp 7.6 with a load-balanced portal to the DDCs.
It seems I can only ping or get access to the portal if using the real IP address behind the Cisco switch from other subnets in my network.
I can ping ddc01 and ddc02 and connect to the portal with HTTP without problem. However, when I try to access the load balancing address of the DDCs,
it won't answer to ping or HTTP.
In the same subnet there is no problem connecting to the load balancing address of the DDCs, but in locations on other subnets I can only access the real server IP.
e.g.
dd01 192.168.1.4 ok ping and access behind cisco switch from subnets
ddc02 192.168.1.5 ok to ping access behind cisco switch from subnets
load balancing for both ddc 192.168.1.6 not able to get answer or access from subnets, only in same subnet
Is there any way to configure the switch to access the load balancing address of the DDCs?
Regards
Pål Arne Røberg
Wrong forum. This forum is dedicated to feedback related to CSC framework itself. You should not wish for response here.
Moved by moderator, no longer apply. -
How to map one modbus register to another modbus register in labview?
How to map one modbus register to another modbus register in labview? For example, let 40001 equal to 30001. Thank you.
Steven
Hello Steven,
Sorry, I was under the impression that you were using the complete Lookout development software (as opposed to just the Lookout Protocol Drivers). You cannot do any development (connections, mapping, etc.) with the Lookout Protocol Drivers (LPD). So, you were right. We have to do this in LabVIEW.
I ain't sure how exactly the Modicon floats work, but assuming what you're saying is correct, in your LabVIEW VI(s) you would read the DataSocket item corresponding to 40yyy+1 first, and then write this value back to the DataSocket item corresponding to 40xxx. Similarly, you would read the DataSocket item corresponding to 40yyy and then write the value read back to the DataSocket item corresponding to 40xxx+1.
A tip: I would at first make sure I have the OPC communication between LabVIEW and LPD working. Make sure you can read and write to the LPD registers via their DataSocket/OPC equivalents in LabVIEW. You can then implement the mapping as described above.
Hope this helps,
Khalid -
Can't get read-only access to my switches via http
I set up a couple of users for read-only access to our switches via their web browsers. I set this up in Network Assistant. However when we try to log in, only a level 15 user is allowed to log in and there doesn't seem to be any way change this.
I know in Network Assistant, you can choose which user level you want, but I don't see any way to do it via the web interface.
What am I missing here?
Implementing security within a switching environment is less intuitive than in a router. Switches, by design, tend to recognize only two levels of administrative access - user exec mode or privileged exec mode. Implementation of security at different access levels, level 15, etc, can be tricky and should be done at the command prompt, not in the GUI.
You should reset your config and do not use Network Assistant for this purpose; it is "buggy." -
Cisco switches 3560 need manual reboot after power outages
Hi everyone,
In Africa we have a lot of power outages.
Working at a very big company with more than 300 switches can be challenging if you have to bring them up by manually rebooting a few of them on the property.
The switches are directly connected via fiber using LH/LX SFP connector to a 4500 Core switch which is on a UPS and does not go down during the outage; only the access layer switches will then need manual reboot....
Please assist in having a permanent fix on this issue.
Thank you very much in advance.
@hdussa:
Here is the output :
sh boot
BOOT path-list : flash:c3560-ipbase-mz.122-35.SE5/c3560-ipbase-mz.122-35.SE5.bin
Config file : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break : no
Manual Boot : no
HELPER path-list :
Auto upgrade : yes
Auto upgrade path :
===================================================================================================
SW1#sh dir flash:
Directory of flash:/
2 -rwx 5436 Nov 21 2013 13:08:49 +00:00 vlan.dat
3 -rwx 4749 Oct 10 2013 09:08:45 +00:00 config.text
4 -rwx 5 Oct 10 2013 09:08:45 +00:00 private-config.text
5 drwx 512 Mar 1 1993 00:10:16 +00:00 c3560-ipbase-mz.122-35.SE5
27998208 bytes total (18636800 bytes free)
===================================================================================================
SW1#sh ver
Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 19-Jul-07 18:15 by nachen
Image text-base: 0x00003000, data-base: 0x01100000
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(35r)SE2, RELEASE SOFTWARE (fc1)
SW1 uptime is 1 week, 1 day, 8 hours, 42 minutes
System returned to ROM by power-on
System restarted at 09:58:40 UTC Mon Feb 10 2014
System image file is "flash:c3560-ipbase-mz.122-35.SE5/c3560-ipbase-mz.122-35.SE5.bin"
cisco WS-C3560-8PC (PowerPC405) processor (revision A0) with 122880K/8184K bytes of memory.
Processor board ID FOC1315V4LS
Last reset from power-on
3 Virtual Ethernet interfaces
8 FastEthernet interfaces
1 Gigabit Ethernet interface
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:25:46:DE:1F:00
Motherboard assembly number : 73-10612-07
Power supply part number : 341-0207-01
Motherboard serial number : FOC13152YLK
Power supply serial number : LIT13060H65
Model revision number : A0
Motherboard revision number : C0
Model number : WS-C3560-8PC-S
System serial number : FOC1315V4LS
Top Assembly Part Number : 800-28131-01
Top Assembly Revision Number : E0
Version ID : V01
CLEI Code Number : COM8C00ARA
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
* 1 9 WS-C3560-8PC 12.2(35)SE5 C3560-IPBASE-M
Configuration register is 0xF
SW1#
Please let me know if you need same output for another switch posing the same problem.
Thank you very much. -
Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about planning, designing, and implementing mobile remote access (Cisco Collaboration Edge Architecture) with Cisco subject matter experts Aashish Jolly and Abhijit Anand.
Cisco Collaboration Edge Architecture is an architecture that provides VPN-less access of Cisco Unified Communications resources to Cisco Jabber® users. This discussion is dedicated to addressing questions about design best practices while implementing mobile remote access.
For more information, refer to the Unified Communications Mobile and Remote Access via Cisco VCS deployment guide.
Aashish Jolly is a network consulting engineer who is currently serving as the Cisco Unified Communications consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center (TAC), where he helped Cisco partners with installation, configuring, and troubleshooting Cisco Unified Communications products such as Cisco Unified Communications Manager and Manager Express, Cisco Unity® solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco Unified Communications for more than seven years. He holds a bachelor of technology degree as well as Cisco CCIE® Voice (#18500), CCNP® Voice, and CCNA® certifications and VMware VCP5 and Red Hat RHCE certifications.
Abhijit Singh Anand is a network consulting engineer with the Cisco Advanced Services field delivery team in New Delhi. His current role involves designing, implementing, and optimizing large-scale collaboration solutions for enterprise and defense customers. He has also been an engineer at the Cisco TAC. Having worked on multiple technologies including wireless and LAN switching, he has been associated with Cisco Unified Communications technologies since 2006. He holds a master’s degree in computer applications and multiple certifications, including CCIE Voice (#19590), RHCE, and CWSP and CWNP.
Remember to use the rating system to let Aashish and Abhijit know if you have received an adequate response.
Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation on the Cisco Support Community Collaboration, Voice and Video page, in the Jabber Clients subcommunity, shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Hi Marcelo,
Yes, there are some requirements for certificates in Expressway.
Expressway Core (Exp-C)
- Can be signed by either External or Internal CA
- Better to use a cluster name even if you start with 1 peer in Exp-C cluster. In the future, if more peers are added, changes would be minimal.
- Better to use FQDN of cluster as CN of certificate, this way the traversal zone configuration on Expressway-E won't require any change even if new peers are added to Exp-C cluster.
- If CUCM is mixed mode, include security profile names (in FQDN format) as Subject Alternate Names
- The Chat Node Aliases that are configured on the IM and Presence servers. They will be required only for Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note that Unified Communications XMPP federation will be supported in a future Expressway release). The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM&P servers.
- For TLS b/w CUCM, IM-P & Exp-C
+ If using self-signed certificates on CUCM, IM/P, load Cisco Tomcat, cup, cup-xmpp certificates from IM-P on Exp-C. Load callmanager, Cisco Tomcat certificates from CUCM on Exp-C.
+ If using Internal CA signed certificates on CUCM, IM/P, load Root CA certificates on Exp-C.
+ Load CA certificate under tomcat-trust, cup-trust, cup-xmpp-trust on IM-P.
+ Load CA certificate under tomcat-trust, callmanager-trust on CUCM.
Expressway Edge (Exp-E)
- Signed by External CA
- Configured Unified Communications domain as Subject Alternate Name
- If using a cluster, select FQDN of this peer as CN and FQDN of Cluster + this peer as Subject Alternate Name.
- If XMPP federation is being deployed, enter the same Chat Node Aliases as entered in Exp-C.
For more details, please refer to the Certificate Creation Guide for Cisco Expressway x8.1.1
http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
- Aashish -
Web Authentication with RSA SecureID on a Cisco Switch
Hi,
I've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecureID via Radius
I've already managed to link it in for ssh access
but I've not managed to get it working for http / web access to the switch
I think this is because we're using "single use" tokens for maximum security with RSA SecureID
and the web interface attempts to authenticate multiple times against the Radius part of the RSA SecureID server
(okay on the first authentication, but each time after it's going to want a different token code)
I was wondering if anyone knew a way around this? (if there's a way to get the switch to just authenticate once instead of multiple times against the radius server)
For info the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2
Hello Chris,
Can you test the following configuration?
aaa group server radius webtac_grp
 server
 cache expiry 1
 cache authorization profile httpauth
 cache authentication profile httpauth
aaa authentication login httpauth cache webtac_grp group webtac_grp
aaa authorization exec httpauth cache webtac_grp group webtac_grp
aaa authorization network httpauth cache webtac_grp group webtac_grp
aaa cache profile httpauth
 all
ip http server
ip http authentication aaa login-authentication httpauth
ip http authentication aaa exec-authorization httpauth
radius-server host key ******
I know for sure the above configuration works when using TACACS+ instead of RADIUS in order to avoid the multiple prompts due to the JAVA Applets authentication when accessing the IOS GUI. I have not tested it against RSA acting as backend Authentication server.
NOTE: As "aaa authorization exec" is configured the RSA should be sending Attribute Service-Type with value Administrative for it to work as expected.
If this was helpful please rate.
Regards. -
Slow connection in one server if accessing through Cisco ACE
Hi,
Good day. Can someone help me with my problem? I have 3 servers: server1, server2 and server3. When one PC accesses the server 3 application via Cisco ACE, it experiences a slow connection, but with direct access without Cisco ACE, it's fast. The connection of this PC through Cisco ACE and direct access have no issue.
What do I need to do in my configuration? Below is my configuration:
logging enable
logging timestamp
logging trap 7
logging buffered 7
logging monitor 7
logging host 167.81.126.5 udp/514
logging host 137.55.152.147 udp/514
resource-class SG_01
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 10.00 maximum equal-to-min
boot system image:c4710ace-mz.A3_2_0.bin
login timeout 30
peer hostname singapore-ace2
hostname singapore-ace1
interface gigabitEthernet 1/1
channel-group 14
no shutdown
interface gigabitEthernet 1/2
channel-group 14
no shutdown
interface gigabitEthernet 1/3
channel-group 14
no shutdown
interface gigabitEthernet 1/4
channel-group 14
no shutdown
interface port-channel 14
description ISOLAN-ACE-TRUNK
ft-port vlan 99
switchport trunk native vlan 1
switchport trunk allowed vlan 12,14,112
no shutdown
clock timezone SGT 8 0
ntp server 137.55.152.1
context Admin
member SG_01
access-list ALL line 8 extended permit ip any any
access-list ALL line 9 extended permit icmp any any
ip domain-name ysn.psg.philips.com
probe http singapore_01
description This probe used to monitor application url-app-script
interval 5
passdetect interval 5
request method get url /insiteserverstatus/insiteserverstatus.aspx
expect status 200 200
open 1
probe http singapore_02
description This probe used to monitor IIS-login-page
interval 5
passdetect interval 5
request method get url /InSiteLumiledsApplication/
expect status 200 200
open 1
probe icmp uplink
description This probe used in conjunction with ft track host
interval 2
faildetect 2
passdetect interval 3
parameter-map type connection PARAM_L4STICKY-IP
exceed-mss allow
rserver host sggysnysn1ms013
ip address 137.55.152.135
inservice
rserver host sggysnysn1ms014
ip address 137.55.152.136
inservice
rserver host sggysnysn1ms018
ip address 137.55.152.145
inservice
serverfarm host PLI9058
probe singapore_01
probe singapore_02
rserver sggysnysn1ms013
inservice
rserver sggysnysn1ms014
inservice
rserver sggysnysn1ms018
inservice
sticky ip-netmask 255.255.255.255 address both SG_GROUP_01
timeout 720
replicate sticky
serverfarm PLI9058
class-map type management match-any HTTPS-ALLOW_CLASS
class-map match-all L4STICKY-IP_141:ANY_CLASS
2 match virtual-address 137.55.152.141 any
class-map type http loadbalance match-any NO_MS018
50 match source-address 137.55.155.31 255.255.254.0
class-map type management match-any SSH-ALLOW_CLASS
2 match protocol ssh source-address 167.81.124.0 255.255.255.192
3 match protocol ssh source-address 167.81.126.0 255.255.255.192
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match L7PLBSF_STICKY-NETMASK_POLICY
class class-default
sticky-serverfarm SG_GROUP_01
insert-http X-Forwarded-For header-value "%is"
policy-map multi-match PLI9058-VIPs_POLICY
class L4STICKY-IP_141:ANY_CLASS
loadbalance vip inservice
loadbalance policy L7PLBSF_STICKY-NETMASK_POLICY
loadbalance vip icmp-reply
connection advanced-options PARAM_L4STICKY-IP
interface vlan 12
description Client-side vlan
bridge-group 1
no normalization
mac-sticky enable
access-group input ALL
access-group output ALL
service-policy input PLI9058-VIPs_POLICY
no shutdown
interface vlan 14
ip address 137.55.152.236 255.255.255.248
peer ip address 137.55.152.237 255.255.255.248
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 112
description Server-side vlan
bridge-group 1
no normalization
access-group input ALL
access-group output ALL
nat-pool 1 137.55.152.141 137.55.152.141 netmask 255.255.255.192 pat
no shutdown
interface bvi 1
ip address 137.55.152.189 255.255.255.192
alias 137.55.152.188 255.255.255.192
peer ip address 137.55.152.190 255.255.255.192
description Bridge-Group 1 Virtual Interface
no shutdown
ft interface vlan 99
ip address 192.168.1.1 255.255.255.252
peer ip address 192.168.1.2 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 100
heartbeat count 10
ft-interface vlan 99
ft group 1
peer 1
priority 150
peer priority 50
associate-context Admin
inservice
ft track host test1
track-host 137.55.152.234
peer track-host 137.55.152.235
peer probe uplink priority 50
probe uplink priority 50
ip route 0.0.0.0 0.0.0.0 137.55.152.233
Hi Earsdale,
All the three servers are using the same configuration, so, I'm afraid it's not possible to give you a simple answer. You will need more troubleshooting.
I would recommend you to start by checking the differences between the servers because one of those differences is certainly causing the failure.
Also, it would be helpful to get traffic captures on the TenGig interface of the ACE to compare the behavior of the connection when going to the different servers, as well as the differences when being load-balanced vs accessing the server directly.
If you need help with this troubleshooting, you can always open a TAC service request.
Regards
Daniel -
Unable to Telnet / SSH to a particular cisco switch
Hello,
I have an unusual issue that I just can't seem to track down. We have a Windows Server 2008 R2 box that is unable to telnet or ssh to one switch in our network.
Server IP: 10.0.0.74
Cisco Switch IP: 10.1.0.7
I am able to access all other switches/routers on the 10.1.0.x network, but not this one. I ping and tracert by ip address and name.
We have a number of other servers on our network and they all can access this switch.
Example:
a. 10.0.0.73 can telnet/ssh to 10.1.0.7
b. 10.0.0.72 can telnet/ssh to 10.1.0.7
c. 10.0.0.50 can telnet/ssh to 10.1.0.7
d. My workstation (10.0.250.213) can telnet/ssh to 10.1.0.7
If anyone can help with troubleshooting further, I would greatly appreciate it.
Thanks for the reply Philippe! Here is the route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.2 10.0.0.74 266
10.0.0.0 255.255.0.0 On-link 10.0.0.74 266
10.0.0.74 255.255.255.255 On-link 10.0.0.74 266
10.0.255.255 255.255.255.255 On-link 10.0.0.74 266
10.10.0.0 255.255.0.0 On-link 10.0.0.74 266
10.10.0.74 255.255.255.255 On-link 10.0.0.74 266
10.10.255.255 255.255.255.255 On-link 10.0.0.74 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.0.0.74 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.0.0.74 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.0.0.2 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Firewall is disabled and there is no active antivirus. I'm pretty sure port blocking is not the issue. I am able to ssh and telnet from this box to every other switch/router in our network.
This server has Solarwinds on it and tracks the health of our network (servers, routers, switches, ups, etc.). The only reason we noticed an issue is because it stopped backing up the config for this particular switch. All other switches'/routers' config is backed up to this server every morning at 2:00AM.
With solarwinds, this server is also able to communicate with this switch via snmp / icmp and ping.
Thanks again for the help! -
Good day,
Has anyone experienced this before? I am using Cisco ACS 5.2. I have a very simple word (no, not cisco ) for my tacacs-server key. I've used the same key within the ACS and on two other Cisco switches, and AAA is working fine between the two switches; however, in setting up the key via the ACS and on a third Cisco switch and using PuTTY, I'm getting the error of "Access Denied. Using keyboard-interactive authentication."
I've re-entered the simple tacacs key multiple times within the ACS and on the switch making sure to not fat finger or misspell it.
I don't think there is a problem with the AAA setup I have within the switches as all of the AAA configs are the same on every switch we have.
Any other possible ideas anyone can suggest?
Cliffs:
-tacacs-server key is a simple key and is the same for every switch and within ACS
-AAA config is the same on every switch, so I do not believe it to be a AAA config issue
-Running config on switch that is not working is pretty much the same as the other two working switches
Any advice is greatly appreciated.
Thanks,
Y
Hi, and thank you for your reply back; however, when I got into the Authentication logs, I see nothing, like it's not even logging the failed attempts.
-
Management port in Cisco Switches (are they really physical port)
Hi all,
I have been taught to console into my cisco switch for configurations through console cable + putty (serial terminal).
Then I have been taught to configure a management ip and gateway on the cisco switch.
Switch# conf t
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.1.11 255.255.255.0
Switch(config-if)# no shut
Switch(config-if)# exit
Switch(config)# ip default-gateway 192.168.1.1
All the while, I thought this is the way to remote in to the switch via putty/telnet through the network to configure the switch, until I saw the picture below (cisco catalyst 2960)
=======================================
There is a physical port called ethernet management port. What is it? What is the difference between this port and the earlier example of setting a management ip in VLAN 1?
If I set an IP on this particular interface and I ssh in, will I see the same screen/display/console from the earlier example in which I set a management ip in VLAN1 and I ssh in?
Regards,
Noob
Hi Leo,
Sorry if you find it hard to explain to me.
I have understood to think of the ethernet management port as a separate entity from the original switch.
Maybe with the help of the diagram below, can you let me know if I have understood correctly?
*please assume connected port is a management port separated from the normal switch ports
q1) does the ethernet management port need to be connected to another switch?
I have thought of it as a device on the network and it is mentioned by you previously that it will be connected to a switch
"he traffic goes up the cable connected to the Management port and up a switch. Now that switch holds all the information because it is a switch. "
q2) In the current setup then, terminal B will be able to access the management port - am I right?
q3) you mentioned that the management port is not able to set any gateway, (which is the router fe0/5 - 192.168.0.3 in my illustration), in that case do you mean that terminal A will not be able to access the management port remotely and it can only be accessible locally?
Please do correct me if my understanding is wrong.
Thank you so much for your advice.
Regards,
Noob -
Configuring VLANs on Cisco switches - help on basics please!
Hi people.
I'm buying Cisco switches to my home lab to practice VLAN and have some doubts, would someone kindly help me?
I'm thinking of buying two 300 series switches for the servers (VMware boxes), configure two separate VLANs for VMs and two other VLANs for desktop computers, in order to simulate a small office with a datacenter and two floors (one VLAN for each floor).
I presume that the connection between each floor switch and the 300 series core switch will be via trunk mode on both, not access port mode, is that correct?
Another question: for the desktop switches, the ports that are going to connect to the desktops (which runs windows with non-vlan tagging aware nic), will be configured with the correct VLAN, and the operating system will just communicate normally as if there was no VLAN tag on the frames?
Since I need inter-vlan routing only on the core switch (the 300 series), for the desktops switches I can purchase some 200 series, right?
And the last question: presuming that I configure a third VLAN and add a third floor switch, but this time a 100 series switch that is not VLAN capable, so connecting this switch to the 300 switch, will it work, or not?
Thank you!
Hi! Thanks for the rapid answers!
I have a couple more based on the same questions:
I presume that the connection between each floor switch and the 300 series core switch will be via trunk mode on both, not access port mode, is that correct? - Yes, trunk links are required to carry multiple vlans.
So, I could also use multiple links with LAG/LACP carrying all vlans between switches?
And the last question: presuming that I configure a third VLAN and add a third floor switch, but this time a 100 series switch that is not VLAN capable, so connecting this switch to the 300 switch, will it work, or not? - Yes, but make sure that link between these two switches should be an access link, i.e. must carry only third vlan.
So, If I understand correctly, if having one vlan per floor in an office building, for economical reasons you could deploy simple non-managed and non-vlan capable switches, and in the data center, a core switch with the vlans configured for each floor?
And viewing from a technical perspective, what would be the advantages of deploying in each floor a vlan capable switch configured with the correct vlan?
And which method mentioned above is more commonly deployed for endpoint floor switches?
Thanks! -
Linksys SRW 224G4, Cisco Catalyst 3650G and management via trunk
I have a couple of Linksys SRW 224G4 and SRW 2024 connected together with Cisco C3650 switches. For my part of the network VLAN100 is used as administrative vlan and VLAN1 as default (on trunks or unused ports).
Although most of the switches work fine, on all older models of SRW224G4 (hw 1.0, various firmware versions) there is no connectivity to management utilities (also ping won't work) via trunk (where of course VLAN100 is present). At the same time there is no problem with access on "local" ports (assigned to VLAN100) and there are no problems with traffic on VLAN 100 along the network.
For example:
Two computers (A and B), two switches (sw1 - old SRW224G4 and sw2 - Cisco switch), are connected as follow:
A--VLAN100--sw1--TRUNK--sw2--VLAN100--B
Switches have VLAN100 as management VLAN, computers are connected to access ports (untagged).
A has access to management on sw1 and sw2 and connectivity with B
B has access to management on sw2 and connectivity with B but has no access to management on sw1...
If sw1 and sw2 are same, old SRW224G4 - everything works fine.
Newer versions of SRW224G4, SRW2024 and SLM2024 work OK.
Why doesn't it work?
Thanks for your attention.
I don't think there is a difference between the old and new versions of the SRW224G4 unless there is a reported case of firmware problem with the said switch. As you have said, you also tested the new version of SRW224G4 and other models of these managed switches and they seemed to work. I suggest totally resetting the said switch, making sure you updated to the latest firmware version and making the necessary VLAN configurations.
Other than these, I suggest contacting Cisco Tech support to further look into your concern. I believe this unit belongs to the business series devices that Cisco is now supporting. Try to go to this link for the other business series devices and the site where you can get hold of Cisco for support:
http://www.cisco.com/web/products/linksys/index.html -
Dear All,
I try to configure in both Clean Access Manager and Switch 3560E-24Ps on SNMP Version 2 protocol but I can't make it work together (For CAM and Switch 3560G-48Ps I can do that). Please give me any suggestion to solve that problem. All configuration is as below:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/412_cam_book.html
-
NPS Discarding RADIUS request from Cisco switch (802.1x)
Last few weeks I've been busy to get the following to work:
- Cisco 2960 switch as the supplicant
- Another Cisco 2960 as the authenticator switch
- The supplicant is only able to send MS-EAP MS-ChapV2 requests
- The NPS server is Windows 2008 R2 (and also tested on 2012 R2)
This is called "NEAT" by Cisco; which does seem to work with Cisco ISE (http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html)
but I'd like to get it to work with Windows NPS.
Within NPS I've setup the following Connection Request policy:
- NAS Port Type: Ethernet
I'm using the following Network Policy:
- User Group: DOMAIN\Switches (the useraccount used by the switch is part of this group)
- NAS Port Type: Ethernet
- Authentication Type: EAP
Now the request sent by the switch is discarded. The actual error is the following (excluded irrelevant information):
User:
Account Name: Rotterdam-Switch-8-1
Account Domain: DOMAIN
Authentication Details:
Connection Request Policy Name: Secure Wired Connections
Network Policy Name: Switches Allowed
Authentication Provider: Windows
Authentication Server: SERVER.DOMAIN.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
Wireshark on the NPS server shows:
1. The RADIUS Access-Request (1) being received by the NPS Server
2. The NPS Server sending out a RADIUS Access-Challenge (11) to the authenticator switch
3. Another RADIUS Access-Request (1) is being received by the NPS Server
Packet 2 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 1 (Challenge)
Packet 3 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 2 (Response)
I've also tried the following:
- I've also tested with an invalid username/password. The request is correctly denied.
- I've also tested by adding ALL EAP Types as a condition to the Network Policy. The request isn't picked up by this policy anymore.
Any help would be greatly appreciated, of course.
Kind regards,
Peter
It only took like.. uhm.. forever.. but there's an answer which is "OK ish..".
Cisco 2960 switches support EAP-MSCHAP; but it seems that NPS only supports EAP-MSCHAP for VPN connections and not for Wired/Wireless authentication. Something to do with inner and outer methods and NPS requiring PEAP as an outer method for Wired/Wireless authentication.
End result is that both the Cisco switches and NPS do support EAP-MD5. Though it's definitely not as secure (at all), it's definitely a step in the right direction and it's something that we'll be implementing.
Now, it seems that NPS doesn't support EAP-MD5 (which is supposedly deprecated), but it's possible to re-enable it using the following articles:
http://support.microsoft.com/kb/922574/en-us
Microsoft mentioned to me that "Though this article says it applies to Windows Vista only, it does apply to Server 2008R2 as well. Also I would suggest you the following link:
http://support.microsoft.com/kb/981190"
Please note that you'll have to enable 'Store password using reversible encryption' on the accounts that will be used for NEAT authentication.
Although I would have hoped EAP-MSCHAPv2 would work, I feel I do need to clarify that I understand Microsoft's point of view on this as well. They feel EAP methods without PEAP are simply not safe; which is understandable, especially for EAP-MD5 which could be sniffed using a hub/repeater/etc.
Kind regards,
Peter
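The exchange described in the thread above (an Access-Challenge and an Access-Request each carrying EAP-Message(79) with EAP type 26, MS-CHAPv2-ID 2 and OpCode 1 or 2) can be checked from a capture with a small parser. This is an added example, not part of the original posts: the function names are hypothetical, and the sample packets are constructed with zeroed authenticator, challenge and response fields.

```python
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
MSCHAP_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
TLS_BASED = {13, 21, 25}  # EAP-TLS, EAP-TTLS, PEAP: outer methods protected by TLS

def parse_radius_eap(pkt: bytes) -> dict:
    """Summarise the EAP payload carried in one RADIUS packet (UDP payload bytes)."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    eap, pos = b"", 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        if pkt[pos] == 79:  # EAP-Message; multiple attributes are concatenated in order
            eap += pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    out = {"radius": RADIUS_CODES.get(code, str(code)), "eap_type": None,
           "tls_based": None, "opcode": None, "mschap_id": None}
    if len(eap) >= 5 and eap[0] in (1, 2):  # only EAP Request/Response carry a type
        out["eap_type"] = EAP_TYPES.get(eap[4], str(eap[4]))
        out["tls_based"] = eap[4] in TLS_BASED
        if eap[4] == 26 and len(eap) >= 7:  # EAP-MSCHAPv2: OpCode, then MS-CHAPv2-ID
            out["opcode"] = MSCHAP_OPCODES.get(eap[5], str(eap[5]))
            out["mschap_id"] = eap[6]
    return out

def build_radius(code: int, eap: bytes) -> bytes:
    """Constructed test packet: zero authenticator, one EAP-Message attribute."""
    attrs = bytes([79, len(eap) + 2]) + eap
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

def build_eap_mschapv2(eap_code: int, opcode: int, value: bytes) -> bytes:
    """Constructed EAP type 26 packet with MS-CHAPv2-ID 2, as in the thread."""
    body = bytes([opcode, 2]) + struct.pack("!H", 4 + len(value)) + value
    return struct.pack("!BBHB", eap_code, 2, 5 + len(body), 26) + body

# Constructed samples mirroring packets 2 and 3 of the capture described above.
SAMPLE_CHALLENGE = build_radius(11, build_eap_mschapv2(1, 1, bytes([16]) + bytes(16) + b"NPS"))
SAMPLE_RESPONSE = build_radius(1, build_eap_mschapv2(2, 2, bytes([49]) + bytes(49) + b"switch"))

if __name__ == "__main__":
    for name, pkt in (("packet 2", SAMPLE_CHALLENGE), ("packet 3", SAMPLE_RESPONSE)):
        print(name, parse_radius_eap(pkt))
```

A result with `tls_based` false and an `eap_type` of EAP-MSCHAPv2 or MD5-Challenge means the credential exchange is visible on the wire rather than wrapped in PEAP, which is the condition the posts above discuss.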