Access to Cisco Switch Modbus Register Map? via Modbus TCP or Modbus RTU

Hello Folks, I have been trying to find out how to access the Modbus Register Map(s) of Cisco switches; of particular interest is that of an IE 3000, as it is DIN rail mountable (but models 2960s and 3560s are also of interest).  A Google search for: Cisco Switch Modbus TCP results in (if I may) how to configure a Cisco 2520 to do what I am trying to do.  I would be very grateful for any hints anybody might have.  Thanks

Though I am not familiar with the specific drives in question, I have used Modbus/TCP in LabVIEW a few times recently.
As the previous posters pointed out, there are a couple of VI libraries available.  LabVIEW 2014 added Modbus VI's with the DSC and LabVIEW Real-Time.  The others you would have to get and add in yourself.
Another option is to use LabVIEW I/O Servers; as long as you have DSC or Real-Time, you can create Modbus I/O Servers as library items and deploy to a target.  You don't get as much direct control in this way (and may run into difficulties if you need them to be field-configurable and do not have DSC) and use bound network shared variables, but they are very fast and easy to set up and I have yet to have any issues with using them in my applications.
A tutorial on setting up a Modbus I/O Server: http://www.ni.com/tutorial/13911/en/
A tidbit on deciding between Modbus VI's and a Modbus I/O Server: http://zone.ni.com/reference/en-XX/help/370622M-01/lvmve/choose_modbus_ioserver_vi/
As for using an Ethernet switch to connect multiple devices, I have used this approach many times to simultaneously connect and control numerous PC's, real-time controllers, and drives without issue.  I would not expect there to be any problems unless you have extenuating circumstances.  In fact, if you only have one network interface on your device at the moment, I would recommend against adding a second, as this would mean that you / your controller would have to be extra aware of which interface everything is assigned to go through.

Similar Messages

  • Cisco switches and virtual ip address(load balancing address) on xenapp portals

    Hi, I am quite new to configuring Cisco switches and stumbled across an issue after installing XenApp 7.6 with a load-balanced portal to the ddc`s.
    It seems I can only ping or get access to the portal from other subnets in my network if I use the real IP address behind the Cisco switch.
    I can ping ddc01 and ddc02 and connect to the portal with http without problem. However, when I try to access the load balancing address of the ddc`s
    it won't answer to ping or http.
    In the same subnet it is no problem connecting to the load balancing address of the ddc`s, but in locations on other subnets I can only access the real server IP,
    e.g.
    ddc01  192.168.1.4    ok ping and access behind cisco switch from subnets
    ddc02 192.168.1.5   ok to ping  access behind cisco switch from subnets
    load balancing for both ddc 192.168.1.6 not able to get answer or access from subnets, only in same subnet
    Is there any way to configure the switch to access the load balancing address of the ddc`s?
    Regards
    Pål Arne Røberg

    Wrong forum. This forum is dedicated to feedback related to CSC framework itself. You should not wish for response here.
    Moved by moderator, no longer apply.

  • How to map one modbus register to another modbus register in labview?

    How to map one modbus register to another modbus register in labview? For example, let 40001 equal to 30001. Thank you.
    Steven

    Hello Steven,
    Sorry, I was under the impression that you were using the complete Lookout development software (as opposed to just the Lookout Protocol Drivers). You cannot do any development (connections, mapping, etc.) with the Lookout Protocol Drivers (LPD). So, you were right. We have to do this in LabVIEW.
    I ain't sure how exactly the Modicon floats work, but assuming what you're saying is correct, in your LabVIEW VI(s) you would read the DataSocket item corresponding to 40yyy+1 first, and then write this value back to the DataSocket item corresponding to 40xxx. Similarly, you would read the DataSocket item corresponding to 40yyy and then write the value read back to the DataSocket item corresponding to 40xxx+1.
    A tip: I would at first make sure I have the OPC communication between LabVIEW and LPD working. Make sure you can read and write to the LPD registers via their DataSocket/OPC equivalents in LabVIEW. You can then implement the mapping as described above.
    Hope this helps,
    Khalid

  • Can't get read-only access to my switches via http

    I set up a couple of users for read-only access to our switches via their web browsers. I set this up in Network Assistant. However, when we try to log in, only a level 15 user is allowed to log in and there doesn't seem to be any way to change this.
    I know in Network Assistant, you can choose which user level you want, but I don't see any way to do it via the web interface.
    What am I missing here?

    Implementing security within a switching environment is less intuitive than in a router. Switches, by design, tend to recognize only two levels of administrative access - user exec mode or privileged exec mode. Implementation of security at different access levels, level 15, etc, can be tricky and should be done at the command prompt, not in the GUI.
    You should reset your config and do not use Network Assistant for this purpose; it is "buggy."

  • Cisco switches 3560 need manual reboot after power outages

    Hi everyone,
    In Africa we have a lot of power outages.
    Working at a very big company with more than 300 switches can be challenging if you have to bring them up by manually rebooting a few of them on the property.
    The switches are directly connected via fiber using LH/LX SFP connectors to a 4500 Core switch which is on a UPS and does not go down during the outage; only the access layer switches will then need manual reboot....
    Please assist in having a permanent fix on this issue.
    Thank you very much in advance.

    @hdussa:
    Here is the output :
    sh boot
    BOOT path-list      : flash:c3560-ipbase-mz.122-35.SE5/c3560-ipbase-mz.122-35.SE5.bin
    Config file         : flash:/config.text
    Private Config file : flash:/private-config.text
    Enable Break        : no
    Manual Boot         : no
    HELPER path-list    :
    Auto upgrade        : yes
    Auto upgrade path   :
    ===================================================================================================
    SW1#sh  dir flash:
    Directory of flash:/
        2  -rwx        5436  Nov 21 2013 13:08:49 +00:00  vlan.dat
        3  -rwx        4749  Oct 10 2013 09:08:45 +00:00  config.text
        4  -rwx           5  Oct 10 2013 09:08:45 +00:00  private-config.text
        5  drwx         512   Mar 1 1993 00:10:16 +00:00  c3560-ipbase-mz.122-35.SE5
    27998208 bytes total (18636800 bytes free)
    ===================================================================================================
    SW1#sh ver
    Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Thu 19-Jul-07 18:15 by nachen
    Image text-base: 0x00003000, data-base: 0x01100000
    ROM: Bootstrap program is C3560 boot loader
    BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(35r)SE2, RELEASE SOFTWARE (fc1)
    SW1 uptime is 1 week, 1 day, 8 hours, 42 minutes
    System returned to ROM by power-on
    System restarted at 09:58:40 UTC Mon Feb 10 2014
    System image file is "flash:c3560-ipbase-mz.122-35.SE5/c3560-ipbase-mz.122-35.SE5.bin"
    cisco WS-C3560-8PC (PowerPC405) processor (revision A0) with 122880K/8184K bytes of memory.
    Processor board ID FOC1315V4LS
    Last reset from power-on
    3 Virtual Ethernet interfaces
    8 FastEthernet interfaces
    1 Gigabit Ethernet interface
    The password-recovery mechanism is enabled.
    512K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address       : 00:25:46:DE:1F:00
    Motherboard assembly number     : 73-10612-07
    Power supply part number        : 341-0207-01
    Motherboard serial number       : FOC13152YLK
    Power supply serial number      : LIT13060H65
    Model revision number           : A0
    Motherboard revision number     : C0
    Model number                    : WS-C3560-8PC-S
    System serial number            : FOC1315V4LS
    Top Assembly Part Number        : 800-28131-01
    Top Assembly Revision Number    : E0
    Version ID                      : V01
    CLEI Code Number                : COM8C00ARA
    Hardware Board Revision Number  : 0x01
    Switch   Ports  Model              SW Version              SW Image           
    *    1   9      WS-C3560-8PC       12.2(35)SE5             C3560-IPBASE-M     
    Configuration register is 0xF
    SW1#
    Please let me know if you need same output for another switch posing the same problem.
    Thank you very much.

  • Ask the Expert: Plan, Design, and Implement Mobile Remote Access, the Cisco Collaboration Edge Architecture

    Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about planning, designing, and implementing mobile remote access (Cisco Collaboration Edge Architecture) with Cisco subject matter experts Aashish Jolly and Abhijit Anand.
    Cisco Collaboration Edge Architecture is an architecture that provides VPN-less access of Cisco Unified Communications resources to Cisco Jabber® users. This discussion is dedicated to addressing questions about design best practices while implementing mobile remote access.
    For more information, refer to the Unified Communications Mobile and Remote Access via Cisco VCS deployment guide. 
    Aashish Jolly is a network consulting engineer who is currently serving as the Cisco Unified Communications consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center (TAC), where he helped Cisco partners with installation, configuring, and troubleshooting Cisco Unified Communications products such as Cisco Unified Communications Manager and Manager Express, Cisco Unity® solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco Unified Communications for more than seven years. He holds a bachelor of technology degree as well as Cisco CCIE® Voice (#18500), CCNP® Voice, and CCNA® certifications and VMware VCP5 and Red Hat RHCE certifications.
    Abhijit Singh Anand is a network consulting engineer with the Cisco Advanced Services field delivery team in New Delhi. His current role involves designing, implementing, and optimizing large-scale collaboration solutions for enterprise and defense customers. He has also been an engineer at the Cisco TAC. Having worked on multiple technologies including wireless and LAN switching, he has been associated with Cisco Unified Communications technologies since 2006. He holds a master’s degree in computer applications and multiple certifications, including CCIE Voice (#19590), RHCE, and CWSP and CWNP.
    Remember to use the rating system to let Aashish and Abhijit know if you have received an adequate response. 
    Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation on the Cisco Support Community Collaboration, Voice and Video page, in the Jabber Clients subcommunity, shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hi Marcelo,
       Yes, there are some requirements for certificates in Expressway.
    Expressway Core (Exp-C)
    - Can be signed by either External or Internal CA
    - Better to use a cluster name even if you start with 1 peer in Exp-C cluster. In the future, if more peers are added, changes would be minimal.
    - Better to use FQDN of cluster as CN of certificate, this way the traversal zone configuration on Expressway-E won't require any change even if new peers are added to Exp-C cluster.
    - If CUCM is mixed mode, include security profile names (in FQDN format) as Subject Alternate Names
    - The Chat Node Aliases that are configured on the IM and Presence servers. They will be required only for Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note that Unified Communications XMPP federation will be supported in a future Expressway release). The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM&P servers.
    - For TLS b/w CUCM, IM-P & Exp-C
      + If using self-signed certificates on CUCM, IM/P. Load Cisco Tomcat, cup, cup-xmpp certificates from IM-P on Exp-C. Load callmanager, Cisco Tomcat certificates from CUCM on Exp-C.
      + If using Internal CA signed certificates on CUCM, IM/P. Load Root CA certificates on Exp-C.
      + Load CA certificate under tomcat-trust, cup-trust, cup-xmpp-trust on IM-P.
      + Load CA certificate under tomcat-trust, callmanager-trust on CUCM.
    Expressway Edge (Exp-E)
    - Signed by External CA
    - Configured Unified Communications domain as Subject Alternate Name
    - If using a cluster, select FQDN of this peer as CN and FQDN of Cluster + this peer as Subject Alternate Name.
    - If XMPP federation is being deployed, enter the same Chat Node Aliases as entered in Exp-C.
    For more details, please refer to the Certificate Creation Guide for Cisco Expressway x8.1.1
    http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
    - Aashish
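
The certificate name requirements listed in the answer above, expressed as a check (an added example, not part of the original post and not Cisco code). It assumes the certificate has already been decoded into the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; all hostnames are constructed, and treating the peer FQDN as the CN of a non-clustered Exp-E is an assumption.

```python
# Added example, not Cisco code. Hostnames and certificate contents are constructed.
# Input dicts use the shape returned by ssl.SSLSocket.getpeercert().


def _rdn_value(name, key):
    """Return the first value of `key` in a getpeercert()-style name, or None."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def cert_names(cert):
    """Return (lower-cased CN or None, set of lower-cased DNS SAN entries)."""
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return (cn.lower() if cn else None), sans


def _missing_sans(sans, required, label):
    """One finding per required name that is absent from the SAN set."""
    return [f"SAN missing {label}: {n}" for n in required if n.lower() not in sans]


def check_exp_c(cert, cluster_fqdn, security_profiles=(), chat_node_aliases=()):
    """Findings for an Expressway-C certificate; an empty list means it matches."""
    cn, sans = cert_names(cert)
    findings = []
    if cn != cluster_fqdn.lower():
        findings.append(f"CN is {cn}, expected cluster FQDN {cluster_fqdn}")
    # Security profile names are only required when CUCM is in mixed mode.
    findings += _missing_sans(sans, security_profiles, "security profile name")
    # Chat node aliases are only required for XMPP federation with TLS and group chat.
    findings += _missing_sans(sans, chat_node_aliases, "chat node alias")
    return findings


def check_exp_e(cert, peer_fqdn, uc_domain, cluster_fqdn=None, chat_node_aliases=()):
    """Findings for an Expressway-E certificate; an empty list means it matches."""
    cn, sans = cert_names(cert)
    findings = []
    # subject == issuer means self-signed, so it cannot be signed by an external CA.
    # This check cannot tell an internal CA from a public one; that needs the chain.
    if cert.get("subject") and cert.get("subject") == cert.get("issuer"):
        findings.append("certificate is self-signed, Exp-E needs an external CA")
    if cn != peer_fqdn.lower():
        findings.append(f"CN is {cn}, expected peer FQDN {peer_fqdn}")
    findings += _missing_sans(sans, [uc_domain], "Unified Communications domain")
    if cluster_fqdn:
        # In a cluster, both the cluster FQDN and this peer's FQDN go in the SAN.
        findings += _missing_sans(sans, [cluster_fqdn, peer_fqdn], "cluster/peer FQDN")
    # Must carry the same chat node aliases as the Exp-C certificate.
    findings += _missing_sans(sans, chat_node_aliases, "chat node alias")
    return findings


# Constructed sample: an Exp-C certificate that satisfies the list.
EXP_C_CERT = {
    "subject": ((("commonName", "expc-cluster.example.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (
        ("DNS", "expc-cluster.example.com"),
        ("DNS", "secure-profile.example.com"),
        ("DNS", "chat1.example.com"),
    ),
}

# Constructed sample: an Exp-E certificate that is self-signed and lacks the
# UC domain, the cluster FQDN and the chat node alias.
EXP_E_CERT = {
    "subject": ((("commonName", "expe1.example.com"),),),
    "issuer": ((("commonName", "expe1.example.com"),),),
    "subjectAltName": (("DNS", "expe1.example.com"),),
}

if __name__ == "__main__":
    print(check_exp_c(EXP_C_CERT, "expc-cluster.example.com",
                      ["secure-profile.example.com"], ["chat1.example.com"]))
    for finding in check_exp_e(EXP_E_CERT, "expe1.example.com", "example.com",
                               cluster_fqdn="expe-cluster.example.com",
                               chat_node_aliases=["chat1.example.com"]):
        print(finding)
```
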

  • Web Authentication with RSA SecurID on a Cisco Switch

    Hi,
    I've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecurID via RADIUS
    I've already managed to link it in for ssh access
    but I've not managed to get it working for http / web access to the switch
    I think this is because we're using "single use" tokens for maximum security with RSA SecurID
    and the web interface attempts to authenticate multiple times against the RADIUS part of the RSA SecurID server
    (okay on the first authentication, but each time after it's going to want a different token code)
    I was wondering if anyone knew a way around this? (if there's a way to get the switch to just authenticate once instead of multiple times against the RADIUS server)
    For info the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2

    Hello Chris,
    Can you test the following configuration?
    aaa group server radius webtac_grp
     server
     cache expiry 1
     cache authorization profile httpauth
     cache authentication profile httpauth
    aaa authentication login httpauth cache webtac_grp group webtac_grp
    aaa authorization exec httpauth cache webtac_grp group webtac_grp
    aaa authorization network httpauth cache webtac_grp group webtac_grp
    aaa cache profile httpauth
     all
    ip http server
    ip http authentication aaa login-authentication httpauth
    ip http authentication aaa exec-authorization httpauth
    radius-server host key ******
    I know for sure the above configuration works when using TACACS+ instead of RADIUS in order to avoid the multiple prompts due to the JAVA Applets authentication when accessing the IOS GUI. I have not tested it against RSA acting as backend Authentication server.
    NOTE: As "aaa authorization exec" is configured the RSA should be sending Attribute Service-Type with value Administrative for it to work as expected.
    If this was helpful please rate.
    Regards.

  • Slow connection in one server if accessing through Cisco ACE

    Hi,
    Good day. Can someone help me with my problem? I have 3 servers: server1, server2 and server3. When one PC accesses the server 3 application via Cisco ACE, it experiences a slow connection, but when it accesses directly without Cisco ACE, it's fast. The connection of this PC through Cisco ACE and direct access have no issue.
    What do I need to do in my configuration? Below is my configuration:
    logging enable
    logging timestamp
    logging trap 7
    logging buffered 7
    logging monitor 7
    logging host 167.81.126.5 udp/514
    logging host 137.55.152.147 udp/514
    resource-class SG_01
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 10.00 maximum equal-to-min
    boot system image:c4710ace-mz.A3_2_0.bin
    login timeout 30
    peer hostname singapore-ace2
    hostname singapore-ace1
    interface gigabitEthernet 1/1
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/2
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/3
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/4
      channel-group 14
      no shutdown
    interface port-channel 14
      description ISOLAN-ACE-TRUNK
      ft-port vlan 99
      switchport trunk native vlan 1
      switchport trunk allowed vlan 12,14,112
      no shutdown
    clock timezone SGT 8 0
    ntp server 137.55.152.1
    context Admin
      member SG_01
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 9 extended permit icmp any any
    ip domain-name ysn.psg.philips.com
    probe http singapore_01
      description This probe used to monitor application url-app-script
      interval 5
      passdetect interval 5
      request method get url /insiteserverstatus/insiteserverstatus.aspx
      expect status 200 200
      open 1
    probe http singapore_02
      description This probe used to monitor IIS-login-page
      interval 5
      passdetect interval 5
      request method get url /InSiteLumiledsApplication/
      expect status 200 200
      open 1
    probe icmp uplink
      description This probe used in conjunction with ft track host
      interval 2
      faildetect 2
      passdetect interval 3
    parameter-map type connection PARAM_L4STICKY-IP
      exceed-mss allow
    rserver host sggysnysn1ms013
      ip address 137.55.152.135
      inservice
    rserver host sggysnysn1ms014
      ip address 137.55.152.136
      inservice
    rserver host sggysnysn1ms018
      ip address 137.55.152.145
      inservice
    serverfarm host PLI9058
      probe singapore_01
      probe singapore_02
      rserver sggysnysn1ms013
        inservice
      rserver sggysnysn1ms014
        inservice
      rserver sggysnysn1ms018
        inservice
    sticky ip-netmask 255.255.255.255 address both SG_GROUP_01
      timeout 720
      replicate sticky
      serverfarm PLI9058
    class-map type management match-any HTTPS-ALLOW_CLASS
    class-map match-all L4STICKY-IP_141:ANY_CLASS
      2 match virtual-address 137.55.152.141 any
    class-map type http loadbalance match-any NO_MS018
      50 match source-address 137.55.155.31 255.255.254.0
    class-map type management match-any SSH-ALLOW_CLASS
      2 match protocol ssh source-address 167.81.124.0 255.255.255.192
      3 match protocol ssh source-address 167.81.126.0 255.255.255.192
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match L7PLBSF_STICKY-NETMASK_POLICY
      class class-default
        sticky-serverfarm SG_GROUP_01
        insert-http X-Forwarded-For header-value "%is"
    policy-map multi-match PLI9058-VIPs_POLICY
      class L4STICKY-IP_141:ANY_CLASS
        loadbalance vip inservice
        loadbalance policy L7PLBSF_STICKY-NETMASK_POLICY
        loadbalance vip icmp-reply
        connection advanced-options PARAM_L4STICKY-IP
    interface vlan 12
      description Client-side vlan
      bridge-group 1
      no normalization
      mac-sticky enable
      access-group input ALL
      access-group output ALL
      service-policy input PLI9058-VIPs_POLICY
      no shutdown
    interface vlan 14
      ip address 137.55.152.236 255.255.255.248
      peer ip address 137.55.152.237 255.255.255.248
      service-policy input remote_mgmt_allow_policy
      no shutdown
    interface vlan 112
      description Server-side vlan
      bridge-group 1
      no normalization
      access-group input ALL
      access-group output ALL
      nat-pool 1 137.55.152.141 137.55.152.141 netmask 255.255.255.192 pat
      no shutdown
    interface bvi 1
      ip address 137.55.152.189 255.255.255.192
      alias 137.55.152.188 255.255.255.192
      peer ip address 137.55.152.190 255.255.255.192
      description Bridge-Group 1 Virtual Interface
      no shutdown
    ft interface vlan 99
      ip address 192.168.1.1 255.255.255.252
      peer ip address 192.168.1.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 100
      heartbeat count 10
      ft-interface vlan 99
    ft group 1
      peer 1
      priority 150
      peer priority 50
      associate-context Admin
      inservice
    ft track host test1
      track-host 137.55.152.234
      peer track-host 137.55.152.235
      peer probe uplink priority 50
      probe uplink priority 50
    ip route 0.0.0.0 0.0.0.0 137.55.152.233

    Hi Earsdale,
    All the three servers are using the same configuration, so, I'm afraid it's not possible to give you a simple answer. You will need more troubleshooting.
    I would recommend you to start by checking the differences between the servers because one of those differences is certainly causing the failure.
    Also, it would be helpful to get traffic captures on the TenGig interface of the ACE to compare the behavior of the connection when going to the different servers, as well as the differences when being load-balanced vs accessing the server directly.
    If you need help with this troubleshooting, you can always open a TAC service request
    Regards
    Daniel

  • Unable to Telnet / SSH to a particular cisco switch

    Hello,
    I have an unusual issue that I just can't seem to track down.  We have a Windows Server 2008 R2 box that is unable to telnet or ssh to one switch in our network.
    Server IP:  10.0.0.74
    Cisco Switch IP:  10.1.0.7
    I am able to access all other switches/routers on the 10.1.0.x network, but not this one.  I ping and tracert by ip address and name.
    We have a number of other servers on our network and they all can access this switch
    Example:  
    a.  10.0.0.73 can telnet/ssh to 10.1.0.7
    b.  10.0.0.72  can telnet/ssh to 10.1.0.7
    c.  10.0.0.50  can telnet/ssh to 10.1.0.7
    d.  My workstation (10.0.250.213) can telnet/ssh to 10.1.0.7
    If anyone can help with troubleshooting further, I would greatly appreciate it.

    Thanks for the reply Philippe!  Here is the route print
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0         10.0.0.2        10.0.0.74    266
             10.0.0.0      255.255.0.0         On-link         10.0.0.74    266
            10.0.0.74  255.255.255.255         On-link         10.0.0.74    266
         10.0.255.255  255.255.255.255         On-link         10.0.0.74    266
            10.10.0.0      255.255.0.0         On-link         10.0.0.74    266
           10.10.0.74  255.255.255.255         On-link         10.0.0.74    266
        10.10.255.255  255.255.255.255         On-link         10.0.0.74    266
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         10.0.0.74    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link         10.0.0.74    266
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0         10.0.0.2  Default
    ===========================================================================
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
      1    306 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    Firewall is disabled and there is no active antivirus.  I'm pretty sure port blocking is not the issue.  I am able to ssh and telnet from this box to every other switch/router in our network.
    This server has Solarwinds on it and tracks the health of our network (servers, routers, switches, ups, etc.).  The only reason we noticed an issue is because it stopped backing up the config for this particular switch.  All other switches'/routers' config is backed up to this server every morning at 2:00AM.
    With solarwinds, this server is also able to communicate with this switch via snmp / icmp and ping.
    Thanks again for the help!

  • Tacacs-server key working in some Cisco switches for AAA, but not in other switches???

    Good day,
    Has anyone experienced this before?  I am using Cisco ACS 5.2.  I have a very simple word (no, not cisco ) for my tacacs-server key.  I've used the same key within the ACS and on two other Cisco switches, and AAA is working fine between the two switches; however, in setting up the key via the ACS and on a third Cisco switch and using PuTTY, I'm getting the error of "Access Denied.  Using keyboard-interactive authentication."
    I've re-entered the simple tacacs key multiple times within the ACS and on the switch making sure to not fat finger or misspell it.
    I don't think there is a problem with the AAA setup I have within the switches as all of the AAA configs are the same on every switch we have.
    Any other possible ideas anyone can suggest? 
    Cliffs:
    -tacacs-server key is a  simple key and is the same for every switch and within ACS
    -AAA config is the same on every switch, so I do not believe it to be a AAA config issue
    -Running config on switch that is not working is pretty much the same as the other two working switches
    Any advice is greatly appreciated.
    Thanks,
    Y

    Hi, and thank you for your reply back; however, when I got into the Authentication logs, I see nothing, like it's not even logging the failed attempts.

  • Management port in Cisco Switches (are they really physical port)

    Hi all,
    I have been taught to console into my cisco switch for configurations through console cable + putty (serial terminal).
    Then I have been taught to configure a management ip and gateway on the cisco switch.
    Switch# conf t
    Switch(config)# interface vlan 1
    Switch(config-if)# ip address 192.168.1.11 255.255.255.0
    Switch(config-if)# no shut
    Switch(config-if)# exit
    Switch(config)# ip default-gateway 192.168.1.1
    All the while, I thought this was the way to remote in to the switch via putty/telnet through the network to configure the switch, until I saw the picture below (Cisco Catalyst 2960)
    =======================================
    There is a physical port called the ethernet management port.  What is it?  What is the difference between this port and the earlier example of setting a management IP in VLAN 1?
    If I set an IP on this particular interface and I ssh in, will I see the same screen/display/console as in the earlier example in which I set a management IP in VLAN 1 and I ssh in?
    Regards,
    Noob

    Hi Leo,
    Sorry if you find it hard to explain to me.
    I have understood to think of the ethernet management port as a separate entity from the original switch.
    Maybe with the help of the diagram below, can you let me know if i have understood correctly ?
    *please assume connected port is a management port separated from the normal switch ports
    q1) does the ethernet management port need to be connected to another switch ?
    I have thought of it as a device on the network and it is mentioned by you previously that it will be connected to a switch
    "he traffic goes up the cable connected to the Management port and up a switch.  Now that switch holds all the information because it is a switch.  "
    q2) In the current setup then, terminal B will be able to access the management port - am i right ?
    q3) you mentioned that the management port is not able to set any gateway, (which is the router fe0/5 - 192.168.0.3 in my illustration), in that case do you mean that terminal A will not be able to access the management port remotely and it can only be accessible locally ?
    Please do correct me if my understanding is wrong.
    Thank you so much for your advice.
    Regards,
    Noob

  • Configuring VLANs on Cisco switches - help on basics please!

    Hi people.
    I'm buying Cisco switches to my home lab to practice VLAN and have some doubts, would someone kindly help me?
    I'm thinking of buying two 300 series switches for the servers (VMware boxes), configure two separate VLANs for VMs and two other VLANs for desktop computers, in order to simulate a small office with a datacenter and two floors (one VLAN for each floor).
    I presume that the connection between each floor switch and the 300 series core switch will be via trunk mode on both, not access port mode, is that correct?
    Another question: for the desktop switches, the ports that are going to connect to the desktops (which runs windows with non-vlan tagging aware nic), will be configured with the correct VLAN, and the operating system will just communicate normally as if there was no VLAN tag on the frames?
    Since I need inter-vlan routing only on the core switch (the 300 series), for the desktops switches I can purchase some 200 series, right?
    And the last question: presuming that I configure a third VLAN and add a third floor switch, but this time a 100 series switch that is not VLAN capable, so connecting this switch to the 300 switch, will it work, or not?
    Thank you!

    Hi! Thanks for the rapid answers!
    I have a couple more based on the same questions:
    I presume that the connection between each floor switch and the 300 series core switch will be via trunk mode on both, not access port mode, is that correct? - Yes, trunk links are required to carry multiple vlans.
    So, I could also use multiple links with LAG/LACP carrying all vlans between switches?
    And the last question: presuming that I configure a third VLAN and add a third floor switch, but this time a 100 series switch that is not VLAN capable, so connecting this switch to the 300 switch, will it work, or not? - Yes, but make sure that link between these two switches should be an access link, i.e must carry only third vlan.
    So, If I understand correctly, if having one vlan per floor in an office building, for economical reasons you could deploy simple non-managed and non-vlan capable switches, and in the data center, a core switch with the vlans configured for each floor?
    And viewing from a technical perspective, what would be the advantages of deploying in each floor a vlan capable switch configured with the correct vlan?
    And which method mentioned above is more common deployed for endpoint floor switches?
    Thanks!

  • Linksys SRW 224G4, Cisco Catalyst 3650G and management via trunk

    I have a couple of Linksys SRW 224G4 and SRW 2024 connected together with Cisco C3650 switches. For my part of the network, VLAN100 is used as the administrative VLAN and VLAN1 as default (on trunks or unused ports).
    Although most of the switches work fine, on all older models of SRW224G4 (hw 1.0, various firmware versions) there is no connectivity to management utilities (also ping won't work) via trunk (where of course VLAN100 is present). At the same time there is no problem with access on "local" ports (assigned to VLAN100) and there are no problems with traffic on VLAN 100 along the network.
    For example:
    Two computers (A and B), two switches (sw1 - old SRW224G4 and sw2 - Cisco switch), are connected as follows:
    A--VLAN100--sw1--TRUNK--sw2--VLAN100--B
    Switches have VLAN100 as management VLAN, computers are connected to access ports (untagged).
    A has access to management on sw1 and sw2 and connectivity with B
    B has access to management on sw2 and connectivity with B but has no access to management on sw1...
    If sw1 and sw2 are same, old SRW224G4 - everything works fine.
    Newer versions of SRW224G4, SRW2024 and SLM2024 work OK.
    Why doesn't it work?
    Thanks for your attention.

    I don't think there is a difference between the old and new versions of the SRW224G4 unless there is a reported case of a firmware problem with the said switch. As you said, you also tested the new version of SRW224G4 and other models of these managed switches and they seemed to work. I suggest totally resetting the said switch, making sure you have updated to the latest firmware version and making the necessary VLAN configurations.
    Other than these, I suggest contacting Cisco Tech support to further look into your concern. I believe this unit belongs to the business series devices that Cisco is now supporting. Try to go to this link for the other business series devices and the site where you can get hold of Cisco for support:
    http://www.cisco.com/web/products/linksys/index.html

  • Please help me with communication between CLEAN ACCESS MANAGER and Switch 3560E-24Ps by SNMP

    Dear All,
    I am trying to configure both Clean Access Manager and Switch 3560E-24Ps for the SNMP Version 2 protocol, but I can't make them work together (for CAM and Switch 3560G-48Ps I can do that). Please give me any suggestion to solve that problem. All configuration is as below:

    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/412_cam_book.html

  • NPS Discarding RADIUS request from Cisco switch (802.1x)

    For the last few weeks I've been busy trying to get the following to work:
    - Cisco 2960 switch as the supplicant
    - Another Cisco 2960 as the authenticator switch
    - The supplicant is only able to send MS-EAP MS-ChapV2 requests
    - The NPS server is Windows 2008 R2 (and also tested on 2012 R2)
    This is called "NEAT" by Cisco; which does seem to work with Cisco ISE (http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html)
    but I'd like to get it to work with Windows NPS.
    Within NPS I've setup the following Connection Request policy:
    - NAS Port Type: Ethernet
    I'm using the following Network Policy:
    - User Group: DOMAIN\Switches (the useraccount used by the switch is part of this group)
    - NAS Port Type: Ethernet
    - Authentication Type: EAP
    Now the request sent by the switch is discarded. The actual error is the following (excluded irrelevant information):
    User:
    Account Name: Rotterdam-Switch-8-1
    Account Domain: DOMAIN
    Authentication Details:
    Connection Request Policy Name: Secure Wired Connections
    Network Policy Name: Switches Allowed
    Authentication Provider: Windows
    Authentication Server: SERVER.DOMAIN.local
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Reason Code: 1
    Reason: An internal error occurred. Check the system event log for additional information.
    Wireshark on the NPS server shows:
    1. The RADIUS Access-Request (1) being received by the NPS Server
    2. The NPS Server sending out a RADIUS Access-Challenge (11) to the authenticator switch
    3. Another RADIUS Access-Request (1) is being received by the NPS Server
    Packet 2 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 1 (Challenge)
    Packet 3 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 2 (Response)
    I've also tried the following:
    - I've also tested with an invalid username/password. The request is correctly denied
    - I've also tested by adding ALL EAP Types as a condition to the Network Policy. The request isn't picked up by this policy anymore.
    Any help would be greatly appreciated, of course.
    Kind regards,
    Peter

    It only took like.. uhm.. forever.. but there's an answer which is "OK ish..".
    Cisco 2960 switches support EAP-MSCHAP; but it seems that NPS only supports EAP-MSCHAP for VPN connections and not for Wired/Wireless authentication. Something to do with inner and outer methods and NPS requiring PEAP as an outer method for Wired/Wireless authentication.
    End result is that both the Cisco switches and NPS do support EAP-MD5. Though it's definitely not as secure (at all), it's definitely a step in the right direction and it's something that we'll be implementing.
    Now, it seems that NPS doesn't support EAP-MD5 (which is supposedly deprecated), but it's possible to re-enable it using the following articles.
    http://support.microsoft.com/kb/922574/en-us
    Microsoft mentioned to me that "Though this article says it applies to Windows Vista only, it does apply to Server 2008R2 as well. Also I would suggest you the following link:
    http://support.microsoft.com/kb/981190"
    Please note that you'll have to enable 'Store password using reversible encryption' on the accounts that will be used for NEAT authentication.
    Although I would have hoped EAP-MSCHAPv2 would work, I feel I do need to clarify that I understand Microsoft's point of view on this as well. They feel EAP methods without PEAP are simply not safe; which is understandable, especially for EAP-MD5 which could be sniffed using a hub/repeater/etc.
    Kind regards,
    Peter
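
Added example (not part of the thread above): a check that reads the EAP-Message (79) attributes of a RADIUS packet, as seen in the Wireshark description in the question, and flags EAP methods sent without a PEAP/TLS outer method, which is the concern raised in the answer. The function names and the sample packets are constructed for illustration; the type and opcode numbers are the registered RADIUS/EAP values.

```python
import struct

EAP_MESSAGE = 79  # RADIUS attribute type that carries EAP packets
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}
UNTUNNELED = {4, 26}  # password methods with no TLS outer method around them
MSCHAP_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def classify_eap(radius: bytes) -> dict:
    """Report the EAP method in one RADIUS packet and whether it is untunneled."""
    if len(radius) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", radius[:4])
    if not 20 <= length <= len(radius):
        raise ValueError("bad RADIUS length field")
    eap, pos = b"", 20  # attributes start after the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = radius[pos], radius[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        if a_type == EAP_MESSAGE:  # a long EAP packet spans several attributes
            eap += radius[pos + 2:pos + a_len]
        pos += a_len
    out = {"radius_code": code, "eap_type": None, "opcode": None, "untunneled": False}
    if len(eap) < 5 or eap[0] not in (1, 2):  # only Request/Response have a Type
        return out
    out["eap_type"] = EAP_TYPES.get(eap[4], f"type-{eap[4]}")
    out["untunneled"] = eap[4] in UNTUNNELED
    if eap[4] == 26 and len(eap) >= 6:  # OpCode follows the Type byte
        out["opcode"] = MSCHAP_OPCODES.get(eap[5], "unknown")
    return out

def sample(radius_code: int, eap_code: int, eap_type: int, body: bytes) -> bytes:
    """Constructed packet: zeroed authenticator, EAP split across two attributes."""
    eap = struct.pack("!BBHB", eap_code, 2, 5 + len(body), eap_type) + body
    parts = [eap[:4], eap[4:]]
    attrs = b"".join(bytes([EAP_MESSAGE, len(p) + 2]) + p for p in parts)
    return struct.pack("!BBH", radius_code, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed samples shaped like the exchange in the post (not a real capture)
CHALLENGE = sample(11, 1, 26, bytes([1, 2]))     # Access-Challenge, OpCode 1
RESPONSE = sample(1, 2, 26, bytes([2, 2]))       # Access-Request, OpCode 2
MD5 = sample(11, 1, 4, bytes([16]) + bytes(16))  # EAP-MD5 challenge
PEAP = sample(11, 1, 25, bytes([0x20]))          # PEAP with the Start flag set

if __name__ == "__main__":
    for name, pkt in [("challenge", CHALLENGE), ("response", RESPONSE),
                      ("md5", MD5), ("peap", PEAP)]:
        print(name, classify_eap(pkt))
```

A packet whose outermost EAP type is 25 (PEAP) reports untunneled as False, because any inner method then travels inside the TLS session and is not visible in the RADIUS attributes.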
