ACS 4.2 and dACL on Catalyst switches

Hello
I have ACS 4.2.0.124p14, a 3750-48PSS switch running 12.50.SE3 and a test PC running Windows XP. The PC is authenticated by MAB and the switch correctly downloads the dACL from ACS. But if the dACL contains more than ~10 lines, traffic is not passed through the port (the dACL is still downloaded correctly). Does anybody know why the traffic is blocked, how I can debug this, or whether there are any restrictions on dACL construction?
Regards,
Stanislav

This is what I understand: the port is getting authorized fine, the dACLs are being sent by the RADIUS server and are getting applied to the port concerned, but they are not taking effect. This is an ongoing issue; we have seen many cases of this.
As you said, if there are more than 10 lines then it does not work. In that case there is an internal bug on this: CSCsf14450: DACL not consistently downloaded to switch during MAB testing.
HTH
JK
Do rate helpful posts-
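
The following is an added example, not code from any post on this page, that models the two-step RADIUS exchange behind the dACL downloads discussed in this thread and in the ACS 5.1 and ISE dACL threads under Similar Messages. The switch authenticates the endpoint (MAB here), receives the dACL name in the Access-Accept, then sends a second Access-Request whose User-Name is that dACL name; ACS answers with the ACEs as cisco-av-pair ip:inacl#N values, or rejects the request with the 11025 message quoted below when the cisco-av-pair aaa:event=acl-download is absent, which is what happens until the switch is configured with radius-server vsa send authentication. Assumptions: the dACL catalogue, the MAB host table, the Service-Type value and the test addresses are constructed; the ACE matcher handles plain `ip` ACEs only (any, host, address plus wildcard).

```python
"""Model of a Catalyst switch pulling a downloadable ACL (dACL) from Cisco ACS.
Constructed example for this page, not ACS or IOS code. Attribute strings follow the
Cisco VSA syntax quoted in the thread (ACS:CiscoSecure-Defined-ACL, ip:inacl#N=...,
aaa:event=acl-download); the dACL catalogue, endpoint MAC and addresses are made up."""
import ipaddress
from dataclasses import dataclass, field

ACL_DOWNLOAD_EVENT = "aaa:event=acl-download"
MSG_11025 = ("11025 The Access-Request for the requested dACL is missing a cisco-av-pair "
             "attribute with the value aaa:event=acl-download. The request is rejected")

# Constructed ACS data: dACL name -> ACE lines as typed into ACS (no interface keywords)
DACLS = {
    "#ACSACL#-IP-Guest-4cfcc14d": [
        "deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log",
        "permit ip any any log",
    ],
}
# Constructed MAB table: MAC address (used as the MAB username) -> dACL to assign
MAB_HOSTS = {"00-23-AE-7A-58-A6": "#ACSACL#-IP-Guest-4cfcc14d"}


@dataclass
class Radius:
    code: str                                     # Access-Request / Access-Accept / Access-Reject
    attrs: dict = field(default_factory=dict)     # standard attributes, e.g. User-Name
    av_pairs: list = field(default_factory=list)  # cisco-av-pair values (vendor 9, type 1)


def acs(req: Radius) -> Radius:
    """ACS side: phase 1 authenticates the endpoint, phase 2 serves the ACL body by name."""
    user = req.attrs.get("User-Name", "")
    if user.startswith("#ACSACL#-"):
        if ACL_DOWNLOAD_EVENT not in req.av_pairs:      # the 11025 case from the thread
            return Radius("Access-Reject", {"Reply-Message": MSG_11025})
        if user not in DACLS:
            return Radius("Access-Reject", {"Reply-Message": "unknown dACL"})
        return Radius("Access-Accept",
                      av_pairs=[f"ip:inacl#{n}={ace}" for n, ace in enumerate(DACLS[user], 1)])
    if user in MAB_HOSTS:
        return Radius("Access-Accept", av_pairs=[f"ACS:CiscoSecure-Defined-ACL={MAB_HOSTS[user]}"])
    return Radius("Access-Reject",
                  {"Reply-Message": "22056 Subject not found in the applicable identity store(s)."})


def switch_session(mac: str, vsa_send: bool = True):
    """Switch side: run MAB for `mac`, then download the named dACL. `vsa_send` models
    `radius-server vsa send authentication`: without it no cisco-av-pair is ever sent, so
    the phase-2 request cannot carry the acl-download event. Returns (state, ace_lines)."""
    auth = acs(Radius("Access-Request", {"User-Name": mac, "Service-Type": "Call-Check"}))
    if auth.code != "Access-Accept":
        return "unauthorized", []
    names = [p.split("=", 1)[1] for p in auth.av_pairs if p.startswith("ACS:CiscoSecure-Defined-ACL=")]
    if not names:
        return "authorized", []                 # no dACL assigned: only the port ACL applies
    body = acs(Radius("Access-Request", {"User-Name": names[0]},
                      av_pairs=[ACL_DOWNLOAD_EVENT] if vsa_send else []))
    if body.code != "Access-Accept":
        return "unauthorized", []               # dACL fetch failed: authorization fails with it
    numbered = sorted((int(p[len("ip:inacl#"):p.index("=")]), p.split("=", 1)[1])
                      for p in body.av_pairs if p.startswith("ip:inacl#"))
    return "authorized", [ace for _, ace in numbered]


def _match(spec: list, ip: str) -> bool:
    """Consume one address spec (any | host A | A WILDCARD) from `spec`; True if `ip` matches."""
    tok = spec.pop(0)
    if tok == "any":
        return True
    if tok == "host":
        return ip == spec.pop(0)
    base = int(ipaddress.ip_address(tok))
    wild = int(ipaddress.ip_address(spec.pop(0)))
    keep = ~wild & 0xFFFFFFFF                    # wildcard 1-bits are "don't care" bits
    return (int(ipaddress.ip_address(ip)) & keep) == (base & keep)


def dacl_permits(aces: list, src: str, dst: str) -> bool:
    """First-match evaluation of plain `ip` ACEs, ending in the implicit deny."""
    for ace in aces:
        action, proto, *rest = ace.split()
        if proto != "ip":
            continue                             # protocol/port ACEs are outside this model
        if _match(rest, src) and _match(rest, dst):
            return action == "permit"
    return False


if __name__ == "__main__":
    state, aces = switch_session("00-23-AE-7A-58-A6")
    print(state, aces)                                           # authorized, 2 ACEs
    print(switch_session("00-23-AE-7A-58-A6", vsa_send=False))  # ('unauthorized', [])
    print(dacl_permits(aces, "1.2.3.4", "1.2.3.77"))             # False, hits the deny
```

With `vsa_send=False` the model reproduces the sequence in the ACS 5.1 post further down: the endpoint is accepted, the dACL lookup is rejected, and the session ends unauthorized. On a real switch the installed ACEs are what `show ip access-lists interface <if>` lists for the session, and `debug radius` shows both Access-Requests, which is the quickest way to see whether the second one carries the av-pair.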

Similar Messages

  • Differences between MSFC1 and MSFC2 in Catalyst switches

    Hi,
    Want to know the differences between MSFC1 and MSFC2 in Catalyst switches.

    Hi,
    There is not much difference between MSFC1 and MSFC2; the main difference is how the MSFCs send the hardware programming to the PFC. The MSFC1 uses MLS to program the hardware by using the first packet of the traffic, while the MSFC2 uses CEF-based MLS to program the PFC so that the supervisor can hardware-switch the packet. Notice the difference: the MSFC1 needs to see the first packet, while the MSFC2, in theory, will not need to see a first packet as it uses the CEF routing table to program the PFC2. Now, the kicker: if the MSFC2 is in a Sup1A, all this CEF-based MLS is not used since it needs a PFC2 to be able to do this. The Sup1A does not come with a PFC2; only the Sup2 comes with a PFC2. The MSFCs give the Cat6K L3 ability and that's important, but the switching performance of the switch depends on the PFC.
    Here is a link on MSFC2 data sheet:
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_data_sheet09186a00800887fd.html
    Please rate helpful posts.

  • Dacl on ACS 5.1 and Catalyst switch 3560

    Dear all
    I have ACS 5.1 and a Catalyst 3560 switch with version 12.2(53)SE. I configured a dACL on the ACS and I use it in an authorization profile.
    This authorization profile is used in an access policy.
    I tried the authentication but it doesn't work. I checked the ACS logs and I found that the user is authenticated successfully but the dACL gives this error (The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected)
    Steps:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11025  The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected
    11003  Returned RADIUS Access-Reject
    DACL:
    deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log
    permit ip any any log
    Thanks in advance,

    Dear Tiago
    I applied the command "radius-server vsa send". Now I can see the dACL is applied, but I can't see it on the switch, and even though the authentication succeeded in the ACS logs it gives me unauthorized on the switchport. You can see the logs (starting with the username acstest; the access-list is applied but it doesn't work, and you can see that it goes to MAB after EAP timed out). I hope you can help on this issue.
    Dec 13,10 10:29:00.513 AM
    00-23-AE-7A-58-A6
    00-23-AE-7A-58-A6
    Default Network Access
    Lookup
    Dot1x-3560-Switch
    1.2.3.4
    FastEthernet0/5
    TESTACS
    22056 Subject not found in the applicable identity store(s).
    Dec 13,10 10:28:29.186 AM
    #ACSACL#-IP-Guest-4cfcc14d
    Dot1x-3560-Switch
    1.2.3.4
    TESTACS
    Dec 13,10 10:28:28.726 AM
    acstest
    00-23-AE-7A-58-A6
    Default Network Access
    PEAP (EAP-MSCHAPv2)
    Dot1x-3560-Switch
    1.2.3.4
    FastEthernet0/5
    TESTACS
    Thanks,

  • I don't understand correlation between ACL and dACL. If dACL is downloaded to the Catalyst switch what is the status of the ACL

    Understanding  ISE and dACL.
     I don't understand the correlation between ACL and dACL.
     If a dACL is downloaded to the Catalyst switch, what is the status of the ACL attached to the physical port? Is the dACL appended to the existing ACL? When I typed 'sh ip access-list int fa0/1' I could see only the dACL for the access domain and the dACL for the voice domain appended to the previous dACL, and no ACL lines.
     Regards,
    Vice

    Hi,
    Downloadable ACLs (dACLs) are applied from your RADIUS server based on authentication and authorization policies.  They override any standard interface ACL.
    Standard interface ACLs are in place to limit traffic on the port before 802.1x or MAB authentication.
    When an authenticated session terminates on the interface, the standard ACL will be re-applied until the next authentication.

  • The difference between VTP server and transparent mode on Catalyst Switch.

    Hello 
    I have a question about the difference between VTP server mode and VTP transparent mode on general catalyst switch.
    Basically VTP server mode can create and modify VLAN configuration, but actually there is not any VLAN configuration in the running-config, is that true?  When I checked it on a Cat3550, certainly there is no VLAN configuration in VTP server mode. But VTP transparent mode can create VLANs and configuration, yet does not synchronize with the VLAN status of other switches. I appreciate any related information and the reason for the VTP server mode specification, thank you very much.
    [VTP Transparent mode]
    3550#sh vtp status
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 27
    VTP Operating Mode              : Transparent
    VTP Domain Name                 :
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    *omit
    3550#
    3550#sh run
    Building configuration...
    *omit
    vlan 99
     name TEST-VLAN
    [VTP Server mode]
    3550#sh vtp status
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 27
    VTP Operating Mode              : Server
    VTP Domain Name                 :
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    *omit
    3550#
    3550#sh run
    Building configuration...
    *no VLAN configuration here, unlike in VTP transparent mode above.
    Best Regards,
    Masanobu Hiyoshi

    Hi mhiyoshi,
    3550#sh vtp status
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 27
    VTP Operating Mode              : Transparent
    VTP Domain Name                 :
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    *omit
    3550#
    3550#sh run
    Building configuration...
    *omit
    vlan 99
     name TEST-VLAN
    The above output indicates that the VLAN was created and then the mode was changed to transparent, i.e. why the revision no. is 0.
    3550#sh vtp status
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 1005
    Number of existing VLANs        : 27
    VTP Operating Mode              : Server
    VTP Domain Name                 :
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    *omit
    3550#
    3550#sh run
    Building configuration...
    *no VLAN configuration here, unlike in VTP transparent mode above.
    This indicates that the VLAN was never created in server mode nor learnt from another switch, as the revision no. is 0.

  • The difference of the IEEE802.1x Auth between Cisco Routers and Catalyst switches

    Hello
    I am investigating the differences in IEEE802.1x auth between routers and switches.
    Basically dot1x auth is available on Catalyst switches. However, if I want to check
    port-based multi-auth, MAC address auth and any certificate auth with this feature,
    is it possible to integrate these into a Cisco router such as the Cisco 891F?
    In my opinion the Cisco 891F is also able to use basic IEEE802.1x, but if it is compared with Catalyst switches such as the Cat3560X
    I think there might be some unsupported features on the Cisco 891F.
    I appreciate any information. thank you very much in advance.
    Best Regards,
    Masanobu Hiyoshi

    Many times in interviews I was asked for a comparison between Cisco routers and switches that I was answerless to, because I don't have much knowledge about that. Can anyone provide me a comparison sheet of the same: how the Cisco devices differ from each other, how much bandwidth each router supports, etc...
    Ummmm ... The most common question I get is "what is the difference between a router and a switch".
    However, if you get a question like this, then my impression to this line of questioning are:
    1.  The candidate they are looking for has in-depth knowledge of routers and switches.  And I mean IN-DEPTH!;
    2.  They are not looking for a candidate.  They just want to stroke their ego.  There are not a lot of people who can give you the "names and numbers" of routers and switches at the snap of a finger.  And if you do happen to know the answer, then and there, then expect a tougher follow-up question. 

  • Does Cisco ISE 1.2 support Catalyst SRW224G4P and Small business ESW520 Switches?

    Hello all,
    Does Cisco ISE 1.2 support Catalyst SRW224G4P and Small business ESW520 Switches?
    Best regards.

    Hi there, the link below outlines the ISE supported Cisco hardware:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.html
    Thank you for rating helpful posts!

  • Cannot Establish Gigabit Link Between Catalyst Switches and GSR Router

    The GSR Gigabit interface is configured for no negotiation auto and the line protocol goes up when connected to the Catalyst switch.
    The Catalyst switch port remains unconnected even when it is physically attached to the GSR router.

    The flow control settings must match on both sides for the link to come up. It is highly recommended that you configure auto-negotiation to on for both devices. (Auto-negotiation is enabled by default on all Catalyst switches.) Otherwise, if you have a layer 1 problem, the link remains up and a unidirectional link will result.
    The initial software releases that support Gigabit Ethernet on the GSR router do not support gigabit auto-negotiation.
    The following command configures gigabit auto-negotiation on the Catalyst 6000/6500:
    set port negotiation module/port disable|enable

  • VLAN's, subinterface, access-lists and 3560 catalyst switch?

    Hi,
    How can I isolate VLAN 121 from all others?
    I have a Cisco 2811 router connected to a 3560 Catalyst switch which has 5 VLANs, of which I need to protect the IP traffic of 4 from 1.
    The following VLANs configured on the switch:
    VLAN 0 192.168.132.0 /24
    VLAN 135 ..135.0 /24
    VLAN 137 ..137.0 /24
    VLAN 139 ..139.0.24 and lastly,
    VLAN 121 192.168.121.0 /24, which I wish to isolate from all IP traffic of VLANs 0, 135, 137 and 139 but which should still have internet out the 2811's other interface. Currently all VLANs and routing are working perfectly.
    I need some advice please. Here is my plan: to split FA0/0 into FA0/0.1 for VLAN 121 using dot1q and apply an access-list to deny 192.168.121.0 on the FA0/0 interface. Since I'm essentially creating VLANs with the router, can or will that interfere with the switch VLAN configuration? Router on a stick vs. a Layer 4 Cisco 3560 Catalyst switch?
    Thank you!

    I will have to assume VLAN 0 is the native VLAN / default interface on the router?  All VLANs are numbered native or not.  Just ensure the VLAN numbering matches between the router and the trunking on the switch.
    Yes, you could create a sub interface on the 2811 and use the router to route the VLAN.  Apply an access list on the other interfaces to block access to the VLAN you want to protect.  If you have routing enabled on the 3560 as well you would complicate the situation a bit more. 
    Please rate helpful posts! :-)

  • TCP delay on catalyst switch

    I experienced a TCP delay on a Catalyst 4506; the problem went away when I replaced the 4506s with dummy unmanaged switches.
    i used two PCs(PC 1 and PC 2) and two 4506 switches (S1 and S2)
    PC 1 is connected to S1 (fast ethernet port)
    PC 2 is connected to S2 (fast ethernet port)
    S1 is connected to S2 (SFP gigabit ethernet port)
    -I started continuous UDP,TCP,MULTICAST and PING from PC1 to PC2
    -I unplugged link between Switch 1 and Switch 2
    all communication stopped.
    -I plugged link between Switch 1 and Switch 2
    -UDP,MULTICAST and PING started immediately but TCP started with approximately 15 seconds delay. :-(
    I repeated the same procedure with dummy unmanaged switches instead of the 4506s, and there wasn't a 15-second delay. TCP showed up in 1 second.
    How can I avoid the TCP delay on Catalyst switches? Probably some tuning of the configuration would do the job?
    Thanks for helping

    Hi gp, and thank you very much for responding to this unusual problem.
    - The switch ports to the PCs are configured as portfast.
    - The switch ports between the two Catalyst switches are not configured (default).
    - I didn't use the 'switchport access' command since they are default layer 2 interfaces. Would the 'switchport access vlan 1' command make any difference?
    - I looked at the port status and confirmed the connection is 100 Mbps full duplex.
    The unusual issue is: ping, UDP and multicast show up in a very short time after I re-plug the uplink. That proves all ports are in the forwarding state. Only TCP shows up with a delay, which doesn't occur on a $200 unmanaged switch??
    thanks in advance for any suggestions

  • Can a Catalyst switch terminate a QinQ (double vlan tagged) connection on an SVI?

    Can a Catalyst switch terminate a QinQ connection on an SVI?  Is anything similar possible?
    I know I can pass QinQ traffic through a switch at L2, but can I take it in at L2 with double tags and terminate it on a L3 SVI somehow?
    I'm looking for a simple way of making a WAN lab environment.
    I.e. I want to do the equivalent of this on a Catalyst such as a 3560/3750:
    interface GigabitEthernet0/0.1
     encapsulation dot1Q 101 second-dot1q 1
     ip vrf forwarding 100101
     ip address 1.1.1.1 255.255.255.0
    interface GigabitEthernet0/0.2
     encapsulation dot1Q 101 second-dot1q 2
     ip vrf forwarding 100102
     ip address 2.2.2.2 255.255.255.0
    Thanks in advance.

  • CiscoSecure ACS 3.3 and MS Active Directory ?

    We just got and installed CiscoSecure ACS 3.3 on a domain controller for our MS active directory domain.
    ACS seems to work with AD in the sense that it uses the usernames and passwords contained in AD for users. However I noticed it does not seem to populate ACS with the users; instead you have to go into ACS and add each user with the username from AD, and then just tell it to use the Windows database for password authentication.
    Is this correct or am I missing something in my setup that is preventing users from being populated in ACS?
    Also, can you not use AD groups for ACS permissions? For example one of the things we are doing is defining certain groups for access to routers, switches and firewall commands. I have been able to do this manually in ACS by defining a group and setting the permissions as well as the command authorization set. However it does not seem very practical to have to go in manually to ACS to add a user to an ACS group. I thought since ACS works with active directory it would also use AD groups. So we could assign a user to a group in AD and it would then utilize the defined ACS permissions for that group.

    I think you are a victim of the AD Aware as opposed to AD Integrated. CiscoSecure is AD Aware, it can use the AD database for Password authentication (a very simple implementation of single sign-on). But the local database is used for everything else. From my point of view this is a good thing.
    If the AD Admin, Network Admin and Security officer are all the same person, then I agree with you.
    From your message you seem to be using ACS to secure your Cisco devices (routers/switches). I would not want people who manage AD to be able to give network device access to anyone they choose. Nor do I trust AD admins to understand network security. Normally the network people are a very small subset of the IT organization, so this should not be a big problem. Also, the real component that you are using to secure the devices is TACACS+ (hopefully) or RADIUS, because the devices are not AD Aware themselves.
    If you need every user that is in AD to be a user in ACS, there is import/export support for both for initial setup; after that it is up to you to keep the databases synchronized. You can do this with routine imports/exports, but I advise against it.
    If you are using ACS to manage a dial or IPsec environment, I agree this is a pain, but do you really want everyone to be able to dial in or VPN into your network without coming to you for access? Don't you want to be able to disable/expire people's access for devices and remote access without calling the AD admin?
    For the kind of things you want, you need an AD Integrated product like Exchange, or you can try some of the vendors listed at http://www.microsoft.com/windows2000/partners/adall.asp
    FYI - This is my understanding of the product. I'm sure there are a lot of people out there that know more than me, so feel free to correct me.

  • Cryptographic IOS versions on Catalyst Switches

    1. Where can one find the differences between Catalyst switch IOS with cryptographic features and without cryptographic features?
    2. In order to access Cat switches over SSH and HTTPS, do we require Cryptographic versions of the Cat IOS?
    3. What does "k9" stand for in IOS names? e.g. "3560-ipservicesk9"
    Thanks

    Hi
    Answer to Q1 :
    The best place to compare the CatOS and IOS images is
    www.cisco.com/go/fn
    There you can search by IOS name, platform or feature and compare images.
    Answer to Q2 :
    Yes, you need the cryptographic version.
    Answer to Q3 :
    K9 stands for the cryptographic version. If you have ipservicesk9 you can do SSH. In the Feature Navigator, if you search for the IOS without K9 you will find this:
    IP SERVICES W/O Crypto
    That means this image does not support cryptographic features.
    Best Regards Bahman Mozaffari.
    Please Rate if Helpful.

  • Catalyst switch hangs when connecting via console port

    Hi,
    I've just started work for a company - they have no network documentation or knowledge of their current set-up whatsoever.
    For the LAN in the office they have Cisco Catalyst WS-C3524-XL switches. But it doesn't seem like these are even configured with an IP address for management purposes.
    So, I thought I would connect via a console cable to have a look at their configurations and also to investigate some performance problems some users were having on the LAN.
    BUT - when I connected to the console cable, all the switch LEDs stopped flickering happily and went solid and everyone in the office lost their network connectivity! (I wasn't popular!)
    Rebooting the switch with the console port still connected had no effect - the LEDs remained solid and there was no network connectivity. However, when I removed my console cable, everything started working again!
    Does anyone have any ideas a) what can have caused this and b) how I can resolve this problem and connect to the switches without disrupting all the other users!
    Note: I subsequently connected to a spare WS-C3524-XL switch using the same laptop and same console cable without any problems.

    Hi,
    thanks for the response.
    no, I can't login to the switch(es) at all. There seems to be no response from hyperterminal at all. (Then I noticed that the LEDs had gone "solid" and that everyone started to complain they had lost network connection!)
    Even when I powered off and powered on the switch with the console port still connected, nothing appeared on the hyperterminal screen.
    However, as mentioned, I'm able to connect to one of our spare switches using the same settings, same laptop, and same console cable - so I guess that would rule these things out as being the cause?
    It's definitely a strange one, especially as it seems to be affecting all 3 of the live switches!

  • ACS Group mapping and restrictions

    hi,
    I would appreciate receiving some configuration steps on ACS to fulfil the following requirement and hope you can help me.
    ACS Groups
    Netadmin - needs telnet/ssh/vpn/wireless
    wireless - only wireless authentication
    vpn - only vpn authentication
    I need to map the above ACS groups to one or many AD groups and restrict access as stated above.
    Also please note that one user can belong to all three groups in ACS/AD.
    thanks in advance.

    In ACS a user can only belong to one group. But in AD we can have one user as a part of multiple groups.
    In this scenario, it is very important to understand how ACS group mapping works.
    Let's say that you have three different groups in AD for NetworkAdmin, RouterAdmin and Wireless. Go to External User Databases ==> Database Group Mappings ==> Windows NT/2000 ==> select the domain to which you are authenticating ==> Add mapping.
    Select the AD group NetworkAdmin and map it to CiscoSecure group 1
    Select the AD group RouterAdmin and map it to CiscoSecure group 2
    Select the AD group Wireless and map it to CiscoSecure group 3
    Group mappings work in the order in which they are defined: the first configured mapping is looked at first, then the second, third and so on. If a user is in the AD group NetworkAdmin, and that is mapped to ACS group 1 and is the first configured mapping, it will be looked at FIRST (if a user exists in the NetworkAdmin group it will always be mapped to CiscoSecure group 1, NO further mappings are checked for this user, and the user is authenticated or rejected).
    Scenario: if you have a user called cisco in the NetworkAdmin group, cisco1 in the RouterAdmin group, and cisco2 in Wireless, they will always be dynamically mapped to ACS groups 1, 2 and 3 respectively as per the above mappings.
    You can check the mappings in the passed authentications for users, as to what group they are getting mapped to.
    SCENARIO:
    Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not to Wireless or RouterAdmin devices, you would need to apply NARs to group 1, because NetworkAdmin users are landing in that group. In it you permit access on a group basis to a particular NetworkAdmin NDG or an individual NetworkAdmin NAS device.
    NOTE:
    If you are applying NARs for wireless or VPN devices, you would need to configure both IP-based AND CLI/DNIS-based together, because NARs were originally designed for Cisco IOS
    routers and switches.
    IMPORTANT: If a user successfully authenticates to the AD database once, its username is cached in the ACS database (NOT the password). The only way to remove the previously cached
    username is to go to User Setup, find that user and delete it manually.
    ACS will not support the following configuration:
    * An Active Directory user that is a member of 3 AD groups (groups A, B and C). * Those 3 groups are mapped within ACS as follows: Group1->A, Group2->B and Group3->C.
    * The user is in all 3 groups; however, he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
    However, if your mappings are in the order below...
    NT Groups ACS groups
    A,B,C =============> Group 1
    A =============> Group 2
    B =============> Group 3
    C =============> Group 4.
    You can create a DIFFERENT rule for the users in A, B and C by configuring the NARs in group 1.
    This rule WILL apply for the user ONLY if he is present in ALL three groups (A, B and C).
    You can create a rule for users in group A (Group 2)
    You can create a rule for users in group B (Group 3)
    You can create a rule for users in group C (Group 4)
    Regards,
    ~JG
    Do rate helpful posts
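
The following is an added example, not the poster's code, that implements the first-match group mapping order the ACS group mapping answer above describes, so the two mapping tables from that answer can be compared directly. Under the first table a user in all three AD groups always lands in ACS group 1 and the NAR on that group decides every request, even a wireless one; under the second table the combined A,B,C mapping comes first and the single-group rules catch users who are in only one group. The example also shows a case the answer does not spell out: a user in two of the three groups still falls through to the first single-group rule that matches. AD group names A/B/C, NDG names and the NAR tables are constructed, and a NAR is reduced to "the set of NDGs this ACS group may log in to".

```python
"""First-match evaluation of ACS 4.x external-database group mappings, as described
in the group mapping answer on this page. Constructed example: group names A/B/C,
the NDG names and the NAR tables are made up, and NARs are simplified to the set of
NDGs an ACS group is permitted to access."""

# Mapping tables: (AD groups the user must be in, ACS group), in configured order.
NAIVE = [(("A",), 1), (("B",), 2), (("C",), 3)]
ORDERED = [(("A", "B", "C"), 1), (("A",), 2), (("B",), 3), (("C",), 4)]

# Per-group NARs as sets of permitted NDGs; a group absent from the table has no NAR.
NARS_NAIVE = {1: {"NetworkAdmin"}, 2: {"RouterAdmin"}, 3: {"Wireless"}}
NARS_ORDERED = {1: {"NetworkAdmin", "RouterAdmin", "Wireless"},
                2: {"NetworkAdmin"}, 3: {"RouterAdmin"}, 4: {"Wireless"}}


def map_user(ad_groups, mappings):
    """Return the ACS group of the first mapping whose required AD groups are all held
    by the user. Later mappings are never consulted for that user, which is the whole
    point of the ordering discussed in the thread."""
    held = set(ad_groups)
    for required, acs_group in mappings:
        if set(required) <= held:
            return acs_group
    return None          # no mapping hit; ACS's default-group handling is not modelled


def authorize(ad_groups, ndg, mappings, nars):
    """Map the user, then apply only the NAR of the mapped group.
    Returns (acs_group, permitted)."""
    group = map_user(ad_groups, mappings)
    if group is None:
        return None, False
    allowed = nars.get(group)          # None means no NAR on that group: everything permitted
    return group, allowed is None or ndg in allowed


def show_difference():
    """Same users, same devices; only the mapping table and its NARs change."""
    user_abc = {"A", "B", "C"}
    return {
        "naive/abc->Wireless": authorize(user_abc, "Wireless", NAIVE, NARS_NAIVE),
        "ordered/abc->Wireless": authorize(user_abc, "Wireless", ORDERED, NARS_ORDERED),
        "ordered/B->RouterAdmin": authorize({"B"}, "RouterAdmin", ORDERED, NARS_ORDERED),
        "ordered/B+C->Wireless": authorize({"B", "C"}, "Wireless", ORDERED, NARS_ORDERED),
    }


if __name__ == "__main__":
    for case, (group, permitted) in show_difference().items():
        print(f"{case:24} -> ACS group {group}, permitted={permitted}")
```

The last case is the one to watch when building the second table: a user in B and C (but not A) never reaches the A,B,C rule, is caught by the B rule, and is then denied on the Wireless NDG by group 3's NAR, so every combination of memberships you expect needs its own ordered mapping above the single-group ones.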
