Add Cisco Switch into a configuration

Similar Messages

• Firewall Ports Required for NAC manager to manage/add Cisco switch

  Hi,
  I am trying to add cisco switches to the NAM, however i am not able to add the switch as I am getting the error "unable to control switch" I have tried to open ports 161-162 on the firwall; if i was to allow any traffic between the NAM and switch, the cisco NAM is able to add/manage the switch.
  Not sure what other ports may be required for cisco NAM to manage the switch?
  Thanks.

  Hi,
  AFAIK, only the UDP ports 161-162 for the SNMP communication need to be open.
  Please make sure you have configured the correct port on the switch:
  (config)# snmp-server host 172.16.1.61 traps version 2c cam_v2 udp-port 162 mac-notification snmp
  If still not working i would check the logs on the firewall for any blocked traffic between the CAM and the switch.
  HTH,
  Tiago
  If  this helps you and/or  answers your question please mark the question  as "answered" and/or rate  it, so other users can easily find it.

• Cisco SG300 Network Expansion (Configure 2 Switches)

  I’m currently in the process of expanding my network having bought a second Cisco SG300-20 which is now sitting in my lab, my current setup is described below
  Internet
  ^
  |
  Draytek Router 192.168.1.1
  ^
  |
  Cisco SG300-20 192.168.1.2
  ^
  |
  VLAN 12 Workstations interface 10.0.12.1 
  VLAN 13 Management interface 10.0.13.1
  VLAN 14 Pubic interface 10.0.14.1
  VLAN 15 Private interface 10.0.15.1
  VLAN 20 Storage interface 10.0.20.1
  I then have a number of servers with multiple nics that run on the various VLANS attached to certain ports in the Cisco Switch
  VLAN 12 and 14 have been given access to the internet with routes added to Draytek to 10.0.12.1 / 10.0.14.1
  Now what I want to do is to expand the network running a link from my first switch to the new switch.  Ive read a number of notes on this forum but confused as to what I need to do.
  I want the new switch to have access to all the VLANS configured on the first switch and will set the ports access to the various VLANs for each server that is being connected.
  Have read that its best to have any additional switches on the network configured as Layer 2 and leave just one switch to do the routing (is that correct?).  So have left the new switch as Layer 2 and given it an IP of 192.168.1.3
  So the first question is how do I configure the uplink port from switch 1 (Port Gi2) to Switch 2 (Port Gi1).  
  Should I run multiple cables and create a LAG between the two switches?  Allowing for additional bandwidth (I stream a lot of HD movies across the network to the workstations)
  I have attached my running config from switch 1 below.
  Any help would be appreciated, unfortunately networks are not my strong point.
  prcswitch01#show running-config
  config-file-header
  prcswitch01
  v1.3.5.58 / R750_NIK_1_35_647_358
  CLI v1.0
  set system mode router 
  file SSD indicator encrypted
  ssd-control-start
  ssd config
  ssd file passphrase control unrestricted
  no ssd file integrity control
  ssd-control-end XXXXXX
  vlan database
  vlan 12-15,20
  exit
  voice vlan oui-table add 0001e3 Siemens_AG_phone________
  voice vlan oui-table add 00036b Cisco_phone_____________
  voice vlan oui-table add 00096e Avaya___________________
  voice vlan oui-table add 000fe2 H3C_Aolynk______________
  voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
  voice vlan oui-table add 00d01e Pingtel_phone___________
  voice vlan oui-table add 00e075 Polycom/Veritel_phone___
  voice vlan oui-table add 00e0bb 3Com_phone______________
  ip dhcp server
  ip dhcp pool network Workstations
  address low 10.0.12.20 high 10.0.12.100 255.255.255.0
  lease infinite
  default-router 10.0.12.1
  dns-server 10.0.15.200 8.8.8.8
  exit
  bonjour interface range vlan 1
  hostname prcswitch01
  username cisco password encrypted XXXXXXX privilege 15
  ip ssh server
  interface vlan 1
   ip address 192.168.1.2 255.255.255.0
   no ip address dhcp
  interface vlan 12
   name Workstations
   ip address 10.0.12.1 255.255.255.0
  interface vlan 13
   name Management
   ip address 10.0.13.1 255.255.255.0
  interface vlan 14
   name Public
   ip address 10.0.14.1 255.255.255.0
  interface vlan 15
   name Private
   ip address 10.0.15.1 255.255.255.0
  interface vlan 20
   name Storage
   ip address 10.0.20.1 255.255.255.0
  interface gigabitethernet3
   switchport mode access
   switchport access vlan 12
  interface gigabitethernet4
   switchport mode access                               
   switchport access vlan 12
  interface gigabitethernet5
   switchport mode access
   switchport access vlan 20
  interface gigabitethernet6
   switchport mode access
   switchport access vlan 20
  interface gigabitethernet7
   switchport trunk allowed vlan add 13-15
  interface gigabitethernet8
   switchport trunk allowed vlan add 13,20
   switchport trunk native vlan 12
  interface gigabitethernet9
   switchport trunk allowed vlan add 13-15
  interface gigabitethernet10
   switchport trunk allowed vlan add 13,20              
   switchport trunk native vlan 12
  interface gigabitethernet11
   switchport trunk allowed vlan add 13-15
  interface gigabitethernet12
   switchport trunk allowed vlan add 13,20
   switchport trunk native vlan 12
  interface gigabitethernet13
   switchport mode access
   switchport access vlan 12
  interface gigabitethernet14
   switchport mode access
   switchport access vlan 12
  interface gigabitethernet15
   switchport mode access
   switchport access vlan 12
  interface gigabitethernet16                           
   switchport mode access
   switchport access vlan 12
  interface gigabitethernet17
   switchport mode access
   switchport access vlan 12
  interface gigabitethernet18
   switchport mode access
   switchport access vlan 12
  interface gigabitethernet19
   switchport mode access
   switchport access vlan 12
  interface gigabitethernet20
   switchport mode access
   switchport access vlan 12
  exit
  ip default-gateway 192.168.1.1
  prcswitch01#   

  Hi Aleksandra,
  Im still having issues with my setup.  The servers I have connected have VLAN tagging enabled
  Previously I had my esxi server connected via two nics with ports configured on my Layer 3 switch prcswitch01 as follows
  Port 1 Trunk VLAN 13-15
  Port 2  Trunk VLAN 13,20
  My NAS was configured on a single port on VLAN20
  The ESXI server can only have a single gateway which is used by both interfaces
  ~ # esxcli network ip route ipv4 list
  Network    Netmask        Gateway    Interface  Source
  default    0.0.0.0        10.0.13.1  vmk0       MANUAL
  10.0.13.0  255.255.255.0  0.0.0.0    vmk0       MANUAL
  10.0.20.0  255.255.255.0  0.0.0.0    vmk1       MANUAL
  Traffic was being passed from VLAN13 to VLAN20 to allow connectivity to the NAS on the ESXi server
  This no longer seems to be happening on my Layer 2 switch.
  I have configured the ports the same as previously setup on the Layer 3 switch.
  When I have the esxi server connected I can reach the server on 10.0.13.11 but the server cannot ping the NAS on 10.0.20.196
  Hope that makes sense, I’m confused about setting this new switch up.  Should I configure it as Layer 3 and setup interfaces for the various VLANS.  I was under the impression this would be done by my first switch.
  Thanks
  Paul

• Configuring VLANs on Cisco switches - help on basics please!

  Hi people.
  I'm buying Cisco switches to my home lab to practice VLAN and have some doubts, would someone kindly help me?
  I'm thinking of buying two 300 series switches for the servers (VMware boxes), configure two separate VLANs for VMs and two other VLANs for desktop computers, in order to simulate a small office with a datacenter and two floors (one VLAN for each floor).
  I presume that the connection between each floor switch and the 300 series core switch will be via trunk mode on both, not access port mode, is that correct?
  Another question: for the desktop switches, the ports that are going to connect to the desktops (which runs windows with non-vlan tagging aware nic), will be configured with the correct VLAN, and the operating system will just communicate normally as if there was no VLAN tag on the frames?
  Since I need inter-vlan routing only on the core switch (the 300 series), for the desktops switches I can purchase some 200 series, right?
  And the last question: presuming that I configure a third VLAN and add a third floor switch, but this time a 100 series switch that is not VLAN capable, so connecting this switch to the 300 switch, will it work, or not?
  Thank you!

  Hi! Thanks for the rapid answers!
  I have a couple more based on the same questions:
  I presume that the connection between each floor switch and the 300 series core switch will be via trunk mode on both, not access port mode, is that correct? - Yes, trunk links are required to carry multiple vlans.
  So, I could also use multiple links with LAG/LACP carrying all vlans between switches?
  And the last question: presuming that I configure a third VLAN and add a third floor switch, but this time a 100 series switch that is not VLAN capable, so connecting this switch to the 300 switch, will it work, or not? - Yes, bit make sure that link between these two switches should be an access link, i.e must carry only third vlan.
  So, If I understand correctly, if having one vlan per floor in an office building, for economical reasons you could deploy simple non-managed and non-vlan capable switches, and in the data center, a core switch with the vlans configured for each floor?
  And viewing from a technical perspective, what would be the advantages of deploying in each floor a vlan capable switch configured with the correct vlan?
  And which method mentioned above is more common deployed for endpoint floor switches?
  Thanks!

• What's "SAVE" configuration command for Cisco switch/ router?

  What's "SAVE" configuration command for Cisco switch / router? I know Switch#copy running-config startup-config works well,
  but so long, any other command that easy to remenber?

  What's "SAVE" configuration command for Cisco switch / router? I know Switch#copy running-config startup-config works well, but so long,
  any other command that easy to remenber?
  yes, here: Switch#write,and want to know more about the Cisco switch, please visit:http://www.3anetwork.com/cisco-switches-price_c1

• Configure Domain Controller ( PDC emulator) as NTP source for Cisco switch 6509

  Hi All,
    My Org consists of 2 DC one Physical and One Virtual. All Roles are on Physical machine. I ran a W32tm /Query /Configuration command  on PDC emulator and the results are confusing.My PDC is using time source VMICTimeProvider a syou can see below.
  VMICTimeProvider (Local)
  DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
  Enabled: 1 (Local)
  InputProvider: 1 (Local)
  My first Question is that Is it Ok for PDC emulator to use this time source or should I change to some Other source like pool.ntp.org or time.windows.com,0x1.
  My Second Question is that I  have a core switch cisco 6509 and I want this switch to use my NTP server (PDC emulator ) as NTP source,but at present I cannot as I am getting this error on switch.(no select intersectionTP )
  Can Any one help ... Its is urgent
  Thanks in Advance
  EagleAsh

  You should not make your DCs sync their time with your Hypervisor. This usually ends with time synchronization problem so I would recommend to disable that on your DCs and domain joined VMs and use an external NTP server to sync time on your PDC while using
  your AD forest topology for time sync on other DCs and domain-joined computers.
  I have already started a Wiki article that describes how to configure time sync in an AD domain and you might consider using the GPO configuration option that is stated: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
  For the CISCO switch, I would recommend asking them in CISCO forums.
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Get Active Directory User Last Logon
  Create an Active Directory test domain similar to the production one
  Management of test accounts in an Active Directory production domain - Part I
  Management of test accounts in an Active Directory production domain - Part II
  Management of test accounts in an Active Directory production domain - Part III
  Reset Active Directory user password

• Configuration Cisco switch 802.1x for ISE

  Hi dears,
  I configurated EAP_FAST authentication on Cisco ISE  from Cisco Video material. Now I need full 802.1X configuration in cisco switch  guide or video link.
  Please provide this.
  Thanks.

  See this link:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sw_cnfg.html

• Cisco Network Assistant, unable to add a switch to community

  hello every one,
  i am able to add a switch as individual device but i am not able to add it to community ?
  the switch is WS-C3548-XL
  i attached screenshot 
  thank you

  The switch configurations look pretty straightforward and mostly correct.
  I notice that the problem switch has "ip routing" global command. Why is that necessary? You are only using it as a L2 switch, yes?  If you use "ip routing" and have no routing process (ospf, eigrp, etc.) running you would need to add a static default route (ip route 0.0.0.0 etc.) and not use the "ip default-gateway" command. Otherwise the switch itself (the SVI) does not know how to leave the management VLAN routing-wise since it is the only L3 interface defined.
  (I might also add "ip http authentication local" on each and I'd definitely disable telnet in favor of ssh)

• When i tell my ipod to ask to connect to unknown connections, it doesnt. It switches into manual mode... How is it fixed? If it cant, UPDATE IT!!! JUST ADD AS MANY AS YOU NEED. ATLEAST GET IT TO IOS 7. Pls. I wanna get certain apps, but i cant.

  When i tell my ipod to ask to connect to unknown connections, it doesnt. It switches into manual mode... How is it fixed? If it cant, UPDATE IT!!! JUST ADD AS MANY AS YOU NEED. ATLEAST GET IT TO IOS 7. Pls. I wanna get certain apps, but i cant.

  Well... sheetrock (i cant curse so i put a word that sounds like it)

• Access to Cisco Switch Modbus Register Map? via Modbus TCP or Modbus RTU

  Hello Folks, I have been trying to find out how to access the Modbus Register Map(s) of Cisco switches, of particular interest is that of an IE 3000 as it is din rail mountable (but for models 2960s, 3560s are also of interest).  A google search for: Cisco Switch Modbus TCP results in (if I may) how to configure a Cisco 2520 to do what I am trying to do.  I would be very grateful for any hints anybody might have.  Thanks

  Though I am not familiar with the specific drives in question, I have used Modbus/TCP in LabVIEW a few times recently.
  As the previous posters pointed out, there are a couple of VI libraries available.  LabVIEW 2014 added Modbus VI's with the DSC and LabVIEW Real-Time.  The others you would have to get and add in yourself.
  Another option is to use LabVIEW I/O Servers; as long as you have DSC or Real-Time, you can create Modbus I/O Servers as library items and deploy to a target.  You don't get as much direct control in this way (and may run into difficulties if you need them to be field-configurable and do not have DSC) and use bound network shared variables, but they are very fast and easy to setup and I have yet to have any issues with using them in my applications.
  A tutorial on setting up a Modbus I/O Server: http://www.ni.com/tutorial/13911/en/
  A tidbit on deciding between Modbus VI's and a Modbus I/O Server: http://zone.ni.com/reference/en-XX/help/370622M-01/lvmve/choose_modbus_ioserver_vi/
  As for using an Ethernet switch to connect multiple devices, I have used this approach many times to simultaneously connect and control numerous PC's, real-time controllers, and drives without issue.  I would not expect there to be any problems unless you have extenuating circumstances.  In fact, if you only have one network interface on your device at the moment, I would recommend against adding a second, as this would mean that you / your controller would have to be extra aware of which interface everything is assigned to go through.

• DACL does not get downloaded to Cisco Switch from ISE

  Hello,
  I have a cisco switch with ios: c3550-ipbasek9-mz.122-44.SE6.bin
  I am trying to push dACL fro my ISE device into the switch, but it is not getting applied to switch.   dynamic vlan assignment workds fine, but dACL doesnot apply
  Any instruction plz?

  Hi Jatin,
  ISE is properly configured for dACL,   i think there is some compatibility issue on cisco switch ios.
  following is the debug output>>
  06:36:43: dot1x-packet:Received an EAP packet on interface FastEthernet0/11
  06:36:43: EAPOL pak dump rx
  06:36:43: EAPOL Version: 0x1  type: 0x0  length: 0x0006
  06:36:43: dot1x-packet:Received an EAP packet on the FastEthernet0/11 from mac 0019.b981.e812
  06:36:43: dot1x-sm:Posting EAPOL_EAP on Client=1D68028
  06:36:43:     dot1x_auth_bend Fa0/11: during state auth_bend_request, got event 6(eapolEap)
  06:36:43: @@@ dot1x_auth_bend Fa0/11: auth_bend_request -> auth_bend_response
  06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_enter called
  06:36:43: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 0019.b981.e812
  06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_response_action called
  06:36:43: RADIUS/ENCODE(00000049):Orig. component type = DOT1X
  06:36:43: RADIUS(00000049): Config NAS IP: 192.168.2.250
  06:36:43: RADIUS/ENCODE(00000049): acct_session_id: 73
  06:36:43: RADIUS(00000049): sending
  06:36:43: RADIUS(00000049): Send Access-Request to 192.168.2.231:1812 id 1645/99, len 267
  06:36:43: RADIUS:  authenticator 5B 61 1D 64 D3 D5 9F AD - 23 E0 11 11 B3 C3 5C 81
  06:36:43: RADIUS:  User-Name           [1]   6   "test"
  06:36:43: RADIUS:  Service-Type        [6]   6   Framed                    [2]
  06:36:43: RADIUS:  Framed-MTU          [12]  6   1500
  06:36:43: RADIUS:  Called-Station-Id   [30]  19  "00-11-5C-6E-5E-0B"
  06:36:43: RADIUS:  Calling-Station-Id  [31]  19  "00-19-B9-81-E8-12"
  06:36:43: RADIUS:  EAP-Message         [79]  8
  06:36:43: RADIUS:   02 7A 00 06 0D 00                 [ z]
  06:36:43: RADIUS:  Message-Authenticato[80]  18
  06:36:43: RADIUS:   A6 AB 5A CA ED B8 B4 1E 36 00 9D AB 1A F6 B9 E0                [ Z6]
  06:36:43: RADIUS:  Vendor, Cisco       [26]  49
  06:36:43: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A802FA0000006F016B36D8"
  06:36:43: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
  06:36:43: RADIUS:  NAS-Port            [5]   6   50011
  06:36:43: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/11"
  06:36:43: RADIUS:  State               [24]  80
  06:36:43: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
  06:36:43: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
  06:36:43: RADIUS:   31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F  [16B36D8;35Sessio]
  06:36:43: RADIUS:   6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31  [nID=ise-server-1]
  06:36:43: RADIUS:   2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B    [ /171025988/24;]
  06:36:43: RADIUS:  NAS-IP-Address      [4]   6   192.168.2.250
  06:36:43: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
  06:36:43: RADIUS: Received from id 1645/99 192.168.2.231:1812, Access-Challenge, len 1134
  06:36:43: RADIUS:  authenticator 78 36 A3 38 30 1C F0 7A - 19 83 93 81 B4 6B FF 9E
  06:36:43: RADIUS:  State               [24]  80
  06:36:43: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
  06:36:43: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
  06:36:43: RADIUS:   31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F  [16B36D8;35Sessio]
  06:36:43: RADIUS:   6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31  [nID=ise-server-1]
  06:36:43: RADIUS:   2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B    [ /171025988/24;]
  06:36:43: RADIUS:  EAP-Message         [79]  255
  06:36:43: RADIUS:   4D 5D 13 47 FC 46 16 EE 62 76 40 09 77 48 31 B6 01 6B 5E 52 33 56 A2 1E 34  [M]GFbv@wH1k^R3V4]
  06:36:43: RADIUS:   02 32 39 FA 4D CA 79 18 4A 42 A2 4E 5C BD AE 29 D2 3D D1 5A FC C2 ED 3E E5 FB C6 B8 D8 DE A8 75 EB 3A A5 7D 02 03 01 00 01 A3 81 CD 30  [29MyJBN\)=Z>u:}0]
  06:36:43: RADIUS:   81 CA 30 0B 06 03 55 1D 0F 04 04 03 02 01 86 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 1D 06 03 55 1D 0E 04 16 04 14 C4 56 80 A7 C9 18 50 92 EE CC 91 D4 E1 EC DB AD E7 1E 70 A8 30 79 06 03 55 1D 1F 04 72 30 70  [0U0U00UVPp0yUr0p]
  06:36:43: RADIUS:   30 6E A0 6C A0 6A 86 32 68 74 74 70 3A 2F 2F 73 79 73 6C  [0nlj2http://sysl]
  06:36:43: RADIUS:   6F 67 2D 73 65 72 76 65 72 2F 43 65 72 74 45 6E  [og-server/CertEn]
  06:36:43: RADIUS:   72 6F 6C 6C 2F 46 4D 46 42 5F 54 72 75 73 74 65  [roll/FMFB_Truste]
  06:36:43: RADIUS:   64 43 41 2E 63 72 6C 86 34 66 69 6C 65 3A 2F 2F 5C  [dCA.crl4file://\]
  06:36:43: RADIUS:   5C 73 79 73 6C 6F 67 2D 73 65 72 76 65 72 5C 43  [\syslog-server\C]
  06:36:43: RADIUS:   65 72 74 45 6E 72 6F 6C 6C 5C 46 4D 46 42 5F 54  [ertEnroll\FMFB_T]
  06:36:43: RADIUS:   72 75 73 74 65 64 43 41 2E         [ rustedCA.]
  06:36:43: RADIUS:  EAP-Message         [79]  251
  06:36:43: RADIUS:   63 72 6C 30 10 06 09 2B 06 01 04 01 82 37 15 01 04 03 02 01 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 01 01 00 63 BA F8 CE D5 8B 0E 94 77 AE 86 6C 37 AB 2F 36 9A B2 85 D5 4A  [crl0+70*Hcwl7/6J]
  06:36:43: RADIUS:   74 8C 33 F5 93 06 A6 57 8D 39 56 8F 02 08 97 CB C6 08 70 8C 22 1E 5D 1F A8 26 6D 60 1F 05 62 D1 24 AB 03 8C 41 F8 1C F1 F8 C2 87 8B 97 02 71 FC 6A  [t3W9Vp"]&m`b$Aqj]
  06:36:43: RADIUS:   EB 12 FC DD 8C 5C 9C 2D AF D2 C4 1C 18 1B 40 BE 78 B0 54 55 59 89 03 1B B7 FB 91 85 EE CA C0 18 1C 78 5D 4D BA FA 9E 44 D3 45 53 A3 BE 46 8A FB 81 BD F1 4C B3 3B  [\-@xTUYx]MDESFL;]
  06:36:43: RADIUS:   D6 66 7E 5B 79 9F 83 53 5E 49 92 B5 7F E5 1A E2 86 8C 83 96 7D 75 A5 1D 08 4E 32 C3 5E EC BF 28 53 EC 53 8A C3 E0 36  [f~[yS^I}uN2^(SS6]
  06:36:43: RADIUS:   82 EE AA 0D 38 3E BA 9C 1D D9 24 BD 48 A6 EE 44 BD 95 68 85 CA 8C 44 F8 E8 A2 FB 94 BC 6F 7C F2 06 91 6C A0 A6 BB 7B 7F 56 BD 15 32 A4     [ 8>$HDhDo|l{V2]
  06:36:43: RADIUS:  Message-Authenticato[80]  18
  06:36:43: RADIUS:   DD 82 F7 10 3F C7 B5 62 9B 2A BB 24 16 A7 59 33            [ ?b*$Y3]
  06:36:44: RADIUS(00000049): Received from id 1645/99
  06:36:44: RADIUS/DECODE: EAP-Message fragments, 253+253+253+249, total 1008 bytes
  06:36:44: dot1x-packet:Received an EAP request packet from EAP for mac 0019.b981.e812
  06:36:44: dot1x-sm:Posting EAP_REQ on Client=1D68028
  06:36:44:     dot1x_auth_bend Fa0/11: during state auth_bend_response, got event 7(eapReq)
  06:36:44: @@@ dot1x_auth_bend Fa0/11: auth_bend_response -> auth_bend_request
  06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_exit called
  06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_enter called
  06:36:44: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x7B length: 0x03F0 type: 0xD  data: @Cfui[ab2,Jt1){                                                                                                                              2]g&GZ1pIbu;+Ga;iF"jy#
  oohuV.aFZ4_|
  P0`At   )B
  06:36:44: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
  06:36:44: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
  06:36:44: RADIUS:  Message-Authenticato[80]  18
  06:36:44: RADIUS:   F5 B0 56 D3 C6 87 BD 10 6E C7 4A 72 5B 5C 60 C5           [ VnJr[\`]
  06:36:44: RADIUS:  Vendor, Cisco       [26]  49
  06:36:44: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A802FA0000006F016B36D8"
  06:36:44: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
  06:36:44: RADIUS:  NAS-Port            [5]   6   50011
  06:36:44: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/11"
  06:36:44: RADIUS:  State               [24]  80
  06:36:44: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
  06:36:44: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
  06:36:45: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
  06:36:45: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
  06:36:45: dot1x-registry:registry:dot1x_ether_macaddr called
  06:36:45: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/11
  06:36:45: EAPOL pak dump Tx
  06:36:45: EAPOL Version: 0x2  type: 0x0  length: 0x0039
  06:36:45: EAP code: 0x1  id: 0x7E length: 0x0039 type: 0xD
  06:36:45: dot1x-packet:dot1x_txReq: EAPOL packet sent to client (0019.b981.e812)
  06:36:45: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_request_action called
  06:36:46: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
  06:36:46: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
  06:36:46: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
  06:36:46: EAPOL pak dump rx
  06:36:46: EAPOL Version: 0x1  type: 0x0  length: 0x0006
  06:36:46: dot1x-ev:
  dot1x_auth_queue_event: Int Fa0/11 CODE= 2,TYPE= 13,LEN= 6
  06:36:46: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/11
  06:36:46: dot1x-ev:Received pkt saddr =0019.b981.e812 , daddr = 0180.c200.0003,
                      pae-ether-type = 888e.0100.0006
  06:36:46: dot1x-ev:dot1x_auth_process_eapol: EAPOL flag status of the port  Fa0/11 is TRUE

• Introduction of Cisco ASA into Environment

  Hey, 
  I have just introduced a Cisco ASA into my environment but having major issues working out how to fit it in.  I have tried to configure it as per the proposed solution but not really working
  Currently
  2960 trunk port to >1921 (10.10.1-11.1) (for inter-vlan routing)
  2960 has an 
  access port (vlan 101) to > 887va (10.10.1.2) > ISP
  Proposed
  2960 trunk port to >1921 (10.10.1-11.1) (for inter-vlan routing)
  2960 has an
  access port (vlan 101) to > ASA 5505 (10.10.1.3 (vlan 101) outside/10.10.2.2 (vlan 102) inside) (for packet inspection)
  2960 has an
  access port 101 > 887va (10.10.1.2) > ISP
  essentially, all 3 devices are connected independently to the switch
  In an attempt to get this to work, I changed the default route on the 1921 to the ASA and the ASA's default route to the 887 but when trace routing, it seems to bypass the  ASA altogether...however, when doing this, it does appear that the ASA is doing something as the ip any any ACL on ASA received a number of hits
  I have the following vlans - 
  vlan 101 (10.10.1.0), 102 (10.10.2.0), 105, 106, 107, 108, 109, 110, 111
  i'm running OSPF on all devices - 1921 advertises all vlan interfaces, the 887 advertises 10.10.1.0 and the ASA also advertises 10.10.1.0
  neighbours are forming and routes are exchanged ok.
  Natting on the 887
  Your thoughts and ideas would be grateful; I'm obviously going wrong somewhere
  Many thanks
  Jay

  Hi Jon, 
  Thanks for your prompt response, it is very much appreciated
  it's not a typo i'm afraid although i think i see your point.  My thinking here is/was that i wanted separation between the 'internal' and 'external' elements of my network and creating an inside and outside zone would do this. 10.10.1 would be the 'outside' and all other vlans would be the inside.  (I was halfway though zoning off my 887 before the introduction of the ASA and thought i could apply the same principles here.)
  You are correct re "I am assuming you want traffic from the 1921 to go through the ASA to the 887 ?" and therefore, could you explain why to your comment - "if so you cannot have the outside interface in the same subnet as the 1921 WAN interface"  What is the outside interface on the ASA for then?
  Also, could you confirm why to this one too please? - 
  "If you are running OSPF and the 887 is in the same subnet as the 1921 then it will simply bypass the ASA for return traffic." i'm assuming because the of the routing table pointing to the 1921 and not the ASA? (just clarifying)
  Finally, i'm using a default route for internet access.  i used the default-info originate command on the 887 coinnected to my ISP previously to redistribute the default route to the 1921 but removed that when testing the ASA as i wanted to manually manipulate traffic flow
  Excuse the questions
  Many thanks again
  Jay

• Cisco Switch SG300-20

  I want to know Cisco Switch SG300-20 is Layer 2 or Layer 3 switch.  I Have simple network Layer2 switched, Our Database speed on client is normal. when we add that switch in front of database, it slow the speed of database entry at workstation. Please guide.

  Hello Ross,
  The access port may be a single member of a vlan untag. The trunk port may be a member of multiple vlan. Ingress filtering may NOT be disabled on an access or trunk port.
  The general port is an 802.1 port which may specify tag or untag and the ingress filtering may be disabled.
  Ingress filtering is a feature, that if the ingress port receives an unknown vlan tag, it will discard the packet.
  There is not a guest port, there is a guest VLAN. The smart port for Guest makes the port untag member of the native vlan. The guest vlan does not authenticate against the 802.1x when specified.
  There is a customer port, which is a service provider configuration for QinQ tunneling.
  The port connecting between router and switch should be either trunk or general and all vlan you want to pass between devices should be specified on the ports.
  -Tom

• Integrate Cisco ACE into AAA TACACS+

  Dear Community!
  I would like to configure Cisco ACE 4710 CLI and WebAmin to use ACS v4.2 TACACS+ authentication and accounting feature. After found a Cisco document, which describes ACE AAA features (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html), I have setup all configuration parameters mentioned in this document, everything seems to be OK.
  But...
  I have a TACACS+ group named "Network Administrators", which has privilege level 15 option enabled, so admins do not have to type enable password when authenticating. After setting up ACE AAA, the prvilege level 15 option stops working, while logging in Cisco routers: after authentication, the user remains in privilege level 1.
  Logging in Cisco switches seems to be OK, stepping immediately to level 15 as usual.
  I tried upgrading IOS in a router, but no luck...
  Does anybody have any experiance about this "bug"?
  Thanks in advance!
  Regards,
  Belabacsi
  @ Budapest, Hungary

  Hello Bela
  In ACE on every context (including Admin and other) you should have following strings:
  tacacs-server host x.x.x.x key 7 "xxx"
  tacacs-server host x.x.x.x key 7 "xxx"
  aaa group server tacacs+ MYTACACS
    server x.x.x.x
    server x.x.x.x
  aaa authentication login default group MYTACACS local
  aaa authentication login console group MYTACACS local
  aaa accounting default group x.x.x.x
  On ACS side for group named "Network Administrators" you should configure in TACACS settting:
  1. Shell (exec) enable
  2. Privilege level 15
  3. Custom attributes:
            shell:Admin*Admin default-domain
      if you have additional context add next line
            shell:mycontext*Admin default-domain
  After loging to ACE and issuing sh users command you should see following
  User            Context                                                                 Line     Login Time   (Location)        Role   Domain(s)   
  *adm-x       Admin                                                                   pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
  Regards,
  Stas

• Etherchannel trunk with two cisco switch

  Hi, my company using only one Cisco 3750 switch with VLAN1,2,3,4,5. 
  Now my company bought another cisco switch and we would like to etherchannel trunk between both and create new VLAN in new switch.  We look over from partner, some of them suggested we use LACP, and some of them suggest we use PAgP.  We are so confuse which will be better in our environment.
  Previous: Router <> 3750 switch A (VLAN 1,2,3,4,5)
  Now we bought another Cisco Switch B:  Router <>3750 switch A <> switch B (add more VLAN 6,7,8,9,10)
  Which of below command is the best choice to suit our company ? suppose we use 2 port of gigabitethernet 1/0/1 and 1/0/2 trunk?  All VLAN 1-10 need to communicate with each other.
  interface GigabitEthernet1/0/1
   channel-group 1 mode active  <<< (use "active" or "desirable" is the best choice)
   switchport mode trunk
  interface GigabitEthernet1/0/2
   channel-group 1 mode active
   switchport mode trunk
  interface Port-channel 1
   switchport trunk encapsulation dot1q << (do we need put this? as we think this is by default after trunk?)
   switchport mode trunk
   switchport nonegotiate <<< (do we need "nonegotiate" if both switch setup same configure?)

  Hello
  My understanding is pagp and lacp basically perform the same features - however as PAGP is cisco propriety LACP is IEEE standard which can be used between different route/switch vendor platforms.
  As for disabling DTP ( switchport nonegotiate) - i would agree to do this suggestion, As so not to  have trunks being dynamically created.
  Lastly i would manually prune unused vlans across trunk interfaces, to save on cpu and memory usage because of the stp instances that coild be used ( however such a small vlan database  like yours would not be an issue)
  So to summarise:
  Cisco to Cisco ehterchannels =PAGP
  Cisco to other vendors = LACP
  L2 etherchannel
  ================
  1) default physical interfaces (if possible)
  2) configure port-channel in physical interfaces
  -- port-channel will be created automatically
  3)create trunking encapsulation or access port mode directly in port-channel interface
  4)enable physical interfaces "no shut"
  conf t
  default int ran fa0/1 -3 ( if applicable)
  int ran fa0/1 -3
  shut ( if applicable)
  channel-group 1 mode xxx
  int port-channel 1
  switchport trunk encap dot1q
  switchport- mode trunk
  switchport nonegotiate
  switchport trunk allowed vlan 1-10
  res
  Paul