Add Cisco Switch into a configuration
I have a Dell 6248 switch with three VLANS defined (1,2,10).
I need to expand VLAN 10 (need more ports) on the Dell Switch.
I have downloaded the Cisco CNA.
In the attached screen of the CNA, am I on the correct display to create a new VLAN 10?
What is the best way to connect the Dell switch to the Cisco?
Thanks
Yes, so far 21-24 are in VLAN 10, but I will need to set a few more.
This is a bit more complicated.
What I am looking at is an old test and dev virtual infrastructure configuration that was set up with a 1GB Linksys switch and a Dell 6248 switch.
The reason given for the Linksys in the config is that it was the only 1GB switch available at the time the SAN had to be installed, and there were no more available ports on the 6248. Running Dell Dpack reports shows latency issues when migrating from an EqualLogic volume to an MD3200 volume and from MD3200 to MD3200 volumes (on the order of 30-45 minutes for a 20GB VM). Migrating from EqualLogic volumes to EqualLogic volumes takes seconds.
I think the Linksys is the issue, as do our Dell reps. We are looking at replacing the Linksys with a Cisco or another L2/L3 switch.
SAN traffic is isolated to VLAN 10 on the Dell switch. I want to set up a VLAN 10 on the Cisco switch and then connect the MD3200 to the Cisco, which will be connected to VLAN 10 on the Dell switch for access to an EqualLogic SAN. I am not sure what will be involved.
Is it as simple as what you are saying: I configure VLAN 10 on the Cisco switch and connect a port from the Cisco to VLAN 10 on the Dell switch?
I have a diagram attached; it needs some updates but it is close to the config.
Similar Messages
-
Firewall Ports Required for NAC manager to manage/add Cisco switch
Hi,
I am trying to add Cisco switches to the NAM; however, I am not able to add the switch, as I am getting the error "unable to control switch". I have tried opening ports 161-162 on the firewall; if I allow any traffic between the NAM and the switch, the Cisco NAM is able to add/manage the switch.
Not sure what other ports may be required for the Cisco NAM to manage the switch?
Thanks.
Hi,
AFAIK, only the UDP ports 161-162 for the SNMP communication need to be open.
Please make sure you have configured the correct port on the switch:
(config)# snmp-server host 172.16.1.61 traps version 2c cam_v2 udp-port 162 mac-notification snmp
If it is still not working, I would check the logs on the firewall for any blocked traffic between the CAM and the switch.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Cisco SG300 Network Expansion (Configure 2 Switches)
I’m currently in the process of expanding my network, having bought a second Cisco SG300-20 which is now sitting in my lab. My current setup is described below:
Internet
^
|
Draytek Router 192.168.1.1
^
|
Cisco SG300-20 192.168.1.2
^
|
VLAN 12 Workstations interface 10.0.12.1
VLAN 13 Management interface 10.0.13.1
VLAN 14 Public interface 10.0.14.1
VLAN 15 Private interface 10.0.15.1
VLAN 20 Storage interface 10.0.20.1
I then have a number of servers with multiple NICs that run on the various VLANs, attached to certain ports on the Cisco switch.
VLANs 12 and 14 have been given access to the internet, with routes added on the Draytek to 10.0.12.1 / 10.0.14.1.
Now what I want to do is expand the network by running a link from my first switch to the new switch. I've read a number of notes on this forum but am confused as to what I need to do.
I want the new switch to have access to all the VLANs configured on the first switch, and will set the port access to the various VLANs for each server that is being connected.
I have read that it's best to have any additional switches on the network configured as Layer 2 and leave just one switch to do the routing (is that correct?). So I have left the new switch as Layer 2 and given it an IP of 192.168.1.3.
So the first question is how do I configure the uplink port from switch 1 (Port Gi2) to switch 2 (Port Gi1)?
Should I run multiple cables and create a LAG between the two switches, allowing for additional bandwidth? (I stream a lot of HD movies across the network to the workstations.)
I have attached my running config from switch 1 below.
Any help would be appreciated, unfortunately networks are not my strong point.
prcswitch01#show running-config
config-file-header
prcswitch01
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end XXXXXX
vlan database
vlan 12-15,20
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp server
ip dhcp pool network Workstations
address low 10.0.12.20 high 10.0.12.100 255.255.255.0
lease infinite
default-router 10.0.12.1
dns-server 10.0.15.200 8.8.8.8
exit
bonjour interface range vlan 1
hostname prcswitch01
username cisco password encrypted XXXXXXX privilege 15
ip ssh server
interface vlan 1
ip address 192.168.1.2 255.255.255.0
no ip address dhcp
interface vlan 12
name Workstations
ip address 10.0.12.1 255.255.255.0
interface vlan 13
name Management
ip address 10.0.13.1 255.255.255.0
interface vlan 14
name Public
ip address 10.0.14.1 255.255.255.0
interface vlan 15
name Private
ip address 10.0.15.1 255.255.255.0
interface vlan 20
name Storage
ip address 10.0.20.1 255.255.255.0
interface gigabitethernet3
switchport mode access
switchport access vlan 12
interface gigabitethernet4
switchport mode access
switchport access vlan 12
interface gigabitethernet5
switchport mode access
switchport access vlan 20
interface gigabitethernet6
switchport mode access
switchport access vlan 20
interface gigabitethernet7
switchport trunk allowed vlan add 13-15
interface gigabitethernet8
switchport trunk allowed vlan add 13,20
switchport trunk native vlan 12
interface gigabitethernet9
switchport trunk allowed vlan add 13-15
interface gigabitethernet10
switchport trunk allowed vlan add 13,20
switchport trunk native vlan 12
interface gigabitethernet11
switchport trunk allowed vlan add 13-15
interface gigabitethernet12
switchport trunk allowed vlan add 13,20
switchport trunk native vlan 12
interface gigabitethernet13
switchport mode access
switchport access vlan 12
interface gigabitethernet14
switchport mode access
switchport access vlan 12
interface gigabitethernet15
switchport mode access
switchport access vlan 12
interface gigabitethernet16
switchport mode access
switchport access vlan 12
interface gigabitethernet17
switchport mode access
switchport access vlan 12
interface gigabitethernet18
switchport mode access
switchport access vlan 12
interface gigabitethernet19
switchport mode access
switchport access vlan 12
interface gigabitethernet20
switchport mode access
switchport access vlan 12
exit
ip default-gateway 192.168.1.1
prcswitch01#
Hi Aleksandra,
I'm still having issues with my setup. The servers I have connected have VLAN tagging enabled.
Previously I had my ESXi server connected via two NICs, with ports configured on my Layer 3 switch prcswitch01 as follows:
Port 1 Trunk VLAN 13-15
Port 2 Trunk VLAN 13,20
My NAS was configured on a single port on VLAN 20.
The ESXi server can only have a single gateway, which is used by both interfaces:
~ # esxcli network ip route ipv4 list
Network Netmask Gateway Interface Source
default 0.0.0.0 10.0.13.1 vmk0 MANUAL
10.0.13.0 255.255.255.0 0.0.0.0 vmk0 MANUAL
10.0.20.0 255.255.255.0 0.0.0.0 vmk1 MANUAL
Traffic was being passed from VLAN 13 to VLAN 20 to allow connectivity to the NAS on the ESXi server.
This no longer seems to be happening on my Layer 2 switch.
I have configured the ports the same as previously setup on the Layer 3 switch.
When I have the ESXi server connected I can reach the server on 10.0.13.11, but the server cannot ping the NAS on 10.0.20.196.
Hope that makes sense; I’m confused about setting this new switch up. Should I configure it as Layer 3 and set up interfaces for the various VLANs? I was under the impression this would be done by my first switch.
Thanks
Paul -
Configuring VLANs on Cisco switches - help on basics please!
Hi people.
I'm buying Cisco switches for my home lab to practice VLANs and have some doubts; would someone kindly help me?
I'm thinking of buying two 300 series switches for the servers (VMware boxes), configuring two separate VLANs for VMs and two other VLANs for desktop computers, in order to simulate a small office with a datacenter and two floors (one VLAN for each floor).
I presume that the connection between each floor switch and the 300 series core switch will be via trunk mode on both, not access port mode, is that correct?
Another question: for the desktop switches, the ports that are going to connect to the desktops (which run Windows with non-VLAN-tagging-aware NICs) will be configured with the correct VLAN, and the operating system will just communicate normally as if there were no VLAN tag on the frames?
Since I need inter-vlan routing only on the core switch (the 300 series), for the desktops switches I can purchase some 200 series, right?
And the last question: presuming that I configure a third VLAN and add a third floor switch, but this time a 100 series switch that is not VLAN capable, and connect this switch to the 300 switch, will it work or not?
Thank you!
Hi! Thanks for the rapid answers!
I have a couple more based on the same questions:
I presume that the connection between each floor switch and the 300 series core switch will be via trunk mode on both, not access port mode, is that correct? - Yes, trunk links are required to carry multiple VLANs.
So, I could also use multiple links with LAG/LACP carrying all vlans between switches?
And the last question: presuming that I configure a third VLAN and add a third floor switch, but this time a 100 series switch that is not VLAN capable, and connect this switch to the 300 switch, will it work or not? - Yes, but make sure that the link between these two switches is an access link, i.e. it must carry only the third VLAN.
So, if I understand correctly, if having one VLAN per floor in an office building, for economic reasons you could deploy simple unmanaged, non-VLAN-capable switches on the floors, and in the data center a core switch with the VLANs configured for each floor?
And from a technical perspective, what would be the advantages of deploying on each floor a VLAN-capable switch configured with the correct VLAN?
And which method mentioned above is more commonly deployed for endpoint floor switches?
Thanks! -
What's "SAVE" configuration command for Cisco switch/ router?
What's the "SAVE" configuration command for a Cisco switch/router? I know Switch#copy running-config startup-config works well,
but it is so long; is there any other command that is easy to remember?
Yes, here: Switch#write. And if you want to know more about Cisco switches, please visit: http://www.3anetwork.com/cisco-switches-price_c1 -
Configure Domain Controller ( PDC emulator) as NTP source for Cisco switch 6509
Hi All,
My org consists of 2 DCs, one physical and one virtual. All roles are on the physical machine. I ran a W32tm /Query /Configuration command on the PDC emulator and the results are confusing. My PDC is using the time source VMICTimeProvider, as you can see below:
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
My first question is: is it OK for the PDC emulator to use this time source, or should I change to some other source like pool.ntp.org or time.windows.com,0x1?
My second question is that I have a core switch, a Cisco 6509, and I want this switch to use my NTP server (the PDC emulator) as its NTP source, but at present I cannot, as I am getting this error on the switch: (no select intersectionTP)
Can anyone help... It is urgent.
Thanks in Advance
EagleAsh
You should not make your DCs sync their time with your hypervisor. This usually ends in time synchronization problems, so I would recommend disabling that on your DCs and domain-joined VMs and using an external NTP server to sync time on your PDC, while using your AD forest topology for time sync on the other DCs and domain-joined computers.
I have already started a Wiki article that describes how to configure time sync in an AD domain, and you might consider using the GPO configuration option that is described there: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
For the Cisco switch, I would recommend asking in the Cisco forums.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. -
Configuration Cisco switch 802.1x for ISE
Hi dears,
I configured EAP-FAST authentication on Cisco ISE from Cisco video material. Now I need a full 802.1X configuration guide or video link for the Cisco switch.
Please provide this.
Thanks.
See this link:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sw_cnfg.html -
Cisco Network Assistant, unable to add a switch to community
Hello everyone,
I am able to add a switch as an individual device, but I am not able to add it to a community.
The switch is a WS-C3548-XL.
I attached a screenshot.
Thank you
The switch configurations look pretty straightforward and mostly correct.
I notice that the problem switch has "ip routing" global command. Why is that necessary? You are only using it as a L2 switch, yes? If you use "ip routing" and have no routing process (ospf, eigrp, etc.) running you would need to add a static default route (ip route 0.0.0.0 etc.) and not use the "ip default-gateway" command. Otherwise the switch itself (the SVI) does not know how to leave the management VLAN routing-wise since it is the only L3 interface defined.
(I might also add "ip http authentication local" on each and I'd definitely disable telnet in favor of ssh) -
Access to Cisco Switch Modbus Register Map? via Modbus TCP or Modbus RTU
Hello folks, I have been trying to find out how to access the Modbus register map(s) of Cisco switches; of particular interest is that of an IE 3000, as it is DIN-rail mountable (but the 2960 and 3560 models are also of interest). A Google search for "Cisco Switch Modbus TCP" turns up (if I may) how to configure a Cisco 2520 to do what I am trying to do. I would be very grateful for any hints anybody might have. Thanks
Though I am not familiar with the specific drives in question, I have used Modbus/TCP in LabVIEW a few times recently.
As the previous posters pointed out, there are a couple of VI libraries available. LabVIEW 2014 added Modbus VIs with DSC and LabVIEW Real-Time. The others you would have to get and add in yourself.
Another option is to use LabVIEW I/O Servers; as long as you have DSC or Real-Time, you can create Modbus I/O Servers as library items and deploy them to a target. You don't get as much direct control this way (and may run into difficulties if you need them to be field-configurable and do not have DSC), and you use bound network shared variables, but they are very fast and easy to set up, and I have yet to have any issues with using them in my applications.
A tutorial on setting up a Modbus I/O Server: http://www.ni.com/tutorial/13911/en/
A tidbit on deciding between Modbus VI's and a Modbus I/O Server: http://zone.ni.com/reference/en-XX/help/370622M-01/lvmve/choose_modbus_ioserver_vi/
As for using an Ethernet switch to connect multiple devices, I have used this approach many times to simultaneously connect and control numerous PCs, real-time controllers, and drives without issue. I would not expect there to be any problems unless you have extenuating circumstances. In fact, if you only have one network interface on your device at the moment, I would recommend against adding a second, as this would mean that you / your controller would have to be extra aware of which interface everything is assigned to go through. -
DACL does not get downloaded to Cisco Switch from ISE
Hello,
I have a Cisco switch with IOS: c3550-ipbasek9-mz.122-44.SE6.bin
I am trying to push a dACL from my ISE device to the switch, but it is not getting applied on the switch. Dynamic VLAN assignment works fine, but the dACL does not apply.
Any instructions please?
Hi Jatin,
ISE is properly configured for dACL; I think there is some compatibility issue with the Cisco switch IOS.
Following is the debug output:
06:36:43: dot1x-packet:Received an EAP packet on interface FastEthernet0/11
06:36:43: EAPOL pak dump rx
06:36:43: EAPOL Version: 0x1 type: 0x0 length: 0x0006
06:36:43: dot1x-packet:Received an EAP packet on the FastEthernet0/11 from mac 0019.b981.e812
06:36:43: dot1x-sm:Posting EAPOL_EAP on Client=1D68028
06:36:43: dot1x_auth_bend Fa0/11: during state auth_bend_request, got event 6(eapolEap)
06:36:43: @@@ dot1x_auth_bend Fa0/11: auth_bend_request -> auth_bend_response
06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_enter called
06:36:43: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 0019.b981.e812
06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_response_action called
06:36:43: RADIUS/ENCODE(00000049):Orig. component type = DOT1X
06:36:43: RADIUS(00000049): Config NAS IP: 192.168.2.250
06:36:43: RADIUS/ENCODE(00000049): acct_session_id: 73
06:36:43: RADIUS(00000049): sending
06:36:43: RADIUS(00000049): Send Access-Request to 192.168.2.231:1812 id 1645/99, len 267
06:36:43: RADIUS: authenticator 5B 61 1D 64 D3 D5 9F AD - 23 E0 11 11 B3 C3 5C 81
06:36:43: RADIUS: User-Name [1] 6 "test"
06:36:43: RADIUS: Service-Type [6] 6 Framed [2]
06:36:43: RADIUS: Framed-MTU [12] 6 1500
06:36:43: RADIUS: Called-Station-Id [30] 19 "00-11-5C-6E-5E-0B"
06:36:43: RADIUS: Calling-Station-Id [31] 19 "00-19-B9-81-E8-12"
06:36:43: RADIUS: EAP-Message [79] 8
06:36:43: RADIUS: 02 7A 00 06 0D 00 [ z]
06:36:43: RADIUS: Message-Authenticato[80] 18
06:36:43: RADIUS: A6 AB 5A CA ED B8 B4 1E 36 00 9D AB 1A F6 B9 E0 [ Z6]
06:36:43: RADIUS: Vendor, Cisco [26] 49
06:36:43: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A802FA0000006F016B36D8"
06:36:43: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
06:36:43: RADIUS: NAS-Port [5] 6 50011
06:36:43: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/11"
06:36:43: RADIUS: State [24] 80
06:36:43: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:43: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:43: RADIUS: 31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F [16B36D8;35Sessio]
06:36:43: RADIUS: 6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31 [nID=ise-server-1]
06:36:43: RADIUS: 2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B [ /171025988/24;]
06:36:43: RADIUS: NAS-IP-Address [4] 6 192.168.2.250
06:36:43: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
06:36:43: RADIUS: Received from id 1645/99 192.168.2.231:1812, Access-Challenge, len 1134
06:36:43: RADIUS: authenticator 78 36 A3 38 30 1C F0 7A - 19 83 93 81 B4 6B FF 9E
06:36:43: RADIUS: State [24] 80
06:36:43: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:43: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:43: RADIUS: 31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F [16B36D8;35Sessio]
06:36:43: RADIUS: 6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31 [nID=ise-server-1]
06:36:43: RADIUS: 2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B [ /171025988/24;]
06:36:43: RADIUS: EAP-Message [79] 255
06:36:43: RADIUS: 4D 5D 13 47 FC 46 16 EE 62 76 40 09 77 48 31 B6 01 6B 5E 52 33 56 A2 1E 34 [M]GFbv@wH1k^R3V4]
06:36:43: RADIUS: 02 32 39 FA 4D CA 79 18 4A 42 A2 4E 5C BD AE 29 D2 3D D1 5A FC C2 ED 3E E5 FB C6 B8 D8 DE A8 75 EB 3A A5 7D 02 03 01 00 01 A3 81 CD 30 [29MyJBN\)=Z>u:}0]
06:36:43: RADIUS: 81 CA 30 0B 06 03 55 1D 0F 04 04 03 02 01 86 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 1D 06 03 55 1D 0E 04 16 04 14 C4 56 80 A7 C9 18 50 92 EE CC 91 D4 E1 EC DB AD E7 1E 70 A8 30 79 06 03 55 1D 1F 04 72 30 70 [0U0U00UVPp0yUr0p]
06:36:43: RADIUS: 30 6E A0 6C A0 6A 86 32 68 74 74 70 3A 2F 2F 73 79 73 6C [0nlj2http://sysl]
06:36:43: RADIUS: 6F 67 2D 73 65 72 76 65 72 2F 43 65 72 74 45 6E [og-server/CertEn]
06:36:43: RADIUS: 72 6F 6C 6C 2F 46 4D 46 42 5F 54 72 75 73 74 65 [roll/FMFB_Truste]
06:36:43: RADIUS: 64 43 41 2E 63 72 6C 86 34 66 69 6C 65 3A 2F 2F 5C [dCA.crl4file://\]
06:36:43: RADIUS: 5C 73 79 73 6C 6F 67 2D 73 65 72 76 65 72 5C 43 [\syslog-server\C]
06:36:43: RADIUS: 65 72 74 45 6E 72 6F 6C 6C 5C 46 4D 46 42 5F 54 [ertEnroll\FMFB_T]
06:36:43: RADIUS: 72 75 73 74 65 64 43 41 2E [ rustedCA.]
06:36:43: RADIUS: EAP-Message [79] 251
06:36:43: RADIUS: 63 72 6C 30 10 06 09 2B 06 01 04 01 82 37 15 01 04 03 02 01 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 01 01 00 63 BA F8 CE D5 8B 0E 94 77 AE 86 6C 37 AB 2F 36 9A B2 85 D5 4A [crl0+70*Hcwl7/6J]
06:36:43: RADIUS: 74 8C 33 F5 93 06 A6 57 8D 39 56 8F 02 08 97 CB C6 08 70 8C 22 1E 5D 1F A8 26 6D 60 1F 05 62 D1 24 AB 03 8C 41 F8 1C F1 F8 C2 87 8B 97 02 71 FC 6A [t3W9Vp"]&m`b$Aqj]
06:36:43: RADIUS: EB 12 FC DD 8C 5C 9C 2D AF D2 C4 1C 18 1B 40 BE 78 B0 54 55 59 89 03 1B B7 FB 91 85 EE CA C0 18 1C 78 5D 4D BA FA 9E 44 D3 45 53 A3 BE 46 8A FB 81 BD F1 4C B3 3B [\-@xTUYx]MDESFL;]
06:36:43: RADIUS: D6 66 7E 5B 79 9F 83 53 5E 49 92 B5 7F E5 1A E2 86 8C 83 96 7D 75 A5 1D 08 4E 32 C3 5E EC BF 28 53 EC 53 8A C3 E0 36 [f~[yS^I}uN2^(SS6]
06:36:43: RADIUS: 82 EE AA 0D 38 3E BA 9C 1D D9 24 BD 48 A6 EE 44 BD 95 68 85 CA 8C 44 F8 E8 A2 FB 94 BC 6F 7C F2 06 91 6C A0 A6 BB 7B 7F 56 BD 15 32 A4 [ 8>$HDhDo|l{V2]
06:36:43: RADIUS: Message-Authenticato[80] 18
06:36:43: RADIUS: DD 82 F7 10 3F C7 B5 62 9B 2A BB 24 16 A7 59 33 [ ?b*$Y3]
06:36:44: RADIUS(00000049): Received from id 1645/99
06:36:44: RADIUS/DECODE: EAP-Message fragments, 253+253+253+249, total 1008 bytes
06:36:44: dot1x-packet:Received an EAP request packet from EAP for mac 0019.b981.e812
06:36:44: dot1x-sm:Posting EAP_REQ on Client=1D68028
06:36:44: dot1x_auth_bend Fa0/11: during state auth_bend_response, got event 7(eapReq)
06:36:44: @@@ dot1x_auth_bend Fa0/11: auth_bend_response -> auth_bend_request
06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_exit called
06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_enter called
06:36:44: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x7B length: 0x03F0 type: 0xD data: @Cfui[ab2,Jt1){ 2]g&GZ1pIbu;+Ga;iF"jy#
oohuV.aFZ4_|
P0`At )B
06:36:44: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
06:36:44: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:44: RADIUS: Message-Authenticato[80] 18
06:36:44: RADIUS: F5 B0 56 D3 C6 87 BD 10 6E C7 4A 72 5B 5C 60 C5 [ VnJr[\`]
06:36:44: RADIUS: Vendor, Cisco [26] 49
06:36:44: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A802FA0000006F016B36D8"
06:36:44: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
06:36:44: RADIUS: NAS-Port [5] 6 50011
06:36:44: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/11"
06:36:44: RADIUS: State [24] 80
06:36:44: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:44: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:45: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
06:36:45: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:45: dot1x-registry:registry:dot1x_ether_macaddr called
06:36:45: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/11
06:36:45: EAPOL pak dump Tx
06:36:45: EAPOL Version: 0x2 type: 0x0 length: 0x0039
06:36:45: EAP code: 0x1 id: 0x7E length: 0x0039 type: 0xD
06:36:45: dot1x-packet:dot1x_txReq: EAPOL packet sent to client (0019.b981.e812)
06:36:45: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_request_action called
06:36:46: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:46: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
06:36:46: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
06:36:46: EAPOL pak dump rx
06:36:46: EAPOL Version: 0x1 type: 0x0 length: 0x0006
06:36:46: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/11 CODE= 2,TYPE= 13,LEN= 6
06:36:46: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/11
06:36:46: dot1x-ev:Received pkt saddr =0019.b981.e812 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0006
06:36:46: dot1x-ev:dot1x_auth_process_eapol: EAPOL flag status of the port Fa0/11 is TRUE -
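The excerpt above stops at an Access-Challenge, and a downloadable ACL is only ever delivered in the final Access-Accept, so this tail of the debug cannot show why the dACL is not applied. What follows is an added example, not code from the thread, from Cisco or from ISE: a Python parser for 'debug radius' output in the format quoted above. It lists each packet's attributes (skipping the hex continuation lines and the dot1x state-machine lines), totals the EAP-Message payload bytes per packet, and reports whether an Access-Accept carrying a dACL AV pair was seen. SAMPLE_DEBUG is a constructed excerpt in the posted format; SAMPLE_ACCEPT is entirely constructed, with a placeholder ACL name.

```python
"""Summarize a Cisco IOS 'debug radius' capture like the one quoted above.

Added example, not part of the thread. It parses the packet header lines
('Send Access-Request ...', 'Received from id ..., Access-Challenge, ...') and
the attribute lines beneath them, skips hex continuation and dot1x lines, and
reports whether an Access-Accept carrying a downloadable ACL ever appears.
SAMPLE_DEBUG is a constructed excerpt in the posted log's format; SAMPLE_ACCEPT
is entirely constructed (an Access-Accept with a placeholder dACL name).
'ACS:CiscoSecure-Defined-ACL=' and 'ip:inacl#' are the Cisco AV-pair prefixes a
dACL or per-user ACL arrives in.
"""
import re
from typing import Dict, List

SAMPLE_DEBUG = """\
06:36:43: dot1x-packet:Received an EAP packet on interface FastEthernet0/11
06:36:43: RADIUS(00000049): Send Access-Request to 192.168.2.231:1812 id 1645/99, len 267
06:36:43: RADIUS:  authenticator 5B 61 1D 64 D3 D5 9F AD - 23 E0 11 11 B3 C3 5C 81
06:36:43: RADIUS:  User-Name           [1]   6   "test"
06:36:43: RADIUS:  Service-Type        [6]   6   Framed                    [2]
06:36:43: RADIUS:  EAP-Message         [79]  8
06:36:43: RADIUS:   02 7A 00 06 0D 00                  [ z]
06:36:43: RADIUS:  Message-Authenticato[80]  18
06:36:43: RADIUS:   A6 AB 5A CA ED B8 B4 1E 36 00 9D AB 1A F6 B9 E0  [ Z6]
06:36:43: RADIUS:  Vendor, Cisco       [26]  49
06:36:43: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A802FA0000006F016B36D8"
06:36:43: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/11"
06:36:43: RADIUS:  Received from id 1645/99 192.168.2.231:1812, Access-Challenge, len 1134
06:36:43: RADIUS:  State               [24]  80
06:36:43: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
06:36:43: RADIUS:  EAP-Message         [79]  255
06:36:43: RADIUS:   4D 5D 13 47 FC 46 16 EE 62 76 40 09 77 48 31 B6  [M]GFbv@wH1]
06:36:43: RADIUS:  EAP-Message         [79]  251
06:36:43: RADIUS:   63 72 6C 30 10 06 09 2B 06 01 04 01 82 37 15 01  [crl0+7]
06:36:43: RADIUS:  Message-Authenticato[80]  18
06:36:44: RADIUS/DECODE: EAP-Message fragments, 253+253+253+249, total 1008 bytes
"""

# Entirely constructed: what a successful authorization with a dACL looks like.
SAMPLE_ACCEPT = """\
06:40:01: RADIUS(0000004A): Send Access-Request to 192.168.2.231:1812 id 1645/100, len 200
06:40:01: RADIUS:  User-Name           [1]   6   "test"
06:40:01: RADIUS:  Received from id 1645/100 192.168.2.231:1812, Access-Accept, len 120
06:40:01: RADIUS:  Vendor, Cisco       [26]  61
06:40:01: RADIUS:   Cisco AVpair       [1]   55  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PLACEHOLDER-0"
"""

SEND_RE = re.compile(r"RADIUS\(\w+\): Send (?P<code>Access-\w+) to (?P<peer>\S+) id (?P<id>\S+), len (?P<len>\d+)")
RECV_RE = re.compile(r"RADIUS:\s+Received from id (?P<id>\S+) (?P<peer>\S+), (?P<code>Access-\w+), len (?P<len>\d+)")
# Attribute lines: name, [type], length, optional value. Requiring the name to start
# with a letter excludes the hex continuation lines that follow long attributes.
ATTR_RE = re.compile(r"^\S+ RADIUS:\s+(?P<name>[A-Za-z][^\[]*?)\s*\[(?P<type>\d+)\]\s+(?P<len>\d+)(?:\s+(?P<value>.+))?$")
DACL_PREFIXES = ("ACS:CiscoSecure-Defined-ACL=", "ip:inacl#")


def parse_radius_debug(text: str) -> List[Dict]:
    """Return one dict per RADIUS packet, with its attributes in order."""
    packets: List[Dict] = []
    for line in text.splitlines():
        for direction, rx in (("sent", SEND_RE), ("received", RECV_RE)):
            m = rx.search(line)
            if m:
                packets.append({"direction": direction, "code": m["code"], "id": m["id"],
                                "peer": m["peer"], "len": int(m["len"]), "attrs": []})
                break
        else:
            m = ATTR_RE.match(line)
            if m and packets:                       # attribute lines follow their header
                value = m["value"]
                if value is not None:
                    value = " ".join(value.split()).strip('"')
                packets[-1]["attrs"].append({"name": m["name"].strip(), "type": int(m["type"]),
                                             "len": int(m["len"]), "value": value})
    return packets


def attr_values(pkt: Dict, name: str) -> List[str]:
    return [a["value"] for a in pkt["attrs"] if a["name"] == name]


def eap_payload_bytes(pkt: Dict) -> int:
    """EAP bytes carried; the RADIUS attribute length includes its 2-byte header."""
    return sum(a["len"] - 2 for a in pkt["attrs"] if a["name"] == "EAP-Message")


def dacl_status(packets: List[Dict]) -> Dict:
    """Was an Access-Accept seen, and which dACL / per-user ACL AV pairs did it carry?"""
    accepts = [p for p in packets if p["code"] == "Access-Accept"]
    dacl = [v for p in accepts for v in attr_values(p, "Cisco AVpair")
            if v is not None and v.startswith(DACL_PREFIXES)]
    return {"accept_seen": bool(accepts), "dacl": dacl}


if __name__ == "__main__":
    for label, text in (("sample excerpt", SAMPLE_DEBUG), ("constructed accept", SAMPLE_ACCEPT)):
        pkts = parse_radius_debug(text)
        for p in pkts:
            print(f"{p['direction']:8} {p['code']:16} id {p['id']} len {p['len']} "
                  f"attrs {len(p['attrs'])} eap-bytes {eap_payload_bytes(p)}")
        print(label, "->", dacl_status(pkts))
```

Run over the complete capture rather than this tail, the parser shows whether an Access-Accept ever arrived and what it carried: an accept that contains the dACL attribute yet is not applied points at the switch side (the IOS compatibility Jatin suspects), while an accept without it points back at the ISE authorization profile.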
Introduction of Cisco ASA into Environment
Hey,
I have just introduced a Cisco ASA into my environment but am having major issues working out how to fit it in. I have tried to configure it as per the proposed solution, but it is not really working.
Currently
2960 trunk port to >1921 (10.10.1-11.1) (for inter-vlan routing)
2960 has an
access port (vlan 101) to > 887va (10.10.1.2) > ISP
Proposed
2960 trunk port to >1921 (10.10.1-11.1) (for inter-vlan routing)
2960 has an
access port (vlan 101) to > ASA 5505 (10.10.1.3 (vlan 101) outside/10.10.2.2 (vlan 102) inside) (for packet inspection)
2960 has an
access port 101 > 887va (10.10.1.2) > ISP
Essentially, all 3 devices are connected independently to the switch.
In an attempt to get this to work, I changed the default route on the 1921 to the ASA and the ASA's default route to the 887, but when tracerouting it seems to bypass the ASA altogether. However, when doing this, it does appear that the ASA is doing something, as the ip any any ACL on the ASA received a number of hits.
I have the following vlans -
vlan 101 (10.10.1.0), 102 (10.10.2.0), 105, 106, 107, 108, 109, 110, 111
I'm running OSPF on all devices: the 1921 advertises all VLAN interfaces, the 887 advertises 10.10.1.0 and the ASA also advertises 10.10.1.0.
Neighbours are forming and routes are exchanged OK.
NATting is on the 887.
Your thoughts and ideas would be gratefully received; I'm obviously going wrong somewhere.
Many thanks
Jay
Hi Jon,
Thanks for your prompt response, it is very much appreciated
It's not a typo I'm afraid, although I think I see your point. My thinking here is/was that I wanted separation between the 'internal' and 'external' elements of my network, and creating an inside and an outside zone would do this. 10.10.1 would be the 'outside' and all other VLANs would be the inside. (I was halfway through zoning off my 887 before the introduction of the ASA and thought I could apply the same principles here.)
You are correct re "I am assuming you want traffic from the 1921 to go through the ASA to the 887?", and therefore could you explain your comment "if so you cannot have the outside interface in the same subnet as the 1921 WAN interface"? What is the outside interface on the ASA for then?
Also, could you confirm why on this one too please? -
"If you are running OSPF and the 887 is in the same subnet as the 1921 then it will simply bypass the ASA for return traffic." I'm assuming because of the routing table pointing to the 1921 and not the ASA? (just clarifying)
Finally, I'm using a default route for internet access. I used the default-info originate command on the 887 connected to my ISP previously to redistribute the default route to the 1921, but removed that when testing the ASA as I wanted to manually manipulate traffic flow.
Excuse the questions
Many thanks again
Jay -
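Jon's point quoted above, that with OSPF and the 887 on the same subnet as the 1921 the return traffic simply bypasses the ASA, can be checked with a small routing model. This is an added example, not code from the thread: it uses the addresses the post gives (1921 at 10.10.1.1/10.10.2.1, ASA outside 10.10.1.3 and inside 10.10.2.2, 887 at 10.10.1.2) with assumed routing tables, and 10.10.5.0/24 standing in for one of the LAN VLANs (an assumption following the post's numbering). It traces an outbound flow and its reply hop by hop and reports whether both halves cross the ASA.

```python
"""Trace forward and return paths through the ASA topology described above.

Added example, not code from the thread. It models the addresses the poster
gives (1921 inter-VLAN router at 10.10.x.1, ASA 5505 outside 10.10.1.3 / inside
10.10.2.2 on VLAN 102, 887VA at 10.10.1.2) with assumed routing tables, to show
why the 887 hands return traffic straight to the 1921 when both sit on
10.10.1.0/24, so the ASA only ever sees the outbound half of each flow.
10.10.5.0/24 standing for a LAN VLAN follows the post's numbering (assumption).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def build_topology(shared_subnet: bool) -> Dict[str, dict]:
    """Per device: its own addresses and a route list of (prefix, next_hop).
    next_hop None = directly connected; 'ISP' = the upstream sink.
    shared_subnet=True reproduces the post: 887 and 1921 are OSPF neighbours on
    10.10.1.0/24, so the 887 learns the inside prefixes with the 1921 itself as
    next hop. False models the 887 reaching them only via the ASA's outside."""
    lan_via = "10.10.1.1" if shared_subnet else "10.10.1.3"
    return {
        "1921": {"addrs": {"10.10.1.1", "10.10.2.1", "10.10.5.1"},
                 "routes": [("10.10.1.0/24", None), ("10.10.2.0/24", None),
                            ("10.10.5.0/24", None), ("0.0.0.0/0", "10.10.2.2")]},
        "ASA": {"addrs": {"10.10.1.3", "10.10.2.2"},
                "routes": [("10.10.1.0/24", None), ("10.10.2.0/24", None),
                           ("10.10.5.0/24", "10.10.2.1"), ("0.0.0.0/0", "10.10.1.2")]},
        "887": {"addrs": {"10.10.1.2"},
                "routes": [("10.10.1.0/24", None), ("10.10.5.0/24", lan_via),
                           ("0.0.0.0/0", "ISP")]},
    }


def lookup(routes, dst: ipaddress.IPv4Address) -> Optional[Tuple[ipaddress.IPv4Network, Optional[str]]]:
    """Longest-prefix match over a device's route list."""
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(topology: Dict[str, dict], start: str, dst_ip: str, max_hops: int = 8) -> List[str]:
    """Device-by-device path a packet to dst_ip takes, starting at 'start'."""
    dst = ipaddress.ip_address(dst_ip)
    owner = {ip: name for name, dev in topology.items() for ip in dev["addrs"]}
    path, current = [start], start
    for _ in range(max_hops):
        route = lookup(topology[current]["routes"], dst)
        if route is None:
            return path + ["(no route)"]
        next_hop = route[1]
        if next_hop is None:            # destination network is directly connected
            return path
        if next_hop == "ISP":
            return path + ["ISP"]
        current = owner[next_hop]
        path.append(current)
    return path + ["(loop)"]


def is_symmetric(forward: List[str], back: List[str]) -> bool:
    """True when the reply crosses the same devices in reverse order,
    i.e. the firewall inspects both halves of the conversation."""
    return [h for h in forward if h != "ISP"] == list(reversed(back))


if __name__ == "__main__":
    for shared in (True, False):
        topo = build_topology(shared)
        out = trace(topo, "1921", "8.8.8.8")        # LAN host -> internet, via its gateway
        back = trace(topo, "887", "10.10.5.10")     # the reply coming back in
        print(f"887 on the 1921's subnet={shared}: out {' -> '.join(out)}; "
              f"back {' -> '.join(back)}; symmetric={is_symmetric(out, back)}")
```

With the 887 learning the inside prefixes directly from the 1921, the reply path is 887 -> 1921 and the ASA sees only the outbound packets, which fits a traceroute that skips the ASA while its ACL counters still climb. Moving the 887 off the 1921's subnet, so that its only route to the inside is via the ASA's outside address, makes the two paths mirror each other.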
I want to know whether the Cisco switch SG300-20 is a Layer 2 or Layer 3 switch. I have a simple Layer 2 switched network; our database speed on the client is normal. When we add that switch in front of the database, it slows the speed of database entry at the workstation. Please guide.
Hello Ross,
The access port may be a single untagged member of a VLAN. The trunk port may be a member of multiple VLANs. Ingress filtering may NOT be disabled on an access or trunk port.
The general port is an 802.1 port which may specify tagged or untagged membership, and ingress filtering may be disabled.
Ingress filtering is a feature whereby, if the ingress port receives an unknown VLAN tag, it will discard the packet.
There is not a guest port; there is a guest VLAN. The Smartport for Guest makes the port an untagged member of the native VLAN. The guest VLAN does not authenticate against 802.1x when specified.
There is a customer port, which is a service provider configuration for QinQ tunneling.
The port connecting between router and switch should be either trunk or general, and all VLANs you want to pass between devices should be specified on the ports.
-Tom -
Integrate Cisco ACE into AAA TACACS+
Dear Community!
I would like to configure the Cisco ACE 4710 CLI and WebAdmin to use the ACS v4.2 TACACS+ authentication and accounting features. After finding a Cisco document which describes the ACE AAA features (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html), I set up all the configuration parameters mentioned in this document, and everything seems to be OK.
But...
I have a TACACS+ group named "Network Administrators", which has the privilege level 15 option enabled, so admins do not have to type the enable password when authenticating. After setting up ACE AAA, the privilege level 15 option stops working when logging in to Cisco routers: after authentication, the user remains in privilege level 1.
Logging in to Cisco switches seems to be OK, stepping immediately to level 15 as usual.
I tried upgrading IOS on a router, but no luck...
Does anybody have any experience with this "bug"?
Thanks in advance!
Regards,
Belabacsi
@ Budapest, Hungary
Hello Bela
In ACE, in every context (including Admin and the others) you should have the following lines:
tacacs-server host x.x.x.x key 7 "xxx"
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ MYTACACS
server x.x.x.x
server x.x.x.x
aaa authentication login default group MYTACACS local
aaa authentication login console group MYTACACS local
aaa accounting default group x.x.x.x
On the ACS side, for the group named "Network Administrators" you should configure in the TACACS+ settings:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
If you have an additional context, add the next line:
shell:mycontext*Admin default-domain
After logging in to ACE and issuing the sh users command you should see the following:
User Context Line Login Time (Location) Role Domain(s)
*adm-x Admin pts/0 Sep 21 12:24 (x.x.x.x) Admin default-domain
Regards,
Stas -
Etherchannel trunk with two cisco switch
Hi, my company uses only one Cisco 3750 switch with VLANs 1,2,3,4,5.
Now my company has bought another Cisco switch, and we would like an EtherChannel trunk between both and to create new VLANs on the new switch. We asked around among partners; some of them suggested we use LACP, and some of them suggested PAgP. We are confused as to which will be better in our environment.
Previous: Router <> 3750 switch A (VLAN 1,2,3,4,5)
Now we have bought another Cisco switch B: Router <> 3750 switch A <> switch B (add more VLANs 6,7,8,9,10)
Which of the commands below is the best choice for our company, supposing we use 2 ports, gigabitethernet 1/0/1 and 1/0/2, for the trunk? All VLANs 1-10 need to communicate with each other.
interface GigabitEthernet1/0/1
channel-group 1 mode active <<< (is "active" or "desirable" the best choice?)
switchport mode trunk
interface GigabitEthernet1/0/2
channel-group 1 mode active
switchport mode trunk
interface Port-channel 1
switchport trunk encapsulation dot1q << (do we need to put this? we think this is the default after trunk)
switchport mode trunk
switchport nonegotiate <<< (do we need "nonegotiate" if both switches are set up with the same configuration?)
Hello
My understanding is that PAgP and LACP basically perform the same function; however, PAgP is Cisco proprietary, while LACP is the IEEE standard and can be used between different router/switch vendor platforms.
As for disabling DTP (switchport nonegotiate), I would agree with this suggestion, so as not to have trunks being dynamically created.
Lastly, I would manually prune unused VLANs across trunk interfaces, to save on CPU and memory usage because of the STP instances that could be used (however, such a small VLAN database as yours would not be an issue).
So to summarise:
Cisco to Cisco EtherChannels = PAgP
Cisco to other vendors = LACP
L2 etherchannel
================
1) default physical interfaces (if possible)
2) configure port-channel in physical interfaces
-- port-channel will be created automatically
3)create trunking encapsulation or access port mode directly in port-channel interface
4)enable physical interfaces "no shut"
conf t
default int ran fa0/1 -3 ( if applicable)
int ran fa0/1 -3
shut ( if applicable)
channel-group 1 mode xxx
int port-channel 1
switchport trunk encap dot1q
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 1-10
res
Paul