Assign VLAN from freeradius to Cisco 3550 Switch

Similar Messages

• Packet loss when pinging from/to a cisco 3560e switch

  I see Packet loss when pinging from/to a cisco 3560e switch. CPU utilization is normal.
  Switches are running with IOS c3560e-universalk9-mz.122-35.SE5.bin.
  Packet loss is observed for all the devices irrespective of directly connected or remote devices.
  If i do self pinging, there are no packet loss.
  I don't see any error on interface.
  Can anyone please help me in resolving this issue.

  TCB       Local Address           Foreign Address        (state)
  03737C48  10.47.0.229.60053       10.41.81.55.49         CLOSEWAIT
  039ACDC4  10.47.0.229.61929       10.41.35.250.49        CLOSEWAIT
  03B316C0  10.47.0.229.27544       10.41.81.55.49         CLOSEWAIT
  038228F0  10.47.0.229.16506       10.41.35.250.49        CLOSEWAIT
  039C3D04  10.47.0.229.15207       10.41.81.55.49         CLOSEWAIT
  039A9BD0  10.47.0.229.52983       10.41.81.55.49         CLOSEWAIT
  0394152C  10.47.0.229.22425       161.61.35.250.49       CLOSEWAIT
  037D811C  10.47.0.229.21117       10.41.81.55.49         CLOSEWAIT
  039C12BC  10.47.0.229.37437       10.41.81.55.49         CLOSEWAIT
  03933B84  10.47.0.229.34085       161.61.35.250.49       TIMEWAIT
  03B32340  10.47.0.229.45729       10.41.81.55.49         CLOSEWAIT
  038247D0  10.47.0.229.32816       10.41.81.55.49         CLOSEWAIT
  039A92D8  10.47.0.229.38680       161.61.35.250.49       CLOSEWAIT
  037370F0  10.47.0.229.13212       10.41.81.55.49         CLOSEWAIT
  037D85F0  10.47.0.229.38728       10.41.81.55.49         CLOSEWAIT
  03B2B284  10.47.0.229.23428       10.41.81.55.49         CLOSEWAIT
  03B2ADB0  10.47.0.229.56836       10.41.81.55.49         CLOSEWAIT
  0394BFF0  10.47.0.229.23257       161.61.35.250.49       CLOSEWAIT
  036604DC  10.47.0.229.44437       10.41.81.55.49         CLOSEWAIT
  0394C700  10.47.0.229.22          192.37.184.211.61639   ESTAB
  039B9A68  10.47.0.229.20543       10.41.81.55.49         CLOSEWAIT
  03739B28  10.47.0.229.15392       10.41.81.55.49         CLOSEWAIT
  TCB       Local Address           Foreign Address        (state)
  0392EA48  10.47.0.229.13862       10.41.81.55.49         CLOSEWAIT
  0365E23C  10.47.0.229.27856       10.41.81.55.49         CLOSEWAIT
  03817C0C  10.47.0.229.64929       10.41.81.55.49         CLOSEWAIT
  039357C8  10.47.0.229.22088       10.41.81.55.49         CLOSEWAIT
  037375C4  10.47.0.229.21832       10.41.81.55.49         CLOSEWAIT
  039C20E8  10.47.0.229.18169       10.41.81.55.49         CLOSEWAIT
  03716D08  10.47.0.229.61993       10.41.81.55.49         CLOSEWAIT
  039A74E4  10.47.0.229.62948       10.41.81.55.49         CLOSEWAIT
  03655480  10.47.0.229.14052       10.41.81.55.49         CLOSEWAIT
  039407F0  10.47.0.229.49643       161.61.35.250.49       CLOSEWAIT
  039A53AC  10.47.0.229.13233       10.41.81.55.49         CLOSEWAIT
  03739FFC  10.47.0.229.16605       10.41.81.55.49         CLOSEWAIT
  039B82B8  10.47.0.229.16458       10.41.35.250.49        CLOSEWAIT
  039BEBA4  10.47.0.229.64377       10.41.81.55.49         CLOSEWAIT
  03741980  10.47.0.229.13866       10.41.81.55.49         CLOSEWAIT
  03B3ABF8  10.47.0.229.19365       10.41.81.55.49         CLOSEWAIT
  039B5810  10.47.0.229.24768       10.41.81.55.49         CLOSEWAIT
  03956E48  10.47.0.229.55980       161.61.35.250.49       CLOSEWAIT
  03946820  10.47.0.229.65053       161.61.35.250.49       CLOSEWAIT
  037DBE94  10.47.0.229.15283       10.41.81.55.49         CLOSEWAIT
  039A4854  10.47.0.229.48562       10.41.81.55.49         CLOSEWAIT
  TCB       Local Address           Foreign Address        (state)
  03B33320  10.47.0.229.29803       10.41.81.55.49         CLOSEWAIT
  03B3B79C  10.47.0.229.12142       10.41.81.55.49         CLOSEWAIT
  03713C9C  10.47.0.229.63799       10.41.81.55.49         CLOSEWAIT
  039BBECC  10.47.0.229.14763       10.41.81.55.49         CLOSEWAIT
  03656E40  10.47.0.229.16357       10.41.81.55.49         CLOSEWAIT
  0362A73C  10.47.0.229.62450       10.41.81.55.49         CLOSEWAIT
  039B878C  10.47.0.229.64402       161.61.35.250.49       CLOSEWAIT
  03826CFC  10.47.0.229.16108       10.41.81.55.49         CLOSEWAIT
  03B2CA34  10.47.0.229.17634       10.41.81.55.49         CLOSEWAIT
  03AD78D0  10.47.0.229.15249       161.61.35.250.49       CLOSEWAIT
  03AD967C  10.47.0.229.20389       161.61.35.250.49       CLOSEWAIT
  03B2C560  10.47.0.229.37079       10.41.81.55.49         CLOSEWAIT
  039C5128  10.47.0.229.24711       10.41.81.55.49         CLOSEWAIT
  03822F74  10.47.0.229.54866       10.41.81.55.49         CLOSEWAIT
  0372C5FC  10.47.0.229.13298       10.41.81.55.49         CLOSEWAIT
  0372D278  10.47.0.229.12407       10.41.81.55.49         CLOSEWAIT
  039A33D0  10.47.0.229.36573       10.41.81.55.49         CLOSEWAIT
  039BCEF8  10.47.0.229.53853       10.41.81.55.49         CLOSEWAIT
  039C02D8  10.47.0.229.53725       10.41.81.55.49         CLOSEWAIT
  039B5CE4  10.47.0.229.58027       10.41.81.55.49         CLOSEWAIT
  0381866C  10.47.0.229.17100       10.41.81.55.49         CLOSEWAIT
  TCB       Local Address           Foreign Address        (state)
  039BB374  10.47.0.229.53148       10.41.81.55.49         CLOSEWAIT
  03AD3634  10.47.0.229.19716       161.61.35.250.49       CLOSEWAIT
  0362DAA4  10.47.0.229.19479       10.41.81.55.49         CLOSEWAIT
  0365AE60  10.47.0.229.62209       10.41.81.55.49         CLOSEWAIT
  0362D5D0  10.47.0.229.41327       10.41.81.55.49         CLOSEWAIT
  037D7C48  10.47.0.229.58283       10.41.81.55.49         CLOSEWAIT
  03955474  10.47.0.229.33810       161.61.35.250.49       CLOSEWAIT
  0373B15C  10.47.0.229.23331       10.41.81.55.49         CLOSEWAIT
  036628D0  10.47.0.229.46856       10.41.81.55.49         CLOSEWAIT
  03819584  10.47.0.229.19861       10.41.81.55.49         CLOSEWAIT
  0394D000  10.47.0.229.64732       10.41.35.250.49        CLOSEWAIT
  0394B760  10.47.0.229.19967       161.61.35.250.49       CLOSEWAIT
  039B6BD4  10.47.0.229.40096       10.41.81.55.49         CLOSEWAIT
  03AD7150  10.47.0.229.65184       10.41.35.250.49        CLOSEWAIT
  039BC3A0  10.47.0.229.64702       10.41.81.55.49         CLOSEWAIT
  03B3A724  10.47.0.229.60399       10.41.81.55.49         CLOSEWAIT
  037145E0  10.47.0.229.43951       10.41.81.55.49         CLOSEWAIT
  03955EDC  10.47.0.229.29015       161.61.35.250.49       TIMEWAIT
  0365FB34  10.47.0.229.13961       10.41.81.55.49         CLOSEWAIT
  03828D54  10.47.0.229.12743       10.41.81.55.49         CLOSEWAIT
  037DB40C  10.47.0.229.23708       10.41.81.55.49         CLOSEWAIT
  TCB       Local Address           Foreign Address        (state)
  039AF814  10.47.0.229.15100       10.41.81.55.49         CLOSEWAIT
  0392E344  10.47.0.229.23399       10.41.35.250.49        CLOSEWAIT
  0393DC3C  10.47.0.229.15393       161.61.35.250.49       CLOSEWAIT
  03AD85D0  10.47.0.229.40932       161.61.35.250.49       TIMEWAIT
  039574CC  10.47.0.229.25935       10.41.35.250.49        CLOSEWAIT
  03738B74  10.47.0.229.58656       10.41.81.55.49         CLOSEWAIT
  039AD91C  10.47.0.229.56760       10.41.81.55.49         CLOSEWAIT
  03B3BC70  10.47.0.229.15058       10.41.81.55.49         CLOSEWAIT
  03B2DC54  10.47.0.229.51131       161.61.35.250.49       CLOSEWAIT
  03B393F0  10.47.0.229.11957       10.41.35.250.49        CLOSEWAIT
  039B2610  10.47.0.229.33728       10.41.81.55.49         CLOSEWAIT
  03B311EC  10.47.0.229.18047       10.41.81.55.49         CLOSEWAIT
  039A8E04  10.47.0.229.52022       161.61.35.250.49       CLOSEWAIT
  0365D460  10.47.0.229.12241       10.41.81.55.49         CLOSEWAIT
  03B33E78  10.47.0.229.47640       10.41.81.55.49         CLOSEWAIT
  0372C128  10.47.0.229.60323       10.41.81.55.49         CLOSEWAIT
  03661CD8  10.47.0.229.39923       10.41.81.55.49         CLOSEWAIT
  0393C73C  10.47.0.229.41864       10.41.35.250.49        CLOSEWAIT
  03829584  10.47.0.229.56673       161.61.35.55.49        CLOSEWAIT
  0362AC10  10.47.0.229.31952       10.41.81.55.49         CLOSEWAIT
  039BF078  10.47.0.229.22636       10.41.81.55.49         CLOSEWAIT
  TCB       Local Address           Foreign Address        (state)
  0365CF8C  10.47.0.229.14476       10.41.81.55.49         CLOSEWAIT
  039B443C  10.47.0.229.59226       10.41.81.55.49         CLOSEWAIT
  0393E794  10.47.0.229.56282       10.41.35.250.49        CLOSEWAIT
  03657740  10.47.0.229.25769       10.41.81.55.49         CLOSEWAIT
  03B2F6E8  10.47.0.229.19328       10.41.81.55.49         CLOSEWAIT
  0373AC88  10.47.0.229.25766       10.41.81.55.49         CLOSEWAIT
  039B213C  10.47.0.229.28882       10.41.81.55.49         CLOSEWAIT
  039C07AC  10.47.0.229.38201       10.41.81.55.49         CLOSEWAIT
  03AD8DD0  10.47.0.229.23002       10.41.35.250.49        CLOSEWAIT
  03739048  10.47.0.229.29572       10.41.35.250.49        CLOSEWAIT
  039BA464  10.47.0.229.32273       10.41.81.55.49         CLOSEWAIT
  03B31E6C  10.47.0.229.32521       10.41.81.55.49         CLOSEWAIT
  0365EBE0  10.47.0.229.41319       10.41.81.55.49         CLOSEWAIT
  03938804  10.47.0.229.62841       10.41.35.250.49        CLOSEWAIT
  039A1AF8  10.47.0.229.12758       10.41.81.55.49         CLOSEWAIT
  039B7DE4  10.47.0.229.20921       10.41.81.55.49         CLOSEWAIT
  036549F8  10.47.0.229.51903       10.41.81.55.49         CLOSEWAIT
  03714CC8  10.47.0.229.45145       10.41.81.55.49         CLOSEWAIT
  037425F8  10.47.0.229.56492       10.41.81.55.49         CLOSEWAIT
  03B39D74  10.47.0.229.18174       10.41.81.55.49         CLOSEWAIT

• VoIp settings for replacing a Cisco 3550 switch with a SF300-24P

  I am adding the SF300-24P to an existing set of switches.  My backbone switch is a 3560.
  The 3550 I am replacing has this config for each port that supports a Shoretel phone
  switchport trunk encapsulation dot1q
  switchport mode trunk
  mls qos trust dscp
  global settings include
  spaning-tree mode pvst
  spanning-tree extend system-id
  spanning-tree vlan 1,200 priority 28762
  vlan internal allocation policy ascending
  all other settings are at default
  Any ideas how to replicate this on this new switch?  I added the Shoretel mac address range (00-10-49) into the Telephone OUI.  The phone gets power, I think it gets a 192.168.6.x address (local subnet), but then it should get an IP 10.6.0.xx on its VLAN - but it doesn't.
  Some configs from the backbone are attached.  I did not need to configure any of this in the 3550.
  Any ideas?
  Fred

  Hi fred,
  The shoretel phone sounds like it is not attaching to tagged  vlan 200 on my switch, the shortel voice vlan as per your screen captures.
  The Voice VLAN should be tagged on my switch so that phones attach to a Voice VLAN and PC's connected on the back of the VoIP phones attach to  the Data Vlan .
  I scoped out, excuse the pun, the shoretel site and have attached a white paper on setting vlans and shoretel.
  They mention setting option 156 on the DHCP server, so the phone can get vendor specific information etc...  But the phones are not attached to the voice vlan , but the untagged data vlan.  You gotta figure how to get the shortel phones to attach to vlan 200, or if you are not daisy chaining PC on the back of the phone, make vlan 200 untagged on these FastEthernet switch ports..
  I have attached my SF300-48P version of my configuration and some configuration screen shots i took along the way.
  Please review carefully that attached shortel document and my screen  shots and a real configuration done on my SF300-48P.  The configuration should be almost identical to your configuration.
  I added vlan 200. and made sure that all ports were in trunk mode, even the Gigabit uplink ports.
  All ports by default are in VLAN1  as you can see below
  I then added all ports as tagged ports to vlan 200 as you can see below.
  For the sake of Spanning tree, I then made all fast ethernet (phone or PC) ports  fastports except for the uplink Gigabit ports.
  If you are not sure what portfast does , here's a little tutorial I grabbed from cisco.com
  Spanning-tree PortFast causes a port to enter the spanning-tree forwarding state immediately, bypassing the listening and learning states. You can use PortFast on switch ports connected to a single workstation or server to allow those devices to connect to the network immediately, instead of waiting for the port to transition from the listening and learning states to the forwarding state.
  Caution PortFast should be used only when connecting a single end station to a switch port. If you enable PortFast on a port connected to another networking device, such as a switch, you can create network loops.
  When the switch powers up, or when a device is connected to a port, the port normally enters the spanning-tree listening state. When the forward delay timer expires, the port enters the learning state. When the forward delay timer expires a second time, the port is transitioned to the forwarding or blocking state.
  When you enable PortFast on a port, the port is immediately and permanently transitioned to the spanning-tree forwarding state.
  Your tasks I guess should be , making sure that vendor specific options for the shoretel phones are included in the DHCP configuration and that you somehow attach the shortel phones (even manually) to vlan 200.
  For some reason this site adds a zip extension to the end of my running configuration.  I used wordpad to look at the file 
  I am using firmware version 1.0.0.27 on my unit and the userid=admin  password i used was admin
  I hope this helps.
  regards Dave

• Is it possible to get logs from a 3850 Cisco member switch in a stack?

  %STACKMGR-1-STACK_LINK_CHANGE: MEMBER: 4 stack-mgr:  Stack port 2 on switch 4 is down
  %STACKMGR-1-STACK_LINK_CHANGE: STANDBY:2 stack-mgr:  Stack port 1 on switch 2 is down  (OC-SWTCH)
  %STACKMGR-6-SWITCH_REMOVED: STANDBY:2 stack-mgr:  Switch 3 has been removed from the stack.
  I recieved errors on a 3850 switch 3 in my stack, it's removed from my stack and after 5 minutes it comes back up. I want to know what the switch was doing for those 5 minutes, is it possible to get the log files for only switch 3? Telneting to the switch stack or connecting a console cable directly to switch 3 only gives me the logs for master switch logs. Ideally when a switch reconnects to a stack, the master switch should ask the joining switch for it's logs, and merge them into it's own logs so it has a record of the switch did when it wasn't communitating.

  HI,
  create a internal with type of the structure and populate values into that n do wat ever u want.
  ex:
  data: itab type zstruct occurs 0 with header line. // where zstruct is a structure in a database.
  select * from .............. into table itab where ...............
  loop at itab.
  write:/10 itab-fld1,
            20    itab-fld2,
  endloop.
  if helpful reward some points.
  with regards,
  suresh aluri.

• 3550 Switch -Fiber interface VLAN question

  Hello,
  I will deploying two Cisco 3550 Switches and connecting them via a ordinary multimode fiber with GBIC 1000BASE-SX - transceivers installed on each switch. Here is my question: I will be configureing about half of the ports on each of the switches to be in one of two VLANS. I would like to configure the two vlans to run over the single fiber line. Is is possible to configure one fiber port, with the GBIC 1000BASE-SX - transceiver installed, with two vlans and/or subinterfaces each with half of the 1000mb of bandwidth, or will I need to run an additional fiber line connected to the second fiber interface on the 3550 to accomplish this. I really hope not to as I don't have the funds to run a second line at this time. If this configuration is possible could someone please point me to documentation on how to configure this and\or give some advice. Thank you.
  Regards,
  JPS

  Just set up the link as a trunk , this allows you to send as many vlans across that link as you want . On each side just do the following.
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk mode dynamic desirable
  Verify trunk status with the "show int trunk " command.
  More info at http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a00803a9af5.html#wp1200245

• Using Catalyst 3550 Switch with Linksys Home Router and Cable Internet

  I've about pulled what little hair I have out of my head on this one, and need some configuration help.
  I have a Cisco Catalyst 3550 switch with five Windows 7 desktops, an Avaya PBX and five Avaya IP phones attached.  All of these devices are on a 192.168.0.0/24 subnet, and are communicating properly.  I will refer to this as network # 1. I also have SEPARATE network, we'll call network # 2, using AT&T ADSL service and a Netgear 4-port/wireless router/ADSL modem combo device, which is functioning properly with a couple of other Windows 7 desktops over its own wired Ethernet network, using DHCP, and also on a 192.168.0.0/24 subnet.  I thought it would be a simple integration, just plugging one of the 3550's ports to one of the DSL router's ports, in order to give the five Windows 7 desktop computers on network # 1 internet access via the DSL modem. Guess I was wrong.  When I connect the two switches together, although I get a good connectivity (green lights on both ports) and am able to ping the DSL router's gateway address (192.168.0.252) from network # 1's computers, the computers on network # 1 cannot access the internet. Also, the working computers on network # 2 lose their internet access as long as the two switches are connected together. I am not a Cisco guru, but there's got to be a way to make this scenario work.  Can someone provide me with a 3550 configuration that will allow me to extend my internet service from network # 2 on the DSL router to my 3550 switch and their computers?  Here's what I am looking for:
  INTERNET ---> ADSL MODEM ---> NETGEAR ROUTER ---> CISCO 3550 SWITCH ---> NETWORK DEVICES WITH INTERNET ACCESS

  The Netgear router is probably what's doing the natting. Is the 3550 configured for routing or is it straight L2? If you have the 3550 configured as L3, then it's going to be easy to do what you want. Just add a static route on the Netgear to point the subnet that it doesn't know about to the 3550. For example, if the Netgear is addressed at 192.168.1.1 and the Cisco 3550 is addressed at 192.168.1.2, but it also knows about the 192.168.0.0/24 (separate vlan), then you would put a static route on your Netgear for 192.168.0.0/24 to go to 192.168.1.2.
  The way that I would do it is to create a separate vlan on the 3550 and assign an address to it. Once you do that, make the port that the other switch connects to an access port of that vlan. (It would need to be on the same subnet as the existing equipment.) All of your devices would use it as a default gateway and then you would do the rest as above. You could also use RIP between the Netgear and Cisco if you can't do static routing.
  HTH,
  John

• Routing Issue with 3550 Switch

  I am having an issue with routing with one of my Cisco 3550 switches.  I know the 3550s are EoL but some of us have to work with what we have.
  I am using a 3550 on either side of a Layer 2 link.  The Layer 2 link is 2 Extreme Summit X-440 switches with Microwave between the switches.  I have a VLAN configured on both switches and tagged on the ports connected to the Microwave.  The 3550 switch on each end is configured for IP routing but I cannot pass traffic between the switches.  If I unplug the switch on the local end and plug in a laptop, I can ping the switch on the remote end and access devices at the remote end. 
  I know this should work because I am doing the same thing over another Microwave link and Layer 2 link using another 3550 and a HP ProCurve at the remote end.
  Here are the configs for each 3550:
  Local end;  Port Fa0/23 goes to the Remote Side.  Port Fa0/24 goes to the rest of the network
  Current configuration : 5417 bytes
  ! No configuration change since last restart
  version 12.2
  no service pad
  service timestamps debug datetime localtime show-timezone
  service timestamps log datetime localtime show-timezone
  no service password-encryption
  service sequence-numbers
  hostname Brindley3550
  enable secret 5 $1$3A.n$lzBUQg.fn4hJ7f0jEOqe71
  no aaa new-model
  clock timezone UTC -6
  clock summer-time UTC recurring 1 Sun Apr 2:00 1 Sun Nov 2:00
  mls qos map cos-dscp 0 8 16 26 32 46 48 56
  mls qos min-reserve 5 170
  mls qos min-reserve 6 10
  mls qos min-reserve 7 65
  mls qos min-reserve 8 26
  mls qos
  ip subnet-zero
  ip routing
  ip domain-name morgan911.net
  ip name-server 1.2.150.11
  ip name-server 1.2.150.5
  spanning-tree mode pvst
  no spanning-tree optimize bpdu transmission
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  interface FastEthernet0/1
   switchport access vlan 18
   switchport mode dynamic desirable
   spanning-tree portfast
  {Removed for Brevity}
  |
  interface FastEthernet0/7
   switchport access vlan 13
   switchport mode dynamic desirable
   spanning-tree portfast
  interface FastEthernet0/8
   switchport access vlan 13
   switchport mode dynamic desirable
   spanning-tree portfast
  {Removed for Brevity}
  interface FastEthernet0/23
   description To Gum Springs via Extreme P10
   no switchport
   ip address 1.2.147.1 255.255.255.252
   speed 100
   duplex full
  interface FastEthernet0/24
   description To Flint via Ceragon Eth 2
   switchport trunk encapsulation dot1q
   switchport mode trunk
   speed 100
   duplex full
   mls qos trust cos
   auto qos voip trust
   wrr-queue bandwidth 20 1 80 1
   wrr-queue min-reserve 1 5
   wrr-queue min-reserve 2 6
   wrr-queue min-reserve 3 7
   wrr-queue min-reserve 4 8
   wrr-queue cos-map 1 0 1 2 4
   wrr-queue cos-map 3 3 6 7
   wrr-queue cos-map 4 5
   priority-queue out
   spanning-tree link-type point-to-point
  interface GigabitEthernet0/1
   switchport trunk encapsulation dot1q
   switchport mode trunk
  interface GigabitEthernet0/2
   switchport access vlan 10
   switchport trunk native vlan 50
   switchport mode dynamic desirable
   spanning-tree portfast trunk
  interface Vlan1
   ip address 1.2.145.2 255.255.255.0
  ip default-gateway 1.2.145.1
  ip classless
  ip route 0.0.0.0 0.0.0.0 1.2.145.1
  ip route 1.2.165.0 255.255.255.240 1.2.147.2
  ip route 1.2.166.0 255.255.255.240 1.2.147.2
  ip http server
  snmp-server community public RO
  snmp-server community public/RO RO
  snmp-server location Brindlee Mountain Tower Site
  snmp-server contact Jamey Wright
  snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
  snmp-server enable traps cluster
  snmp-server enable traps entity
  snmp-server enable traps envmon fan shutdown supply temperature
  snmp-server enable traps vtp
  snmp-server enable traps vlancreate
  snmp-server enable traps vlandelete
  snmp-server enable traps flash insertion removal
  snmp-server enable traps port-security
  snmp-server enable traps config
  snmp-server enable traps syslog
  snmp-server enable traps mac-notification
  snmp-server enable traps vlan-membership
  snmp-server host 1.2.150.100 public  tty envmon syslog snmp
  control-plane
  ntp clock-period 17180143
  ntp server 1.2.150.21
  end
  And this is the config for the remote end.  Port Fa0/24 is the port for the link back to the local end.
  Current configuration : 5058 bytes
  version 12.2
  no service pad
  service timestamps debug datetime localtime show-timezone
  service timestamps log datetime localtime show-timezone
  no service password-encryption
  service sequence-numbers
  hostname GS3550
  enable secret 5 $1$3A.n$lzBUQg.fn4hJ7f0jEOqe71
  no aaa new-model
  clock timezone UTC -6
  clock summer-time UTC recurring
  mls qos map cos-dscp 0 8 16 24 32 46 46 56
  udld aggressive
  ip subnet-zero
  ip routing
  ip domain-name morgan911.net
  ip name-server 1.2.150.11
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  interface FastEthernet0/1
   switchport access vlan 21
   switchport mode dynamic desirable
   spanning-tree portfast
  interface FastEthernet0/2
   switchport access vlan 21
   switchport mode dynamic desirable
   power inline delay shutdown 20 initial 300
   spanning-tree portfast
  {Removed for Brevity}
  interface FastEthernet0/23
   switchport access vlan 22
   switchport trunk encapsulation dot1q
   switchport mode trunk
   speed 100
   duplex full
   spanning-tree portfast
  interface FastEthernet0/24
   description To Brindlee via Extreme P10
   switchport mode dynamic desirable
  (Is a member of VLAN 1)
   speed 100
   spanning-tree portfast
  interface GigabitEthernet0/1
   switchport trunk encapsulation dot1q
   switchport mode trunk
  interface GigabitEthernet0/2
   switchport mode dynamic desirable
   spanning-tree portfast
  interface Vlan1
   ip address 1.2.147.2 255.255.255.252
  interface Vlan21
   ip address 1.2.165.1 255.255.255.240
   ip helper-address 1.2.150.11
   ip helper-address 1.2.150.5
  interface Vlan22
   ip address 1.2.166.1 255.255.255.240
   ip helper-address 1.2.150.5
   ip helper-address 1.2.150.11
  ip default-gateway 1.2.147.1
  ip classless
  ip route 0.0.0.0 0.0.0.0 1.2.147.1 10
  ip http server
  snmp-server community public RO
  snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
  snmp-server enable traps cluster
  snmp-server enable traps entity
  snmp-server enable traps envmon fan shutdown supply temperature
  snmp-server enable traps vtp
  snmp-server enable traps vlancreate
  snmp-server enable traps vlandelete
  snmp-server enable traps flash insertion removal
  snmp-server enable traps port-security
  snmp-server enable traps config
  snmp-server enable traps hsrp
  snmp-server enable traps bridge newroot topologychange
  snmp-server enable traps syslog
  snmp-server enable traps mac-notification
  snmp-server enable traps vlan-membership
  snmp-server host 1.2.150.100 public  envmon syslog snmp
  control-plane
  ntp clock-period 17180192
  ntp server 1.2.150.21 key 0 prefer
  Ideas?  Anything stand out as grossly wrong?  I have worked on this for 2 days and am at a loss.
  Thanks
  Jamey

  Sorry for the delay in replying.  Other items at the office took priority over this project.  I tried that and no change.  I pulled the switch from the remote site and took it back to the local end and connected the switches with a crossover cable and everything works fine.  I have pretty much determined that it is an issue with the config in one of the Extreme switches.  The config in those look pretty normal but there are a few things I am unsure of.  Guess I'll see if there is a similar site for Extreme gear.
  Thanks
  Jamey

• Cisco 3550 IP Routing

  Hi,
  I am unable to run IP Routing command on my Cisco 3550 switch . Do upgrading of IOS will help me ?
  regards
  Neo

  Hi ,
  here is the output
  Switch-1#sh ver
  Cisco Internetwork Operating System Software
  IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC13, RELEASE SOFTWARE (fc1)
  Copyright (c) 1986-2005 by cisco Systems, Inc.
  Compiled Tue 20-Sep-05 10:05 by antonino
  Image text-base: 0x00003000, data-base: 0x00351FFC
  ROM: Bootstrap program is C3500XL boot loader
  Switch-1 uptime is 1 minute
  System returned to ROM by power-on
  System image file is "flash:c3500xl-c3h2s-mz.120-5.WC13.bin"
  cisco WS-C3548-XL (PowerPC403) processor (revision 0x01) with 16384K/1024K bytes of memory.
  Processor board ID FAA0428Y13Q, with hardware revision 0x00
  Last reset from power-on
  Processor is running Enterprise Edition Software
  Cluster command switch capable
  Cluster member switch capable
  48 FastEthernet/IEEE 802.3 interface(s)
  2 Gigabit Ethernet/IEEE 802.3 interface(s)
  32K bytes of flash-simulated non-volatile configuration memory.
  Base ethernet MAC Address: 00:02:B9:9C:23:00
  Motherboard assembly number: 73-3903-04
  Power supply part number: 34-0971-01
  Motherboard serial number: FAA04299A9E
  Power supply serial number: PAC042800LS
  Model revision number: A0
  Motherboard revision number: B0
  Model number: WS-C3548-XL-EN
  System serial number: FAA0428Y13Q
  Configuration register is 0xF
  Switch-1#
  Switch-1#
  Switch-1#conf t
  Enter configuration commands, one per line. End with CNTL/Z.
  Switch-1(config)#ip routing
  ^
  % Invalid input detected at '^' marker.
  Switch-1(config)#ip r?
  radius rcmd
  Switch-1(config)#
  regards
  Neo

• Hooking up a cisco 3550 48 port switch to my E2500 router

  I am trying to assign an IP to my 3550 switch so I can telnet into it from my computers upstairs but, when I assign the IP to a vlan on the switch and set the port going to the router to access that vlan I still can't see anything pull in the DHCP table on the E2500. The other thing I am not sure about is what I should be setting my default route to is it the 192.168.1.1 or is that just the management IP for the E2500 router? I am pretty sure this is just a case of the E2500 can't deal with the Vlans but with it being set to access it doesn't seem like it should matter it should just live in that Vlan. I can always put a 2600 in front of the switch but I rather not put in a 3rd piece of equipment if I can help it. Any advanced routing information would be appreciated.

  If the swtich is a managed switch, it maybe in compatible with the LAN switch on the router as most "home" class routers do not have manged LAN switched for connectors. 
  I recommend that you contact Cisco about this and see if they have any help and information regarding this. If the management or "smart" features can be disabled on this switch if the has these features, it maybe still usable with the router. 
  Let us now how it goes. 

• Cisco 3550 SMI switch for security setup ?

  I have a 3550 SMI IOS 12.2 switch, I want to setup http, https, dns services for internet. I do not need to set up any mail or web server.
   The connection as follows:
  Internet ---------Modem----------3550-----------Computer
  Modem has no security function, all the security setting will be on 3550 switch. So what is the best approach ?
  Is it layer 2 or layer 3 security ? and can I run VPN for the internet surf ? Please kindly advise.
  Thanks,
  Susan

  Thanks for the Reply.
  When I config the switch I find out some interesting things, I am no sure if the
  configuration is correct or I miss something ? Please help take a look.
  access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 101 deny   ip host 0.0.0.0 any
  access-list 101 deny   ip host 255.255.255.255 any
  access-list 101 deny   tcp any any eq bgp
  access-list 101 deny   eigrp any any
  access-list 101 permit udp any any eq domain
  access-list 101 permit tcp any any eq www log
  access-list 101 permit tcp any any eq 443 log
  access-list 101 deny   ip any any log
  int fa0/1
  switchport
  switchport access v 10
  switchport mode access
  access group 101 in
  int vlan 1
  no ip add
  That work normal
  But if when I put access list 101 to vlan interface 10, my computer can access the internet. ???
  access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 101 deny   ip host 0.0.0.0 any
  access-list 101 deny   ip host 255.255.255.255 any
  access-list 101 deny   tcp any any eq bgp
  access-list 101 deny   eigrp any any
  access-list 101 deny   ip any any log
  int vlan 10
  ip add 192.168.1.1 255.255.255.0
  access group 101 in
  int fa0/1
  switchport
  switchport access v 10
  switchport mode access
  int vlan 1
  no ip add
  For both case, Vlan 1 is down, I connect nothing and assign nothing to vlan 1.
  So is the configuration has problem ? or
  Something to do with vlan 1 ?
  or something I miss ? 
  Thanks

• Cisco 3550 ACL on VLAN

  i hav got Cisco 3550-12T, in that i hav created VLAN 2,3,4 & 5. now my requirement is VLAN 2 can communicate all VLAN's, where VLAN 5 should only communicate VLAN 2 & vice versa & VLAN 3,4 should only communicate VLAN 2 & vice versa. how do i proceed, by default if i enable "ip routing" i can able to communicate, but i do i filter the packetz as i said above?

  Hi,
  You can do it using extended acl's fro denying traffic from Vlan 3,4 to vlan 5. This can also be done using Vlan MAPS. Please go through the link below:
  http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550scg/swacl.htm#wp1082557
  regards,
  -amit singh

• Passing Voice VLAN through a non-Cisco switch

  Hi All,
  Will a non-Cisco switch (no 802.1q support) that is putted beetween Cisco IP Telephone and Cisco Catalyst switch (which is configured with auxilary Voice Vlan) pass voice vlan frames and CDP?

  Any switch should pass on either ISL(which is cisco properitary and hence not supported on non-Cisco) or IEEE 802.1Q frames or else it cannot support voice vlan support . And non-Cisco switches do not support CDP as it is once again Cisco proprietary protocol.

• DHCP and voice vlan on Cisco 3560 switch

  Greetings,
  I'm setting up a Cisco 3560 switch for voice and data comms. I'm looking for documentation with best practice guidelines for the following requirements.
  1. Using the Cisco 3560 as a DHCP server - Config examples.  Do I need to use different subnets for the voice and data vlans?
  2. Layer 2 CoS QoS  - I'm connecting Aastra phones as well as notebooks - I've been told that Aastra also makes use of the voice vlan config through LLDP and that Aastra phones supports CDP.
  Your assistance will be appreciated.

  Hi ,
  Cisco recommends that you have a separate vlan for  voice and data with different ip subnets for voice and data. You will need to configure the dhcp pool accordingly.
  Here is the config guide for setting up IOS DHCP server:
  http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/Easyip2.html
  Here is the LAN qos recommendations:
  http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/netstruc.html#wp1044009

• UPDATE: Deal of the Week - Cisco 3550 24 port PoE Switch

  Well that didn't last long...our "Deal of the Week" this week sold out in 1 day, so we figured we better do another deal for everyone. - - - Cisco 3550 24 Port PoE Switch - $65.00 --- www.cablesandkits.com/DOW

  How might you use PowerShell Direct, the latest addition to the PowerShell family that's coming with Windows 10 and Windows Server 2016? Consider this:Have you ever tried to make a configuration changeon a Friday afternoon, right before beer o’clock, and you couldn’t get access to the machine you needed to change? This problem might be caused by out-of-datesecurity settings, a network change, or something else.PowerShell Direct will work, even when otherwise things would stand in your way.According to Petri, the new software will change the way you operate "between hypervisorhost and guest virtual machine in a secure way." No more "faffing about to get security settings configured, holes poked in firewalls," or remoting in – PowerShell Direct gives you a direct way to open a session on any guest computer in seconds.
  If you have Windows...

• Cisco 3850 Switch and Windows 7 IP Conflicts

  Team,
  Last evening (Christmas eve) we setup a pair of Cisco 3850 with IP Base version 3.3.35SE (recommended) and 3.7.0E (very latest).
  We got these to replace a very old switch that had died. Attached to this network are windows 7 PC's with all the standard patches, service packs, etc.
  with standard port configs - no PC would work - and in fact on each screen we got the windows 7 IP Conflict pop up box.
  This seemed very odd to us, as we know these IP's are all static (no dhcp on this segment at all)
  we went with a very vanilla config on each port
  interface g1/0/1
  switchport host
  that is it - nothing special at all.
  well, after hours of research we found the 3850 has a problem where its "ip device tracking" (even though disabled, by way of NOT being enabled on any interface) will effect the windows 7 PC's ip address in use detection port start up phase!
  This is a very big problem. I am frankly SHOCKED Cisco would release a major switch that is going to not work when connected to the average network with windows 7 PC's.
  we tried 3+ hours of prescribed work-arounds found when researching this issue -
  ip device tracking probe delay 10 (global config)
  ip device tracking max 0 (disabed, on interface)
  finally,
  nmsp attach suppress (interface, however this appears to be a default command in all IOS-XE versions we tried, as the command did NOT show in the show run) . this effected many different nic card vendors (laptops, desktops) and nic card drivers levels from old to very recent.
  Finally,
  we compared a 3850 in another location to this one - and we never got HIT by this problem before because that 3850 only as TRUNK ports and no windows 7 hosts directly attached.
  Doing more research, I found out this also can effect vmware guests running windows SERVER.
  this is now a huge issue as we have a scheduled deployment of 3850's throughout our network which is going to be put on hold.
  the work-around I came up with which is not great is -
  Make ALL the "access" ports connected to PC TRUNK ports and leave the NATIVE vlan (untagged) as the vlan you want the PC's to be in
  interface g1/0/1
  switchport mode trunk
  switchport trunk native vlan 1
  this is NOT an acceptable workaround as this presents security issues even with
  switchport trunk allowed vlan 1, etc. as the only allowed vlan.
  Note: this issue manifested itself and windows 7 PC's were UNABLE to use the network. if you do "ipconfig /all | more" you would see
  192.168.0.140(duplicate) and the interface would actually use 169.254.0.239(duplicate) so the duplicate message appeared twice in the output.
  1) With and without an SVI interface on each 3850 for the vlan where the windows 7 machines had a duplicate
  2) when we had an SVI and the command ip device tracking probe use-svi (or whatever the hidden command is I forget now, but it took it)
  3) when we had aaa new-model configured - and not configured - thinking this was some artifact of having aaa turn on something like 802.1x port state
  4) when could confirm NO DHCP SNOOPING
  5) when we DID not use static IP's - and had the switch assign DHCP addresses - the Windows 7 PC's STILL had duplicates and didnt work for their "Just leased" ip's.
  6) when we could confirm ios-xe ip device tracking = disabled with show ip device tracking status, etc.
  This is a major problem for this 3850 and unless we get a definitive answer on why this is happening and how we can rectify we are going to have to return our 3850's and get HP Procurve's something I would rather avoid doing. There is NO REASON I can imagine other than older switches who's ports default to ROUTED ports (i.e.. no ip switchport) where a switch should not at least function as a bare switch with essentially a default configuration out of the box.
  Any ideas? I'm working well now with the ports ALL in trunking mode with vlan 1 native, but this is not a scalable workaround we can live with as we have security risks of a port not blocking certain vlans from going out ports to pc's, etc. that attackers could send tags on at that point, etc.
  thanks,
  Joe Brunner
  #19366

  thanks for replying - i'm not onsite (its a standalone network) - but here is what it is -
  Answers in line -
  This all stems from a switch replacement correct?
  yes a 10 year old Allied Telesyn switch was replaced that had no config - like a hub, just used for connectivity.
  Are these 3850's in a stack?
  >yes, tested all aspects of the stack many times.
  Does it have a managment ip address -If so, is it using the old switch ip address
  >old switch had no ip - i made a "management interface" on vlan 1 - BUT no ip on the built-in management interface on the switch.
  What are they connecting to? (a router/L3 switch/anohter switch- cisco-HP etc..)
  >various other devices - only 1 link back to a single 3750x stack. that switch is "hardened" so to speak to reveal or propagate very little by design.
  How are they connected( L3 interface/L2 trunk/access port)
  >all ports are left in trunk mode with vlan 1 as the active and untagged port. this was the workaround done to ever get the switch going. in "out of the box" or default mode as we initially wanted (no config) links to windows 7 PC's didnt work. links to linux or other devices non-windows did work!
  Are thse switches performing inter-vlan routing or just acting as host switches?
  >dumb flat network, no routing.
  Is ip routing enabled?
  >not unless enabled on 3850 by default. I didnt type "ip routing"
  Do you have multiple vlans in your network and if so ar ethe being propergated to these new switches?
  Your 7 pcs = are they just client pcs not servers?
  client PC's - no servers OS per say.
  can you confirm something like ICS isnt enabled (Internet connection sharing)  on any of them?
  >yes not enabled.
  Are the just using one NIC each?
  > one machine is dual homed - but we know where its "second nic" goes - to another cisco network which is NOT connected back to this one. we traced all our ports a few times thinking even perhaps some small hub was "reflecting" traffic back to us - like a blackbox. Strangest thing -
  default config out of the box - with ALL ports SHUTDOWN EXCEPT the single windows 7 facing port - the windows 7 machine STILL registered an IP CONFLICT when connected to the 3850 - even when it had NO SVI's!!! (i know mind numbing). if you disconnected the pc and connected it to an old cisco switch - it worked fine!!! wow.
  sh switch
  2 identical 3850's in working stack. power and network stacked. both at same version, etc - upgraded each time with "software install file flash:<long ios name>.bin
  tested all power and general 3850 stacking. saw no issues.
  sh int trunk
  >all ports are now trunks (hence the workaround used to get it up).
  has 20 trunks to PC's and some single connected switches (far away on fiber) - all allow only vlan 1 - no other vlans were created - very very simple network. vlan 1 is native
  sh vlan brief
  >just vlan 1 - no vlans created, checked this many times - had vlan 100 at one point - made sure it was gone over a period of hours.
  sh vtp status
  not setup - left complete default; no vtp domain set - connected to all switches in transparent model if a switch connection exists.
  sh cdp neighbours
  cant post (for god and country LOL) but there is one link back to our "core" so to speak - that switch is hardened not to allow any settings to slip over to new switches so hence no vtp, cdp is one to help troubleshooting.
  sh ip route
  just the L and C routes for the vlan 1 ip address 192.168.17.1/24
  no static routes
  no vlan interfaces other than int vlan 1
  no ip address on g0/0/0 -> the default 3850 management interface hard assigned to the 3850 VRF you cant remove.
  int g0/0/0
  ip vrf forwarding Switch_Mgmt
  i can get over there if you think of anything else key to show the group.
  thanks,
  Joe