Authenticating Trunk Ports - VLAN list
I have a requirement to authenticate trunk ports to wireless access points on our Cisco switch. By default all ports are access ports and we run MAB authentication. I have managed to change the port to a trunk using the Cisco-av-pair attribute in ACS (cisco-av-pair = device-traffic-class=switch).
My problem now is that I need to add a VLAN allowed list on the port once it has changed to a trunk port (switchport trunk allowed vlan x,y,z). Ideally we would not want to statically assign the VLANs on each port, as an AP could be on any port and we may wish to authenticate other trunk ports using different VLANs in the future. Below is the configuration used on the ports.
cisp enable
interface FastEthernet0/2
description *** Client Device ***
switchport access vlan 2
switchport mode access
no logging event link-status
authentication event fail action next-method
authentication event server dead action reinitialize vlan 3
authentication event server alive action reinitialize
authentication order mab dot1x webauth
authentication priority mab dot1x webauth
authentication port-control auto
authentication fallback GUEST_FALLBACK
mab eap
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x timeout supp-timeout 10
dot1x max-reauth-req 1
dot1x timeout auth-period 600
no cdp enable
spanning-tree portfast
Any help will be greatly appreciated.
Thanks
John
Hello
I would suggest the following:
>> Arrange for some physical enclosure (locked) or other physical security control to ensure only authorized access to the device. Any technical work-around or band-aid solution should only be temporary. What if someone just switches off your switches? DoS attack! This could also be done by mistake, resulting in an unstructured threat.
>> Enable monitoring for these switches (ICMP, SNMP) so that you are alerted when they are unplugged.
>> Change the NATIVE VLAN from the default (VLAN 1)
>> Disable Trunk negotiation (ON mode)
Regards
Farrukh
Similar Messages
-
Unable to add allowed VLANs to TenGig trunk port
Hi,
I've got a ten gig interface on a 6509 running 12.2(33) configured as a trunk, but I've not been able to add any allowed VLANs as I've done before on other ten gig ports on different 6509 chassis. Am I missing something obvious?
I'm assuming that the reason I'm unable to set the encapsulation to dot1q is because the new hardware doesn't support ISL, hence no need. The command to add the VLANs however doesn't get rejected, it just doesn't appear to do anything.
I've tried adding single VLANs and multiples, but no joy. Any ideas?
Here's what I've done:
SWITCH_1631(config)#default int t4/1
Interface TenGigabitEthernet4/1 set to default configuration
SWITCH_1631#sh ru int t4/12
Building configuration...
Current configuration : 65 bytes
interface TenGigabitEthernet4/12
no ip address
shutdown
end
SWITCH_1631(config)#int t4/1
SWITCH_1631(config-if)#switchport
SWITCH_1631(config-if)#switchport mode trunk
SWITCH_1631(config-if)#switchport trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list
SWITCH_1631(config-if)#switchport trunk allowed vlan add 700
SWITCH_1631(config-if)#
SWITCH_1631#sh vlan id 700
VLAN Name Status Ports
700 VLAN_NAME active <snip>
SWITCH_1631#sh ru int t4/1
Building configuration...
Current configuration : 74 bytes
interface TenGigabitEthernet4/1
switchport
switchport mode trunk
end
Steve,
Thanks for getting back to me. You're right that it is by default a dot1q trunk allowing all VLANs, therefore it should work for what I want to do.
Port Mode Encapsulation Status Native vlan
Gi3/39 on 802.1q trunking 1
Te4/1 on 802.1q trunking 1
Po1 on 802.1q trunking 50
Po2 on 802.1q trunking 50
Po3 on 802.1q trunking 50
Po4 on 802.1q trunking 50
Po5 on 802.1q trunking 50
Port Vlans allowed on trunk
Gi3/39 15-16,20-23,30,401,608
Te4/1 1-4094
Po1 10,13,20-21,25,30,50,52,61,70,600,700-701,950
Po2 10,20,30,50,52,61,70,600,700-701,950
Po3 10,20,30,50,61,70,600,700-701,950
Po4 10,20,30,50,61,70,600,700-701,950
Po5 2-3,10-23,25-26,30,35-36,40,50-53,56,58,61,65,70,77,101-102,145-146,155-158,401-402,600-602,608,700-701,800,950
The problem was that I've always been advised that best practice is to only allow the VLANs that are actually required on a trunk to avoid broadcasting traffic unnecessarily. I worked out what the issue was though, and it was a pretty simple one!
Once I saw that 1-4094 was allowed I tried "switchport trunk allowed vlan remove 700" which worked and left me with 1-699,701-4094.
Then I realised what the problem was trying to use the "add" command when all possible VLANs had already been added. As soon as I got rid of it and used "switchport trunk allowed vlan 700" followed by "switchport trunk allowed vlan add 701" I was back in business.
So it was a very simple issue, but thank you Steve for pointing me in the right direction and confirming that all the VLANs were already allowed! -
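An added example, not part of John's or Steve's posts above: a small Python model of the keyword semantics of `switchport trunk allowed vlan` on Catalyst IOS, replaying the Te4/1 commands from this thread. It assumes only the behaviour the thread shows (a fresh trunk allows 1-4094; `add` and `remove` edit the current list, a bare list replaces it, and `except`, `all` and `none` are the other keywords listed by the `?` help); the class and function names are mine.

```python
"""Model of the Catalyst IOS 'switchport trunk allowed vlan' keywords (added example)."""

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '1-699,701-4094' into a set of ints."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def format_vlan_list(vlans):
    """Compact a set of VLAN ids back into the range notation IOS prints."""
    if not vlans:
        return "none"
    ids = sorted(vlans)
    ranges, start, prev = [], ids[0], ids[0]
    for v in ids[1:]:
        if v == prev + 1:
            prev = v
            continue
        ranges.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = v
    ranges.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(ranges)


class TrunkAllowedVlans:
    """Tracks the allowed list of one trunk and applies the IOS keywords to it."""

    ALL = frozenset(range(VLAN_MIN, VLAN_MAX + 1))

    def __init__(self):
        # A freshly configured trunk allows every VLAN; 'show interfaces trunk'
        # prints this as 1-4094.
        self.allowed = set(self.ALL)

    def apply(self, command):
        """Apply one 'switchport trunk allowed vlan <arg>' line; return the new list."""
        arg = command.strip()
        prefix = "switchport trunk allowed vlan"
        if arg.startswith(prefix):
            arg = arg[len(prefix):].strip()
        keyword, _, rest = arg.partition(" ")
        if keyword == "all":
            self.allowed = set(self.ALL)
        elif keyword == "none":
            self.allowed = set()
        elif keyword == "add":
            # 'add' is a union with the current list: on 1-4094 it is a no-op.
            self.allowed |= parse_vlan_list(rest)
        elif keyword == "remove":
            self.allowed -= parse_vlan_list(rest)
        elif keyword == "except":
            self.allowed = set(self.ALL) - parse_vlan_list(rest)
        else:
            # A bare VLAN list replaces the whole allowed list.
            self.allowed = parse_vlan_list(arg)
        return format_vlan_list(self.allowed)


def replay_te4_1():
    """Replay the four commands from the thread and return the list after each."""
    trunk = TrunkAllowedVlans()
    return [
        trunk.apply("switchport trunk allowed vlan add 700"),
        trunk.apply("switchport trunk allowed vlan remove 700"),
        trunk.apply("switchport trunk allowed vlan 700"),
        trunk.apply("switchport trunk allowed vlan add 701"),
    ]


if __name__ == "__main__":
    for cmd, result in zip(("add 700", "remove 700", "700", "add 701"), replay_te4_1()):
        print(f"{cmd:12} -> {result}")
```

The first step returns 1-4094 unchanged, which is exactly what the `show run` above showed: `add` cannot make a difference when everything is already allowed, whereas the bare `700` replaces the list.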
Manipulating allowed VLAN list on trunks
I am in the process of restricting some of my VLANs so that they can be accessed only on the switches that actually need them. I have a VTP domain, so I am doing it by manipulating the "allowed" lists on the trunks. I have a mixed environment of IOS 4500, CatOS 4000, CatOS 5500, and IOS 29xx.
So, I have a number of questions and observations:
1. There are some special default VLANs, 1002-1005, which are designated fddi-default, token-ring-default etc. In an Ethernet-only environment, is there any harm if I clear these from all the trunks?
2. I do not use the extended VLAN range 1025-4095. Is there any harm if I clear these from all trunks?
3. Just out of academic interest, what ever happened to VLANs 1006 to 1024? They do not appear in any of the default "allowed" lists. Are they reserved for something?
4. Suppose my native VLAN for my trunks is not 1, let us say 99. And my management is on yet another VLAN, say 98. What happens if I try and clear the native VLAN 99 from the trunks? (Yes, I know I should try this in a lab, but does anyone know the answer to save me the effort of setting it up?)
5. Suppose I have a VLAN, say 50, that is only needed in two switches, so I clear it from all trunks except the one between those two switches. But all the switches know about it because it is in the VTP list. I notice that in the IOS switches, the PVST+ instance for that VLAN gets shut down. In the CatOS switches, the STP seems to continue to run, but the root bridge is designated as 00-00-00-00-00-00. Are these two behaviors consistent, i.e. what is actually going on in the CatOS case? (AAMOF, in the IOS switches, it is enough that none of the ports has an "up" presence in the VLAN, and the PVST+ instance shuts down, even if there are "down" ports configured to use it.)
6. Is there any way to set a global default "allowed" list in a switch, so that any new trunks only allow those VLANs, regardless of what is in the VTP list? (That is, apart from setting it to "transparent", which have other unwanted side effects such as not being aware of the creation of new VLANs.)
That's a lot of questions. The new edition of the Clarke/Hamilton book is well overdue!
Kevin Dorrell
Luxembourg
Glen,
Thanks for the responses.
1. I shall clear them out immediately.
2. I shall clear them out immediately.
3. It's a mystery. Anyone?
4. It was 99 because that VLAN was created specifically to accommodate the trunks. Unfortunately, in that particular network, VLAN 1 was still in use as an access VLAN. It is recommended not to have any access ports on the VLAN that is used as the native on the trunks, to prevent VLAN-hopping. Most NetAdmins do this by putting all the access ports anywhere but VLAN 1, and keeping VLAN 1 for trunk natives and/or management. This network did it the other way round, by shifting the native of the trunks off onto an unused VLAN. But I don't know what would happen if I cleared the native VLAN off the trunk.
5. I think here we need to distinguish between VTP and STP, and between allowed lists and pruning. I am not pruning here, I am actually clearing the VLANs from the trunks. In the case of pruning, the VTP declines to send the broadcasts down the trunk if they are not useful at the access layer switch, but the Spanning Tree topology is not affected. In the case of clearing, the Spanning Tree topology of the VLAN is actually modified, as if the trunk did not exist for that VLAN. OTOH, the VTP VLAN list is propagated to all switches, regardless of whether they have any presence on each VLAN. So according to the VTP server and all clients, there is a load of VLANs active in the domain. But if you have an allowed list on all the trunks, it could well be that the access switch knows about a VLAN, but does not have any presence on it. That is when the IOS shuts down the PVST+ STP for that VLAN, and a CatOS switch registers the root bridge as 00-00-00-00-00-00. As opposed to the case where the VTP domain does not have a VLAN in its database, so the CatOS has no STP instance for it.
6. Anyone else?
Thanks for the responses.
Kevin Dorrell
Luxembourg -
Hello, I recently purchased a 3560 switch and I am relatively new with VLANs.
What I need to do is quite simple:
I need multiple fastethernet ports into multiple VLANs on a single switch. For that, I need to trunk these ports but nothing seems to work properly.
I created multiple VLANs (vlan 100, 200 and 300), but by default each VLAN can see each other (my allowed vlan list is set to ALL on each port).
When I set up the restrictions of that allowed VLAN list, the problem is that each port still sees the others. Example: port 0/22 is set to allowed vlan 100,200, but that port can still see VLAN 300. I configured the native VLAN as VLAN 50 (an empty VLAN) on each port of the switch.
I tried on a 3560 and a 2950, but exactly the same problem occurs.
The problem is really basic but I've been on it for a week. Is there anyone who could help me please?
Check the link below for detailed configuration and information.
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84be.html
If you want to remove the vlan from the trunk, you can simply use below command :
switchport trunk allowed vlan remove 300
Hope this helps. -
Switch Port Trunk allowed Vlan
Hi Guys
Request your help on my query :
I have a distribution switch and access switch and port channel between them.
Dist switch is the VTP server
Let's assume I have 25 VLANs.
When I do show vlan brief on the access switch I can see all 25 VLANs listed.
Now when I configure switchport trunk allowed vlan (ex: permitting 10 VLANs) on the link connecting to the access switch at the dist switch:
Dist switch po1 -- connecting to - po Access switch
Dist switch #
int po1
switchport trunk allowed vlan x,x,x,x,x,x,x,x,x
After permitting 10 VLANs through trunk allowed vlan, when I do show vlan brief on the access switch, I should see only the 10 VLANs which I have permitted, right?
Thanks in advance
Hi,
John is absolutely correct - even if you do not permit a VLAN on a trunk, it can still provide communication among local ports on a switch that are all assigned to the same VLAN.
I have a feeling that your original question was focused on a different aspect, though: You probably expected that if you exclude some VLANs from trunks, these VLANs will not be propagated via VTP to surrounding switches. Sadly, this is not the case. The switchport trunk allowed vlan command only affects data traffic in individual VLANs but it has no impact on the operation of VTP protocol. The VTP still advertises all VLANs, regardless of which VLANs are allowed on a trunk. To put it plainly, in a VTP domain, all server/client switches will know about all VLANs. THere is no legal possibility of having a single VTP domain consisting of server/client switch and yet have the switches differ in their VLAN database contents. It's as easy as that: one VTP domain = one big common VLAN database.
Best regards,
Peter -
How to add VLAN to trunk port on Cisco SF200-24
Hello All,
I have question want to ask:
I have Cisco switch SF200-24 I want to configuration VLAN as below:
Port 1 to 10 = Vlan 100
Port 11 to 21 = Vlan 200
Port 22 to 24 = Vlan 300
Port GE1 = Trunking (Primary)
Port GE2 = Trunking (Secondary)
How to add all VLAN 100, 200, 300 go through Trunking Primary and Secondary?
Which port can I connect for management switch?
Thanks
> How to add all VLAN 100, 200, 300 go through Trunking Primary and Secondary?
firstly set those ports as trunks via "VLAN Management" -> "Interface settings" - click on corresponding port, click on "edit.." button and select "Trunk" from list.
Once those ports (GE1 and GE2) are as trunks, you can now assign them all desired VLANs via "VLAN Management" -> "Port VLAN Membership". Select first port (GE1), click "join VLAN" and select all desired VLANs from left list and put them to right list.
and you are done.
> Which port can I connect for management switch?
by default, the switch management IP is part of the default VLAN 1. If you want to keep access to your switch, assign "VLAN1" to one of the access ports, or change the management VLAN to a number other than 1 - but in this case don't forget to apply correct IP settings in order to match the subnet assigned to the new VLAN. -
Maybe there's an obvious answer, but I have this strange thing;
Switchport config
interface GigabitEthernet0/2
description Trunk to CORE02
switchport mode trunk
shutdown
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust
sh vlan brie
VLAN Name Status Ports
1 default active Gi0/2
Why is it that this port, which is configured as a trunk port, shows up as active in VLAN 1? Also when I do a show interfaces trunk, this specific port is not listed as a trunked port. By the way, I had to shut down the port because it was causing issues. It's a redundant link; when enabled I would expect spanning tree to do its magic, but somehow it does not and instead causes half of our LAN to become unreachable. Not sure why.
In my switch I cannot delete it:
Switch Ports Model SW Version SW Image
* 1 52 WS-C2960S-48TS-L 12.2(58)SE2 C2960S-UNIVERSALK9-M
interface GigabitEthernet1/0/41
description 2960_24_POE_5_24
switchport mode trunk
spanning-tree portfast
_Cat_2960s_5_1#sh vla br
VLAN Name Status Ports
1 default active Gi1/0/41,
_Cat_2960s_5_1#
_Cat_2960s_5_1#sh runn all | b interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/41
description 2960_24_POE_5_24
switchport
switchport access vlan 1
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode trunk
no switchport nonegotiate
no switchport protected
no switchport block multicast
no switchport block unicast
switchport port-security maximum 1
no switchport port-security
_Cat_2960s_5_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
_Cat_2960s_5_1(config)#interface GigabitEthernet1/0/41
_Cat_2960s_5_1(config-if)#no switchport access vlan 1
_Cat_2960s_5_1(config-if)#^Z
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#sh runn all | b interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/41
description 2960_24_POE_5_24
switchport
switchport access vlan 1
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode trunk
another trunk port with native vlan configured is not in vlan 1 -
Trunk port changes assigned VLANs spontaneously
Hello,
I have problem with GE2 port VLAN membership in trunk mode.
When I set GE2 port as a trunk for VLAN 11 tagged, VLAN 48 tagged
and VLAN 666 untagged+PVID, it stays so only untill reboot.
After reboot there are 11, 48 and 666 tagged, while VLAN 1 is
untagged+PVID. Everything works somehow, but there are warnings.
Default VLAN 11. The other side is 2960G with no vtp on port
and vtp is globally off.
Thank you
SF 200-24 24-Port 10/100 Smart Switch
Model Description: 24-Port 10/100 Smart Switch Firmware Version: 1.1.1.8
Serial Number: DNI15330085 Firmware MD5 Checksum: 0b73c744e12a6f93c711867b1188736e
PID VID: SLM224GT V01 Boot Version: 1.0.0.1
Boot MD5 Checksum: 81359f6e6c7e640b53df27c4f05b8d60
Locale: en-US
Language Version: 1.1.1.6
Language MD5 Checksum: N/A
Hi Igor
Just out of interest, I see no mention that you saved the configuration in your problem description.
As the administrators guide says on page 30, Configurations will be lost if not saved.
Just in case you didn't save your configuration, here is a 6 minute video that shows, in the last minute, how to save the configuration of a 300 series switch, but it should be identical for a 200 series product..
https://cisco.webex.com/ciscosales/lsr.php?AT=pb&SP=MC&rID=56220782&rKey=5fc47a1c7b566b8c
or try from the GUI
Click Administration > File Management > Copy/Save Configuration
Copy the running configuration to the startup configuration.
If you have saved your configuration but still lose VLAN assignment, yes please follow the advice in the previous posting.
regards Dave -
VTP Pruning vs Allowing VLANs on Trunk ports
We would like to know best approach to reduce VLAN traffic on our network. We are currently trunking all fiber ports 802.1q.
We have about 73 VLANs across the network. We have done a lot of research and there seem to be a lot of theoretical answers but no one who uses it in practice.
Here is our current configs for fiber ports between closets:
Cisco WMH6509
interface GigabitEthernet2/8
description Fiber To STB Lab 3850
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
no snmp trap link-status
end
Cisco STB Lab 3850
interface GigabitEthernet1/1/1
description Fiber To WMH6509
switchport mode trunk
end
We are considering:
VTP Pruning Enable
or
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 26,99,109,188
switchport mode trunk
Thanks,
Tom
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
As I have some years (cough - decades) software development experience, I lean toward automation solutions, so, for example, I often prefer dynamic routing over static routing, and so likewise, I prefer VTP over manual configuration on multiple devices.
However, VTP does have some "quirks". For example, this year I ran into an issue where an edge switch had a new VLAN defined on a port which wasn't in use on a transit switch, so VTP auto pruning pruned it off the transit's uplink trunk. (It was a bit of a pain to find the cause, as VTP doesn't prune right away - the edge worked for a bit and then it stopped working. One fix would have been to stop using VTP auto-pruning across the whole VTP domain, but instead I configured VTP to not auto-prune the needed VLAN across the needed trunk.)
So, as Paul notes, VTP auto pruning might be easier to get going, but be prepared for unexpected incidents (again, not saying you'll have any, just be prepared). So, if you're prepared, I would go with VTP auto pruning, but if you want to "play safe", go with Paul's recommendation. -
Hi,
Is it possible to configure a switchport as a dynamic VLAN port and at the same time as a trunk port?
Hi,
Static ports that are trunking cannot become dynamic ports. You must turn off trunking on the trunk port before changing it from static to dynamic.
You can find more info here.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2ec.html
HTH,
Sundar -
Private VLAN Promiscuous Trunk Port - Switches which support this function
Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks
4500x Yes
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
Nexus 5k Yes
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
3850s
They don't support PVLANs at all yet
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
Restrictions for VLANs
The following are restrictions for VLANs:
The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
Private VLANs are not supported on the switch.
You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches. -
Dedicated VLAN ID's on trunk ports
I was reading the SAFE:Security Blueprint for Enterprise Networks. This document addresses in its "Switches are targets" section on Page 6 that "Always use a dedicated VLAN ID for all trunk ports"...
I am trying to understand this concept fully.
If I consider my trunk ports, most are physical fiber "links" that interconnect the switches. Some trunk links connect Distribution L to Access L; some Distribution to Core.
Where do I put the VLAN ID on these? Should I translate this to mean that on Gig0/0 on SW.1 I place this interface in VLAN 23 and on the switch on the other end of the link I also place Gig0/0 in VLAN 23 as well?
Also I am not sure why this helps secure the switch. Can someone please assist? I am grateful.
Hi,
This is not actually VLAN pruning. This is just specifically allowing some VLANs on the trunk ports and removing the other unwanted VLANs.
Pruning works in a different way and saves bandwidth on the trunk links by pruning unwanted broadcasts for a particular VLAN on a trunk if no host is active in that VLAN on the switch at the far end. I.e. if you don't have any active host in a VLAN on a particular switch, and there is a broadcast in that VLAN that would come over the trunk, that broadcast is pruned on the trunk towards the switch where no host is active.
HTH,
-amit singh -
SG300: MAC authentication with Radius VLAN assignment problems
Hi,
I just can't get the dynamic vlans working. I've tried everything, switch in L3 mode, switch in L2, several port configs, several tunnel configs in Radius server (freeradius 2.1.1)
Here's the final switch config:
config-file-header
switchf460dc
v1.3.7.18 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
no spanning-tree
vlan database
vlan 12,100,110,666
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
no bonjour enable
hostname switchf460dc
line ssh
exec-timeout 0
exit
encrypted radius-server host 192.168.99.93 key xXx priority 1 usage dot1.x
logging host 1.2.3.4 severity debugging
passwords aging 0
ip ssh server
snmp-server server
snmp-server community public ro 192.168.99.93 view Default
clock timezone " " +1
clock summer-time web recurring eu
clock source sntp
sntp unicast client enable
sntp server 172.16.1.1
interface vlan 12
ip address 192.168.99.170 255.255.255.0
no ip address dhcp
interface gigabitethernet5
dot1x host-mode multi-sessions
dot1x reauthentication
dot1x authentication mac
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode general
switchport general allowed vlan add 100,110,666 untagged
no macro auto smartport
interface gigabitethernet6
switchport mode access
switchport access vlan 110
interface gigabitethernet9
switchport mode access
switchport access vlan 12
interface gigabitethernet10
switchport trunk allowed vlan add 12,100,110
exit
ip default-gateway 192.168.99.1
On the switch side I would expect VLAN 666 to be set but it's not there:
switchf460dc#show dot1x users
MAC Auth Auth Session VLAN
Port Username Address Method Server Time
gi5 0090dca15880 00:90:dc:a1:58:80 MAC Remote 01:09:25
This is the radius users file. It's a simple file for test.
DEFAULT Auth-Type := Accept
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 666
I am attaching a screenshot of the Radius reply sent by the server.
I also tried setting "copy_request_to_tunnel = yes" and "use_tunneled_reply = yes" as found in another post, no success.
It may be that the tag is missing in the Radius reply? If yes, how do I add it?
Any ideas?
Thanks.
Update Dec 11: I tried with FW 1.4.0, and using the same config the switch doesn't perform any Radius requests at all anymore.
I was wrong when I said that 1.4.0 wouldn't work at all. I simply had a device connected which didn't produce much traffic. My bad.
So 1.4.0 works as far as the auth is concerned, but no improvement as far as dynamic VLAN is concerned. So there is no improvement over 1.3.7, or there is a config issue.
I have opened SR 633001533 although the last appointment for WebEx went by without anyone getting back to me. I'll try again on Monday.
Feel free to get back to me if you need anything to make experiments. I'll keep this thread updated too. -
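An added example, not from this thread or from Cisco: a Python encoder/decoder for the three RFC 2868 tunnel attributes that carry a RADIUS VLAN assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), showing what a "tag" looks like on the wire and how a switch groups the three attributes by it. Whether the SG300 needs a tagged reply is not established by the thread; the tag value 1 (what `Tunnel-Type:1 = VLAN` produces in a FreeRADIUS users file), the constructed VLAN 666 reply and the function names are assumptions of the example.

```python
"""RFC 2868 tunnel attributes for RADIUS VLAN assignment (added example)."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868: Tunnel-Medium-Type value for IEEE-802


def encode_vlan_attributes(vlan, tag=0):
    """Return the raw bytes of the three attributes for one VLAN assignment.

    tag=0 is the untagged form (users file: 'Tunnel-Type = VLAN');
    tag=1..31 is the tagged form (users file: 'Tunnel-Type:1 = VLAN').
    Assumed layout follows RFC 2868: integer attributes always carry a tag
    octet (0x00 when unused), string attributes carry one only when tagged.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tags are 0x00 (none) or 0x01-0x1F")
    attrs = b""
    # Tunnel-Type and Tunnel-Medium-Type: Type, Length=6, Tag, 3-byte value.
    for attr_type, value in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
                             (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)):
        attrs += struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")
    # Tunnel-Private-Group-ID: Type, Length, [Tag], then the VLAN id as text.
    group = str(vlan).encode("ascii")
    if tag:
        attrs += struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group
    else:
        attrs += struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group
    return attrs


def decode_attributes(data):
    """Walk a RADIUS attribute blob and return a list of (type, tag, value)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        body = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet of 0x01-0x1F is a tag; anything larger is already text.
            if body and body[0] <= 0x1F:
                tag, value = body[0], body[1:].decode("ascii")
            else:
                tag, value = 0, body.decode("ascii")
        else:
            tag, value = None, bytes(body)
        out.append((attr_type, tag, value))
        i += length
    return out


def vlan_from_reply(data):
    """Return the VLAN a switch would assign, or None if no complete VLAN trio exists.

    The three attributes belonging to one assignment must share a tag; a reply
    missing any of them, or with mismatched tags, assigns nothing.
    """
    by_tag = {}
    for attr_type, tag, value in decode_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            by_tag.setdefault(tag, {})[attr_type] = value
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return int(attrs[TUNNEL_PRIVATE_GROUP_ID])
    return None


if __name__ == "__main__":
    for tag in (0, 1):
        wire = encode_vlan_attributes(666, tag=tag)
        print(f"tag={tag}: {wire.hex()} -> VLAN {vlan_from_reply(wire)}")
```

Comparing the two hex dumps against a packet capture of the server's Access-Accept shows immediately whether the reply is tagged (a 0x01 octet right after each attribute's length byte) or not.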
SG-300 CLI How to display trunk ports
Hello
I have a very simple question about CLI on SG-300. How to display trunk ports via cli? I have switch with 28 ports and I wanted to see what switchport mode is applied to every port - or simply we can just focus on trunk ports. On Cisco Catalysts there is "show trunk" command in order to get list of ports in Trunk mode. Is there any way to do it on SG-300?
srv-sw-1#show version
SW version 1.3.0.62 ( date 02-May-2013 time 14:55:01 )
Boot version 1.1.0.6 ( date 11-May-2011 time 18:31:00 )
HW version V02
thank you
michal
Hi,
I remember something at least that works port by port:
>#sh int switchport fa 1
Port : fa1
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
Vlan Name Egress rule Port Membership Type
1 1 Untagged System
Displays detailed info about each port, range command will not work, but it's something.
You can check for vlans and or tags with:
sh vlan
sh vlan tag 1.
NTex -
Does it need add the native vlan to allowed vlan list ?
If I configured the port like this "
switchport trunk native vlan 10
switchport trunk allowed vlan 11,12"
is VLAN 10 allowed to pass? Or does VLAN 10 still need to be added to the allowed VLAN list, like "
switchport trunk native vlan 10
switchport trunk allowed vlan 10,11,12"
Thanks
Yes, you can remove the native VLAN from the list, and it does prevent the native VLAN from traversing the trunk. That is, if you look at the Spanning Tree for the native VLAN, the trunk will be absent from the list of ports on the VLAN.
The question of untagged frames is a different one. There are some control protocols, particularly link-local ones, that are sent untagged, and these will traverse the trunk regardless. However, they are not considered as part of the native VLAN Spanning Tree as such.
But beware: there is a bug in earlier IOS and in all CatOS switches! If you use a non-1 VLAN as your trunk native VLAN, and you disallow it from the trunks, and there are no other ports carrying that native VLAN, then the Spanning Tree for that VLAN shuts down. That is fair enough. But the bug is that the Spanning Tree for VLAN 1 also breaks down, sending your network into meltdown.
Kevin Dorrell
Luxembourg
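As an added example that is not part of Kevin's reply or of the "Dedicated VLAN IDs on trunk ports" thread above: the following Python audits the first two tables of a `show interfaces trunk` capture for the points raised in both threads (native VLAN left at the default 1, a native VLAN that also carries access ports, a trunk still allowing all 4094 VLANs, the native VLAN present in the allowed list, and a trunk mode that is still negotiated by DTP). The sample output and the set of access VLANs are constructed, modelled on the output posted in the TenGig thread; function names are mine.

```python
"""Audit the first two tables of 'show interfaces trunk' (added example)."""

# Constructed sample modelled on the output posted in the TenGig thread; not a real capture.
SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi3/39      on               802.1q         trunking      1
Te4/1       on               802.1q         trunking      1
Po1         desirable        802.1q         trunking      99

Port        Vlans allowed on trunk
Gi3/39      15-16,20-23,30,401,608
Te4/1       1-4094
Po1         10,20,30,99,600,700-701

Port        Vlans allowed and active in management domain
Gi3/39      15-16,20-23,30,401,608
"""

# VLANs that have access ports on this switch (constructed, as if read from 'show vlan brief').
ACCESS_VLANS_IN_USE = {1, 10, 20, 30}

ALL_VLANS = frozenset(range(1, 4095))


def parse_vlan_list(text):
    """Expand IOS range notation such as '1-699,701-4094' into a set of ids."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(output):
    """Return {port: {mode, encap, status, native, allowed}} from the capture."""
    trunks, section = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            # Each table opens with a 'Port ...' header; only two are needed here.
            if "Native vlan" in line:
                section = "status"
            elif "Vlans allowed on trunk" in line:
                section = "allowed"
            else:
                section = None
            continue
        if section is None:
            continue
        fields = line.split()
        port = fields[0]
        if section == "status":
            trunks[port] = {"mode": fields[1], "encap": fields[2],
                            "status": fields[3], "native": int(fields[4])}
        elif port in trunks:
            trunks[port]["allowed"] = parse_vlan_list(fields[1])
    return trunks


def audit(trunks, access_vlans):
    """Return (port, finding) pairs for the weaknesses discussed in the threads."""
    findings = []
    for port, t in sorted(trunks.items()):
        if t["mode"] != "on":
            findings.append((port, f"mode '{t['mode']}': trunk is negotiated by DTP; "
                                   "set 'switchport mode trunk' and 'switchport nonegotiate'"))
        if t["native"] == 1:
            findings.append((port, "native VLAN is still the default VLAN 1"))
        if t["native"] in access_vlans:
            findings.append((port, f"native VLAN {t['native']} also has access ports "
                                   "(double-tagged VLAN hopping risk)"))
        allowed = t.get("allowed", set())
        if allowed == ALL_VLANS:
            findings.append((port, "all 4094 VLANs allowed; set an explicit allowed list"))
        if t["native"] in allowed:
            findings.append((port, f"native VLAN {t['native']} is in the allowed list, "
                                   "so its data frames cross this trunk"))
    return findings


def run_audit(output=SHOW_TRUNK, access_vlans=ACCESS_VLANS_IN_USE):
    return audit(parse_show_trunk(output), access_vlans)


if __name__ == "__main__":
    for port, finding in run_audit():
        print(f"{port:8} {finding}")
```

On the constructed sample, Te4/1 collects four findings (default native VLAN, access ports in that VLAN, all VLANs allowed, native VLAN allowed) while Po1 is flagged only for DTP negotiation and for carrying its native VLAN 99 on the trunk.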