Catalyst 3750 , ACS and Downloadable IP ACL

Similar Messages

• Catalyst 3560 vs. Catalyst 3750 - 24 and 48p. 10/100/1000

  I need some help in positioning the Catalyst 3560 against the Catalyst 3750 - (only 24 and 48p. 10/100/1000) Switches.
  Under which circumstances should our customer buy 3560 and what are the arguments for the 3750 solution ?
  What are the major differences ?
  Thank you very much for your help !
  Regards,
  Cope

  CAT3750 series support stackwise technology while 3560s do not. This is the main difference between 3560s and 3750s. The switching architecture between the two is very similar. Stackwise comes with lot of advantages. You can find more on CCO at
  http://www.cisco.com/en/US/products/hw/switches/ps5023/products_white_paper09186a00801b096a.shtml

• 802.1x MDA with Cisco 3750, ACS and Avaya phones

  Hello,
  What is the minimum software level on the C3750 to support the 'device type class=voice' AV-pair returned by ACS?  I found 12.2(35) introduced MDA, but also I found 12.2(40) required for dynamic voice VLAN on MDA ports. 
  What i observe is :
  - phone connects
  - phone is dot1x authenticated in data VLAN and gets its DHCP address there
  - DHCP advertises (option 242) the voice vlan id
  - phone reauthenticates in voice vlan
  - phone reacquires a new DHCP address, now in voice VLAN
  so far so good ... and we start using the phone
  - pc behind phone starts and enters credentials
  - pc authenticates ok (in data vlan)
  but 3750 shuts the port down per security violation ("new mac-address found").
  The mac-address of the phone stays in the data vlan's  mac table, despite the phone moved correctly to the voice vlan.  This macaddress excludes the 'new' pc mac-address, causing a shutdown of the port. 
  NB : "setting port-security max mac-addresses" to say 5 does not change anything to  this behavior.
  Can anybody give some hints?
  Tx.

  Searching further, I found that 12.2(40) requirement for dynamic voice VLAN on MDA ports only applies to dynamically provisioning the voice vlan ID by radius, applying the (65)tunnel (medium) type and (81) tunnel private groupid  attributes.  So, obviously, MDA support with 'static' voice vlan assignment by switchport configuration *should work* with our 12.2(35), *
  So, the question remains : why does the data VLAN keep an entry with the phone's MAC address in its MAC table?
  Tx.

• 802.1x NAC and per-user ACLs

  Can 802.1x NAC and per-user ACLs be used together on the same port? I know some of the NAC documentation says that 802.1x NAC does not support downloadable ACLs but it looks like it might be outdated and according to http://cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a0080817284.html , it appears that there is not preventing this.
  Also, when will URL redirection to a remediation server be supported with 802.1x NAC?

  You just need to configure it differently on ACS. "Downloadable IP ACLs" used to be "Downloadable PIX ACLs" on ACS. It changed to "IP" when VPN concentrators started supporting this with ACLs too. You saw this with NAC, if I remember .. and EOU does it this way as well.
  802.1X with per-user ACLs was already shipping at the time though (has been for some time) and the mechanism is opertionally the same .. just functionally different.
  With per-user ACLs, you'd configure a VSA like:
  ip:inacl#1=deny ip any host 10.1.8.3
  ip:inacl#2=permit ip any any
  The "downloadable IP ACL" config would look like:
  deny ip any host 10.1.8.3
  permit ip any any
  In the end, both techniques use the same VSA. This VSA is 026\009\001. In "per-user-ACLs, there's no sort of handshake though to see if the ACL is already there, etc. It slaps the ACL on for you unconditionally as an authorization rule b/c you told it to. (hence the "ip:inacl" stuff above). With "downloadable", there's a handshake before actually applying the ACL .. to see if there's an earlier copy of the ACL, and it'll only update what changed, etc.
  So, it really boils down to semantics. Both techniques work. AAA config is subtely different on the backend. Look for this to get consistently deployed soon, but in the meantime, it's still supported ;-).
  Hope this helps,

• I cannot connect by console port to Cisco Catalyst 3750 using ethernet to USB.

  Hello. I have one Cisco Catalyst 3750 switch, and two 2950 switches. I am trying to reset their settings using a console cable with a trendnet Ethernet to USB adapter. When I try loading hyperterm or putty on com3 there is no signal. I have the communication port setting on com3. I don't know what the old settings are, and they can be reset. I get connectivity lights when plugging the cable into the switch ports. What am I missing? 

  Are you definitely using the correct COM Port number? On Windows7 Right Click My Computer > Manage Then select Device Manager and expanPorts (COM & LPT)d  in my case is shows Prolific USB-to-Serial Comm Port (COM5). 
  Once you have the right COM Port number just use the default settings in Putty. You may find the COM Port is locked up which will require a reboot.

• Revised Visio stencils for CRS and Catalyst 3750

  We just submitted the CRS and Catalyst 3750 revisions to the Cisco web team for posting.  They should be available within a day or so.
  Regards,
  Brett Newman
  Cisco Visio Development
  Visimation Inc.

  Hi Kevin,
  We updated the 3750 on 2/23/12 and the CRS on 2/20/12.  Please check the download page.
  Regards,
  Brett Newman
  Cisco Visio Development
  Visimation Inc.

• Catalyst (3750 24 10/100/1000T) and (3750 12 SFP) Stacking Problems

  Dear all
  I'm having a very strange situation here (at least for me)
  we have 4 core switches
  2 x   WS-C3750G-24T-S Catalyst 3750 24 10/100/1000T + IPB Image
  and
  2 x   WS-C3750G-12S-S Catalyst 3750 12 SFP + IPB Image
  Stack configuration is done this way
  when the switches are powered on, the first two SFP core switches are seen as a single stack with the stack master LED turned green on the first switch
  the other two (24 10/100/1000T) switches have the RPS LEDs always green, mode cannot be changed, and cannot be accessed by Console connection
  but when the (24 10/100/1000T) are powered off, the first (SFP) switch in the stack reports that " Switch 3 and 4 has been removed from Stack "
  which means they are stacked but there's something wrong, because
  only the SFP ports are shown in the " Show interfaces status " , the ethernet ports of the bottom switches are not present !!!
  can you please tell me what's the poblem ?

  Dear Daniel
  Sorry for my delayed response but i was actually quite busy
  but the problem was actually in another sense
  the default profile for the Catalyst 3750 SFP is the Aggregate SDM Template
  while the 3750 10/100/1000 ethernet Switch Default SDM profile was Desktop profile
  so i had an SDM mismatch
  DATACENTER#sh switch detail
  Switch/Stack Mac Address : 081f.f3cf.1c80
                                             H/W   Current
  Switch#  Role   Mac Address     Priority Version  State
  *1       Master 081f.f3cf.1c80     1      0       Ready              
  2       Member 081f.f3cf.5900     1      0       Ready              
  3       Member aca0.16ac.0180     1      2       SDM Mismatch       
  4       Member aca0.16a3.bc80     1      2       SDM Mismatch 
           Stack Port Status             Neighbors    
  Switch#  Port 1     Port 2           Port 1   Port 2
    1        Ok         Ok                2        4
    2        Ok         Ok                3        1
    3        Ok         Ok                4        2
    4        Ok         Ok                1        3 
  all i did was changing the default profile of the SFP switches into the Desktop Profile and problem was solved
  switch 1 provision ws-c3750g-12s
  switch 2 provision ws-c3750g-12s
  switch 3 provision ws-c3750g-24t
  switch 4 provision ws-c3750g-24t
  system mtu routing 1500
  ip subnet-zero
  no file verify auto
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  interface GigabitEthernet1/0/1
  interface GigabitEthernet1/0/2
  interface GigabitEthernet1/0/3
  interface GigabitEthernet1/0/4
  interface GigabitEthernet1/0/5
  interface GigabitEthernet1/0/6
  interface GigabitEthernet1/0/7
  interface GigabitEthernet1/0/8
  interface GigabitEthernet1/0/9
  interface GigabitEthernet1/0/10
  interface GigabitEthernet1/0/11
  interface GigabitEthernet1/0/12
  interface GigabitEthernet2/0/1
  interface GigabitEthernet2/0/2
  interface GigabitEthernet2/0/3
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface GigabitEthernet2/0/4
  interface GigabitEthernet2/0/5
  interface GigabitEthernet2/0/6
  interface GigabitEthernet2/0/7
  interface GigabitEthernet2/0/8
  interface GigabitEthernet2/0/9
  interface GigabitEthernet2/0/10
  interface GigabitEthernet2/0/11
  interface GigabitEthernet2/0/12
  interface GigabitEthernet3/0/1
  interface GigabitEthernet3/0/2
  interface GigabitEthernet3/0/3
  interface GigabitEthernet3/0/4
  interface GigabitEthernet3/0/5
  interface GigabitEthernet3/0/6
  interface GigabitEthernet3/0/7
  interface GigabitEthernet3/0/8
  interface GigabitEthernet3/0/9
  interface GigabitEthernet3/0/10
  interface GigabitEthernet3/0/11
  interface GigabitEthernet3/0/12
  interface GigabitEthernet3/0/13
  interface GigabitEthernet3/0/14
  interface GigabitEthernet3/0/15
  interface GigabitEthernet3/0/16
  interface GigabitEthernet3/0/17
  interface GigabitEthernet3/0/18
  interface GigabitEthernet3/0/19
  interface GigabitEthernet3/0/20
  interface GigabitEthernet3/0/21
  interface GigabitEthernet3/0/22
  interface GigabitEthernet3/0/23
  interface GigabitEthernet3/0/24
  interface GigabitEthernet4/0/1
  interface GigabitEthernet4/0/2
  interface GigabitEthernet4/0/3
  interface GigabitEthernet4/0/4
  interface GigabitEthernet4/0/5
  interface GigabitEthernet4/0/6
  interface GigabitEthernet4/0/7
  interface GigabitEthernet4/0/8
  interface GigabitEthernet4/0/9
  interface GigabitEthernet4/0/10
  interface GigabitEthernet4/0/11
  interface GigabitEthernet4/0/12
  interface GigabitEthernet4/0/13
  interface GigabitEthernet4/0/14
  interface GigabitEthernet4/0/15
  interface GigabitEthernet4/0/16
  interface GigabitEthernet4/0/17
  interface GigabitEthernet4/0/18
  interface GigabitEthernet4/0/19
  interface GigabitEthernet4/0/20
  interface GigabitEthernet4/0/21
  interface GigabitEthernet4/0/22
  interface GigabitEthernet4/0/23
  interface GigabitEthernet4/0/24
  that's it !
  : D
  cheers

• Alternative switch to Cisco Catalyst 3750v2-24FS and 3750-24FS

  I`m looking for an alternative to these two switches:                 
  1.  WS-C3750V2-24FS-S  Cisco Catalyst 3750V2-24FS Switch with 24 100FX SFP + 2 Gigabit Ethernet SFP Ports
  2. Cisco Catalyst 3750-24FS (WS-C3750-24FS-S 100BASE-FX)
  They are now EOL and not available.
  I have a campus style network and need to be able to connect multiple 100FX fibre switches back to a central switch. The 1st unit uses 100FX SFP modules and the second has in-built 100FX ports. I`m struggling to find anything from Cisco that will give me multiple (i.e 12+) 100FX ports.
  Could anyone please point me in the right direction?
  Many thanks,
  Paul

  Hi Paul ,
  Replacement for both switch is WS-C3650-48TS-S.
  http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5528/eos-eol-notice-c51-730227.html
  http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5023/end_of_life_c51-687707.html
  Regards
  Don't forget to rate helpful posts
  Sent from Cisco Technical Support iPhone App

• Debian Linux Bonding and Cisco Catalyst 3750 - best practise?

  Hello everybody,
  I would like to know what's best practice to do this:
  The two NICs of a Debian Linux server wants to be connected with two Switchports of a Cisco Catalyst 3750 switch(stack). My goal is to have load-balancing and failover.
  My /etc/network/interfaces looks like this:
  iface bond0 inet static
         address 192.168.0.30
         netmask 255.255.255.0
         network 192.168.0.0
         broadcast 192.168.0.255
         gateway 192.168.0.1
         dns-nameservers 192.168.0.10 192.168.0.20
         dns-search xyz.mycompany.com
         slaves eth0 eth1
         bond_mode ???
         bond_miimon 100
         bond_downdelay 200
         bond-updelay 200
  First question: What bond mode should I use?
  The switchports looks like this:
  interface GigabitEthernet3/0/4
   switchport access vlan 20
   switchport mode access
   spanning-tree portfast
  What changes are necessery here? Something like this?
  interface GigabitEthernet3/0/4
   switchport trunk encapsulation dot1q
   switchport mode trunk
   spanning-tree portfast
  Thanks a lot for suggestions, hints, etc.! :-)
  Greets
  Stephan

  Hi Michael,
  thanks a lot for your answer - and sorry for my late reply!
  I like to show you my solution - I hope that it is a solution. ;-)
  My config on the switch(stack):
  switch#show etherchannel summary
  Group  Port-channel  Protocol    Ports
  ------+-------------+-----------+-----------------------------------------------
  2      Po2(SU)         LACP      Gi3/0/3(P)  Gi4/0/3(P)
  switch#show running-config interface GigabitEthernet 3/0/3
  Building configuration...
  Current configuration : 172 bytes
  interface GigabitEthernet3/0/3
   description myserver, eth0
   switchport access vlan 20
   switchport mode access
   channel-group 2 mode active
   spanning-tree portfast
  end
  lansw01#show running-config interface GigabitEthernet 4/0/3
  Building configuration...
  Current configuration : 172 bytes
  interface GigabitEthernet4/0/3
   description myserver, eth1
   switchport access vlan 20
   switchport mode access
   channel-group 2 mode active
   spanning-tree portfast
  end
  switch#show running-config interface port-channel 2
  Building configuration...
  Current configuration : 82 bytes
  interface Port-channel2
   switchport access vlan 20
   switchport mode access
  end
  The /etc/network/interfaces of my Debian machine looks like this:
  auto lo
  iface lo inet loopback
  auto bond0
          iface bond0 inet static
          address 192.168.1.xxx
          netmask 255.255.255.0
          gateway 192.168.1.xxx
          dns-nameservers 192.168.1.xxx
          dns-search xxx.xxx.xxx
          bond-mode 4
          bond-miimon 100
          bond-downdelay 200
          bond-updelay 200
          bond-lacp-rate 1
          slaves eth0 eth1
  This setup seems to work well. But I'm wondering that there is nothing with "trunking" in my setup. Would you like to give me your opinion about this?
  Thanks a lot and many greets
  Stephan

• Interconnecting Catalyst 3750 and 2948G-L3

  I am trying to interconnect a Catalyst 3750 and a 2948G-L3 using fiber GBIC. The interfaces where the GBIC and fiber are attached show up as physically down. I have tried different ports and also changed both switches. No Luck. If I connect a 3524 to the 3750 using the same connection it works.
  Are 2948G-L3 switches compatible with the 3750?
  Thanks,
  VT

  Should have no problem. Can you try the following on the 3750's gig interface:
  speed nonegotiate
  See of the link comes up.
  Please rate all posts.

• Do Cisco router 2811 and Catalyst 3750 support SNMPv3?

  Hi,
  Do Cisco router 2811, IOS 12.4(20)Ti, and Catalyst 3750, IOS 12.2.(53)SE, support SNMPv3?
  Attached file contains my SNMPv3 configurations and "show snmp" results.  Would you please give me your advice?  Thanks.
  Hugh

  Hugh
  Certainly both the 2811 and the 3750 do support SNMPv3. So support for the feature is not an issue in your situation.
  I have looked at the config that you attached and believe that it looks reasonable. You have not told us about the SNMP server that will communicate with these devices. So we have no way to know if the details of the configuration are correct.
  Have you attempted to discover these devices with an SNMP server that is configured to use SNMPv3 and has this user and passwords configured? If it does not work my first suggestion would be to check to verify that the passwords configured are exactly the same on the clients and on the server (and perhaps re-configure the passwords just to be sure). If the passwords are not a problem my second suggestion would be to check and verify that the authentication and encryption parameters match between the server and the clients.
  HTH
  Rick

• WCCP ACL on Catalyst 3750

  Hi
  I have a stack of 3750s with IP Services and 2 WAAS appliances connected to the stack. I am running wccp in the stack and redirecting traffic to the WAAS appliances using a redirect acl. I read in the command guide for the 3750 that ONLY permit entries are supported. I have a appox 20 vlans and there are local traffic flowing between some of them.
  My questions is if I can`t use deny entries in the redirect acl in the switch, how can I stop the local traffic between the vlans getting redirected unnecessarly. The local traffic will be redirected to the WAAS appliance and then just go bypass and go back to the switch stack or does WCCP handle this in someway so only the first packets for each session gets redirected?
  BR
  CJ Ekman

  Hey CJ,
  Option 1: another option you might consider is intercepting closer to the WAN edge, if that's an available option for you.
  Again, like Patrick mentioned it depends on your network / IP design but if you intercept closer to the WAN edge you should be able to avoid engineering a redirect ACL altogether.
  Option 2: depending on the 3750 platform and code upgrade options, some of the latest 3750 IOS versions include support for deny entries for WCCP redirect ACLs. Check out these release notes (look at the very last bullet point in this list):
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/release/notes/OL24338.html#wp1009434
  Hope this helps!
  -Chet

• VLAN trunking from Cisco Catalyst 3750 to Cisco SF300-48P issue and related

  Hello expert,
  I'm having difficulties to configure VLAN trunking between Cisco Catalyst 3750 switch with Cisco SF300-48P switch and my workstation unable to get any DHCP IP from our DHCP server via Cisco SF300-48P switch. Below is the snippet of configuration on both switches:
  [Cisco Catalyst 3750 Switch]
  interface GigabitEthernet1/0/45
   description NCC-CC-1stFlr
   no switchport trunk encapsulation dot1q
   no switchport trunk allowed vlan 101-103
   spanning-tree portfast
  [Cisco SF300-48P Switch]
  interface fastethernet48
   spanning-tree link-type point-to-point
   switchport trunk allowed vlan add 101-103
   macro description switch
   !next command is internal.
   macro auto smartport dynamic_type switch
  interface fastethernet29
   switchport mode general
   switchport general allowed vlan add 103 tagged
   switchport general pvid 103
  Are these are correct? Kindly advice!
  Thank you very much!
  Regards,
  Alex

  Hi Alex,
  for the trunk port on Catalyst on port GE 1/0/45, we need to enable the trunk and for on encapsulation dot1q because this catalyst model is ISL capable also and the SF300 working only with Dot1q Encapsultion
  The configuration on catalyst should :
  #config terminal
  #interface Gi 1/0/45
  # switchport encapsulation 
  #switchport trunk encapsulation dot1q
  #switchport mode trunk 
  #switchport trunk allowed vlan 101-103
  #spanning-tree portfast
  For SF300 the port trunk it looks fine but for the port where the PC should receive an IP address
  #interface fastethernet29
   #switchport mode access
   #switchport ccess vlan 103
  Please let me know after this configuration
  Thanks
  Mehdi
  Please rate or mark as answered to help other Cisco Customers

• Trunking between Huawei S3900 and Cisco catalyst 3750

  One of my edge Huawei S3700  switches  is dead, I am going to replace it with a Cisco switch Catalyst 3750 series PoE-48 via a trunk link  with GE fiber port on both ends, please see the diagram below.
                                    trunk                     trunk
     Core switchrouter<----------S3700<--------------->Cisco Catlyst 3750
  I haven’t touch Cisco switch for many years, I would like to ask the following questions:
  1.)      Do I need to take any precaution before connecting this Cisco switch into my Huawei network? Only one link between S3700 and C3750, so I don't need worry anout STP? Do I need to worry about Default vlan regarding trunking port?
  2.)      I need to use different trucking protocol e.g. 802.1Q etc to interconnect these two switches (S3700-28TP-SI-AC and Catalyst 3750), please see the following configuration:
  For C3750:
  switchport trunk encapsulation dot1q
  switchport trunk native vlan (What you want)
  switchport trunk allowed vlan (VLANs required)
  switchport mode trunk
  spanning-tree portfast trunk
  For S3700:
   port link-type trunk
   port trunk permit vlan all
  Do you think the configurations above are right?
  Do I need to manually enter Duplex and speed options ?       
  3.)If the configurations are not right, then what are the commands for trucking port/link should I use on the Cisco switch (it uses IOS software) and Huawei switch?  Procedures of the commands would be really helpful !
  Any information and help would be much appreciated.
  Thanks
  Regards

  Hello
   3750 - basic config
   ================
  See as you are using this switch as an host switch you need to make sure ip routing isn't enabled ( it isn't by default)
  Also it looks like the s3700 Huawei switch is permitting all vlans and I assuming the default native vlan is 1 ( as is cisco) so no need to specify the native either.
  If you are requiring the access ports on this new cisco 3750 to be in multiple vlans then usually cisco to cisco interconnect would ultise VTP for vlan propagation however this wont occur between the Huawei switch, so you will need to manually add the vlans on the switch also.
  so to summarize below is a basic host switch config for 3750.
  conf t
  no ip routing
  hostname XXXXXX
  username xxxx privilege 15 secret xxxxxxx
  service password-encryption
  enable secret xxxxx
  security passwords min-length xx
  security authentication failure rate xx log
  aaa new-model aaa authentication login default local
  logging buffered 4096
  no service udp-small-servers
  no service tcp-small-servers
  service timestamps debug datetime msec localtime
  service timestamps log datetime msec localtime
  no ip domain-lookup
  spanning-tree mode rapid-pvst
  spanning-tree portfast bpduguard default
  int vlan x ( this may or not be vlan 1 - its whatever the L3 vlan interface is on the core switch for management connectivity)
  ip address x.x.x.x y.y.y.y.
  exit
  ip default-gateway x.x.x.x ( ip address of CORE SVI management interface)
  vlan x,x,x,x ( add the L2 vlans to the switch as vtp would not be used between the Huawei switch)
  exit
  int gigx/x
  Description Link to Huawei switch
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport nonegotiate
  no shut
  ( no need for spanning-tree portfast trunk- this is usually only for ESX host ports)
  int rang fa0/1 -48
  Description - Access-ports
  switchport host
  switchport access vlan x (wihout this defaults to vlan 1)
  no shut
  clock timezone gmt 0
  ntp peer
  ntp server x.x.x. prefer
  res
  Paul

• Catalyst 3750 12.2(25)SD1 and dual nics

  When a Catalyst 3750 stack master fails or leaves the stack, a cross-stack EtherChannel in trunk mode running Link Aggregation Control Protocol (LACP) protocol might stop forwarding traffic on some VLANs.
  The workaround is to enable the stack-mac persistent feature by using the stack-mac persistent timer global configuration command. You can also use the shutdown interface configuration command and then the no shutdown command on the EtherChannel interface.
  Network Infrastructure: LAN Routing and Switching
  I have upgrade a Catalyst 37024 TS 2 switch stack to 12.2(25)SED1 from 12.1(14)EA. The switch has an Alpha Server Custer connected to it the cluster has two servers each having two nics . There is a active server which has an application IP address and each server has a Server IP address one nic active ata time.
  All worked ok upto the upgrade. Now every night when the backup runs noone can access the application ip address or the acive server address but te offline server is pingable. This is only for devices outside the serrver VLAN. Devices within the server VLAN can hapily ping any address.
  I thought this was arouing issue but all looks ok and the offline server can be pinged from any where.
  the active server nics areon 1/0/20 and 2/0/24
  Any one have any ideas?

  I forgot to add if I shut both interfaces an then do a no shout on both the issue is resolved until the next night.