Cisco 3850 and Licences for WLC??

Similar Messages

• Default username and password for WLC 5508 series

  Hi ,
  please let me know the default username and password for the below  WLC  device
  Model :
  AIR-CT5508-100-K9
  Image : AIR-CT5500-K9-7-0-230-0.aes                
  Regards
  Lerner 

  Password Recovery in WLC versions 5.1 and later
  If you forget your password in WLC version 5.1 and later, you can use the CLI from the serial console of the controller in order to configure a new user name and password.
  After the controller boots up, enter the Restore-Password command at the user prompt. This command is only accepted for the initial user login and becomes disabled after a user logs in. You are prompted to enter a new username/password, which can then be used to log into the controller and modify settings.

• Cisco ISE and authentication for 802.1x printer

  Hello
  What is the best practice to authenticate a 802.1x printer in Cisco ISE?
  The printer can store a certificate for authentication and support EAP-TLS.
  Thanks for answer.
  Marco

  EAP-TLS is the way to go. It is way way way more secure than MAB and profiling. However, the question is "How much of a hassle is it going to be to put a certificate on each printer?" Moreover, "What methods do I have (if any) to renew those certificates when they expire?" If have to manually generate a CSR and install a cert on each printer then it can quickly become an administrative overhead nightmare. With that being said, you can use MAB and profiling but just make sure that you lock down the access that those printers get. For instance, do they need access to the internet? Do they need access to anything else but the print server and/or open to all IPs access but only on the printing ports. 
  I hope this puts you in the right direction!
  Thank you for rating helpful posts!

• Cisco RV215W and support for Huawei E3276.

  I have a number of these devices, bought after testing that the combination did actually Work.
  Unfortunately our phone operator (Hi3G Denmark) has shipped the E3276 HiLink version, which seems not to be supported in the RV215W.
  Any possibility for support of the Huawei E3276 HiLink in the RV215W firmware?
  Best regards
  Kristian Hansen

  Khansen,
  I have reviewed the dongle list for Denmark support and you correct is not supported. If i may suggest try opening a support case with Small Business Support Center. Just keep in mind that demand for this particular dongle would have to be high to support it and add to list.
  Dongle list:
  https://supportforums.cisco.com/document/127976/rv215w-supported-dongle-modems

• 2602 AP and cisco 3850

  Hi,
  i would like to know if i could use the cisco 3850 as a pass through to register with cisco 5508 (flex connect) at our main site. at the moment i can see the AP registering to cisco 3850 and not 5508. if i plug in the ap to a cisco 2960 will connect to 5508 ?
  also which mode should it be if the above is possbile (Moblity controller mode or Mobility agent mode)
  Thanks

  Hi Raskia,
  Thanks for your reply. so if i go for option 1 can i still use mobility tunnel and mobility anchor feature. I need to for form a mobility tunnel to 5508 on the inside network and another tunnel to 4400 controller in the dmz (i know it has problems with tunnel to 4404 controller due to ios problems but if i can do to 5508 it will be fine)
  its a shame if i cant do the above i will have to remove the wireless feature and use it as l2 switch. when i do no wireless management inter x then does it remove the router (l3) bit of the router?
  Thanks

• Converged Access Design Help (Catalyst 3850 and WLC 5508...Mobility Oracle)

  Hello,
  I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new
  building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as
  well as the Wireless solution.
  At present, I have no issues in implementing the R&S infrastructure as it is very straight forward but it has implications on the deployment of
  the wireless solution which I explain further below. The R&S infrastructure comprises of the typical Core, Distribution, and Access layers and we
  are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning
  from distribution layer to core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
  Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a
  large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other
  the Secondary. The local distribution switch to which the WLC are connected also is the gateway for the SVIs for the SSIDs that are configured on
  the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly
  connected distribution switch which then routes it into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and
  support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
  Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated
  i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated
  between the two switches and their integrated controller.
  Yet, based on my understanding and research about Converged Access is that, ideally, the Catalyst 3850 will only run the Mobility Agent (MA)
  feature while a central controller would provide the Mobility Controller (MC) service. unfortunately, there are not enough licenses on the
  existing WLC 5508 nor can we migrate the new licenses that will facilitate such a split deployment.
  This means that I would need to configure the two Catalyst 3850 as independent MC and form a MG between them. I have done this and tested this
  already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work as this is simple but rather it is
  focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the
  state of their connections to the WLAN infrastructure.
  To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect
  to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new
  subnets need to be assigned to the SSIDs.
  As such, I have the following questions:
  Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means
  that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG
  as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally seperate WLAN network and follow on to
  the solution as per the next question. Please advise which is a better option?
  Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can
  then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD).
  Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
  Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
  Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more
  clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
  Regards,
  Amir

  Hi Amir,
  Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally seperate WLAN network and follow on to the solution as per the next question. Please advise which is a better option?
  I would configure them in the same mobility group. Also configure same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
  Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
  MO is not required (it is only for very large scale deployments)
  Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
  Yes, documents are hard to find :(
  These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
  http://mrncciew.com/2014/05/06/configuring-new-mobility/
  http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
  HTH
  Rasika
  *** Pls rate all useful responses ****

• Cisco 3850 WLC mac-filtering

  Hi:
  Cisco 3850 in WLC how to config mac-filtering
  thanks

  When you create a MAC address filter on WLCs, users are granted or       denied access to the WLAN network based on the MAC address of the client they       use.
  There are two types of MAC authentication that are supported on       WLCs:
  Local MAC authentication
  MAC authentication using a RADIUS           server
  With local MAC authentication, user MAC addresses are stored in a       database on the WLC. When a user tries to access the WLAN that is configured       for MAC filtering, the client MAC address is validated against the local       database on the WLC, and the client is granted access to the WLAN if the       authentication is successful.
  By default, the WLC local database supports up to 512 user entries.
  The local user database is limited to a maximum of 2048 entries. The       local database stores entries for these items:
  Local management users, which includes lobby           ambassadors
  Local network users, which includes guest users
  MAC filter entries
  Exclusion list entries
  Access point authorization list           entries
  Together, all of these types of users cannot exceed the configured       database size.
  To Know how to configure Mac filtering please go to the below link.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml

• Cisco 3850 Switch and Windows 7 IP Conflicts

  Team,
  Last evening (Christmas eve) we setup a pair of Cisco 3850 with IP Base version 3.3.35SE (recommended) and 3.7.0E (very latest).
  We got these to replace a very old switch that had died. Attached to this network are windows 7 PC's with all the standard patches, service packs, etc.
  with standard port configs - no PC would work - and in fact on each screen we got the windows 7 IP Conflict pop up box.
  This seemed very odd to us, as we know these IP's are all static (no dhcp on this segment at all)
  we went with a very vanilla config on each port
  interface g1/0/1
  switchport host
  that is it - nothing special at all.
  well, after hours of research we found the 3850 has a problem where its "ip device tracking" (even though disabled, by way of NOT being enabled on any interface) will effect the windows 7 PC's ip address in use detection port start up phase!
  This is a very big problem. I am frankly SHOCKED Cisco would release a major switch that is going to not work when connected to the average network with windows 7 PC's.
  we tried 3+ hours of prescribed work-arounds found when researching this issue -
  ip device tracking probe delay 10 (global config)
  ip device tracking max 0 (disabed, on interface)
  finally,
  nmsp attach suppress (interface, however this appears to be a default command in all IOS-XE versions we tried, as the command did NOT show in the show run) . this effected many different nic card vendors (laptops, desktops) and nic card drivers levels from old to very recent.
  Finally,
  we compared a 3850 in another location to this one - and we never got HIT by this problem before because that 3850 only as TRUNK ports and no windows 7 hosts directly attached.
  Doing more research, I found out this also can effect vmware guests running windows SERVER.
  this is now a huge issue as we have a scheduled deployment of 3850's throughout our network which is going to be put on hold.
  the work-around I came up with which is not great is -
  Make ALL the "access" ports connected to PC TRUNK ports and leave the NATIVE vlan (untagged) as the vlan you want the PC's to be in
  interface g1/0/1
  switchport mode trunk
  switchport trunk native vlan 1
  this is NOT an acceptable workaround as this presents security issues even with
  switchport trunk allowed vlan 1, etc. as the only allowed vlan.
  Note: this issue manifested itself and windows 7 PC's were UNABLE to use the network. if you do "ipconfig /all | more" you would see
  192.168.0.140(duplicate) and the interface would actually use 169.254.0.239(duplicate) so the duplicate message appeared twice in the output.
  1) With and without an SVI interface on each 3850 for the vlan where the windows 7 machines had a duplicate
  2) when we had an SVI and the command ip device tracking probe use-svi (or whatever the hidden command is I forget now, but it took it)
  3) when we had aaa new-model configured - and not configured - thinking this was some artifact of having aaa turn on something like 802.1x port state
  4) when could confirm NO DHCP SNOOPING
  5) when we DID not use static IP's - and had the switch assign DHCP addresses - the Windows 7 PC's STILL had duplicates and didnt work for their "Just leased" ip's.
  6) when we could confirm ios-xe ip device tracking = disabled with show ip device tracking status, etc.
  This is a major problem for this 3850 and unless we get a definitive answer on why this is happening and how we can rectify we are going to have to return our 3850's and get HP Procurve's something I would rather avoid doing. There is NO REASON I can imagine other than older switches who's ports default to ROUTED ports (i.e.. no ip switchport) where a switch should not at least function as a bare switch with essentially a default configuration out of the box.
  Any ideas? I'm working well now with the ports ALL in trunking mode with vlan 1 native, but this is not a scalable workaround we can live with as we have security risks of a port not blocking certain vlans from going out ports to pc's, etc. that attackers could send tags on at that point, etc.
  thanks,
  Joe Brunner
  #19366

  thanks for replying - i'm not onsite (its a standalone network) - but here is what it is -
  Answers in line -
  This all stems from a switch replacement correct?
  yes a 10 year old Allied Telesyn switch was replaced that had no config - like a hub, just used for connectivity.
  Are these 3850's in a stack?
  >yes, tested all aspects of the stack many times.
  Does it have a managment ip address -If so, is it using the old switch ip address
  >old switch had no ip - i made a "management interface" on vlan 1 - BUT no ip on the built-in management interface on the switch.
  What are they connecting to? (a router/L3 switch/anohter switch- cisco-HP etc..)
  >various other devices - only 1 link back to a single 3750x stack. that switch is "hardened" so to speak to reveal or propagate very little by design.
  How are they connected( L3 interface/L2 trunk/access port)
  >all ports are left in trunk mode with vlan 1 as the active and untagged port. this was the workaround done to ever get the switch going. in "out of the box" or default mode as we initially wanted (no config) links to windows 7 PC's didnt work. links to linux or other devices non-windows did work!
  Are thse switches performing inter-vlan routing or just acting as host switches?
  >dumb flat network, no routing.
  Is ip routing enabled?
  >not unless enabled on 3850 by default. I didnt type "ip routing"
  Do you have multiple vlans in your network and if so ar ethe being propergated to these new switches?
  Your 7 pcs = are they just client pcs not servers?
  client PC's - no servers OS per say.
  can you confirm something like ICS isnt enabled (Internet connection sharing)  on any of them?
  >yes not enabled.
  Are the just using one NIC each?
  > one machine is dual homed - but we know where its "second nic" goes - to another cisco network which is NOT connected back to this one. we traced all our ports a few times thinking even perhaps some small hub was "reflecting" traffic back to us - like a blackbox. Strangest thing -
  default config out of the box - with ALL ports SHUTDOWN EXCEPT the single windows 7 facing port - the windows 7 machine STILL registered an IP CONFLICT when connected to the 3850 - even when it had NO SVI's!!! (i know mind numbing). if you disconnected the pc and connected it to an old cisco switch - it worked fine!!! wow.
  sh switch
  2 identical 3850's in working stack. power and network stacked. both at same version, etc - upgraded each time with "software install file flash:<long ios name>.bin
  tested all power and general 3850 stacking. saw no issues.
  sh int trunk
  >all ports are now trunks (hence the workaround used to get it up).
  has 20 trunks to PC's and some single connected switches (far away on fiber) - all allow only vlan 1 - no other vlans were created - very very simple network. vlan 1 is native
  sh vlan brief
  >just vlan 1 - no vlans created, checked this many times - had vlan 100 at one point - made sure it was gone over a period of hours.
  sh vtp status
  not setup - left complete default; no vtp domain set - connected to all switches in transparent model if a switch connection exists.
  sh cdp neighbours
  cant post (for god and country LOL) but there is one link back to our "core" so to speak - that switch is hardened not to allow any settings to slip over to new switches so hence no vtp, cdp is one to help troubleshooting.
  sh ip route
  just the L and C routes for the vlan 1 ip address 192.168.17.1/24
  no static routes
  no vlan interfaces other than int vlan 1
  no ip address on g0/0/0 -> the default 3850 management interface hard assigned to the 3850 VRF you cant remove.
  int g0/0/0
  ip vrf forwarding Switch_Mgmt
  i can get over there if you think of anything else key to show the group.
  thanks,
  Joe

• Emergency Responder and Cisco 3850 Switches

  I'm running Cisco ER V8.5, and recently installed new Cisco 3850 Switches. All the phones connected to the 3850 switches show a "unlocated" status. I've check the hardware compatibility Matrix for ER V8.5 and the 3850 is not on it.
  What are my options for locating these phones in ER and assigning them to an ERL. Manually defining the phones? Is there a patch or update to ER V8.5 that would make a 3850 compatible?

  I haven't used the 3850's with ER yet so can't speak to that specifically, but generally speaking you have more flexibility using location by subnets vs switches.  Scalability-wise, you can add way more subnets than switches.  There's more going on under the hood if you're locating by switches so the process overhead is greater.
  The only downside with using subnets is if you need to get more granular with your locations than your deployed subnets allow (ie a single voice subnet for an entire building but you need to define and assign locations at the floor level).  As long as you've been a little forward thinking on the route/switch side, you'll be fine.
  hope that helps,
  will

• Generate Certificates for WLC and clients

  Hi Guys
  I've been working acording the following document to integrate my WLC 5508 with LDAP for internal users:
  http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
  However when I try to generate the device certificate on Windows Server 2012, I see the steps are different, for example when I reach the step 4 (of Generate a Device Certificate for the WLC section), the CA ask me for a Certificate Signing Request instead of Create and submit request to this CA option, as appears in the document.
  How do I get this? 
  Thanks in advance for your support!
  Marcelo

  Hi,
  If you are trying to get a device certificate for WLC, then you may need to use 3rd party software like openSSL for this.
  Below post may help you to see how you can do this
  http://mrncciew.com/2013/04/22/configuring-eap-tls-on-wlc/
  HTH
  Rasika
  *** Pls rate all useful responses ****

• Cisco 3850 SSO and NSF failover time

  Dear Member,
  I m trying to setup a network with few second fail-over with Cisco 3850 stack, C3850 support SSO and NSF on OSPF.
  However, when the Master fails, Slave take up the role and re-learn routing information and around 10 sec to fail-over.
  May any brothers have this experience and 10 sec fail-over should be the normal behavior or can be enhance?
  Attach diagram for reference.
  Regards
  Russ

  Great, adding the following command and only have 1 ping loss with end to end.
  =========================
  Stack-mac persistent timer 0
  router ospf 1
  nsf cisco enforce global
  ========================

• Looking for Cisco 3850 power-stack OID

  Hi all,
  Does anyone know the OID for the Powerstack interfaces of the Cisco 3850?
  It is not the normal ifentry like the data-stacking cables!
  Thanks
  Willem

  Hi,
  See this information below:
  24-Port PoE Switch
  48-Port PoE Switch
  PoE on all ports (15.4W per port)
  One PWR-C1-715WAC
  One PWR-C1-1100WAC or two PWR-C1-715WAC
  PoE+ on all ports (30W per port)
  One PWR-C1-1100WAC or two PWR-C1-715WAC
  Two PWR-C1-1100WAC or one PWR-C1-1100WAC and one PWR-C1-715WAC
  http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/data_sheet_c78-720918.html
  Hope this helps.

• Sample configuration of IME 7.0 with NME-IPS-K9 and How to get licence for NME-IPS-K9?

  Dear all,
  I already installed NME-IPS-K9 with Cisco Router 2821 series successfully and I used IME(Cisco IPS Manager Express 7.0.1) to configure NME-IPS-K9 but I never try with this before. I have some issue need everyone help:
  1. Could you share the sameple for configuring IME with NME-IPS-K9 to monitor and manage all network traffice or package that attack to NME-IPS-K9?
  2. Could you show me how to get licence for NME-IPS-K9?
  Thanks everyone for your time to help me and share your great ideas.
  I am really appreciated and  looking for forward to hearing response from you all.
  With my warm regards,
  Sarem Phy
  H/P:092562530

  CPU 100% on the NME-IPS module is normal. It will always show 100%. CPU on IPS is not related to the inspection load.
  To check if the IPS module is overloaded, please check the "Inspection Load" speedometer.

• How to configure one dsl connection and one public ip in cisco router and map to one interface for using exchange server

  how to configure one dsl connection and one public ip in cisco router and map to one interface for using exchange server

  Hi ,
   Have you got any additional public IP Address from your service provider , If yes on router you can have static route for those additional IP Address pointing to your ASA  outside interface . 
  Accordingly you can configure NAT 
  HTH
  Sandy . 

• User Name and Password for Cisco Prime Infrastructure 2.1

  Hi all:
  I am stuck at the login page of Cisco Prime Infrastructure 2.1.
  I have tried using the user name root and its password (when log in with root at Vsphere Client) and also the login user name "before" get into the appliance infrastructure, all cannot work.
  Anybody knows what is the default username or password or any way to set the username and password for this Cisco Prime Infrastructure 2.1 website?
  Thanks!
  tangsuan

  Hi Tangsuan,
  Following is the documented procedure for password recovery..
  In order to modify the GUI root user password, you will need to login to the NCS CLI
  as an admin user, and enter the command
  "ncs password root password <new password>" (without the quotes)
  This should set the web interface root user password :
  http://www.cisco.com/en/US/docs/wireless/ncs/1.1/configuration/guide/manag.html#wp1268889
  If you have lost your CLI password , try the default logging that is  ,
  CLI user is admin and not root, so please try logging in as admin with
  the password that was set during setup. If that does not work , you need
  the install disk that came with the appliance to recover that password.
  Follow these steps:
  Recovering a Lost Admin Password
  If you lose or forget the admin password for NCS appliance, follow these steps.
  Step 1 Reboot the NCS appliance with the ISO DVD inserted. The Cisco Prime Network Control
  System Welcome screen appears:
  ISOLINUX 3.11 2005-09-02  Copyright (C) 1994-2005 H. Peter Anvin
               Welcome to Cisco Prime Network Control System
  To boot from hard disk, press <Enter>.
  Available boot options:
     [1] Network Control System Installation (Keyboard/Monitor)
     [2] Network Control System Installation (Serial Console)
     [3] Recover administrator password. (Keyboard/Monitor)
     [4] Recover administrator password. (Serial Console)
  <Enter> Boot existing OS from Hard Disk.
  Enter boot option and press <return>.
  boot:
  Step 2 Select the desired recovery option, 3 or 4, depending on how you
  are connected to the appliance and then follow the prompts.
  Thanks-
  Afroz
  ***Ratings Encourages Contributors ****