Cisco 3850 - Direct Connect APs

Can you non-directly connect APs to a 3850? For example, if you had multiple offices within one branch site and your 3850 MC was in the server rack and had 2960s in the other offices, could you connect your APs to the 2960 switch and have them joined to the 3850 MC?
I've read that APs need to be directly connected to the 3850; however, it supports flexconnect?
Would appreciate if anyone could shed some light.
Thanks,

3850 won't support flexconnect. Also, you have to directly connect the AP to the 3850 (not via transient switches like 2960).
Refer to this Q&A to find the answer to both of your queries:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/qa_c67-722110.html
HTH
Rasika

Similar Messages

  • Catalyst 3650 as MC with non-directly connected APs

    Hello,
    I have a Catalyst 3650 operating as a Mobility Controller.  I had to change the interfaces on the 3650 that connected to the access points to explicit access ports (switchport mode access).  Before that command was configured, the APs sporadically dropped from the controller - now they are fine.  I have a few other APs in the building that cannot be directly connected to the 3650, but need to terminate CAPWAP with it.  The uplink from another switch (Access Switch 1) to the 3650 is a trunk, and the port from Access Switch 1 to the AP is an access port; however, I am getting the same message in the 3650's logs about it not being an access port and the AP is dropping connection to the MC.
    How can I properly terminate CAPWAP from an AP connecting to Access Switch 1 through a trunk to the 3650 operating as a Mobility Controller?
    Thanks

    With the 3850, the AP needs to be directly connected to the switch for it to be able to terminate the CAPWAP tunnel.  If your other closet switch is a 3850, you can put it in MA mode, and build the SPG to the MC.
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/deployment_guide_c07-727067.html
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • WLC 2504, directly connected APs

    I need to configure a 2504 wlc and two 1142 APs that I want to connect directly to the wlc. I've heard I can't use the PoE on port 3 and 4. If so, can I use power injectors instead?
    I can't seem to get the APs to speak to the wlc. Using the example below, how would I go about configuring this, and when do I need to enable Dynamic AP Management? Appreciate all suggestions.
    Example:
    mgmt vlan 10
    guest vlan 20
    employee vlan 30
    Wlan: Guest
    Wlan: Employee

    You can use the PoE ports, but it is not Cisco supported. The AP will have to obtain an IP address on the same vlan as the wlc management interface.
    Thanks,
    Scott Fella

  • Cisco 3850 VLANs

    I have two Cisco 3850 switches that I cannot get to talk to one another over VLAN routing. I appear to have everything configured correctly but the VLAN traffic is not passing over the trunk. I have included both configurations. I cannot get traffic between VLAN 6 and 7. Any possible assistance is appreciated.
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.07.16 14:23:41 =~=~=~=~=~=~=~=~=~=~=~=
    User Access Verification
    Password:
    Switchen
    Password:
    Switch#sho ru w run
    Building configuration...
    Current configuration : 5138 bytes
    ! Last configuration change at 17:58:01 UTC Thu Jul 16 2015
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    hostname Switch
    boot-start-marker
    boot-end-marker
    vrf definition Mgmt-vrf
    address-family ipv4
    This topic first appeared in the Spiceworks Community

    Hi 
    You can't register any AP to a 3850 unless those APs are directly connected to your 3850. So you won't be able to register a remote site's AP to the central site 3850.
    If you have directly connected APs and are having issues with registering them to the 3850, please refer to the post below.
    http://mrncciew.com/2013/09/29/getting-started-with-3850/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Direct Connect OSPF and BGP AWS failover setup

    Hi,
    We recently installed AWS Direct Connect, which was successful, but now we are looking at the best way to automatically fail over if our Direct Connect fails to route via our back VPN.
    The setup
    Cisco 6500 distributes routes via OSPF internally to all production environments with one area set.
    A second Cisco 2901 was installed to support the AWS Direct Connect, which uses BGP with a single ASN. This router is connected to the Cisco 6500 and is now within the OSPF area. Static routes exist to the Cisco 2901 currently, which unless we physically detach from the network failover won't work.
    What we want to achieve
    The Cisco 2901 Direct Connect to be the default AWS route until we have a link issue or alike and dynamically fail over to our VPN via the firewall to AWS. What we are confused about is: do we advertise these BGP routes within OSPF, or should we set up BGP on the Cisco 6500?
    I appreciate your time.


  • Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

    Hi friends,
    Here is the configuration in my router C1841 for the Cisco IPsec remote access VPN. I was able to establish a VPN session properly, but thereafter I can only reach up to the inside interfaces of the router, but not the LAN devices.
    Below is the output from the router
    r1#sh run
    Building configuration...
    Current configuration : 3488 bytes
    ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
    ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
    version 15.1
    service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname r1
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
    aaa new-model
    aaa authentication login local-console local
    aaa authentication login userauth local
    aaa authorization network groupauth local
    aaa session-id common
    dot11 syslog
    ip source-route
    ip cef
    ip domain name r1.com
    multilink bundle-name authenticated
    license udi pid CISCO1841 sn FHK145171DM
    username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
    username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group ra-vpn
    key xxxxxx
    domain r1.com
    pool vpn-pool
    acl 150
    save-password
      include-local-lan
    max-users 10
    crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
    crypto dynamic-map RA 1
    set transform-set my-vpn
    reverse-route
    crypto map ra-vpn client authentication list userauth
    crypto map ra-vpn isakmp authorization list groupauth
    crypto map ra-vpn client configuration address respond
    crypto map ra-vpn 1 ipsec-isakmp dynamic RA
    interface Loopback0
    ip address 10.2.2.2 255.255.255.255
    interface FastEthernet0/0
    bandwidth 8000000
    ip address 117.239.xx.xx 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map ra-vpn
    interface FastEthernet0/1
    description $ES_LAN$
    ip address 192.168.10.252 255.255.255.0 secondary
    ip address 10.10.10.1 255.255.252.0 secondary
    ip address 172.16.0.1 255.255.252.0 secondary
    ip address 10.10.7.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpn-pool 172.18.1.1   172.18.1.100
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip dns server
    ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
    ip nat inside source list 100 pool INTERNETPOOL overload
    ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
    access-list 100 permit ip 10.10.7.0 0.0.0.255 any
    access-list 100 permit ip 10.10.10.0 0.0.1.255 any
    access-list 100 permit ip 172.16.0.0 0.0.3.255 any
    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
    access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
    access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
    control-plane
    line con 0
    login authentication local-console
    line aux 0
    line vty 0 4
    login authentication local-console
    transport input telnet ssh
    scheduler allocate 20000 1000
    end
    r1>sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
          10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
    C        10.2.2.2/32 is directly connected, Loopback0
    C        10.10.7.0/24 is directly connected, FastEthernet0/1
    L        10.10.7.1/32 is directly connected, FastEthernet0/1
    C        10.10.8.0/22 is directly connected, FastEthernet0/1
    L        10.10.10.1/32 is directly connected, FastEthernet0/1
          117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
    L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
          172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.16.0.0/22 is directly connected, FastEthernet0/1
    L        172.16.0.1/32 is directly connected, FastEthernet0/1
          172.18.0.0/32 is subnetted, 1 subnets
    S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
          192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.10.0/24 is directly connected, FastEthernet0/1
    L        192.168.10.252/32 is directly connected, FastEthernet0/1
    r1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
    IPv6 Crypto ISAKMP SA
    r1 #sh crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: giet-vpn, local addr 117.239.xx.xx
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
       current_peer 49.206.59.86 port 50083
         PERMIT, flags={}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x550E70F9(1427009785)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x5668C75(90606709)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550169/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x550E70F9(1427009785)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550170/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:

    Hi Maximilian Schojohann,
    First I would like to thank you for showing interest in solving my issue. After some research I found that disabling "IP CEF" will solve the issue. When I disable it I am able to communicate successfully with the router LAN. But when I disable "IP CEF" the router CPU processor goes to 99% and hangs.
    In the output of "sh process cpu" it shows 65% of utilization from "IP INPUT".
    So please give me an alternate solution. Thanks in advance.

  • Cisco 2504 OEAP NAT directly connect AP's no ip

    I setup my 2504 to work with OEAP.  When I enabled NAT on the management interface the one AP I have directly connected to the WLC is no longer getting an IP address.  Any idea why this is?

    First, it is not recommended to have an AP directly connected to the WLC; you really need to connect it to an upstream switch and let it connect that way.
    My first thought would be that you need to take a look at the link below that talks about how the NAT ip commands work.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/command/reference/cli70MR1commands.html#wp14087790
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Cisco 3850 Mobility Agent unable to connect clients

    Hi
    We are trying to use Cisco 3850 as Mobility agents with 5760. We can't seem to get the clients to authenticate to the radius server. We don't even see them appear in the radius logs.
    We have defined the radius server and the profile
    wlan Wireless 2 WAP
    aaa-override
    accounting-list Radius
    client vlan wireless
    security dot1x authentication-list Radius
    session-timeout 1800
    no shutdown
    radius server Primary
    address ipv4 x.x.x.x auth-port 1812 acct-port 1813
    timeout 5
    retransmit 2
    key 7 ........
    radius server Primary
    address ipv4 x.x.x.x port 1812 acct-port 1813
    timeout 5
    retransmit 2
    key 7 .........
    The client appears to connect to the AP but can't authenticate so gets kicked off
    If we do a test aaa group username password then it says that it's successful.
    In the debug we get 802.1X required but then it never seems to get any further.

    Alright, so I finally figured out the issue with this. I had a Mobility Anchor set on the guest WLAN and once I removed that all started working again.
    What is Mobility Anchor?
    A. Mobility Anchor, also referred to as Guest tunneling or Auto Anchor Mobility, is a feature where all the client traffic that belongs to a WLAN (Specially Guest WLAN) is tunneled to a predefined WLC or set of controllers that are configured as Anchor for that specific WLAN. This feature helps to restrict clients to a specific subnet and have more control over the user traffic. Refer to the Configuring Auto-Anchor Mobility section of Cisco Wireless LAN Controller Configuration Guide, Release 7.0 for more information on this feature.

  • Cannot ping Cisco C series server using direct connect to UCSM

    We have connected 2 Cisco C series servers (VIC 1225 Cards) with direct connect to Fabric Interconnects and managed via UCSM but cannot get network working.
    Service profiles have been created and pushed with only 1 VLAN and the default VLAN as native but cannot communicate with IP address configured.  Mac address is learnt at the Nexus 5K northbound switches.  Seems to be a VLAN tagging issue somewhere

    We do not use the CIMC as the server is all managed from UCSM and the CIMC has to be set to default for this mode
    Sorry I was not clear; I mean of course that even with UCSM, your C-series server will get an IP address for CIMC, which is used if you open a KVM session. You should be able to ping this IP address.

  • Cisco prime 2.1 not showing wired clients connected to Cisco 3850 switches

    Hello All,
    I have around 80 Cisco 3850 switches at a customer network and they are using prime infrastructure 2.1.2 to manage these devices. Most of the features are working fine except that the prime does not show the wired clients connected to the switches. The wireless clients are shown properly but not the wired clients. Their core switches are nexus 7k. The SNMP configuration on the switches is as follows.
    snmp-server group xxxx  v3 priv write xxxx-VIEW-WR
    snmp-server view xxx-VIEW-WR mib-2 included
    snmp-server trap-source Vlan100
    snmp-server host x.x.x.x version 3 priv testuser
    Please help me to resolve this issue.
    Shabeeb

    I managed to get the end hosts connected in 3850 switches with the use of the snmp context command. But now the issue is that prime is showing only the mac address of the device, not the IP address.
    Is there any way to resolve this issue?

  • Cisco 3850 SSID qos

    Hello all)
    I have the task to configure QoS for SSID. I have 1602E points and 4 SSIDs per point. I want to prioritize one of them. APs are connected to cisco 3850. Please help me how can I do it?

    Bandwidth and Priority Management at SSID Level
    The next step is to take care of the QoS policy at the SSID level. This step applies to both the Catalyst 3850 switch and to the 5760 controller. This configuration assumes that voice and video traffic is identified through the use of class-map and access-lists and is tagged properly. However, some incoming traffic that is not targeted by the access-list may not display its QoS marking. In that case, you can decide if this traffic should be marked with a default value or left untagged. The same logic goes for traffic already marked but not targeted by the class-maps. Use the default copy statement in a table-map in order to ensure that unmarked traffic is left unmarked and that tagged traffic keeps the tag and is not remarked.
    Refer to the link for the complete configuration: www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116479-configure-qos-00.html#anc15

  • Cisco 3850 Switch and Windows 7 IP Conflicts

    Team,
    Last evening (Christmas eve) we setup a pair of Cisco 3850 with IP Base version 3.3.35SE (recommended) and 3.7.0E (very latest).
    We got these to replace a very old switch that had died. Attached to this network are windows 7 PC's with all the standard patches, service packs, etc.
    with standard port configs - no PC would work - and in fact on each screen we got the windows 7 IP Conflict pop up box.
    This seemed very odd to us, as we know these IP's are all static (no dhcp on this segment at all)
    we went with a very vanilla config on each port
    interface g1/0/1
    switchport host
    that is it - nothing special at all.
    well, after hours of research we found the 3850 has a problem where its "ip device tracking" (even though disabled, by way of NOT being enabled on any interface) will affect the windows 7 PC's ip address in use detection port start up phase!
    This is a very big problem. I am frankly SHOCKED Cisco would release a major switch that is going to not work when connected to the average network with windows 7 PC's.
    we tried 3+ hours of prescribed work-arounds found when researching this issue -
    ip device tracking probe delay 10 (global config)
    ip device tracking max 0 (disabled, on interface)
    finally,
    nmsp attach suppress (interface, however this appears to be a default command in all IOS-XE versions we tried, as the command did NOT show in the show run). This affected many different nic card vendors (laptops, desktops) and nic card driver levels from old to very recent.
    Finally,
    we compared a 3850 in another location to this one - and we never got HIT by this problem before because that 3850 only has TRUNK ports and no windows 7 hosts directly attached.
    Doing more research, I found out this also can affect vmware guests running windows SERVER.
    this is now a huge issue as we have a scheduled deployment of 3850's throughout our network which is going to be put on hold.
    the work-around I came up with which is not great is -
    Make ALL the "access" ports connected to PC TRUNK ports and leave the NATIVE vlan (untagged) as the vlan you want the PC's to be in
    interface g1/0/1
    switchport mode trunk
    switchport trunk native vlan 1
    this is NOT an acceptable workaround as this presents security issues even with
    switchport trunk allowed vlan 1, etc. as the only allowed vlan.
    Note: this issue manifested itself and windows 7 PC's were UNABLE to use the network. if you do "ipconfig /all | more" you would see
    192.168.0.140(duplicate) and the interface would actually use 169.254.0.239(duplicate) so the duplicate message appeared twice in the output.
    1) With and without an SVI interface on each 3850 for the vlan where the windows 7 machines had a duplicate
    2) when we had an SVI and the command ip device tracking probe use-svi (or whatever the hidden command is I forget now, but it took it)
    3) when we had aaa new-model configured - and not configured - thinking this was some artifact of having aaa turn on something like 802.1x port state
    4) when could confirm NO DHCP SNOOPING
    5) when we DID not use static IP's - and had the switch assign DHCP addresses - the Windows 7 PC's STILL had duplicates and didn't work for their "Just leased" ip's.
    6) when we could confirm ios-xe ip device tracking = disabled with show ip device tracking status, etc.
    This is a major problem for this 3850 and unless we get a definitive answer on why this is happening and how we can rectify we are going to have to return our 3850's and get HP Procurve's something I would rather avoid doing. There is NO REASON I can imagine other than older switches whose ports default to ROUTED ports (i.e.. no ip switchport) where a switch should not at least function as a bare switch with essentially a default configuration out of the box.
    Any ideas? I'm working well now with the ports ALL in trunking mode with vlan 1 native, but this is not a scalable workaround we can live with as we have security risks of a port not blocking certain vlans from going out ports to pc's, etc. that attackers could send tags on at that point, etc.
    thanks,
    Joe Brunner
    #19366

    thanks for replying - i'm not onsite (its a standalone network) - but here is what it is -
    Answers in line -
    This all stems from a switch replacement correct?
    yes a 10 year old Allied Telesyn switch was replaced that had no config - like a hub, just used for connectivity.
    Are these 3850's in a stack?
    >yes, tested all aspects of the stack many times.
    Does it have a management ip address -If so, is it using the old switch ip address
    >old switch had no ip - i made a "management interface" on vlan 1 - BUT no ip on the built-in management interface on the switch.
    What are they connecting to? (a router/L3 switch/another switch- cisco-HP etc..)
    >various other devices - only 1 link back to a single 3750x stack. that switch is "hardened" so to speak to reveal or propagate very little by design.
    How are they connected( L3 interface/L2 trunk/access port)
    >all ports are left in trunk mode with vlan 1 as the active and untagged port. this was the workaround done to ever get the switch going. in "out of the box" or default mode as we initially wanted (no config) links to windows 7 PC's didn't work. links to linux or other devices non-windows did work!
    Are these switches performing inter-vlan routing or just acting as host switches?
    >dumb flat network, no routing.
    Is ip routing enabled?
    >not unless enabled on 3850 by default. I didn't type "ip routing"
    Do you have multiple vlans in your network and if so are they being propagated to these new switches?
    Your 7 pcs = are they just client pcs not servers?
    client PC's - no servers OS per se.
    can you confirm something like ICS isn't enabled (Internet connection sharing)  on any of them?
    >yes not enabled.
    Are the just using one NIC each?
    > one machine is dual homed - but we know where its "second nic" goes - to another cisco network which is NOT connected back to this one. we traced all our ports a few times thinking even perhaps some small hub was "reflecting" traffic back to us - like a blackbox. Strangest thing -
    default config out of the box - with ALL ports SHUTDOWN EXCEPT the single windows 7 facing port - the windows 7 machine STILL registered an IP CONFLICT when connected to the 3850 - even when it had NO SVI's!!! (i know mind numbing). if you disconnected the pc and connected it to an old cisco switch - it worked fine!!! wow.
    sh switch
    2 identical 3850's in working stack. power and network stacked. both at same version, etc - upgraded each time with "software install file flash:<long ios name>.bin"
    tested all power and general 3850 stacking. saw no issues.
    sh int trunk
    >all ports are now trunks (hence the workaround used to get it up).
    has 20 trunks to PC's and some single connected switches (far away on fiber) - all allow only vlan 1 - no other vlans were created - very very simple network. vlan 1 is native
    sh vlan brief
    >just vlan 1 - no vlans created, checked this many times - had vlan 100 at one point - made sure it was gone over a period of hours.
    sh vtp status
    not setup - left complete default; no vtp domain set - connected to all switches in transparent model if a switch connection exists.
    sh cdp neighbours
    can't post (for god and country LOL) but there is one link back to our "core" so to speak - that switch is hardened not to allow any settings to slip over to new switches so hence no vtp, cdp is one to help troubleshooting.
    sh ip route
    just the L and C routes for the vlan 1 ip address 192.168.17.1/24
    no static routes
    no vlan interfaces other than int vlan 1
    no ip address on g0/0/0 -> the default 3850 management interface hard assigned to the 3850 VRF you cant remove.
    int g0/0/0
    ip vrf forwarding Switch_Mgmt
    i can get over there if you think of anything else key to show the group.
    thanks,
    Joe

  • Unable to change boot file on Cisco 3850

    I was working on a Cisco 3850 24 port switch today and I read that it doesn't use the normal "boot system flash:XYZ.bin" but instead it's something like this:
    "software install file flash:XYZ.bin new"
    That changes the install package or something which makes it boot in the newly selected package which contains the new IOS.  Anyway, when I put in that command I get something about "Failed to ...." or something.  I'm sorry but I'm at home now and I don't have the device with me and it just occurred to me to post this on the forum for possible help.  Either way, it specifically says "Failed..." as the first word which is not what it should normally say.
    I used these directions:
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/deployment_guide_c07-727067.html#wp9000169
    I am in Install mode.  Can anyone help me figure out why this is happening before my outage window on Sunday night?  I've downloaded the new version of the IOS from Cisco.com and verified it is currently located in the flash of this device. 
    Thanks for any help you can provide!

    Joshua,
    Please find a quick guide on upgrading and booting; see below as a reference.
    Recovering from a 3850 boot failure.
    There are multiple reasons a 3850 may fail to boot correctly including a corrupt boot image, a corrupt packages.conf file, missing files, etc.  Below are a few different possible recovery methods to try.  I will also explain the two possible mode options, Install and bundle and why you might want to use one or the other.
    Install vs. Bundle Mode
    There are a few differences in the two modes; I would recommend reading over the config guide for more in-depth details. The recommended mode during operation is INSTALL mode because it allows for more features and requires fewer resources when booting.
    ++Install Mode
    This is the out-of-the-box mode that your switch will be in.  INSTALL mode uses a package provisioning file named packages.conf to boot the switch.
    If you happen to be in bundle mode upon boot, you can simply boot your switch in install mode by booting the software package provisioning file that resides in flash. If packages.conf doesn't exist in flash, you need to expand the bundle into the flash file system by running
    Switch# software expand file flash:cat3k_caa-universalk9.SPA.03.02.02.SE.150-1.EX2.bin to flash:
    Once this completes, you will have all the needed files in flash. You can then change the boot statement to boot to packages.conf
    Switch#Config t
    Switch(config)# no boot system
    Switch(config)# boot system switch all flash:packages.conf  (do not modify this file, unless necessary)
    Switch(config)# end
    Switch#write memory
    The provisioning file contains a list of software packages to boot, mount, and run. The ISO file system in each installed package is mounted to the root file system directly from flash.
    NOTE **Auto-upgrade is disabled, by default. (once in install mode - execute the following command in global config: software auto-upgrade enable )
    NOTE **Auto-upgrade includes an auto-copy process and an auto-extract process.
    ++Bundle Mode
    As noted previously, bundle mode consumes more memory than booting in install mode because the packages are extracted from the bundle and copied to the RAM.  If you decide to convert to bundle mode, you will first need to download the .bin file from CCO if you don't already have it in flash.  Once in flash, you can simply change your boot statement to point to the (.bin) file:
    Switch#Config t
    Switch(config)# no boot system
    Switch(config)# boot system switch all flash:cat3k_caa-universalk9.SPA.03.02.02.SE.150-1.EX2.bin
    Switch(config)# end
    Switch#write memory
    The provisioning file contained in a bundle is used to decide which packages to boot, mount, and run. Packages are extracted from the bundle and copied to RAM.
    NOTE **Auto install and smart install functionality is not supported in bundle boot mode.
    Recovery Methods
    USB
    The 3850 has a USB port on the front that can be used for both console access and also the ability to utilize a flash drive for image backup and recovery.
    If you happen to be stuck at the switch: prompt with a corrupt image or .conf file, you can easily boot to a file stored on the USB drive.
    1. Verify that the flashdrive is recognized and the .bin file exists
    switch: dir usbflash0:
    Directory of usbflash0:/
    74  -rw-  223734376  cat3k_caa-universalk9.SPA.03.02.02.SE.150-1.EX2.bin
    2. Boot to the USB image
    switch: boot usbflash0:cat3k_caa-universalk9.SPA.03.02.02.SE.150-1.EX2.bin
    Corrupt packages.conf
    I've seen instances in which packages.conf continually calls files that no longer exist in flash.  You can boot to an image from ROMMON just fine, however upon reload it will call packages.conf again and fail to boot.  If this happens, I recommend backing up the existing packages.conf file by renaming it or deleting it altogether.  NOTE: The previous step is mandatory as the next step will fail if a .conf file already exists.  You can then run a BUNDLE extract which will create a new packages.conf file.
    1. Once booted up (in BUNDLE mode) verify the files in flash
    Switch#dir flash:
    Directory of flash:/
    15500  -rwx        1243   Aug 1 2013 07:04:02 +00:00  packages.conf
    2. Copy or rename the existing packages.conf file
    Switch#copy flash:packages.conf flash:packages.conf.bad
    Destination filename [packages.conf.bad]?
    Copy in progress...C
    1243 bytes copied in 0.140 secs (8879 bytes/sec)
    Switch#dir flash:
    Directory of flash:/
    15500  -rwx        1243   Aug 1 2013 07:04:02 +00:00  packages.conf
    15502  -rw-        1243   Aug 1 2013 11:53:51 +00:00  packages.conf.bad
    3. Delete packages.conf
    Switch#del flash:packages.conf
    Delete filename [packages.conf]?
    Delete flash:/packages.conf? [confirm]
    4. Expand BUNDLE to create new packages.conf
    Switch#software expand running switch 1 to flash:
    Preparing expand operation ...
    [1]: Expanding the running bundle
    [1]: Copying package files
    [1]: Package files copied
    [1]: Finished expanding the running bundle
    5. Verify boot
    Switch#show boot
    Switch 1
    Current Boot Variables:
    BOOT variable does not exist
    Boot Variables on next reload:
    BOOT variable = flash:packages.conf;
    Manual Boot = no
    Enable Break = no
    6. Reload Switch
    switch#reload
    Reload command is being issued on Active unit, this will reload the whole stack
    Proceed with reload? [confirm]
    Emergency Recovery
    If all else fails, the 3850 has a "trap door" method of recovering the system.  All you need is a terminal connected to the management port of the 3850 running a tftp server.  Download a valid image file from CCO and store it in the root of the tftp server.
    On the switch, you are most likely stuck at the switch: prompt.  If however you are in some sort of boot loop, you can use the "mode" button on the front of the switch to break the cycle.  Simply hold the button for roughly 10 seconds and the switch should react by breaking the cycle and stopping at a switch: prompt. The following steps will walk you through the recovery:
    1. Set the switch IP
    switch:  set IP_ADDR 192.0.2.123/255.255.255.0
    2. Set the default gateway
    switch: set DEFAULT_ROUTER 192.0.2.1
    3. Test connectivity by pinging terminal (that contains the tftp server)
    switch: ping 192.0.2.1
    ping 192.0.2.1 with 32 bytes of data ...
    Host 192.0.2.1 is alive.
    4. Verify that the emergency files exist in the switch's file system
    switch: dir sda9:
    Directory of sda9:/
        2  drwx  1024       .
        2  drwx  1024       ..
       11  -rwx  18958824   cat3k_caa-recovery.bin
    36903936 bytes available (20866048 bytes used)
    5. Run the emergency install feature
    switch: emergency-install tftp://192.0.2.1/cat3k_caa-universalk9.SPA.03.02.02.SE.150-1.EX2.bin
    The bootflash will be erased during install operation, continue (y/n)?Y
    Starting emergency recovery (tftp://192.0.2.1/cat3k_caa-universalk9.SPA.03.02.02.SE.150-1.EX2.bin)...
    Reading full image into memory......................done
    Nova Bundle Image
    Kernel Address    : 0x6042f5d8
    Kernel Size       : 0x317ccc/3243212
    Initramfs Address : 0x607472a4
    Initramfs Size    : 0xdc6546/14443846
    Compression Format: .mzip
    Bootable image at @ ram:0x6042f5d8
    Bootable image segment 0 address range [0x81100000, 0x81b80000] is in range [0x80180000, 0x90000000].
    File "sda9:cat3k_caa-recovery.bin" uncompressed and installed, entry point: 0x811060f0
    Loading Linux kernel with entry point 0x811060f0 ...
    Bootloader: Done loading app on core_mask: 0xf
    ### Launching Linux Kernel (flags = 0x5)
    Initiating Emergency Installation of bundle tftp://192.0.2.1/cat3k_caa-universalk9.SPA.03.02.02.SE.150-1.EX2.bin
    Downloading bundle tftp://192.0.2.1/cat3k_caa-universalk9.SPA.03.02.02.SE.150-1.EX2.bin...
    Validating bundle tftp://192.0.2.1/cat3k_caa-universalk9.SPA.03.02.02.SE.150-1.EX2.bin...
    Installing bundle tftp://192.0.2.1/cat3k_caa-universalk9.SPA.03.02.02.SE.150-1.EX2.bin...
    Verifying bundle tftp://192.0.2.1/cat3k_caa-universalk9.SPA.03.02.02.SE.150-1.EX2.bin...
    Package cat3k_caa-base.SPA.03.02.02.SE.pkg is Digitally Signed
    Package cat3k_caa-drivers.SPA.03.02.02.SE.pkg is Digitally Signed
    Package cat3k_caa-infra.SPA.03.02.02.SE.pkg is Digitally Signed
    Package cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg is Digitally Signed
    Package cat3k_caa-platform.SPA.03.02.02.SE.pkg is Digitally Signed
    Package cat3k_caa-wcm.SPA.10.0.111.0.pkg is Digitally Signed
    Preparing flash...
    Syncing device...
    Emergency Install successful... Rebooting
    Restarting system.
    Please let me know if you have any further questions.
    HTH
    Regards
    Inayath
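For the "Corrupt packages.conf" case described in the post above, a small offline check can confirm which referenced packages are missing before you reload. This is an added example, not part of the original post or Cisco tooling; the sample packages.conf layout and the file sizes are constructed, and the parser relies only on tokens ending in `.pkg` plus the `dir flash:` row format shown in the post.

```python
import re

# Constructed sample provisioning file; the column layout is an assumption.
SAMPLE_PACKAGES_CONF = """\
# constructed sample, not copied from a real switch
boot rp 0 0 rp_boot     cat3k_caa-base.SPA.03.02.02.SE.pkg
iso  rp 0 0 rp_base     cat3k_caa-base.SPA.03.02.02.SE.pkg
iso  rp 0 0 rp_drivers  cat3k_caa-drivers.SPA.03.02.02.SE.pkg
iso  rp 0 0 rp_infra    cat3k_caa-infra.SPA.03.02.02.SE.pkg
iso  rp 0 0 rp_iosd     cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
iso  rp 0 0 rp_platform cat3k_caa-platform.SPA.03.02.02.SE.pkg
iso  rp 0 0 rp_wcm      cat3k_caa-wcm.SPA.10.0.111.0.pkg
"""

# Constructed "dir flash:" capture in which two packages are absent.
SAMPLE_DIR_FLASH = """\
Directory of flash:/
15500  -rwx        1243   Aug 1 2013 07:04:02 +00:00  packages.conf
15501  -rwx    79000000   Aug 1 2013 07:03:10 +00:00  cat3k_caa-base.SPA.03.02.02.SE.pkg
15503  -rwx     6500000   Aug 1 2013 07:03:20 +00:00  cat3k_caa-drivers.SPA.03.02.02.SE.pkg
15504  -rwx    34000000   Aug 1 2013 07:03:30 +00:00  cat3k_caa-infra.SPA.03.02.02.SE.pkg
15505  -rwx    34800000   Aug 1 2013 07:03:40 +00:00  cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
"""

PKG_TOKEN = re.compile(r"[\w.\-]+\.pkg\b")

def referenced_packages(conf_text):
    """Return each .pkg name the provisioning file references, in order, once."""
    names = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # ignore comment text
        for name in PKG_TOKEN.findall(line):
            if name not in names:
                names.append(name)
    return names

def files_in_listing(dir_text):
    """Collect file names from 'dir' rows: numeric index, then '-rwx'-style mode."""
    files = set()
    for line in dir_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].isdigit() and fields[1].startswith("-"):
            files.add(fields[-1])
    return files

def missing_packages(conf_text, dir_text):
    """Packages that packages.conf calls but that are not present in flash."""
    present = files_in_listing(dir_text)
    return [p for p in referenced_packages(conf_text) if p not in present]

if __name__ == "__main__":
    for pkg in missing_packages(SAMPLE_PACKAGES_CONF, SAMPLE_DIR_FLASH):
        print("referenced but not in flash:", pkg)
```

An empty result means every referenced package is present in the listing; it says nothing about whether the files themselves are intact.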

  • Access points are directly connected to 2016 wlc but not functional

    Hello All,
    access points are directly connected to 2016 wlc.
    Event log from the wlc
    AP event log download completed.
    ======================= AP Event log Contents =====================
    *Mar 1 00:00:30.157: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar 1 00:00:30.161: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Mar 1 00:00:30.190: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar 1 00:00:30.191: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar 1 00:00:30.204: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar 1 00:00:31.190: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Mar 1 00:01:00.088: %LWAPP-3-CLIENTEVENTLOG: Did not get vendor specific options from DHCP.
    *Mar 1 00:01:00.088: %LWAPP-3-CLIENTEVENTLOG: Did not get log server settings from DHCP.
    *Mar 1 00:01:00.089: %LWAPP-3-CLIENTEVENTLOG: Did not get any DNS options from DHCP.
    *Mar 1 00:01:00.089: %LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER
    *Mar 1 00:01:00.089: %LWAPP-3-CLIENTERRORLOG: DNS Name Lookup: could not resolve CISCO-LWAPP-CONTROLLER
    *Mar 1 00:01:12.094: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
    *Mar 1 00:01:12.094: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Mar 1 00:01:12.094: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Mar 1 00:01:12.094: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar 1 00:01:12.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    (Cisco Controller) >show port summary
               STP   Admin   Physical   Physical   Link   Link
    Pr  Type   Stat   Mode     Mode      Status   Status  Trap     POE
    1  Normal  Forw Enable  Auto       100 Full   Up     Enable  N/A
    2  Normal  Disa Disable Auto       Auto       Down   Enable  N/A
    3  Normal  Disa Disable Auto       Auto       Down   Enable  N/A
    4  Normal  Disa Disable Auto       Auto       Down   Enable  N/A
    5  Normal  Disa Disable Auto       Auto       Down   Enable  N/A
    6  Normal  Disa Disable Auto       Auto       Down   Enable  N/A
    7  Normal  Forw Enable  Auto       100 Full   Up     Enable  Enable  (Power On )
    8  Normal  Forw Enable  Auto       100 Full   Up     Enable  Enable  (Power On )
    but still access points are not functional ????
    any idea ??
    Regards

    Your AP-manager and management interfaces are mapped to port 1:
    ap-manager                       1    80       10.41.80.2      Static  Yes    No
    only APs connected to port 1 will work.
    You need to either use a switch and keep port 1 connected to it while APs join through the switch or you need to create a new ap-manager interface. not even sure if you can map it to the same port or different port! not even sure about the management interface!! it is mapped to port 1 and should be reachable anyway. it is a mess!!! have you read the best practice document that I put the link for earlier?
    So you need eventually a switch to fix your issue. Directly connected APs are not recommended.
    I still do not know how Cisco provided such a switch that is supposed to handle directly connected APs while it does not provide a smooth way to do so.
    Use a switch and everything is supposed to be fine.
    HTH
    Amjad

  • How do you promote a static route over a directly connected?

    Hi all,
    I have a need for a static route to be used instead of a directly connected route. (Long story - involving firewalls and anti-spoofing.. but can go further if required)
    I am using a Cisco 3750 switch. I notice directly connected routes have a metric of 0, and the highest metric I can give a static route is 1.
    Therefore, how is it possible for me to make the switch use the static route and not the directly connected?
    Any help would be appreciated!
    Cheers,
    Ben

    Hi Rick,
    Thanks for your patience.
    Maybe I should start again.
    Initially we had 16 VLANs within the 10.0/16 address space. We have some Cisco 3750's connected by dark fibre across a couple of kms and then lower access switches all hanging off these by some means. The network is flat.
    We have a checkpoint firewall hanging off one of the 3750s connected using a TRUNK port. The firewall has an IP address on all VLANs and is used to route traffic between VLANs based on its ruleset.
    So if I have a user in VLAN 10 who wants to talk to VLAN 20, they travel to the firewall, if a rule permits the access, the firewall routes the packet on to VLAN 2 and the switches deliver at Layer 2.
    The switches all have their default VLAN 1 disabled, and have an IP address on our management VLAN to allow us to manage the switches.
    It's quite important that this IP is on a secured management VLAN as we don't want just anyone being able to snoop switch logins etc.
    If we need to login to a switch, the firewall routes our traffic from whatever VLAN we are on to the Management VLAN.
    One of our VLANs (the Desktop VLAN) is quite large (approx 1300 hosts) and suffers a great deal from too much arp broadcast traffic.
    As we have a flat switched network across several kms, the cost of putting in routers to subnet this large VLAN is excessive.
    However, the 3750's we have are perfectly capable of routing between VLANs, so we decide to create a load of new VLANs instead of subnetting our large VLAN. We don't want to use the firewall to route between these new VLANs as that's just giving the firewall more to do, and previously all these hosts were on a single subnet, so we have no need for any strict security - at most we can use ACLs on the switches if we even need that!
    So far so good.
    With 1300 hosts, we obviously can't make sudden topology changes. Therefore we need to be able to route between the Desktop VLAN and the new VLANs.
    We therefore introduce the static routes between the firewall and the switches.
    So the firewall says:
    route 10.1.0.0/16 via Multilayer switch IP on 10.1.0.0/16
    The multilayer switch says:
    route 10.0.0.0/16 via Firewall IP on 10.1.0.0/16
    This allows routing perfectly between the Desktop VLAN and the new VLANs.
    However the moment we enable ip routing on the switches we break access between the desktop VLAN and the Management VLAN.
    A packet leaves the desktop VLAN through the default gateway on the firewall. This is then routed to the Management VLAN. The return packet doesn't use the Management VLAN default gateway (firewall), it follows the static route on the switch and ends up at the firewall on 10.1.0.0/16. This is subsequently dropped as the firewall knows the packet hasn't come from the 10.1.0.0/16 network, it originally came from the desktop VLAN on 10.0.0.0/16.
    It might seem we can define a route on the switch to say:
    route 10.0.50.0/24 (management VLAN) via 10.0.50.254 (firewall). However, this would result in all packets from 10.1.0.0/16 being dropped by the firewall.
    The other problem is if we are on a new VLAN and want to talk to the management VLAN. The packet goes to its default gateway on the switch. The switch says - "I have an IP on the management VLAN, it's directly connected" - therefore it ignores the static route, and passes the packet on its way. We have now bypassed the firewall, which is bad.
    Incidentally the return packets get routed through the firewall and dropped, as the original packet didn't come through the firewall, there is no entry in the state table for its return.
    I think if we turned off the management interface on the switch and managed it through the interface on 10.1.0.0/16, I assume everything would work. However, we don't want to do this for a whole load of other reasons I won't go into.
    I'm sure there must be a fairly simple solution - I just don't have enough experience!
    Cheers,
    Ben
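The forwarding decision discussed in this thread, as an added example that is not part of the original posts: a route lookup that picks the longest matching prefix and uses administrative distance (connected 0, static 1 by default on IOS) only to break ties on the same prefix. The routing table is constructed from the prefixes in the post; the firewall next-hop 10.1.0.254 and the interface labels are assumptions.

```python
import ipaddress

# IOS administrative distances: connected = 0, static = 1 by default.
CONNECTED, STATIC = 0, 1

# Constructed table for the multilayer switch once "ip routing" is enabled.
ROUTES = [
    ("10.0.50.0/24", CONNECTED, "mgmt SVI (directly connected)"),
    ("10.1.0.0/16", CONNECTED, "new-VLAN SVI (directly connected)"),
    ("10.0.0.0/16", STATIC, "firewall 10.1.0.254"),  # assumed next-hop
]

def best_route(dst, routes):
    """Return (prefix, distance, next_hop) for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    candidates = []
    for prefix, distance, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            candidates.append((net, distance, next_hop))
    if not candidates:
        return None
    # Longest prefix wins first; lower administrative distance breaks ties.
    net, distance, next_hop = max(
        candidates, key=lambda r: (r[0].prefixlen, -r[1])
    )
    return str(net), distance, next_hop

def bypasses_firewall(dst, routes):
    """True when the switch delivers dst itself over a connected interface."""
    route = best_route(dst, routes)
    return route is not None and route[1] == CONNECTED

if __name__ == "__main__":
    for dst in ("10.0.10.5", "10.0.50.10"):
        print(dst, "->", best_route(dst, ROUTES))
    # Adding a static for the management prefix does not change the outcome:
    # the connected route for the same /24 still has the lower distance.
    extra = ROUTES + [("10.0.50.0/24", STATIC, "firewall 10.0.50.254")]
    print("with extra static:", best_route("10.0.50.10", extra))
```

Desktop-VLAN destinations follow the static route to the firewall, while management-VLAN destinations match the more specific connected /24 and are delivered directly.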
