Cisco 3850 Switch Management Port - ACL on VTY

Hi,
I got these switches.
Switch Ports Model              SW Version        SW Image              Mode   
*    1 32    WS-C3850-24T       03.03.02SE        cat3k_caa-universalk9 INSTALL
     2 32    WS-C3850-24T       03.03.02SE        cat3k_caa-universalk9 INSTALL
SSH access to Management port G0/0 with an ACL applied on line vty 0 4 is failing, even though the ACL is permitting traffic.
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 172.16.12.3 255.255.255.0
 negotiation auto
ip access-list standard ACLVTY
 permit any log
line vty 0 4
 access-class ACLVTY in
 exec-timeout 15 0
 length 0
 history size 64
 transport preferred ssh
 transport input ssh
 transport output telnet ssh
037599: *Mar 28 2014 04:59:49.919 AEDT: %SEC-6-IPACCESSLOGS: list permit-any permitted 172.16.12.100 1 packet
# show ip access-list permit-any
Standard IP access list permit-any
    10 permit any log (3 matches)
If I remove the ACL under VTY "no access-class ACLVTY in", then SSH to the management port works. If I don't use the management port and use a normal port say G1/0/1 configured on management VLAN and assigned the same IP address, then SSH works with the VTY ACL still existing. 
Any ideas?
Thanks, 
Rick.

Hi,
IOS will accept all VTY connections by default. However, if an access-class is used, the assumption is that connections should only arrive from the global VRF. If you need to control the IP source while allowing VTY connections from VRF instances, you can try the configuration option "vrf-also".
So, you should get something like this:
line vty 0 4
access-class ACLVTY in vrf-also  
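An added audit script, not from this thread or from Cisco, that checks a saved running-config for the two things the thread turns on: a VTY access-class that lacks vrf-also while an interface is bound to a VRF (so SSH arriving via the management port is dropped even though the ACL permits it), and an access-class that references an ACL name that is never defined. The sample config is constructed to mirror Rick's excerpt, and the block parser is a simplified IOS-style parser (top-level lines open a block, indented lines belong to it), not a full one.

```python
import re

# Constructed sample, modelled on the excerpt in the question above:
# a VRF-bound management port plus a VTY access-class without "vrf-also".
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 172.16.12.3 255.255.255.0
 negotiation auto
!
ip access-list standard ACLVTY
 permit any log
!
line vty 0 4
 access-class ACLVTY in
 exec-timeout 15 0
 transport input ssh
"""


def parse_blocks(config):
    """Group IOS-style config text into (header, [child lines]) blocks.
    A non-indented line starts a block; indented lines are its children.
    Blank lines and '!' separators are skipped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_vty_access_class(config):
    """Return a list of (kind, vty_line, detail) findings.

    missing-acl       the access-class names an ACL that is not defined
    missing-vrf-also  an interface is in a VRF but the access-class has no
                      'vrf-also', so sessions entering via that VRF are refused
    """
    blocks = parse_blocks(config)
    defined_acls = set()
    vrf_interfaces = []  # (interface name, vrf name)
    findings = []

    # Pass 1: collect defined ACL names and VRF-bound interfaces.
    for header, children in blocks:
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", header)
        if m:
            defined_acls.add(m.group(1))
        m = re.match(r"access-list (\d+) ", header)  # numbered ACL entry
        if m:
            defined_acls.add(m.group(1))
        if header.startswith("interface "):
            ifname = header.split(None, 1)[1]
            for child in children:
                m = re.match(r"(?:ip )?vrf forwarding (\S+)", child)
                if m:
                    vrf_interfaces.append((ifname, m.group(1)))

    # Pass 2: inspect every access-class applied to a VTY line block.
    for header, children in blocks:
        if not header.startswith("line vty"):
            continue
        for child in children:
            m = re.match(r"access-class (\S+) in(?:\s+(vrf-also))?$", child)
            if not m:
                continue
            acl, vrf_also = m.group(1), m.group(2)
            if acl not in defined_acls:
                findings.append(("missing-acl", header, acl))
            if vrf_interfaces and not vrf_also:
                for ifname, vrf in vrf_interfaces:
                    findings.append(("missing-vrf-also", header,
                                     f"{ifname} in VRF {vrf}"))
    return findings


if __name__ == "__main__":
    for finding in audit_vty_access_class(SAMPLE_CONFIG):
        print(finding)
```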

Similar Messages

  • Cisco prime 2.1 not showing wired clients connected to Cisco 3850 switches

    Hello All,
    I have around 80 Cisco 3850 switches at a customer network and they are using prime infrastructure 2.1.2 to manage these devices. Most of the features are working fine except that the prime does not show the wired clients connected to the switches. The wireless clients are shown properly but not the wired clients. Their core switches are nexus 7k. The SNMP configuration on the switches is as follows.
    snmp-server group xxxx  v3 priv write xxxx-VIEW-WR
    snmp-server view xxx-VIEW-WR mib-2 included
    snmp-server trap-source Vlan100
    snmp-server host x.x.x.x version 3 priv testuser
    Please help me to resolve this issue.
    Shabeeb

    I managed to get the end hosts connected in 3850 switches with the use of the snmp context command. But now the issue is that prime is showing only the MAC address of the device, not the IP address.
    Is there anyway to resolve this issue?

  • How can i configure hsrp in cisco 3850 switch please guide me

    how can i configure hsrp in cisco 3850 switch please guide me

    Hi Mauleshg,
    Please see the below-mentioned link to configure HSRP; hope this will help you.
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/ip/configuration_guide/b_fhrp_3se_3850_cg/b_fhrp_3se_3850_cg_chapter_010.html
    Br.
    Mohseen Patel

  • Emergency Responder and Cisco 3850 Switches

    I'm running Cisco ER V8.5, and recently installed new Cisco 3850 Switches. All the phones connected to the 3850 switches show an "unlocated" status. I've checked the hardware compatibility matrix for ER V8.5 and the 3850 is not on it.
    What are my options for locating these phones in ER and assigning them to an ERL. Manually defining the phones? Is there a patch or update to ER V8.5 that would make a 3850 compatible?

    I haven't used the 3850's with ER yet so can't speak to that specifically, but generally speaking you have more flexibility using location by subnets vs switches.  Scalability-wise, you can add way more subnets than switches.  There's more going on under the hood if you're locating by switches so the process overhead is greater.
    The only downside with using subnets is if you need to get more granular with your locations than your deployed subnets allow (i.e. a single voice subnet for an entire building but you need to define and assign locations at the floor level).  As long as you've been a little forward thinking on the route/switch side, you'll be fine.
    hope that helps,
    will

  • Cisco 3850 Switch getting message %SPI_FC-3-HIGH_WMARK_REACHED

    Hi Team,
    We have one Cisco 3850 Switch installed at the Customer site and getting the message as below,
    Mar 28 10:57:11.578: %SPI_FC-3-HIGH_WMARK_REACHED: Number of messages in the queue for channel 9 has reached maximum.
    -Traceback= 1#830db5fd318976b0280defe233875463  :10000000+153F71C :10000000+B5E9B0 :10000000+B5EBA4 :10000000+3CC5CC :10000000+3CD0B4 :10000000+39AB00 :10000000+27CDD2C :10000000+7C7814 :10000000+27AC29C
    .Mar 28 10:58:31.585: %SPI_FC-3-HIGH_WMARK_REACHED: Number of messages in the queue for channel 9 has reached maximum.
    -Traceback= 1#830db5fd318976b0280defe233875463  :10000000+153F71C :10000000+B5E9B0 :10000000+B5EBA4 :10000000+3CC5CC :10000000+3CD0B4 :10000000+39AB00 :10000000+27CDD2C :10000000+7C7814 :10000000+27AC29C
    .Mar 28 10:59:51.586: %SPI_FC-3-HIGH_WMARK_REACHED: Number of messages in the queue for channel 9 has reached maximum.
    -Traceback= 1#830db5fd318976b0280defe233875463  :10000000+153F71C :10000000+B5E9B0 :10000000+B5EBA4 :10000000+3CC5CC :10000000+3CD0B4 :10000000+39AB00 :10000000+27CDD2C :10000000+7C7814 :10000000+27AC29C
    Please suggest the meaning of these messages and suggestion for resolution on the same.
    Attaching show version, show logging for this Switch.
    Regards
    Ashutosh

    Hi Akilhasan,
    The switch is hitting a bug which is currently under investigation. The latter implies there is no official workaround, but my suggestion would be that you consider reloading the switch outside of business hours (considering preventive measures i. e. back the configuration up, save changes, etc.). 
    The most stable version and recommended per Cisco is 03.03.03. There is newer 03.06.00 available, just released past June, so you may consider as well upgrading the IOS, of course under a properly carried out risk assessment, and you can roll back if something unexpected occurs. I would suggest doing so only if you have a solid knowledge of the customer's network and business needs.
    Hope this helps. 
    Kind regards,
    - Ed

  • Cisco 3850 Switch and Windows 7 IP Conflicts

    Team,
    Last evening (Christmas eve) we setup a pair of Cisco 3850 with IP Base version 3.3.35SE (recommended) and 3.7.0E (very latest).
    We got these to replace a very old switch that had died. Attached to this network are windows 7 PC's with all the standard patches, service packs, etc.
    with standard port configs - no PC would work - and in fact on each screen we got the windows 7 IP Conflict pop up box.
    This seemed very odd to us, as we know these IP's are all static (no dhcp on this segment at all)
    we went with a very vanilla config on each port
    interface g1/0/1
    switchport host
    that is it - nothing special at all.
    well, after hours of research we found the 3850 has a problem where its "ip device tracking" (even though disabled, by way of NOT being enabled on any interface) will affect the windows 7 PC's ip address in use detection port start up phase!
    This is a very big problem. I am frankly SHOCKED Cisco would release a major switch that is going to not work when connected to the average network with windows 7 PC's.
    we tried 3+ hours of prescribed work-arounds found when researching this issue -
    ip device tracking probe delay 10 (global config)
    ip device tracking max 0 (disabled, on interface)
    finally,
    nmsp attach suppress (interface, however this appears to be a default command in all IOS-XE versions we tried, as the command did NOT show in the show run). this affected many different nic card vendors (laptops, desktops) and nic card driver levels from old to very recent.
    Finally,
    we compared a 3850 in another location to this one - and we never got HIT by this problem before because that 3850 only has TRUNK ports and no windows 7 hosts directly attached.
    Doing more research, I found out this also can affect vmware guests running windows SERVER.
    this is now a huge issue as we have a scheduled deployment of 3850's throughout our network which is going to be put on hold.
    the work-around I came up with which is not great is -
    Make ALL the "access" ports connected to PC TRUNK ports and leave the NATIVE vlan (untagged) as the vlan you want the PC's to be in
    interface g1/0/1
    switchport mode trunk
    switchport trunk native vlan 1
    this is NOT an acceptable workaround as this presents security issues even with
    switchport trunk allowed vlan 1, etc. as the only allowed vlan.
    Note: this issue manifested itself and windows 7 PC's were UNABLE to use the network. if you do "ipconfig /all | more" you would see
    192.168.0.140(duplicate) and the interface would actually use 169.254.0.239(duplicate) so the duplicate message appeared twice in the output.
    1) With and without an SVI interface on each 3850 for the vlan where the windows 7 machines had a duplicate
    2) when we had an SVI and the command ip device tracking probe use-svi (or whatever the hidden command is I forget now, but it took it)
    3) when we had aaa new-model configured - and not configured - thinking this was some artifact of having aaa turn on something like 802.1x port state
    4) when could confirm NO DHCP SNOOPING
    5) when we DID not use static IP's - and had the switch assign DHCP addresses - the Windows 7 PC's STILL had duplicates and didn't work for their "Just leased" ip's.
    6) when we could confirm ios-xe ip device tracking = disabled with show ip device tracking status, etc.
    This is a major problem for this 3850 and unless we get a definitive answer on why this is happening and how we can rectify we are going to have to return our 3850's and get HP Procurve's, something I would rather avoid doing. There is NO REASON I can imagine other than older switches whose ports default to ROUTED ports (i.e. no ip switchport) where a switch should not at least function as a bare switch with essentially a default configuration out of the box.
    Any ideas? I'm working well now with the ports ALL in trunking mode with vlan 1 native, but this is not a scalable workaround we can live with as we have security risks of a port not blocking certain vlans from going out ports to pc's, etc. that attackers could send tags on at that point, etc.
    thanks,
    Joe Brunner
    #19366

    thanks for replying - i'm not onsite (its a standalone network) - but here is what it is -
    Answers in line -
    This all stems from a switch replacement correct?
    yes a 10 year old Allied Telesyn switch was replaced that had no config - like a hub, just used for connectivity.
    Are these 3850's in a stack?
    >yes, tested all aspects of the stack many times.
    Does it have a management ip address - If so, is it using the old switch ip address
    >old switch had no ip - i made a "management interface" on vlan 1 - BUT no ip on the built-in management interface on the switch.
    What are they connecting to? (a router/L3 switch/another switch- cisco-HP etc..)
    >various other devices - only 1 link back to a single 3750x stack. that switch is "hardened" so to speak to reveal or propagate very little by design.
    How are they connected( L3 interface/L2 trunk/access port)
    >all ports are left in trunk mode with vlan 1 as the active and untagged port. this was the workaround done to ever get the switch going. in "out of the box" or default mode as we initially wanted (no config) links to windows 7 PC's didn't work. links to linux or other devices non-windows did work!
    Are these switches performing inter-vlan routing or just acting as host switches?
    >dumb flat network, no routing.
    Is ip routing enabled?
    >not unless enabled on 3850 by default. I didn't type "ip routing"
    Do you have multiple vlans in your network and if so are they being propagated to these new switches?
    Your 7 pcs = are they just client pcs not servers?
    client PC's - no server OS per se.
    can you confirm something like ICS isnt enabled (Internet connection sharing)  on any of them?
    >yes not enabled.
    Are they just using one NIC each?
    > one machine is dual homed - but we know where its "second nic" goes - to another cisco network which is NOT connected back to this one. we traced all our ports a few times thinking even perhaps some small hub was "reflecting" traffic back to us - like a blackbox. Strangest thing -
    default config out of the box - with ALL ports SHUTDOWN EXCEPT the single windows 7 facing port - the windows 7 machine STILL registered an IP CONFLICT when connected to the 3850 - even when it had NO SVI's!!! (i know mind numbing). if you disconnected the pc and connected it to an old cisco switch - it worked fine!!! wow.
    sh switch
    2 identical 3850's in working stack. power and network stacked. both at same version, etc - upgraded each time with "software install file flash:<long ios name>.bin
    tested all power and general 3850 stacking. saw no issues.
    sh int trunk
    >all ports are now trunks (hence the workaround used to get it up).
    has 20 trunks to PC's and some single connected switches (far away on fiber) - all allow only vlan 1 - no other vlans were created - very very simple network. vlan 1 is native
    sh vlan brief
    >just vlan 1 - no vlans created, checked this many times - had vlan 100 at one point - made sure it was gone over a period of hours.
    sh vtp status
    not setup - left complete default; no vtp domain set - connected to all switches in transparent model if a switch connection exists.
    sh cdp neighbours
    can't post (for god and country LOL) but there is one link back to our "core" so to speak - that switch is hardened not to allow any settings to slip over to new switches so hence no vtp, cdp is on to help troubleshooting.
    sh ip route
    just the L and C routes for the vlan 1 ip address 192.168.17.1/24
    no static routes
    no vlan interfaces other than int vlan 1
    no ip address on g0/0/0 -> the default 3850 management interface hard assigned to the 3850 VRF you cant remove.
    int g0/0/0
    ip vrf forwarding Switch_Mgmt
    i can get over there if you think of anything else key to show the group.
    thanks,
    Joe

  • Error in GUI of Cisco 3850 Switch with Wireless Controller.

    Hi,
    I have Configured 3850 switch wireless controller. But while accessing the controller through GUI, I faced following errors while configuring it through GUI.
    Because it's complicated to configure it through CLI.
    Attached are the snaps of error faced.
    and if I didn't get this error, and able to configure, I can save it because of this error.
    Please help me on this issue, so that I can easily configure the controller.
    Brgds,
    Ninad Thakare

    Hi Sandeep,
    Here is the configuration which I have done.
    ip http server
    ip http secure-server
    wsma agent exec
    profile httplistener
    profile httpslistener
    wsma agent config
    profile httplistener
    profile httpslistener
    wsma agent filesys
    profile httplistener
    profile httpslistener
    wsma agent notify
    profile httplistener
    profile httpslistener
    wsma profile listener httplistener
    transport http
    wsma profile listener httpslistener
    transport https
    wireless mobility controller
    wireless management interface Vlan4 ( Voice VLAN )
    wlan FG-WiFi 1 FG-WiFi
    client vlan 4
    ip dhcp server 10.106.72.1
    no security wpa akm dot1x
    security wpa akm psk set-key ascii 0 testing1234
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    no wmm
    no shutdown
    wlan GLOBALACCESSII 2 GLOBALACCESSII
    client vlan 4
    ip dhcp server 10.106.72.1
    no security wpa akm dot1x
    security wpa akm psk set-key ascii 0 testing1234
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    no wmm
    no shutdown
    ap group default-group
    ap group 3850WLC
    wlan FG-WiFi
      vlan 4
    wlan GLOBALACCESSII
      vlan 4
    end
    Brgds,
    Ninad Thakare

  • How many Cisco Catalyst 3850 switches can make up a Cisco StackPower stack?

    I know the number of Cisco 3850 switches for stacking is 9, so, if I make up a Cisco StackPower stack, MAX is 9, too?

     Hi, emma, only 4 switches can become part of the same Cisco StackPower stack in a ring topology.
    For the Cisco 3850 switches stack number, there are two types:
    Up to 9 Cisco Catalyst 3850 switches can be stacked together to build a single logical StackWise-480 switch since Cisco IOS XE Release 3.3.0SE. Prior to Cisco IOS XE Release 3.3.0SE, up to 4 Cisco Catalyst 3850 switches could be stacked together.

  • Cisco Catalyst 3850 switches

     How many Cisco Catalyst 3850 switches can stack into a single logical entity?

     Hi, emma, only 4 switches can become part of the same Cisco StackPower stack in a ring topology.
    For the Cisco 3850 switches stack number, there are two types:
    Up to 9 Cisco Catalyst 3850 switches can be stacked together to build a single logical StackWise-480 switch since Cisco IOS XE Release 3.3.0SE. Prior to Cisco IOS XE Release 3.3.0SE, up to 4 Cisco Catalyst 3850 switches could be stacked together.

  • Cisco 3850 Power Stack

    Hi
    We recently purchased four Cisco 3850 switches (WS-C3850-48P-S) which come with a 715WAC power supply. We have also purchased an additional four 1100WAC power supplies.
    Our requirements are:
    Configure four switches in stack
    Use power stack feature
    All 192 ports in Stack should be POE enabled
    Questions:
    Can we use both 715WAC and 1100WAC power supplies in the same switch?
    Can we have all ports POE enabled with both 715WAC and 1100WAC power supplies?
    Thanks
    Muhammad Ibrahim

    Hi,
    See this information below:
    Requirement                        | 24-Port PoE Switch                      | 48-Port PoE Switch
    PoE on all ports (15.4W per port)  | One PWR-C1-715WAC                       | One PWR-C1-1100WAC or two PWR-C1-715WAC
    PoE+ on all ports (30W per port)   | One PWR-C1-1100WAC or two PWR-C1-715WAC | Two PWR-C1-1100WAC or one PWR-C1-1100WAC and one PWR-C1-715WAC
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/data_sheet_c78-720918.html
    Hope this helps.

  • Solarwinds Netflow products what will work with a 3850-switch

    Does anybody know….what Solar winds product will do Net Flow with Cisco 3850-switches? I know Net Flow Configurator will not work….but what about Net Flow Real-time for a Cisco 3850 switch?

    For a lot of people, it is not necessary. I used to ask myself that question until I came across a need for things that iLife and the Finder would not do.
    Toast is a great program with a lot of features that just are not standard on a Mac.
    You can make music DVDs. You can span a HD backup over multiple disks. You can make hybrid PC/Mac disks. It has DVD compression tools to fit an 8.5GB dual-layer DVD onto a single layer 4.7GB DVD. It supports OGG and FLAC audio formats. You can turn your iMovie and iDVD projects into DivX disks.
    It also has lots of nice tools to clean up audio that is imported from a noisy source - like vinyl.
    It is all in all a very useful program, but not unless you need any of those features of course.

  • 3850 switches and NAC

    Hi all,
    We had 802.1x/MAB running fine at a site with Cisco 3750 switches. We then upgraded to Cisco 3850 switches. Now we find that a number of Avaya IP phones get stuck saying "Discover xxx.xxx.xxx.xxx" and when you do a "sh auth session int gi x/y" it shows the "D" flag and it says "Blocked On: Pending Deletion".
    Has anyone come across this before?
    Thank you in advance!

    Ugh, I think you might have hit the same issue that I did with a deployment that I have done in the past, except in my case I was dealing with Cisco 4500-X that also runs the XE code. The "IP Device Tracking" is disabled by default on Catalyst IOS but enabled by default on IOS XE. The command is needed (even for layer 2 switches) if you plan on deploying dot1x with DACLs. 
    I have worked with both Arista and HP (actually 3com) in the past. Arista had some very nice and fast switches while HP had nothing that really impressed me. To be fair, I have run into issues/bugs with both manufacturers :) So just keep in mind that nobody will be perfect out there :)
    Btw, I still believe that Cisco's TAC and communities, such as this is what sets Cisco apart from the rest of the competition. 
    Best regards, 
    Neno

  • WEBGUI 3850 SWITCH

    Dears,
    I have a cisco 3850 switch with IOS 3.03.01SE.
    How can we enable the webgui for 3850s? I referred to the below link to do this activity
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/system_management/configuration_guide/b_sm_3se_3850_cg_chapter_010101.html
    There is inbuilt wireless controller on this switch.
    I am unable to get any of the options as the wireless gui webpage itself is not coming.
    Please help me how we can do this configs
    Regards
    Deva

    HI Deva,
    Onboard web GUI requires Cisco IOS XE Release 3.2.2SE or later.
    Go to CLI and configure these:
    If you want unsecured (http://) web access, go to conf t and enter:
    ip http server
    If you want secure (https://) access, go to conf t and enter:
    ip http secure-server
    Regards

  • Router ACL and Port ACL

    how to find out after looking at the ACL that this is a router acl and this is a port acl.
    is there any syntax difference between these two acl's? or do these two look the same.

    how to find out after looking at the ACL that this is a router acl and this is a port acl.
    It depends on where the ACL is applied:
    Layer-3 interface (SVI, routed port): Router ACL
    Layer-2 interface (physical switch interfaces): Port ACL
    is there any syntax difference between these two acl's?
    Both support Standard and Extended ACLs, the Port ACLs support MAC Extended ACLs in addition.
    Link: c3560 Configuring Network Security with ACLs

  • Cisco 3850 VLANs

    I have two Cisco 3850 switches that I cannot get to talk to one another over VLAN routing. I appear to have everything configured correctly but the VLAN traffic is not passing over the trunk. I have included both configurations. I cannot get traffic between VLAN 6 and 7. Any possible assistance is appreciated.
    PuTTY log 2015.07.16 14:23:41
    Building configuration...
    Current configuration : 5138 bytes
    ! Last configuration change at 17:58:01 UTC Thu Jul 16 2015
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    hostname Switch
    boot-start-marker
    boot-end-marker
    vrf definition Mgmt-vrf
    address-family ipv4
    This topic first appeared in the Spiceworks Community

    Hi 
    You can't register any AP to a 3850 unless those APs are directly connected to your 3850. So you won't be able to register the remote site's APs to the central site 3850.
    If you have directly connected APs & having issues with registering them to 3850, please refer below post.
    http://mrncciew.com/2013/09/29/getting-started-with-3850/
    HTH
    Rasika
    **** Pls rate all useful responses ****
