Configuration Cisco switch 802.1x for ISE

Hi dears,
I configured EAP-FAST authentication on Cisco ISE from Cisco video material. Now I need a full 802.1X configuration guide or video link for a Cisco switch.
Please provide this.
Thanks.

See this link:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sw_cnfg.html
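A worked IOS 802.1X switch configuration for the question above, added here as an example; it is not from the original thread or from the linked Cisco guide. It assumes IOS 15.x command syntax, an ISE policy node at 192.0.2.10 (placeholder address and shared secret), VLAN 10 for authenticated hosts and VLAN 999 as the guest/auth-fail VLAN, which is the same fallback the NAP thread further down asks about.

```text
! Global AAA: authenticate 802.1X sessions against RADIUS, let RADIUS push
! authorization (VLAN, dACL) and send session accounting.
aaa new-model
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
! ISE policy node (192.0.2.10 and the key are placeholders).
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
aaa group server radius ISE
 server name ISE-PSN-1
!
! Accept Change-of-Authorization from ISE (re-auth, session terminate).
aaa server radius dynamic-author
 client 192.0.2.10 server-key REPLACE-WITH-SHARED-SECRET
!
! Send the Cisco VSAs ISE expects plus the attributes its policies match on.
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
! Enable 802.1X globally; IP device tracking is needed for downloadable ACLs.
dot1x system-auth-control
ip device tracking
!
! Access port: 802.1X first, MAB as fallback for devices without a supplicant.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Guest VLAN when no supplicant answers; auth-fail VLAN after failed attempts.
 authentication event no-response action authorize vlan 999
 authentication event fail action authorize vlan 999
 authentication violation restrict
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

After a client connects, `show authentication sessions interface GigabitEthernet1/0/1` shows the method that won (dot1x or mab), the assigned VLAN and any dACL, which is the first thing to check when ISE authorization does not appear to apply.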

Similar Messages

  • 3com and cisco switches (802.1q)vlan integration problem - broadcast storm?

    Hi forum,
    We are using 3com switches. The 3com switches implement open VLANs, which means that if an IEEE 802.1q packet is received at a port and the port is not a member of that VLAN, the switch does not perform VLAN filtering. If the address was previously learned, it will be forwarded correctly, but if it was not, it will be flooded to all ports within that VLAN.
    My questions:
    1) If another Cisco switch connected to the 3com switch is placed in the same VLAN, and the 3com switch receives an 802.1q packet from a rogue device, it will be flooded to all the ports (including the Cisco ports) within that VLAN; will it cause a broadcast storm?
    2) How do I configure the Cisco switch to filter off unknown tagged packets on a port? By using VLAN pruning?
    3) How do I block the broadcasts from the 3com switches? Using broadcast suppression?
    4) Is there a way on the design side to effectively counter this problem?
    Kind regards,
    paul

    It sounds like the setup of your 3com switch is not quite up to your requirements. If a port is declared as tagged, it's OK to receive tagged frames for VLANs that were not previously known on this port. However, if your policy requires that only specific VLANs are permitted on a given tagged port, then you need to add some extra command on your 3com switch. Check with the documentation and possibly with your 3com support partner.
    As for Cisco switches, tagged ports in Cisco-speak are trunks (this might be confusing for you, as 3com calls trunks what in the Cisco world is known as either EtherChannel or port aggregation). By default a trunk (tagged) port allows any VLAN. If your policy requires so, you can explicitly specify which VLANs are allowed on a given trunk (tagged) port. If a frame arrives with a tag that is not on the allowed list, the frame will be discarded. So you don't need any fancy broadcast suppression to block traffic from disallowed VLANs coming from your 3com switch to Cisco.
    P.S.: Make sure that you don't mistake 'member of VLAN' with 'native VLAN'. Some parts of your message suggest that you do.

  • NPS Discarding RADIUS request from Cisco switch (802.1x)

    For the last few weeks I've been busy trying to get the following to work:
    - Cisco 2960 switch as the supplicant
    - Another Cisco 2960 as the authenticator switch
    - The supplicant is only able to send MS-EAP MS-ChapV2 requests
    - The NPS server is Windows 2008 R2 (and also tested on 2012 R2)
    This is called "NEAT" by Cisco, which does seem to work with Cisco ISE (http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html)
    but I'd like to get it to work with Windows NPS.
    Within NPS I've set up the following Connection Request policy:
    - NAS Port Type: Ethernet
    I'm using the following Network Policy:
    - User Group: DOMAIN\Switches (the user account used by the switch is part of this group)
    - NAS Port Type: Ethernet
    - Authentication Type: EAP
    Now the request sent by the switch is discarded. The actual error is the following (irrelevant information excluded):
    User:
    Account Name: Rotterdam-Switch-8-1
    Account Domain: DOMAIN
    Authentication Details:
    Connection Request Policy Name: Secure Wired Connections
    Network Policy Name: Switches Allowed
    Authentication Provider: Windows
    Authentication Server: SERVER.DOMAIN.local
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Reason Code: 1
    Reason: An internal error occurred. Check the system event log for additional information.
    Wireshark on the NPS server shows:
    1. The RADIUS Access-Request (1) being received by the NPS server
    2. The NPS server sending out a RADIUS Access-Challenge (11) to the authenticator switch
    3. Another RADIUS Access-Request (1) being received by the NPS server
    Packet 2 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 1 (Challenge)
    Packet 3 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 2 (Response)
    I've also tried the following:
    - I've also tested with an invalid username/password. The request is correctly denied.
    - I've also tested by adding ALL EAP types as a condition to the Network Policy. The request isn't picked up by this policy anymore.
    Any help would be greatly appreciated, of course.
    Kind regards,
    Peter

    It only took like.. uhm.. forever.. but there's an answer which is "OK-ish..".
    Cisco 2960 switches support EAP-MSCHAP, but it seems that NPS only supports EAP-MSCHAP for VPN connections and not for wired/wireless authentication. Something to do with inner and outer methods and NPS requiring PEAP as an outer method for wired/wireless authentication.
    The end result is that both the Cisco switches and NPS do support EAP-MD5. Though it's definitely not as secure (at all), it's definitely a step in the right direction and it's something that we'll be implementing.
    Now it seems that NPS doesn't support EAP-MD5 (which is supposedly deprecated), but it's possible to re-enable it, using the following articles.
    http://support.microsoft.com/kb/922574/en-us
    Microsoft mentioned to me that "Though this article says it applies to Windows Vista only, it does apply to Server 2008R2 as well. Also I would suggest you the following link:
    http://support.microsoft.com/kb/981190"
    Please note that you'll have to enable 'Store password using reversible encryption' on the accounts that will be used for NEAT authentication.
    Although I would have hoped EAP-MSCHAPv2 would work, I feel I do need to clarify that I understand Microsoft's point of view on this as well. They feel EAP methods without PEAP are simply not safe, which is understandable, especially for EAP-MD5, which could be sniffed using a hub/repeater/etc.
    Kind regards,
    Peter

  • Refurbished Cisco Switches, worth it for home lab?

    Robert5205 wrote:
    Cablesandkits.com has some great prices on old Cisco gear. This week they have a 3560 PoE 48-port switch for $150.
    Yes, it is absolutely worth it to have real hardware in your hands. Packet tracing is fine, but it's not real life.
    Yeah, I believe they are being sold by Cablesandkits through Newegg. Any suggestions on which switch or features I should look for? Really I want something that's managed, but beyond that I'm not sure.

    So I've been thinking about getting a decent switch to play around with at home. During my search I found there's a good bit of "refurbished" Cisco switches online and was wondering if they are worth trying out. I figured they are beyond EOL, hence the cheapness; the one I'm looking at is a Cisco 2900 series for like $30 bucks. I'm pretty new in IT and working on my Network+ and starting to look into the Cisco certs at the moment, so having an actual Cisco switch would be useful.
    This topic first appeared in the Spiceworks Community

  • Configuring Cisco Switch VLANs for Samsung DLNA Sharing!

    Hello there,
    In my VLAN 40, I have a Samsung Smart TV and Samsung Allshare "DLNA" software on one of my PCs in the same VLAN. Everything works fine and I can watch movies on my TV streaming from my PC.
    Now my brother, who is in VLAN 20, bought a Samsung Smart TV.
    I want my PC, which hosts the Samsung Allshare software (VLAN 40), to send its media streaming to my brother's TV (VLAN 20) so he can watch my movies.
    I know broadcasts are dropped between VLANs.
    So, how can I accomplish that?

    Hi,
    Have a look at this link:-
    http://www.cisco.com/c/en/us/support/docs/ip/ip-multicast/9356-48.html
    If your switch is doing the inter-VLAN routing (i.e. it is Layer 3 capable),
    then a simple dense mode config something like this should be OK.
    ip routing
    ip multicast-routing dist
    int vlan 20
    desc ***MY BROTHERS VLAN ***
    ip add 192.168.20.1 255.255.255.0
    ip pim sparse-dense-mode
    no shut
    int vlan 40
    desc ***MY  VLAN ***
    ip add 192.168.40.1 255.255.255.0
    ip pim sparse-dense-mode
    no shut
    Regards
    Alex

  • NAP- Settings required on Cisco switches- 802.1X

    Hi All,
    We have to provide access control for users using NAP and Cisco 2960s switches.
    The request is to have only domain users authenticate to the operations vlan, non domain users will be assigned to a guest network.
    What would be the configs on the switch to allow this config to work? What will force the switch port to assign to the operations vlan when authenticated to the domain?
    Thanks much

    Hi,
    I suppose you are using ACS 4.x version.
    You need to config dot1x under the switchport. Use the default VLAN as the guest VLAN.
    You need to configure the ACS to allow access to domain users only (by forcing MACHINE authentication with PEAP, for example).
    In the NAP, you need to match the NAP selection on the NAS-IP-Address of the switch so that this NAP is only selected if this switch sends the request.
    Now, inside the NAP you have to allow only PEAP-MSCHAPv2 (you already forced machine authentication with PEAP from under the external DB config as per the earlier step).
    When auth works, from under the user or group, send the attributes to assign a specific VLAN to the user.
    Otherwise, if the user auth is not successful, it will be put in the default VLAN, which is the guest VLAN.
    With ACS 5.x version, doing this is more flexible.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Cisco switches and virtual ip address(load balancing address) on xenapp portals

    Hi, I am quite new to configuring Cisco switches and stumbled across an issue after installing XenApp 7.6 with a load-balanced portal to the DDCs.
    It seems I can only ping or get access to the portal if using the real IP address behind the Cisco switch from other subnets in my network.
    I can ping ddc01 and ddc02 and connect to the portal with HTTP without problem. However, when I try to access the load-balancing address of the DDCs,
    it won't answer to ping or HTTP.
    In the same subnet there is no problem connecting to the load-balancing address of the DDCs, but in locations on other subnets I can only access the real server IP.
    E.g.:
    ddc01   192.168.1.4    OK to ping and access behind the Cisco switch from other subnets
    ddc02   192.168.1.5    OK to ping and access behind the Cisco switch from other subnets
    load balancing for both DDCs 192.168.1.6: no answer or access from other subnets, only in the same subnet
    Is there any way to configure the switch to access the load-balancing address of the DDCs?
    Regards
    Pål Arne Røberg

    Wrong forum. This forum is dedicated to feedback related to the CSC framework itself. You should not expect a response here.
    Moved by moderator; no longer applies.

  • What's "SAVE" configuration command for Cisco switch/ router?

    What's the "SAVE" configuration command for a Cisco switch / router? I know Switch#copy running-config startup-config works well,
    but it is so long; is there any other command that is easy to remember?

    Yes, here: Switch#write. If you want to know more about the Cisco switch, please visit: http://www.3anetwork.com/cisco-switches-price_c1

  • Configure Domain Controller ( PDC emulator) as NTP source for Cisco switch 6509

    Hi All,
    My org consists of 2 DCs, one physical and one virtual. All roles are on the physical machine. I ran a W32tm /Query /Configuration command on the PDC emulator and the results are confusing. My PDC is using the time source VMICTimeProvider, as you can see below.
    VMICTimeProvider (Local)
    DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    My first question is: is it OK for the PDC emulator to use this time source, or should I change to some other source like pool.ntp.org or time.windows.com,0x1?
    My second question is: I have a core switch, a Cisco 6509, and I want this switch to use my NTP server (PDC emulator) as NTP source, but at present I cannot, as I am getting this error on the switch (no select intersectionTP).
    Can anyone help? It is urgent.
    Thanks in Advance
    EagleAsh

    You should not make your DCs sync their time with your hypervisor. This usually ends with time synchronization problems, so I would recommend disabling that on your DCs and domain-joined VMs and using an external NTP server to sync time on your PDC, while using your AD forest topology for time sync on other DCs and domain-joined computers.
    I have already started a Wiki article that describes how to configure time sync in an AD domain and you might consider using the GPO configuration option that is stated: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
    For the CISCO switch, I would recommend asking them in CISCO forums.
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • DACL does not get downloaded to Cisco Switch from ISE

    Hello,
    I have a Cisco switch with IOS: c3550-ipbasek9-mz.122-44.SE6.bin
    I am trying to push a dACL from my ISE device to the switch, but it is not getting applied on the switch. Dynamic VLAN assignment works fine, but the dACL does not apply.
    Any instructions, please?

    Hi Jatin,
    ISE is properly configured for dACL; I think there is some compatibility issue with the Cisco switch IOS.
    Following is the debug output:
    06:36:43: dot1x-packet:Received an EAP packet on interface FastEthernet0/11
    06:36:43: EAPOL pak dump rx
    06:36:43: EAPOL Version: 0x1  type: 0x0  length: 0x0006
    06:36:43: dot1x-packet:Received an EAP packet on the FastEthernet0/11 from mac 0019.b981.e812
    06:36:43: dot1x-sm:Posting EAPOL_EAP on Client=1D68028
    06:36:43:     dot1x_auth_bend Fa0/11: during state auth_bend_request, got event 6(eapolEap)
    06:36:43: @@@ dot1x_auth_bend Fa0/11: auth_bend_request -> auth_bend_response
    06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_enter called
    06:36:43: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 0019.b981.e812
    06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_response_action called
    06:36:43: RADIUS/ENCODE(00000049):Orig. component type = DOT1X
    06:36:43: RADIUS(00000049): Config NAS IP: 192.168.2.250
    06:36:43: RADIUS/ENCODE(00000049): acct_session_id: 73
    06:36:43: RADIUS(00000049): sending
    06:36:43: RADIUS(00000049): Send Access-Request to 192.168.2.231:1812 id 1645/99, len 267
    06:36:43: RADIUS:  authenticator 5B 61 1D 64 D3 D5 9F AD - 23 E0 11 11 B3 C3 5C 81
    06:36:43: RADIUS:  User-Name           [1]   6   "test"
    06:36:43: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    06:36:43: RADIUS:  Framed-MTU          [12]  6   1500
    06:36:43: RADIUS:  Called-Station-Id   [30]  19  "00-11-5C-6E-5E-0B"
    06:36:43: RADIUS:  Calling-Station-Id  [31]  19  "00-19-B9-81-E8-12"
    06:36:43: RADIUS:  EAP-Message         [79]  8
    06:36:43: RADIUS:   02 7A 00 06 0D 00                 [ z]
    06:36:43: RADIUS:  Message-Authenticato[80]  18
    06:36:43: RADIUS:   A6 AB 5A CA ED B8 B4 1E 36 00 9D AB 1A F6 B9 E0                [ Z6]
    06:36:43: RADIUS:  Vendor, Cisco       [26]  49
    06:36:43: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A802FA0000006F016B36D8"
    06:36:43: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    06:36:43: RADIUS:  NAS-Port            [5]   6   50011
    06:36:43: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/11"
    06:36:43: RADIUS:  State               [24]  80
    06:36:43: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
    06:36:43: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
    06:36:43: RADIUS:   31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F  [16B36D8;35Sessio]
    06:36:43: RADIUS:   6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31  [nID=ise-server-1]
    06:36:43: RADIUS:   2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B    [ /171025988/24;]
    06:36:43: RADIUS:  NAS-IP-Address      [4]   6   192.168.2.250
    06:36:43: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
    06:36:43: RADIUS: Received from id 1645/99 192.168.2.231:1812, Access-Challenge, len 1134
    06:36:43: RADIUS:  authenticator 78 36 A3 38 30 1C F0 7A - 19 83 93 81 B4 6B FF 9E
    06:36:43: RADIUS:  State               [24]  80
    06:36:43: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
    06:36:43: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
    06:36:43: RADIUS:   31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F  [16B36D8;35Sessio]
    06:36:43: RADIUS:   6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31  [nID=ise-server-1]
    06:36:43: RADIUS:   2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B    [ /171025988/24;]
    06:36:43: RADIUS:  EAP-Message         [79]  255
    06:36:44: RADIUS(00000049): Received from id 1645/99
    06:36:44: RADIUS/DECODE: EAP-Message fragments, 253+253+253+249, total 1008 bytes
    06:36:44: dot1x-packet:Received an EAP request packet from EAP for mac 0019.b981.e812
    06:36:44: dot1x-sm:Posting EAP_REQ on Client=1D68028
    06:36:44:     dot1x_auth_bend Fa0/11: during state auth_bend_response, got event 7(eapReq)
    06:36:44: @@@ dot1x_auth_bend Fa0/11: auth_bend_response -> auth_bend_request
    06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_exit called
    06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_enter called
    06:36:44: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x7B length: 0x03F0 type: 0xD  data: (non-printable EAP-TLS payload, not reproduced)
    06:36:44: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
    06:36:44: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
    06:36:44: RADIUS:  Message-Authenticato[80]  18
    06:36:44: RADIUS:   F5 B0 56 D3 C6 87 BD 10 6E C7 4A 72 5B 5C 60 C5           [ VnJr[\`]
    06:36:44: RADIUS:  Vendor, Cisco       [26]  49
    06:36:44: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A802FA0000006F016B36D8"
    06:36:44: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    06:36:44: RADIUS:  NAS-Port            [5]   6   50011
    06:36:44: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/11"
    06:36:44: RADIUS:  State               [24]  80
    06:36:44: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
    06:36:44: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
    06:36:45: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
    06:36:45: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
    06:36:45: dot1x-registry:registry:dot1x_ether_macaddr called
    06:36:45: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/11
    06:36:45: EAPOL pak dump Tx
    06:36:45: EAPOL Version: 0x2  type: 0x0  length: 0x0039
    06:36:45: EAP code: 0x1  id: 0x7E length: 0x0039 type: 0xD
    06:36:45: dot1x-packet:dot1x_txReq: EAPOL packet sent to client (0019.b981.e812)
    06:36:45: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_request_action called
    06:36:46: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
    06:36:46: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
    06:36:46: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    06:36:46: EAPOL pak dump rx
    06:36:46: EAPOL Version: 0x1  type: 0x0  length: 0x0006
    06:36:46: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/11 CODE= 2,TYPE= 13,LEN= 6
    06:36:46: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/11
    06:36:46: dot1x-ev:Received pkt saddr =0019.b981.e812 , daddr = 0180.c200.0003,
                        pae-ether-type = 888e.0100.0006
    06:36:46: dot1x-ev:dot1x_auth_process_eapol: EAPOL flag status of the port  Fa0/11 is TRUE

  • Cisco SG300 Network Expansion (Configure 2 Switches)

    I'm currently in the process of expanding my network, having bought a second Cisco SG300-20 which is now sitting in my lab. My current setup is described below.
    Internet
    ^
    |
    Draytek Router 192.168.1.1
    ^
    |
    Cisco SG300-20 192.168.1.2
    ^
    |
    VLAN 12 Workstations interface 10.0.12.1 
    VLAN 13 Management interface 10.0.13.1
    VLAN 14 Public interface 10.0.14.1
    VLAN 15 Private interface 10.0.15.1
    VLAN 20 Storage interface 10.0.20.1
    I then have a number of servers with multiple NICs that run on the various VLANs, attached to certain ports in the Cisco switch.
    VLANs 12 and 14 have been given access to the internet, with routes added to the Draytek to 10.0.12.1 / 10.0.14.1.
    Now what I want to do is expand the network, running a link from my first switch to the new switch. I've read a number of notes on this forum but am confused as to what I need to do.
    I want the new switch to have access to all the VLANs configured on the first switch, and will set the ports' access to the various VLANs for each server that is being connected.
    I have read that it's best to have any additional switches on the network configured as Layer 2 and leave just one switch to do the routing (is that correct?). So I have left the new switch as Layer 2 and given it an IP of 192.168.1.3.
    So the first question is how do I configure the uplink port from switch 1 (Port Gi2) to switch 2 (Port Gi1)?
    Should I run multiple cables and create a LAG between the two switches, allowing for additional bandwidth (I stream a lot of HD movies across the network to the workstations)?
    I have attached my running config from switch 1 below.
    Any help would be appreciated; unfortunately networks are not my strong point.
    prcswitch01#show running-config
    config-file-header
    prcswitch01
    v1.3.5.58 / R750_NIK_1_35_647_358
    CLI v1.0
    set system mode router 
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end XXXXXX
    vlan database
    vlan 12-15,20
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    ip dhcp server
    ip dhcp pool network Workstations
    address low 10.0.12.20 high 10.0.12.100 255.255.255.0
    lease infinite
    default-router 10.0.12.1
    dns-server 10.0.15.200 8.8.8.8
    exit
    bonjour interface range vlan 1
    hostname prcswitch01
    username cisco password encrypted XXXXXXX privilege 15
    ip ssh server
    interface vlan 1
     ip address 192.168.1.2 255.255.255.0
     no ip address dhcp
    interface vlan 12
     name Workstations
     ip address 10.0.12.1 255.255.255.0
    interface vlan 13
     name Management
     ip address 10.0.13.1 255.255.255.0
    interface vlan 14
     name Public
     ip address 10.0.14.1 255.255.255.0
    interface vlan 15
     name Private
     ip address 10.0.15.1 255.255.255.0
    interface vlan 20
     name Storage
     ip address 10.0.20.1 255.255.255.0
    interface gigabitethernet3
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet4
     switchport mode access                               
     switchport access vlan 12
    interface gigabitethernet5
     switchport mode access
     switchport access vlan 20
    interface gigabitethernet6
     switchport mode access
     switchport access vlan 20
    interface gigabitethernet7
     switchport trunk allowed vlan add 13-15
    interface gigabitethernet8
     switchport trunk allowed vlan add 13,20
     switchport trunk native vlan 12
    interface gigabitethernet9
     switchport trunk allowed vlan add 13-15
    interface gigabitethernet10
     switchport trunk allowed vlan add 13,20              
     switchport trunk native vlan 12
    interface gigabitethernet11
     switchport trunk allowed vlan add 13-15
    interface gigabitethernet12
     switchport trunk allowed vlan add 13,20
     switchport trunk native vlan 12
    interface gigabitethernet13
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet14
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet15
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet16                           
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet17
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet18
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet19
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet20
     switchport mode access
     switchport access vlan 12
    exit
    ip default-gateway 192.168.1.1
    prcswitch01#   

    Hi Aleksandra,
    I'm still having issues with my setup. The servers I have connected have VLAN tagging enabled.
    Previously I had my ESXi server connected via two NICs, with ports configured on my Layer 3 switch prcswitch01 as follows:
    Port 1 Trunk VLAN 13-15
    Port 2 Trunk VLAN 13,20
    My NAS was configured on a single port on VLAN 20.
    The ESXi server can only have a single gateway, which is used by both interfaces:
    ~ # esxcli network ip route ipv4 list
    Network    Netmask        Gateway    Interface  Source
    default    0.0.0.0        10.0.13.1  vmk0       MANUAL
    10.0.13.0  255.255.255.0  0.0.0.0    vmk0       MANUAL
    10.0.20.0  255.255.255.0  0.0.0.0    vmk1       MANUAL
    Traffic was being passed from VLAN 13 to VLAN 20 to allow connectivity to the NAS from the ESXi server.
    This no longer seems to be happening on my Layer 2 switch.
    I have configured the ports the same as previously set up on the Layer 3 switch.
    When I have the ESXi server connected I can reach the server on 10.0.13.11, but the server cannot ping the NAS on 10.0.20.196.
    Hope that makes sense; I'm confused about setting this new switch up. Should I configure it as Layer 3 and set up interfaces for the various VLANs? I was under the impression this would be done by my first switch.
    Thanks
    Paul

  • Firewall Ports Required for NAC manager to manage/add Cisco switch

    Hi,
    I am trying to add Cisco switches to the NAM; however, I am not able to add the switch, as I am getting the error "unable to control switch". I have tried to open ports 161-162 on the firewall; if I allow any traffic between the NAM and the switch, the Cisco NAM is able to add/manage the switch.
    Not sure what other ports may be required for the Cisco NAM to manage the switch?
    Thanks.

    Hi,
    AFAIK, only the UDP ports 161-162 for the SNMP communication need to be open.
    Please make sure you have configured the correct port on the switch:
    (config)# snmp-server host 172.16.1.61 traps version 2c cam_v2 udp-port 162 mac-notification snmp
    If it is still not working, I would check the logs on the firewall for any blocked traffic between the CAM and the switch.
    HTH,
    Tiago
    If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Cisco Access Point Configuration to support 802.11b & 802.11g protocol

    How do I configure an access point to support both 802.11b and 802.11g clients on a Cisco 1121G series access point (AIR-AP1121G-A-K9)?
    Regards
    Hitesh

    Hi Hitesh,
    Check out this excerpt from the 1121G AP installation guide section on enabling the 802.11b and 802.11g radios.
    In Cisco IOS Release 12.3(4)JA and later, the access point radios are disabled by default, and there is no default SSID. You must create an SSID and enable the radios before the access point will allow wireless associations from other devices. These changes to the default configuration improve the security of newly installed access points. Refer to the "Configuring Basic Security Settings" section for instructions on configuring the SSID.
    In Cisco IOS Release 12.3(2)JA or earlier, the access point radio is enabled by default, and the default SSID is tsunami.
    To enable the radio interfaces, follow these instructions:
    Step 1 Use your web browser to access your access point.
    Step 2 When the Summary Status page displays, click Network Interfaces > Radio0-802.11B or Radio0-802.11G and the radio status page displays.
    Step 3 Click Settings and the radio settings page displays.
    Step 4 Click Enable in the Enable Radio field.
    Step 5 Click Apply.
    Here is a link to the actual document:
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_installation_guide_chapter09186a00804d2b73.html
    Hope this helps!
    Rob
    Please remember to rate helpful posts....

  • Cisco switches and 802.1.x

    Hi there!
    I have a question for you.
    Is it possible for all Cisco switches to support 802.1x?
    I am trying to put a network access server in our network to authenticate.
    Thanks.
    I will wait for your answer.
    Regards.

    Most Cisco switches will handle 802.1x, but it depends on the switch and the OS. Which specific ones are you considering?
    Wes

  • Add Cisco Switch into a configuration

    I have a Dell 6248 switch with three VLANs defined (1, 2, 10).
    I need to expand VLAN 10 (need more ports) on the Dell switch.
    I have downloaded the Cisco CNA.
    In the attached screen of the CNA, am I on the correct display to create a new VLAN 10?
    What is the best way to connect the Dell switch to the Cisco?
    Thanks

    Yes, so far ports 21-24 are in VLAN 10, but I will need to set a few more.
    This is a bit more complicated.
    What I am looking at is an old test and dev virtual infrastructure configuration that was set up with a 1GB Linksys switch and a Dell 6248 switch.
    The reason given for the Linksys in the config is that it was the only 1GB switch available at the time when the SAN had to be installed and there were no more available ports on the 6248. Running Dell DPACK reports shows latency issues when migrating from an EqualLogic volume to an MD3200 volume and from MD3200 to MD3200 volumes (on the order of 30-45 minutes for a 20GB VM). Migrating from EqualLogic volumes to EqualLogic volumes takes seconds.
    I think the Linksys is the issue, as do our Dell reps. We are looking at replacing the Linksys with a Cisco or another L2/L3.
    SAN traffic is isolated to VLAN 10 on the Dell switch. I want to set up a VLAN 10 on the Cisco switch and then connect the MD3200 to the Cisco, which will be connected to VLAN 10 on the Dell switch for access to an EqualLogic SAN. I am not sure what will be involved.
    Is it as simple as what you are saying: I configure VLAN 10 on the Cisco switch and connect a port from the Cisco to VLAN 10 on the Dell switch?
    I have a diagram attached; it needs some updates but it is close to the config.
