Emergency Responder and Cisco 3850 Switches

Similar Messages

• Cisco 3850 Switch getting message %SPI_FC-3-HIGH_WMARK_REACHED

  Hi Team,
  We have one Cisco 3850 Switch installed at the Customer site and getting the message as below,
  Mar 28 10:57:11.578: %SPI_FC-3-HIGH_WMARK_REACHED: Number of messages in the queue for channel 9 has reached maximum.
  -Traceback= 1#830db5fd318976b0280defe233875463  :10000000+153F71C :10000000+B5E9B0 :10000000+B5EBA4 :10000000+3CC5CC :10000000+3CD0B4 :10000000+39AB00 :10000000+27CDD2C :10000000+7C7814 :10000000+27AC29C
  .Mar 28 10:58:31.585: %SPI_FC-3-HIGH_WMARK_REACHED: Number of messages in the queue for channel 9 has reached maximum.
  -Traceback= 1#830db5fd318976b0280defe233875463  :10000000+153F71C :10000000+B5E9B0 :10000000+B5EBA4 :10000000+3CC5CC :10000000+3CD0B4 :10000000+39AB00 :10000000+27CDD2C :10000000+7C7814 :10000000+27AC29C
   --More--         .Mar 28 10:59:51.586: %SPI_FC-3-HIGH_WMARK_REACHED: Number of messages in the queue for channel 9 has reached maximum.
  -Traceback= 1#830db5fd318976b0280defe233875463  :10000000+153F71C :10000000+B5E9B0 :10000000+B5EBA4 :10000000+3CC5CC :10000000+3CD0B4 :10000000+39AB00 :10000000+27CDD2C :10000000+7C7814 :10000000+27AC29C
  Please suggest the meaning of these messages and suggestion for resolution on the same.
  Attaching show version, show logging for this Switch.
  Regards
  Ashutosh

  Hi Akilhasan,
  The switch is hitting a bug which is currently under investigation. The latter implies there is no official workaround, but my suggestion would be that you consider reloading the switch outside of business hours (considering preventive measures i. e. back the configuration up, save changes, etc.). 
  The most stable version and recommended per Cisco is 03.03.03. There is newer 03.06.00 available, just released past June, so you may consider as well upgrading the IOS, of course under a properly carried out risk assessment, and you can roll back if something unexpected occurs. I would suggest doing so only if you have a solid knowledge of the customer's network and business needs.
  Hope this helps. 
  Kind regards,
  - Ed

• Cisco prime 2.1 not showing wired clients connected to Cisco 3850 switches

  Hello All,
  I have around 80 Cisco 3850 switches at a customer network and they are using prime infrastructure 2.1.2 to manage these devices. Most of the features are working fine except that the prime does not show the wired clients connected to the switches. The wireless clients are shown properly but not the wired clients. Their core switches are nexus 7k. The SNMP configuration on the switches is as follows.
  snmp-server group xxxx  v3 priv write xxxx-VIEW-WR
  snmp-server view xxx-VIEW-WR mib-2 included
  snmp-server trap-source Vlan100
  snmp-server host x.x.x.x version 3 priv testuser
  Please help me to resolve this issue.
  Shabeeb

  I managed to get the end hosts connected in 3850 switches with the use of snmp context command. But now the issue is that prime is showing only the mac address of the device , not the IP address. 
  Is there anyway to resolve this issue?

• How can i configure hsrp in cisco 3850 switch please guide me

  how can i configure hsrp in cisco 3850 switch please guide me

  Hi Mauleshg,
  Please the below mention link to configure Hsrp hope this will help you.
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/ip/configuration_guide/b_fhrp_3se_3850_cg/b_fhrp_3se_3850_cg_chapter_010.html
  Br.
  Mohseen Patel

• Cisco 3850 Switch and Windows 7 IP Conflicts

  Team,
  Last evening (Christmas eve) we setup a pair of Cisco 3850 with IP Base version 3.3.35SE (recommended) and 3.7.0E (very latest).
  We got these to replace a very old switch that had died. Attached to this network are windows 7 PC's with all the standard patches, service packs, etc.
  with standard port configs - no PC would work - and in fact on each screen we got the windows 7 IP Conflict pop up box.
  This seemed very odd to us, as we know these IP's are all static (no dhcp on this segment at all)
  we went with a very vanilla config on each port
  interface g1/0/1
  switchport host
  that is it - nothing special at all.
  well, after hours of research we found the 3850 has a problem where its "ip device tracking" (even though disabled, by way of NOT being enabled on any interface) will effect the windows 7 PC's ip address in use detection port start up phase!
  This is a very big problem. I am frankly SHOCKED Cisco would release a major switch that is going to not work when connected to the average network with windows 7 PC's.
  we tried 3+ hours of prescribed work-arounds found when researching this issue -
  ip device tracking probe delay 10 (global config)
  ip device tracking max 0 (disabed, on interface)
  finally,
  nmsp attach suppress (interface, however this appears to be a default command in all IOS-XE versions we tried, as the command did NOT show in the show run) . this effected many different nic card vendors (laptops, desktops) and nic card drivers levels from old to very recent.
  Finally,
  we compared a 3850 in another location to this one - and we never got HIT by this problem before because that 3850 only as TRUNK ports and no windows 7 hosts directly attached.
  Doing more research, I found out this also can effect vmware guests running windows SERVER.
  this is now a huge issue as we have a scheduled deployment of 3850's throughout our network which is going to be put on hold.
  the work-around I came up with which is not great is -
  Make ALL the "access" ports connected to PC TRUNK ports and leave the NATIVE vlan (untagged) as the vlan you want the PC's to be in
  interface g1/0/1
  switchport mode trunk
  switchport trunk native vlan 1
  this is NOT an acceptable workaround as this presents security issues even with
  switchport trunk allowed vlan 1, etc. as the only allowed vlan.
  Note: this issue manifested itself and windows 7 PC's were UNABLE to use the network. if you do "ipconfig /all | more" you would see
  192.168.0.140(duplicate) and the interface would actually use 169.254.0.239(duplicate) so the duplicate message appeared twice in the output.
  1) With and without an SVI interface on each 3850 for the vlan where the windows 7 machines had a duplicate
  2) when we had an SVI and the command ip device tracking probe use-svi (or whatever the hidden command is I forget now, but it took it)
  3) when we had aaa new-model configured - and not configured - thinking this was some artifact of having aaa turn on something like 802.1x port state
  4) when could confirm NO DHCP SNOOPING
  5) when we DID not use static IP's - and had the switch assign DHCP addresses - the Windows 7 PC's STILL had duplicates and didnt work for their "Just leased" ip's.
  6) when we could confirm ios-xe ip device tracking = disabled with show ip device tracking status, etc.
  This is a major problem for this 3850 and unless we get a definitive answer on why this is happening and how we can rectify we are going to have to return our 3850's and get HP Procurve's something I would rather avoid doing. There is NO REASON I can imagine other than older switches who's ports default to ROUTED ports (i.e.. no ip switchport) where a switch should not at least function as a bare switch with essentially a default configuration out of the box.
  Any ideas? I'm working well now with the ports ALL in trunking mode with vlan 1 native, but this is not a scalable workaround we can live with as we have security risks of a port not blocking certain vlans from going out ports to pc's, etc. that attackers could send tags on at that point, etc.
  thanks,
  Joe Brunner
  #19366

  thanks for replying - i'm not onsite (its a standalone network) - but here is what it is -
  Answers in line -
  This all stems from a switch replacement correct?
  yes a 10 year old Allied Telesyn switch was replaced that had no config - like a hub, just used for connectivity.
  Are these 3850's in a stack?
  >yes, tested all aspects of the stack many times.
  Does it have a managment ip address -If so, is it using the old switch ip address
  >old switch had no ip - i made a "management interface" on vlan 1 - BUT no ip on the built-in management interface on the switch.
  What are they connecting to? (a router/L3 switch/anohter switch- cisco-HP etc..)
  >various other devices - only 1 link back to a single 3750x stack. that switch is "hardened" so to speak to reveal or propagate very little by design.
  How are they connected( L3 interface/L2 trunk/access port)
  >all ports are left in trunk mode with vlan 1 as the active and untagged port. this was the workaround done to ever get the switch going. in "out of the box" or default mode as we initially wanted (no config) links to windows 7 PC's didnt work. links to linux or other devices non-windows did work!
  Are thse switches performing inter-vlan routing or just acting as host switches?
  >dumb flat network, no routing.
  Is ip routing enabled?
  >not unless enabled on 3850 by default. I didnt type "ip routing"
  Do you have multiple vlans in your network and if so ar ethe being propergated to these new switches?
  Your 7 pcs = are they just client pcs not servers?
  client PC's - no servers OS per say.
  can you confirm something like ICS isnt enabled (Internet connection sharing)  on any of them?
  >yes not enabled.
  Are the just using one NIC each?
  > one machine is dual homed - but we know where its "second nic" goes - to another cisco network which is NOT connected back to this one. we traced all our ports a few times thinking even perhaps some small hub was "reflecting" traffic back to us - like a blackbox. Strangest thing -
  default config out of the box - with ALL ports SHUTDOWN EXCEPT the single windows 7 facing port - the windows 7 machine STILL registered an IP CONFLICT when connected to the 3850 - even when it had NO SVI's!!! (i know mind numbing). if you disconnected the pc and connected it to an old cisco switch - it worked fine!!! wow.
  sh switch
  2 identical 3850's in working stack. power and network stacked. both at same version, etc - upgraded each time with "software install file flash:<long ios name>.bin
  tested all power and general 3850 stacking. saw no issues.
  sh int trunk
  >all ports are now trunks (hence the workaround used to get it up).
  has 20 trunks to PC's and some single connected switches (far away on fiber) - all allow only vlan 1 - no other vlans were created - very very simple network. vlan 1 is native
  sh vlan brief
  >just vlan 1 - no vlans created, checked this many times - had vlan 100 at one point - made sure it was gone over a period of hours.
  sh vtp status
  not setup - left complete default; no vtp domain set - connected to all switches in transparent model if a switch connection exists.
  sh cdp neighbours
  cant post (for god and country LOL) but there is one link back to our "core" so to speak - that switch is hardened not to allow any settings to slip over to new switches so hence no vtp, cdp is one to help troubleshooting.
  sh ip route
  just the L and C routes for the vlan 1 ip address 192.168.17.1/24
  no static routes
  no vlan interfaces other than int vlan 1
  no ip address on g0/0/0 -> the default 3850 management interface hard assigned to the 3850 VRF you cant remove.
  int g0/0/0
  ip vrf forwarding Switch_Mgmt
  i can get over there if you think of anything else key to show the group.
  thanks,
  Joe

• 2602 AP and cisco 3850

  Hi,
  i would like to know if i could use the cisco 3850 as a pass through to register with cisco 5508 (flex connect) at our main site. at the moment i can see the AP registering to cisco 3850 and not 5508. if i plug in the ap to a cisco 2960 will connect to 5508 ?
  also which mode should it be if the above is possbile (Moblity controller mode or Mobility agent mode)
  Thanks

  Hi Raskia,
  Thanks for your reply. so if i go for option 1 can i still use mobility tunnel and mobility anchor feature. I need to for form a mobility tunnel to 5508 on the inside network and another tunnel to 4400 controller in the dmz (i know it has problems with tunnel to 4404 controller due to ios problems but if i can do to 5508 it will be fine)
  its a shame if i cant do the above i will have to remove the wireless feature and use it as l2 switch. when i do no wireless management inter x then does it remove the router (l3) bit of the router?
  Thanks

• Error in GUI of Cisco 3850 Switch with Wireless Controller.

  Hi,
  I have Configured 3850 switch wireless controller. But while accessing the controller through GUI, I faced following errors while configuring it through GUI.
  Because its complecated to configure it through CLI.
  Attached are the snaps of error faced.
  and if I didnt get this error, and able to configure, I can save it because of this error.
  Please help me on this issue, so that I can easily configure the controller.
  Brgds,
  Ninad Thakare

  Hi Sandeep,
  Here is the configuration which I have did.
  ip http server
  ip http secure-server
  wsma agent exec
  profile httplistener
  profile httpslistener
  wsma agent config
  profile httplistener
  profile httpslistener
  wsma agent filesys
  profile httplistener
  profile httpslistener
  wsma agent notify
  profile httplistener
  profile httpslistener
  wsma profile listener httplistener
  transport http
  wsma profile listener httpslistener
  transport https
  wireless mobility controller
  wireless management interface Vlan4 ( Voice VLAN )
  wlan FG-WiFi 1 FG-WiFi
  client vlan 4
  ip dhcp server 10.106.72.1
  no security wpa akm dot1x
  security wpa akm psk set-key ascii 0 testing1234
  no security wpa wpa2
  no security wpa wpa2 ciphers aes
  no wmm
  no shutdown
  wlan GLOBALACCESSII 2 GLOBALACCESSII
  client vlan 4
  ip dhcp server 10.106.72.1
  no security wpa akm dot1x
  security wpa akm psk set-key ascii 0 testing1234
  no security wpa wpa2
  no security wpa wpa2 ciphers aes
  no wmm
  no shutdown
  ap group default-group
  ap group 3850WLC
  wlan FG-WiFi
    vlan 4
  wlan GLOBALACCESSII
    vlan 4
  end
  Brgds,
  Ninad Thakare

• AAA and Cisco MDS switches.........

  have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time , if I create a user with "network-admin" role locally, that works but not the default admin user.
  Could anyone help me in this regard.

  local. Below is the script I used to configure TACACS (Cisco ACS 4.0) on Cisco MDS switches.
  config t
  # Enable TACACS+
  tacacs+ enable
  tacacs-server host nnn.nnn.nnn.nnn key 0 xxxxxx
  tacacs-server host mmm.mmm.mmm.mmm key 0 xxxxx
  # Specify TACACS+ Server groups
  aaa group server tacacs+ tacgrp
  server nnn.nnn.nnn.nnn
  server mmm.mmm.mmm.mmm
  aaa authentication login default group tacgrp
  aaa authentication login console local
  # Enable TACACS+ Accounting
  aaa accounting default group tacgrp local
  end
  copy running-config startup-config
  Thanks
  MOhan

• Having a problem with PEAP and Cisco 2960 Switch

  Hi All,
      I am attempting to use PEAP with a LDAP backend on FreeRadius witht he MS Supplicant.  I have it all working, in debug on the Radius server I see it sending all the information, the tunnel, medium etc. but with PEAP the Cisco switch is not changing VLANS.  If I install the Cisco or Juniper client it works just fine if I use eap-mschapv2 but peap-mschapv2 does not switch the port to the right vlan.  Is there something extra on the switch I need to do to allows PEAP or is there something on the FreeRadius? 
      The only difference between the PEAP and EAP versions that I can tell is that the PEAP authenticates ands the information is sent once(according to the debug on the Radius server) where as with the EAP the connection information is sent several times, that is I will see the Tunnell and medium info sent more then once in the Radius log for just one login.
  Any ideas?

  Thought I mentioned the client in the first post, I am using the 3 different types of clients with a goal of getting the MS client to work.  I am using the Juniper Odyssey client, Cisco CSSC client and the MS built-in client.  I mentioned the EAP-MSChanpV2 because I tested that login so I could compare the Radius output with that of PEAP-MSChapV2.  I did not release logs from the Radius server because it seems to be centered with something on the switch changing Vlans but if you want output I can give that..
  CSSC Client pops out:
  14:25:08.453  Network Connection requested from user  context.
  14:25:08.468  Connection authentication started using the logged in  user's credentials.
  14:25:08.468  Port state transition to  AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
  14:25:08.796  Port state  transition to  AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_FORCED_UNAUTH)
  14:25:09.828   Port state transition to  AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
  14:25:09.843   Identity has been requested from the network.
  14:25:09.875  Identity has been  sent to the network.
  14:25:09.890  Authentication started using method type  EAP-PEAP, level 0
  14:25:09.890  The server has requested using authentication  type: EAP-PEAP
  14:25:09.890  The client has requested using authentication  type:  EAP-PEAP
  14:25:09.968  Profile does not require server  validation.
  14:25:10.031  Identity has been requested from the  network.
  14:25:10.031  Identity has been sent to the  network.
  14:25:10.046  Authentication started using method type  EAP-MSCHAP-V2, level 1
  14:25:10.046  The server has requested using  authentication type: EAP-MSCHAP-V2
  14:25:10.046  The client has requested  using authentication type:  EAP-MSCHAP-V2
  14:25:10.078  Port state transition  to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
  14:25:10.078  The  authentication process has succeeded.
  *************************Raidus Ouptut for PEAP:**************************
  [ldap] user RadiusUser authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.7 seconds.
  Waking up in 0.7 seconds.
  Waking up in 0.1 seconds.
  Waking up in 3.7 seconds.
  Waking up in 0.1 seconds.
  Ready to process requests.
  Waking up in 0.9 seconds.
  Ready to process requests.
  Waking up in 0.9 seconds.
  [ldap] performing user authorization for anonymous
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: object not found or got ambiguous search result
  [ldap] search failed
  rlm_ldap: ldap_release_conn: Release Id: 0
  [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  Waking up in 0.9 seconds.
  Waking up in 0.9 seconds.
  Waking up in 0.9 seconds.
  Waking up in 0.8 seconds.
  Waking up in 0.8 seconds.
  Waking up in 0.8 seconds.
  [ldap] performing user authorization for RadiusUser
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
  [ldap] looking for reply items in directory...
  rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] user RadiusUser authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.8 seconds.
  [ldap] performing user authorization for RadiusUser
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
  [ldap] looking for reply items in directory...
  rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] user RadiusUser authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.8 seconds.
  [ldap] performing user authorization for RadiusUser
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
  [ldap] looking for reply items in directory...
  rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] user RadiusUser authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.8 seconds.
  Waking up in 0.7 seconds.
  Waking up in 3.7 seconds.
  Ready to process requests.
  Waking up in 0.9 seconds.
  Ready to process requests.
  **************************Radius ouput for EAP******************************
  [ldap] user Radiususer authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.7 seconds.
  Waking up in 0.7 seconds.
  Waking up in 0.1 seconds.
  Waking up in 3.7 seconds.
  Waking up in 0.1 seconds.
  Ready to process requests.
  Waking up in 0.9 seconds.
  Ready to process requests.
  Waking up in 0.9 seconds.
  [ldap] performing user authorization for Radiususer
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
  [ldap] looking for reply items in directory...
  rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] user Radiususer authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.9 seconds.
  [ldap] performing user authorization for Radiususer
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
  [ldap] looking for reply items in directory...
  rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] user Radiususer authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.9 seconds.
  [ldap] performing user authorization for Radiususer
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
  [ldap] looking for reply items in directory...
  rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] user Radiususer authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.9 seconds.
  [ldap] performing user authorization for Radiususer
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
  [ldap] looking for reply items in directory...
  rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] user Radiususer authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.9 seconds.
  Waking up in 3.9 seconds.
  Ready to process requests.
  Hope that Helps.

• ASA5525-X and Cisco 3850 Traffiic routing

  Hi,
  I apologise if this question has been answered already, I tried searching but found nothing.
  I have a Cisco 3850X and an ASA5525 firewall, and I want to create a specific route from a particular VLAN in order to filter the traffic.
  I am using VLAN 15, which is intended for wireless access only.
  I want to;
  Route all wireless hosts traffic on VLAN 15 to the firewall for filtering through two physical interfaces grouped together in a channel-group
  Route filtered traffic back from the firewall into the same switch via the same channel-group (same physical interfaces.)
  Allow filtered traffic to communicate with other VLANs via their gateways
  If somebody could point me in the right direction with this I would appreciate it. I have attached a drawing of the physical cabling to give you a better idea of how the equipment is connected.
  Thank you.

  Hi Collin,
  Thanks, I've now managed to create the trunk following your instructions.
  I have set the switch up so that the trunks native vlan is 15, but vlans 10-15 are allowed. As follows:
  Switch:
  interface GigabitEthernet1/0/1
   switchport access vlan 15
   switchport trunk native vlan 10
   switchport trunk allowed vlan 10-15
   switchport mode trunk
   switchport nonegotiate
   speed 1000
   duplex full
   channel-group 2 mode active
  interface GigabitEthernet1/0/2
   switchport access vlan 15
   switchport trunk native vlan 10
   switchport trunk allowed vlan 10-15
   switchport mode trunk
   switchport nonegotiate
   speed 1000
   duplex full
   channel-group 2 mode active
  Firewall
  interface Port-channel10.10
   vlan 10
   nameif inside
   security-level 100
   ip address 10.196.10.1 255.255.255.0
  interface Port-channel10.15
   vlan 15
   nameif dmz
   security-level 50
   ip address 10.196.15.1 255.255.255.0
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  I am able to ping the .15 gateway from a host sitting on VLAN15 on the switch, however, even with the 'same-security' configuration I am still unable to ping across to the .10 gateway.
  I tried creating a route, 'route inside 10.196.15.0 255.255.255.0 10.196.10.0' however was returned an error message 'Cannot add route connected route exists'. However when I looked at sh route, no such route exists:
  C    10.196.15.0 255.255.255.0 is directly connected, dmz
  C    10.196.10.0 255.255.255.0 is directly connected, inside
  C    192.168.1.0 255.255.255.0 is directly connected, management
  I should not that I have only used the gateway addresses 10.196.10.1 and 10.196.15.1 in the firewalls configuration, I have removed these gateway addresses from the switch, as I assumed the firewall should be used as the gateway, and didn't want the switch to route between the vlans internally bypassing the firewall.
  I'm obviously still missing something, might I have to setup NAT to translate the two addresses?
  Thanks again for your help

• Cisco 3850 Switch Management Port - ACL on VTY

  Hi,
  I got these switches.
  Switch Ports Model              SW Version        SW Image              Mode   
  *    1 32    WS-C3850-24T       03.03.02SE        cat3k_caa-universalk9 INSTALL
       2 32    WS-C3850-24T       03.03.02SE        cat3k_caa-universalk9 INSTALL
  SSH access to Management port G0/0 with an ACL applied on line vty 0 4 is failing, even through the ACL is permiting traffic.
  interface GigabitEthernet0/0
   vrf forwarding Mgmt-vrf
   ip address 172.16.12.3 255.255.255.0
   negotiation auto
  ip access-list standard ACLVTY
   permit any log
  line vty 0 4
   access-class ACLVTY in
   exec-timeout 15 0
   length 0
   history size 64
   transport preferred ssh
   transport input ssh
   transport output telnet ssh
  037599: *Mar 28 2014 04:59:49.919 AEDT: %SEC-6-IPACCESSLOGS: list permit-any permitted 172.16.12.100 1 packet
  # show ip access-list permit-any
  Standard IP access list permit-any
      10 permit any log (3 matches)
  If I remove the ACL under VTY "no access-class ACLVTY in", then SSH to the management port works. If I don't use the management port and use a normal port say G1/0/1 configured on management VLAN and assigned the same IP address, then SSH works with the VTY ACL still existing. 
  Any ideas ?
  Thanks, 
  Rick.

  Hi,
  IOS will accept all VTY connections by default. However, if an access-class is used, the assumption is that connections should only arrive from the global VRF. If you need control the IP source while allowing VTY connections from VRF instances, you have a try configuration option "vrf-also"
  So, you should get something like this:
  line vty 0 4
  access-class ACLVTY in vrf-also  

• SBR and cisco routers/switches

  HI all,
  i have a juniper SBR and large no  of cisco devices as RAS/NAS.
  i would like to have level 1 team to have just read only profile .
  and level 2 team to have read and write access . i guess to accomplish this on a non cisco aaa product  ,
  1) DO i need to downlaod cisco radius attribute dictonary file . if yes where is the downlaod link ?
  2) As user profiles are basic one ., their should be a standard attribute which has this feature . in case this is true which ietf attribute i can use ?
  3) what aer vsa ? does cisco vsa help me in accomplishing my goals with SBR?
  4) if i get above answers i can move in right direction accompleshing the same with firewall vendor a , ssl vpn vendor b , wifi controller vendor c , dslamp vendor e ....
  Any response will be much appreciated .

  I have a 3750X and an SG300 trunked together and they are both running RSTP.
  I set my 3750X to rapid-pvst
  I set my SG300 to rstp
  A "show spanning" on both devices yields: "Spanning tree enabled protocol rstp".
  Both seem to be communicating STP fine.

• Configuring rcp on ciscoworks LMS 2.5 and cisco 3560 switch

  Dear All,
  i am having LMS 2.5 and nearly 50 cisco 3560 in my network. And I want to configure rcp. How can I do it. Kindly help
  regards,
  RAHIL KHAN

  Have a look at this link for the server:
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.0/user/guide/swmgt.html#wp1328314
  For the device you'll need something like:
  username cwuser password 7 000C1C0A05
  ip rcmd rcp-enable
  ip rcmd remote-host cwuser 172.17.246.221 cwuser enable
  ip rcmd remote-username cwuser

• 3850 switches and NAC

  Hi all,
  We had 802.1x/MAB running fine at a site with Cisco 3750 switches. We then upgraded to Cisco 3850 switches. Now we find that a number of Avaya IP phones get stuck saying "Discover xxx.xxx.xxx.xxx" and when you do a "sh auth session int gi x/y" it shows the "D" flag and it says "Blocked On: Pending Deletion".
  Has anyone come across this before?
  Thank you in advance!

  Ugh, I think you might have hit the same issue that I did with a deployment that I have done in the past, except in my case I was dealing with Cisco 4500-X that also runs the XE code. The "IP Device Tracking" is disabled by default on Catalyst IOS but enabled by default on IOS XE. The command is needed (even for layer 2 switches) if you plan on deploying dot1x with DACLs. 
  I have worked with both Arista and HP (Actually 3com) in the past. Arista had some very nice and fast switches while HP had nothing that really impressed me. To be fair, I have ran into issues/bugs with both manufacturers :) So just keep in mind that nobody will be perfect out there :)
  Btw, I still believe that Cisco's TAC and communities, such as this is what sets Cisco apart from the rest of the competition. 
  Best regards, 
  Neno

• How many Cisco Catalyst 3850 switches can make up a Cisco StackPower stack?

  I know the number of Cisco 3850 switches for stacking is 9, so, if I make up a Cisco StackPower stack, MAX is 9, too?

   Hi, emma, only 4 switches can become part of the same Cisco StackPower stack in a ring topology.
  For the Cisco 3850 switches stack number,there are two types:
  Up to 9 Cisco Catalyst 3850 switches can be stacked together to build single logical StackWise-480 switch since Cisco IOS XE Release 3.3.0SE. Prior to Cisco IOS XE Release3.3.0SE, up to 4 Cisco Catalyst 3850 switches could be stacked together.