Emergency Responder and Cisco 3850 Switches
I'm running Cisco ER V8.5, and recently installed new Cisco 3850 switches. All the phones connected to the 3850 switches show an "unlocated" status. I've checked the hardware compatibility matrix for ER V8.5 and the 3850 is not on it.
What are my options for locating these phones in ER and assigning them to an ERL? Manually defining the phones? Is there a patch or update to ER V8.5 that would make a 3850 compatible?
I haven't used the 3850s with ER yet so can't speak to that specifically, but generally speaking you have more flexibility using location by subnets vs. switches. Scalability-wise, you can add way more subnets than switches. There's more going on under the hood if you're locating by switches, so the process overhead is greater.
The only downside with using subnets is if you need to get more granular with your locations than your deployed subnets allow (i.e. a single voice subnet for an entire building but you need to define and assign locations at the floor level). As long as you've been a little forward-thinking on the route/switch side, you'll be fine.
Hope that helps,
Will
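As an added illustration of the "location by subnet" approach Will describes (this is example code, not part of the original thread and not Emergency Responder's own logic): a longest-prefix lookup from phone IP to ERL. The subnets and ERL names are made-up placeholders; the point it shows is the granularity caveat, where two floors on one building-wide voice subnet can only ever resolve to the same ERL.

```python
# Added example (not from the original post): ERL lookup by subnet, the
# "location by subnets" approach described above. Longest-prefix match makes a
# per-floor /24 win over a building-wide /16. All subnets and ERL names are
# made-up placeholders.
import ipaddress
from typing import Dict, Optional

# Constructed ERL table (assumption, not a real deployment): one building has a
# single voice subnet for every floor; the other was carved up per floor.
ERL_SUBNETS: Dict[str, str] = {
    "10.20.0.0/16": "BLDG-A",          # whole building on one voice subnet
    "10.30.1.0/24": "BLDG-B-FLOOR1",
    "10.30.2.0/24": "BLDG-B-FLOOR2",
    "10.0.0.0/8":   "DEFAULT-ERL",     # least specific catch-all
}


def _ordered(table: Dict[str, str]):
    """Parse the table and order it most-specific (longest prefix) first."""
    nets = [(ipaddress.ip_network(cidr), erl) for cidr, erl in table.items()]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


def locate(phone_ip: str, table: Dict[str, str] = ERL_SUBNETS) -> Optional[str]:
    """Return the ERL of the most specific subnet containing phone_ip, or None
    when nothing matches (the equivalent of ER's 'unlocated' status)."""
    addr = ipaddress.ip_address(phone_ip)
    for net, erl in _ordered(table):
        if addr in net:
            return erl
    return None


def same_erl(phone_a: str, phone_b: str, table: Dict[str, str] = ERL_SUBNETS) -> bool:
    """True when two phones resolve to the same ERL. Two phones on different
    floors of BLDG-A come back True: that is the granularity limit of
    locating by subnet rather than by switch port."""
    return locate(phone_a, table) == locate(phone_b, table)


if __name__ == "__main__":
    for ip in ("10.20.3.40", "10.30.2.15", "10.99.0.7", "192.168.1.5"):
        print(ip, "->", locate(ip))
```

The catch-all /8 is deliberate: a phone that lands there is still "located", just to a coarse ERL, whereas an address outside every configured subnet returns None, which is the case to alarm on.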
Similar Messages
-
Cisco 3850 Switch getting message %SPI_FC-3-HIGH_WMARK_REACHED
Hi Team,
We have one Cisco 3850 switch installed at the customer site and are getting the message below:
Mar 28 10:57:11.578: %SPI_FC-3-HIGH_WMARK_REACHED: Number of messages in the queue for channel 9 has reached maximum.
-Traceback= 1#830db5fd318976b0280defe233875463 :10000000+153F71C :10000000+B5E9B0 :10000000+B5EBA4 :10000000+3CC5CC :10000000+3CD0B4 :10000000+39AB00 :10000000+27CDD2C :10000000+7C7814 :10000000+27AC29C
.Mar 28 10:58:31.585: %SPI_FC-3-HIGH_WMARK_REACHED: Number of messages in the queue for channel 9 has reached maximum.
-Traceback= 1#830db5fd318976b0280defe233875463 :10000000+153F71C :10000000+B5E9B0 :10000000+B5EBA4 :10000000+3CC5CC :10000000+3CD0B4 :10000000+39AB00 :10000000+27CDD2C :10000000+7C7814 :10000000+27AC29C
--More-- .Mar 28 10:59:51.586: %SPI_FC-3-HIGH_WMARK_REACHED: Number of messages in the queue for channel 9 has reached maximum.
-Traceback= 1#830db5fd318976b0280defe233875463 :10000000+153F71C :10000000+B5E9B0 :10000000+B5EBA4 :10000000+3CC5CC :10000000+3CD0B4 :10000000+39AB00 :10000000+27CDD2C :10000000+7C7814 :10000000+27AC29C
Please suggest the meaning of these messages and a suggestion for resolution of the same.
Attaching show version, show logging for this Switch.
Regards
Ashutosh
Hi Akilhasan,
The switch is hitting a bug which is currently under investigation. The latter implies there is no official workaround, but my suggestion would be that you consider reloading the switch outside of business hours (taking preventive measures, i.e. back the configuration up, save changes, etc.).
The most stable version and recommended per Cisco is 03.03.03. There is a newer 03.06.00 available, just released this past June, so you may consider upgrading the IOS as well, of course under a properly carried out risk assessment, and you can roll back if something unexpected occurs. I would suggest doing so only if you have solid knowledge of the customer's network and business needs.
Hope this helps.
Kind regards,
- Ed -
Cisco prime 2.1 not showing wired clients connected to Cisco 3850 switches
Hello All,
I have around 80 Cisco 3850 switches at a customer network and they are using Prime Infrastructure 2.1.2 to manage these devices. Most of the features are working fine except that Prime does not show the wired clients connected to the switches. The wireless clients are shown properly but not the wired clients. Their core switches are Nexus 7K. The SNMP configuration on the switches is as follows:
snmp-server group xxxx v3 priv write xxxx-VIEW-WR
snmp-server view xxx-VIEW-WR mib-2 included
snmp-server trap-source Vlan100
snmp-server host x.x.x.x version 3 priv testuser
Please help me to resolve this issue.
Shabeeb
I managed to get the end hosts connected to the 3850 switches with the use of the snmp context command. But now the issue is that Prime is showing only the MAC address of the device, not the IP address.
Is there any way to resolve this issue?
How can i configure hsrp in cisco 3850 switch please guide me
How can I configure HSRP on a Cisco 3850 switch? Please guide me.
Hi Mauleshg,
Please see the below-mentioned link to configure HSRP; hope this will help you.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/ip/configuration_guide/b_fhrp_3se_3850_cg/b_fhrp_3se_3850_cg_chapter_010.html
Br.
Mohseen Patel
Cisco 3850 Switch and Windows 7 IP Conflicts
Team,
Last evening (Christmas Eve) we set up a pair of Cisco 3850s with IP Base, version 3.3.35SE (recommended) and 3.7.0E (very latest).
We got these to replace a very old switch that had died. Attached to this network are Windows 7 PCs with all the standard patches, service packs, etc.
With standard port configs, no PC would work, and in fact on each screen we got the Windows 7 IP Conflict pop-up box.
This seemed very odd to us, as we know these IPs are all static (no DHCP on this segment at all).
We went with a very vanilla config on each port:
interface g1/0/1
 switchport host
That is it, nothing special at all.
Well, after hours of research we found the 3850 has a problem where its "ip device tracking" (even though disabled, by way of NOT being enabled on any interface) will affect the Windows 7 PCs' IP-address-in-use detection during the port start-up phase!
This is a very big problem. I am frankly SHOCKED Cisco would release a major switch that is not going to work when connected to the average network with Windows 7 PCs.
We tried 3+ hours of prescribed workarounds found when researching this issue:
ip device tracking probe delay 10 (global config)
ip device tracking max 0 (disabled, on interface)
finally,
nmsp attach suppress (interface; however, this appears to be a default command in all IOS-XE versions we tried, as the command did NOT show in the show run). This affected many different NIC vendors (laptops, desktops) and NIC driver levels from old to very recent.
Finally,
we compared a 3850 in another location to this one, and we never got HIT by this problem before because that 3850 only has TRUNK ports and no Windows 7 hosts directly attached.
Doing more research, I found out this also can affect VMware guests running Windows SERVER.
This is now a huge issue as we have a scheduled deployment of 3850s throughout our network which is going to be put on hold.
The workaround I came up with, which is not great, is:
Make ALL the "access" ports connected to PCs TRUNK ports and leave the NATIVE VLAN (untagged) as the VLAN you want the PCs to be in:
interface g1/0/1
 switchport mode trunk
 switchport trunk native vlan 1
This is NOT an acceptable workaround as this presents security issues even with
"switchport trunk allowed vlan 1", etc. as the only allowed VLAN.
Note: this issue manifested itself and Windows 7 PCs were UNABLE to use the network. If you do "ipconfig /all | more" you would see
192.168.0.140 (duplicate) and the interface would actually use 169.254.0.239 (duplicate), so the duplicate message appeared twice in the output.
1) With and without an SVI interface on each 3850 for the VLAN where the Windows 7 machines had a duplicate
2) When we had an SVI and the command ip device tracking probe use-svi (or whatever the hidden command is, I forget now, but it took it)
3) When we had aaa new-model configured, and not configured, thinking this was some artifact of having AAA turn on something like 802.1X port state
4) When we could confirm NO DHCP SNOOPING
5) When we did NOT use static IPs and had the switch assign DHCP addresses, the Windows 7 PCs STILL had duplicates and didn't work for their "just leased" IPs
6) When we could confirm IOS-XE ip device tracking = disabled with show ip device tracking status, etc.
This is a major problem for this 3850 and unless we get a definitive answer on why this is happening and how we can rectify it, we are going to have to return our 3850s and get HP ProCurves, something I would rather avoid doing. There is NO REASON I can imagine, other than older switches whose ports default to ROUTED ports (i.e. no switchport), why a switch should not at least function as a bare switch with essentially a default configuration out of the box.
Any ideas? I'm working well now with the ports ALL in trunking mode with VLAN 1 native, but this is not a scalable workaround we can live with, as we have security risks of a port not blocking certain VLANs from going out ports to PCs, etc., that attackers could send tags on at that point, etc.
thanks,
Joe Brunner
Thanks for replying. I'm not onsite (it's a standalone network), but here is what it is.
Answers inline:
This all stems from a switch replacement, correct?
> Yes, a 10-year-old Allied Telesyn switch was replaced that had no config; like a hub, just used for connectivity.
Are these 3850s in a stack?
> Yes, tested all aspects of the stack many times.
Does it have a management IP address? If so, is it using the old switch's IP address?
> The old switch had no IP. I made a "management interface" on VLAN 1, BUT no IP on the built-in management interface on the switch.
What are they connecting to? (a router/L3 switch/another switch: Cisco, HP, etc.)
> Various other devices; only 1 link back to a single 3750X stack. That switch is "hardened", so to speak, to reveal or propagate very little by design.
How are they connected? (L3 interface/L2 trunk/access port)
> All ports are left in trunk mode with VLAN 1 as the active and untagged VLAN. This was the workaround done to ever get the switch going. In "out of the box" or default mode as we initially wanted (no config), links to Windows 7 PCs didn't work. Links to Linux or other non-Windows devices did work!
Are these switches performing inter-VLAN routing or just acting as host switches?
> Dumb flat network, no routing.
Is ip routing enabled?
> Not unless enabled on the 3850 by default. I didn't type "ip routing".
Do you have multiple VLANs in your network and if so are they being propagated to these new switches?
Your Windows 7 PCs: are they just client PCs, not servers?
> Client PCs, no server OS per se.
Can you confirm something like ICS (Internet Connection Sharing) isn't enabled on any of them?
> Yes, not enabled.
Are they just using one NIC each?
> One machine is dual-homed, but we know where its "second NIC" goes: to another Cisco network which is NOT connected back to this one. We traced all our ports a few times thinking even perhaps some small hub was "reflecting" traffic back to us, like a black box. Strangest thing:
Default config out of the box, with ALL ports SHUTDOWN EXCEPT the single Windows 7-facing port, the Windows 7 machine STILL registered an IP CONFLICT when connected to the 3850, even when it had NO SVIs!!! (I know, mind-numbing.) If you disconnected the PC and connected it to an old Cisco switch, it worked fine!!! Wow.
sh switch
> 2 identical 3850s in a working stack, power and network stacked, both at the same version, etc., upgraded each time with "software install file flash:<long ios name>.bin".
> Tested all power and general 3850 stacking. Saw no issues.
sh int trunk
> All ports are now trunks (hence the workaround used to get it up).
> Has 20 trunks to PCs and some single connected switches (far away on fiber); all allow only VLAN 1. No other VLANs were created; very, very simple network. VLAN 1 is native.
sh vlan brief
> Just VLAN 1, no VLANs created. Checked this many times; had VLAN 100 at one point, made sure it was gone over a period of hours.
sh vtp status
> Not set up, left completely default; no VTP domain set. Connected to all switches in transparent mode if a switch connection exists.
sh cdp neighbors
> Can't post (for God and country, LOL) but there is one link back to our "core", so to speak. That switch is hardened not to allow any settings to slip over to new switches, so hence no VTP; CDP is on to help troubleshooting.
sh ip route
> Just the L and C routes for the VLAN 1 IP address 192.168.17.1/24
> No static routes
> No VLAN interfaces other than int vlan 1
> No IP address on g0/0/0, the default 3850 management interface hard-assigned to the 3850 VRF you can't remove.
int g0/0/0
 ip vrf forwarding Switch_Mgmt
I can get over there if you think of anything else key to show the group.
Thanks,
Joe
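Joe's objection to his own workaround (host-facing ports left as trunks with VLAN 1 native) is the kind of thing worth catching in configuration review. The following is an added example, not part of the thread and not a Cisco tool: a small audit that reads an IOS running-config and flags host ports in trunk mode, trunks whose native VLAN is still 1, trunks with no allowed-VLAN list, ports that still run DTP, and host ports without BPDU guard. The sample config is constructed; the convention that a description containing "PC" marks a host-facing port is an assumption for the example.

```python
# Added example, not part of the original thread: audit an IOS running-config
# for host-facing ports left in trunk mode (the workaround above) and for the
# usual access-port hardening. The config below is constructed; the
# convention that a description containing "PC" marks a host port is an
# assumption for this example.
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description PC - reception
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet1/0/2
 description PC - finance
 switchport mode trunk
 switchport trunk allowed vlan 1
!
interface GigabitEthernet1/0/3
 description PC - hardened form
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' block to the stripped config lines under it."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None          # '!' or a global command ends the block
    return blocks


def native_vlan(lines: List[str]) -> int:
    """Native VLAN of a trunk; IOS omits the line when it is the default, 1."""
    for line in lines:
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            return int(m.group(1))
    return 1


def audit_port(lines: List[str]) -> List[str]:
    findings = []
    trunk = "switchport mode trunk" in lines
    desc = next((l for l in lines if l.startswith("description ")), "")
    host_facing = re.search(r"\bPC\b", desc, re.I) is not None
    if trunk and host_facing:
        findings.append("host-facing port is a trunk: tagged frames from the host are forwarded")
    if trunk and native_vlan(lines) == 1:
        findings.append("native VLAN is 1: untagged frames land in the default VLAN")
    if trunk and not any(l.startswith("switchport trunk allowed vlan") for l in lines):
        findings.append("trunk carries all VLANs (no allowed-vlan list)")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP still enabled: 'switchport nonegotiate' missing")
    if host_facing and not trunk and "spanning-tree bpduguard enable" not in lines:
        findings.append("host port without bpduguard")
    return findings


def audit(config: str) -> Dict[str, List[str]]:
    """Return only the interfaces that have findings."""
    result = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_port(lines)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port)
        for issue in issues:
            print("  -", issue)
```

Run against the sample, only Gi1/0/1 and Gi1/0/2 (the workaround ports) come back with findings; the hardened access port and the properly pruned uplink are clean. Feed it the output of "show running-config" from a real switch to get the same report.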
Hi,
I would like to know if I could use the Cisco 3850 as a pass-through to register with the Cisco 5508 (FlexConnect) at our main site. At the moment I can see the AP registering to the Cisco 3850 and not the 5508. If I plug the AP into a Cisco 2960, will it connect to the 5508?
Also, which mode should it be in if the above is possible (mobility controller mode or mobility agent mode)?
Thanks
Hi Raskia,
Thanks for your reply. So if I go for option 1, can I still use the mobility tunnel and mobility anchor feature? I need to form a mobility tunnel to the 5508 on the inside network and another tunnel to the 4400 controller in the DMZ (I know it has problems with a tunnel to the 4404 controller due to IOS problems, but if I can do it to the 5508 it will be fine).
It's a shame; if I can't do the above I will have to remove the wireless feature and use it as an L2 switch. When I do "no wireless management interface x", does it remove the router (L3) bit of the router?
Thanks
Error in GUI of Cisco 3850 Switch with Wireless Controller.
Hi,
I have configured a 3850 switch wireless controller. But while accessing the controller through the GUI, I faced the following errors while configuring it through the GUI,
because it's complicated to configure it through the CLI.
Attached are the snaps of the errors faced.
And if I didn't get this error and was able to configure, I can't save it because of this error.
Please help me with this issue, so that I can easily configure the controller.
Brgds,
Ninad Thakare
Hi Sandeep,
Here is the configuration which I have done.
ip http server
ip http secure-server
wsma agent exec
 profile httplistener
 profile httpslistener
wsma agent config
 profile httplistener
 profile httpslistener
wsma agent filesys
 profile httplistener
 profile httpslistener
wsma agent notify
 profile httplistener
 profile httpslistener
wsma profile listener httplistener
 transport http
wsma profile listener httpslistener
 transport https
wireless mobility controller
wireless management interface Vlan4 ( Voice VLAN )
wlan FG-WiFi 1 FG-WiFi
 client vlan 4
 ip dhcp server 10.106.72.1
 no security wpa akm dot1x
 security wpa akm psk set-key ascii 0 testing1234
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no wmm
 no shutdown
wlan GLOBALACCESSII 2 GLOBALACCESSII
 client vlan 4
 ip dhcp server 10.106.72.1
 no security wpa akm dot1x
 security wpa akm psk set-key ascii 0 testing1234
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no wmm
 no shutdown
ap group default-group
ap group 3850WLC
 wlan FG-WiFi
  vlan 4
 wlan GLOBALACCESSII
  vlan 4
end
Brgds,
Ninad Thakare
AAA and Cisco MDS switches
I have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time, if I create a user with the "network-admin" role locally, that works, but not the default admin user.
Could anyone help me in this regard? Below is the script I used to configure TACACS (Cisco ACS 4.0) on the Cisco MDS switches.
config t
# Enable TACACS+
tacacs+ enable
tacacs-server host nnn.nnn.nnn.nnn key 0 xxxxxx
tacacs-server host mmm.mmm.mmm.mmm key 0 xxxxx
# Specify TACACS+ Server groups
aaa group server tacacs+ tacgrp
server nnn.nnn.nnn.nnn
server mmm.mmm.mmm.mmm
aaa authentication login default group tacgrp
aaa authentication login console local
# Enable TACACS+ Accounting
aaa accounting default group tacgrp local
end
copy running-config startup-config
Thanks
Mohan
Having a problem with PEAP and Cisco 2960 Switch
Hi All,
I am attempting to use PEAP with an LDAP backend on FreeRADIUS with the MS supplicant. I have it all working; in debug on the RADIUS server I see it sending all the information, the tunnel, medium etc., but with PEAP the Cisco switch is not changing VLANs. If I install the Cisco or Juniper client it works just fine if I use EAP-MSCHAPv2, but PEAP-MSCHAPv2 does not switch the port to the right VLAN. Is there something extra on the switch I need to do to allow PEAP, or is there something on the FreeRADIUS side?
The only difference between the PEAP and EAP versions that I can tell is that PEAP authenticates and the information is sent once (according to the debug on the RADIUS server), whereas with EAP the connection information is sent several times; that is, I will see the tunnel and medium info sent more than once in the RADIUS log for just one login.
Any ideas?
Thought I mentioned the client in the first post. I am using 3 different types of clients with the goal of getting the MS client to work. I am using the Juniper Odyssey client, Cisco CSSC client and the MS built-in client. I mentioned EAP-MSCHAPv2 because I tested that login so I could compare the RADIUS output with that of PEAP-MSCHAPv2. I did not release logs from the RADIUS server because it seems to be centered on something on the switch changing VLANs, but if you want output I can give that.
CSSC client output:
14:25:08.453 Network Connection requested from user context.
14:25:08.468 Connection authentication started using the logged in user's credentials.
14:25:08.468 Port state transition to AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
14:25:08.796 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_FORCED_UNAUTH)
14:25:09.828 Port state transition to AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
14:25:09.843 Identity has been requested from the network.
14:25:09.875 Identity has been sent to the network.
14:25:09.890 Authentication started using method type EAP-PEAP, level 0
14:25:09.890 The server has requested using authentication type: EAP-PEAP
14:25:09.890 The client has requested using authentication type: EAP-PEAP
14:25:09.968 Profile does not require server validation.
14:25:10.031 Identity has been requested from the network.
14:25:10.031 Identity has been sent to the network.
14:25:10.046 Authentication started using method type EAP-MSCHAP-V2, level 1
14:25:10.046 The server has requested using authentication type: EAP-MSCHAP-V2
14:25:10.046 The client has requested using authentication type: EAP-MSCHAP-V2
14:25:10.078 Port state transition to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
14:25:10.078 The authentication process has succeeded.
RADIUS output for PEAP:
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for anonymous
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
Waking up in 0.7 seconds.
Waking up in 3.7 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
RADIUS output for EAP:
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Ready to process requests.
Hope that helps.
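The debug above shows the attributes a Catalyst switch needs for dynamic VLAN assignment (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-Id, per RFC 3580) being produced for the inner identity RadiusUser, while the PEAP outer pass for "anonymous" gets none. The switch only ever sees the Access-Accept of the outer session, and in FreeRADIUS 2.x the inner tunnel's reply items are copied into it only when use_tunneled_reply = yes is set in the peap section of eap.conf; the post's debug stops short of the final Access-Accept, so that cannot be confirmed from the page. As an added example (not from the original post and not FreeRADIUS code), here is a parser that splits this style of debug into authorization passes and classifies each pass's VLAN assignment as complete, partial or none. The log lines are constructed to mirror the post; the user names and "SomeVlan" are placeholders.

```python
# Added example (not from the original post): pull the RADIUS dynamic-VLAN
# attributes out of FreeRADIUS debug output, per authorization pass, and check
# that the trio a Catalyst switch needs (RFC 3580) is complete. The log below
# is constructed to mirror the post's output; user names and "SomeVlan" are
# placeholders.
import re
from typing import Dict, List

REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

SAMPLE_LOG = """\
[ldap] performing user authorization for anonymous
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
[ldap] performing user authorization for RadiusUser
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
[ldap] performing user authorization for PartialUser
[ldap] looking for reply items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "20"
[ldap] user PartialUser authorized to use remote access
"""

AUTHZ_RE = re.compile(r"^\[ldap\] performing user authorization for (\S+)")
# Reply items are logged with a single '='; check items use '==' and never
# reach the NAS, so the single-'=' form is the only one collected here.
REPLY_RE = re.compile(r"^rlm_ldap: \w+ -> ([\w-]+):\d+ = (.+)$")


def reply_attrs_by_pass(log: str) -> List[Dict[str, str]]:
    """One dict per authorization pass: {'user': name, attr: value, ...}."""
    passes: List[Dict[str, str]] = []
    current = None
    for line in log.splitlines():
        m = AUTHZ_RE.match(line)
        if m:
            current = {"user": m.group(1)}
            passes.append(current)
            continue
        m = REPLY_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
    return passes


def vlan_assignment(p: Dict[str, str]) -> str:
    """'complete' when all three VLAN attributes are present with the values a
    switch expects, 'partial' when some are missing or wrong, 'none' when the
    pass carries no VLAN attributes at all."""
    present = [a for a in REQUIRED if a in p]
    if not present:
        return "none"
    if len(present) < len(REQUIRED):
        return "partial"
    if p["Tunnel-Type"] != "VLAN" or p["Tunnel-Medium-Type"] != "IEEE-802":
        return "partial"
    return "complete"


def report(log: str) -> Dict[str, str]:
    """Map each authorization pass's identity to its VLAN-assignment status."""
    return {p["user"]: vlan_assignment(p) for p in reply_attrs_by_pass(log)}


if __name__ == "__main__":
    for user, status in report(SAMPLE_LOG).items():
        print(f"{user}: {status}")
```

On the sample this reports anonymous: none, RadiusUser: complete, PartialUser: partial. A "partial" result is the one to chase first: a switch silently ignores VLAN assignment when any of the three attributes is missing, which looks from the port's side exactly like the symptom described above.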
ASA5525-X and Cisco 3850 Traffiic routing
Hi,
I apologise if this question has been answered already, I tried searching but found nothing.
I have a Cisco 3850X and an ASA 5525 firewall, and I want to create a specific route from a particular VLAN in order to filter the traffic.
I am using VLAN 15, which is intended for wireless access only.
I want to:
Route all wireless hosts' traffic on VLAN 15 to the firewall for filtering through two physical interfaces grouped together in a channel-group
Route filtered traffic back from the firewall into the same switch via the same channel-group (same physical interfaces)
Allow filtered traffic to communicate with other VLANs via their gateways
If somebody could point me in the right direction with this I would appreciate it. I have attached a drawing of the physical cabling to give you a better idea of how the equipment is connected.
Thank you.
Hi Collin,
Thanks, I've now managed to create the trunk following your instructions.
I have set the switch up so that the trunk's native VLAN is 15, but VLANs 10-15 are allowed. As follows:
Switch:
interface GigabitEthernet1/0/1
 switchport access vlan 15
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10-15
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
 channel-group 2 mode active
!
interface GigabitEthernet1/0/2
 switchport access vlan 15
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10-15
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
 channel-group 2 mode active
Firewall:
interface Port-channel10.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.196.10.1 255.255.255.0
!
interface Port-channel10.15
 vlan 15
 nameif dmz
 security-level 50
 ip address 10.196.15.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
I am able to ping the .15 gateway from a host sitting on VLAN 15 on the switch; however, even with the 'same-security' configuration I am still unable to ping across to the .10 gateway.
I tried creating a route, 'route inside 10.196.15.0 255.255.255.0 10.196.10.0', however I was returned the error message 'Cannot add route, connected route exists'. However, when I looked at sh route, no such route exists:
C 10.196.15.0 255.255.255.0 is directly connected, dmz
C 10.196.10.0 255.255.255.0 is directly connected, inside
C 192.168.1.0 255.255.255.0 is directly connected, management
I should note that I have only used the gateway addresses 10.196.10.1 and 10.196.15.1 in the firewall's configuration; I have removed these gateway addresses from the switch, as I assumed the firewall should be used as the gateway, and didn't want the switch to route between the VLANs internally, bypassing the firewall.
I'm obviously still missing something; might I have to set up NAT to translate the two addresses?
Thanks again for your help
Cisco 3850 Switch Management Port - ACL on VTY
Hi,
I got these switches.
Switch Ports Model SW Version SW Image Mode
* 1 32 WS-C3850-24T 03.03.02SE cat3k_caa-universalk9 INSTALL
2 32 WS-C3850-24T 03.03.02SE cat3k_caa-universalk9 INSTALL
SSH access to the management port G0/0 with an ACL applied on line vty 0 4 is failing, even though the ACL is permitting the traffic.
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 172.16.12.3 255.255.255.0
 negotiation auto
!
ip access-list standard ACLVTY
 permit any log
!
line vty 0 4
 access-class ACLVTY in
 exec-timeout 15 0
 length 0
 history size 64
 transport preferred ssh
 transport input ssh
 transport output telnet ssh
037599: *Mar 28 2014 04:59:49.919 AEDT: %SEC-6-IPACCESSLOGS: list permit-any permitted 172.16.12.100 1 packet
# show ip access-list permit-any
Standard IP access list permit-any
10 permit any log (3 matches)
If I remove the ACL under VTY ("no access-class ACLVTY in"), then SSH to the management port works. If I don't use the management port and instead use a normal port, say G1/0/1, configured on the management VLAN and assigned the same IP address, then SSH works with the VTY ACL still in place.
Any ideas ?
Thanks,
Rick.
Hi,
IOS will accept all VTY connections by default. However, if an access-class is used, the assumption is that connections should only arrive from the global VRF. If you need to control the IP source while still allowing VTY connections from VRF instances, you can try the configuration option "vrf-also".
So, you should get something like this:
line vty 0 4
 access-class ACLVTY in vrf-also
SBR and Cisco routers/switches
Hi all,
I have a Juniper SBR and a large number of Cisco devices as RAS/NAS.
I would like the level 1 team to have just a read-only profile,
and the level 2 team to have read and write access. I guess to accomplish this on a non-Cisco AAA product:
1) Do I need to download the Cisco RADIUS attribute dictionary file? If yes, where is the download link?
2) As user profiles are basic ones, there should be a standard attribute which has this feature. In case this is true, which IETF attribute can I use?
3) What are VSAs? Do Cisco VSAs help me in accomplishing my goals with SBR?
4) If I get the above answers I can move in the right direction accomplishing the same with firewall vendor A, SSL VPN vendor B, WiFi controller vendor C, DSLAM vendor E...
Any response will be much appreciated.
I have a 3750X and an SG300 trunked together and they are both running RSTP.
I set my 3750X to rapid-pvst.
I set my SG300 to rstp.
A "show spanning" on both devices yields: "Spanning tree enabled protocol rstp".
Both seem to be communicating STP fine.
Configuring rcp on ciscoworks LMS 2.5 and cisco 3560 switch
Dear All,
I have LMS 2.5 and nearly 50 Cisco 3560s in my network, and I want to configure rcp. How can I do it? Kindly help.
regards,
RAHIL KHAN
Have a look at this link for the server:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.0/user/guide/swmgt.html#wp1328314
For the device you'll need something like:
username cwuser password 7 000C1C0A05
ip rcmd rcp-enable
ip rcmd remote-host cwuser 172.17.246.221 cwuser enable
ip rcmd remote-username cwuser
Hi all,
We had 802.1X/MAB running fine at a site with Cisco 3750 switches. We then upgraded to Cisco 3850 switches. Now we find that a number of Avaya IP phones get stuck saying "Discover xxx.xxx.xxx.xxx", and when you do a "sh auth session int gi x/y" it shows the "D" flag and says "Blocked On: Pending Deletion".
Has anyone come across this before?
Thank you in advance!
Ugh, I think you might have hit the same issue that I did with a deployment I have done in the past, except in my case I was dealing with a Cisco 4500-X that also runs the XE code. "IP Device Tracking" is disabled by default on Catalyst IOS but enabled by default on IOS XE. The command is needed (even for layer 2 switches) if you plan on deploying dot1x with dACLs.
I have worked with both Arista and HP (actually 3Com) in the past. Arista had some very nice and fast switches while HP had nothing that really impressed me. To be fair, I have run into issues/bugs with both manufacturers :) So just keep in mind that nobody will be perfect out there :)
BTW, I still believe that Cisco's TAC and communities such as this are what set Cisco apart from the rest of the competition.
Best regards,
Neno
How many Cisco Catalyst 3850 switches can make up a Cisco StackPower stack?
I know the maximum number of Cisco 3850 switches in a data stack is 9, so if I make up a Cisco StackPower stack, is the max 9 too?
Hi Emma, only 4 switches can become part of the same Cisco StackPower stack in a ring topology.
For the Cisco 3850 switch stack count, there are two cases:
Up to 9 Cisco Catalyst 3850 switches can be stacked together to build a single logical StackWise-480 switch since Cisco IOS XE Release 3.3.0SE. Prior to Cisco IOS XE Release 3.3.0SE, up to 4 Cisco Catalyst 3850 switches could be stacked together.