Guest-vlan; catalyst 2960
Hello,
I would like to configure a guest-vlan and restricted-vlan on a 2960 switch, but I can not.
The IOS version (obtained through: show version) is:
Switch Ports Model SW Version SW Image
* 1 52 WS-C2960S-48FPS-L 12.2(53)SE2 C2960S-UNIVERSALK9-M
I am trying to configure the interface using the following commands:
RAK-ASW01#configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
RAK-ASW01(config)#interface gigabitEthernet 1/0/11
RAK-ASW01(config-if)#switchport mode access
RAK-ASW01(config-if)#dot1x port-control auto
RAK-ASW01(config-if)#dot1x guest-vlan 17
RAK-ASW01(config-if)#end
The result is the following, as if the guest-vlan is not supported:
RAK-ASW01#show dot1x interface gigabitEthernet 1/0/11
Dot1x Info for GigabitEthernet1/0/11
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RAK-ASW01#
A similar result is obtained while trying to configure an auth-fail vlan.
The full configuration file is attached.
Many thanks in advance,
Alaeddine
Hi,
I am trying to see the guest-vlan configuration, but I was not able to see it. Therefore, my first thought was that the guest-vlan is not supported by this IOS release.
Another point is that, although I am not able to see the configuration of the guest-vlan and the auth-fail vlan, they do exist and they are operational: when I try to connect a device to the switch and it fails to authenticate, the switch connects the device to the restricted vlan.
So my question is: why can I not see the guest-vlan and the auth-fail vlan configuration?
Thanks in advance,
Alaeddine
Similar Messages
-
Moving VLAN config from catalyst 2960 to SG300
Dear all,
my existing catalyst 2960 config for vlans:
interface FastEthernet0/2
description 3Com Switch
switchport access vlan 10
switchport mode access
interface FastEthernet0/5
description to Cyberoam
switchport mode trunk
interface FastEthernet0/18
switchport access vlan 40
switchport mode access
interface FastEthernet0/19
interface FastEthernet0/20
switchport access vlan 20
switchport mode access
interface FastEthernet0/21
interface FastEthernet0/22
interface Vlan1
no ip address
no ip route-cache
interface Vlan10
ip address 192.168.0.51 255.255.255.0
no ip route-cache
Inside trunk there are VLAN10 (native), VLAN20,30,40
now, when I try to configure the same on SG300 I get trunk issues - no VLAN10 (native) inside trunk.
Regards
GN
Hi Mlechte, I cheated on your question a bit. I have used two SG300-52 switches. I am able to accomplish what you're asking with these models.
On my master switch the configuration fundamental is simple. For argument's sake, I disabled all CDP. I create vlan 100 for voice. Assigned my voice vlan 100. I enabled LLDP on every port. I enabled every optional TLV on every individual port.
I then connected a 100% factory default SG300-52 to the 'master switch'. After about 3 minutes the VSDP created the voice vlan, the link between switches became 1u, 100t. The vlan database populated the vlan 100 and everything just worked nicely.
So, to answer your inquiry, if your 2960 supports the same TLVs it should work okay.
I do recommend you use the SX300 series, it is a much more robust switch, supports full CLI and has a lot better feature set. A SG300-08 (srw2008-k9-na) is around $250. The SG200-08 is about $100 cheaper. The difference between models is astronomical and a much better investment.
Please review
console_log_master <--This is the switch that will advertise to the downstream
console_log_receive <-- This is a default switch that received the LLDP information
-Tom
Please rate helpful posts -
802.1x on Cisco Catalyst 2960
I am trying to enable 802.1x on one of
the switchports of the Cisco Catalyst
2960:
C2960#sh run | i radius
aaa authentication login test group radius local
aaa authentication dot1x default group radius
radius-server host 10.250.97.26 auth-port 1812 acct-port 1813
radius-server source-ports 1645-1646
radius-server key 123456
C2960#sh run | i dot
aaa authentication dot1x default group radius
dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x critical eapol
C2960#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C2960(config)#int g0/14
C2960(config-if)#dot1x ?
% Unrecognized command
C2960(config-if)#dot1x
As you can see, I can not enable 802.1x
at the interface level. The code I am running is 12.2.25SEE4:
Switch Ports Model SW Version SW Image
* 1 24 WS-C2960G-24TC-L 12.2(25)SEE4 C2960-LANBASEK9-M
System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"
According to Cisco, this image supports
802.1x. Why can't I enable it at the
interface level?
Can someone help me out? Thanks.
Some additional info:
C2960#sh dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 2
Critical Recovery Delay 100
Critical EAPOL Enabled
C2960# -
Troubleshooting Fiber Connection on a Catalyst 2960
I am trying to test my fiber connectivity on a Catalyst 2960 before I deploy it. So what I thought I would do is connect it to another switch in my office with a open port for the fiber connection. The other switch is a Catalyst 3560G. Here are the port configurations:
interface GigabitEthernet0/2
switchport trunk allowed vlan 1,100
switchport mode trunk
macro description cisco-switch
interface GigabitEthernet0/25
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100
switchport mode trunk
The first one is the catalyst 2960 and the 3560G is the second.
When you show the interface for each of these it shows that it recognizes the media but the line protocol and the GigabitEthernet port are down.
Any ideas?
Sorry... a fiber optic cable with a connector on each end.
To aid in troubleshooting, many times we loopback the signal back to the originating device. An optical loopback is just connecting the transmit (Tx) to the receive (Rx).
The multimode SFP/GBIC transceiver you are using will allow you to directly connect the Transmit and Receive ports without damage to the unit. This should provide you with a green link LED.
If so, then you can reconnect your fibers and loopback (connect the two fibers together) at the far end of the fiber link (use an optical adapter) and see if you get a green LED. -
Catalyst 2960 Problem with Cisco SPA512
Hi there,
I hope someone can help me.
I don't have much experience with switches, I'm doing the desktop support in our company.
We have Catalyst 4510 R+E to 2 Catalyst 2960 switches and separate VLANs for IP Phones and for Internet in one part of our office.
Now I'm running into trouble with some IP Phones that are connected to the 2960 switches. It appears only to happen with Cisco's SPA-512. I've tried FW 7.5.2, 7.5.5 and 7.5.5b. These phones sporadically drop the call / connection, with the red MIC button blinking. Based on my research this means that it loses Internet connection. I have 1 SPA512 with FW 7.5.1 that does not show these symptoms.
I have other phones SPA942 and Polycom IP335 in the same area behind the same switches and no issues.
We've tried to disable auto negotiate and set a fixed transmission rate of either 1Gbps or 100Mbps, both without success.
I also have SPA512 in other areas of the office just connected to our Catalyst 4510 R+E and they work just fine. That's why I don't believe it has anything to do with the 4510, but I can be wrong.
That's all I have for you guys. Hope someone can help me to fix / troubleshoot this..
Frank
SSwitch3#test cable-diagnostics tdr int g1/0/16
TDR test started on interface Gi1/0/16
A TDR test can take a few seconds to run on an interface
Use 'show cable-diagnostics tdr' to read the TDR results.
SSwitch3#show cable-diagnostics tdr int g1/0/16
TDR test last run on: June 27 13:39:21
Interface Speed Local pair Pair length Remote pair Pair status
Gi1/0/16 1000M Pair A 52 +/- 10 meters Pair A Normal
Pair B 52 +/- 10 meters Pair B Normal
Pair C 52 +/- 10 meters Pair C Normal
Pair D 52 +/- 10 meters Pair D Normal
SSwitch3# -
802.1X with Guest vlan support IOS version ???
I don't know which IOS version supports 802.1X with guest VLAN on Catalyst 2950 and 3550 switches.
Please reply to my question. Thanks for your help.
Also, it is explained on the Cisco website, except for the Catalyst 2950 Standard Image (SI) in IOS 12.1(22)EA3,
but I can't understand it: my site is using a Catalyst 2950 SI for 802.1X and guest VLAN with IOS image 12.1(22)EA3.
ex) TW_14F_A_C2950_32.8#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)
Model number: WS-C2950-24
Please reply to my question. -
Catalyst 2960-x Tel 1 and g49, bug
Hi Cisco Community
I am experiencing a very strange bug or it's just a "feature". We are setting up 3 Catalyst 2960-x (EX5) as a stack. Te 1/0/1 and Te 2/0/1 are bundled as Etherchannel. (works fine "In-channel-group")
But we just can not connect anything else to Te 1/0/2 or Te 2/0/2.
When I checked the "sh run" I noticed that there are the ports g49 and g50. What should be Te 1 and Te 2.
interface GigabitEthernet1/0/49
switchport access vlan 901
switchport trunk native vlan 901
interface GigabitEthernet1/0/50
switchport trunk allowed vlan 1,10,20,30,40,50,761,901
interface TenGigabitEthernet1/0/1
description Ecosw2-1:Te1
switchport trunk allowed vlan 1,10,20,30,40,50,761,901
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
macro description cisco-switch
auto qos trust
spanning-tree link-type point-to-point
spanning-tree vlan 1,10,20,30,40,50,60,761,901 port-priority 64
channel-group 1 mode active
interface TenGigabitEthernet1/0/2
description Ecovm05:1
switchport access vlan 901
switchport trunk native vlan 901
Connecting my Blade to Te 1/0/2 or g50 just will not bring up any link.
Can somebody help me out here?
Best regards
Hello Ajay,
This is hardware failure. Please replace it.
Another useful post I found
https://supportforums.cisco.com/discussion/12251826/brom-boot-2960xr-switch
Hope this helps
******Please rate useful posts******
Thanks,
Madhu -
I had to connect a new Catalyst 2960 48TT switch to my Network. Which is connected straight to port two in Catalyst 3750G 48+4. I have three other already connected: 2 x Catalyst 2960 48TT and 1 Catalyst 2960 48TC.
The problem is I can not see the newly connected switch in Cisco Network Assistant. I see the other two switches but not the new one.
I have couple of computers connected to the new switch which are working fine.
I changed the main cables which go from 3750G to the other switches.
The network is working fine, the connected computers have internet...
Can someone please help...?....
Port Settings, on the 3750G (port 2)...
(ALL the ports are set correctly, on all the switches)
Status: enable
Duplex: auto
speed: auto
PortFast: enable when static access
Flow ctrl: off
Auto MDIX: on
VLAN SETTINGS:
Administrative port: 802.1Q Trunk
trunk allowed VLAN:1,2,5,10,15,20.....
Pruning VLAN: 2-1001
Native VLAN: 1 -
Catalyst 2960 and SGE500 switches
Hi,
Can we on the same network use Cisco Catalyst 2960 and Cisco SGE500 switches and share the same VLANs?
Hi,
I didn't find VLAN support in the key features of SGE500 but I'm sure it is there. For VLAN sharing you must configure a trunk between switches. The number of VLAN must be the same (excluding some cases).
For sharing VLAN information (VLAN count, names etc) the switches must support the VTP protocol, not sure that SGE500 supports it. But VTP is not necessary for trunking between switches. -
Catalyst 2960 XR support standard IEEE 802.3i
Hi
Does the Catalyst 2960 XR support the IEEE 802.3i standard?
Because it is not present in the datasheet.
Best regards.
Data Sheet doesn't cover this standard:
Standards
● IEEE 802.1D Spanning Tree Protocol
● IEEE 802.1p CoS Prioritization
● IEEE 802.1Q VLAN
● IEEE 802.1s
● IEEE 802.1w
● IEEE 802.1X
● IEEE 802.1ab (LLDP)
● IEEE 802.3ad
● IEEE 802.3af
● IEEE 802.3ah (100BASE-X single/multimode fiber only)
● IEEE 802.3x full duplex on 10BASE-T, 100BASE-TX, and 1000BASE-T ports
● IEEE 802.3 10BASE-T specification
● IEEE 802.3u 100BASE-TX specification
● IEEE 802.3ab 1000BASE-T specification
● IEEE 802.3z 1000BASE-X specification
Could you please open a TAC case so that we check with BU on the same? -
Catalyst 2960 for my LAN WS-c2960-48TC-S vs WS-c2960-48TC-L
Hello
I want to buy a Catalyst 2960 but I don't know which is good for my situation.
Model : WS-c2960-48TC-S (LAN Lite - 400 euro) vs WS-c2960-48TC-L (LAN Base - 900 euro) the difference of price is half.
I need 3 VLANs (2 VLANs with data and another VLAN, the 3rd, only for voice). I want all security options applied on ports (MAC, ACCESS, etc.).
Between switch and router will be a TRUNK channel...
The network design parts: lan printers - 4, desktop - 16, phone IP - 10.
I have only ISP .
So.. what do I need? LAN Lite or LAN Base
Another question: In LAN Lite do I have all commands?
Thanks
Q. What are the advantages of Cisco Catalyst 2960 Series Switches with the LAN Base software relative to Cisco Catalyst 2960 Series Switches with the LAN Lite software?
A. Cisco Catalyst 2960 LAN Base switches deliver intelligent services for branch offices and wiring closets. The LAN Base IOS software supports enhanced Layer 2+ security, quality of service (QoS), availability, and scalable management to enable new converged applications. Catalyst 2960 LAN Base switches include both 10/100 Fast Ethernet and 10/100/1000 Gigabit Ethernet connectivity in 8-, 24-, and 48-port configurations.
Cisco Catalyst 2960 LAN Lite switches are for entry-level branch office and wiring closet networks. They simplify the migration from nonintelligent hubs and unmanaged switches to a fully scalable and reliable network. The LAN Lite IOS software supports standard Layer 2 security, QoS, and availability while lowering the network total cost of ownership. Catalyst 2960 LAN Lite switches deliver 10/100 Fast Ethernet connectivity in 24- and 48-port configurations.
All Cisco Catalyst 2960 Series Switches have technical support service options available through Cisco SMARTNet ® service. All come with a Limited Lifetime Hardware Warranty, and LAN Base and LAN Lite software updates are provided at no additional cost.
Information came from the below link:
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-series-switches/prod_qas0900aecd80322c37.html
Will all commands be available? No...if they were then what would be the point of having different software levels? Will the switch meet all basic to intermediate needs? Yes. If you are looking for a set of specific commands to see if they are available then check out the command reference tools available from Cisco.
http://www.cisco.com/c/en/us/support/switches/catalyst-2960-series-switches/products-command-reference-list.html -
Catalyst 2960 - IBM/Cisco IGESM - Trunk port configuration
Good day all!
I am new in the Cisco world and am trying to configure a trunk between a Catalyst 2960 switch and an IBM Blade Center IGESM switch (manufactured by Cisco).
Unfortunately, it seems that the network traffic doesn't cross the trunk link.
I have followed (at least, I think so) the instructions given on the different Cisco documentation papers but I can't find the mistake in my configuration (lack of experience :-( !).
Both switches are using IOS. 2960 uses IOS 12.2(25)FX and IGESM uses IOS 12.2(22)EA8.
The ports are connected through a cross-over cable Cat5e.
Please find below the configuration for each ports:
Catalyst 2960:
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 200 (Workstation VLAN)
Trunking Native Mode VLAN: 200 (Workstation VLAN)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 1,99,200
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
IBM/Cisco IGESM:
Name: Gi0/20
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 200 (Workstation VLAN)
Trunking Native Mode VLAN: 200 (Workstation VLAN)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 1,99,200
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
For my test, I try to ping a blade (connected to IGESM) in VLAN 200 from a workstation connected to Catalyst 2960 (in VLAN 200 too). From a network analyser (ethereal), I can see the ARP broadcast from each side but none are going across the trunk link.
I am a bit lost about this problem and would be grateful for any assistance in solving it!
Many, many thanks in advance for your time!
Best regards,
Fabian
Hi Glen!
Both switches (Catalyst 2960 & IGESM) are brand new and most ports are still reflecting manufacturer's default configuration. Vlan 2 is the default native vlan for IGESM ports (excluding ports used for switch management which use vlan 1 as most Cisco switches).
I changed the native vlan for g0/5 on IGESM to 200. Now, ports g0/5 (access mode) and g0/20 (trunk mode) are on native vlan 200. On g0/5 is installed Windows 2003 instance (firewall disabled). The only purpose is to receive and send ping request to test connectivity.
My workstation is connected to 2960 switch on port fa0/1 (please find the configuration below). I can successfully ping other vlan 200 machines connected on the same switch. For testing purpose, I try to ping the blade machine connected on port g0/5 on IGESM.
Configuration of fa0/1:
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 200 (Workstation VLAN)
Trunking Native Mode VLAN: 200 (Workstation VLAN)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Is there any other information I could provide to better help you to understand the configuration?
Cheers!
Fabian -
Hi,
I have a 2960 sw configured for dot1x authentication, the problem is the Guest VLAN and Restricted VLAN did not work. The switch port was stuck in authenticating status.
The server is Juniper IC4500.
Switch is 2960G, IOS 15.0(1)SE2
the configuration:
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
dot1x system-auth-control
dot1x test timeout 30
dot1x guest-vlan supplicant
dot1x critical eapol
interface FastEthernet0/32
switchport access vlan 28
switchport mode access
authentication event fail action authorize vlan 41
authentication event server dead action authorize vlan 41
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 41
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab
authentication port-control auto
authentication timer reauthenticate 300
authentication violation protect
mab eap
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x max-req 1
dot1x max-reauth-req 1
dot1x max-start 1
spanning-tree portfast
Anyone with experience on this pls help.
Thanks,
hoanghiep
Forgot to mention that multi-auth does not support actions on either no-response or fail authentication events. So you need to set host-mode to MDA or single host.
Ref:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1454875 -
HQ and Remote Wired Guest VLAN
Hello all,
I am having trouble creating a standard condition for Policy Authorization. Basically there are HQ and remote locations configured for guest access.
Each location has its own guest vlan. On ISE the standard rules are:
Standard Rule 1 if Unknown AND Wired_MAB then Guest_Access
This rule is working good for HQ.
Standard Rule 2 if (Unknown OR MTL_Devices) AND Wired_MAB_MTL_Guest then Montreal_Guest
This rule is designed for remote, but Standard Rule 1 is taking over because the first match is applied, and the OR condition may cause some problems
with internal users since the condition is Unknown OR MTL_Devices. There is no AND condition for this.
Let me know if anyone has an idea or has solved this problem.
Thank you.
Hi,
You need to change the order of your rules, ISE uses the first matched rule from top to bottom, in your case the MTRL is matching the first rule since it is more open than the rule below which has the check for the network device.
Please change the order and see if this fixes your issue, if this doesn't work, post a screenshot of your policies just to make sure we are on the same page.
Thanks,
Tarik Admani
*Please rate helpful posts* -
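The first-match behaviour described in the answer above can be modelled to see which sessions a broader earlier rule takes away from a later one. This is an added example, not ISE's own evaluation code: it assumes Wired_MAB_MTL_Guest means wired MAB arriving from a Montreal network device, and the "Other" identity group, the "Default_Rule" result and the function names are hypothetical.

```python
from itertools import product

GROUPS = ("Unknown", "MTL_Devices", "Other")  # "Other" is a hypothetical group
LOCATIONS = ("HQ", "Montreal")


def guest_access(session):
    # Standard Rule 1 as posted: Unknown AND Wired_MAB
    return session["group"] == "Unknown" and session["wired_mab"]


def montreal_guest(session):
    # Standard Rule 2 as posted: (Unknown OR MTL_Devices) AND Wired_MAB_MTL_Guest
    # Assumption: Wired_MAB_MTL_Guest = wired MAB from a Montreal network device.
    return (session["group"] in ("Unknown", "MTL_Devices")
            and session["wired_mab"]
            and session["location"] == "Montreal")


RULES_AS_POSTED = [("Guest_Access", guest_access),
                   ("Montreal_Guest", montreal_guest)]
RULES_REORDERED = [("Montreal_Guest", montreal_guest),
                   ("Guest_Access", guest_access)]


def evaluate(rules, session, default="Default_Rule"):
    """Return the result of the first rule, top to bottom, whose condition matches."""
    for result, condition in rules:
        if condition(session):
            return result
    return default


def all_sessions():
    """Enumerate every combination of the modelled session attributes."""
    for group, wired_mab, location in product(GROUPS, (False, True), LOCATIONS):
        yield {"group": group, "wired_mab": wired_mab, "location": location}


def shadow_report(rules):
    """Map each rule to (sessions it matches, sessions an earlier rule takes first)."""
    report = {}
    for index, (result, condition) in enumerate(rules):
        matched = [s for s in all_sessions() if condition(s)]
        taken = [s for s in matched
                 if any(earlier(s) for _, earlier in rules[:index])]
        report[result] = (len(matched), len(taken))
    return report


if __name__ == "__main__":
    montreal_visitor = {"group": "Unknown", "wired_mab": True,
                        "location": "Montreal"}
    print("as posted:", evaluate(RULES_AS_POSTED, montreal_visitor))
    print("reordered:", evaluate(RULES_REORDERED, montreal_visitor))
    print("shadowing as posted:", shadow_report(RULES_AS_POSTED))
    print("shadowing reordered:", shadow_report(RULES_REORDERED))
```

With the Montreal rule first, the overlap that remains is the intended one: unknown wired-MAB sessions in Montreal get Montreal_Guest, and everything else that matches Rule 1 still gets Guest_Access.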
Bandwidth monitoring on a Catalyst 2960
Hello all, I'm working with two Catalyst 2960 switches and I would like to know if there is a way to monitor bandwidth on individual ports. Ideally I would like to have one graph showing a bandwidth usage reading on each port. I tried using the Network Assistant to accomplish this, but I was only able to view one port at a time. I also tried using a traffic graphing program from Paessler, but a MIB file is needed to allow the program to connect to the switch. When I ran a search on the network management page the 2960 was not on the list for MIB supported products. Is this type of graph possible to do? Or is there a more effective way to accomplish what I would like to do. Any ideas or suggestions would be helpful.
Hi, we have just swapped all our avaya switches with catalyst 2960 (12, 24 and 48 ports) and 3750 (48 ports with 10gig module).
How do I find what port I should monitor for bandwidth graphs?
Target[10.0.0.22_loc1]: 1:@10.0.0.22: