Open mode (monitor mode) with ise and catalyst switches

Hi There,
Anyone know if the following observation is correct?
From the TrustSec 2.1 "Monitor Mode" guide I get the idea that Open mode is not really as zero-impact in the data-gathering part of an ISE deployment as I was expecting. The guide describes using Profiling to authorize Cisco IP phones for the Voice VLAN.
- Does this mean that regular methods like using CDP won't work for this once I enable dot1x on an access switch port interface?
- And that I will need to figure out which ports should be set for multi-domain (phone+PC), and which should be set for multi-auth (possibly multiple devices on one port) during the open mode period?
Regards
Jan

Hello Jan-
Below is my input to your questions:
From the TrustSec 2.1 "Monitor Mode" guide I get the idea that Open mode is not really as zero-impact in the data-gathering part of an ISE deployment as I was expecting.
Yes, a device is still allowed on the network even if it fails all authentication methods (MAB, 802.1X, etc.). Basically you use monitor mode to perform discovery and see what would have been blocked had ISE been deployed in production.
The guide describes using Profiling to authorize Cisco IP phones for the Voice VLAN.
Yes, you can use profiling to do this. Keep in mind that you will need advanced licensing for this. Otherwise, you can either use MAB with static MACs imported/entered in the local database or EAP-TLS with phone certificates.
- Does this mean that regular methods like using CDP won't work for this once I enable dot1x on an access switch port interface?
CDP will still work; in fact some of the profiling happens thanks to CDP. However, the device is simply not going to be allowed to get on the network and the Voice VLAN unless it passes authentication/authorization.
- And that I will need to figure out which ports should be set for multi-domain (phone+PC), and which should be set for multi-auth (possibly multiple devices on one port) during the open mode period?
This really depends on how secure you want your network to be.
Hope this helps!
Thank you for rating!
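A small analysis of the records an open-mode pilot produces, as an added example that is not from the original thread or from Cisco: it answers Jan's two questions from monitor-mode data, listing which endpoints would have been denied in closed mode, which passed only via MAB and therefore need a profiling or static-MAC policy, and which host mode (single-host, multi-domain, multi-auth) each port needs. The log line layout, port names, MAC addresses and profile names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: one line per authentication result that ISE reported for
# an access port during the open-mode window. The line layout and the profile
# names are assumptions made for this example, not an ISE export format; the
# dot1x -> MAB fallback order on each port follows the thread.
SAMPLE_LOG = """\
09:01:10 port=Gi1/0/1 mac=00:1b:54:aa:bb:01 method=dot1x result=pass profile=Workstation
09:01:12 port=Gi1/0/1 mac=00:1b:d4:cc:dd:02 method=mab result=pass profile=Cisco-IP-Phone
09:02:05 port=Gi1/0/2 mac=00:50:56:11:22:33 method=dot1x result=fail profile=Unknown
09:02:09 port=Gi1/0/2 mac=00:50:56:11:22:33 method=mab result=fail profile=Unknown
09:03:30 port=Gi1/0/3 mac=00:1b:d4:cc:dd:03 method=mab result=pass profile=Cisco-IP-Phone
09:03:31 port=Gi1/0/3 mac=00:0c:29:44:55:66 method=dot1x result=fail profile=Workstation
09:03:34 port=Gi1/0/3 mac=00:0c:29:44:55:66 method=mab result=pass profile=Workstation
09:04:00 port=Gi1/0/4 mac=00:0c:29:77:88:99 method=dot1x result=pass profile=Workstation
09:04:01 port=Gi1/0/4 mac=00:0c:29:77:88:aa method=dot1x result=pass profile=Workstation
09:04:02 port=Gi1/0/4 mac=00:0c:29:77:88:bb method=mab result=fail profile=Printer
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) port=(?P<port>\S+) mac=(?P<mac>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>\S+) profile=(?P<profile>\S+)$"
)

# Profiles that belong in the voice domain of a multi-domain port (assumption).
VOICE_PROFILES = {"Cisco-IP-Phone"}


def parse_log(text):
    """Turn the sample lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def would_be_blocked(records):
    """MACs that never passed any method.

    In open mode they got network access anyway; in closed mode they are the
    endpoints that would be denied, so each needs a policy decision before
    the port is switched out of monitor mode.
    """
    passed = {r["mac"] for r in records if r["result"] == "pass"}
    seen = {r["mac"] for r in records}
    return sorted(seen - passed)


def mab_only_endpoints(records):
    """MACs that only ever passed via MAB (no dot1x success).

    These are the candidates for the profiling policy or the static MAC list
    the answer mentions; they will not survive a move to dot1x-only.
    """
    dot1x_ok = {r["mac"] for r in records if r["method"] == "dot1x" and r["result"] == "pass"}
    mab_ok = {r["mac"] for r in records if r["method"] == "mab" and r["result"] == "pass"}
    return sorted(mab_ok - dot1x_ok)


def recommend_host_mode(records):
    """Suggest a host mode per port from what was seen in monitor mode.

    multi-auth  : more than one data endpoint (multi-auth also permits one
                  voice endpoint, so a phone plus several PCs lands here)
    multi-domain: one voice endpoint and at most one data endpoint
    single-host : a single data endpoint and no phone
    """
    per_port = defaultdict(lambda: {"voice": set(), "data": set()})
    for r in records:
        domain = "voice" if r["profile"] in VOICE_PROFILES else "data"
        per_port[r["port"]][domain].add(r["mac"])
    modes = {}
    for port, seen in sorted(per_port.items()):
        if len(seen["data"]) > 1:
            modes[port] = "multi-auth"
        elif seen["voice"]:
            modes[port] = "multi-domain"
        else:
            modes[port] = "single-host"
    return modes


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("would be blocked in closed mode:", would_be_blocked(recs))
    print("MAB-only endpoints:", mab_only_endpoints(recs))
    for port, mode in recommend_host_mode(recs).items():
        print(f"{port}: {mode}")
```

The host-mode suggestion is only a starting point; as the answer says, the final choice per port depends on how strict you want to be.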

Similar Messages

  • CWA with ISE and 5760

    Hi,
    we have an ISE 1.2 (Patch 5), two 5760 Controllers (3.3), one acting as Primary Controller (named WC7) for the APs and the other as Guest Anchor (named WC5).
    I have trouble with the CWA. The Guest is redirected and enters the correct credentials. After that, the CoA fails with error-cause(272) 4 Session Context Not Found. I have no idea why....
    aaa authentication login Webauth_ISE group ISE
    aaa authorization network cwa_macfilter group ISE
    aaa authorization network Webauth_ISE group ISE
    aaa accounting network ISE start-stop group ISE
    aaa server radius dynamic-author
    client 10.232.127.13 server-key 0 blabla
    auth-type any
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 31 send nas-port-detail mac-only
    wlan test4guests 18 test4guests
    aaa-override
    accounting-list ISE
    client vlan 1605
    no exclusionlist
    mac-filtering cwa_macfilter
    mobility anchor
    nac
    no security wpa
    no security wpa akm dot1x
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    security dot1x authentication-list Webauth_ISE
    no shutdown
    wc5# debug aaa coa
    Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
    Feb 27 12:19:08.444: RADIUS:  authenticator CC 33 26 77 56 96 30 58 - BC 99 F3 1A 3C 61 DC F4
    Feb 27 12:19:08.444: RADIUS:  NAS-IP-Address      [4]   6   10.232.127.11
    Feb 27 12:19:08.444: RADIUS:  Calling-Station-Id  [31]  14  "40f308c3c53d"
    Feb 27 12:19:08.444: RADIUS:  Event-Timestamp     [55]  6   1393503547
    Feb 27 12:19:08.444: RADIUS:  Message-Authenticato[80]  18
    Feb 27 12:19:08.444: RADIUS:   22 F8 CF 1C 61 F3 F9 42 01 E4 36 77 9C 9B CC 56            [ "aB6wV]
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  41
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  43
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   37  "subscriber:reauthenticate-type=last"
    Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  49
    Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2e1e000003c6"
    Feb 27 12:19:08.444: COA: Message Authenticator decode passed
    Feb 27 12:19:08.444:  ++++++ CoA Attribute List ++++++
    Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
    Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
    Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
    Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
    Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
    Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
    Feb 27 12:19:08.444:
    Feb 27 12:19:08.444:  ++++++ Received CoA response Attribute List ++++++
    Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
    Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
    Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
    Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
    Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
    Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
    Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
    Feb 27 12:19:08.444:
    wc5#

    The reason for this is two bugs which prevent this from working:
    https://tools.cisco.com/bugsearch/bug/CSCul83594
    https://tools.cisco.com/bugsearch/bug/CSCun38344
    This is embarrassing because this is a really common scenario. QA anyone?
    So, with ISE and 5760 CWA is not working at this time. 

  • How do I reboot my iMac in Lion? Right now it opens a black screen with dos and asks me to insert the boot disk.

    How do I reboot my iMac in Lion? Right now it opens a black screen with DOS and asks me to insert the boot disk. I recently installed Parallels & Windows 7. Now if I have to turn the system off, it starts up as per above in DOS. I know I need to start up and press a couple of keys, but which ones? I forgot....

    A simple search around here, identified this thread https://discussions.apple.com/message/15762361#15762361
    The More Like This box on the right has more.

  • Dacl on ACS 5.1 and Catalyst switch 3560

    Dear all
    I have ACS 5.1 and Catalyst switch 3560 with version 12.2(53)SE. I configure a dacl on the ACS and I use it on authorization profile.
    This authorization profile is used in an access policy.
    I tried the authentication but it doesn't work. I checked the ACS logs and I found that the user is authenticated successfully but the dACL gives this error (The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected)
    Steps:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11025  The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected
    11003  Returned RADIUS Access-Reject
    DACL:
    deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log
    permit ip any any log
    Thanks in advance,

    Dear Tiago
    I applied the command "radius-server vsa send". Now I can see the dACL is applied but I can't see it on the switch, and even though the authentication succeeded in the ACS logs, it gives me unauthorized on the switchport. You can see the logs (started with the username acstest; the access-list is applied but it doesn't work, and you can see that it goes to MAB after EAP timed out). I hope you can help on this issue.
    Dec 13,10 10:29:00.513 AM
    00-23-AE-7A-58-A6
    00-23-AE-7A-58-A6
    Default Network Access
    Lookup
    Dot1x-3560-Switch
    1.2.3.4
    FastEthernet0/5
    TESTACS
    22056 Subject not found in the applicable identity store(s).
    Dec 13,10 10:28:29.186 AM
    #ACSACL#-IP-Guest-4cfcc14d
    Dot1x-3560-Switch
    1.2.3.4
    TESTACS
    Dec 13,10 10:28:28.726 AM
    acstest
    00-23-AE-7A-58-A6
    Default Network Access
    PEAP (EAP-MSCHAPv2)
    Dot1x-3560-Switch
    1.2.3.4
    FastEthernet0/5
    TESTACS
    Thanks,

  • When I open about this mac - more info and I switch through the tabs (display,memory,storage,support,service) it lags (fps drops, animation looks choppy not smooth). Why does this happen? (over 300 gb free,same programs installed,free desk-downloads)

    When I open About This Mac -> More Info and I switch through the tabs (display, memory, storage, support, service) it lags (fps drops, animation looks choppy, not smooth) even though all of the Mac (programs, interface) works smoothly. Why does this happen? (over 300 GB free, same programs installed, free desktop-downloads, no garbage there, everything neat and tidy.) Need some help. Only there the animations go at like 2 fps and are not smooth. I do not understand why, because the programs are the same, so it's the usage. Nothing is changed, yet I have experienced this little issue for a couple of days.

    OK, I'm confused. When I do About this Mac > More Info in OS10.9, I don't see any animation other than the window resizing. Is that the animation you are describing?
    Which if any of the following apply to your computer:
    1) Are you running any anti-virus/internet security applications?
    2) Are you running any "cleaning/tune-up/optimizations" applications?
    3) Any peer-to-peer or torrent downloading software?
    4) Any third-party disk backup software that came bundled with an external hard drive?
    5) Any online backup scheme other than iCloud (Carbonite; GoogleDrive; MS One Drive)?
    6) Did your financial institution ask you to install Trusteer EndPoint Protection (also known as Trusteer Rapport)?

  • Can the system automatically start up with OSX and later switch to windows after starting up?

    I mean, I don't want to choose between OSX or Windows when I start up. I just want to start up with OSX. Is it possible to only start with OSX and later switch to Windows after starting up, or is there any option?

    You want to override the default and reboot into Windows next time?
    Use BootChamp or Option key.
    But when there are Windows updates it will need to be set to boot into Windows.
    Sounds like you don't want to run Windows natively.

  • Slow file browsing in MED-V / XP Mode with NAT and DFS

    Note, for the purposes of this question, this issue is with the Windows Virtual PC / XP Mode integration portion of MED-V so is not MED-V specific.
    We are in the process of deploying hundreds of MED-V instances to Windows 7 PCs to support legacy applications until they are replaced with versions that are compatible with Windows 7.  Due to security concerns and our network infrastructure configuration,
    we are required to use "Shared Networking (NAT)" mode for the Windows XP virtual machines.  Our network drives are mapped to DFS shares.  Depending on the site and drive mappings of a user, when opening or saving a file in an application,
    it can take several minutes to browse to the target directory, even if it's not on a DFS share.  Occasionally, it takes so long that the RemoteApp window hangs and disappears, even though the application is still running in the Windows XP VM.
    Running network traces in the VM, I can see that Windows XP tries to "ping" all of the DFS targets whenever the network drives are enumerated, such as when clicking on My Computer.  It waits for responses, then eventually times out. 
    From what I understand, this is the way that Windows XP determines which DFS target link is the fastest.  Unfortunately, since vpc.exe does not run with admin rights in Windows 7, ICMP (ping sends ICMP ECHO REQUESTS) is blocked by the NAT
    between the VM and the Windows 7 host.  (This is why you cannot ping other PCs on the network from within the Windows XP VM when using NAT.)  Therefore, the long wait times happen while XP waits for the replies that never come.
    To verify that this is indeed the problem, I started vpc.exe with admin rights, then started the MED-V Workspace.  I could ping other computers now from within XP and browsing took seconds instead of minutes.  However, our users will not have admin
    rights in Windows 7 so this is not an option for them.  I also tested in bridged mode instead of Shared Networking mode with the same positive results.  However, this is also not an option in our environment.
    Any solutions or recommendations will be greatly appreciated.
    Thank you in advance,
    Victor S.
    Victor S. - Sogeti USA

    Hi,
    I would do some research on this issue.
    And I would update as soon as possible.
    If you have any feedback on our support, please click here.
    Alex Zhao
    TechNet Community Support

  • Problem with HD6630M and catalyst on custom kernel

    My laptop is a Sony Vaio SA with an HD6630M and Intel graphics as a hybrid graphics setup. I'm using linux-sony from AUR.
    This is what I've done so far:
    I have followed the instructions in the catalyst wiki in order to install catalyst for a custom kernel, with catalyst-hook,
    but after installing, aticonfig --initial -f throws "no supported adapters detected". I'm sure that my adapter is supported by the latest driver as some guys have successfully made the setup.
    I've read every thread I could find on Google about my issue but I didn't make progress although others have made it!
    Things I tried:
    - installing the .run package from ATI manually
    - reinstalling xorg and making an xorg.conf on my own (Xorg -configure does not work either)
    - installing catalyst on the default latest kernel
    - I have not tried any other distro lately to see if I could make it work.
    - the open drivers also do not work with my setup; I can only have the Intel card and blacklist radeon. (vgaswitcheroo does not work either)
    - many others I cannot recall
    The two cards show up in lspci so it isn't a hardware problem.
    Has anyone an idea what might be going on or what I'm doing wrong?

    Hello All
    I found out the solution myself!!!! Phew!!
    In order to create a French page a couple of things need to be done:
    1) In the configuration manager > display tab > change the language to French
    2) Log in to Application Designer and create the same component and page that was created in English. You may not have to create the page from scratch since you would first create it in the base language English, and hence when you log in as French you will have the page, but it will be distorted so it will need to be rearranged.
    3) Any text that is there on the page will have to be rewritten in French if it is static text; otherwise, if it is being called from a message catalog, it needs to be first written in English (this writes to PSMSGCATDEFN). Now go to PeopleTools > Translation > Translate System Definitions > Messages
    and create the French translation. For more details on how to create new language-specific messages read PeopleBooks (type Translating Messages in the search of PeopleBooks).
    The language-specific messages are written to the PSMSGCATLANG table.
    Now when you log in to PeopleSoft as French you will see all your custom pages in French.
    Have fun creating any global pages

  • LWA Guest Access with ISE and WLC

    Hi guys,
    Our company is trying to implement Guest Access with ISE and WLC with the Local Web Auth method. But there is a problem that comes up with the certificate. This is the scenario:
    1. Guests try to connect to wifi with SSID Guest
    2. Once connected, guests open the browser and try to open a webpage (example: cisco.com)
    3. Because guests didn't log in, it redirects to the "ISE Guest Login Page" (the URL becomes:
    https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
    4. If there is no ISE Guest Login Page installed, an Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
    5. After that the Guest Login Page will appear, and guests input their username and password.
    6. Login succeeds and they will be redirected to www.cisco.com, and there is a pop-up from 1.1.1.1 (WLC Virtual Interface IP) with a logout button.
    The problem happens in step 6: after login success, the webpage with the ISE IP address and a certificate error message for 1.1.1.1 appears.
    I know it happened because guests didn't have the WLC Login Page Certificate...
    My question is, is there a way to tunnel the WLC Certificate through ISE? Or what can we do to make ISE validate the WLC Certificate, so guests don't need to install the WLC Certificate/Root Certificate before connecting to wifi?
    Thanks for your answer and sorry for my bad English....

    Thanks for your reply Peter, your solution is right.
    I didn't choose CWA, because their DNS is not stable...
    I've found the problem...
    the third-party CA is revoked, so there is no way it will succeed until it's fixed...
    and there is no guarantee they will fix it soon..
    so the solution that we chose is to disable "HTTPS" on the WLC...
    "config network web-auth secureweb disable"
    thank you all...

  • Cisco ISE and Catalyst 2950

    Hello!
    Please, could you help me? Is it possible to install ISE on Catalyst 2950? In the Component Compatibility Guide
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html
    Catalyst 2950 only supports 802.1X and VLAN.
    First I need to know about VLAN change (from restricted to corporate). Does Catalyst 2950 support it?
    Thanks for help!

    This would let both user and machine authenticate. For "5434 Endpoint conducted several failed authentications of the same scenario", check the Suppress Anomalous Clients option. This issue comes into the picture when an endpoint attempts a couple of failed authentications; if the Suppress Anomalous Clients option with Reject Requests After Detection is enabled, then ISE Policy nodes protect themselves from overwhelming numbers of authentication requests by sending an immediate reject for suppressed clients as opposed to processing all the steps in a normal authentication. So if that user had some authentication failures, he will be locked for 1 hour (by default).

  • WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)

    Hi there,
    Is it possible to use sleeping clients when using ISE and CWA?
    I was thinking of enabling layer3 auth with web auth on mac auth failure, but will that work with CWA?
    Or is the only solution to use LWA?

    Controller -> General -> User Idle Timeout (seconds) = 50 000 sec.
    And your users will be connected all this time even if they go into sleep mode.
    Be careful with CPU loading.

  • Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

    Hi,
    Customer currently uses ASA to directly integrate with an RSA kind of solution to provide a 2-factor authentication mechanism for VPN user access.  We're considering introducing ISE to this picture, and offloading posture analysis from ASA to ISE.  And the flow we're thinking of is to have ASA interface to ISE and ISE interface to RSA and AD backend infrastructure.  And we still need the 2-factor authentication to work, i.e., the customer gets an SMS code in addition to their login username and password.  I'm wondering if the ASA/ISE/RSA/AD integrated solution (with 2-factor authentication working) is a tested solution or Cisco validated design?  Any potential issues that may break the flow?
    Thanks in advance for any input!
    Tina

    Hi,
    I have an update for this quite broad question.
    I have now come a bit further on the path.
    Now the needed RADIUS Access attributes are available in ISE after adding them in
    "Policy Elements" -> "Dictionaries" -> "System" -> "Radius" -> "Cisco-VPN3000".
    I added both the attribute 146 Tunnel-Group-Name, which I really need to achieve what I want (select different OTP backends depending on Tunnel Group in ASA), and the other new attribute 150 Client-Type, which could be interesting to look at as well.
    Here the "Diagnostics Tools" -> "General tools" -> "TCP Dump" and Wireshark helped me understand how this worked.
    With that I could really see the attributes in the RADIUS access requests going in to the ASA.
    Now looking at a request in "Radius Authentication details" I have
    Other Attributes:
    ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
    OK, the tunnel group name attribute seems to be understood correctly, but Client-Type just says =, no value for that.
    That is strange, I must have defined that wrong(?), but let's leave that for now, I do not really need it for the moment.
    So now that I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
    The problem now is that as soon as I add a criterion to an expression containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), then that row does not match any more. It still works matching against NAS-IP and other attributes.
    What could it be I have missed?
    Best regards
    /Mattias

  • Unable to open links in emails with FireFox and Outlook Express 07.

    Seems to be a javascript error. When it is disabled, links will open. But other problems appear on browser.
    Have reset default programs.
    Win IE will open links. [ctrl + click] will sometimes open a new window with link. Usually, only the browser window opens with no link showing.
    If all defaults go to Windows IE, everything is ok.

    See this:
    https://support.mozilla.com/en-US/kb/How%20to%20make%20Firefox%20the%20default%20browser

  • Airport wifi problems with uverse and gigabit switch resolved

    I think there is a bug in airport firmware 7.6 with how spanning tree works in addition to problems with the Uverse router. Having an Airport with a uverse 2wire 3801 and gigabit switch will not work. Putting the extreme in NAT mode with DMZ plus behind the uverse resolved the problem.
    Network configuration:
    Uverse 2wire 3801 router
        3801 provides prioritization for upstream traffic so skype and VoIP work better when doing a lot of stuff on Internet
    Airport extreme firmware 7.6
    two airport express 802.11n hardwired to extreme. Set up in bridge mode. All access points have same SSID "create a network" to enable roaming. Ignore anything to do with extending a network.  firmware 7.6
    two gigabit switches
        Netgear GS608 - 8 port gigabit switch
        Trendnet TEG-S80g - 8 port gigabit switch
        100BT 5 port switch - did not figure into problem
    Three Uverse set top boxes wired on Ethernet. They have to be wired directly to the 2wire box to work correctly. See: http://forums.att.com/t5/Features-and-How-To/At-amp-t-U-Verse-modem-setup-Airport-Extreme/td-p/2300785
    However, you need to be careful to place your own PCs and other internet devices on the network created by your gear (airport extreme in your case), but keep AT&T's set top boxes for the IPTV services IN FRONT of your own router - so they remain on AT&T's provided network.
    So it would work like this ...
    Network 1: 2wire RG (4 lan ports) ->  Any Set tops, and to the WAN port on your AirportExtreme
    Network 2: Airport Extreme LAN ports -> to any computers or internet devices (but not AT&T set top boxes).
    The RG prioritizes the traffic for your Uverse Voice and your Uverse TV ahead of internet data traffic, as it rationalizes data heading out of your home.  If you place your own equipment in that equation (like putting AT&T set top boxes behind your Airport Extreme) the performance and function of your AT&T set top boxes could really flake out on you.
    Symptom:
        Everything would be working fine, then intermittently all my wifi access points would stop working. ~6,000 ms latency, dropped packets. Ethernet worked fine. Here is an example of my macbook pinging the extreme when associated with the extreme over wifi with a strong signal.
    ping: sendto: Host is down
    Request timeout for icmp_seq 23
    Request timeout for icmp_seq 24
    64 bytes from 192.168.1.64: icmp_seq=25 ttl=255 time=267.051 ms
    Request timeout for icmp_seq 26
    Request timeout for icmp_seq 27
    Request timeout for icmp_seq 28
    64 bytes from 192.168.1.64: icmp_seq=26 ttl=255 time=3402.599 ms
    Request timeout for icmp_seq 30
    Request timeout for icmp_seq 31
    Request timeout for icmp_seq 32
    64 bytes from 192.168.1.64: icmp_seq=30 ttl=255 time=3060.673 ms
    64 bytes from 192.168.1.64: icmp_seq=34 ttl=255 time=24.115 ms
    64 bytes from 192.168.1.64: icmp_seq=35 ttl=255 time=31.056 ms
    64 bytes from 192.168.1.64: icmp_seq=36 ttl=255 time=39.828 ms
    Root cause:
        It looks like the 2wire 2801 router has a problem with spanning tree when interoperating with gigabit switches and airports. There is interplay with the airport.
    I did not have this problem until the 7.6 airport firmware. I had been using the Netgear hub for about a year with the extreme in bridge mode. I added the Trendnet hub and upgraded airport firmware at the same time which made fault isolation difficult.
    Problem recreation:
    Set up airport expresses hard wired to extreme
    Connect gigabit switch anywhere to network
    Everything OK
    Detach one computer from wifi then reattach; then all wifi stops working. It takes a few seconds for the problem to propagate.
    Ethernet still works fine
    Problem Resolution:
    Connect to 2wire with ethernet
    Set 2wire route to have subnet as 192.168.2.x
    Set extreme in NAT mode behind 2wire. It will complain about double NAT. Override the warning. Set the subnet to 192.168.1.x so you don't have to change any static IP addresses. Note that 2wire uses 192.168.1.254 as default route whereas airport uses 192.168.1.1.
    I set DHCP to start at .10 to leave the lower addresses for assigning static IP addresses to computers I want to expose outside the firewall.
    Go into firewall settings. Select airport extreme. Select the bottom setting which is "DMZ Plus". When you go into the airport extreme settings, you will now see that it has the uverse public IP address on its WAN port. NAT port mappings work fine on the extreme behind the 2wire router.

    Keeping this very short here is a summary of the actual problem and solution to allow your Apple Airport Extreme to run in Bridge mode on the same subnet as your uVerse settop boxes (if your Layer 2 switch is configurable). 
    Devices: Uverse, Cisco SG300, and Airport Extreme
    uVerse uses Multicast to broadcast video streams between the uVerse network to the settop box, and from settop box to settop box.
    X number of Multicast Groups are created based on X number of settop boxes you have.  You can see the multicast definitions by logging into the webinterface of the iNid. Each settop box is a member and can choose to display a broadcasted TV stream or not.
    Multicast membership is setup by the use of ICMP messages for IPv4 (MLD for IPv6).  Each of the settop boxes become members of each others multicast group by reporting up to the iNid (MultiCast Proxy).
    In an ideal world a layer 2 switch will track these memberships and only forward a broadcast packet to the ports on the switch to which the settop boxes are connected.  The switch would do this via snooping on the ICMP packets.  Most switches by default do not do this and simply forward the broadcast packet out every one of its switch ports.
    Herein lies the problem.  The problem is that the Apple AES doesn’t do ICMP snooping / filtering and floods the wireless network with these broadcast streams.
    In order to fix this you must turn on ICMP snooping and filtering on the switch (or buy a switch that does this).  I have a Cisco SG300 and list out the configuration below.
    Other notes:
    Ensure that all Media renderers (settop boxes) and servers are wired directly off the switch and not attached to any of the Airport Express ports.  This way no media traverses the Airport (only control point traffic goes through the WiFi, which is fine).  Obviously if the IGMP snooping switch sees any client requesting Multicast streaming traffic on the same port as the WAP, it will add that Multicast address to the forwarding table for that port, and then, yes, it could get flooded.
    Remember, you need to allow some Multicast traffic through your WAP to allow UPnP discovery to work (assuming that you will be using Wireless control points.)
    Read the Multicast chapter in the SG 300 switch Admin Guide as it explains things very well.
    Setting up multicast on the SG300s using the WebUI:
    1. Multicast/Properties/
    Tick enable Bridge Multicast Filtering Status for VLAN 1, and
    set the Forwarding Method to IP Group Address for both IPv4 & IPv6.
    2. Multicast/ IGMP snooping/
    Tick enable IGMP snooping status then select and edit the entry and ensure that IGMP querier status is ticked.
    It's essential for IGMP snooping to work that there must be at least one active IGMP querier on the network - if more than one is enabled, they will carry out an "election" to decide which one should be active (normally the one with the lowest IP address.)
    3. Multicast Router Port
    Set whichever port that is connected to the uVerse iNid to Status which means that it the uVerse router connected to this port is the Multicast Router
    4. Multicast/ Unregistered Multicast
    set all ports to Filtering. (The default is Forwarding.)
    There are a lot of other variables within all the above - the defaults are OK, you should probably leave them alone!
    In the config file you would then expect to see the above appearing as something like this:
    ip igmp snooping
    ip igmp snooping vlan 1
    ip igmp snooping vlan 1 immediate-leave
    interface vlan 1
    bridge multicast mode ipv4-group
    bridge multicast ipv6 mode ip-group
    interface range gi1-10
    bridge multicast unregistered filtering
    ip igmp snooping vlan 1 querier
    ip igmp snooping vlan 1 querier address <IP-Addr>

  • The difference of the IEEE802.1x Auth between Cisco Routers and Catalyst switches

    Hello
    I am investigating the difference of the IEEE802.1x Auth between Routers and Switches.
    Basically dot1x auth is available on Catalyst Switches. However, if I want to check
    Port-Based Multi-Auth, MAC address Auth and any certification Auth with this feature,
    is it possible to integrate these into a Cisco Router such as the Cisco 891F?
    In my opinion the Cisco 891F is also able to use basic IEEE802.1x, but if it is compared with Catalyst switches such as the Cat3560X
    I think there might be some unsupported features on the Cisco 891F.
    I appreciate any information. thank you very much in advance.
    Best Regards,
    Masanobu Hiyoshi

    Many times in interviews I was asked for a comparison between Cisco routers and switches that I was answerless to because I don't have much knowledge about that. Can anyone provide me the comparison sheet of the same: how the Cisco devices differ from each other, how much bandwidth each router supports, etc...
    Ummmm ... The most common question I get is "what is the difference between a router and a switch".
    However, if you get a question like this, then my impressions of this line of questioning are:
    1.  The candidate they are looking for has in-depth knowledge of routers and switches.  And I mean IN-DEPTH!;
    2.  They are not looking for a candidate.  They just want to stroke their ego.  There are not a lot of people who can give you the "names and numbers" of routers and switches at the snap of a finger.  And if you do happen to know the answer, then and there, then expect a tougher follow-up question.
