Re: Mac Address\IP Bunding on Cisco 3560

Similar Messages

• Mac-Address Different format for Authorization on Cisco ISE

  Dear All,
  I have problem with my Cisco ISE,
  This is the design :
  ISE ---- Core Switch ---- 3Com Switch --- PC User
  My Case:
  Authorization is based on Mac-address and Active Directory,
  But user with PC that connect to 3Com swtich is Deny by ISE because the Format Mac-address is different with Cisco,
  Mac-address Cisco format :  XX:XX:XX:XX:XX:XX
  Mac-address 3Com format :  XXXX-XXXX-XXXX
  3Com Switch type is TRICOM 4210 26-PORT.
  Anyone have experience with this? and how change the mac-address format in 3Com so user can authorized by Cisco ISE.
  note:
  authorization based on Active Directory is not problem with 3Com Switch.
  Based on my experience, Different product is different format mac-address, so this case not only for 3Com Switch.
  Thanks,
  Arika Wahyono

  I do not think Cisco will add these vendors to the supported switch matrix because then it would be a support issue that cisco would have to deal with, much like most of the AD issues I experienced when I worked in TAC. Your best bet would be to run the evaluation license instance in a lab and have a 3com switch point against that.
  Other than that I do not recommend upgrading to 1.2 without validating that the new "multi-vendor" MAB support will work on your switch.
  PS- Keep in mind that my comments is just my opinion so you may need to open a TAC case for an official answer.
  Tarik Admani
  *Please rate helpful posts*

• Cisco Aironet Remove Local MAC Address List (all)

  Hi All,
  I need to remove all MAC addresses in the LOCAL MAC Address List on a Cisco Aironet. I do not want to remove running config on the device as we have changed over to a RADIUS Server.
  Can anyone give me some advice please?

  I have found a solution, please close this forum post.

• Maximum MAC address table size

  Hello guys.
  what is the maximum MAC address table for the Cisco 3750X series switches?

  Scalability Numbers
  MAC, routing, security, and QoS scalability numbers depend on the  type template used in the switch. Routing template is not supported in  the LAN Base feature set. Table 10 shows Cisco Catalyst 3750-X and  3560-X Series Switch scalability numbers.
  Cisco Catalyst 3750-X and 3560-X Series Switch Scalability Numbers    
  Access
  Default
  Routing
  VLAN
  Unicast MAC addresses
  4K
  6K
  3K
  12K
  IGMP groups and multicast routes
  1K
  1K
  1K
  1K
  Unicast routes
  6K
  8K
  11K
  0
  Directly connected hosts
  4K
  6K
  3K
  0
  Indirect routes
  2K
  2K
  8K
  0
  Policy-based routing ACEs
  0.5K
  0
  0.5K
  0
  QoS classification ACEs
  0.5K
  0.5K
  0.5K
  0.5K
  Security ACEs
  2K
  1K
  1K
  1K
  VLANs
  1K
  1K
  1K
  1K

• Arp/mac address cache timeouts

  Anybody know how long a mac address stays in a Cisco IOS arp cache when issuing "show ip arp"? How about a mac address in a CatOS switch when issuing "show cam dynamic". What constitutes the length of time an arp entry is cached?

  Hello,
  the default ARP timeout (show ip arp) is 14400 seconds, which equals 4 hours. The CAM default agingtime (show cam dynamic) is 300 seconds, which equals 5 minutes. That means that the ARP or CAM entry will stay in the cache for a minimum of 4 hours and 5 minutes, respectively...
  Is that what you are asking ?
  Regards,
  GP

• Extended 48-bit MAC address access list

  How can I apply extended 48-bit MAC address access list on Cisco 7606?

  You can use the following example for the MAC address based access list :
  mac access-list extended CAPTURE 10
  permit any any
  vlan access-map IDS 10
  match mac address CAPTURE
  action forward capture
  vlan filter IDS vlan-list 115,119
  interface FastEthernet 3/48
  switchport
  switchport capture

• Understanding Wireless Mac Address

  Hi,
  I would like to know te range of mac address used for only Cisco Wireless, and I would appreciate to know how the ap and the controler assign the virtual mac address they use and how to get them from the WLC gui.
  WLC - 4400
  AP - Air1131
  Thanks

  As you add SSIDs (Service Set Identification(s)) to an access point each BSSID (Basic Service Set Identifier) receives a virtual mac address. This allows for wireless network segmentation as well as for wireless clients to communicate via LAYER 2 with each access point BSSID.
  A Cisco access point takes the base radio mac address and then virtualizes the mac address as additional SSIDs are added. What is interesting is how the virtual MAC addresses are selected. Pay very close attention to the 2.4GHz and 5 GHz radios and BSSIDs.
  BASE RADIO MAC ADDRESS
  You can find the base radio mac address under WIRELESS->Select Access Point
  Virtualized BSSID(s)
  I configured a controller with 16 SSIDs. Each SSID named as 01,02,03,04,05,06, 07,08,09,10,11,12,13,14,15 and 16. I then enabled both the 2.4 GHz and 5 GHz radios. Cisco WLC access points have a limit of 16 SSIDs on each radio.
  I then fired up AirMagnet WiFi Analyzer Pro to conduct a capture.
  Note: The access point base radio mac address ends in A9:10.
  2.4 GHz – Notice the first SSID ‘01’ is assigned the BASE RADIO MAC ADDRESS A9:10. The second SSID is appended with a .11 and so on.
  5GHz – Notice the sixteenth SSID ‘16’ is assigned the BASE RADIO MAC ADDRESS A9:10. The fifteenth SSID is appended with a .11 and so on.
  NOTE: The VIRTUAL MAC ADDRESSES get reused by the access point on both the 2.4GHz and the 5GHz radios.
  Virtualized BSSID Assignment
  Keep in mind, the assignment or order in which the virtual mac addresses are assigned in the above example has nothing to do with the WLAN IDs that are configured in the WLC. Rather, the virtual mac addresses are assigned in order by how the SSID is assigned to the access point.

• How to configure a Cisco 3560 with MAC-based 802.1x authentication by radius server

  Hi dearI 
  How can I configure a Cisco 3560 to authenticate a client based on its mac address with 802.1x and radius server. Many tanks in advance!

  Olivier,
  You can't reference WLP visitor roles in weblogic.xml, but you can
  reference global roles (created using the WLS console):
  - <security-role-assignment>
  <role-name>PortalSystemAdministrator</role-name>
  <externally-defined />
  </security-role-assignment>
  -Phil
  "Olivier" <[email protected]> wrote in message
  news:[email protected]..
  >
  We need to have login page to our portal app.
  When using "form based" authentication is it possible to map the securityon a
  "entitlement role" ?
  Our need is to be abled to give direct url acces to some pages of theportal (for
  exemple by sending urls like"http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_page
  Label=mypage")"
  by email to portal users) and need a simple mecanism of authenticationbefore
  redirecting to the portal page.
  Inste

• Multipe mac addresses entries for the same port (FE)-Switch 3560

  Dear All,
  I have a problem with a host whitch is connected to 11 port of my cisco 3560. from time to time the, the connection is lost with the host and after some troubleshooting i see two entries of mac-address table for the port 11.
  I'm asking if someone has an idee how to explain this issue and how to see if this port is participing to SPT or...
  I see also somme error of collision :
  ===================================
  5 minute input rate 1000 bits/sec, 2 packets/sec
    5 minute output rate 7000 bits/sec, 1 packets/sec
       64677029 packets input, 17167881111 bytes, 0 no buffer
       Received 39036768 broadcasts (0 multicasts)
       0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
       0 watchdog, 39036088 multicast, 0 pause input
       0 input packets with dribble condition detected
       54722071 packets output, 8588329003 bytes, 0 underruns
       0 output errors, 992 collisions, 1 interface resets
       0 babbles, 2316 late collision, 0 deferred
       0 lost carrier, 0 no carrier, 0 PAUSE output
       0 output buffer failures, 0 output buffers swapped out
  ======================================
  i have two routers in the same switch: my wan router + un other router used to conneced some separated hosts to internet.
  If i use statif addressing for the second subnet (2 hosts + internet router), is there any risk for collision or broadcast domains or errors ?
  is the second router distrub my LAN or WAN ?
  Manay thanks for your help and support.
  Best regards,

  Hello,
  For the first part of the question, I guess somebody might be connecting a hub to that port. If the hub is not negotiating the speed/duplex with the 3560 switch, then that port will go to half-duplex mode and you will see collisions on the port. That might also explain why you are seeing multiple MAC addresses on that port. Please check the port to see if the hub is connected and remove it. You can use features like port-security to ensure only one MAC address is registered on that port and people are not connecting hubs/dumb switches on that port.
  For the second issue, you can certainly use static IP addresses as long as they are not overlapping with other subnets in your network. If they are overlapping, you do need to configure NAT on the router so that they are not affecting rest of the network.
  Hope this helps.
  Regards,
  NT

• Cisco ISE 1.1.4 Patch 7 (Internal Endpoint Mac Addresses Getting Disppeared)

  Hi Folks,
  I am having issue that mac addresses which we are trying to add under Internal Endpoint Group for MAB getting disappear automatically after few minutes. We tried multiple mac addresses but result same. We can see the mac address which we added earlier but new mac address getting disappear. Is there any limit to add mac address under Internal Endpoint. We have following licenses.
  L-ISE-ADV-1K-M=  Cisco ISE 1000 EndPoint Advanced + Base Migration License
  Thanks

  Tabish,
  We'll update the latest patch and then look for the work around from any one of our Cisco experts

• Cisco Aiornet 1042 with MAC address

  Hi,
  I have a Cisco Aiornet, model  AIR-AP1042N-E-K9.
  I need to configure the AP to only certain MAC access. 
  I'm doing the configuration through the console. 
  The wireless network is not showing up in devices, anyone know why?
  version 15.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname ap_disi
  logging rate-limit console 9
  enable secret 5 xxxxx.
  aaa new-model
  aaa group server radius rad_eap
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login default local
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local 
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  no ip routing
  no ip cef
  dot11 syslog
  dot11 ssid DISI-WLAN24
     authentication open 
  dot11 ssid DISIWIFI
     authentication open mac-address mac_methods 
     authentication key-management wpa version 2
     infrastructure-ssid
  dot11 guest
  username Cisco password 7 xxxx
  username Admin privilege 15 password 7 xxxx
  bridge irb
  interface Dot11Radio0
   no ip address
   no ip route-cache
   encryption mode ciphers aes-ccm 
   ssid DISI-WLAN24
   ssid DISIWIFI
   antenna gain 0
   speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
   station-role root
   l2-filter bridge-group-acl
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio1
   description AP SITAS
   no ip address
   no ip route-cache
   encryption mode ciphers aes-ccm 
   ssid DISIWIFI
   antenna gain 0
   peakdetect
   no dfs band block
   speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
   channel dfs
   station-role root
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface GigabitEthernet0
   no ip address
   no ip route-cache
   duplex auto
   speed auto
   l2-filter bridge-group-acl
   no keepalive
   bridge-group 1
   bridge-group 1 spanning-disabled
   no bridge-group 1 source-learning
  interface BVI1
   ip address 192.168.0.252 255.255.254.0
   no ip route-cache
   ipv6 address dhcp
   ipv6 address autoconfig
   ipv6 enable
  ip default-gateway 192.168.1.254
  ip forward-protocol nd
  ip http server
  ip http authentication aaa
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1 
  access-list 700 permit 8830.8a24.7eb5   0000.0000.0000
  access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
  snmp-server view dot11view ieee802dot11 included
  snmp-server community public view dot11view RO
  snmp-server location DISI
  snmp-server contact SITAS
  snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
  snmp-server enable traps tty
  snmp-server enable traps entity
  snmp-server enable traps disassociate
  snmp-server enable traps deauthenticate
  snmp-server enable traps authenticate-fail
  snmp-server enable traps dot11-qos
  snmp-server enable traps switch-over
  snmp-server enable traps rogue-ap
  snmp-server enable traps wlan-wep
  snmp-server enable traps config-copy
  snmp-server enable traps config
  snmp-server enable traps syslog
  snmp-server enable traps cpu threshold
  snmp-server enable traps aaa_server
  snmp-server host 192.168.1.6 public 
  radius-server attribute 32 include-in-access-req format %h
  radius-server vsa send accounting
  bridge 1 route ip
  line con 0
  line vty 0 4
   transport input all
  sntp server 192.168.1.215
  sntp broadcast client
  end

  Please refer: http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-4-25d-JA/Configuration/guide/cg_12_4_25d_JA/scg12-4-25d-JA-chap16-filters.html#wp1034897

• Sh mac-address command in Cisco RSP4

  Hello guys,
  Need your ideas on how to know to which port a device connected to using mac-address information on Cisco DLSw RSP4.
  I did tried using command "sh mac-address add" but it is not recognized in this IOS.
  See below outputs:
  RSP-Core#sh ver
  Cisco Internetwork Operating System Software
  IOS (tm) RSP Software (RSP-DSV-M), Version 12.1(13), RELEASE SOFTWARE (fc3)
  Copyright (c) 1986-2002 by cisco Systems, Inc.
  Compiled Wed 30-Jan-02 13:58 by kellythw
  Image text-base: 0x60010958, data-base: 0x61186000
  cisco RSP4 (R5000) processor with 131072K/2072K bytes of memory. >>>>>>>>>
  R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
  RSP-Core>sh ip arp tok 1/1/0
  Protocol Address Age (min) Hardware Addr Type Interface
  Internet 146.X.3.76 5 0060.9435.63e2 SNAP TokenRing1/1/0
  Internet 146.X.3.77 5 4000.2030.2410 SNAP TokenRing1/1/0
  RSP-Core#sh mac-address add ?
  % Unrecognized command
  RSP-Core#sh mac-

  Interesting hardware you have there.
  Is this perhaps a cat 5xxx with an RSM module?
  In that case, the RSM is in fact a router blade.
  The command "sh mac-adress " is only found on switches. This info is there already but you need to get it from the supervisor which will be running CatOS.
  http://www.cisco.com/en/US/docs/switches/lan/catalyst5000/catos/4.5/configuration/guide/5000_cfg.html
  regards,
  Leo

• Cisco WLC Client MAC address backup to new Controller & ISE

  Hi All,
  We have an existing 4400 controller with MAC filtering for clients configured. Right Now, we are migrating to 5500 WLC and ISE setup.
  We want to use MAC filtering due to company policies on the new Controller as well as ISE.
  Is there a way (from GUI/CLI) that we can export the client MAC Addresses into an Excel file from existing WLC to new WLC & ISE?
  Thanks,
  CJ

  On the CLI issue a show macfilter summary and then import that into excel or a text editor.
  Sent from Cisco Technical Support iPhone App

• MAC Address FF:FF:FF:FF:FF:FF on a Cisco 7920

  Hi!
  Maybe someone of you can help me about my problem. I have my 7920 that can not authenticate to the CallManager and no signal for wireless is detected. When checking the Mac address I could see that it reflects ff:ff:ff:ff:ff:ff
  Can this be fixed? How?
  Thank you,
  Oscar.

  Try upgrading the firmware through the Configuration Utility.
  http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7920/3_3/english/administration/guide/7920frm.html

• Mac-Address Locking on ML-1000 for the Cisco 15454

  Does anyone know if you can do mac-address locking on the ML-1000 card on the Cisco 15454. I would like to enter the command "mac-address-table secure", but it does not look like it is possible to do this.
  Thanks,
  Eric

  The command is not supported on the ML-1000 card.