switchport protected between switches

Hi,
I have several 2950s and 3550s hung on trunks off a common 3550 EMI.
Configuring switchport protected on interfaces disables L2 communications between these interfaces on the same switch.
Can anyone tell me a sane/simple way to disable L2 between interfaces on the same VLAN on different switches?
Thanks.

Thanks.
As I understand it then, all hosts connected to associated primary and secondary private VLANs occupy the same IP subnet with a gateway configured on the primary VLAN's SVI.
Short of replacing all switches with 3560/3750s, could I get L2 isolation by
1. replacing the 3550 at the root with a 3560 trunked to both 2950s.
2. configuring the 3560 with private primary VLAN X with associated private isolated VLAN Y.
3. configuring all 2950 ports connected to workstations as switchport access vlan Y and switchport protected.
4. configuring the 2950 ports connected to the server as switchport access vlan X and no switchport protected.
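An added configuration example, not from the thread, for the 3560 side of the design sketched in steps 1 to 4: primary VLAN 100 associated with isolated VLAN 101, the server on a promiscuous port, workstations on host ports, the gateway on the primary SVI, and an ordinary 802.1Q trunk toward a 2950. VLAN numbers, interface names and the address are assumptions. One caveat before building it: the 2950 has no private-VLAN support, so on the trunk VLANs 100 and 101 are just two tags. A 2950 access port in VLAN 101 can send toward the promiscuous port, but frames the server sends leave the trunk tagged 100, which a VLAN 101 access port never receives, and the 3560 does not retag isolated-VLAN frames into the primary VLAN when it forwards them out a trunk. Keep the server on the 3560 promiscuous port rather than on a 2950 port, and check with a ping from a 2950-attached host before relying on the design.

```cisco
! 3560 EMI at the root of the trunks (added example; VLAN numbers,
! interface names and addresses are assumptions, not from the thread)
! Private VLANs need VTP transparent mode on this platform
vtp mode transparent
!
vlan 101
 name ISOLATED-HOSTS
 private-vlan isolated
vlan 100
 name PRIMARY-USERS
 private-vlan primary
 private-vlan association 101
!
! Gateway for the whole subnet lives on the primary VLAN SVI
interface Vlan100
 ip address 10.10.0.1 255.255.255.0
 private-vlan mapping 101
!
! Server: promiscuous port, may talk to every host in 101
interface FastEthernet0/1
 description server
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Workstations on the 3560 itself: isolated host ports, no L2 path
! between them even though they share the subnet
interface range FastEthernet0/2 - 12
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Plain 802.1Q trunk toward a 2950; 100 and 101 ride it as ordinary tags
interface GigabitEthernet0/1
 description trunk to 2950-A
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,101
!
! Verification
! Switch# show vlan private-vlan
! Switch# show interfaces FastEthernet0/2 switchport
```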

Similar Messages

  • 802.1X Authentication issues when moving between switch ports

    Hi Guys,
    We are having some issues at our office where, when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about features called MAC Move and MAC Replace, but they seem to be used when moving from one port on a switch to another port on that same switch. Will MAC Move help for issues between switches? And should I focus my attention on the switch's configuration or have a look at the NPS server that might be blocking that authentication as the user is already authenticated?
    The configuration we have on the switch ports looks as follows:
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    dot1x pae authenticator
    Your help is greatly appreciated.
    Grant

    Hi Neno,
    Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.
    Here is the config:
    aaa group server radius customer-nps
     server name radius1
     server name radius2
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    radius server radius1
     address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
     key 7 05392415365959251C283630083D2F0B3B2E22253A
    radius server radius2
     address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
     key 7 107C2B031202052709290B092719181432190D000C
    interface GigabitEthernet1/0/1
     switchport access vlan 300
     switchport mode access
     switchport voice vlan 2
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication periodic
     authentication timer reauthenticate 28800
     authentication timer inactivity 1800
     mab
     no snmp trap link-status
     mls qos trust cos
     dot1x pae authenticator
     auto qos trust cos
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     spanning-tree portfast
     spanning-tree bpdufilter enable
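An added example, not the poster's configuration, that keeps the port and RADIUS settings above but changes the three things a review would flag. Addresses, VLANs and the interface are taken from the post; the master key and shared secrets are placeholders, and type-6 support in this release is an assumption (confirm with show running-config | include key 6 after saving). First, key 7 is a fixed XOR obfuscation that any reader of a config paste can reverse, so the paste above hands out both RADIUS shared secrets; type 6 stores secrets AES-encrypted under a master key that is not written to the startup-config. Second, spanning-tree bpdufilter enable turns STP off on the port, so a looped or rogue switch plugged in there goes unnoticed; bpduguard err-disables the port on the first BPDU instead. Third, the summary at the top of the thread lists authentication port-control auto but the longer paste does not; without it the port stays force-authorized and neither dot1x nor MAB ever runs, so it is included explicitly. QoS and storm-control lines are unchanged and omitted.

```cisco
! Added example, not the poster's config. Placeholders in CAPITALS;
! type-6 support on this release is an assumption.
!
! --- 1. RADIUS secrets: type 6 (AES under a master key) instead of type 7
key config-key password-encrypt MASTER-KEY-NOT-WRITTEN-TO-STARTUP
password encryption aes
!
radius server radius1
 address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
 key SHARED-SECRET-FOR-RADIUS1
radius server radius2
 address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
 key SHARED-SECRET-FOR-RADIUS2
! after "write memory", "show running-config | include key 6" should list
! both servers; the previous "key 7" lines were reversible by anyone who
! saw the config, so rotate the secrets on the NPS side as well
!
! --- 2. and 3. the access port
interface GigabitEthernet1/0/1
 switchport access vlan 300
 switchport mode access
 switchport voice vlan 2
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 ! without port-control auto the port stays force-authorized and
 ! no 802.1X or MAB exchange ever takes place
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 28800
 authentication timer inactivity 1800
 mab
 dot1x pae authenticator
 spanning-tree portfast
 ! bpdufilter switched STP off on this edge port; bpduguard instead
 ! err-disables it on the first BPDU, so a plugged-in switch cannot
 ! create a loop or take the root role unnoticed
 no spanning-tree bpdufilter
 spanning-tree bpduguard enable
```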

  • Private Vlan and Switchport Protected

    Dear All,
    My core switch is a 4500 which supports Private VLAN. However, I have several closet switches (2950) which only support Switchport Protected. The 4500 and each 2950 are connected by a trunk over fiber.
    How can I configure it so that a PC on 2950_Switch1 cannot communicate with a PC on 2950_Switch2 (all FastEthernet ports on both 2950s are in the same VLAN and same subnet)?
    Thanks.
    C.K.

    Hi C.k.,
    I believe you can use the switchport protected feature along with the port blocking feature to accomplish this. First have your switch ports configured as protected ports on which you don't want the traffic to flow, and then configure those ports to deny unknown unicast and multicast using the "port-blocking feature".
    Try that and let us know.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1174968
    HTH,
    -amit singh
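An added example, not from the thread, of the 2950 side that the reply above describes: every access port protected and blocking unknown unicast and multicast, the uplink left alone. Interface names are assumptions. It is worth being clear about what this buys. switchport protected stops forwarding between protected ports on the same 2950 only, and switchport block unicast stops this switch from flooding frames whose destination MAC it has not learned. Once the 4500 and both 2950s have learned each other's hosts, a known-unicast frame from a PC on 2950_Switch1 to a PC on 2950_Switch2 is forwarded normally through the trunks, so the two closets still talk. Isolation across switches needs the hosts in an isolated secondary VLAN enforced by a switch that supports private VLANs, or a VLAN access map on the 4500 that permits only traffic to and from the gateway and the servers.

```cisco
! 2950 closet switch (added example; interface names are assumptions)
!
! Protected + blocking on every workstation port: no L2 forwarding
! between protected ports on THIS switch, and no unknown-unicast or
! unknown-multicast flooding toward them
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 101
 switchport protected
 switchport block unicast
 switchport block multicast
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink to the core: not protected, so every host still reaches the trunk
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
!
! Verification: both flags are visible per port
! Switch# show interfaces FastEthernet0/1 switchport
!   Protected: true
!   Unknown unicast blocked: enabled
!   Unknown multicast blocked: enabled
!
! Test the limit of the feature: ping from a host on this 2950 to a host
! on the other 2950 after both have been learned; it still succeeds,
! because the protected flag never leaves the switch that set it.
```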

  • Firmware bug: SF220 "switchport protected" command missing

    Hello!
    We have SF220-48 switches and there is no "switchport protected" command:
    sw-u1(config)#interface fa1
    sw-u1(config-if)#switchport
      access         VLAN unaware port
      default-vlan   default vlan
      dot1q-tunnel   802.1Q tunnel port
      forbidden      forbidden
      general        Configure switchport in general mode
      mode           port mode
      port-security  Configure an interface to be a secure port
      trunk          VLAN aware port
      vlan           VLAN
    sw-u1(config-if)#
    But the show interfaces protected-ports command is available.

    Hi Tim,
    I saw this problem in 1.4 while not in 1.3.5.
    Now there is a solution for this issue, which is to add the trunk native vlan setting to the user defined macro so that it will finally be recovered after reboot.
    no macro auto user smartport macro ip_phone_desktop
    # disassociated the user macro
    macro name u_ip_phone_desktop
    #macro keywords $u_native_vlan $u_voice_vlan
    #macro key description: $u_native_vlan: The native VLAN for trunk
    #                       $u_voice_vlan: The voice VLAN ID
    #Default Values are
    #$u_native_vlan = 10
    #$u_voice_vlan = 30
    #the default mode is trunk
    smartport switchport trunk allowed vlan add $u_voice_vlan
    smartport switchport trunk native vlan $u_native_vlan
    no macro description
    spanning-tree portfast
    macro name no_u_ip_phone_desktop
    #macro keywords $u_voice_vlan
    #macro key description: $u_voice_vlan: The voice VLAN ID
    #Default Values are
    #$u_voice_vlan = 30
    smartport switchport trunk allowed vlan remove $u_voice_vlan
    no macro description
    spanning-tree portfast auto
    macro auto user smartport macro ip_phone_desktop u_ip_phone_desktop $u_native_vlan 10 $u_voice_vlan 30

  • How can I encrypt my data links between switch uplink ports? I'm unable to use the "cts manual" command on a C3560X switch. Please advise

    How can I encrypt my data uplinks between switch trunk ports? I'm unable to use the "cts manual" command on a C3560X switch. Please advise, as I want to encrypt my switch-to-switch link with Cisco TrustSec.

    Hi
    Log in to the switch and go to the interface.
    There you can give tags (ISL & DOT1Q).
    Command switchport mode trunk
    switchport trunk encapsulation ssl or dot1q

  • Speed between Switches & IDF MDF

    Hello,
    I had a question regarding the types of speed and cable one should use when connecting switches in an IDF together, and then connecting those switches back to an MDF.
    If I connect each switch in the IDF together with gigabit ethernet, probably Cat 6 cables, how do I know that these 1 gigabit inter-connections will support all the traffic between the switches without issues? What if the right speed that I should have used was 10 gigabit? How often is 10 gigabit used to interconnect switches in the IDF?
    And this is the same issue I'm trying to figure out with connecting the IDF back to the MDF. Would 1 Cat 6 at gigabit ethernet speed be enough for all that traffic going back to the MDF? Is there a general rule or something to follow so that I know what speeds to use when?
    Also, why use 1 Gb fiber vs 1 Gb over Cat 6 if the distance between MDF and IDF is less than 100 m?
    Thank you for your time

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Regarding your questions about bandwidths between switches, that really depends on traffic volume. An old rule-of-thumb has been uplink bandwidths might be good at about 24:1 for users and 4:1 to 8:1 for servers. Such a rule-of-thumb doesn't account for your hosts' bandwidth requirements, and I believe, with higher bandwidth links, ratios can be increased.
    For various technical reasons, fiber is generally considered superior to copper, and so is often preferred by many for inter-network-device links, even when copper offers equivalent performance. I, though, have used gig copper for inter-network-device links with no notable issues (but with huge cost savings).

  • Difference between Switching Structure in CCA and Transfer Structure in PC

    Hi experts,
    Could anybody define the difference between Switching Structure in CCA and Transfer Structure in CO-PCP? I also can't tell whether, when we create a Primary Cost Component Split, we use only a range of Primary Cost Elements in the Cost Components for the Primary Cost Component Structure. Thanks for the help!
    Best Regards,
    Georgi

    This has been discussed; please check the forum:
    https://forums.sdn.sap.com/click.jspa?searchID=480466&messageID=114309
    https://forums.sdn.sap.com/click.jspa?searchID=480466&messageID=1419481
    https://forums.sdn.sap.com/click.jspa?searchID=480466&messageID=1479212
    Shortly:
    Append structures are used for enhancements that are not included in the standard. An append structure is a structure that is assigned to exactly one table or structure. There can be more than one append structure for a table or structure.
    http://help.sap.com/saphelp_erp2004/helpdata/en/cf/21eb61446011d189700000e8322d00/content.htm
    Includes are used to group fields, an include structure can be assigned to many tables. If you add a fields to an include structure, all tables/structures, which contain that include structure, will be updated too.
    http://help.sap.com/saphelp_erp2004/helpdata/en/cf/21ea6a446011d189700000e8322d00/content.htm
    Regards,
    Santosh

  • Difference between Switch-off and Disable of an aggregate.

    Hi All,
    Can anyone please tell me what's the difference between Switch-off and Disable of an aggregate?
    Appreciate your help.
    Thanks,
    Soumya.

    Hi,
    You can temporarily switch off an aggregate to check if you need to use it. An aggregate that is switched off is not used when a query is executed.
    To do this, select the relevant aggregate and choose Switch On/Off. An aggregate that is switched off is marked in the Filled/Switched off column.
    Since aggregates that are switched off must also be consistent, you do not have to activate the aggregate again or to fill it when you switch it back on.
    Execute a query or trace that would use the aggregate that was switched off. Compare the time that the database needs with the time that the query needs when using the aggregate. If the query is not significantly slower without the aggregate, you can deactivate or delete the aggregate.
    The system deletes all the data and database tables of an aggregate. The definition of the aggregate is not deleted.
    Deactivation
    Select the required aggregate and choose Deactivate.
    The status display in the Status and Filled/Switched off columns changes back.
    If you want to, you can activate and fill the aggregate again later.
    More information:
    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/26/4bc0417951d117e10000000a155106/frameset.htm
    Hope it helps.
    Regards,
    Ray

  • Re: Difference between switcher component and router activity

    Hi all,
    Here i want to know the difference between switcher component and router activity.
    Can anybody give the difference between them or suggest any blog for this.
    Thanks,
    Syam

    <af:switcher> component is an ADF Faces component. You can use it within (the source of) a JSF page or fragment to include a particular group of other JSF components depending on the switcher expression's value.
    Router activity is not a JSF component, i.e. you cannot use it within a JSF page or fragment. It is an ADF taskflow activity. You can use it as an activity within an ADF Taskflow to route transitions between some other activities in the taskflow depending on the router's expression.
    Dimitar

  • Nokia E71 Difference between Switch mode and Profi...

    I have a Nokia E71. The phone has an option to switch modes and we also have the profile option.
    Can somebody explain the difference between switching mode and having different profiles?
    Thanks

    The profile impacts things like default ringtone, vibration settings, etc.
    With the mode switching you can also switch active standby applications and plugins (e.g., work vs. free time).
    Personally, I don't use the modes, and with profiles, I only use "General" and "Silent" and don't bother with others.

  • Password protect between 10pm and 5am only

    I want to password protect my iMac between 10pm and 5am only. At any other times no password would be required.

    Log out at 10 pm and log back in at 5 am. Note that, although there are ways to script this automatically, it wouldn't be wise, as unsaved documents would ultimately cancel log out if you're not there to take care of it.
    Alternately, you could see my response on the following topic, which requires fast user switching to be turned on (in System Preferences -> Accounts -> Login Options). Of course, then if you lose power or something in the middle of the night, unsaved documents are simply lost.

  • Etherchannel or Aggregated ports between switch and AIX server

    I have a problem with the configuration of an etherchannel or port aggregation between an 4507 Catalyst switch and a server running AIX 5.2 maintenance level 4. The two ports on the switch are on the same blade.
    I tried configuring etherchannel with the command
    config-if# channel-group XX mode on
    and I tried configuring 802.3ad with the command
    config-if# channel-group XX mode active
    but in both cases, as soon as I configured the second port, connection went down (I monitored with pings).
    On the AIX, I tried configuring modes "round-robin" and "802.3ad" with both switch configurations, but the result was the same.
    Does anyone have experience with this kind of configuration?
    thanks,
    Antoine

    Hi amaitre
    Were you able to set up the etherchannel with the AIX server?
    I configured it on my 4510 switch with an AIX, but the 2 ports with channel-group stay suspended. This is the configuration:
    interface Port-channel2
    description ## LACP AIX ##
    switchport
    switchport access vlan 100
    load-interval 30
    interface GigabitEthernet4/20
    description  ## LACP AIX ##
    switchport access vlan 100
    channel-protocol lacp
    channel-group 2 mode active
    spanning-tree portfast
    interface GigabitEthernet4/21
    description ## LACP AIX ##
    switchport access vlan 100
    channel-protocol lacp
    channel-group 2 mode active
    spanning-tree portfast
    This configuration works with a server Dell with windows 2008.
    The schema is 1 switch 4510 with etherchannel to AIX.
    Thanks!

  • Can two WRT610N routers be used to create a wireless connection between switches?

    I am getting somewhat lost in the jargon involved with routers and access points and need better understanding of the functionality of the WRT610N router. The questions I need answered are:
    To eliminate the need for WUSB600N USB adapters for each of the happily switched office computers: can I use two WRT610N routers to connect one end of the building to the other without wires in between? One end has the switched LAN the other has the internet connection.
    If this is not the highest bandwidth solution... what is?
    Sorry to go off topic but, whether the above is feasible or not, can I establish more than one wireless network - one internal and one for guests - using a WRT610N router?

    Firstly thank you for your interest
    It is not possible to connect the two parts of our network with a physical connection such as a wire. The goal is therefore to wirelessly join one end of the building to the other with as much bandwidth as possible. I am hoping to use high-end dual-band N equipment. However, as Linksys does not seem to have an access point which, with my limited understanding, I suspect I could connect to an existing gigabit switch, I wish to know if a router can be configured to slave itself to the internet-connected router.
    One end of the building has the internet and a reception room workstation; the other end currently has 3 computers and a NAS which need to be connected to the internet and each other, as efficiently as possible. I am concerned that USB adapters for each computer would drain workstation resources and be quite expensive.
     I am pleased with every aspect of the WRT610N as a router but need guidance as to how to best deal with the other end of the building.
    Furthermore I would like to provide a separate independent wireless network for guests to access the internet. Can one dual band router produce two networks? One for internal use only - secured against the outside world and a separate network for guests. If not can a/the second router pull this off?
    Does this explain more?
    Thank you for any assistance

  • 802.1x between Switch 3750 and ACS 4.2 Authentication failed --need help

    I configured the Switch 3750 and ACS for 802.1x authentication.
    When I used Windows as the 802.1x client, it prompted "click here to enter user name and password for the network" as normal.
    The problem is that after I entered the username and password (I am sure I entered the identical username and password as in ACS) the authentication failed.
    What is the most likely problem?
    Thx in advance!!!
    The configuration of the Sw3750 is:
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default line
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    dot1x system-auth-control
    interface GigabitEthernet1/0/18
    description Link to test 802.1x
    switchport access vlan 119
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    spanning-tree portfast
    radius-server host 10.1.1.333 auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key keepopen0
    In the ACS:
    Network Configuration -->aaa client ip address: 10.1.119.1(the vlan 119's ip address), shared secret: keepopen0
    user setup -->real name:test1, password: test1.
    Attached is the debug information

    What do you see in acs failed attempts?
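An added example, not from the thread: checks run on the 3750 that separate a RADIUS transport problem from a supplicant problem before touching the Windows client. Interface and addresses follow the post; the test account is an assumption. ACS only processes requests whose source address matches a configured AAA client, and the post registers 10.1.119.1; if the switch sources its RADIUS packets from another interface, ACS records the request as coming from an unknown NAS and never evaluates the password, so pinning the source to that SVI removes one common cause of an entry in Failed Attempts.

```cisco
! Added example, not from the thread. Addresses and the interface follow
! the post; the test account is an assumption (use a throwaway one).
!
! 1. Source RADIUS from the SVI that ACS knows as the AAA client
ip radius source-interface Vlan119
!
! 2. Prove reachability and the shared secret with no supplicant involved.
!    Success here means transport and "keepopen0" are fine and what is
!    left is the EAP method or certificate trust on the client side.
! Switch# test aaa group radius test1 test1 new-code
!
! 3. Watch the exchange from the switch side while the client retries
! Switch# debug radius authentication
! Switch# debug dot1x events
! Switch# show dot1x interface GigabitEthernet1/0/18 details
!
! Then compare with the ACS side: Reports and Activity -> Failed Attempts,
! where the Authen-Failure-Code column names the rejection reason.
```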

  • Encrypting vlan-trunk traffic between switches

    Hi,
    Can anyone guide me to some papers or other resources on how to encrypt traffic between 2 switches? The switches will be connected with fiber and use dot1q tagging, and I want to encrypt all of the trunked traffic.
    I was thinking of L2TP, but I haven't found any good description on how to implement this. I have two 3750 switches I thought I might use.
    Thanks for any input,
    Regards,
    Oyvind Mathiesen
    mnemonic
    Norway

    Hi,
    Thanks for the response. I had a look at MACsec and it looks good. I would have liked to employ something P2P though, to also limit the amount of MAC addresses broadcast on the "wire". But let me first give you an understanding of the task:
    We have two sites, connected via fibre, and we want to create a VLAN trunk across, in order to expand the broadcast domains to the other site.
    The IDIOT carrier has a limitation on the number of MAC addresses they allow on the fibre service, 100.
    We also need to encrypt the data traversing this connectivity.
    MACsec would work 100% except the source and destination MAC addresses are still sent (at least according to https://docs.google.com/viewer?a=v&q=cache:LEf2qOmYZyYJ:www.ieee802.org/1/files/public/docs2011/bn-hutchison-macsec-sample-packets-0511.pdf+&hl=en&gl=za&pid=bl&srcid=ADGEESgmAHXpDOY0RBAE-Rv1HDpu_C_gkeSPN4cv6NGgyP0M1aXVu0UqzCfxo8t_P41ep6J37k4OLKnjfp1M9hoTDHxY22WGz2h7yB7YRLyPvRUbGS8TICzvEMlG92xqbhy6RWFugmnj&sig=AHIEtbTfu0LQIJejdYidE6yzq4lpPifxjQ)
    And that would cause me to eat into the 100 MAC limit.
    Ridiculous I know, but we are looking for an out-of-the-norm plan...
    Thanks
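An added example serving both this thread and the C3560X "cts manual" question above; it is not from either post. A trunk between two switches is encrypted with MACsec (802.1AE), keyed manually through SAP with a pre-shared PMK. Interface names and the PMK are placeholders, and MACsec support on the uplink ports (hardware, license and release) is an assumption to confirm with the platform documentation before relying on it. Two points matter for the requirement described here. The mode list deliberately contains only gcm-encrypt, so the link can never negotiate down to the null or no-encap cleartext modes that the commonly quoted mode-list gcm-encrypt null no-encap form permits. And, as the post notes, MACsec encrypts and authenticates the frame payload but the outer source and destination MAC addresses stay in the clear, so it does not reduce the number of MAC addresses the carrier sees on the fibre.

```cisco
! Added example: MACsec-encrypted trunk with manual SAP keying.
! Interface names and the PMK are placeholders; "cts manual" support
! on this port, license and release is an assumption.
interface TenGigabitEthernet1/1
 description encrypted trunk to remote site
 switchport trunk encapsulation dot1q
 switchport mode trunk
 cts manual
  ! peer is not SGT-aware, so do not add the CMD/SGT header
  no propagate sgt
  ! replace the PMK with a randomly generated hex key (maximum length is
  ! release-specific); only gcm-encrypt in the list: no cleartext fallback
  sap pmk 0123456789abcdef0123456789abcdef mode-list gcm-encrypt
!
! The peer interface carries the identical PMK and mode-list. Verify on
! both ends that SAP succeeded and the GCM cipher is in use, then confirm
! with a capture on the fibre that payloads are unreadable while the
! outer MAC addresses are still visible:
! Switch# show cts interface TenGigabitEthernet1/1
```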
