To 3850 or not to 3850?

Currently I have two 5508 controllers each licensed for 100 AP's configured in a 1+N setup with a total of 100 AP's between the two controllers.  (50 each).
I am going to add AP's in two remote buildings that are each connected to the core (where the 5508's are located) via a 20Mb TLS circuit.  I was thinking of just adding more licenses to the 5508's and having all the new remote AP's just connect back to the existing 5508's.  Keep in mind that all services are located at the core, so anybody that connects to the wireless in the remote buildings will be accessing services in the core.
I have been doing a lot of reading about the new 3850's and I see the benefit of the CA and having the AP's terminate locally but in my case would it make sense to do that?
As I understand it I would have to have a 3850 in every closet where an AP comes back to as they have to be directly connected?  So this would mean that I would have to upgrade my network closets to all new switches.
The total number of AP's after all remote sites are done will be about 250 so I could still provide the 1+N relationship with the two 5508's.
Thank you for the input.

As I understand it I would have to have a 3850 in every closet where an AP comes back to as they have to be directly connected?  So this would mean that I would have to upgrade my network closets to all new switches.
//Absolutely, Yes.
With a 3850 deployment, you can still make use of AP licenses from the 5500; however, you need to purchase more 3850s since the AP has to be directly connected to the 3850.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/data_sheet_c78-720918.html
– Support for up to 50 access points and 2000 wireless clients on each switching entity (switch or stack)
//A 3850 switch doesn't have 50 ports
//MC failover to another MC is currently unavailable, just in case the 5500 acting as MC goes down, where the APs on the 3850 go stranded without AP licenses, if it is pulling from the 5500. However, AP SSO is supported, which requires additional infrastructure.

Similar Messages

  • 3850 Stack not displayed correctly in CiscoView 6.1

    HI,
    Our customer installed LMS 4.2, updated it to 4.2.5 and applied the Maintenance_Release_4_2_5_01_LNX. It's a fresh installation, so there is no previous data. After a discovery via SNMPv3 the 3850 (stacks with 2 or 3 units) show up in CiscoView but only one unit, the others are missing. When I take a look in the fan status, it displays the fan status of the other stack members, so the stack is recognized, but not displayed...
    Installed Packages:
    CiscoView version is 6.1.156
    Cat3850.cv50.v1-0.zip (installed with the 4.2.5 update)
    Anybody got an idea how to fix this?
    Thanks!

    The reason why the C3850 switch stack is showing as standalone in LMS CiscoView is because
    it's returning sysObjectID as standalone.
    It should return as 1.3.6.1.4.1.9.1.1745 --cat38xxstack
    While, if you poll it for sysObjectID, the Catalyst 3850 stack switches will be returning OID 1.3.6.1.4.1.9.1.1641.
    This is an IOS bug "CSCul00003 - Incorrect Sys OID for Cat3850 Stack device".
    Unless this bug is fixed, LMS will not be able to show it as stack device.
    You can try to check if you can manually change the device identity to cat38xxstack from Inventory > add/edit device > edit identity.
    Else we need to wait for the fix of this bug.
    -Thanks
    Vinod

  • Distributed multicast routing command not working on Catalyst 3850 switch

    Hi Cisco community,
    I was wondering if there is a known problem as to why the ip multicast-routing [distributed] option is not available on the Cat 3850 platforms
    global command " ip multicast-routing " is accepted 
    the configuration guide named:
    IP Multicast Routing Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
    First Published: January 29, 2013
    Last Modified: October 22, 2013
    explains that this option "key word" [distributed] should be available:
    Enables IP multicast routing.
    ip multicast-routing [distributed] 
    Device(config)# ip multicast-routing distributed
    =============== Here is what i have and see =========
    Config attempt
    ============
    CAT-3850-1(config)#ip multicast-routing distributed
                                                ^
    Show command:
    ========
    CAT-3850-1#show ip multicast 
      Multicast Routing: enabled
      Multicast Multipath: disabled
      Multicast Route limit: No limit
      Multicast Fallback group mode: Sparse
      Number of multicast boundaries configured with filter-autorp option: 0
    Software:
    ========
    Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), 
    Version 03.03.03SE RELEASE SOFTWARE (fc2)
    License rights:
    ============
    CAT-3850-1#sh license right-to-use 
     Slot#  License name   Type     Count   Period left 
     1      ipservices   permanent     N/A   Lifetime
     1      apcount      adder         10     Lifetime
    License Level on Reboot: ipservices
     Slot#  License name   Type     Count   Period left 
     2      ipservices   permanent     N/A   Lifetime
     2      apcount      adder         10     Lifetime
    License Level on Reboot: ipservices
    Any hints and help would be greatly appreciated.
    Many thanks in advance
    Markus 

    Hi Reza,
    Thank you for your quick reply, and for putting the record straight. As such, a helpful rating was provided.
    PS: Feel free to help me one more time if you happen to know the follow-on to this query :)
    I guess that the distributed function has been included in the standard multicast routing command because the keyword is no longer needed. Or perhaps this platform does not support this at all.
    Once again, thank you for your help above.
    Best regards

  • Why does my 3850-24T-E running 3.6.2aE with IP Services licence not support GLBP?

    Hi all,
    Just upgraded two 3850-24T-E's to 3.6.2aE (cat3k_caa-universalk9.SPA.03.06.02a.E.152-2a.E2.bin) and I have triple checked that the IP Services licence was loaded from factory.
    Even though the Cisco Feature Navigator says that 3.6.0E supports GLBP (see below), I can't execute any of the 'glbp' commands in interface configuration mode, so obviously it's not supported:
    ukxxxxAAxx01(config)#int vlan 100
    ukxxxxAAxx01(config-if)#glbp ?
    % Unrecognized command
    ukxxxxAAxx01(config-if)#glbp
    Can anyone explain what I'm missing? 3.6.2aE isn't available in the feature navigator - is it SO different from 3.6.0E?!
    Thanks!
    James.

    You're going to have to give us more information to work with.
    1.  When did this start happening?
    2.  Have you added anything new to your system before these problems started?
    3.  When did you put Google Chrome Helper on there? XScan?
    4.  What other apps or functions are working strangely on there?

  • 3602 AP not able to join 3850 WLC

    Hello,
    I have a 3850 switch with integrated WLC and my 3602 is not able to join the controller.  Error from AP:
    *Oct 24 19:21:17.355: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 41, state 8
    *Oct 24 19:21:17.355: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
    *Oct 24 19:21:17.355: %CAPWAP-3-ERRORLOG: Failed to process Message timer message.
    *Oct 24 19:21:20.355: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
    *Oct 24 19:21:20.355: %CAPWAP-3-ERRORLOG: Failed to encrypt and send packet.
    *Oct 24 19:21:20.355: %CAPWAP-3-ERRORLOG: Failed to send packet from queue
    *Oct 24 19:21:20.355: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 41, state 8
    *Oct 24 19:21:20.355: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
    *Oct 24 19:21:20.355: %CAPWAP-3-ERRORLOG: Failed to process Message timer message.
    ., 1)24 19:21:23.355: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_TYPE (5)
    *Oct 24 19:21:23.355: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
    *Oct 24 19:21:28.903: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    Switch Config:
    ip dhcp pool TMOWireless
    network x.x.x.0 255.255.255.0
    default-router x.x.x.1
    dns-server 8.8.8.8 4.2.2.2
    option 43 hex f104.0x4x.dx0x
    option 60 ascii "Cisco AP c3602"
    wireless mobility controller
    wireless management interface Vlanxxxx
    wlan xxxxx1 xxxxx
    client vlan xxxx
    no security wpa akm dot1x
    security wpa akm psk set-key ascii 0 xxxxxxxxx
    no shutdown
    show wlan summary
    Mobility Controller Summary:
    Mobility Role                                   : Mobility Controller
    Mobility Protocol Port                          : 16666
    Mobility Group Name                             : default
    Mobility Oracle IP Address                      : 0.0.0.0
    DTLS Mode                                       : Enabled
    Mobility Domain ID for 802.11r                  : 0xac34
    Mobility Keepalive Interval                     : 10
    Mobility Keepalive Count                        : 3
    Mobility Control Message DSCP Value             : 0
    Mobility Domain Member Count                    : 1
    Link Status is Control Link Status : Data Link Status
    Controllers configured in the Mobility Domain:
    IP               Public IP        Group Name       Multicast IP     Link Status
    x.x.x.x      -                default          0.0.0.0          UP   : UP
    show ap summary:
    clk5-Das-cor01#show ap summary
    Number of APs: 1
    Global AP User Name: Not configured
    Global AP Dot1x User Name: Not configured
    AP Name                           AP Model  Ethernet MAC    Radio MAC       State        
    AP4c00.82df.ac68                  3602I     4c00.82df.ac68  f84f.57e3.8ec0  Registered
    show capwap summary           
    CAPWAP Tunnels General Statistics:
      Number of Capwap Data Tunnels       = 0 
      Number of Capwap Mobility Tunnels   = 0 
      Number of Capwap Multicast Tunnels  = 0 
    Name   APName                           Type PhyPortIf Mode      McastIf
    Name   SrcIP           SrcPort DestIP          DstPort DtlsEn MTU
    Any help is appreciated, thank you.

    Full error log:
    *Oct 24 19:59:32.351: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
    *Oct 24 19:59:37.891: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    *Oct 24 19:59:37.959: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Oct 24 19:59:37.959: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Oct 24 19:59:38.175: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Oct 24 19:59:38.191: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Oct 24 19:59:38.959: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Oct 24 19:59:38.991: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
    *Oct 24 19:59:38.999: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Oct 24 19:59:39.983: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Oct 24 19:59:39.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Oct 24 19:59:40.019: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Oct 24 19:59:40.027: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Oct 24 19:59:40.035: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Oct 24 19:59:41.019: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Oct 24 19:59:41.027: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Oct 24 19:59:41.055: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Oct 24 19:59:42.055: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    Not in Bound state.
    *Oct 24 20:00:33.687: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    *Oct 24 20:00:38.691: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
    *Oct 24 20:00:38.815: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.66.222.69, mask 255.255.255.0, hostname AP4c00.82df.ac68
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (8.8.8.8)
    *Oct 24 20:00:44.687: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.66.222.1 obtained through DHCP
    *Oct 24 20:00:44.687: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Oct 24 20:00:44.935: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Oct 24 20:01:14.935: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Oct 24 20:01:15.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.66.222.1 peer_port: 5246
    *Oct 24 20:01:15.239: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.66.222.1 peer_port: 5246
    *Oct 24 20:01:15.239: %CAPWAP-5-SENDJOIN: sending Join Request to 10.66.222.1
    *Oct 24 20:01:15.371: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.66.222.1
    *Oct 24 20:01:18.363: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
    *Oct 24 20:01:18.363: %CAPWAP-3-ERRORLOG: Failed to encrypt and send packet.
    *Oct 24 20:01:18.363: %CAPWAP-3-ERRORLOG: Failed to send packet from queue
    *Oct 24 20:01:18.363: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 41, state 8
    *Oct 24 20:01:18.363: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
    *Oct 24 20:01:18.363: %CAPWAP-3-ERRORLOG: Failed to process Message timer message.
    *Oct 24 20:01:21.363: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
    *Oct 24 20:01:21.363: %CAPWAP-3-ERRORLOG: Failed to encrypt and send packet.
    *Oct 24 20:01:21.363: %CAPWAP-3-ERRORLOG: Failed to send packet from queue
    *Oct 24 20:01:21.363: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 41, state 8
    *Oct 24 20:01:21.363: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
    *Oct 24 20:01:21.363: %CAPWAP-3-ERRORLOG: Failed to process Message timer message.
    *Oct 24 20:01:24.363: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
    *Oct 24 20:01:24.363: %CAPWAP-3-ERRORLOG: Failed to encrypt and send packet.
    *Oct 24 20:01:24.363: %CAPWAP-3-ERRORLOG: Failed to send packet from queue
    *Oct 24 20:01:24.363: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 41, state 8
    *Oct 24 20:01:24.363: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
    *Oct 24 20:01:24.363: %CAPWAP-3-ERRORLOG: Failed to process Message timer message.
    *Oct 24 20:01:27.363: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
    *Oct 24 20:01:27.363: %CAPWAP-3-ERRORLOG: Failed to encrypt and send packet.
    *Oct 24 20:01:27.363: %CAPWAP-3-ERRORLOG: Failed to send packet from queue
    *Oct 24 20:01:27.363: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 41, state 8
    *Oct 24 20:01:27.363: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
    *Oct 24 20:01:27.363: %CAPWAP-3-ERRORLOG: Failed to process Message timer message.
    *Oct 24 20:01:30.363: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
    *Oct 24 20:01:30.363: %CAPWAP-3-ERRORLOG: Failed to encrypt and send packet.
    *Oct 24 20:01:30.363: %CAPWAP-3-ERRORLOG: Failed to send packet from queue
    *Oct 24 20:01:30.363: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 41, state 8
    *Oct 24 20:01:30.363: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
    *Oct 24 20:01:30.363: %CAPWAP-3-ERRORLOG: Failed to process Message timer message.
    *Oct 24 20:01:33.367: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_TYPE (5)
    ., 1)

  • 3850 wireless config will not save

    I have a 3850 switch stack and 1602i Lightweight access points. I set up the APs to join the switch via the DNS entry. When I access the 3850 GUI and go to the wireless controller to change the APs' configs, such as the names of the APs or their IPs, they change for a while, then they revert back to what they were within 1 minute.

    Duplicate posts.  
    Go here:  http://supportforums.cisco.com/discussion/12143441/3850-wireless-ap-config-will-not-save

  • 2602i does not Join to 3850 WLC

    Trying to join 2602i to 3850 wlc but after join to WLC, the access point keeps rebooting
    AP Console log:
    APc067.afa7.1ee4#
    *Nov 29 23:32:55.027: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Nov 29 23:32:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.129.0.254 peer_port: 5246
    *Nov 29 23:32:55.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.129.0.254 peer_port: 5246
    *Nov 29 23:32:55.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.129.0.254
    ., 1)29 23:33:13.415: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_TYPE (5)
    *Nov 29 23:33:13.415: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
    *Nov 29 23:33:19.299: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    *Nov 29 23:33:19.319: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Nov 29 23:33:19.323: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Nov 29 23:33:19.327: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Nov 29 23:33:19.347: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Nov 29 23:33:20.323: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Nov 29 23:33:20.351: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
    *Nov 29 23:33:20.359: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Nov 29 23:33:21.343: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Nov 29 23:33:21.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Nov 29 23:33:21.379: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Nov 29 23:33:21.387: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Nov 29 23:33:21.395: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Nov 29 23:33:22.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Nov 29 23:33:22.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Nov 29 23:33:22.415: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Nov 29 23:33:23.415: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    Not in Bound state.
    *Nov 29 23:34:14.847: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    *Nov 29 23:34:19.847: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 2 combination.
    *Nov 29 23:34:19.967: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.129.0.212, mask 255.255.255.128, hostname APc067.afa7.1ee4
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
    *Nov 29 23:34:25.847: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Nov 29 23:34:34.847: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Nov 29 23:35:04.847: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Nov 29 23:35:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.129.0.254 peer_port: 5246
    *Nov 29 23:35:04.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.129.0.254 peer_port: 5246
    *Nov 29 23:35:04.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.129.0.254
    ., 1)29 23:35:22.411: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_TYPE (5)
    *Nov 29 23:35:22.411: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
    *Nov 29 23:35:27.479: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    *Nov 29 23:35:27.499: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Nov 29 23:35:27.499: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Nov 29 23:35:27.503: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Nov 29 23:35:27.527: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Nov 29 23:35:28.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Nov 29 23:35:28.531: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
    *Nov 29 23:35:28.539: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Nov 29 23:35:29.523: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Nov 29 23:35:29.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Nov 29 23:35:29.559: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Nov 29 23:35:29.567: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Nov 29 23:35:29.575: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Nov 29 23:35:30.559: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Nov 29 23:35:30.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Nov 29 23:35:30.595: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Nov 29 23:35:31.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    WLC Log:
    Nov 29 23:40:46.469: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:40:46.469: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:40:46.470: %CAPWAP-3-AP_PORT_CFG: AP connected port Gi1/0/24 is not an access port.
    Nov 29 23:40:46.471: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:40:46.471: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:40:46.471: *%LWAPP-3-VALIDATE_ERR: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    54C1BR01A01254#
    Nov 29 23:40:46.474: *%LOG-3-Q_IND: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    Nov 29 23:40:46.474: *%CAPWAP-3-DATA_TUNNEL_CREATE_ERR2: 1 wcm:  Failed to create CAPWAP data tunnel with interface id: 0xd670c00000002a for AP: c025.5c68.7f10 Error Reason: Capwap Data Tunnel create retry exceeded max retry count.
    Nov 29 23:41:09.584: *%CAPWAP-3-INVALID_STATE_EVENT: 1 wcm:  Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
    Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:42:55.496: *%LWAPP-3-VALIDATE_ERR: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    54C1BR01A01254(config)#
    Nov 29 23:42:55.499: %CAPWAP-3-AP_PORT_CFG: AP connected port Gi1/0/24 is not an access port.
    Nov 29 23:42:55.499: *%LOG-3-Q_IND: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    Nov 29 23:42:55.500: *%CAPWAP-3-DATA_TUNNEL_CREATE_ERR2: 1 wcm:  Failed to create CAPWAP data tunnel with interface id: 0xcb73c00000002b for AP: c025.5c68.7f10 Error Reason: Capwap Data Tunnel create retry exceeded max retry count.
    GB  - United Kingdom : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
    and sometimes:
    Nov 30 21:16:56.781: *%CAPWAP-3-ALREADY_IN_JOIN: 1 wcm:  Dropping join request from AP c025.5c68.7f10 - AP is already in joined state
    Nov 30 21:16:56.785: *%CAPWAP-3-DATA_TUNNEL_DELETE_ERR2: 1 wcm:  Failed to delete CAPWAP data tunnel with interface id: 0x0 from internal database. Reason: AVL database entry not found
    Sh Wireless Country Configured:
    GB  - United Kingdom : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
    Sh version (AP):
    LWAPP image version 10.1.100.0
    1 Gigabit Ethernet interface
    2 802.11 Radios
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: C0:67:AF:A7:1E:E4
    Part Number                          : 73-14588-02
    PCA Assembly Number                  : 800-37899-01
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC17353HXS
    Top Assembly Part Number             : 800-38356-01
    Top Assembly Serial Number           : FCZ1743P1VC
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-SAP2602I-E-K9
    Configuration register is 0xF
    APc067.afa7.1ee4#
    APc067.afa7.1ee4#^C
    Not in Bound state.
    *Nov 30 20:04:56.019: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    *Nov 30 20:05:01.019: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 2 combination.c
    *Nov 30 20:05:01.139: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.129.0.211, mask 255.255.255.128, hostname APc067.afa7.1ee4
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
    *Nov 30 20:05:07.019: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    Sh ver (Switch):
    Base Ethernet MAC Address          : d0:c7:89:75:c3:00
    Motherboard Assembly Number        : 73-12238-06
    Motherboard Serial Number          : FOC172896LQ
    Model Revision Number              : B0
    Motherboard Revision Number        : D0
    Model Number                       : WS-C3850-24T
    System Serial Number               : FOC1729V133
    Switch Ports Model              SW Version        SW Image              Mode
    *    1 32    WS-C3850-24T       03.03.00SE        cat3k_caa-universalk9 INSTALL
         2 32    WS-C3850-24T       03.03.00SE        cat3k_caa-universalk9 INSTALL
    Switch 02
    Switch uptime                      : 5 days, 23 hours, 2 minutes
    Base Ethernet MAC Address          : ec:e1:a9:df:93:80
    Motherboard Assembly Number        : 73-12238-06
    Motherboard Serial Number          : FOC17236GD1
    Model Revision Number              : B0
    Motherboard Revision Number        : D0
    Model Number                       : WS-C3850-24T
    System Serial Number               : FOC1725V0FT
    Configuration register is 0x102

    Hi,
    3850 is in MC mode.
    The AP is connected to an access switch which is connected via a trunk port to the 3850. The access port is in the same VLAN as the wireless management VLAN. The AP is not connected directly to the 3850 as this switch is not PoE capable.
    Country code is set to GB as the AP is in the Europe domain.
    NTP has been configured
    1- show license right-to-use summary :
      ipservices   permanent   N/A      Lifetime
      apcount      base        0        Lifetime
      apcount      adder       4        Lifetime
    License Level In Use: ipservices
    License Level on Reboot: ipservices
    Evaluation AP-Count: Disabled
    Total AP Count Licenses: 4
    AP Count Licenses In-use: 1
    AP Count Licenses Remaining: 3
    the one which is in use is my AP which has issue. keeps rebooting:
    2. show wireless mobility summary
    Mobility Controller Summary:
    Mobility Role                                   : Mobility Controller
    Mobility Protocol Port                          : 16666
    Mobility Group Name                             : BSTAR
    Mobility Oracle IP Address                      : 0.0.0.0
    DTLS Mode                                       : Enabled
    Mobility Domain ID for 802.11r                  : 0x276d
    Mobility Keepalive Interval                     : 10
    Mobility Keepalive Count                        : 3
    Mobility Control Message DSCP Value             : 48
    Mobility Domain Member Count                    : 1
    Link Status is Control Link Status : Data Link Status
    Controllers configured in the Mobility Domain:
    IP               Public IP        Group Name       Multicast IP     Link Status
    10.129.0.254     -                BSTAR            0.0.0.0          UP   : UP
    3- Show run | in Wireless
    qos wireless-default-untrust
    wireless mobility controller
    wireless mobility group name BSTAR
    wireless management interface Vlan10
    wireless wps ap-authentication
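
Added example, not part of the original posts and not Cisco tooling: a small Python triage script for AP console logs like those in the 3602 and 2602i join-failure threads above. It groups lines into CAPWAP join attempts and labels how each one ended; the sample log is constructed (192.0.2.1 is a documentation address) and the outcome labels are this example's own names.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches "<day> hh:mm:ss.mmm: %FACILITY-SEV-MNEMONIC: text". Using search()
# rather than match() tolerates lines whose "*Mon " prefix was overwritten by
# the wrapped tail ("., 1)") of the previous message, as in the logs above.
EVENT_RE = re.compile(
    r"\d{1,2} (\d{2}):(\d{2}):(\d{2})\.(\d{3}): %([A-Z0-9_]+)-\d-([A-Z0-9_]+): (.*)"
)
PEER_RE = re.compile(r"peer_ip: (\S+)")


@dataclass
class JoinAttempt:
    peer: str
    start_ms: int
    last_ms: int
    dtls_up: bool = False
    join_sent: bool = False
    peer_closed: bool = False
    retries_exhausted: bool = False

    @property
    def elapsed_ms(self):
        delta = self.last_ms - self.start_ms
        return delta if delta >= 0 else delta + 86_400_000  # log crossed midnight

    @property
    def outcome(self):
        # Labels are this example's own names, not Cisco terminology.
        if not self.dtls_up:
            return "dtls-not-established"
        if not self.join_sent:
            return "no-join-request"
        if self.peer_closed:
            return "controller-closed-session"
        if self.retries_exhausted:
            return "join-unanswered"
        return "no-failure-seen"


def parse_attempts(log_text):
    """Group AP console log lines into CAPWAP join attempts."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # continuation lines such as "., 1)" carry no event
        hh, mm, ss, ms, facility, mnemonic, text = m.groups()
        now = ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1000 + int(ms)
        if mnemonic == "DTLSREQSEND":  # a new attempt starts here
            peer = PEER_RE.search(text)
            cur = JoinAttempt(peer.group(1) if peer else "unknown", now, now)
            attempts.append(cur)
        elif cur is None:
            continue  # events outside any attempt (radio resets, DHCP, ...)
        elif mnemonic == "DTLSREQSUCC":
            cur.dtls_up, cur.last_ms = True, now
        elif mnemonic == "SENDJOIN":
            cur.join_sent, cur.last_ms = True, now
        elif facility == "DTLS" and mnemonic == "ALERT" and "Close notify" in text:
            cur.peer_closed, cur.last_ms = True, now
        elif mnemonic == "ERRORLOG" and text.startswith("Retransmission count"):
            cur.retries_exhausted, cur.last_ms = True, now
        elif mnemonic == "ERRORLOG" and "GOING BACK TO DISCOVER MODE" in text:
            cur.last_ms = now
            cur = None  # the AP gave up; the attempt is over
    return attempts


def summarize(attempts):
    """Count outcomes and list controllers an AP repeatedly fails to join."""
    failed = Counter(a.peer for a in attempts if a.outcome != "no-failure-seen")
    return {
        "outcomes": dict(Counter(a.outcome for a in attempts)),
        "looping_peers": sorted(p for p, n in failed.items() if n >= 2),
    }


# Constructed sample in the format of the AP console logs above.
SAMPLE_LOG = """\
*Nov 29 23:32:55.027: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Nov 29 23:32:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.0.2.1 peer_port: 5246
*Nov 29 23:32:55.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.0.2.1 peer_port: 5246
*Nov 29 23:32:55.223: %CAPWAP-5-SENDJOIN: sending Join Request to 192.0.2.1
., 1)29 23:33:13.415: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_TYPE (5)
*Nov 29 23:33:13.415: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
*Nov 29 23:35:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.0.2.1 peer_port: 5246
*Nov 29 23:35:04.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.0.2.1 peer_port: 5246
*Nov 29 23:35:04.223: %CAPWAP-5-SENDJOIN: sending Join Request to 192.0.2.1
*Nov 29 23:35:04.371: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.0.2.1
*Nov 29 23:35:07.371: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
*Nov 29 23:35:22.411: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_TYPE (5)
., 1)
"""

if __name__ == "__main__":
    found = parse_attempts(SAMPLE_LOG)
    for a in found:
        print(a.peer, a.outcome, f"{a.elapsed_ms / 1000:.3f}s")
    print(summarize(found))
```

An attempt that ends without a "GOING BACK TO DISCOVER MODE" line, as at the end of the sample, is still reported with whatever failure markers were seen before the log stops.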

  • Cisco prime 2.1 not showing wired clients connected to Cisco 3850 switches

    Hello All,
    I have around 80 Cisco 3850 switches at a customer network and they are using prime infrastructure 2.1.2 to manage these devices. Most of the features are working fine except that the prime does not show the wired clients connected to the switches. The wireless clients are shown properly but not the wired clients. Their core switches are nexus 7k. The SNMP configuration on the switches is as follows.
    snmp-server group xxxx  v3 priv write xxxx-VIEW-WR
    snmp-server view xxx-VIEW-WR mib-2 included
    snmp-server trap-source Vlan100
    snmp-server host x.x.x.x version 3 priv testuser
    Please help me to resolve this issue.
    Shabeeb

    I managed to get the end hosts connected to the 3850 switches with the use of the snmp context command. But now the issue is that Prime is showing only the MAC address of the device, not the IP address.
    Is there anyway to resolve this issue?

  • Route-Map not taken on 3850 IP Services

    Something odd I am seeing.
    Trying to use a 3850 L3 switch running IP Services, XE ver 03.03.03SE,   to do some policy routing on one of the VLAN interfaces.
    Interface VLAN 10
    ip address 208.x.y.z 255.255.255.0
    ip policy route-map Use_Route1
    It seems to take the command but when I look back with a show run interface vlan 10, it is not there.
    Also when I look at the show route policy it indicates that 0 packets have been processed.
    Is this a bug or am I missing something?

    Hi Richard,
    Cisco 3850 even running on full IP services image will not support verify-availability command to track with IP SLA.
    If you enable terminal monitor or configure the device using console you can see the syslog message when you try to configure the route-map with set ip next-hop verify-availability command
    %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map <name> not supported for Policy-Based Routing
    You can see the route-map command showing up in the config BUT as soon as you try to apply to interface vlan10 the command will not be applied and PBR will not work.
    I hope Cisco finds a way to fix this!!
    Workaround:
    You can use EEM Applet with IP SLA
    ! Re-apply the policy when the tracked IP SLA comes back up
    event manager applet internet_up
    event syslog pattern "%TRACKING-5-STATE: 1 ip sla 1 reachability Down->Up"
    action 2.0 cli command "enable"
    action 3.0 cli command "config t"
     action 3.2 cli command "interface Vlan10"
     action 3.3 cli command "ip policy route-map Use_Internet"
     action 3.4 cli command "exit"
    ! Remove the policy when the tracked IP SLA goes down
    event manager applet internet_down
    event syslog pattern "%TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down"
    action 2.0 cli command "enable"
    action 3.0 cli command "config t"
     action 3.2 cli command "interface Vlan10"
     action 3.3 cli command "no ip policy route-map Use_Internet"
     action 3.4 cli command "exit"
    repeat the same process for other IP SLA tracking you have
    hope this helps
    Santhosh

  • Single 3850(MC) how many AP can control

    Hi all, I am now testing the 3850..
    I have some questions about the 3850.
    1. How many APs can a single 3850 (MC) control?
        If we buy a single 3850 (48-port), can we use all ports for APs?
    2. When building an MC-MA wireless environment, if the MC goes down, can the MA still work without the MC? (Is there some kind of NSF?)
    3. For example, the MC has an AP and the MA has an AP. Then we can see APs only on each 3850. How can we manage all the APs?
        Prime Infrastructure can see all the APs; is this the only way? I think this is not good for managing wireless.
    4. If the MA has over two APs (AP1, AP2), User1 is connected to AP1 and User2 is connected to AP2.
        User1 needs to connect to User2 (FTP or something). Can User1 and User2 connect directly, without going through the MC?
              MC-----------------MA
                                  |
                             AP1     AP2
                              |       |
                            user1   user2
    If you have any answer, please reply.
    Thank you.

    A 3850 can support up to 50 directly-connected APs.

  • 3850 PoE issues with AP3600 and AP3700

    The switch is more than capable of providing 30 watts of power to the 3600AP yet it negotiates 15.4 watts and then I get errors in prime. Can someone explain how to fix this issue or what is causing the problem? Both radios are enabled so I would expect it to draw about 20 watts. We are seeing the same issues with 3700 series APs on the 3850 series switches. The APs tie back to a controller and not the 3850 switch
    Error Message from Prime
    Virtual Domain: ROOT-DOMAIN
    PI has detected one or more alarms of category AP and severity Critical in Virtual Domain ROOT-DOMAIN for the following items:
    1. Message: Access point 'CAZBM-LAPA02' associated with controller 'BRO-5500' draws low power from Ethernet. Failure reason: 'The AP draws 15.4 watts from Ethernet'.
     (6 times)
    E-mail will be suppressed up to 30 minutes for these alarms.
    Switch Info:
    Show Version
    Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.02.SE RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Fri 14-Jun-13 19:24 by prod_rel_team
    ROM: IOS-XE ROMMON
    BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 1.2, RELEASE SOFTWARE (P)
    BRO-Zone-A-Stack uptime is 18 weeks, 2 days, 23 hours, 56 minutes
    Uptime for this control processor is 18 weeks, 2 days, 23 hours, 59 minutes
    System returned to ROM by reload
    System restarted at 09:42:37 EST Sat Nov 15 2014
    System image file is "flash:packages.conf"
    Last reload reason: Reload command
    License Level: Lanbase
    License Type: Permanent
    Next reload license Level: Lanbase
    cisco WS-C3850-48P (MIPS) processor with 4194304K bytes of physical memory.
    Motherboard Assembly Number        : 73-14442-08
    Model Revision Number              : L0
    Motherboard Revision Number        : C0
    Model Number                       : WS-C3850-48P
    Switch Ports Model              SW Version        SW Image              Mode   
         1 56    WS-C3850-48P       03.02.02.SE       cat3k_caa-universalk9 INSTALL
    Show power inline
    Module   Available     Used     Remaining
              (Watts)     (Watts)    (Watts) 
    1           450.0       15.4       434.6
    2           450.0        0.0       450.0
    3           450.0        0.0       450.0
    4           450.0      120.0       330.0
    Interface Admin  Oper       Power   Device              Class Max
                                (Watts)                            
    Gi1/0/1   auto   off        0.0     n/a                 n/a   30.0 
    Gi1/0/2   auto   off        0.0     n/a                 n/a   30.0 
    Gi1/0/3   auto   off        0.0     n/a                 n/a   30.0 
    Gi1/0/4   auto   off        0.0     n/a                 n/a   30.0 
    Gi1/0/5   auto   off        0.0     n/a                 n/a   30.0 
    Gi1/0/6   auto   off        0.0     n/a                 n/a   30.0 
    Gi1/0/7   auto   off        0.0     n/a                 n/a   30.0 
    Gi1/0/8   auto   off        0.0     n/a                 n/a   30.0 
    Gi1/0/9   auto   off        0.0     n/a                 n/a   30.0 
    Gi1/0/10  off    off        0.0     n/a                 n/a   30.0 
    Gi1/0/11  off    off        0.0     n/a                 n/a   30.0 
    Gi1/0/12  off    off        0.0     n/a                 n/a   30.0 
    Gi1/0/13  auto   off        0.0     n/a                 n/a   30.0 
    Gi1/0/14  auto   on         15.4    AIR-CAP3602I-A-K9   0     30.0 
    Gi1/0/15  auto   off        0.0     n/a                 n/a   30.0 

    Duplicate post.
    Go HERE.

  • Converged Access Design Help (Catalyst 3850 and WLC 5508...Mobility Oracle)

    Hello,
    I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new
    building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as
    well as the Wireless solution.
    At present, I have no issues in implementing the R&S infrastructure as it is very straight forward but it has implications on the deployment of
    the wireless solution which I explain further below. The R&S infrastructure comprises of the typical Core, Distribution, and Access layers and we
    are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning
    from distribution layer to core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
    Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a
    large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other
    the Secondary. The local distribution switch to which the WLC are connected also is the gateway for the SVIs for the SSIDs that are configured on
    the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly
    connected distribution switch which then routes it into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and
    support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
    Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated
    i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated
    between the two switches and their integrated controller.
    Yet, based on my understanding and research about Converged Access is that, ideally, the Catalyst 3850 will only run the Mobility Agent (MA)
    feature while a central controller would provide the Mobility Controller (MC) service. Unfortunately, there are not enough licenses on the
    existing WLC 5508 nor can we migrate the new licenses that will facilitate such a split deployment.
    This means that I would need to configure the two Catalyst 3850 as independent MC and form a MG between them. I have done this and tested this
    already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work as this is simple but rather it is
    focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the
    state of their connections to the WLAN infrastructure.
    To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect
    to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new
    subnets need to be assigned to the SSIDs.
    As such, I have the following questions:
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means
    that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG
    as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to
    the solution as per the next question. Please advise which is a better option?
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can
    then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD).
    Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more
    clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
    Regards,
    Amir

    Hi Amir,
    Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is a better option?
    I would configure them in the same mobility group. Also configure same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    MO is not required (it is only for very large scale deployments)
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Yes, documents are hard to find :(
    These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • [Cisco ISE 1.2 with 3850 - Trunk AP] Problem with MAB

    Hi everyone,
    After reading some documentation about using MAB in a trunk port with the 3850 I would like to know if someone has implemented ISE policies with a 3850 interface in trunk mode. My problem is that when I try using MAB in a trunk port the MAC address of the AP is not visible in the "show mac address interface" and because of that the AP is not authenticated in ISE. The thing is that if I use a 2960 everything goes smoothly with no problems!
    Let me show you what I have,
    interface GigabitEthernet1/0/3
     description AP
     switchport trunk native vlan 999
     switchport mode trunk
     trust device cisco-phone
     authentication event fail action next-method
     authentication host-mode multi-host
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x max-req 4
     auto qos voip cisco-phone
     service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
     service-policy output AutoQos-4.0-Output-Policy
    ############################################# switch model - 3850 ##################################################
    SW1#sh mac address-table interface GigabitEthernet1/0/3
              Mac Address Table
    Vlan    Mac Address       Type        Ports
    SW1#sh dot1x interface Gi1/0/3
    Dot1x Info for GigabitEthernet1/0/3
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 4
    TxPeriod                  = 30
    Switch Ports Model              SW Version        SW Image              Mode
    *    1 56    WS-C3850-48P       03.03.03SE        cat3k_caa-universalk9 INSTALL
    ############################################# Different switch model - 2960 ##################################################
    interface GigabitEthernet1/0/1
     description AP
     switchport trunk native vlan 999
     switchport mode trunk
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     authentication event fail action next-method
     authentication host-mode multi-host
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x max-req 4
     auto qos voip cisco-phone
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
     SW1#$cation sessions interface GigabitEthernet1/0/1
                Interface:  GigabitEthernet1/0/1
              MAC Address:  xxxx.xxxx.4a38
               IP Address:  172.18.1.170
                User-Name:  xx-xx-xx-xx-4A-38
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A18129D000060E39DAE8A8A
          Acct Session ID:  0x0000725D
                   Handle:  0x0F00028C
    Runnable methods list:
           Method   State
           mab      Authc Success
           Switch Ports Model              SW Version            SW Image                                                                                             
         1 28    WS-C2960X-24PS-L   15.0(2)EX5            C2960X-UNIVERSALK9-M      
     SW2#sh dot1x interface Gi1/0/1
    Dot1x Info for GigabitEthernet1/0/1
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 4
    TxPeriod                  = 30
    Am I doing something wrong?
    BR,

    I know what you mean and I agree with what you are saying :) Nonetheless, at the moment, the official stance from Cisco on this is that 802.1x is not supported on trunk ports. Now one can argue that MAB is different but I think we are just splitting hairs here :) 
    Like I said, I have gotten stuff to work before but always had some goofy things happening so in general I have stayed away from doing it. 
    Now in your situation, if your configuration is working fine on the 2960 but not on the 3850, then most likely the issue is with the XE code running on the 3850s. The XE code has been very problematic until recently so you are probably hitting some sort of a defect. As a result, I recommend that you upgrade the switch(es) to 3.3.5 or 3.6.1. Version 3.7.x is also out but it just came out 8 days ago so I would not recommend going to it. 
    Thank you for rating helpful posts!
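An added example, not part of the thread and not Cisco or ISE tooling: a Python check that parses the two interface stanzas posted above, confirms that their access-control lines are identical (so the behaviour difference is on the platform side, as the reply argues), and flags the port settings an access-control review would pick up. The finding codes, function names and the embedded config strings (copied from the post) are this example's own.

```python
AUTH_PREFIXES = ("switchport", "authentication", "mab", "dot1x")

FINDINGS = {  # finding codes and wording are this example's, not Cisco's
    "TRUNK_AUTH": "port-control enforced on a trunk port; the reply cites "
                  "Cisco's stance that 802.1x is not supported on trunk ports",
    "MULTI_HOST": "multi-host: the first authenticated MAC opens the port "
                  "for every other MAC behind it",
    "MAB": "MAB enabled: the endpoint is identified by its MAC address only",
}


def parse_interfaces(config):
    """Map interface name -> list of its sub-commands (indented child lines)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current and line[:1].isspace() and line.strip():
            stanzas[current].append(line.strip())
        elif line.strip():
            current = None          # any other top-level line ends the stanza
    return stanzas


def access_control_lines(cmds):
    """Only the lines that decide who gets onto the port."""
    return sorted(c for c in cmds if c.startswith(AUTH_PREFIXES))


def platform_specific(a, b):
    """Lines present in stanza a but absent from stanza b."""
    return sorted(set(a) - set(b))


def audit(cmds):
    """Return finding codes for a port that enforces authentication."""
    if "authentication port-control auto" not in cmds:
        return []
    codes = []
    if "switchport mode trunk" in cmds:
        codes.append("TRUNK_AUTH")
    if "authentication host-mode multi-host" in cmds:
        codes.append("MULTI_HOST")
    if "mab" in cmds:
        codes.append("MAB")
    return codes


# Stanzas copied from the post above.
COMMON_AUTH = """ switchport trunk native vlan 999
 switchport mode trunk
 authentication event fail action next-method
 authentication host-mode multi-host
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x max-req 4
"""
CFG_3850 = ("interface GigabitEthernet1/0/3\n description AP\n" + COMMON_AUTH +
            " trust device cisco-phone\n auto qos voip cisco-phone\n")
CFG_2960 = ("interface GigabitEthernet1/0/1\n description AP\n" + COMMON_AUTH +
            " mls qos trust device cisco-phone\n mls qos trust cos\n"
            " auto qos voip cisco-phone\n")

if __name__ == "__main__":
    a = parse_interfaces(CFG_3850)["GigabitEthernet1/0/3"]
    b = parse_interfaces(CFG_2960)["GigabitEthernet1/0/1"]
    print("auth lines identical:", access_control_lines(a) == access_control_lines(b))
    for code in audit(a):
        print(code, "-", FINDINGS[code])
    print("2960-only lines:", platform_specific(b, a))
```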

  • Flexible Netflow (v.9) question on 3850 ipservices doesn't seem to register

    Greetings all - I am trying to enable netflow on a new 3850-24 with ipservices.  I am leveraging LiveAction and have raised a ticket with them to help me through the issue, but more generally I'm confused about the lack of features I'm seeing. Per the 3850 guide here (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/flexible_netflow/configuration_guide/b_fnf_3se_3850_cg/b_fnf_3se_3850_cg_chapter_010.html) it is stated that you will have the option of turning on inbound and outbound directions on 3850's with ipbase and ipservices.  
    We are running ip services:
     Slot#  License name   Type     Count   Period left 
     1      ipservices   permanent     N/A   Lifetime
    However, we get the following error when trying to turn on flow inbound and outbound on the interfaces - whether they are svi (layer3) or interface (layer2)
    -----------------Layer2: ----------------------------------------------
    (config)#interface GigabitEthernet1/0/24
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' 
    Unsupported match field "interface input" for ipv4 traffic in output direction
    Unsupported collect field "interface output" for ipv4 traffic in output direction
    ---------------- Layer3 ---------------------------------------------
    switch(config)#interface Vlan190
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    ------------------------------------ untruncated output ------------------------------
    switch(config-flow-record)#collect counter bytes
    % Incomplete command.
    switch(config-flow-record)#collect counter packets
    % Incomplete command.
    switch(config-flow-record)#collect flow sampler
                                                        ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect interface output
    switch(config-flow-record)#collect ipv4 destination mask
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect ipv4 dscp
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect ipv4 id
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect ipv4 source mask
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect ipv4 source prefix
                                                    ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect routing destination as
                                                   ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect routing next-hop address ipv4
                                                   ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect routing source as
                                                   ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect timestamp sys-uptime first
                                                             ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect timestamp sys-uptime last
                                                             ^
    % Invalid input detected at '^' marker.
    switch(config-flow-record)#collect transport tcp flags
    switch(config-flow-record)#exit
    switch(config)#flow monitor LIVEACTION-FLOWMONITOR
    switch(config-flow-monitor)#$ DO NOT MODIFY. USED BY LIVEACTION. 
    switch(config-flow-monitor)#exporter LIVEACTION-FLOWEXPORTER
    switch(config-flow-monitor)#cache timeout inactive 10
    switch(config-flow-monitor)#cache timeout active 60
    switch(config-flow-monitor)#record LIVEACTION-FLOWRECORD
    switch(config-flow-monitor)#exit
    switch(config)#interface Vlan197
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    switch(config-if)#exit
    switch(config)#interface Vlan190
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
    % Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
    -------------------- config it's trying to apply----------------------------
    config t
    ip cef
    snmp-server ifindex persist
    flow exporter LIVEACTION-FLOWEXPORTER
    description DO NOT MODIFY. USED BY LIVEACTION.
    destination <removed private IP address to liveaction server>
    source Loopback0
    transport udp 2055
    template data timeout 600
    option interface-table
    exit
    flow record LIVEACTION-FLOWRECORD
    description DO NOT MODIFY. USED BY LIVEACTION.
    match flow direction
    match interface input
    match ipv4 destination address
    match ipv4 protocol
    match ipv4 source address
    match ipv4 tos
    match transport destination-port
    match transport source-port
    collect counter bytes
    collect counter packets
    collect flow sampler
    collect interface output
    collect ipv4 destination mask
    collect ipv4 dscp
    collect ipv4 id
    collect ipv4 source mask
    collect ipv4 source prefix
    collect routing destination as
    collect routing next-hop address ipv4
    collect routing source as
    collect timestamp sys-uptime first
    collect timestamp sys-uptime last
    collect transport tcp flags
    exit
    flow monitor LIVEACTION-FLOWMONITOR
    description DO NOT MODIFY. USED BY LIVEACTION.
    exporter LIVEACTION-FLOWEXPORTER
    cache timeout inactive 10
    cache timeout active 60
    record LIVEACTION-FLOWRECORD
    exit
    interface Vlan197
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface Vlan190
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/13
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/18
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/4
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/3
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/6
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/5
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/23
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
    exit
    interface GigabitEthernet1/0/24
    ip flow monitor LIVEACTION-FLOWMONITOR input
    ip flow monitor LIVEACTION-FLOWMONITOR output
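An added example, not part of the post and not LiveAction or Cisco tooling: a Python parser that pairs each command in a pasted configuration transcript like the one above with the error the switch printed for it, separating keywords the parser does not know ("Invalid input") from keywords that need more arguments ("Incomplete command") and from features refused at apply time. The sample transcript is an excerpt of the post's own output; function names and category labels are this example's.

```python
import re
from dataclasses import dataclass, field

# IOS config prompt, e.g. "switch(config-if)#cmd"; pasted transcripts
# sometimes lose the hostname, so it is optional.
PROMPT = re.compile(r"^\s*[\w.-]*\((config[^)]*)\)#\s*(.*)$")
CARET = re.compile(r"^\s*\^\s*$")   # the "^" marker line under a bad keyword


@dataclass
class Entry:
    mode: str                    # sub-mode from the prompt, e.g. "config-if"
    command: str
    context: str = ""            # interface the command was typed under
    errors: list = field(default_factory=list)


def parse_transcript(text):
    """Pair every typed command with the error lines the switch printed."""
    entries, iface = [], ""
    for line in text.splitlines():
        m = PROMPT.match(line)
        if m:
            mode, cmd = m.group(1), m.group(2).strip()
            if not cmd:
                continue
            if cmd.startswith("interface "):
                iface = cmd.split(None, 1)[1]
            in_if = mode.startswith("config-if")
            entries.append(Entry(mode, cmd, iface if in_if else ""))
            continue
        if not entries or not line.strip() or CARET.match(line):
            continue
        last = entries[-1]
        # "% ..." opens an error; unprefixed lines right after it continue it
        if line.lstrip().startswith("%") or last.errors:
            last.errors.append(line.strip())
    return entries


def classify(entry):
    text = " ".join(entry.errors).lower()
    if not text:
        return "ok"
    if "incomplete command" in text:
        return "incomplete"      # keyword exists but needs more arguments
    if "invalid input" in text:
        return "invalid"         # keyword unknown to this platform/release
    if "unsupported" in text or "not supported" in text:
        return "unsupported"     # parsed, then refused when applied
    return "other"


def report(entries):
    """(where, command, category) for every command the switch refused."""
    return [(e.context or e.mode, e.command, classify(e))
            for e in entries if e.errors]


def trim_record(record_lines, entries):
    """Drop from a flow record the lines refused in config-flow-record mode."""
    bad = {e.command for e in entries
           if e.mode == "config-flow-record" and e.errors}
    return [l for l in record_lines if l.strip() not in bad]


# Excerpt of the transcript in the post above.
SAMPLE = """(config)#interface GigabitEthernet1/0/24
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR output
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR'
Unsupported match field "interface input" for ipv4 traffic in output direction
Unsupported collect field "interface output" for ipv4 traffic in output direction
switch(config)#interface Vlan190
switch(config-if)#ip flow monitor LIVEACTION-FLOWMONITOR input
% Flow Monitor: Flow Monitor 'LIVEACTION-FLOWMONITOR' flexible netflow not supported on vlan interfaces
switch(config-flow-record)#collect counter bytes
% Incomplete command.
switch(config-flow-record)#collect flow sampler
                                                    ^
% Invalid input detected at '^' marker.
switch(config-flow-record)#collect interface output
switch(config-flow-record)#collect transport tcp flags
"""

if __name__ == "__main__":
    for where, cmd, kind in report(parse_transcript(SAMPLE)):
        print(f"{kind:12} {where:24} {cmd}")
```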

    Welcome to the Arch forums.  That was an amazing first post.  It is refreshing to see a new forum member actually post with as much detail as possible in order to explain the situation.  Too often we get people saying things like "I can't get to the internet... why?" as the extent of their post.  So thanks.
    So I am curious about what the dhcpcd is trying to do.  It seems to be trying to solicit an ipv6 address, but mentions nothing about an ipv4 address.  It is unfortunately not entirely uncommon for dhcpcd to time out waiting for an ipv6 address that never comes.  So are you using ipv6?  Do you expect an ipv6 address?  I noticed that when you tried to ping the google DNS server, you used their ipv4 address (8.8.8.8).  So I am thinking that means you are actually using ipv4.
    I wonder if you might be able to poll for just an ipv4 address with dhcpcd.  Just run it with -4 and it should disable the ipv6 stuff.  You might also want to try dhclient and see what kind of output it gives you.  If you are definitely not using ipv6, and it is not offered in your area, you might want to disable it.  There are instructions in the wiki on how to do this... but you might want to wait until you establish the issue before doing things like that.

  • QOS for PCoIP on a 3850

    Teradici advises that packet loss be kept below 1% in PCoIP. I know that UDP is not guaranteed to arrive in order but, again according to Teradici, out of order packets may be considered as dropped packets.  One suggestion is to turn on WRED on the 3850 but version 03.03.04SE of the IOS doesn't support this.
    How can I enable this?

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Well, if the 3850 doesn't support WRED, then the answer to your question for how to enable is you don't.
    That noted, it's unclear how WRED activation, if available, will help guarantee UDP packets are delivered in order, or how it will guarantee PCoIP packet loss be kept below 1%.
    What you might do on a 3850, is place your PCoIP traffic into a class that guarantees sufficient bandwidth that PCoIP traffic won't be dropped.  (Basically you should treat PCoIP somewhat like VoIP bearer or interactive video, i.e. delay and drop sensitive.)
    Out-of-order delivery isn't a possibility unless you have multiple paths and/or reorder transmission of packets part of the same flow.  Network devices usually, by default, will not resequence a flow's packets.  The only time that "normally" happens is if there's a change in the logical or physical topology while packets are "in flight".

Maybe you are looking for