VoIP configure on edge switch 3750
Greeting
I am testing no cisco phone on 3750:
interface FastEthernet1/0/6
 description testing
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 101
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 mls qos trust dscp
 auto qos voip cisco-phone
 macro description cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQoS-Police-CiscoPhone
end
and found that "switchport port-security" will drop the phone's DHCP discovery packets.
When the phone is first powered on, it can get an IP address from the DHCP server; but when you log out from the current phone number and the phone starts to get an IP address from DHCP again, the switch drops the DHCP discover packets which the phone uses to communicate with the DHCP server.
I tried to increase the max number to 6 (switchport port-security maximum 2) but it did not help.
I ran the show port-security int command, and there is only one MAC address on the interface.
I have also checked the MAC address, and I cannot see any violation of the security rules.
Could anyone advise me:
- what is the cause?
- how can I debug it?
- is it possible to fix it without disabling port security?
Any comments will be appreciated
thanks in advance
Great thanks for the reply, I have found the problem. The problem is that the "switchport port-security aging time" has to be lower than 2. I have set it to 1 min.
Another question: we have been asked to set QoS trust DSCP, as:
mls qos trust dscp
Can I get advice on whether it will cause a workstation (PC/server) plugged into this port to get high-priority treatment?
Please advise.
Many Regards
Similar Messages
-
Hi,
I have a doubt. The company wants to implement VoIP, but the core switches are Cisco 3750. Is it possible to implement it with these switches?
Any experience in this task will be appreciated.
Thanks
Wladimir
Well Wladimir,
you could implement it in one step or in several steps. It depends on several parameters I do not know, like time frame, staff, size, maintenance windows, etc.
Be aware that implementing VoIP will most likely require QoS on at least the trunk ports and all ports where VoIP traffic is passing.
VLAN implementation would be the base for any traffic, so I would make sure to design and implement rapid spanning tree per VLAN first.
Make sure the root bridges are selected carefully. Test failure scenarios.
Increasing the number of VLANs should not pose any problem, so this could be an ongoing process, while you plan your VoIP implementation.
VoIP needs a LOT more than just switch design. Have a look at the VoIP SRND (www.cisco.com/go/srnd). If you have no experience with setting up VoIP get professional help, if your budget allows it. Make sure your staff is properly trained to support the new network.
Just a few recommendations to get you onto the right track - I still might miss some important points, as I do not know your requirements and network in great detail.
Hope this helps nevertheless. Please use the rating system.
Regards, Martin -
802.1x between Switch 3750 and ACS 4.2 Authentication failed -- need help
I configured the Switch 3750 and ACS for 802.1x authentication.
When I used Windows as the 802.1x client, it prompted "click here to enter user name and password for the network" as normal.
The problem is that after I entered the username and password (I am sure I entered the identical username and password as in ACS), the authentication failed.
What is the most likely problem?
Thx in advance!!!
The configuration of the Sw3750 is:
aaa new-model
aaa authentication login default local
aaa authentication enable default line
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
interface GigabitEthernet1/0/18
 description Link to test 802.1x
 switchport access vlan 119
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast
radius-server host 10.1.1.333 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key keepopen0
In the ACS:
Network Configuration -->aaa client ip address: 10.1.119.1(the vlan 119's ip address), shared secret: keepopen0
user setup -->real name:test1, password: test1.
Attached is the debug information
What do you see in acs failed attempts?
-
Help me to choose Right Core switches and Edge switches as per my Spec
Dear All
Please help me to choose Core and Edge switches and all required hard ware and software.
the spec details as per below
Core Switches
1. High performance, highly scalable core switch to provide multi-10GE connectivity to various segments in the network.
2. Switch should have redundant switch fabric and routing engines or management / supervisor modules
3. Should have separate control and forwarding planes
4.Each switch should have redundant power supplies in N+N or N+1 fashion
5. Must allow for two spare slots once services, management, processing modules and line cards populated
6. Easy to manage firmware - i.e. single code type (enterprise/service provider) or train, and robust operating system
7. Supports for the VRRP, NSR, GRES, BFD, STP, MSTP, RSTP, VSTP, LACP redundancy protocols
8. Hot plugging and removal
9. The switch should have native switching architecture with up to sufficient performance such that the loss of one switching fabric should not lead to degraded performance
10. Switch should support switching at least 400Mpps
11. Switch should be able to support 40 10Gig line rate ports in a fully redundant configuration
12. Chassis that can scale to 700 Gbps
13. The proposed Backbone switch should support, but not be limited to the following Layer 3 features:
Static ip routing
Routing information protocol (RIP) and RIP2
Open shortest path first (OSPF)
IGMP v1, v2 and v3
IGMP Snooping
IP multicast routing protocol
14. The switch should support the following features at a minimum:
Spanning Tree 802.1D, 802.1S, 802.1W
GVRP
802.1x single and multi-supplicant: VLAN and ACL assignment
Dynamic ARP Inspection (DAI), DHCP snooping, IP Source Guard
LLDP, LLDP-MED
802.3X, 802.3ad
Redundant Trunk Group (RTG)
IGMP snooping
Unicast static, OSPF v1/v2, RIP v1/v2
Multicast IGMPv1/v2, PIM
Graceful Route Engine Switchover
I have gone through your document and I am surprised to see MORE information in the document than what you've posted. I am so mildly suspicious about the authenticity of the document and spreadsheet you've attached.
So far, based on this document, the client wants a chassis that can support up to 700 Gbps backplane. The only candidate, other than a full-blown Nexus solution, is the 6807-X.
Next, the document also states dual supervisor card with two spare slots. Good luck trying to get that much empty space on a 6807-X. This means 6509E. You can't use a 6513E because of line-card-to-slot limitation.
If you look under the heading "Edge Switching", the first sentence already makes references to 6800ia switch.
There's also a reference stating that the product should have a 100 Gbps backplane. You can take the 6509E chassis out of the equation.
So you see, I am suspicious about the authenticity of the document. I agree with mali's and devil's recommendation that if you are serious, you would be engaging Cisco SE/AM in your region. There are only three reasons, that I can think of, why you've posted this here. One of them is the intended purpose of this document (and the audience). -
Dear Experts,
I have been trying to configure telnet access to the Edge switches, but still no result. My network topology is below:
- 1 Core Switch 3560
- 3 Edge Switch 2960
I have configured 4 VLANs:
+ Vlan 19: 10.19.10.0/24
+ Vlan 20: 10.20.10.0/24
+ Vlan 21: 10.21.10.0/24
+ Vlan 22: 10.22.10.0/24
On each VLAN, I have assigned a VLAN interface IP.
I'm using VTP mode (server and client) for trunking the VLANs, and the Core SW acts as the VTP server. I can telnet to the Core SW using the VLAN interface IP.
The question is: how can I configure telnet access to the Edge SW?
Can somebody help me with this?
Thanks in advance!
JH
Hi,
From looking at your topology, the configuration should work. You should be able to telnet into the edge switches from anywhere in the network using the ip addresses of the vlan interfaces on each switch.
What exactly is the issue you're experiencing?
Are you able to ping the switch ip addresses?
Looking forward to hearing from you -
How to telnet to an edge switch?
We have a 6506 which has dot1q trunk links to 2950 edge switches....
My problem is that I need to be able to remotely access these 2950 switches using telnet.
Is it just a case of assigning each switch an IP address on vlan1 and also assigning an IP address to vlan1 on the 6506?
Any help would be great
Cheers
Jonathan
I think you have pretty well described what you need to do. You assign an IP address to each 2950 for management purposes (all management addresses in the same subnet). By default that address is associated with VLAN 1. You also need to configure VLAN 1 on the 6506 with an IP address in the subnet that you are using on the 2950s. That way the 6506 can get to all the 2950s. You also need to provide appropriate routing so that devices in other parts of the network have routes to the subnet and the 6506 has routes to the other subnets in the network. You should then be able to telnet to any of the switches.
HTH
Rick -
Configuration of Routers/SWitches
I would like to know what is the best configuration to connect 2 Routers 7206 to 2 Switches 3750 . The best configuration between Routers , between Switches and between Routers/switches . Thanks .
wrong forum.
Try "LAN, Switching and Routing"
Gilles. -
Configure Private VLAN on 3750 & 2960
Hi All,
( R ) ------ [ 3750 ] ------- [ 2960 A ]
|------------ [ 2960 B ]
I had these VLAN on the 3750 & 2960:
- Vlan 8 (mgnt Vlan), Vlan 17, Vlan 34, Vlan 35
Basically I had already configured switchport protected on all the ports on the 2960 except the uplink to the 3750.
2960 Configure
On uplink to 3750
 switchport mode trunk
On end device port
 switchport trunk native vlan 35
 switchport trunk allowed vlan 34,35
 switchport mode trunk
 switchport protected
 spanning-tree portfast
How do I go about configuring private VLAN on the 3750?
3750 Configure
On downlink to 2960
 switchport mode trunk
Interface vlan8
 ip address 10.8.0.1 255.255.255.0
Interface vlan17
 ip address 10.17.0.1 255.255.255.0
Interface vlan34
 ip address 10.34.0.1 255.255.255.0
Interface vlan35
 ip address 10.35.0.1 255.255.255.0
What I want to achieve is to send all the VLAN 8, 17, 34, 35 from 2960 to 3750 and 3750 to 2960. But at the same time prevent 2960 A client from talking to 2960 B client on VLAN 35?
I believe that if both devices you do not want to speak with each other are on the 2960, "switchport protected" should work.
But you can also configure this with private VLANs.
Let's say client A is on port f0/1 and client B on port f0/2.
The parent (main) VLAN is 100 and the child is 999.
You would configure the VLANs on ALL switches.
vlan 999
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 999
Now you would need to configure the ports.
int range f0/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 999
If the interfaces will talk to other VLANs, you need to configure the SVI so that it knows it will serve the private VLANs.
interface vlan 100
 private-vlan mapping 999
That's it, but notice that now interface f0/1 will not talk to f0/2 or to any other interface inside vlan 100. If you want a port to communicate with f0/1 or f0/2, this new port would need to be configured as a promiscuous one (in case it needs to talk to both of them), or you create a community private-vlan and configure the desired ports in it. (F0/1 and F0/2 can't be in the same community VLAN or they'll be able to talk to each other.)
If the intention is to prevent one specific port from talking to all the others, you can put only this interface in the private VLAN instead of both.
Wrote too much. If this answers your question let me know, or we can create a practical scenario for it. -
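The forwarding rules described in the reply above, as an added Python model that is not part of the original post: it reads private-VLAN config lines and answers which ports may exchange traffic. The config is constructed from the reply's VLAN numbers (primary 100, isolated 999); community VLAN 998, ports Fa0/3, Fa0/4 and the promiscuous port Fa0/24 are assumptions added to exercise every rule.

```python
import re

# Constructed config: VLANs 100/999 come from the reply above; VLAN 998,
# Fa0/3, Fa0/4 and the promiscuous Fa0/24 are assumptions for this example.
CONFIG = """\
vlan 999
 private-vlan isolated
vlan 998
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 998,999
interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 999
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 999
interface FastEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 998
interface FastEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 998
interface FastEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 998,999
"""

def parse(config):
    """Return {port: {"role", "primary", "secondary"}} from PVLAN config lines."""
    vlan_type, ports, vlan, port = {}, {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan, port = int(m[1]), None
        elif m := re.fullmatch(r"interface (\S+)", line):
            vlan = None
            port = ports.setdefault(m[1], {"role": None, "primary": None, "secondary": None})
        elif vlan and (m := re.fullmatch(r"private-vlan (isolated|community|primary)", line)):
            vlan_type[vlan] = m[1]
        elif port is not None and (m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line)):
            port["role"] = m[1]
        elif port is not None and (m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line)):
            port["primary"], port["secondary"] = int(m[1]), int(m[2])
        elif port is not None and (m := re.fullmatch(r"switchport private-vlan mapping (\d+) \S+", line)):
            port["primary"] = int(m[1])
    for p in ports.values():  # a host port takes the type of its secondary VLAN
        if p["role"] == "host":
            p["role"] = vlan_type.get(p["secondary"])
    return ports

def can_talk(ports, a, b):
    """Apply the PVLAN rules: promiscuous reaches all, community reaches its own group."""
    pa, pb = ports[a], ports[b]
    if a == b or pa["primary"] != pb["primary"]:
        return False
    if "promiscuous" in (pa["role"], pb["role"]):
        return True
    return pa["role"] == pb["role"] == "community" and pa["secondary"] == pb["secondary"]
```

Running `can_talk(parse(CONFIG), "FastEthernet0/1", "FastEthernet0/2")` returns `False`, while the two community ports reach each other, which is the caveat the reply gives about putting F0/1 and F0/2 in the same community VLAN.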
Hi,
I am configuring 802.1X authentication on my access switches. The switches are WS-C3750G-24PS running C3750-IPBASEK9-M, Version 15.0(1)SE2, RELEASE SOFTWARE (fc3). The RADIUS server is an IAS server; in the IAS there is a Remote Policy with the Windows Group of the users, and the attributes Service Type (Frame), Tunnel-Medium-Type (802), Tunnel-Pvt-Group-ID (100) and Tunnel-Type (Vlan) were configured.
The configuration in a switch is as follow:
aaa new-model
aaa session-id common
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.168.11.28 key 7 093204802934802934123132132123
interface GigabitEthernet1/0/23
 switchport mode access
 authentication event fail retry 5 action authorize vlan 5
 authentication event no-response action authorize vlan 5
 authentication port-control auto
 authentication periodic
 authentication violation protect
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 2
 dot1x timeout supp-timeout 2
 dot1x max-reauth-req 10
 dot1x timeout held-period 300
 spanning-tree portfast
end
I have these logs, when I connect a workstation with 802.1x configured:
016569: *Mar 2 04:07:37: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to up
016570: *Mar 2 04:07:41: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016571: *Mar 2 04:07:41: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016572: *Mar 2 04:07:41: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016573: *Mar 2 04:08:09: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016574: *Mar 2 04:08:09: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
Other show commands:
Switch#show dot1x interface gigabitEthernet 1/0/23 detail
Dot1x Info for GigabitEthernet1/0/23
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 5
ServerTimeout = 10
SuppTimeout = 2
ReAuthMax = 10
MaxReq = 2
TxPeriod = 2
Dot1x Authenticator Client List
EAP Method = (0)
Supplicant = 2965.0a1d.3431
Session ID = C0A813FD000000CF060CE68E
Auth SM State = HELD
Auth BEND SM State = IDLE
Any idea?
Any suggestions?
Hi Matthew,
Please let me know what EAP method you are using (e.g. PEAP with EAP-MS-CHAPv2).
The backend RADIUS server logs should have a hint on why the 802.1x failed.
If you are using PEAP with EAP-MSCHAPv2,
1) make sure the certificate on the RADIUS server is fine.
2) check the config in the RADIUS server (regarding which EAP methods are allowed) and check the settings in the supplicant.
3) Make sure that the CA certificate of the RADIUS server is trusted in the supplicant.
4) Check the RADIUS server logs and the logs should give a hint regarding the issue.
If needed, create a case with the respective RADIUS server vendor's TAC.
Regards,
Karthik Chandran -
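A triage script for the switch log quoted in the question above, added here as an example and not part of the original thread: it groups the 802.1X messages per client and port and reports which result the authentication manager logged. The log lines are copied from the post; the wording of the hint in `diagnose` is this example's own reading of a 'timeout' result.

```python
import re
from collections import Counter

# Log lines copied from the question above (the switch's own output).
SAMPLE_LOG = """\
016569: *Mar 2 04:07:37: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to up
016570: *Mar 2 04:07:41: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016571: *Mar 2 04:07:41: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016572: *Mar 2 04:07:41: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016573: *Mar 2 04:08:09: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016574: *Mar 2 04:08:09: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
"""

EVENT_RE = re.compile(
    r"%(?P<tag>DOT1X-5-FAIL|AUTHMGR-7-RESULT|DOT1X-5-RESULT_OVERRIDE): "
    r"(?P<text>.*?) for client \((?P<mac>[0-9a-fA-F.]+)\) "
    r"on Interface (?P<intf>\S+)"
)
RESULT_RE = re.compile(r"Authentication result '([^']+)' from '([^']+)'")
TIME_RE = re.compile(r"(\d\d:\d\d:\d\d): %")

def triage(log_text):
    """Group 802.1X events by (client MAC, interface)."""
    clients = {}
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # unrelated message, e.g. LINK-3-UPDOWN
        entry = clients.setdefault(
            (m["mac"], m["intf"]),
            {"fails": 0, "overrides": 0, "results": Counter(), "fail_times": []},
        )
        if m["tag"] == "DOT1X-5-FAIL":
            entry["fails"] += 1
            entry["fail_times"].append(TIME_RE.search(line).group(1))
        elif m["tag"] == "DOT1X-5-RESULT_OVERRIDE":
            entry["overrides"] += 1
        else:
            result = RESULT_RE.search(m["text"])
            if result:
                entry["results"][result.group(1)] += 1
    return clients

def diagnose(entry):
    """Summarise one client's results (hint text is this example's assumption)."""
    results = entry["results"]
    if results and set(results) == {"timeout"}:
        return ("timeout: the exchange did not complete in time; check the "
                "RADIUS server logs and the supplicant's EAP settings")
    if results:
        return "results seen: " + ", ".join(sorted(results))
    return "no AUTHMGR result logged"
```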
Best way to remove CSM configuration from a switch
I have a redundant pair of CSMs and would like to move the slave CSM to a new switch. What is the quickest way to eliminate all configuration from this switch so the same can be installed on the new switch, without reloading the switch or causing any downtime to already existing connections through the master CSM?
Hi Imre,
Kindly read the following section for what is required:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/redun.html#wp1047388 -
How to identify that a host is connected to which particular edge switch
Hello Guys
Can anybody explain how to identify that a host is connected to which particular edge switch and port in a Cisco SAN Fabric ??
Hi,
Hopefully you know the host PWWN.
If the edge switch is not in NPV mode, get the FCID from the output of "show fcns database"
The answer may also be as simple as finding this entry in the "show fcns database detail".
If not, once you have the fcid, the first byte of the fcid is the switch domain ID. With the combination of "show fcdomain domain-list vsan xx" "show fcs ie" you should be able to determine what you need.
If the edge switch is in NPV and registers as an NPV device (Cisco switches do), then the FCID will be assigned by the core switch upstream of that edge switch. You can see this from a "show flogi database". Find the PWWN here. There will likely be multiple entries for the port where the host is connected. Once you find the port where the NPV switch is attached, the first flogi entry on that port will be the switch WWN. Get the FCID for the switch and then find the entry for this FCID in the "show fcns database detail"; this will give you the switch information.
Best regards,
Jim -
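The non-NPV lookup from the answer above, as an added Python example that is not part of the original thread: it finds a host PWWN in name-server output, splits the 24-bit FCID into domain, area and port bytes, and maps the domain ID to a switch WWN. Both outputs are constructed and abbreviated in the style of "show fcns database" and "show fcdomain domain-list"; every FCID and WWN in them is a made-up sample value.

```python
import re

# Constructed, abbreviated command outputs; all FCIDs and WWNs are made up.
FCNS_DB = """\
VSAN 10:
--------------------------------------------------------------------------
FCID        TYPE  PWWN                    (VENDOR)        FC4-TYPE:FEATURE
--------------------------------------------------------------------------
0x0a0100    N     21:00:00:00:00:00:00:01                 scsi-fcp:init
0x0a0200    N     50:00:00:00:00:00:00:02                 scsi-fcp:target
0x150300    N     21:00:00:00:00:00:00:03                 scsi-fcp:init
"""
DOMAIN_LIST = """\
Number of domains: 2
Domain ID              WWN
---------    -----------------------
 0x0a(10)    20:0a:00:00:00:00:00:0a [Principal]
 0x15(21)    20:0a:00:00:00:00:00:15
"""

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"

def split_fcid(fcid):
    """Split a 24-bit FCID into (domain, area, port) bytes."""
    if not 0 <= fcid <= 0xFFFFFF:
        raise ValueError("FCID must fit in 24 bits")
    return (fcid >> 16) & 0xFF, (fcid >> 8) & 0xFF, fcid & 0xFF

def fcns_entries(text):
    """Map PWWN -> FCID (int) from name-server table rows."""
    rows = re.findall(rf"^(0x[0-9a-f]{{6}})\s+\S+\s+({WWN})", text, re.M | re.I)
    return {pwwn.lower(): int(fcid, 16) for fcid, pwwn in rows}

def domain_owners(text):
    """Map domain ID -> switch WWN from domain-list rows."""
    rows = re.findall(rf"^\s*0x([0-9a-f]{{2}})\(\d+\)\s+({WWN})", text, re.M | re.I)
    return {int(dom, 16): wwn.lower() for dom, wwn in rows}

def locate(pwwn, fcns_text=FCNS_DB, domain_text=DOMAIN_LIST):
    """Return where a host PWWN logged in, or None if it is not registered."""
    fcid = fcns_entries(fcns_text).get(pwwn.lower())
    if fcid is None:
        return None
    domain, area, port = split_fcid(fcid)
    # With an NPV edge switch the domain byte belongs to the upstream core,
    # so the flogi database on that core is the next place to look.
    return {"fcid": f"0x{fcid:06x}", "domain": domain, "area": area,
            "port": port, "switch_wwn": domain_owners(domain_text).get(domain)}
```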
Where Prime saves configuration files of switches from inventory
Hi Guys,
we are using PI 1.3.
PI monitors and manages several switches (about 30 devices).
I want to review the configuration of the switches with a text editor, so it would be great if I could access the configuration files which PI creates with the background task "switch inventory".
Does anyone know where PI stores these files?
Thanks and Regards, Alexander
Hi Alex,
Check the post below; I hope it will answer your query:
https://supportforums.cisco.com/discussion/11852236/pi-where-devices-archive-files-are-located#3975460
Thanks-
Afroz
***Ratings Encourages Contributors **** -
Urgent... I'm a newbie on Cisco networking. I have 3 2811 routers with voice in my network. The internet and data networking configuration now works well, but I have a problem with the VoIP configuration; I can't do it. Scenario for VoIP: all extension phones in one SITE can dial calls to the other SITEs, and all extension phones at all SITEs can dial out (ISDN). Attached is my network topology. My router 2811 at site B (Router B) includes call manager and an interface to ISDN on SITE B, and the interface to the PABX on SITE C is VWIC-1MFT-G703 (E1 trunk).
Please... can anyone help me with example configurations or complete configurations for my network???
Thanks a lot for your Help....
Help me, you can do it friends????
-
Hi Experts,
We require VoIP configuration:
We have the following hardware, and the network diagram is attached
(1) Location A to B is connected through 2 mbps MPLS line – currently working OK through Cisco Routers.
(2) We want to configure Total 4 Cisco IP Phones – (2 in Location A + 2 in location B ) + 1 Cisco Analog telephone adapter.
(3) We have 4 IP phones and 4 analog Phones.
ROUTER AT HEAD OFFICE.
(1) 2901 UC Bundle w/ PVDM3-16 FL-CME-SRST-25 UC License PAK
(2) Communication Manager Express or SRST - 25 seat license
(3) 16-channel high-density voice and video DSP module
(4) Cisco Communications Manager Express License
ROUTER B
CISCO 1905/K9 – ROUTER.
WE WANT INTERNAL CALLING
EXTENSION TO EXTENSION FOR THIS 8 PHONES.
IF POSSIBLE THEY HAVE EPABX WITH THEM- WE WANT TO CONFIGURE OUTSIDE CALLING ALSO.
WE DON’T REQUIRE ANY MORE – HIGHER FACILITY.
Configure your 2901 as CME router and register all 8 IP phones and Cisco ATA with CME. You can have internal calling with all phones and for external PSTN calling configure dial-peer on CME and point it to E1/T1 or FXO or remote PBX ports.
-
CiscoWorks: Archive configurations of routers/switches with only ssh/telnet
Hi,
I want to archive the configurations of a couple of routers/switches with only ssh/telnet; the remaining thousands of devices will be via snmp.
Currently I am backing up the configurations of thousands of routers/switches via snmp, as snmp is configured on them, but a couple of routers/switches are external and snmp is not configured on them, so I want to get their configuration via ssh/telnet only.
Please advise me whether it is possible to archive the configurations of routers/switches with only ssh/telnet.
I am using the
LMS: 1.2.0
RME: 4.3.0
CS: 3.3.0
CM: 5.2.1
DFM: 3.2.0
Thanks
The config archive protocol order applies to all devices universally. Since you are using TFTP for most of your devices, I recommend you leave TFTP at the top of the protocol order list. Add TELNET and SSH below TFTP. The external devices will be attempted with SNMP/TFTP, but those operations will fail. RME will then fall back to TELNET then to SSH. It will eventually fetch the configuration successfully.