VoIP configure on edge switch 3750

Greeting
I am testing no cisco phone on 3750:
interface FastEthernet1/0/6
 description testing
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 101
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 mls qos trust dscp
 auto qos voip cisco-phone
 macro description cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQoS-Police-CiscoPhone
end
and found that "switchport port-security" will drop the phone's DHCP discovery packets.
When the phone powers on for the first time, it can get an IP address from the DHCP server; but when you log out from the current phone number and the phone starts to get an IP address from DHCP again, the switch drops the DHCP discover packets which the phone uses to communicate with the DHCP server.
I tried to increase the max number to 6 (switchport port-security maximum 2), but it did not help.
I ran the show port-security int command, and there is only one MAC address on the interface.
I have also checked the MAC address, and I cannot see any violation of the security rules.
Could anyone advise me:
- what is the cause?
- how can I debug it?
- is it possible to fix it without disabling port security?
Any comments will be appreciated.
Thanks in advance

Great thanks for the reply, I have found the problem. The problem is that the "switchport port-security aging time" has to be lower than 2. I have set it to 1 min.
Another question: we have been asked to set QoS trust DSCP, as:
 mls qos trust dscp
Can I get advice on whether it will cause a workstation (PC/server) plugged into this port to get high-priority treatment?
Please advise.
Many Regards

Similar Messages

  • VoIP with Switch 3750

    Hi,
    I have a doubt. The company wants to implement VoIP, but the core switches are Cisco 3750. Is it possible to implement it with these switches?
    Any experience with this task will be appreciated.
    Thanks
    Wladimir

    Well Wladimir,
    you could implement it in one step or in several steps. It depends on several parameters I do not know, like time frame, staff, size, maintenance windows, etc.
    Be aware that implementing VoIP will most likely require QoS on at least the trunk ports and all ports where VoIP traffic is passing.
    VLAN implementation would be the base for any traffic, so I would make sure to design and implement rapid spanning tree per VLAN first.
    Make sure the root bridges are selected carefully. Test failure scenarios.
    Increasing the number of VLANs should not pose any problem, so this could be an ongoing process, while you plan your VoIP implementation.
    VoIP needs a LOT more than just switch design. Have a look at the VoIP SRND (www.cisco.com/go/srnd). If you have no experience with setting up VoIP get professional help, if your budget allows it. Make sure your staff is properly trained to support the new network.
    Just a few recommendations to get you onto the right track - I still might miss some important points, as I do not know your requirements and network in great detail.
    Hope this helps nevertheless. Please use the rating system.
    Regards, Martin

  • 802.1x between Switch 3750 and ACS 4.2 Authentication failed -- need help

    I configured the Switch 3750 and ACS for 802.1x authentication.
    When I used Windows as the 802.1x client, it prompted "click here to enter user name and password for the network" as normal.
    The problem is that after I entered the username and password (I am sure I entered the identical username and password as in ACS), the authentication failed.
    What is the most likely problem?
    Thx in advance!!!
    The configuration of the Sw3750 is:
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default line
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    dot1x system-auth-control
    interface GigabitEthernet1/0/18
     description Link to test 802.1x
     switchport access vlan 119
     switchport mode access
     dot1x pae authenticator
     dot1x port-control auto
     spanning-tree portfast
    radius-server host 10.1.1.333 auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key keepopen0
    In the ACS:
    Network Configuration --> AAA client IP address: 10.1.119.1 (the VLAN 119's IP address), shared secret: keepopen0
    user setup -->real name:test1, password: test1.
    Attached is the debug information

    What do you see in acs failed attempts?

  • Help me to choose Right Core switches and Edge switches as per my Spec

    Dear All
    Please help me to choose Core and Edge switches and all required hardware and software.
    The spec details are as below:
    Core Switches
    1. High performance, highly scalable core switch to provide multi-10GE connectivity to various segments in the network.
    2. Switch should have redundant switch fabric and routing engines or management / supervisor modules
    3. Should have separate control and forwarding planes
    4.Each switch should have redundant power supplies in N+N or N+1 fashion
    5. Must allow for two spare slots once services, management, processing modules and line cards populated
    6. Easy to manage firmware, i.e. single code type (enterprise/service provider) or train, and robust operating system
    7. Supports for the VRRP, NSR, GRES, BFD, STP, MSTP, RSTP, VSTP, LACP redundancy protocols
    8. Hot plugging and removal 
    9. The switch should have native switching architecture with up to sufficient performance such that the loss of one switching fabric should not lead to degraded performance
    10. Switch should support switching at least 400Mpps
    11. Switch should be able to support 40 10Gig line rate ports in a fully redundant configuration 
    12. Chassis that can scale to 700 Gbps
    13. The proposed Backbone switch should support, but not be limited to the following Layer 3 features:
    Static ip routing
    Routing information protocol (RIP) and RIP2
    Open shortest path first (OSPF)
    IGMP v1, v2 and v3
    IGMP Snooping 
    IP multicast routing protocol 
    14. The switch should support the following features at a minimum:
    Spanning Tree 802.1D, 802.1S, 802.1W
    GVRP
    802.1x single and multi-supplicant: VLAN and ACL assignment
    Dynamic ARP Inspection (DAI), DHCP snooping, IP Source Guard
    LLDP, LLDP-MED
    802.3X, 802.3ad
    Redundant Trunk Group (RTG)
    IGMP snooping 
    Unicast static, OSPF v1/v2, RIP v1/v2
    Multicast IGMPv1/v2, PIM
    Graceful Route Engine Switchover 

    I have gone through your document and I am surprised to see MORE information in the document than what you've posted.  I am so mildly suspicious about the authenticity of the document and spreadsheet you've attached.  
    So far, based on this document, the client wants a chassis that can support up to 700 Gbps backplane.  The only candidate, other than a full-blown Nexus solution, is the 6807-X.  
    Next, the document also states dual supervisor card with two spare slots.  Good luck trying to get that much empty space on a 6807-X.  This means 6509E.  You can't use a 6513E because of line-card-to-slot limitation.  
    If you look under the heading "Edge Switching", the first sentence already makes references to 6800ia switch.
    There's also a reference stating that the product should have a 100 Gbps backplane.  You can take the 6509E chassis out of the equation.  
    So you see, I am suspicious about the authenticity of the document.  I agree with mali's and devil's recommendation that if you are serious, you would be engaging Cisco SE/AM in your region.  There are only three reasons, that I can think of, why you've posted this here.  One of them is the intended purpose of this document (and the audience).

  • How to telnet to Edge Switch

    Dear Experts,
    I have been trying to configure telnet access to the Edge switches, but still no result. My network topology is below:
    - 1 Core Switch 3560
    - 3 Edge Switch 2960
    I have configured 4 VLANs:
    + Vlan 19: 10.19.10.0/24
    + Vlan 20: 10.20.10.0/24
    + Vlan 21: 10.21.10.0/24
    + Vlan 22: 10.22.10.0/24
    On each VLAN, I have assigned a VLAN interface IP.
    I'm using VTP (server and client mode) to trunk the VLANs, and the Core SW acts as the VTP server. I can telnet to the Core SW using the VLAN interface IP.
    The question is how can I configure telnet access to the Edge SW?
    Can somebody help me with this?
    Thanks in advance!
    JH

    Hi,
    From looking at your topology, the configuration should work. You should be able to telnet into the edge switches from anywhere in the network using the ip addresses of the vlan interfaces on each switch.
    What exactly is the issue you're experiencing?
    Are you able to ping the switch ip addresses?
    Looking forward to hearing from you

  • How to telnet to an edge switch?

    We have a 6506 which has dot1q trunk links to 2950 edge switches....
    My problem is that I need to be able to remotely access these 2950 switches using telnet.
    Is it just a case of assigning each switch an IP address on vlan1 and also assigning an IP address to vlan1 on the 6506?
    Any help would be great
    Cheers

    Jonathan
    I think you have pretty well described what you need to do. You assign an IP address to each 2950 for management purposes (all management addresses in the same subnet). By default that address is associated with VLAN 1. You also need to configure VLAN 1 on the 6506 with an IP address in the subnet that you are using on the 2950s. That way the 6506 can get to all the 2950s. You also need to provide appropriate routing so that devices in other parts of the network have routes to the subnet and the 6506 has routes to the other subnets in the network. You should then be able to telnet to any of the switches.
    HTH
    Rick

  • Configuration of Routers/SWitches

    I would like to know what is the best configuration to connect 2 Routers 7206 to 2 Switches 3750: the best configuration between routers, between switches and between routers/switches. Thanks.

    Wrong forum.
    Try "LAN, Switching and Routing"
    Gilles.

  • Configure Private VLAN on 3750 & 2960

    Hi All,
    ( R ) ------ [ 3750 ] ------- [ 2960 A ]
                            |------------ [ 2960 B ]
    I have these VLANs on the 3750 & 2960:
    - Vlan 8 (mgmt Vlan), Vlan 17, Vlan 34, Vlan 35
    Basically I have already configured switchport protected on all the ports on the 2960 except the uplink to the 3750.
    2960 configuration
    On uplink to 3750
     switchport mode trunk
    On end device port
     switchport trunk native vlan 35
     switchport trunk allowed vlan 34,35
     switchport mode trunk
     switchport protected
     spanning-tree portfast
    How do I go about configuring private VLAN on the 3750?
    3750 configuration
    On downlink to 2960
     switchport mode trunk
    Interface vlan8
     ip address 10.8.0.1 255.255.255.0
    Interface vlan17
     ip address 10.17.0.1 255.255.255.0
    Interface vlan34
     ip address 10.34.0.1 255.255.255.0
    Interface vlan35
     ip address 10.35.0.1 255.255.255.0
    What I want to achieve is to send all the VLANs 8, 17, 34, 35 from the 2960 to the 3750 and from the 3750 to the 2960, but at the same time prevent a 2960 A client from talking to a 2960 B client on VLAN 35.

    I believe that if both devices you do not want to speak with each other are on the 2960, "switchport protected" should work.
    But you can also configure it with private VLANs.
    Let's say client A is on port f0/1 and client B on port f0/2.
    The parent (main) VLAN is 100 and the child is 999.
    You would configure the VLANs on ALL switches.
    vlan 999
     private-vlan isolated
    vlan 100
     private-vlan primary
     private-vlan association 999
    Now you would need to configure the ports.
    int range f0/1 - 2
     switchport mode private-vlan host
     switchport private-vlan host-association 100 999
    If the interfaces will talk to other VLANs, you need to configure the SVI to understand it will serve the private VLANs.
    interface vlan 100
     private-vlan mapping 999
    That's it, but notice that now interface f0/1 will not talk to f0/2 or to any other interface inside VLAN 100. If you want a port to communicate with f0/1 or f0/2, this new port would need to be configured as a promiscuous one (in case it needs to talk to both of them), or you can create a community private VLAN and configure the desired ports in it. (F0/1 and F0/2 can't be in the same community VLAN or they'll be able to talk to each other.)
    If the intention is to prevent one specific port from talking to all the others, you can put only this interface in the private VLAN instead of both.
    Wrote too much; if this answers your question let me know, or we can create a practical scenario for it.
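
The forwarding rules the private VLAN answer above describes, modelled as an added example (not part of the original thread and not Cisco code). VLAN 100/999 and ports f0/1 and f0/2 come from the answer; port f0/3, community VLAN 998, and the assumption that a promiscuous port is mapped to every secondary VLAN are hypothetical.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                        # "host" or "promiscuous"
    secondary: Optional[int] = None  # secondary VLAN, host ports only


class PrivateVlan:
    """Layer 2 reachability inside one primary VLAN and its secondary VLANs."""

    def __init__(self, primary: int) -> None:
        self.primary = primary
        self.secondaries: Dict[int, str] = {}  # VLAN id -> "isolated" | "community"
        self.ports: Dict[str, Port] = {}

    def associate(self, vlan: int, kind: str) -> None:
        # Mirrors "private-vlan isolated|community" plus "private-vlan association".
        if kind not in ("isolated", "community"):
            raise ValueError(f"unknown secondary VLAN type: {kind}")
        self.secondaries[vlan] = kind

    def add_host(self, name: str, secondary: int) -> None:
        # Mirrors "switchport private-vlan host-association <primary> <secondary>".
        if secondary not in self.secondaries:
            raise ValueError(f"VLAN {secondary} is not associated with {self.primary}")
        self.ports[name] = Port(name, "host", secondary)

    def add_promiscuous(self, name: str) -> None:
        # Assumption: the promiscuous port is mapped to every secondary VLAN.
        self.ports[name] = Port(name, "promiscuous")

    def can_talk(self, a: str, b: str) -> bool:
        pa, pb = self.ports[a], self.ports[b]
        if "promiscuous" in (pa.mode, pb.mode):
            return True                       # promiscuous reaches every host port
        if pa.secondary != pb.secondary:
            return False                      # different secondary VLANs never mix
        return self.secondaries[pa.secondary] == "community"  # isolated: never

    def blocked_pairs(self) -> List[Tuple[str, str]]:
        return [(a, b) for a, b in combinations(sorted(self.ports), 2)
                if not self.can_talk(a, b)]


def answer_config() -> PrivateVlan:
    """VLAN 100 primary, VLAN 999 isolated, f0/1 and f0/2 as host ports (from the answer)."""
    pv = PrivateVlan(100)
    pv.associate(999, "isolated")
    pv.add_host("f0/1", 999)
    pv.add_host("f0/2", 999)
    pv.add_promiscuous("f0/3")   # hypothetical uplink port
    return pv


def community_mistake() -> PrivateVlan:
    """Both clients in one community VLAN (998, hypothetical): isolation is lost."""
    pv = PrivateVlan(100)
    pv.associate(998, "community")
    pv.add_host("f0/1", 998)
    pv.add_host("f0/2", 998)
    return pv


if __name__ == "__main__":
    print("isolated:", answer_config().blocked_pairs())
    print("community:", community_mistake().blocked_pairs())
```
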

  • 802.1X IAS Switch 3750

    Hi,
    I am configuring 802.1X authentication on my access switches. The switches are WS-C3750G-24PS running C3750-IPBASEK9-M, Version 15.0(1)SE2, RELEASE SOFTWARE (fc3). The RADIUS server is an IAS server; in the IAS there is a Remote Policy with the Windows group of the users, and the attributes Service Type (Frame), Tunnel-Medium-Type (802), Tunnel-Pvt-Group-ID (100) and Tunnel-Type (Vlan) were configured.
    The configuration on a switch is as follows:
    aaa new-model
    aaa session-id common
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    radius-server host 192.168.11.28 key 7 093204802934802934123132132123
    interface GigabitEthernet1/0/23
     switchport mode access
     authentication event fail retry 5 action authorize vlan 5
     authentication event no-response action authorize vlan 5
     authentication port-control auto
     authentication periodic
     authentication violation protect
     dot1x pae authenticator
     dot1x timeout quiet-period 300
     dot1x timeout server-timeout 30
     dot1x timeout tx-period 2
     dot1x timeout supp-timeout 2
     dot1x max-reauth-req 10
     dot1x timeout held-period 300
     spanning-tree portfast
    end
    I have these logs, when I connect a workstation with 802.1x configured:
    016569: *Mar  2 04:07:37: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to up
    016570: *Mar  2 04:07:41: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
    016571: *Mar  2 04:07:41: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
    016572: *Mar  2 04:07:41: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
    016573: *Mar  2 04:08:09: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
    016574: *Mar  2 04:08:09: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
    Other show commands:
    Switch#show dot1x interface gigabitEthernet 1/0/23 detail
    Dot1x Info for GigabitEthernet1/0/23
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    QuietPeriod               = 5
    ServerTimeout             = 10
    SuppTimeout               = 2
    ReAuthMax                 = 10
    MaxReq                    = 2
    TxPeriod                  = 2
    Dot1x Authenticator Client List
    EAP Method                = (0)
    Supplicant                = 2965.0a1d.3431
    Session ID                = C0A813FD000000CF060CE68E
        Auth SM State         = HELD
        Auth BEND SM State    = IDLE
    Any ideas?
    Any suggestions?

    Hi Matthew,
    Please let me know what EAP method you are using (e.g. PEAP with EAP-MS-CHAPv2).
    The backend RADIUS server logs should have a hint on why the 802.1x failed.
    If you are using PEAP with EAP-MSCHAPv2,
    1) Make sure that the certificate on the RADIUS server is fine.
    2) Check the config in the RADIUS server (regarding what EAP methods are allowed) and check the settings in the supplicant.
    3) Make sure that the CA certificate of the RADIUS server is trusted in the supplicant.
    4) Check the RADIUS server logs and the logs should give a hint regarding the issue.
    If needed, create a case with the respective RADIUS server vendor's TAC.
    Regards,
    Karthik Chandran
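
A small triage script for the syslog lines in the question above, added here as an example (not part of the thread). The log lines are copied from the post; the year pinned in `parse_ts` is a placeholder because the messages carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Log lines copied from the question (sequence number, timestamp, %FACILITY-SEV-MNEMONIC).
SAMPLE_LOG = """\
016569: *Mar  2 04:07:37: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to up
016570: *Mar  2 04:07:41: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016571: *Mar  2 04:07:41: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016572: *Mar  2 04:07:41: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016573: *Mar  2 04:08:09: %DOT1X-5-FAIL: Authentication failed for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
016574: *Mar  2 04:08:09: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (2965.0a1d.3431) on Interface Gi1/0/23 AuditSessionID C0A813FD000000CE06090907
"""

LINE_RE = re.compile(
    r"^\d+: \*?(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
CLIENT_RE = re.compile(
    r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) on Interface (?P<intf>\S+)"
)
RESULT_RE = re.compile(r"Authentication result '(?P<result>[\w-]+)' from '(?P<method>[\w-]+)'")


def parse_ts(ts: str) -> datetime:
    # The messages carry no year; pin a placeholder so timestamps can be subtracted.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")


def summarize(log_text: str) -> dict:
    """Group 802.1X events by (client MAC, interface) and measure the retry spacing."""
    sessions = defaultdict(lambda: {"fails": [], "results": Counter(), "overridden": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        c = CLIENT_RE.search(m["msg"])
        if not c:
            continue  # e.g. LINK-3-UPDOWN names no client
        entry = sessions[(c["mac"], c["intf"])]
        tag = f'{m["facility"]}-{m["mnemonic"]}'
        if tag == "DOT1X-FAIL":
            entry["fails"].append(parse_ts(m["ts"]))
        elif tag == "AUTHMGR-RESULT":
            r = RESULT_RE.search(m["msg"])
            if r:
                entry["results"][(r["method"], r["result"])] += 1
        elif tag == "DOT1X-RESULT_OVERRIDE":
            entry["overridden"] += 1

    report = {}
    for key, e in sessions.items():
        times = sorted(e["fails"])
        report[key] = {
            "failures": len(times),
            "results": dict(e["results"]),
            "overridden": e["overridden"],
            # Seconds between consecutive failures: shows how fast the port retries.
            "retry_gaps_s": [int((b - a).total_seconds()) for a, b in zip(times, times[1:])],
        }
    return report


if __name__ == "__main__":
    for (mac, intf), info in summarize(SAMPLE_LOG).items():
        print(mac, intf, info)
```

The result string per method ('timeout' here, as opposed to an explicit failure from the server) tells you which side's logs to read next, which is where the reply's pointer to the RADIUS server logs comes in.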

  • Best way to remove CSM configuration from a switch

    I have a redundant pair of CSMs and would like to move the slave CSM to a new switch. What is the quickest way to eliminate all configuration from this switch so the same can be installed on the new switch, without reloading the switch or causing any downtime to already existing connections through the master CSM?

    HI Imre,
    Kindly read the following section for the required :
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/redun.html#wp1047388

  • How to identify that a host is connected to which particular edge switch

    Hello Guys
    Can anybody explain how to identify that a host is connected to which particular edge switch and port in a Cisco SAN Fabric ??

    Hi,
    Hopefully you know the host PWWN. 
    If the edge switch is not in NPV mode, get the FCID from the output of "show fcns database"
    The answer may also be as simple as finding this entry in the "show fcns database detail".
    If not, once you have the fcid, the first byte of the fcid is the switch domain ID. With the combination of "show fcdomain domain-list vsan xx" "show fcs ie" you should be able to determine what you need.
    If the edge switch is in NPV and registers as an NPV device (Cisco switches do), then the FCID will be assigned by the core switch upstream of that edge switch. You can see this from a "show flogi database". Find the PWWN here. There will likely be multiple entries for the port where the host is connected. Once you find the port where the NPV switch is attached, the first flogi entry on that port will be the switch WWN. Get the FCID for the switch and then find the entry for this FCID in the "show fcns database detail"; this will give you the switch information.
    Best regards,
    Jim

  • Where prime saves configuration files of switches from inventory

    Hi Guys,
    We are using PI 1.3.
    PI monitors and manages several switches (about 30 devices).
    I want to review the configuration of the switches with a text editor, so it would be great if I could access the configuration files which PI creates by the background task "switch inventory".
    Does anyone know where PI stores these files?
    Thanks and Regards, Alexander

    Hi Alex,
    Check the below post ,hope it will answer your query :
    https://supportforums.cisco.com/discussion/11852236/pi-where-devices-archive-files-are-located#3975460
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ****

  • Voip Configuration

    Urgent... I'm a newbie at Cisco networking. I have 3 2811 voice routers in my network. The internet and data networking configuration is now working well, but I have a problem with the VoIP configuration; I can't do it. Scenario for VoIP: all extension phones in one site can call the other sites, and all extension phones at all sites can dial out (ISDN). I have attached my network topology. My router 2811 at site B (Router B) includes call manager and an interface to ISDN on SITE B, and the interface to the PABX on SITE C is VWIC-1MFT-G703 (E1 trunk).
    Please... can anyone help me with example configurations or complete configurations for my network???
    Thanks a lot for your help....

    Help me, you can do it friends????

  • Help - VOIP CONFIGURATION

    Hi Experts,
    We require VoIP configuration:
    We have the following hardware, and the network diagram is attached.
    (1)    Location A to B is connected through a 2 Mbps MPLS line – currently working OK through Cisco routers.
    (2)    We want to configure a total of 4 Cisco IP phones (2 in location A + 2 in location B) + 1 Cisco analog telephone adapter.
    (3)    We have 4 IP phones and 4 analog Phones.
    ROUTER A T HEAD OFFICE .
    (1) 2901 UC Bundle w/ PVDM3-16 FL-CME-SRST-25  UC License PAK
    (2) Communication Manager Express or SRST - 25 seat license
    (3) 16-channel high-density voice and video DSP module
    (4) Cisco Communications Manager Express License
    ROUTER B
    CISCO 1905/K9 – ROUTER.
    WE WANT INTERNAL CALLING
    EXTENSION TO EXTENSION FOR THIS 8 PHONES.
    IF POSSIBLE THEY HAVE EPABX WITH THEM- WE WANT TO CONFIGURE OUTSIDE CALLING ALSO.
    WE DON’T REQUIRE ANY MORE – HIGHER FACILITY.

    Configure your 2901 as CME router and register all 8 IP phones and Cisco ATA with CME. You can have internal calling with all phones and for external PSTN calling configure dial-peer on CME and point it to E1/T1 or FXO or remote PBX  ports.

  • CiscoWorks: Archive configurations of routers/switches with only ssh/telnet

    Hi,
    I want to archive the configurations of a couple of routers/switches with only ssh/telnet, and the rest, thousands of devices, will be via SNMP.
    Currently I am backing up the configurations of thousands of routers/switches via SNMP, as SNMP is configured on them, but a couple of routers/switches are external and SNMP is not configured on them, so I want to get their configuration via ssh/telnet only.
    Please advise me whether it is possible to archive the configurations of routers/switches with only ssh/telnet.
    I am using the
    LMS: 1.2.0
    RME: 4.3.0
    CS:    3.3.0
    CM:   5.2.1
    DFM: 3.2.0
    Thanks

    The config archive protocol order applies to all devices universally.  Since you are using TFTP for most of your devices, I recommend you leave TFTP at the top of the protocol order list.  Add TELNET and SSH below TFTP.  The external devices will be attempted with SNMP/TFTP, but those operations will fail.  RME will then fall back to TELNET then to SSH.  It will eventually fetch the configuration successfully.
