Cisco AAA/Identity/Nac :: 3750 - Cannot SSH To Switch 2960
Jan 10, 2012
I replaced an access switch 3750 with a switch 2960. Basically I just copied the whole config of the 3750 to the 2960.
The 3750 uses AAA, crypto pki trustpoint TP-self-signed, radius-server host, etc.
Now I can only telnet to the 2960 but not SSH to it.
Feb 19, 2013
How to stack 2 Catalyst 2960 switches, and also how to stack 2 Cisco 3750 switches?
Sep 17, 2012
I have 2 switches, a 2960 and a 3750. I have a trunk on both ports of the switch. There are a couple of VLANs and ports are assigned to those VLANs; examples are management, voice and data. Int vlan 1 has an IP, there is a default gateway, and the hosts are able to connect to the internet when connected to the switch.
Apr 23, 2013
First, my configuration, (then the problem down below):
I have an Aironet 1142 with multiple SSIDs [mapped to VLANs] connected to Gi1/0/2 on a 2960 switch in a user-accessible area. This switch is uplinked to another 2960 switch in a wiring closet, and the Microsoft NPS server is connected to the wiring closet 2960.
Aironet -- 2960 [user area] --- 2960 [closet] -- NPS RADIUS
I have the user-area 2960 configured as an authenticator switch for dot1x, and port Gi1/0/2 is authenticating the Aironet via MAB to RADIUS. RADIUS is sending VSA device-traffic-class=switch to the 2960. The closet-2960 has no special 802.1x configuration, nor is it an authenticator switch; it just has a manually-configured trunk port to the user-area 2960 [for now; I'm trying to take this one step at a time!].
The user-area 2960 correctly converts port Gi1/0/1 to a trunk port when the Aironet is authenticated [via MAB]. The Aironet boots up, the port is opened, I can ping the Aironet on the native VLAN, and all is well [so it seems]. The Aironet dot11Radio is configured for two SSIDs and mapped to VLANs, which are being spanned via STP through the user-area 2960 and the closet-2960. STP is correct and verified on all switches.
I have DHCP snooping configured on the user-area 2960 but only for VLAN 1 [but NOT the wireless user VLANs]; the trunk port to the closet 2960 is a trusted port. Hosts on the wired ports on the user-area 2960 are able to get DHCP IPs. On the Aironet, "show dot11 associations" shows hosts on the SSIDs are getting DHCP addresses. Again, I am *NOT* running DHCP snooping on wireless SSID VLANs [I read elsewhere that can cause problems as users roam between Aironets].
I do have CISP configured on the user-area 2960. I do not have CISP configured on the closet-2960 [best I can tell, that's not required at this stage, but I could be wrong]. Despite the alleged documentation, I could not get the Aironet to use a dot1x credentials profile to authenticate to NPS/RADIUS as an 802.1x supplicant, which is why I resorted to MAB for this exercise. The Aironet simply would not run dot1x [best I could tell]. The documentation and configuration didn't seem complex, so I was quite confused.
I have upgraded the Aironet to the latest 12.4(25d)JA2 software, and the 2960 is at 12.2(55)SE7 [I saw 12.2(58) has some issues, but I'm willing to be persuaded otherwise, based on sound advice]. Ok, now the problem:
Users on the guest wireless SSID (VLAN 20) say they cannot connect. Yep, classic. VLAN 20 is trunked and spanned to all the sufficient places. The Aironet shows users in the associations list for that SSID with IP addresses from the DHCP server! DHCP snooping is not configured on that VLAN. I read another support forum post saying CISP and MAB could cause problems with "disappearing" ARP entries. I appear to have that problem. However, the user on the Staff wireless (VLAN 10) has full access. Am I running into a problem with "multi-host" authentication config? Via tcpdump on my firewall, I see nothing but broadcast and multicast traffic coming from a host on VLAN 20. What puzzles me is how I do see *SOME* traffic from a VLAN 20 host on this SSID, but no unicast traffic!
Since you're going to ask, here is my port config for this AP on the 2960 authenticator switch in the user-area, and the AAA config pieces:
#sh run br | in ip dhcp
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp_snoop.txt
ip dhcp snooping
[code]......
Mar 27, 2012
Following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working.
I'm using ISE version 1.0.4.573 and a WS-C2960-24PC-L with software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in
[code]
Jan 16, 2013
I am writing in response to a MAB issue which I noticed a few days ago and I am still not able to understand what exactly happened. First of all I would like to say that I configured MAB authentication and according to the MAC the ISE configures a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appears when I cut the connection to the ISE server. According to the configuration the switch authorizes the new device to VLAN 11 (critical VLAN). That is fine! When the ISE server is up again I had a configuration which should reauthorize all ports assigned to the critical VLAN. But why did that not happen??? It looks as if the switch didn't notice that the RADIUS (ISE) was up and working again. [code]
Mar 29, 2011
I would like to make centralized management of login accounts on my Cisco switch (with a RADIUS server). But on a Cisco 3750 E, I use the 12.2(44)SE1 IOS and no aaa authentication login command exists.
Can the Cisco 3750 support an IOS other than 12.2 which has this ability?
Oct 28, 2012
I'm trying to test such an 802.1x wired environment: Windows XP SP3 as supplicant, Windows NPS as RADIUS server, 2960 as authenticator, latest AnyConnect (3.1.01065) + NAM and standalone profile editor. I have a question: what is the difference between protected identity pattern and unprotected identity pattern (set in the NAM profile editor)? As I understand the documentation, PEAP-MSCHAPv2 is a tunneled method and it uses the unprotected identity pattern to protect the user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc.), access is rejected (Access-Reject in switch debugs). I have to use exactly the same pattern in the unprotected identity pattern as in the protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authentication mode (same in machine only and user only authentication).
Nov 2, 2011
I have an issue connecting a trunk between a Cisco switch and an Extreme switch. I have many VLANs that I want to cross via a link between a Cisco 3750 switch and an Extreme Alpine 3800 switch.
Dec 19, 2012
We are going to upgrade the IOS on our WS-C2960G-48TC-L. But before we do that I want to ask what's the best IOS release to choose. The reason we want to upgrade is that our switch software now doesn't support SSH, just telnet access.
Switch details:
Model: WS-C2960G-48TC-L
SW Version: 12.2(25)SEE2
Image: C2960-LANBASE-M
I was thinking about upgrading the IOS to 12.2(44)SE6, or maybe I should upgrade it to a newer release?
One more thing we have a bunch of stacked 3750 switches, that also need to be upgraded.
Nov 18, 2012
I have two 3750-X configured to be a stack and I am planning to re-rack these somewhere else. What I would like to know is what are the effects of having the master switch itself lose power? Does it immediately just make the member take over master (there should be no election since there are only 2 switches??) and there would be no loss of connectivity?
Jul 26, 2011
Yesterday Cisco released IOS 15 code into the wild for the 2960 and 3560/3750 families, but the link to the release notes is not working. Because I already have a whole bunch of 4500/Sup7's running IOS 15, I am thinking about taking the plunge with 30 3750-X's I have on order, but I want to review the release notes first. Where might they be hiding?
Feb 7, 2012
I have a 2960 switch and a router that connects with one interface to that switch. The link is a trunk and the router's function is inter-VLAN routing between 4 VLANs. This network has only one IP address space, which is 10.10.2.0/24, and it works without problem. We connect the Cisco 2960 switch with an optic link to another switch, a 3750 stack, which is configured as a trunk link and allows only 3 VLANs between them. On the other side of the network, which contains the 3750 switch, we have a different subnet IP address; that switch works in layer 3 too. The problem is that when I permit VLAN 210 on the 2960 switch, only layer 2 between this switch and the 3750 in the network that contains the 10.10.2.0/24 IP address devices, if I disconnect and then connect a PC to the network it says that it has an IP conflict, and in the log it shows the MAC address of the router that has the VLAN 210 subinterface configured with the 10.10.2./24 subnet. But when I give back VLAN 210 from the permitted VLANs in the trunk, devices start working normally. If I again put VLAN 210 in the permitted VLANs on that trunk, devices again say that there is a conflicting IP address and show the MAC address of the VLAN 210 router subinterface.
Jul 26, 2012
I'm fairly new at trying to create isolated network segments on Cisco switches. What I'm trying to do is have multiple isolated paths that originate from my vSphere infrastructure travel through a layer 2 link, VLAN, up to a MLS, and ultimately out to the internet through a firewall. Each subnet might ultimately have a number of hosts on it, but I don't think the makeup of those hosts will matter here.
My initial thought was creating VLAN-tagged port groups on vSwitches on my vSphere infrastructure. Physical connections will go from my ESXi hosts to the 2900 series Cisco switch, connected to trunk ports. Both VLANs would be configured on the switch but not assigned to physical ports. The physical connection to the 3750 would also be a trunk port connection from the 2960. The 3750 would have SVIs created that are attached to VRFs that would control route traffic. This might be totally wrong, but from what I've read it seems to be going down the correct path, I think.
Two-part question: is this the best way to go about designing this network? If so, I seem to be really struggling with the SVI/VRF part. Every time I create an SVI, all of my hosts on the 10.10.10.x network can ping them, regardless of which VLAN they're on.
I just cannot seem to isolate the 172 network.
Mar 25, 2013
We have a pair of WS-C3750X-24T-S in a stack and four WS-C2960S-48TS-L in a stack of their own. There is not really anything too fancy configured (no special VLAN configuration/trunks or etc.) but the 3750s do have two ports configured as L3 for routing. We are not trying to use those ports for EtherChannel. These devices are running IOS 12.2(55)SE3. Essentially we are attempting to make an EtherChannel group using port 48 on all four of the 2960s in their stack (four ports). On the 3750 we will configure an EtherChannel group using ports 23 and 24 on both switches (four ports). We then connect them up to form a four-member EtherChannel. The ports on both ends are configured as mode ON and they are all 1Gb ports. I elected mode on because I understand at least one of the EtherChannel protocols will not work cross-stack. What I would like to ask is whether the above configuration is possible, or are we hitting some sort of limitation of EtherChannel cross-stack, etc.? I cannot find anything to suggest this configuration is invalid, but thought I would ask to see if I missed something in the EtherChannel articles.
Aug 15, 2012
I am experiencing the same problem described in this post {URL}. I have seen this happen on different networks, with different equipment attached. It happens on both 2960 and 3750 switches. Basically the connection drops, and we see in the web interface "Port is Disabled". This appears to happen every 10 minutes.
On the CLI, the status shows as connected.
Port      Name     Status     Vlan   Duplex   Speed   Type
Fa0/38             connected  1      a-full   a-100   10/100BaseTX
I have run cable diagnostics while the drop out is occurring.
Interface Speed Local pair Pair length Remote pair Pair status
--------- ----- ---------- ----------------- ----------- -------------------
Fa0/38 100M Pair A 28 +/- 15 meters Pair B Normal
[code]...
During the outage, I see the duplex fluctuate between full and half. The outage occurs for approx 90 seconds. If I fix the duplex and speed at both ends, the outage reduces to around 30 seconds. If I apply spanning-tree portfast, the outage reduces further to around 10 seconds. Before I change any configuration on the port, the logs show the interface going down:
Aug 16 13:06:51.875: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/38, changed state to down
Aug 16 13:06:52.874: %LINK-3-UPDOWN: Interface FastEthernet0/38, changed state to down
[code]...
However, once I apply the configuration nothing is logged. However, we can still see the connection is disappearing for around 10 seconds. I suspect the issue wasn't resolved for the person reporting the problem in the link above, but because the outage is minimized and not being logged, it is going unnoticed.
May 17, 2011
I have configured the Cisco 2960 switch with AAA and the RADIUS server is FreeRADIUS. I am able to log in to the switch when the RADIUS server is working. But when the RADIUS server is not reachable, in that particular condition the switch doesn't move to the local authentication configured on the switch.
aaa new-model
aaa group server radius radiuss
 server 10.1.0.215 auth-port 1812 acct-port 1813
!
aaa authentication login default group radiuss enable
aaa authentication login CONSOLE local
aaa authentication enable default group radius
aaa authorization exec default group radius if-authenticated
radius-server host 10.1.0.215 auth-port 1812 acct-port 1813 key 7 071F285C422948514117171
radius-server retransmit 2
line con 0
 exec-timeout 5 0
 privilege level 15
 password 7 14341B1B7D6F0417626173455E47060F
 login authentication CONSOLE
line vty 0 4
 access-class 91 in
 exec-timeout 5 0
 password 7 106D004F2C3B7B7F757E6A64812812d
 transport input ssh
line vty 5 15
 access-class 91 in
 exec-timeout 5 0
 password 7 106D000A061845jsajtqwkd327E6A64
 transport input ssh
Apr 2, 2012
Why is Windows Server 2008 not a supported OS for Cisco Network Assistant? I am currently evaluating switch management solutions for use with Catalyst 2960 and 3750 series switches, and would like to be able to back up and restore configurations, as well as make configuration changes. My management server is running Server 2008. Is Prime LMS my only option?
Sep 4, 2012
I have a problem; here is the situation:
- 1 Catalyst 3750
- 1 Catalyst 2960
- 4 Finger Print
- 1 HUB
Configuration
- Catalyst 3750
Interface VLAN182
IP Address 10.62.182.254 255.255.255.0
Interface G0/2
Description Finger Print Server
Switchport mode access
[code]....
Here is the problem. If I connect a Finger Print device to a port on the Catalyst 2960, some devices do not send data to the server, but if I connect all Finger Print devices to the HUB and from the HUB connect to the Catalyst 2960 at port F0/5, all devices (Finger Print) can send data to the server... Is there any special configuration in the Catalyst so all devices can connect directly to a port on the Catalyst 2960 without the HUB?
Nov 13, 2011
I am trying to setup a network using Cisco 2960 switches with vlans configured. One vlan will handle video coming from four cameras that are connected to another 2960.
We have four cameras feeding one port each on a 2960; that 2960 in turn feeds one port on the main 2960, which is the video VLAN for that site. From the site it goes back to a Cisco 3750 to be sent over to a SonicWall firewall. If we connect to the 2960 that the cameras are connected to we can see the video, but not on the main site 2960.
Dec 4, 2011
How do I create static smartport macro on Catalyst 2960 & 3750 equivalent to below static smartport macro:
macro name NOT_USED
description UNUSED_PORT
switchport
switchport mode access
switchport access vlan 100
shut
@
I am able to create the above smartport macro on Catalyst 3760 & 6500, but not on 2960 & 3750 (see below):
switch(config)#macro ?
  auto    Macro autoexecution settings
  global  Enter global macro configuration
Aug 27, 2012
I have more than 20 Cisco switches in my office, which is basically a soap manufacturing factory. The switches include Cisco 2950, 2960, 3560, 3750 etc. We have routers also, which include 2821, 2951 etc. We also have Cisco WLC 2125 and LAP 1262 series. Sometimes managing all these devices gets very tough for us.
We need to log on to different devices for troubleshooting/network management, which sometimes becomes very tough for us. So I wonder if there are any Cisco applications or tools by which we can centrally manage all these devices.
Dec 30, 2011
While working with Cisco's CNA (Cisco Network Assistant) on a 2960 switch, any change done by this tool is sent out as an empty set of commands to a TACACS server to approve.
I have a 2960 switch, a PC with CNA on it and a brand new ACS 5.2. This switch is set up for TACACS+ authorization. While working with TELNET/SSH, all commands are authorized properly. When doing "debug aaa authorization", you can see the commands are being sent to a TACACS server (as expected) for approval. And what is more important, within the debug output every command appears at "AV CMD= …" and "Arguments = …". Those commands are seen by the ACS and approved correctly. But, when working with CNA, those fields (i.e. av cmd and arguments) are empty in the first place. Hence all ACS does see are "empty commands" and no clue for the correct ones (say, changing an interface's description). The HTTP server has its set of authorization commands.
Mar 3, 2013
We have a configuration that works fine, but one of the combinations doesn't work. When we connect a guest laptop, the first time works fine. The configuration is: when the laptop doesn't authenticate with RADIUS, the DHCP server assigns the guest VLAN and guest IP. The first time was OK. After that, we connect a laptop with users that authenticate and it works OK; the RADIUS assigns the users VLAN and the DHCP server assigns the users IP. The problem was when we connect a guest laptop for the second time: RADIUS didn't validate and the laptop didn't negotiate an IP with the DHCP server. At this time, the administrator of the DHCP server tells us that they didn't see any traffic from my MAC, and it no longer runs fine. If we change the port of the switch, the laptop starts working again.
Radius=NPS
Server dhcp: is typical.
Our scenario is with a Cisco IP phone. The IP phone doesn't have the authentication. The administrator of RADIUS tells us that the configuration is fine and the configuration of DHCP is fine. When we connect only the laptop, everything runs OK.
Configuration Port.
interface GigabitEthernet1/0/3
switchport access vlan 202
switchport mode access
[Code]...
Mar 20, 2013
I am trying to get AAA Authentication working on a Cisco 2960-24pc-l running 12.2(55)SE5 IOS and cannot get it to work. I have it currently working on a Cisco 3750-24te-m running 12.2(55)SE IOS. Here is my config: [code]
When I log in to the 3750, AAA is used. When I log in to the 2960, the local username is used. Any thoughts here as to why it works on the 3850 and not the 2960?
Nov 25, 2011
I am trying to solve this problem without success so far. I have a fresh ACS 4.2.15 patch 5 ACS installation and I am trying to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. The problem is when I try to create fine-grained policies using network device groups and shell authorization sets.
I have created shell authorization sets called ReadOnly and FullAccess. I have also created an NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwitchesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign the shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.
One thing that I have noticed is that if I assign the shell command authorization set to any device (in user group settings) it works fine. Or if I create an association with the DEFAULT NDG in the user group it also works. So my conclusion is that ACS for some reason does not associate my switch with the correct group but rather puts it in the DEFAULT group for some reason.
Sep 29, 2012
I configured a 3750 stack switch as core and 2960 stack switches as access layer switches. I connected my laptop to one of my core stack in VLAN 10 and I am pinging one of my servers in VLAN 1. What will be the minimum latency at the time of inter-VLAN routing?
Dec 30, 2012
I configured the below config in routers and it is working well, but when I do the same in a SWITCH-2960, I am getting a problem: not able to login to enable mode... I am getting the basic login only....
Error msg: % Error in Authentication.
Need to be configured at TAFE Network Devices: Code...
Jun 21, 2012
[Env on my lab investigation]
supplicant - W7 with cert
authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
authentication server 2x - W2008/NPS as a RADIUS server
The problem is the end stations that are still connected to the supplicant port /using EAP-TLS/ after the supplicant reboot! All of them will be put into the Guest VLAN instead of static VLAN 34!
[The question]
What is wrong, and how to configure/tune, and what on the authenticator or authentication server, to prevent observing authentication timeouts after the reboot? Of course the supplicant after 20 minutes /next EAPOL start frame/ is put into VLAN 34.
[Code] ........
Apr 17, 2011
I would like to configure a guest-vlan and restricted-vlan on a 2960 switch, but I can not.
I am trying to configure the interface using the following commands: [code] A similar result is obtained while trying to configure an auth-fail VLAN. The full configuration file is attached.
Aug 18, 2011
Find here the extraction of the configuration and the debug sysout. The RADIUS servers work fine with all the other access like SSH, telnet...
Just the HTTP access fails. This configuration worked fine with the version 12.2.55 installed before.
aaa new-model
aaa authentication login default group radius local
aaa authentication login physique local
[Code].....
Jan 17, 2013
I was looking for a way to manually re-authenticate a dot1x client from the CLI and found this: [URL]
"You manually reauthenticate the client by entering the dot1x reauthenticate interface interface-id privileged EXEC command"
I've tried it on a 2960 with 12.2(58)SE and 15.0(2)SE, but it doesn't seem to be implemented. Have I misunderstood something? Or do you guys have any other command to accomplish a manual re-auth?
Aug 25, 2011
I have a 2960 Catalyst with LANLITE, and I cannot set "transport input ssh"; it allows only telnet. I'm wondering if Cisco LANLITE switches have SSH input in newer releases of IOS, or if there is no way to make SSH input work on this switch? Here's the show ver output (I removed all serial and part numbers):
S14#sh ver
Cisco IOS Software, C2960 Software (C2960-LANLITE-M), Version 12.2(37)EY, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 28-Jun-07 18:07 by antonino
Image text-base: 0x00003000, data-base: 0x00D00000
[code]....