Cisco Switching/Routing :: 3560 V2 24 PS-S - RADIUS Not Working
Aug 15, 2012
We are using mac authentication, it is working fine on all of the other 3560's except this new one.
Mac address shows up completely different (very long hex, doesn't even look like a mac address) on ACS compared to what it's showing on the switch in the mac address table.
I'm stumped, config matches every other 3560 in the building, has something changed in the v2 software compared to the older 3560's?
Aug 23, 2012
My configuration:
radius-server host 10.138.44.57 auth-port 1645 acct-port 1646 key 7 ******
!
aaa new-model
!
aaa authentication dot1x default group radius local
[code]....
Dec 18, 2011
I'm using a radius server to authenticate ssh when connecting to my company's switches (a 3560 + several 2960s).
Everywhere I've looked claims that using the line 'transport input ssh' in my switch config should disable telnet access and allow ssh only. But after changing 'transport input ssh telnet' to 'transport input ssh' I can still connect to all of the switches from telnet. I can't block telnet with ACLs either because my company uses a telnet based terminal client to do most of their work.
I don't have much experience with radius. How do I stop telnet connections when using radius to authenticate?
Jul 22, 2012
I've a little problem with the aaa authentication over RADIUS with a Cisco 3560G-48PS - IOS 12.2(58)SE2. When I try to log in to the Switch per Telnet, it didn't work and my windows domain account is locked. Here is the aaa config:
aaa new-model
aaa authentication login default local group radius
aaa authorization config-commands
[Code].....
Mar 10, 2013
We bought a 3560 PoE switch to replace tons of PoE-injectors but when connecting the devices our logs were flooded with
Mar 11 15:09:20.725: %ILPOWER-7-DETECT: Interface Fa0/7: Power Device detected: IEEE PD
Mar 11 15:09:20.725: %ILPOWER-5-INVALID_IEEE_CLASS: Interface Fa0/7: has detected invalid IEEE class: 7 device. Power denied
Mar 11 15:09:20.968: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to down
Mar 11 15:09:20.985: %ILPOWER-7-DETECT: Interface Fa0/7: Power Device detected: IEEE PD
Mar 11 15:09:20.985: %ILPOWER-5-INVALID_IEEE_CLASS: Interface Fa0/7: has detected invalid IEEE class: 7 device. Power denied
While the message seems quite clear I'm wondering if there's any workaround on the problem?
Jun 17, 2012
I am trying to configure a 3560 (Version 12.2(55)SE3) with IPServices to run WCCP to two to an Ironport WSA.
I believe everything is set up correctly, however WCCP is still not operational. I have checked the debug logs on the switch and I'm presented with a number of messages along the lines of...
*Mar 1 03:44:47.891: WCCP-EVNT:wccp_update_assignment_status: enter
*Mar 1 03:44:47.891: WCCP-EVNT:wccp_update_assignment_status: exit
*Mar 1 03:44:47.891: WCCP-EVNT:wccp_copy_wc_assignment_data: enter
[Code]....
Oct 30, 2011
I am trying to limit traffic inbound to 10Mbps on a gig interface 0/48 set to 100/full. So I downloaded some big files over this link and I'm able to see 30-40Mbps or more. You can see from the show int - rate-limit command that parameters are never showing exceeded so nothing has been dropped. [code]
Jun 3, 2012
We have two Cisco switches with one 3560 and one 3750 we have created a new Vlan 4 with IP 10.1.3.x 255.255.255.0 - no shut then assign to gi 2/0/46 on the 3560 Vlan 4 ip address 10.1.3.x 255.255.255.0 no shut then assign to FA0/45. All interfaces are up up along with the Vlan up up, we can ping the local IP address but not able to ping the other switch.
Feb 13, 2012
A Cisco 3560V2 was bought to complete a project at my company. I noticed the IPBase IOS Image was installed. I was unable to configure RADIUS. I upgraded the IOS to the Latest Release of the IPServices IOS Image. I still don't have the capabilities of configuring RADIUS.
Jul 20, 2011
getting radius to work on a 2950G switch with an older IOS of 12.1(22)EA1. I have radius setup on a windows 2k8 box and all of my other switches 2960's and above have no issues. I am unable to input the nas-identifier of 32 into the config using - radius-server 32 attribute 32 include-in-access-req format %h as well as the aaa session-id common commands. Doing a debug radius says that the radius server is not defined.
Mar 21, 2013
I went to configure RADIUS on my 3750X with IOS 15, and lo and behold it is not where it used to be. Did it get moved somewhere else that I can't seem to find very easily?
Apr 3, 2012
I'm about to configure radius on a 2960 and 2955 switch as I have been testing this on a 1841 router and to my dismay I can't see the options to configure radius, do these L2 switches not support radius?
edit - apologies I forgot the "aaa new-model" all ok now
Although when I added:
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646 key 123456789
radius-server host 10.1.1.2 auth-port 1645 acct-port 1646 key 123456789
radius-server vsa send accounting
radius-server vsa send authentication
I got this:
Warning: This CLI will be deprecated soon. Please move to radius server <name> CLI.
And what would the above look like if I configured it that way?
Dec 13, 2012
I currently have a cisco AP1142N configured to work with our radius server (It was already configured when I took over the network). I ordered two additional access points for building coverage on multiple floors. Currently, I uploaded the config of the original access point to the new device and I can access the device via web and the ssid is being broadcast. I then added in the access point into IAS with the radius secret key to our Radius server. When I go to connect to the new access point w/ domain credentials I am not able to establish a connection. I am not very familiar with CISCO products. I followed a video to get the access point up and running w/ an IP from CLI so I could access the web interface and upload the edited config.txt file. Are there any issues with setting up multiple access points w/ a single windows radius (IAS) server?
Jan 19, 2013
I am facing an issue with nexus 7010 login authentication by radius server. I have two nexus 7010, one of them is working perfectly. The other is taking a long time to authenticate. If I use local database to login it works perfectly. It works fine also if I login from console using radius for authentication.
Apr 19, 2012
Cisco 3560 does not support "set ip next-hop verify-availability". I need this command in my config. "set ip next-hop" does not do the same job.
Dec 8, 2011
The last few days I've been exploring options in getting rid of some old routers across WAN connections. I have a cat 3560 to play with and I thought I would try and use the no switchport command to test out routing with the switch. I've got some type of route issue and I tried a few things which I thought would fix the issue but had no effect. I'll post the config and a few commands so you can see what the basic setup is.
Here we can see in the arp that it knows about both 10.7.1.2 (PC unable to ping 10.3.3.254) as well as 10.3.3.254 (ASA). I tried adding in an ip route of 10.7.0.0 255.255.0.0 10.3.3.110 as well as 10.3.3.254. Neither produced the results I wanted allowing 10.7.1.2 (PC) to ping the ASA (10.3.3.254). [code]
May 8, 2012
I have an environment of 3 X 3560G of which I have 1st switch-CORE(f0/10) connecting to the VPN router(CE) interface-f0/0. Remaining 2 Cisco 3560's(Access) are connected to Gi0/1 and Gi0/2 on the 1st switch-CORE via gi0/1. On all three switches I have created multiple VLANs and assigned ports to these VLANs. The switch to switch connection is trunk allowing all VLANs created on all these 3 switches. Now the issue is how I am going to have all these VLANs routed through single interface on the router i.e. f0/0, as all these subnets will be communicating to remote site over VPN. What should be default gateway on the 2 Access switches and the CORE switch, also what static route should be on router to reach all subnets(VLANs) created on these 3 switches.
I have read inter-VLAN routing i.e. creating sub interfaces on router but don't want to proceed with that and looking for any other way to have my VLANs talk on all three switches and then are accessible to remote site over VPN?
Apr 17, 2012
I have tried to make policy based routing on Cisco 3560. I use ipservices ios (SW version 12.2.(50)SE3 and SW-IMAGE C3560-IPSERVICESK9-M) For below configuration there is no problem and pbr is working.
“Access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
Access-list 101 permit ip host 1.1.1.1 host 3.3.3.3
Route-map pbr1 permit 10
Match ip address 100
Set ip next-hop verify-availability 1.1.1.2 1 track 11
interface fasthethernet 0/1
ip policy route-map pbr1”
But when I add another sequence to the "pbr1" with another sequence number like that.
“Route-map pbr1 permit 11
Match ip address 101
Set ip next-hop verify-availability 1.1.1.3 1 track 12”
pbr is not working. Switch gives message "PLATFORM_PBR-3-UNSUPPORTTED_RMP:Route-map pbr1 not supported for Policy Based Routing” "ip policy route-map pbr1" command not shown in the running config. And "show ip policy" output is blank. Configuration guide says you have insert many sequence to the route-map with the same name. And also this command is not in the unsupported command list.
Jun 4, 2013
I am trying to get my workstation to talk to a workstation on a different sub-net through a Cisco 3560 switch. The switch is running the following IOS version: [code]
My primary network is 172.16.0.0 and I am trying to connect to a device on a 192.168.111.0 sub-net. [code]
What would be the best way to get the two workstations talking via the switch?
Dec 11, 2012
I implemented access list on cisco 3560 switch but it never works. I want to block access from network B to Network A and allow from A to B
Network A. 10.0.12.0/24
Network B 10.0.24.0/24
The configuration is
interface Vlan1
description Data VLAN
[Code].....
Apr 28, 2012
We recently purchased Cisco 3560X Layer3 Switch. We need to perform simple Inter VLAN routing. We have configured VLAN1 (name-server_vlan) and VLAN2 (name- user_vlan). We have also assigned the Ports and IP address to both the VLANs. After assigning this if we plug Laptop A into VLAN1 then it doesn't communicate with Laptop B (btw, Laptop A is able to Ping VLAN2 Gateway ) in VLAN2 but on the other hand Laptop B is able to communicate with Laptop A and ping everything i.e. Gateway of VLAN1.
Feb 25, 2013
We have two catalyst 3560 switches running c3560-ipbasek9-mz.122-58.SE2.bin They are connected using etherchannel using gi 0/21 - 24 interfaces.
on 3560-1 switch, there isn't any ip-default gateway or ip route configured. It only have 1 interface vlan configured.
on 3560-2 switch, there is ip default gateway configured along with 1 interface vlan.
What I don't understand here is that, I can reach out to other subnets from 3560-1 switch in which the routing is not enabled?
Oct 21, 2012
I have a 2504 WLC connected to a Catalyst 3560 which has multiple vlans and is connected to a 2800 series router. I know the catalyst is L3 but I am needing nat functions to get outside to the internet. From my 2800 series router I am able to ping out to the internet, also I am able to ping the vlan interfaces on the catalyst switch. Problem is from the catalyst switch I can ping the inside and outside address of the 2800 but I cannot get any further than that. I cannot ping the 2800 router gateway. Not sure what I am doing wrong as far as routing.
I've attached my 2800 and 3560 configs.
Jul 26, 2012
I have Cisco 2960 switches deployed in my environment along with radius server authentication. Now I need to assign some roles to particular users (shutdown port, description) so what do I need to do for this task so not all users have the same privileges.
Nov 9, 2011
We faced a problem after upgrading the ASR from 12(2) 33 XNE2. I know that this is an old XE release but our Radius denies authorization from ASR with a newer XE version. Here is our radius attribute configuration:
!
radius-server attribute 44 include-in-access-req
radius-server attribute nas-port format d
radius-server host x.x.x.x auth-port 1812 acct-port 1813 non-standard
[Code]....
How can I add in my configuration that the ASR sends the necessary NAS-Port-Type - VPDN
I couldn't find any info ((( for radius-server attribute 61 extended
May 3, 2013
I am trying to configure 802.1x RADIUS Authentication on cisco 2950-24TT-L Switch. I am using following set of command as given below
Switch# configure t
Switch(config)# aaa new-model
Switch(config)# aaa authentication dotx default group redius
Switch(config)# dot1x system-auth-control
Switch(config)# inter fasteth 0/1
Switch(config)#dot1x port-control atuo
I am facing problem dot1x command is not working on interface.
Jan 14, 2012
I am using radius authentication on C4507R+E with supervisor card 6L-E and IOS 15.0.2(SG1). It works perfectly but all radius messages appear in the console. Radius is very verbose, I can't use console because of the significant number of messages and I am worried about switches performances. I add that all debug commands are disabled.
Oct 7, 2012
I am trying to upgrade the IOS in 3560 but I am facing one issue. Its flash is 15MB & available space is 8MB whereas the IOS is of 11MB. How can I upgrade the IOS without upgrading the flash?
Jun 6, 2013
I have a Cisco SW ( 3560 ) with one Trunk link to my router ( 7606 ), Trunk link is fully utilized so I need to add 2nd Trunk. Shall all move some customers from old trunk to 2nd one and create a new subinterface for them? I am thinking if I can create bundle and add subinterfaces under this bundle? Add two GE ports to be member of this bundle?
Oct 28, 2012
We have a IP-phone system connected to port 1 on a 3560 switch, the phone system tags traffic with dscp. The switch uplink is on port 24.
Is this configuration correct:
interface 1:
auto qos trust
interface 24:
priority-queue out
Nov 21, 2012
I have a 3560, which is being used as our core router that I have recently installed. It still has the standard IOS which came with it (C3560E-UNIVERSALK9-M) but I need to implement policy based routing so need to upgrade it and have downloaded c3560-ipservicesk9-mz.122-58.SE2.bin and ideally would like to install it in the morning before people start work.
I have 2 questions, 1, Is the ipservices capable of PBR as I have been reading conflicting reports, in fact my friend who works for Cisco has advised that it is not possible on the 3560.
2, When I do upgrade will there be any current configurations that are not compatible with the new one, I wouldn't imagine that there would be any but just wanted to make sure as it would be the biggest headache ever if it went wrong.
Nov 23, 2011
I configured following command to implement QoS on Cisco 3560.
class-map match-any IND
match access-group name Lync
policy-map LyncAV
class IND
set ip precedence 4
[code]....
how to apply this QoS on interface?
Jul 29, 2012
I have a 3560 POE that will no longer boot and I am not able to load a fresh copy of software onto it. It appears that it has lost all data. When I attempt to TFTP a new IOS, I receive the following error:
Transfer cancelled by remote system
I have tried using dir flash: to see what is contained in the flash directory but I receive the below message:
unable to stat flash/: no such device
I am stuck in rommon mode so when I do switch: dir command, I don't even see flash as being a filesystem. The below list are the only systems registered.
bsdcs[0]: (read-only)
bstage[1]: (read-only)
fstage[2]: (read-write)
xmodem[3]: (read-only)
null[4]: (read-write)
tftp[5]: (read-only)
Is this switch finished or is there something else I could try?