Dot1x on Cisco 3850
Hi experts,
Is it possible to integrate a Cisco 3850 switch with Active Directory so that users are authenticated against AD before they are given access to the network?
I am confused between integrating the switch with AD directly and going through ACS. I know that ACS is used for authentication and access management.
I would be grateful if someone could clarify this for me.
Thank you
Haitham Jneid
ACS is integrated with AD to retrieve the user/group database - yes.
Dot1x must be configured between the switch and the AAA server (ACS) - yes, and as I said, that is where you configure the dot1x authentication and authorization policies.
In the wired case, once users plug their laptop into a switch port enabled for dot1x authentication, the switch contacts ACS, and ACS already has the AD database. ACS verifies whether the user is in the database and allows or denies access, based on your dot1x authentication and authorization policies.
Please rate and mark the correct answer if you find it useful.
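As an added example (not part of the original thread), here is the switch-side configuration the answer above describes: the 3850 is only the 802.1X authenticator and relays the EAP exchange to ACS over RADIUS; ACS, not the switch, is what queries AD. The server address 10.0.0.10, the shared secret, VLAN 100, the server-group name and the interface are assumptions, as are the user/password in the final test command.

```cisco
! Added example - not from the original post. Assumed values: ACS at
! 10.0.0.10, shared secret, VLAN 100, Gi1/0/1 as the user port.
aaa new-model
!
! RADIUS server definition (new-style syntax on IOS-XE). Use a long random
! shared secret; it is the only thing protecting the RADIUS exchange.
radius server ACS1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key ChangeMe-Long-Random-Secret
!
aaa group server radius ACS-GROUP
 server name ACS1
!
! Authentication, authorization (dACL/VLAN from ACS) and accounting all go to ACS
aaa authentication dot1x default group ACS-GROUP
aaa authorization network default group ACS-GROUP
aaa accounting dot1x default start-stop group ACS-GROUP
!
! Enable 802.1X globally; without this the per-port commands do nothing
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Wired 802.1X user port
 switchport mode access
 switchport access vlan 100
 authentication host-mode single-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Checks, from enable mode:
!  test aaa group ACS-GROUP alice Passw0rd new-code   -> confirms the switch can reach ACS
!  show authentication sessions interface Gi1/0/1     -> Status should be Authz Success
!  show dot1x interface Gi1/0/1 details
```

Until `dot1x system-auth-control` is entered the port passes traffic as a normal access port, so check `show authentication sessions` on a test port before rolling the interface template out.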
Tags: Cisco Security
Similar Questions
-
ESXi -> Cisco 3850 -> upstream router: routing does not work
Please see the attached diagram.
I currently have a "router on a stick" setup and I am moving to SVIs on a Cisco 3850 stack. Initially, I moved VLAN 100. I can ping each of the directly connected devices (i.e. the 3850 and the 2911 router). I cannot ping from a virtual machine on VLAN 100 to the router and vice versa. Here is what works and what does not.
Works in both directions:
VM (172.16.100.51) <-> GW on SVI (172.16.100.254)
VM (172.16.100.51) <-> another SVI (172.16.230.254)
VM (172.16.100.51) <-> L3 int on 3850 (10.2.2.2)
L3 int on 3850 (10.2.2.2) <-> L3 int on 2911 (10.2.2.1)
SVI on 3850 (172.16.100.254) <-> L3 int on 2911 (10.2.2.1)
Does not work in either direction:
VM (172.16.100.51) <-> L3 interface on 2911 (10.2.2.1)
VM (172.16.100.51) <-> anything NOT routed on the 3850
I have the following routes on the 2911 and 3850.
3850:
ip route 0.0.0.0 0.0.0.0 10.2.2.1
2911:
ip route 172.16.100.0 255.255.255.0 10.2.2.2
ip route 172.16.230.0 255.255.255.0 10.2.2.2
In theory, everything coming from 172.16.100.51 that is not local to the 3850 should be sent to 10.2.2.1, since that is the default route on the 3850.
I suspect this is a licensing problem. I have the IP Base feature set license on the 3850 stack. I have checked using the show license and show version commands.
According to this Cisco FAQ, http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-..., routing should work because I have fewer than 16 static routes and I am only using basic L3 routing features.
I am at a loss here. What is going on? Can someone please confirm?
I bought a WS-C3850-24T-S,
http://www.Cisco.com/c/en/us/TD/docs/switches/LAN/catalyst3850/software/...
thinking that I would be able to use SVIs and keep all traffic from going up to the routers, as our older upstream switches were L2 only.
It looks like an upgrade to the full IP Services feature set is possible.
https://cisco3850.wordpress.com/2015/04/22/licensing-for-cisco-catalyst-....
Do I have to upgrade the image for that, or can I just switch the license using the built-in commands described here?
http://www.Cisco.com/c/en/us/TD/docs/switches/LAN/catalyst3850/software/...
I hope I don't have to reboot the switches, because this stack is currently in use as core and distribution.
Any help is appreciated.
Thank you
Did you turn on "ip routing"?
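An added example (not part of the thread) of the 3850 side of the topology in the question, with the one command the reply is pointing at. The addresses are the ones the poster gave; the interface number, the /30 mask on the 10.2.2.0 link and the VLAN names are assumptions. Without `ip routing` a Catalyst accepts `ip route` statements and answers pings on its own SVIs, which is exactly the "directly connected works, transit does not" pattern above.

```cisco
! Added example - not the poster's config. Assumed: Gi1/0/1 is the uplink,
! the 3850-2911 link is 10.2.2.0/30, VLAN names are illustrative.
ip routing
!
vlan 100
 name VM-100
vlan 230
 name VM-230
!
interface Vlan100
 ip address 172.16.100.254 255.255.255.0
!
interface Vlan230
 ip address 172.16.230.254 255.255.255.0
!
! Routed port towards the 2911 (no switchport turns it into an L3 interface)
interface GigabitEthernet1/0/1
 description Routed uplink to 2911 (10.2.2.1)
 no switchport
 ip address 10.2.2.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
! Checks:
!  show ip route            -> "S* 0.0.0.0/0 [1/0] via 10.2.2.1" plus C 172.16.100.0/24, 172.16.230.0/24
!                              with "ip routing" off the table is replaced by "Default gateway is ..."
!  show running-config | include ip routing
!  ping 10.2.2.1 source 172.16.100.254   -> tests the return route on the 2911
```

IP Base is enough for this: static routes and SVIs are in the base feature set, so no license change or reload is needed to enable `ip routing` on this platform.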
-
Dear all,
I have updated the IOS on a Cisco 3850. It is in flash, but it still does not appear in the "sh version" command, and I also cannot boot from this new IOS. Please mention the steps to boot the new IOS.
Thanks and regards
Jean Luc
The 3850 normally uses the command: software install file flash:cat3k_caa-universalk9.SPA.03.06.01.SE.150-1.EZ1.bin
-
Cisco 3850 - Directly Connected APs
Can you not connect APs to a 3850 other than directly? For example, if you had several offices in a branch site and your 3850 MC was in the server room and you had 2960s in the other offices, could you connect your APs to the 2960 switches and have them join the 3850 MC?
I have read that the APs must be connected directly to the 3850, but does it support FlexConnect APs?
I'd be grateful if someone could shed some light.
Thank you
The 3850 does not support FlexConnect. You also must connect the APs directly to the 3850 (no intermediate switches such as 2960s).
Refer to this Q&A for the answers to both your questions:
http://www.Cisco.com/en/us/prod/collateral/switches/ps5718/ps12686/qa_c67-722110.html
HTH
Rasika
-
H/W version incompatibility when stacking Cisco 3850s
I have a failed Cisco 3850. I got a new switch, and its IOS was lower than my current stack, so I upgraded it. When I do a show version the IOS looks right, but when I do a show switch the H/W version parameters are different. Would this cause my stack to fail?
New switch:

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 56    WS-C3850-48P       03.07.03E         cat3k_caa-universalk9 INSTALL

                                             H/W   Current
Switch#   Role    Mac Address     Priority Version  State
-----------------------------------------------------------
*1       Active   (omitted)         15     V04     Ready

Old switch:

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 56    WS-C3850-48P       03.07.03E         cat3k_caa-universalk9 INSTALL

                                             H/W   Current
Switch#   Role    Mac Address     Priority Version  State
-----------------------------------------------------------
*1       Active   (omitted)         15     V06     Ready

Hi Kurt,
That will not cause the stack to fail; you just need to make sure that the IOS version and the license level are the same between the stack members, and make sure you power off the switch before plugging it into the stack again.
HTH
Julio
-
Changing the certificate used by a Cisco 3850
I have a new L3 3850 switch. It had a self-signed certificate installed when I first booted the switch. The certificate shows as either 512 or 1024 bits in length. I would like to create a 2048-bit key. Can I issue the crypto key generate rsa command, specify a length of 2048, and get a new cert? I just can't figure out how to make the new cert the active cert.
When it first booted, here is the relevant section of the switch configuration:
crypto pki trustpoint TP-self-signed-127070658
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-127070658
 revocation-check none
 rsakeypair TP-self-signed-127070658
!
!
crypto pki certificate chain TP-self-signed-127070658
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
When I create the new cert, save it with copy running-config startup-config and then reload, it shows that the new cert is stored in nvram:private-config, but it does not show the cert when I cd into nvram: and issue the dir command. What is the right order to get the new cert in use?
Here are the results of the dir command:
Directory of nvram:/

 2049  -rw-        1897                    <no date>  startup-config
 2050  ----        3821                    <no date>  private-config
 2051  -rw-        1897                    <no date>  base-config
    1  ----           0                    <no date>  rf_cold_starts
    2  -rw-        1079                    <no date>  cpu_trap.eci
    4  -rw-        1072                    <no date>  cpu_threshold_trap.eci
    6  -rw-         886                    <no date>  memory_trap.eci
    7  -rw-         858                    <no date>  rf_trap.eci
    8  -rw-        3123                    <no date>  wireless_trap.eci
   11  -rw-         270                    <no date>  ma_trap_keyword
   12  ----          86                    <no date>  persistent-data
   14  -rw-         578                    <no date>  IOS-Self-Sig#1.cer
   15  -rw-           0                    <no date>  ifIndex-table
William Coats
I was wondering how to do this myself, so I took it on as a small project on our lab 3650. The documentation leaves something to be desired, but I finally figured it out.
1. Generate a 2048-bit RSA key pair:
seclab-3650(config)#crypto key generate rsa label 2048-bit-key modulus 2048
2. Create a trustpoint specifying self-signed enrollment and tell the TP to use this key pair:
seclab-3650(config)#crypto pki trustpoint 2048-bit-TP
seclab-3650(ca-trustpoint)#enrollment selfsigned
seclab-3650(ca-trustpoint)#usage ssl-server
seclab-3650(ca-trustpoint)#storage nvram:
seclab-3650(ca-trustpoint)#rsakeypair 2048-bit-key
seclab-3650(ca-trustpoint)#exit
3. Enroll the trustpoint - at this point the switch generates the 2048-bit certificate.
seclab-3650(config)#crypto pki enroll 2048-bit-TP
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]:
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
seclab-3650(config)#
4. Tell your ip http secure-server to use this trustpoint:
seclab-3650(config)#ip http secure-trustpoint 2048-bit-TP
Once I did this, I can browse to the switch via https and see the 2048-bit key being used in the self-signed certificate.
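An added example (not part of the answer above) of the follow-up a practitioner would want after step 4: confirm that HTTPS really serves the new trustpoint, then retire the old 1024-bit self-signed trustpoint and its key pair so they cannot come back into use. The trustpoint and key names are the ones from this thread. Order matters: if `ip http secure-trustpoint` is not set when the old trustpoint is removed, IOS simply generates another self-signed trustpoint with a fresh key at the next HTTPS start. The SSH lines are an assumption that you also want SSH on the 2048-bit key pair; changing it changes the host-key fingerprint your clients have cached.

```cisco
! Added example - not from the original answer. Names are those used in the thread.
!
! 1. Verify before removing anything
show ip http server secure status
!   expect: "HTTP secure server trustpoint: 2048-bit-TP"
show crypto pki certificates 2048-bit-TP
show crypto key mypubkey rsa 2048-bit-key
!   expect a 2048-bit modulus; the old key shows 1024 (or 512) bits:
show crypto key mypubkey rsa TP-self-signed-127070658
!
! 2. Retire the old self-signed trustpoint and its key pair.
!    Both commands ask for confirmation; answer yes.
configure terminal
 no crypto pki trustpoint TP-self-signed-127070658
 crypto key zeroize rsa TP-self-signed-127070658
 !
 ! 3. (assumption) use the same 2048-bit key pair for the SSH host key and
 !    drop SSHv1; clients will see a new host-key fingerprint once.
 ip ssh rsa keypair-name 2048-bit-key
 ip ssh version 2
end
!
! 4. Persist. The private key is stored in private-config, which is why the
!    certificate never appears as a separate file in "dir nvram:".
copy running-config startup-config
!
! 5. Re-check after a reload that no TP-self-signed-* trustpoint reappeared
show running-config | include crypto pki trustpoint
```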
-
Hi, I just got our Cisco 3850 switch, newly shipped with IOS-XE. Here is a sample of the 'show version' command.
Switch(config-if)#do show version
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.03.SE RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 23-Sep-13 18:24 by prod_rel_team

Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.
(http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 1.18, RELEASE SOFTWARE (P)

HK-CSW001 uptime is 4 hours, 0 minutes
Uptime for this control processor is 4 hours, 3 minutes
System returned to ROM by reload
System image file is "flash:packages.conf"
Last reload reason: Reload command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

License Level: Ipbase
License Type: Permanent
Next reload license Level: Ipbase

cisco WS-C3850-24T (MIPS) processor with 4194304K bytes of physical memory.
Processor board ID FOC2007U0YG
2 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
1609272K bytes of Flash at flash:.
0K bytes of Dummy USB Flash at usbflash0:.
0K bytes of  at webui:.

Base Ethernet MAC Address          : 00:cc:fc:d1:55:80
Motherboard Assembly Number        : 73-16297-04
Motherboard Serial Number          : FOC20061W6G
Model Revision Number              : Z0
Motherboard Revision Number        : B0
Model Number                       : WS-C3850-24T
System Serial Number               : XXXXXXXXXXX

My problem is, I tried HSRP v1 before using Packet Tracer, and since it succeeded I thought I could do it here on this new switch. But after reading a few articles, HSRP v1 is gone and HSRP v2 is here, and after I typed in
"interface vlan XXX"
"ip address XXX.XXX.XXX.XXX subnet"
the "standby version 2" command is not available, and "standby 1 ip XXX.XX" is not available either.
I'm stuck with this problem now; any help from you guys is appreciated.
Thank you
Jeff
Hello Jeff,
We were also quite surprised when we realized that our brand new 3850 did not support HSRP. This feature was introduced in a later version of IOS-XE. Currently we run 03.06.00.E on our WS-C3850-24T, and this version supports HSRP.
I absolutely don't understand why Cisco released such a software/switch combo that isn't finished.
So, please try a newer software version.
Cheers
Ichnafi
Addendum: Cisco Feature Navigator (http://tools.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp) says HSRP is supported since version 3.3.0.
-
Cisco Layer 3, trunking and VLANs
I have a vSphere 5.5 install and am currently upgrading the network to implement VoIP. The switching equipment I am using is a stack of Cisco 3850 Layer 3 switches, and I am going round and round on getting VLAN traffic to work properly. I hope someone can point me in the right direction.
I have a NIC connected to the switch (10 GB fiber) which handles all the traffic for the ESXi host (with the exception of management). The VLAN ID is set to zero (0) and load balancing is set to route based on originating virtual port.
I have 2 subnets: 10.1.0.0/16 (management, VLAN 1, and data) and 10.10.1.0/24 (voice, VLAN 10).
On the host I have a Windows 2012 R2 server which will host a VoIP PBX. It must be able to communicate with the IP phones (VLAN 10) and with other servers (VLAN 1).
The switches will be doing inter-VLAN routing.
Finally, my question - can anyone give me some advice on how to configure the interface on the Cisco for my host's 10 GB fiber connection? The actual port settings would be extremely useful. Is there anything I should do differently on the VMware end?
In case someone comes across this in a search, here is what I ended up with. On the Cisco switch port:
 switchport trunk allowed vlan 1,10
 switchport mode trunk
 switchport nonegotiate
 switchport voice vlan 10
 macro description cisco-switch
 spanning-tree portfast trunk
 spanning-tree link-type point-to-point
On the virtual switch, I set the VLAN ID to All and load balancing to route based on originating virtual port.
-
Hello,
I want to configure switch-to-switch link security (MACsec, manual mode) on a Cisco 3850 with IP Base.
But under "sap ... mode-list" the only entry is: no-encap
I need gcm-encrypt, but this option is not displayed.
SW version: 03.06.00E
SW Image: cat3k_caa-universalk9
License level: Ipbase
Model: WS-C3850-24T
What could be the problem?
Best regards
The 3850 hardware is capable of MACsec, but it is not yet implemented in the software:
From the 3850 Q&A:
Q. What service modules are available for the Cisco Catalyst 3850?
A. There is no service module for the Cisco Catalyst 3850. Features supported by the 3750-X service module (including Flexible NetFlow and MACsec*) are natively supported by the Cisco Catalyst 3850.
* Software support for MACsec could be added later as part of a software update.
-
AP1240 series compatibility with WLC code 8.2.111
Hello all,
I need advice on this one, if anyone has any suggestions.
We have remote sites (4-5) where we have 1242 series APs. Recently I upgraded my WLC controller to 8.2 code, and these APs do not come up as they are stuck in "Downloading...".
Per the link below, Cisco says the 1240 series is no longer supported.
http://www.Cisco.com/c/en/us/TD/docs/wireless/controller/release/notes/c...
Now my question is, is there any solution for this or is that it? Do we need new APs for the remote sites?
On the other hand, I also have a Cisco 3850 WLC-enabled switch, so can I use the Cisco 3850 for these APs? If so, please share any link.
Kind regards
The choices are:
1. The new APs are managed by the 3850 and the old APs are managed by a WLC running 8.0.x; or
2. The 1240s are converted to autonomous mode; or
3. Get another controller, e.g. a 2504.
-
Hello,
I have a converged access architecture with a 5508 as MC and 3850s as MAs. Currently, at the main site, the access points register on each 3850.
At my remote site I do not have a Cisco 3850, and I want to use my 5508 with FlexConnect. So the remote access points would register on the 5508. Is this possible?
Can my Cisco 5508 support a mixed architecture?
- Converged access for the main site,
- Classic architecture for the remote site.
Thanks in advance,
Sylvain.
Note that from 8.1 onward the MC feature supporting 3850/3650 MAs is removed from AireOS.
With Release 8.1 in a New Mobility environment, Cisco WLCs running Cisco Wireless software cannot function as mobility controllers (MC). However, the Cisco WLCs can function as guest anchors.
http://www.Cisco.com/c/en/us/TD/docs/wireless/controller/release/notes/crn81.html
This is why it is advised not to have an AireOS controller as MC in your converged access setup.
HTH
Rasika
Please rate all useful responses.
-
Hello,
I have a 3850 configured as a border switch where I run BGP on it. I have not connected our internal management network to the MGMT port because of security concerns. So what worries me is: if the switch somehow gets hacked from the outside (we run an SSH or HTTP server on it), could the attacker access the MGMT port or not? The MGMT interface is on a separate data plane, so is there no possible way to get from the switch ports over to the controller? I couldn't find this info in the administrator's guide, so I'm asking if any of you know :).
Thank you!
The Catalyst 3850's management port, like that of many other more modern Cisco switches, uses a completely separate Virtual Routing and Forwarding (VRF) instance.
As long as you do not expose Layer 3 interfaces (routed ports or Switched Virtual Interfaces (SVIs)) to the outside world, your management plane is totally isolated. If the switch had external L3 interfaces and was completely compromised, one could log in to the switch and then launch sessions (from the switch itself) to the internally reachable hosts that are accessible via the management VRF.
For more information on the internal architecture of the switch, please see the Cisco Live presentation BRKARC-3438. Note on slides 30+ how they show the 'PEM' (the Ethernet management port) directly connected to the switch CPU and not sharing the forwarding ASICs or controllers that govern the data ports.
Also note that the configuration guide states:
The switch cannot route packets from the Ethernet management port to a network port and vice versa.
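An added example (not part of the answer above) that shows both halves of the point it makes: the management port sits in the built-in Mgmt-vrf so the data plane cannot forward into it, but the VRF does nothing against someone who already has a login on the box, so the remaining exposure is controlled by what listens and who may connect. The management subnet 192.0.2.0/24, its gateway, the ACL number and the VTY settings are assumptions; `Mgmt-vrf` and `GigabitEthernet0/0` are the platform's own names.

```cisco
! Added example - not from the original post. Assumed: management subnet
! 192.0.2.0/24 with gateway 192.0.2.1; ACL 10 is illustrative.
!
! Management port: already in Mgmt-vrf by default on the 3850, shown here
! explicitly. Its routes live only in that VRF.
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 192.0.2.10 255.255.255.0
 negotiation auto
!
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.0.2.1
!
! Who may open a management session: only the management subnet.
access-list 10 remark Management hosts only
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
! Apply it to the VTYs. "vrf-also" is required, otherwise connections that
! arrive via a VRF interface (i.e. the Mgmt-vrf port) are rejected.
line vty 0 15
 access-class 10 in vrf-also
 transport input ssh
 exec-timeout 10 0
!
ip ssh version 2
!
! Nothing else should listen on an Internet-facing BGP speaker. Turn the
! web server off; if it must stay, at least bind it to the same ACL.
no ip http server
no ip http secure-server
! ip http access-class 10
!
! Checks:
!  show vrf                        -> Gi0/0 appears under Mgmt-vrf and nowhere else
!  show ip route vrf Mgmt-vrf      -> default via 192.0.2.1
!  show ip route                   -> global table must NOT contain 192.0.2.0/24
!  ping vrf Mgmt-vrf 192.0.2.1     -> succeeds
!  ping 192.0.2.1                  -> fails from the global table, as expected
!  show ip sockets / show control-plane host open-ports -> only 22 listening
```

The last two pings are the quick way to see the separation the answer describes; the `show ip route` contrast is what proves a routed port or SVI has not leaked the management prefix into the global table.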
-
2504 versus 3850 wireless controller
We are just beginning to look at wireless on our secure networks. We have a 2504 and some 36xx WAPs but never installed them. We have also ordered a couple of 38xx WAPs and a group of 3850 models which include the wireless controller. We plan to use our Cisco ACS with certs and AD for authentication.
We will eventually go wireless at several fiber-attached sites if this pans out.
To save time by not going down the wrong path, I have some basic questions to ask.
My questions are... which approach (2504 versus 3850 WC) is better? I know the 3850 series may have multigigabit connections to WAPs with the newest 3850-X model, which may be more of a later consideration. I also don't know the process of how wireless user data is placed onto the local network via the WAP. Does data have to go through an IPsec tunnel to the 2504 and then get placed on the local network at the 2504's location? Or is it just a tunnel for authentication, with the wired LAN between WAP and switch allowing direct data flow? We have some wireless on our network, but we use a totally different method.
What bothers me is that if there is some wireless access to a corporate network and servers, I think 1 GB for the WAP connection could be a bottleneck... especially if the data cannot be placed directly onto the local network at the WAP's connection to the switch.
Does a 3850W model control only the devices on the local stack, or can it go beyond this restriction too? I mean, can the 3850W support WAPs that are connected to another stack too?
I would not use the 3850 unless your environment is small; that being said, with the 3850 the APs must be on the 3850 or 3650 in your environment. I'd go with the 2504, it's stable and you will not regret it :)
-Scott
Please rate useful posts.
-
CiscoWorks LMS 4.0.1 and 3850 switch support
Hi, I want to know if the 3850 switch is supported in CiscoWorks LMS 4.0.1. I added the devices and inventory collection succeeded, but the device icon is blue with a question mark '?' and config sync always fails.
I tried to download the device packages to install, but I couldn't find them.
Thanks for the help
The 3850 is supported on LMS 4.2.3. Check the supported device list here:
You must upgrade to LMS 4.2.3 or move to Prime Infrastructure 1.3.
-Thank you
Vinod
*Rating encourages contributors, and it's really free.*
-
Could you let me know the status of connecting access points to the Catalyst 3850?
Dear experts,
Connecting access points to the Catalyst 3850.
I checked CCO, but I don't know whether the access point must connect directly or indirectly...
Must the access point be connected to the Catalyst 3850 directly?
I would like to know the CCO page on this subject.
Best regards
Takuro
Hello
See below:
Q. Does the Cisco Catalyst 3850 support indirectly connected access points?
A. No. The Cisco Catalyst 3850 switch will always terminate the CAPWAP tunnel locally. Pass-through or indirectly connected access point mode is not supported at this time. Note that a Cisco Catalyst 3850 12- or 24-port SFP model can be a good choice to act as mobility controller for a stack of Cisco Catalyst 3850 switches terminating CAPWAP tunnels locally.
HTH
Rasika
Please rate all useful responses.