Cisco Catalyst 3850 - StackPower.

Just wanted to make a note about the Catalyst 3850 and its StackPower feature.

Cisco Catalyst 3850 Series Switches:

StackPower allows customers to simply add one extra power supply in any switch of the stack and either provide power redundancy for any of the stack members or simply add more power to the shared pool. StackPower eliminates the need for an external redundant power system or installation of dual power supplies in all the stack members. StackPower is available in LAN Base license level (or higher). For LAN Base, cables need to be purchased separately.

Switch#show license right-to-use usage
 Slot#  License Name     Type     usage-duration(y:m:d)  In-Use  EULA
-----------------------------------------------------------------------
 1      ipservices     permanent    0 :0 :0                no    no
 1      ipservices     evaluation   0 :0 :0                no    no
 1      ipbase         permanent    0 :0 :0                no    no
 1      ipbase         evaluation   0 :0 :0                no    no
 1      lanbase        permanent    0 :6 :21               yes   yes
 1      apcount        evaluation   0 :0 :0                no    no
 1      apcount        base         0 :0 :0                no    no
 1      apcount        adder        0 :0 :0                no    no

Switch#

Cisco Catalyst 3850 Series Switches > Q&A:

• Q. Do I need to populate all of the power supply slots in my switch?
• A. No. The Cisco Catalyst 3850 switches provide two slots for the use of redundant power supplies, but only one supply is needed to run a single switch unless full PoE+ is deployed on a 48-port switch. In that case, the power requirement is about 1700W, which is more than the 1100W provided by the largest available power supply. If the switch is deployed within a Cisco StackPower stack, a second power supply might not be needed if the stack has extra power to meet the requirements of this switch, though the power supply slot must be covered to maintain proper airflow.

• Q. Can you give priority to an important switch in the stack?
• A. The Cisco StackPower solution assigns a default priority to the switches in a stack as well as to the ports (high or low) of every switch. The administrator has the ability to change and program these priorities with “power-priority switch <1-27>” and “power-priority low | high <1-27>” configuration commands.

All you need is just enough cables: CAB-SPWR-30CM (37-1122-01) - $15 each on eBay.

Example for a stack of two switches

Real example for a stack of two switches (WS-C3850-48T, without PoE), each with only one power supply installed (the entry-level PWR-C1-350WAC that ships by default). To get power redundancy you can either order two more power supplies OR a single CAB-SPWR-30CM cable. Connect it however you like; I connected port 1 to port 1. Technically it works without any further configuration: if mains power is connected to the power supply of either node, both switches are powered, so to get both switches running you only need to plug in one of them. Optionally you can add the following configuration:

stack-power stack StackPower
 mode power-shared
 exit

stack-power switch 1
 stack StackPower
 power-priority switch 1
 exit

stack-power switch 2
 stack StackPower
 power-priority switch 2
 exit

Here you can find a video from Cisco regarding StackPower in action - Cisco Catalyst 3750-X StackPower.

Cisco WLC and Windows NPS as a RADIUS server.

Today I needed to reconfigure an AIR-CT5760 to use Windows NPS as the RADIUS server for wireless client authentication.

Here is a list of useful documents about it:
• 5760/3850 Series WLC PEAP Authentication with Microsoft NPS Configuration Example - MUST READ.
• External RADIUS Server EAP Authentication with 5760/3850 WLC Configuration Example.
• Converged Access - 802.1X/EAP using External server, Local radius/LDAP on 5760 WLC and 3850.

If you have only one RADIUS server the configuration is pretty simple:

radius server NPS-192.168.1.1
 address ipv4 192.168.1.1
 key 0 SECRET_KEY
 exit

aaa group server radius RADIUS-WIRELESS-AUTH
 server name NPS-192.168.1.1
 exit

aaa authentication dot1x default group RADIUS-WIRELESS-AUTH

If you have two servers and you really want to be sure that failover to the second one will work, you have to configure a little bit more (please refer to the excellent Cisco document - Demystifying RADIUS Server Configurations):

radius server NPS-192.168.1.1
 address ipv4 192.168.1.1
 timeout 5
 retransmit 2
 automate-tester username dummy probe-on
 key 0 SECRET_KEY
 exit

radius server NPS-192.168.1.2
 address ipv4 192.168.1.2
 timeout 5
 retransmit 2
 automate-tester username dummy probe-on
 key 0 SECRET_KEY
 exit

aaa group server radius RADIUS-WIRELESS-AUTH
 server name NPS-192.168.1.1
 server name NPS-192.168.1.2
 exit

radius-server dead-criteria time 15 tries 2
radius-server deadtime 5

aaa authentication dot1x default group RADIUS-WIRELESS-AUTH

For me, the most useful show command is the one below:

AIR-CT5760-WLC#show aaa servers | i id|State|Dead|Quarant|request
RADIUS: id 1, priority 1, host 192.168.1.1, auth-port 1645, acct-port 1646
     State: current UP, duration 73029s, previous duration 0s
     Dead: total time 0s, count 84
     Quarantined: No
     Authen: request 1429752, timeouts 14115, failover 0, retransmission 10956
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
RADIUS: id 2, priority 2, host 192.168.1.2, auth-port 1645, acct-port 1646
     State: current UP, duration 150814s, previous duration 0s
     Dead: total time 0s, count 10
     Quarantined: No
     Authen: request 8417, timeouts 8085, failover 2209, retransmission 6084
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 619681, timeouts 593, failover 0, retransmission 593
AIR-CT5760-WLC#
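The counters above are worth more than the "State: current UP" line: the second server answered only a few hundred of its 8417 authentication requests without a timeout, yet it still shows UP. The following Python script is an added example (not from the original note, and not a Cisco tool) that parses the filtered `show aaa servers` output and flags servers whose counters look unhealthy. The sample text is the output from above embedded inline; the thresholds (5% authentication timeouts, 50 dead events) are arbitrary assumptions for the demo and should be tuned to the environment.

```python
import re

# Constructed sample: the filtered "show aaa servers" output shown in the note,
# i.e. only the lines kept by "| i id|State|Dead|Quarant|request".
SAMPLE = """\
RADIUS: id 1, priority 1, host 192.168.1.1, auth-port 1645, acct-port 1646
     State: current UP, duration 73029s, previous duration 0s
     Dead: total time 0s, count 84
     Quarantined: No
     Authen: request 1429752, timeouts 14115, failover 0, retransmission 10956
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
RADIUS: id 2, priority 2, host 192.168.1.2, auth-port 1645, acct-port 1646
     State: current UP, duration 150814s, previous duration 0s
     Dead: total time 0s, count 10
     Quarantined: No
     Authen: request 8417, timeouts 8085, failover 2209, retransmission 6084
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 619681, timeouts 593, failover 0, retransmission 593
"""

HEADER_RE = re.compile(
    r"^RADIUS: id (\d+), priority (\d+), host (\S+), auth-port (\d+), acct-port (\d+)")
STATE_RE = re.compile(r"^\s*State: current (\S+), duration (\d+)s")
DEAD_RE = re.compile(r"^\s*Dead: total time (\d+)s, count (\d+)")
QUAR_RE = re.compile(r"^\s*Quarantined: (\S+)")
COUNTER_RE = re.compile(
    r"^\s*(Authen|Author|Account): request (\d+), timeouts (\d+), "
    r"failover (\d+), retransmission (\d+)")


def parse_aaa_servers(text):
    """Return a dict keyed by server id with state, dead and per-type counters."""
    servers = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # a new "RADIUS: id N" block starts here
            current = {
                "id": int(m.group(1)), "priority": int(m.group(2)), "host": m.group(3),
                "auth_port": int(m.group(4)), "acct_port": int(m.group(5)), "counters": {},
            }
            servers[current["id"]] = current
            continue
        if current is None:
            continue  # ignore anything before the first server block
        m = STATE_RE.match(line)
        if m:
            current["state"] = m.group(1)
            current["state_duration_s"] = int(m.group(2))
            continue
        m = DEAD_RE.match(line)
        if m:
            current["dead_total_s"] = int(m.group(1))
            current["dead_count"] = int(m.group(2))
            continue
        m = QUAR_RE.match(line)
        if m:
            current["quarantined"] = m.group(1) != "No"
            continue
        m = COUNTER_RE.match(line)
        if m:
            current["counters"][m.group(1)] = {
                "request": int(m.group(2)), "timeouts": int(m.group(3)),
                "failover": int(m.group(4)), "retransmission": int(m.group(5)),
            }
    return servers


def timeout_ratio(server, kind="Authen"):
    """Fraction of requests of the given type that timed out (0.0 if none sent)."""
    c = server["counters"].get(kind)
    if not c or c["request"] == 0:
        return 0.0
    return c["timeouts"] / c["request"]


def health_findings(servers, max_timeout_ratio=0.05, max_dead_count=50):
    """Flag servers whose counters look unhealthy even if State says UP.

    The two thresholds are assumptions chosen for this demo, not Cisco defaults.
    """
    findings = []
    for sid, s in sorted(servers.items()):
        ratio = timeout_ratio(s)
        if s.get("state") != "UP":
            findings.append((sid, f"state {s.get('state')}"))
        if ratio > max_timeout_ratio:
            findings.append((sid, f"authen timeout ratio {ratio:.1%}"))
        if s.get("dead_count", 0) > max_dead_count:
            findings.append((sid, f"marked dead {s['dead_count']} times"))
        if s.get("quarantined"):
            findings.append((sid, "quarantined"))
    return findings


if __name__ == "__main__":
    for sid, msg in health_findings(parse_aaa_servers(SAMPLE)):
        print(f"server {sid}: {msg}")
```

Run against the sample it reports that server 1 has been marked dead 84 times and that server 2 times out on about 96% of authentication requests; feeding it the output collected by a monitoring job turns a "looks UP" controller into an alert before users notice the slow or failing logins.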

Cisco - Demystifying RADIUS Server Configurations.

Just found the greatest Cisco document regarding RADIUS - Demystifying RADIUS Server Configurations - MUST READ.

Cisco IOS - How to run debug safely. [TESTED]

Everybody knows that using debug commands is risky; you have to use them with caution. Enabling debugging can disrupt operation of the router when the network is experiencing high load. In particular, if logging to the console is enabled, the device can intermittently freeze as soon as the console port gets overloaded with log messages. More information can be found here - Important Information on Debug Commands.

In this note, I’d like to provide the list of commands that should be applied before enabling debug messages, just for quick copy/paste. Before all of that, it’s better to make sure that:

• NTP is configured and synchronized.
• Timezone is configured.

clock timezone PST -8 0
clock summer-time PDT recurring

List of general pre-debug commands

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
no logging console
no logging monitor
logging on
logging trap 0
logging buffered 10000000 debugging
logging queue-limit 10000
logging rate-limit 10000

Let’s do it one by one:

service timestamps - service timestamps [debug | log] [uptime | datetime [msec]] [localtime] [show-timezone] [year]

Mar  6 18:47:21.597 UTC:: %SYS-5-CONFIG_I: Configured from console ...

service sequence-numbers - Each system status message logged by the system logging process has a sequence reference number applied. This command makes that number visible by displaying it with the message. The sequence number is displayed as the first part of the system status message.

000031: Mar  6 18:47:50.563 UTC: %SYS-5-CONFIG_I: Configured from console...
000032: Mar  6 19:03:43.853 UTC: %SYS-5-CONFIG_I: Configured from console...

no logging console - To limit messages logged to the console based on severity, use the logging console global configuration command. To disable logging to the console terminal, use the no form of this command.

no logging monitor - To disable logging to the terminal lines (monitors).

logging on (enabled by default) - Enabling the “logging on” command may substantially slow down the router. Any process generating debug or error messages will wait until the messages have been displayed on the console before continuing. The “logging synchronous” line configuration command also affects the displaying of messages to the console. When the logging synchronous command is enabled, messages will appear only after the user types a carriage return.

logging trap - To limit messages logged to the syslog servers based on severity, 0 is “emergencies”.

logging buffered - To enable system message logging to a local buffer. The optional buffer size, in bytes, ranges from 4096 to 2147483647. The default size varies by platform.

logging queue-limit - To control how much system memory may be used for queued log messages. The optional parameter is the number of messages in the logger queue. The valid range is 100 to 2147483647. The default is 100.

logging rate-limit - To limit the rate of messages logged per second. The default is 10 messages logged per second.
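The reason to turn on sequence numbers before a debug session is that queue-limit and rate-limit silently drop messages once they are exceeded, and the only evidence is a gap in the numbering. The Python script below is an added example (not from the original note) that parses log lines in the format produced by `service sequence-numbers` together with `service timestamps log datetime msec localtime show-timezone`, reports sequence gaps and computes the observed message rate. The five log lines are constructed for the demo, with sequence number 000034 deliberately left out; the year is assumed, since IOS omits it unless the `year` keyword is configured.

```python
import re
from datetime import datetime

# Constructed sample in the "service sequence-numbers" + "service timestamps log
# datetime msec localtime show-timezone" format. Sequence 000034 is intentionally
# missing to simulate a message dropped by queue-limit or rate-limit.
SAMPLE_LOG = """\
000031: Mar  6 18:47:50.563 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0
000032: Mar  6 19:03:43.853 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0
000033: Mar  6 19:03:44.102 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/1, changed state to down
000035: Mar  6 19:03:45.000 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/1, changed state to up
000036: Mar  6 19:03:45.250 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# seq: Mon  D HH:MM:SS.mmm TZ: %FACILITY-SEV-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\S+): (?P<msg>%\S+: .*)$"
)


def parse_log(text, year=2015):
    """Parse sequence-numbered IOS log lines into dicts.

    The year is an assumption: the timestamp format in the note does not include it.
    Lines that do not match (CLI prompts, banners) are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S.%f")
        entries.append({"seq": int(m["seq"]), "ts": ts, "tz": m["tz"], "msg": m["msg"]})
    return entries


def find_sequence_gaps(entries):
    """Return (first_missing_seq, next_seen_seq) for every jump in the numbering."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        if cur["seq"] != prev["seq"] + 1:
            gaps.append((prev["seq"] + 1, cur["seq"]))
    return gaps


def message_rate(entries):
    """Average messages per second across the capture (0.0 if fewer than 2 lines)."""
    if len(entries) < 2:
        return 0.0
    span = (entries[-1]["ts"] - entries[0]["ts"]).total_seconds()
    return len(entries) / span if span > 0 else float("inf")


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(f"{len(log)} messages, {message_rate(log):.4f} msg/s")
    for missing, seen in find_sequence_gaps(log):
        print(f"gap: expected {missing:06d}, next seen {seen:06d}")
```

Paste the output of `show logging` into the script after a debug session: an empty gap list means the buffer holds every message the device generated, while any gap tells you that the queue or rate limit was hit and the missing evidence has to be reproduced with a tighter debug filter.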

Before you start

In addition, you can clear the logging buffer before starting (confirmation is required):

Cisco#clear logging
Clear logging buffer [confirm]
Cisco#

Then start debugs:

debug ...

Stop debug

un all

Collect debug messages

show logging

Additional part for basic VOICE troubleshooting

service internal
voice iec syslog

• service internal - Allows additional debugs/tests that are not normally available. You can google for more specific information about it.

• voice iec syslog - To enable viewing of Internal Error Codes as they are encountered in real time, use the voice iec syslog command in global configuration mode. To disable IEC syslog messages, use the no form of this command.

SolarWinds NCM “Device Template” for Cisco ACS 5.6. [TESTED]

By default, NCM doesn’t have a special “Device Template” for Cisco ACS 5.X; NCM chooses the closest template by SysObjectID. Note that the SysObjectID differs depending on the particular ACS version; for example, ACS 5.6 has 1.3.6.1.4.1.9.1.1117. The default template for Cisco IOS works fine, but ADE-OS on ACS 5.X (at least on 5.5 and 5.6) requires the SSH session to be closed properly (by using exit).

You can find a template for ACS on thwack; it works, but it needs to be modified. Here are the important changes:

... Device="Cisco ACS 5.6" SystemOID="1.3.6.1.4.1.9.1.1117" ...
... Name="DownloadConfig" Value="show ${ConfigType}${CRLF}exit" ...
