
Friday, 7 March 2025

switch aaa and radius authentication settings for duo etc

aaa group server radius DUO-AUTH
 server name DUO-AUTH-PROXY
 ip radius source-interface Vlan2
!
aaa authentication login default group DUO-AUTH local
aaa authentication login CON-LOCAL local
!
radius server DUO-AUTH-PROXY
 address ipv4 192.168.1.1 auth-port 18122 acct-port 18122
 pac key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The trailing local in the default list is only used when the RADIUS group gives no answer (proxy down or unreachable), not when it rejects the login. Apply CON-LOCAL to the console (line con 0 / login authentication CON-LOCAL) so console logins don't depend on the proxy at all.


Wednesday, 7 September 2022

can't ping SVI interface on remote switch across S2S VPN

Had an issue where I could ping the vlan1 (LAN) SVI but not the vlan146 (VOICE) SVI.

The setup was

LAN client -> L2 VL1 -> L3 SVI VL1 -> Inside ASA -> S2S VPN -> HQ

Phone client -> L2 VL146 -> L3 SVI VL146 -> L3 SVI 1 -> Inside ASA -> S2S VPN -> HQ -> Phone server


I found some messed-up NATs.


Removed the global dynamic PAT:

object network obj_any

 nat (any,outside) dynamic interface


The NoNAT (identity NAT) rule had a missing object in the destination. Corrected version:

nat (voice,outside) source static obj-10.60.146.0 obj-10.60.146.0 destination static HQ-NET HQ-NETS no-proxy-arp route-lookup


Also needed this NAT on the INSIDE interface for the 146 network to be able to ping the SVI. This is because the route to the HQ network is through the inside interface of the ASA.

nat (inside,outside) source static obj-10.60.146.0 obj-10.60.146.0 destination static HQ-NET HQ-NETS no-proxy-arp route-lookup



Monday, 21 June 2021

new upgrade commands on 9200 and 9300 switch

Looks like the install/upgrade process has changed a bit on the Cisco 9200 switch.


install add file flash:cat9k_lite_iosxe.16.10.01.SPA.bin activate commit

*This command also copies the file to the other switches in the stack.

If you forget the last two keywords (activate commit) you will need to run:

install remove inactive


Full guide

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-10/release_notes/ol-16-10-9200.html#id_67613


Needed this command when there was no space on the local disk

install add file tftp://172.30.180.160//cat9k_iosxe.17.06.05.SPA.bin activate commit




****

Check this before rebooting:

#show romvar | in STARTUP

SWITCH_IGNORE_STARTUP_CFG=0

If the variable is set to 1 the switch will ignore its startup-config on the next boot (it comes up with a blank config). Clear it with:

no system ignore startupconfig switch all


Thursday, 7 February 2019

move from type 5 or 7 passwords to type 9 on cisco router

username admin algorithm-type scrypt secret cisco
(this produces a type 9 secret, the strongest available at the time of writing)

Monday, 23 July 2018

enable jumbo frame on cisco 3850

conf t
system mtu 9198
wr
reload

Taken from the Cisco forums:
The limitations of the platform in question would make no sense if system mtu routing would apply to routed ports, but at the same time would not apply to SVIs. The point here seems to be that the model line cannot fragment in hardware. So to avoid that, it just makes sure every L3 interface (routed port and SVI alike) has the same IP MTU, so there is never any need to fragment a packet.
I've tested this in the lab using two 3560E chassis, trivially set up with the default VLAN, connected through Gigabit (so system mtu jumbo will apply) and then pinging each other's SVIs. Now let's configure the following (using the maximum frame size the platform supports, there's not much sense in limiting it here):
system mtu jumbo 9198
After rebooting, all physical ports running 1000Base or better will allow payloads of up to 9198 bytes to be encapsulated. The routing MTU will still be 1500 at this point. Try to ping one switch from the other like
ping 10.1.1.2 size 1500 df-bit
and it will succeed, but increasing size to 1501 will fail.
Now let's add:
system mtu routing 9000
to both switches and try again (no reboots needed). You will see that
ping 10.1.1.2 size 6000 df-bit
will suddenly work now, and the interface counters will make clear that no fragmentation happens - it's really a single 6000 byte IP packet bouncing forth and back between the switches. That works up to 9000, and starts failing at 9001, exactly as you would expect.
Why is there a rumour that system mtu routing doesn't apply to SVIs? Probably because show interface of an SVI will show you an MTU of 1500 (or whatever your system mtu is), while the same command applied to a routed port will show 9000. This seems to be a glitch, as so often with interface MTU in show commands. More specifically, the show interface MTU is supposed to be the potential payload MTU of the underlying physical interface of that routed interface, and there are other cases where it displays rubbish. One should always compare to the IP MTU as given by show ip interface. Et voila: the IP MTU of our SVI (as given through show ip int vl1) displays as 9000. So the succeeding ping is not a mystery and system mtu routing does exactly what it intuitively states: change the IP MTU of every L3 interface of the platform.
I know this won't help in cases like the one discussed here, where supposedly two L3 interfaces running at different MTUs are needed. In such cases, one should first make sure that what's needed is really that and there's no way to redesign the setup to avoid that (by placing L3 and L2 boundaries appropriately). If there is no way around that, the 3560 will likely have to go for something that has per-interface IP MTU, like the 49xx or 4500X platforms.
Discussions about MTU often mix up different problems and lead to chaos. IMO this is because two things are often not regarded to the necessary extent by the participants:
  1. There is not one MTU. When talking about MTU, always define the layer you consider. That's often hard because you actually have to think about a layer boundary, so two layers are involved. The mythical 1500 for instance is the L3 MTU on top of a classic L2 of the Ethernet family. Things fundamentally change when you discuss L2 MTUs with regard to some underlying L1 (but things are easier here, as L1+L2 are often developed together as one technology, while the boundary between technology layers and the network layer has more degrees of freedom).
  2. MTU doesn't exist as such, but is an emerging concept. In other words, MTU is what everybody in a system of communicating nodes (typically a broadcast domain) thinks it is, with the emphasis on everybody. In that sense it's like the IP network that lives on top of a broadcast domain - it doesn't exist per se, but by convention of everybody using that broadcast domain as a bearer for IP packets sourced from non-colliding addresses from the same visibility range (aka prefix, aka network and netmask, in ancient times aka subnet/subnetmask). MTU is a convention as well: a single node just changing its MTU (up or down from the convention, that is, what everybody else uses) is a recipe for disaster. That's why you don't do it unless you know exactly what you are doing, and have the might to change it everywhere in a broadcast domain (every involved intermediate network device and every end node). It's viral. Luckily it's not as widespread as the viral issue of people configuring ports full duplex because that's what they always did, introducing duplex mismatches up and down and then telling you that as obviously auto negotiation doesn't work, they will continue this practice. You see the common scheme: breaking a convention is a bad idea, unless you are the sole dictator.

Monday, 23 October 2017

packet capture on cisco router/switch

*** Setup ACL
ip access-list extended CAP_ACL
permit ip host x host y (x and y are the two endpoints you want to capture)

*** Setup buffer
monitor capture buffer CAP_BUFF circular

*** Filter the buffer with the ACL
monitor capture buffer CAP_BUFF filter access-list CAP_ACL

*** Setup the cap point and on what interface
monitor capture point ip cef CAP_POINT fa0/0 both

*** Assign the buffer to point
monitor capture point associate CAP_POINT CAP_BUFF

*** Show the setup
show monitor capture buffer CAP_BUFF

*** Start the cap
monitor capture point start CAP_POINT

*** Send the test traffic
send test traffic (ping, telnet, etc.) across the interface

*** Stop the cap
monitor capture point stop CAP_POINT

*** show brief
show monitor capture buffer CAP_BUFF brief

*** export the capture to tftp server
monitor capture buffer CAP_BUFF export tftp://10.50.50.22/mycap.pcap

*** Open the pcap in Wireshark


For 3850 - but it didn't work for me
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/configuration/xe-16/epc-xe-16-book/nm-packet-capture-xe.html#GUID-DCB20ADF-1F8E-434B-AE97-54802879F34F

Thursday, 24 August 2017

stacking cisco switches

Before ordering
  • Visual inspection of the racks
  • Can we space the stack members 1U apart?
  • Usually need one 3m stack cable (top<->bottom); do we need more?
  • Do we have power, and is it a normal plug or a female (C13) power cable?
  • Are the power cables the Cisco notched type or not?

After the gear arrives we need to visit site to do the following:
  • Check we got everything in the delivery.
  • Unbox all the gear and take a picture of the serials.
  • Check the power cables; make sure they didn't ship the EU ones.
  • Check we got the correct power cables: do they match up with what's available in the racks, normal sockets or UPS (C13)?
  • Install any network modules and SFPs.
  • Put the ears on and get the stack going (see Building the stack below).
  • Provision and set priority (see Building the stack below).
  • If we have dual power supplies, can the racks accommodate the extra cables?
  • Check the front of the rack: could the switch be replaced, are there any network cables in the way?
  • Is there room to install the new stack with a space between each switch?
  • Check the back of the rack: keep in mind new switches are longer and stack cables come out further; can the switch be replaced, any cables in the way?
  • Get a backup of the config on the current stack.
  • Take note of VLANs and trunk ports.

Next site visit
  • Convert the config
  • Install the new switches in the rack
  • Swap over cables
  • Deal with any issues after end user testing


Building the stack

All switches need to be on the same licence and software before they will form a stack.
Boot one switch at a time, run the licence command below and check the software version.
Download and update the software to the latest stable release recommended by Cisco if required.
The switch will need a reboot after running the licence command. Also set the switch provision / priority.
Write the config (wr) and shut them all down.
Connect the stack cables, boot the master first, wait 10 seconds, then boot the rest.

Commands
license right-to-use activate ipservices all acceptEULA
switch 1 provision ws-c3850-48p (get the model from sh ver and enter it here)
switch 2 provision ws-c3850-48p
conf t
switch 1 priority 15
switch 2 priority 14


Stack cabling
Top left to bottom right,
then right to the next switch's left,
and repeat until finished.

Power stack cabling
Yellow cable -> yellow port
Green -> green

Copying the bin file from tftp server on my laptop to switch
copy tftp://10.56.3.200/cat3k_caa-universalk9.16.03.03.SPA.bin flash:


Install modes
Bundle Mode = BIN FILE

Install Mode = PACKAGES

The switch can't boot an image over 400 MB, and the later images are nearly 500 MB. In bundle mode the bin file is extracted into memory on every boot. In install mode the bin file is extracted once into several packages on flash, with a packages.conf pointing to them. Install mode is the recommended one.

Converting BUNDLE -> INSTALL

request platform software package expand switch 1 file flash:cat3k_caa-universalk9.16.03.03.SPA.bin to flash:

Copy the bin and extract on all switches in the stack
Set your boot to packages.conf
boot system switch all flash:packages.conf

Enable the stack port
In rare cases the switch might ship with stack port disabled
switch 1 stack port 1 enable
sh switch

Auto upgrade other switches
software auto-upgrade
wr

Stack show commands
show switch
show switch 2
show switch detail
show switch nei
show switch stack-ports
show switch stack-ports summary - to see cable lengths
show redundancy
show redundancy state

More on upgrading the stack
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-8/release_notes/ol-16-8-3850.html#id_67699


Saturday, 12 August 2017

renumbering switch stacks

Boot up one switch and set it as master (priority 15)
and set all its other values.
Boot up the second switch and set it as backup (priority 14)
and its other values.

Create the stack between the two devices.
Now add other switches to the stack and give them numbers etc.

Set the priority, then provision (model from sh ver):
switch 1 provision ws-c3850-48p

switch 2 renumber 1

Once you swap switch numbers you can't swap them again,
so make the swaps you can, then:
write mem
reload (takes about 10 mins on a 3850)

Check again
sh switch

Move the remaining switches

Wednesday, 5 October 2016

sample switch config

Setup a local user (the password 0 form is stored in clear text, or as reversible type 7 if service password-encryption is on; prefer the second form, which stores a type 9 scrypt secret)
username local-user privilege 15 password 0 P@55w0rd
username MYUSER privilege 15 algorithm-type scrypt secret P@55w0rd

Set the enable secret
enable secret s3cr3t

Save 
write mem

Set hostname
hostname SITE-3650

Don't try to look up hostnames
no ip domain lookup 

Set up the line settings
line con 0
 logging synchronous
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh


Enable cdp
cdp run

set ntp server
ntp server 172.30.123.1

Set default gateway (L2)
ip default-gateway 172.30.1.1


Set banner
banner login ^
*** MY BANNER ***
^

Enable ip routing (L3 functions)
ip routing

Set L3 default route
ip route 0.0.0.0 0.0.0.0 vlan 10 172.172.10.249

Set domain name
ip domain-name mydomain.ie



Generate rsa key (for ssh)
conf t
crypto key generate rsa general-keys label MYLABEL modulus 2048

Setup spanning tree
spanning-tree mode rapid-pvst

Set up local logging buffer
Generally it's set very low. Use dir to check how much space you have.
If you have a syslog server it's not an issue.
logging buffered 5000000 debugging

Set up AAA
aaa new-model
!
!
aaa group server radius NPS
 server 172.16.50.1 auth-port 1645 acct-port 1646
 server 172.16.50.2 auth-port 1645 acct-port 1646
!
aaa authentication login default group NPS local
aaa authentication login CON local
aaa authentication dot1x default group NPS local
!
!
!
aaa session-id common

Setup SVI on the switch
interface Vlan10
 ip address 172.30.10.253 255.255.255.0
 ip helper-address 172.16.1.50

Set management interface
interface Loopback100
 description SWITCH MGMT
 ip address 172.30.100.10 255.255.255.255

Setup so radius can come from the management IP
ip radius source-interface Loopback100

Set up radius
radius-server host 172.16.50.1 auth-port 1645 acct-port 1646
radius-server host 172.16.50.2 auth-port 1645 acct-port 1646
radius-server retransmit 0
radius-server timeout 1
radius-server key MY-SECRET-RADIUS-KEY


****
Side note - Upgrading a 3750E to 15.2 broke RADIUS.
Change to the named radius server form and call the group:

aaa group server radius NPS
 server name NPS-1
 server name NPS-2
!
radius server NPS-1
 address ipv4 172.16.35.63 auth-port 1645 acct-port 1646
 pac key **********
!
radius server NPS-2
 address ipv4 172.16.35.43 auth-port 1645 acct-port 1646
 pac key ********
!



Setup your access ports
interface FastEthernet0/1
 switchport mode access (set the port as an access port)
 switchport access vlan 10 (data vlan for PC)
 switchport voice vlan 200 (voice vlan for IP phone)

 switchport port-security (turn on port security)
 switchport port-security maximum 2 (max 2 MAC's phone and PC)
 switchport port-security violation restrict (log and ignore the extra traffic)
 spanning-tree portfast (don't wait 60 seconds to bring the port up)
 spanning-tree bpduguard enable (err-disable the port if we detect switch/BPDU)
 no shutdown (bring the port up)

Setup trunk ports
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk





You may have to set the tftp source interface (here the management loopback set up above)
ip tftp source-interface Loopback100

Setup VTP
You won't find settings in show run. Use "sh vtp status" and "sh vtp password" on another switch and configure the same settings on the new switch. Most likely you'll want to use the client mode.
SITE-3650#sh vtp status
VTP Version                     : running VTP2
Configuration Revision          : 15
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 30
VTP Operating Mode              : Client
VTP Domain Name                 : MYDOMAIN
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7C 0x91 0x1E 0x52 0x99 0x80 0x60 0x5E




This version has an ACL (access-class 2) applied to the SSH vty lines
line con 0
 session-timeout 15
 exec-timeout 0 0
 logging synchronous
 login authentication CON
 history size 256
line vty 0 4
 session-timeout 15
 access-class 2 in
 exec-timeout 15 0
 password 7 0034212757550A045E72
 logging synchronous
 length 0
 history size 256
 transport input ssh
 transport output ssh
line vty 5 15
 session-timeout 15
 access-class 2 in
 exec-timeout 15 0
 password 7 0034212757550A045E72
 logging synchronous
 history size 256
 transport input ssh
 transport output ssh

Setup port channel interface if needed
interface Port-channel40
 description "*** PortChan members gig1/1/1 and gig2/1/1 ***"
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 10.00
 ip dhcp snooping trust

Setup port channel members (channel-group). The members' switchport settings must match the port-channel's or they are suspended with %EC-5-CANNOT_BUNDLE2; note the native VLAN differs here (10 on Port-channel40, 100 on the members), so make them the same before pasting.
interface GigabitEthernet1/1/1
 description *** Link to core ***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 mls qos trust dscp
 storm-control broadcast level 10.00
 channel-group 40 mode on
 ip dhcp snooping trust
!

interface GigabitEthernet2/1/1
 description *** link to core ***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 mls qos trust dscp
 storm-control broadcast level 10.00
 channel-group 40 mode on
 ip dhcp snooping trust

Setup eigrp
router eigrp 100
network 172.30.1.0 0.0.0.255 (wildcard mask)
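The type 9 post above and this sample config both turn on how credentials are stored and how the vty lines are exposed. Here is an added Python audit (my own example, not from the original posts) that walks a saved IOS config and flags type 0/5/7 credentials, vty lines that still allow telnet, and vty lines without an access-class; the config inside it is constructed with placeholder hashes.

```python
import re
# Constructed sample in the style of the page's sample config (placeholder hashes, not a real device).
SAMPLE_CONFIG = """\
enable secret 5 $1$abcd$PLACEHOLDER-MD5-HASH
username local-user privilege 15 password 0 P@55w0rd
username MYUSER privilege 15 secret 9 $9$PLACEHOLDER-SCRYPT-HASH
line vty 0 4
 access-class 2 in
 password 7 0034212757550A045E72
 transport input ssh
line vty 5 15
 password 7 0034212757550A045E72
 transport input telnet ssh
"""
# Encodings as stored in a saved config; type 8 (PBKDF2) and type 9 (scrypt) are not flagged.
WEAK_TYPES = {"0": "type 0 (cleartext)", "7": "type 7 (reversible)", "5": "type 5 (MD5)"}
CRED_RE = re.compile(r"\b(password|secret)\s+(\d)\s+\S+")

def _finish_vty(header, state, findings):
    # Checks that need the whole 'line vty' block: transport and access-class.
    if header is None or not header.startswith("line vty"):
        return
    transport = state.get("transport")
    if transport is None:
        findings.append(f"{header}: no explicit 'transport input'; set 'transport input ssh'")
    elif "telnet" in transport or "all" in transport:
        findings.append(f"{header}: 'transport input {' '.join(transport)}' permits telnet; use 'transport input ssh'")
    if not state.get("access_class"):
        findings.append(f"{header}: no 'access-class' restricting management sources")

def audit_ios_config(config):
    """Return finding strings for weak stored credentials and exposed vty lines."""
    findings, header, state = [], None, {}
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # a new top-level block starts here
            _finish_vty(header, state, findings)
            header, state = line, {}
        stripped = line.strip()
        m = CRED_RE.search(stripped)
        if m and m.group(2) in WEAK_TYPES:    # never echo the credential value itself
            if line.startswith(" "):          # line password under 'line ...'
                findings.append(f"{header}: {WEAK_TYPES[m.group(2)]} line password; use a login authentication list and remove it")
            else:
                subject = " ".join(stripped.split()[:2])   # e.g. 'username local-user', 'enable secret'
                findings.append(f"{subject}: {WEAK_TYPES[m.group(2)]} {m.group(1)}; re-enter with 'algorithm-type scrypt secret' (type 9)")
        if stripped.startswith("transport input"):
            state["transport"] = stripped.split()[2:]
        elif stripped.startswith("access-class"):
            state["access_class"] = True
    _finish_vty(header, state, findings)
    return findings
```

Run it against the output of show running-config saved to a file; the findings name the block, never the secret value, so the report is safe to paste into a ticket.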