Cisco 3850 LAN Base license slow throughput

I was working on a installation and configuration of a C3850 switch with LAN base license.

What is in the name with LAN Base license…  As we all know from previous licenses (like 3750-X licenses), there is no routing available but… there is basic routing functionality available in the LAN base license for C3850 switches!

There are some limitations for routing with LAN base license though:

  • Maximum of 15 static routes
  • no routing protocols, only static routing

During the test phase of our implementation, we encountered performance issues:

  • File transfers inside VLAN’s: no issues
  • Inter-VLAN file transfers: slow throughput with a maximum of ~10Mb/s

Continue reading

Cisco Champions

I wrote a blog about Cisco Champion nominations a few weeks ago: this post. Today, november 15th, the first Cisco Champions are selected and I’m very honored and proud to let you know that I’m invited to the program!

I’ll keep you informed about the program and offcourse I keep blogging about the technologies and products I work with. This all to share the needed knowledge to everyone who needs it.

I want to thank everyone who nominated me for the program!

cisco_champions BADGE_200x200


Cisco Champion nominations

Cisco started the Cisco Champion program for people who are passionate about (Cisco) Datacenter technologies and love to share their knowledge with the rest of the world by blogging, twittering and other social media.

The nominations are open until oct 31th and it’s possible to nominate me and all other great bloggers we all check out regularly.

How to nominate?

Send your nomination to and make sure the text “Data Center” is in the message body.

All nominations are appreciated!

More information about the Cisco Champion program can be found here:


Cisco ISE Part 10: Profiling and posture

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.

The blogpost Agenda:

Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture

This week, the last post in the Cisco ISE blog post series: Profiling and posture. For both features is the Cisco ISE advanced license required.

Profiler is a functionality for discovering, locating and determing the capabilities of the attached endpoints. It will detect the network type and will authorize it.

A sensor in the network captures network packets by quering the NADs, it forwards the attributes to the analyzer. The analyzer checks the attributes using policies and identity groups. The results is stored in the ISE database with the corresponding device profile. The MAC address of the device will be linked to a existing endpoint identity group.

There are 9 availabled probes:

  • Netflow
  • DHCP
  • HTTP
  • NMAP
  • DNS

Profiling uses CoA (change of authorization). There are 3 options:

  • No CoA: CoA is disabled
  • Port bounce: use this only of there is a single session on a switchport
  • Reauth: enforce reauthentication of a currently authenticated endpoint when it’s profiled

ISE creates three identity groups by default and two identity groups that are specific for Cisco IP phones. Creation of extra groups is optional.

An endpoint profiling policy contains a simple condition or a set of conditions (compound).


Probe configuration

First, make sure the ISE appliance can SNMP to the switches (SNMPv2 or 3) with a read only community string. Also, configure a snmp trap destination to Cisco ISE policy node.

Switch(config)# snmp-server host version 3 priv ISE
Switch(config)# snmp-server enable traps snmp linkdown linkup
Switch(config)# snmp-server enable traps mac-notification change move

On all interfaces:
Switch(config-if)# snmp trap mac-notification change added

For DHCP probing, configure an additional IP helper on the SVI to the policy node:

Switch(config-if)# ip helper-address

Cisco ISE configuration

Click Administration – System – Settings, click Profiling and configure the CoA.


Continue reading

How to: Cisco WLC Tacacs/radius for management

It took some time this morning for configuring a RADIUS or TACACS server for management access to a Cisco WLC. So, let’s write a short how-to:

  1. Login into the WLC and click Security – AAA – TACACS+ (or Radius) – Authentication
  2. Click New and enter:
    • Server IP Address – IP address of the TACACS server
    • Shared secret – The configured shared secret on the TACACS server
  3. If you’re using TACACS, click Authorization and enter the same Server IP address and Shared Secret. Configuring accounting is optional
  4. Click Security – Priority order – Management user and make sure TACACS (or radius) is in top of the list