Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about converged networks using the Cisco Catalyst 3850 Series Switch with experts Luke Primm, Colby Beam and Nicholas Tate. Our experts will answer all your questions about understanding, configuring, and troubleshooting a converged network using the Cisco Catalyst 3850.
The Cisco Catalyst 3850 is part of a unified access solution based on Cisco’s one policy, one management, one network. One network is the convergence of wired and wireless networks into one physical infrastructure with greater intelligence, performance, features, and operational consistency for simplicity and ease of use.
The Cisco Catalyst 3850 is a converged access switch for both wired and wireless Ethernet. It brings the best of wired and wireless together by supporting wireless tunnel termination and full wireless LAN controller functionality. This technical forum is intended to help answer and aid in the deployment of the Cisco Catalyst 3850 in your network.
Luke Primm is a member of the TAC LAN switching team at Cisco responsible for the support of all Cisco IOS Software switching platforms. He has more than nine years of experience supporting small to enterprise-sized networks. Luke's technical career started as a high school computer technology teacher responsible for teaching the Cisco Networking Academy curriculum. Upon leaving the classroom, he spent the next eight years in education technology helping design and support K-12 network solutions. Luke graduated from Eastern Washington University with a BS degree in computer technology and recently achieved an MS degree in network architecture from Capella University.
Colby Beam has been a technical leader on the LAN switching team for the past year. Additionally, he spent two years working on the Cisco Nexus 5000 and 2000 platforms. He has more than eight years of experience with networking. Colby also has extensive experience with a wide variety of networks and data centers. He holds a bachelor of science degree in computer science from the University of North Carolina at Asheville.
Nicholas Tate is a senior customer support engineer in the global technical assistance center supporting wireless technologies, where he works on complex wireless enterprise issues. He has published numerous wireless documents to Cisco.com and the Cisco Support Community. Tate has been working at Cisco since 2011 and holds a degree in information computer technologies from East Carolina University.
Remember to use the rating system to let Luke, Colby, and Nicholas know if you have received an adequate response.
They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Network Infrastructure community and sub-community, LAN, Switching and Routing discussion forum shortly after the event.
This event lasts through December 13, 2013. Visit this forum often to view responses to your questions and the questions of other community members.
I have two questions. First, where can I find some documentation that will help me come up to speed with the configuration steps necessary to deploy the converged features of the 3850? Second, do APs need to be directly connected to the 3850 or can the 3850 be used as the distribution switch of a small site with alternate (i.e. 2960s) as the access switches that the APs plug into? Thanks for your time and for sharing your expertise with us.
Thanks for getting us started on this Ask the Expert event. These are very good questions that TAC gets asked a lot. Let's start with your second question. In order for APs to join a 3850 switch they DO have to be directly connected to it. They shouldn't be installed on a 2960 that is trunked to the 3850. Also, keep in mind that your APs will need to be on the same VLAN as the 3850's wireless management interface and be on access ports only.
To answer your first question. Documentation of this product is a little more limited than the classic WLC. In the past couple months TAC has put together a lot of public facing documents with more on the way. These links are great places to start.
3850/5760 Deployment Guide
NGWC GUI Config
NGWC 802.1x Config
I am looking for documentation on how to set up 3850 switches connecting to two 6509’s in a VSS cluster maximizing ten gig connects in two, three and four stack setups. I want to use it across two blades for redundancy, one being a 16 port and the other being an eight port. So multiple 10 gig connects from the 3850 stacks. Can you point me in the right direction?
Excellent question. There is no exact documentation for the topology you are describing, however here is a quick example.
switchport mode trunk
switchport mode trunk
channel-group 15 mode active
switchport mode trunk
channel-group 15 mode active
The configuration on the 6500 VSS would be almost identical except for the added encapsulation commands. The 3850 only supports Dot1Q, so there is no need to specify which encapsulation method on the 3850.
switchport trunk encapsulation dot1q
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk encapsulation dot1q
switchport mode trunk
This would give you two uplinks across a stack of 3850s, and also across the switches in the 6500 VSS creating a MEC (Multichassis EtherChannel). You could add extra links as needed or required. Let me know if there are further questions on this. The only additional configuration I can see is restricting which VLANs you want on these links.
I was able to find some documentation on best practices for 6500 VSS.
I'm replacing my 3750 with the 3850 and need to configure QoS. What are some major differences between these platforms? Thank you for your help.
This is a common question as we have a number of customers that are migrating off the 3750 and onto the 3850 platform. The biggest difference is that we no longer support MLS QOS and we have moved to an MQC (Modular QOS CLI) based configuration, which is conceptually simpler in my opinion. Customers often realize this when they try and paste their old QOS configurations into their 3850's and the commands are rejected.
Another difference is that QOS is enabled out of the box on the 3850, unlike your 3750 where you had to enable MLS QOS globally. Lastly, we have moved to a trust model in which we trust (DSCP) all markings by default on ingress. You will recall on the 3750 that this was not the case and we would strip the markings and remark. These are probably the three "biggest" differences that we explain to customers, however there are many others. I would encourage you and anyone moving to the 3850 to check out the config guide below for much more detailed explanations of the differences.
:: Configuring QoS on 3850: CLICK HERE
As noted previously, this is a common question within TAC and we usually encourage the end customer to migrate to "auto-qos" if possible. We find that auto-qos fits the vast majority of our customers' needs and its simplicity makes it an excellent option. Below are the supported auto-qos commands available.
:: Auto QoS commands
auto qos classify police
auto qos trust cos
auto qos trust dscp
auto qos video cts
auto qos video ip-camera
auto qos video media-player
auto qos voip cisco-phone
auto qos voip cisco-softphone
auto qos voip trust
:: Configuring Auto-QoS on the 3850: CLICK HERE
I hope this at least gives you a start on QOS differences, if there are any other more specific questions, please reply and I can provide a more detailed answer. Thanks!
Apart from these config guides, is there any reference guide or design guide to understand this QoS topic in detail for these product platform ?
Is there any plan to update below QoS SRND 4.0 with this latest product ?
It is my understanding that yes indeed we will be updating the campus design to include some of the newer platforms including the 3850. The timeline however is still unknown, but my guess is it will be mid to late 2014 before we have a new release. I do have a few links that I routinely provide to my customers that may help in your design process. I would also encourage you to check out the recently released End-To-End QOS Network Design book from Cisco press. It does cover both wired and wireless QOS on the 3850 and may be your best bet until we release something on CCO.
End-to-End QoS Network Design: Quality of Service for Rich-Media & Cloud Networks, 2nd Edition
Common resources that I frequently provide to my customers:
QoS on Converged Access Controllers and Lightweight APs Configuration Example
QoS Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
Enterprise Medianet Quality of Service Design 4.0—Overview
Medianet Campus QoS Design 4.0
If you have a Cisco Live subscription (FREE), you can checkout the live presentation - BRKCRS-2501 - Campus QoS Design Simplified
Go to www.ciscolive365.com (Register - it's free)
Enter BRKCRS-2501 in the search
** I would highly recommend checking out the Cisco Live presentation noted above, it's an excellent resource for not only the 3850 platform but the 3750, 4K, and 6K.
I hope this helps, please let me know if you have any further questions, thanks!
Thanks for the prompt & detailed response. All of them are really useful links.
I have already purchased that End-to-End QoS book. Will go through it soon (Noticed CH20-21 cover CA QoS ).
Yes that presentation is an excellent resource
Hello 3850 Experts,
I am wondering how to get some advice on the wireless capabilities of the Cisco 3850 switches please. In particular, I want to know if we can somehow get the Cisco 3850's to locally terminate the data traffic of a single SSID, while passing the traffic of other SSID's back to our central 5508 WLC / data centre.
Our 5508 WLC has several existing SSID's for data which work fine, but we are trying to add a Voice SSID. Our voice engineer thinks it would be great if we can terminate the wireless voice traffic on the 3850's, but the rest of the data traffic must go back to the WLC because of security reasons. Thanks for your help.
Yes this is possible. You will need to do a basic config on your 3850, have your APs join, and configure both your data and voice WLANs. By default all your data will be switched locally at the 3850. In order to get your existing SSIDs data pushed to the 5508 you will need to create an auto anchor.
The first step in this process is to ensure your 5508 has new mobility architecture turned on. This feature is only found in 126.96.36.199 or 7.5.x code or higher. (7.4.x doesn't have this feature). Next step is to create a mobility group between these 2 devices (you can also perform this as a SPG (switch pair group) if your 3850 is running in MA mode). Once the mobility group is up and running you will configure the WLAN on the 3850 to anchor the traffic to the 5508.
There isn't a good tech tip on this exact deployment; however, there are some documents you can piece together to get this up and running. Go ahead and review these and if you hit a snag go ahead and open a TAC case and we can get this configured for you.
Mobility on 3850
Mobility on 5508
Hi, I have a question about 3850 switches. How many APs are supported in each switch? And if I have a stack of these switches, does it duplicate the number of APs supported?
This is a very good question. The 3850 switch is limited to 50 APs. When you stack switches together they become one logical switch. The end result of that is 1 3850 stack will support up to 50 APs. Please note that 2 separate switches or 2 separate stacks will support 50 APs each.
Thank you for the details answer! One more question about the 3850. How many switches can be stacked together with the Catalyst 3850?
As of release 3.3, we now support nine switches in a stack. Previous to the 3.3 release, we only support a stack of four at a time.
reference: 3850 Stacking
This is one of my previous posts that expanded on the 3.3 release features
Luke, Colby, Nick -
I have an SSID configured for Web Authentication however, my clients are unable to receive the splash page. How do I resolve this issue?
Thanks for the help.
This is a good question. Web authentication redirect failures can fail for a number of reasons. These are the common issues seen here:
Client missing an IP or unable to ARP for its default gateway.
DNS resolution is failing
Mis-config on the web authentication
Captive portal disabled (relevant only for Apple devices)
I would first suggest disabling web authentication and ensure your client can reach the internet and resolve DNS as this will confirm the first 2 items. Next, take a look at the config and compare it to this section of the deployment guide. Depending on your config you will need an AAA list, a global and separate web auth parameter map configured, and your WLAN configured for web auth referencing these 2 things. Lastly, enable captive portal if you are using Apple devices. You may also want to consider being on 3.2.3 or 3.3 code for complete captive portal support.
Web Auth Deployment Guide
If the above do not work to resolve the issue feel free to open a TAC case and we'll be able to look into this one further.
When we are managing a 3850 (configured as MC) via Prime, should we add it as a switch or as a WLC? Once it is added as a switch, does Prime represent it correctly as a WLC if we have that configuration?
In my case I have switch management & WLC management on the same VLAN & there are no two different IP addresses for SW & WLC itself?
This is fine. There isn't a separate switch and WLC with this as it is all integrated. This is a good guide on how to add your device to Prime.
I got a 3700 AP under EFT & was able to get it working with 7.6.x without any issue. I got software code 03.09.06.MZP for 3850/5760 but could not get it working with 3850. AP get registered, but Radio interface get disabled once AP registered to 3850.
What are the possible cause for this ? Is there any troubleshooting commands I can use to find the cause?
Hope you can point me to a right place. Even under EFT documentation there is nothing much to assist in this situation
To give a little bit more information on this, AP (AIR-CAP3702I-Z-K9) is in "Z" regulatory domain which is the latest addition to AU/NZ. I suspect the 3850 code given to us may not work with this based on the below error msg I am getting when I try to configure the 802.11a/n/ac radio. Can you confirm this please?
Here is the 3850 information.
3850-1#sh wireless country configured
Configured Country.............................: AU - Australia
Configured Country Codes
AU - Australia : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 56 WS-C3850-48P 03.09.06.MZP cat3k_caa-universalk9 INSTALL
The code you are running isn't a normal build of code. You are correct that your country code is probably causing the issue here. I'll need to direct you to open a TAC case for assistance with enabling support for the -Z country domain.
Thanks for the reply.
Since I am doing EFT would TAC support me on this ? They may say they are not aware of such code.
I already forwarded the request to Cisco AM to get me a CA resource who can help me on this, but no luck so far.
I was wondering what will be the best wireless router to provide wireless internet to a 10 unit 3 stories apartment building? I'm currently using a motorola SB6141 cable modem with a linksys EA6500 wireless router. Timewarner is the broadband provider. Everybody in the building gets good connection its just I have to reset the wireless router about once every two weeks. Please help. thanks.
I'm not too sure why the router is acting up. If you want to root cause that I would suggest reaching out to Linksys support. They will be able to provide more direction on that issue.
Hello…..I’m installing new 3850 switches and noticed when I went to configure for SSH I got this when installing my TACACS server info “Warning: The cli will be deprecated soon”…..can you explain this?
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.02.SE RELEASE SOFTWARE (fc2)
the error got rolled over from buffer....but below is what i was putting in, and right after the "Warning: The cli will be deprecated soon" error pop up.....but it still took it however....I just thought it was strange.
config i was putting in
tacacs-server host X.X.X.X
All this means is that we changed the syntax some. It will still work, but eventually will be removed in later versions. I just tested this in the lab and got the same thing. It will also tell you the new syntax.
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.03.00SE RELEASE SOFTWARE (fc1)
3850(config)#tacacs-server host 188.8.131.52
Warning: The cli will be deprecated soon
'tacacs-server host 184.108.40.206'
Please move to 'tacacs server <name>' CLI
Therefore in the future we will be using tacacs server instead of tacacs-server host. This is usually to fall into line with other platforms to make it easier to configure when moving between platforms for platform independent features, such as tacacs.
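The move from `tacacs-server host` to `tacacs server <name>` described above can be scripted when many switches are involved. The following is an added example, not code from this thread or from Cisco: the server names (`TACACS-1`, ...) and the sample config are constructed, and it goes beyond the one line in the question by also rewriting `aaa group server tacacs+` members to `server name`, since those references otherwise still point at the legacy entries.

```python
import ipaddress
import re

# Legacy form: tacacs-server host <addr> [single-connection] [port N] [timeout N] [key ...]
LEGACY = re.compile(
    r"^tacacs-server host (?P<addr>\S+)"
    r"(?P<single> single-connection)?"
    r"(?: port (?P<port>\d+))?"
    r"(?: timeout (?P<timeout>\d+))?"
    r"(?: key (?P<key>.+))?$"
)
GROUP_MEMBER = re.compile(r"^\s+server (?P<addr>\S+)$")

# Constructed sample input (documentation addresses, placeholder key).
SAMPLE = """\
aaa new-model
aaa group server tacacs+ MGMT
 server 192.0.2.10
 server 192.0.2.11
!
tacacs-server host 192.0.2.10 key ExampleSharedSecret
tacacs-server host 192.0.2.11 timeout 5 key ExampleSharedSecret
tacacs-server host tac.example.net
"""


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def migrate_tacacs(config_text, name_prefix="TACACS-"):
    """Return (new_config, {addr: name}, skipped_lines). Names are hypothetical."""
    lines = config_text.splitlines()
    names, skipped = {}, []
    # Pass 1: name every legacy IPv4 server so group references can be rewritten.
    for line in lines:
        m = LEGACY.match(line.strip())
        if m and _is_ipv4(m["addr"]):
            names.setdefault(m["addr"], f"{name_prefix}{len(names) + 1}")
    # Pass 2: emit named server blocks and fix members of TACACS+ groups.
    out, in_group = [], False
    for line in lines:
        if not line.startswith(" "):
            in_group = line.startswith("aaa group server tacacs+ ")
        m = LEGACY.match(line.strip())
        g = GROUP_MEMBER.match(line) if in_group else None
        if m and m["addr"] in names:
            out.append(f"tacacs server {names[m['addr']]}")
            out.append(f" address ipv4 {m['addr']}")
            for opt in ("port", "timeout", "key"):
                if m[opt]:
                    out.append(f" {opt} {m[opt]}")
            if m["single"]:
                out.append(" single-connection")
        elif m:
            skipped.append(line)  # hostname target: left as-is for manual review
            out.append(line)
        elif g and g["addr"] in names:
            out.append(f" server name {names[g['addr']]}")
        else:
            out.append(line)
    return "\n".join(out), names, skipped


if __name__ == "__main__":
    print(migrate_tacacs(SAMPLE)[0])
```

Review the output before pasting it into a switch: lines returned in `skipped` still use the deprecated form, and shared keys appear in clear text in the generated block exactly as they did in the input.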
All of the switches in the stack have to have the same license level
What are the license requirements for a Cisco Catalyst 3850 switch stack?
A. In a Cisco Catalyst 3850 stack, all switches should be at the same image-based license (IP Services/IPBase/LAN Base) level. The active switch license level is considered as the reference, and the member switch licenses are compared against it. If there is a mismatch, the active switch with the syslog message "license mismatch error" indicates that the stacking was unsuccessful.
The mgmt interface is in its own VRF and would be treated as a "host" interface. You cannot put it in a different VRF. The only configuration is an IP address
vrf forwarding Mgmt-vrf
ip address X.X.X.X X.X.X.X
no ip route-cache
You would also need to create a default route for this VRF. Example:
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 Y.Y.Y.Y
If you wish to use this interface for copying TO the switch, you would need to configure the following. This will tell the switch to use this interface
ip ftp source-interface GigabitEthernet0/0
ip tftp source-interface GigabitEthernet0/0
The upstream device that this Gi0/0 is plugged into just needs to be configured as a switchport access vlan. Typically customers put this in their mgmt vlan that they have configured in their network to access their devices via ssh/telnet.
Let me know if you have further questions.
Hello we are also upgrading our campus 3750 switches with 3850….I want to know is there any big changes in trunking, etherchanneling, or portchanneling with this new IOS XE 3.3? any new particular steps. Also can you point me to 3850 documentation for NetFlow, and NetFlow_v9.
The biggest difference between these three things (trunking, etherchanneling, port-channeling) is we only support Dot1Q now on the 3850 vs the 3750. ISL is gone. This is across all versions for 3850, not specific to 3.3.0. I would also check out Luke's post above about QoS on the 3850 vs 3750 as we moved from MLS QoS to MQC QoS. This is a major change.
I would check out the "what's new" for 3.3.0 to get the newest features as we did add some significant feature improvements.
Below is the config guide for NetFlow. I started you off at the restrictions as we support flexible netflow on the 3850.
Thank you for the second question. I like your interest in this new product and will be glad to help.
This can happen for a couple of reasons. Start with the basic, are your APs connected and are the wireless networks on and the radios on the APs up?
Generally, when I see this issue popping up I see that the SSIDs are outside of the default AP group called "default-group". If your WLAN ID number is higher than WLAN ID 16, your SSIDs are not placed in the Default-Group and your SSIDs are not broadcasted. There are 2 ways to correct this. Rewrite your WLAN config to a WLAN ID between 1-16 or create an AP group and assign an AP to the new AP group.
Let us know if you have any other questions.