Connecting the world…


Catalyst 3750X licensing

While making a kit list for a network design with Cisco Catalyst 3750X switches, I got confused while looking at the different licensing features. The Cisco Catalyst 3750X switches are available with multiple licensing options, which can be upgraded.

A new switch can be ordered with two licensing options. These are LAN Base (Enhanced Intelligent Services) and IP Base (Baseline Enterprise Services). However an additional license is available: IP Services (Enterprise Services). The LAN Base feature is relative new for this switch. A normal Cisco Catalyst 3750 is a multilayer switch with routing capabilities by default. The LAN Base licensing only allows the usage of layer 2 “switching” features and no routing capabilities.

The LAN Base feature set offers enhanced intelligent services that includes comprehensive Layer 2 features. The IP Base feature set provides baseline enterprise services in addition to all LAN Base features. IP Base also includes the support for routed access, StackPower, and MACsec. The IP Services feature set provides full enterprise services that includes advanced Layer 3 features such as Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Protocol Independent Multicast (PIM), and IPv6 routing such as OSPFv3 and EIGRPv6. IP Services feature set also includes the Embedded Event Manager (EEM) and IP service-level agreements (SLAs) initiator functionalities. All software feature sets support advanced security, QoS, and management features. The IP Services feature set is only available as an upgrade option at the time of ordering or through a license at a later time; there is no dedicated IP Services switch model. [Source]

As I mentioned before, by default, the Cisco Catalyst 3750X can only be ordered with the LAN Base or IP Base license. Customers have the ability to upgrade from LAN Base to IP Base or from IP Base to IP Services. Below you see the article numbers for the different upgrades:

C3750X-24-L-S C3750X-24 LAN Base to IP Base Paper License
C3750X-48-L-S C3750X-48 LAN Base to IP Base Paper License
L-C3750X-24-L-S C3750X-24 LAN Base to IP Base E-License
L-C3750X-48-L-S C3750X-48 LAN Base to IP Base E-License
LL-C3750X-24-L-S C3750X-24 LAN Base to IP Base E-License for Used Switch
LL-C3750X-48-L-S C3750X-48 LAN Base to IP Base E-License for Used Switch
C3750X-24-IOS-S-E C3750X-24 IP Base to IP Services factory IOS Upgrade
C3750X-48-IOS-S-E C3750X-48 IP Base to IP Services factory IOS Upgrade
C3750X-24-L-E C3750X-24 IP Base to IP Services Paper License
C3750X-48-L-E C3750X-48 IP Base to IP Services Paper License
L-C3750X-24-L-E C3750X-24 IP Base to IP Services E-License
L-C3750X-48-L-E C3750X-48 IP Base to IP Services E-License
LL-C3750X-24-L-E C3750X-24 IP Base to IP Services E-License for Used Switch
LL-C3750X-48-L-E C3750X-48 IP Base to IP Services E-License for Used Switch

Hhhhmm, as you can see you have multiple choices for upgrading from LAN Base to IP Base or from IP Base to IP Services. But what do they all mean?!?! I didn’t know exactly and had doubts, so I asked our Cisco account manager and he gave me the following information.

Factory IOS Upgrade You can directly upgrade from IP Base to IP Services at the moment you buy the switch. To receive a switch with an IP Services software image, you simply have to add the “IP Base to IP Services Factory Upgrade”. The article number contains only the license which can be used with a brand new switch.
Paper License You need to order this license if you already have the switch or if you are already using the switch. With the Paper License you receive a PAK code in paper format
E-License Comparable to Paper License, but the license is delivered via e-mail.
E-License for Used Switch This license is delivered via e-mail and needs to be ordered if you would like to upgrade a refurbished switch

The above explanation cleared a lot of my confusion about the new licensing mechanism. Hope it will help you too.

Where is the Internet Authentication Service?

Microsoft IAS server is often used as RADIUS server to authenticate VPN users or in conjunction with ISA reverse proxy to authenticate OWA users or PDA synchronization.

Today I had to install an ISA reverse proxy server with ISA 2006 Standard and Exchange 2007. I wanted to install Microsoft IAS as RADIUS server to authenticate the OWA users. Normally I install IAS on one, but preferably, on two domain controllers. I logged in on a domain controller through RDP. I noticed that the OS of the domain controller was Windows Server 2008.

Cool, finally working with a Windows Server 2008. After getting familiarized with the new view and layout, I started to search for a way to add the needed Windows component IAS. After searching for a while I found how to add Windows component. Looking at the complete list, I couldn’t find the Internet Authentication Service.

Oops, did Microsoft remove the IAS functionality from its server platform??? After googling for a second, I found that IAS has been replaced by Network Policy and Access Server service in Windows 2008.

Microsoft TechNet told me the following:

Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003.


As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers. NPS also acts as a health evaluation server for Network Access Protection (NAP). Source

After installing NPS, I started the configuration. You really have to get familiar with the way Windows Server 2008 works. There are a lot of different wizard and multiple configuration options to choose from. Everything looks a bit more fancy. NPS is not only a replacement for IAS, but has also many enhancements.

More information about installing and configuration Network Policy Server can be found in the article Understanding the new Windows Server 2008 Network Policy Server on Here you can read that NPS has a lot of functions related to Network Access Protocol (NAP). A very detailed example of using NPS to perform NAP can be found in Brian Posey’s series An Introduction to Network Access Protoction.