
IE-1000 (ie1000) caveats before buying

Just letting anyone looking to purchase the IE-1000s (any variant) know about the product and its platform. We have about 80 IE-1000s so far and these are our impressions.

 

1) The IE-1000s DO NOT support AAA/TACACS+ (as of code 1.6). Oddly, the configuration shows up in the CLI, but it's not activated. (We have asked for a feature request, but we're not holding our breath.)

 

Cisco SR683004440

Problem description: IE-1000-8P2S-LM authentication assistance.

Resolution summary:

-Informed that, by architecture, these switches don't support RADIUS/TACACS authentication.

-They support only local authentications.

 

IE1000#
IE1000#
IE1000# sh aaa
Authentication : 
  console : local 
  telnet  : no 
  ssh     : local 
  http    : local 
Authorization : 
  console : no, commands disabled
  telnet  : no, commands disabled
  ssh     : no, commands disabled
Accounting : 
  console : no, commands disabled, exec disabled
  telnet  : no, commands disabled, exec disabled
  ssh     : no, commands disabled, exec disabled
IE1000#
IE1000#
IE1000# sh tacacs-server 
Global TACACS+ Server Timeout      : 5 seconds
Global TACACS+ Server Deadtime     : 0 minutes
Global TACACS+ Server Key          : 3689...<removed>...b61b7
No servers configured!
IE1000#
IE1000#

 

 

2) The IE-1000s DO NOT support CDP.

 

Cisco SR683689081

Problem description: IE-1000 does not speak CDP.

Resolution summary:

Indeed, as the IE-1K documentation specifies, it is only CDP aware:

https://www.cisco.com/c/en/us/products/collateral/switches/industrial-ethernet-1000-series-switches/datasheet-c78-737277.html

CDP-aware means that the IE1K can read CDP but does not send CDP advertisements. Upstream devices will not find the IE1K via CDP.

On the other hand, as the same document specifies, it is LLDP capable, so I went to my IE-1K and configured LLDP, and I was able to see it in my upstream switch after that:

  

C9300_lab#show lldp ne
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
IE1K1               Gi2/0/21       120        B               1

 

  • So it is determined that IE-1K CDP capability is limited to “aware” and it fully supports LLDP. So as a workaround the use of LLDP is suggested in order to be able to visualize the IE-1K from the upstream devices.

 

 

3) The IE-1000s don't seem to have a way to enter domain names other than the hostname. Not the end of the world, but annoying.

 

 

4) When monitoring these devices in SolarWinds Orion we have found that when we 'discover' the resources within the device we see the 'interfaces' counter on Orion go into the thousands! We thought this was an error until we finally just let it finish. What we found was Orion seems to discover ALL 4096 VLANs! So when you bring these into monitoring and they show as having 4,000+ interfaces it's normal (I guess).

 

Other than these glaring issues, we are still happy overall with the IE-1000 platform. We operate in environments that need lots of industrial/outdoor environmental equipment and having a low cost industrial switch from Cisco has been great.

If Cisco can fix the first 2 big issues we would be very appreciative.

4 REPLIES
Cisco Employee

Re: IE-1000 (ie1000) caveats before buying

Starting with a release later this (v1.7), the IE1000 will support TACACS/RADIUS for AAA authentication of network administrators.

 

Release v1.7 is scheduled for summer 2018. Check the IE1000 page on Cisco.com.

 

Beginner

Re: IE-1000 (ie1000) caveats before buying

Hi Albert,

Do you have a link to the IE1000 Roadmap?

I cannot find documentation regarding the 1.7 Software Release.

 

Regards,

Oron

Cisco Employee

Re: IE-1000 (ie1000) caveats before buying

Oron,

 

The upcoming SW release for the IE1000 will have these new features.

  • TACACS+/RADIUS - Remote Secure Access
  • PnP Agent – Zero Touch Deployment (ZTD) for volume installation
  • Port Security – 802.1x
  • Port Security – sticky port
  • BootP - Reserved IP addressing for Industrial I/O installation
  • DHCP per port - Support persistent ip addressing for attached end devices

The release is on track for this summer 2018. Check back to the IE1000 web page on cisco.com to see when the SW release is made available, or just reply to this thread.

 

ALBERT

Beginner

Re: IE-1000 (ie1000) caveats before buying

Hi to all,

I upgraded an IE1000 to rel 1.7 for TACACS access.

I configured, by web page, the TACACS server, key and AAA auth method.

The TACACS server is reachable from the device.

 

..... # ping ip  10.29.15.62

64 bytes from 10.29.15.62: icmp_seq=0, time=9ms
64 bytes from 10.29.15.62: icmp_seq=1, time=11ms
64 bytes from 10.29.15.62: icmp_seq=2, time=9ms

 

By CLI I have:

TACACS+ Server #1:
Host name : 10.29.15.62
Port : 49
Timeout : 5 seconds
Key : 40058e9c5600dfc4734b1812d176d6cbd312c5a6dd04dcaa6a3dbf1bd94f06e76fd3ea57db08c277e9dc14327aa6cd58e126e0ad2c089e170a636ea0ceb57710
ITTO6swq153IVEfm# sh aaa
Authentication :
console : local
telnet : no
ssh : tacacs local
http : tacacs local
Authorization :
console : no, commands disabled
telnet : no, commands disabled
ssh : no, commands disabled
Accounting :
console : no, commands disabled, exec disabled
telnet : no, commands disabled, exec disabled
ssh : no, commands disabled, exec disabled

 

I am not able to log in by TACACS on devices only. Is there something else to do?

 

Bye Paolo
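
The two `sh aaa` listings in this thread (local-only on 1.6, `tacacs local` on 1.7) lend themselves to a fleet-wide check of which management lines still lack remote AAA, authorization or accounting. The parser below is an added example, not part of any post and not Cisco tooling; the sample text is constructed from the listings above, and reading `no` under Authentication as "access method disabled" and `radius` as a method token are assumptions.

```python
import re

# Constructed sample, modelled on the v1.6 `sh aaa` listing in the thread.
SAMPLE_V16 = """\
Authentication :
  console : local
  telnet  : no
  ssh     : local
  http    : local
Authorization :
  console : no, commands disabled
  telnet  : no, commands disabled
  ssh     : no, commands disabled
Accounting :
  console : no, commands disabled, exec disabled
  telnet  : no, commands disabled, exec disabled
  ssh     : no, commands disabled, exec disabled
"""
# Constructed v1.7 variant: ssh/http try TACACS+ first, then fall back to local.
SAMPLE_V17 = re.sub(r"(ssh|http)(\s*): local", r"\1\2: tacacs local", SAMPLE_V16)

SECTION = re.compile(r"^(Authentication|Authorization|Accounting)\s*:$")
ENTRY = re.compile(r"^(console|telnet|ssh|http)\s*:\s*(.+)$")
CENTRAL = {"tacacs", "radius"}  # "radius" token spelling is an assumption


def parse_show_aaa(text):
    """Return {section: {access_line: [methods]}} from `sh aaa` output."""
    parsed, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # prompts and other CLI lines match neither regex
        if (m := SECTION.match(line)):
            section = parsed.setdefault(m.group(1).lower(), {})
        elif section is not None and (m := ENTRY.match(line)):
            # Keep only the method list: "no, commands disabled" -> ["no"]
            section[m.group(1)] = m.group(2).split(",")[0].split()
    return parsed


def audit(text):
    """List findings for every management line that accepts logins."""
    aaa, findings = parse_show_aaa(text), []
    for line, methods in aaa.get("authentication", {}).items():
        if methods == ["no"]:  # assumption: "no" means the method is disabled
            continue
        if not CENTRAL & set(methods):
            findings.append(f"{line}: authentication is local-only")
        for sec in ("authorization", "accounting"):
            if aaa.get(sec, {}).get(line) == ["no"]:
                findings.append(f"{line}: {sec} disabled")
    return findings
```

Feed `audit()` the captured `sh aaa` text from each switch; an empty list means every enabled management line uses remote authentication with authorization and accounting turned on.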
