12-01-2022 05:42 AM
Hi,
A customer has PLC devices that require 10Mbit half-duplex to be configured on the switch ports. The switch ports are configured with 802.1x and MAB and the PLC gets authenticated based on MAC address in ISE.
In ISE I push the RADIUS attribute smartport PLC10HALF to the switch and it executes it as expected. The issue is when it changes the duplex the port goes down, which in turn causes the LINKUP == NO to trigger. This ends up in an endless bouncing on the port.
Macro configuration
macro auto execute PLC10HALF {
if [[ $LINKUP == YES ]]
then conf t
interface $INTERFACE
macro description $TRIGGER
speed 10
duplex half
exit
end
fi
if [[ $LINKUP == NO ]]
then conf t
interface $INTERFACE
no macro description $TRIGGER
speed auto
duplex auto
exit
end
fi
}
Port is bouncing
Dec 1 14:26:44.793 CET: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
Dec 1 14:26:45.799 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
Dec 1 14:26:49.289 CET: %DOT1X-5-FAIL: Authentication failed for client (00e0.4c00.0001) on Interface Fa1/1 AuditSessionID 0A80EE0A0000002100F96188
Dec 1 14:26:49.389 CET: %AUTOSMARTPORT-5-INSERT: Device detected on interface FastEthernet1/1, executed PLC10HALF
Dec 1 14:26:49.532 CET: %SYS-5-CONFIG_I: Configured from console by tty17
Dec 1 14:26:50.564 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down
Dec 1 14:26:51.562 CET: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to down
Dec 1 14:26:51.696 CET: %SYS-5-CONFIG_I: Configured from console by tty17
Dec 1 14:26:51.696 CET: %AUTOSMARTPORT-5-REMOVE: Device removed from interface FastEthernet1/1, executed PLC10HALF to remove the configuration
Dec 1 14:26:55.245 CET: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
Dec 1 14:26:56.251 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
Dec 1 14:26:59.489 CET: %DOT1X-5-FAIL: Authentication failed for client (00e0.4c00.0001) on Interface Fa1/1 AuditSessionID 0A80EE0A0000002200F98950
Dec 1 14:26:59.590 CET: %AUTOSMARTPORT-5-INSERT: Device detected on interface FastEthernet1/1, executed PLC10HALF
Dec 1 14:26:59.749 CET: %SYS-5-CONFIG_I: Configured from console by tty17
Dec 1 14:27:00.773 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down
Dec 1 14:27:01.779 CET: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to down
Dec 1 14:27:01.930 CET: %SYS-5-CONFIG_I: Configured from console by tty17
Dec 1 14:27:01.930 CET: %AUTOSMARTPORT-5-REMOVE: Device removed from interface FastEthernet1/1, executed PLC10HALF to remove the configuration
Dec 1 14:27:08.364 CET: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
Dec 1 14:27:09.371 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
Dec 1 14:27:13.146 CET: %DOT1X-5-FAIL: Authentication failed for client (00e0.4c00.0001) on Interface Fa1/1 AuditSessionID 0A80EE0A0000002300F9BEB1
Dec 1 14:27:13.213 CET: %AUTOSMARTPORT-5-INSERT: Device detected on interface FastEthernet1/1, executed PLC10HALF
Dec 1 14:27:13.347 CET: %SYS-5-CONFIG_I: Configured from console by tty17
Dec 1 14:27:14.371 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down
Dec 1 14:27:15.369 CET: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to down
Dec 1 14:27:15.503 CET: %SYS-5-CONFIG_I: Configured from console by tty17
Dec 1 14:27:15.503 CET: %AUTOSMARTPORT-5-REMOVE: Device removed from interface FastEthernet1/1, executed PLC10HALF to remove the configuration
Any suggestions or ideas on how we can solve this issue? Customer has several hundred PLCs of this type and they are sometimes moving devices around between ports. Everything should be dynamic/automatic, so omitting the $LINKUP == NO to just put the 10Half config permanently isn't an option for now. They also have over a hundred authorization policies for all different kinds of devices and configuring all of those to set back to auto-auto with another macro isn't good either.
Thank you!
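To find which ports are caught in the insert/remove loop shown in the log above, the syslog can be scanned for an AUTOSMARTPORT-5-INSERT followed within seconds by an AUTOSMARTPORT-5-REMOVE on the same interface. This is an added example, not part of the original post; the function name, the 5-second window, the 3-cycle threshold and the year (the syslog lines carry none) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# FastEthernet1/1 lines are copied from the log in the post;
# the FastEthernet1/2 line is constructed to show a port that stays up.
SAMPLE = """\
Dec 1 14:26:49.389 CET: %AUTOSMARTPORT-5-INSERT: Device detected on interface FastEthernet1/1, executed PLC10HALF
Dec 1 14:26:51.696 CET: %AUTOSMARTPORT-5-REMOVE: Device removed from interface FastEthernet1/1, executed PLC10HALF to remove the configuration
Dec 1 14:26:55.000 CET: %AUTOSMARTPORT-5-INSERT: Device detected on interface FastEthernet1/2, executed PLC10HALF
Dec 1 14:26:59.590 CET: %AUTOSMARTPORT-5-INSERT: Device detected on interface FastEthernet1/1, executed PLC10HALF
Dec 1 14:27:01.930 CET: %AUTOSMARTPORT-5-REMOVE: Device removed from interface FastEthernet1/1, executed PLC10HALF to remove the configuration
Dec 1 14:27:13.213 CET: %AUTOSMARTPORT-5-INSERT: Device detected on interface FastEthernet1/1, executed PLC10HALF
Dec 1 14:27:15.503 CET: %AUTOSMARTPORT-5-REMOVE: Device removed from interface FastEthernet1/1, executed PLC10HALF to remove the configuration
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:.]+) \w+: %AUTOSMARTPORT-5-(?P<kind>INSERT|REMOVE): "
    r".*?interface (?P<intf>[^,\s]+), executed (?P<macro>\S+)"
)

def find_bounce_loops(log_text, window_s=5.0, min_cycles=3, year=2022):
    """Return {(interface, macro): cycles} for ports where the macro is
    applied and then removed again within window_s, at least min_cycles times."""
    last_insert = {}            # (interface, macro) -> time of the pending INSERT
    cycles = defaultdict(int)   # (interface, macro) -> completed insert/remove cycles
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue            # link, dot1x and config messages are ignored here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        key = (m["intf"], m["macro"])
        if m["kind"] == "INSERT":
            last_insert[key] = ts
        elif key in last_insert:
            # REMOVE shortly after INSERT: the macro's own change dropped the link
            if (ts - last_insert.pop(key)).total_seconds() <= window_s:
                cycles[key] += 1
    return {k: n for k, n in cycles.items() if n >= min_cycles}

if __name__ == "__main__":
    for (intf, macro), n in find_bounce_loops(SAMPLE).items():
        print(f"{intf}: {macro} applied and removed {n} times in a row")
```

Each cycle also opens a new authentication session (note the changing AuditSessionID in the log), so ports flagged here generate repeated requests against ISE as well.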
12-01-2022 06:35 AM
Hi
Why do you want to hardcode the speed and duplex? By default the speed will find out what speed to use, and the duplex setting will be half duplex if the connected device does not negotiate. Just leave it in auto/auto and the PLCs will connect.
/Mikael
12-01-2022 06:48 AM
Hi @mlund - The best practice from the PLC manufacturer states that the switch side needs to be hardcoded. And there have been a few incidents where it didn't default to 10Half as expected.
12-06-2022 03:18 AM
I'm curious, what was the result when it didn't go to 10half?
I have nothing to test with, and I'm not sure if it is supported, but is it possible to insert a Wait command? Something like this:
if [[ $LINKUP == NO ]]
wait 10 <<<< maybe something lower?
if [[ $LINKUP == NO ]]
then conf t
and so on