IOS-XE Smartport Macro for changing speed/duplex on 802.1x port

stefan.tabell
Level 1

Hi,

A customer has PLC devices that require 10Mbit half-duplex to be configured on the switch ports. The switch ports are configured with 802.1x and MAB and the PLC gets authenticated based on MAC address in ISE.

In ISE I push the RADIUS attribute smartport PLC10HALF to the switch and it executes it as expected. The issue is that when it changes the duplex the port goes down, which in turn causes the LINKUP == NO to trigger. This ends up in an endless bouncing on the port.

 

Macro configuration
macro auto execute PLC10HALF {
if [[ $LINKUP == YES ]]
then conf t
interface $INTERFACE
macro description $TRIGGER
speed 10
duplex half
exit
end
fi
if [[ $LINKUP == NO ]]
then conf t
interface $INTERFACE
no macro description $TRIGGER
speed auto
duplex auto
exit
end
fi
}

 

Port is bouncing
Dec 1 14:26:44.793 CET: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
Dec 1 14:26:45.799 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
Dec 1 14:26:49.289 CET: %DOT1X-5-FAIL: Authentication failed for client (00e0.4c00.0001) on Interface Fa1/1 AuditSessionID 0A80EE0A0000002100F96188
Dec 1 14:26:49.389 CET: %AUTOSMARTPORT-5-INSERT: Device detected on interface FastEthernet1/1, executed PLC10HALF
Dec 1 14:26:49.532 CET: %SYS-5-CONFIG_I: Configured from console by tty17
Dec 1 14:26:50.564 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down
Dec 1 14:26:51.562 CET: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to down
Dec 1 14:26:51.696 CET: %SYS-5-CONFIG_I: Configured from console by tty17
Dec 1 14:26:51.696 CET: %AUTOSMARTPORT-5-REMOVE: Device removed from interface FastEthernet1/1, executed PLC10HALF to remove the configuration
Dec 1 14:26:55.245 CET: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
Dec 1 14:26:56.251 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
Dec 1 14:26:59.489 CET: %DOT1X-5-FAIL: Authentication failed for client (00e0.4c00.0001) on Interface Fa1/1 AuditSessionID 0A80EE0A0000002200F98950
Dec 1 14:26:59.590 CET: %AUTOSMARTPORT-5-INSERT: Device detected on interface FastEthernet1/1, executed PLC10HALF
Dec 1 14:26:59.749 CET: %SYS-5-CONFIG_I: Configured from console by tty17
Dec 1 14:27:00.773 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down
Dec 1 14:27:01.779 CET: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to down
Dec 1 14:27:01.930 CET: %SYS-5-CONFIG_I: Configured from console by tty17
Dec 1 14:27:01.930 CET: %AUTOSMARTPORT-5-REMOVE: Device removed from interface FastEthernet1/1, executed PLC10HALF to remove the configuration
Dec 1 14:27:08.364 CET: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
Dec 1 14:27:09.371 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
Dec 1 14:27:13.146 CET: %DOT1X-5-FAIL: Authentication failed for client (00e0.4c00.0001) on Interface Fa1/1 AuditSessionID 0A80EE0A0000002300F9BEB1
Dec 1 14:27:13.213 CET: %AUTOSMARTPORT-5-INSERT: Device detected on interface FastEthernet1/1, executed PLC10HALF
Dec 1 14:27:13.347 CET: %SYS-5-CONFIG_I: Configured from console by tty17
Dec 1 14:27:14.371 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down
Dec 1 14:27:15.369 CET: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to down
Dec 1 14:27:15.503 CET: %SYS-5-CONFIG_I: Configured from console by tty17
Dec 1 14:27:15.503 CET: %AUTOSMARTPORT-5-REMOVE: Device removed from interface FastEthernet1/1, executed PLC10HALF to remove the configuration

Any suggestions or ideas on how we can solve this issue? The customer has several hundred PLCs of this type and they sometimes move devices around between ports. Everything should be dynamic/automatic, so omitting the $LINKUP == NO to just put the 10Half config permanently isn't an option for now. They also have over a hundred authorization policies for all different kinds of devices, and configuring all of those to set back to auto-auto with another macro isn't good either.

 

Thank you!  

3 Replies

mlund
Level 7

Hi

Why do you want to hardcode the speed and duplex? By default the speed will find out what speed to use, and the duplex setting will be half duplex if the connected device does not negotiate. Just leave it in auto/auto and the PLCs will connect.

/Mikael

Hi @mlund - The best practice from the PLC manufacturer states that the switch side needs to be hardcoded. And there have been a few incidents where it didn't default to 10Half as expected.

mlund
Level 7

I'm curious, what was the result when it didn't go to 10half?

I have nothing to test with, and I'm not sure if it is supported, but is it possible to insert a Wait command? Something like this:

if [[ $LINKUP == NO ]]
wait 10 <<<< maybe something lower?
if [[ $LINKUP == NO ]]
then conf t
and so on

 
