Re: network-policy self config on interface issue

BorislavPenchev0962 · ‎12-01-2020

Hi all,

we have noticed that when we issue command: show network-policy profile

switch does not return any result, but on most interfaces we have network policy configured:

interface GigabitEthernet1/0/1
description aaa
network-policy 1234567

also in previous backups we noticed that policy nr. has changed itself several times;

how can we explain this, we are not sure if we did configured any policy ?

catalyst 2900

Regards

Boris

balaji.bandi · ‎12-02-2020

show network-policy profile - if this is not showing there is nothing offline configured 1234567

view better post us show run.

you can find more information here :

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swlldp.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

BorislavPenchev0962 · ‎12-02-2020

could that be anything online/dynamically configured , but as far as we know we are not using this;

here the tech support attached

balaji.bandi · ‎12-02-2020

Looks you have Do1.X environment with ISE - is this correct ? then it is coming from ISE.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

BorislavPenchev0962 · ‎12-02-2020

yes we do have ISE with 2.6 Patch 8. but

why then are only a few switches/network-policy profile affected of this?

We authenticate thousands of ports a day and all are authenticated against the same rule on the ISE.BR

balaji.bandi · ‎12-02-2020

That need to investigate properly - check on the ISE Live Logs and check on the switch.

1. Define the problem

2. when was this started.

3. what changes were done before this causing issue.

sometimes hard to says what went wrong. if this is not critical reset the switch and put the config(minimal) and test it.

Other note you mentioned - catalyst 2900

as per the config, it was WS-C3560CX-8PC-S - are you investigating the right device?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

BorislavPenchev0962 · ‎12-03-2020

Hi ,

l think should be OK that we see the network-policy configured on the 2900 switch ports,

as we are using port authentication policies with ISE ?

on the last years backup of 2900 switch, we see network-policy profile Nr. 1234567 then

in the middle of the year is 3412456 and in the last backup 5431254.

we are only wondering why the network-policy number is changing itself ?

did not noticed when it started - seems one year ago , but we do not keep track of the configuration changes so long.

BR

balaji.bandi · ‎12-03-2020

is this the case only this switch or all the switches ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

BorislavPenchev0962 · ‎12-03-2020

we have around 200 switches different series running different IOSes and we noticed this only on 5 devices; all switches/ports are authenticated against the same rule on ISE.

any guesses ?

BorislavPenchev0962 · ‎12-08-2020

we do have ISE with 2.6 Patch 8.

why then are only a few switches/network-policy profile affected of this?

We authenticate thousands of ports a day and all are authenticated against the same rule on the ISE.

probably we should go for TAC

balaji.bandi · ‎12-08-2020

since its developped only few switch, others work, worth open a TAC and investigate for you.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help