Yes, the C3850 can run BGP and EIGRP or BGP and OSPF at the same time.
Of course you cannot expect the C3850 to be able to support a full BGP table that is made of 780,000 routes.
Within the prefix limits of the platform you can use two routing protocols.
Hope to help
I am attempting to mitigate the issues surrounding bug report CSCum44673. According to the software release notes found here, I need to ensure that all of my routers are on IOS version 15.2(2) or newer. I also believe I need to include the statement "ntp allow mode control 3" on each of them.
So far I've verified that all of my routers are on newer software versions than that. What I am confused about is that many of them include the statement, "ntp allow mode control 0". I was under the impression that the only allowed values were from 3 - 15. I was also under the impression that a value of 3 was the default value.
What is the effect of using a 0 for the value?
Does this effectively mean that rate limiting of ntp queries is turned off and that the router is still vulnerable to the potential DoS attack described in that bug report?
Is this command only useful if the router is set up as an ntp master ("ntp master 3" for example in the config)?
If it is only configured to synchronize with an ntp server located elsewhere ("ntp server x.x.x.x" in the config) does this command have any use?
Thanks for any clarification.
Looks like I've run into the bug report number: CSCva13731. But the bug report does not indicate that the problem is found in the version 7.3(3)N1. The bug report does say that 7.3(1)N1 is a known fixed release, so I'm going to downgrade to 7.3(1)N1 and see if this goes away.
I'm not there yet. "Dynamic VLAN assignment based on MAC-Based Authentication" is really what we've been striving for. The port is not getting assigned to the VLAN as indicated in the Access-Accept Message. I've confirmed in my Users file that the following is defined:
50f7222df327 ClearText-Password := "50f7222df327"
I can see on the Radius server's debug output that when the client gets authenticated the Access-Accept Message gets sent. The output shows:
Sending Access-Accept of id 74 to 192.168.101.2 port 43920
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-ID:0 = "118"
I even set up a SPAN port on the Nexus switch and used Wireshark to capture the Access-Accept packet to ensure that the switch is receiving it. The Access-Accept packet in Wireshark has the following Attribute Value Pairs:
AVP: t=Tunnel-Type(64) l=6 tag=0x00 val=VLAN(13)
AVP: t=Tunnel-Medium-Type(65) l=6 tag=0x00 val=IEEE-802(6)
AVP: t=Tunnel-Private-Group-ID(81) l=5 val=118
So I know that the switch is receiving the Access-Accept packet with the proper tunnel attributes. But the switch doesn't appear to be reading them or applying them as it should.
I turned on "debug radius aaa-request" and then ran: "dot1x re-authenticate int eth2/16".
Here's the output I saw:
NexusFiveKLab# dot1x re-authenticate int eth2/16
NexusFiveKLab# 2019 Jan 9 21:38:44.550973 radius: get_radius_server_info_from_group:
2019 Jan 9 21:38:44.551038 radius: radius_update_request_state_for_server(1439):retrieved the global-conf.
2019 Jan 9 21:38:44.551087 radius: is_intf_up_with_valid_ip(1347):Proper IOD is found.
2019 Jan 9 21:38:44.551146 radius: is_intf_up_with_valid_ip(1350):Port is up.
2019 Jan 9 21:38:44.551258 radius: radius_update_request_state_for_server(1519):Using if_index Vlan101
2019 Jan 9 21:38:44.551296 radius: radius_update_request_state_for_server(1594):Server-shared-secret encryption-type is PROTO_NO_ENCRYPTION.
2019 Jan 9 21:38:44.551328 radius: radius_update_request_state_for_server(1652):Server-shared-secret is present in plain.
2019 Jan 9 21:38:44.551397 radius: radius_update_request_state_for_server(1679): request->id : 74
2019 Jan 9 21:38:44.551509 radius: num_inet_addrs: 1 first s_addr: 40216768 188.8.131.52 s6_addr : c0a8:6502::
2019 Jan 9 21:38:44.551546 radius: radius_get_ip_local_from_src_index(413):interface ip_type: IPV4
2019 Jan 9 21:38:44.551580 radius: s_addr no: 0, numeric_ip: 40216768, ip: 184.108.40.206
2019 Jan 9 21:38:44.551614 radius: get_destination_socket: last_id = 74
2019 Jan 9 21:38:44.551645 radius: getaddrinfo serv_port 1812
2019 Jan 9 21:38:44.551676 radius: get_destination_socket(271): Setting context id to 1
2019 Jan 9 21:38:44.552222 radius: radius_set_src_intf(1944):setsockopt success, using src-intf:for server: 192.168.101.11 for sock: 44 Error returned:0x0 errno string:No such file or directory
2019 Jan 9 21:38:44.553524 radius: radius_request_process: DATA_AVAILABLE
2019 Jan 9 21:38:46 NexusFiveKLab %DOT1X-3-AUTH_SUCCESS: Authorization successfull Dot1x authentication on interface Ethernet2/16
I'm concerned about the 3rd from the bottom and the 2nd from the bottom lines. I'm thinking that's where the switch is failing to read the tunnel attributes or to apply them. I'm interested in knowing what it means on the 2nd from the bottom line about DATA_AVAILABLE. I'm feeling like this is getting to the point where I need genuine Cisco support or an engineer to look into the guts of the software.
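An added example, not part of the original post and not Cisco or FreeRADIUS code: a small parser that checks an Access-Accept attribute section for the three tunnel attributes used for dynamic VLAN assignment (RFC 3580), including the RFC 2868 rule for the optional tag byte on Tunnel-Private-Group-ID. The function names are hypothetical and the sample bytes are constructed from the AVP values shown in the capture above.

```python
# Attribute type numbers from RFC 2868, as shown in the Wireshark capture.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def parse_avps(data):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        avps.append((atype, data[i + 2:i + alen]))
        i += alen
    return avps


def vlan_from_accept(data):
    """Return the VLAN ID string if the tunnel triple is complete, else None."""
    tunnel_type = medium = vlan = None
    for atype, value in parse_avps(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            # One tag byte followed by a 3-byte big-endian value.
            number = int.from_bytes(value[1:], "big")
            if atype == TUNNEL_TYPE:
                tunnel_type = number
            else:
                medium = number
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte above 0x1F is part of the string, not a tag.
            text = value[1:] if value[0] <= 0x1F else value
            vlan = text.decode("ascii", errors="replace")
    if tunnel_type == VLAN and medium == IEEE_802 and vlan:
        return vlan
    return None


def avp(atype, value):
    """Build one attribute: type, length (header included), value."""
    return bytes([atype, len(value) + 2]) + value


# Constructed bytes matching the three AVPs in the capture (l=6, l=6, l=5).
SAMPLE = avp(64, b"\x00\x00\x00\x0d") + avp(65, b"\x00\x00\x00\x06") + avp(81, b"118")
# Constructed variants: tagged attributes, and a reply missing Tunnel-Medium-Type.
TAGGED = avp(64, b"\x01\x00\x00\x0d") + avp(65, b"\x01\x00\x00\x06") + avp(81, b"\x01118")
MISSING_MEDIUM = avp(64, b"\x00\x00\x00\x0d") + avp(81, b"118")
```
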
Yes. You will find the information in the above pasted link under Ordering Information. For a 7841 you will need to order this:
Cisco IP Phone 7841 shipped with multiplatform phone firmware