Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About andrewswanson
08-27-2019
Stats
Member since
05-02-2006
532
Posts
293
Helpful
39
Solutions
08-21-2019
11:46 AM
Hi Reza - yes, I was planning to do the "impact" verification before each upgrade. The impact of the first upgrade looked minimal (no bios, power etc upgrades) so I was hoping that upgrade wouldn't take too long. I've arranged a maintenance window for the work so the NAS/VM admins are aware. Thanks again Andy
... View more
08-21-2019
09:12 AM
Thank you both for the replies. I'll go down the non-ISSU disruptive upgrade path recommended by Cisco (upgrading one switch at a time). I'll mark question as answered and update with anything new after the upgrades are complete Cheers Andy
... View more
08-21-2019
04:48 AM
Hi I'm looking at upgrading cisco Nexus5548 switches (vPc) from 5.2(1)N1(4) to 7.3(5)N1(1). The cisco documentation suggests the upgrade path should be: 5.2(1)N1(4) > 5.2(1)N1(6) > 7.0(8)N1(1) > 7.1(4)N1(1) > 7.3(5)N1(1) The ISSU verify install for 5.2(1)N1(4) > 5.2(1)N1(6) fails due to the Nexus 5k uplinks (connecting to 6500 VSS) having a spanning-tree type of normal. As a result I'm looking to do a disruptive upgrade. Is it possible to do a single disruptive upgrade from 5.2(1)N1(4) directly to 7.3(5)N1(1) or do I still have to follow the Cisco recommended path. If this is possible, when the first Nexus is upgraded to 7.3(5)N1(1) will the vpc peer-link to the Nexus still running 5.2(1)N1(4) come up ok? The Nexus setup is pretty basic - no fex, just vpc's connecting fabric interconnects and some NAS. Thanks Andy
... View more
Labels:
Created by
andrewswanson
in Policy and Access
in Policy and Access
04-15-2019
04:08 AM
04-15-2019
04:08 AM
After a bit more testing I found that I couldn't enforce Trustsec policy for traffic destined to any Distribution switch owned IP Address (virtual or physical) when the source endpoint is in a Distribution switch VLAN. This was the case whether the endpoint was connected to the Access switch or the Distribution switch (distribution switch had both SRC and DST SGTs in its table). I resolved this by creating an SXP connection between Access (listener) and Distribution (speaker) so that the Access switch learned all distribution switch owned IP addresses (SGT of 2) - see below. With this in place, the Trustsec policy worked as expected with policy enforced on egress from the access switch. Not sure if this is related to the 3k hardware limitation or a bug but I'll mark thread as resolved. It'll be interesting to see if I have the same problem when the Distribution switch is a Catlayst 6880 Cheers Andy DISTRIBUTION SWITCH cts sxp filter-enable ! cts sxp filter-list SGT2 permit sgt 2 ! cts sxp filter-group speaker SGT2 peer ipv4 <ACCESS-SWITCH-MGMT-IP> ! cts sxp connection peer <ACCESS-SWITCH-MGMT-IP> source <DISTRIBUTION-SWITCH-MGMT-IP> password default mode local speaker ACCESS cts sxp connection peer <DISTRIBUTION-SWITCH-MGMT-IP> password default mode peer speaker
... View more
Created by
andrewswanson
in Policy and Access
in Policy and Access
04-13-2019
03:34 AM
04-13-2019
03:34 AM
Thanks for that - I wasn't aware of that 3k hardware limitation. I was testing the trustsec policy with Distribution switch SVI and loopback ip addresses (all with the SGT tag of 2). I can confirm that I'm running into this hardware limitation by testing the policy with a Distribution switch IP Address on a physical interface (which also has an SGT tag of 2). I'll check that next week and update the thread. Cheers Andy
... View more
Created by
andrewswanson
in Policy and Access
in Policy and Access
04-12-2019
10:30 AM
04-12-2019
10:30 AM
Hi Damien - thanks for the reply: Do you see the ip sgt mappings for both svi and pc in "sh cts role-based sgt-map all" on a single switch? No - I see ip-sgt binding for the pc only on the access layer switch and the ip-sgt binding for the vlan svi only on the distribution layer switch Within ISE, is the trustsec egress policy in "monitor mode"? No Is anything showing denied in "sh cts role-based counters"? No - I'm seeing zero hits for SGT tag 3100 (PC) to SGT 2 (SVI) I'll double check the configs and try different ios to see if that makes a difference. Thanks Andy
... View more
Created by
andrewswanson
in Policy and Access
in Policy and Access
04-12-2019
08:00 AM
04-12-2019
08:00 AM
Hi I'm working on a TrustSec dev environment using ISE for SGT assignemnt and Policy enforcement. I started looking at a policy that would restrict authenticated clients on a vlan to only ping their default gateway (vlan svi) The Distribution switch (WS-C3650-48FQM 16.8.1a) hosting the vlan SVI shows the vlan SVI as having SGT 2 (source INTERNAL) The Access switch (WS-C3650-48PD 16.9.2) connecting the PC shows the PC as having SGT 3100 (source LOCAL) ISE is configured with a policy permitting icmp only from SGT 3100 to SGT 2 - the switches download the cts environment data successfully and can be viewed from the switch cli IPv4 Role-based permissions from group 3100:TEST to group 2:TrustSec_Devices: SGACL_ICMP-01 Deny IP-00 These permissions aren't being enforced - I can still SSH to the SVI. If I set permissions to just Deny IP-00 I can still ping/ssh to the SVI. From cisco documentation: "SGACL enforcement can be applied to packets switched within a VLAN or forwarded to an SVI associated with a VLAN, but enforcement must be enabled explicitly for each VLAN" I have the command "cts role-based enforcement vlan-list <vlan>" on both access/distribution switch but policy is still not enforced. All other ISE policies work as configured but not this one - I've checked that SGT propagation (manual inline) between access/distribution is working ok. Does anyone have any idea why I can't enforce policy for SVI bound traffic? I don't think I had this issue in the past (with same/similar config) when the distribution switch was a VSS 6880. Thanks Andy
... View more
Labels:
Created by
andrewswanson
in Policy and Access
in Policy and Access
04-04-2019
01:59 AM
04-04-2019
01:59 AM
Hi David Thanks for the response. CTS cache isn't supported on Catalyst 3ks so that wasn't an option. Currently, I have periodic authentication enabled for all clients - during a Critical Authentication event, all clients are re-authenticated before the cts environment data times out. Andy
... View more
Created by
andrewswanson
in Policy and Access
in Policy and Access
01-17-2019
06:57 AM
01-17-2019
06:57 AM
Just tried version 16.9.2 and the above config works - not sure if this is related to bug CSCvn80164. This is listed as fixed but gives no details of fixed software.
My scenario differs from the bug in that:
interface control policy downloads and activates a service-template when a session starts to apply an SGT from ISE to the unauthenticated client
Once client authenticates successfully, the downloaded service-template is deactivated and ISE assigns a new SGT for the client
Andy
... View more
Created by
andrewswanson
in Policy and Access
in Policy and Access
01-17-2019
06:11 AM
01-17-2019
06:11 AM
Hi
I'm looking at implementing a TrustSec SGT policy using ibns 2.0 on some 3650 switches. The policy is intended to apply a "pre-authentication" SGT to clients until they have been authenticated successfully by ISE and has been assigned an SGT by ISE. I setup the following on switches running 03.07.05E.
1 When a session starts, the ibns 2.0 control policy applies a "pre-authentication" SGT tag to the clients traffic. This was done with a locally configured service-template on the switch. Once the client had successfully authenticated, the service-template was deactivated and the client was assigned an SGT from ISE (2.3 patch 5)
policy-map type control subscriber TEST_POLICY event session-started match-all 10 class always do-until-failure 5 activate service-template PRE-AUTH 10 authenticate using mab priority 10 ... event authentication-success match-all 10 class always do-until-failure 10 deactivate service-template PRE-AUTH 20 authorize
2 As the above worked well, I looked at moving the pre-authentication service-template onto ISE as a downloadable service-template. The ISE authorization profile ISE-PRE-AUTH was configured as a service-template with Access-Reject along with the attributes required to assign an SGT. This also worked as expected
policy-map type control subscriber TEST_POLICY event session-started match-all 10 class always do-until-failure 5 activate service-template ISE-PRE-AUTH aaa-server ISE 10 authenticate using mab priority 10 ... event authentication-success match-all 10 class always do-until-failure 10 deactivate service-template ISE-PRE-AUTH 20 authorize
3 The problem started when I tried to migrate this setup onto 16.x - I've tried this with 16.3.7 and 16.6.4a
On 16.x, applying the "pre-authentication" SGT with locally configured service-templates works as expected. The problem occurs when I move to downloadable service-templates:
The downloadable service template works as expected by applying the pre-authentication SGT However, once the client has been authenticated successfully the switch shows the client as unauthorized with no SGT tag - the client is not tagged with either the pre-authentication SGT nor the SGT assigned by ISE on successful authentication. A debug shows the message %SESSION_MGR-5-FAIL: Switch 1 R0/0: smd: Authorization failed or unapplied for client
Has anyone come across this issue with ISE downloadable service-templates on 16.x?
Thanks Andy
... View more
Labels:
11-29-2018
07:53 AM
These letters refer to the licenced feature set ordered with the switch - L (LAN Base), S (IP Base) and E (IP Services)
See switch data sheet: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3650-series-switches/data_sheet-c78-729449.html
hth Andy
... View more
Created by
andrewswanson
in Switching
in Switching
09-20-2018
01:40 PM
09-20-2018
01:40 PM
Hi
What mode are you using for your mutichassis etherchannels? From the document below:
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-virtual-switching-system-1440/109547-vss-best-practices.html
Do not use on and off options with PAgP or LACP or Trunk protocol negotiation.
PAgP Run Desirable-Desirable with MEC links.
LACP Run Active-Active with MEC links.
Trunk Run Desirable-Desirable with MEC links.
hth
Andy
... View more
Created by
andrewswanson
in Policy and Access
in Policy and Access
08-28-2018
02:10 PM
08-28-2018
02:10 PM
Hi
Originally, the ISE nodes each had a separate certificate with unique cn e.g. ise-psn.example.com which was used for EAP/admin. The new single certificate with cn=radius.example.com (with all the ISE nodes hostnames as SANs) replaced all the old certificates so it wasn't technically a certificate renewal.
Cheers
Andy
... View more
Created by
andrewswanson
in Policy and Access
in Policy and Access
08-23-2018
01:07 AM
08-23-2018
01:07 AM
Hi
I recently done a similar csr for a 5 node 2.3 deployment - when you choose "all nodes" a csr is created for all nodes.
As my csr was for a single certificate for all 5 nodes (cn=radius.example.com with the 5 node's hostnames as SANs) I submitted 1 of these csrs to be signed. When I got the signed certificate back I imported it and bound it to the ISE node the csr came from.
I then exported this certificate/key and imported it onto the other ISE nodes.
Cheers Andy
... View more
Created by
andrewswanson
in Policy and Access
in Policy and Access
08-21-2018
01:35 AM
08-21-2018
01:35 AM
Thanks for that Ayden. I'm testing 16.9.1 at the moment and interim accounting works as expected - interesting to know it also works with 16.8.1a
Cheers
Andy
... View more
08-21-2019
Hi Reza - yes, I was planning to do the "impact" verification before
each upgrade. The impact of the...
08-21-2019
Thank you both for the replies. I'll go down the non-ISSU disruptive
upgrade path recommended by Cis...
08-21-2019
HiI'm looking at upgrading cisco Nexus5548 switches (vPc) from
5.2(1)N1(4) to 7.3(5)N1(1). The cisco...
Created by
andrewswanson
in Policy and Access
04-15-2019
04-15-2019
After a bit more testing I found that I couldn't enforce Trustsec policy
for traffic destined to any...
Created by
andrewswanson
in Policy and Access
04-13-2019
04-13-2019
Thanks for that - I wasn't aware of that 3k hardware limitation. I was
testing the trustsec policy w...
Created by
andrewswanson
in Policy and Access
04-12-2019
04-12-2019
Hi Damien - thanks for the reply:Do you see the ip sgt mappings for both
svi and pc in "sh cts role-...
Created by
andrewswanson
in Policy and Access
04-12-2019
04-12-2019
HiI'm working on a TrustSec dev environment using ISE for SGT assignemnt
and Policy enforcement. I s...
04-04-2019
HiDo the affected windows machines have the correct time/date when they
reject the ISE certificate? ...
Created by
andrewswanson
in Policy and Access
04-04-2019
04-04-2019
Hi DavidThanks for the response. CTS cache isn't supported on Catalyst
3ks so that wasn't an option....
02-01-2019
Hi No, I don't see the vlan-id under ISE (2.3 patch 5) context
visibility but I can see it listed as...
02-01-2019
Hi I overlooked another method of ISE getting cdp/lldp attributes (as
well as dhcp and vlan id) - I ...
01-18-2019
Hi Device Sensor attributes (dhcp/cdp and lldp) are only sent in
accounting packets after a client h...
01-18-2019
Hi What profiling probes do you have enabled on your ISE PSN nodes?
Adding ISE PSN as a helper addre...
Created by
andrewswanson
in Policy and Access
01-17-2019
01-17-2019
Just tried version 16.9.2 and the above config works - not sure if this
is related to bug CSCvn80164...
Created by
andrewswanson
in Policy and Access
01-17-2019
01-17-2019
Hi I'm looking at implementing a TrustSec SGT policy using ibns 2.0 on
some 3650 switches. The polic...
Public Statistics
| Date Registered | 05-02-2006 05:16 AM |
| Date Last Visited | 08-27-2019 06:58 AM |
| Total Messages Posted | 532 |
| Total Helpful Votes Received | 293 |
Helpful Votes Given To
.jpg "Hall of Fame Cisco Employee"){kind=icon}
Helpful Votes From
.png "rwehe"){kind=avatar}
