I have Prime compliance working to check to make sure the expected config is present. But how can I use Prime compliance to find additional config that is not needed? For example, I have a switch with the following config, and 'length 0' is not supposed to be there. How can I get Prime to report this?   line vty 0 4 access-class ADMINS in logging synchronous login authentication vtylogin length 0 transport input ssh transport output ssh line vty 5 15 access-class ADMINS in logging synchronous login authentication vtylogin transport input ssh transport output ssh ... View more

I have a template that will make an addition to all GigabitEthernet interfaces on a switch. What I need though, is how can I change a line of config under an interface ONLY if it exists?   ONLY if it exists, I want to change 'authentication timer reauthenticate 7200' to 'authentication timer reauthenticate server'.   I'm thinking nested if statements, but I'm not sure what to put in the second if statement. I dont know how to write the syntax for the logic "if 'authentication timer reauthenticate 7200' exists, then change to 'authentication timer reauthenticate server'.   #foreach( $interfaceName in $interfaceNameList ) #if( $interfaceName.startsWith("GigabitEthernet") ) interface $interfaceName #if( ???????? ) authentication timer reauthenticate server #end #end ... View more

I'm wondering if it's valuable for me to remove applications from a policy that I am not interested in (even in the irrelevant column) in an effort to make the policy smaller? I'm not worried about TCAM or overhead, more so about the number of lines of config. Would it help much for me to go in and remove certain applications from the policy? I am running 1.6.3 ... View more

I am planning an EasyQos deployment. I love the tool, but I don't like how it identified each voice endpoint on the switch, then adds each IP as an ACE in the voice ACL. So I'm hoping that one of two things could happen...   1) Can I somehow substitute the voice subnet (always known) instead of each individual IP? I know I could do this manually, but that kind of defeats the point. 2) Can I have APIC-EM automatically re-apply the policy on a regular basis to make sure the ACL is kept up to date? I am running 1.6.3 ... View more

ISE 2.2 patch 7   In my endpoint database, I see > 800 endpoints that show up in the 'Profiled' identity group with the Endpoint-Profile 'Cisco-Switch'. The attributes show these devices as my actual LAN switches gained from the SNMPQuery probe. I don't even have the SNMPQuery probe enabled. Maybe these got added at a time when I did? I'm seeing them with an inactivedays count of >200 days. Any reason I shouldn't remove these from the endpoint database?   I also have a bunch of endpoints showing up as 'Cisco-Device' where they were entered because of the CTS client login. Can these be regularly purged as well? ... View more

ISE 2.2 Patch 6   I just noticed I had over 20,000 endpoints that had not been purged by my GuestEndpoint purge rule. Further investigation shows that the guests hitting the portal were not getting added to teh guestEndpoints identity group as instructed in the hotspot portal configuration.    I have 3 authorization rules for this process. 1) If GuestEndpoints then allow ("Remember Me") 2) If from guest SSID and using Guest Flow then allow 3) If call check and from guest SSID then redirect to hotspot (only using AUP) deny   Looking back at this, I honestly don't remember why i put that second rule. A couple years ago, I was using a CWA with un/pw before switching to a hotspot. I'm thinking that is old configuration that I don't need. Regardless, I don't think that's the reason that users are hitting the hotspot rule, but not getting put in the GuestEndpoints group. Could they be hitting the AUP and not accepting, therefore are stuck in limbo? That's the only thing I can think of.  ... View more

I have been troubleshooting a TCAM exhaustion issue on a 4500 (v3.6.3). The issue resolves itself when I remove 'cts role-based enforcement' from my global config. My question, do I really need that command for a L2 only switch? I still have the command 'cts role-based enforcement vlan-list all' enabled. Do I need both commands or just the vlan-list command? I am trying to do SGTs with SGACL enforcement. Thanks. ... View more

Can someone show me what a healthy live log looks like with a roaming wireless client? Particularly a client roaming between different controllers. I can't seem to get a clear answer on this. Thanks.  ... View more

I am using ISE (1.4 patch 8) to auth clients on my wireless guest network. Most are done via web portal with a registered device group. I am getting a lot of CoA failures and Radius drops. The cause seems to be from roaming clients. I have four WISMs. All my WAPs are located on a WISM based on their building. So all WAPs in a particular building are on the same WISM. But people walking around campus still transfer to different controllers, which causes a bunch of re-auths (and CoA failures) in ISE. Screenshot attached.  I'm trying to find a way to stop this behavior. Any help is appreciated.  Also, could someone tell or show me what a live log SHOULD look like when there are roaming clients? ... View more