Hello,

Thank you very much for your quick answer. I re-enabled "no otv suppress arp-nd" after my tests. The action that solved the problem was "no mac access-group otv_filter_fhrp in". So, as you said, the problem was the access-group, which I didn't suspect:

mac access-list extended otv_filter_fhrp
 deny 0000.0c07.ac00 0000.0000.00ff host 0000.0000.0000
 deny 0000.0c9f.f000 0000.0000.0fff host 0000.0000.0000
 deny 0007.b400.0000 0000.0000.00ff host 0000.0000.0000
 deny 0000.5e00.0100 0000.0000.00ff host 0000.0000.0000
 permit host 0000.0000.0000 host 0000.0000.0000

Thank you
Hello,

I'm trying to use OTV to extend my VLAN 101:

C3850West Gi1/1/2 <-> Gi0/0/1 ASRWest Gi0/0/0.900 <-> ISP <-> Gi0/0/0.900 ASREast Gi0/0/1 <-> Gi2/0/24 C3850East

On both C3850 I created an interface Vlan101.

West
----
interface Vlan101
 ip address 10.216.101.2 255.255.255.0
!
interface GigabitEthernet1/1/2
 description ASRWest_Gi0/0/1_OTV
 switchport trunk native vlan 999
 switchport trunk allowed vlan 101
 switchport mode trunk
!

East
----
interface Vlan101
 ip address 10.216.101.1 255.255.255.0
!
interface GigabitEthernet2/0/24
 description NET-RTSUR002_Gi0/0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 101
 switchport mode trunk

They are connected to ASR routers.

West
----
interface GigabitEthernet0/0/1
 description C3850West_Gi1/1/2_OTV_Internal
 no ip address
 carrier-delay msec 0
 negotiation auto
 cdp enable
 service instance 101 ethernet
  description ---- OTV ----
  encapsulation dot1q 101
  mac access-group otv_filter_fhrp in
  bridge-domain 101
  storm-control broadcast cir 1000000
!
interface GigabitEthernet0/0/0.900
 description To_ISP
 encapsulation dot1Q 900
 vrf forwarding ISP
 ip address 10.216.2.1 255.255.255.248
 ip pim passive
 ip igmp version 3
!
otv site bridge-domain 101
!
otv fragmentation join-interface GigabitEthernet0/0/0.900
otv site-identifier 0000.0000.0002
otv isis Site
 log-adjacency-changes
!
interface Overlay1
 no ip address
 otv join-interface GigabitEthernet0/0/0.900
 otv vpn-name OTV-1
 no otv suppress arp-nd
 otv use-adjacency-server 10.213.2.1 unicast-only
 otv adjacency-server unicast-only
 service instance 101 ethernet
  encapsulation dot1q 101
  bridge-domain 101
!

East
----
interface GigabitEthernet0/0/1
 description C3850East_Gi2/1/24_OTV_Internal
 no ip address
 carrier-delay msec 0
 negotiation auto
 cdp enable
 service instance 101 ethernet
  description ---- OTV ----
  encapsulation dot1q 101
  mac access-group otv_filter_fhrp in
  bridge-domain 101
  storm-control broadcast cir 1000000
!
interface GigabitEthernet0/0/0.900
 description To_ISP
 encapsulation dot1Q 900
 vrf forwarding ISP
 ip address 10.213.2.1 255.255.255.248
 ip pim passive
 ip igmp version 3
!
otv site bridge-domain 101
!
otv fragmentation join-interface GigabitEthernet0/0/0.900
otv site-identifier 0000.0000.0001
otv isis Site
 log-adjacency-changes
!
interface Overlay1
 no ip address
 otv join-interface GigabitEthernet0/0/0.900
 otv vpn-name OTV-1
 no otv suppress arp-nd
 otv adjacency-server unicast-only
 service instance 101 ethernet
  encapsulation dot1q 101
  bridge-domain 101
!

==============================

Now, the adjacency seems OK:

#show otv adjacency
Overlay Adjacency Database for overlay 1
Hostname  System-ID       Dest Addr   Site-ID         Up Time   State
ASREast   7070.8b39.9b00  10.213.2.1  0000.0000.0001  00:34:37  UP

The MAC address from C3850East is learnt:

ASREast#show otv route vlan 101
OTV Unicast MAC Routing Table for Overlay1
Inst VLAN BD  MAC Address     AD  Owner   Next Hops(s)
----------------------------------------------------------
0    101  101 50f7.227c.d441  40  BD Eng  Gi0/0/1:SI101

ASRWest#show otv route vlan 101
OTV Unicast MAC Routing Table for Overlay1
Inst VLAN BD  MAC Address     AD  Owner   Next Hops(s)
----------------------------------------------------------
0    101  101 50f7.227c.d441  50  ISIS    ASREast

C3850West# show ip arp vlan 101
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  10.216.101.2  -          50f7.2297.56c1  ARPA  Vlan101
Internet  10.216.101.1  26         50f7.227c.d441  ARPA  Vlan101

PROBLEM: the MAC address from C3850West is not learnt on ASRWest, ASREast and C3850East. I have no idea why. So my OTV seems all OK except that one side is not learning and sending the MAC on the OTV tunnel.

Does anyone have an idea?
On the C3850 platform QoS cannot be disabled.
I don't get why a C3850 would drop traffic with such a small load
I'm seeing output drops on an interface connected to a Wi-Fi AP.
The switch uplink is 10G and the AP is connected to 2x1G => Po
N9K <-- Po=2x10G --> C3850 <-- Po=2x1G --> AP2802i
My understanding is there's a kind of speed mismatch and too many packets want to exit the port.
I tried to reallocate buffers but I still see these drops (see the end of the post for the configuration).
The traffic has no DSCP and the second port in the Po has no errors.
Users seem to experience disconnections even when the traffic is not high, 10 Mbit/s (or even lower).
What am I missing? I read the Cisco documentation.
On the switch:

#show int gi6/0/24 | i drops|error
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 1569626
     1569626 output errors, 0 collisions, 0 interface resets

No other errors such as CRC or collisions:

#show int gi6/0/24 counters errors
Port      Align-Err  FCS-Err  Xmit-Err  Rcv-Err  UnderSize  OutDiscards
Gi6/0/24  0          0        1569626   0        0          1569626

#show policy-map int gi6/0/24
 GigabitEthernet6/0/24
  Service-policy output: NODROP
    Class-map: class-default (match-any)
      0 packets
      Match: any
      Queueing
      (total drops) 1569626
      (bytes output) 33589434502
      bandwidth 100% (1000000 kbps)
      queue-buffers ratio 100

#show platform qos queue config gi 6/0/24
DATA Port:6 GPN:956 AFD:Disabled QoSMap:1 HW Queues: 48 - 55
  DrainFast:Disabled PortSoftStart:2 - 10000
----------------------------------------------------------
   DTS  Hardmax   Softmax   PortSMin  GlblSMin  PortStEnd
   ---  --------  --------  --------  --------  ---------
 0   1  4     0   8  10000  7   800   3   300   2  10000

  Priority  Shaped/shared  weight  shaping_step
  --------  -------------  ------  ------------
 0    7        Shared        50         0

   Weight0 Max_Th0 Min_Th0 Weight1 Max_Th1 Min_Th1 Weight2 Max_Th2 Min_Th2
   ------- ------- ------- ------- ------- ------- ------- ------- -------
 0    0     7968     0       0      8906     0       0     10000     0

#show platform qos queue stats gi 6/0/24
DATA Port:6 Enqueue Counters
-------------------------------
  Queue  Buffers  Enqueue-TH0  Enqueue-TH1  Enqueue-TH2
  -----  -------  -----------  -----------  -----------
    0       0          0            0        33589711669

DATA Port:6 Drop Counters
-------------------------------
  Queue  Drop-TH0  Drop-TH1  Drop-TH2  SBufDrop  QebDrop
  -----  --------  --------  --------  --------  -------
    0        0         0      1569626      0        0

interface GigabitEthernet6/0/24
 switchport access vlan 10
 switchport mode access
 storm-control broadcast level 1.00 0.50
 storm-control action trap
 channel-group 4 mode active
 spanning-tree portfast
 service-policy output NODROP
end

policy-map NODROP
 class class-default
  bandwidth percent 100
  queue-buffers ratio 100
Hello,

Thank you for your reply. That document is very interesting. I've just read the chapter regarding profiling with APs so far and got them working properly the way they showed it. However, I'm not a big fan of MAB and profiling, because ISE retrieves CDP information collected through SNMP:

- You need CDP (or LLDP) enabled, and you might not want that for different reasons (security, interoperability...)
- A machine could lie about its identity and pretend through CDP that it's a controller, an AP, a printer and so on.

That's why the best option, in my opinion, would be that the AP sends its credentials and ISE accepts or rejects them. It's possible to do this with the Cisco APs: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99791-eapfast-wlc-rad-config.html

I'm wondering why Cisco chose a different EAP method for each of their devices (EAP-MD5 -> Cisco Phones, EAP-FAST -> AP).

So, in my humble opinion, the MAB/profiling solution is good but not optimal.
Hello,

First, thank you for your participation in this question. I've read all the answers a couple of times but I'm not sure I get it all. The goal is of course to make sure a legitimate user uses a legitimate device without using AnyConnect (EAP chaining).

a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems, since the MAC address could have been removed from the cache when the user un-hibernates the computer. Then why not increase the MAR cache to a value of 7 days? Regarding roaming between wired and wireless, it's a problem indeed.

b) You suggest using one authorization rule for the device, which should be part of the AD, and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the way, are we really talking about authorization rules here? I will try this, but it's difficult for me to imagine how it would really work.

z) One question I have been asking myself for a long time: all of us want to do machine+user authentication, but Windows writes Machine OR User Authentication. This "OR" is very confusing.

Thank you
Version: ISE 1.2p12

Hello,

I have trouble authenticating devices that use different protocols:
- Cisco IP Phones: EAP-MD5
- Windows machines: EAP-PEAP
- Cisco APs: EAP-FAST

1) I'm able to authenticate the IP Phones individually with an authentication rule:

IP PHONES: If Wired_802.1X, allowed protocols EAP-MD5

For EAP-MD5 I selected only EAP-MD5. Now if I use a generic rule

DEVICES: If Wired_802.1X, allowed protocols EAP-PEAP-FAST-MD5

with EAP-PEAP-FAST-MD5 having EAP-PEAP, EAP-FAST and EAP-MD5 selected, it doesn't work. ISE says that there's a protocol mismatch: "Failure Reason: 12121 Client didn't provide suitable ciphers for anonymous PAC-provisioning". ISE is trying to authenticate my phone with EAP-FAST while the Cisco phone is using EAP-MD5.

I read in another topic that some of you would consider MAB/profiling for the APs and probably for the Cisco IP Phones. But I'm wondering if it's possible to have one authentication rule with allowed protocols EAP-PEAP-FAST-MD5.

2) Also, if I place the EAP-MD5 authentication rule higher and then have a rule for EAP-PEAP-FAST below, it doesn't work because only the first rule is matched. I have configured the first rule with "If authentication fails = Continue".

Does any of you have hints?
Hello,

Thank you very much for your answer. Why do you say that APs should be authenticated via MAB and profiling instead of dot1x? Why is it better? Using dot1x seems to work fine for me, except for what I talked about and also that ISE thinks my AP is a router.

Regards
Cisco ISE: 1.2
Switch IOS: 15.0.2.EX4

Hello,

I have configured the APs to authenticate with 802.1X via the switch. When I shut the port on which the AP is connected and then no shut it, the port comes up a few seconds later and the switch sends a dot1x authentication. I feel that the AP has not finished booting and that's why it fails, because the AP doesn't answer that authentication request. I was wondering if it's possible to delay the first authentication message the switch sends just after a port comes up?

When I use debug commands I see:

%DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9
%AUTHMGR-5-FAIL: Authorization failed or unapplied for client (Unknown MAC) on Interface Gi3/0/18 AuditSessionID 00000000000006567DDB81C9

NB: you'll see "exhausted all authentication methods" because I only configured dot1x on the port (no MAB or anything else).

Thank you for all answers
Hello,

I have done one deployment (not finished) with 150 clients, and one guy I know is doing a very large-scale deployment. To me it's very interesting but very challenging. I really underestimated the time it would take. I did this project because my client wanted it. From a technical point of view it's very positive for me; from a financial point of view it's really bad, as I've spent a lot of time. The client is so far very happy, although some implemented features are missing.

I would recommend starting with Wi-Fi only and, once you understand ISE and know how to troubleshoot, making wired work. I have not tried remote access though.

Some hints:
- Are you full Cisco or do you have other vendors? (I'm thinking about IP Phones, but the question can also be asked for switches and WLCs.)
- Do you have a PKI or not?
- Do you have devices (endpoints) that are not 802.1X capable? All of us have, but the important thing is to list them.

It's also difficult because it involves a lot of components and protocols:
- Components: the RADIUS server (ISE), the NAS (switch or WLC), the endpoints (PCs, APs, printers), the host (in my case VMware)
- Protocols: EAP protocols, SNMP/DHCP for profiling, Wi-Fi, etc.

So I wouldn't see a guy with little experience in networking dealing with something like this. I was more than familiar with many of these things, and before ISE I also tried FreeRADIUS and made it work with Wi-Fi and VLAN assignment and an LDAP server. If by chance I make the whole thing work, I need to give the skills to someone else to do the troubleshooting.

So this is my experience so far. Some others have much more experience, of course.
Good morning Massimo,

Thank you for your answer. It's really helpful; I didn't know where to start that troubleshooting. I'm surprised by the number of hotfixes in Windows 7 SP1. I would have expected 802.1X to be quite mature on that platform.