I would like to use multi-factor authentication for admin access to my switches and routers. Currently TACACS and an ISE (2.4) are being used. My first question is the switch commands. Does anything in the switch or router configuration need to change to support multi-factor authentication? I am used to entering a username and being prompted for a password. I am assuming the ISE configuration will trigger the switch/router to prompt me (the admin) for additional info (a token). The multi-factor solution selected (Centrify) allows for multiple methods for the second authentication: text message, email or a phone call. For example, when I log into a server, I get an option to select the 2nd authentication method. I might select text message, then enter the received code. Does a switch or router support this?

Below are my aaa commands, as originally asked. Do I need something else? I will address ISE at a later point.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 2 default group tacacs+ local
aaa authorization commands 3 default group tacacs+ local
aaa authorization commands 4 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 6 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 8 default group tacacs+ local
aaa authorization commands 9 default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 11 default group tacacs+ local
aaa authorization commands 12 default group tacacs+ local
aaa authorization commands 13 default group tacacs+ local
aaa authorization commands 14 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update newinfo periodic 1440
aaa accounting identity default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 2 default stop-only group tacacs+
aaa accounting commands 3 default stop-only group tacacs+
aaa accounting commands 4 default stop-only group tacacs+
aaa accounting commands 5 default stop-only group tacacs+
aaa accounting commands 6 default stop-only group tacacs+
aaa accounting commands 7 default stop-only group tacacs+
aaa accounting commands 8 default stop-only group tacacs+
aaa accounting commands 9 default stop-only group tacacs+
aaa accounting commands 10 default stop-only group tacacs+
aaa accounting commands 11 default stop-only group tacacs+
aaa accounting commands 12 default stop-only group tacacs+
aaa accounting commands 13 default stop-only group tacacs+
aaa accounting commands 14 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group radius
I am having difficulty with EIGRP route distribution. I do NOT want static routes to be redistributed into EIGRP, yet both 10.0.0.0/8 and 192.168.0.0/16 are being redistributed.
router eigrp 100
network 192.168.100.232 0.0.0.3
redistribute connected route-map redistro_conn
redistribute bgp 65100 metric 300000 100 255 1 1500
There are no static routes. I want to add two static routes
10.0.0.0 255.0.0.0 null 0 254
192.168.0.0 255.255.0.0 null 0 254
When I add the above routes, my EIGRP neighbor has an external route for 10.0.0.0/8 and 192.168.0.0/16. As a test, I added two additional routes
10.3.64.0 255.255.255.0 null 0 254
192.168.100.0 255.255.255.0 null 0 254
As expected, neither of these routes is advertised to the EIGRP neighbors.
This feels like a classful issue. Why are the 10 and 192.168 networks redistributed?
Auto-summary is disabled.
ip prefix-list redistro_conn seq 5 permit 192.168.105.3/32
ip prefix-list redistro_conn seq 20 permit 192.168.100.16/30
ip prefix-list redistro_conn seq 30 permit 192.168.100.20/30
ip prefix-list redistro_conn seq 40 permit 192.168.106.0/30
ip prefix-list redistro_conn seq 50 permit 192.168.106.4/30
ip prefix-list redistro_conn seq 60 permit 192.168.106.8/30
ip prefix-list redistro_conn seq 70 permit 192.168.106.12/30
ip prefix-list redistro_conn seq 80 permit 192.168.106.16/30
ip prefix-list redistro_conn seq 90 permit 192.168.106.20/30
ip prefix-list redistro_conn seq 100 permit 192.168.106.28/30
ip prefix-list redistro_conn seq 110 permit 192.168.106.32/30
ip prefix-list redistro_conn seq 120 permit 192.168.106.36/30
ip prefix-list redistro_conn seq 130 permit 192.168.106.40/30
ip prefix-list redistro_conn seq 140 permit 192.168.106.44/30
ip prefix-list redistro_conn seq 150 permit 192.168.106.48/30
ip prefix-list redistro_conn seq 160 permit 192.168.106.52/30
ip prefix-list redistro_conn seq 170 permit 192.168.106.56/30
I am building a dot1x configuration for my switches. I am using the new-style (authentication display config-mode). I have built the configuration to work correctly for MAB and dot1x authenticates successfully. I am at the point of creating the configuration to handle the exceptions. Currently I am focused on if the AAA server is down.
So does anyone have any sample configurations on how to fail open when the AAA server is down? Possibly retry authentication after a period of time.
The current configuration is below. My (failed) attempts to include proper handling of the AAA server being down are included.
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
class-map type control subscriber match-all SERVER_DOWN
 match result-type aaa-timeout
class-map type control subscriber match-all dot1x_FAILED_PASSWORD
 match method dot1x
 match result-type authoritative

policy-map type control subscriber user_default
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  10 class SERVER_DOWN do-until-failure
   10 authorize
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 activate service-template null_vlan
   30 authentication-restart 60
  30 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 activate service-template null_vlan
   40 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event timer-expiry match-all
  10 class SERVER_DOWN do-until-failure
   10 authorize
 event absolute-timeout match-all
  10 class SERVER_DOWN do-until-failure
   10 authorize
I am testing AnyConnect's "always on" feature. The connect failure policy is working as I expected. I thought I would ask for others' input.

The Automatic VPN policy has been in place for some time: Trusted - disconnect. Untrusted - connect.

At this point, I enable Always On, Allow VPN disconnect and set the failure policy to Open. Connection failure policies - greyed out.

From Cisco documentation: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac03vpn.html#pgfId-1205144
"The fail-open policy permits network connectivity. Regardless of the connect failure policy, AnyConnect continues to try to establish the VPN connection."
From the "advantage" section of the table: "Grants full network access, letting users continue to perform tasks where access to the Internet or other local network resources are needed."

I successfully disconnected and canceled my VPN session. I expected to be able to continue browsing the internet. I was not. I also expected AnyConnect to prompt me again for a username/passwd (from "AnyConnect continues to try to establish the VPN connection" above). What am I missing?
Any show commands you can suggest? show ppp multilink - the weight of each serial interface (equal). Ultimately, I am trying to figure out why my 4.6 Mbps (3 T1's) are not fully utilized during after-hours system backups. Some offices use the maximum bandwidth, others do not.

Multilink1
  Bundle name: 5B3EA11C45316A0B294597F30000002800000065
  Remote Endpoint Discriminator: 5B3EA11C45316A0B294597F30000002800000065
  Local Endpoint Discriminator: 220.127.116.11cpa
  Bundle up for 8w0d, total bandwidth 4608, load 17/255
  Receive buffer limit 36000 bytes, frag timeout 1000 ms
  Interleaving enabled
    0/0 fragments/bytes in reassembly list
    1190 lost fragments, 87647793 reordered
    0/0 discarded fragments/bytes, 0 lost received
    0x4E59EB received sequence, 0x4BA5B0 sent sequence
  Member links: 3 active, 0 inactive (max 255, min not set)
    Se0/0/0:0, since 8w0d, 5760 weight, 1496 frag size
    Se0/0/1:1, since 3w3d, 5760 weight, 1496 frag size
    Se0/1/0:2, since 01:45:23, 5760 weight, 1496 frag size
No inactive multilink interfaces
More information. I am thinking CEF will be involved, but I haven't seen how CEF is balancing the load.

interface Multilink1
 bandwidth 4608
 ip address 18.104.22.168 255.255.255.252
 ip flow ingress
 ip flow egress
 no peer neighbor-route
 ppp chap hostname *
 ppp multilink
 ppp multilink interleave
 ppp multilink group 1
 no cdp enable
 service-policy output qos_pm
 hold-queue 256 in
 hold-queue 4096 out
interface Serial0/0/0:0
 no ip address
 encapsulation ppp
 ppp chap hostname *
 ppp multilink
 ppp multilink group 1
 hold-queue 256 in
 hold-queue 4096 out
interface Serial0/0/1:1
 no ip address
 encapsulation ppp
 ppp chap hostname *
 ppp multilink
 ppp multilink group 1
 hold-queue 256 in
 hold-queue 4096 out
interface Serial0/1/0:2
 no ip address
 encapsulation ppp
 ppp chap hostname *
 ppp multilink
 ppp multilink group 1
 hold-queue 256 in
 hold-queue 4096 out

Multilink1 is up (if_number 43)
  Corresponding hwidb fast_if_number 43
  Corresponding hwidb firstsw->if_number 43
  Internet address is 22.214.171.124/30
  ICMP redirects are never sent
  Per packet load-sharing is disabled
  IP unicast RPF check is disabled
  Input features: Ingress-NetFlow
  Output features: CCE Post NAT Classification, QoS Marking, Post-Ingress-NetFlow, Egress-Netflow
  IP policy routing is disabled
  BGP based policy accounting on input is disabled
  BGP based policy accounting on output is disabled
  Interface is marked as point to point interface
  Hardware idb is Multilink1
  Fast switching type 7, interface type 105
  IP CEF switching enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
  Input fast flags 0x0, Output fast flags 0x10004000
  ifindex 41(41)
  Slot Slot unit 1 VC -1
  IP MTU 1500

IPv4 CEF is enabled and running
VRF Default
 491 prefixes (490/1 fwd/non-fwd)
 Table id 0x0
 Database epoch: 0 (491 entries at this epoch)

0.0.0.0/0, epoch 0, flags cover dependents, rib only nolabel, rib defined all labels, default route, RIB[B], refcount 7, per-destination sharing
  sources: RIB, DRH
  feature space:
    IPRM: 0x00018000
    NetFlow: Origin AS 0, Peer AS 0, Mask Bits 0
  subblocks:
    Covered dependent prefixes: 1
      notify cover updated: 1
  ifnums:
    Multilink1(43)
  path 1BCB1E0C, path list 1BBB5A38, share 1/1, type recursive, for IPv4
    recursive via 126.96.36.199[IPv4:Default], fib 1BBC2038, 1 terminal fib, v4:Default:188.8.131.52/32
      path 1BCB2FFC, path list 1BBB5CB8, share 1/1, type recursive, for IPv4, flags doesnt-source-via, cef-internal
        recursive via 184.108.40.206/30<nh:220.127.116.11>[IPv4:Default], fib 1BBC70A8, 1 terminal fib, v4:Default:18.104.22.168/30
          path 1BCB0CFC, path list 1BBB4688, share 1/1, type connected prefix, for IPv4
            connected to Multilink1, adjacency IP adj out of Multilink1 1BB465A0
  output chain:
    loadinfo 0233303C, per-session, 1 choice, flags 0183, 260 locks
      flags: Per-session, for-rx-IPv4, 2buckets, indirection
      1 hash bucket
        < 0 > IP adj out of Multilink1 1BB465A0
          Subblocks: None
TCP Window Size and Network Bandwidth

I am learning TCP window size and the impact window size has on data transfer and bandwidth. I have captured traffic between my field office server (over WAN) and a HQ backup server. I have noticed that some offices do not consume all available bandwidth (1, 2 or 3 T1's at each office). I captured traffic to investigate. I selected a series of 4 packets for analysis.

First packet (of the series) - HQ server to field office server: this packet is acknowledging the previous set of data and (I assume) is setting the stage for the next set of data (using window size).
Window size value = 1129
Window size scaling factor is 128
Calculated window size is 144,512

Next 3 packets - field office server to HQ server (these packets represent the data being backed up). For these packets, I don't believe window size is relevant. Instead the bytes in flight are important. Each of the 3 packets has a length of 1380. The bytes in flight increment by 1380 for each packet (1380, 2760 and 4140).

Next packet is from HQ server to field office server. This packet acknowledges the previous set. The cycle begins again.

Should the field server send more data between acknowledgements? Instead of 3 packets, I was thinking more like 13 packets (1380 x 13 = 17,940 bytes * 8 bits = 143,520, which is pretty close to 144,512). Am I missing something?
I am moving a network from a n7k to an ASA. With the network on the ASA, the clients on the local subnet are not getting IP addresses from the DHCP server. Years ago, I moved the network from a 6500 to the N7k. I recall adding "ip dhcp relay subnet-broadcast" to the n7k SVI to make DHCP work. I am now trying to move the network from the n7k to the ASA. On the ASA...

interface net995
 description netmotion
 nameif net995
 security-level 70
 ip address 172.18.0.1 255.255.0.0 standby 172.18.0.2
dhcprelay server 192.168.200.14 outside
dhcprelay server 192.168.200.15 outside
dhcprelay enable net995

Other networks needing DHCP are working correctly. I can't help but feel the ASA is missing something similar to the n7k from years ago.
I upgraded from 6.0.2.n2.2 to 6.0.2.n2.6. My ping test was to the SVI (not mgmt). I have discovered a couple of items since the upgrade. First, each n2k takes 10 to 12 minutes to upgrade. I have almost 20 Nexus 2k. That's over 3 hrs. I waited about 1 hour. It is likely the upgrade was happening as expected but I didn't wait. Second, the interface I was testing with (SVI) can become non-responsive during upgrades but production traffic still passes through the Nexus.
I am opening this post about an OS upgrade for my Nexus 5k devices. The upgrade completed successfully but I am not comfortable with events during the upgrade.

I have a pair of 5596 with 17 fex connected to both 5596. Prior to issuing the “install all” command, I set up an extended ping to both 5596. I began the upgrade with the primary vPC device. After the initial check, I answered “yes” to begin the disruptive upgrade. After answering “yes”, both 5596 stopped responding to ping. After 10 minutes, the other 5596 (not install all) began responding to ping. I connected to the device and began monitoring vPC and fex status. After another 5 to 10 minutes passed, the original 5596 (install all) began responding to ping. I was now connected to both 5596. I monitored the status of the fex for the next hour. The status for each fex varied between online, offline, connected, downloading, and AA mismatch. After waiting an hour and without any apparent progress in the upgrade of the fex, I decided to “install all” the 2nd 5596. Again, 10 minutes of no ping response for each 5596 before the original 5596 (the first install all) began responding. Another 5 to 10 minutes and the 2nd 5596 (second install all) began responding to ping. At this point, I connected to both 5596. I monitored the fex status. Within 20 to 30 minutes all 17 fex had come “online” for both 5596.

In addition to loss of ping, I also experienced significant loss of server resources. Services connected to the 5596 and n2k were not available.

Is what I experienced normal? What I was expecting…

Install all the first 5596
  Loss of ping during upgrade of 5596 (about 10 minutes)
Once 5596 is up
  Each fex upgrades sequentially
  No network outage. 90+% of my infrastructure is dual connected.
During the fex upgrade, I expect to see:
  Upgraded 5596 – shows each fex downloading then “online”.
  The not yet upgraded 5596 – shows each fex as AA mismatch
Once all fex have stabilized (assuming 30 minutes, but I don’t know how long it takes the fex to upgrade (17 total))
Upgrade the second 5596
  No network impact
  Expect loss of ping to the upgrading 5596
I spoke with TAC this morning. I discovered Prime was not associated with my CCO. TAC associated Prime with my CCO. I decided not to open a case and wait; let Cisco's back-end databases update. I will test again later today.
I am getting started with AnyConnect and profiles. I have multiple profiles on my laptop. Is there a way to prioritize the profiles on my laptop? Of my 3 profiles, one is more or less the default. This default profile will automatically connect on untrusted networks. The other 2 profiles will rarely be used. I am finding that when I disconnect from one of the less used profiles, the auto connect from the "default" profile is not active.