We are running ISE 2.1. I’ve created a new Exception Rule for our Wired MAB Enforcement Policy Set called: “EFK_Misc”, and have my condition  and permissions set. However, I’m seeing some anomalies during the initial rollout of these devices onto our network. After manually adding their MAC address via Context Visibility; I can find the MAC on the main page of Context Visibility, but if I select it to go into the “Endpoints” screen, it shows the description I’ve given, that the Static Group Assignment is “True”, but shows nothing for Identity Group Assignment. If I edit it, it does show an Identity Group Assignment of “EFK_Misc”. This is not a java or browser issues as I’ve tried two different jump servers to access the Admin node… When I try to do an import of additional MAC addresses, I get an error message that the Group Assignment is unknown. I noticed that at least one device during the initial 5 devices had shown proper authentication on the switch via the “Show auth session int g 1/0/25 det”, but Context Visibility did not show the device authenticated. Initial roll-out of these paging devices are mired in some “problems communicating” which I’m still trying to get better information regarding.   I’m not well versed in ISE, and am wondering if my new Exception for my MAB wired policy set may be missing something, or if this just a ghost in the machine.   Thanks for any input.   Mike ... View more

I have a C3560 Switch running IPServices. I never setup vrf's on a LAN switch so I know I'm missing basic config and concepts. All I want to do is set up a separate vrf from default (everything else is in default) and call it Labs; and have a couple of L3 VLANs (and default route) belong to it. It connects up to a firewall in a "Labs" security zone.  My current config- I can only PING a Labs VLAN if I precede the host IP with "vrf Labs" 10.34.48.62, so this works as expected. However, this VLAN is a point-to-point link to the FW with a 10.34.48.61 address. I can ONLY Ping it if I use default VRF...   (FW 10.34.48.61)----------------connects to -----------C3560 (VLAN598 10.34.48.62 vrf LABS)   Please see below for partial switch config and steps: (THANKS for any/all help!!!)   sho run int vlan 598 Building configuration... Current configuration : 191 bytes ! interface Vlan598 description LAN-to-FW Labs Zone vrf forwarding Labs ip address 10.34.48.62 255.255.255.252 no ip redirects no ip unreachables no ip proxy-arp load-interval 30 end NRDUOFFMDFSITSW02#ping 10.34.48.62 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.34.48.62, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) NRDUOFFMDFSITSW02#ping vrf Labs 10.34.48.62 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.34.48.62, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms NRDUOFFMDFSITSW02#ping vrf Labs 10.34.48.61 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.34.48.61, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) NRDUOFFMDFSITSW02#ping 10.34.48.61 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.34.48.61, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms sho run | be definition vrf definition Labs description HSS Lab rd 65000:1 NRDUOFFMDFSITSW02#sho vrf det VRF Labs (VRF Id = 3); default RD 65000:1; default VPNID <not set> Description: HSS Lab New CLI format, supports multiple address-families Flags: 0x180C Interfaces: Vl598 Vl3885 Address family ipv4 unicast (Table ID = 0x3): Flags: 0x0 No Export VPN route-target communities No Import VPN route-target communities No import route-map No global export route-map No export route-map VRF label distribution protocol: not configured VRF label allocation mode: per-prefix Address family ipv6 unicast not active VRF Mgmt-vrf (VRF Id = 1); default RD <not set>; default VPNID <not set> New CLI format, supports multiple address-families Flags: 0x1808 Interfaces: Gi0/0 Address family ipv4 unicast (Table ID = 0x1): Flags: 0x0 No Export VPN route-target communities No Import VPN route-target communities No import route-map No global export route-map No export route-map VRF label distribution protocol: not configured VRF label allocation mode: per-prefix Address family ipv6 unicast (Table ID = 0x1E000001): Flags: 0x0 No Export VPN route-target communities No Import VPN route-target communities No import route-map No global export route-map No export route-map VRF label distribution protocol: not configured VRF label allocation mode: per-prefix   ... View more

We have Nexus 5020s running 5.1(3) on our server Access Tier which show excessive Input Discards on several interfaces going up to the Distribution 7000s, but also on several of our interfaces connecting to the servers. This is in the magnitude of 120,000 discards in 80 minutes and 30,000 discards/80 minutes on two uplinks into the Dist Tier, but also 12,000/80 Min, 8,000/80 Min on several ports connecting to servers. I understand that this could be indicative of Head-of-Line-Blocking (switch egress congestion causing backup on the switch ingress), so when attempting to address the large number of input discards on the interfaces facing the Dist Tier, I'm looking for signs of egress congestion going to the servers, IE: high TX Interface Load, High output errors, etc. However, I do not see ANY signs of egress congestion. The below was a great doc, but I think I need to look elsewhere. http://www.sysadmintutorials.com/cisco-nexus-5500-input-packet-discard-troubleshooting/   Does anyone have any ideas, thoughts, insights or suggestions on where else to look?   Thanks!   Mike ... View more

Can I have a 40 Gbps link with a QSFP-40G-LR4 on one end and a QSFP-40G-LR4-S on another? It is my understanding that the -S is less tolerant of humidity/temperature extremes than the standard QSFP. Thanks ... View more

New installation (and I'm new on the N9500s).......Attempting to do some failover testing before going into production. When I commanded a "system switchover" from active SUP to backup SUP, switchover occurred, but what was the primary SUP now shows "powered-up" and never reloaded completely. Manual "reload mod 27" has no affect. Vers 7.0(3) I3. Redundancy status shows it is configured. Is there something I'm missing? Please see below, and thanks! NFC9975MDFFCSSW21A# show boot auto-copy Auto-copy feature is enabled NFC9975MDFFCSSW21A# show mod Mod Ports Module-Type Model Status --- ----- ------------------------------------- --------------------- --------- 1 52 48x1/10G-T 4x40G Ethernet Module N9K-X9464TX2 ok 2 52 48x1/10G SFP+ 4x40G Ethernet Module N9K-X9464PX ok 3 52 48x1/10G SFP+ 4x40G Ethernet Module N9K-X9464PX ok 22 0 Fabric Module N9K-C9508-FM ok 23 0 Fabric Module N9K-C9508-FM ok 24 0 Fabric Module N9K-C9508-FM ok 26 0 Fabric Module N9K-C9508-FM ok 27 0 Supervisor Module powered-up 28 0 Supervisor Module N9K-SUP-B active * 29 0 System Controller N9K-SC-A active 30 0 System Controller N9K-SC-A standby Mod Sw Hw Slot --- ---------------- ------ ---- 1 7.0(3)I3(1) 1.1 LC1 2 7.0(3)I3(1) 1.3 LC2 3 7.0(3)I3(1) 1.3 LC3 22 7.0(3)I3(1) 2.4 FM2 23 7.0(3)I3(1) 2.5 FM3 24 7.0(3)I3(1) 2.4 FM4 26 7.0(3)I3(1) 2.4 FM6 28 7.0(3)I3(1) 1.0 SUP2 29 7.0(3)I3(1) 1.5 SC1 30 7.0(3)I3(1) 1.5 SC2 Mod MAC-Address(es) Serial-Num --- -------------------------------------- ---------- 1 00-a6-ca-5c-89-e4 to 00-a6-ca-5c-8a-27 SAL2033UJBB 2 84-3d-c6-b0-aa-94 to 84-3d-c6-b0-aa-d7 SAL2031TY6H 3 84-3d-c6-af-c3-54 to 84-3d-c6-af-c3-97 SAL2030TMBB 22 NA SAL2023RHP1 23 NA SAL2028T66Z 24 NA SAL2021QPXL 26 NA SAL2021QPWL 28 e0-0e-da-36-89-b0 to e0-0e-da-36-89-c1 SAL2029TEUE 29 NA SAL2031UA5Z 30 NA SAL2031U61L Mod Online Diag Status --- ------------------ 1 Pass 2 Pass 3 Pass 22 Pass 23 Pass 24 Pass 26 Pass 28 Pass 29 Pass 30 Pass * this terminal session NFC9975MDFFCSSW21A# show redundancy status Redundancy mode --------------- administrative: HA operational: None This supervisor (sup-28) ----------------------- Redundancy state: Active Supervisor state: Active Internal state: Active with HA standby Other supervisor (sup-27) ------------------------ Redundancy state: Standby Supervisor state: Unknown Internal state: Other System start time: Mon Jan 30 23:16:22 2017 System uptime: 19 days, 3 hours, 41 minutes, 22 seconds Kernel uptime: 19 days, 3 hours, 54 minutes, 59 seconds Active supervisor uptime: 2 days, 19 hours, 36 minutes, 17 seconds NFC9975MDFFCSSW21A# ... View more

I have a special requirement for a serverfarm where the ACE would need to load-balance a server farm based upon a response from a DNS query to a delegated DNS server. This delegated DNS server is a "smart connect" node that decides which sub-node should be the active node in the serverfarm, and responds to the DNS query with that sub-node address. There are many application/node architectural reasons why the ACE simply can't be used for making that decision, so I won't muddy the waters with that. Essentially, the ACE would only have one node in it's serverfarm at one time, based upon the reponse from the Smart-Connect to the DNS query.   Thanks for any input.   Mike. ... View more

We have a new Prime Collaboration Manager 10.0 deployment, and have Polycom Immersive end-points (ISX3xx) which I'd like to manage via CM. I've successfully added several of Polycom's infrastructure components and they are "Managed", however, the Immersive end-points (codec 700 series) come up "Unsupported". Documentation states 3rd-party devices are supported, so I'm thinking I just need to provide the MIB from the Seriess 700 codecs (which I can download right from the device) and install into CM so it knows the SysObjectID. I cannot find anywhere in CM doc, as to how/where to install new MIBs. Can someone point me in the right direction?   Thanks!   Mike. ... View more