QoS on Cisco 7206VXR DMVPN

Hello

one of my clients wants to implement VoIP in its existing DMVPN network topology. I read about "per-tunnel QoS for DMVPN", but when it comes to setting it up on my hub router (Cisco 7206VXR with c7200p-advsecurityk9-mz.124-15.T14.bin) I'm missing the option to set the command "ip nhrp map group".

Now, my question is: is it generally not supported on the 7206VXR platform? Where can I get the option to update the IOS to a newer version? If so, which one could I use?

Kind regards

Thomas

Software consultant / Cisco Feature Navigator

Tags: Cisco Security

Similar Questions

  • Cisco 1941 DMVPN and IPsec

    Hello

    We have started replacing all of our ISA Servers with Cisco DMVPN routers. So far we are happy with everything, but I ran into a problem. I've just set up one of our branches and the DMVPN works very well, but this location also has a VPN tunnel to another branch that we have not replaced with Cisco equipment yet. The problem I have is that as soon as I apply the IPsec site-to-site VPN on the router, the DMVPN drops.

    I create the IPsec VPN:

    crypto map VPN_Crypto 1 ipsec-isakmp
     set transform-set ESP-3DES-SHA
     set peer aa.aa.aa.aa
     match address 103 (where ACL 103 permits the local IP subnet to the remote IP subnet)

    and everything works fine. As soon as I do the following:

    interface GigabitEthernet0/1
     crypto map VPN_Crypto

    the DMVPN drops. If I connect and run:

    interface GigabitEthernet0/1
     no crypto map

    the DMVPN comes back immediately.

    What could I be doing wrong? Here is the config for the Tunnel0 DMVPN tunnel:

    interface Tunnel0
     bandwidth 1000
     ip address 192.168.10.31 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication DMVPN_NW
     ip nhrp map multicast xx.xx.xx.xx
     ip nhrp map 192.168.10.10 xx.xx.xx.xx
     ip nhrp network-id 100000
     ip nhrp holdtime 360
     ip nhrp nhs 192.168.10.10
     zone-member security dmvpn-zone
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile CiscoCP_Profile1

    If you need anything else from the config to help, just let me know. On our main site router I had no problem with it being the DMVPN hub and also having a handful of IPsec VPNs set up on it. I would appreciate any help; I really need to get both of these tunnels running simultaneously as soon as possible.

    Yes, but I don't see anything that looks strange (well, configs generated by CCP always look strange...).

    Maybe you ran into a bug. Have you tried a different IOS? Personally I wouldn't use 15.2 if I didn't have to. You can try 15.0(1)M8 and see if it works.

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • SA-VAM unsupported in Cisco 7206VXR

    Hello

    I have a Cisco 7206VXR with NPE-400. The IOS version is 12.4(24)T3. I installed an SA-VAM in slot 6 of the router, but I get the following on the console.

    AP-Pune-RT#
    Feb 23 11:16:34.484: %PA-3-NOTSUPPORTED: PA in slot6 (unknown (type 650)) is not
    supported on this chassis
    Feb 23 11:16:34.484: %PA-3-DISABLED: Port adapter in bay [6] powered off.
    Feb 23 11:16:34.584: %PA-2-PABRIDGE: Failed to config bridge for PA 6
    Feb 23 11:16:35.384: %PA-4-IMPROPER_REMOVAL: Improper removal for slot 6.
    Feb 23 11:16:35.384: %PA-3-DISABLED: Port adapter in bay [6] powered off.
    Feb 23 11:16:35.468: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
    connection id=975, sequence number=677864

    Is the SA-VAM not supported in the 7206VXR router?

    Thanks in advance.

    Kind regards

    Anand

    It should be supported.

    Perhaps the latest IOS stopped supporting this card (EoS).

    You can try to downgrade your IOS to 12.3T or 12.2T to see if it makes any difference.

  • Cisco Profile 42'' question: QoS DSCP marking for signaling packets

    Hello
    We have a Cisco Profile 42 with the specification below.
    Software version: TCNC4.2.1.265253, product: TANDBERG Profile 42 C20
    All calls are made via the Gatekeeper (VCS 7.1).
    DiffServ QoS is configured on the device.
    During the SIP call or SIP registration, whatever packet comes from the video endpoint, I see the DSCP value is 0x00.
    But for any packet from the VCS, I see the DSCP value is AF31 0x1a.
    But we have configured signaling QoS (value 26) on the Cisco Profile 42 endpoint. Screenshot is attached.
    Also, we have configured VCS DiffServ QoS with value 26.
    In this case, why are we not able to see any signaling marking from the Cisco Profile 42?
    I have attached the screenshot of the Wireshark output. I also downloaded the Wireshark message output.
    For the RTP stream, we can see the packets are marked as configured, i.e. AF41.
    There is no other device that changes the marking.
    Please suggest.
    Rgds
    Rajesh

    Thanks teak: it's matching DDT alright!

    Moving to TCNC5.1.6 or even TCNC6.0.0 (just released) should solve the problem.

  • Help with logs on Cisco router

    First of all: if I'm in the wrong place, please let me know.

    Question: I'm digging through Cisco commands, but Cisco's help, Google, Yahoo and other resources can't give me the answer I want.

    Router: Cisco 7206VXR (NPE-G1) processor (revision C) with 983040K/65536K bytes of memory.

    My question is simple: I need to see the interface history of one of our routers, and not having been in the Cisco domain for a few years, I can't find the command. If I can find a command that pulls a complete history, that would be great.

    The commands I used:

    history

    show history

    car1.Ash#sh interfaces se1/0/23:0 history
                                       ^
    % Invalid input detected at '^' marker.

    car1.Ash#show interface se1/0/23:0 60 minutes history
                                        ^
    % Invalid input detected at '^' marker.

    I need to find the command that gives logs of the following type:

    00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to
    00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to
    00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to
    00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
    00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed
    state to down
    *Mar  1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
    18:47:02: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
    *Mar  1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)

    What you are looking for is not available using show interface commands but would be available using the show log command. You want something that could look like this:

    show log | include 1/0/23:0

    Note that this searches the logging buffer on the router. The amount of memory allocated to the logging buffer and the volume of messages generated will determine how far back you can go. If the router sends syslog messages to a syslog server (or another management feature that archives messages) then you can search those logs and go further back. Also note that the logging buffer is cleared when the router reloads.

    HTH

    Rick

  • QoS setup on SG300-28P

    Hi all. I tried to configure my SG300-28P like my 2960S, using the following commands:

    conf t
    interface range gi1-28
    auto qos voip cisco-phone

    But there is no such command I can find on the SG300. Is anyone familiar with a similar command? Or is QoS a completely manual process on the SG300?

    I'm on firmware version 1.3.7.18

    Hi Ksuchewie,

    There is no auto QoS on Cisco Small Business switches. This feature is for routers, Catalyst and enterprise gear. The Cisco Small Business switch voice VLAN uses DSCP 46 and CoS 5 by default.

    This means DSCP 46, EF mode.

    My advice: replace it with DSCP 26 so it will match AF31 low drop. Also I would leave CoS at 5.

    I'll give you an example of how to config QoS for the voice VLAN on a Small Business switch.

    My example is DATA vlan 1 and VoIP vlan 100.

    Quick commands:

    config t
    voice vlan id 100
    voice vlan cos 5
    voice vlan dscp 26
    wr mem

    Thank you

    Ministry of health

  • MAB with Cisco Phone - authorization failed

    Hello everyone,

    I use MAB to authenticate clients and Cisco IP phones against a Microsoft NPS RADIUS server. Everything works perfectly, except for one Cisco phone. The phone authenticates successfully but authorization fails. The switch port has the following configuration.

    switchport access vlan 500
    switchport mode access
    switchport nonegotiate
    switchport voice vlan 92
    no logging event link-status
    srr-queue bandwidth share 1 30 35 5
    priority-queue out
    authentication control-direction in
    authentication event server dead action authorize voice
    authentication host-mode multi-domain
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate 10800
    authentication timer inactivity 1800
    mab
    no snmp trap link-status
    mls qos trust device cisco-phone
    mls qos trust cos
    macro description mab
    auto qos voip cisco-phone
    storm-control broadcast level 5.00
    storm-control action shutdown
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

    I get the following RADIUS logging of the client authentication process.

    May  7 15:24:53.349: RADIUS:   4D 8F 05 AB 00 00 01 37 00 01 02 00 0A 19 0A 84 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 47 DF 2A A4 B3 70 00 00 00 00 00 00 5F 79           [ M7G*p_y]
    May  7 15:24:53.349: RADIUS:  Vendor, Cisco       [26]  34
    May  7 15:24:53.349: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
    May  7 15:24:53.358: RADIUS(00002749): Received from id 1645/128
    May  7 15:24:53.366: %MAB-5-SUCCESS: Authentication successful for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
    May  7 15:24:53.374: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13
    SER-02-SW01#clear authentication
    May  7 15:24:53.383: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (442b.03a2.f9e8) on Interface Gi1/0/39 AuditSessionID 0A194B0400002706ED82EB13

    I checked online, and blogs and forums suggest checking the use of downloadable access lists, but they are not used on the switch. As mentioned, all Cisco IP phones work perfectly except this one. I have already removed the Active Directory object and created a new object from scratch, but with the same result. I also tried another port on the switch, again an authorization failure.

    Currently I don't know where to look further, so maybe some of you can help me!

    Thanks for the update, René. I had suggested deactivating and reactivating dot1x globally to see where it got stuck. However, it seems the thought was not okay. I would appreciate it if you mark it resolved so that someone else can take advantage of it.

    You're welcome

    Good day!

    Jatin kone

    -Please rate useful messages-

  • Command switchport mode access

    Hello

    I was curious about the switchport mode access command and its interoperability with the switchport voice vlan command.

    If I set up a switchport with the switchport mode access command, will that make it impossible for the switchport to create the special-case trunk with the IP phone? Even if I set up switchport voice vlan?

    And if so, should the port be configured as switchport mode dynamic auto? Or desirable?

    Thank you, Pat

    Pat, you can configure a port as an access port, add the voice vlan configuration and connect a phone and another device. The trunk will form. With "voice vlan" Cisco obscures the fact that a trunk forms. I don't necessarily agree with this strategy, and it wasn't always this way. I remember configuring phones on a 3500XL and the ports were configured as trunks.

    You made me think, so I issued a few commands on a WS-C3560V2-48PS-S running IOS 12.2(58)SE2 which has 12 phones connected to it.

    Here is the config for a port that has a connected phone:

    Switch#sho run int f0/2
    Building configuration...

    Current configuration : 475 bytes
    !
    interface FastEthernet0/2
     switchport access vlan 11
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 11
     switchport trunk allowed vlan 2,10-19
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 12
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     no mdix auto
     spanning-tree portfast
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end

    If I show the trunk status for an individual port, IOS recognizes that the port with the attached telephone is actually a trunk:

    Switch#sho int f0/2 trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/2       off          802.1q         not-trunking  11

    Port        Vlans allowed on trunk
    Fa0/2       11-12

    Port        Vlans allowed and active in management domain
    Fa0/2       11-12

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/2       11-12

    However if I do a "sho int trunk" to display all the trunk ports on the switch, IOS does not include the telephone ports in the output.

    Switch#sho int trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/45      on           802.1q         trunking      12
    Fa0/46      on           802.1q         trunking      12
    Gi0/1       on           802.1q         trunking      11
    Gi0/2       on           802.1q         trunking      11

    Port        Vlans allowed on trunk
    Fa0/45      2,10-19
    Fa0/46      2,10-19
    Gi0/1       2,10-19
    Gi0/2       2,10-19

    Port        Vlans allowed and active in management domain
    Fa0/45      2,11-13,16-17
    Fa0/46      2,11-13,16-17
    Gi0/1       2,11-13,16-17
    Gi0/2       2,11-13,16-17

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/45      2,11-13,16-17
    Fa0/46      2,11-13,16-17
    Gi0/1       2,11-13,16-17
    Gi0/2       2,11-13,16-17

    So on the one hand IOS says "Yes, it is a trunk" and on the other hand it says "Nope, no trunks here!" Also notice that 'spanning-tree portfast' is configured on f0/2, not 'spanning-tree portfast trunk'. PortFast is still active on this port.

    Switch#sho span int f0/2 portfast

    VLAN0011            enabled
    VLAN0012            enabled

    Conversely on port 45 we have a VG-224 connected, and it is configured with "switchport mode trunk" and "spanning-tree portfast trunk". If I change that to just "spanning-tree portfast" we see this:

    Switch#sho span int f0/45 portfast

    VLAN0002            disabled
    VLAN0011            disabled
    VLAN0012            disabled
    VLAN0013            disabled
    VLAN0016            disabled
    VLAN0017            disabled

    Cisco has confused the issue here. I would prefer if we called a trunk a trunk, but for some reason they do not.

    Cheers,

    -Jeff

    ---

    Posted by Jeff Davis from the Cisco Support Community app for WebUser

  • BGP advertisement: How do I remove the "next hop" and "metric" attributes inherited from OSPF?

    Hello

    I use a Cisco ASR1001 WAN router connected via BGP (AS65075) to our ISP.

    This router is connected through OSPF to our Cisco 7206VXR/NPE-G2 firewall.

    Topology:

    ISP <-bgp-> RT 1001 <-ospf-> FW 7206 <-> LAN

    On the WAN router, static routes are set to Null0 to always announce our class C networks.

    ip route 192.168.10.0 255.255.255.0 Null0 250

    ...

    Network statements are placed in our BGP configuration:

    router bgp 65075
     bgp log-neighbor-changes
     neighbor EBGP-PEER-IPv4 peer-group
     neighbor EBGP-PEER-IPv4 fall-over bfd
     neighbor 192.168.88.138 remote-as 65200
     neighbor 192.168.88.138 peer-group EBGP-PEER-IPv4
     neighbor 192.168.88.138 description ISP IPv4
     neighbor 192.168.88.138 password 7 unknown
     !
     address-family ipv4
      ...
      network 192.168.10.0
      ...
      neighbor EBGP-PEER-IPv4 soft-reconfiguration inbound
      neighbor EBGP-PEER-IPv4 distribute-list prefix-v4 out
      neighbor EBGP-PEER-IPv4 maximum-prefix 100
      neighbor EBGP-PEER-IPv4 filter-list 1 out
      neighbor 192.168.88.138 activate
      neighbor 192.168.88.138 filter-list 2
     exit-address-family

    Some of these networks are also learned through OSPF, and these routes are present in the routing table:

    RT-01#sh ip ro 192.168.10.0
    Routing entry for 192.168.10.0/24
      Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 1
      Advertised by bgp 65075
      Last update from 192.168.0.79 on Port-channel1.28, 7w0d ago
      Routing Descriptor Blocks:
      * 192.168.0.79, from 192.168.0.71, 7w0d ago, via Port-channel1.28
          Route metric is 20, traffic share count is 1

    Because these routes are active in the routing table, the BGP announcement is based on them and the "next hop" and "metric" attributes are inherited from OSPF:

    RT-01#sh ip bgp neighbors 192.168.88.138 advertised-routes
    ...
       Network          Next Hop            Metric LocPrf Weight Path
    ...
    *> 192.168.10.0     192.168.0.79            20         32768 i
    ...

    Is it possible to remove the OSPF-inherited attributes from the BGP announcement?

    How do I set the "next hop" to 0.0.0.0 and the "metric" to 0?

    Thank you

    Best regards

    Jérôme

    Hello Berthier,

    NEXT_HOP is a well-known mandatory path attribute; for eBGP its value is the IP address of the BGP peer (specified in the neighbor remote-as statement) from which the router learns the prefix. Thus your eBGP peer will still see the IP 192.168.88.138 as the BGP Next Hop in your updates. I agree the output of the command 'sh ip bgp neighbors 192.168.88.138 advertised-routes' can be confusing, but don't worry about it.

    Metric 20 is because the path was learned via OSPF. By default BGP copies the IGP metric into the MED attribute. I see that you have only one peer, so it is not very important to change this value, because MED is non-transitive, i.e. this value is not propagated by your provider to other ASes. Anyway, if you want to change it, you must:

    1. Create a prefix list with one or more prefixes for which you want to "reset" the MED value:

    ip prefix-list prefix-to-reset-MED seq 5 permit 192.168.10.0/24
    ip prefix-list prefix-to-reset-MED seq 10 permit X.X.X

    2. Create a route map:

    route-map set-to-zero-MED permit 5
     match ip address prefix-list prefix-to-reset-MED
     set metric 0
    route-map set-to-zero-MED permit 10
    !

    The last route-map clause is necessary to ensure that the rest of the prefixes are sent.

    3. Apply the route map:

    neighbor EBGP-PEER-IPv4 route-map set-to-zero-MED out

    Regards
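    To make the three steps concrete, here is an added Python model (not from the thread or from Cisco) of how IOS evaluates the prefix-list and the outbound route-map for the 192.168.10.0/24 path shown above. The second advertised prefix in the sample is constructed; the route-map and prefix-list names are the answer's, and the model deliberately leaves the next hop alone, since the eBGP peer sees the update source address anyway.

```python
"""Model of how IOS applies the answer's outbound route-map to advertised paths.

Added example, not from the thread or Cisco. It reproduces only the
semantics the answer relies on: a prefix-list is searched in sequence order
with an implicit deny, a route-map is searched clause by clause, the first
matching clause decides (permit plus its set actions, or deny), and a prefix
that matches no clause is dropped by the implicit deny at the end. The next
hop is not touched on purpose.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    next_hop: str
    metric: int


# ip prefix-list prefix-to-reset-MED seq 5 permit 192.168.10.0/24
PREFIX_LISTS = {
    "prefix-to-reset-MED": [(5, "permit", "192.168.10.0/24")],
}

# route-map set-to-zero-MED permit 5 / match ip address prefix-list ... / set metric 0
# route-map set-to-zero-MED permit 10
ROUTE_MAP = [
    {"seq": 5, "action": "permit", "match_prefix_list": "prefix-to-reset-MED", "set_metric": 0},
    {"seq": 10, "action": "permit"},
]
# The same route-map with the final empty permit clause left out.
ROUTE_MAP_WITHOUT_FINAL_PERMIT = ROUTE_MAP[:1]

# Paths the router would advertise. The first is the thread's OSPF-learned
# 192.168.10.0/24 (next hop 192.168.0.79, metric 20); the second is constructed.
ADVERTISED = [
    BgpPath("192.168.10.0/24", "192.168.0.79", 20),
    BgpPath("192.168.20.0/24", "192.168.0.79", 20),
]


def prefix_list_permits(entries, prefix):
    """First matching entry wins; if no entry matches, the implicit deny applies."""
    target = ip_network(prefix)
    for _seq, action, entry in sorted(entries):
        if ip_network(entry) == target:  # exact match only; the answer uses no ge/le
            return action == "permit"
    return False


def apply_route_map(clauses, path, prefix_lists=PREFIX_LISTS):
    """Return the path as it leaves the route-map, or None if the route-map denies it."""
    for clause in sorted(clauses, key=lambda c: c["seq"]):
        pl_name = clause.get("match_prefix_list")
        if pl_name is not None and not prefix_list_permits(prefix_lists[pl_name], path.prefix):
            continue  # this clause does not match; try the next sequence number
        if clause["action"] == "deny":
            return None
        if "set_metric" in clause:
            path = replace(path, metric=clause["set_metric"])
        return path  # first matching clause decides
    return None  # implicit deny: a route-map with no matching clause drops the prefix


def advertise(clauses, paths=ADVERTISED):
    """Paths that survive the outbound route-map, in the form the peer receives them."""
    return [p for p in (apply_route_map(clauses, p) for p in paths) if p is not None]


if __name__ == "__main__":
    for label, rm in (("with permit 10", ROUTE_MAP),
                      ("without permit 10", ROUTE_MAP_WITHOUT_FINAL_PERMIT)):
        print(label, advertise(rm))
```

    Running it shows why the empty `permit 10` clause matters: without it, only the prefix matched by the list is advertised and everything else is silently dropped.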

  • 802.1x authentication and phones

    I have just begun rolling out 802.1x authentication and found that although I got authentication for the PC on the data VLAN to work, phones on the VOICE VLAN do not unless I set 'authentication host-mode' to 'multi-host'.

    We have run unauthenticated for 7 years with phones and PCs both working.

    What I want to do (i.e. what management told me to move to) is to have phones connect unauthenticated (with CDP handling correct VLAN assignment) but require PCs to authenticate.

    I guess the simple question is: is this possible? If so, any advice is greatly appreciated. (The switch config is below.)

    Thank you

    Arch

    !
    version 12.2
    no service pad
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    !
    hostname switch
    !
    boot-start-marker
    boot-end-marker
    !
    logging console emergencies
    logging monitor emergencies
    enable secret 5 *
    !
    aaa new-model
    !
    !
    aaa authentication dot1x default group radius
    !
    !
    !
    aaa session-id common
    clock timezone cst -6
    clock summer-time cdt recurring
    switch 1 provision ws-c3750g-24ps
    system mtu routing 1500
    vtp mode transparent
    no ip domain-lookup
    !
    !
    ip igmp snooping vlan 41 mrouter interface Gi1/0/27
    ip igmp snooping vlan 41 mrouter interface Gi1/0/28
    !
    mls qos
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    vlan 13
     name DATA-VLAN
    !
    vlan 857
     name VoIP-VLAN
    !
    vlan 1611
     name Guest-VLAN
    lldp run
    !
    !
    class-map match-all AutoQoS-VoIP-RTP-Trust
     match ip dscp ef
    class-map match-all AutoQoS-VoIP-Control-Trust
     match ip dscp cs3 af31
    !
    !
    policy-map AutoQoS-Police-CiscoPhone
     class AutoQoS-VoIP-RTP-Trust
      set dscp ef
      police 320000 8000 exceed-action policed-dscp-transmit
     class AutoQoS-VoIP-Control-Trust
      set dscp cs3
      police 32000 8000 exceed-action policed-dscp-transmit
    !
    !
    !
    interface GigabitEthernet1/0/1
     switchport access vlan 13
     switchport mode access
     switchport voice vlan 857
     switchport port-security violation protect
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     queue-set 2
     priority-queue out
     authentication control-direction in
     authentication event no-response action authorize vlan 1611
     authentication host-mode multi-host
     authentication port-control auto
     authentication violation protect
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     dot1x pae authenticator
     spanning-tree portfast
     service-policy input AutoQoS-Police-CiscoPhone
    !
    interface GigabitEthernet1/0/2
    !
    interface GigabitEthernet1/0/3
    !
    interface GigabitEthernet1/0/4
    !
    interface GigabitEthernet1/0/5
    !
    interface GigabitEthernet1/0/6
    !
    interface GigabitEthernet1/0/7
    !
    interface GigabitEthernet1/0/8
    !
    interface GigabitEthernet1/0/9
    !
    interface GigabitEthernet1/0/10
    !
    interface GigabitEthernet1/0/11
    !
    interface GigabitEthernet1/0/12
    !
    interface GigabitEthernet1/0/13
    !
    interface GigabitEthernet1/0/14
    !
    interface GigabitEthernet1/0/15
    !
    interface GigabitEthernet1/0/16
    !
    interface GigabitEthernet1/0/17
    !
    interface GigabitEthernet1/0/18
    !
    interface GigabitEthernet1/0/19
    !
    interface GigabitEthernet1/0/20
    !
    interface GigabitEthernet1/0/21
    !
    interface GigabitEthernet1/0/22
    !
    interface GigabitEthernet1/0/23
    !
    interface GigabitEthernet1/0/24
    !
    interface GigabitEthernet1/0/25
    !
    interface GigabitEthernet1/0/26
    !
    interface GigabitEthernet1/0/27
    !
    interface GigabitEthernet1/0/28
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 13,857,1611
     switchport mode trunk
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     queue-set 2
     mls qos trust cos
     auto qos voip trust
    !
    radius-server host 10.1.2.10 auth-port 1645 acct-port 1646
    radius-server key 7 *
    radius-server vsa send authentication
    end

    Hello

    Authentication with a PC and a phone needs "authentication host-mode multi-domain". You can use the MAC address or 802.1X (username & password) for authentication of the IP phone.

    The authentication profile must send "device-traffic-class=voice" to the switch. The PC goes into the DATA domain and the phone into the VOICE domain.

    See attachment:

  • VMware load balancing with Nexus 1000v

    With the VMware vDS or vSS, I see many designs use the active/passive approach for NIC teaming on the uplinks, i.e. one vmnic is active to fabric A and one vmnic is passive to fabric B. This is configured in vSphere.

    See this article: http://bradhedlund.com/2010/09/15/vmware-10ge-qos-designs-cisco-ucs-nexus/

    Is it correct that we can set up such a scheme with the 1000V? All the network config is on the 1000V, and as far as I know we can only configure the uplink in these 3 modes:

    1. LACP 2. vPC-Host Mode 3. vPC-Host Mode MAC pinning

    and they are all 'active' based.

    Post edited by: Atle Dale

    Yes. All uplinks are used. Each VM virtual interface is pinned to one of the uplinks. If one uplink goes down, all interfaces pinned to it get dynamically re-pinned to the remaining uplinks. A MAC address will only be seen on a single interface at a time. This is how MAC pinning prevents STP loops.

    Robert

  • When ISE goes down, none of the computers can get to the shared network or the Internet

    We run Cisco ISE 1.4 with computer authentication only and recently had a power outage of about 6 hours. When the batteries of the UPS the servers are connected to drained, none of the computers could connect to anything. The NIC on the computers showed an 'authentication failed' error. We have "Fallback to unauthorized network access" selected on each computer. Is there a way to allow all computers access to the network and the Internet as usual when the ISE servers are down?

    The port configuration is below:

    switchport access vlan 77
    switchport mode access
    switchport voice vlan 777
    ip access-group ACL-DEFAULT in
    authentication event fail action next-method
    authentication event server dead action authorize vlan 77
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication timer inactivity 180
    authentication violation restrict
    mab
    no snmp trap link-status
    auto qos voip cisco-phone
    dot1x pae authenticator
    dot1x timeout tx-period 10
    trust device cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AutoQos-VoIP-Input-Cos-Policy
    service-policy output AutoQos-VoIP-Output-Policy

    You must use an EEM script to change the ip access-list you assigned to the interface to something with "permit ip any any" in it.

    'authentication event server dead action authorize vlan 77' only works in closed-mode configurations that do not use a pre-auth ACL.

  • Mac-auth-bypass fails MAC: 0000.0000.0000

    I have an old JetDirect which does not support 802.1 x. I enabled MAB on the port where it connects, but for some reason fails any MAB. I activated the debug dot1x and stick the output in a few here. I know that my config to dot1x is good... I have clients who authenticate via RADIUS to my ACS server. I also have a different port using MAB, not a JetDirect, however, the two ports are configured in the same way. Debugging, it seems that the switch can glean from the CMA of the JetDirect. Any ideas? It is a 3750 with 12.2 (44) SE2. I tried to close/no close the interface, reset the JetDirect, nothing seems to work. I see no request on my ACS server for the MAC address of the device.

    Group AAA dot1x default authentication RADIUS
    Group AAA authorization network default RADIUS

    host 192.168.x.x auth-port 1645 1646 RADIUS server acct-port

    interface FastEthernet2/0/31
    Description white A002
    switchport access vlan 112
    switchport mode access
    switchport voice vlan 800
    switchport port-security maximum 3
    switchport port-security
    aging of the switchport port security 2
    security violation restrict port switchport
    inactivity of aging switchport port-security type
    bandwidth share SRR-queue 10 10 60 20
    form of bandwidth SRR-queue 10 0 0 0
    MLS qos trust device cisco-phone
    MLS qos trust cos
    Auto qos voip cisco-phone
    dot1x mac-auth-bypass eap
    dot1x EAP authenticator

    self control-port dot1x
    multi-domain host-mode dot1x
    restrict the dot1x mode violation
    dot1x tx-timeout 2
    dot1x timeout supp-timeout 10
    spanning tree portfast
    spanning tree enable bpduguard

    012729: 5 May 14:51:31.672: dot1x-package: dot1x_txReq: EAPOL packet sent to the default authenticator
    012730: 5 May 14:51:32.586: % LINEPROTO-5-UPDOWN: Line protocol Interface FastEthernet2/0/31, changed State to
    012731: 5 May 14:51:33.727: dot1x-package: from a package of EAP EAP request for mac 0000.0000.0000
    012732: 5 May 14:51:33.727: dot1x - sm:Posting EAP_REQ client = 4219220
    012733: 5 May 14:51:33.727: dot1x_auth_bend fa2/0/31: during the auth_bend_request State, had 7 (eapReq) event
    012734: 14:51:33.727 may 5: @ dot1x_auth_bend fa2/0/31: auth_bend_request-> auth_bend_request
    012735: 14:51:33.727 may 5: request_action called dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_
    012736: 14:51:33.727 5: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_ enter called
    012737: 5 May 14:51:33.727: dot1x-package: dot1x_mgr_send_eapol: code EAP: id 0 x 1: 0 x 2 length: 0 x 0005 type: 0 x 1 data:
    012738: 5 May 14:51:33.727: dot1x - ev:FastEthernet2/0/31: package EAPOL to the address of the EAP group
    012739: 5 May 14:51:33.727: dot1x - ev:dot1x_mgr_pre_process_eapol_pak: determination of role not required on FastEthernet2/0/31.
    012740: 5 May 14:51:33.727: dot1x-registry: registry: dot1x_ether_macaddr called
    012741: 5 May 14:51:33.727: dot1x - ev:dot1x_mgr_send_eapol: on FastEthernet2/0/31 EAPOL packet is sent
    012742: 14:51:33.727 may 5: dump of pak EAPOL Tx
    012743: 14:51:33.727 may 5: Version EAPOL: 0 x 2 type: 0 x 0 length: 0 x 0005
    012744: 5 May 14:51:33.727: code of the EAP: id 0 x 1: 0 x 2 length: 0 x 0005 type: 0x1
    012745: 5 May 14:51:33.727: dot1x-package: dot1x_txReq: EAPOL packet sent to the default authenticator
    012746: 5 May 14:51:35.791: dot1x-ev: received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
    012747: 5 May 14:51:35.791: dot1x - sm:Posting EAP_TIMEOUT client = 4219220
    012748: 14:51:35.791 5: dot1x_auth_bend fa2/0/31: during the auth_bend_request State, had 12 (eapTimeout) event
    012749: 14:51:35.791 may 5: @ dot1x_auth_bend fa2/0/31: auth_bend_request-> auth_bend_timeout
    012750: 14:51:35.791 may 5: called dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_timeout_enter
    012751: 14:51:35.791 may 5: called dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_timeout_action
    012752: 14:51:35.791 5: dot1x_auth_bend fa2/0/31: idle during the auth_bend_timeout State
    012753: 5 May 14:51:35.791: @ dot1x_auth_bend fa2/0/31: auth_bend_timeout-> auth_bend_idle
    012754: 5 May 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_idle_enter called
    012755: 5 May 14:51:35.791: dot1x - sm:Posting AUTH_TIMEOUT client = 4219220
    012756: 14:51:35.791 may 5: dot1x_auth fa2/0/31: during the auth_authenticating State, had 15 (authTimeout) event
    012757: 14:51:35.791 may 5: @ dot1x_auth fa2/0/31: auth_authenticating-> auth_fallback
    012758: 14:51:35.791 may 5: called dot1x-sm:Fa2/0/31:0000.0000.0000:auth_authenticating_exit
    012759: 5 May 14:51:35.791: r called dot1x-sm:Fa2/0/31:0000.0000.0000:auth_fallback_ente
    012760: 5 14:51:35.791: dot1x_auth_mab: mab_initialize of the initial State has enter
    012761: 5 14:51:35.791: dot1x_auth_mab: during the mab_initialize State, had 2 (mabStart) event
    012762: 14:51:35.791 may 5: @ dot1x_auth_mab: mab_initialize-> mab_acquiring
    012763: 5 14:53:08.831: dot1x_auth_mab: during the mab_acquiring State, had 3 (mabResult) event (ignored)

    HQ_1stFlr_3750 #sh int dot1x fa2/0/31 det

    Dot1x Info FastEthernet2/0/31
    -----------------------------------
    EAP AUTHENTICATOR =
    PortControl = AUTO
    ControlDirection = both
    HostMode = MULTI_DOMAIN
    Violation mode = RESTRICT
    A re-authentication = off
    QuietPeriod = 60
    ServerTimeout = 30
    SuppTimeout = 10
    ReAuthPeriod = 3600 (configured locally)
    ReAuthMax = 2
    MaxReq = 2
    TxPeriod = 2
    RateLimitPeriod = 0
    Mac-Auth-Bypass = active (EAP)
    Timeout = None

    Authenticator Dot1x customer list empty

    Port status = not ALLOWED

    Does the Jetdirect card use DHCP to get an IP address? If not, the Jetdirect will not produce any traffic out to the switch to authenticate. To test this, use the front panel of the printer to send a ping packet and see if it triggers MAB.

  • ISE could not locate any AAA Client or network device

    During authentication using 802.1X and MAB, I get an authentication failure with error 11007 (could not locate AAA Client or network device). The cause that ISE gives me is "Could not locate Network Device or AAA Client while accessing NAS by IP during authentication." I did almost everything by the book, but instead of using a loopback interface I used a VLAN with a defined IP address. Could that be the cause of the problem?

    Here is the config of the port that I have tested on:

    interface GigabitEthernet1/0/9
     switchport access vlan 9
     switchport mode access
     switchport voice vlan 8
     ip access-group ACL-LEAVE in
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 4
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x timeout tx-period 10
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end

    Whatever IP address you entered in ISE when adding this switch must match the IP address of the interface configured under your "ip radius source-interface" command. In your first post you said you use an SVI for this, but in your later message I see that your RADIUS packets are coming from "interface TenGigabitEthernet1/0/1". Double-check this and make sure things match.

    If you have a Loopback interface configured, it is strongly recommended that you use it as the source for these services (RADIUS, TACACS+, SNMP, Syslog, etc.).

    Thanks for rating helpful posts!
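    The point in the answer above is that a RADIUS server such as ISE identifies the network device by the UDP source address of the request, not by anything carried inside the packet. The following added example (not code from this thread or from Cisco) builds a MAB-style Access-Request the way an access switch does, parses it back, verifies its Message-Authenticator, and then runs the device lookup by source IP so the "could not locate network device" condition is reproduced offline. All IP addresses, the shared secret and the MAC address are constructed sample values.

```python
"""Added example, not code from the forum thread or from Cisco: build a
MAB-style RADIUS Access-Request as an access switch would, parse it back,
check its Message-Authenticator, and run the network-device lookup the way
a RADIUS server such as ISE does it: by the UDP *source* IP of the packet,
not by the NAS-IP-Address attribute carried inside it.  Every IP address,
secret and MAC below is a constructed sample value."""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
# RADIUS attribute types used in a MAB request (RFC 2865 / RFC 2869)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, MESSAGE_AUTHENTICATOR, NAS_PORT_ID = 31, 80, 87
SERVICE_TYPE_CALL_CHECK = 10  # the Service-Type value switches use for MAB


def encrypt_user_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], mask))
        out += prev
    return out


def build_mab_access_request(secret, nas_ip, mac, port_id, ident=1):
    """Encode an Access-Request the way a switch sends it for MAC Authentication
    Bypass: the MAC is both User-Name and User-Password, Service-Type=Call-Check."""
    authenticator = os.urandom(16)
    hexmac = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    dashed = "-".join(hexmac[i:i + 2] for i in range(0, 12, 2)).upper()
    attrs = [
        (USER_NAME, hexmac.encode()),
        (USER_PASSWORD, encrypt_user_password(secret, authenticator, hexmac.encode())),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
        (CALLING_STATION_ID, dashed.encode()),
        (NAS_PORT_ID, port_id.encode()),
    ]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    ma_offset = 20 + len(body)  # where the Message-Authenticator attribute starts
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body) + 18)
    pkt += authenticator + body + bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    # Message-Authenticator = HMAC-MD5(secret, whole packet with its value zeroed)
    digest = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:ma_offset + 2] + digest + pkt[ma_offset + 18:]


def parse_radius(pkt):
    """Minimal decoder: header fields plus a list of (type, offset, value)."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than its 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((pkt[pos], pos, pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def verify_message_authenticator(pkt, secret):
    """Recompute the HMAC over the packet with the attribute value zeroed."""
    for t, off, val in parse_radius(pkt)["attrs"]:
        if t == MESSAGE_AUTHENTICATOR and len(val) == 16:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), val)
    return False


def locate_network_device(src_ip, devices):
    """ISE-style lookup: the NAD is found by the packet's source IP against the
    configured device entries (name -> IP or subnet); a switch that sources
    RADIUS from an interface nobody entered gets 'could not locate'."""
    ip = ipaddress.ip_address(src_ip)
    for name, cidr in devices.items():
        if ip in ipaddress.ip_network(cidr, strict=False):
            return name
    return None


def demo():
    secret = b"constructed-shared-secret"
    devices = {"access-switch": "192.0.2.10/32"}  # the entry an admin made in ISE (constructed)
    pkt = build_mab_access_request(secret, "192.0.2.10", "f0de.f119.9870", "GigabitEthernet1/0/9")
    by_type = {t: v for t, _, v in parse_radius(pkt)["attrs"]}
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])  # flip one bit of the HMAC value
    return {
        "user_name": by_type[USER_NAME].decode(),
        "service_type": struct.unpack("!I", by_type[SERVICE_TYPE])[0],
        "nas_ip_attr": str(ipaddress.IPv4Address(by_type[NAS_IP_ADDRESS])),
        "hmac_ok": verify_message_authenticator(pkt, secret),
        "hmac_tampered": verify_message_authenticator(tampered, secret),
        "nad_from_listed_ip": locate_network_device("192.0.2.10", devices),   # sourced from the SVI/loopback in ISE
        "nad_from_uplink_ip": locate_network_device("192.0.2.254", devices),  # sourced from an unlisted uplink
    }


if __name__ == "__main__":
    print(demo())
```

    The last two entries of the result are the whole story of error 11007: the same, correctly authenticated packet is accepted when it arrives from the address entered in ISE and rejected before any policy evaluation when it arrives from an address ISE has never seen, regardless of the NAS-IP-Address attribute it carries.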

  • Rejected MAC addresses are not placed in the guest VLAN

    Hi all

    I'm kind of new to switches and have learned a lot by reading the documentation sites. My job is to activate AAA authentication on our Cisco switches; we have a 3750 stack, a few 3560s and some 3550s. I'm testing on one of the 3560s, a WS-C3560G-48PS running 12.2(53)SE1 IP-BASE. Next week I'll update the firmware to 12.2(55), but with this version everything should already work.

    Basically, the only thing I've been asked to do at the moment is configure MAC-Auth Bypass. If the MAC address is accepted, RADIUS returns the VLAN the device should be placed in, for the most part VLAN 4.

    If the RADIUS server (freeradius v2.1.10) sends a reject (see below), the port is not placed in the guest VLAN, as I expected.

    Dec 21 16:23:19 10.1.1.207 37473: 2204830: .Dec 21 16:20:31.950 CET: %AUTHMGR-5-FAIL: Authorization failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
    Dec 21 16:23:19 10.1.1.207 37472: 2204808: .Dec 21 16:20:31.950 CET: %MAB-5-FAIL: Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
    Dec 21 16:23:18 10.1.1.207 37471: 2204776: .Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B

    Can someone tell me where I'm wrong?

    Thank you

    Chris

    Relevant parts of the running-config:
    aaa new-model
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting delay-start
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    !
    aaa session-id common
    !
    dot1x system-auth-control
    !
    interface GigabitEthernet0/29
     description 235a
     switchport mode access
     switchport voice vlan 2
     load-interval 30
     srr-queue bandwidth share 10 10 60 20
     queue-set 2
     priority-queue out
     authentication event fail action authorize vlan 7
     authentication event server dead action authorize vlan 4
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication port-control auto
     mab
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AutoQoS-Police-CiscoPhone
    !
    interface Vlan1
     ip address 10.1.1.207 255.255.255.0
    !
    interface Vlan2
     ip address 10.1.10.207 255.255.255.0
    !
    ip default-gateway 10.1.1.201
    ip classless
    !
    ip sla enable reaction-alerts
    radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
    radius-server timeout 10
    radius-server key 7 wouldn't-you-like-to-know
    radius-server vsa send accounting
    radius-server vsa send authentication
    !
    end

    VLAN information:

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- ------------------------------
    1    default                          active    Gi0/6, Gi0/8, Gi0/14, Gi0/15
                                                    Gi0/18, Gi0/21, Gi0/29, Gi0/30
                                                    Gi0/34, Gi0/36, Gi0/37, Gi0/49
                                                    Gi0/50, Gi0/51
    2    voice                            active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                    Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                    Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                    Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                    Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                    Gi0/21, Gi0/22, Gi0/23, Gi0/24
                                                    Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                    Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                    Gi0/33, Gi0/34, Gi0/35, Gi0/36
                                                    Gi0/37, Gi0/38, Gi0/39, Gi0/40
                                                    Gi0/42, Gi0/43, Gi0/44, Gi0/45
                                                    Gi0/46, Gi0/47, Gi0/49
    3    video                            active
    4    DHCP                             active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                    Gi0/5, Gi0/7, Gi0/9, Gi0/10
                                                    Gi0/11, Gi0/12, Gi0/13, Gi0/16
                                                    Gi0/17, Gi0/19, Gi0/20, Gi0/22
                                                    Gi0/23, Gi0/24, Gi0/25, Gi0/26
                                                    Gi0/27, Gi0/28, Gi0/31, Gi0/32
                                                    Gi0/33, Gi0/35, Gi0/38, Gi0/39
                                                    Gi0/40, Gi0/41, Gi0/42, Gi0/43
                                                    Gi0/44, Gi0/45, Gi0/46, Gi0/48
    5    transfer                         active
    6    Test ESX                         active
    7    GUEST-VLAN                       active
    999  native                           active
    1002 fddi-default                     act/unsup
    1003 trcrf-default                    act/unsup
    1004 fddinet-default                  act/unsup
    1005 trbrf-default                    act/unsup

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1    enet  100001     1500  -      -      -        -    -        0      0
    2    enet  100002     1500  -      -      -        -    -        0      0
    3    enet  100003     1500  -      -      -        -    -        0      0
    4    enet  100004     1500  -      -      -        -    -        0      0
    5    enet  100005     1500  -      -      -        -    -        0      0
    6    enet  100006     1500  -      -      -        -    -        0      0
    7    enet  100007     1500  -      -      -        -    -        0      0
    999  enet  100999     1500  -      -      -        -    -        0      0
    1002 fddi  101002     1500  -      -      -        -    -        0      0
    1003 trcrf 101003     4472  1005   3276   -        -    srb      0      0
    1004 fdnet 101004     1500  -      -      -        ieee -        0      0
    1005 trbrf 101005     4472  -      -      15       ibm  -        0      0

    VLAN AREHops STEHops Backup CRF
    ---- ------- ------- ----------
    1003 7       7       off

    Remote SPAN VLANs
    ------------------------------------------------------------------------------

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------

    Hello

    Just to use the correct names: what you want is an auth-fail VLAN (which you have configured correctly). The guest VLAN is for PCs that have no dot1x capability (do not respond to dot1x packets), but with MAC bypass the "no-response" event will never happen.

    Now that this is explained, your config actually looks quite OK. I'd go with debugs to check what the problem is.

    debug radius

    debug epm all

    debug authentication feature mab all
    debug authentication feature mda all

    Nicolas

    ===

    Remember to rate responses that you find useful
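    The distinction Nicolas draws (a RADIUS reject is the "fail" event that leads to the auth-fail VLAN, while the guest VLAN hangs off the "no-response" event that MAB never raises) can be checked mechanically against the switch's own syslog. The following added example (not code from this thread or from Cisco) parses the %AUTHMGR / %MAB lines Chris posted, rebuilds the session timeline from the switch's sequence numbers, and maps the way the session ended onto the "authentication event ... action authorize vlan" lines of his Gi0/29 config. The mapping from mnemonics to events is an assumption drawn from the thread, not taken from IOS source.

```python
"""Added example, not code from the forum thread or from Cisco: parse the
%AUTHMGR / %MAB syslog lines Chris posted, rebuild the per-session timeline
from the switch's own sequence numbers, and map how the session ended onto
the interface's 'authentication event ... action authorize vlan' lines to
say which VLAN the port should have landed in.  The mnemonic-to-event
mapping is an assumption drawn from the thread, not from IOS source."""
import re
from collections import defaultdict

# Sample input: the three syslog lines quoted in the post (newest first, as
# the poster's log search listed them).
SAMPLE_LOG = """\
Dec 21 16:23:19 10.1.1.207 37473: 2204830: .Dec 21 16:20:31.950 CET: %AUTHMGR-5-FAIL: Authorization failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
Dec 21 16:23:19 10.1.1.207 37472: 2204808: .Dec 21 16:20:31.950 CET: %MAB-5-FAIL: Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
Dec 21 16:23:18 10.1.1.207 37471: 2204776: .Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
"""

# The relevant lines of the Gi0/29 config from the post.
PORT_CONFIG = [
    "authentication event fail action authorize vlan 7",
    "authentication event server dead action authorize vlan 4",
    "authentication event server alive action reinitialize",
    "authentication host-mode multi-domain",
    "authentication port-control auto",
    "mab",
]

# seq: the switch's own message counter (monotonic, unaffected by relay reordering)
LINE_RE = re.compile(
    r"(?P<seq>\d+): \.?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+) \w+: "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): .*?"
    r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<iface>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-F]+)"
)
EVENT_RE = re.compile(
    r"authentication event (?P<event>fail|no-response|server dead) "
    r"action authorize vlan (?P<vlan>\d+)"
)
# Session-ending mnemonics that correspond to the 'fail' event (a RADIUS
# Access-Reject for dot1x or MAB).  The guest VLAN belongs to the separate
# 'no-response' event (no EAPOL reply at all), which a MAB reject never raises.
FAIL_MNEMONICS = {"AUTHMGR-5-FAIL", "MAB-5-FAIL", "DOT1X-5-FAIL"}


def parse_lines(text):
    """Return one dict per recognised auth-manager line, sorted by sequence number."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["seq"] = int(e["seq"])
            events.append(e)
    return sorted(events, key=lambda e: e["seq"])


def configured_actions(port_config):
    """Map event name -> VLAN from the 'authentication event' lines."""
    return {m["event"]: int(m["vlan"]) for m in map(EVENT_RE.search, port_config) if m}


def expected_outcome(timeline, actions):
    """Which configured event the last message of a session triggers, and its VLAN."""
    if timeline and timeline[-1] in FAIL_MNEMONICS:
        return ("fail", actions.get("fail"))
    return (None, None)


def summarize(text, port_config):
    """Group events by AuditSessionID and attach the expected VLAN outcome."""
    actions = configured_actions(port_config)
    sessions = defaultdict(lambda: {"timeline": []})
    for e in parse_lines(text):
        s = sessions[e["sid"]]
        s.update(mac=e["mac"], iface=e["iface"])
        s["timeline"].append(f"{e['facility']}-{e['sev']}-{e['mnemonic']}")
    for s in sessions.values():
        s["expected"] = expected_outcome(s["timeline"], actions)
    return dict(sessions)


if __name__ == "__main__":
    for sid, s in summarize(SAMPLE_LOG, PORT_CONFIG).items():
        print(sid, s["iface"], s["mac"], " -> ".join(s["timeline"]), s["expected"])
```

    For Chris's session the timeline comes out as START, MAB-5-FAIL, AUTHMGR-5-FAIL and the expected outcome as ("fail", 7): the reject ran the fail event, so VLAN 7 is the one to look for on the port, and the guest VLAN was never a candidate.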
