Cisco 831 --- dot1x critical and MAB Support

Similar Messages

• Cisco ISE: Dot1x failing and MAB succeeded (Intermittent) /or Posture Delay

  Hi,
  We are running the cisco ise 1.1.3 and configured for the Dot1x and MAB authentications. PC's are getting access through MAB while Dot1x failing again and again. But, sometime, same PC is getting authenticating  via Dot1x. Connectivity is intermittent. Also, sometimes, stucks longer in Posture
  We have three different switches at the moment with the latest IOS version.
  1) WS-C4507R-E    =  15.1(2)SG,
  2) WS-C3560-48PS = 12.2(55)SE7
  3) WS-C3750X-24P = 15.0(2)SE1
  Could you anyone pitch the idea? or advise about the latest IOS for the switches.
  Let me know, if you need more information.
  Thanks,
  Regards,
  Mubahser

  It seems your PCs are failing dot1x and also failing MAB authentication, the switch by default will start the process again and will again fail dot1x and MAB authentication, and so on.
  It will be helpful to see the logs from both the switch and the radius servers (i take it is ACS or ISE). Also the configuration of the radius server.

• Cisco CPI 2.0 and TSM support.

  Hi, Is it possible to install TSM(Tivoli storage manager) on CPI 2.0 ?
  We would like to use it as a backup.

  It may be possible but would not be supported. You can backup the overall VM from your VMWare environment if you're running the soft appliance.
  You can backup the application settings using the built-in PI backup settings and specify a remote FTP repository.

• Dot1x - Difference between "mab" and "mab eap"

  Hi guys,
  can someone explain the difference between "mab" and "mab eap" to me?
  I`m trying to do dot1x with EAP-TLS with MAB as a fallback method.
  The explanations I found in the config-guides are very poor.
  Thank you for your help.
  Mathias

  Hello Mathias-
  This is an old post but I stumbled across it when trying to find another post that I answered before. In case you haven't found an answer yet, please take a look at this thread where I think you will find your answers.
  https://supportforums.cisco.com/message/3768500#3768500
  Regards,
  Thanks for rating!

• Cisco 831 and "Can't get video from the camera."

  I'm running a Cisco 831 router with ios 12.4(5a) installed. Every time I try to initiate a video chat with a computer going through the router, I get the "Can't get video..." error. It works fine with computers on my internal network and if I bypass the Cisco router and plug straight into my Cable modem.
  I've covered every conceivable TCP/UDP port being open (per numerous pages re: port 5060, 5190, etc.) and have even gone as far as testing with "permit UDP any any" and "permit TCP any any" at the top of the rules. No luck.
  I've been reading about the possibly needing to "unbind" SIP (port 5060). Is this something that a Cisco 831 router would require? The router doesn't seem to respond to any of the documented Cisco command re: VoIP and does not have any phone support that I'm aware of.
  If anyone has any info that can help me get his up-and-running, I'd be much obliged.
  Thanks,
  Matheau

  Hi Kcritchie,
  It will most likely look like that. But in this case it should be on the UDP protocol.
  The link looks useful (it takes a scroll down to see it for others looking)
  If I do nat bindlist in my Alcatel I get this
  Last login: Thu Jun 29 12:36:20 on console
  Welcome to Darwin!
  Ralph-G4:~ Ralph$ telnet 10.0.0.138
  Trying 10.0.0.138...
  Connected to speedtouch.johnshome.
  Escape character is '^]'.
  Username :
  (Pic line drawing edited out here )
  =>nat bindlist
  Application Proto Port
  ESP esp 1
  FTP tcp 21
  GRE gre 1
  H323 tcp 1720
  IKE udp 500
  ILS tcp 389
  ILS tcp 1002
  IP6TO4 6to4 1
  IRC tcp 6660-6670
  JABBER tcp 5222
  JABBER tcp 15222
  PPTP tcp 1723
  RAUDIO(PNA) tcp 7070
  RTSP tcp 554
  =>
  On my device this is because the SIP binding on UDP port 5060 is unbound.
  2:30 PM Thursday; June 29, 2006

• I want to integrate SMS gateway to Cisco ISE 1.2 and my question is SMS notifications are supported for Guest self−registration

  I want to integrate SMS gateway to Cisco ISE 1.2 and my question is 
  SMS notifications are supported for Guest self−registration Services ? or it should be done by Sponsor 

  I'm not sure I understand the question.  Do you want to log in to the Sponsor Portal using AD credentials?
  Create an Identity Source Sequence using AD as an Authentication Source.  Go to Administration > Identity Management > Identity Source Sequences.  Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
  Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings.  Double-click Sponsor from the Left Menu and click Authentication Source.  Choose the Identity Source Sequence.  Click Save.
  I hope this helps.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

  does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
  ciscoISE/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  ciscoISE/admin(config)# snmp-server
  Ciscoacs/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  Ciscoacs/admin(config)# snmp-server

  No support SNMP v3 on ISE v1.2 and 1.3 except for profilling
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
   http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

• Cisco 831 Router to Configure VPN Access

  Hello,
  I need assistance in configuring a VPN in a Cisco 831 Router. I do not have any experience in configuring routers and VPN's, and would appreciate if any one could help out.
  I would like to connect three Laptops to the Cisco 831 via Cisco VPN Client. Three laptops must have 10.42.6.x Address assigned by the router on the VPN Connection. They will also need access to the internal network which is 192.168.x.x private network. The Cisco has a Static IP on the Internal Interface and External Interface. I have tried several different ways of doing this, however I must be doing something wrong in my config.
  Any help or suggestions would be appreciated.

  Hi Robert
  You can refer the below link in finding out the exact config to start with.
  do make sure that your Cisco 831 box with the current IOS code installed in it supports the required feature to run the same..
  http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html#anchor16
  regds

• Cisco 831 CRWS (web utility) not loading

  Greetings. I just unwrapped my new Cisco 831 router, and everything worked out of the box (my post in this newsgroup is proof). However, when I attempt to access the CRWS web setup utility, I get a "Please wait while we check router version, IOS version, ..." and a blue progress bar infinitely fills up and re-starts-- it never allows me to get past this point and actually access the utility. My only guess is that I'm using Firefox v1.5 and this browser isn't supported-- but this would surprise me. Has anyone had this happen to them before, and does anyone have any possible solutions? Thanks in advance!

  Hi
  The system requirements for CRWS are:
  * PC using the Microsoft Windows 95, Windows 98, Windows Me, Windows 2000, or Windows NT operating system.
  * Netscape 4.5 or better
  * IE 4.0 or better
  * Java enabled on the Web browser
  * Pentium II, 166 MHz or higher
  * 800 by 600 screen resolution with 256 or more colors
  It seems that Firefox isn't explicitly supported. Pls try IE or Netscape and see how you go.
  Hope that helps - pls rate the post if it does.
  Regards,
  Paresh,

• Cisco 831

  I am using Cisco 831 at many smaller remote offices with DHCP. What is the best way to both monitor and control access on the 4 fastethernet ports. Is there a way to secure all of the ports with a MAC address security, etc so only certain machines will be able to gain network and internet access via the router?
  Thanks - any help would be appreciated.
  Jamie

  Hello Jamie,
  the 831 does not support port-security on the FastEthernet ports. There is however a workaround you could use, if you have a limited number of know MAC addresses that you want to block. Basically, what you do is use the command:
  arp {ip-address | vrf vrf-name} hardware-address encap-type [interface-type]
  to manually blackhole MAC addresses by sending them to a Loopback or Null interface. Let's say you want to deny IP address 192.168.1.10 with MAC address 00ed.3456.7896, the entry would be:
  arp 192.168.1.10 00ed.3456.7896 arpa Loopback0
  This would effectively send all traffic for that IP and MAC address to the Loopback interface...
  HTH,
  GNT

• IMAC's Top graphics card frustration - Cheap and no support for Adobe Mercury Playpack Engine GPU Acceleration?

  If anyone has a solution for getting the Mecury Playpack Engine GPU acceleration to work with Premiere Pro CS6 on an iMAC 2011, please let me know. Like I wonder if you could Thunderbolt an External graphics card somehow? Or is an upgrade possible? Ahh...not worth the risk.
  Please, if you have a solution for me, let me know. Otherwise I find it pretty frustrating that I purchased a top-end iMAC, fully maxed-out in every way possible, and that the iMac doesn't support Adobe Premiere's Mercury Playback Engine GPU acceleration. Also, an old USB 2.0 Hub and thus the built-in SD card reader is slow. If you have SD cards with 95MB/s Transfer, Read and Write speeds, the iMAC will only transfer at around 30MB/s if you're lucky. Technically 480Mbs which is around 50MB/s but I haven't seen those speeds.
  I figured this could at least be circumvented with a Thunderbolt SD card reader or a Thunderbolt to USB 3.0 adapter but of course no such thing exists.
  Well, nothing with a reasonable price tag. This all might seem trivial to some but when you're uploading 24 hours of HD video footage from a 128GB SDXC card, the speed makes a big difference.
  And come on, no BluRay support? Ridiculous. I get the politics of why but still, just ridiculous. It would be nice to be able to burn a BluRay to watch in my home theater system. There are other methods but BluRay is convenient and great for backing up large Video Files. Unfortunately BluRay looks like it's not going to make it.  Maybe cable distribution companies will increase their Internet upload speeds one day and I can just store everything in the cloud and watch full length movies(that I've created) on Vimeo.
  Anyways, I went and took a look at the hardware Apple stuffed inside my fancy (3.4 Ghz i7, 16GB 1333 DDR3, 2GB AMD 6970M, 256 GB SSD Internal and 2TB 7200 Internal) machine and it appears to be pretty middle of the range stuff. It's an iMAC, not a Mac Pro so why am I griping? Because my 2009 PC(which I tricked out over the last two years) is faster and does support the Mercury Playback Engine. I spent $2100 total on this PC which includes all my upgrades. I spent around $3300 on the iMAC. I feel ripped off.
  Yes, I do love my iMAC on multiple levels but had I known my dated 2009 PC would render video projects faster, I would have gone with a MAC Pro or just a new PC. It seems that Mac is moving completely away from making high-end computers for niche markets(video editing) and focusing on their tiny laptops, IPADS and IPhones for the masses. Obviously smart from a capitalistic perspective(at present at least) but very frustrating for some.
  I was actually told to purchase a MAC for video editing. I've been a PC guy for 15 years. I went with the iMAC because I had read many good things about it(probably just Apple propaganda)  and also the MAC PRO was to be discontinued. Also the MAC Pro would have been triple the cost for what didn't seem like a whole lot more.
  It's one's thing to prepackage a computer with inferior hardware(the iMAC I have is fast for most things and more than enough for 99% of the population) but to not allow us to pop open the computer and make a quit upgrade to the machine is what really makes me feel like I'm using a computer built for Grannies. I mean there is a reason my mother loves iMacs and Iphones. Amazing that I was able to upgrade my memory from 4 to 16GB  but I've heard Apple has even done away with that. I get why they do it. Apple Warranty, Apple Care issues, Profit and World Domination: Apple wants a monopoly on everything.
  Was great to see Adobe bounce back after the whole Flash/HTML5 thing and knock Final Cut Pro off the face of the Earth for good. People are still buying it b/c of the brand name but Final Cut is done. David Fincher used Adobe's Workflow for everything when he made The Girl with The Dragon Tattoo. Hollywood is making the shift and the world will follow. The Adobe Workflow has finally come together and there is just no way Apple can compete with Adobe Creative Cloud and an Engine that can just swap from Premiere to After Effects to Prelude to SpeedGrade to Photoshop to Story with speed for $29 bucks a month(or $49 for some). Apple better start supporting Adobe's Mercury Engine or they may have a problem. And if you're using Final Cut X, you're severely handicapping yourself. Problem is that people don't want to take the time to learn Adobe's products(steep learning curve for sure) which is where Apple's Granny software, and perhaps computers, comes in to play. Arnold Schwarzenegger once said "Milk is for babies, Real Men Drink Beer".  I'm beginning to think that "Mac's are for Grannies, Real Men Use Adobe and PCs".
  The major problem with Apple is you're forced to use Apple. Not sure but history has proven that people don't like to be forced into anything. Autocracies don't work. These systems eventually topple, even in the corporate world.
  Amazon.com, now that's the company to emulate. What an amazing machine!
  I've read that Apple may even discontinue the iMAC after 2013. Who knows?
  If anyone has a solution for getting the Mecury Playpack Engine GPU acceleration to work with Premiere Pro CS6 on an iMAC 2011, please let me know. Like I wonder if you could Thunderbolt an External graphics card somehow? Or is an upgrade possible? Ahh...not worth the risk.
  1) Graphcis Card  - AMD Radeon HD 6970M 2048 MB (6990 would have been better or something from NVIDIA.
  2) USB 2.0 Hub with only 480 Mb/sec
  3) Seagate Baracude SATA I 7200 RPM drive with 3GB/s transfer rate and only a 32 GB Cach. It's ok. I would have expected at least a Western Digital Caviar Black 2 TB SATA III 7200 RPM 64 MB  or the Velociraptor at 10,000RPM.
  4)APPLE SSD TS256C  Flash Drive. As you can see, it doesn't stack up so well against other SSD Drive.
  Just average. http://www.harddrivebenchmark.net/hdd_lookup.phphdd=APPLE+SSD+TS256C

  Whining and ranting about how iMacs can't do this or iMacs/orMacs can't do that is not going to get you a lot of help here.
  Your "I love my MAC" is typical of the ever ubiquitous PC whiner.
  If your video work needs were that computer intensive and critical , you should've done some online research and you should have budgeted for a Mac Pro.
  Mac Pros are completely expandable and upgradeable unlike the iMac.
  Mac Pros have much more faster and more CPU cores than the iMac line.
  iMac line is limited to CPUs with 8 cores. The Mac Pros, I believe, are up to 16 core CPUs, now.
  The Mac Pros can have their GPU upgraded and you even add/expand to use specialty audio/video cards.
  Mac Pros are the defacto standard for real video work.
  iMacs, even the high end model, is not really designed to do really heavy and intensive video work.
  iMacs do do video creation and editing. Just not on the level that is needed from a more "Pro" computer.
  It seems to me you are asking your iMac to do more than it was originally designed for, in terms of professional video editing.
  You get a lot more out of a Mac Pro than an iMac for any real serious video, CGI or animation work.
  You just didn't want to spend that much cash on one.
  iMacs are not user upgradeable or friendly to user upgrades at all!!!
  If you purchased a Mac Pro, you could've had that better, faster HD, better faster SSDs.
  That said, I can offer no real help to but because of the nature of your post and the fact you just simply annoyed me, I feel some advice and explanations are in order
  First off, you picked Adobe video editing software suite as your video creation software on the Mac.  It's no secret to long-time video content creators on the Mac that Adobe products, especially those for video creation and editing are very user unfriendly on the Mac. Even though Macs are supported from Adobe, Adobe for a long time has treated the Mac and Mac users as second class citizens.
  Before purchasing and installing Adobe Premiere, did you even check Adobe's site for the preferred system hardware and software requirements? Hmmm?
  This is why you should KNOW what software you are going to be running on a computer first then research what computer make and model will run said software.
  That's why Apple has its own apps like Aoerture, Logic and Final Cut.
  Despite your ignorance in this matter, Final Cut Pro X is alive and doing well, thank you, and using this software on your iMac would kick Adobe Premier in the you know whats.
  Final Cut Pro X is a complete video solution for and completely designed around the Mac.
  Why are you using USB 2.0 connections for video work when you have a perfectly good FireWire 800 connection.
  In case you are not aware, FireWire 800 is called so because it has a max throughput of 800 Mbps.
  Your 2011 iMac can take up to 32 GBs of RAM. Not just 16 GBs.
  This changed when the 2010 model iMacs came out.
  Blu-ray? I believe you can buy external Blu-ray writers that work with Mac using said FW800 connection.
  So you cite one movie and one videographer using Adobe Premier for your premise that Final Cut is dead in Hollywood?
  Your argument that Apple locks you into everything in their world can be countered by saying Windows and Windows PCs lock you into the Windows world. What's your point?
  Apple is not discontinuing their computers platforms any time soon.
  All you are regurgitating is rumor. Probably from all of the PC crowd.
  iMacs and professional desktop Macs are not going anywhere.
  Currently, Apple is the only desktop/laptop computer maker that is still making a profit on their Macs and increasing their market share percentages for the last 5 years during which the PC market has continually slumped/dropped in its market share.

• Ask the Expert: Overview of Cisco Prime Service Catalog and Process Orchestrator Solutions

  Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Cisco Prime Service Catalog and Process Orchestrator solutions.
  Cisco expert Jason Davis will discuss Cisco’s network management products offered under the Cisco Prime framework. If you have questions about Cisco Prime infrastructure or data center automation with our Cisco Prime Service Catalog and Process Orchestrator solutions, join us on the Cisco Support Community.
  Jason Davis is a distinguished services engineer in the Intelligent Infrastructure Practice team of Cisco Advanced Services. His role is to provide strategic and tactical consulting for hundreds of Advanced Services customers, lead service innovation, and assess new services and technologies. Jason's primary expertise areas are in network management systems, intelligent automation, virtualization, data center operations, software-defined networking, and network programmability.
  Based out of the Research Triangle Park (RTP) campus, Jason is also responsible for administering the Research Triangle Park Network Management Lab, Cisco's largest network management lab.
  Since joining Cisco in 1998, Jason has been a frequent speaker at Cisco's Networkers and CiscoLive conferences in the United States and Europe. In the past five years he has also been involved in the conference network setup and monitoring. He is a much sought-after resource by the field sales teams to assist with presales solutions and executive briefings. He has provided strategic and tactical network management consulting for several hundred customers.
  Jason is a subject matter expert with the following products and features:
  Cisco Prime LAN management solution
  Cisco Prime infrastructure
  CiscoSecure ACS
  Cisco Prime Network Registrar
  Cisco Process Orchestrator
  Cisco Prime Service Catalog
  Cisco IP SLA
  Embedded Event Manager
  SNMPv3
  onePK and OpenFlow
  Cisco UCS
  Device instrumentation
  VMware ESX, ESXi, and vCenter
  ITIL
  Jason received his bachelor of science degree in electrical engineering from the University of Miami (FL). He has been married for 20 years and has 4 children. His interests include providing audiovisual technical support for churches and conference venues, camping and biking with his family, remote-control helicopter piloting, paintball, and recreational shooting.
  Remember to use the rating system to let Jason know if you have received an adequate response.
  Because of the volume expected during this event, Jason might not be able to answer every question. Remember that you can continue the conversation in Data Center > Intelligent Automation under the subcommunity Cisco Prime Service Catalog shortly after the event. This event lasts through September 12, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Jason,
  Thank you very much for welcoming me to your expert discussion :) I feel to be in the right place, at the right time. Thank you also for answering question beyond your scope here, much appreciated. The information received will help me to go further as such I have submitted a 5 start rating for your first reply.
  That sounds promising about the LMS part so yes, I stay tuned and wait patiently.
  Ok, now let’s revert to the actual topic discussed here. Cisco Prime Service Catalog and Process Orchestrator solutions I have briefly read up on this on CCO (where elseJ) and picked out the following quote
  ---- Quote from the Cisco Prime Service Catalog Data Sheet
   Today’s end users want self-service and easy access to IT tools and services.
  Simultaneously, organizations are seeking ways to extend their cloud management
  platforms beyond self-service delivery of virtual machines and infrastructure resources
  while increasing their use of cloud-based solutions to enhance business agility and effectiveness.
  Cisco Prime™ Service Catalog offers tremendous benefits to organizations that want to unify the ways in
  which all types of IT services are ordered and fulfilled, not just infrastructure requests
  ---- un quote ---
  I try to understand what (at high level of course) happens in the back ground when an order is raised and which vendor solution your product can interact with.
  As mentioned in the quoted text, this service catalogue goes beyond the standard infrastructure.
  Let’s say, a user wants to deploy a new email services, or in your example,  extends or create a new web-portal (i.e. for HR to view and manage holiday, staff absence and benefits).
  Your solution will need to interact somehow with the 3rd party vendor application that is capable building such portal I believe.
  Without disclosing to many information, I assume the portal is linked to backend VM,s that spin up requested resources (and more magic of course). Perhaps I am mixing this up with another cisco product where a user can go on the portal and spin up virtual Firewalls, virtual Routers can be provisioned in now time.
  Out if interest; Is this product also known as Mozart? (project code within Cisco?)
  I hope query is ok.
  Best wishes
  Markus

• Uploading Cfg file to Cisco 831

  Really new here to Cisco. Our netwok administrator was let go and I am running the show now but am having a problem with uploading a config file to our Cisco 831 which is acting as a firewall to a T1 line. I am so newbie to Cisco so bear with me please! Our router was reset to defaults(yea, I know) and of course the config file was lost on the router but... I did find these files saved on one of our file servers. in a folder TFTP-Root
  c831-k9o3y6-mz.123-2.XC2.bin
  startup-config
  cisco831-config
  I can see the files were backed up and on this server there is a TFTP server that has been ran. Here are my questions.
  1. To get the router back to where it was with these files, which ones do I need to upload?
  2. Do I need to upload a boot file and config file or just one or the other?
  3. I did try to upload the startup-config file using telnet and got as far as the TFTP program trying to load it to the Cisco but an error came up about the security range for the TFTP didnt include 10.10.10.1??? The wierd thing is the TFTP server is 192.168.1.10 and the Cisco is 192.168.1.252. I can ping the Cisco but I cannot figure out why the Cisco is sending to the TFTP server that its IP is 10.10.10.1.
  I appreciate any help since right now our office netork has no email till I reset this.
  Thanks
  Jim

  Jim
  I do not think it is a stupid question. When you post to a public forum like this, all kinds of people will see what you post. It is wise to want to protect yourself.
  I would suggest that as a starting point that you replace any passwords with "" (or some silimar string which shows us what passwords were configured but disguises the actual password).
  I would suggest that you disguise any IP addresses that are in public address space (I believe that addresses in private space do not need to be disguised). Some people post configs with the address blanked out but I find this is sometimes counter-productive. I would suggest that you change the first octet of any public address in your config, and be careful that the first octet still shows whether this was class A, class B or class C address space. If you disguise the first octet then if the second, third, and fourth octet are the same as your config we will not have any real idea where you are, but there are valuable indications of what subnetting is being done, and perhaps other things that may be helpful.
  I believe that it is probably sufficient to disguise any passwords and disguise any public IP addresses. If you look through your config and find other things that concern you (perhaps there are comments on interfaces about what they connect to that you do not want to become public) feel free to remove or to alter/disguise them.
  And if you are really nervous about posting config details on the forum, you can email them to me privately. My email address is available through my forum profile. Some other forum contributors also make their email addresses available through their forum profile.
  HTH
  Rick

• Ask the Expert: Cisco Prime Infrastructure - Implementation and Deployment

  Welcome to the Cisco Support Community Ask the Expert conversation.
  This Ask The expert Session will cover questions spanning Cisco Prime Infrastructure on Implementation and Deployment on Wired and Wireless. This will be more specific to Customer’s and Partners questions product covering PI on configuration, Features and Menu, Network Monitoring, Maps, Implementation, High Availability and Maintenance and t/s parts.
  Monday, February 2nd, 2015 to Friday, February 13th, 2015
  Dhiresh Yadav is a customer support engineer in High-Touch Technical Services (HTTS)  handling supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include Cisco Prime Infrastructure and Cisco Wireless products. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS) and CCIE (DC) certifications.
  Afroz Ahmad is a customer support engineer in High-Touch Technical Services (HTTS)  handling supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include Cisco NMS products like Prime Infrastructure, LMS, IP SLA and SNMP etc. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS),CCIE (DC), and SCJP (Sun Certified Java Professional )
  Vinod Kumar Arya is a customer support engineer in High-Touch Technical Services (HTTS)  handling supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include Cisco NMS products like Prime Infrastructure, LMS, IP SLA and SNMP etc. He has over 8 years of industry experience working with large enterprise and service provider networks. He also holds VCP 5 and RHCE certifications.
  ** Remember to use the rating system to let the experts know you have received an adequate response.**
  Because of the volume expected during this event, the experts might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure community, > Network Management, shortly after the event. This event lasts through February 13th 2015. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.

  Hello Wilson,
  Thanks for joining us.
  1841 should just work fine for net flow . Hope you have a valid "PI Assurance license" installed on the server.
  "PI Assurance license" is required for "net-flow"  feature
  Devices supporting Netflow in PI ::
  1400, 1600, 1700 & 1800
  2500, 2600 & 2800
  3600, 3700, 3750 & 3800
  4500 & 4700
  AS5300 & 5800
  7200, 7300, 7400 & 7500
  Catalyst 4500 ASCI
  Catalyst 5000, 6500, & 7600 ASCI
  ESR 10000 ASCI
  GSR 12000 ASCI
  Cisco IOS Software Release Version
  Supported Cisco Hardware Platforms
  11.1CA, 11.1CC
  Cisco 7200 and 7500 series, RSP 7200 series
  12.0
  Cisco 1720, 2600, 3600, 4500, 4700, AS5800 
  RSP 7000 and 7200 series
  uBR 7200 and 7500 series
  RSM series
  12.0T, 12.0S
  Cisco 1720, 2600, 3600, 4500, 4700, AS5800 
  RSP 7000 and 7200 series
  uBR 7200 and 7500 series
  RSM series, MGX8800RPM series, and BPx8600 series
  12.0(3)T, 12.0(3)S
  Cisco 1720, 2600, 3600, 4500, 4700, AS5300, AS5800
  RSP 7000 and 7200 series
  uBR 7200 and 7500 series
  RSM series, MGX8800RPM series, and BPx8650 series
  12.0(4)T
  Cisco 1400, 1600, 1720, 2500, 2600, 3600, 4500,
  4700, AS5300, AS5800
  RSP 7000 and 7200 series
  uBR 7200 and 7500 series
  RSM series, MGX8800RPM series, and BPx8650 series
  12.0(4)XE
  Cisco 7100 series
  12.0(6)S
  Cisco 12000 series
  NetFlow is also supported by these devices Cisco 800, 1700, 1800, 2800, 3800, 6500, 7300, 7600, 10000, CRS-1 and these Catalyst series switches: 45xx, 55xx, 6xxx.
  NetFlow export is also supported on other Cisco switches when using a NetFlow Feature Card (NFFC) or NFFC II and the Route Switch Module (RSM), or Route Switch Feature Card (RSFC). However, check whether version 5 is supported, as most switches export version 7 by default.
  You can check the below steps to diagnose the issue::
   To verify that NetFlow is exported from a device to PI, follow the steps below:
  1)    Browse to Administration > Data Sources page. Check the value in column ‘Last Active Time’  for the ‘Device Data Sources’ table. If the table is empty or  the value does not represent recent time, then
  it is possible that the device is not exporting NetFlow or PI Assurance license is not applied / expired.
  2)    Login to PI console ( via SSH) as root user and run the command:
                  netstat –an | grep 9991 – Output of this should be like :  udp        0      0 :::9991         :::*
                  Check the firewall settings on PI server using the command: firewall -L
  1)    Check the configuration on an IOS / IOS –XE device. Run the commands
  a)    sh running-config | inc destination
  1)    This should list the IP address of the PI SERVER ( along with other outputs if any)
  b)    sh running-config | inc 9991
  1)    This should list at least one entry.
  c)    If the above are fine, then verify that the flow monitor, flow exporter and the flow records are correctly configured on the device.
  Refer to the URLs below to configure NetFlow export.
  http://preview.cisco.com/en/US/docs/net_mgmt/prime/infrastructure/2.0/user/guide/setup_monitor.html#wp1056427
  Thanks-
  Afroz
  ***Ratings Encourages Contributors ****

• Ask the Expert: Cisco Nexus 2000, 5000, and 6000 Series Switches

  with Cisco Expert Vinayak Sudame
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions how to configure and troubleshoot the Cisco Nexus 2000, 5000 and 6000 Series Switches with Cisco subject matter expert Vinayak Sudame. You can ask any question on configuration, troubleshooting, features, design and Fiber Channel over Ethernet (FCoE).
  Vinayak Sudame is a Technical Lead in Data Center Switching Support Team within Cisco's Technical Services in RTP, North Carolina. His current responsibilities include but are not limited to Troubleshooting Technical support problems and Escalations in the areas of Nexus 5000, Nexus 2000, FCoE. Vinayak is also involved in developing technical content for Cisco Internal as well as external. eg, Nexus 5000 Troubleshooting Guide (CCO), Nexus 5000 portal (partners), etc. This involves cross team collaboration and working with multiple different teams within Cisco. Vinayak has also contributed to training account teams and partners in CAE (Customer Assurance Engineering) bootcamp dealing with Nexus 5000 technologies. In the past, Vinayak's responsibilities included supporting MDS platform (Fiber Channel Technologies) and work with EMC support on Escalated MDS cases. Vinayak was the Subject Matter Expert for Santap Technologies before moving to Nexus 5000 support. Vinayak holds a Masters in Electrical Engineering with Specialization in Networking from Wichita State University, Kansas. He also holds Cisco Certification CCIE (#20672) in Routing and Switching.
  Remember to use the rating system to let Vinayak know if you have received an adequate response.
  Vinayak might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the  Data Center sub-community, Other Data Center Topics discussion forum shortly after the event.
  This event last through Friday July 12, 2013. Visit the community often to view responses to youe questions of other community members.

  Hi Vinayak,
  Output of "show cfs internal ethernet-peer database"
  Switch 1
  ETH Fabric
  Switch WWN              logical-if_index
  20:00:54:7f:ee:b7:c2:80 [Local]
  20:00:54:7f:ee:b6:3f:80 16000005
  Total number of entries = 2
  Switch 2
  ETH Fabric
  Switch WWN              logical-if_index
  20:00:54:7f:ee:b6:3f:80 [Local]
  20:00:54:7f:ee:b7:c2:80 16000005
  Total number of entries = 2
  Output of "show system internal csm info trace"
  Switch 1 in which "show cfs peers" show proper output
  Mon Jul  1 05:46:19.145339  (CSM_T) csm_sp_buf_cmd_tbl_expand_range(8604): No range command in buf_cmd_tbl.
  Mon Jul  1 05:46:19.145280  (CSM_T) csm_set_sync_status(6257): Peer RT status PSSed
  Mon Jul  1 05:46:19.145188  (CSM_T) csm_sp_handle_local_verify_commit(4291):
  Mon Jul  1 05:46:19.145131  csm_continue_verify_ac[597]: peer is not reachable over CFS so continuing with local verify/commit
  Mon Jul  1 05:46:19.145071  csm_tl_lock(766): Peer information not found for IP address: '172.16.1.54'
  Mon Jul  1 05:46:19.145011  csm_tl_lock(737):
  Mon Jul  1 05:46:19.144955  (CSM_EV) csm_sp_build_tl_lock_req_n_send(941): sending lock-request for CONF_SYNC_TL_SESSION_TYPE_VERIFY subtype 0 to Peer ip = (172.16.1.54)
  Mon Jul  1 05:46:19.143819  (CSM_T) csm_copy_image_and_internal_versions(788): sw_img_ver: 5.2(1)N1(2a), int_rev: 1
  Mon Jul  1 05:46:19.143761  (CSM_T) csm_sp_get_peer_sync_rev(329): found the peer with address=172.16.1.54 and sync_rev=78
  Mon Jul  1 05:46:19.143699  (CSM_T) csm_sp_get_peer_sync_rev(315):
  Mon Jul  1 05:46:19.143641  (CSM_EV) csm_sp_build_tl_lock_req_n_send(838): Entered fn
  Mon Jul  1 05:46:19.143582  (CSM_T) csm_set_sync_status(6257): Peer RT status PSSed
  Switch 2 in which "show cfs peers" does not show proper output
  Mon Jul  1 06:13:11.885354  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 77 seq 482
  Mon Jul  1 06:13:11.884992  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd channel-group 51 mode active, cmd pseq 357 seq 369
  Mon Jul  1 06:13:11.884932  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport trunk allowed vlan 2, 11, cmd pseq 357 seq 368
  Mon Jul  1 06:13:11.884872  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 357 seq 367
  Mon Jul  1 06:13:11.884811  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd description process_vpc, cmd pseq 357 seq 366
  Mon Jul  1 06:13:11.884750  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd channel-group 51 mode active, cmd pseq 352 seq 365
  Mon Jul  1 06:13:11.884690  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport trunk allowed vlan 2, 11, cmd pseq 352 seq 364
  Mon Jul  1 06:13:11.884630  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 352 seq 363
  Mon Jul  1 06:13:11.884568  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd description process_vpc, cmd pseq 352 seq 362
  Mon Jul  1 06:13:11.884207  (CSM_EV) csm_sp_acfg_gen_handler(3011):  Preparing config into /tmp/csm_sp_acfg_1733916569.txt
  Mon Jul  1 06:13:11.878695  csm_get_locked_ssn_ctxt[539]: Lock not yet taken.
  Mon Jul  1 06:13:11.878638  (CSM_EV) csm_sp_acfg_gen_handler(2937): Recieved sp acfg merge request for type: running cfg
  Mon Jul  1 06:12:29.527840  (CSM_T) csm_pss_del_seq_tbl(1989): Freeing seq tbl data
  Mon Jul  1 06:12:29.513255  (CSM_T) csm_sp_acfg_gen_handler(3106): Done acfg file write
  Mon Jul  1 06:12:29.513179  (CSM_EV) csm_sp_acfg_gen_handler(3011):  Preparing config into /tmp/csm_sp_acfg_1733911262.txt
  Mon Jul  1 06:12:29.508859  csm_get_locked_ssn_ctxt[539]: Lock not yet taken.
  Mon Jul  1 06:12:29.508803  (CSM_EV) csm_sp_acfg_gen_handler(2937): Recieved sp acfg merge request for type: running cfg
  Mon Jul  1 05:53:17.651236  Collecting peer info
  Mon Jul  1 05:53:17.651181  Failed to get the argumentvalue for 'ip-address'
  Mon Jul  1 05:40:59.262736  DB Unlocked Successfully
  Mon Jul  1 05:40:59.262654  Unlocking DB, Lock Owner Details:Client:1 ID:1
  Mon Jul  1 05:40:59.262570  (CSM_T) csm_sp_del_buf_cmd(1713): Deleting comand with Id = 1
  Mon Jul  1 05:40:59.262513  DB Lock Successful by Client:1 ID:1
  Mon Jul  1 05:40:59.262435  Recieved lock request by Client:1 ID:1
  Mon Jul  1 05:40:41.741224  ssnmgr_ssn_handle_create_get: Session FSM already present, ID:1
  Mon Jul  1 05:40:41.741167  ssnmgr_handle_mgmt_request: Create/Get request received for session[process_n5kprof]
  show cfs lock gives no output.
  Just to further clarify, we have 4 5548UP switches in the same management vlan. 2 switches are in one location lets say location A and they are CFS peers and are working fine.
  These two switches which are having problem are in location B. All the switches are in the same vlan. Essentially the all CFS multicast messages will be seen by all 5548 switches as they are in the same vlan. I am assuming that this might not create any problems as we specify the peers in the respective configurations. Or do we have to change the CFSoIPv4 multicast addresses in location B or may be configure a different region.
  Regards.