Auto smartports on 3750

Following this DOC:
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/116515-configure-autosmartports-00.html
c3750e-universalk9-mz.152-2.E.bin
It works fine for Cisco phones, switches, routers, but when I try to define a custom macro as shown in the example, it does not recognize an Avaya 1140E phone - it still applies the Cisco phone macro to this.  The doc is not really clear about what exactly the trigger is for recognizing this phone.  Does anyone have this working for Avaya phones?

I managed to get it working - the phones are advertising themselves as Nortel-IP-Phone-2000-Series
macro auto trigger AVAYA_IP_PHONE
 profile Nortel-IP-Phone-2000-Series
macro auto execute AVAYA_IP_PHONE {
 if [[ $LINKUP == YES ]]
  then conf t
  interface $INTERFACE
  macro description $TRIGGER
  description ***** AVAYA PHONE *****
  switchport access vlan 100
  switchport mode access
  switchport voice vlan 200
  exit
 fi
 if [[ $LINKUP == NO ]]
  then conf t
  interface $INTERFACE
  no macro description $TRIGGER
  no description ***** no more avaya phone *****
  no switchport access vlan 100
  no switchport mode access
  no switchport voice vlan 200
  exit
 fi
}
end

Similar Messages

  • ISE and Auto Smartports

    I am testing ISE and Auto Smartports and I got the execution of the macro via ISE working.
    However, it seems I MUST enable globally "macro auto global processing" before the macro is really executed.
    I would like to avoid this, as enabling this globally will automatically run all standard Cisco macros for phones, APs, etc.
    To prevent this, I need to configure "no macro auto processing" on each and every interface...
    Isn't there another way to enable macros but not run the default macros on all ports? Only run -custom- macros when triggered by ISE?
    regards,
    Geert

  • Auto Smartports with non-Cisco devices

    I have used auto smartports in the past and have been successful creating macros that use mac-addresses.
    My question is can I create a macro that works with non-Cisco devices that are CDP capable?
    We have Motorola access points that use CDP and I would like to use auto smartports to put them on their own VLANs.
    Can it be done using CDP?  What version of the IOS would I need to be on?  Currently the 3750-Xs are on 12.2.(55).
    Are there any guides or configuration examples?  I've searched but have been unsuccessful in finding anything so far.
    I have seen some articles that reference device sensors and device profiles, but have no idea where to begin.
    Thanks in advance for your support.

    You may need to create a Cisco TAC case for this.
    If not, then move this thread to the EEM section.  If the Moto AP supports CDP then you can get someone (like Joe Clark) to build a small EEM script.
    EEM is supported up to the 3560/3750.

  • Auto Smartport Macros

    I'm looking for a little advice.  
    Background
    I've got Auto SmartPort Macros working on the newest firmware for my 2960x switches for all of my devices.  15.2(3)E
    However I'm having some buggy issues with 15.2(3)E.  If it's a small stack of 2 switches, no problems at all.  However I tested on a 7 switch stack and repeatedly lost connectivity to the stack.  Here are more details on that specific issue. 
    Cisco Suggested Firmware
    The "Cisco Suggested" firmware is 15.0(2)EX5 (Based on what the download section tells you)
    However when I'm running 15.0(2)EX5 the switch is unable to automatically detect my Cisco 7821/7841/8841/8831 phones and my CAP702i APs.
    I'm assuming it's because the devices are actually newer than the Suggested Firmware.
    Here is a 7821 Example, it knows the model but not that it should fall in the Cisco IP Phone category...
    Here is a CAP702i:
    The actual questions
    Is there a way (besides updating the firmware) to add to the known devices list?  "sh macro auto monitor"
    I've considered adding all of the OUIs, there are about 6 that I've found.  Is that my best solution?
    If I start filling the switch up with OUIs to detect, am I going to have a performance hit?
    Is anyone running 15.2(3)E in production?  Feedback?  Should I stay with the Cisco Suggested?
    Is there any indication of when the next firmware rev will be released? 
    Thanks for any input and advice you can give.
    -Mike

    Hi Brademeyer29,
    What you see is unfortunately not a configuration issue. This has been reported to the engineering team and should be fixed in the next firmware release, 1.4.1.
    For now you will have to use a workaround such as not changing the native VLAN or not using smartport.
    Regards,
    Aleksandra

  • VLAN trunking from Cisco Catalyst 3750 to Cisco SF300-48P issue and related

    Hello expert,
    I'm having difficulties to configure VLAN trunking between Cisco Catalyst 3750 switch with Cisco SF300-48P switch and my workstation unable to get any DHCP IP from our DHCP server via Cisco SF300-48P switch. Below is the snippet of configuration on both switches:
    [Cisco Catalyst 3750 Switch]
    interface GigabitEthernet1/0/45
     description NCC-CC-1stFlr
     no switchport trunk encapsulation dot1q
     no switchport trunk allowed vlan 101-103
     spanning-tree portfast
    [Cisco SF300-48P Switch]
    interface fastethernet48
     spanning-tree link-type point-to-point
     switchport trunk allowed vlan add 101-103
     macro description switch
     !next command is internal.
     macro auto smartport dynamic_type switch
    interface fastethernet29
     switchport mode general
     switchport general allowed vlan add 103 tagged
     switchport general pvid 103
    Are these correct? Kindly advise!
    Thank you very much!
    Regards,
    Alex

    Hi Alex,
    for the trunk port on the Catalyst, port GE 1/0/45, we need to enable the trunk and force encapsulation dot1q because this Catalyst model is also ISL capable and the SF300 works only with dot1q encapsulation.
    The configuration on the Catalyst should be:
    #config terminal
    #interface Gi 1/0/45
    #switchport trunk encapsulation dot1q
    #switchport mode trunk
    #switchport trunk allowed vlan 101-103
    #spanning-tree portfast
    For the SF300 the trunk port looks fine, but for the port where the PC should receive an IP address:
    #interface fastethernet29
     #switchport mode access
     #switchport access vlan 103
    Please let me know after this configuration.
    Thanks
    Mehdi
    Please rate or mark as answered to help other Cisco Customers

  • Catalyst 3750 interface explaination

    Dear Sir,
    I don't understand as follows :-
    1.) why on Catalyst3750 interface fastethernet 1/0/1 ?? <--- what's the meaning of 1/0/1 ?
    2.) what's the meaning of no mdix auto?
    Please explain and advise.
    Thank you.

    The 3750 has many interesting features; I recommend you go through them before you connect your switches in a production environment.
    Basically, you should provision your stack master with the number of switches and their types. You could provision as well the interfaces with their corresponding configurations, even though the other elements are still not connected yet. This way, you ensure, when you add a provisioned element with the right number, it will take exactly the provisioned configuration you've already set on the master,... as well when changing an element with an other, when moving it,... you will have just to provision its number and then connect it to the stack while is not yet powered on.
    Second, it is recommended to set a priority for each element; this way you will have a deterministic configuration and you know in advance which one will be re-elected as master in any situation.
    If no provision is set on the stack master, when you connect a switch, it has by default the number "1", in this case the newly added switch will take the lowest switch number available (2).
    1.) 1/0/1 --> so the second will be 2/0/1.
    And to address its ports you type: 2/0/1, 2/0/2, 2/0/3, 2/0/4, ... 2/0/24, ...
    How to stacked both of the catalyst 3750? just purchase one stackable cable to link both of them and will it automatically configure the 2nd switch from 1/0/1 to 2/0/1 after we plug in the stackable cable into the 2nd switch.
    For large deployments I recommend the switches be provisioned manually. Before stacking the switches:
    1/ power on the switch that will be the stack master, then wait till it will be in "Ready" state by issuing "show switch detail" command.
    2/ Provision the stack master with the desired stack configuration (numbers of switches, types of switches and interfaces configurations).
    3/ Reload the stack master.
    4/ Provision the second switch with its number and type.
    5/ Power off the second switch after having saved its configuration.
    6/ Stack the second switch to the stack master.
    7/ power it on. It will take the provisioned configuration on the stack master.
    The advantage of this procedure is that switches could not be renumbered while stacked and running.
    Repeat steps 4 to 7 for each new element having been provisioned in the stack master.
    Do not forget to save after each step.
    2.) so i put "no mdix auto" on catalyst 3750, what's the meaning and impact?
    no mdix-auto will disable the advanced feature of abstracting the type of cable (straight-through or crossover). You will downgrade to the standard interface specifications. In fact, mdix-auto (activated by default) removes the "overhead" of distinguishing crossover and straight-through cables; the interfaces will adapt automatically to the type of cable.
    Another advantage of this function is that it optimises (combined with other functions) error and recovery procedures in layers 1 and 2.
    Mohamed BEN HASSINE

  • SG-300 52p POE and the case of Native vlan forgotten on a Port-channel

    Hi
    We have recently changed our access switched to Cisco Small Business SG-300 52p on which is working firmware
    SW version    1.3.5.58
    We found out a very annoying problem on Port-channel and default vlan topic.
    Our switches have a default VLAN different from VLAN 1 that depends on the floor they are on, and this native VLAN is first defined on the port-channel of our central switch, a Cisco 3750
    Example of a central switch port-channel with a define native vlan:
    interface Port-channel2
    description TO 1F
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 6
    switchport trunk allowed vlan 4-6,11,13
    switchport mode trunk
    on the SG300 side the configuration is this:
    interface Port-channel2
    description 1F
    switchport trunk allowed vlan add 4-5,11,13
    !next command is internal.
    macro auto smartport dynamic_type switch
    As you can see there is no "switchport trunk native vlan 6", simply because once I write it on the command line the SG300 accepts the command but the command is not written to the conf (why?!)
    The result is that every time the SG300 is restarted, on the port-channel I get two AUTO CREATED commands in the configuration:
    switchport trunk native vlan 1
    switchport default-vlan tagged
    that stop the network on that floor from working until I manually write on the SG300
    no switchport default-vlan tagged
    switchport trunk native vlan 6
    These commands, as said, work once I write them but are not shown in a "sh run" and so not saved in the conf, so every time the SG300 is restarted I need to re-write them.
    Is this a bug?
    have i made some mistake?
    Please let me know
    regards
    Pietro

    Figured it out!
    The problem was in the macro; I had to write this:
    macro auto processing type switch disabled
    and then everything started working as it should.
    Regards
    Pietro

  • Problems with IP Phones registration to CUCME on SG200-50P

    System setup:
    - Router Cisco 2811 with IOS 12.4(24)T5 Advanced IP Services, CUCME 7.1, DHCP Server
       with HWIC-4ESW
    - Switches:
       - old - SLM224P
       - new - SG200-50P (SLM2048PT), OS v1.3.2.02
    - IP Phones 7911 and 7931, OS v8.4.2
    One VLAN (for desktops and IP Phones) and one IP subnet, no voice VLAN.
    Network diagram:
    C2811---HWIC-4ESW---SWITCH---IPPhones
    Problem description:
    1. In the old setup with SLM224P everything works fine.
       Connected phones almost immediately (1-2 sec. after power up) get ip address, configuration and registers to CUCME.
    2. When switch is changed to new SG200-50G:
       - ip phones get their ip address and tftp configuration very slowly - about 10-20 seconds
       - ip phones can't register to CUCME at all. On the router with SCCP debugging turned on there is no sign of a registration attempt
       - after reconnecting the old SLM224P situation backs to normal
    Things that have been checked or tried without success:
    - ports speed and duplex auto, correct detection - although not tested with manual settings
    - CDP/LLDP on/off
    - smartport mode auto and most static settings, also with disabled smartport
    - power cycle / reset
    - spanning tree and port security settings
    - solutions from that post - https://supportforums.cisco.com/thread/2232161
    None of the above methods worked.
    The only action that allowed ip phones to register was changing smartport role to static IPPhone + Desktop.
    After that when phone was disconnected and then reconnected the problem exists again - no registration (IP Phone status DECEASED in CUCME). Same with power cycle/reset.
    Please advise.
    Thanks in advance.

    1 - You have created the voice vlan?
    Nope, flat network, one ip subnet (10 hosts and 10 phones)
    2 - Have you set a phone on an untagged access port for the voice vlan to see if it works?
    Yep, phones are connected to untagged access ports of the one and only vlan
    3 - Have you tried to set the auto voice vlan on the switch so it dynamically assigns the role for ip phone + desktop?
    Not sure about auto voice vlan setting, although there was no triggers to AVV - no static voice vlan, no CDP/VSDP advertisements of voice vlan.
    We've tested static and auto smartport roles (independently of auto voice vlan feature) with successful auto-detection.
    The switch was pretty much in default out-of-the-box config (beside management parameters).
    4 - When rebooting the switch, you did ensure to save the start up to running config?
    Yes, running to startup
    5 - Have you manually set spanning tree PORT FAST for the phone ports?
    No, we haven't tested that. But portfast should be set automatically for the desktop and ip phone smartport roles.

  • Bug in autosmart port macros

    Good morning,
    I'm observing what appears to be a bug in the smartport feature on our SG300 switches. We use this for our Auto Voice VLAN. We are using our own user-defined macros in place of the ip_phone and ip_phone_desktop as we use native vlans different than what these macros allow. I believe this to be a bug.
    Reproducing steps:
    1. Define user based macro - including anti macro:
    macro name user_ip_phone
    #macro description user_ip_phone
    #macro keywords $uservoice_vlan
    #macro key description: $uservoice_vlan: The voice VLAN ID
    #Default Values are
    #$uservoice_vlan = 30
    switchport mode trunk
    smartport switchport trunk allowed vlan add $uservoice_vlan
    spanning-tree portfast
    macro name no_user_ip_phone
    #macro description no_user_ip_phone
    #macro keywords $uservoice_vlan
    #macro key description: $uservoice_vlan: The voice VLAN ID
    #Default Values are
    #$uservoice_vlan = 30
    smartport switchport trunk allowed vlan remove $uservoice_vlan
    spanning-tree portfast
    macro name user_ip_phone_desktop
    #macro description user_ip_phone_desktop
    #macro keywords $uservoice_vlan
    #macro key description: $uservoice_vlan: The voice VLAN ID
    #Default Values are
    #$uservoice_vlan = 30
    switchport mode trunk
    smartport switchport trunk allowed vlan add $uservoice_vlan
    spanning-tree portfast
    macro name no_user_ip_phone_desktop
    #macro description no_user_ip_phone_desktop
    #macro keywords $uservoice_vlan
    #macro key description: $uservoice_vlan: The voice VLAN ID
    #Default Values are
    #$uservoice_vlan = 30
    smartport switchport trunk allowed vlan remove $uservoice_vlan
    spanning-tree portfast
    2. Apply these to the built in macros:
    macro auto user smartport macro ip_phone user_ip_phone $uservoice_vlan 30
    macro auto user smartport macro ip_phone_desktop user_ip_phone_desktop $uservoice_vlan 30
    3. Set an interface to the following:
    int gig1
    switchport mode trunk
    switchport trunk native vlan 10
    spanning-tree portfast
    spanning-tree bpduguard enable
    4. Apply an IP phone to the interface and it will apply the user_ip_phone macro:
    int gig1
    spanning-tree portfast
    spanning-tree bpduguard enable
    switchport trunk allowed vlan add 30
    switchport trunk native vlan 10
    macro description user_ip_phone
    !next command is internal.
    macro auto smartport dynamic_type ip_phone
    5. This is normal behaviour and is what we are expecting. We also expect that when the switch reboots or the interface is changed, the anti macro no_user_ip_phone should be used.
    6. Two strange behaviours occur throughout the course of a reboot.
    On firmware 1.4.XX, when the switch reboots the anti macro is performed on the interface - however, the no_ip_phone macro is used instead of the no_user_ip_phone. This removes the native vlan information which is what we do not want and we are left with:
    int gig1
    spanning-tree portfast
    spanning-tree bpduguard enable
    switchport trunk allowed vlan add 30
    macro description "user_ip_phone | no_ip_phone    | user_ip_phone"
    !next command is internal.
    macro auto smartport dynamic_type ip_phone
    On firmware 1.3.5X, when the switch reboots - the same occurs and the anti macro no_ip_phone is run but the config remains the same for some strange reason:
    int gig1
    spanning-tree portfast
    spanning-tree bpduguard enable
    switchport trunk allowed vlan add 30
    switchport trunk native vlan 10
    macro description "user_ip_phone | no_ip_phone    | user_ip_phone"
    !next command is internal.
    macro auto smartport dynamic_type ip_phone
    However on firmware 1.3.5X, I have observed on multiple occasions on different switches, the statement: "macro auto user smartport macro ip_phone user_ip_phone $uservoice_vlan 30" being removed from the config after reboot which sees the default ip_phone and no_ip_phone macro run.
    Impact
    This is causing a massive impact on our environment. We've had the last few years on version 1.3.5 and the user macros have worked apart from when the switch has rebooted after being in operation for a few months, this is when the "macro auto user smartport macro ip_phone user_ip_phone $uservoice_vlan 30" gets removed and users cannot get data on their port. This has been hard to debug and investigate and seems to happen randomly.
    This is why I have tried upgrade to the 1.4.XX firmware, but have discovered the behaviour is even worse and the behaviour I outlined above happens on every reboot of the switch.
    We have about 20 to 25 SG300's in production, only one of which is still within its 12 months, and I cannot troubleshoot with this switch as it's heavily used. Therefore I cannot approach Support directly with this as there are no switches to troubleshoot on - however, I do feel the above behaviour can be reproduced and I suspect there must be some sort of bug in the macro (anti-macro) application on ports following a reboot.

    Hi Tim,
    I saw this problem in 1.4 while not in 1.3.5.
    Now there is a solution for this issue, which is to add the trunk native vlan setting to the user defined macro so that it will finally be recovered after reboot.
    no macro auto user smartport macro ip_phone_desktop
    # disassociated the user macro
    macro name u_ip_phone_desktop
    #macro keywords $u_native_vlan $u_voice_vlan
    #macro key description: $u_native_vlan: The native VLAN for trunk
    #                       $u_voice_vlan: The voice VLAN ID
    #Default Values are
    #$u_native_vlan = 10
    #$u_voice_vlan = 30
    #the default mode is trunk
    smartport switchport trunk allowed vlan add $u_voice_vlan
    smartport switchport trunk native vlan $u_native_vlan
    no macro description
    spanning-tree portfast
    macro name no_u_ip_phone_desktop
    #macro keywords $u_voice_vlan
    #macro key description: $u_voice_vlan: The voice VLAN ID
    #Default Values are
    #$u_voice_vlan = 30
    smartport switchport trunk allowed vlan remove $u_voice_vlan
    no macro description
    spanning-tree portfast auto
    macro auto user smartport macro ip_phone_desktop u_ip_phone_desktop $u_native_vlan 10 $u_voice_vlan 30
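
The post-reboot drift described in this thread (a built-in anti-macro such as no_ip_phone running in place of the user-defined one, the native VLAN line disappearing from the port, and the "macro auto user smartport macro" mapping vanishing from the config) can be checked offline against a saved "show run". The Python below is an added example, not code from the thread or from Cisco; the function names and the sample config are constructed for illustration, and it assumes interface sub-commands are indented as in real show run output.

```python
import re

# Constructed sample. gigabitethernet1 mirrors the gig1 stanza the thread shows
# after a reboot on firmware 1.4.XX; gigabitethernet2 is a healthy port added
# for contrast. No global "macro auto user smartport macro" line is present,
# which is the 1.3.5X symptom described in the thread.
SAMPLE_CONFIG = """\
interface gigabitethernet1
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport trunk allowed vlan add 30
 macro description "user_ip_phone | no_ip_phone    | user_ip_phone"
 !next command is internal.
 macro auto smartport dynamic_type ip_phone
interface gigabitethernet2
 spanning-tree portfast
 switchport trunk allowed vlan add 30
 switchport trunk native vlan 10
 macro description user_ip_phone
 !next command is internal.
 macro auto smartport dynamic_type ip_phone
"""


def parse_config(text):
    """Split a show-run style config into global lines and interface stanzas."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        match = re.match(r"^(?:interface|int)\s+(\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line[0].isspace() and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # an unindented line ends the interface stanza
            global_lines.append(line)
    return global_lines, interfaces


def macro_history(stanza):
    """Return the macro names recorded in 'macro description', oldest first."""
    for line in stanza:
        if line.startswith("macro description"):
            value = line[len("macro description"):].strip().strip('"')
            return [name.strip() for name in value.split("|") if name.strip()]
    return []


def audit(text, expected_native_vlan, user_macros, required_mappings):
    """Return (scope, message) findings for Smartport drift in a saved config.

    expected_native_vlan: native VLAN every Smartport-typed trunk should keep
    user_macros:          names of the user-defined macros and anti-macros
    required_mappings:    {built-in macro: user macro} that must stay mapped
    """
    global_lines, interfaces = parse_config(text)
    findings = []

    # 1.3.5X symptom: the global mapping statement is gone after a reboot.
    for builtin, user in required_mappings.items():
        wanted = f"macro auto user smartport macro {builtin} {user}"
        if not any(g.startswith(wanted) for g in global_lines):
            findings.append(("global", f"missing mapping {builtin} -> {user}"))

    for name, stanza in interfaces.items():
        # Only ports that Auto Smartport has typed are in scope.
        if not any(l.startswith("macro auto smartport dynamic_type") for l in stanza):
            continue
        # 1.4.XX symptom: a built-in anti-macro shows up in the history.
        unexpected = [m for m in macro_history(stanza) if m not in user_macros]
        if unexpected:
            findings.append((name, "built-in macro ran: " + ", ".join(unexpected)))
        # Native VLAN silently reverting changes where untagged traffic lands.
        native = [l.split()[-1] for l in stanza
                  if l.startswith("switchport trunk native vlan")]
        current = native[0] if native else "unset"
        if current != str(expected_native_vlan):
            findings.append(
                (name, f"native vlan is {current}, expected {expected_native_vlan}"))
    return findings


if __name__ == "__main__":
    for scope, message in audit(
        SAMPLE_CONFIG,
        expected_native_vlan=10,
        user_macros={"user_ip_phone", "no_user_ip_phone"},
        required_mappings={"ip_phone": "user_ip_phone"},
    ):
        print(f"{scope}: {message}")
```

Running it against a config saved before and after each reboot shows which ports lost their native VLAN and whether the user macro mapping survived.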

  • MANAGEMENT SOFTWARE

    teams administration software
    · Support display 30 network devices such as routers and switches
    · Display the network topology structure type tree and access to equipment from this window.
    · Monitoring of switches including packet errors, temperature, bandwidth, CPU and memory.
    · Alarm notification (by network errors or threshold) by email.
    · Allow the computer to update the software without the need for command line usage or TFTP server application.

    CNA is a great tool and have a lot of features, but LMS/CPI is full fledged NMS application which suits all your requirements.
    Following are the benefit of CNA :
    Cisco Network Assistant facilitates:
    Network discovery and convenient display in a topology map
    Configuration management of Cisco products fitting small and medium businesses
    Single-click Telnet or access to device manager
    Front panel view of devices, clusters and stacks
    Inventory reports and health monitoring
    Troubleshooting of common network issues
    Event notification of network errors and alarm thresholds
    Drag-and-drop Software upgrades saves time in maintaining your network
    Direct access to lifecycle information using Cisco Active Advisor
    Following is the benefits and features of LMS/CPI:
    Primary Functional Areas and Benefits
    Monitoring and Troubleshooting
    Proactively identify and quickly fix network problems before they affect end users and services with out-of-the-box preconfigured monitoring dashboards.
    Configuration Management
    Simplify the roll-out of new technologies and network changes through guided workflows based on Cisco best practices with built-in configuration templates that help reduce errors.
    Compliance and Audit Management
    Upgradable compliance engine offers extensive modeling of industry, corporate, IT, and technology policies and quick visibility into compliance status of the network.
    Comprehensive Reporting
    Get immediate up-to-date information about the network through flexible reporting for inventory, user tracking, compliance, switch port usage, end-of-sale, PSIRT, and other critical areas.
    Work Centers
    Easily manage all phases of the end-to-end lifecycle of Cisco value-added technologies and solutions, such as medianet, EnergyWise, TrustSec and Identity, Auto Smartports, and Smart Install.
    Cisco Prime LMS manages the deployment of the latest Cisco technologies and services such as Cisco TrustSec, and EnergyWise. Get started today with new Cisco Prime LAN Management Solution, and the related resources on this page.
    There is a similar discussion in past :
    https://supportforums.cisco.com/thread/180485
    -Thanks

  • Phones not getting IP address via DHCP server on same VLAN

    Hello....we have a new series of Cisco SF-200s and one new Cisco SF-300.  All switches are operating in layer 2 mode currently.  Let's say for all intents and purposes, all ports are in VLAN1....pretty much default setup.  There is a fiber backbone between uplink ports...and it is working correctly it appears.
    There is a DHCP server allocating addresses 192.168.0.60 thru 192.168.0.79.  Subnet mask is 255.255.255.0.
    PCs and laptops successfully receive an IP address and can access things.....such as surfing the internet.  Tested that from multiple switches....all seems to work just fine.
    However, it seems that some newly purchased phones (Digium models) simply will not acquire an IP address like the PCs and laptops do.
    Pretty broad question....but just wondering.
    Thanks!

    Hi  Greg,
    It might be interesting to go to the following sections of the GUI and disable the discovery protocols:
    1. Administration>Discovery -LLDP >properties
    2. Administration>Discovery -CDP >Management interface
    3. Smartports >Properties > Administrative Auto Smartports is disabled.
    the switches are real smart and may pre-empt what you are trying to achieve.
    regards dave

  • Cisco SG300 and LLDP with Yealink Phones.

    I am currently trying to set up a Cisco SG300 switch with a hosted VoIP solution using the SG300's at the customer's premises. I am not able to get the Yealink phones to pull an IP address and believe the problem is related to LLDP. We also use Polycom phones and they work just fine. Here is the configuration that I am currently using (I have tried several different configurations and none of them work with the Yealinks). Any help would be greatly appreciated.
    DLC#show run
    config-file-header
    DLC
    v1.3.0.62 / R750_NIK_1_3_647_260
    CLI v1.0
    set system mode switch
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    vlan database
    vlan 2,88
    exit
    voice vlan id 88
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    hostname DLC
    interface vlan 2
     name Data
    interface vlan 88
     name FlexVoice
    interface gigabitethernet1
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet2
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet3                           
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet4
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet5
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet6
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet7
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2                      
     no macro auto smartport
    interface gigabitethernet8
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet9
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet10
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet11
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet12
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet13
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet14
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet15
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet16
     switchport trunk allowed vlan add 88                
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet17
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet18
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet19
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet20
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport                             
    interface gigabitethernet21
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet22
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet23
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet24
     switchport trunk allowed vlan add 88
     switchport trunk native vlan 2
     no macro auto smartport
    interface gigabitethernet27
     switchport mode access
     switchport access untagged vlan 2
     no macro auto smartport
    interface gigabitethernet28                          
     switchport mode access
     switchport access untagged vlan 88
     no macro auto smartport
    exit
    DLC#

    Here is the latest configuration that I tried, Polycom phone worked, Yealink didn't.
    co-test#show run
    config-file-header
    co-test
    v1.4.0.88 / R800_NIK_1_4_194_194
    CLI v1.0
    set system mode switch
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    vlan database
    vlan 2,88,881
    exit
    voice vlan id 88
    voice vlan state oui-enabled
    voice vlan cos 6 remark
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 0004f2 Polycom               
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 001565 Yealink
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    hostname co-test
    interface vlan 2
     name data
    interface vlan 88
     name flexvoice
     ip address 172.16.88.2 255.255.255.0
     no ip address dhcp
    interface gigabitethernet1
     voice vlan enable
    interface gigabitethernet2
     voice vlan enable                                    
    interface gigabitethernet3
     voice vlan enable
    interface gigabitethernet4
     voice vlan enable
    interface gigabitethernet5
     voice vlan enable
    interface gigabitethernet6
     voice vlan enable
    interface gigabitethernet7
     voice vlan enable
    interface gigabitethernet8
     voice vlan enable
    interface gigabitethernet9
     voice vlan enable
    interface gigabitethernet10
     voice vlan enable
    interface gigabitethernet11
     voice vlan enable
    interface gigabitethernet12
     voice vlan enable
    interface gigabitethernet13
     voice vlan enable
    interface gigabitethernet14
     voice vlan enable
    interface gigabitethernet15
     voice vlan enable
    interface gigabitethernet16
     voice vlan enable
    interface gigabitethernet17                           
     voice vlan enable
    interface gigabitethernet18
     voice vlan enable
    interface gigabitethernet19
     voice vlan enable
    interface gigabitethernet20
     voice vlan enable
    interface gigabitethernet21
     voice vlan enable
    interface gigabitethernet22
     voice vlan enable
    interface gigabitethernet23
     voice vlan enable
    interface gigabitethernet24
     voice vlan enable                                    
    interface gigabitethernet27
     switchport mode access
     switchport access vlan 2
     no macro auto smartport
    interface gigabitethernet28
     switchport mode access
     switchport access vlan 88
     no macro auto smartport
    exit
    co-test#

  • RADIUS packet-id not incrementing, called-station-id missing

    I am running v1.3.5.58 on an SG300-20.  I am attempting to use a Network Access Control (NAC) solution, which involves a RADIUS proxy.  It is getting confused by two odd behaviors of the SG300 when attempting EAP-PEAP-MSCHAPv2 authentication. 
    1. The SG300 does not properly increment the "Packet Identifier" bits as it progresses through the RADIUS negotiation.  The packet identifier is always 0x00.
    2. The SG300 does not properly set the "Called-Station-ID" Attribute-Value-Pair (AVP).  Instead, it is left blank.
    Although freeradius is able to find a way around these problems, the NAC RADIUS proxy cannot.  Have I done something in the config to cause this to happen (see below)?  Is this a known bug?  Does it have a workaround?  Will our hero defeat the villain and save the day?  ;-)
    config-file-header
    ausoff-sw-test1
    v1.3.5.58 / R750_NIK_1_35_647_358
    CLI v1.0
    set system mode switch
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    spanning-tree priority 40960
    port jumbo-frame
    vlan database
    vlan 2-3,12,14,16,99,600,1000,1010
    exit
    voice vlan id 1010
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    dot1x system-auth-control
    dot1x traps authentication failure 802.1x
    dot1x traps authentication success 802.1x
    hostname ausoff-sw-test1
    line console
    exec-timeout 30
    exit
    line ssh
    exec-timeout 30
    exit
    line telnet
    exec-timeout 30
    exit
    encrypted radius-server key C1TbrSasKDSDdUoOG2XrohFMsM5tVmu+3QyTwkiVKMI=
    encrypted radius-server host 172.18.14.114 key C1TbrSasKDSDdUoOG2XrohFMsM5tVmu+3QyTwkiVKMI= priority 1 usage dot1.x
    radius-server host 172.18.58.58 usage dot1.x
    radius-server timeout 10
    logging host 172.18.58.50
    aaa accounting dot1x start-stop group radius
    enable password level 15 encrypted
    username nac password encrypted *** privilege 15
    username admin password encrypted *** privilege 15
    username cisco password encrypted *** privilege 15
    username readonly password encrypted ***
    ip ssh server
    ip ssh password-auth
    snmp-server server
    snmp-server engineID local 800000090308cc68423f4d
    snmp-server location "***"
    snmp-server contact "***"
    snmp-server community *** rw 172.18.58.58 view DefaultSuper
    snmp-server community *** rw 172.18.14.105 view DefaultSuper
    snmp-server host 172.18.58.58 traps version 2c nac
    snmp-server host 172.18.58.58 version 3 auth nac
    snmp-server group nac v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
    snmp-server group SNMPSuperuser v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
    encrypted snmp-server user nac nac v3 auth sha ***
    encrypted snmp-server user ManageEngines SNMPSuperuser v3 auth sha ***
    ip http timeout-policy 1800
    clock timezone " " -6
    sntp anycast client enable ipv4
    sntp broadcast client enable ipv4
    clock source sntp
    sntp unicast client enable
    sntp unicast client poll
    sntp server 0.pool.ntp.org poll
    sntp server 1.pool.ntp.org poll
    ip domain name blah.net
    ip name-server  172.18.19.232
    ip domain timeout 2
    ip domain retry 1
    ip telnet server
    interface vlan 2
    name NACRegistration
    interface vlan 3
    name NACIsolation
    interface vlan 12
    name Users
    interface vlan 14
    name Dev
    interface vlan 16
    name LAN
    interface vlan 99
    name Mgmt
    ip address 172.18.58.61 255.255.255.128
    interface vlan 600
    name "Core Test"
    dot1x guest-vlan
    interface vlan 1000
    name Guest
    interface vlan 1010
    name Voice
    interface gigabitethernet1
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet2
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet3
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet4
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet5
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet6
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet7
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet8
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet9
    dot1x host-mode single-host
    dot1x violation-mode protect trap 10
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet10
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet11
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet12
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet13
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet14
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet15
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet16
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet17
    dot1x host-mode multi-sessions
    no snmp trap link-status
    port monitor GigabitEthernet 20
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode general
    switchport general acceptable-frame-type untagged-only
    switchport forbidden default-vlan
    interface gigabitethernet18
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet19
    switchport trunk native vlan 600
    interface gigabitethernet20
    spanning-tree link-type point-to-point
    switchport trunk allowed vlan add 2-3,12,14,16,99,600,1000,1010
    macro description switch
    !next command is internal.
    macro auto smartport dynamic_type switch
    exit
    ip default-gateway 172.18.58.1

    Thank you for your response, Tom.  I have performed packet captures associated with this issue, and they show that the Called-Station-ID AVP is not sent with the RADIUS packets, from the SG300.  There is not an issue with capitalization, the value is simply not provided at all.  Here is an example of a tcpdump decode of such a packet.  Please note the missing attribute:
    15:48:01.843296 IP (tos 0x0, ttl 64, id 59875, offset 0, flags [none], proto UDP (17), length 142)
        172.18.58.61.49205 > 172.18.58.58.1812: [udp sum ok] RADIUS, length: 114
            Access Request (1), id: 0x00, Authenticator: 390000003f2000009e3f0000eb670000
              NAS IP Address Attribute (4), length: 6, Value: 172.18.58.61
                0x0000:  ac12 3a3d
              NAS Port Type Attribute (61), length: 6, Value: Ethernet
                0x0000:  0000 000f
              NAS Port Attribute (5), length: 6, Value: 57
                0x0000:  0000 0039
              Username Attribute (1), length: 12, Value: SSO\dalewl
                0x0000:  5353 4f5c 6461 6c65 776c
              Accounting Session ID Attribute (44), length: 10, Value: 050000DF
                0x0000:  3035 3030 3030 4446
              Calling Station Attribute (31), length: 19, Value: E0-DB-55-B3-1D-5C
                0x0000:  4530 2d44 422d 3535 2d42 332d 3144 2d35
                0x0010:  43
              EAP Message Attribute (79), length: 17, Value: ..
                0x0000:  0201 000f 0153 534f 5c64 616c 6577 6c
              Message Authentication Attribute (80), length: 18, Value: ......R..1...EU.
                0x0000:  bed3 b19e c70f 52e0 ec31 afcb d545 55ad

  • SG300: MAC authentication with Radius VLAN assignment problems

    Hi,
    I just can't get the dynamic vlans working. I've tried everything, switch in L3 mode, switch in L2, several port configs, several tunnel configs in Radius server (freeradius 2.1.1)
    Here's the final switch config:
    config-file-header
    switchf460dc
    v1.3.7.18 / R750_NIK_1_35_647_358
    CLI v1.0
    set system mode switch
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    no spanning-tree
    vlan database
    vlan 12,100,110,666
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    dot1x system-auth-control
    no bonjour enable
    hostname switchf460dc
    line ssh
    exec-timeout 0
    exit
    encrypted radius-server host 192.168.99.93 key xXx priority 1 usage dot1.x
    logging host 1.2.3.4 severity debugging
    passwords aging 0
    ip ssh server
    snmp-server server
    snmp-server community public ro 192.168.99.93 view Default
    clock timezone " " +1
    clock summer-time web recurring eu
    clock source sntp
    sntp unicast client enable
    sntp server 172.16.1.1
    interface vlan 12
     ip address 192.168.99.170 255.255.255.0
     no ip address dhcp
    interface gigabitethernet5
     dot1x host-mode multi-sessions
     dot1x reauthentication
     dot1x authentication mac
     dot1x radius-attributes vlan static
     dot1x port-control auto
     switchport mode general
     switchport general allowed vlan add 100,110,666 untagged
     no macro auto smartport
    interface gigabitethernet6
     switchport mode access
     switchport access vlan 110
    interface gigabitethernet9
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet10
     switchport trunk allowed vlan add 12,100,110
    exit
    ip default-gateway 192.168.99.1
    On the switch side I would expect VLAN 666 to be set but it's not there:
    switchf460dc#show dot1x users
                              MAC               Auth   Auth   Session        VLAN
    Port     Username         Address           Method Server Time
    gi5      0090dca15880     00:90:dc:a1:58:80 MAC    Remote 01:09:25
    This is the radius users file. It's a simple file for test.
    DEFAULT Auth-Type := Accept
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 666
    I am attaching a screenshot of the Radius reply sent by the server.
    I also tried setting "copy_request_to_tunnel = yes" and "use_tunneled_reply = yes" as found in another post, no success.
    It may be that the tag is missing in the Radius reply? If yes, how do I add it?
    Any ideas?
    Thanks.
    Update Dec 11: I tried with FW 1.4.0, and using the same config the switch doesn't perform any Radius requests at all anymore.

    I was wrong when I said that 1.4.0 wouldn't work at all. I simply had a device connected which didn't produce much traffic. My bad.
    So 1.4.0 works as far as the auth is concerned, but no improvement as far as dynamic VLAN is concerned. So there is no improvement over 1.3.7, or there is a config issue.
    I have opened SR 633001533 although the last appointment for WebEx went by without anyone getting back to me. I'll try again on Monday.
    Feel free to get back to me if you need anything to make experiments. I'll keep this thread updated too.
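Both SG300 RADIUS threads above come down to reading attributes off the wire, so here is an added example (not code from either poster or from Cisco) that parses a RADIUS datagram, flags Access-Requests that lack Called-Station-Id or reuse an identifier for a different request, and shows whether the tunnel attributes of an Access-Accept carry a tag. The function names are hypothetical; the request is reassembled from the tcpdump decode in the first thread, while the follow-up request and the Access-Accept are constructed samples.

```python
import struct

CALLED_STATION_ID = 30                                  # RFC 2865
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP = 64, 65, 81   # RFC 2868

def parse_radius(pkt: bytes):
    """Return (code, identifier, [(attr_type, value), ...]); ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("length field disagrees with datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError(f"bad attribute at offset {pos}")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, attrs

def audit_requests(packets):
    """Check Access-Requests from one NAS for the two symptoms in the first thread."""
    findings, seen = [], {}
    for n, pkt in enumerate(packets):
        code, ident, attrs = parse_radius(pkt)
        if code != 1:                       # 1 = Access-Request
            continue
        if all(t != CALLED_STATION_ID for t, _ in attrs):
            findings.append(f"request {n}: Called-Station-Id (30) absent")
        # A retransmission repeats the whole packet; a new request must not reuse the id.
        if seen.setdefault(ident, pkt) != pkt:
            findings.append(f"request {n}: identifier 0x{ident:02x} reused")
    return findings

def tunnel_attrs(pkt: bytes):
    """Decode the tunnel attributes of a reply as {attr_type: (tag, value)}."""
    out = {}
    for a_type, val in parse_radius(pkt)[2]:
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(val) == 4:
            out[a_type] = (val[0], int.from_bytes(val[1:], "big"))
        elif a_type == TUNNEL_GROUP and val:
            # The first octet is a tag only when it is 0x1F or below; otherwise it is data.
            tag, text = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            out[a_type] = (tag, text.decode("ascii", "replace"))
    return out

# Access-Request reassembled from the tcpdump decode in the first thread.
PAGE_REQUEST = bytes.fromhex(
    "01000072390000003f2000009e3f0000eb670000"
    "0406ac123a3d3d060000000f050600000039010c53534f5c64616c65776c"
    "2c0a30353030303044461f1345302d44422d35352d42332d31442d3543"
    "4f110201000f0153534f5c64616c65776c5012bed3b19ec70f52e0ec31afcbd54555ad")
# Constructed: same attributes, different authenticator, i.e. a new request.
NEXT_REQUEST = PAGE_REQUEST[:4] + bytes(range(16)) + PAGE_REQUEST[20:]
# Constructed Access-Accept: Tunnel-Type VLAN (13), medium IEEE-802 (6), group "666", no tag.
ACCEPT = bytes.fromhex("02000025" + "00" * 16 + "40060000000d4106000000065105363636")

if __name__ == "__main__":
    print(audit_requests([PAGE_REQUEST, NEXT_REQUEST]))
    print(tunnel_attrs(ACCEPT))
```

A tag of 0 in the output means the attribute was sent untagged; feeding the function a reply taken from a capture between the switch and the RADIUS server shows what is actually sent.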

  • Not getting ONE domain via APE

    I'm using APE to run my whole network here at home. So far I've loved it.
    Until about 3 days ago, we had access to everything running just fine, but for some reason, my University's domain (everything under uwosh.edu) will not come up for us, and I've narrowed it down to the APE. Here's the troubleshooting I've done so far:
    1. Tested other domains (i.e. google.com, apple.com, hp.com, etc.) and have had absolutely no problems with access.
    2. Restarted the APE, this had no effect on access whatsoever.
    3. Restarted my modem. Again, no effect.
    4. Restarted my computer w/ the Airport utility installed. No effect.
    5. Shut everything down uninstalled Airport utility, and rebooted my computer, then turned on my modem, connected my modem directly to my computer and voila, I'm getting connectivity to the entire uwosh.edu domain. I held down the APE reset button until it reset, and plugged everything back in, and re-installed it on my main computer, and now I'm still getting access to everything BUT uwosh.edu again.
    ARGGGGGHHHHHH!!!!!!!!!
    Not sure what to do here since I have access to the entire domain when using just my modem (we have road runner btw) but NOT when connecting via my APE. If you need further details, i.e. DNS, DHCP, etc., to help troubleshoot, please let me know.

    Hi  Greg,
    Might be interesting to go to the following sections of the GUI and disable the discovery protocols:
    1. Administration > Discovery - LLDP > Properties
    2. Administration > Discovery - CDP > Management interface
    3. Smartports > Properties > Administrative Auto Smartports is disabled.
    The switches are real smart and may pre-empt what you are trying to achieve.
    Regards, Dave
