AutoQos

Is this created via smartports in Cisco Network Assistant or does autoqos do this?
interface FastEthernet0/11
 switchport access vlan 68
 switchport mode access
 switchport voice vlan 402
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast

autoqos is responsible for:
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
auto qos voip cisco-phone

Similar Messages

  • How can I tell that AutoQOS config is adequate on a video conference switch

    I have a Tandberg video conference bridge and gateway connected to a 3750 switch. The audio is marked EF and the video CS3. I configured AutoQos on the switch and trust DSCP on the ports. When we reach a large video conference of 25 or more attendees, we begin to have problems. The Tandberg starts to ratchet some of the video streams down, some to below 180kps, and the conference quality begins to suffer.
    The only change to the default AutoQOS config I've made is changing the "mls qos trust dscp" on the uplinks, adding a QOS policy on the Tandberg ports to mark the video with CS3 and trust the audio DSCP (Tandberg had a bug that didn't mark the video packets) and adding
    queue-set 2
    priority-queue out
    to the uplinks.
    Will the default AutoQOS queue/buffer/SRR share and shape commands be adequate for 25 to 30 simultaneous video streams? We allow about 500k per stream.
    I read through the 3750 QOS guide, but am a bit confused with the explanations of the queuing and SRR workings. I know that CS3 is mapped to COS-3, but don't know which queue it goes in and whether or not it gets shaped/discarded when too much video is present.
    Once I am sure that the 3750 QOS is working OK, and not causing problems with our large conference calls, then I'll expand my troubleshooting to the rest of the network.
    I've attached a text file with the 3750 config, and 'show mls qos int statistics' that show the packets are being marked.

    I mistyped in my first post. I do indeed mark the video as AF41 (Cos4). It is the call control that I mark CS3 with the policy map to get around the old Tandberg bug that doesn't mark the call control.
    So do you think the queue 3, where Cos4 goes to, is big enough to handle 30 video streams of 480k? If my calculation is correct that would be 14.4mbps of video on a 100mbps port.
    With this config.....
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape 10 0 0 0
    ...is it telling me that queues 1 & 2 get 10% bw, queue 3 gets 60% and queue 4 gets 20% bw and is shared? If that is correct then 60% is more than enough for 14.4mbps of video.
    What happens if too much video overruns the queue?

  • VoIP & AutoQoS & frame/atm

    I have 2 remote locations connected via frame/atm links currently with no QoS configs and potentially running VoIP. Is AutoQoS the simplest and/or best solution for voip communication across the WAN (frame/atm) if no other QoS is required?
    Thanks for your consideration -

    I'll admit that I haven't used AutoQoS on a WAN link, and definitely not on a FR/ATM interface.
    I normally associate appropriate use of the AutoQoS command with L2 switchports, since the queueing on the switches is much more complex.
    For routers, it's very simple, and there is a wider variance in how people use it.
    In a very bare-bones scenario, you can get away with this:
    class-map match-all voice
     match protocol rtp audio
    policy-map LLQ
     class voice
      priority percent 50
     class class-default
      fair-queue
    int s0/0
     service-policy out LLQ
    You could make it more well rounded by matching on your VoIP signaling and other high priority traffic, but that's specific to your needs.
    -nick

  • AutoQoS Marking at CE done. PE router?

    Hi there,
    I've implemented AutoQoS at a managed CE router which is running MPLS VPN. At the PE router, I need to match the MPLS experimental bits, which I find kind of confusing to do at the PE router.
    BTW, is there such a thing as AutoQoS for a PE router, particularly on MPLS VPN?
    Thanks in advance.
    Below is the config at CE:
    class-map match-any AutoQoS-VoIP-Remark
     match ip dscp ef
     match ip dscp cs3
     match ip dscp af31
    class-map match-any AutoQoS-VoIP-Control-UnTrust
     match access-group name AutoQoS-VoIP-Control
    class-map match-any AutoQoS-VoIP-RTP-UnTrust
     match protocol rtp audio
     match access-group name AutoQoS-VoIP-RTCP
    policy-map AutoQoS-Policy-UnTrust
     class AutoQoS-VoIP-RTP-UnTrust
      priority percent 70
      set dscp ef
     class AutoQoS-VoIP-Control-UnTrust
      bandwidth percent 5
      set dscp af31
     class AutoQoS-VoIP-Remark
      set dscp default
     class class-default
      fair-queue
    ip access-list extended AutoQoS-VoIP-Control
     permit tcp any any eq 1720
     permit tcp any any range 11000 11999
     permit udp any any eq 2427
     permit tcp any any eq 2428
     permit tcp any any range 2000 2002
     permit udp any any eq 1719
     permit udp any any eq 5060
    ip access-list extended AutoQoS-VoIP-RTCP
     permit udp any any range 16384 32767

    Hi Maher,
    At this point in time, Cisco only supports AutoQoS for VoIP and for Enterprises. I don't think there are too many carriers out there who would be interested in such a feature since they would want to customise QOS parameters to their network and not use a boiler-plate automatically-generated configuration.
    Paresh

  • AutoQoS for voice traffic settings?

    Hi Everybody, 
    I have enabled auto qos on the switch and the following is the information.
    Voice is the most important traffic in the network; I must ensure voice traffic goes first.
    SW# show mls qos map dscp-output-q
       Dscp-outputq-threshold map:
         d1 :d2    0     1     2     3     4     5     6     7     8     9
          0 :    04-03 04-03 04-03 04-03 04-03 04-03 04-03 04-03 04-01 04-02
          1 :    04-02 04-02 04-02 04-02 04-02 04-02 03-03 03-03 03-03 03-03
          2 :    03-03 03-03 03-03 03-03 02-03 02-03 02-03 02-03 02-03 02-03
          3 :    02-03 02-03 03-03 03-03 03-03 03-03 03-03 03-03 03-03 03-03
          4 :    01-03 01-03 01-03 01-03 01-03 01-03 01-03 01-03 02-03 02-03
          5 :    02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03
          6 :    02-03 02-03 02-03 02-03
    SW# show mls qos queue-set
    Queueset: 1
    Queue     :       1       2       3       4
    buffers   :      10      10      26      54
    threshold1:     138     138      36      20
    threshold2:     138     138      77      50
    reserved  :      92      92     100      67
    maximum   :     138     400     318     400
    For the 
    DSCP 46 : it's 01-03 (voice)
    DSCP 0 : it's 04-03 (general traffic)
    From my understanding 
    - 01-03 means queue 1 and threshold3. (by default threshold3 is 100 and hidden)
    - queue-set 1 is enabled by default on all interface and hidden
    According to the above information, 
    - Is Auto QoS designed so that voice goes first?
    - Why are the Q1 buffer and maximum less than Q4? Isn't it supposed to set more buffer on Q1 for voice traffic? Or do I have to re-distribute the queue buffer and threshold, etc...
    - Or if I just use priority-queue out, will those queue settings be ignored?
    Thanks in advance
    Sam

    udp ports 16384 to 32767 for rtp traffic
    1720 tcp for control (h323 protocol)
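
The two show outputs in the question above can be joined mechanically. As an added example (not part of the original thread), this Python script parses the `show mls qos map dscp-output-q` grid and the `show mls qos queue-set` table exactly as posted and reports, per egress queue, which DSCP values land in it and the buffers figure printed for it. The function names are illustrative.

```python
import re

# Both samples are copied from the post above.
DSCP_OUTPUT_Q = """\
Dscp-outputq-threshold map:
  d1 :d2    0     1     2     3     4     5     6     7     8     9
   0 :    04-03 04-03 04-03 04-03 04-03 04-03 04-03 04-03 04-01 04-02
   1 :    04-02 04-02 04-02 04-02 04-02 04-02 03-03 03-03 03-03 03-03
   2 :    03-03 03-03 03-03 03-03 02-03 02-03 02-03 02-03 02-03 02-03
   3 :    02-03 02-03 03-03 03-03 03-03 03-03 03-03 03-03 03-03 03-03
   4 :    01-03 01-03 01-03 01-03 01-03 01-03 01-03 01-03 02-03 02-03
   5 :    02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03 02-03
   6 :    02-03 02-03 02-03 02-03
"""

QUEUE_SET = """\
Queueset: 1
Queue     :       1       2       3       4
buffers   :      10      10      26      54
threshold1:     138     138      36      20
threshold2:     138     138      77      50
reserved  :      92      92     100      67
maximum   :     138     400     318     400
"""

# A grid row is "<d1> : <qq-tt> <qq-tt> ..."; the header row starts with "d1".
GRID_ROW = re.compile(r"^(\d)\s*:\s*((?:\d{2}-\d{2}\s*)+)$")
QS_ROW = re.compile(r"^(buffers|threshold1|threshold2|reserved|maximum)\s*:\s*([\d\s]+)$")


def parse_dscp_output_q(text):
    """Return {dscp: (queue, threshold)}; DSCP = d1 * 10 + d2."""
    table = {}
    for line in text.splitlines():
        m = GRID_ROW.match(line.strip())
        if not m:
            continue
        d1 = int(m.group(1))
        for d2, cell in enumerate(m.group(2).split()):
            queue, threshold = (int(part) for part in cell.split("-"))
            table[d1 * 10 + d2] = (queue, threshold)
    return table


def parse_queue_set(text):
    """Return {row_name: [value for queue 1..4]} for the numeric rows."""
    rows = {}
    for line in text.splitlines():
        m = QS_ROW.match(line.strip())
        if m:
            rows[m.group(1)] = [int(v) for v in m.group(2).split()]
    return rows


def per_queue_summary(dscp_map, queue_set):
    """Join both outputs: DSCP members and the printed buffers value per queue."""
    summary = {}
    for q in range(1, 5):
        summary[q] = {
            "dscps": sorted(d for d, (queue, _) in dscp_map.items() if queue == q),
            "buffers": queue_set["buffers"][q - 1],
        }
    return summary


if __name__ == "__main__":
    dscp_map = parse_dscp_output_q(DSCP_OUTPUT_Q)
    report = per_queue_summary(dscp_map, parse_queue_set(QUEUE_SET))
    for q, info in report.items():
        print(f"queue {q}: buffers={info['buffers']:>3} dscps={info['dscps']}")
    print("DSCP 46 ->", dscp_map[46], " DSCP 0 ->", dscp_map[0])
```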

  • VXC 2100 series over VPN

    So I found this in a Cisco article:
    Note: The 99xx and 8961 phones can be upgraded to support VPN capabilities for VXC traffic. With this capability enabled, VXC voice and video traffic on the phone VPN are prioritized to ensure high quality.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/VXI/AG/VXI_AG.html#wp1060858
    I looked for a firmware release, but the newest for the phone firmware is from October. Does anyone have an idea when this feature will actually be available? I am working on a project for remote users and this is a perfect solution.

    mybranch#sh int fa01 switchport
    Name: Fa1
    Switchport: Enabled
    Administrative Mode: dynamic access
    Operational Mode: dynamic access
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Disabled
    Access Mode VLAN: 10 (VLAN0010)
    Trunking Native Mode VLAN: 1 (default)
    Trunking VLANs Enabled: ALL
    Trunking VLANs Active: 10,50
    Protected: false
    Priority for untagged frames: 0
    Override vlan tag priority: FALSE
    Voice VLAN: 50
    Appliance trust: none
    mybranch#
    mybranch#sh run int vlan 50
                         ^
    % Invalid input detected at '^' marker.
    mybranch#
    mybranch#sh run int fa01
    Building configuration...
    Current configuration : 190 bytes
    interface FastEthernet1
     switchport access vlan 10
     switchport voice vlan 50
     no ip address
     auto qos voip trust
     spanning-tree portfast
     service-policy output AutoQoS-Policy-Trust
    end
    mybranch#sh run int vlan 10
    Building configuration...
    Current configuration : 162 bytes
    interface Vlan10
     ip address 192.168.10.1 255.255.255.0
     ip helper-address 192.168.200.200
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    end
    Note: The IP address 192.168.200.200 is the DHCP server at my main office. I posted some extras just in case.
    Thanks.

  • ARP table not populating mac address for previously reachable IP address

    Router has been online and working fine with one BGP neighbor for almost 2 years and no downtime.  2 weeks ago, added a 2nd BGP peer.  Everything worked fine for 2 weeks, then all of a sudden yesterday the 2nd BGP peer is disconnected and does not come back.  ISP checks and sees everything looks fine on their end.  We cannot even ping each other now.
    Upon investigation, the ARP table is not even populating the MAC address for the BGP peer IP anymore (same local subnet).  Stays "incomplete" in the table no matter what we do, including clearing arp table, changing IP address, etc.
    Plug a laptop directly into the 2nd BGP peer FE port and replicate the IP addressing.  Laptop cannot ping Router, but Router CAN ping laptop.  Check ARP table, but STILL no mac address assigned and now not even the ARP table showing "incomplete".
    Thinking it could be the FE interface, switch to the 2nd FE interface and perform same laptop test, this time with arbitrary IP addressing.  Now cannot ping each other, no MAC in ARP table.
    End up rebooting the router and lo-and-behold, everything is working normally again.  2nd BGP peer peers up instantly.
    I should also mention that the 1st BGP peer worked flawlessly throughout, taking all the Internet load and having no issues throughout.
    Also, the FE ports for the 2nd BGP peer are on an HWIC FE card plugged into the router.  The 1st BGP peer is plugged into the built-in GE interface.  2901 running: c2900-universalk9-mz.SPA.151-4.M4.bin
    Lastly, no router resource issues, no error messages, no logs.  Just the BGP peer disconnecting.
    I have never, in 20 years working with Cisco routers seen something like this before.  This is the most fundamental aspect of IP and Ethernet that was not working.
    Has anyone ever seen this behavior before??
    Here is the router config (IP's changed):
    version 15.1
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service internal
    service sequence-numbers
    boot-start-marker
    boot-end-marker
    logging buffered 150000
    aaa new-model
    aaa authentication login LAUTHEN local
    aaa authentication login TAUTHEN local group tacacs+ enable
    aaa authorization console
    aaa authorization exec LAUTHOR local if-authenticated
    aaa authorization exec TAUTHOR local group tacacs+ if-authenticated
    aaa session-id common
    clock timezone PST -8 0
    clock summer-time PDT recurring
    no ipv6 cef
    no ip source-route
    ip cef
    no ip domain lookup
    multilink bundle-name authenticated
    username ubiadmin privilege 15 secret 4 .JbeuWXuZvchrG0OL.5BftFtqrrEyxcnVHn5rIuCnTk
    username umitsnoc01 privilege 15 secret 4 cUmoRUjey9O1x.wk9S.kleX.iAAhCwihupr6Z98p6OA
    redundancy
    ip ssh version 2
    track 1 interface GigabitEthernet0/0 line-protocol
    class-map match-any AutoQoS-VoIP-RTP-Trust
     match access-group name SIP-Media-INBOUND
    class-map match-any AutoQoS-VoIP-Control-Trust
     match ip dscp cs3
     match ip dscp af31
    class-map match-any Customer-Voice
     match access-group name Customer-VPNs
    class-map match-any media
     match access-group name SIP-Media
    class-map match-any signaling
     match access-group name SIP-Signaling
    policy-map AutoQoS-Policy-Trust
     class AutoQoS-VoIP-RTP-Trust
      priority percent 70
     class AutoQoS-VoIP-Control-Trust
      bandwidth percent 5
     class class-default
      fair-queue
    policy-map queue
     class signaling
      bandwidth percent 5
     class media
      priority percent 50
     class Customer-Voice
      priority percent 40
     class class-default
      fair-queue
    policy-map shape
     class class-default
      shape average 10000000
      service-policy queue
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     description BGP Peer 1
     ip address 2.2.2.2 255.255.255.252
     no ip redirects
     ip flow ingress
     ip flow egress
     duplex auto
     speed auto
     service-policy output shape
    interface GigabitEthernet0/1
     description LAN
     ip address 1.2.3.4 255.255.255.0
     no ip redirects
     ip flow ingress
     ip flow egress
     standby 255 ip 1.2.3.1
     standby 255 priority 105
     standby 255 preempt
     standby 255 mac-address 1a2b.3c4d.5e6f
     standby 255 track 1 decrement 10
     duplex auto
     speed auto
     service-policy output AutoQoS-Policy-Trust
    interface FastEthernet0/0/0
     description BGP Peer 2
     ip address 1.1.1.1 255.255.255.252
     ip flow ingress
     ip flow egress
     duplex full
     speed 100
     service-policy output shape
    interface FastEthernet0/0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    router bgp 7777
     bgp router-id 2.2.2.2
     bgp log-neighbor-changes
     network 1.2.3.0 mask 255.255.255.0
     neighbor 1.1.1.2 remote-as 5555
     neighbor 1.1.1.2 update-source FastEthernet0/0/0
     neighbor 1.1.1.2 prefix-list L3-DEFGW in
     neighbor 1.1.1.2 route-map L3-LPREF-IN in
     neighbor 2.2.2.1 remote-as 6666
     neighbor 2.2.2.1 ebgp-multihop 2
     neighbor 2.2.2.1 update-source GigabitEthernet0/0
     neighbor 2.2.2.1 send-community
     neighbor 2.2.2.1 prefix-list COLO-DEFGW in
     neighbor 2.2.2.1 route-map COLO-LPREF-IN in
     neighbor 2.2.2.1 route-map COLO-OUT out
    ip forward-protocol nd
    ip bgp-community new-format
    ip as-path access-list 5 permit _5555_
    ip as-path access-list 5 deny .*
    ip as-path access-list 10 permit ^6666$
    no ip http server
    no ip http secure-server
    ip flow-top-talkers
     top 50
     sort-by bytes
    ip route 0.0.0.0 0.0.0.0 1.1.1.2 254 name L3
    ip route 0.0.0.0 0.0.0.0 2.2.2.1 255 name COLO1
    ip route 10.0.0.0 255.0.0.0 10.10.10.10 name FW_OUTSIDE
    ip tacacs source-interface GigabitEthernet0/1
    ip access-list standard SNMP_SOURCES
     permit 12.12.12.0 0.0.0.255
     deny   any log
    ip prefix-list L3-DEFGW seq 5 permit 0.0.0.0/0
    ip prefix-list COLO-DEFGW seq 5 permit 0.0.0.0/0
    ip prefix-list COLO-LPREF-OUT seq 5 permit 1.2.3.0/24
    route-map COLO-LPREF-IN permit 5
     match as-path 5
     set local-preference 250
    route-map COLO-LPREF-IN permit 10
     set local-preference 150
    route-map COLO-LPREF-IN permit 20
    route-map COLO-OUT permit 10
     match ip address prefix-list COLO-LPREF-OUT
     set as-path prepend 7777 7777 7777
     set community 29795:1004
    route-map COLO-OUT permit 20
    route-map L3-LPREF-IN permit 10
     match as-path 10
     set local-preference 200
    route-map L3-LPREF-IN permit 20
     set local-preference 150
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps vrrp
    snmp-server enable traps flowmon
    snmp-server enable traps transceiver all
    snmp-server enable traps ds1
    snmp-server enable traps call-home message-send-fail server-fail
    snmp-server enable traps tty
    snmp-server enable traps license
    snmp-server enable traps envmon
    snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
    snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
    snmp-server enable traps flash insertion removal
    snmp-server enable traps mac-notification
    snmp-server enable traps aaa_server
    snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
    snmp-server enable traps memory bufferpeak
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps config-ctid
    snmp-server enable traps event-manager
    snmp-server enable traps hsrp
    snmp-server enable traps cpu threshold
    snmp-server enable traps rsvp
    snmp-server enable traps syslog
    snmp-server enable traps vtp
    snmp-server enable traps ipsla

    When you were checking the ARP table was there an entry for Fast0/0/0?
    HTH
    Rick

  • [Cisco ISE 1.2 with 3850 - Trunk AP] Problem with MAB

    Hi everyone,
    After reading some documentation about using MAB in a trunk port with the 3850 I would like to know if someone has implemented ISE policies with a 3850 interface in trunk mode. My problem is that when I try using MAB in a trunk port the MAC address of the AP is not visible in the "show mac address interface" output, and because of that the AP is not authenticated in ISE. The thing is that if I use a 2960 everything goes smoothly with no problems!
    Let me show you what I have,
    interface GigabitEthernet1/0/3
     description AP
     switchport trunk native vlan 999
     switchport mode trunk
     trust device cisco-phone
     authentication event fail action next-method
     authentication host-mode multi-host
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x max-req 4
     auto qos voip cisco-phone
     service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
     service-policy output AutoQos-4.0-Output-Policy
    ############################################# switch model - 3850 ##################################################
    SW1#sh mac address-table interface GigabitEthernet1/0/3
              Mac Address Table
    Vlan    Mac Address       Type        Ports
    SW1#sh dot1x interface Gi1/0/3
    Dot1x Info for GigabitEthernet1/0/3
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 4
    TxPeriod                  = 30
    Switch Ports Model              SW Version        SW Image              Mode
    *    1 56    WS-C3850-48P       03.03.03SE        cat3k_caa-universalk9 INSTALL
    ############################################# Different switch model - 2960 ##################################################
    interface GigabitEthernet1/0/1
     description AP
     switchport trunk native vlan 999
     switchport mode trunk
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     authentication event fail action next-method
     authentication host-mode multi-host
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x max-req 4
     auto qos voip cisco-phone
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
     SW1#$cation sessions interface GigabitEthernet1/0/1
                Interface:  GigabitEthernet1/0/1
              MAC Address:  xxxx.xxxx.4a38
               IP Address:  172.18.1.170
                User-Name:  xx-xx-xx-xx-4A-38
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A18129D000060E39DAE8A8A
          Acct Session ID:  0x0000725D
                   Handle:  0x0F00028C
    Runnable methods list:
           Method   State
           mab      Authc Success
           Switch Ports Model              SW Version            SW Image                                                                                             
         1 28    WS-C2960X-24PS-L   15.0(2)EX5            C2960X-UNIVERSALK9-M      
     SW2#sh dot1x interface Gi1/0/1
    Dot1x Info for GigabitEthernet1/0/1
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 4
    TxPeriod                  = 30
    Am I doing something wrong?
    BR,

    I know what you mean and I agree with what you are saying :) Nonetheless, at the moment, the official stance from Cisco on this is that 802.1x is not supported on trunk ports. Now one can argue that MAB is different but I think we are just splitting hairs here :) 
    Like I said, I have gotten stuff to work before but always had some goofy things happening so in general I have stayed away from doing it. 
    Now in your situation, if your configuration is working fine on the 2960 but not on the 3850, then most likely the issue is with the XE code running on the 3850s. The XE code has been very problematic until recently so you are probably hitting some sort of a defect. As a result, I recommend that you upgrade the switch(es) to 3.3.5 or 3.6.1. Version 3.7.x is also out but it just came out 8 days ago so I would not recommend going to it. 
    Thank you for rating helpful posts!

  • How do you set up priority queueing on a 3400 metro switch?

    running IOS 12.2(40)SE. This seems to do strict priority queueing only, which means that that queue will be serviced until it is emptied, then other queues will be serviced.
    We will be pumping lots of voice calls through a few of these 3400s on a metro fiber ring and I need to apply the appropriate QOS for voice. I'm familiar with LLQ in the router world and autoqos in the 3750/3650 switch world, but not with this switch.
    Is there a white paper that speaks directly to VoIP on the 3400? The QOS section of the config guide doesn't help when looking for config examples for voice except to state that voice can be mapped to the priority queue, but it is not LLQ based.
    I don't want to police voice because the potential of dropped packets could affect all calls, but I need to make sure that voice traffic gets priority over all else - without starving out the other traffic.

    I understand that - and thank you for responding. However I am extremely leery of policing voice traffic because any dropped packets will affect voice conversation.
    Maybe I should set up a policer that is much larger than the total amount of voice traffic I ever expect to have on the link. Say I'll have a possible 100 G-711 calls at any given time. In the LLQ world I'd carve out a priority queue of 10meg to ensure all those calls get prioritized. In the 3400 world should I police say at 12meg?
    What I'm not clear on is the concept of strict priority queueing - that that queue will be serviced at the expense of all other queues whenever there is traffic in it. Would I expect there always to be voice traffic in the queue if the link is a gig link, and 10mb of voice traffic is going through that queue constantly? Or will the gig interface pull those packets out of the queue so fast that all other non-priority traffic will get transmitted from the other queues just fine?

  • 2960-X vs 2960 QOS

    I am configuring QOS for some 2960-X's for a new deployment that also has some 2960's. The current 2960's already have auto qos configured. When I configured auto qos voip trust for the 2960-X, I noticed there were not any ingress queues and all of the numbers for the queues were different. Should this be a concern at all if the switches are trunked together or even if they aren't? I am not that proficient with QOS yet. See below for configs.
    Thanks for your help!
    From 2960
    mls qos map cos-dscp 0 8 16 24 32 46 48 56
    mls qos srr-queue input bandwidth 90 10
    mls qos srr-queue input threshold 1 8 16
    mls qos srr-queue input threshold 2 34 66
    mls qos srr-queue input buffers 67 33
    mls qos srr-queue input cos-map queue 1 threshold 2 1
    mls qos srr-queue input cos-map queue 1 threshold 3 0
    mls qos srr-queue input cos-map queue 2 threshold 1 2
    mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
    mls qos srr-queue input cos-map queue 2 threshold 3 3 5
    mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
    mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
    mls qos srr-queue input dscp-map queue 1 threshold 3 32
    mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
    mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
    mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
    mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
    mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
    mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
    mls qos srr-queue output cos-map queue 1 threshold 3 5
    mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
    mls qos srr-queue output cos-map queue 3 threshold 3 2 4
    mls qos srr-queue output cos-map queue 4 threshold 2 1
    mls qos srr-queue output cos-map queue 4 threshold 3 0
    mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
    mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
    mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
    mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
    mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
    mls qos srr-queue output dscp-map queue 4 threshold 1 8
    mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
    mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
    mls qos queue-set output 1 threshold 1 138 138 92 138
    mls qos queue-set output 1 threshold 2 138 138 92 400
    mls qos queue-set output 1 threshold 3 36 77 100 318
    mls qos queue-set output 1 threshold 4 20 50 67 400
    mls qos queue-set output 2 threshold 1 149 149 100 149
    mls qos queue-set output 2 threshold 2 118 118 100 235
    mls qos queue-set output 2 threshold 3 41 68 100 272
    mls qos queue-set output 2 threshold 4 42 72 100 242
    mls qos queue-set output 1 buffers 10 10 26 54
    mls qos queue-set output 2 buffers 16 6 17 61
    mls qos
    interface FastEthernet0/2
     switchport access vlan 100
     switchport mode access
     switchport voice vlan 110
     srr-queue bandwidth share 10 10 60 20
     queue-set 2
     priority-queue out
     mls qos trust cos
     auto qos voip trust
     spanning-tree portfast
    From 2960-X
    mls qos map cos-dscp 0 8 16 24 32 46 48 56
    mls qos srr-queue output cos-map queue 1 threshold 3 4 5
    mls qos srr-queue output cos-map queue 2 threshold 1 2
    mls qos srr-queue output cos-map queue 2 threshold 2 3
    mls qos srr-queue output cos-map queue 2 threshold 3 6 7
    mls qos srr-queue output cos-map queue 3 threshold 3 0
    mls qos srr-queue output cos-map queue 4 threshold 3 1
    mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
    mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
    mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
    mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
    mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
    mls qos srr-queue output dscp-map queue 2 threshold 2 24
    mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
    mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
    mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
    mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
    mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
    mls qos queue-set output 1 threshold 1 100 100 50 200
    mls qos queue-set output 1 threshold 2 125 125 100 400
    mls qos queue-set output 1 threshold 3 100 100 100 400
    mls qos queue-set output 1 threshold 4 60 150 50 200
    mls qos queue-set output 1 buffers 15 25 40 20
    mls qos
    interface GigabitEthernet1/0/1
     switchport access vlan 100
     switchport mode access
     switchport voice vlan 110
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     mls qos trust cos
     auto qos trust
     spanning-tree portfast

    IMO, AutoQoS is always a concern (as are device defaults, without it).
    If you're going to "do" QoS, you should have a policy that serves your service needs, and configurations to support it.  AutoQoS might, or might not, be exactly what you need.
    If you're not proficient with QoS, on most LANs, you might actually be better off disabling it.

  • Catalyst 4500 Sup 7 DBL Drops

    Hello guys.
    I have a problem with a 4510 switch with Sup 7 and VSS. Sometimes I get an error message from my management system that I have drops. When I look at the switch I see the following output with a show interface.
    GigabitEthernet1/1/20 is up, line protocol is up (connected)
      Hardware is Gigabit Ethernet Port, address is fc5b.3981.00cb (bia fc5b.3981.00cb)
      Description: Uplink >> DEISSW28 > 0/49
      MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseSX
      input flow-control is off, output flow-control is off
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:03, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 33588
      Queueing strategy: Class-based queueing
      Output queue: 0/40 (size/max)
      5 minute input rate 3389000 bits/sec, 396 packets/sec
      5 minute output rate 1373000 bits/sec, 375 packets/sec
         259327531 packets input, 260486639929 bytes, 0 no buffer
         Received 2197702 broadcasts (1237454 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 input packets with dribble condition detected
         687620273 packets output, 171964900087 bytes, 0 underruns
         0 output errors, 0 collisions, 6 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out
    When I display the counters I see that I have DBL drops:
    Port InBytes InUcastPkts InMcastPkts InBcastPkts
    Gi1/1/20 260445332225 257093813 1237385 960186
    Port OutBytes OutUcastPkts OutMcastPkts OutBcastPkts
    Gi1/1/20 171951485588 586491305 47531837 53564908
    Port InPkts 64 OutPkts 64 InPkts 65-127 OutPkts 65-127
    Gi1/1/20 169938 2535840 73860043 571805902
    Port InPkts 128-255 OutPkts 128-255 InPkts 256-511 OutPkts 256-511
    Gi1/1/20 15065293 22890554 3761375 4726098
    Port InPkts 512-1023 OutPkts 512-1023
    Gi1/1/20 2832564 3570926
    Port InPkts 1024-1518 OutPkts 1024-1518 InPkts 1519-1548 OutPkts 1519-1548
    Gi1/1/20 2133852 7956164 161468319 74102567
    Port InPkts 1549-9216 OutPkts 1549-9216
    Gi1/1/20 0 0
    Port Tx-Bytes-Queue-1 Tx-Bytes-Queue-2 Tx-Bytes-Queue-3 Tx-Bytes-Queue-4
    Gi1/1/20 3885776852 36149774 129367770 772345869
    Port Tx-Bytes-Queue-5 Tx-Bytes-Queue-6 Tx-Bytes-Queue-7 Tx-Bytes-Queue-8
    Gi1/1/20 430894369 32739589 141604609 166522564649
    Port Tx-Drops-Queue-1 Tx-Drops-Queue-2 Tx-Drops-Queue-3 Tx-Drops-Queue-4
    Gi1/1/20 0 0 1 0
    Port Tx-Drops-Queue-5 Tx-Drops-Queue-6 Tx-Drops-Queue-7 Tx-Drops-Queue-8
    Gi1/1/20 0 0 0 6
    Port Dbl-Drops-Queue-1 Dbl-Drops-Queue-2 Dbl-Drops-Queue-3 Dbl-Drops-Queue-4
    Gi1/1/20 0 0 0 0
    Port Dbl-Drops-Queue-5 Dbl-Drops-Queue-6 Dbl-Drops-Queue-7 Dbl-Drops-Queue-8
    Gi1/1/20 0 0 0 16787
    Port Rx-No-Pkt-Buff RxPauseFrames TxPauseFrames PauseFramesDrop
    Gi1/1/20 0 0 0 0
    Port UnsupOpcodePause
    Gi1/1/20 0
    Port CrcAlign-Err Dropped-Bad-Pkts Collisions Symbol-Err
    Gi1/1/20 0 0 0 0
    Port Undersize Oversize Fragments Jabbers
    Gi1/1/20 0 0 0 0
    Port Single-Col Multi-Col Late-Col Excess-Col
    Gi1/1/20 0 0 0 0
    Port Deferred-Col False-Car Carri-Sen Sequence-Err
    Gi1/1/20 0 0 0 0
    Port RxIslTagFrames TxIslTagFrames RxDot1qTagFrames TxDot1qTagFrames
    Gi1/1/20 0 0 257135468 683431783
    Auto QoS is configured on the interface.
    interface GigabitEthernet1/1/20
    switchport trunk pruning vlan 2-1000
    switchport mode trunk
    auto qos trust
    service-policy input AutoQos-4.0-Input-Policy
    service-policy output AutoQos-4.0-Output-Policy
    Does this behavior come from the QoS? Where can I see which traffic is assigned to queue 8?
    Regards Stefan

    Yes, DBL is a (unique to) 4500 sup QoS feature.  Likely configured in your egress service-policy.
    I don't recall the sup7 QoS architecture, but switches often provide fixed egress queues that you map traffic to via either CoS or ToS markings.  The QoS section of the User Guide, for your IOS version, should explain.

  • Cisco 2960x - auto qos voip cisco-phone on access ports

    After configuring "auto qos voip cisco-phone" on a stack of 2960x switches, we later noticed that after a power cycle (config was saved first) it went missing when doing a "show run" from the interface configs, on one of the switches (g1/0/1-48 had it applied, then after power cycle it didn't show).  However, doing a "show auto qos interface" shows it is still applied to all interfaces g10/1-48. 
    I try to do "auto qos voip cisco-phone" again on g1/0/1-48, and it shows this:
    SwitchStack01(config-if-range)#auto qos voip cisco-phone
    AutoQoS Error: AutoQoS already configured
    % Range command terminated because it failed on GigabitEthernet1/0/1
    If I attempt to remove "auto qos voip cisco-phone", it shows this:
    SwitchStack01(config-if-range)#no auto qos voip cisco-phone
    AutoQoS Error: AutoQoS not configured
    % Range command terminated because it failed on GigabitEthernet1/0/1
    When I do a "show run", it is no longer displayed for the first switch of the stack. So is it still applied to the interfaces or not? Is this a bug? Has anyone else experienced this? This has happened to at least a couple stacks of 2960x's we have.
    Thanks!

    It appears to be a bug in the code.  Open a TAC ticket with Cisco and send them the output and the IOS version you are using so they can help you resolve the issue.   Most likely, they recommend an upgrade.
    HTH

  • Cisco ISE: Error 5411 No response received ...

    Hi all,
    We were running Cisco ACS version 4.x half a year ago, but decided to upgrade to Cisco ISE. So we made a fresh installation with our Cisco partner. At the moment we're live with this equipment, but running into a lot of trouble, as we're receiving a lot of these errors each day. Once the users restart their PCs a few times the problem is solved, but at the moment it's pretty annoying:
    No response received during 120 seconds on last EAP message sent to the client
    Steps from the detailed view:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    5411  No response received during 120 seconds on last EAP message sent to the client
    Allowed Protocol: EAP-TLS and PEAP
    Authentication Protocol : EAP-TLS
    Actually I don't know which version we're running. Where can I check the proper release on the web interface?
    Switches are 3750x with the following switchport configs (some things have been xxx-ed out); firmware is version 12.2(55)SE1:
    interface GigabitEthernet1/0/1
    description xxx
    switchport access vlan xxx
    switchport mode access
    switchport voice vlan xxx
    srr-queue bandwidth share 10 10 60 20
    queue-set 2
    priority-queue out
    authentication event fail action next-method
    authentication event server dead action authorize vlan xxx
    authentication event no-response action authorize vlan xxx
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate 28800
    mab
    mls qos trust device cisco-phone
    mls qos trust cos
    macro description cisco-phone | cisco-phone
    dot1x pae authenticator
    dot1x timeout tx-period 15
    dot1x timeout supp-timeout 15
    auto qos voip cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AutoQoS-Police-CiscoPhone
    Can someone suggest anything to solve the problem, maybe some misconfiguration or improvements, before starting a TAC case?
    Thanks in advance
    regards
    Marc

    The Global Help icon is located in the bottom left corner of the Global Toolbar in the Cisco ISE window. You may check the ISE version there.
    To launch Global Help, complete the following steps:
    Step 1 On the global toolbar, move your cursor over the Help icon.
    Step 2 Choose Online Help from the pop-up menu.
    A new browser window appears displaying the Cisco ISE Online Help.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Wired WebAuth only with NAC Guest Server (No ACS)

    OK, I have been fighting this for two days now. I want to use the webauth function on some of our Cisco 3750Gs ver 12.2(55)SE5 for guest access. I'm trying to use our NAC Guest Server ver: 2.0.3 as the backend portal and RADIUS server. We do not have ACS or any of the other components of ISE or NAC. I think the issue is the NGS server is not sending the d(ACL) back to the switch. Guests work fine from our WLCs.
    switch debug:   No attributes in switch debug
    Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Config NAS IP: 199.46.201.26
    Mar 22 12:56:00.448 CDT: RADIUS/ENCODE(0000030C): acct_session_id: 1012
    Mar 22 12:56:00.448 CDT: RADIUS(0000030C): sending
    Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Send Access-Request to 10.199.33.20:1812 id 1645/19, len 177
    Mar 22 12:56:00.448 CDT: RADIUS:  authenticator 99 95 59 55 09 A9 D9 E1 - 2B 01 90 36 1B 8A 41 92
    Mar 22 12:56:00.448 CDT: RADIUS:  User-Name           [1]   20  "[email protected]"
    Mar 22 12:56:00.448 CDT: RADIUS:  User-Password       [2]   18  *
    Mar 22 12:56:00.448 CDT: RADIUS:  Framed-IP-Address   [8]   6   199.46.201.231
    Mar 22 12:56:00.448 CDT: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    Mar 22 12:56:00.448 CDT: RADIUS:  Message-Authenticato[80]  18
    Mar 22 12:56:00.448 CDT: RADIUS:   A2 57 B5 F2 A6 FB 46 71 D0 EA 26 54 95 90 F4 D0             [ WFq&T]
    Mar 22 12:56:00.448 CDT: RADIUS:  Vendor, Cisco       [26]  49
    Mar 22 12:56:00.448 CDT: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C72EC91A000002FC0A6CD698"
    Mar 22 12:56:00.448 CDT: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Mar 22 12:56:00.448 CDT: RADIUS:  NAS-Port            [5]   6   50106
    Mar 22 12:56:00.448 CDT: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/6"
    Mar 22 12:56:00.448 CDT: RADIUS:  NAS-IP-Address      [4]   6   199.46.201.26
    Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Started 5 sec timeout
    Mar 22 12:56:01.454 CDT: RADIUS: Received from id 1645/19 10.199.33.20:1812, Access-Reject, len 20
    Mar 22 12:56:01.454 CDT: RADIUS:  authenticator 92 98 05 84 6E 4B CF DD - B5 D7 90 25 10 59 7B E7
    Mar 22 12:56:01.454 CDT: RADIUS(0000030C): Received from id 1645/19
    NGS log:
    rad_recv: Access-Request packet from host 199.46.201.26 port 1645, id=19, length=177
        User-Name = "[email protected]"
        User-Password = "5rRmpPt9"
        Framed-IP-Address = 199.46.201.231
        Service-Type = Outbound-User
        Message-Authenticator = 0xa257b5f2a6fb4671d0ea26549590f4d0
        Cisco-AVPair = "audit-session-id=C72EC91A000002FC0A6CD698"
        NAS-Port-Type = Ethernet
        NAS-Port = 50106
        NAS-Port-Id = "GigabitEthernet1/0/6"
        NAS-IP-Address = 199.46.201.26
    +- entering group authorize {...}
    [radius-user-auth]     expand: %{User-Name} -> [email protected]
    [radius-user-auth]     expand: %{User-Password} -> 5rRmpPt9
    [radius-user-auth]     expand: %{NAS-IP-Address} -> 199.46.201.26
    [radius-user-auth]     expand: %{Calling-Station-Id} ->
    Exec-Program output:                          Note:  no attributes here
    Exec-Program: returned: 1
    ++[radius-user-auth] returns reject
    Delaying reject of request 12 for 1 seconds
    Going to the next request
    Waking up in 0.6 seconds.
    Similar debug from NGS but auth request from WLC: See attributes are sent to wlc although not needed
    rad_recv: Access-Request packet from host 10.100.16.100 port 32770, id=22, length=152
        User-Name = "[email protected]"
        User-Password = "5rRmpPt9"
        Service-Type = Login-User
        NAS-IP-Address = 10.100.16.100
        NAS-Port = 13
        NAS-Identifier = "ICTWLC01"
        NAS-Port-Type = Ethernet
        Airespace-Wlan-Id = 514
        Calling-Station-Id = "10.198.12.211"
        Called-Station-Id = "10.100.16.100"
        Message-Authenticator = 0xc9383e767f0c228a2b8a0ece7069f366
    +- entering group authorize {...}
    [radius-user-auth]     expand: %{User-Name} -> [email protected]
    [radius-user-auth]     expand: %{User-Password} -> 5rRmpPt9
    [radius-user-auth]     expand: %{NAS-IP-Address} -> 10.100.16.100
    [radius-user-auth]     expand: %{Calling-Station-Id} -> 10.198.12.211
    Exec-Program output: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
    Exec-Program-Wait: plaintext: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
    Exec-Program: returned: 0
    ++[radius-user-auth] returns ok
    [files] users: Matched entry DEFAULT at line 1
    ++[files] returns ok
    Found Auth-Type = Accept
    Auth-Type = Accept, accepting the user
    +- entering group post-auth {...}
    [sql]     expand: %{User-Name} -> [email protected]
    [sql] sql_set_user escaped user --> '[email protected]'
    [sql]     expand: %{User-Password} -> 5rRmpPt9
    [sql]     expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', '5rRmpPt9', 'Access-Accept', NOW())
    rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', '5rRmpPt9', 'Access-Accept', NOW())
    rlm_sql (sql): Reserving sql socket id: 12
    rlm_sql_postgresql: Status: PGRES_COMMAND_OK
    rlm_sql_postgresql: query affected rows = 1
    rlm_sql (sql): Released sql socket id: 12
    ++[sql] returns ok
    Sending Access-Accept of id 22 to 10.100.16.100 port 32770
    Finished request 4.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Accounting-Request packet from host 10.100.16.100 port 32770, id=30, length=170
    config:
    aaa new-model
    aaa authentication login default group radius
    aaa authentication login console group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ none
    aaa authorization auth-proxy default group radius
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting exec default stop-only group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    ip device tracking
    ip auth-proxy auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
    ip auth-proxy proxy http login expired page file flash:expired.html
    ip auth-proxy proxy http login page file flash:login.html
    ip auth-proxy proxy http success page file flash:success.html
    ip auth-proxy proxy http failure page file flash:failed.html
    ip admission auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
    ip admission proxy http login expired page file flash:expired.html
    ip admission proxy http login page file flash:login.html
    ip admission proxy http success page file flash:success.html
    ip admission proxy http failure page file flash:failed.html
    ip admission name web-auth-guest proxy http inactivity-time 60
    dot1x system-auth-control
    identity policy FAILOPEN
    access-group PERMIT
    interface GigabitEthernet1/0/6
    switchport access vlan 301
    switchport mode access
    ip access-group pre-webauth-guest in
    no logging event link-status
    srr-queue bandwidth share 10 10 60 20
    queue-set 2
    priority-queue out
    mls qos trust device cisco-phone
    mls qos trust dscp
    no snmp trap link-status
    auto qos voip cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AutoQoS-Police-CiscoPhone
    ip admission web-auth-guest
    ip http server
    ip http secure-server
    ip access-list extended PERMIT
    permit ip any any
    ip access-list extended pre-webauth-guest
    permit udp any any eq bootps
    permit udp any any eq domain
    permit tcp any host 10.199.33.20 eq 8443
    permit tcp any host 10.199.33.21 eq 8443
    permit tcp any host 10.100.255.90 eq 8443
    deny   ip any any log
    ip radius source-interface Vlan301
    radius-server attribute 8 include-in-access-req
    radius-server dead-criteria tries 2
    radius-server host 10.199.33.20 auth-port 1812 acct-port 1813 key 7 022E5C782C130A74586F1C0D0D
    radius-server vsa send authentication
    I get the login and AUP page then the failed page... I never see the priv-lvl 15 or the proxyacl?  How do I do this with Guest server only?
    Help!

    Is this possible without the ACS, with only the NAC Guest?
    Can someone send me a sample configuration?
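
The following Python example is added here and is not from the original thread. It parses the two NGS debug excerpts quoted in the question (the rejected switch request and the accepted WLC request) and lists which attributes the rejected request lacks, adds, or sends with a different value; the sample log is constructed from the post with a placeholder user name and password, and all function names are hypothetical.

```python
import re

# Constructed sample modelled on the two NGS debug excerpts in the post
# (switch request first, WLC request second); user name and password are placeholders.
NGS_LOG = """\
rad_recv: Access-Request packet from host 199.46.201.26 port 1645, id=19, length=177
    User-Name = "guest@example.test"
    User-Password = "PLACEHOLDER"
    Framed-IP-Address = 199.46.201.231
    Service-Type = Outbound-User
    Cisco-AVPair = "audit-session-id=C72EC91A000002FC0A6CD698"
    NAS-Port-Type = Ethernet
    NAS-Port = 50106
    NAS-Port-Id = "GigabitEthernet1/0/6"
    NAS-IP-Address = 199.46.201.26
[radius-user-auth]     expand: %{Calling-Station-Id} ->
Exec-Program: returned: 1
rad_recv: Access-Request packet from host 10.100.16.100 port 32770, id=22, length=152
    User-Name = "guest@example.test"
    User-Password = "PLACEHOLDER"
    Service-Type = Login-User
    NAS-IP-Address = 10.100.16.100
    NAS-Port = 13
    NAS-Identifier = "ICTWLC01"
    NAS-Port-Type = Ethernet
    Airespace-Wlan-Id = 514
    Calling-Station-Id = "10.198.12.211"
    Called-Station-Id = "10.100.16.100"
[radius-user-auth]     expand: %{Calling-Station-Id} -> 10.198.12.211
Exec-Program: returned: 0
"""

HEADER = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")
EMPTY_EXPAND = re.compile(r"expand: %\{([^}]+)\} ->\s*$")
EXEC_RC = re.compile(r"^Exec-Program: returned: (\d+)")
SECRET = {"User-Password"}  # values that must never reach a report
PER_NAS = {"NAS-IP-Address", "NAS-Port", "Message-Authenticator"}  # differ per NAS/request

def parse_requests(log):
    """Split the debug log into requests: attributes, empty expansions, exit code."""
    requests, cur = [], None
    for line in log.splitlines():
        if m := HEADER.match(line):
            cur = {"type": m.group(1), "nas": m.group(2), "id": int(m.group(3)),
                   "attrs": {}, "empty": [], "exec_rc": None}
            requests.append(cur)
        elif cur is None:
            continue
        elif m := ATTR.match(line):
            name, value = m.group(1), m.group(2).strip('"')
            cur["attrs"][name] = "<redacted>" if name in SECRET else value
        elif m := EMPTY_EXPAND.search(line):
            cur["empty"].append(m.group(1))  # variable the script received as empty
        elif m := EXEC_RC.match(line):
            cur["exec_rc"] = int(m.group(1))
    return requests

def diff_requests(rejected, accepted):
    """Attributes the rejected request lacks, adds, or sends with another value."""
    a, b = rejected["attrs"], accepted["attrs"]
    shared = (set(a) & set(b)) - PER_NAS - SECRET
    return {"missing": sorted(set(b) - set(a)),
            "extra": sorted(set(a) - set(b)),
            "changed": {k: (a[k], b[k]) for k in sorted(shared) if a[k] != b[k]}}

if __name__ == "__main__":
    switch_req, wlc_req = parse_requests(NGS_LOG)
    print("switch request exit code:", switch_req["exec_rc"], "empty:", switch_req["empty"])
    print(diff_requests(switch_req, wlc_req))
```

The diff only shows where the two requests differ; which of those differences the NGS authentication script keys on is not stated in the thread.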

  • 2960S - 15.0(2)SE MAB Issue

    We have a Cisco 2960S configured for TrustSec (802.1x+MAB), with several workstations/users connected to it through their Cisco IP Phones. The users are using 802.1x and their phones are being MAB'd.
    Intermittently, the MAB functionality seems to stall, as seen in the output below. The issue is not isolated to a given port, but does not occur on other switches (3560Gs) in the environment.
    This switch is running 15.0(2)SE
    Authentication Session command does not show a phone, only a workstation:
    NFF-Cat2960S-off#sh authen sess int gi1/0/13
                Interface:  GigabitEthernet1/0/13
              MAC Address:  082e.5f86.4345
               IP Address:  192.168.1.111
                User-Name:  <removed>
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  10
                  ACS ACL:  xACSACLx-IP-ACL-PERMITALL-50bfa391
          Session timeout:  14400s (server), Remaining: 14353s
           Timeout action:  Reauthenticate
             Idle timeout:  N/A
        Common Session ID:  C0A8011600000F4AFC60371C
          Acct Session ID:  0x000010D5
                   Handle:  0xD6000F4B
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    CAM shows the phone as connected and communicating (even after a shut/noshut):
    NFF-Cat2960S-off#sh mac add int gi1/0/13
              Mac Address Table
    Vlan    Mac Address       Type        Ports
      10    082e.5f86.4345    STATIC      Gi1/0/13
      10    e804.6212.9903    DYNAMIC     Gi1/0/13
      20    e804.6212.9903    DYNAMIC     Gi1/0/13
    Total Mac Addresses for this criterion: 3
    Interface Configuration: (same as others on this switch and others)
    interface GigabitEthernet1/0/13
    switchport access vlan 10
    switchport mode access
    switchport nonegotiate
    switchport voice vlan 20
    ip access-group ACL-DEFAULT in
    srr-queue bandwidth share 1 30 35 5
    priority-queue out
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 10
    authentication event server dead action authorize voice
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    mls qos trust device cisco-phone
    mls qos trust cos
    dot1x pae authenticator
    dot1x timeout tx-period 10
    auto qos voip cisco-phone
    spanning-tree portfast
    service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end
    Phone has DHCP, but traffic is being blocked by ACL-DEFAULT, as the switch is not performing MAB to download a more permissive dACL:
    Jan  2 15:21:10.365 EST: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied tcp 192.168.20.77(49858) -> 192.168.20.5(2000), 1 packet
    Finally, the switch is reporting that MAB on this port is in an ACQUIRING state, even though the MACs are discovered:
    MAB details for GigabitEthernet1/0/13
    Mac-Auth-Bypass           = Enabled
    MAB Client List
    Client MAC                = Waiting
    Session ID                = C0A8011600000FB006D7DCEA
    MAB SM state              = ACQUIRING
    Authen Status             = FAIL

    Hi,
    Just out of curiosity can you post your port configuration.
    Thanks.
    Sent from Cisco Technical Support Android App
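
The following Python example is added here and is not from the original thread. It cross-checks the `sh authen sess` and `sh mac add` outputs quoted in the question and lists every MAC a port has learned that has no authentication session; the sample strings are constructed from the post (trimmed to the parsed fields) and the function names are hypothetical.

```python
import re

# Constructed sample: the two command outputs quoted in the post for Gi1/0/13,
# trimmed to the fields this example parses.
SESSIONS = """\
            Interface:  GigabitEthernet1/0/13
          MAC Address:  082e.5f86.4345
               Status:  Authz Success
               Domain:  DATA
Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
  10    082e.5f86.4345    STATIC      Gi1/0/13
  10    e804.6212.9903    DYNAMIC     Gi1/0/13
  20    e804.6212.9903    DYNAMIC     Gi1/0/13
Total Mac Addresses for this criterion: 3
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
SHORT = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}

def short_ifname(name):
    """Map 'GigabitEthernet1/0/13' to the 'Gi1/0/13' form the MAC table uses."""
    for long_name, short in SHORT.items():
        if name.startswith(long_name):
            return short + name[len(long_name):]
    return name

def parse_sessions(text):
    """Return {(port, mac): {"status", "domain", "methods"}} from session detail output."""
    sessions, port, cur = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"\s*Interface:\s+(\S+)", line):
            port, cur = short_ifname(m.group(1)), None
        elif m := re.match(rf"\s*MAC Address:\s+({MAC})", line, re.I):
            cur = sessions.setdefault((port, m.group(1).lower()), {"methods": {}})
        elif cur is None:
            continue
        elif m := re.match(r"\s*(Status|Domain):\s+(.+?)\s*$", line):
            cur[m.group(1).lower()] = m.group(2)
        elif m := re.match(r"\s*(dot1x|mab|webauth)\s+(\S.*?)\s*$", line):
            cur["methods"][m.group(1)] = m.group(2)
    return sessions

def parse_mac_table(text):
    """Return {(port, mac): [vlans]} from the rows of the MAC address table."""
    table = {}
    row = re.compile(rf"^\s*(\d+)\s+({MAC})\s+\S+\s+(\S+)\s*$", re.M | re.I)
    for vlan, mac, port in row.findall(text):
        table.setdefault((port, mac.lower()), []).append(int(vlan))
    return {key: sorted(vlans) for key, vlans in table.items()}

def macs_without_session(sessions, mac_table):
    """(port, mac, vlans) for every learned MAC that has no authentication session."""
    return sorted((p, m, v) for (p, m), v in mac_table.items() if (p, m) not in sessions)

if __name__ == "__main__":
    for port, mac, vlans in macs_without_session(parse_sessions(SESSIONS),
                                                 parse_mac_table(MAC_TABLE)):
        print(f"{port}: {mac} learned in VLANs {vlans} but has no auth session")
```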
