ISE - 802.1X - Loop not detected by spanning-tree

Hello,
I have recently implemented 802.1X on 3750-X switches running IOS version 15.0(2)SE.
Spanning-tree bpdufilter and bpduguard are globally enabled on the switches.
A user created a loop on the network by connecting their Cisco IP phone to the network twice: one wire connected normally from the switch to the phone's RJ-45 connector, and the second wire, which should have been connected to the PC, was also connected to the switch!
The loop was not detected by the switch!
I have made several tests and reproduced the problem 3 times out of 4 (only once was the loop detected by bpduguard, 20 seconds after the port came up).
Notice that without 802.1X configured on the same switch port, the loop is quickly detected and the ports are err-disabled (shut down).
The switch port configuration with 802.1X is as follows:
interface GigabitEthernet1/0/9
switchport access vlan 950
switchport mode access
switchport nonegotiate
switchport voice vlan 955
no logging event link-status
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 950
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast
If I change the host-mode to multi-domain, a MAC violation restriction occurs and shuts down the port. But this is not the config I need.
Is there any reason spanning-tree does not work properly with 802.1X?
Thanks,
Olivier

Hello Olivier
When using bpdufilter, bpduguard and portfast all at the same time, there are many things going on which are not well documented. Now when you add 802.1x to the mix, you really have no documentation. I had to do many labs on my own to finally arrive at my configuration, and I also discovered some bugs. In my experience you shouldn't use bpdufilter, and you should enable bpduguard on the switchport, not in the global config.
Please read the following links about the differences between global and port bpdufilter, the differences between global and port bpduguard, configuring bpduguard along with portfast, configuring bpdufilter along with portfast, and configuring bpduguard along with bpdufilter.
http://aitaseller.wordpress.com/2010/01/17/bpdu-filter-vs-bpdu-guard-what-is-the-difference/
http://costiser.wordpress.com/2011/05/23/subtle-difference-for-portfast-bpdufilter-used-together-globally-or-at-interface-level/
https://learningnetwork.cisco.com/thread/21103
http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/
Please rate if this helps
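As an added example (not code from the thread, from Cisco, or from either poster), the following Python script audits an IOS running-config for the situation the question describes: PortFast edge ports running 802.1X/MAB that rely on the global `spanning-tree portfast bpduguard default` and `spanning-tree portfast bpdufilter default` settings instead of a per-port `spanning-tree bpduguard enable`, which is what the reply recommends. The config text embedded in it is constructed to resemble the port in the question; the interface names and the extra ports are hypothetical.

```python
"""Audit an IOS running-config for 802.1X edge ports that depend on the
global PortFast BPDU Guard/Filter defaults instead of per-port BPDU Guard.

Added example, not from the thread. The config below is constructed to
resemble the port in the question; interface names are hypothetical.
"""
from dataclasses import dataclass, field

# Constructed sample: one port relying on the global defaults (Gi1/0/9),
# one with per-port BPDU Guard (Gi1/0/10), one without 802.1X (Gi1/0/11).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet1/0/9
 switchport access vlan 950
 switchport mode access
 switchport voice vlan 955
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 switchport access vlan 950
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/11
 switchport mode access
 spanning-tree portfast
!
"""

GLOBAL_BPDUFILTER = "spanning-tree portfast bpdufilter default"
PORT_BPDUGUARD = "spanning-tree bpduguard enable"
PORTFAST = "spanning-tree portfast"
# Either of these marks a port as an 802.1X/MAB authenticator port.
DOT1X_MARKERS = ("dot1x pae authenticator", "authentication port-control auto")


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)


def parse_config(text):
    """Split a running-config into global commands and interface stanzas.

    IOS indents sub-commands with one space and closes a stanza with '!'.
    """
    global_cmds, interfaces = [], []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, interfaces


def audit(text):
    """Return (scope, message) findings for BPDU Guard/Filter weaknesses."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    if GLOBAL_BPDUFILTER in global_cmds:
        findings.append(("global",
                         "global bpdufilter default found; the reply recommends "
                         "not using bpdufilter on 802.1X PortFast ports"))
    for intf in interfaces:
        dot1x = any(line.startswith(DOT1X_MARKERS) for line in intf.lines)
        if PORTFAST in intf.lines and dot1x and PORT_BPDUGUARD not in intf.lines:
            findings.append((intf.name,
                             "802.1X PortFast port relies on the global default; "
                             "add '%s'" % PORT_BPDUGUARD))
    return findings


if __name__ == "__main__":
    for scope, msg in audit(SAMPLE_CONFIG):
        print(f"{scope}: {msg}")
```

Run against the constructed config it reports the global bpdufilter line and GigabitEthernet1/0/9; Gi1/0/10 is clean because the guard is set per port, and Gi1/0/11 is skipped because it runs no 802.1X. The same parser can be fed the output of `show running-config` from a real switch.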

Similar Messages

  • SF 300 Series switch not participating in spanning tree?

    I just purchased an SF300-24 managed switch and I am running it in layer3 mode. I am testing it out right now and have it connected to two 2950 switches. The SF300 is connected to each 2950 with a four port etherchannel running LACP. When looking at spanning tree all three switches are configured the same when it comes to hello, forward, max age and all three are in RSTP mode. I adjusted the priorities so that the SF300 would be the root but that is not happening.
    I only have one VLAN as of right now set up and connectivity between the three switches is fine. The only problem seems to be that the two 2950 switches are the only two switches involved in the determination of the root bridge. Additionally it was the same way before I configured the etherchannel and had the switches connected over single trunk lines.
    I would appreciate it if someone can explain to me why this is?
    Thanks in advance.

    Thanks for your help but now I still cannot get the three devices to talk MST either; it is getting frustrating. If I add a redundant link and directly connect the two 2950's they immediately talk and configure MST. But when I remove that link no info is passed and both 2950's think they are the root even though the SF 300 priority is 0 on all three MST instances. On the SF300 I have the following settings:
    Spanning tree: enabled
    STP Operation Mode: Multiple STP
    BPDU Handling: Flooding
    Path Cost: Long
    Region name: test
    Revision: 1
    Max Hops: 20
    Max-age: 20
    Hello Time: 2
    Forward Delay: 15
    MST instance 1 Vlan 100
    Bridge Priority 0
    Designated Root Bridge: Self
    Root port: 0
    Root path cost: 0
    MST instance 2 Vlan 2-5
    Bridge Priority 0
    Designated Root Bridge: Self
    Root port: 0
    Root path cost: 0
    MST instance 0 all vlans not in instance 1 and 2
    Bridge Priority 0
    Designated Root Bridge: Self
    Root port: 0
    Root path cost: 0
    For MST interface Settings (both LAGs/instances are the same)
    Int Priority: 128
    Path Cost: 20000
    Port State: Boundary
    Mode: RSTP
    Type: Boundary
    Designated port ID: 128
    Designated Cost: 0
    Remain Hops: 20
    Forward Transitions: 1
    The 2950 switches: (The only difference on the other switch is that the priority is 8192, and the MACs of course)
    MST00 is executing the mstp compatible Spanning Tree protocol
      Bridge Identifier has priority 4096, sysid 0, address 000b.460e.e040
      Configured hello time 2, max age 20, forward delay 15
      Current root has priority 0, address 6c50.4dcb.334b
      Root port is 65 (Port-channel1), cost of root path is 50000
      Topology change flag not set, detected flag not set
      Number of topology changes 7 last change occurred 00:18:54 ago
              from Port-channel1
      Times:  hold 1, topology change 35, notification 2
              hello 2, max age 20, forward delay 15
      Timers: hello 0, topology change 0, notification 0
    Port 65 (Port-channel1) of MST00 is root forwarding
       Port path cost 50000, Port priority 128, Port Identifier 128.65.
       Designated root has priority 0, address 6c50.4dcb.334b
       Designated bridge has priority 0, address 6c50.4dcb.334b
       Designated port id is 128.1000, designated path cost 0
       Timers: message age 4, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default, Boundary RSTP
       BPDU: sent 571, received 568
    MST01 is executing the mstp compatible Spanning Tree protocol
      Bridge Identifier has priority 4096, sysid 1, address 000b.460e.e040
      Configured hello time 2, max age 20, forward delay 15
      We are the root of the spanning tree
      Topology change flag not set, detected flag not set
      Number of topology changes 9 last change occurred 00:18:55 ago
              from Port-channel1
      Times:  hold 1, topology change 35, notification 2
              hello 2, max age 20, forward delay 15
      Timers: hello 0, topology change 0, notification 0
    Port 65 (Port-channel1) of MST01 is boundary forwarding
       Port path cost 50000, Port priority 128, Port Identifier 128.65.
       Designated root has priority 4097, address 000b.460e.e040
       Designated bridge has priority 4097, address 000b.460e.e040
       Designated port id is 128.65, designated path cost 0
       Timers: message age 0, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default, Boundary RSTP
       BPDU: sent 598, received 0
    MST02 is executing the mstp compatible Spanning Tree protocol
      Bridge Identifier has priority 4096, sysid 2, address 000b.460e.e040
      Configured hello time 2, max age 20, forward delay 15
      We are the root of the spanning tree
      Topology change flag not set, detected flag not set
      Number of topology changes 9 last change occurred 00:19:50 ago
              from Port-channel1
      Times:  hold 1, topology change 35, notification 2
              hello 2, max age 20, forward delay 15
      Timers: hello 0, topology change 0, notification 0
    Port 65 (Port-channel1) of MST02 is boundary forwarding
       Port path cost 50000, Port priority 128, Port Identifier 128.65.
       Designated root has priority 4098, address 000b.460e.e040
       Designated bridge has priority 4098, address 000b.460e.e040
       Designated port id is 128.65, designated path cost 0
       Timers: message age 0, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default, Boundary RSTP
       BPDU: sent 611, received 0
    I notice that on MST01 and 02 they are not receiving BPDUs, but I am not sure why or if that is the problem. It appears that the SF 300 is not sending BPDU packets for MST01 and 02, but is sending them for MST00. I also attached a capture. I captured the VLAN info for VLAN 100 which is in MST1. On the SF300, it appears that the SF 300 is receiving STP traffic but not generating any.

  • Zen Micro is NOT detected by Creative MediaSource Organizer or Windows Media Pla

    Well, I have read through a good part of the message forum and have found nothing to help my case and I believe, truly believe that I have tried everything!
    My Zen Micro is detected by my computer and when plugged in I am prompted by MTP Media Player to:
    - Launch Windows Media Player and synchronize files
    - Take no action
    If I choose to launch Windows Media Player it does not detect the portable device.
    If I choose to take no action and launch Creative MediaSource Organizer instead, the device is still not detected.
    I have checked my Device Manager and it says that the device is working properly, drivers are installed (this is the most common problem, but for me this is the part that is working correctly).
    When I open the Zen Micro Media Explorer it tells me that the device is not connected. I cannot transfer music files with Windows Media Player or Creative MediaSource because both programs do not detect the Zen Micro.
    I should note that the Zen Micro does work properly on another computer in my household.
    Can someone please offer suggestions?
    Thanks

    Ha ha ha! Success at last!
    I got it working now!
    I was missing a step in the second suggestion (link posted by DM) to edit the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB and add "EVERYONE." Plus I didn't reboot right away! I guess that would help too. Sorry forgot to do that.
    THANK YOU! The support on this forum is wonderful! Glad to see the help is here for Creative products.

  • Spanning tree bpdu

    Hi all, can anyone tell me 2 things? Firstly, do only the uplinks on a switch send out BPDUs? Secondly, if I disabled spanning tree on the uplink ports, would the switch not send any BPDUs out, thus the switch not participating in spanning tree to the rest of the network?

    Concept says, by default all switchports are in trunk mode. So if any switch is connected to a port, it tries to negotiate the trunk & once established, sends BPDUs. Thus, all access ports have portfast turned on which denies any BPDUs received on the port.
    Coming to your point, yes, uplinks will share BPDUs. If your topology has redundant connections, then you are prone to loops if STP is turned off. However, if your only concern is to limit the diameter of STP, prefer using the "vlan allowed" command on trunks for STP to limit to specific VLANs & thus not flooding the entire network.

  • Mono spanning-tree and PVST

    Referring to these two links
    http://www.cisco.com/en/US/tech/tk389/tk390/technologies_tech_note09186a0080094665.shtml
    http://www.experts-exchange.com/Hardware/Routers/Q_21349385.html
    IEEE 802.1Q defines a single instance of spanning tree running on the native VLAN for all the VLANs in the network which is called Mono Spanning Tree (MST). This lacks the flexibility and load balancing capability of PVST available with ISL. However, PVST+ offers the capability to retain multiple Spanning Tree topologies with 802.1Q trunking.
    http://networking.ringofsaturn.com/Certifications/BCMSN.php
    Per-VLAN Spanning Tree (PVST): A Cisco proprietary method of connecting through 802.1Q VLAN trunks, the switches maintain one instance of the spanning tree for each VLAN allowed on the trunk, versus non-Cisco 802.1Q switches which maintain one instance for ALL VLANs. This is the default STP used on ISL trunks.
    http://www.informit.com/content/images/1587051427/samplechapter/1587051427content.pdf
    The 802.1Q standard defines one unique Spanning Tree instance to be used by all VLANs in the network. STP runs on the Native VLAN so that it can communicate with both 802.1Q and non-802.1Q compatible switches. This single instance of STP is often referred to as 802.1Q Mono Spanning Tree or Common Spanning Tree (CST). A single spanning tree
    lacks flexibility in how the links are used in the network topology. Cisco implements a protocol known as Per-VLAN Spanning Tree Plus (PVST+) that is compatible with 802.1Q CST but allows a separate spanning tree to be constructed for each VLAN. There is only one active path for each spanning tree; however, in a Cisco network, the active path can be
    I could not understand exactly what this terminology (PVST, instance, PVST+, MST, etc.) is trying to achieve.
    Any URL or online resource would help me do some extra reading to clarify this terminology.

    Hi,
    The URLs that you have provided all explain the same technical details in different ways.
    I will summarise them here for better clarity.
    There are two separate technologies that need clarity.
    1) Method of Trunking many vlans across a link
    2) Spanning tree
    Now for point 1, we have the IEEE standard 802.1Q, which specifies how multiple VLANs can be carried across a link. As per this standard, a 4-byte tag is inserted in the Ethernet packet (inserted between the destination MAC address field and the EtherType field).
    This tag will contain the vlan identifier info and some other details ( available in the urls that you have highlighted)
    Cisco has a proprietary technology called ISL which effectively does the same job in a different fashion but can only be used in cisco devices.
    Now for point 2, again we have IEEE standards like 802.1d ( common/mono spanning tree), 802.1w/RSTP ( Rapid spanning tree) and 802.1s/MSTP.
    In 802.1d, there will be only one spanning tree process/instance running for the whole network, irrespective of how many vlans are involved in the network. Hence the whole network is treated as one common domain by the STP protocol.
    So there can be only one root bridge in the network, and the other bridges will intelligently block the redundant links; we won't have much control to effectively utilise the redundant links.
    IEEE 802.1w/RSTP also works in the same fashion, but the convergence time is very fast in this protocol.
    Here also there is only one spanning tree instance involved.
    In both the above STP protocols, there is only one instance/process of the protocol running in the network, which is common for all VLANs. Hence these protocols consume very little CPU.
    802.1s/MSTP (Multiple Spanning Tree) extends the 802.1w Rapid Spanning Tree Protocol (RSTP) to have multiple STP instances. In this protocol, we can group the desired VLANs into one instance of the protocol.
    Say, for example, let's assume a typical campus network with multiple access switches and 2 distribution/core switches.
    Access switches having dual connectivity to the distribution/core switches.
    In this topology if we deploy 802.1d or 802.1w, the redundant links from the access switches to the distribution/core switches will be blocked. Only one uplink from the access switch to the distribution layer will be working at any point.
    In this network, only one distribution/core switch will be root bridge for the entire network.
    But if we deploy 802.1s for this network, we can design it as follows.
    We can split the VLANs into two groups,
    Group1 => vlan 1 to 50
    Group2 => vlan 51 to 100
    We can create two instances of the MSTP protocol with the following mappings
    Instance 1 => for Group 1, with one distribution/core switch as the root bridge
    Instance 2 => for Group 2, with another distribution switch as the root bridge
    --Continued
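The answer above describes two things a packet-level tool has to handle: the 4-byte 802.1Q tag carried in a frame, and the mapping of VLANs to MST instances (Instance 1 for VLANs 1-50, Instance 2 for VLANs 51-100, everything else in the CIST, instance 0). The following Python is an added example, not code from the thread or from either poster; it parses and builds tagged frames (including 802.1ad QinQ stacks) and looks up the instance for a VLAN ID. The frames and the instance map are constructed for the example.

```python
"""Parse and build 802.1Q-tagged Ethernet frames, and map a VLAN ID to the
MST instance it belongs to.

Added example, not from the thread. Frames and the instance map below are
constructed; the map mirrors the two groups in the answer above.
"""
import struct

TPID_8021Q = 0x8100   # customer tag
TPID_8021AD = 0x88A8  # service tag (QinQ outer tag)
TPIDS = (TPID_8021Q, TPID_8021AD)


def build_frame(dst, src, ethertype, payload, tags=()):
    """tags: iterable of (tpid, pcp, dei, vid); each adds a 4-byte tag
    after the source MAC and before the EtherType."""
    hdr = bytes(dst) + bytes(src)
    for tpid, pcp, dei, vid in tags:
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | (vid & 0x0FFF)
        hdr += struct.pack("!HH", tpid, tci)
    return hdr + struct.pack("!H", ethertype) + bytes(payload)


def parse_frame(frame):
    """Walk any stack of 802.1Q/802.1ad tags and return the header fields."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType/TPID")
        (etype,) = struct.unpack("!H", frame[offset:offset + 2])
        if etype not in TPIDS:
            break  # reached the real EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": etype, "payload": frame[offset + 2:]}


def parse_vlan_ranges(spec):
    """'1-50,60' -> {1, 2, ..., 50, 60}"""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def mst_instance(vid, instance_vlans):
    """Return the MST instance a VLAN maps to; unmapped VLANs stay in the
    CIST, instance 0."""
    for inst, spec in instance_vlans.items():
        if vid in parse_vlan_ranges(spec):
            return inst
    return 0


# Constructed instance map: the two groups from the answer above.
MST_MAP = {1: "1-50", 2: "51-100"}

if __name__ == "__main__":
    frame = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("0011223344aa"),
                        0x0806, b"\x00\x01", tags=[(TPID_8021Q, 5, 0, 100)])
    parsed = parse_frame(frame)
    print(parsed["tags"], "instance", mst_instance(parsed["tags"][0]["vid"], MST_MAP))
```

The parser returns the tag stack in wire order, so a QinQ frame yields the service VID first and the customer VID second; an untagged frame yields an empty list and the plain EtherType.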

  • Dlsw spanning-tree

    Hi, my name is Fabio and I have a problem with DLSw.
    When I configured DLSw on a 3600 router, the 7206 router that has the connection to the mainframe lost communication, and the following message appears on the 3600 router:
    Note: A random Spanning Tree Bridge Identifier address of 0000.0cfe.6628
          has been chosen for Bridge Group 50 since there is no mac address
          associated with the selected interface.
    I am putting the diagram in a .ppt.
    Can I send the configurations of the 3600 and 7200 to help you?
    thanks

    Fabio
    I'm not sure what the issue is here. The mac-address of the end-stations will not be visible in the 4948 as the SNA traffic is encaps'd in ip. Can you supply sh vers, sh runn, sh dlsw pe, sh dls reach, sh dls circuit, sh bri from the 3640 and the 7206. What is the mac-address of the end-station to which mac-address is it trying to connect ?
    Matthew

  • 2960X 15.0(2)EX5 Stack Bug? Master Switch Ports link in Orange, no spanning Tree

    Is anyone aware of a bug in version 15.0(2)EX5 for 2960X Switches that would cause a switch in the master role to stop linking in new ports in green (and passing traffic).  I have 2 2960X-48FPD-L Switches in a stack and whichever switch I designate master will only link new connections in orange and not pass traffic.  All ports linked in show up/up and can be seen in a show cdp neighbor but won't pass any other traffic. 
    If I unplug the Stacking cables both switches become masters and ports linked in green on the previous member switch stay green, but after it switches to master any new connections plugged in only link in orange. 
    If I switch priorities and reboot the problem switches to the new master switch and the problem goes away on the member switch.
    Also, a switch in the master role does not show any spanning tree instances for ports in the orange link state. 
    Has anyone seen this issue and do you know of a solution? 
    Jim

    A quick update for those with this same problem.
    1.  15.2(3)E turned out to be very unstable causing my switch stack to randomly lockup/reboot one of the switches about once a week.
    2.  I downgraded back to 15.0(2)EX5 but found a workaround.  It turns out the switch stack with the 15.0 versions does not like the switchport voice vlan command on any of the interfaces on the master switch.  I simply removed the voice vlan configuration on the interfaces and all the switch ports linked in just fine.  I would prefer to run the phones on a voice vlan, but it still works without, just the PCs and phones are on the same vlan.
    Jim

  • Spanning-Tree MST

    Hi,
    we have the following configuration on our switches
    spanning-tree mode mst
    spanning-tree extend system-id
    spanning-tree mst configuration
     name test
    spanning-tree mst forward-time 4
    When we have a failover, convergence time was about 8-10 seconds of outage. Is there anything in the above config that suggests this could be causing the delay? I thought MST had fast convergence times?
    Thanks

    I will try this later on. Not sure it was already in place. What are the differences between them both? I thought MST can have multiple VLANs per region, so a better design. Is RSTP not the same as PVST? Not done much spanning tree as of yet, so have not had a chance to look at the differences?
    Thanks

  • Ralink RT3290 802.11bgn Wi-Fi Adapter is not detecting wifi

    I am using an HP PAVILION 15-E015TX. I reset my Windows 8 OS recently because of some corruption of data. After resetting the OS everything is reinstalled to its original state. But the Ralink RT3290 802.11bgn Wi-Fi Adapter is not detecting the wifi, which worked properly before resetting the OS. When I run the troubleshoot option under HP SUPPORT ASSISTANT it shows a red mark while resetting the adapter.
    I want to know how I can fix it.

    Rats.
    I hope the replacement card fixes the problem.  Over the years I have had just one bad network card -- and it drove me nuts tracking down that it was, indeed, a failed card. 
    Good Luck - post back if you like and let us know the results!
    Click the Kudos Star!
    It is a nice way to say “Thank You” for the help.
    Although I strive to reflect HP's best practices, I do not work for HP. 
    Kind Regards,
    Dragon-Fur

  • Iwlwifi does not detect present 802.11n networks

    I just got a new laptop, and the iwlwifi driver it's using is not detecting 802.11n networks that I know are there. My old laptop, which is also using the iwlwifi driver, is currently connected to that network less than 2 feet away. The old laptop has kernel 3.4.4, whereas the new one has kernel 3.4.7. Is that the problem, or is it the card?
    New laptop:
    03:00.0 Network controller: Intel Corporation Centrino Wireless-N 2200 (rev c4)
    iwconfig wlan0 says "IEEE 802.11bgn"
    Old laptop:
    03:00.0 Network controller: Intel Corporation PRO/Wireless 5100 AGN [Shiloh] Network Connection
    Last edited by Daenyth (2012-08-08 19:35:17)

    Gusar wrote:
    .:B:. wrote:You're reading things that are not there mate. 802.11n is both a 5 GHz and a 2,4 GHz standard. The old IPW 2200 only does 802.11bg. Had one myself.
    I know that. Are you saying the new 2200 only does N at 2.4GHz?
    Oh, and I not only had an IPW 2200, I still have it! . Actually, I have an IPW 2915, which also does 802.11a in addition to 802.11bg. It uses the same ipw2200 driver though.
    Edit: Did a bit of googling, the new 2200 indeed only does N at 2.4GHz. Let me just say that this is totally and completely insane. It's so insane I couldn't imagine such a thing could even exist.
    It's a billion dollar company. What do you expect? I found out yesterday Microsoft actually has a 16 GB memory limit on Windows 7 Home Premium. You need a Pro version to use more. There I was, telling my friend to get 32 GB for his video editing rig.
    As for daenyth's card, convention has it that bgn is 2,4 GHz only. An a(b)gn card can do both 2,4 GHz and 5 GHz. You don't need to check specs for that. It's sad indeed, but there are still plenty 2,4 GHz-only 802.11n cards around. This new laptop I got a few months back came with one, and that wasn't a 300 EUR netbook.
    Last edited by .:B:. (2012-08-09 11:48:55)

  • New Airport Extreme -802.11 ac model is not detecting my USB Hard drive

    My new Airport Extreme 802.11ac model is not detecting my external USB HDD when connected via the USB port in the Airport Extreme.
    I'm using a Seagate USB HDD 3TB, and it's working when I connect my previous generation Airport Extreme router.
    Looks like the new version is not detecting my HDD.
    Please help.
    Cheers
    SK

    What version of firmware are you running on the 802.11ac?
    There is a 7.7.1 update with USB fixes - http://support.apple.com/kb/DL1665
    After my update to 7.7.1, I still cannot see the Seagate 3TB HDD.
    The disk works on a 2nd Gen 802.11n Extreme.
    This is

  • ISE 1.2 does not do HTTP profiling ???

    Hi, guys.
    Has anyone successfully enabled ISE 1.2 Patch 1 to do profiling using HTTP on a monitor session/SPAN port ???
    I have tried the following:
    - DMZ switch, which holds a vlan where (only) the central proxy server resides
    - ESX 5.1 host, one nic connected to the DMZ switch
    - configured a virtual switch/network on this host, which uses the nic connected to the DMZ switch (enabled promiscuous mode on the vswitch and network)
    - ISE 1.2 Patch 1 installed on the ESX host, two interfaces (Gig 0 and 1), Gig 1 connected to the vswitch and virtual network
    - configured virtual ISE to do http profiling on Gig 1
    Here are some shows:
    #sh moni
    Session 1
    Type                   : Local Session
    Source VLANs           :
        Both               : xx
    Destination Ports      : Gi2/0/48
        Encapsulation      : Native
              Ingress      : Disabled
    #sh run int gig2/0/48
    interface GigabitEthernet2/0/48
    description *** ISE Proxy SPAN Port
    switchport access vlan xx
    The span destination port shows lots of outgoing packets:
    #sh int gig2/0/48
    GigabitEthernet2/0/48 is up, line protocol is down (monitoring)
      Hardware is Gigabit Ethernet, address is 588d.0941.7130 (bia 588d.0941.7130)
      Description: *** ISE-Riker Proxy SPAN Port
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 10/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output 00:22:36, output hang never
      Last clearing of "show interface" counters 03:03:20
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14352300
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 42962000 bits/sec, 13051 packets/sec
         33 packets input, 2436 bytes, 0 no buffer
         Received 33 broadcasts (18 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 18 multicast, 0 pause input
         0 input packets with dribble condition detected
        223104868 packets output, 98731284385 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    But the interface on ISE hardly shows any incoming packets:
    # sh int gig 1
    GigabitEthernet 1
              Link encap:Ethernet  HWaddr 00:50:56:8D:4A:C1
              inet6 addr: fe80::250:56ff:fe8d:4ac1/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3810 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:347928 (339.7 KiB)  TX bytes:936 (936.0 b)
              Interrupt:67 Base address:0x20a4
    I have tested if the vmware virtual network makes the packets disappear, therefore I have connected a windows virtual machine to the same network as ISE 
    Running Wireshark on this Windows machine shows me LOOOOOTS of HTTP packets on this virtual network; it seems like the ISE nic just doesn't see them ......
    Any ideas ???
    Rgs
    Frank

    1. it is vm, right?    
    Yepp !!
    can you get netstat -i?
    Executed where ?? On the esx host ?? On the ise vm ??
    What do you expect to see ??
    2. Did you configure an ip for the span receive interface?
    No, why should this be necessary ?? (switchport, wireshark, etc. don't need an ip to capture
    packets on a promiscuous interface, even ISE 1.1.4 didn't need one on the http profiling interface .....)
    Configuration guide doesn't say so anyway ......
    if not, you must configure one to make it work.
    looks like you don't have one,,, pls configure one...
    Ok, ok ..., configured an ip address, checked the profiling attributes ...
    Result: did not make any difference ..... (tadaaaahhhhh !!!)
    tcpdump: WARNING: eth1: no IPv4 address assigned
    Right, but tcpdump shows dozens of live packets as they arrive live on ise, they are just not reflected in the "sh int gig 1" counters
    and furthermore not picked up by the application, that is why I would suspect a nic driver malfunction on the underlying linux os ......
    3. on vswitch make sure the port is in promiscuous mode.
    As I already mentioned before in this thread, it is.
    If the vmware virtual network inbetween ise and the non-virtual network would swallow the packets, why would "tech dumptcp 1" show anything at all ??
    (see screenshots above)
    Rgs
    Frank

  • 802.1X authentication not happening in Voice Domain for IP Phone

    I am trying to lab as many scenarios as I can for 802.1x.  I seem to have hit a problem with IP Phones running EAP-MD5 authentication.  The phones are always being authenticated in the Data Domain.  This is regardless of whether or not the port configuration is in host-mode multi-auth or host-mode multi-domain.  After a while of both ports appearing to authenticate in the data VLAN, neither the PC nor the Phone will work.
    I have checked that my ACS5.1 server is sending the appropriate AV pair of "device-traffic-class=voice" as I can see it in a wireshark trace.
    What other aspects might I need to check to get the phone to authenticate itself properly?
    The problem shows itself as:
    C3750G#sh authentication sessions int gi 1/0/16
                Interface:  GigabitEthernet1/0/16
              MAC Address:  001d.452d.53e0
               IP Address:  Unknown
                User-Name:  CP-7942G-SEP001D452D53E0
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  C0A8FE2500000014000F6B8F
          Acct Session ID:  0x00000036
                   Handle:  0xC8000014
    Runnable methods list:
           Method   State
           dot1x    Authc Success
                Interface:  GigabitEthernet1/0/16
              MAC Address:  0014.c209.896f
               IP Address:  192.168.10.2
                User-Name:  TEST\TestAdmin
                   Status:  Running
                   Domain:  UNKNOWN
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  C0A8FE2500000013000F5A42
          Acct Session ID:  0x00000034
                   Handle:  0x27000013
    Runnable methods list:
           Method   State
           dot1x    Running
    My port config is:
    interface GigabitEthernet1/0/16
    description * 802.1x Multi Domain (1Phone + 1PC) *
    switchport access vlan 10
    switchport mode access
    switchport voice vlan 11
    priority-queue out
    authentication host-mode multi-domain
    authentication port-control auto
    udld port aggressive
    mls qos trust dscp
    dot1x pae authenticator
    spanning-tree portfast
    end

    For information, the debugs you request are:
    Jan 29 10:58:46.317: %ILPOWER-7-DETECT: Interface Gi1/0/16: Power Device detected: IEEE PD
    Jan 29 10:58:46.770: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/16: Power granted
    Jan 29 10:58:50.377: AAA/BIND(0000001D): Bind i/f
    Jan 29 10:58:52.373: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/16, changed state to up
    Jan 29 10:58:53.380: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/16, changed state to up
    Jan 29 10:58:54.789: %AUTHMGR-5-START: Starting 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
    Jan 29 10:58:56.920: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
    Jan 29 10:58:56.920: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
    Jan 29 10:58:56.920: RADIUS(0000001D): Config NAS IP: 192.168.254.37
    Jan 29 10:58:56.920: RADIUS/ENCODE(0000001D): acct_session_id: 54
    Jan 29 10:58:56.920: RADIUS(0000001D): sending
    Jan 29 10:58:56.920: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/52, len 237
    Jan 29 10:58:56.920: RADIUS:  authenticator 89 81 92 2C AA 6B E6 E6 - CA 2C 3A 0D E1 C5 28 ED
    Jan 29 10:58:56.928: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:56.928: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jan 29 10:58:56.928: RADIUS:  Framed-MTU          [12]  6   1500
    Jan 29 10:58:56.928: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
    Jan 29 10:58:56.928: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
    Jan 29 10:58:56.928: RADIUS:  EAP-Message         [79]  31
    Jan 29 10:58:56.928: RADIUS:   02 01 00 1D 01 43 50 2D 37 39 34 32 47 2D 53 45 50 30 30 31 44  [CP-7942G-SEP001D]
    Jan 29 10:58:56.928: RADIUS:   34 35 32 44 35 33 45 30          [ 452D53E0]
    Jan 29 10:58:56.928: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:56.928: RADIUS:   83 AF F8 DB 44 0D 0A 46 70 2F 1E 8D 67 CE BC DD             [ DFp/g]
    Jan 29 10:58:56.928: RADIUS:  EAP-Key-Name        [102] 2   *
    Jan 29 10:58:56.928: RADIUS:  Vendor, Cisco       [26]  49
    Jan 29 10:58:56.928: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
    Jan 29 10:58:56.928: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Jan 29 10:58:56.928: RADIUS:  NAS-Port            [5]   6   50116
    Jan 29 10:58:56.928: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
    Jan 29 10:58:56.928: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
    Jan 29 10:58:56.928: RADIUS(0000001D): Started 4 sec timeout
    Jan 29 10:58:56.928: RADIUS: Received from id 1645/52 192.168.254.51:1645, Access-Challenge, len 76
    Jan 29 10:58:56.928: RADIUS:  authenticator DA 45 B9 F8 80 48 A0 4B - F7 99 9B 1F DE 4F B2 9E
    Jan 29 10:58:56.928: RADIUS:  State               [24]  30
    Jan 29 10:58:56.937: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:56.937: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:56.937: RADIUS:  EAP-Message         [79]  8
    Jan 29 10:58:56.937: RADIUS:   01 51 00 06 0D 20                [ Q ]
    Jan 29 10:58:56.937: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:56.937: RADIUS:   3C F4 D9 93 82 EA FB 25 A7 9D C4 8F 14 3F 33 4F             [ <??3O]
    Jan 29 10:58:56.937: RADIUS(0000001D): Received from id 1645/52
    Jan 29 10:58:56.937: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
    Jan 29 10:58:57.046: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
    Jan 29 10:58:57.046: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
    Jan 29 10:58:57.046: RADIUS(0000001D): Config NAS IP: 192.168.254.37
    Jan 29 10:58:57.046: RADIUS/ENCODE(0000001D): acct_session_id: 54
    Jan 29 10:58:57.046: RADIUS(0000001D): sending
    Jan 29 10:58:57.046: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/53, len 244
    Jan 29 10:58:57.046: RADIUS:  authenticator BE 9B 32 59 45 BF 15 45 - E4 43 02 B5 B5 D7 ED 83
    Jan 29 10:58:57.046: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:57.046: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jan 29 10:58:57.046: RADIUS:  Framed-MTU          [12]  6   1500
    Jan 29 10:58:57.054: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
    Jan 29 10:58:57.054: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
    Jan 29 10:58:57.054: RADIUS:  EAP-Message         [79]  8
    Jan 29 10:58:57.054: RADIUS:   02 51 00 06 03 04                 [ Q]
    Jan 29 10:58:57.054: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.054: RADIUS:   E0 B5 99 82 7E 9E 35 0F 78 D9 BD 4B 96 97 34 47            [ ~5xK4G]
    Jan 29 10:58:57.054: RADIUS:  EAP-Key-Name        [102] 2   *
    Jan 29 10:58:57.054: RADIUS:  Vendor, Cisco       [26]  49
    Jan 29 10:58:57.054: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
    Jan 29 10:58:57.054: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Jan 29 10:58:57.054: RADIUS:  NAS-Port            [5]   6   50116
    Jan 29 10:58:57.054: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
    Jan 29 10:58:57.054: RADIUS:  State               [24]  30
    Jan 29 10:58:57.054: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:57.054: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:57.054: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
    Jan 29 10:58:57.054: RADIUS(0000001D): Started 4 sec timeout
    Jan 29 10:58:57.054: RADIUS: Received from id 1645/53 192.168.254.51:1645, Access-Challenge, len 95
    Jan 29 10:58:57.054: RADIUS:  authenticator D9 62 B7 27 8F 55 E9 88 - 41 01 D0 83 52 DF 36 29
    Jan 29 10:58:57.054: RADIUS:  State               [24]  30
    Jan 29 10:58:57.054: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:57.063: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:57.063: RADIUS:  EAP-Message         [79]  27
    Jan 29 10:58:57.063: RADIUS:   01 52 00 19 04 10 AA 6A A2 BC 63 1A C0 93 B8 58 67 F7 1A A5 FD 45 41 43 53         [ RjcXgEACS]
    Jan 29 10:58:57.063: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.063: RADIUS:   29 D2 66 87 4A 2F B3 9E B5 EC F9 4E 9F 62 82 5E           [ )fJ/Nb^]
    Jan 29 10:58:57.063: RADIUS(0000001D): Received from id 1645/53
    Jan 29 10:58:57.063: RADIUS/DECODE: EAP-Message fragments, 25, total 25 bytes
    Jan 29 10:58:57.079: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
    Jan 29 10:58:57.079: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
    Jan 29 10:58:57.079: RADIUS(0000001D): Config NAS IP: 192.168.254.37
    Jan 29 10:58:57.079: RADIUS/ENCODE(0000001D): acct_session_id: 54
    Jan 29 10:58:57.079: RADIUS(0000001D): sending
    Jan 29 10:58:57.079: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/54, len 284
    Jan 29 10:58:57.079: RADIUS:  authenticator 91 F4 7C C1 4E 79 27 AB - 2F 36 20 A8 9C 3F A9 76
    Jan 29 10:58:57.079: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:57.088: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jan 29 10:58:57.088: RADIUS:  Framed-MTU          [12]  6   1500
    Jan 29 10:58:57.088: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
    Jan 29 10:58:57.088: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
    Jan 29 10:58:57.088: RADIUS:  EAP-Message         [79]  48
    Jan 29 10:58:57.088: RADIUS:   02 52 00 2E 04 10 45 2F B1 FC 60 CF 09 08 7B C4 F9 56 74 AF 44 E9 43 50 2D 37 39 34 32  [R.E/`{VtDCP-7942]
    Jan 29 10:58:57.088: RADIUS:   47 2D 53 45 50 30 30 31 44 34 35 32 44 35 33 45  [G-SEP001D452D53E]
    Jan 29 10:58:57.088: RADIUS:   30                 [ 0]
    Jan 29 10:58:57.088: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.088: RADIUS:   45 42 58 9F 75 14 09 A1 FC DD CD 26 B4 88 42 CF            [ EBXu&B]
    Jan 29 10:58:57.088: RADIUS:  EAP-Key-Name        [102] 2   *
    Jan 29 10:58:57.088: RADIUS:  Vendor, Cisco       [26]  49
    Jan 29 10:58:57.088: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
    Jan 29 10:58:57.088: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Jan 29 10:58:57.088: RADIUS:  NAS-Port            [5]   6   50116
    Jan 29 10:58:57.088: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
    Jan 29 10:58:57.088: RADIUS:  State               [24]  30
    Jan 29 10:58:57.088: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:57.088: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:57.088: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
    Jan 29 10:58:57.088: RADIUS(0000001D): Started 4 sec timeout
    Jan 29 10:58:57.222: RADIUS: Received from id 1645/54 192.168.254.51:1645, Access-Accept, len 126
    Jan 29 10:58:57.222: RADIUS:  authenticator 7B A5 E0 B2 D6 15 90 26 - 8F 8F 64 B0 E6 94 D8 C7
    Jan 29 10:58:57.222: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:57.222: RADIUS:  Class               [25]  22
    Jan 29 10:58:57.222: RADIUS:   43 41 43 53 3A 41 43 53 2F 38 35 36 37 30 35 31  [CACS:ACS/8567051]
    Jan 29 10:58:57.222: RADIUS:   38 2F 33 33              [ 8/33]
    Jan 29 10:58:57.222: RADIUS:  EAP-Message         [79]  6
    Jan 29 10:58:57.222: RADIUS:   03 52 00 04                 [ R]
    Jan 29 10:58:57.222: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.222: RADIUS:   E8 2E 9B FD C2 A8 D7 5E 86 DD 3C 67 FF 37 75 02            [ .^]
    Jan 29 10:58:57.222: RADIUS:  Vendor, Cisco       [26]  34
    Jan 29 10:58:57.222: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
    Jan 29 10:58:57.222: RADIUS(0000001D): Received from id 1645/54
    Jan 29 10:58:57.222: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
    Jan 29 10:58:57.222: AAA/AUTHOR (0000001D): Method list id=0 not configured. Skip author
    Jan 29 10:58:57.222: %DOT1X-5-SUCCESS: Authentication successful for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID
    Jan 29 10:58:57.222: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
    Jan 29 10:58:57.239: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
    Jan 29 10:58:58.262: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
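One way to check for the situation described in this post (the server returns `device-traffic-class=voice` in the Access-Accept, yet the switch keeps the phone in the DATA domain) is to correlate the `show authentication sessions` output with the `debug radius` output. The script below is an added example, not code from the original post: the sample text is constructed in the shape of the post's output, and the helper names are the example's own.

```python
"""Flag phones the RADIUS server tagged device-traffic-class=voice that the switch
still placed in the DATA domain. Sample text is constructed; helper names are this example's own."""
import re

SESSIONS = """\
            Interface:  GigabitEthernet1/0/16
          MAC Address:  001d.452d.53e0
            User-Name:  CP-7942G-SEP001D452D53E0
               Domain:  DATA
Runnable methods list:
       Method   State
       dot1x    Authc Success
            Interface:  GigabitEthernet1/0/16
          MAC Address:  0014.c209.896f
            User-Name:  TEST\\TestAdmin
               Domain:  UNKNOWN
"""

DEBUG = """\
Jan 29 10:58:57.222: RADIUS: Received from id 1645/54 192.168.254.51:1645, Access-Accept, len 126
Jan 29 10:58:57.222: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
Jan 29 10:58:57.222: RADIUS:  Vendor, Cisco       [26]  34
Jan 29 10:58:57.222: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
Jan 29 10:58:57.222: RADIUS(0000001D): Received from id 1645/54
"""

def parse_sessions(text):
    """One dict per session; a new session starts at every 'Interface:' line."""
    sessions = []
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z][A-Za-z -]*?):\s+(\S.*)$', line)
        if not m:                          # method table rows, bare headers
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == 'Interface':
            sessions.append({})
        if sessions:
            sessions[-1][key] = value
    return sessions

def parse_accepts(debug):
    """Attributes of each Access-Accept: {'id', 'User-Name', 'avpairs'}."""
    accepts, cur = [], None
    for line in debug.splitlines():
        m = re.search(r'RADIUS: Received from id (\S+) \S+, (\S+),', line)
        if m:                              # start of a decoded reply packet
            cur = {'id': m.group(1), 'avpairs': []} if m.group(2) == 'Access-Accept' else None
            if cur is not None:
                accepts.append(cur)
        elif cur is not None:
            if re.search(r'RADIUS\(\w+\): Received from id', line):
                cur = None                 # end of this packet's attribute dump
            elif (m := re.search(r'User-Name\s+\[1\]\s+\d+\s+"([^"]*)"', line)):
                cur['User-Name'] = m.group(1)
            elif (m := re.search(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"', line)):
                cur['avpairs'].append(m.group(1))
    return accepts

def find_domain_mismatches(sessions, accepts):
    """(MAC, user, domain) for sessions authorized as voice but not in VOICE."""
    voice_users = {a.get('User-Name') for a in accepts
                   if 'device-traffic-class=voice' in a['avpairs']}
    return [(s.get('MAC Address'), s.get('User-Name'), s.get('Domain'))
            for s in sessions
            if s.get('User-Name') in voice_users and s.get('Domain') != 'VOICE']
```

Run against the real outputs, an empty result means the switch honoured the voice VSA; a non-empty result points at the switch side (host mode, voice VLAN or IOS behaviour) rather than at the ACS policy.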

  • ISE 802.1x and Windows Logoff

    Hi Guys,
    I have an ISE that works fine using 802.1x, but we have a strange behavior when the client just logs off the Windows machine: after the client logs in again, the machine does not authenticate and is stuck with a message "not possible to authenticate". Then I need to unplug the machine's cable and plug it in again; after this everything works fine.
    This happens only when using Windows logoff.
    Could someone help me with it?
    Thanks a lot

    Hi Rik,
    I am using this configuration.
    interface GigabitEthernet3/33
    switchport access vlan 22
    switchport mode access
    switchport voice vlan 23
    ip access-group ACL-DEFAULT in
    logging event link-status
    authentication event fail action next-method
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication violation restrict
    mab
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
    dot1x pae authenticator
    dot1x timeout tx-period 10
    qos trust device cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
    service-policy output AutoQos-4.0-Output-Policy
    The clients are using the NAC Agent to perform posture.
    If I unplug the cable and plug it in again, everything works fine, but if the client tries to log off and after a while logs in again, the NIC cannot be authenticated.
    Thanks a lot

  • Spanning-tree not working: SG500 to Cat3650

    Hi All,
    Trying to turn up a new site. I have 2 switches: Cat 3650 & SG500-52P.  I want to connect two Ethernet cables between these switches so that, in the event one fails, STP will put the blocked one into forwarding.  However, when I connect the 2nd Ethernet cable, I get the following:
    IPADTBL-N-IPDUPLICATE: Duplicate IP address 192.168.5.232 from MAC a0:ec:f9:ef:6a:18 was detected on VLAN 1, port gi1/1/24
    This log message is then followed by the network locking up & crashing until I remove the 2nd cable (i.e. STP loop).  Removing the redundant cable solves the problem. This is because STP is allowing both links to transition to the forwarding state (confirmed in show spanning-tree & show cdp neighbor).
    Why is spanning-tree not correctly blocking one of the lines? Is that type of architecture not supported when there is an SG300/500 in the equation?
    Configs below:
    Core 3650: (box configs basically)
    Switch#show run
    Building configuration...
    Current configuration : 2686 bytes
    ! Last configuration change at 10:01:53 UTC Thu Jan 22 2015
    ! NVRAM config last updated at 09:24:03 UTC Thu Jan 22 2015
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    hostname Switch
    boot-start-marker
    boot-end-marker
    vrf definition Mgmt-vrf
     address-family ipv4
     exit-address-family
     address-family ipv6
     exit-address-family
    logging console emergencies
    enable secret 5 $1$Qi5N$u/5q1HESY/TyQsPFNKVah1
    no aaa new-model
    clock timezone UTC -6 0
    clock summer-time UTC recurring
    switch 1 provision ws-c3650-24ts
    ip device tracking
    diagnostic bootup level minimal
    spanning-tree mode pvst
    spanning-tree extend system-id
    spanning-tree vlan 1 priority 24576
    redundancy
     mode sso
    class-map match-any non-client-nrt-class
      match non-client-nrt
    policy-map port_child_policy
     class non-client-nrt-class
        bandwidth remaining ratio 10
    interface GigabitEthernet0/0
     vrf forwarding Mgmt-vrf
     no ip address
     negotiation auto
    interface GigabitEthernet1/0/1
    interface GigabitEthernet1/0/2
    interface GigabitEthernet1/0/3
    interface GigabitEthernet1/0/4
    interface GigabitEthernet1/0/5
    interface GigabitEthernet1/0/6
    interface GigabitEthernet1/0/7
    interface GigabitEthernet1/0/8
    interface GigabitEthernet1/0/9
    interface GigabitEthernet1/0/10
    interface GigabitEthernet1/0/11
    interface GigabitEthernet1/0/12
    interface GigabitEthernet1/0/13
    interface GigabitEthernet1/0/14
    interface GigabitEthernet1/0/15
    interface GigabitEthernet1/0/16
    interface GigabitEthernet1/0/17
    interface GigabitEthernet1/0/18
    interface GigabitEthernet1/0/19
    interface GigabitEthernet1/0/20
    interface GigabitEthernet1/0/21
    interface GigabitEthernet1/0/22
    interface GigabitEthernet1/0/23
    interface GigabitEthernet1/0/24
    interface GigabitEthernet1/1/1
    interface GigabitEthernet1/1/2
    interface GigabitEthernet1/1/3
    interface GigabitEthernet1/1/4
    interface Vlan1
     ip address 192.168.5.230 255.255.255.0
    ip default-gateway 192.168.5.1
    ip http server
    ip http secure-server
    line con 0
     exec-timeout 0 0
     stopbits 1
    line aux 0
    line vty 0 4
     password scrubbed
     login
    line vty 5 15
     password scrubbed
     login
    wsma agent exec
     profile httplistener
     profile httpslistener
    wsma agent config
     profile httplistener
     profile httpslistener
    wsma agent filesys
     profile httplistener
     profile httpslistener
    wsma agent notify
     profile httplistener
     profile httpslistener
    wsma profile listener httplistener
     transport http
    wsma profile listener httpslistener
     transport https
    ap group default-group
    end
    SG500 Switch:
    switchff1182#show run
    config-file-header
    switchff1182
    v1.3.0.62 / R750_NIK_1_3_647_260
    CLI v1.0
    set system mode switch queues-mode 4
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    hostname switchff1182
    no passwords complexity enable
    username cisco password encrypted scrubbed privilege 15
    ip ssh server
    snmp-server server
    no ip http server
    ip telnet server
    interface vlan 1
     ip address 192.168.5.231 255.255.255.0
     no ip address dhcp
    exit
    ip default-gateway 192.168.5.1

    Hi Peter,
    Thanks for replying. Unfortunately (or fortunately, if it worked), STP is running and BPDUs are flooding, see below:
    SW500A#show spanning-tree
    Spanning tree enabled mode RSTP
    Default port cost method:  long
      Root ID    Priority    24577
                 Address     a0:ec:f9:ef:6a:00
                 Cost        20000
                 Port        gi1/1/43
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    32768
                 Address     2c:3e:cf:ff:11:82
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
    SW500A#show spanning-tree bpdu
    Global: Flooding
    I guess I'm doing etherchannels instead of redundant links :-/
    This is one of many reasons why I regret these small business models being made; a lot of things that are polished and functional in the enterprise grade (i.e. real switches) just don't seem to work on these units. But unfortunately, as the price is significantly cheaper, companies will continue purchasing these over the better quality units, and engineers like myself will be stuck working with the cut-corners version of a Cisco switch.
