Mac estaticas WS-C2960S

Hola
Tengo problemas con varios switches que sin haber configurado presentan macs estáticas en su tabla, este problema se soluciona al reiniciar el switch, alguien me puede ayudar a saber porque sucede esto??
gracias por sus comentarios.

Hi,
To troubleshoot memory please follow the below steps:
First, please check if the memory usage is genuine or not, this can be checked by checking the memory status of any other similar switch in the network having similar devices attached. This check is important because even a 95% of memory usage could be normal depending upon the requirements of your network.
If the memory usage is really abnormal and the switch is crashing then note the time between the two crashes.
If the two crashes are in a GAP of 7 days then take the outpust of "show process memory sorted" 5 times at a gap of 24-36 hours.
It will give you an idea about the process which is constantly holding more and more memory without releasing it.
Once you know the process, you can track the relevant bug.
Moreover, on the 2960 switch the 15.X train has a lot of memory bugs, I would recommend you to downgrade it to 12.2(55) train as it is one of the most stable IOS images on this platform.
Thanks.

Similar Messages

CNA 5.5 and show mac address-table

When trying to Monitor/Search for MAC address in C2960 network I got an error reply that a CLI command is not supported. Analyzing network traffic shows that CNA 5.5 is issueing 'show mac-address-table' command but the latest Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE does not support 'show mac-address-table' anymore but does support 'show mac address-table' command. How can I change the command for showing mac address tables in CNA 5.5?
M.

hi john,
the show mac-address-table command should be valid.
check if you've got MAC learning enabled on the ASA interface using show mac-learn command.
edit: could you post show firewall? the above command works on transparent firewall only.

802.1x authentication problem on C2960S-48TS-L with Linux clients

Hi,
Due to implementing wired 802.1x in my company I fased with problem of authentication of some Linux computers (Ubuntu 13.10+) via mab at the one of my Access switches(C2960S-48TS-L). The problem exist on IOS 12.55 and 15.0(2)SE6.
It seems that Authenticator can't detect MAC address of supplicant. In debug the MAC address is (Unknown MAC) or (0000.0000.0000).
Before authentication I could see registered MAC address on the switchport interface(without 802.1x settings on the port):
sh mac address-table interface g1/0/2 "before 802.1x authentication"
Vlan Mac Address Type Ports
2 0015.990f.60d9 STATIC Gi1/0/2
The host should get to Vlan 2 after failed authentication(according to port settings). But actually after trying to authenticate the host on this port
loses connection with network and doesn't get in 2 Vlan
sh mac address-table interface g1/0/2 "after 802.1x authentication"
Vlan Mac Address Type Ports
sh authentication sessions
Interface MAC Address Method Domain Status Session ID
Gi1/0/24 (unknown) dot1x DATA Authz Success 6A7D1FAF0000000000023E32
Gi1/0/25 (unknown) dot1x DATA Authz Success 6A7D1FAF0000000200024193
Gi1/0/2 (unknown) mab UNKNOWN Running 6A7D1FAF000000280011BA1A
sh dot1x interface g1/0/2 details
Dot1x Info for GigabitEthernet1/0/2
PAE = AUTHENTICATOR
QuietPeriod = 5
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 3
sh run int g1/0/2
interface GigabitEthernet1/0/2
description ## User Port ##
switchport access vlan 2
switchport mode access
switchport voice vlan 5
switchport port-security maximum 5
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
ip arp inspection limit rate 120
authentication event fail retry 0 action authorize vlan 2
authentication event server dead action authorize vlan 2
authentication event no-response action authorize vlan 2
authentication host-mode multi-host
authentication port-control auto
authentication periodic
authentication timer reauthenticate 3900
authentication timer inactivity 300
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 3
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
end
I have tried to change authentication host-mode to multi-domain but the problem remains.
"debug dot1x all" in the attached file.
Please help me to resolve this issue

I have removed port security but still have failed authentication on the port
002262: Mar 26 16:23:26.516: dot1x-ev(Gi1/0/2): Deleting client 0x9A000053 (0000.0000.0000)
002263: Mar 26 16:23:26.516: dot1x-ev:Delete auth client (0x9A000053) message
002264: Mar 26 16:23:26.516: dot1x-ev:Auth client ctx destroyed
002265: Mar 26 16:23:26.715: dot1x_auth Gi1/0/2: initial state auth_initialize has enter
002266: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_initialize_enter called
002267: Mar 26 16:23:26.715: dot1x_auth Gi1/0/2: during state auth_initialize, got event 0(cfg_auto)
002268: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_initialize -> auth_disconnected
002269: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_disconnected_enter called
002270: Mar 26 16:23:26.715: dot1x_auth Gi1/0/2: idle during state auth_disconnected
002271: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_disconnected -> auth_restart
002272: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_restart_enter called
002273: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Sending create new context event to EAP for 0x6D000054 (0000.0000.0000)
002274: Mar 26 16:23:26.715: dot1x_auth_bend Gi1/0/2: initial state auth_bend_initialize has enter
002275: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_initialize_enter called
002276: Mar 26 16:23:26.715: dot1x_auth_bend Gi1/0/2: initial state auth_bend_initialize has idle
002277: Mar 26 16:23:26.715: dot1x_auth_bend Gi1/0/2: during state auth_bend_initialize, got event 16383(idle)
002278: Mar 26 16:23:26.715: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_initialize -> auth_bend_idle
002279: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_enter called
002280: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Created a client entry (0x6D000054)
002281: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Dot1x authentication started for 0x6D000054 (0000.0000.0000)
002282: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): Posting !EAP_RESTART on Client 0x6D000054
002283: Mar 26 16:23:26.715: dot1x_auth Gi1/0/2: during state auth_restart, got event 6(no_eapRestart)
002284: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_restart -> auth_connecting
002285: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_connecting_enter called
002286: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_restart_connecting_action called
002287: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): Posting RX_REQ on Client 0x6D000054
002288: Mar 26 16:23:26.721: dot1x_auth Gi1/0/2: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
002289: Mar 26 16:23:26.721: @@@ dot1x_auth Gi1/0/2: auth_connecting -> auth_authenticating
002290: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authenticating_enter called
002291: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_connecting_authenticating_action called
002292: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): Posting AUTH_START for 0x6D000054
002293: Mar 26 16:23:26.721: dot1x_auth_bend Gi1/0/2: during state auth_bend_idle, got event 4(eapReq_authStart)
002294: Mar 26 16:23:26.721: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_idle -> auth_bend_request
002295: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
002296: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
002297: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Role determination not required
002298: Mar 26 16:23:26.721: dot1x-registry:registry:dot1x_ether_macaddr called
002299: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
002300: Mar 26 16:23:26.721: EAPOL pak dump Tx
002301: Mar 26 16:23:26.721: EAPOL Version: 0x3 type: 0x0 length: 0x0005
002302: Mar 26 16:23:26.721: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
002303: Mar 26 16:23:26.721: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002304: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_request_action called
002305: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): Posting EAP_REQ for 0x6D000054
002306: Mar 26 16:23:29.814: dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 7(eapReq)
002307: Mar 26 16:23:29.814: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_request
002308: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_request_action called
002309: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
002310: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
002311: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Role determination not required
002312: Mar 26 16:23:29.814: dot1x-registry:registry:dot1x_ether_macaddr called
002313: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
002314: Mar 26 16:23:29.814: EAPOL pak dump Tx
002315: Mar 26 16:23:29.814: EAPOL Version: 0x3 type: 0x0 length: 0x0005
002316: Mar 26 16:23:29.814: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
002317: Mar 26 16:23:29.814: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002318: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): Posting EAP_REQ for 0x6D000054
002319: Mar 26 16:23:32.907: dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 7(eapReq)
002320: Mar 26 16:23:32.907: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_request
002321: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_request_action called
002322: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
002323: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
002324: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Role determination not required
002325: Mar 26 16:23:32.913: dot1x-registry:registry:dot1x_ether_macaddr called
002326: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
002327: Mar 26 16:23:32.913: EAPOL pak dump Tx
002328: Mar 26 16:23:32.913: EAPOL Version: 0x3 type: 0x0 length: 0x0005
002329: Mar 26 16:23:32.913: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1
002330: Mar 26 16:23:32.913: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002331: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Received an EAP Timeout
002332: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting EAP_TIMEOUT for 0x6D000054
002333: Mar 26 16:23:36.001: dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 12(eapTimeout)
002334: Mar 26 16:23:36.001: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_timeout
002335: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_timeout_enter called
002336: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_timeout_action called
002337: Mar 26 16:23:36.001: dot1x_auth_bend Gi1/0/2: idle during state auth_bend_timeout
002338: Mar 26 16:23:36.001: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_timeout -> auth_bend_idle
002339: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_enter called
002340: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting AUTH_TIMEOUT on Client 0x6D000054
002341: Mar 26 16:23:36.001: dot1x_auth Gi1/0/2: during state auth_authenticating, got event 14(authTimeout)
002342: Mar 26 16:23:36.001: @@@ dot1x_auth Gi1/0/2: auth_authenticating -> auth_authc_result
002343: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authenticating_exit called
002344: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authc_result_enter called
002345: Mar 26 16:23:36.001: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
002346: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Sending event (2) to Auth Mgr for 0000.0000.0000
002347: Mar 26 16:23:36.001: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
002348: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Received Authz fail for the client 0x6D000054 (0000.0000.0000)
002349: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Deleting client 0x6D000054 (0000.0000.0000)
002350: Mar 26 16:23:36.001: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
002351: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting_AUTHZ_FAIL on Client 0x6D000054
002352: Mar 26 16:23:36.001: dot1x_auth Gi1/0/2: during state auth_authc_result, got event 22(authzFail)
002353: Mar 26 16:23:36.006: @@@ dot1x_auth Gi1/0/2: auth_authc_result -> auth_held
002354: Mar 26 16:23:36.006: dot1x-ev:Delete auth client (0x6D000054) message
002355: Mar 26 16:23:36.006: dot1x-ev:Auth client ctx destroyed
002356: Mar 26 16:23:36.006: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client

802.1x multiple sessions with same LOGIN+MAC on single-host port

We have 802.1x with radius server.
c2960 configured to allow only one device per port with no Mac-Bypass and no critical auth.
From time to time user seems to get multiple authentications on single port with single mac-address.
So we get several sessions on port with the same login, mac (but different session-id).
Command "dot1x re-auth int" doesn't clear those sessions. Neither do "force-unauthorized" or "shut/noshut". Only thing that helps is reboot switch.
Happens with different users.
Anybody seen this issue?
IOS 12.2(46)SE

Sure. Tried to make it short.
Config for 802.1x-aaa:
aaa new-model
aaa group server radius default
server X.X.X.X auth-port 12345 acct-port 12346
aaa authentication login default group radius enable
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default local group radius
aaa authorization reverse-access default group radius
aaa accounting suppress null-username
aaa accounting update periodic 1
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
aaa session-id common
dot1x system-auth-control
interface FastEthernet0/48
switchport access vlan 1398
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode shutdown
spanning-tree portfast
spanning-tree link-type point-to-point
radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 188 format non-standard
radius-server attribute 218 mandatory
radius-server attribute 32 include-in-accounting-req format %i %h %d
radius-server attribute 55 include-in-acct-req
radius-server attribute list att
attribute 30-31,44
radius-server host X.X.X.X auth-port 12345 acct-port 12346 key keykeykey
radius-server vsa send accounting
sh dot1x int fa 0/48 det
Dot1x Info for FastEthernet0/48
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
Violation Mode            = SHUTDOWN
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Dot1x Authenticator Client List Empty
Port Status               = UNAUTHORIZED
And right now, while port is UNAUTHORIZED we have 2 sessions as follows:
sh aaa user all
Unique id 34974 is currently in use.
Accounting:
log=0x208241
Events recorded :
    CALL START
    ATTR REPLACE
    NET UP
    INTERIM START
    VPDN NET UP
update method(s) :
    PERIODIC
update interval = 60
Outstanding Stop Records : 0
Dynamic attribute list:
    0244DC34 0 00000001 connect-progress(44) 4 Auth Open
    0244DC48 0 00000001 pre-session-time(272) 4 0(0)
    0244DC5C 0 00000001 elapsed_time(339) 4 4828941(49AF0D)
    0244DC70 0 00000001 input-giga-words(111) 4 2(2)
    0244DC84 0 00000001 output-giga-words(250) 4 8(8)
    024A8C10 0 00000001 bytes_in(112) 4 119041621(7186E55)
    024A8C24 0 00000001 bytes_out(252) 4 3588031221(D5DD02F5)
    024A8C38 0 00000001 pre-bytes-in(268) 4 7373(1CCD)
    024A8C4C 0 00000001 pre-bytes-out(269) 4 8204(200C)
    024A8C60 0 00000001 paks_in(113) 4 45940138(2BCFDAA)
    024A8CB0 0 00000001 paks_out(253) 4 46979788(2CCDACC)
    024A8CC4 0 00000001 pre-paks-in(270) 4 68(44)
    024A8CD8 0 00000001 pre-paks-out(271) 4 61(3D)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
    Session Id=000088AD Unique Id=0000889E
    Start Sent=0 Stop Only=N
    stop_has_been_sent=N
    Method List=0
    Attribute list:
      024CAA00 0 00000001 session-id(336) 4 34989(88AD)
      024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
8: Username=157102
    Session Id=000088AD Unique Id=0000889E
    Start Sent=1 Stop Only=N
    stop_has_been_sent=N
    Method List=226B3E4 : Name = default
    Attribute list:
      0244DB94 0 00000001 session-id(336) 4 34989(88AD)
      0244DBA8 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
      0244DBBC 0 00000009 audit-session-id(599) 24 0AC5010200001C45A5C67429
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 11
No data for type 12
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
Debg: No data available
Radi: 2032FD8
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
    Start Bytes In = 993512241     Start Bytes Out = 3867828098
    Start Paks In = 23586320      Start Paks Out = 28511581
Byte/Packet Counts till Service Up:
    Pre Bytes In = 993519614     Pre Bytes Out = 3867836302
    Pre Paks In = 23586388      Pre Paks Out = 28511642
Cumulative Byte/Packet Counts :
    Bytes In = 1112561235    Bytes Out = 3160900227
    Paks In = 69526526      Paks Out = 75491430
StartTime = 16:22:08 GMT+5 Jan 23 2012
AuthenTime = 16:22:08 GMT+5 Jan 23 2012
Component = DOT1X
Authen: service=8021X type=EAP method=RADIUS
Kerb: No data available
Meth: No data available
PreA: No data available
General:
Unique Id = 0000889E
Session Id = 000088AD
Attribute List:
    024A8C10 0 00000001 port-type(174) 4 Ethernet
    024A8C24 0 00000009 interface(170) 16 FastEthernet0/48
    024A8C38 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
    024A8C4C 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
PerU: No data available
Unique id 34976 is currently in use.
Accounting:
log=0x10000208241
Events recorded :
    CALL START
    ATTR REPLACE
    NET UP
    INTERIM START
    VPDN NET UP
    SESSION INFO
update method(s) :
    PERIODIC
update interval = 60
Outstanding Stop Records : 0
Dynamic attribute list:
    024CAA00 0 00000001 connect-progress(44) 4 Auth Open
    024CAA14 0 00000001 pre-session-time(272) 4 2(2)
    024CAA28 0 00000001 elapsed_time(339) 4 4828961(49AF21)
    024CAA3C 0 00000001 input-giga-words(111) 4 2(2)
    024CAA50 0 00000001 output-giga-words(250) 4 8(8)
    024CAAA0 0 00000001 bytes_in(112) 4 119021816(71820F8)
    024CAAB4 0 00000001 bytes_out(252) 4 3588011179(D5DCB4AB)
    024CAAC8 0 00000001 pre-bytes-in(268) 4 6219(184B)
    024CAADC 0 00000001 pre-bytes-out(269) 4 7005(1B5D)
    024CAAF0 0 00000001 paks_in(113) 4 45939933(2BCFCDD)
    0244DB94 0 00000001 paks_out(253) 4 46979618(2CCDA22)
    0244DBA8 0 00000001 pre-paks-in(270) 4 59(3B)
    0244DBBC 0 00000001 pre-paks-out(271) 4 51(33)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
    Session Id=000088AF Unique Id=000088A0
    Start Sent=0 Stop Only=N
    stop_has_been_sent=N
    Method List=0
    Attribute list:
      024A8C10 0 00000001 session-id(336) 4 34991(88AF)
      024A8C24 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
8: Username=157102
    Session Id=000088AF Unique Id=000088A0
    Start Sent=1 Stop Only=N
    stop_has_been_sent=N
    Method List=226B3E4 : Name = default
    Attribute list:
      024CAA00 0 00000001 session-id(336) 4 34991(88AF)
      024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
      024CAA28 0 00000009 audit-session-id(599) 24 0AC5010200001C49A5C6990F
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 11
No data for type 12
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
Debg: No data available
Radi: 2032F58
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
    Start Bytes In = 993533200     Start Bytes Out = 3867849339
    Start Paks In = 23586534      Start Paks Out = 28511761
Byte/Packet Counts till Service Up:
    Pre Bytes In = 993539419     Pre Bytes Out = 3867856344
    Pre Paks In = 23586593      Pre Paks Out = 28511812
Cumulative Byte/Packet Counts :
    Bytes In = 1112561235    Bytes Out = 3160900227
    Paks In = 69526526      Paks Out = 75491430
StartTime = 16:22:18 GMT+5 Jan 23 2012
AuthenTime = 16:22:19 GMT+5 Jan 23 2012
Component = DOT1X
Authen: service=8021X type=EAP method=RADIUS
Kerb: No data available
Meth: No data available
PreA: No data available
General:
Unique Id = 000088A0
Session Id = 000088AF
Attribute List:
    0244DB94 0 00000001 port-type(174) 4 Ethernet
    0244DBA8 0 00000009 interface(170) 16 FastEthernet0/48
    0244DBBC 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
    0244DBD0 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
PerU: No data available
PS. Have no command "show authentication"

Help required - mac address table, virtual pc/ip addressing issue

Hi, hope someone out there can help?
This is the scenario
SW1 (WS-C2960G-48TC-L) port gig0/1 has a PC connected to it with ip address 10.182.8.6 and a Virtual IP address 10.182.8.107
SW2 (WS-C2960-24TT-L) port gig 0/1 has a PC connected to it with ip address 10.182.8.106
The system is designed so that if there is an issue with the PC connected to SW1, the PC on SW2 will take over the Virtual IP address and continue working.
We have a couple of other PC's in different subnets to the above PC's that use the Virtual IP (VIP) address to communicate with the PC that is 'on line'.
Unfortunately, the vendors software doesn't currently gratuitously refresh the arp to advertise the change of mac address for the VIP.
Is there anyway we can get the 2 dcnsw to 'refresh' on a regular time period to capture when the VIP changes to the other PC?

Hi Stephen
Without meaning to sound rude, the software which uses a VIP is not very well designed if it is not capable of sending a Gratuitous ARP one the Active one fails.
The default ARP cache timeout is 4 hours so an ARP entry will remain in the table and once the timeout is up, the switch will send an ARP to check if the device is still alive and if not, remove the entry from the table.
You could look at reducing the ARP timeout on a per port basis:
#interface gi1/0/1
#arp timeout 60
This will change the ARP cache timeout to 60 seconds for that port but having not used this before, I am not 100% this will address your issue. I would not advise trying to change the global ARP cache timeout for a production switch as this will increase ARP traffic and could cause problems if reduced to a small value.

Catalyst 2960 mac filtering

Good day!
Have a
* 1 26 WS-C2960-24TT-L 12.2(58)SE2 C2960-LANBASEK9-M
interface FastEthernet0/11
description -ND to Netgear flor 1 ---
switchport trunk native vlan 7
switchport trunk allowed vlan 3,7
switchport mode trunk
mac access-group wifi-secure in
no cdp enable
spanning-tree bpdufilter enable
end
Extended MAC access list wifi-secure
deny host 844b.f5bd.4393 any
deny any host 844b.f5bd.4393
permit any any
My question:
Is it possible to prohibit the passage of MAC address on port 7 vlan?
Already available conf Notices prohibits the passage of MAC address per port for any vlan.

Just a couple of options might work , you could setup private vlans and isolate the ports so they can only comminucate with what you allow or try a PACL or VACL if your software supports it
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/port_acls.html#wp1110659
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swpvlan.html

WS-C2960S-24TS-S and WS-C2960S-24TS-S Basic Security configuration.

Greeting's, I would like to start by apologizing. I have absolutely no knowledge in switch security management but I've been tasked with it given the shortage of personnel. I have a WS-C2960S-24TS-S and a WS-C2960S-24TS-S switch that needs to be securely configured. I've done the basic of upgrading the firmware to the latest. Given my lack of any experience whatsoever, please include complete procedures (hand holding, I'm sorry).
I wanted step-by-step guidance of:
1. Locking down ports by MAC address.
2. DDoS protection.
3. Lock down login from all but 1 IP and only allow browser based SSL login. No TELNET, SSH or other method.
4. Shutting down any services on the switch.
5. Shutting down password recovery.
Any other recommended security steps to secure the switch.
Thanking in advance,
Parth

Hi Parth,
I'm not sure if you got this figured out or not but a lot of the stuff you need can be found here: Cisco Guide to Harden Cisco IOS Devices
Regarding the "locking down ports by MAC address", you should think about Port-security.

MAC flapping on WLC ports

Hi all,
I've been getting
.Feb 23 10:59:50: %C4K_EBM-4-HOSTFLAPPING: Host 7C:E9:D3:9A:DC:99 in vlan 1 is flapping between port Gi3/2 and port Fa4/14
.Feb 23 11:00:01: %C4K_EBM-4-HOSTFLAPPING: Host B8:EE:65:71:55:12 in vlan 1 is flapping between port Fa4/14 and port Gi3/2
.Feb 23 11:01:14: %C4K_EBM-4-HOSTFLAPPING: Host 18:CF:5E:FD:41:B8 in vlan 1 is flapping between port Gi3/2 and port Fa4/14
entries on my core switch.
I get the same error for different MACs but always the same 2 ports - Gi3/2 and Fa4/14
The topology looks like this:
both WLC are connected to the same core switch:
Core 2 has WLC-2 connected to Gi 3/2 and Core 2 has C2960S connected to Fa4/14, C2960S has WLC-1 connected to Gig 0/24
Any idea on why the WLC links are showing MAC Flaps?
thanks for the support,

Hi mgonzalez15,
MAC flapping logs within a wireless environment is an expected behavior. The reason of these messages is that wireless hosts (as opposed to wired hosts) are able to roam and can be connecting to other APs/WLCs across your campus in matter of seconds.
HTH,
Julio

Mac-flap issue

Hi,
I have 16 switches and 3 servers in my network.In server room,i have one cisco WS-C2960S-48TS-L and one WS-C2960S-24TS-L connected to each other.Two eth ports of each server are being timmed and connected to the 2 switches.Every thing is fine but i am getting mac-flap log in both switches.can anyone tell me how can i stop this?
48TS-L is the root bridge of the network and there is only 1 vlan in the network.all the ports are in same vlan of both switches.
here is a sample of the logs of both siwitches :-
*Feb 1 08:24:28.382: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d07.1903 in vlan 101 is flapping between port Gi1/0/48 and port Gi1/0/3
*Feb 1 08:26:34.992: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d07.1e01 in vlan 101 is flapping between port Gi1/0/48 and port Gi1/0/6
*Feb 1 08:25:40.351: %SW_MATM-4-MACFLAP_NOTIF: Host 0015.5d07.1e05 in vlan 101 is flapping between port Gi1/0/24 and port Gi1/0/15
Thanks in advance.

Hello
It occurs when you have a loop between the switches relating to ports bypassing the stp process and enter forwarding state either due stp being turned off or having portfast enabled.
when you have a server connectiing itself to two switches on portfast enabled ports, this can cause this type of issue you are seeing- Check if this is the case and disable the portfast feature on those ports
For trunk ports or if port aggregation check the link negotiation type (usually LACP for servers) is applied the same on both sides of the etherchannel and teamed server nics
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.

Catalyst 2960 for my LAN WS-c2960-48TC-S vs WS-c2960-48TC-L

Hello
I want buy a Catalyst 2960 but i don't now which is great for my situation.
Model : WS-c2960-48TC-S (LAN Lite - 400 euro) vs WS-c2960-48TC-L (LAN Base - 900 euro) the difference of price is half.
I need 3 VLAN (2 VLANs with data and other VLAN (3th only voice).All security options want applied on ports.(MAC,ACCESS..etc)
Between switch and router will be a TRUNK channel...
The network design parts: lan printers - 4, desktop - 16, phone IP - 10.
I have only ISP .
So..what i need? LAN Lite or LAN Base
Another question: In LAN Lite i have all commands?
thank's

Q. What are the advantages of Cisco Catalyst 2960 Series Switches with the LAN Base software relative to Cisco Catalyst 2960 Series Switches with the LAN Lite software?
A. Cisco Catalyst 2960 LAN Base switches deliver intelligent services for branch offices and wiring closets. The LAN Base IOS software supports enhanced Layer 2+ security, quality of service (QoS), availability, and scalable management to enable new converged applications. Catalyst 2960 LAN Base switches include both 10/100 Fast Ethernet and 10/100/1000 Gigabit Ethernet connectivity in 8-, 24-, and 48-port configurations.
Cisco Catalyst 2960 LAN Lite switches are for entry-level branch office and wiring closet networks. They simplify the migration from nonintelligent hubs and unmanaged switches to a fully scalable and reliable network. The LAN Lite IOS software supports standard Layer 2 security, QoS, and availability while lowering the network total cost of ownership. Catalyst 2960 LAN Lite switches deliver 10/100 Fast Ethernet connectivity in 24- and 48-port configurations.
All Cisco Catalyst 2960 Series Switches have technical support service options available through Cisco SMARTNet ® service. All come with a Limited Lifetime Hardware Warranty, and LAN Base and LAN Lite software updates are provided at no additional cost.
Information came from the below link:
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-series-switches/prod_qas0900aecd80322c37.html
Will all commands be available? No...if they were then what would be the point of having different software levels? Will the switch meet all basic to intermediate needs? Yes. If you are looking for a set of specific commands to see if they are available then check out the command reference tools available from Cisco.
http://www.cisco.com/c/en/us/support/switches/catalyst-2960-series-switches/products-command-reference-list.html

WS-C2960S-24TS-S and WS-C2960X-24TS-L Basic Security configuration.

Greeting's, I would like to start by apologizing as I would require hand-holding, given my lack of experience in Cisco (or any other switches). I have absolutely no knowledge in switch security management but I've been tasked with it given the shortage of personnel. I have a WS-C2960S-24TS-S and WS-C2960X-24TS-L switch that needs to be securely configured. I've done the basics of upgrading the firmware to the latest. Given my lack of any experience whatsoever, please include complete procedures
I wanted step-by-step guidance of:
1. Locking down ports by MAC address.
2. DDoS protection.
3. Lock down login from all but 1 IP and only allow browser based SSL login. No TELNET, SSH or other method.
4. Shutting down any services on the switch.
5. Shutting down password recovery.
6. Enabling highest supported encryption for sensitive (passwords). While I'm posting this I've just read that level 7 encryption can be cracked.
Any other recommended security steps to secure the switch.
Thanking in advance,
Parth

Hello, Parth Maniar.
1. look at the command "switchport port-security" inside interfaces (documentation: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.pdf ).
2. There is not much you can do for DDoS protection. Also it depend on IOS version (is your IOS lite or base). You can use a command from 1 point, also use a commands of "storm-control" (inside interface), "switchport block [type]" (inside interface), and if your IOS is not lite you can also use arp-spoofing protection and dhcp-spoofing protection.
3. To turn off ssh and telnet:
line vty 0 4
transport input none
exit
line vty 5 15
transport input none
exit
For turning off http access: no ip http server
To limit access only from 1 IP address to HTTPS server:
access-list 1 remark ------- ACL for HTTPS access ------------------------
access-list 1 permit [permited IP]
access-list 1 deny any log
access-list 1 remark ------- END of ACL for HTTPS access -----------------
ip http access-class 1
And for configuration HTTPS server: http://www.cisco.com/c/en/us/td/docs/ios/termserv/command/reference/tsv_book/tsv_s1.pdf
4. Use the command "service ?" to see all possible services for your swith. And with "no" before the command you can turn off all service that is no need for you (for example "no service dhcp").
5. You can't shut it down because you can recover password only by rebooting switch and pushing "mode" button after this. Here is procedure for recovery password: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2950-series-switches/12040-pswdrec-2900xl.html
After reading it you can undenstand why you can't turn it off.
6. Yes, level 7 encryption can be cracked. So you can store your passwords as md5. You can use commands:
enable secret [password]
username [name] secret [password]
After this cisco will encrypt your password by md5 hash and at configuration you'll see it as "username [name] secret 5 [md5 hash]"
What else you can use for securety matters:
- logging (command "login on-failure log every [numbers of fails]" must be!). Documentation: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html
Also you can use a configuration bellow to log all changes at configuration:
archive
log config
exit
exit
- turn off lldp and cdp protocols to the end users sides (you can google it).
- use SNMP for getting status of the switch and ports and analyse it for anomalies.
- use a command inside interfaces: "spanning-tree guard root" (don't use this connamd at the ports where is connected your another switches) and "spanning-tree bpduguard enable" (use a second command if you are not planing to connect another switch to this port).
- use a command " switchport nonegotiate" at the all ports.
- also you can use this commands:
no ip source-route
ip arp proxy disable
no ip icmp redirect

Cat 2960 shows mac address port as "Drop"

Hi all
I am configuring a Cat 2960 port for connecting a VOIP phone, authenticated by MAB. On connecting the phone, I get the port authenticated and assigned to the correct VLAN, with LLDP-MED advertising the correct voice vlan. However, I then see no traffic from the phone on the switch. I can see the MAC address of the phone is learned in the right VLANs, but the mac address is showing as "Drop", which normally means the address is statically configured to be blocked. There is no static mac address table blocking configured on the switch.   Can anyone suggest why this is happening?
Switch Version
Switch Ports Model              SW Version            SW Image
*    1 50    WS-C2960-48TC-L    15.0(1)SE3            C2960-LANBASEK9-M
Port configuration
interface FastEthernet0/1
description "Standard user port"
switchport access vlan 9
switchport mode access
network-policy 1
no logging event link-status
srr-queue bandwidth share 5 10 40 55
priority-queue out
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
mab eap
mls qos trust dscp
no snmp trap link-status
macro description vanilla_port
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x timeout supp-timeout 3
spanning-tree portfast
end
LLDP-MED network-policy
network-policy profile 1
voice vlan 835
Authentication (debug radius) result
Jul 30 11:42:19.600: %AUTHMGR-5-START: Starting 'mab' for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Jul 30 11:42:19.650: %MAB-5-SUCCESS: Authentication successful for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Jul 30 11:42:19.650: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Jul 30 11:42:20.682: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Resulting Switchport config - voice vlan is 835
CLBdg640Test-AS2960-0#show int fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 9 (NATIVE-DISCARD)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 835 (VOICE)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
LLDP neighbor info showing voice vlan 835
CLBdg640Test-AS2960-0#sh lldp neighbors fa0/1 detail
Chassis id: 0.0.0.0
Port id: 0004.f297.6668
Port Description - not advertised
System Name - not advertised
System Description - not advertised
Time remaining: 3558 seconds
System Capabilities: T
Enabled Capabilities: T
Management Addresses - not advertised
Auto Negotiation - supported, enabled
Physical media capabilities:
    100base-T2(HD)
    100base-TX(FD)
    100base-T4
    10base-T(FD)
Media Attachment Unit type - not advertised
Vlan ID: - not advertised
MED Information:
    MED Codes:
          (NP) Network Policy, (LI) Location Identification
          (PS) Power Source Entity, (PD) Power Device
          (IN) Inventory
    Inventory information - not advertised
    Capabilities: NP
    Device type: Endpoint Class III
    Network Policy(Voice): VLAN 835, tagged, Layer-2 priority: 5, DSCP: 46
    PD device, Power source: PSE, Power Priority: High, Wattage: 6.5
    Location - not advertised
Total entries displayed: 1
MAC address table showing "Drop" port for learned address in VLAN 835
CLBdg640Test-AS2960-0#sh mac address-table address 0004.f297.6668
          Mac Address Table
Vlan    Mac Address       Type        Ports
   9    0004.f297.6668    STATIC      Fa0/1
835    0004.f297.6668    DYNAMIC     Drop
Total Mac Addresses for this criterion: 2

Thanks for updating the problem raarons!

Apple Mini-DVI to Video Adapter and Mac mini (2009)

Can anyone tell me whether the Apple Mini-DVI to Video Adapter listed here:
http://store.apple.com/ca/product/M9319G/A
works with the latest Mac mini (early 2009)?
If it does not what other solutions are there to connect to composite, component or s-video?

KC from Ann Arbor, MI had this to say as a review on the page to which you have linked;
10-May-2009
I bought a Mac Mini (May 2009) and this Mini-DVI to Video adapter with plans to use it to send an S-video signal to an analog TV. Though the sales staff at the Apple store said it should work, it does not. The graphics card apparently should support it, and it may be addressed with a future driver update, but as of now this does not work. I have used a mini-DVI to VGA adapter and monitor to verify that the port is working, and also verified that the S-video cable and TV input work. There are third party VGA to S-video/RCA adapters available so I plan to use one of those for my purposes. This is probably a 5-star product when used with the right Mac; however, Apple should have made it clear that having a mini-DVI port on your Mac is necessary but not sufficient for this to work - hence the 3 stars.

Multiple Family Members using a MAC

Hello,
Can someone give me an overview of how family members all use 1 MAC and ICloud so that each person gets their own "stuff"? For example, I would like to get my calendar, my songs, my contacts, my apps synced with my devices--iphone and ipad. And my wife would like her own stuff synced. Seems pretty fundamental but I could not find any info from Apple. Is there a way to do this if each person has a separate Apple ID? What are other people doing?
Thanks,
Matt

If each person has a separate Apple ID, as you stated, it should be no problem. However, i'm not sure exactly how you have your computer set up, if you have separate User accounts set up, or if you just use one User account.
You should create a separate User account for each family member. Decide if you want those User accounts to be Administrator accounts, or if they are Standard accounts, and set your Parental Controls as desired. You can also find the Parental Controls settings in the System Preferences as well.
So once each User account is established, you can copy over only the information for them (i.e. contacts, iCal events, iTunes music, etc).
Set up to sync their iOS devices with iTunes with their information on their User accounts, with their own separate Apple IDs, and everything should work smoothly.

Install Windows 8.1 Pro on Mac Mini Late 2014

I'm trying to install Bootcamp on my Mac Mini. Windows reports that it cannot install or create a partition on the drive after formatting the BOOTCAMP partition as NTFS.
This is my setup:
1. Mac Mini Late 2014 with 2TB Fusion Drive.
2. Windows 8.1 Pro x64 full version ISO downloaded from Microsoft Store.
3. Sandisk Extreme Flash Drive (I have tried both 16GB and 64GB).
4. Bootcamp partition = 500GB.
5. Other USB devices plugged in: Corded USB Mouse and Apple Extended Keyboard (both of which are required to enter the serial number and navigate the installer window).
6. No additional storage devices of any kind are connected aside from the internal Fusion drive and the installer drive.
7. Booting from the EFI portion of the Bootcamp created Windows installer.
I have read that I should try using a USB 2 flash drive rather than a USB 3 flash drive, so I will try that next. I fail to understand how this could make any difference.
If you have any other tips, please let me know.
I have installed or helped other people install bootcamp many times over the course of the past 2 years. Every single time it has caused endless headaches and literally weeks of wasted time.
I have read endless posts on what is causing these problems. I will consider summarising these for anyone else having the same problems. Everyone has their theory so far about this Bootcamp nightmare, but so far there doesn't appear to be any one magic solution.
Apple's inability to address the issue suggests that the problem may be with the Windows installer. Perhaps Microsoft is deliberately causing this?
I suspect the two most likely causes of these issues are the downloaded ISO or the Thumb Drive.
If you have any better idea, please let me know.
On another topic, how to I rename the NTFS partition back to BOOTCAMP? All options to rename this partition are greyed out in Disk Utility...
Cheers,
Paul

Paul@Sydney wrote:
7. Booting from the EFI portion of the Bootcamp created Windows installer.
The FAT32/NTFS partition is usually not adequate for an EFI install. You can delete the BCA-created partition and create a Disk Utility partition which is formatted as Free Space. This will be split into an MSR and MSD. Fusion drives create problems, especially if the BC partition lies outside the traditional MBR 2TB boundary.
Before you delete the BCA-created partition, please post the output of
diskutil list
diskutil cs list
sudo gpt -vv -r show /dev/disk0
sudo gpt -vv -r show /dev/disk1
I have read that I should try using a USB 2 flash drive rather than a USB 3 flash drive, so I will try that next. I fail to understand how this could make any difference.
Windows installers up to W8.1 do not have USB3 drivers. These are installed after Windows is installed and BC drivers are in place.
Apple's inability to address the issue suggests that the problem may be with the Windows installer. Perhaps Microsoft is deliberately causing this?
The requirements are pretty strict when installing Windows. Any deviations cause headaches and grief.
I suspect the two most likely causes of these issues are the downloaded ISO or the Thumb Drive.
The USB is usually the issue.
On another topic, how to I rename the NTFS partition back to BOOTCAMP? All options to rename this partition are greyed out in Disk Utility...
After Windows is fully installed and BC drivers are in place, log into Windows, right click on it and rename it on the Windows side. It cannot be renamed on the OSX side with diskutil renameVolume. Here is an example sequence. You cannot rename volume during the installation process.

Mac estaticas WS-C2960S

Similar Messages

Maybe you are looking for