NIC config on ISE 3395

Hi,
I've read that the 3400-series is running Shared LOM in active/active. Does that mean that it will load-balance the traffic between the two NICs?
Does the 3300-series have the same feature?
Regards,
Philip

You cannot load-balance the RADIUS traffic across different ISE interfaces. At least not yet. I know it has been suggested in the past, so perhaps Cisco will implement it in a future release.
With that being said, the additional interfaces can be used for:
- Dedicated connection for the "guest" network
- Dedicated interface for different profiling probes
- Dedicated interfaces for SPAN-based connections
Hope this helps
Thank you for rating helpful posts!

Similar Messages

  • IPConfig shows multiple IPs, NIC config does not?

    I'm not having a problem, but I am curious as to what is going on with my situation.
    I have 4 servers (Win Server 2008 R2 SP1) with two NICs. The servers are in 2 Oracle RAC clusters, NOT Windows clusters. What I've noticed is, if I do an IPCONFIG /ALL at the command line, it shows two IPv4 addresses for one NIC, and one IPv4 for the second NIC. So far, so good.
    However, if I pull up the NIC properties in the GUI, and look at the IPv4 settings (in the Advanced section), it only shows one IP.
    I'm really just curious as to why this is. I'm presuming that whoever set up these servers (said person was gone when I started, and left no documentation...) most likely set the 2nd IP using netsh. But I would still expect both IPs to show in the GUI.
    Thanks,
    Jason A.

    Sorry, I should've been more clear in my description.
    If I go to Control Panel -> Network Connections -> Right-click on one of the NICs -> Properties -> Highlight IPv4 -> Properties -> Advanced, the "IP Settings, IP Addresses" box only shows a single IP / Subnet listed.
    If I drop to a command prompt and do "IPCONFIG /ALL," then the same NIC lists two IPs, two subnets.
    ex: 192.168.1.xxx / 255.255.255.0 and 192.168.2.xxx / 255.255.255.0
    Those are *NOT* the actual IPs, but examples (I'm not at work.)
    There are two NICs shown in Network Connections, the second one only shows one IP in either of the situations above, and said IP is *NOT* the 2nd IP shown by the first.
    Vivian: It's not a DNS issue. While I have no access to the DNS servers themselves, doing an NSLOOKUP on the server names shows both the IPs listed for the NIC I'm curious about.
    As I said, nothing is *broken*; this is just me being curious as to how this was set.
    Thanks,
    Jason
    Jason A.

  • NIC Config Design options

    Hi,
    I am getting ready to create my first Server 2012 R2 Hyper-V failover cluster. I have 2 servers with 6 NICs each and an HP iSCSI SAN. My question is what is the best way to configure the 6 NICs on each machine to support this? There are some choices that seem required:
    2 NICs from each server to connect to the iSCSI SAN
    Other than that I need the regular stuff. I have seen some posts where the author recommends using one NIC for heartbeat and admin, others that say no to this, etc. If you were configuring this from scratch, what is the best way?
    Thanks

    If you were configuring this from scratch, what is the best way?
    The operative word there is you. There is no universally correct way.
    I would have two physical NICs set aside for iSCSI in MPIO configuration.
    I would put the other four in a converged configuration and run all host, cluster, and VM networks on it. Because this organization does not overcommit resources, we have an intentionally low VM-to-host ratio and we have intelligent, redundant switches, so I would configure the ports in a LACP team in Dynamic or Address Hash balancing mode, depending on what the expected needs were. Those are the best choices for me.
    You might have a high VM-to-host ratio with basic switches, in which case you might prefer a switch independent team in Dynamic or Hyper-V Port mode.
    You might not want your management traffic sharing lines with your VM networks, so you might make two teams instead of one.
    The answer really depends on what you want and what your systems need. About the only thing I can say is you're right to not team iSCSI NICs and that you should think hard before isolating any role on a single physical NIC when you have so many at your disposal.
    I would definitely read this to get an idea of what your options are. After that, test out some configurations and see.
    IMO, people do a lot of unnecessary hand-wringing over these questions. Unless you're in an environment where every packet matters, just about any configuration you come up with will be just fine in day-to-day uses.
    Eric Siron Altaro Hyper-V Blog
    I am an independent blog contributor, not an Altaro employee. I am solely responsible for the content of my posts.
    "Every relationship you have is in worse shape than you think."

  • NIC config of VMware installation of Call Manager

    System version: 8.6.2.22900-9
    VMware Installation: 1 vCPU Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz, disk 1: 80Gbytes, 4096Mbytes RAM
    A few months ago we had a vendor come in and upgrade our old VoIP system with a VMware solution of Call Manager. Versions are shown above.
    I use Veeam to back up these VMs and it was taking hours to finish, so I started digging into vCenter to look at the networking setup.
    Even though the server has gigabit ethernet cards, they "hard coded" the speed down to 100 Meg and changed the duplex to half.
    Does anyone know of any reason why they might have done that? Will it fail if I change the speed to GB and utilize full duplex?
    thanks...

    Joe...
    Questions and comments
    Questions: in the post above you mention...
    "At this point, I would probably try the Hypervisor and Switchport hardcoded at 1000/Full to match CUCM. Check interface counters and watch for errors and runts."
    When you refer to "Switchport", I am assuming you are talking about the physical port on our physical switch?
    Which is interesting, because I just looked only to discover that on our physical Cisco switch (Catalyst 4506) our phone system is physically plugged into our 10/100 module and not into our gig module. So even if I made all of those changes I still would have been at a 100 Mbps speed because of the physical connection to our switch. So obviously... I would need to change ports on the physical switch to the gig module, correct?
    Question 2...
    Monitoring the ports for errors and runts: again, I am assuming you are talking about the physical Cat 4506 switch?
    Assuming then I move the connections into gig ports 5/26 & 5/28, etc...
    From a telnet session into the physical switch... after enable mode type...
    switch#show int gigeth5/26
    and I will see stats from that interface, correct? Or do you look for these in a different manner?
    Comments... first of all, thank you....
    Second....
    I am not sure I quite understand anything about your very last post.... about the restricted UC and Cisco support..
    Yes, I am running UCS C220 M3 servers... are you saying that if I have over 1000 users TAC will not support performance issues? I ask because we only have about 125 users....

  • ISE 3395 disk failure

    Dear folks,
    Can I replace the hard disk directly with a new hard disk while the HDD status LED is solid amber? Where can I find the related document for the replacement procedure? Thanks!
    BR,
    Nick

    Removal of the disk drive sounds like your only hope of recovering any data.
    You are probably going to need recovery software, because it sounds like the directory is totally corrupted.
    You can find information about a bunch of them at http://mac-data-recovery-software.esoftreviews.com
    If the recovery software is not able to recover enough of your data, there are services that can do that for you. But expect to pay big bucks for that, think like $$$$.
    Are you going to implement a backup plan after this episode?

  • Secure Network Servers (SNS) in ISE version 1.1.4

    Hi board,
    I'm quite confused about the supported ISE versions for the new Cisco Secure Network Server 3415 and 3495.
    In nearly all documents it is stated that support for this HW will be introduced with ISE 1.2.
    For example ISE Q&A
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    What else is being released with ISE 1.2*?
    A. Two new hardware platforms called the Cisco Network Secure Servers*. These new servers bring scalability improvement as they are based on the powerful Cisco UCS® C220 Rack Server platform and configured to support the Cisco Identity Services Engine* (ISE), Network Admission Control (NAC), and Access Control System (ACS) security applications. The multiuse Cisco Secure Network Servers offer many improvements over current ISE, ACS, and NAC appliances, and are the platform recommended to deploy newer versions of these applications. During ordering, customers can specify which security application they would like to have installed. See the Product Details section for more information.
    On the other hand, in the 1.1.x release notes it's stated that the HW is supported in the current 1.1.4 release:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp417581
    New Features in Cisco ISE, Release 1.1.4: Cisco ISE, Release 1.1.4 provides support for the Cisco SNS 3400 Series appliance. For details on installing and configuring the Cisco SNS 3400 Series appliance, refer to the ISE 1.1.4 Installation Guide at the following location:
    What is true now? What HW appliance do I choose if I want to order today?
    I don't want to order the old appliances (33xx), because their EoL has already been announced:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/eol_C51-728424.html
    Thanks!

    Hi Johanne,
    Cisco ISE software is packaged with your appliance or image for installation. Cisco ISE, Release 1.2 is shipped on the following platforms. After installation, you can configure Cisco ISE with specified component personas (Administration, Policy Service, and Monitoring) or as an Inline Posture node on the platforms.
    Supported Hardware and Personas (Hardware Platform / Persona / Configuration):

    Cisco SNS-3415-K9 (small) / Persona: Any
    • Cisco UCS [1] C220 M3
    • Single socket Intel E5-2609 2.4-GHz CPU, 4 total cores, 4 total threads
    • 16-GB RAM
    • 1 x 600-GB disk
    • Embedded Software RAID 0
    • 4 GE network interfaces

    Cisco SNS-3495-K9 [2] (large) / Persona: Administration, Policy Service, Monitor
    • Cisco UCS C220 M3
    • Dual socket Intel E5-2609 2.4-GHz CPU, 8 total cores, 8 total threads
    • 32-GB RAM
    • 2 x 600-GB disk
    • RAID 0+1
    • 4 GE network interfaces

    Cisco ISE-3315-K9 (small) / Persona: Any
    • 1x Xeon 2.66-GHz quad-core processor
    • 4 GB RAM
    • 2 x 250 GB SATA [3] HDD [4]
    • 4x 1 GB NIC [5]

    Cisco ISE-3355-K9 (medium) / Persona: Any
    • 1x Nehalem 2.0-GHz quad-core processor
    • 4 GB RAM
    • 2 x 300 GB 2.5 in. SATA HDD
    • RAID [6] (disabled)
    • 4x 1 GB NIC
    • Redundant AC power

    Cisco ISE-3395-K9 (large) / Persona: Any
    • 2x Nehalem 2.0-GHz quad-core processor
    • 4 GB RAM
    • 4 x 300 GB 2.5 in. SAS II HDD
    • RAID 1
    • 4x 1 GB NIC
    • Redundant AC power

    Cisco ISE-VM-K9 (VMware) / Persona: Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture)
    • For CPU and memory recommendations, refer to the "VMware Appliance Sizing Recommendations" section in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 [7]
    • Hard Disks (minimum allocated memory):
      – Stand-alone: 600 GB
      – Administration: 200 GB
      – Policy Service and Monitoring: 600 GB
      – Monitoring: 500 GB
      – Policy Service: 100 GB
    • NIC: 1 GB NIC interface required (You can install up to 4 NICs.)
    • Supported VMware versions include:
      – ESX 4.x
      – ESXi 4.x and 5.x

    Footnotes:
    [1] Cisco Unified Computing System (UCS)
    [2] Inline posture is a 32-bit system and is not capable of symmetric multiprocessing (SMP). Therefore, it is not available on the SNS-3495 platform.
    [3] SATA = Serial Advanced Technology Attachment
    [4] HDD = hard disk drive
    [5] NIC = network interface card
    [6] RAID = Redundant Array of Independent Disks
    [7] Memory allocation of less than 4GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 4GB prior to opening a case with the Cisco Technical Assistance Center.
    Please check the following link for further information.
    https://supportforums.cisco.com/message/3986953#3986953

  • ISE install/upgrade question

    I have an ISE 3395 appliance that comes with ISE version 1.1.1.
    I've decided to upgrade it to version 1.1.2 patch 5 (latest patch version) and played with it for a few days.  I set it up as a stand-alone box.
    Now, I need to deploy this box as administration and monitoring.  So, I put in the command "application reset-factory" to set it back to factory.
    Does it mean the ISE version of this box will still be at version 1.1.2 patch 5 and I will get a clean box to do whatever I want, similar to Cisco IOS of "write erase" and "reload" to have a clean box?
    Thank you in advance.

    The command "application reset-config" is used as follows:
    To reset the Cisco ISE application configuration and clear the Cisco ISE database, use the application reset-config command in EXEC mode.
    You can use the application reset-config command to reset the Cisco ISE configuration and clear the Cisco ISE database without reimaging the Cisco ISE appliance or VMware, and reset the Cisco ISE database administrator and user passwords. So you will have your version 1.1.2 with patch 5 intact even after using this command.
    The network-related settings which will remain unaffected are the initial chassis configuration settings, like the IP address, netmask, administrator user interface password, and so on. Part of this reset function requires you to enter new Cisco ISE database administrator and user passwords.

  • ISE Database failure

    Hi, all.
    Anyone ever had this error on ISE :

    Hi,
    no, this is not a VM, it is the big appliance:
    deess01nise01/xia0wf# sh inventory
    NAME: "ISE-3395-K9        chassis", DESCR: "ISE-3395-K9        chassis"
    PID: ISE-3395-K9       , VID: V01 , SN: Kxxxxxxxx
    Total RAM Memory: 3997824 kB
    CPU Core Count: 8
    CPU 0: Model Info: Intel(R) Xeon(R) CPU           E5504  @ 2.00GHz
    CPU 1: Model Info: Intel(R) Xeon(R) CPU           E5504  @ 2.00GHz
    CPU 2: Model Info: Intel(R) Xeon(R) CPU           E5504  @ 2.00GHz
    CPU 3: Model Info: Intel(R) Xeon(R) CPU           E5504  @ 2.00GHz
    CPU 4: Model Info: Intel(R) Xeon(R) CPU           E5504  @ 2.00GHz
    CPU 5: Model Info: Intel(R) Xeon(R) CPU           E5504  @ 2.00GHz
    CPU 6: Model Info: Intel(R) Xeon(R) CPU           E5504  @ 2.00GHz
    CPU 7: Model Info: Intel(R) Xeon(R) CPU           E5504  @ 2.00GHz
    Hard Disk Count(*): 1
    Disk 0: Device Name: /dev/sda
    Disk 0: Capacity: 597.90 GB
    Disk 0: Geometry: 255 heads 63 sectors/track 72702 cylinders
    NIC Count: 4
    NIC 0: Device Name: eth0
    NIC 0: HW Address: 5C:F3:FC:E6:F0:B4
    NIC 0: Driver Descr: Broadcom NetXtreme II BCM5706/5708/5709/5716 Driver
    NIC 1: Device Name: eth1
    NIC 1: HW Address: 5C:F3:FC:E6:F0:B6
    NIC 1: Driver Descr: Broadcom NetXtreme II BCM5706/5708/5709/5716 Driver
    NIC 2: Device Name: eth2
    NIC 2: HW Address: 5C:F3:FC:6A:D1:D0
    NIC 2: Driver Descr: Broadcom NetXtreme II BCM5706/5708/5709/5716 Driver
    NIC 3: Device Name: eth3
    NIC 3: HW Address: 5C:F3:FC:6A:D1:D2
    NIC 3: Driver Descr: Broadcom NetXtreme II BCM5706/5708/5709/5716 Driver
    (*) Hard Disk Count may be Logical.     
    It is also running as a single instance setup, not as a distributed setup.
    If the box and features turn out to work fine, additional boxes and vms will be added to the setup.
    The services activated on the machine are "profiling" (via DHCP, SNMP and device-sensors from a few access switches) and RADIUS authentication (from one wireless controller 5508).
    The box also fires a lot of these alarms:
    90 minutes later, this alarm seems to be cleared:
    Rgs
    Frank

  • Show your .ncmpcpp/config with Screenshot

    Hi there x)
    I'm searching for a nice 'config' for my 'ncmpcpp'.
    So here you can see my ncmpcpp + config (default)
    Screenshot:
    http://omploader.org/vMWJhbA
    Config:
    ## this is example configuration file, copy it to ##
    ## ~/.ncmpcpp/config and set up your preferences ##
    ##### connection settings #####
    ## set it in order to make tag editor and renaming files work properly
    mpd_host = "localhost"
    mpd_port = "6600"
    mpd_music_dir = "/home/sash/music"
    #mpd_connection_timeout = "5"
    #mpd_crossfade_time = "5"
    ##### delays #####
    ## delay after playlist highlighting will be disabled (0 = don't disable)
    #playlist_disable_highlight_delay = "5"
    ## defines how long various messages are supposed to be visible
    #message_delay_time = "4"
    ##### song format #####
    ## for song format you can use:
    ## %l - length
    ## %f - short filename
    ## %F - full filename
    ## %a - artist
    ## %t - title
    ## %b - album
    ## %y - year
    ## %n - track number
    ## %g - genre
    ## %c - composer
    ## %p - performer
    ## %d - disc
    ## %C - comment
    ## %r - begin right align
    ## you can also put them in { } and then it will be displayed
    ## only if all requested values are available and/or define alternate
    ## value with { }|{ } eg. {%a - %t}|{%f}
    ## text can also have different color than the main window has,
    ## eg. if you want length to be green, write $3%l$9
    ## available values:
    ## - 0 - default window color
    ## - 1 - black
    ## - 2 - red
    ## - 3 - green
    ## - 4 - yellow
    ## - 5 - blue
    ## - 6 - magenta
    ## - 7 - cyan
    ## - 8 - white
    ## - 9 - end of current color
    ## Note: colors can be nested.
    song_list_format = "{%a - }{%t}|{$8%f$9}%r{$3(%l)$9}"
    #song_library_format = "{%n - }{%t}|{%f}"
    #media_library_album_format = "{(%y) }%b"
    #tag_editor_album_format = "{(%y) }%b"
    #browser_playlist_prefix = "$2playlist$9 "
    #selected_item_prefix = "$6"
    #selected_item_suffix = "$9"
    ## colors are not supported for below variables
    song_status_format = "{(%l) }{%a - }{%t}|{%f}"
    #song_window_title_format = "{%a - }{%t}|{%f}"
    ##### columns settings #####
    ## syntax of song columns list format is "column column etc."
    ## - syntax for each column is:
    ## (width of column in %)[column's color]{displayed tag}
    ## - color is optional (if you want the default one, type [])
    #song_columns_list_format = "(7)[green]{l} (28)[cyan]{a} (28)[]{b} (50)[red]{t}"
    ##### various settings #####
    #playlist_display_mode = "classic" (classic/columns)
    #incremental_seeking = "yes"
    #seek_time = "1"
    #autocenter_mode = "no"
    #repeat_one_mode = "no"
    #default_place_to_search_in = "database" (database/playlist)
    #media_library_left_column = "a" (possible values: a,y,g,c,p, legend above)
    #default_find_mode = "wrapped" (wrapped/normal)
    #default_space_mode = "add" (add/select)
    #default_tag_editor_left_col = "albums" (albums/dirs)
    #default_tag_editor_pattern = "%n - %t"
    #header_visibility = "yes"
    #statusbar_visibility = "yes"
    fancy_scrolling = "yes"
    #follow_now_playing_lyrics = "no"
    #ncmpc_like_songs_adding = "no" (enabled - add/remove, disabled - always add)
    #display_screens_numbers_on_start = "yes"
    #clock_display_seconds = "no"
    #enable_window_title = "yes"
    ##### colors definitions #####
    #colors_enabled = "yes"
    #empty_tag_color = "cyan"
    #header_window_color = "default"
    #volume_color = "default"
    #state_line_color = "default"
    #state_flags_color = "default"
    #main_window_color = "yellow"
    #color1 = "white"
    #color2 = "green"
    #main_window_highlight_color = "yellow"
    #progressbar_color = "default"
    #statusbar_color = "default"
    #active_column_color = "red"
    #window_border_color = "green"
    #active_window_border = "red"
    To copy your ~/.ncmpcpp/config into clipboard just type:
    cat ~/.ncmpcpp/config | xclip
    You can download xclip from the extra repository.
    Last edited by nu (2009-03-01 09:25:51)

    Zariel wrote:
    http://omploader.org/vMWk0Nw/
    ## this is example configuration file, copy it to ##
    ## ~/.ncmpcpp/config and set up your preferences ##
    ##### connection settings #####
    ## set it in order to make tag editor and renaming files work properly
    #mpd_host = "localhost"
    #mpd_port = "6600"
    mpd_music_dir = "/home/chris/music/"
    mpd_connection_timeout = "5"
    mpd_crossfade_time = "5"
    ##### delays #####
    ## delay after playlist highlighting will be disabled (0 = don't disable)
    playlist_disable_highlight_delay = "0"
    ## defines how long various messages are supposed to be visible
    #message_delay_time = "4"
    ##### song format #####
    ## for song format you can use:
    ## %l - length
    ## %f - short filename
    ## %F - full filename
    ## %a - artist
    ## %t - title
    ## %b - album
    ## %y - year
    ## %n - track number
    ## %g - genre
    ## %c - composer
    ## %p - performer
    ## %d - disc
    ## %C - comment
    ## %r - begin right align
    ## you can also put them in { } and then it will be displayed
    ## only if all requested values are available and/or define alternate
    ## value with { }|{ } eg. {%a - %t}|{%f}
    ## text can also have different color than the main window has,
    ## eg. if you want length to be green, write $3%l$9
    ## available values:
    ## - 0 - default window color
    ## - 1 - black
    ## - 2 - red
    ## - 3 - green
    ## - 4 - yellow
    ## - 5 - blue
    ## - 6 - magenta
    ## - 7 - cyan
    ## - 8 - white
    ## - 9 - end of current color
    ## Note: colors can be nested.
    song_list_format = "{$8(%l)$9 }{%a - }{%t}|{$8%f$9}"
    song_library_format = "{%n - }{%t}|{%f}"
    media_library_album_format = "{(%y) }%b"
    tag_editor_album_format = "{(%y) }%b"
    browser_playlist_prefix = "$7playlist$9 "
    selected_item_prefix = "$8"
    selected_item_suffix = "$9"
    ## colors are not supported for below variables
    #song_status_format = "{(%l) }{%a - }{%t}|{%f}"
    #song_window_title_format = "{%a - }{%t}|{%f}"
    ##### columns settings #####
    ## syntax of song columns list format is "column column etc."
    ## - syntax for each column is:
    ## (width of column in %)[column's color]{displayed tag}
    ## - color is optional (if you want the default one, type [])
    song_columns_list_format = "(6)[white]{l} (15)[blue]{a} (35)[white]{b} (53)[blue]{t}"
    ##### various settings #####
    playlist_display_mode = "columns"
    browser_display_mode = "columns"
    #search_engine_display_mode = "classic" (classic/columns)
    incremental_seeking = "yes"
    #seek_time = "1"
    autocenter_mode = "yes"
    #repeat_one_mode = "no"
    #default_place_to_search_in = "database" (database/playlist)
    #media_library_left_column = "a" (possible values: a,y,g,c,p, legend above)
    #default_find_mode = "wrapped" (wrapped/normal)
    #default_space_mode = "add" (add/select)
    #default_tag_editor_left_col = "albums" (albums/dirs)
    #default_tag_editor_pattern = "%n - %t"
    header_visibility = "yes"
    statusbar_visibility = "yes"
    fancy_scrolling = "yes"
    follow_now_playing_lyrics = "yes"
    #ncmpc_like_songs_adding = "no" (enabled - add/remove, disabled - always add)
    display_screens_numbers_on_start = "yes"
    #clock_display_seconds = "no"
    ## Note: If below is enabled, ncmpcpp will ignore leading
    ## "The" word while sorting items in browser, tags in
    ## media library, etc.
    ignore_leading_the = "yes"
    #enable_window_title = "yes"
    ##### lyrics support #####
    ## supported lyrics databases:
    ## - 1 - lyricwiki.org
    ## - 2 - lyricsplugin.com
    lyrics_database = "1"
    ##### colors definitions #####
    colors_enabled = "yes"
    empty_tag_color = "white"
    header_window_color = "white"
    volume_color = "white"
    state_line_color = "blue"
    state_flags_color = "blue"
    main_window_color = "blue"
    color1 = "blue"
    color2 = "cyan"
    main_window_highlight_color = "white"
    progressbar_color = "blue"
    statusbar_color = "white"
    active_column_color = "white"
    window_border_color = "white"
    active_window_border = "magenta"
    //offtopic
    Nice music taste !

  • ISE CWA with COA not work on 3750X.

    Hello.
    I use ISE version 1.2.0.899 with patch 4. I configured Central Web Auth for a wired client. The first time the client opens a web browser, ISE redirects him to the guest portal. The user enters correct credentials, and after that the switch ignores the CoA packet. In the ISE logs: "5417 Dynamic Authorization failed". If I use a domain computer, authentication is successful using dot1x. All on port g1/0/1. I use a 3750X with IOS versions 15.0(2)SE2, 15.0(2)SE4, 15.0(2)SE5, 15.2(1). On all of these IOS versions I have this error.
    Config:
    3750X-ISE# sh running-config
    Building configuration...
    Current configuration : 9575 bytes
    !
    ! No configuration change since last restart
    ! NVRAM config last updated at 01:29:01 GMT Wed Mar 30 2011
    !
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname 3750X-ISE
    !
    boot-start-marker
    boot-end-marker
    !
    username admin privilege 15 secret 5 ----
    username radius-test secret 5 -----
    aaa new-model
    !
    aaa group server radius end
    !
    aaa group server radius ise
     server name ise3
     server name ise4
    !
    aaa authentication login default local
    aaa authentication login CON none
    aaa authentication enable default none
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization network ise group radius
    aaa accounting dot1x default start-stop group radius
    !
    aaa server radius dynamic-author
     client 192.168.102.53 server-key P@ssw0rd
     client 192.168.102.54 server-key P@ssw0rd
     client 192.168.102.51 server-key P@ssw0rd
     client 192.168.102.52 server-key P@ssw0rd
     server-key P@ssw0rd
    !
    aaa session-id common
    clock timezone GMT 0 0
    switch 1 provision ws-c3750x-24p
    system mtu routing 1500
    ip routing
    !
    ip dhcp snooping vlan 701-710
    ip dhcp snooping
    ip domain-name com.ru
    ip device tracking
    vtp mode transparent
    !
    device-sensor filter-list dhcp list DHCP-LIST
     option name host-name
     option name default-tcp-ttl
     option name requested-address
     option name parameter-request-list
     option name class-identifier
     option name client-identifier
     option name client-fqdn
    !
    device-sensor filter-list cdp list CDP-LIST
     tlv name device-name
     tlv name address-type
     tlv name version-type
     tlv name platform-type
     tlv name power-type
     tlv name external-port-id-type
    device-sensor filter-spec dhcp include list DHCP-LIST
    device-sensor filter-spec cdp include list CDP-LIST
    device-sensor accounting
    device-sensor notify all-changes
    !
    license boot level ipservices
    !
    dot1x system-auth-control
    !
    spanning-tree mode rapid-pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    vlan 102
    !
    vlan 701
     name ISE-network1
    !
    lldp run
    !
    no macro auto monitor
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     shutdown
    !
    interface GigabitEthernet1/0/1
     switchport access vlan 701
     switchport mode access
     switchport nonegotiate
     authentication event fail action next-method
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     spanning-tree portfast
    !
    interface Vlan102
     ip address 192.168.102.60 255.255.255.0
    !
    interface Vlan701
     ip address 192.168.107.1 255.255.255.240
     ip helper-address 192.168.102.50
     ip helper-address 192.168.102.53
    !
    ip http server
    ip http secure-server
    !
    ip route 0.0.0.0 0.0.0.0 192.168.102.1
    !
    ip access-list extended ACL-WEBAUTH-REDIRECT
     deny   udp any any eq domain
     deny   tcp any host 192.168.102.51
     deny   tcp any host 192.168.102.52
     deny   tcp any host 192.168.102.53
     deny   tcp any host 192.168.102.54
     permit tcp any any eq www
     permit tcp any any eq 443
    !
    snmp-server community test RO
    snmp-server community test2 RW
    snmp-server trap-source Vlan102
    snmp-server source-interface informs Vlan102
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 192.168.102.53 version 2c test2
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 192.168.102.53 auth-port 1812 acct-port 1813
    radius-server host 192.168.102.54 auth-port 1812 acct-port 1813
    radius-server host 192.168.102.54 key P@ssw0rd
    radius-server host 192.168.102.53 pac key P@ssw0rd
    radius-server key P@ssw0rd
    !
    line con 0
     login authentication CON
    line vty 0 4
     exec-timeout 60 0
    line vty 5 15
     exec-timeout 60 0
    !
    ntp master 5
    ntp server 198.123.30.132 prefer
    mac address-table notification change
    mac address-table notification mac-move
    end
    Please, help me.

    Use these Cisco IOS commands to monitor and troubleshoot CoA functionality on the switch:
    • debug radius
    • debug aaa coa
    • debug aaa pod
    • debug aaa subsys
    • debug cmdhd [detail | error | events]
    • show aaa attributes protocol radius
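    Before turning on debugs, a quick consistency check of the switch config catches the usual reasons a CoA is rejected or the redirect never fires. The following Python lint is an added example, not code from the thread or from Cisco; the embedded config excerpt is constructed from the values shown above (ISE nodes 192.168.102.51-54, ACL-WEBAUTH-REDIRECT) with the shared secret replaced by a placeholder, and the check list covers the standard CWA/CoA prerequisites rather than every possible cause.

```python
import re

# Constructed excerpt of the thread's 3750X config (ISE nodes 192.168.102.51-54,
# ACL-WEBAUTH-REDIRECT); the shared secret is a placeholder, not the real key.
SAMPLE_CONFIG = """\
aaa authorization network default group radius
aaa server radius dynamic-author
 client 192.168.102.53 server-key SECRET-PLACEHOLDER
 client 192.168.102.54 server-key SECRET-PLACEHOLDER
 client 192.168.102.51 server-key SECRET-PLACEHOLDER
 client 192.168.102.52 server-key SECRET-PLACEHOLDER
ip device tracking
dot1x system-auth-control
interface GigabitEthernet1/0/1
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
ip http server
ip http secure-server
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq domain
 deny   tcp any host 192.168.102.51
 deny   tcp any host 192.168.102.52
 deny   tcp any host 192.168.102.53
 deny   tcp any host 192.168.102.54
 permit tcp any any eq www
 permit tcp any any eq 443
radius-server host 192.168.102.53 auth-port 1812 acct-port 1813
radius-server host 192.168.102.54 auth-port 1812 acct-port 1813
radius-server key SECRET-PLACEHOLDER
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Global commands the CWA flow relies on: the HTTP server answers the redirect,
# device tracking ties the client IP to the session so CoA and dACLs can apply.
REQUIRED_GLOBAL = ("ip http server", "ip http secure-server", "ip device tracking",
                   "dot1x system-auth-control", "aaa authorization network default group radius")


def parse_blocks(config: str) -> dict[str, list[str]]:
    """Map each top-level IOS command to its indented sub-commands."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def check_cwa(config: str, acl_name: str = "ACL-WEBAUTH-REDIRECT") -> list[str]:
    """Return findings; an empty list means the CWA/CoA plumbing is consistent."""
    blocks = parse_blocks(config)
    findings: list[str] = []
    hosts = {m.group(1) for c in blocks if (m := re.match("radius-server host " + IP, c))}
    clients = {m.group(1) for s in blocks.get("aaa server radius dynamic-author", [])
               if (m := re.match("client " + IP, s))}
    if not hosts:
        findings.append("no radius-server host configured")
    # A CoA sent by a PSN that is not listed as a dynamic-author client is rejected.
    for h in sorted(hosts - clients):
        findings.append(f"RADIUS server {h} is not a dynamic-author client; its CoA will be rejected")
    for cmd in REQUIRED_GLOBAL:
        if cmd not in blocks:
            findings.append(f"missing global command: {cmd}")
    acl = blocks.get(f"ip access-list extended {acl_name}")
    if acl is None:
        findings.append(f"redirect ACL {acl_name} not found")
    else:
        # In a redirect ACL, deny means "do not redirect": ISE nodes and DNS must be exempt.
        exempt = {m.group(1) for e in acl if (m := re.match(r"deny\s+tcp any host " + IP, e))}
        for h in sorted(hosts - exempt):
            findings.append(f"{acl_name} does not exempt ISE node {h}; portal traffic would be redirected")
        if not any(re.match(r"deny\s+udp any any eq domain", e) for e in acl):
            findings.append(f"{acl_name} does not exempt DNS")
        for port in ("www", "443"):
            if not any(re.match(rf"permit\s+tcp any any eq {port}$", e) for e in acl):
                findings.append(f"{acl_name} does not redirect tcp/{port}")
    # Each 802.1X port needs open mode plus MAB so an unknown guest device gets a session at all.
    for cmd, subs in blocks.items():
        if cmd.startswith("interface ") and "authentication port-control auto" in subs:
            for needed in ("authentication open", "mab", "dot1x pae authenticator"):
                if needed not in subs:
                    findings.append(f"{cmd}: missing '{needed}'")
    return findings


if __name__ == "__main__":
    for line in check_cwa(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

    Run it against the output of "show running-config" saved to a file; the thread's config passes cleanly, so the 5417 failure there has to be looked for in the debugs rather than in missing plumbing.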

  • ISE Configuration in Distributed Environment

    Hi All,
    I have quick questions about ISE deployment in a distributed environment, as I have purchased 2 x Cisco ISE 3395 for the data center and 3 x Cisco ISE 3355 for remote locations, with 3500 Base licences and 500 Advanced licences.
    I have some questions on this deployment.
    I will install one 3395 in the primary data center and the other 3395 in our secondary data center, as Primary Admin + Primary Monitoring and Secondary Admin + Secondary Monitoring,
    and each 3355 will be installed in a remote location as a policy server. My question is: will this be a correct deployment?
    Or, while configuring the 3395s, do I need to configure a policy server as well, in addition to Primary Admin and Monitoring?
    Or please suggest the best deployment strategy!
    Thanks,
    Sachin

    Thanks for the reply,
    all three sites are connected over MPLS with 100MB redundant bandwidth.
    We have 2 data centers, one primary and the other secondary, and all client locations are connected with 100 Meg links, where I am planning to install the 3355s, which will act as authentication servers.
    But now my question is:
    3395 - Primary Admin+Primary Monitoring - Primary DC
    3395 - Secondary Admin+ Secondary Monitoring - Secondary DC
    3355- will say for one remote location(PSN)
    3355- Second remote Location(PSN)
    3355- third Remote location (PSN)
    thanks,
    Sachin

  • ISE 1.2 NAC solution for 12500 Persona Deployment

    I have a deployment scenario for a NAC solution (ISE) that must support 12500 users and must provide the ability to implement security policies on endpoints before they connect. So should I order ISE-3395 with ISE-3315, or is it not a workable solution? Please advise.

    Hi Shakeeb,
    The total number of appliances needed in a deployment depends on multiple factors and not just the number of endpoints as described here :
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html
    Refer to Step 2: Estimate the Number of Appliances or Servers Needed for the Deployment
    We have a dedicated team at Cisco who deal with presales issues; I would advise you to contact them for more guidance. Here is their contact info:
    • Phone: 408 902-4872
    • Email: [email protected]
    • Live chat: http://tinyurl.com/sacise
    Thanks,
    Aastha

  • ISE - dot1x EAP TLS for Cisco IP Phones

    Hi Gents,
    I have a question about the CA configs for ISE or ACS.
    As I understand, the LSC certificate is issued by the CUCM through its Certificate Authority Proxy Function. If an IP Phone needs to be authenticated by its LSC (Locally Significant Certificate), which of the following CAs do we need to trust:
    1. Cisco CA Certificate
    2. CUCM Locally signed Certificate or CUCM Identity Certificate
    And if these certificates are imported into ISE/ACS, will ISE/ACS be able to authenticate the IP Phone if dot1x EAP-TLS authentication is enabled for IP Phones?
    Are there any other configs needed?
    I would highly appreciate it if someone could clarify this process for me.
    Regards,

    I got the answer for the first part of the EAP-TLS authentication, phone authentication:
    In an IEEE 802.1X authentication, the AAA server is responsible for validating the certificate provided by the phone. To do this, the AAA server must have a copy of the root CA certificate that signed the phone's certificate. The root certificates for both LSCs and MICs can be exported from the CUCM Operating System Administration interface and imported into your AAA server.
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000412
    As this is EAP-TLS, the server (ISE/ACS) is also required to authenticate itself to the phone.
    What is needed for this?
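    The two trust relationships in the exchange above, the AAA server validating the phone's certificate and the phone validating the server's, written out as an added example that is not from the original post or from Cisco. The script builds three throwaway roots with openssl standing in for the CUCM CAPF root (issuer of LSCs), the manufacturing root (issuer of MICs) and an enterprise CA that signs the AAA server's own EAP certificate, issues a leaf certificate under each, and then shows which trust store accepts which leaf. All CA names, device names and the server hostname are assumptions for illustration; in a real deployment the roots are exported from CUCM and imported into ISE/ACS, not generated like this.

```sh
#!/bin/sh
# Added example: toy PKI showing which root each certificate validates against.
# CA names, phone device names and the server name are assumed placeholders.
WORK=$(mktemp -d)

make_ca() {   # $1 = CA name -> self-signed root in $WORK/$1.pem, key in $WORK/$1.key
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" >/dev/null 2>&1
}

issue_cert() {   # $1 = issuing CA name, $2 = subject CN -> leaf in $WORK/$2.pem
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" >/dev/null 2>&1
}

bundle() {   # $1 = bundle name, remaining args = root names; concatenated PEM trust store
  name=$1; shift
  : > "$WORK/$name.pem"
  for r in "$@"; do cat "$WORK/$r.pem" >> "$WORK/$name.pem"; done
}

verify_against() {   # $1 = trust store name, $2 = cert name; prints OK or FAIL
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>/dev/null | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

# Assumed roots: CAPF signs LSCs, the manufacturing CA signs MICs,
# and an enterprise CA signs the AAA server's EAP identity certificate.
make_ca CAPF-root
make_ca Manufacturing-root
make_ca Enterprise-root

issue_cert CAPF-root          SEP001122334455   # phone that received an LSC
issue_cert Manufacturing-root SEPAABBCCDDEEFF   # phone presenting only its MIC
issue_cert Enterprise-root    ise.example.net   # AAA server's own certificate (assumed name)

# What the AAA server holds after importing BOTH exported roots from CUCM
bundle aaa-trust CAPF-root Manufacturing-root

echo "LSC phone  vs CAPF root only:          $(verify_against CAPF-root SEP001122334455)"
echo "LSC phone  vs manufacturing root only: $(verify_against Manufacturing-root SEP001122334455)"
echo "LSC phone  vs AAA trust store:         $(verify_against aaa-trust SEP001122334455)"
echo "MIC phone  vs AAA trust store:         $(verify_against aaa-trust SEPAABBCCDDEEFF)"
# Server side of EAP-TLS: the phone must hold the root of the server's certificate;
# the AAA trust store (phone roots) says nothing about that chain.
echo "Server cert vs AAA trust store:        $(verify_against aaa-trust ise.example.net)"
echo "Server cert vs enterprise root:        $(verify_against Enterprise-root ise.example.net)"
```

    The last two lines are the point of the second question in the post: importing the LSC and MIC roots lets the server validate phones, but the reverse direction needs the root that signed the server's EAP certificate to be trusted by the phone, which is a separate trust store from the one shown here.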

  • ISE database error

    Hi All,
    We have three ISE engines in a cluster, but one of them consistently develops a database error. It has happened more than four times already to this ISE box since deployment; it is also the Secondary (Admin) and Primary (M&T) for the cluster. We upgraded the cluster to version 1.1.1 in May 2013 and the same box crashed again yesterday. The Primary (Admin) and another ISE-3315 have no issues at all.
    The problematic box is an ISE-3395-K9, and it supports our main user site of about 2000-2500 endpoints. The error that appears on the Primary (Admin) engine is "Replication & Sync disabled". It appears that the database replication stops and doesn't recover.
    Any tips and comments will be highly appreciated.
    Thanks
    Sankung

    You should post this in the AAA Identity forum.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Basic Small LAN Config Changes

    I have a few questions on setting up (re-configuring) a small business LAN. The network consists of 2 core switches, both Cisco 3750G, and a Microsoft Threat Management Gateway as the router/firewall. The TMG has 3 NICs: DMZ, Internal LAN, and External. The 2 3750Gs are in two separate rooms connected via a VTP trunk. I have a number of VLANs: vlan 9 (DMZ) int ip 192.168.0.2 | vlan10 (INT_LAN) int ip 10.0.10.2 | vlan20 (vMotion) int ip 10.0.20.2 | vlan30 (iSCSI) int ip 10.0.30.2. ip routing is enabled on the switch. I do not have ip default-gateway set.
    Threat Management Gateway (TMG) server NIC config: DMZ, IP 192.168.0.9, connected to gi1/0/x switchport access vlan9. INT_LAN, IP 10.0.10.1, connected to gi1/0/x switchport access vlan10. Ext, public IP, connected to the ISP. All internal servers/workstations use the TMG INT_LAN IP as their gateway. The internal AD DNS server forwards to the DMZ DNS 192.168.0.9. The DMZ DNS forwards to an external public DNS for all external resolution.
    With the above configuration, I'm noticing SYN_PACKET_DROPPED errors in the TMG firewall logs. I've come across some information that might relate to having the gateway set as the TMG instead of the VLAN those servers/workstations are in, vlan10, i.e. their gateway should be set to 10.0.10.2 with a route to the TMG INT_LAN IP. My question is: what is the best way to go about configuring this? Since the TMG is essentially a router, should/can I change its INT_LAN IP to, say, 10.0.1.1 and set ip default-gateway to 10.0.1.1? Or would adding a route like 10.0.10.0 255.255.255.0 10.0.1.1 work, or 0.0.0.0 0.0.0.0 10.0.1.1? What would the port settings for the TMG INT_LAN NIC be? Would it be a routed port, or still remain a switchport in a VLAN, i.e. vlan1 10.0.1.2?
    Any assistance would be greatly appreciated with this configuration. Thank you!
    -SK

    I've made the changes noted and I'm still experiencing a wrath of SYN_PACKET_DROPPED in the firewall logs. I have to constantly refresh or press enter in the address bar for internet sites I'm trying to visit from clients in the internal VLAN 10.
    I think I need to have the TMG act as the router, so to speak, in the environment. What I'm trying to figure out is how to configure my core switch in this situation. What I'm thinking is configuring one of the interfaces on the 3750 as layer 3 (no switchport), assigning it an IP address of say 201.1.1.2 with SN 255.255.255.248, and configuring the INT_LAN NIC of the TMG as IP 200.1.1.1 255.255.255.248. Would I need to add a route 0.0.0.0 0.0.0.0 200.1.1.1 on the 3750 for all internet traffic to end up at the TMG INT_LAN interface, and most likely have the TMG routing set properly for the 200.1.1.x and 10.0.10.x subnets as part of the INT_LAN?
    If the above scenario is taken, do I have to make any changes on the 2nd 3750? I have 3 VLANs only: Management, VLAN 10, and VLAN 5. Could the ip default-gateway of the 2nd 3750 be the management interface IP address, with the core1 3750 having the static 0.0.0.0 route, or do both switches need a static route to the TMG 200.1.1.1 IP? Thanks.
    -SK
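    The routed-port design SK describes in the post above, written out as an added example; this is not SK's configuration and not from the original page. The transit subnet is assumed: the example uses a private 10.0.1.0/29 at both ends (the 200.1.1.1/29 and 201.1.1.2/29 addresses in the post sit in two different /29 networks, so they could not share one link), and core2's management SVI address is assumed as well. The VLAN 10 SVI address 10.0.10.2 and the other VLAN subnets are the ones from the post. Whether this clears the SYN_PACKET_DROPPED entries depends on every flow being symmetric, i.e. request and reply crossing TMG on the same pair of NICs, which is what the return routes on the TMG side are for.

```ios
! ---- core1 (3750G): routes for the campus, default route to TMG ----
ip routing
!
interface GigabitEthernet1/0/1
 description Transit link to TMG INT_LAN NIC (routed port, not in any VLAN)
 no switchport
 ip address 10.0.1.2 255.255.255.248
!
interface Vlan10
 description INT_LAN - hosts in VLAN 10 use 10.0.10.2 as their default gateway
 ip address 10.0.10.2 255.255.255.0
!
interface Vlan20
 description vMotion
 ip address 10.0.20.2 255.255.255.0
!
interface Vlan30
 description iSCSI
 ip address 10.0.30.2 255.255.255.0
!
! Anything core1 cannot route itself (Internet, and the DMZ behind TMG) goes to TMG
ip route 0.0.0.0 0.0.0.0 10.0.1.1
!
! ---- TMG INT_LAN NIC (Windows side; shown as comments, this is not IOS) ----
!  IP 10.0.1.1 / 255.255.255.248 with NO default gateway on this NIC
!  (the default gateway belongs to the External NIC only).
!  Persistent return routes so replies to 10.0.x.0 hosts go back via core1:
!    route -p add 10.0.10.0 mask 255.255.255.0 10.0.1.2
!    route -p add 10.0.20.0 mask 255.255.255.0 10.0.1.2
!    route -p add 10.0.30.0 mask 255.255.255.0 10.0.1.2
!  Also add these subnets (and 10.0.1.0/29) to the address ranges of the TMG
!  "Internal" network object; TMG drops packets whose source address is not in
!  the network object of the NIC they arrived on, and logs them as spoofed.
!
! ---- core2 (3750G, layer 2 only): let core1 do the routing ----
no ip routing
!
interface Vlan10
 description management SVI (VLAN assumed); core1 is the gateway
 ip address 10.0.10.3 255.255.255.0
!
ip default-gateway 10.0.10.2
!
! If core2 must keep "ip routing" enabled, "ip default-gateway" is ignored and
! it needs a static default route instead:
!   ip route 0.0.0.0 0.0.0.0 10.0.10.2
```

    With this layout the switch, not TMG, is the gateway for every internal VLAN, TMG only ever sees traffic that leaves the campus, and the 0.0.0.0/0 route exists once, on core1; core2 needs nothing more than a path to core1 for its own management traffic.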
