Storm Control

Hi,
What are the best values when configuring storm control on an interface (broadcast, multicast and unicast)?
Thanks
reza

hi,
So in my scenario, it is not using multicast and broadcast for video / music streaming, right? We only shared the network drive to access and play the video and music.
1. So it will not influence my m/c or b/c percentage, right?
2. Please give me a guideline. Setting m/c or b/c is good to help prevent problems when there is a lot of traffic such as a broadcast storm / virus spreading, right?

Similar Messages

  • Storm Control on Port-Channel Interfaces (6500 platform)

    Hello.
    I cannot find it anywhere in the documentation for the Cisco 6500 platform (IOS). The question is this: When calculating the percentage of broadcast passing through a Port-Channel interface, which total bandwidth figure is used by the switch? For example:
    a. If we have a bundle of 4 Gig interfaces in a PortChannel with Storm-Control applied, the threshold will be calculated over 4Gb/s or 1Gb/s?
    b. If the same PortChannel for some reason loses 2 of the uplinks in the Bundle, will the calculation be made over 4Gb/s, 2Gb/s or 1Gb/s?
    Thanks!

    Hi Leo,
    I can't find any reference to this at the moment, but my thoughts are that it will be based on a single member port of the port-channel.
    Remember that a port-channel is logically a single link and so a broadcast is only sent on one of the links of the port-channel and not all of them. The decision as to which link is used will be the same as for any other frame i.e., the broadcast address is used within the hashing calculation to choose the physical port.
    If the storm-control values are determined based upon the aggregate bandwidth, and change as links are added/removed from the aggregate, then the suppression threshold values for the link carrying the broadcasts are never going to be correct.
    Regards

  • OID of storm control trap

    Hello everyone,
    I have a question about the Storm Control trap.
    I configured "storm-control action trap" on cat2960-24.
    When a broadcast storm occurred, my SNMP server received the trap whose OID is "1.3.6.1.4.1.9.9.362.0.0.1" from cat2960-24.
    What is this OID?
    I think that ciscoPortStormControlMIBNotifs has two objects.
    One is cpscEvent (1.3.6.1.4.1.9.9.362.0.1.1) and the other is cpscEventRev1 (1.3.6.1.4.1.9.9.362.0.2).
    I can't find this OID (1.3.6.1.4.1.9.9.362.0.0.1) in SNMP Object Navigator.
    My cat3560G-24, which is configured similarly, sent the correct trap (1.3.6.1.4.1.9.9.362.0.2).
    Why did my cat2950 send an undefined trap?
    best regards.
    Yusuke Matsumoto

    Hello,
    I also receive the trap 1.3.6.1.4.1.9.9.362.0.0.1, but I could not find the appropriate MIB.
    Could someone give some help?
    Best regards
    Serge

  • Broadcast Storm Control

    Hi everybody,
    I’m unsure about the broadcast storm control feature on a switch. Could anyone please advise me?
    1. When broadcast storm control is triggered, can normal data packets (not broadcast packets) pass the switch?
    2. If a network loop occurs at an unmanaged switch that doesn’t support spanning tree protocol and it connects to a managed switch that has broadcast storm control turned on, does it help with this issue?
    Managed switch
    |
    |
    Unmanaged switch
    ||
    \/<--- network looping
    Thanks in advance,
    Nitass

    1. Unicast packets and multicast packets are not affected when you enable broadcast storm control. Multicast packets will be affected only if you enable multicast storm control on the switchport.
    2. I have no experience in a setup such as this but the behavior of the storm-control broadcast level command suggests that the switch port will drop all broadcasts headed through the port (in both directions) for a specified period of time.
    This, however, still does not stop the source of the broadcast (i.e. the multiple links running to the unmanaged switch) so I would presume that the broadcasts might die down for a small period of time but they will resurface as the unmanaged switch would continue generating broadcast packets.
    Thus the port on the managed switch would come back to normal state, only to go back into broadcast storm control state and stop all broadcasts all over again.
    HTH
    Please rate posts that help.
    Regards
    Arvind

  • Broadcast Storm Control - Mac-address flooding

    Hi Friends,
    We would like to configure broadcast storm control in our LAN to detect/avoid mac-address flooding. What is the best way, and how do I decide the rising threshold and falling threshold values? Please suggest.
    Regards,
    S.Tamilvanan

    Hello,
    the best way is to monitor your network for 5-6 days in order to find out the normal pattern of broadcast traffic. Then, based on the results from this monitoring process, you can set the thresholds of broadcast traffic.
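
One way to turn such a monitoring period into rising and falling thresholds, as an added example that is not part of the original posts. It assumes the baseline was collected by polling the IF-MIB `ifInBroadcastPkts` counter; the polls, the percentile, the headroom factor and the falling ratio are constructed values to adapt, and the `level pps` form of `storm-control` should be checked against the platform in use.

```python
import math

COUNTER32_MOD = 2 ** 32  # ifInBroadcastPkts is a Counter32 and wraps


def rates_pps(polls):
    """Turn (epoch_seconds, counter) polls into packets-per-second rates.

    A counter lower than the previous poll is treated as one wrap; a device
    reboot looks the same, so drop polls that span a known restart.
    """
    rates = []
    for (t0, c0), (t1, c1) in zip(polls, polls[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # duplicate or out-of-order poll
        rates.append(((c1 - c0) % COUNTER32_MOD) / dt)
    return rates


def percentile(values, pct):
    """Nearest-rank percentile (pct in 0..100) of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def suggest_thresholds(polls, pct=99.0, headroom=2.0, falling_ratio=0.5):
    """Rising = baseline percentile x headroom; falling = part of rising.

    pct, headroom and falling_ratio are assumptions of this example,
    not vendor recommendations.
    """
    rates = rates_pps(polls)
    if not rates:
        raise ValueError("need at least two usable polls")
    baseline = percentile(rates, pct)
    rising = math.ceil(baseline * headroom)
    falling = math.ceil(rising * falling_ratio)
    peak = max(rates)
    return {
        "baseline_pps": baseline,
        "peak_pps": peak,
        "rising_pps": rising,
        "falling_pps": falling,
        # True means a burst seen during the baseline would itself have been
        # suppressed: decide whether that burst was legitimate before applying.
        "peak_exceeds_rising": peak > rising,
    }


def ios_line(kind, thresholds):
    """Render the thresholds as an interface-level configuration line."""
    return "storm-control {} level pps {} {}".format(
        kind, thresholds["rising_pps"], thresholds["falling_pps"])


# Constructed polls, one per minute; the counter wraps between 180 s and 240 s.
# A real baseline covering several days would hold thousands of polls.
CONSTRUCTED_POLLS = [
    (0, 4294960000), (60, 4294961200), (120, 4294963000), (180, 4294964500),
    (240, 6204), (300, 8604), (360, 9804), (420, 12804),
    (480, 14304), (540, 16104), (600, 18204),
]

if __name__ == "__main__":
    result = suggest_thresholds(CONSTRUCTED_POLLS, pct=90)
    print(result)
    print(ios_line("broadcast", result))
```
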

  • Storm-Control Nexus Environment

    Hello,
    we want to configure storm-control in our network but we don't understand the feature in all its details.
    I understand that the switch can differentiate between broadcast/multicast and unicast by the I/G-Bit (if it is 1 or 0). But how does a Nexus 5500 or Nexus 7000 differentiate between broadcast and multicast? If the switch only checks the I/G-bit, it is not able to determine if it is broadcast or multicast?
    I couldn't find anything about it in the documentation. Can anybody explain the difference?
    thx

  • Product bug: unknown unicast traffic storms from thunderbolt displays

    Hi All -
    Periodically, a random Thunderbolt display will launch a wire rate unknown unicast traffic storm into our LAN and only stop when unplugged from the network. This typically leads to unicast flooding or at least massive trunk congestion (we now use Cisco's storm-control and block (unknown) unicast).
    In any given event the transmitted frames are all the same and appear to be random data from memory. They make no sense as traffic: they have garbage MAC addresses and hence the "unknown unicast traffic storm".
    We have very roughly 100 and about 1% malfunction this way once a week. We don't think it's the MBP behind the display because we switched to Thunderbolt ethernet adapters (directly on the MBPs) and have not seen an incident for over 7 weeks.
    Here is a LogicMonitor record; the trailing edge of the event was when we unplugged the display.
    Here's what a packet capture looks like from the outage:
    Here is trace data from a different event.
    The destination MAC address is an ASCII string that spells out "vertcp". Although Wireshark identifies the frame type as LLC in the first example, we believe this to be a coincidence; it's a random 436-byte piece of firmware memory. A safe conclusion is that both the LLC tag and the completely invalid ethertype in the first event are just random. Nothing in the captured frames makes sense because they aren't ethernet frames; they are random data passed to the driver due to a bug.
    Thanks
    Branden

    We have experienced the same issue with increasing frequency as more Thunderbolt displays are introduced into our environment in the last year.  On a gigabit port, the display has no problem generating 800mbit/s or more of traffic (~500kpps) - which is then flooded to every port in the same VLAN (~400 user ports in our case).  For 100mbit/s users, this essentially floods them off the network.
    Here is a detail I don't see mentioned above -- this happens even when a laptop/computer is not connected to the display.  The first case we had of this happening was with a display that had no thunderbolt parent device attached.  Shutting down the switchport and no-shutting it (bouncing the link on the display) resolves this until the next time it happens.
    It looks like whatever crap resides in various buffers is used to construct the resulting Ethernet frames.  I did not perform a packet capture this time, but the last time it happened the entire Ethernet header was null bytes with the body being mostly-null but the same random-looking noise in the rest of the frame.  The frame was interpreted by Wireshark and others as a type of Fiber Channel, but I think that was just the default case that matched many of the null characteristics.  The exact same frame was reflected in each packet sent (as opposed to each frame being different/randomized from the predecessor)
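
The I/G-bit question in the Nexus thread above and the garbage destination addresses in this thread both come down to Ethernet's destination-address rules. This added example (not from either post, and not a description of any switch's internal implementation) classifies frames by those rules and by a learned MAC table; the table and frames are constructed, with the `vertcp` and all-null destinations following the descriptions above.

```python
from collections import Counter

BROADCAST = b"\xff" * 6


def traffic_class(dst):
    """Class of a 6-byte destination MAC under Ethernet addressing rules."""
    if len(dst) != 6:
        raise ValueError("destination MAC must be 6 bytes")
    if dst == BROADCAST:
        return "broadcast"  # all ones: checked before the I/G bit
    if dst[0] & 0x01:
        return "multicast"  # I/G bit set, but not the all-ones address
    return "unicast"        # I/G bit clear


def forwarding_class(frame, mac_table):
    """Classify a raw frame; unicast to an unlearned address is flooded."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst = frame[:6]
    cls = traffic_class(dst)
    if cls == "unicast" and dst not in mac_table:
        return "unknown-unicast"
    return cls


def tally(frames, mac_table):
    """Count frames per forwarding class."""
    return dict(Counter(forwarding_class(f, mac_table) for f in frames))


# --- constructed sample data -------------------------------------------
KNOWN_HOST = bytes.fromhex("020000000001")   # constructed, locally administered
SOURCE = bytes.fromhex("020000000002")       # constructed
MAC_TABLE = {KNOWN_HOST, SOURCE}             # addresses the switch has learned


def make_frame(dst):
    """Destination + source + EtherType 0x0800 + 46 zero bytes of payload."""
    return dst + SOURCE + b"\x08\x00" + bytes(46)


FRAMES = (
    [make_frame(b"vertcp")] * 3                      # ASCII bytes as a destination MAC
    + [bytes(60)] * 2                                # header entirely null bytes
    + [make_frame(BROADCAST)]                        # ordinary broadcast
    + [make_frame(bytes.fromhex("01005e0000fb"))]    # IPv4 multicast address
    + [make_frame(KNOWN_HOST)]                       # unicast to a learned host
)

if __name__ == "__main__":
    # 'v' is 0x76, an even value, so the I/G bit is clear: the garbage frames
    # count against the unicast threshold, not the broadcast one.
    print(traffic_class(b"vertcp"))
    print(tally(FRAMES, MAC_TABLE))
```
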

  • Loop - broadcast storm in network

    Good day to you all, I have a problem and I can't seem to find the right solution.
    At our company we have around 300 2960 switches; also, in some areas of the factory they are using 3com hubs or other hub devices.
    I am trying to take them all out, but the factory is too big and there are more than 100 in places I don't know.
    My problem is that many times we have a broadcast storm or loop in the network.
    Users just put 2 cables in a hub, or both cables of the Cisco phone in the hub.
    The hub is connected to a 2960 switch.
    My port configuration is:
    interface FastEthernet0/3
    switchport access vlan 27
    switchport mode access
    switchport voice vlan 244
    spanning-tree portfast
    spanning-tree bpduguard enable
    end
    the STP settings global are:
    spanning-tree mode pvst
    spanning-tree loopguard default
    spanning-tree portfast bpduguard default
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    In my opinion the port that has the 3com connected should go into err-disable when a loop is created, because it receives BPDU packets.
    Unfortunately this does not happen and my whole network goes down.
    The logging in the switch only identifies that there is MAC flapping.
    Mar  1 07:28:02: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
    Mar  1 07:28:18: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
    Mar  1 07:28:38: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
    Mar  1 07:28:42: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
    Mar  1 07:28:50: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
    Mar  1 07:28:50: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
    Mar  1 07:29:03: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
    Mar  1 07:29:06: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
    Mar  1 07:29:16: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
    Mar  1 07:29:18: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
    Does someone have an idea how to prevent this from happening?
    Thanks a lot!

    Hello
    My question is should i only set on the interface "storm-control broadcast level ??"
    or do i also need to set multicast and unicast ? - It all depends on what traffic you have traversing your links; you need to be sure you don't set the levels so low as to prohibit legitimate IGP/broadcast/multicast/unicast traffic. This includes any bespoke application traffic that utilizes any of the above.
    and why is the 3 to 5 %, so it will drop the storm when reach 95 % on interface ? - 5% of a 100mb link would be reached at 5 mb utilization of whatever traffic you define; the higher the rate, the less effective storm control is.
    To protect against layer 1 devices such as hubs and, say, access ports with attached switches (managed/unmanaged), you can also apply port-security running alongside your current stp bpduguard.
    switchport nonegotiate ( disables DTP)
    switchport port-security ( enables port security)
    switchport port-security aging type inactivity ( ageing of mac- address)
    switchport port-security aging time xx  ( mins the mac address will age out)
    Switchport port-security violation restrict| shutdown ( violation action of port-security)
    Switchport port-security max xx ( number of mac- address allowed on port)
    res
    Paul
    Please don't forget to rate any posts that have been helpful.
    Thanks.
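
A way to read the MACFLAP_NOTIF lines quoted in this thread, as an added example that is not part of either post. It parses the ten log lines exactly as posted and reports, per VLAN, which port appears in every flap pair; treating that common port as the direction the duplicated frames arrive from is a troubleshooting heuristic assumed here, not something the switch states.

```python
import re
from collections import Counter, defaultdict

# The ten log lines quoted in the post above, verbatim.
SAMPLE_LOG = """\
Mar  1 07:28:02: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar  1 07:28:18: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar  1 07:28:38: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar  1 07:28:42: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar  1 07:28:50: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar  1 07:28:50: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar  1 07:29:03: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar  1 07:29:06: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
Mar  1 07:29:16: %SW_MATM-4-MACFLAP_NOTIF: Host 0026.18d6.e3d6 in vlan 27 is flapping between port Fa0/2 and port Gi0/1
Mar  1 07:29:18: %SW_MATM-4-MACFLAP_NOTIF: Host e05f.b9e5.acba in vlan 27 is flapping between port Fa0/45 and port Gi0/1
"""

FLAP_RE = re.compile(
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d): %SW_MATM-4-MACFLAP_NOTIF: "
    r"Host (?P<mac>[0-9a-f.]{14}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<a>\S+) and port (?P<b>\S+)"
)


def parse_flaps(text):
    """Return one dict per MACFLAP_NOTIF line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FLAP_RE.search(line)
        if not m:
            continue
        events.append({
            # Seconds since midnight; a log that crosses midnight needs dates.
            "t": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
            "mac": m["mac"],
            "vlan": int(m["vlan"]),
            "ports": frozenset((m["a"], m["b"])),
        })
    return events


def summarize(events):
    """Group flap events by VLAN and find the port shared by every pair."""
    by_vlan = defaultdict(list)
    for ev in events:
        by_vlan[ev["vlan"]].append(ev)
    report = {}
    for vlan, evs in by_vlan.items():
        common = frozenset.intersection(*(e["ports"] for e in evs))
        seen = frozenset.union(*(e["ports"] for e in evs))
        times = [e["t"] for e in evs]
        report[vlan] = {
            "events": len(evs),
            "hosts": dict(Counter(e["mac"] for e in evs)),
            # Heuristic: a port present in every pair is where the looped
            # copies come back in, so the loop lies beyond that port.
            "common_ports": sorted(common),
            # The remaining ports are where the hosts are otherwise seen.
            "other_ports": sorted(seen - common),
            "span_seconds": max(times) - min(times),
        }
    return report


if __name__ == "__main__":
    for vlan, info in summarize(parse_flaps(SAMPLE_LOG)).items():
        print(vlan, info)
```
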

  • Broadcast storms

    Hello,
    I currently have 4 HP 2610 switches alongside a Cisco SG 300 28 Port POE.  I have a few laptops that when I look on the old 2610's I can plainly see they are pushing out what may be excessive traffic (AKA broadcast storms) from the login page on the GUI...I am investigating this with the laptops in question by updating drivers, checking for malware etc..hopefully the nics aren't bad as that would be a board replacement.  Anyways, if these laptops were on the Cisco is there an area that I can plainly see what ports or Macs are pushing out what may be a broadcast storm.  Under logs I see I have a flash log etc...but where would I see who is actually in plain english pushing bad traffic similar to the old HP switches?  The reason why I ask is I am retiring the old HP's over time and I want to be "in the know" how to see issues like this without having to go through a lot of hoops.
    Don

    Hi Don
    I know HP 2610 switches and thus remember which messages you are talking about. Neither kind of Cisco switch (Small Business or Enterprise) provides the same kind of output regarding identification of an unexpected traffic pattern on ports.
    But on the other side they have options to avoid and identify loops in switched networks. This means that instead of receiving "Excessive broadcasts received on the port X" you will get something like "STP Loopback Detection." in case there really is a switching loop in the network. Moreover, with the release of firmware 1.4.0.88 a new feature was introduced for avoiding loops in the network: Loopback detection – Detects network loops using non-BPDU frames, and usually used where spanning tree cannot be used.
    There is also a Storm control feature on SG300 switches, but it is more of a prevention mechanism instead. More here.
    I.e., in other words, Small Business switches have resources and options to detect switching loops, with blocking of the switch ports where storms are coming from.
    One more thing: "Excessive broadcasts received on the port X" on HP did not always point to broadcast storms; yes, it is usually caused by a network topology loop, but it can also be due to a malfunctioning device, NIC, NIC driver, or software application.
    hope this helps..

  • Re: iphone wi-fi calling causes broadcast/multicast storm?

    It's shared. We just have 1 subnet currently. Maybe 125 devices total. I am definitely thinking it might be worth the time to divide the wi-fi and voip phones now....
    The packet captures seems to show what I suggest. The fact that is has happened with two iphones both yelling for t-mobile on separate occasions seems an unlikely coincidence. It's very odd though.
    I already banned the mac addresses from our wi-fi network. I have read about storm control and igmp snooping. Worthwhile to stop this kinda thing?

    Hello. I've run into a very strange issue the last two days. I've had 2 multicast storms that shut down my entire network. I posted a snippet of the packet capture I took during the storm. The source IP is an iphone and the destination IP is a T-Mobile server. Today a different iphone did the same thing with a second T-Mobile server. I was thrown off as the Ethernet source is an Aastra voip phone. The source in all of these 500,000+ packets is different Aastra phones on our network. It appears the storm has caused the phones to send out these packets from the iphone looking for t-mobile. The packets are using port 4500 which i found is for T-Mobile wifi calling! Wondering if anyone has seen anything like this? How could an iphone shut the entire network down? What might one do to prevent this? I have spanning tree running with our core...
    This topic first appeared in the Spiceworks Community

  • N2K port speed set

    My N2K is connected to an N5K. Why can some ports set the port speed, and some can't set the port speed?
    int eth102/1/25     !!!No speed command
    (config-if)# ?
      beacon          Disable/enable the beacon for an interface
      cdp             Configure CDP interface parameters
      channel-group   Configure port channel parameters
      description     Enter description of maximum 80 characters
      inherit         Inherit a port-profile
      ip              Configure IP features
      ipv6            Configure IPv6 features
      lacp            Configure LACP parameters
      link            Configure link
      lldp            Configure Interface LLDP parameters
      logging         Configure logging for interface
      mvr-group       MVR interface config
      mvr-type        MVR interface config
      mvr-vlan        Interface MVR Config
      no              Negate a command or set its defaults
      rate-limit      Set packet per second rate limit
      service-policy  Configure service policy for an interface
      service-policy  Policy Map
      shutdown        Enable/disable an interface
      snmp            Modify SNMP interface parameters
      spanning-tree   Spanning Tree Subsystem
      switchport      Configure switchport parameters
      untagged        Default to use for untagged packets on interface
      end             Go to exec mode
      exit            Exit from command interpreter
      pop             Pop mode from stack or restore from name
      push            Push current mode to stack or save it under name
      where           Shows the cli context you are in
    (config-if)# int eth102/1/48       !!! include speed command
    (config-if)# ?
      bandwidth              Set bandwidth informational parameter
      beacon                 Disable/enable the beacon for an interface
      cdp                    Configure CDP interface parameters
      channel-group          Configure port channel parameters
      default                Set a command to its defaults
      delay                  Specify interface throughput delay
      description            Enter description of maximum 80 characters
      duplex                 Enter the port duplex mode
      fex                    Configure FEX fabric
      flowcontrol            Configure interface flowcontrol
      hardware               FEX Card type
      inherit                Inherit a port-profile
      ip                     Configure IP features
      ipv6                   Configure IPv6 features
      lacp                   Configure LACP parameters
      link                   Configure link
      lldp                   Configure Interface LLDP parameters
      load-interval          Specify interval for load calculation for an interface
      logging                Configure logging for interface
      mac                    MAC
      mac-address            Configure interface mac address
      mvr-group              MVR interface config
      mvr-type               MVR interface config
      mvr-vlan               Interface MVR Config
      negotiate              Configure link negotiation parameters
      no                     Negate a command or set its defaults
      priority-flow-control  Enable/Disable PFC
      rate-limit             Set packet per second rate limit
      service-policy         Configure service policy for an interface
      service-policy         Policy Map
      shutdown               Enable/disable an interface
      snmp                   Modify SNMP interface parameters
      spanning-tree          Spanning Tree Subsystem
      speed                  Enter the port speed
      storm-control          Configure Interface storm control
      switchport             Configure switchport parameters
      untagged               Default to use for untagged packets on interface
      vpc                    Virtual Port Channel configuration
      vtp                    Enable VTP on this interface
      end                    Go to exec mode
      exit                   Exit from command interpreter
      pop                    Pop mode from stack or restore from name
      push                   Push current mode to stack or save it under name
      where                  Shows the cli context you are in
    1,N5K version:
    Cisco Nexus Operating System (NX-OS) Software
    TAC support: http://www.cisco.com/tac
    Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
    Copyright (c) 2002-2013, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    Software
      BIOS:      version 3.6.0
      loader:    version N/A
      kickstart: version 6.0(2)N1(2)
      system:    version 6.0(2)N1(2)
      Power Sequencer Firmware:
                 Module 1: version v5.0
      Microcontroller Firmware:        version v1.0.0.2
      SFP uC:    Module 1: v1.1.0.0
      QSFP uC:   Module not detected
      BIOS compile time:       05/09/2012
      kickstart image file is: bootflash:///n5000-uk9-kickstart.6.0.2.N1.2.bin
      kickstart compile time:  3/14/2013 1:00:00 [03/14/2013 16:53:55]
      system image file is:    bootflash:///n5000-uk9.6.0.2.N1.2.bin
      system compile time:     3/14/2013 1:00:00 [03/14/2013 19:28:50]
    Hardware
      cisco Nexus 5596 Chassis ("O2 48X10GE/Modular Supervisor")
      Intel(R) Xeon(R) CPU         with 8262944 kB of memory.
    2,N5K port
    Eth102/1/1    --                 connected 101       full    1000    --        
    Eth102/1/2    --                 connected 101       full    1000    --        
    Eth102/1/3    --                 connected 101       full    1000    --        
    Eth102/1/4    --                 connected 101       full    1000    --        
    Eth102/1/5    --                 connected 101       full    1000    --        
    Eth102/1/6    --                 connected 101       full    1000    --        
    Eth102/1/7    --                 connected 101       full    1000    --        
    Eth102/1/8    --                 connected 101       full    1000    --        
    Eth102/1/9    --                 connected 101       full    1000    --        
    Eth102/1/10   --                 connected 101       full    1000    --        
    Eth102/1/11   --                 connected 101       full    1000    --        
    Eth102/1/12   --                 connected 101       full    1000    --        
    Eth102/1/13   --                 connected 101       full    1000    --        
    Eth102/1/14   --                 connected 101       full    1000    --        
    Eth102/1/15   --                 connected 104       full    1000    --        
    Eth102/1/16   --                 connected 104       full    1000    --        
    Eth102/1/17   --                 connected 104       full    1000    --        
    Eth102/1/18   --                 connected 104       full    1000    --        
    Eth102/1/19   --                 connected 104       full    1000    --        
    Eth102/1/20   --                 connected 104       full    1000    --        
    Eth102/1/21   --                 connected 104       full    1000    --        
    Eth102/1/22   --                 connected 104       full    1000    --        
    Eth102/1/23   --                 connected 104       full    1000    --        
    Eth102/1/24   --                 connected 104       full    1000    --        
    Eth102/1/25   --                 notconnec 102       auto    auto    --        
    Eth102/1/26   --                 notconnec 102       auto    auto    --        
    Eth102/1/27   --                 connected 106       full    1000    --        
    Eth102/1/28   --                 connected 106       full    1000    --        
    Eth102/1/29   --                 connected 104       full    1000    --        
    Eth102/1/30   --                 connected 104       full    1000    --        
    Eth102/1/31   --                 connected 104       full    1000    --        
    Eth102/1/32   --                 connected 104       full    1000    --        
    Eth102/1/33   --                 connected 104       full    1000    --        
    Eth102/1/34   --                 connected 104       full    1000    --        
    Eth102/1/35   --                 connected 104       full    1000    --        
    Eth102/1/36   --                 connected 104       full    1000    --        
    Eth102/1/37   --                 connected 104       full    1000    --        
    Eth102/1/38   --                 connected 104       full    1000    --        
    Eth102/1/39   --                 notconnec 1         auto    auto    --        
    Eth102/1/40   --                 notconnec 1         auto    auto    --        
    Eth102/1/41   --                 notconnec 1         auto    auto    --        
    Eth102/1/42   --                 notconnec 1         auto    auto    --        
    Eth102/1/43   --                 notconnec 1         auto    auto    --        
    Eth102/1/44   --                 notconnec 1         auto    auto    --        
    Eth102/1/45   --                 notconnec 1         auto    auto    --        
    Eth102/1/46   --                 notconnec 1         auto    auto    --        
    Eth102/1/47   --                 notconnec 1         auto    auto    --        
    Eth102/1/48   ZTC-Switch-48      connected 105       full    100     -- 
    3,Fex
    show fex 102 det
    FEX: 102 Description: AO4-N2K-FEX102   state: Online
      FEX version: 6.0(2)N1(2) [Switch version: 6.0(2)N1(2)]
      FEX Interim version: 6.0(2)N1(2)
      Switch Interim version: 6.0(2)N1(2)
      Extender Serial: FOX1742G09B
      Extender Model: N2K-C2248TP-E-1GE,  Part No: 73-13671-02
      Card Id: 149, Mac Addr: 64:e9:50:16:08:02, Num Macs: 64
      Module Sw Gen: 21  [Switch Sw Gen: 21]
      post level: complete
      Pinning-mode: static    Max-links: 1
      Fabric port for control traffic: Eth1/3
      FCoE Admin: false
      FCoE Oper: true
      FCoE FEX AA Configured: false
      Fabric interface state:
        Po102 - Interface Up. State: Active
        Eth1/1 - Interface Up. State: Active
        Eth1/2 - Interface Up. State: Active
        Eth1/3 - Interface Up. State: Active
        Eth1/4 - Interface Up. State: Active
      Fex Port        State  Fabric Port
           Eth102/1/1    Up       Po102
           Eth102/1/2    Up       Po102
           Eth102/1/3    Up       Po102
           Eth102/1/4    Up       Po102
           Eth102/1/5    Up       Po102
           Eth102/1/6    Up       Po102
           Eth102/1/7    Up       Po102
           Eth102/1/8    Up       Po102
           Eth102/1/9    Up       Po102
          Eth102/1/10    Up       Po102
          Eth102/1/11    Up       Po102
          Eth102/1/12    Up       Po102
          Eth102/1/13    Up       Po102
          Eth102/1/14    Up       Po102
          Eth102/1/15    Up       Po102
          Eth102/1/16    Up       Po102

    show run int eth102/1/25 all
    !Command: show running-config interface Ethernet102/1/25 all
    !Time: Tue Apr 14 14:33:38 2009
    version 6.0(2)N1(2)
    interface Ethernet102/1/25
      no description
      lacp port-priority 32768
      lacp rate normal
      priority-flow-control mode auto
      lldp transmit
      lldp receive
      no switchport block unicast
      no switchport block multicast
      no hardware multicast hw-hash
      no hardware vethernet mac filtering per-vlan
      cdp enable
      switchport
      switchport mode access
      no switchport dot1q ethertype
      no switchport priority extend
      switchport access vlan 102
      spanning-tree port-priority 128
      spanning-tree cost auto
      spanning-tree link-type auto
      spanning-tree port type edge
      spanning-tree bpduguard enable
      no spanning-tree bpdufilter
      speed auto
      duplex auto
      flowcontrol receive off
      flowcontrol send on
      no link debounce
      no beacon
      delay 1
      snmp trap link-status
      logging event port link-status default
      logging event port trunk-status default
      mdix auto
      storm-control broadcast level 100.00
      storm-control multicast level 100.00
      storm-control unicast level 100.00
      no shutdown lan
      load-interval counter 1 30
      load-interval counter 2 300
      no load-interval counter 3
      medium broadcast
      channel-group 2025 mode active
      no shutdown
    show run int eth102/1/48 all
    !Command: show running-config interface Ethernet102/1/48 all
    !Time: Tue Apr 14 14:35:08 2009
    version 6.0(2)N1(2)
    interface Ethernet102/1/48
      description ZTC-Switch-48
      lacp port-priority 32768
      lacp rate normal
      priority-flow-control mode auto
      lldp transmit
      lldp receive
      no switchport block unicast
      no switchport block multicast
      no hardware multicast hw-hash
      no hardware vethernet mac filtering per-vlan
      cdp enable
      switchport
      switchport mode access
      no switchport dot1q ethertype
      no switchport priority extend
      switchport access vlan 105
      spanning-tree port-priority 128
      spanning-tree cost auto
      spanning-tree link-type auto
      spanning-tree port type edge
      spanning-tree bpduguard enable
      no spanning-tree bpdufilter
      speed auto
      duplex auto
      flowcontrol receive off
      flowcontrol send on
      no link debounce
      no beacon
      delay 1
      snmp trap link-status
      logging event port link-status default
      logging event port trunk-status default
      mdix auto
      storm-control broadcast level 100.00
      storm-control multicast level 100.00
      storm-control unicast level 100.00
      no shutdown lan
      load-interval counter 1 30
      load-interval counter 2 300
      no load-interval counter 3
      medium broadcast
      no shutdown
    Whether a port is connected has no relationship with the speed option: for example, port 102/1/1 is connected but has no speed option, while port 102/1/47 is not connected and there are speed options.
    show int eth102/1/1
    Ethernet102/1/1 is up
      Belongs to Po2001
      Hardware: 100/1000 Ethernet, address: 64e9.5016.0802 (bia 64e9.5016.0802)
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
      reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA
      Port mode is access
      full-duplex, 1000 Mb/s
      Beacon is turned off
      Input flow-control is off, output flow-control is on
      Switchport monitor is off
      EtherType is 0x8100
      Last link flapped 1d02h
    int eth102/1/1
    (config-if)# ?
      beacon          Disable/enable the beacon for an interface
      cdp             Configure CDP interface parameters
      channel-group   Configure port channel parameters
      description     Enter description of maximum 80 characters
      inherit         Inherit a port-profile
      ip              Configure IP features
      ipv6            Configure IPv6 features
      lacp            Configure LACP parameters
      link            Configure link
      lldp            Configure Interface LLDP parameters
      logging         Configure logging for interface
      mvr-group       MVR interface config
      mvr-type        MVR interface config
      mvr-vlan        Interface MVR Config
      no              Negate a command or set its defaults
      rate-limit      Set packet per second rate limit
      service-policy  Configure service policy for an interface
      service-policy  Policy Map
      shutdown        Enable/disable an interface
      snmp            Modify SNMP interface parameters
      spanning-tree   Spanning Tree Subsystem
      switchport      Configure switchport parameters
      untagged        Default to use for untagged packets on interface
      end             Go to exec mode
      exit            Exit from command interpreter
      pop             Pop mode from stack or restore from name
      push            Push current mode to stack or save it under name
      where           Shows the cli context you are in
    show int eth102/1/47
    Ethernet102/1/47 is down (Link not connected)
      Hardware: 100/1000 Ethernet, address: 64e9.5016.0830 (bia 64e9.5016.0830)
      MTU 1500 bytes, BW 0 Kbit, DLY 10 usec
      reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA
      Port mode is access
      auto-duplex, auto-speed
      Beacon is turned off
      Input flow-control is off, output flow-control is on
      Switchport monitor is off
      EtherType is 0x8100
    int eth102/1/47
    (config-if)# ?
      bandwidth              Set bandwidth informational parameter
      beacon                 Disable/enable the beacon for an interface
      cdp                    Configure CDP interface parameters
      channel-group          Configure port channel parameters
      default                Set a command to its defaults
      delay                  Specify interface throughput delay
      description            Enter description of maximum 80 characters
      duplex                 Enter the port duplex mode
      fex                    Configure FEX fabric
      flowcontrol            Configure interface flowcontrol
      hardware               FEX Card type
      inherit                Inherit a port-profile
      ip                     Configure IP features
      ipv6                   Configure IPv6 features
      lacp                   Configure LACP parameters
      link                   Configure link
      lldp                   Configure Interface LLDP parameters
      load-interval          Specify interval for load calculation for an interface
      logging                Configure logging for interface
      mac                    MAC
      mac-address            Configure interface mac address
      mvr-group              MVR interface config
      mvr-type               MVR interface config
      mvr-vlan               Interface MVR Config
      negotiate              Configure link negotiation parameters
      no                     Negate a command or set its defaults
      priority-flow-control  Enable/Disable PFC
      rate-limit             Set packet per second rate limit
      service-policy         Configure service policy for an interface
      service-policy         Policy Map
      shutdown               Enable/disable an interface
      snmp                   Modify SNMP interface parameters
      spanning-tree          Spanning Tree Subsystem
      speed                  Enter the port speed
      storm-control          Configure Interface storm control
      switchport             Configure switchport parameters
      untagged               Default to use for untagged packets on interface
      vpc                    Virtual Port Channel configuration
      vtp                    Enable VTP on this interface
      end                    Go to exec mode
      exit                   Exit from command interpreter
      pop                    Pop mode from stack or restore from name
      push                   Push current mode to stack or save it under name
      where                  Shows the cli context you are in

  • WLAN Clients not browsing on Cisco Wireless Controller WLC NME-AIR-WLC12-K9

    Hi,
    I have a question and I need a solution and expert help.
    I have done a deployment which involves Security (ASA5540), Routing/voice gateway/wlc (NME-AIR-WLC12-k9) and Switching (Cisco3845-ccme/k9).
    Below is the list of equipment used:
    1. Cisco ASA 5540 - which is connected at the edge to the ISP router
    2. Core Switch WS-C4948E as core and DHCP Server for all VLANs
    3. Access/Distribution Switches WS-C3560G-48PS-S connected as trunk to the core switch
    4. Router/Voice Gateway/WLC Cisco3845-CCME/K9 - This is the voice gateway and also the WLC
    5. Wireless APs AIR-LAP1242AG-E-K9 (12 qty)
    Here is the deployment scenario:
    1. G0/0 of the ASA is connected to a 7200 router from the ISP (Public IP Add)
    2. G0/1 of the ASA is connected to gig 1/3 on the Core Switch on VLAN 2 which is the management VLAN (Local IP 10.1.1.2)
    3. Port 3 of the Core switch is on vlan 2 connected to ASA - Management IP of Core Switch is 10.1.1.1. Core Switch is the DHCP Server for all VLANS on the network.
    4. All the Access/Distribution switches are configured with IP Addresses on VLAN 2
    5. Telephony Services is configured on the router and DHCP Pool for Access Points and Wireless Clients is running on the router.
    6. Two DHCP pools were created on the router for APs and Wireless Clients.
    7. G0/0 of the router is configured on the same network that issues dhcp ip to the AP and is connected to gig 1/1 on the core switch
    8. G0/1 of the router is configured as the voice port for the IP Telephony Services and is connected to G 1/2 on the core switch

    1. Clients receiving DHCP IP on the Core Switch can communicate with all vlans and can browse to the Internet.
    2. IP Telephony Services is running well.
    3. Client on wireless can get IP from the DHCP on the router but cannot browse.
    I have pings from the router to the core switch and firewall, but clients connected to the wireless cannot ping other vlans on the core switch and vice versa.
    The port connecting the router to the core switch is an Access Port; I have changed it to trunk but still no changes.
    My biggest problem now is how to make the clients on the wireless communicate with other clients on the network and be able to browse to the Internet.
    Below is the configs on the router and core switch.
    Router Config
    Nimc_Voice_Router#sh run
    Building configuration...
    Current configuration : 10513 bytes
    ! Last configuration change at 13:03:55 Nigeria Mon Nov 29 2010 by admin
    ! NVRAM config last updated at 13:03:56 Nigeria Mon Nov 29 2010 by admin
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Nimc_Voice_Router
    boot-start-marker
    boot-end-marker
    ! card type command needed for slot/vwic-slot 0/2
    logging message-counter syslog
    enable secret
    aaa new-model
    ! aaa authentication login default local
    aaa session-id common
    clock timezone Nigeria 1
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 10.1.12.1 10.1.12.10
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    ip dhcp pool LWAAP-AP
    network 10.1.12.0 255.255.255.0
    default-router 10.1.12.1
    option 43 hex f104.c0a8.0002
    dns-server 83.229.88.30 4.2.2.2 193.238.28.249
    option 60 ascii "Cisco AP c1240"
    ip dhcp pool Wireless
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    ip cef
    no ip domain lookup
    ip domain name nimc.gov.ng
    ip name-server 83.229.88.30
    ip name-server 193.238.28.249
    ip name-server 4.2.2.2
    no ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    archive
    log config
    hidekeys
    interface GigabitEthernet0/0
    description Connection to AP
    ip address 10.1.12.1 255.255.255.0
    ip helper-address 192.168.0.2
    load-interval 30
    duplex auto
    speed auto
    media-type rj45
    interface Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/1
    ip address 10.1.2.2 255.255.255.0
    duplex auto
    speed auto
    media-type rj45
    interface FastEthernet0/0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Serial0/1/0
    no ip address
    shutdown
    no fair-queue
    clock rate 2000000
    interface Serial0/1/1
    no ip address
    shutdown
    clock rate 2000000
    interface Integrated-Service-Engine1/0
    ip address 192.168.0.1 255.255.255.0
    no keepalive
    interface Integrated-Service-Engine1/0.15
    encapsulation dot1Q 15
    ip address 192.168.1.1 255.255.255.0
    interface Integrated-Service-Engine1/0.100
    encapsulation dot1Q 100
    ip forward-protocol nd
    ip forward-protocol udp 12223
    ip route 10.1.0.0 255.255.255.0 10.1.1.1
    ip route 10.1.1.0 255.255.255.0 10.1.1.1
    ip route 10.1.2.0 255.255.255.0 10.1.1.1
    ip route 10.1.3.0 255.255.255.0 10.1.1.1
    ip route 10.1.4.0 255.255.255.0 10.1.1.1
    ip route 10.1.5.0 255.255.255.0 10.1.1.1
    ip route 10.1.6.0 255.255.255.0 10.1.1.1
    ip route 10.1.7.0 255.255.255.0 10.1.1.1
    ip route 10.1.8.0 255.255.255.0 10.1.1.1
    ip route 10.1.9.0 255.255.255.0 10.1.1.1
    ip route 10.1.10.0 255.255.255.0 10.1.1.1
    ip route 10.1.11.0 255.255.255.0 10.1.1.1
    ip route 10.1.12.0 255.255.255.0 10.1.1.1
    ip route 192.168.0.0 255.255.255.0 10.1.1.1
    ip route 192.168.1.0 255.255.255.0 10.1.1.1
    no ip http server
    ip http secure-server
    !
    Core Switch Config
    sh run
    Building configuration...
    Current configuration : 10622 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    hostname Nimc_Core
    boot-start-marker
    boot-end-marker
    !
    aaa new-model
    aaa authentication login default local
    aaa session-id common
    storm-control broadcast include multicast
    ip subnet-zero
    no ip domain-lookup
    ip domain-name nimc.gov.ng
    ip dhcp excluded-address 10.1.2.1 10.1.2.10
    ip dhcp excluded-address 10.1.4.1 10.1.4.10
    ip dhcp excluded-address 10.1.5.1 10.1.5.10
    ip dhcp excluded-address 10.1.6.1 10.1.6.10
    ip dhcp excluded-address 10.1.7.1 10.1.7.10
    ip dhcp excluded-address 10.1.8.1 10.1.8.10
    ip dhcp excluded-address 10.1.9.1 10.1.9.10
    ip dhcp excluded-address 10.1.10.1 10.1.10.10
    ip dhcp excluded-address 10.1.3.1 10.1.3.10
    ip dhcp pool Voice
    network 10.1.2.0 255.255.255.0
    next-server 10.1.2.1
    option 150 ip 10.1.2.2
    default-router 10.1.2.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    ip dhcp pool SF_DGs_Office
    network 10.1.3.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.3.1
    dns-server 81.199.3.7
    lease 10
    ip dhcp pool Admin_Process_Fac_Mgt
    network 10.1.4.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.4.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    lease 10
    ip dhcp pool SF_IDD
    network 10.1.5.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.5.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    lease 10
    ip dhcp pool Finance_Fin_Inv
    network 10.1.6.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.6.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    lease 10
    ip dhcp pool Finance_CS
    network 10.1.7.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.7.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    lease 10
    ip dhcp pool FF_Human_Capital_Mgt
    network 10.1.8.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.8.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    lease 10
    ip dhcp pool FF_Legal_Services
    network 10.1.9.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.9.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    lease 10
    ip dhcp pool SF_Procurement_Serv
    network 10.1.10.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.10.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    lease 10
    ip vrf mgmtVrf
    errdisable recovery cause bpduguard
    errdisable recovery interval 180
    power redundancy-mode redundant
    spanning-tree mode mst
    spanning-tree portfast bpduguard default
    spanning-tree extend system-id
    spanning-tree mst configuration
    name xxxx
    revision 1
    instance 1 vlan 1-20
    spanning-tree mst 1 priority 0
    spanning-tree vlan 1-20 priority 0
    vlan internal allocation policy ascending
    interface FastEthernet1
    ip vrf forwarding mgmtVrf
    no ip address
    speed auto
    duplex auto
    interface GigabitEthernet1/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet1/2
    switchport access vlan 4
    switchport mode access
    spanning-tree portfast
    interface GigabitEthernet1/3
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/4
    switchport mode access
    spanning-tree portfast
    interface GigabitEthernet1/5
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/6
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/7
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/8
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    !
    interface GigabitEthernet1/9
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/10
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/11
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/12
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/13
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/14
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/15
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/16
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/17
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/18
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/19
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/20
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/21
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/22
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/23
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/24
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/25
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/26
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/27
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/28
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/29
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/30
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/31
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/32
    switchport access vlan 2
    switchport voice vlan 4
    interface GigabitEthernet1/33
    switchport mode access
    interface GigabitEthernet1/34
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/35
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/36
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/37
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/38
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/39
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/40
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/41
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/42
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/43
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/44
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/45
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/46
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/47
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet1/48
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Vlan1
    no ip address
    shutdown
    interface Vlan2
    description Management
    ip address 10.1.1.1 255.255.255.0
    interface Vlan3
    description Enterprise
    ip address 10.1.0.1 255.255.255.0
    interface Vlan4
    description Voice
    ip address 10.1.2.1 255.255.255.0
    interface Vlan5
    description SS_DGs_Office
    ip address 10.1.3.1 255.255.255.0
    interface Vlan6
    description Admin_Process_Fac_Management
    ip address 10.1.4.1 255.255.255.0
    interface Vlan7
    description SF_National_Identity_Database
    ip address 10.1.5.1 255.255.255.0
    interface Vlan8
    description Fin_Finance_Investment
    ip address 10.1.6.1 255.255.255.0
    interface Vlan9
    description Fin_Corporate_Services
    ip address 10.1.7.1 255.255.255.0
    interface Vlan10
    description FF_Human_Capital_Management
    ip address 10.1.8.1 255.255.255.0
    interface Vlan11
    description FF_Legal_services
    ip address 10.1.9.1 255.255.255.0
    interface Vlan12
    description SF_Procurement_Services
    ip address 10.1.10.1 255.255.255.0
    ip default-gateway 10.1.1.2
    ip route 0.0.0.0 0.0.0.0 10.1.1.2
    ip route 10.1.1.0 255.255.255.0 10.1.1.2
    ip route 10.1.2.0 255.255.255.0 10.1.1.2
    ip route 10.1.3.0 255.255.255.0 10.1.1.2
    ip route 10.1.4.0 255.255.255.0 10.1.1.2
    ip route 10.1.5.0 255.255.255.0 10.1.1.2
    ip route 10.1.6.0 255.255.255.0 10.1.1.2
    ip route 10.1.7.0 255.255.255.0 10.1.1.2
    ip route 10.1.8.0 255.255.255.0 10.1.1.2
    ip route 10.1.9.0 255.255.255.0 10.1.1.2
    ip route 10.1.10.0 255.255.255.0 10.1.1.2
    ip route 10.1.11.0 255.255.255.0 10.1.1.2
    ip http server
    control-plane
    line con 0
    stopbits 1
    line vty 0 4
    end
    Please, I need somebody to help me.

    I wouldn't configure an IP address on the service engine subinterface.
    Try setting up a VLAN interface on the router with that IP address; the subinterface will be linked to the VLAN interface through the encapsulation command. A VLAN interface will work better as a gateway for the wireless clients.
    Nicolas

  • Switch and Broadcast filtering

    I read this article in the Cisco curriculum, but I did not understand it well:
    "Occasionally, a device will malfunction and continually send out broadcast frames, which are copied around the network. This is called a broadcast storm and it can significantly reduce network performance.
    A switch that can filter broadcast frames makes a broadcast storm less harmful.
    Today, switches are also able to filter according to the network-layer protocol. This blurs the demarcation between switches and routers. A router operates on the network layer using a routing protocol to direct traffic around the network. A switch that implements advanced filtering techniques is usually called a brouter. Brouters filter by looking at network layer information but they do not use a routing protocol."
    Can the switch filter the broadcast? Yes, it can, as Cisco says: "This filtering is achieved through the implementation of virtual local-area networks or VLANs." Is there any other type of filtering?
    What is the main difference between router and brouter?

    Hi,
    If you would like to control broadcast and multicast storms, you can refer to the link for configuring storm control for both broadcast and multicast.
    You can define the values and shut the port if it exceeds the threshold limit.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hif_r/int_s4h.htm#wp1229258
    About the difference between a router and a brouter: AFAIK you use a brouter in most SP networks, where you have customers on either DSL or a Metro Ethernet network, where you will have the aggregation of the whole network traffic and from where it will be forwarded upstream.
    It also depends on the IOS code that is available to serve that purpose.
    You need to have something like a 7200 or 7300 in place to serve as a brouter.
    Regards
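
The reply above mentions defining threshold values and shutting the port when they are exceeded. As an added example (not part of the original posts), this Python sketch audits a saved configuration for the percentage form of `storm-control ... level`, converts each level to bits per second for an assumed link speed, and lists traffic types left without a limit. The sample configuration, the function names and the 1 Gb/s default are assumptions made for illustration.

```python
import re

# Constructed sample configuration (not taken from any post on this page).
# It reuses the kinds of storm-control lines quoted in the threads.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description camera port
 switchport mode access
 storm-control broadcast level 2.00
 storm-control action shutdown
!
interface GigabitEthernet1/0/2
 switchport mode access
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
!
interface GigabitEthernet1/0/3
 switchport mode access
 storm-control broadcast level 100.00
 storm-control multicast level 100.00
 storm-control unicast level 100.00
!
interface GigabitEthernet1/0/4
 switchport mode access
 spanning-tree portfast
!
"""

TRAFFIC_TYPES = ("broadcast", "multicast", "unicast")
# Only the percentage form is handled; pps/bps variants are ignored.
LEVEL_RE = re.compile(
    r"^storm-control (broadcast|multicast|unicast) level (\d+(?:\.\d+)?)"
)
ACTION_RE = re.compile(r"^storm-control action (shutdown|trap)")


def parse_interfaces(config_text):
    """Return {interface: {"levels": {type: percent}, "actions": set()}}.

    Lines are matched after stripping, so both indented configs and
    flattened ones (as pasted into forum posts) are accepted.
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"levels": {}, "actions": set()}
            interfaces[line.split(None, 1)[1]] = current
            continue
        if current is None:
            continue  # global configuration before the first interface
        level = LEVEL_RE.match(line)
        if level:
            current["levels"][level.group(1)] = float(level.group(2))
            continue
        action = ACTION_RE.match(line)
        if action:
            current["actions"].add(action.group(1))
    return interfaces


def effective_threshold_bps(level_percent, link_bps):
    """Convert a percentage level into bits per second of link bandwidth."""
    return int(round(link_bps * level_percent / 100.0))


def audit(config_text, link_bps=1_000_000_000):
    """Summarise storm-control coverage per interface.

    link_bps is an assumed port speed (1 Gb/s by default); the real
    reference bandwidth depends on the platform and the port.
    """
    report = {}
    for name, info in parse_interfaces(config_text).items():
        levels = info["levels"]
        report[name] = {
            # A missing line or level 100.00 places no limit on that type.
            "unlimited": [t for t in TRAFFIC_TYPES
                          if levels.get(t, 100.0) >= 100.0],
            "thresholds_bps": {t: effective_threshold_bps(v, link_bps)
                               for t, v in levels.items() if v < 100.0},
            # With no action line, excess traffic is filtered (dropped).
            "action": sorted(info["actions"]) or ["filter"],
        }
    return report


if __name__ == "__main__":
    for port, summary in audit(SAMPLE_CONFIG).items():
        print(port, summary)
```
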

  • ISE Endpoint losing IP after transition to Low-Impact-Mode

    I've recently moved an ISE implementation into the low-impact authentication phase, and the client's security cameras are having a rough go of it. In monitor mode, they were able to stay connected as they should but in low-impact mode they are losing their IP addresses as evidenced in the auth session output below:
    SWITCH-1#sh auth sess int g4/0/6
                Interface:  GigabitEthernet4/0/6
              MAC Address:  0040.8cc7.4822
               IP Address:  10.92.6.3
                User-Name:  00-40-8C-C7-48-22
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c
          Session timeout:  3600s (local), Remaining: 338s
           Timeout action:  Reauthenticate
             Idle timeout:  N/A
        Common Session ID:  0AFF320A000661C965742D42
          Acct Session ID:  0x00067E9F
                   Handle:  0x72000982
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    SWITCH-1#sh auth sess int g4/0/6
                Interface:  GigabitEthernet4/0/6
              MAC Address:  0040.8cc7.4822
               IP Address:  169.254.45.196
                User-Name:  00-40-8C-C7-48-22
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c
          Session timeout:  3600s (local), Remaining: 338s
           Timeout action:  Reauthenticate
             Idle timeout:  N/A
        Common Session ID:  0AFF320A000661C965742D42
          Acct Session ID:  0x00067E9F
                   Handle:  0x72000982
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    This is happening approx. every 10 seconds which curiously is the timer value of my dot1x tx-period. As well, the host never has its reauthentication timer restarted but I can see the following in ISE approx. every 10-15 seconds:
    Why is it going through Dynamic Authorization? Why am I losing my legitimate IP address every 10 seconds and getting an APIPA address in its place? The port configuration is as follows:
    interface GigabitEthernet4/0/6
     description Security
     switchport access vlan 292
     switchport mode access
     ip access-group ACL-DEFAULT in
     power inline auto max 15400
     authentication event fail action next-method
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     storm-control broadcast level 2.00
     storm-control action shutdown
     spanning-tree portfast
     spanning-tree bpduguard enable
    end
    And my ACL-DEFAULT is...
    Extended IP access list ACL-DEFAULT
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit icmp any any
        40 permit udp any any eq tftp
        50 deny ip any any log
    Upon switch log review, I'd noticed that the ACL-DEFAULT is blocking the cameras from certain igmp and tcp/554 (RTSP) communications. To see if it would help, even though I shouldn't have to, I placed ACE's into my ACL-DEFAULT to permit this traffic and would still drop my IP address every 10 seconds. I shouldn't have to do this because the "xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c" is a simple "permit ip any any" ACL which should allow all of the traffic to flow.
    Ideas?
    Kind Regards,
    Kevin

    As well, the dACL is properly replacing the first "any" with the endpoint's IP:
    SWITCH-1#show ip access-lists interface g4/0/6
         permit ip host 169.254.45.196 any
    SWITCH-1#show ip access-lists interface g4/0/6
         permit ip host 10.92.6.3 any
    Kind Regards,
    Kevin

  • Inactive Windows 7 supplicant tries to reauthenticate every 4 to 10 minutes in Cisco ISE 1.2.1.899

    Hi,
    We have a dashboard Windows 7 supplicant which is being used to monitor the network activities. There is no one working with this supplicant, so it goes inactive.
    What we see in our ISE log is the supplicant trying to reauthenticate itself every 4 to 10 minutes. It goes on like this the whole day. We don't want this continuous behaviour after all.
    The switch port configuration looks like this:
    interface FastEthernet0/31
    description 802.1x Poort
    switchport access vlan xxx
    switchport mode access
    switchport nonegotiate
    switchport voice vlan xxx
    no logging event link-status
    priority-queue out
    authentication control-direction in
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication timer inactivity 120
    mab
    no snmp trap link-status
    dot1x pae authenticator
    dot1x timeout quiet-period 300
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 300
    dot1x max-reauth-req 3
    dot1x timeout held-period 300
    dot1x timeout auth-period 3
    no mdix auto
    storm-control broadcast level 10.00
    storm-control multicast level 10.00
    no cdp enable
    spanning-tree portfast
    service-policy input xxxx
    end
    Has anyone got this same issue? Is this a normal behaviour of an idle supplicant, or another issue around ISE/switch? Is there any switch configuration we are missing to get rid of this behaviour?
    ISE Version: 1.2.0.899
    Patch Information: 5,6,8
    Help would be much appreciated

    Hi Jan,
    Thank you for your reply. Indeed those timer values were not covered in the ISE design guide. We have implemented this timer to tweak the standard design. However we have finally discovered the solution for this issue.
    "authentication timer inactivity 120" was the root cause of the issue. So when a workstation goes idle, ISE tries to re-authenticate after 2 minutes because of this switch port configuration.
    We have tried to expand the timer to 3600 and it worked, issue fixed. But you will then have the same result every hour (not a big issue).
    And yes, we have deleted all those timer values to keep the configuration as simple as possible. Now we don't have the issue anymore.
