Cisco Security :: Catalyst 4510 / Switch Port In Dot1x Multi-auth Mode Stops Passing Traffic?
May 6, 2010
I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
!
interface GigabitEthernet2/34
 switchport mode access
 ip arp inspection limit rate 30
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 6
 spanning-tree portfast
 ip verify source vlan dhcp-snooping
end
It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occurs. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
I need to support a bunch of security cameras mounted on poles in our parking lot and an IP intercom system mounted on some gates. Because of environmental factors the switches at the poles need to be hardened, and the spec from the vendor installing the gear is for GarretCom Industrial unmanaged switches, which would make sense.
However, when Information Security got wind of this scheme they (probably correctly) are requiring me to secure the ports that these unmanaged switches connect to. I have 2 choices: port security w/ MAC filtering or 802.1x. Because all the devices at the poles and gates support 802.1x, and because I may need to go out there to troubleshoot stuff (and will invariably forget to add the MAC of whatever device I am using), I would prefer 802.1X multi-auth mode.
Problem: When I ran a quick test on a test 3560 running some 15.0.1 code, I could get a laptop to connect via 802.1x EAP-TLS successfully if it was directly connected, but when I connected the same laptop via a dumb Netgear switch I confiscated from a luser it would not connect. The 3560 error said that the laptop never responded.
Question: Before I spend a whole lot of time on this, is this something that should work? I don't see any practical use for the feature if it won't; however, the documentation I am using specifically mentions downstream hubs, but I am not sure if they mean real hubs (which I don't think are even made anymore) or if they mean unmanaged switches.
I plan to try a couple of different unmanaged switches tomorrow and dig a little, but I would like to know if I am wasting my time on something that will never work or if there is a little gotcha somewhere.
We have a managed service provider VoIP network that requires us to use our own router for the data network. We wanted to use the RV042 for its easy VPN setup. After installing it, it worked great for about 10 minutes, then the WAN port stopped passing traffic. 3 minutes later it started working again. We tested the RV042 on a different network and it works fine. We tested an older Pix on the managed network and that works fine. But the RV042 will not work on the managed service provider VoIP network. The service provider says that on their end it shows our WAN port going up and down.
I have configured multicast (ip pim dense-mode) on two 2911 routers that are connected by a Multilink (3Mbps) WAN connection. The configuration works fine for a while and sometimes all day, but at some point one of the Multilink interfaces stops passing multicast traffic. I perform a sh multilink 1 on the interfaces and one interface shows the multicast packets incrementing and the other does not; it just stops. The only fix for this is to hard reboot both routers and the multicast traffic begins to flow once again.
I have created an L2L tunnel between myself and a 3rd party. I am using a Cisco ASA 5520 and the other end is using a Cisco 3005 VPN concentrator. The tunnel will get established and pass traffic both ways for a little while; it varies, sometimes 1 hour, and the last time we built it, it was working for 17 hours, but at some point my ASA will stop transmitting though it will still be receiving packets. These errors start to show up when I look at the traffic going through my ASA interfaces:
713042 IKE Initiator unable to find policy: Intf Outside, Src: 192.168.xx.16, Dst: 10.1.xx.30
Then when I try to ping their hosts .30 and .27 I get:
713041 Group = 68.23.xx.xx, IP = 68.23.xx.xx, IKE Initiator: New Phase 2, Intf private, IKE Peer 68.23.xx.xx local Proxy Address 192.168.xx.16, remote Proxy Address 10.1.xx.30, Crypto map (Outside_map)
713041 Group = 68.23.xx.xx, IP = 68.23.xx.xx, IKE Initiator: New Phase 2, Intf private, IKE Peer 68.23.xx.xx local Proxy Address 192.168.xx.16, remote Proxy Address 10.1.xx.27, Crypto map (Outside_map)
713050 Group = 68.23.xx.xx, IP = 68.23.xx.xx, Connection terminated for peer 68.23.xx.xx. Reason: Peer Terminate Remote Proxy 10.1.xx.27, Local Proxy 192.168.xx.16
When I first configured this tunnel it was with 3DES and SHA for phase 1 & 2, but when the tunnel would come up my phase 1 would negotiate to an MD5 hash, even though I specifically entered SHA, so the 3rd party and I decided to bring all the hashes for phase 1 & 2 down to MD5, and that was when it was up for the longest, but the problem still came back eventually. My ASA config is posted below:
ASA Version 8.2(3)
name 192.168.xx.16 Server description Server
name 10.1.xx.27 XYZ_01
name 10.1.xx.28 XYZ_02
name 10.1.xx.29 XYZ_03
I am trying to determine why a Comcast Business Class modem configured with a static IP (IPv4) works with a laptop or Linksys cable modem but not with a Cisco ASA 5505. After a few minutes, the 5505 stops passing web traffic. I am able to ping the default gateway even though I cannot surf the web. After restarting the 5505 and the Comcast modem, web traffic flows for a short period of time, then stops. I can connect inside the firewall via ASDM 7.1.1 and via SSH. I cannot connect via either from the outside. Comcast tech support indicated their router is working and is configured in bridge mode. I swapped out the 5505's memory, and then tried another 5505. Nothing seems to resolve the issue. I am trying to determine if the 5505 or the Comcast router is not configured correctly.
Here are the parameters: The 5505 was reset to default factory settings via the command config factory-default. I configured the outside interface with a static IP address followed by the no shutdown command, then removed DHCP features from the outside interface. I added the Comcast DNS servers, default route and NTP servers, and configured DHCP features on the inside interface. I enabled HTTP/SSH (inside & outside interfaces) and ICMP echo-reply (outside only).
I believe the Comcast modem is not configured correctly. The show version and show startup output are below.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
I am looking to find a command or counter to tell me if a Cisco switch port on a 4510 was ever up and passed traffic. I want to shut down all unused switchports on our access switches. But before I do that I need to make sure the device is not just off or the person is away on vacation. If I do sh int interface, is there a counter I can reference?
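As an added example (not from the post or from Cisco), here is a Python script that reads saved "show interfaces" output and separates ports that have never passed traffic from ports that are merely quiet. It keys off the "Last input/output" timers and the packet counters, and flags the case where "clear counters" has been run, since the same zeroes then prove nothing; the sample output is constructed, with made-up interface names and counter values.

```python
import re

# Constructed sample of Catalyst "show interfaces" output (made-up names/counters).
SAMPLE_SHOW_INTERFACES = """\
GigabitEthernet2/33 is up, line protocol is up (connected)
  Last input 00:00:02, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
     123456 packets input, 98765432 bytes, 0 no buffer
     234567 packets output, 87654321 bytes, 0 underruns
GigabitEthernet2/34 is down, line protocol is down (notconnect)
  Last input 3d04h, output 3d04h, output hang never
  Last clearing of "show interface" counters never
     5120 packets input, 640000 bytes, 0 no buffer
     4096 packets output, 512000 bytes, 0 underruns
GigabitEthernet2/35 is down, line protocol is down (notconnect)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
     0 packets input, 0 bytes, 0 no buffer
     0 packets output, 0 bytes, 0 underruns
GigabitEthernet2/36 is down, line protocol is down (notconnect)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 1w2d
     0 packets input, 0 bytes, 0 no buffer
     0 packets output, 0 bytes, 0 underruns
"""

AGE_UNITS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600, "m": 60}

def parse_ios_age(text):
    """IOS age ('never', 'hh:mm:ss', '3d04h', '2w3d', '1y5w') -> seconds; never -> None."""
    if text == "never":
        return None
    if ":" in text:
        h, m, s = (int(x) for x in text.split(":"))
        return h * 3600 + m * 60 + s
    return sum(int(n) * AGE_UNITS[u] for n, u in re.findall(r"(\d+)([ywdhm])", text))

def parse_show_interfaces(text):
    """Split 'show interfaces' output into one dict per interface."""
    ifaces = []
    for block in re.split(r"^(?=\S+ is )", text, flags=re.M):
        head = re.match(r"(\S+) is (.+?), line protocol is", block)
        if not head:
            continue  # empty leading chunk produced by the split
        last = re.search(r"Last input (\S+), output (\S+),", block)
        cleared = re.search(r'"show interface" counters (\S+)', block)
        pin = re.search(r"(\d+) packets input", block)
        pout = re.search(r"(\d+) packets output", block)
        ifaces.append({
            "name": head.group(1), "status": head.group(2),
            "last_input": parse_ios_age(last.group(1)),
            "last_output": parse_ios_age(last.group(2)),
            "counters_cleared": cleared.group(1) != "never",
            "packets_in": int(pin.group(1)), "packets_out": int(pout.group(1)),
        })
    return ifaces

def classify(iface, quiet_seconds):
    """never-used: zero packets both ways and 'Last input/output never';
    unknown-cleared: the same, but 'clear counters' ran, so history is lost;
    idle: carried traffic once, nothing for >= quiet_seconds; else recently-used.
    A reload zeroes all of this too, so confirm 'show version' uptime covers the
    absence you are guarding against (vacation, powered-off desk)."""
    never = (iface["packets_in"] == 0 and iface["packets_out"] == 0
             and iface["last_input"] is None and iface["last_output"] is None)
    if never:
        return "unknown-cleared" if iface["counters_cleared"] else "never-used"
    ages = [a for a in (iface["last_input"], iface["last_output"]) if a is not None]
    return "idle" if not ages or min(ages) >= quiet_seconds else "recently-used"

def shutdown_candidates(text, quiet_days=30):
    """Ports that are never-used or idle for at least quiet_days (a vacation)."""
    return [i["name"] for i in parse_show_interfaces(text)
            if classify(i, quiet_days * 86400) in ("never-used", "idle")]

if __name__ == "__main__":
    for iface in parse_show_interfaces(SAMPLE_SHOW_INTERFACES):
        print(f'{iface["name"]:22} {classify(iface, 30 * 86400)}')
```

On the sample, only GigabitEthernet2/35 is a candidate at the default 30-day window; 2/34 joins it only if the window is shortened, and 2/36 is reported as unknown because its counters were cleared.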
Trying to authenticate a Wireless 1242 AP to a switch port with Dot1x enabled. It seems like the switch can't get the MAC or doesn't ever start authentication for the port when I plug in an AP. The AP is configured to pull DHCP on start for fa 0; however, it never gets an address, even though the port should fail into the guest network after auth fails. Any thoughts? A debug only shows this...
*Mar 1 00:19:27.127: %IF-3-VLAN_NOT_CONFIGURED: Received dot1Q VLAN tagged packet on interface which does not have VLAN configured.
I have a Cisco ME3400-24TS-A switch which is not behaving normally.
I have already erased its flash and uploaded a new IOS, but could not fix the issue. However, it boots normally and passes all tests shown in the boot process. The issue is that I can't access or ping the computers attached to its ports from one to the other.
However, I can ping the switch's VLAN 1 IP from all computers attached to it.
When I tried the debug all command, it shows the following:
Switch# debug all
This may severely impact network performance. Continue? (yes/[no]): yes
All possible debugging has been turned on
Switch#
*Mar 1 00:03:41.467: special_oce_change_vectors: select debug vectors
I have set up a 5515-X in transparent multi-mode and set up 5 security contexts with inside and outside ports, one admin and 4 others. The problem I have run into is setting up a management IP for each context. On one of my other transparent firewalls in production we were able to apply an IP to the security context (not the interface); however, the new firewall is running the latest software and this same functionality is not available. The only option for IP in context mode is IP AUDIT. So my next plan was to create sub-interfaces of the management interface and assign one to each context; however, the 5515-X does not allow sub-interfaces on the management interface. How do I set up a management IP on each context?
Another interesting thing I read is that the management IP assigned to a context (if I could figure out how to set it up) has to be in the same subnet as the data interface, which is fine, but it also says that the management interface should not be connected to the same switch as the data interface because of MAC address table update issues, meaning that I could not use a sub-interface of one of the already configured context ports.
I just purchased a new SF-300 managed switch for the purpose of using it on the DMZ, so we can mirror the internet port and monitor traffic for my company. I have set it up from the web interface to mirror port 1 to port 2 and that's pretty much it. I decided to test it before putting it in production, by hooking it up to one of my core network switches, connecting a laptop to it and trying to get online. It doesn't even connect to my DHCP server to get an IP address. If I put the laptop back on the same subnet as the switch management IP, I can still connect to the switch's web interface. Isn't the basic functionality of a switch to pass traffic?
I should also mention that I'm not a network engineer, so there might just be something I'm missing with regard to a default setting that needs to be switched off?
We have a scenario that consists of a Cisco 4507 series core switch with more than 20 VLANs which is connected to a C2960G switch (in a nearby building) using a trunk over a fiber connection. Up to this point everything is fine. A VTP domain is configured on the core switch and we have all of the 20 VLANs present correctly on the edge 2960G, which is of course part of this same VTP domain. The fiber connection goes from the core switch to an "in the middle" location where we have a fiber patch panel that is connected in a jumper style to another fiber patch panel going to the destination building where the C2960G sits.
Now imagine that the fiber connection from this middle location to the destination C2960 edge switch is down for any possible reason, while the fiber connection from the core switch 4507 to the middle location is still intact. At the same time, in this middle location, we do have a wireless connection which links one Cisco 3750G switch (a different infrastructure and a different VTP domain) to another C3560G switch which sits in the same room in the nearby destination building where we have the edge C2960G. An idea came to me: connect one of the fiber ports (core) in the intact fiber patch panel coming from the core switch 4507 to an access VLAN configured switchport on the 3750G switch (this switchport will belong to a VLAN designed only to transmit the VLANs on the trunk coming from the 4507 core switch, say VLAN 10), then connect one VLAN 10 access switchport to the destination C2960 edge switch (the switchport on the C2960G is still a trunk). Will this solution work, and will all of the 20 4507 core switch VLANs arrive at the destination C2960G? Or do we need something that tags the 2 VLAN 10 switchports, like switchport dot1q tunnel (QinQ)?
I came across this Multichassis EtherChannel feature when reading information from the Cisco Smart Business Architecture. After checking further, I know that the Catalyst 6500 switch supports this feature. Please provide information on whether, besides the Catalyst 6500, there is any other model of Catalyst switch that can support this feature?
We want to get the L2 traffic amount (bits/bytes) passing through a Cisco switch (6500/3560 ...) for a specific VLAN. It can be via SNMP or CLI ... How can we do that?
I received the following info from Cisco's TAC and wanted to inquire further before I start reconfiguring the switch:
In a redundant Sup-6E setup, the following configuration is supported:
- 1 TenGig uplink on Active Sup and 1 TenGig uplink on Standby Sup
- 1 TenGig uplink on Active Sup and 2 Gig uplinks on Standby Sup
- 2 Gig uplinks on Active Sup and 1 TenGig uplink on Standby Sup
- 2 Gig uplinks on Active Sup and 2 Gig uplinks on Standby Sup
If you invoke shared backplane mode, the following configuration can also be supported:
- 2 TenGig uplinks (blocking) on Active Sup and 2 TenGig uplinks on Standby Sup
- 2 TenGig uplinks (blocking) on Active Sup and 4 Gig uplinks on Standby Sup
- 4 Gig uplinks on Active Sup and 2 TenGig uplinks (blocking) on Standby Sup
- 4 Gig uplinks on Active Sup and 4 Gig uplinks on Standby Sup
Here's the command and information about the "shared-backplane" mode: [URL]
Currently, we have 2 Sup 6-Es (Module 5 - Active and Module 6 - Standby) set up in redundant mode. I am planning on changing the redundant mode to the shared backplane mode so I can use 2 TenGig converters to uplink 2 access switches. We purchased 2 TenGig converters and here is how I am planning on using them:
1- One will be used to uplink to two 3750 switches (stacked)
2- One will be used to uplink to a 2960 using a Gig SFP
My questions are:
1- Do I have to install the 2 TenGig converters (4 Gig uplinks) in the same module? Or can I use one in module 5 and the second one in module 6?
2- Will changing the redundant mode to the shared backplane mode require rebooting the switch or disrupt the functionality of the other linecards?
Every so often, the switch of the router just stops moving traffic between the LAN and to/from the internet, though the WiFi keeps working and can still use the internet.
I can still use the router's switch, and ping other computers on the local LAN. What happens is that the router stops routing wired traffic from/to the internet; the rest of the issue is still the same. I opened reddit on my smartphone and there it was working via WiFi, but it would have none of it for the computers on the wired LAN, not even accessing the router's page or telnet.
It is like some service or bridge between the switch LAN and the router itself dies... I'm still clueless.
The only "pattern" that I see is that my desktop is online, because I can be away from home for 12+ hours and I can connect remotely to the server (RDP and Transdroid), so I know it has internet access, but sometimes I think this happens when I turn on my desktop, like just now, this morning; but again, I feel it is not every morning. Trying to be more scientific about it, I come here after every time it happens to record it, and also to set the record straight about the issue description.
So, assuming it is not a hardware issue, because I did not have this problem in all of 2011 and 2012, I do not overclock the router nor use anything other than the default TX power level.
- How do I begin diagnosing this issue?
- Is it a known issue with these builds? I could not find it.
My goal is to be able to provide info for debugging the problem and possibly finding a fix/workaround for it. If it is indeed hardware failing, how do I even begin to diagnose it from that POV? The message is empty...
Even with the new build r21061 it still happened two more times. Now the real problem for me is that I can't even revert it to stock firmware. I tried even with:
- unplug router
- press and hold reset
- plug router
- keep pressing until power LED blinks orange
- enter 192.168.0.1 (PC must have a static IP; I use 192.168.0.200)
I can't open 192.168.0.1 in FF nor Chrome and it does not even ping. [URL]. I just want to get it back to stock or have it not hang up the switch-to-router(ing).
I have an ASA 5510 system currently in single context mode, with a CSC SSM installed. Single ISP uplink to the internet, no VPN. Now the customer would like to add another ISP uplink, without investing in another box for HA. What came across my mind is to make the current box multi-context. There are some areas I need to be concerned about, and I also need your perspective on them.
Question 1: To make the firewall multi-context, do I need to do it from scratch, issue the mode multiple command, then rebuild the current production config into one of the contexts, with another context meant for the new ISP uplink, and one admin context?
Question 2: For the CSC-SSM licensing requirement, the ASA 5510 model with the Security Plus license is able to support 2 contexts. So if I split my firewall like I mentioned in question 1, what exact number of contexts do I own (admin, context A, context B)?
Question 3: For the CSC-SSM module in multi-context mode, must the management port of the CSC SSM attach to the admin context?
Question 4: After configuring all the policies and the traffic to scan, how exactly should I apply this policy to the interface? Should I only enable it in the admin context, then the firewall service-policy rules, and apply it globally, OR should I also do the same in context A and context B?
Our customer uses a Catalyst switch whose spanning tree is in PVST+ mode. I connect an SG300 to this Catalyst switch. Does it support this? If it does, how do I configure it on the SG300?
I'm fairly new to Cisco products and am in the process of developing my network knowledge on a deeper level. I have a 3825 with a HWIC-4ESW and I'm struggling to fully understand how the two "see" each other. I've set up a VLAN with a layer 3 address on the HWIC and added the switch ports to it. This seemed to allow devices connected to the switch ports to talk to the built-in router ports. I thought this was all making sense until I applied an access-list to the router port. It's a simple ACL I'm just using for testing and the only thing it does is block telnet from anywhere. I know the ACL is set up properly because if I connect a device directly to the router port I cannot telnet to the port. However, if I connect a device to one of the switch ports, I am able to telnet to the router port successfully.
It seems that I'm missing something with how traffic flows from the switch port to the router ports and how the two "see" each other.
I'm part way through trying to set a Catalyst 4510R to factory defaults. One thing I'm stumped on is how to remove the customer disclaimer, i.e. what commands do I need to remove this and any other customer text within the switch? Below is a copy of the text from the switch with the customer's details omitted.
We have an existing network with a Catalyst 4510 core switch and departmental 3560 switches connected via fiber. Due to company restructuring we can no longer afford to buy new 3560s when anything goes wrong, so this week I purchased an SG200-26 which I'm trying to get onto the network.
This is a legacy network which I didn't set up, so my Cisco skills are somewhat limited (another reason for the SG200s, hopefully). Anyway, I have been looking at the configs on the existing switches and trying to match settings in the SG200 setup, however I'm not getting anywhere! I have the config from the dead switch so I can show what needs to be achieved. Does anyone have experience in downgrading an environment in a similar way?
I'm trying to follow along with the documentation I see via Train Signal videos and some online resources. I am trying to enable port security. I have a Catalyst 3546 XL; when I type in "rtr1# switchport ?", "port-security" is not one of the options to choose from. I have already set this as an access port.
I have connected a 10BaseT device to a Cisco Catalyst 3560X PoE switch with dynamic port security. All seems to work fine when the distance between the two devices is closer than 200ft. When I connect to 10BaseT devices farther out near 300ft the response from the attached device is lost. It works OK on unmanaged switches at the longer distance. Is there a minimum response time from attached devices for dynamic port security to work properly? Is there any other explanation why it would work on cheaper switches, but not on the port-secured switch?
I'm trying to configure a Catalyst 2960 series 8 port switch in my office. I have just plugged in the switch and started it, and then put the Ethernet cable (which is coming from the wall port (LAN)) into CONSOLE (switch), and connected my laptop's ethernet cable to the switch's 1x por
I have a 3750 switch (WS-C3750G-24TS-S1U) with the IP Services version
Switch Ports Model              SW Version  SW Image
------ ----- -----              ----------  ----------
*    1 28    WS-C3750G-24TS-1U  12.2(46)SE  C3750-IPSERVICESK9-M
On the switch, I have configured
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
but I am not able to implement the command under the interface:
Switch(config)#int gigabitEthernet 1/0/20
Switch(config-if)#do?
down-when-looped
dot1x commands are not available under the interface config. Is the IOS version compatible with dot1x?
I have two servers on one subnet that each need to replicate to a single server on another subnet. They also need to replicate to each other. This replication is unidirectional so I will refer to the 2 server subnet as the source subnet and the single server subnet as the destination subnet. In order to keep this replication running without killing the MPLS links on either end, we are trying to use a policy-map that limits bandwidth from the source subnet.
The Problem: We have created a policy that polices traffic during specific times of day and limits the bandwidth as prescribed; however, bandwidth is also being limited between the 2 servers on the source subnet, which is not needed or desired.
  Class 512K
    set dscp ef
    police 1024000 bps 1024000 byte
      conform-action transmit
      exceed-action drop
Class Map match-any 512K (id 4)
  Match access-group name DAG
Extended IP access list DAG
    10 permit ip host 10.20.0.3 host 10.20.0.10 time-range DAG-REP (active) (22793 matches)
    20 permit ip host 10.20.0.4 host 10.20.0.10 time-range DAG-REP (active) (14156 matches)
The service policy is applied on the input side of the 2 interfaces on which our devices are connected. As you can see, the access list identifies the interesting traffic as traffic from two specific hosts to one specific host. The problem we are having is that bandwidth is also being throttled between the two source hosts even though it is not defined to do so. What can I do to limit traffic from the two source devices to the single destination device without limiting bandwidth between the two source devices?
I want to set up ACS 5.1 for dot1x port authentication. I want to do machine authentication against an AD domain and I got the following error message:
24435 Machine Groups retrieval from Active Directory succeeded
My internet link is connected to the Internet router, and below it a Cisco ASA 5520 is connected. The ASA is connected to a Cisco 4510 core switch below it. Our web-based mail [URL] is hosted outside.
Let's suppose the ISP pool is 4.4.4.0/28. Suppose the OWA server is statically NATed on the ASA with 4.4.4.4. My machine's traffic is going to the internet through the same ISP with PAT on the Cisco ASA, and the internet is working on my machine. If I want to access {URL} or the IP for mail access, it's not working and it is also not pinging. I suppose the ASA is blocking the returning traffic.
Is there any way for the traffic to go out via the same firewall and come back on the same firewall port?
I've looked at many others having this same problem, but can't seem to figure out what my problem is. Same issue as most, I can connect fine, I get an IP, but it won't pass any traffic, I can't ping anything or access anything.
I have configured a SPAN port on our 4510. We have an application (5view server) to monitor traffic, connected to G9/17. Since we changed the network connection from a physical Gigabit port to a Port-channel instead, we don't see any more traffic from the new Port-channel on G9/17.
I want to configure a switch port bandwidth limit on my Catalyst 2960-48. Is there any hardware/IOS limitation? Can I configure it on all 48 switch ports?
I have a vendor that currently uses a Cisco 871 as a VPN router in our company network; they use it to connect to provide services to one of the servers in our LAN for our customers. Recently, we are going to be setting up a 24/7 call center with this vendor; they will be accessing a server in our network through the VPN to provide customer service during after-hours periods. We have a problem, however, with an application that is hosted by another vendor that is critical for our regular company call center. Access to this application through this vendor is by way of an IPSec VPN tunnel that is built on our company's Cisco ASA 5510. This application is accessed via Internet Explorer, which goes across to access the application at the endpoint.
I need to figure out a way for the vendor that will be running the 24/7 call center, coming through their tunnel into our network, to connect over to the other vendor's tunnel on my ASA. I'm likely going to have to set up some routing of traffic in my internal default gateway router for this to work.