Messages - itech

#1
Routing and Switching / Re: port speed
January 22, 2018, 02:24:44 AM
Quote from: SimonV on January 22, 2018, 02:15:12 AM
Quote from: itech on January 22, 2018, 12:20:43 AM
Hi
I see different speeds on switch ports. Part of the ports have 10 Mbps speed, but all switchports have a default 1 Gbps speed.
Why do I not see 1 Gbps speed for all ports?


Depends on the connected device's config, the cable spec or quality, etc.

I see, but all devices have the same config.
#2
Routing and Switching / port speed
January 22, 2018, 12:20:43 AM
Hi
I see different speeds on switch ports. Part of the ports have 10 Mbps speed, but all switchports have a default 1 Gbps speed.
Why do I not see 1 Gbps speed for all ports?
#3
Routing and Switching / Re: trunk ports
January 12, 2018, 12:59:53 AM
Quote from: deanwebb on January 11, 2018, 09:48:19 AM
That's a Microsoft MAC address, so the MAC given for the LACP is likely software-configured to override the physical MAC addresses on the server.
Yes, this is the MAC address of the physical server, but when I look at the details, this server's IP address seems to belong to the virtual server.
#4
Routing and Switching / trunk ports
January 11, 2018, 01:47:24 AM
Hi everyone
I have a server host on a Cisco switch. Its interfaces are configured as LACP. When I use the "sh cdp" command I see the interfaces of the server; they contain a numeric device ID, for example 00155d1e9822.
Do you have any idea about this issue?
#5
Routing and Switching / Re: bpduguard vs bpdufilter
November 20, 2017, 06:36:02 AM
Quote from: dlots on November 16, 2017, 08:45:10 AM
BPDU guard acts like a gate: it lets traffic through and it will send BPDUs out, but if it sees a BPDU come in it slams the gate and doesn't let anything else come in.

BPDU filter on the port acts like a sniper on a tower that was bullied by BPDUs when it was a kid, it kills all BPDUs: going in or coming out effectively disabling spanning-tree

BPDU filter at the global level basically stops interfaces with portfast from doing spanning-tree.  If a port with portfast on it gets a BPDU in this state it drops the portfast stuff and operates normally.

Thanks
Your answer is very obvious.
Well, which approach is better for us?
#6
Routing and Switching / bpduguard vs bpdufilter
November 16, 2017, 03:00:51 AM
Hi everyone
I want to use bpduguard or bpdufilter on my Cisco devices, but when I use bpduguard, the switchport (PC) has still sent BPDU messages. When I use bpdufilter, the switchport hasn't sent BPDU messages.
Does anyone have any idea about this issue?

I used these commands:

SPANNING-TREE PORTFAST DEFAULT
SPANNING-TREE PORTFAST BPDUGUARD DEFAULT

SPANNING-TREE PORTFAST DEFAULT
SPANNING-TREE PORTFAST BPDUFILTER DEFAULT

#7
Security / Re: wired 802.1x issue
October 17, 2017, 01:00:34 AM
Quote from: deanwebb on October 16, 2017, 06:57:10 AM
Quote from: itech on October 16, 2017, 01:57:00 AM
Unfortunately, the same method did not work on the 3850.
I am trying different IOSes one by one, but I couldn't find a suitable IOS :evil: :evil: :evil:

Have you tried 12.2(53) or 12.2(55)? Those IOS versions are quite reliable.

The IOS of my 3850s is a new version, IOS-XE 03.06.06E.

On this page, the last compatible IOS is 15.0(1)EX:

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-1611/200419-IOS-XE-to-IOS-mapping-and-Feature-set-no.html

I tried 03.06.07E, 03.06.00E, even 15.0(2) for the 3750.
#8
Security / Re: wired 802.1x issue
October 16, 2017, 01:57:00 AM
Unfortunately, the same method did not work on the 3850.
I am trying different IOSes one by one, but I couldn't find a suitable IOS :evil: :evil: :evil:
#9
Security / Re: wired 802.1x issue
October 06, 2017, 01:12:12 AM
Yes, this is a sweet bug. :)

I removed

login on-failure log
login on-success log

and the logon problem is resolved, and authentication succeeds with RADIUS after a long effort. But all solutions are for the 2960X with IOS 15.0(2a)EX5.

My issue has been updated to this:

Which IOS XE is compatible with 15.0(2a)EX5? I can't find it anywhere. Or can I update the 3850 with 15.0(2a)EX5?


#10
Security / Re: wired 802.1x issue
October 04, 2017, 03:58:12 AM
Hi
Finally I resolved this issue. :smug: I have got another switch, a 2960X with IOS 15.2.6E, with the same problem. When I downgrade to 15.0(2a)EX5, the RADIUS problem is resolved. I have not tried it on the 3850.
But after the downgrade a new problem occurred. When I try to connect to the switch via SSH or Telnet, the switch unexpectedly reloads. :evil: I looked into the crash logs. Do you have an idea about the source of the problem?
#11
Security / Re: wired 802.1x issue
September 27, 2017, 01:29:55 AM
Quote from: deanwebb on September 26, 2017, 10:25:04 AM
What's in the RADIUS logs, are you able to share those?
Hi deanwebb
These logs belong to the failed PC:

<Event><Timestamp data_type="4">09/26/2017 16:14:07.616</Timestamp><Computer-Name data_type="1">SERVER HOSTNAME</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Service-Type data_type="0">2</Service-Type><Framed-MTU data_type="0">1500</Framed-MTU><Called-Station-Id data_type="1">C4-44-A0-FF-86-8B</Called-Station-Id><Calling-Station-Id data_type="1">C8-5B-76-FA-C3-6D</Calling-Station-Id><Framed-IP-Address data_type="3">PC IP</Framed-IP-Address><NAS-IP-Address data_type="3">SW IP</NAS-IP-Address><NAS-Port-Id data_type="1">GigabitEthernet1/0/11</NAS-Port-Id><NAS-Port-Type data_type="0">15</NAS-Port-Type><NAS-Port data_type="0">50111</NAS-Port><Client-IP-Address data_type="3">SW IP</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">SW HOSTNAME</Client-Friendly-Name><Cisco-AV-Pair data_type="1">method=dot1x</Cisco-AV-Pair><Cisco-AV-Pair data_type="1">service-type=Framed</Cisco-AV-Pair><Cisco-AV-Pair data_type="1">audit-session-id=C0A8621F0000003204D2ADEE</Cisco-AV-Pair><User-Name data_type="1">PC HOSTNAME</User-Name><Proxy-Policy-Name data_type="1">Local Wired 802.1X</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">PC HOSTNAME</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">PC HOSTNAME</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">Local Wired 802.1X</NP-Policy-Name><Class data_type="1">311 1 SERVER IP 09/15/2017 20:11:23 117420</Class><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
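Added example (not part of the thread, and not Microsoft or Cisco code): a small Python decoder for NPS/IAS XML log lines like the one posted above. It translates Packet-Type, Authentication-Type and Reason-Code and pairs each Access-Reject with its request to recover the switch port and client MAC. The sample events are constructed, the reason-code table is deliberately partial, and pairing on Class assumes NPS writes the same Class value on a request and its reply.

```python
import xml.etree.ElementTree as ET

# Value tables for the numeric fields in NPS/IAS XML log records.
PACKET_TYPE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 11: "Access-Challenge"}
AUTH_TYPE = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP", 11: "PEAP"}
# Partial table: any other code is reported by number.
REASON = {0: "success", 16: "credentials mismatch", 48: "no matching network policy"}

def decode_event(line):
    """Parse one <Event> line into a dict with the numeric fields decoded."""
    rec = {}
    for child in ET.fromstring(line):
        # Cisco-AV-Pair repeats within one event, so keep every value.
        if child.tag == "Cisco-AV-Pair":
            rec.setdefault("Cisco-AV-Pair", []).append(child.text)
        else:
            rec[child.tag] = child.text
    ptype = int(rec.get("Packet-Type", -1))
    rec["packet"] = PACKET_TYPE.get(ptype, f"type {ptype}")
    if "Authentication-Type" in rec:
        auth = int(rec["Authentication-Type"])
        rec["auth"] = AUTH_TYPE.get(auth, f"type {auth}")
    code = int(rec.get("Reason-Code", -1))
    rec["reason"] = REASON.get(code, f"reason code {code}")
    return rec

def rejected_sessions(lines):
    """Pair each Access-Reject with its request; return (port, MAC, reason)."""
    requests, out = {}, []
    for rec in map(decode_event, lines):
        if rec["packet"] == "Access-Request":
            requests[rec.get("Class")] = rec
        elif rec["packet"] == "Access-Reject":
            req = requests.get(rec.get("Class"), {})
            out.append((req.get("NAS-Port-Id"), req.get("Calling-Station-Id"), rec["reason"]))
    return out

# Constructed sample (not from the thread): a request and the reject answering it.
SAMPLE = [
    '<Event><Calling-Station-Id data_type="1">00-00-5E-00-53-01</Calling-Station-Id>'
    '<NAS-Port-Id data_type="1">GigabitEthernet1/0/11</NAS-Port-Id>'
    '<Authentication-Type data_type="0">5</Authentication-Type>'
    '<Class data_type="1">311 1 192.0.2.10 01/01/2017 00:00:00 7</Class>'
    '<Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>',
    '<Event><Class data_type="1">311 1 192.0.2.10 01/01/2017 00:00:00 7</Class>'
    '<Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>',
]

if __name__ == "__main__":
    print(rejected_sessions(SAMPLE))
```

A record with Packet-Type 1 is the switch's Access-Request; the outcome and any failure reason are in the Access-Accept or Access-Reject record that follows it.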
#12
Security / Re: wired 802.1x issue
September 26, 2017, 09:22:55 AM
Quote from: deanwebb on September 25, 2017, 09:34:31 AM
I am here to help. :awesome:

OK, a few questions for you -
0. What switch is *supposed* to be the stack master? Which switch is *currently* the stack master? Sometimes, things happen in a stack and the stack master loses its status. If you reboot the stack, you can get the stack master back to the correct switch. This is important because some communications with the stack are supposed to be handled by the switch that is supposed to be the stack master and if it's not the master, the communications don't work as desired.

1. What do the RADIUS logs say on the RADIUS server? If you don't have logging on, turn it on and do a test client. The most important part of the log for the test client will be towards the end, where it shows both the error message and the cause of the error. If you can post that after scrubbing IP addresses, that would be great.

2. Is this when you also try to change VLAN with CoA? If so, do your switches support CoA changes in their firmware version? It won't be just the version number, but also version type.

3. If you are doing CoA and the firmware supports CoA, then the next question is if the RADIUS server is passing the correct vendor-specific attributes (VSAs) to the switch to change the VLAN. What VSA settings is the RADIUS server set up to send to the switches?

Thanks for your post, deanwebb.
I reviewed the NPS event logs and I noticed that
there are the following differences between successful and failed authentication:

<Cisco-AV-Pair data_type="1">service-type=Framed</Cisco-AV-Pair>
<Cisco-AV-Pair data_type="1">audit-session-id=C0A862290000102C3D9E5538</Cisco-AV-Pair>
<Cisco-AV-Pair data_type="1">method=dot1x</Cisco-AV-Pair>


#13
Security / wired 802.1x issue
September 25, 2017, 02:45:21 AM
Hi

We have got four Cisco 3850 switches as a stack.

Versions

WS-C3850-48T 03.06.06E
WS-C3850-48T 03.06.06E
WS-C3850-48T 03.06.06E
WS-C3850-48P 03.06.06E

I configured AAA on the 3850 as follows:

aaa new-model
aaa group server radius x
 server name x
 server name x
 deadtime 1
aaa authentication login default group radius local
aaa authentication login NO none
aaa authentication dot1x default group x
aaa authorization exec default group x local if-authenticated
aaa authorization network default group x
aaa accounting dot1x network start-stop group x
aaa session-id common

I configured the switchport as follows:

switchport access vlan x
switchport mode access
authentication control-direction in
authentication port-control auto
dot1x pae authenticator
storm-control broadcast level 50.00
storm-control action shutdown
spanning-tree portfast

I have got a Microsoft NPS server and other switches have the same config.
There is no problem.

But clients on the 3850 don't authenticate, and I get an error like this in the logs:

dot1x-5-result override authentication result overridden for client

I updated IOS to 03.03.07E, but the problem is still going on.

Is there anyone to help me?

Thanks