[Info] Cisco ACS question of functionality

Bigzizzzle (Premium Member, join: 2005-01-27, Beverly Hills, CA):

In short, I was just wondering if the Cisco ACS that we use can provide an audit trail of commands entered based on a particular date.

Reason: our Senior Engineer was implementing a change and had to roll it back.

Where I come in is as the NOC Engineer (i.e. the junior b$%#$); I just want to know if he missed a simple command, as I did a little research on some items with some OLD as hell IOS.

Trying to get rid of our native VLAN mismatch SNMP trap messages that hog the log all day.

Getting them between our Core 6509 1 and 2 (VSS group) --> old Cisco Catalyst 3524 XL.

Basically the change resulted in complete loss of connectivity between the core and this other network segment that serves particular purposes for external clients. Good news is it's a seldom-used segment, so client noticing or impact is low.

cramer (Premium Member, join: 2007-04-10, Raleigh, NC):

Depends on what your ACS is configured to log (and whether you have access to said log).

Bigzizzzle:

Okay, so the ACS "can" log entered commands. Access to it, I sure as heck don't have.

Simple email should suffice.

Thanks

markysharkey (Premium Member, join: 2012-12-20, United Kingdom) to Bigzizzzle:

Unless I'm missing something, native VLAN mismatch means one end of a trunk (or an access link for that matter) has a different native VLAN from the other end.
I routinely make VLAN 99 my native VLAN and routinely forget until I see the mismatch message, so yes, it's entirely possible the engineer forgot to add

 switchport trunk native vlan xxx

to his config...

Bigzizzzle:

Not sure exactly what he did when he made the change, but as it stands:

Core 1 (switchport trunk native vlan xx) ---> 1 switchport access on second switch segment
Core 2 no (switchport trunk native vlan xx) ----> another port on said secondary switch segment.

Another thing about the other old-as-hell switch is I'm sure it defaults to ISL mode for trunking. So a trunk encap dot1q will be needed on each end of the 2 pairs.

markysharkey:

Encapsulation mismatch doesn't cause error messages IIRC, but that must be one old switch if the default is ISL! It really is waaaaaay past time to bin it off.

quote:
Core 1 (switchport trunk native vlan xx) ---> 1 switchport access on second switch segment
Core 2 no (switchport trunk native vlan xx) ----> another port on said secondary switch segment.

Not sure what that means! Has the Core 2 link had no switchport trunk native vlan xx command executed?
Is Core 1 trunk connected to an access port?
Clarity and precision are required for accurate diagnosis.

cramer to Bigzizzzle:

Disable CDP. Then it won't be able to tell what the native vlan(s) are. *grin*

Bigzizzzle to markysharkey:

quote:
Not sure what that means! Has the Core 2 link had no switchport trunk native vlan xx command executed?
Is Core 1 trunk connected to an access port?
Clarity and precision are required for accurate diagnosis.

What I mean on the Core 2 link ---> shitty switch is that there is no command under the interface saying anything about a trunk native vlan xx command.

Core sides are operationally in trunk mode; the ports on the ole' shitty switch side are in static access mode - VLAN 1 defaults.

Bigzizzzle to cramer:

Eh, I like CDP; hate to lose it for those connections to that switch segment.

networx88 (CCNPACE, Member, join: 2001-05-02, Newark, OH) to Bigzizzzle:

Logging is a function of TACACS+.

On a Cisco router or switch you can set up TACACS+ accounting to audit/record all commands entered back to the ACS server.

You can also give users a list of commands they are permitted to enter on a device, i.e. they have show commands only, or maybe can enter config mode but not use shut or go into a specific interface.
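As an added illustration of the accounting and command-authorization setup networx88 describes (this is not configuration from the thread or from the OP's network), here is what the device side looks like on Cisco IOS. The server address 192.0.2.10, the shared key and the server-group name ACS-GROUP are placeholders. The per-user command sets (show-only, no shutdown, etc.) are defined on the ACS side; the switch only asks ACS whether each command is allowed and reports what was run.

```cisco
! Added example (not from the thread). Placeholders: ACS at 192.0.2.10,
! shared key "tacacs-key", server group name ACS-GROUP.
aaa new-model
!
! Older IOS syntax for the server (IOS 15.x uses a "tacacs server NAME" block
! with "address ipv4" and "key" inside it; the aaa lines below are the same)
tacacs-server host 192.0.2.10
tacacs-server key tacacs-key
!
aaa group server tacacs+ ACS-GROUP
 server 192.0.2.10
!
! Log in and get an exec shell via ACS; fall back to local accounts only
! when every ACS server is unreachable
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
!
! Ask ACS before running each privilege-level 1 / 15 command. The
! per-user command set (show-only, no "shutdown", ...) lives on ACS.
aaa authorization commands 1 default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
! Keep commands typed inside config mode under authorization as well
! (this is the default once command authorization is on; listed so it
! is not switched off by accident)
aaa authorization config-commands
!
! The audit trail: each level 1 / 15 command (config mode included) is
! sent to ACS as an accounting record carrying the username, the device
! and a timestamp, which is what a "commands run on date X" report uses
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 1 default stop-only group ACS-GROUP
aaa accounting commands 15 default stop-only group ACS-GROUP
!
! Put dates on the local syslog entries as well
service timestamps log datetime msec localtime show-timezone
!
! Checks on the device:
!   show tacacs               - server reachability and request counters
!   show users                - who holds a line right now
!   debug tacacs accounting   - watch records leave the box (lab/maintenance only)
```

Two practical points for the question at the top of the thread. First, the date-filtered list of commands is a report on the ACS side, so asking the ACS administrator for it (the "simple email") is the right move. Second, accounting over TACACS+ is best-effort: with the local fallback above, a command still runs when ACS is unreachable, but no accounting record is written, so check `show tacacs` for failed requests around the change window before concluding a command was never typed.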

markysharkey to Bigzizzzle:

quote:
Core sides are operationally in trunk mode; the ports on the ole' shitty switch side are in static access mode - VLAN 1 defaults.
I think you've answered your own question...
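To put the native VLAN discussion into configuration, here is an added example (not the thread's own configs; the interface names, VLAN 99, and the description strings are assumptions) showing the arrangement Bigzizzzle describes, why CDP flags it, and a way to make both ends agree without changing which core VLAN the old switch's hosts land in. It also covers the encapsulation point raised about the 3524 XL.

```cisco
! Added example, not from the thread. Interface names (core Gi1/1/1,
! 3524XL Fa0/24) and VLAN 99 are assumptions.
!
! ===== As described in the thread: core trunk, old switch access =====
!
! Core (VSS): dot1q trunk; untagged frames belong to VLAN 99
interface GigabitEthernet1/1/1
 description to old 3524XL Fa0/24
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
!
! 3524XL: access port with nothing configured, so it sits in VLAN 1
interface FastEthernet0/24
 switchport mode access
!
! Result: frames from the XL arrive untagged and land in core VLAN 99;
! core VLAN 99 frames go out untagged and land in XL VLAN 1. Traffic
! works, but CDP advertises "99" from one end and "1" from the other,
! so both switches keep logging %CDP-4-NATIVE_VLAN_MISMATCH.
! See it with:  show cdp neighbors detail   (the "Native VLAN:" line)
!
! ===== Fix that keeps the same traffic mapping =====
!
! Make the old switch's segment VLAN 99 on the XL as well. On 3500XL
! IOS the VLAN is created in VLAN database mode.
vlan database
 vlan 99 name EXTERNAL-CLIENTS
 exit
!
interface FastEthernet0/24
 description uplink to Core
 switchport mode access
 switchport access vlan 99
!
! ... and move the segment's host ports on the XL into VLAN 99 too
! (switchport access vlan 99). Both ends now advertise 99.
!
! ===== Alternative: a real trunk on both ends =====
! With the XL's host ports in VLAN 99 as above, the uplink can be a
! trunk instead. Set the encapsulation explicitly (the thread notes the
! XL may default to ISL) and match the native VLAN on both sides:
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
!
! Caveat: the native VLAN is simply where untagged traffic lands.
! Changing it on one end only (e.g. "switchport trunk native vlan 1" on
! the core) moves the XL's hosts into a different core VLAN, which looks
! exactly like the loss of connectivity described at the top of the
! thread. "no cdp enable" on the port silences the message but fixes
! nothing. Verify after any change:  show interfaces trunk / show vlan brief
```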