Duplex mismatch in Cisco IOS devices

You might need to identify duplex mismatches on your Cisco devices when doing the following:

• Managing Cisco devices

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

• Cisco Networks Add-on for Splunk Enterprise
• Syslog data collection tier. The Cisco IOS system message logging process uses the syslog protocol to send important messages to remote logging services, such as Splunk. The required add-on expects the data stream to be assigned the syslog sourcetype by the input configuration and will rename it to cisco:ios in the transformation configuration. For details on how the transformation is implemented, see the props.conf and transforms.conf in the add-on and the Splunk documentation. For more information on syslog and Splunk, see the (SYSLOG) Syslog Data Collection section of the Splunk Validated Architectures white paper.

Example

Duplex mismatches occur when two physically connected devices have been configured in different duplex modes. A Cisco IOS device can detect a duplex mismatch between it and another device and emits a message when found. You want to identify duplex mismatches and investigate their cause.

NOTE: To optimize the search shown below, you should specify an index and a time range. 

1. Run the following search: 

sourcetype=cisco:ios 
mnemonic="DUPLEX_MISMATCH" 
| rename dvc AS local_host cdp_local_duplex AS local_setting cdp_neighbor AS dest_host cdp_remote_duplex AS dest_setting 
| table local_host local_setting dest_host dest_setting dest_interface

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Result

The following sample result from the search shows hosts that are connected but with mismatched duplex settings. Use this table to identify which hosts and ports need to be corrected.