<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic IBNS 2.0 Intelligent Aging /w SISF based device-tracking Cat9k 16.x in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ibns-2-0-intelligent-aging-w-sisf-based-device-tracking-cat9k-16/m-p/4716597#M578069</link>
    <pubDate>Sun, 06 Nov 2022 00:31:53 GMT</pubDate>
    <dc:creator>JasonLeschnik</dc:creator>
    <dc:date>2022-11-06T00:31:53Z</dc:date>
    <item>
      <title>IBNS 2.0 Intelligent Aging /w SISF based device-tracking Cat9k 16.x</title>
      <link>https://community.cisco.com/t5/network-access-control/ibns-2-0-intelligent-aging-w-sisf-based-device-tracking-cat9k-16/m-p/4716597#M578069</link>
      <description>&lt;P&gt;Hi all,&lt;BR /&gt;&lt;BR /&gt;&lt;STRONG&gt;Problem description&lt;/STRONG&gt;: Indirectly connected devices (e.g. PCs daisy-chained via phones) do not age out in an ISE + 802.1x (Monitor Mode) on Catalyst 3850/9300 switches environment. Configuration to fix this (subscriber aging) has changed between 3.x and 16.x code.&lt;/P&gt;&lt;P&gt;The current issue I'm facing is that the IPDT-based Device Tracking infrastructure has changed between IOS XE 3.x and 16.x yet the documentation is not clear about how this impacts the Intelligent Aging "probe" functionality in IBNS 2.0 (i.e. the command “subscriber aging inactivity-timer 60 &lt;STRONG&gt;probe&lt;/STRONG&gt;”).&lt;/P&gt;&lt;P&gt;The original behavior of this command was that, when applied to a dot1X template, it would age out STATIC MAC entries of clients; with the addition of the "probe" keyword it would ARP probe a device at around the 50-55 second mark before then declaring the host “state/dead” and removing its STATIC MAC address entry in the CAM table. This would ensure that if a host was “silent” during that time its dot1x session wouldn’t be prematurely cleared. I'm aware that in 16.x code and beyond the Device tracking infrastructure has been changed from IPDT (old) =&amp;gt; SISF (new) based tracking, but I cannot seem to get the same behavior for intelligent aging even though the commands still exist in the CLI parser.&lt;/P&gt;&lt;P&gt;Does anyone know how to get the “probe” behavior previously seen in 3.6.x code “subscriber aging inactivity-timer 60 probe” where the ARP probe is sent from the access switch before evicting the dot1x session? This eviction appears to have been based on “traffic” through the session and was verified by an ARP probe to see if the host was really “alive”. 
Now, I need to modify the SISF policy and set something like “device-tracking binding reachable-lifetime 50” which results in the switch having to constantly ARP probe because SISF device tracking only checks for the presence of ARP, DHCPv4 packets and not generic session traffic.&lt;/P&gt;&lt;P&gt;&lt;FONT face="courier new,courier"&gt;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&lt;BR /&gt;&lt;/FONT&gt;&lt;FONT face="courier new,courier"&gt;+ Configuration snippets of what we’re running (Manually enabling device tracking with a custom Policy)&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;device-tracking policy dot1x&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;no protocol udp&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;tracking enable&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT face="courier new,courier"&gt;vlan configuration 27&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;device-tracking attach-policy dot1x&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT face="courier new,courier"&gt;+ dot1X configuration to enable the aging + ARP probe&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;subscriber aging inactivity-timer 60 probe&lt;BR /&gt;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&lt;BR /&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;Not sure if there is something easy I'm missing. But long story short I'd just like to achieve the same functionality as 3.6.x (Intelligent Aging /w Silent host detection in &amp;gt;= 16.x code).&lt;/P&gt;&lt;P&gt;Any assistance would be appreciated.&lt;/P&gt;&lt;P&gt;Regards,&lt;BR /&gt;Jason.&lt;/P&gt;</description>
      <pubDate>Sun, 06 Nov 2022 00:31:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ibns-2-0-intelligent-aging-w-sisf-based-device-tracking-cat9k-16/m-p/4716597#M578069</guid>
      <dc:creator>JasonLeschnik</dc:creator>
      <dc:date>2022-11-06T00:31:53Z</dc:date>
    </item>
    <item>
      <title>Re: IBNS 2.0 Intelligent Aging /w SISF based device-tracking Cat9k 16.</title>
      <link>https://community.cisco.com/t5/network-access-control/ibns-2-0-intelligent-aging-w-sisf-based-device-tracking-cat9k-16/m-p/4716788#M578079</link>
      <description>&lt;P&gt;(Same person, different CCO account).&lt;/P&gt;&lt;P&gt;So I think I might have figured it out; it seems to be a combination of the following configuration. I'm going to follow up with Cisco TAC to determine if this is correct. I cannot find any documentation that explains this &lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;&lt;U&gt;Global Configuration:&lt;/U&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;ip dhcp snooping&lt;/LI&gt;&lt;LI&gt;ip dhcp snooping vlan x&lt;/LI&gt;&lt;LI&gt;device-tracking binding reachable-lifetime 60&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;STRONG&gt;&lt;U&gt;Interface configuration:&lt;/U&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;subscriber aging inactivity-timer 60 probe&lt;/LI&gt;&lt;/UL&gt;</description>
      <pubDate>Mon, 07 Nov 2022 03:00:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ibns-2-0-intelligent-aging-w-sisf-based-device-tracking-cat9k-16/m-p/4716788#M578079</guid>
      <dc:creator>jl</dc:creator>
      <dc:date>2022-11-07T03:00:36Z</dc:date>
    </item>
  </channel>
</rss>

