CSCvr44755 - <no access-session mac-move deny > removed after reboot

samuel.heinrich
Level 1

We encountered this bug yesterday in a dot1x deployment with some old 2960x switches running 15.2(7)E.

The problem occurred when ISE sent an AAA VLAN overwrite to a switchport configured with port security, which is enabled by default on dot1x switchports.

Example:

interface GigabitEthernet1/0/1
 switchport access vlan 1000
 switchport mode access
 switchport voice vlan 2000
 source template ISE_DOT1_MAB

When ISE tries to overwrite the VLAN, e.g. with VLAN 1001, the client MAC address moves from VLAN 1000 to 1001, which triggers port security to err-disable the port.

The port does not go into err-disable when the mac-move deny feature is removed from the running config with "no access-session mac-move deny".

To work around this bug, we created the following EEM script, which removes the config automatically after a reload.

event manager applet REMOVE_MAC-MOVE-CONFIG authorization bypass
 event syslog pattern "SYS-5-RESTART"
 trigger delay 60
 action 1.0 cli command "en"
 action 2.0 cli command "conf t"
 action 3.1 cli command "no access-session mac-move deny"
 action 3.2 cli command "end"
 action 3.3 cli command "wr"
!
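An added post-reload check, not part of the original post or of any Cisco tooling: it parses a `show running-config` dump, tells whether the workaround line is still present, and lists the ports bound to the dot1x/MAB template that would err-disable on an ISE VLAN overwrite if it is not. It assumes that the explicit `no access-session mac-move deny` line appears in the running-config while the workaround is applied, and it reuses the template name `ISE_DOT1_MAB` from the post; the sample config below is constructed, not a real device dump.

```python
import re
from typing import Dict, List

# Constructed sample running-config modelled on the post (not a real device dump).
# Assumption: the explicit "no access-session mac-move deny" line is present while
# the workaround is applied and disappears after the buggy reload.
RUNNING_CONFIG = """\
!
no access-session mac-move deny
!
interface GigabitEthernet1/0/1
 switchport access vlan 1000
 switchport mode access
 switchport voice vlan 2000
 source template ISE_DOT1_MAB
!
interface GigabitEthernet1/0/2
 switchport access vlan 1000
 switchport mode access
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} from an IOS-style running-config."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the interface block
    return interfaces


def mac_move_deny_active(config: str) -> bool:
    """True when the switch is back at the default (deny), i.e. the workaround line is gone."""
    return not re.search(r"^no access-session mac-move deny\s*$", config, re.M)


def ports_at_risk(config: str, template: str = "ISE_DOT1_MAB") -> List[str]:
    """Ports bound to the dot1x/MAB template that an ISE VLAN overwrite would err-disable."""
    if not mac_move_deny_active(config):
        return []  # workaround in place: a MAC move between VLANs is permitted
    return [name for name, cmds in parse_interfaces(config).items()
            if f"source template {template}" in cmds]
```

Run it against the config captured before and after a reload; an empty list means the `no access-session mac-move deny` line survived.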
