ISE host mode multi-domain

Hello All, 

Here is the question. Since we know to remove the native port-security commands on ISE ports, if I want to restrict a port to only the data and voice VLANs (2 MACs), I need to configure the port host-mode to multi-domain.

I was testing and found out that a Cisco phone initially grabs an IP and finds Call Manager via the data VLAN, then changes to the voice VLAN. This creates 3 MAC address bindings (2 for the desk phone and 1 for the PC). See below. According to what I read this is normal behavior.

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
2320    2c31.246b.7f99    STATIC      Gi1/0/1
2320    c45a.b1e1.22e5    STATIC      Gi1/0/1
2321    2c31.246b.7f99    DYNAMIC     Gi1/0/1

 

The question is, how can I restrict the port to only two MAC addresses (1 voice, 1 data) when the port has the ISE config? Or am I missing something in the switch config?

Thanks in advance. 

5 Replies

It's a known issue, especially in the 3000 series switches.

The IP phone is shown in both the voice and data VLAN.

If it does not affect your network, keep it as is; there is no need for port security or other L2 security.

MHM

Thanks for your reply @MHM Cisco World.

I have seen this behavior on Cat 4500, 3850 and 9300 switches.

What I found was that it put the switch port into err-disable. Have you encountered the same with multi-domain? If this is the normal behavior from Cisco, what is the real purpose of multi-domain?

It moves the port to err-disable in case you configure port security with a maximum of 2.

Make it 3 and it will be OK.

MHM

Could you please share the switch port config and the ISE authorization profile of the phones for review? I don't believe what you are seeing is normal behaviour, because the switch should move the phone MAC to the voice VLAN and flush it from the data VLAN. But regardless, I would probably recommend moving away from using multi-domain and using multi-auth instead. Multi-auth will still allow one voice device and an unlimited number of data hosts connected to the port, and each device will still need to authenticate on its own.

Arne Bier
VIP

I have observed this same phenomenon with Cisco and with Avaya desk phones. I didn't spend much time looking into whether there is a way to achieve a clean solution involving multi-domain, because these phones have this unfortunate transient condition where untagged frames arrive at the switch.

Things to look out for on switch and phone:

  • CDP configured
  • LLDP configured

I believe that these L2 protocols are essential to communicate the voice VLAN to the phone. If the phone does not receive the CDP/LLDP in time, then it might send an untagged frame to the switch, which then would cause the situation of the MAC address landing in the DATA domain (because the frame was untagged).  If there is an active PC attached to the phone, whose MAC address is already in the DATA domain, and a few milliseconds later, the phone's tagged frame arrives - then it's too late because the port is err-disabled due to violation in the DATA domain.

I gave up at this point and used multi-auth.  Multi-auth is not a bad thing, because every MAC address must be authorized - if you connect something to the phone that you don't trust, then your RADIUS server should not authorize it.

The phone 'misbehaviour' is only a transient thing - it should only show the MAC address in the DATA domain for a short while and then disappear eventually (time out).
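For reference, here is an added interface configuration (not posted by anyone in this thread) that puts the two host modes discussed above side by side on the port from the original post (Gi1/0/1, data VLAN 2320, voice VLAN 2321). It uses the legacy `authentication ...` syntax; on IOS-XE platforms running the new-style (IBNS 2.0) policy model the equivalents are `access-session host-mode` and `access-session port-control`. The interface names, descriptions and the choice of `dot1x` before `mab` are assumptions for illustration; the RADIUS server definition is omitted.

```ios
! Added example, not from the thread. Global prerequisites (RADIUS server
! definition omitted). CDP and LLDP are what tell the phone its voice VLAN, so
! they must not be disabled on the phone-facing ports.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
cdp run
lldp run

! --- Variant A: multi-domain, as tested in the original post ---
! Exactly one MAC in the DATA domain and one in the VOICE domain. If the
! phone's first untagged frame lands its MAC in the DATA domain while the PC
! is already there, that is a security violation. The default action,
! "authentication violation shutdown", err-disables the whole port.
interface GigabitEthernet1/0/1
 description Phone + PC, ISE 802.1X/MAB, multi-domain (assumed description)
 switchport mode access
 switchport access vlan 2320
 switchport voice vlan 2321
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 ! "restrict" logs the violation and drops the offending MAC instead of
 ! err-disabling the port. Use it if you want to stay on multi-domain and
 ! survive the transient untagged frame described above.
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast

! --- Variant B: multi-auth, as recommended in the replies ---
! One MAC in the VOICE domain plus any number of MACs in the DATA domain, each
! authenticated separately by ISE. The phone's transient appearance in the
! DATA domain is simply one more session for ISE to authorize (or reject).
interface GigabitEthernet1/0/2
 description Phone + PC, ISE 802.1X/MAB, multi-auth (assumed description)
 switchport mode access
 switchport access vlan 2320
 switchport voice vlan 2321
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 spanning-tree portfast

! In either mode the phone is only placed in the VOICE domain when the ISE
! authorization profile for the phone returns the Cisco AV pair
! device-traffic-class=voice (the "Voice Domain Permission" option of the
! authorization profile). Without it the phone is treated as a data host.

! Verification after plugging in the phone and PC:
!   show authentication sessions interface GigabitEthernet1/0/1 details
!   show mac address-table interface GigabitEthernet1/0/1
!   show interfaces status err-disabled
```

The check that distinguishes the two situations in the thread is `show authentication sessions interface ... details`: in a healthy multi-domain port it lists one session with Domain DATA and one with Domain VOICE; a phone MAC that shows up with Domain DATA means ISE did not return `device-traffic-class=voice`, or the phone sent traffic before it learned the voice VLAN from CDP/LLDP. With `authentication violation restrict` the second case produces a syslog violation message and a dropped MAC rather than an err-disabled port.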