
802.1x, Catalyst 3560,

Hi all,

We have rolled out 802.1x enterprise-wide. As RADIUS servers, we have deployed ACS 1121 (5.3.0.40). Currently we are rolling out Win7 clients.

The access layer is built on switches of type Catalyst 3560G-48-PoE, running IOS 2.2(53)SE2.

On certain switches we have the problem (only Win 7 clients; XPs do not cause this problem) that client MAC addresses are registered in VLAN 4 (Data-VLAN) as well as in VLAN 996 (Quarantine-VLAN).

switch#sh mac- int gi0/27
               Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   4    2c27.d71d.6279    STATIC      Drop
 996    2c27.d71d.6279    DYNAMIC     Gi0/27
Total Mac Addresses for this criterion: 2

Unfortunately the MAC addresses will never age out, which means that they keep this status until the switch is rebooted, which is basically not an ideal solution.

We are not able to connect another client to a port showing the above-mentioned status.

Has anyone faced something similar to this? What is causing this problem? How can we get rid of these MAC addresses without rebooting the switch?

Any hints are very much appreciated.

Best regards

RHUB
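
The symptom described in the post above (one MAC held as a STATIC/Drop entry in one VLAN while also learned dynamically in another) can be checked for across collected `show mac address-table` output. This is an added example, not part of the original thread or any Cisco tooling; the function names, the second MAC address and port Gi0/28 in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample modelled on the output quoted in the post; the second MAC and
# port Gi0/28 are constructed so the check has a healthy entry to skip.
SAMPLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   4    2c27.d71d.6279    STATIC      Drop
 996    2c27.d71d.6279    DYNAMIC     Gi0/27
   4    0011.2233.4455    DYNAMIC     Gi0/28
Total Mac Addresses for this criterion: 3
"""

# One table row: VLAN id, dotted-hex MAC, entry type, port (or "Drop").
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)

def parse_mac_table(text):
    """Yield (vlan, mac, entry_type, port) for each table row; skip headers."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield int(m.group(1)), m.group(2).lower(), m.group(3).upper(), m.group(4)

def find_stuck_macs(text):
    """Return MACs held as STATIC/Drop in one VLAN while learned in another."""
    by_mac = defaultdict(list)
    for vlan, mac, entry_type, port in parse_mac_table(text):
        by_mac[mac].append((vlan, entry_type, port))
    findings = []
    for mac, entries in sorted(by_mac.items()):
        drops = [e for e in entries if e[1] == "STATIC" and e[2].lower() == "drop"]
        learned = [e for e in entries if e[1] == "DYNAMIC"]
        for d_vlan, _, _ in drops:
            for l_vlan, _, l_port in learned:
                if l_vlan != d_vlan:
                    findings.append({"mac": mac, "drop_vlan": d_vlan,
                                     "learned_vlan": l_vlan, "port": l_port})
    return findings

if __name__ == "__main__":
    for f in find_stuck_macs(SAMPLE):
        print("{mac}: Drop in VLAN {drop_vlan}, learned in VLAN {learned_vlan} on {port}".format(**f))
```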

2 REPLIES

802.1x, Catalyst 3560,

A quick fix is to enable "IP device tracking".

BTW, how is this change of VLAN performed, CoA? And if CoA, then reauth or port-bounce?

Port-bounce should also resolve these multiple MAC entries.

Thanks


802.1x, Catalyst 3560,

Good evening,

Many thanks for your reply. "ip device tracking" would be the solution - that's exactly what I thought too, but we have had it enabled since we rolled out the 3560s many months ago.

This status will happen after a client is not able to authenticate successfully against ACS and therefore should be moved to the quarantine VLAN. The majority of clients not authenticating successfully are moved without any problems, but some of them show the problem.

Thanks and best regards

Roman