Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5705
Views
15
Helpful
8
Replies

802.1x, MAC addresses with status DROP

rhub
Level 1
Level 1

‎05-28-2012 11:46 PM - edited ‎03-10-2019 07:08 PM

Hi all,

we have rolled out 802.1x enterprise-wide. RADIUS-servers are ACS 1121 (5.3.0.40). Currently we are rolling-out Win7-clients.

The access-layer is built on Catalyst 3560g-48-poe, (IOS 12.2(53)SE2).

On certain switches we have the problen (only Win7-clients; XPs do not cause it) that client MAC-addresses are registered in VLAN4 (Data-VLAN) as well as in VLAN 996 (Quarantine-VLAN)  according to the screen-shot below:

switch#sh mac- int gi0/27

Mac Address Table

----------------------------------------------------------------------------------------

Vlan Mac Address    Type         Ports

------ -------------------     -------         -------

4     2c27.d71d.6279 STATIC     Drop

996 2c27.d71d.6279 DYNAMIC Gi0/27

Total Mac Addresses for this criterion: 2

Unfortunately the MAC address in VLAN 4 will never age-out, which means that they keep the above status. To wipe-out the MAC addresses we have to reboot the switch, which is no solution for us.

Has anyone faced something similar to this problem ? What is causing this problem ? How can we get rid of these MAC addresses without rebooting the switch ?

Any hints are very much appreciated

Best regards

RHUB

    

            

4 people had this problem
Labels:
0 Helpful
8 Replies 8

nspasov
Cisco Employee
Cisco Employee

‎06-26-2015 08:04 AM

Did you ever get this resolved?

0 Helpful

rhub
Level 1
Level 1
In response to nspasov

‎07-01-2015 02:43 AM

Hi Neno,

This has been resolved by upgrading the switches to the newest release.

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to rhub

‎07-01-2015 09:42 AM

Thanks for the reply! Can you give me the specific version. I am dealing with an issue now and running 150-2.SE6. It is not exactly the latest but pretty recent and I want to confirm 100% before I request a change control window for the upgrade.

Thanks!

0 Helpful

esteban0477
Level 1
Level 1
In response to nspasov

‎04-25-2016 02:30 PM

Hi Neno and rhub. 

I'm dealing with the same issue running c2960-lanlitek9-mz.150-2.SE5, could you give please more info about your advance in this topic, maybe if you have get some documentation about it, it would be really useful for me.

Best Regards.

Juan Esteban  

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to esteban0477

‎04-26-2016 08:06 AM

It looked like this was a bug with the version of code. So I would suggest upgrading your code. Also, please note that LAN Lite is does not support many 802.1x features. 

Thank you for rating helpful posts!

rhub
Level 1
Level 1
In response to nspasov

‎04-26-2016 08:22 AM

Hi Juan and Neno,

we upgraded all 3560-switches with IOS 15.0.2. but I did not have the possibility to test it; I will do it asap and let you know abut the results.

Best regards

Roman

nspasov
Cisco Employee
Cisco Employee
In response to rhub

‎04-26-2016 09:06 AM

Sounds good! Let us know :)

davinci
Level 1
Level 1

‎03-02-2020 10:37 AM

I have a similar problem. 

 

switch model/IOS: WS-C2960X-48FPD-L 15.2(7)E0a 

 

What is the solution?

 

switch#sh mac address-table interface gigabitEthernet 1/0/29
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
16 0004.f25d.947d DYNAMIC Drop
16 10e7.c670.cbdd DYNAMIC Drop

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents