06-29-2016 06:01 AM
Hello,
How does the switch detect link status for endpoints when they are disconnected behind IP phones on a multi-auth port?
We have an issue where an endpoint is moved from one multi-auth port to another multi-auth port (both behind Polycom phones) but the authentication session still remains on the old port. The MAC-Address table however is updated.
Issue is faced on CAT 6K and CAT 4K switches only for Polycom phones. No issue is seen for Cisco IP Phones.
After clearing authentication session on both the interfaces the authentication session is correctly applied.
Is this a known issue on Polycom phones?
06-29-2016 08:21 AM
Utkarsh,
The switch detects new endpoints on a switchport by MAC address. I suspect the Polycom phones are not telling the switch about the disconnection when the endpoint moves. This would explain why the session remains but the MAC address table is being updated.
Regards,
-Tim
06-29-2016 09:16 PM
Cisco IP Phones have a special feature called CDP 2nd Port Disconnect which tells the switch when the endpoint behind it is disconnected. Polycoms don't have this feature.
06-29-2016 11:52 PM
Thomas/Tim,
Thanks for the response.
On going through the Polycom documentation, it is mentioned that Polycom phones too send CDP packets.
Polycom phones can also send proxy EAPoL on behalf of the machine.
However, it seems both of these are not enabled by default and we need to make changes to the XML configuration file.
Please check the link below
06-30-2016 08:06 AM
Thank you for the followup on this, Utkarsh!
Glad to hear they do have the capability so it will work for you!
06-30-2016 08:57 AM
Another common option is to enable the inactivity timer on the port: Wired 802.1X Deployment Guide - Cisco.
That will remove authenticated MAC addresses that don't transmit any data over a certain period of minutes.
Additionally, you can allow MAC addresses to move between ports using this command: authentication mac-move permit. This command will remove a MAC address session if the same MAC address pops up on another port.
Thanks
07-07-2016 02:59 AM
Thanks Viktor
I tried to capture this behaviour for Cisco IP phone 9971 (running 1.9.4) but could not find any CDP disconnect packet.
However, I did find proxy EAPoL as below, although with a "frame check sequence incorrect" error.
I am sure this is the expected behaviour. I think the error is due to checksum offloading explained as Ethernet Frame Check Sequence set to 0x00000000 | VMware Communities
07-08-2016 05:42 PM
Maybe these phones don't support CDP second port notification. This is what I see on my 9971. EAPOL Logoff would accomplish the same thing though.
Device ID: SEPD0C282D00906
Entry address(es):
IP address: 10.118.97.3
Platform: Cisco IP Phone 9971, Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet0, Port ID (outgoing port): Port 1
Holdtime : 153 sec
Second Port Status: Unknown
Version :
sip9971.9-4-2SR2-2
advertisement version: 2
Duplex: full
Power drawn: 12.804 Watts
Power request id: 1547, Power management id: 2
Power request levels are:12804 0 0 0 0
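An added example, not part of any post in this thread: a small audit that parses `show cdp neighbors detail` text in the field layout shown above and lists neighbors whose "Second Port Status" is missing or not Up/Down, so stale multi-auth sessions behind them need EAPoL logoff, the inactivity timer or mac-move instead. The two EXAMPLE-PHONE entries are constructed sample data, and treating only Up/Down as usable values is an assumption.

```python
import re

# Constructed sample: the first entry mirrors the output posted above; the
# two EXAMPLE-PHONE entries are invented for illustration.
SAMPLE = """\
Device ID: SEPD0C282D00906
Platform: Cisco IP Phone 9971, Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet0, Port ID (outgoing port): Port 1
Second Port Status: Unknown
-------------------------
Device ID: EXAMPLE-PHONE-A
Interface: GigabitEthernet1, Port ID (outgoing port): Port 1
Second Port Status: Down
-------------------------
Device ID: EXAMPLE-PHONE-B
Interface: GigabitEthernet2, Port ID (outgoing port): Port 1
"""

FIELD = re.compile(r"^(Device ID|Platform|Interface|Second Port Status)\s*:\s*(.*)$")

def parse_cdp_detail(text):
    """Split 'show cdp neighbors detail' text into one dict per neighbor."""
    neighbors, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Device ID":  # every entry starts with its Device ID line
            current = {"Device ID": value.strip()}
            neighbors.append(current)
        elif current is not None:
            # Platform and Interface lines carry a second field after a comma.
            current[key] = value.split(",")[0].strip()
    return neighbors

def ports_without_disconnect_signal(neighbors):
    """Return (interface, device, status) where CDP reports no second-port state."""
    flagged = []
    for n in neighbors:
        status = n.get("Second Port Status", "absent")
        if status.lower() not in ("up", "down"):  # assumption: only these are usable
            flagged.append((n.get("Interface", "?"), n["Device ID"], status))
    return flagged

if __name__ == "__main__":
    for iface, dev, status in ports_without_disconnect_signal(parse_cdp_detail(SAMPLE)):
        print(f"{iface}: {dev} second-port status {status}")
```
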
07-11-2016 09:05 PM
I was able to get the Polycom Phone working with EAPoL proxy logoff.
Adding the line <sec.dot1x.eapollogoff sec.dot1x.eapollogoff.enabled="1"> in the configuration file made it work.