02-25-2014 11:21 AM - edited 03-10-2019 09:27 PM
Hi, I am trying to clear up a VLAN change/IP addressing conflict and have configured the profile's associated CoA type to 'port bounce'. I also created an exception action to force CoA with an associated rule in the policy.
I can see the device hit the correct profile upon MAB, and the correct VLAN is applied to the port. However, I never see the port bounce occurring, so the device does not know to release/renew its IP address.
Is there something I'm missing to get the CoA port bounce to happen? Here is my switchport config...
interface GigabitEthernet1/5
description ISE_TEST
switchport access vlan 32
switchport mode access
switchport voice vlan 64
ip access-group ACL-ALLOW in
logging event link-status
authentication event fail action next-method
authentication event server dead action authorize vlan 2700
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 600
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
service-policy input QoS-Input-Policy
service-policy output QoS-Host-Port-Output-Policy
end
03-11-2014 11:06 PM
Please see the Port Bounce Configuration guide:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#wp2021892
05-31-2014 03:28 PM
06-04-2014 08:38 AM
I did, but my issue was not related to the port bounce itself. It was because ARP inspection was identifying the ARP based off the port's initial VLAN. Once ISE changed the VLAN, IP ARP was denying the port because the address had changed. I disabled ARP inspection and it cleared up the issue.
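As an added example (not code from this thread or from Cisco), a small Python correlator that ties DAI denial syslog messages to a preceding ISE/AuthMgr VLAN assignment on the same port, so the symptom described above can be spotted from the switch logs instead of being found by trial and error. The sample log lines are constructed and modelled on the IOS %AUTHMGR-5-VLANASSIGN and %SW_DAI-4-DHCP_SNOOPING_DENY formats; the exact field layout is an assumption and may differ by release.

```python
import re
from datetime import datetime

# Constructed sample syslog lines, modelled on the IOS %AUTHMGR-5-VLANASSIGN and
# %SW_DAI-4-DHCP_SNOOPING_DENY messages (assumption: exact layout varies by release).
SAMPLE_LOG = """\
Feb 25 11:20:01.100: %AUTHMGR-5-VLANASSIGN: VLAN 32 assigned to Interface GigabitEthernet1/5 AuditSessionID 0A0A0A0A00000001
Feb 25 11:20:03.400: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/5, vlan 32.([0011.2233.4455/10.1.1.50/0000.0000.0000/10.1.1.1/11:20:03 UTC Tue Feb 25 2014])
Feb 25 11:20:05.000: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/7, vlan 40.([0011.2233.6677/10.1.2.9/0000.0000.0000/10.1.2.1/11:20:05 UTC Tue Feb 25 2014])
"""

TS_RE = re.compile(r"^\*?(\w{3} +\d+ \d\d:\d\d:\d\d)")
VLAN_RE = re.compile(r"%AUTHMGR-5-VLANASSIGN: VLAN (\d+) assigned to Interface (\S+)")
DAI_RE = re.compile(r"%SW_DAI-4-DHCP_SNOOPING_DENY: (\d+) Invalid ARPs \((\w+)\) on (\S+), "
                    r"vlan (\d+)\.\(\[([^/]+)/([^/]+)/")  # then sender MAC / sender IP
LONG_TO_SHORT = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def short_ifname(name):
    """Normalise 'GigabitEthernet1/5' (AuthMgr) and 'Gi1/5' (DAI) to one key."""
    for long, short in LONG_TO_SHORT.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def correlate(log_text, window_s=30):
    """Return DAI denials that follow an AuthMgr VLAN assignment on the same port.

    Such a denial indicates the DHCP snooping binding still reflects the port's
    original VLAN, so the host's ARPs fail validation on the newly assigned one.
    """
    last_assign = {}  # interface -> (timestamp, newly assigned VLAN)
    findings = []
    for line in log_text.splitlines():
        ts_m = TS_RE.match(line)
        if not ts_m:
            continue  # not a timestamped syslog line
        ts = datetime.strptime(ts_m.group(1), "%b %d %H:%M:%S")
        if m := VLAN_RE.search(line):
            last_assign[short_ifname(m.group(2))] = (ts, int(m.group(1)))
        elif m := DAI_RE.search(line):
            count, _op, iface, vlan, mac, ip = m.groups()
            iface = short_ifname(iface)
            if iface in last_assign:
                t0, new_vlan = last_assign[iface]
                if 0 <= (ts - t0).total_seconds() <= window_s:
                    findings.append({"interface": iface, "new_vlan": new_vlan, "dai_vlan": int(vlan),
                                     "denied_arps": int(count), "sender_mac": mac, "sender_ip": ip})
    return findings
```

A finding points at the port whose snooping binding and assigned VLAN no longer agree, which is the thing to check before turning ARP inspection off for the whole VLAN. The denial on Gi1/7 in the sample is not reported because no VLAN assignment preceded it.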