Catalyst 3650 drop DHCP discover packets coming from Polycom VXX 201

Marco__89 · ‎07-07-2022

Hi all,

i'm stuck with a problem related to DHCP packets. The architecture is composed by:

VXX 201 IP phone which is connected to the catalyst 3650 on gigabit 1/0/46(it authenticate via MAB)
Catalyst 3650 which has a trunk interface (gigabit 1/0/48)
ISE which has the role of authenticator

Below is reported the config of g1/0/46

interface GigabitEthernet1/0/46
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 201
 device-tracking attach-policy DeviceTrackingPolicy
 ip access-group WELCOMEACL in
 authentication event fail retry 3 action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 10
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 18
 dot1x timeout tx-period 1
 dot1x max-reauth-req 3
 spanning-tree portfast
end

When a device (or IP phone) connect to this interface, it is assigned to a welcome VLAN (200 = DATA, 201 = VOICE). This VLAN has not be configured with ip dhcp relay or SVI. So it is only an empty container. Messages transmitted in this VLAN are not passed on trunk link (VLAN 200 and 201 are not allowed on trunk interface g1/0/48).

After the device is authenticated (ISE pass both ACL and VLAN information) the IP phone is placed into VLAN 701. Without NAC config, the IP phone is able to receive an IP address from within this VLAN. Tha ACL passed from ISE has a "permit ip any any".

After authentication IP phone transmit DHCP discover packets. At this point the switch doesn't forward the packet (received from g1/0/46) to the trunk interface (g1/0/48).

I've done some troubleshooting using SPAN ports configuring

g1/0/46 and g1/0/48 as source interfaces
g1/0/45 as destination interface
no filter of any type has been configured

From wireshark (installed on a PC attached to g1/0/45) i see only discover packets from g1/0/46 but not going out to g1/0/48.

Does someone has any idea? The switch seems to drop discover packets.

Aref Alsouqi · ‎07-07-2022

After the phone is authenticated, do you actually see the right dACL applied to that session? please share the output of the command "sh authentication session interface gi1/0/46 det" for review. Also, could you please try to remove the command "ip access-group WELCOMEACL in" from under the interface config and try again?

Marco__89 · ‎07-07-2022

Hi Aref, thanks for your support.

Unfortunately, at this moment I don't have access to the equipment. However I can confirm that the output of the command "show authentication session interface g1 / 0/46 detail" shows that the IP phone has been associated to VLAN 701. Doing some troubleshooting, I saw that removing the ACL the problem remained.
So I tried to unassign the VLAN 701 from ISE, and I configured it on the interface. By doing this, the phone was able to communicate with the DHCP server.

The problem is that the DHCP discover packet from the client does not traverse the trunk interface. It almost seems then that the switch is no longer accepting packets from the IP phone interface.

By reconfiguring the VLAN in ISE(dVLAN) I tried to repeat the process. Leaving the phone connected, I saw that after 4-5 minutes it was able to contact the DHCP server and therefore the switch allowed the flow of DHCP messages.

What problem could there be?