07-07-2022 07:39 AM - edited 07-07-2022 07:39 AM
Hi all,
I'm stuck with a problem related to DHCP packets. The architecture is composed of:
Below is the config of g1/0/46:
interface GigabitEthernet1/0/46
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 201
 device-tracking attach-policy DeviceTrackingPolicy
 ip access-group WELCOMEACL in
 authentication event fail retry 3 action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 10
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 18
 dot1x timeout tx-period 1
 dot1x max-reauth-req 3
 spanning-tree portfast
end
When a device (or IP phone) connects to this interface, it is assigned to a welcome VLAN (200 = DATA, 201 = VOICE). This VLAN has not been configured with an ip dhcp relay or an SVI, so it is only an empty container. Messages transmitted in this VLAN are not passed on the trunk link (VLANs 200 and 201 are not allowed on trunk interface g1/0/48).
After the device is authenticated (ISE passes both ACL and VLAN information), the IP phone is placed into VLAN 701. Without the NAC config, the IP phone is able to receive an IP address from within this VLAN. The ACL passed from ISE has a "permit ip any any".
After authentication the IP phone transmits DHCP discover packets. At this point the switch doesn't forward the packets (received on g1/0/46) to the trunk interface (g1/0/48).
I've done some troubleshooting using SPAN ports configuring
From Wireshark (installed on a PC attached to g1/0/45) I see only the discover packets coming from g1/0/46, but they are not going out to g1/0/48.
Does someone have any idea? The switch seems to drop the discover packets.
07-07-2022 09:32 AM
After the phone is authenticated, do you actually see the right dACL applied to that session? Please share the output of the command "sh authentication session interface gi1/0/46 det" for review. Also, could you please try to remove the command "ip access-group WELCOMEACL in" from under the interface config and try again?
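A small helper, added here as an example and not part of anyone's post, that parses a constructed sample of the "sh authentication session interface gi1/0/46 det" output (the "Key: value" field layout of the classic IBNS 1.0 output is assumed, and the MAC, session and dACL names are made up) and flags what this thread is after: authorization status, the dynamic VLAN (701 expected) and whether a dACL is actually present in the session.

```python
import re

# Constructed sample of "show authentication sessions interface gi1/0/46 details"
# (assumed IBNS 1.0 layout); values are made up, not taken from the poster's switch.
SAMPLE_OUTPUT = """\
            Interface:  GigabitEthernet1/0/46
          MAC Address:  0011.2233.4455
           IP Address:  Unknown
            User-Name:  00-11-22-33-44-55
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  701
              ACS ACL:  xACSACLx-IP-PERMIT_ALL-0000000

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

# One "Key:  value" pair per line; the methods table has no colon and is skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s+(.*?)\s*$")

def parse_session(text):
    """Return the 'Key: value' fields of one session block as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_session(fields, expected_vlan, expect_dacl=True):
    """Return findings (strings) that would explain DHCP still failing; [] is healthy."""
    findings = []
    if fields.get("Status") != "Authz Success":
        findings.append(f"session not authorized: Status={fields.get('Status')!r}")
    if fields.get("Vlan Policy") != str(expected_vlan):
        findings.append(f"VLAN mismatch: got {fields.get('Vlan Policy')!r}, expected {expected_vlan}")
    if expect_dacl and not fields.get("ACS ACL"):
        findings.append("no dACL in session, so the port ACL WELCOMEACL still applies")
    if fields.get("Authorized By") != "Authentication Server":
        findings.append(f"authorized by {fields.get('Authorized By')!r}, not by the RADIUS server")
    return findings
```

Run it against the real output pasted into SAMPLE_OUTPUT; an empty list from check_session means the session itself looks right and the drop has to be looked for elsewhere (trunk allowed list, snooping, etc.).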
07-07-2022 12:54 PM
Hi Aref, thanks for your support.
Unfortunately, at this moment I don't have access to the equipment. However, I can confirm that the output of the command "show authentication session interface g1/0/46 detail" shows that the IP phone has been associated with VLAN 701. Doing some troubleshooting, I saw that after removing the ACL the problem remained.
So I tried to unassign VLAN 701 from ISE, and I configured it on the interface. By doing this, the phone was able to communicate with the DHCP server.
The problem is that the DHCP discover packet from the client does not traverse the trunk interface. It almost seems, then, that the switch is no longer accepting packets from the IP phone interface.
By reconfiguring the VLAN in ISE (dVLAN) I tried to repeat the process. Leaving the phone connected, I saw that after 4-5 minutes it was able to contact the DHCP server, and therefore the switch allowed the flow of DHCP messages.
What problem could there be?