I'm stuck with a problem related to DHCP packets. The architecture is composed of:
- VXX 201 IP phone, which is connected to the Catalyst 3650 on gigabit 1/0/46 (it authenticates via MAB)
- Catalyst 3650, which has a trunk interface (gigabit 1/0/48)
- ISE, which has the role of authenticator
Below is the config of g1/0/46:
switchport access vlan 200
switchport mode access
switchport voice vlan 201
device-tracking attach-policy DeviceTrackingPolicy
ip access-group WELCOMEACL in
authentication event fail retry 3 action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer restart 10
authentication timer inactivity server
dot1x pae authenticator
dot1x timeout quiet-period 18
dot1x timeout tx-period 1
dot1x max-reauth-req 3
When a device (or IP phone) connects to this interface, it is assigned to a welcome VLAN (200 = DATA, 201 = VOICE). This VLAN has not been configured with an IP DHCP relay or an SVI, so it is only an empty container. Messages transmitted in this VLAN are not passed on the trunk link (VLANs 200 and 201 are not allowed on trunk interface g1/0/48).
After the device is authenticated (ISE passes both ACL and VLAN information), the IP phone is placed into VLAN 701. Without the NAC config, the IP phone is able to receive an IP address from within this VLAN. The ACL passed from ISE has a "permit ip any any".
After authentication, the IP phone transmits DHCP discover packets. At this point the switch doesn't forward the packets (received from g1/0/46) to the trunk interface (g1/0/48).
I've done some troubleshooting using SPAN ports, configuring:
- g1/0/46 and g1/0/48 as source interfaces
- g1/0/45 as destination interface
- no filter of any type has been configured
From Wireshark (installed on a PC attached to g1/0/45) I see only discover packets coming from g1/0/46, but none going out to g1/0/48.
Does someone have any idea? The switch seems to drop the discover packets.
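As an added example (not part of the original post, and not the poster's capture): when troubleshooting a case like the one above with SPAN and Wireshark, the thing worth checking frame by frame is which VLAN each DHCP Discover was actually seen on, since the point of the problem is whether the Discover ends up in the authorized VLAN that the trunk carries. The Python below parses raw Ethernet frames (Ethernet, optional 802.1Q tag, IPv4, UDP, BOOTP/DHCP option 53) and summarizes them by VLAN and DHCP message type. The sample frames, MAC address, transaction IDs and the use of VLAN 701 are constructed here for illustration; the `build_discover` helper only exists to produce those sample frames and is not something the switch or ISE provides.

```python
"""Classify raw Ethernet frames from a SPAN capture by 802.1Q VLAN and DHCP
message type.  Added example; sample frames below are constructed, not captured."""
import struct
from typing import Optional

DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}
DHCP_MAGIC = b"\x63\x82\x53\x63"


def parse_frame(frame: bytes) -> dict:
    """Return {'src_mac', 'vlan' (None if untagged), 'dhcp' (msg type or None), 'xid'}."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == 0x8100:  # 802.1Q tag: TCI (PCP/DEI/VID) then the inner ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    result = {"src_mac": src.hex(":"), "vlan": vlan, "dhcp": None, "xid": None}
    if ethertype != 0x0800:  # not IPv4
        return result
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:  # not UDP
        return result
    udp = ip[ihl:]
    _sport, dport, _ulen = struct.unpack("!HHH", udp[:6])
    if dport not in (67, 68):  # not BOOTP/DHCP
        return result
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return result
    result["xid"] = struct.unpack("!I", bootp[4:8])[0]
    i = 240  # walk TLV options until END (255); option 0 is a single pad byte
    while i < len(bootp):
        code = bootp[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = bootp[i + 1]
        value = bootp[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            result["dhcp"] = DHCP_MSG_TYPES.get(value[0], f"type {value[0]}")
        i += 2 + length
    return result


def summarize(frames) -> dict:
    """Count DHCP frames per (vlan, message type); non-DHCP frames are ignored."""
    counts = {}
    for f in frames:
        r = parse_frame(f)
        if r["dhcp"] is not None:
            key = (r["vlan"], r["dhcp"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def build_discover(src_mac: bytes, xid: int, vlan: Optional[int] = None) -> bytes:
    """Construct a minimal DHCP Discover (broadcast, IP/UDP checksums left zero)
    for use as constructed sample input; optionally 802.1Q-tagged."""
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    bootp += b"\x00" * 16                      # ciaddr, yiaddr, siaddr, giaddr
    bootp += src_mac + b"\x00" * 10            # chaddr padded to 16 bytes
    bootp += b"\x00" * 192                     # sname (64) + file (128)
    bootp += DHCP_MAGIC + bytes([53, 1, 1, 255])  # option 53 = DISCOVER, then END
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00\x00\x00\x00", b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + src_mac
    if vlan is not None:
        eth += struct.pack("!HHH", 0x8100, vlan & 0x0FFF, 0x0800)
    else:
        eth += struct.pack("!H", 0x0800)
    return eth + ip


if __name__ == "__main__":
    phone = bytes.fromhex("001122334455")  # constructed MAC, not the poster's phone
    sample = [build_discover(phone, 0x1234, vlan=701), build_discover(phone, 0x1235)]
    for f in sample:
        print(parse_frame(f))
    print(summarize(sample))
```

One caveat for applying this to a real capture: a Catalyst local SPAN destination port sends copied frames untagged unless the session is configured with `encapsulation replicate`, so without that option the capture cannot tell you which VLAN the Discover was carried in; the parser will report `vlan` as None for every frame. Frames can be fed in from a pcap reader of your choice as raw bytes.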