09-17-2018 05:12 AM
Hello
I have a problem relating to my client's switch.
In my L3 switch there are two entries for the same MAC address.
In my network, ISE authenticates endpoints using 802.1X. If the endpoint fails to authenticate it will land in a quarantine VLAN and get a quarantine IP from the quarantine DHCP server, and if it succeeds it will access the Fatclient VLAN with a different IP from the Fatclient DHCP server.
Sometimes the PC takes a long time to authenticate, so it gets its IP from quarantine and after a time it gets the right IP from the Fatclient DHCP server.
FYI, I am using an L3 switch for my fatclients and a routed-based network.
The problem is I see in the show arp-cache on my L3 switch two different IPs for the same MAC address in two different VLANs, and the PC does not have network access until I clear the ARP cache.
Is there a way to automate this using ISE?
Or is the solution to the problem somewhere else?
Thank you for reading
09-17-2018 06:11 AM
In my opinion, using a quarantine VLAN for unknown devices is setting yourself up for problems like this. VLAN moves in general can be problematic with DHCP devices. If the device gets an IP address in one VLAN and then is sent to another VLAN by ISE you can strand the device. I generally avoid doing VLAN assignments in favor of DACLs/SGTs. If the devices have static IP then VLAN moves are not a problem.
If you are going to keep doing a VLAN move, what is your switchport config? Are you doing dot1x first then MAB for order? If so, what is your dot1x timeout?
The layer 3 switch having two ARP entries for the same MAC address is correct. The ARP tables are maintained per interface/VLAN. So if it sees the MAC on VLAN X and it moves to VLAN Y it will have ARP entries on both VLANs.
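As an added illustration of the per-VLAN ARP behaviour described above (this is not code from the thread or from Cisco): a small Python script that parses constructed `show ip arp` output and flags MAC addresses that still hold entries in more than one VLAN, which is the stale-quarantine condition the original poster is chasing. The VLAN numbers, addresses and the `Vlan99` quarantine SVI name are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Cisco IOS "show ip arp" output; the
# addresses, MAC and VLAN numbers below are made up for this example.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.15.0.1               -   0011.2233.4455  ARPA   Vlan15
Internet  10.15.0.57              3   aabb.cc00.1122  ARPA   Vlan15
Internet  10.99.0.1               -   0011.2233.4456  ARPA   Vlan99
Internet  10.99.0.23             12   aabb.cc00.1122  ARPA   Vlan99
Internet  10.15.0.60              1   aabb.cc00.3344  ARPA   Vlan15
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+(?:\.\d+){3})\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)$",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return (ip, mac, interface) tuples parsed from show ip arp output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["intf"]))
    return entries


def find_multi_vlan_macs(entries):
    """Map each MAC seen on more than one VLAN interface to a sorted list of
    (interface, ip) pairs; MACs seen on a single VLAN are normal and skipped."""
    seen = defaultdict(set)
    for ip, mac, intf in entries:
        seen[mac].add((intf, ip))
    return {mac: sorted(rows) for mac, rows in seen.items()
            if len({intf for intf, _ in rows}) > 1}


def stale_entries(dups, quarantine_intf):
    """From the duplicates, return the (mac, ip) pairs left over on the
    quarantine SVI: these are the entries an operator would clear."""
    return sorted((mac, ip) for mac, rows in dups.items()
                  for intf, ip in rows if intf == quarantine_intf)


if __name__ == "__main__":
    dups = find_multi_vlan_macs(parse_arp(SAMPLE_ARP))
    for mac, rows in dups.items():
        print(mac, "->", ", ".join(f"{intf}:{ip}" for intf, ip in rows))
    print("stale on quarantine VLAN:", stale_entries(dups, "Vlan99"))
```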
09-17-2018 07:02 AM
Hello Paul
First thank you for taking the time to answer my question.
The problem is I can't really propose a different topology for my client for his existing network; all I can do is try to find a workaround where he does not generate a ticket each time one of his PCs is not getting network access.
The config for my port is a standard 802.1X:
interface GigabitEthernet1/0/1
network-policy 20
switchport access vlan 15
switchport mode access
device-tracking attach-policy DEVICE_TRACK
authentication timer reauthenticate server
access-session port-control auto
mab
dot1x pae authenticator
storm-control broadcast level pps 100 90
storm-control action trap
auto qos trust dscp
spanning-tree portfast
service-policy type control subscriber 802.1X_POLICY
service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
And thank you again!
09-18-2018 04:11 AM
Hello Paul
I forgot to mention that we are not using MAB even though it is present in the config.
We are using a central CA, which is using the certificate to authenticate the PCs.
And I didn't understand your alternate solution for the quarantine VLAN.
Would you explain or refer me to some links?
09-18-2018 05:41 AM
The switch is going to run a MAB transaction. What does ISE do with it? Deny it? Or is that what gets the device sent to the quarantine VLAN.
Check out the different profilers. The AD profiler can take the DHCP hostname of the device of the FQDN (currently broken in 2.4) and check it against AD to see if the hostname exists in AD. If it exists you have a decent idea that the device is a domain joined computer and maybe don't quarantine VLAN it.
09-18-2018 05:42 AM
Also you could use the MAR cache as well. If the PC does do computer authentication correctly you can set the MAR cache entry and use that in MAB rules to allow the device not to get quarantined. Set your MAR cache timer to something like 30 days.