cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1413
Views
5
Helpful
6
Replies
Highlighted

double arp entries for the same mac address problem.

Hello 

 

I have a problem relating to my client switch.

In my L3 Switch there is two entries for the same mac address.

 

In my network the ISE authenticate endpoints using 802.1x.if the endpoint failes to authenticate it will land in a quarante VLAN and get an quarante IP from quarante DHCP server and if they succeeded they will access the Fatclient VLAN. with a differnct IP from the Fatclient DHCP server.

sometimes the PC takes a long time to authenticate so it gets its IP from quarante and after a time it get the right IP from the Fatclient DHCP server.

fyi i am using L3 switch for my fatclients and a routed based network.

the Problem is I see in the show arp-cache in my L3 Switch two different IPs for the same MAC address in two diffrent VLANs and the PC does not have a network access untill i clear the arp cache.

is there a way to automate this using ISE?

or is the problem soultion is somewhere else.

Thank you for reading 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Ohh no you are using CPL which is going to make your problem even worse. In CPL, MAB and Do1x happen at the same time. MAB happens almost instantly so the devices have a good chance to getting moved to the quarantine VLAN. If I were walking into this customer, I would explain they have set themselves up for failure with the quarantine VLAN concept.



If you don't want to do that you can using profiling, like the AD profiler, to profile the domain computers and have them not get sent to the quarantine VLAN. You don't have to give them network access, just don't send them to the quarantine VLAN.


View solution in original post

6 REPLIES 6
Highlighted
VIP Advocate

In my opinion, using a quarantine VLAN for unknown devices is setting yourself up for problems like this.  VLAN moves in general can be problematic with DHCP devices.  If the device gets an IP address in one VLAN and then is sent to another VLAN by ISE you can strand the device.  I generally avoid doing VLAN assignments in favor of DACLs/SGTs.  If the devices have static IP then VLAN moves are not a problem.  

 

If you are going to keep doing a VLAN move what is your switchport config?  Are you doing dot1x first then MAB for order?  If so what is your Dot1x timeout.

 

The layer 3 switch have two ARP entries for the same MAC address is correct.  The ARP tables are maintained per interface/VLAN.  So if it sees the MAC on VLAN X and it moves to VLAN Y it will have ARP entries on both VLANs.

Highlighted

Hello Paul 

 

First thank you for taking the time to answer my question.

the Problem is i cant really propose a different topology for my client for his exsiting network all i can do is trying to find a work around where he does not generate a ticket for each time one of his PCs is not getting a network access .

the config for my port is a standerd 802.1x 

 interface GigabitEthernet1/0/1
 network-policy 20
 switchport access vlan 15
 switchport mode access
 device-tracking attach-policy DEVICE_TRACK
 authentication timer reauthenticate server
 access-session port-control auto
 mab
 dot1x pae authenticator
 storm-control broadcast level pps 100 90
 storm-control action trap
 auto qos trust dscp
 spanning-tree portfast
 service-policy type control subscriber 802.1X_POLICY
 service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy.

and thank you agian!  

Highlighted

Ohh no you are using CPL which is going to make your problem even worse. In CPL, MAB and Do1x happen at the same time. MAB happens almost instantly so the devices have a good chance to getting moved to the quarantine VLAN. If I were walking into this customer, I would explain they have set themselves up for failure with the quarantine VLAN concept.



If you don't want to do that you can using profiling, like the AD profiler, to profile the domain computers and have them not get sent to the quarantine VLAN. You don't have to give them network access, just don't send them to the quarantine VLAN.


View solution in original post

Highlighted

Hello Paul

 

I forgot to mention that we are not using mab even though it is present in the config.

we are using a centeral CA which is using the certificate to authenticate the PCs.

and i didnt understand your alternate soution for quarantine VLAN.

Would you explain or refer me to some links?

Highlighted

The switch is going to run a MAB transaction.  What does ISE do with it?  Deny it?  Or is that what gets the device sent to the quarantine VLAN. 

 

Check out the different profilers.  The AD profiler can take the DHCP hostname of the device of the FQDN (currently broken in 2.4) and check it against AD to see if the hostname exists in AD.  If it exists you have a decent idea that the device is a domain joined computer and maybe don't quarantine VLAN it.

Highlighted

Also you could use the MAR cache as well.  If the PC does do computer authentication correctly you can set the MAR cache entry and use that in MAB rules to allow the device not to get quarantined.  Set your MAR cache timer to something like 30 days.

Content for Community-Ad