IBNS 2.0 Intelligent Aging /w SISF based device-tracking Cat9k 16.x

JasonLeschnik
Level 1

Hi all,

Problem description: Indirectly connected devices (e.g. PCs daisy-chained via phones) do not age out in an ISE + 802.1X (Monitor Mode) environment on Catalyst 3850/9300 switches. The configuration to fix this (subscriber aging) has changed between 3.x and 16.x code.

The current issue I'm facing is that the IPDT-based device-tracking infrastructure has changed between IOS XE 3.x and 16.x, yet the documentation is not clear about how this impacts the Intelligent Aging "probe" functionality in IBNS 2.0 (i.e. the command "subscriber aging inactivity-timer 60 probe").

The original behavior of this command, when applied to a dot1x template, was to age out STATIC MAC entries of clients; with the addition of the "probe" keyword it would ARP probe a device at around the 50-55 second mark before declaring the host "state/dead" and removing its STATIC MAC address entry from the CAM table. This would ensure that if a host was "silent" during that time its dot1x session wouldn't be prematurely cleared. I'm aware that in 16.x code and beyond the device-tracking infrastructure has been changed from IPDT (old) to SISF (new) based tracking, but I cannot seem to get the same behavior for Intelligent Aging even though the commands still exist in the CLI parser.

Does anyone know how to get the "probe" behavior previously seen in 3.6.x code ("subscriber aging inactivity-timer 60 probe"), where the ARP probe is sent from the access switch before evicting the dot1x session? This eviction appears to have been based on "traffic" through the session and was verified by an ARP probe to see if the host was really "alive". Now I need to modify the SISF policy and set something like "device-tracking binding reachable-lifetime 50", which results in the switch having to constantly ARP probe, because SISF device tracking only checks for the presence of ARP and DHCPv4 packets, not generic session traffic.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+ Configuration snippets of what we’re running (Manually enabling device tracking with a custom Policy)
device-tracking policy dot1x
no protocol udp
tracking enable

vlan configuration 27
device-tracking attach-policy dot1x

+ dot1X configuration to enable the aging + ARP probe
subscriber aging inactivity-timer 60 probe
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Not sure if there is something easy I'm missing, but long story short, I'd just like to achieve the same functionality as 3.6.x (Intelligent Aging with silent host detection in >= 16.x code).

Any assistance would be appreciated.

Regards,
Jason.

Accepted Solutions

jl
Level 1

(Same person, Different CCO account).

So I think I might have figured it out; it seems to be a combination of the following configuration. I'm going to follow up with Cisco TAC to determine if this is correct. I cannot find any documentation that explains this.

Global Configuration:

  • ip dhcp snooping
  • ip dhcp snooping vlan x
  • device-tracking binding reachable-lifetime 60

Interface configuration:

  • subscriber aging inactivity-timer 60 probe
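Putting the accepted answer together with the SISF policy from the original post, here is the complete set of commands as one IOS-XE configuration. This is an added example, not the thread author's configuration and not verified against Cisco documentation (the author notes the combination was still to be confirmed with TAC). The VLAN number 27 and the policy name dot1x come from the question; the interface name GigabitEthernet1/0/1 is a placeholder, and the show commands are standard IOS-XE verification commands suggested here as an assumption about what to check.

```cisco
! Global: DHCP snooping gives SISF a second binding source (DHCPv4)
! in addition to ARP, so hosts that renew leases keep their binding.
ip dhcp snooping
ip dhcp snooping vlan 27
!
! Global: have SISF ARP-probe a binding before it expires. The value
! matches the subscriber aging timer below so the two timers line up.
device-tracking binding reachable-lifetime 60
!
! SISF policy exactly as in the question
device-tracking policy dot1x
 no protocol udp
 tracking enable
!
vlan configuration 27
 device-tracking attach-policy dot1x
!
! Interface level (interface name is a placeholder): age the dot1x
! session after 60 s of inactivity, probing the host before eviction.
interface GigabitEthernet1/0/1
 subscriber aging inactivity-timer 60 probe
!
! Verification (output not reproduced here):
! show device-tracking policy dot1x
! show device-tracking database
! show access-session interface GigabitEthernet1/0/1 details
```

The two timers are set equal here because that is what the accepted answer lists; the thread does not state whether the reachable-lifetime must be shorter than, equal to, or longer than the inactivity timer, so compare the device-tracking database against the access-session state on a lab port before rolling this out.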

