09-03-2015 03:49 AM - edited 03-10-2019 11:01 PM
Hi, all.
I have been testing the new IBNS 2.0 features for some days now; the testing equipment is this:
Model number : WS-C3750X-48PF-S
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 54 WS-C3750X-48P 15.2(3)E2 C3750E-UNIVERSALK9-M
What I am trying to do is the following:
Having a static access-port config (using a "standard-port-config" interface template), I try to overwrite/overlay this standard template with another one (configured locally on the switch) by sending down the template name via the RADIUS server (in this case ISE 1.4 Patch 3) after authentication of an access point (in FlexConnect mode).
Here are the templates:
template TEMPLATE_INTERFACE_standard_dot1x_mod_0_1_2
dot1x pae authenticator
spanning-tree portfast trunk
spanning-tree bpdufilter disable
spanning-tree bpduguard enable
spanning-tree guard loop
switchport access vlan x
switchport mode access
switchport nonegotiate
switchport voice vlan y
storm-control broadcast level 5.00
storm-control action shutdown
mab
access-session host-mode multi-domain
access-session port-control auto
authentication periodic
ip dhcp snooping limit rate 10
load-interval 60
This is the template that is sent down by the radius:
template TEMPLATE_INTERFACE_access_points
spanning-tree portfast trunk
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
switchport trunk encapsulation dot1q
switchport trunk native vlan x
switchport trunk allowed vlan x,y,z
switchport mode trunk
storm-control broadcast level 5.00
storm-control action shutdown
ip dhcp snooping limit rate 20
ip dhcp snooping trust
load-interval 60
When the access point is connected, it gets authenticated (via mab) and authorized, the authorization profile contains the template-name:
cisco-av-pair=interface-template-name=TEMPLATE_INTERFACE_access_points
The template gets applied to the port and everything looks good, but:
When the template is applied, the access port is turned into a trunk (802.1q) port, and the allowed VLANs are specified in the template, but even though the VLANs are allowed, no traffic is going over the port.
After troubleshooting I have found the reason why:
sh interfa trunk:
Port Mode Encapsulation Status Native vlan
Gi1/0/5 on 802.1q trunking x
Port Vlans allowed on trunk
Gi1/0/5 none
Port Vlans allowed and active in management domain
Gi1/0/5 none
Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/5 none
Although the trunk has an allowed VLAN range applied in the config, no VLANs are allowed!
The port config looks like this:
sh deriv int gig1/0/5
interface GigabitEthernet1/0/5
description [Land]/[Stadt]/[Standortkennziffer]/[Gebaeude]/[Verteilerraum]/[Schrank]
switchport access vlan x
switchport trunk encapsulation dot1q
switchport trunk native vlan y
switchport trunk allowed vlan x,y,z
switchport mode trunk
switchport nonegotiate
switchport voice vlan 409
no logging event link-status
load-interval 60
authentication periodic
access-session host-mode multi-domain
access-session closed
access-session port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
no snmp trap link-status
dot1x pae authenticator
storm-control broadcast level 5.00
storm-control action shutdown
spanning-tree portfast trunk
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
spanning-tree guard loop
service-policy type control subscriber POLICYMAP_standard_dot1x_port
ip dhcp snooping limit rate 20
ip dhcp snooping trust
Is this working as designed? Maybe I missed something?
Or could this be a bug?
Any ideas?
Rgs
Frank
09-03-2015 10:56 AM
You probably already made sure, but are those VLANs you are allowing and the native VLAN actually created on the switch?
Why do you have dhcp snooping trust on the AP port? Is the DHCP server somehow located on that port?
Have you tried manually applying the template on the port and then connecting the AP? What happens then?
09-04-2015 05:46 AM
Hi,
yes, all the VLANs do exist on the switch; if I configure this exact trunk by hand, it works...
It also works when I configure the AP template directly on the port (using "source template ..."); it only does not work when the template is sent by the RADIUS server and overlays the original one...
Yes, we have a DHCP server connected via wireless on this access point :-) Just kidding!
The "ip dhcp snooping trust" is only a leftover from troubleshooting; yes, it makes no sense at this place, but it should not have any impact on turning the port mode into trunk...
Rgs
Frank
09-04-2015 07:05 AM
Hmm, sounds like the template is fine. Do you see the AP's MAC address in the native VLAN once the port has been changed to a trunk? Does the AP get an IP address and start to communicate with the WLC, but then all the tagged VLAN communication fails?
09-04-2015 08:38 AM
Hi,
no, the MAC address of the AP is not in the native VLAN (which is sent down with the AP template), but in the access VLAN that is configured in the "standard" template...
In this state the AP cannot communicate with its WLC...
Seems to me that the "send-template-down-by-radius-attribute-and-temporarily-overwrite-all-other-port-config" feature does not work as expected right now...
12-14-2015 10:11 AM
Any progress with this? Here's what I've learned trying to do the same thing.
When the AP authenticates, before the TEMPLATE_INTERFACE_access_points template gets applied, the MAC address of the AP will be statically bound to the access-mode VLAN that is assigned to the port.
When you change the native VLAN via the template, it will break because of this static MAC binding. Therefore you CANNOT change the native VLAN away from the access-mode VLAN via a template like you are trying to.
The second issue is that a FlexConnect AP must have host-mode set to "multi-host", so unlimited clients will be let in once the AP has authenticated.
If the original host-mode is anything else (very likely, since multi-host makes no sense in a default template/config), you'll need two additional commands in the AP template:
access-session host-mode multi-host
access-session interface-template sticky
The reason can be found in the documentation here http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ibns/configuration/15-e/ibns-15-e-book/ibns-autoconf.html
The access-session interface-template sticky command is mandatory to apply a built-in template that contains access-session commands on an interface.
This limitation breaks the concept of completely dynamic configurations, which is what you want to achieve; however, it is better than a macro solution, since this sticky template does not get written to startup-config, it only stays stuck in the running-config.
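Added example (my own Python, not from the thread or from Cisco): a small checker that parses two IOS-style interface templates and flags the three conditions described in this post, namely a pushed native VLAN that differs from the base template's access VLAN, a host-mode that is not multi-host, and access-session commands in the pushed template without the sticky option. Template names and VLAN numbers are constructed.

```python
import re

def parse_template(text):
    """Split an IOS 'template NAME' block into (name, [stripped command lines])."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    m = re.match(r"template\s+(\S+)$", lines[0])
    if not m: raise ValueError("first line must be 'template <name>'")
    return m.group(1), lines[1:]

def arg_of(cmds, prefix):
    # Argument after a command prefix, e.g. 'switchport access vlan' -> '10'.
    for c in cmds:
        if c.startswith(prefix + " "):
            return c[len(prefix) + 1:]
    return None

def check_overlay(base_text, pushed_text, flex_ap=True):
    """Findings for a RADIUS-pushed template overlaid on a static base template."""
    base_name, base = parse_template(base_text)
    pushed_name, pushed = parse_template(pushed_text)
    findings = []
    access = arg_of(base, "switchport access vlan")
    native = arg_of(pushed, "switchport trunk native vlan")
    # 1. the AP MAC is bound to the access VLAN before the overlay; a different native VLAN breaks it
    if arg_of(pushed, "switchport mode") == "trunk" and native and native != access:
        findings.append(f"native vlan {native} in {pushed_name} differs from access vlan "
                        f"{access} in {base_name}; AP MAC stays bound to vlan {access}")
    # 2. a FlexConnect AP port needs multi-host (pushed template wins over the base one)
    host_mode = arg_of(pushed, "access-session host-mode") or arg_of(base, "access-session host-mode")
    if flex_ap and host_mode != "multi-host":
        findings.append(f"host-mode is {host_mode}; add 'access-session host-mode multi-host'")
    # 3. access-session commands inside a template require the sticky option
    if any(c.startswith("access-session ") for c in pushed) and "access-session interface-template sticky" not in pushed:
        findings.append(f"{pushed_name} has access-session commands but lacks "
                        "'access-session interface-template sticky'")
    return findings

# Constructed sample templates (names and VLAN numbers made up) modelled on the thread's setup.
BASE = """template STANDARD_PORT
 switchport access vlan 10
 switchport mode access
 access-session host-mode multi-domain"""
PUSHED_BROKEN = """template ACCESS_POINTS
 switchport trunk native vlan 30
 switchport mode trunk"""
PUSHED_FIXED = """template ACCESS_POINTS
 switchport trunk native vlan 10
 switchport mode trunk
 access-session host-mode multi-host
 access-session interface-template sticky"""
```

Running `check_overlay(BASE, PUSHED_BROKEN)` reports the native-VLAN mismatch and the missing multi-host mode, while `check_overlay(BASE, PUSHED_FIXED)` reports nothing.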
10-21-2016 07:23 AM
04-19-2017 12:56 AM
Hi,
Did you find any solution for this problem?
Once the device is authenticated there is no way to remove the sticky config; the only solution that we have for the moment is to reload the switch...
HW: 2960X running 15.2(4)E3
Thanks, Marwen
04-21-2017 04:54 AM
Hello,
No solution. The only way is to use a macro with the link up / link down event.
For example:
macro auto execute AP_MACRO {
if [[ $LINKUP == YES ]]
then conf t
interface $INTERFACE
macro description $TRIGGER
no source template Port_Access
no spanning-tree portfast
switchport mode trunk
switchport trunk native vlan 3
exit
fi
if [[ $LINKUP == NO ]]
then conf t
interface $INTERFACE
no macro description
source template Port_Access
no switchport mode trunk
no switchport trunk native vlan 3
spanning-tree portfast
fi
}
macro auto global processing
I hope it will help.
10-22-2015 04:54 AM
UPDATE:
Does not work with update 15.2(4)E either...