MAC address table showing drop on Voice VLAN when critical template applied

dodgerfan78
Level 1

Testing an AAA down scenario. The service template gets applied, but the MAC address table shows drop and I can't pass traffic on the voice VLAN. If I switch to "open" mode it will work. Any ideas? Switch is a 3850 16.12.3a.

Config:

service-template CRITICAL
 voice vlan
 vlan 13

interface GigabitEthernet1/0/13
 description ISE_TEST_PORT
 switchport access vlan 999
 switchport mode access
 switchport voice vlan 12
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 10
 spanning-tree portfast
 service-policy type control subscriber POLICY_DOT1X
end

Show commands showing the critical template is applied:

3850-01#sho mac address-table
12 aaaa.bbbb.cccc DYNAMIC Drop

PDXL-3850-01#sho access-session int g1/0/13 details
Interface: GigabitEthernet1/0/13
...
Current Policy: POLICY_DOT1X
Local Policies:
Service Template: CRITICAL (priority 150)
Voice Vlan: Vlan: 12
Vlan Group: Vlan: 13

Accepted Solution

Greg Gibbs
Cisco Employee

It's difficult to say without seeing the entire policy and NAC config on the switch, but I would first suggest using separate critical templates for the data and voice VLANs and check your configuration against the examples in the Closed Mode section of the Secure Wired Access Prescriptive Deployment Guide.

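The split Greg suggests, written out as an added example (not configuration from the original post, from Greg, or from the deployment guide): one service template for the data domain and one for the voice domain, both activated by the AAA-unreachable branch of the control policy so the phone session receives only the port's voice VLAN. The template and class-map names are assumptions, VLAN 13 (critical data) and VLAN 12 (port voice VLAN) are taken from the question, and the rest of POLICY_DOT1X (session-started, the other authentication-failure classes) is assumed to stay as it is.

```cisco
! Added example, not the original poster's config. Two critical
! templates: the data host gets VLAN 13, the phone session gets the
! port's voice VLAN (12) when RADIUS/ISE is unreachable. Names assumed.
service-template CRITICAL_DATA
 vlan 13
service-template CRITICAL_VOICE
 voice vlan
!
! A session whose AAA request timed out (server dead), split by whether
! it was already authorized before the outage.
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
! Sessions currently holding either critical template; used to decide
! what to do once the AAA server comes back.
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_DATA
 match activated-service-template CRITICAL_VOICE
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_DATA
 match activated-service-template CRITICAL_VOICE
!
! Only the critical-auth parts of the policy are shown; the remaining
! events and classes of POLICY_DOT1X are assumed unchanged.
policy-map type control subscriber POLICY_DOT1X
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_DATA
   20 activate service-template CRITICAL_VOICE
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
```

To verify after the change, repeat the AAA-down test and check `show access-session interface g1/0/13 details` for each session on the port: the phone's session should list only the voice template, and `show mac address-table` should no longer show Drop for the phone's MAC in VLAN 12. The single template in the question carries both `vlan 13` and `voice vlan`, and the posted `show access-session` output shows one session with both "Voice Vlan: 12" and "Vlan Group: 13"; keeping the two domains in separate templates is what avoids that overlap. The `aaa-available` event clears critical-auth sessions so they re-authenticate against ISE once it is reachable again, rather than staying on the critical VLANs indefinitely.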

2 Replies

KelvinT
Level 1

Hello,

To fix this you need to do the following on ISE.

In ISE: Policy --> Policy Elements --> Results --> Authorization --> Authorization Profile

Whichever profile you create for the phone/voice, check the box for "Voice Domain Permission".

It's failing/dropping because the voice traffic isn't getting tagged correctly. It needs the below AV-pair.

[Image: KelvinT_3-1668457560872.png]

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-1072518442

Hope this helps.