I am testing using automartport macros to enable a port for trunking to support Ap's in flexconnect mode (NEAT with templates doesn't work for us because you can't change to multi-host). This is generally all working ok with macros, however I have noticed that with macros enabled on the switch the trunk port to the uplink switch (not the trunk to the AP) is creating an authentication session for every single mac address that appears on the port.
Even on my little test switch there are over 30 sessions showing. Enabling this on our production switches would cause hundreds if not thousands of sessions to be created.
I have tried applying a device-tracking policy that disables device-tracking to the uplink trunk, and also the "no macro auto processing" command on that interface as well to no avail.
While it is not causing any actual issues on my test switch, because the port has no policy for ISE authentications, having this amount of unecessary auth sessions makes troubleshooting harder and may be affecting the switch in other ways I have not noticed yet.
Does anyone know how to disable this?
switch config snippets:
macro auto global processing
no macro auto global control device
no macro auto global control trigger
!
device-tracking policy TRUNK
trusted-port
device-role switch
tracking disable
!
interface GigabitEthernet1/1/1
switchport mode trunk
device-tracking attach-policy TRUNK
no macro auto processing
no macro auto control device
end
Most of the macro config has been following this chap's blog here:
https://www.wiresandwi.fi/blog/cisco-ise-flexconnect-access-point-auto-smartport-trunk-via-macro-configuration
