08-23-2022 11:34 PM
Hi
Is there a way to stop IBNS 2 running on the switch or completely remove it so I can rebuild it again? We have 2 switches in our environment showing a few status unknowns in the access sessions table for ports that are not even configured for IBNS2, and even if I reboot the switch or "clear access session" it still populates in the access session table. See below: the port is defaulted with no config but it still picks up the session after shutting and unshutting the port.
We have multiple of the same switches running with the same firmware and only 2 are giving this problem after we did a fail-over test of the ISE cores.
thanks
08-24-2022 12:47 AM
If the switch is not configured with AAA config to ISE or port configuration, that should be set as the default of the switch config.
Can you post the information below:
show run
and show run interface x/x (specific one showing unknown)
08-24-2022 01:17 AM
08-24-2022 01:22 PM
Hello @rayyaanfayker0006
It may have to do with the Device Tracking feature. It's a little-known fact (and the Prescriptive Guide unfortunately doesn't mention this) that 802.1Q trunk interfaces require a special Device Tracking configuration to prevent them from learning about endpoints from other switches, and then to maintain reachability with probes (ARP etc.).
I follow the advice from the Cisco Live BRKSEC-3018 document: I create a profile for trunks, and then apply it to all trunks. It's amazing how much better the switch runs (esp. large stack switches); massive reduction in CPU also.
device-tracking policy DT-TRUNK
trusted-port
device-role switch
and then apply it to your trunks:
interface xxxx (including port channels)
description *** Uplink ***
switchport mode trunk
device-tracking attach-policy DT-TRUNK
ip dhcp snooping trust
On some older IOS-XE I have to then also issue a clear device-tracking database command to clear out all the zombie data.
08-25-2022 10:13 AM - edited 08-25-2022 10:26 AM
Hi
Thanks for the feedback. To disable tracking on the port for 2960X switches running 152-7.E4 the command is "ip device tracking max 0", but even with this the entries for IBNS 2 are still showing the sessions in its table after a reboot as well. It's so weird and frustrating that in the background, somehow, even with RADIUS not configured on a port, it's applying it.
Maybe it can be a bug, as even with this command, if you check ip device tracking globally it states that it's still enabled.
08-29-2022 04:55 PM
Years ago, I saw similar on one of my lab switches and they were due to Cisco IOS device classifier (DC). You could try "no macro auto monitor".
More recently with Cisco IOS-XE Polaris on C9K switches, I observed them associated with AutoConf or Auto SmartPort.
08-30-2022 05:42 AM
You are a legend!! Thanks.
Just added this command to the switch and those unknowns stopped showing up.
03-22-2024 08:54 AM
We still have many access-sessions on our trunk links. The device-tracking database is empty for the trunk links as expected, but does anyone know how to prevent the MACs of devices attached to other switches from appearing in the session table on Cat9300 (17.9.4)?
interface TenGigabitEthernet1/0/24
description TRUNK
switchport mode trunk
switchport nonegotiate
device-tracking attach-policy DISABLE-IP-TRACKING
ip arp inspection trust
auto qos trust
spanning-tree portfast disable
ip dhcp snooping trust
!
!
device-tracking policy DISABLE-IP-TRACKING
trusted-port
device-role switch
no protocol udp
tracking disable
C9300-ACC-01#show access-session int t1/0/24
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Te1/0/24 001b.6606.45fe N/A UNKNOWN Unauth 0A0A000A0000006666D655CA
Te1/0/24 001b.6606.4dc6 N/A UNKNOWN Unauth 0A0A000A0000006E66D65791
Te1/0/24 001d.c194.6368 N/A UNKNOWN Unauth 0A0A000A0000007066D658B3
Te1/0/24 001d.c194.636d N/A UNKNOWN Unauth 0A0A000A0000006F66D6583A
Te1/0/24 001d.c195.06d7 N/A UNKNOWN Unauth 0A0A000A0000006866D6561C
Te1/0/24 001d.c195.28a6 N/A UNKNOWN Unauth 0A0A000A0000007166D65901
Te1/0/24 001d.c195.2a46 N/A UNKNOWN Unauth 0A0A000A0000006D66D65750
Te1/0/24 0060.74fe.088a N/A UNKNOWN Unauth 0A0A000A0000006C66D6573C
Te1/0/24 00be.432b.e569 N/A UNKNOWN Unauth 0A0A000A0000008366D67722
Te1/0/24 0892.04df.1553 N/A UNKNOWN Unauth 0A0A000A0000007466D65EA0
Te1/0/24 3473.5ae1.6d82 N/A UNKNOWN Unauth 0A0A000A0000006B66D65738
Te1/0/24 384b.7630.03cb N/A UNKNOWN Unauth 0A0A000A0000007E66D66B07
Te1/0/24 384b.7630.04b9 N/A UNKNOWN Unauth 0A0A000A0000007F66D66B0A
Te1/0/24 384b.76e0.3fbe N/A UNKNOWN Unauth 0A0A000A0000007B66D66AF8
Te1/0/24 384b.76e0.49bc N/A UNKNOWN Unauth 0A0A000A0000008066D66B0E
Tried "no macro auto monitor" to no avail. No smartports or autoconf on this switch, either.
03-24-2024 04:09 PM
@p.lan - that seems to be the way the product works. I can't find a way of disabling session status on trunks. If it's any consolation, port-channels don't appear in this list. So you could possibly turn your trunk interfaces into port-channel interfaces. Not ideal, but it does the job.
03-24-2024 05:30 PM
Have you tried configuring 'no access-session monitor' on the switchport?
Example from my lab:
interface GigabitEthernet1/0/46
description ~ uplink to sw1 ~
switchport mode trunk
no access-session monitor
ip dhcp snooping trust
end
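The thread's check is manual: look at "show access-session" on a trunk, then look at the interface config to see whether a device-tracking policy or "no access-session monitor" is applied. The script below is an added example written for this thread (it is not code from the thread, from Cisco, or from ISE) that does that cross-check for a whole switch at once: it parses the session table, keeps the Method N/A / Domain UNKNOWN entries, and reports for each affected interface whether it is a trunk, whether access-session monitoring is already disabled, and whether any 802.1X/MAB configuration exists on it. The "show access-session" and running-config samples are constructed to match the column layout and interface stanzas posted above; the long-to-short interface-name table covers the common platform names and is an assumption you may need to extend.

```python
"""Cross-check 'show access-session' against the running config to find stray
IBNS 2.0 sessions (Method N/A, Domain UNKNOWN) on ports that do no authentication.

Added example for this thread; not Cisco or ISE code. Sample outputs are
constructed to match the shape of the output posted in the thread.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample of 'show access-session' (same column layout as the thread's output).
SHOW_ACCESS_SESSION = """\
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Te1/0/24 001b.6606.45fe N/A UNKNOWN Unauth 0A0A000A0000006666D655CA
Te1/0/24 001d.c194.6368 N/A UNKNOWN Unauth 0A0A000A0000007066D658B3
Gi1/0/5 0011.2233.4455 dot1x DATA Auth 0A0A000A0000000111111111
Gi1/0/7 0011.2233.4466 N/A UNKNOWN Unauth 0A0A000A0000000222222222
"""

# Constructed running-config excerpt (interface stanzas only).
RUNNING_CONFIG = """\
interface TenGigabitEthernet1/0/24
 description TRUNK
 switchport mode trunk
 device-tracking attach-policy DISABLE-IP-TRACKING
!
interface GigabitEthernet1/0/46
 description ~ uplink to sw1 ~
 switchport mode trunk
 no access-session monitor
!
interface GigabitEthernet1/0/5
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/7
 switchport mode access
!
"""

# Assumed mapping of long interface names to the abbreviations used in show output.
LONG_TO_SHORT = {
    "TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "TwentyFiveGigE": "Twe",
    "FortyGigabitEthernet": "Fo", "HundredGigE": "Hu", "Port-channel": "Po",
}


class Session(NamedTuple):
    interface: str
    mac: str
    method: str
    domain: str
    status: str
    session_id: str


def short_name(ifname: str) -> str:
    """Map 'TenGigabitEthernet1/0/24' to 'Te1/0/24'; already-short names pass through."""
    m = re.match(r"([A-Za-z-]+)(\d.*)$", ifname)
    if not m:
        return ifname
    prefix, rest = m.groups()
    return LONG_TO_SHORT.get(prefix, prefix) + rest


def parse_sessions(text: str) -> List[Session]:
    """Parse the session table; the Fg column may be blank, Session ID is always last."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Interface" or parts[0].startswith("-"):
            continue
        sessions.append(Session(short_name(parts[0]), parts[1], parts[2],
                                parts[3], parts[4], parts[-1]))
    return sessions


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {short interface name: [config lines]} for each interface stanza."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = short_name(line.split(None, 1)[1].strip())
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return stanzas


def audit(show_output: str, running_config: str) -> Dict[str, dict]:
    """For each interface holding N/A/UNKNOWN sessions, report what its config says."""
    stanzas = parse_interfaces(running_config)
    strays: Dict[str, int] = defaultdict(int)
    for s in parse_sessions(show_output):
        if s.method == "N/A" and s.domain == "UNKNOWN":
            strays[s.interface] += 1
    report = {}
    for iface, count in strays.items():
        lines = stanzas.get(iface, [])
        report[iface] = {
            "stray_sessions": count,
            "is_trunk": "switchport mode trunk" in lines,
            "monitor_disabled": "no access-session monitor" in lines,
            "auth_configured": any(l.startswith(("dot1x", "mab", "access-session port-control"))
                                   for l in lines),
        }
    return report


if __name__ == "__main__":
    for iface, info in audit(SHOW_ACCESS_SESSION, RUNNING_CONFIG).items():
        print(iface, info)
```

Run it against the real "show access-session" and "show running-config" text saved from a switch; any trunk that shows up with monitor_disabled False is a candidate for the "no access-session monitor" suggestion above, and an access port with stray sessions and auth_configured False matches the original poster's symptom of sessions appearing on ports with no 802.1X/MAB configuration.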