Remove IBNS2 configuration - access session shows unknown status for some

Hi

Is there a way to stop IBNS 2 running on the switch or completely remove it so I can rebuild it again? We have 2 switches in our environment showing a few status unknowns in the access sessions table for ports that are not even configured for IBNS2, and even if I reboot the switch or "clear access session" it still populates in the access session table. See below: the port is defaulted with no config but it still picks up the session after shutting and unshutting the port.

[screenshot attached: rayyaanfayker0006_0-1661322644645.png]

We have multiple of the same switches running with the same firmware and only 2 are giving this problem after we did a fail-over test of the ISE cores. 

thanks


balaji.bandi
Hall of Fame

If the switch is not configured with AAA config to ISE or port configuration, that should be set as the default switch config.

Can you post the below information:

show run

and show run interface x/x (specific one showing unknown)

 

BB


Hi Balaji,

I have attached the for another switch; you can see that for port Te1/0/1, which is an uplink port, it listed all the sessions for that port.

Arne Bier
VIP

Hello @rayyaanfayker0006 

It may have to do with the Device Tracking feature. It's a little known fact (and the Prescriptive Guide unfortunately doesn't mention this) that 802.1Q trunk interfaces require a special Device Tracking configuration to prevent them from learning about endpoints from other switches, and then maintaining reachability with probes (ARP etc.).

I follow the advice from the Cisco Live BRKSEC-3018 document - I create a profile for trunks, and then apply it to all trunks. It's amazing how much better the switches run (esp. large stack switches) - a massive reduction in CPU also.

device-tracking policy DT-TRUNK
 trusted-port
 device-role switch

And then apply it to your trunks:

interface xxxx (including port channels)
 description *** Uplink ***
 switchport mode trunk
 device-tracking attach-policy DT-TRUNK
 ip dhcp snooping trust

On some older IOS-XE I then also have to issue a "clear device-tracking database" command to clear out all the zombie data.


Hi,

Thanks for the feedback. To disable tracking on the port for 2960x switches running 152-7.E4 the command is "ip device tracking max 0", but even with this the entries for IBNS 2 are still showing the sessions in its table after a reboot as well. It's so weird and frustrating that in the background somehow, even with radius not configured on a port, it's applying it.

[screenshot attached: rayyaanfayker0006_0-1661447316940.png]

[screenshot attached: rayyaanfayker0006_3-1661447388852.png]

Maybe it can be a bug, as even with this command, if you check ip device globally it states that it's still enabled.

[screenshot attached: rayyaanfayker0006_4-1661447405372.png]

hslai
Cisco Employee

Years ago, I saw similar on one of my lab switches and they were due to Cisco IOS device classifier (DC). You could try "no macro auto monitor".

More recently with Cisco IOS-XE Polaris on C9K switches, I observed them associated with AutoConf or Auto SmartPort.

You are a legend!! Thanks.

Just added this command to the switch and those unknowns stopped showing up.

p.lan
Level 1

We still have many access-sessions on our trunk links. The device-tracking database is empty for the trunk links as expected, but does anyone know how to prevent the MACs of devices attached to other switches from appearing in the session table on Cat9300 (17.9.4)?

interface TenGigabitEthernet1/0/24 
 description TRUNK
 switchport mode trunk
 switchport nonegotiate
 device-tracking attach-policy DISABLE-IP-TRACKING
 ip arp inspection trust
 auto qos trust 
 spanning-tree portfast disable
 ip dhcp snooping trust
!
!
device-tracking policy DISABLE-IP-TRACKING
 trusted-port
 device-role switch
 no protocol udp
 tracking disable

C9300-ACC-01#show access-session int t1/0/24   
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Te1/0/24                 001b.6606.45fe N/A     UNKNOWN Unauth      0A0A000A0000006666D655CA
Te1/0/24                 001b.6606.4dc6 N/A     UNKNOWN Unauth      0A0A000A0000006E66D65791
Te1/0/24                 001d.c194.6368 N/A     UNKNOWN Unauth      0A0A000A0000007066D658B3
Te1/0/24                 001d.c194.636d N/A     UNKNOWN Unauth      0A0A000A0000006F66D6583A
Te1/0/24                 001d.c195.06d7 N/A     UNKNOWN Unauth      0A0A000A0000006866D6561C
Te1/0/24                 001d.c195.28a6 N/A     UNKNOWN Unauth      0A0A000A0000007166D65901
Te1/0/24                 001d.c195.2a46 N/A     UNKNOWN Unauth      0A0A000A0000006D66D65750
Te1/0/24                 0060.74fe.088a N/A     UNKNOWN Unauth      0A0A000A0000006C66D6573C
Te1/0/24                 00be.432b.e569 N/A     UNKNOWN Unauth      0A0A000A0000008366D67722
Te1/0/24                 0892.04df.1553 N/A     UNKNOWN Unauth      0A0A000A0000007466D65EA0
Te1/0/24                 3473.5ae1.6d82 N/A     UNKNOWN Unauth      0A0A000A0000006B66D65738
Te1/0/24                 384b.7630.03cb N/A     UNKNOWN Unauth      0A0A000A0000007E66D66B07
Te1/0/24                 384b.7630.04b9 N/A     UNKNOWN Unauth      0A0A000A0000007F66D66B0A
Te1/0/24                 384b.76e0.3fbe N/A     UNKNOWN Unauth      0A0A000A0000007B66D66AF8
Te1/0/24                 384b.76e0.49bc N/A     UNKNOWN Unauth      0A0A000A0000008066D66B0E

Tried "no macro auto monitor" to no avail. No smartports or autoconf on this switch, either.
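Because that table can run to many rows on a busy uplink, a small audit helper (added here, not code from any post in this thread) parses "show access-session" output together with the running config and lists only the Domain UNKNOWN sessions that sit on trunk interfaces, so the symptom can be checked across many switches from collected show output. The sample output and config are constructed from the fragments above, and the interface-abbreviation map is an assumed subset covering a few common port types.

```python
# Constructed sample input modelled on the thread's show output and p.lan's trunk config (not a live capture).
SHOW_ACCESS_SESSION = """\
Interface                MAC Address    Method  Domain  Status Fg  Session ID
Te1/0/24                 001b.6606.45fe N/A     UNKNOWN Unauth      0A0A000A0000006666D655CA
Te1/0/24                 001d.c194.6368 N/A     UNKNOWN Unauth      0A0A000A0000007066D658B3
Gi1/0/5                  aabb.cc00.0001 dot1x   DATA    Auth        0A0A000A00000090AAAA0001
"""
RUNNING_CONFIG = """\
interface TenGigabitEthernet1/0/24
 switchport mode trunk
 device-tracking attach-policy DISABLE-IP-TRACKING
!
interface GigabitEthernet1/0/5
 switchport mode access
"""
# Long-form interface prefixes and the abbreviations "show access-session" prints (assumed subset).
ABBREV = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "Port-channel": "Po"}

def short_name(full):
    # TenGigabitEthernet1/0/24 -> Te1/0/24, so config and session rows can be matched
    for long, short in ABBREV.items():
        if full.startswith(long):
            return short + full[len(long):]
    return full

def trunk_interfaces(config):
    # abbreviated names of every interface block containing "switchport mode trunk"
    trunks, current = set(), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = short_name(line.split(None, 1)[1].strip())
        elif line.strip() == "switchport mode trunk" and current:
            trunks.add(current)
    return trunks

def parse_sessions(output):
    # one dict per data row; the Fg column is usually blank, so take Session ID as the last token
    rows = []
    for line in output.splitlines():
        t = line.split()
        if len(t) < 6 or t[1].count(".") != 2:
            continue  # header, separator or unrelated line (Cisco MACs have two dots)
        rows.append({"interface": t[0], "mac": t[1], "method": t[2],
                     "domain": t[3], "status": t[4], "session_id": t[-1]})
    return rows

def phantom_trunk_sessions(output, config):
    # Domain UNKNOWN rows on a trunk interface: the symptom the thread is chasing
    trunks = trunk_interfaces(config)
    return [r for r in parse_sessions(output)
            if r["interface"] in trunks and r["domain"] == "UNKNOWN"]
```

Feed it the full "show run" and "show access-session" text from each switch; an empty result means the trunk carries no UNKNOWN sessions.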

@p.lan - that seems to be the way the product works. I can't find a way of disabling session status on trunks. If it's any consolation, port-channels don't appear in this list. So you could possibly turn your trunk interfaces into port-channel interfaces. Not ideal, but it does the job.

Have you tried configuring 'no access-session monitor' on the switchport?

Example from my lab:

interface GigabitEthernet1/0/46
description ~ uplink to sw1 ~
switchport mode trunk
no access-session monitor
ip dhcp snooping trust
end