
WIRED - OPEN/CLOSED Complications on Cisco 3750 Switch

ISE Version:  2.1, patch 6 (soon to be patch 7)

Cisco Switch Image:  c3750e-ipbasek9npe-mz.150-2.SE11/c3750e-ipbasek9npe-mz.150-2.SE11.bin

Open TAC Case:  683828357

Question:  Looking for some support on apparently random dACL deployment issues with a Cisco Catalyst Switch.  Additional details are below


Occasionally a domain computer will be locked out of the network and behave as if it had been quarantined, and then just start working again. The timeframe is hard to pinpoint, generally within a 5-60 minute period.

When a personal MacBook is connected (non-domain computer), you could issue the command show ip access-list int gi1/0/25 and it would show the correct ACL (GUEST-INET-ONLY). Give it a couple of minutes and issue the same command and there would be NO ACL. Give it a few more minutes and it is back, and so on, back and forth.

We don't appear to be having a similar issue with wired endpoints connected to a Cisco 2960XR switch.

It was locking down domain computers and allowing visitor computers full access. They had me delete the voice VLAN and then put it back on my interface. After that the non-domain computer was locked down, which makes no sense, and the domain computer still had issues.

Final thoughts: now that ISE 2.2 is defined as the safe harbor, we have considered upgrading to that; however, we want to ensure it is not a problem with just the Cisco Catalyst code on the 3750 switches.
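As an added example that is not part of the original post or of any Cisco tooling: a small Python script that parses successive captures of `show ip access-lists interface gi1/0/25` and reports each time the per-user (downloadable) ACL appears or disappears, so the window the post describes as "hard to pinpoint" becomes a timestamped list of transitions. The sample captures, the five-minute poll interval, the date and the hash suffixes are constructed assumptions; the `xACSACLx-IP-<name>-<hash>` naming is how an ISE-pushed dACL is listed on IOS, and the script strips that prefix and suffix so a re-authentication that regenerates the hash is not reported as a change.

```python
"""Detect a flapping ISE dACL from periodic captures of
`show ip access-lists interface <ifname>`.

Added example (not from the forum post). The sample output below is
constructed to resemble IOS 15.x output; it is not a real capture.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# IOS lists a per-user ACL pushed by ISE as, for example:
#   Extended IP access list xACSACLx-IP-GUEST-INET-ONLY-5b2c8a91 (per-user)
#       10 permit udp any any eq domain
ACL_HEADER = re.compile(
    r"^\s*Extended IP access list\s+(?P<name>\S+)\s+\(per-user\)", re.MULTILINE)
ACE_LINE = re.compile(r"^\s*\d+\s+(?:permit|deny)\b", re.MULTILINE)
ISE_PREFIX = re.compile(r"^xACSACLx-IP-")
ISE_HASH = re.compile(r"-[0-9a-f]{8}$")


@dataclass
class Snapshot:
    when: datetime
    dacl: Optional[str]   # dACL name without ISE prefix/hash; None if no ACL applied
    ace_count: int        # number of ACE lines seen, 0 when nothing is applied


def dacl_core_name(acl_name: str) -> str:
    """'xACSACLx-IP-GUEST-INET-ONLY-5b2c8a91' -> 'GUEST-INET-ONLY'."""
    return ISE_HASH.sub("", ISE_PREFIX.sub("", acl_name))


def parse_snapshot(when: datetime, show_output: str) -> Snapshot:
    """Turn one capture of the show command into a Snapshot.

    An empty capture (the switch prints nothing for an interface with no
    per-user ACL) is the 'NO ACL' symptom from the post and maps to dacl=None.
    """
    m = ACL_HEADER.search(show_output)
    if m is None:
        return Snapshot(when, None, 0)
    return Snapshot(when, dacl_core_name(m.group("name")),
                    len(ACE_LINE.findall(show_output)))


def find_transitions(snaps: List[Snapshot]) -> List[Tuple[datetime, Optional[str], Optional[str]]]:
    """(time, before, after) for every poll where the applied dACL changed."""
    ordered = sorted(snaps, key=lambda s: s.when)
    return [(cur.when, prev.dacl, cur.dacl)
            for prev, cur in zip(ordered, ordered[1:])
            if prev.dacl != cur.dacl]


def missing_windows(snaps: List[Snapshot], expected: str) -> List[Tuple[datetime, Optional[datetime]]]:
    """Windows (first poll without `expected`, first poll with it again).

    The end is None when the ACL had not come back by the last poll, so an
    ongoing outage is not silently dropped.
    """
    ordered = sorted(snaps, key=lambda s: s.when)
    windows, start = [], None
    for s in ordered:
        if s.dacl != expected and start is None:
            start = s.when
        elif s.dacl == expected and start is not None:
            windows.append((start, s.when))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


# Constructed sample: the show command captured every five minutes on the
# guest port. Hash suffixes and timestamps are made up.
GUEST_ACL = (
    "Extended IP access list xACSACLx-IP-GUEST-INET-ONLY-{h} (per-user)\n"
    "    10 permit udp any any eq domain\n"
    "    20 deny ip any 10.0.0.0 0.255.255.255\n"
    "    30 permit ip any any\n"
)
SAMPLE_POLLS = [
    ("09:00", GUEST_ACL.format(h="5b2c8a91")),
    ("09:05", ""),                               # ACL gone: the reported symptom
    ("09:10", ""),
    ("09:15", GUEST_ACL.format(h="7e01c4aa")),   # back after re-auth, new hash
    ("09:20", ""),                               # gone again, still gone at last poll
]


def load_sample() -> List[Snapshot]:
    return [parse_snapshot(datetime.strptime(f"2018-03-05 {t}", "%Y-%m-%d %H:%M"), out)
            for t, out in SAMPLE_POLLS]


def report(snaps: List[Snapshot], expected: str) -> str:
    lines = [f"{when:%H:%M}  {before or 'none'} -> {after or 'none'}"
             for when, before, after in find_transitions(snaps)]
    for start, end in missing_windows(snaps, expected):
        span = "still missing at last poll" if end is None else f"{(end - start).total_seconds() / 60:.0f} min"
        lines.append(f"{expected} missing from {start:%H:%M}: {span}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(load_sample(), "GUEST-INET-ONLY"))
```

In practice you would feed the script captures taken on a schedule from the switch and line the transition times up against the switch log and the ISE Live Log for the same MAC, which is the kind of correlated timeline TAC will ask for when they move on to debugs.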

Greg Gibbs
Cisco Employee

I can't say that I've seen this symptom before with the 3750/3750-X platforms, so this could be caused by switch or ISE configuration. I would suggest using the following Community post to review Top Ten mis-configured settings as well as the 'Universal IOS Switch Config for ISE' info.

Otherwise, it would be best to continue working with TAC as they may need to look at debugs, etc.



Cisco Employee

I glanced through the case notes and could not find ISE at fault at all, as the switch is retrieving the attributes OK. Please continue working with TAC as Greg suggested.

15.0(2)SE11 is rather old, so it would be worth trying the recommended IOS train, 15.2(2)E5 or E6.

I do not use "switchport block unicast" on my DOT1X interfaces, so it would be good to try without it.
