
IP Device Tracking - Turns Inactive after default Interval of 300 sec expires

Netmart
Level 1

Hello,

After upgrading from Rel 03.08.E to Rel 3.11 [c4500], we are experiencing issues with IP device tracking: after the IP Device Tracking Probe Interval has expired [now 300 sec in Rel 3.11, before 30 sec], no IP ARP probe requests/responses are seen between the switch and the end device. Thus the IP/MAC binding in IP Device Tracking is removed and Invalid ARP packets are seen.

The port has been bounced, defaulted, etc., with no success. Only if IP device tracking is removed and the port is bounced are packets passed again.

 

The ARP probe is sent under two circumstances:

- The link associated with a current entry in the IPDT database moves from a DOWN to an UP state, and the ARP entry has been populated.

- A link already in the UP state that is associated with an entry in the IPDT database has an expired probe interval.

 

Rel3.0.8.E#sh ip device tracking int tenGigabitEthernet 2/1

--------------------------------------------

Interface TenGigabitEthernet1/1 is: STAND ALONE

IP Device Tracking = Enabled

IP Device Tracking Probe Count = 3

IP Device Tracking Probe Interval = 300

IPv6 Device Tracking Client Registered Handle: 50

IP Device Tracking Enabled Features:

        HOST_TRACK_CLIENT_TRACK_HOST_UPTO_MAX

--------------------------------------------

1.1.1.1  aaaa.bbbb.cccc.dddd 10   TenGigabitEthernet2/1  30              ACTIVE   ARP ==> after 300sec:  INACTIVE STAT

 

 

Part of config:

ip device tracking probe auto-source fallback 0.0.0.99 255.255.255.0 override
ip device tracking probe delay 10

 

 


 

 

interface TenGigabitEthernet1/1
switchport access vlan 100
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 10
switchport port-security aging type inactivity
switchport port-security
ip device tracking maximum 3
ip arp inspection limit rate 100
:
ip verify source tracking port-security
ip dhcp snooping limit rate 5

4 Replies

Marvin Rhoads
Hall of Fame

What you describe sounds like buggy behavior.

Have you opened a TAC case?

Hello Marvin,

Yes, I did. So Cisco claimed that Rel 3.11 for c4500 platform is a stable version.

Today, I experienced another phenomenon where all of a sudden the following parameter disappeared in running config:

 

ip device tracking probe delay 10

 

And consequently a couple of Windows workstations lost their connections, since IP device tracking could not complete its IP ARP probe every 300 sec as expected. It was possible to reissue the command, but it is not visible anymore in the running config. I am wondering whether anyone else is using this code/platform and/or has experience with IP Device Tracking in combination with DAI and DHCP Snoop.

 

Regards,

 

Netmart

Judging by the replies/reviews, it seems that we are the only ones using IP Device Tracking. And Cisco HelpDesk is not useful at all; I have the impression that I have to explain netsec features to them and then they begin to read from the documentation; pretty embarrassing...

Sorry to hear about your experience. I know that hundreds of customers (if not thousands) are using IP device tracking successfully - it is a core feature that enables ISE to work in wired deployments.
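
A configuration-drift check for the symptom reported in this thread (the `ip device tracking probe delay 10` line disappearing from the running config), added here as an example and not code from any poster or from Cisco. The sample configs are constructed from the lines posted above; the function names and the choice of which interface commands count as relying on IPDT are assumptions.

```python
# Global probe lines copied from the config posted in the thread.
REQUIRED_GLOBAL = (
    "ip device tracking probe auto-source fallback 0.0.0.99 255.255.255.0 override",
    "ip device tracking probe delay 10",
)
# Assumption: interface commands from the posted config treated as relying on IPDT.
DEPENDENT = ("ip device tracking maximum", "ip verify source tracking")

def parse_config(text):
    """Split IOS-style config text into global lines and per-interface commands."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise spacing
        if not line or line.startswith("!"):  # skip blanks and separators
            continue
        if not raw[0].isspace():              # column 0: global line or block header
            current = None
            if line.startswith("interface "):
                current = line.split(" ", 1)[1]
                interfaces[current] = []
            else:
                global_lines.add(line)
        elif current is not None:             # indented line inside an interface block
            interfaces[current].append(line)
    return global_lines, interfaces

def ipdt_drift(text):
    """Return missing global probe lines and the interfaces affected by their absence."""
    global_lines, interfaces = parse_config(text)
    missing = [l for l in REQUIRED_GLOBAL if l not in global_lines]
    affected = sorted(n for n, cmds in interfaces.items()
                      if missing and any(c.startswith(DEPENDENT) for c in cmds))
    return {"missing": missing, "affected_interfaces": affected}

# Constructed sample, assembled from the lines posted in the thread.
BASELINE = """\
ip device tracking probe auto-source fallback 0.0.0.99 255.255.255.0 override
ip device tracking probe delay 10
!
interface TenGigabitEthernet1/1
 switchport access vlan 100
 ip device tracking maximum 3
 ip verify source tracking port-security
!
interface TenGigabitEthernet1/2
 switchport access vlan 100
"""
# Same config with the probe delay line gone, as reported in the second post.
DRIFTED = BASELINE.replace("ip device tracking probe delay 10\n", "")
```

Running `ipdt_drift` against periodic running-config snapshots flags the missing probe line before the tracking entries age out and hosts on the affected ports lose connectivity.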
