06-03-2020 10:39 PM
Hello,
After upgrading from Rel 03.08.E to rel 3.11 [c4500] we are experiencing issues with IP device tracking where, after the IP Device Tracking Probe Interval has elapsed [now in rel 3.11 300 sec, before 30 sec], no IP ARP probe requests/responses are seen between switch and end device. Thus the IP/MAC binding in IP Device Tracking is removed and invalid ARP packets are seen.
Port has been bounced, defaulted, etc., with no success. Only if ip device tracking is removed and the port is bounced are packets passed again.
The ARP probe is sent under two circumstances:
- The link associated with a current entry in the IPDT database moves from a DOWN to an UP state, and the ARP entry has been populated.
- A link already in the UP state that is associated with an entry in the IPDT database has an expired probe interval.
Rel3.0.8.E#sh ip device tracking int tenGigabitEthernet 2/1
--------------------------------------------
Interface TenGigabitEthernet1/1 is: STAND ALONE
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 300
IPv6 Device Tracking Client Registered Handle: 50
IP Device Tracking Enabled Features:
HOST_TRACK_CLIENT_TRACK_HOST_UPTO_MAX
--------------------------------------------
1.1.1.1 aaaa.bbbb.cccc.dddd 10 TenGigabitEthernet2/1 30 ACTIVE ARP ==> after 300sec: INACTIVE STAT
Part of config:
ip device tracking probe auto-source fallback 0.0.0.99 255.255.255.0 override
ip device tracking probe delay 10
interface TenGigabitEthernet1/1
switchport access vlan 100
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 10
switchport port-security aging type inactivity
switchport port-security
ip device tracking maximum 3
ip arp inspection limit rate 100
:
ip verify source tracking port-security
ip dhcp snooping limit rate 5
06-03-2020 10:57 PM
What you describe sounds like buggy behavior.
Have you opened a TAC case?
06-04-2020 08:08 PM
Hello Marvin,
Yes, I did. So Cisco claimed that Rel 3.11 for c4500 platform is a stable version.
Today, I experienced another phenomenon where all of a sudden the following parameter disappeared in running config:
ip device tracking probe delay 10
And consequently a couple of Windows workstations lost their connections, since ip device tracking could not complete its IP ARP probe every 300 sec as expected. It was possible to reissue the command, but it is not visible anymore in the running config. I am wondering whether anyone else is using this code/platform and/or has experience with IP Device Tracking in combination with DAI and DHCP Snooping.
Regards,
Netmart
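The two symptoms in this thread (a global IPDT command silently dropping out of the running config, and bindings flipping to INACTIVE once the probe interval passes) can both be caught by polling the switch and checking the captured text. The following script is an added example, not the poster's or Cisco's code; it assumes the running config and the `show ip device tracking` output are captured as plain text, and the sample inputs it embeds are constructed to mimic the thread, not taken from a real device.

```python
"""Check a c4500 running-config and IPDT table for the drift described in the thread.
Added example; inputs are plain-text captures (assumed), samples below are constructed."""
import re

# Global IPDT commands the poster expects to stay in the running config.
EXPECTED_IPDT_GLOBALS = [
    "ip device tracking probe auto-source fallback 0.0.0.99 255.255.255.0 override",
    "ip device tracking probe delay 10",
]

def missing_ipdt_commands(running_config: str, expected=EXPECTED_IPDT_GLOBALS) -> list:
    """Return the expected global IPDT lines that are absent from running_config."""
    present = {line.strip() for line in running_config.splitlines()}
    return [cmd for cmd in expected if cmd not in present]

# One binding row as printed in the thread:
# 1.1.1.1 aaaa.bbbb.cccc.dddd 10 TenGigabitEthernet2/1 30 ACTIVE ARP
ROW_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>[0-9a-fA-F.]+)\s+(?P<vlan>\d+)\s+"
    r"(?P<intf>\S+)\s+(?P<timeout>\d+)\s+(?P<state>ACTIVE|INACTIVE)\s+(?P<src>\S+)"
)

def inactive_bindings(show_output: str) -> list:
    """Return (ip, mac, interface) for every row whose IPDT state is INACTIVE."""
    hits = []
    for line in show_output.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group("state") == "INACTIVE":
            hits.append((m.group("ip"), m.group("mac"), m.group("intf")))
    return hits

# Constructed sample: the probe-delay line has dropped out of the config.
SAMPLE_CONFIG = """\
ip device tracking probe auto-source fallback 0.0.0.99 255.255.255.0 override
interface TenGigabitEthernet1/1
 switchport access vlan 100
 ip device tracking maximum 3
"""
# Constructed sample table after the 300 s probe interval has elapsed.
SAMPLE_SHOW = """\
1.1.1.1 aaaa.bbbb.cccc.dddd 10 TenGigabitEthernet2/1 30 INACTIVE ARP
1.1.1.2 aaaa.bbbb.cccc.eeee 10 TenGigabitEthernet2/2 30 ACTIVE ARP
"""

if __name__ == "__main__":
    print("missing global IPDT commands:", missing_ipdt_commands(SAMPLE_CONFIG))
    print("INACTIVE bindings:", inactive_bindings(SAMPLE_SHOW))
```

Run it against periodic captures and alert when either list is non-empty; a non-empty first list is the config drift the poster saw, a non-empty second list is the binding loss that preceded the workstation outages.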
06-05-2020 02:11 PM
Judging by the replies/reviews, it seems that we are the only ones using IP Device Tracking. And Cisco HelpDesk is not useful at all; I have the impression that I have to explain netsec features to them and then they begin to read from documentations; pretty embarrassing...
06-05-2020 08:54 PM
Sorry to hear about your experience. I know that hundreds of customers (if not thousands) are using IP device tracking successfully - it is a core feature that enables ISE to work in wired deployments.