636 Views, 15 Helpful, 4 Replies

Does a port secured switch forward a broadcast on all ports

wags (Level 1)

I have a TAC case open, but it seems like I am not getting through to the engineer. This is a fairly straightforward question to me.

Does a switch forward broadcasts (specifically an ARP request or an unknown-MAC unicast) out all ports, including a port that is not authenticated (i.e. "sh auth sess" is blank for the port)? Can you point me to specific Cisco technical literature that explains how port security works with broadcasts, and whether there are IOS interface commands that can alter the action without totally circumventing port security?

More details: We are running ISE 802.1x with MAB fallback. We have ICS devices that are not capable of, or otherwise not using, certs and instead use MAB. We always have issues getting the ICS device online, but once online they seem to work for long periods of time until they "just stop working". I finally had time to look closer at this, and what I found is as follows. If you put the device into a port, it will not work until you circumvent port security, with, for example, "auth open" on the interface. The device will apparently get an ARP broadcast for the unicast, send a reply, and we are good. We remove "auth open" and all is still good for now. Now simulate a power hit on the switch (or an IOS upgrade) and the ARP (or unicast) apparently does not make it to the device (out the port) until you do an "auth open"; then the ARP table populates, the unicast is seen and replied to, and so on. The same thing can be simulated with "clear auth session". The ICS devices in question "never" initiate traffic; they have statically configured IPs (no DHCP whatsoever) and their application only talks back when spoken to. This happens to be on a Cisco 9K switch.


4 Replies

There are three modes of auth:
monitor <- low security, "not recommended"
Low-mode
High-mode <- the problem is here? Why do you use a silent device with a static IP address ("no DHCP")? This silent device will be un-authed after the first auth process.

So the solution is:

Low-mode
Config a specific VLAN for silent devices and apply this VLAN to any port connected to a silent device.

Config "auth control-direction in".
Config ISE to return an ACL if the MAB auth passes, so this silent device has full access after auth and gets the ACL from ISE.
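The recipe in the reply above, written out as an added example (it is not configuration posted by the reply's author, nor a Cisco reference configuration). The interface name, VLAN number, and the "before" block shown for contrast are assumptions for illustration; the commands themselves are standard IOS/IOS-XE identity commands.

```text
! BEFORE (assumed interface/VLAN, shown for contrast): default bidirectional
! control. Until a session exists the switch forwards nothing out this port,
! so a broadcast ARP for the silent device never reaches it, it never sends
! a frame, and MAB never starts. This matches the "works until a power hit
! or clear auth session" symptom in the question.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 110
 authentication port-control auto
 mab
!
! AFTER: unidirectional control. Egress (switch -> endpoint) is allowed
! before authentication; ingress stays blocked until MAB/802.1X authorizes
! the port. The ARP request now reaches the device, its reply is the first
! ingress frame, the switch learns the MAC and starts MAB.
interface GigabitEthernet1/0/10
 description ICS silent endpoint - static IP, MAB only (assumed port)
 switchport mode access
 switchport access vlan 110
 authentication port-control auto
 authentication host-mode single-host
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication control-direction in
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! IBNS 2.0 (new-style) equivalents on Catalyst 9000 after
! "authentication convert-to new-style":
!   access-session port-control auto
!   access-session control-direction in
!
! Verify: "Oper control dir" should read "in", and after a power cycle or
! "clear authentication sessions interface Gi1/0/10" the MAB session
! should come back on its own once something on the network ARPs for
! the device.
show authentication sessions interface GigabitEthernet1/0/10 details
```

Two caveats worth checking before rolling this out. First, "control-direction in" only opens the egress side; it does not admit any traffic from the endpoint, so it is not the same as "authentication open" and ISE still decides what the port gets. Second, it only helps if something on the switch side actually sends traffic toward the device (the polling master in the question does), and a dACL returned by ISE can only be applied once the switch has learned the endpoint's IP, which on a 9K means SISF device tracking must be active on that port.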

Accepted Solution

Those devices, called "silent devices", always offer some challenges. I faced some problems recently, but with a fabric switch, which makes things harder.

But there was a thread here in the forum, and I found the solution interesting; you may benefit from it.

https://community.cisco.com/t5/network-access-control/wired-802-1x-mab-for-silent-endpoint/td-p/4403961

For future readers.

Both responses have the answer, but I find the extra references in the second better. Specifically, the CLI interface command "auth control-direction in" and the reference to the "wired 802.1x deployment guide".

Thanks again, folks.

We are here in the Cisco community to try to help each other, and we are so happy when an issue is solved.
