Switch Port with Dual MAC breaks SDA

~Saj~
Level 1

Hi Community, 

Having an issue where the SD-Access switch is detecting dual MAC addresses from two different VLANs. At this point, I'm guessing it's a client-side (voice device) issue but would like to hear if anyone has come across such scenarios.

Switches on the SDA fabric are configured with 802.1X. The voice device is authenticated to the fabric through profiling. I can see the client is successfully authenticated to the network and assigned the correct VLAN.

===============================================================

Sw-1#sh mac address-table | i 5/0/32
1 0090.8f11.c806 STATIC Gi5/0/32
1020 0090.8f11.c806 STATIC Gi5/0/32

=================================================================

Sw-1#sh authentication sessions interface Gi5/0/32 details
Interface: GigabitEthernet5/0/32
IIF-ID: 0x18C1275C
MAC Address: 0090.8f11.c806
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 00-90-8F-11-C8-06
Device-type: Un-Classified Device
Device-name: Unknown Device
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 168312s
Common Session ID: 0538580A000019E8766E3C02
Acct Session ID: 0x000026fd
Handle: 0x46000a2e
Current Policy: PMAP_DefaultWiredDot1xClosedAuth_1X_MAB


Local Policies:

Server Policies:
Vlan Group: Vlan: 1020
SGT Value: 19


Method status list:
Method State
dot1x Stopped
mab Authc Success

================================================================

Sw-1#sh arp vrf GREEN | i 0090.8f

***** No ARP entry on the switch for the client

===============================================================

Sw-1#sh device-tracking database interface gigabitEthernet 5/0/32
portDB has 0 entries for interface Gi5/0/32, 0 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned


Network Layer Address Link Layer Address Interface vlan prlvl age state Time left


***** No entry on the device tracking database


============================================================
Monitor Capture on port connected to Voice Device ( all traffic)
============================================================

Sw-1#sh monitor capture CAP buffer brief
Starting the packet display ........ Press Ctrl + Shift + 6 to exit

1 0.000000 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
2 0.000259 ac:bc:d9:04:26:20 -> 01:80:c2:00:00:00 STP 60 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
3 1.002462 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1056/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
4 1.999435 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
5 1.999583 ac:bc:d9:04:26:20 -> 01:80:c2:00:00:00 STP 60 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
6 3.014195 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1056/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
7 4.010519 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
8 4.010623 ac:bc:d9:04:26:20 -> 01:80:c2:00:00:00 STP 60 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
9 5.018551 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1056/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
10 6.022782 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
11 6.022909 ac:bc:d9:04:26:20 -> 01:80:c2:00:00:00 STP 60 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
12 6.736321 ac:bc:d9:04:26:20 -> ac:bc:d9:04:26:20 LOOP 60 Reply
13 7.004137 ac:bc:d9:04:26:20 -> 01:80:c2:00:00:0e LLDP 382 TTL = 120 SysName = Sw-1 SysDesc = Cisco IOS Software [Bengaluru], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.6.4, RELEASE SOFTWARE (fc1)\nTechnical Support: http://www.cisco.com/techsupport\nCopyright (c) 1986-2022 by Cisco Systems, Inc.\nCompiled Sun 14-Aug-22 08:58 by mcpre
14 7.078750 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1056/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
15 8.115259 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
16 8.115381 ac:bc:d9:04:26:20 -> 01:80:c2:00:00:00 STP 60 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
17 9.172254 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1056/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
18 10.172371 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
19 10.172489 ac:bc:d9:04:26:20 -> 01:80:c2:00:00:00 STP 60 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
20 11.177633 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1056/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
21 12.176410 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
22 12.176631 ac:bc:d9:04:26:20 -> 01:80:c2:00:00:00 STP 60 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
23 13.180724 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1056/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
24 13.217839 00:90:8f:11:c8:06 -> ff:ff:ff:ff:ff:ff ARP 60 Who has 10.1.10.1? Tell 10.1.10.11
25 14.179045 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
26 14.179160 ac:bc:d9:04:26:20 -> 01:80:c2:00:00:00 STP 60 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
27 14.221960 00:90:8f:11:c8:06 -> ff:ff:ff:ff:ff:ff ARP 60 Who has 10.1.10.1? Tell 10.1.10.11
28 15.184818 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1056/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
29 15.217867 00:90:8f:11:c8:06 -> ff:ff:ff:ff:ff:ff ARP 60 Who has 10.1.10.1? Tell 10.1.10.11
30 16.184548 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
31 16.184733 ac:bc:d9:04:26:20 -> 01:80:c2:00:00:00 STP 60 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
32 16.738018 ac:bc:d9:04:26:20 -> ac:bc:d9:04:26:20 LOOP 60 Reply
33 17.224883 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1056/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
34 18.220811 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
35 18.220919 ac:bc:d9:04:26:20 -> 01:80:c2:00:00:00 STP 60 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
36 19.225118 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1056/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
37 20.223015 ac:bc:d9:04:26:20 -> 01:00:0c:cc:cc:cd STP 64 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0
38 20.224043 ac:bc:d9:04:26:20 -> 01:80:c2:00:00:00 STP 60 RST. Root = 32768/1/ac:bc:d9:0f:2a:80 Cost = 0 Port = 0x81a0


***** Voice device is assigned a static IP 10.1.10.11. The DG for VLAN 1020 is 10.1.10.1. This is the correct VLAN assigned by ISE after the auth process.

Any thoughts on why the switch did not respond to the broadcast the client is sending? Is it breaking due to the dual MAC on the port?


9 Replies

Seems you don't have IP device-tracking operational. Can you play around more with device-tracking on Gi5/0/32? What is the port-/VLAN-level device-tracking configuration?

Hi Andy,

Thanks for the clue. I had a look at the port config and the device-tracking config was missing on the particular port. So I changed the port and I can see an entry. However, the entry is against VLAN 1, not VLAN 1020.

Sw-1#sh device-tracking database interface gigabitEthernet 1/0/47
portDB has 1 entries for interface Gi1/0/47, 1 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned


Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
ARP 10.1.10.11 0090.8f11.c806 Gi1/0/47 1 0005 21s REACHABLE 282 s

Cheers

Saj

I wonder why you can see multiple VLANs on an access port. Can you show "show interface g1/0/47 swi" or "sho interfa trunk | i 1/0/47"?

Hello Andy,

Please find the outputs requested. Device-tracking database shows ARP entry against VLAN 1.


Sw-1#show interface g1/0/47 swi
Name: Gi1/0/47
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 1020 (voip)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Vepa Enabled: false
App Interface: false
Appliance trust: none

Sw-1#show interface trunk | i 1/0/47

***** No Match ****

Hi @~Saj~

Can you share the command:

Show run int Gi5/0/32

The MAC address in question belongs to AudioCodes and it seems the profiling is failing to identify the device. You can see that we do not see any IP address on the authentication session and that's why the communication is not happening.

How does this MAC address look in the ISE logs?


Hi Flavio,

Thanks for the response. There was a missing config on device-tracking. Below is the config on the port that was tested.

interface GigabitEthernet1/0/47
switchport mode access
device-tracking attach-policy IPDT_POLICY
ip flow monitor dnacmonitor input
ip flow monitor dnacmonitor output
ipv6 flow monitor dnacmonitor_v6 input
ipv6 flow monitor dnacmonitor_v6 output
dot1x timeout tx-period 7
dot1x max-reauth-req 3
source template DefaultWiredDot1xClosedAuth
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input DNA-MARKING_IN
service-policy output DNA-dscp#APIC_QOS_Q_OUT
ip nbar protocol-discovery

MAC address is fine in ISE. ISE is authenticating the device with MAB and correctly assigning the port to VLAN 1020. On the switch end, the port is authenticated and on the correct VLAN (VLAN 1020).

But device-tracking says it's in VLAN 1. I'm thinking it's due to the switch port identifying the same MAC on two VLANs.

Sw-1#sh mac address-table | i 1/0/47
1 0090.8f11.c806 STATIC Gi1/0/47
1020 0090.8f11.c806 STATIC Gi1/0/47

Cheers

Saj
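The thread correlates three show outputs by hand (MAC address table, authentication session, device-tracking database). As an added example that is not part of the thread or of any Cisco tooling, this Python script does that correlation over constructed sample outputs modelled on the ones posted: it flags a MAC learned in two VLANs on one port and a MAC that ISE authorized for one VLAN but device-tracking bound to another. The sample strings, regexes and function names are assumptions for illustration.

```python
import re
# Constructed sample outputs modelled on the thread's show commands (not copied from the poster's switch).
MAC_TABLE = """\
1    0090.8f11.c806    STATIC    Gi1/0/47
1020 0090.8f11.c806    STATIC    Gi1/0/47
"""
AUTH_SESSION = """\
MAC Address: 0090.8f11.c806
Vlan Group: Vlan: 1020
"""
DEVICE_TRACKING = """\
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
ARP 10.1.10.11 0090.8f11.c806 Gi1/0/47 1 0005 21s REACHABLE 282 s
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
MAC_TABLE_RE = re.compile(rf"^\s*(\d+)\s+({MAC})\s+\S+\s+\S+", re.I | re.M)  # vlan, mac, type, port
IPDT_RE = re.compile(rf"^\S+\s+\S+\s+({MAC})\s+\S+\s+(\d+)\s", re.I | re.M)  # code, ip, mac, port, vlan

def mac_table_vlans(text):
    """Map MAC -> set of VLANs the switch learned it in ('sh mac address-table')."""
    seen = {}
    for m in MAC_TABLE_RE.finditer(text):
        seen.setdefault(m.group(2).lower(), set()).add(int(m.group(1)))
    return seen

def tracked_vlans(text):
    """Map MAC -> set of VLANs device-tracking bound it to ('sh device-tracking database')."""
    out = {}
    for m in IPDT_RE.finditer(text):
        out.setdefault(m.group(1).lower(), set()).add(int(m.group(2)))
    return out

def authorized_vlan(text):
    """Return (mac, vlan) from the session's Server Policies ('sh authentication sessions ... details')."""
    mac = re.search(r"^MAC Address:\s*(\S+)", text, re.M).group(1).lower()
    vlan = re.search(r"Vlan Group:\s*Vlan:\s*(\d+)", text)
    return mac, (int(vlan.group(1)) if vlan else None)

def find_vlan_mismatch(mac_table, auth_session, ipdt):
    """Flag a MAC that is authorized for one VLAN but learned or tracked elsewhere."""
    mac, want = authorized_vlan(auth_session)
    learned = mac_table_vlans(mac_table).get(mac, set())
    tracked = tracked_vlans(ipdt).get(mac, set())
    findings = []
    if len(learned) > 1:
        findings.append(f"{mac} learned in several VLANs {sorted(learned)} on one port")
    if want is not None and want not in tracked:
        findings.append(f"{mac} authorized for VLAN {want} but device-tracking has it in {sorted(tracked) or 'no VLAN'}")
    return findings
```

Both findings together describe the thread's symptom: the untagged ARP from the phone is learned and tracked in VLAN 1, so the fabric never registers the host in the VLAN ISE assigned.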

You don't have either a data or a voice VLAN configured on the interface. This may be a contributor to the cause. Can you show your VLAN 1020 authorization profile from ISE?

VLAN is pushed by ISE. Please find the auth session of the port.

Sw-1#sh authentication sessions interface Gi5/0/32 details
Interface: GigabitEthernet5/0/32
IIF-ID: 0x18C1275C
MAC Address: 0090.8f11.c806
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 00-90-8F-11-C8-06
Device-type: Un-Classified Device
Device-name: Unknown Device
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 168312s
Common Session ID: 0538580A000019E8766E3C02
Acct Session ID: 0x000026fd
Handle: 0x46000a2e
Current Policy: PMAP_DefaultWiredDot1xClosedAuth_1X_MAB


Local Policies:

Server Policies:
Vlan Group: Vlan: 1020
SGT Value: 19


Method status list:
Method State
dot1x Stopped
mab Authc Success

============================

Looks like AudioCodes doesn't recognize the voice VLAN (usually communicated via CDP to Cisco audio devices from a Cisco switch).

Can you configure "switchport voice vlan 1020" on the port?

Alternatively you can try to drop the voice domain from the authorization profile and assign 1020 as the data VLAN.