10-10-2012 07:27 AM - edited 03-07-2019 09:23 AM
Hi,
I have a C3750G-24PS where a printer appears to have gone off the network, but the ARP cache still shows it in the list (rather than stating incomplete), and in the MAC address table, where I would expect to see the port number, I see the word Drop. See below:
#sh arp | i 31
Internet 10.32.68.31 198 0021.b7fc.e414 ARPA Vlan10
#sh mac- | i e414
10 0021.b7fc.e414 DYNAMIC Drop
Is it simply a case of the device going off the network and this is a transition state before the ARP states incomplete, or is there some other reason for this?
Regards,
Eamon
10-10-2012 10:36 PM
Hi Eamon,
Since the printer is off the network, the MAC address table is showing it as DYNAMIC Drop, and this is not any kind of transition state.
Did you configure any port-security on the interface?
When a switchport port-security maximum command is configured on a port, the port learns the MAC addresses of the devices connected to the port. You can also manually enter the addresses, up to the specified number of allowed MAC addresses. If the switchport port-security maximum command is configured on the 2940, 2950 and 2955, 2970, 3550 or 3750 series of switches, then the addresses do not age out until the switch is reset. If another device is connected to the port after the maximum number has been reached, the port will not permit the new MAC address, even if one or more of the original MAC addresses are inactive.
To avoid having to manually delete the existing secure MAC address, the switchport port-security aging time
Refer:
Regards,
Aru
*** Please rate if the post is useful ***
10-11-2012 12:54 AM
We use dot1x for port security.
Good explanation, thanks for the reply and the link.
01-23-2018 06:53 AM
Hi,
We are seeing similar behavior with Cisco's new 8845 phone connected to a 3750. However, we have no port security and, like the other person on this thread, we are using 802.1x via Cisco ISE. Cisco ISE is fully integrated in this deployment. What is interesting in our case is that even after a switch reset the port will come back as DROP on our voice VLAN and the phone will show up on our data VLAN.
After many hours of the phone just sitting there in a "detecting networking" state, the phone will finally join the voice VLAN and everything is fine then.
It's almost like these new phones won't auth with MAB at first and are trying 802.1x. There is no ISE policy for 802.1x for the phones; we are using MAB for the phones.
But why just this phone model...
Any help would be greatly appreciated
05-01-2018 07:32 AM
Did you find a resolution to your issue? I am experiencing this issue with a full ISE deployment and dot1x.
05-01-2018 07:37 AM
We have an ongoing TAC case opened that is with Cisco development... (case 683800858)
We believe we are having a sync issue between PSN nodes.
I can fill you in more when we get our case resolved.
izzy
08-29-2019 05:51 AM
Did you ever figure anything out on this issue? I'm having the same issue but it's very sporadic.
Thanks.
06-30-2021 03:04 PM
THANK YOU so much for the pointers! I was going through the same problem and the fix that worked for me was to change the priority on the switch port:
authentication order mab dot1x
authentication priority mab dot1x
instead of:
authentication order dot1x mab
authentication priority dot1x mab
Hope this is helpful.
Thank you all again!
-Rez
02-05-2021 09:18 AM
Could you find the problem? I have exactly the same problem now on a SW WS-C2960S-24TS-L 15.0 (2a) SE9
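The check from the first post (an address that still resolves in `sh arp` while the MAC table lists its port as Drop) can be run across a whole switch by correlating the two command outputs. This is an added example, not code from anyone in the thread; the function names are hypothetical and the sample output is constructed, with only the first row of each table taken from the first post.

```python
import re

# Constructed sample output; the first row of each table is the line quoted
# in the first post, the other rows are made up for contrast.
SAMPLE_ARP = """\
Protocol  Address       Age (min)  Hardware Addr   Type   Interface
Internet  10.32.68.31         198  0021.b7fc.e414  ARPA   Vlan10
Internet  10.32.68.40           5  0021.b7fc.aaaa  ARPA   Vlan10
Internet  10.32.68.50           0  Incomplete      ARPA
"""
SAMPLE_MAC = """\
Vlan    Mac Address       Type        Ports
  10    0021.b7fc.e414    DYNAMIC     Drop
  10    0021.b7fc.aaaa    DYNAMIC     Gi1/0/7
  20    0021.b7fc.bbbb    STATIC      Gi1/0/9
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(rf"^Internet\s+(\S+)\s+(\S+)\s+({MAC})\s+ARPA\s+(\S+)", re.I)
MAC_RE = re.compile(rf"^(\d+)\s+({MAC})\s+(\S+)\s+(\S+)", re.I)

def parse_arp(text):
    """Resolved ARP rows as (ip, age, mac, interface); Incomplete rows are skipped."""
    rows = (ARP_RE.match(line.strip()) for line in text.splitlines())
    return [(m[1], m[2], m[3].lower(), m[4]) for m in rows if m]

def parse_mac_table(text):
    """MAC table rows as (vlan, mac, type, port); header lines are skipped."""
    rows = (MAC_RE.match(line.strip()) for line in text.splitlines())
    return [(m[1], m[2].lower(), m[3], m[4]) for m in rows if m]

def find_dropped(arp_text, mac_text):
    """ARP entries whose MAC the switch currently lists with port 'Drop'."""
    dropped = {mac: vlan for vlan, mac, _type, port in parse_mac_table(mac_text)
               if port.lower() == "drop"}
    return [{"ip": ip, "mac": mac, "vlan": dropped[mac],
             "arp_age_min": age, "interface": intf}
            for ip, age, mac, intf in parse_arp(arp_text) if mac in dropped]

if __name__ == "__main__":
    for hit in find_dropped(SAMPLE_ARP, SAMPLE_MAC):
        print(hit)
```
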