
cisco 3650 changing switches, printers are sometimes unreachable

Good morning, I ask for help.
I changed all the switches from 3750 to 3650. After the change I noticed that the printers randomly become unreachable. I thought it was a problem related to ARP, so I extended the time. This morning, however, the problem came back. On the switch interface I can see it: the MAC address on the dedicated VLAN is there,
the show interface shows me line protocol up/up, but I can't ping it.

These are the MAC addresses that you see on the interface.
The phone is seen twice; in the other version I did not have this symptom.
Vlan Mac Address Type Ports
---- ----------- -------- -----
192 001e.135c.8958 DYNAMIC Gi3/0/41
246 001e.135c.8958 DYNAMIC Gi3/0/41
246 d8cb.8a8e.72ec DYNAMIC Gi3/0/41

Are you running port-security with 802.1x?
That's not supported and shouldn't be run on the same interface together. Two forms of security trying to do the same thing will cause conflicts.

OK, but the problem of security violation happens even without port security.

Can you post the config of the port g3/0/41, show run int g3/0/41
and also show port-security int g3/0/41

interface GigabitEthernet3/0/41
description "PC e SoftPhone"
switchport access vlan 246
switchport mode access
switchport voice vlan 192
authentication event fail action authorize vlan 30
authentication event server dead action authorize vlan 246
authentication event no-response action authorize vlan 30
authentication order dot1x
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 15
dot1x timeout auth-period 40
spanning-tree portfast
spanning-tree bpduguard enable

 

 

Giallo_5#show port-security int gi3/0/41
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 001e.135c.8958:192
Security Violation Count : 0

Vlan Mac Address Type Ports
---- ----------- -------- -----
192 001e.135c.8958 STATIC Gi3/0/41
246 001e.135c.8958 DYNAMIC Drop
Total Mac Addresses for this criterion: 2
Giallo_5#
May 7 13:01:43.154: %DOT1X-5-FAIL:Switch 1 R0/0: smd: Authentication failed for client (001E.135C.8958) on Interface Gi3/0/41 AuditSessionID 0AB0BC65000038819262006F
Why does it give me the MAC address of the phone 2 times?
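For triaging tables like the ones posted above, here is an added example (not code from this thread or from Cisco) that parses show mac address-table rows and flags the two patterns visible there: one MAC learned in more than one VLAN, and an entry whose port is Drop. The sample rows are copied from the two outputs in the thread and combined; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the two "show mac address-table"
# outputs posted in this thread, combined into one input.
SAMPLE = """\
Vlan Mac Address Type Ports
---- ----------- -------- -----
192 001e.135c.8958 DYNAMIC Gi3/0/41
246 001e.135c.8958 DYNAMIC Gi3/0/41
246 d8cb.8a8e.72ec DYNAMIC Gi3/0/41
192 001e.135c.8958 STATIC Gi3/0/41
246 001e.135c.8958 DYNAMIC Drop
Total Mac Addresses for this criterion: 2
"""

# vlan, dotted MAC, entry type, port (or the literal "Drop")
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples; header, separator and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3).upper(), m.group(4)))
    return rows

def triage(rows):
    """Flag MACs learned in several VLANs and MACs that have a Drop entry."""
    vlans = defaultdict(set)    # mac -> every VLAN it was learned in
    dropped = defaultdict(set)  # mac -> VLANs where the entry points to Drop
    for vlan, mac, _type, port in rows:
        vlans[mac].add(vlan)
        if port.lower() == "drop":
            dropped[mac].add(vlan)
    findings = []
    for mac in sorted(vlans):
        if len(vlans[mac]) > 1:
            findings.append((mac, "multi-vlan", sorted(vlans[mac])))
        if mac in dropped:
            findings.append((mac, "drop-entry", sorted(dropped[mac])))
    return findings

if __name__ == "__main__":
    for mac, kind, vlan_list in triage(parse_mac_table(SAMPLE)):
        print(f"{mac}  {kind:<10}  vlans={vlan_list}")
```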

You have it set to 1 MAC address only in PS, but the port is configured for voice and data, so once it has seen the 2 MACs it disabled it, as it should, since that's what's set.

Maximum MAC Addresses : 1

Set this command under the interface:

switchport port-security maximum 2

I did. If you look at the last message, it is the sh mac address, and the strange thing is that the MAC of the phone is seen on two VLANs; VLAN 192 is that of the phones.

Did you try clearing one of them? It may be temporary, as it's coming up as the trunk is forming ...
clear mac address-tabl dyn address xxxxxxxx
If it's not, it could be a bug or a loop.
And I would set the PS port to violate for now so it does not shut them all down, rather than disable it.

I think it's better to go back to the Everest version; if anything, I will update it from 16.6.5 to 16.6.6.
At least I had no problems with 802.1x, but I had problems reaching it after a day.

I ran the update, and it looks like everything works for the dot1x part. I noticed that the problem of the printer being unreachable after one day seems to be solved by removing port security from the port configuration. Isn't it that this firmware has a system that hides ports that don't pass traffic?

The problem repeats every day; I have to disconnect the devices and they are reachable again.