Detect physical cable disconnect rather than link down?

isaccounts
Level 1

We use smartport macros triggered by a matched policy in Cisco ISE. Is it possible to detect a physical cable disconnect rather than a down/down event on the port? Default port config (Unauth vlan):

interface GigabitEthernet1/0/2
 device-tracking attach-policy IP-Tracking
 ip access-group ACL_Default in
 source template Port-Dot1x-Default
 spanning-tree portfast
end

When an authorized PC is connected it matches an ISE policy which triggers the following macro:

macro auto execute win10-config {
if [[ $LINKUP == YES ]]
then configure terminal
default interface $INTERFACE
interface $INTERFACE
switchport mode access
switchport access vlan 900
device-tracking attach-policy IP-Tracking
source template Port-Dot1x-Default
macro description $TRIGGER
spanning-tree portfast
exit
fi
if [[ $LINKUP == NO ]]
then configure terminal
default interface $INTERFACE
interface $INTERFACE
device-tracking attach-policy IP-Tracking
ip access-group ACL_Default in
source template Port-Dot1x-Default
spanning-tree portfast
exit
fi
}

When the PC is powered down the link goes down/down and the macro is removed from the port and the port configured back to default (unauth vlan).

We would rather leave the macro in place on a power down but remove it on a physical cable disconnect. Is it possible for the Cisco 9000 switch to know the difference? If I power down or disconnect the cable, the switch logs give the same message.

1 Reply

Leo Laohoo
Hall of Fame

We have been using Dot1X since 2015.  

One of the biggest problems we have is faulty NICs and faulty ports. When a port flaps continuously, it strains the switch's CPU and memory.

Fast forward to switches running IOS-XE with Dot1x.  A continuously flapping port can cause the switch to crash which we have seen many, many times (with TAC cases to boot).

Keep Dot1X simple:  By default, unauthenticated ports are assigned to an ISOLATION VLAN that simply goes nowhere.  As soon as the machine is authenticated it gets punted to the correct VLAN.  As soon as the machine logs out, the port goes back to ISOLATION.
