Re: IP Device Tracking doesn't always register the IP of a device

djlcurly · ‎04-08-2022

I have a bit of a problem with IP device tracking on my switches, it doesn't always work. For whatever reason the switch sometimes never registers the IP unless I clear the arp entry from the core and force a new arp to be generated with a ping, though this will obviously happen eventually.

This is the relevant configuration from the switches:

ip device tracking probe auto-source fallback 0.0.0.0 255.255.255.0 override
ip device tracking probe delay 60

It isn't causing a ton of issues at the moment because I don't really use DACLs in that many places, just getting started down full ISE and 802.1x implementation. That being said I don't feel particularly confident that the DACL process is going to protect us from threats in the way that Cisco advertises if the switch randomly fails to identify the IP of device and then just doesn't apply an ACL as a result. If there was a way to log when this happens that would at least make us aware of it, but at the moment I wouldn't know it was an issue unless I was logging into every switch daily looking through every "sh access-session int gx/0/x de"

MHM Cisco World · ‎04-08-2022

ip device tracking probe auto-source fallback 0.0.0.X 255.255.255.0 override <- try change the source

source of Probe
1- SVI if config
2- search table "this you override with keyword override"
3- same IP destination except change the last Host IP address bit with X

after check the Cisco Doc. you can specify other than 1 so I correct my comment.
you can use any UNUSE ip in this VLAN AND NOT 0 to be the source of ARP this not make conflict with GW that use p.p.p.1

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.html

djlcurly · ‎04-08-2022

No.

If I change it to .1 then the devices start to populate their Arp table with that and then the gateway isn't there and bad things happen, then stop happening, then start happening again.

Flavio Miranda · ‎04-08-2022

You didn´t mention which device and version you have but make sure you are using SISF-Based Device-Tracking. I think it start in Cisco IOS XE Everest 16.5.1a.

The legacy option which is IP Device Tracking (IPDT) has some problems but I´ve seem SISF running in large network and it seems to work just fine.

djlcurly · ‎04-08-2022

Running a Cisco 2960x with version 15.2(7)E4. I will look into this though. Yeah these switches don't run XE so doesn't look like this is an option.

Leo Laohoo · ‎04-08-2022

Those commands look weird. We don't use them.

conf t
 ip device-tracking
interface <PORT>
 ip device-tracking max <number> 
end

The above is what we got.

By the way, for consistency purposes, there are several ways to deploy IPDT in Cisco IOS-XE. Here are the "rules":

If the switch has IPDT enabled in 3.X.X, the continue using the command "ip device-tracking".
If not, use the command "device-tracking database"

djlcurly · ‎04-11-2022

Sorry, should have mentioned in the post, I am not using IOS-XE

Leo Laohoo · ‎04-11-2022

Try the commands I have posted.

djlcurly · ‎04-12-2022

I am not running IOS-XE. Sorry, I should have mentioned that...

Leo Laohoo · ‎04-12-2022

@djlcurly wrote:

I am not running IOS-XE. Sorry, I should have mentioned that...

The command is wrong.
Please read my previous reply.

djlcurly · ‎04-12-2022

Yeah I already run that. Check your show run all, you'll find something similar to my commands. Do a "show ip device tracking all" and you'll see source selection and probe delay times. If I didn't have device tracking on I would never be getting the information. I have thousands upon thousands of ips tracked no problem. But occasionally some don't stay. I'll just make a TAC case.

Leo Laohoo · ‎04-12-2022

The command is there: ip device tracking

djlcurly · ‎04-13-2022

Which is not the command you sent.

Here is a link to a doc explaining how IPDT works https://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html

It clearly shows my commands. Additionally explaining that it is enabled by default in more recent IOS releases. It doesn't actually show up in the running config on my device.