Multiple dhcp snooping bindings

Zakitis
Level 1

Hi guys,

I am currently applying NAC to my nodes and have recently found out that some users are using NetGear micro switches to use multiple devices with the same port.

When applying NAC, this prevents those multiple PCs from authenticating on the network, which is great. However, I am wondering if there is another method/command that allows identifying multiple PCs/a micro switch connected to the same port. This is so that I can identify these devices before applying NAC.

TIA


9 Replies

Can you elaborate more?
MHM 

Hi,

I found out that there is a NETGEAR 5 Port Gigabit Network Switch (GS105)/Ethernet Splitter connected to a C9200 switchport, which is not detectable with the show mac address-table command:

SWITCHNAME-9200-E1#sh mac add | inc Gi3/0/28
DATA_V aaaa.1b1b.cccc STATIC Gi3/0/28

You can only see the multiple MAC addresses when issuing the show ip dhcp snooping binding command:

SWITCHNAME-9200-E1#sh ip dhcp sno bin int gi3/0/28
Load for five secs: 3%/0%; one minute: 4%; five minutes: 4%
Time source is NTP, 15:53:25.325 GMT Mon Jan 8 2024

MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
AA:AA:1B:1B:CC:CC 10.10.10.1 33390 dhcp-snooping DATA_V GigabitEthernet3/0/28
AA:AA:1B:1B:DD:DD 10.10.10.2 20921 dhcp-snooping DATA_V GigabitEthernet3/0/28
AA:AA:1B:1B:EE:EE 10.10.10.3 20854 dhcp-snooping DATA_V GigabitEthernet3/0/28
Total number of bindings: 3

All three IPs are pingable.

When I apply NAC to the port, it automatically authenticates only one dot1x device on that port, which is expected according to the settings I have applied, and de-authenticates the other two.

My question is whether there is another way to detect multiple IP addresses bound to the same port at the same time, as this could mean that there are potentially other hubs connected to other ports, like in this case.

If you use pre-auth, then the host can get an IP before auth.

And auth makes the SW learn and add only one MAC to the port.

So it's a chicken-and-egg issue.

If you prevent the host from getting an IP before auth, it cannot learn an IP even after auth.

Can I see the switchport config?

MHM

Thank you MHM.

Effectively, there should be only one PC connected to one port; maximum, phone + PC.

Here's the port config:

interface GigabitEthernet3/0/28
description ** NODE/PORT_ID **
switchport access vlan DATA_VLAN
switchport mode access
switchport voice vlan VOICE_VLAN
switchport port-security maximum 3
switchport port-security violation protect
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
no logging event link-status
authentication event fail action authorize vlan NAC_VLAN
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event no-response action authorize vlan NAC_VLAN
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 600
authentication timer unauthorized 60
authentication violation replace
mab
trust device cisco-phone
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level bps 20m
storm-control multicast level bps 25m
storm-control action trap
auto qos voip cisco-phone
macro description AccessEdgeQoS
spanning-tree portfast
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip dhcp snooping limit rate 30
end


Can you share the output of show port-security address?
MHM

I'm afraid I can't, but this is also useful as it lists all the active devices in order, which allows me to spot multiple entries on the same port and the same VLAN. So thank you!

Does port security list the MAC as an 802.1x address or not?
There are many restrictions on using port security with 802.1x.
I think you hit one of these restrictions.
MHM

Hello,

In order to detect when someone connects a Netgear device, you could run an EEM script (example below). The script detects the Netgear OUI and shuts down the port (you can obviously take any action you want). It also sends an email informing you that a Netgear has been connected...

event manager environment _email_to to_email@mail.com
event manager environment _email_server username:password@smtp.mail.com
event manager environment _email_from from_email@mail.com
event manager environment netgear_oui 0024.b2
event manager applet detect-mac
event mat mac-address "^$netgear_oui"
action 001 syslog msg "detect-mac running"
action 002 cli command "enable"
action 003 cli command "config t"
action 004 cli command "interface $_mat_intf_name"
action 005 if $_mat_notification eq "add"
action 006 cli command "shut"
action 007 end
action 008 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "Netgear switch detected - interface $_mat_intf_name on $_info_routername shut down" body "$_cli_result"
action 009 syslog msg "Netgear switch detected on interface $_mat_intf_name"
action 010 cli command "end"
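The two detection ideas in this thread (spotting several DHCP snooping bindings on one port and VLAN, as in the original poster's output, and matching a vendor OUI, as the EEM script above does) can also be applied offline to captured CLI output. The following Python script is an added example and is not code from the thread or from Cisco; it parses the text of `show ip dhcp snooping binding`, reports every interface/VLAN pair that holds two or more MAC bindings, and separately lists bindings whose OUI is on a watch list. The sample output, MAC addresses, IPs and the `WATCH_OUIS` list are constructed for the example (the `0024.b2` prefix is the one the EEM post uses); the parser accepts whatever token appears in the VLAN column, so it works whether the switch prints a VLAN number or, as in the post above, a name.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the thread's `show ip dhcp snooping binding`
# listing. All MACs and IPs are made up. Gi3/0/28 mirrors the micro-switch
# case (three hosts in one VLAN); Gi3/0/5 is a legitimate phone + PC port
# (two MACs, but in two different VLANs); Gi3/0/12 carries a watched OUI.
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
AA:AA:1B:1B:CC:CC   10.10.10.1       33390       dhcp-snooping  100   GigabitEthernet3/0/28
AA:AA:1B:1B:DD:DD   10.10.10.2       20921       dhcp-snooping  100   GigabitEthernet3/0/28
AA:AA:1B:1B:EE:EE   10.10.10.3       20854       dhcp-snooping  100   GigabitEthernet3/0/28
00:24:B2:01:02:03   10.10.20.7       40000       dhcp-snooping  100   GigabitEthernet3/0/12
AA:AA:2C:2C:11:11   10.10.10.9       30000       dhcp-snooping  100   GigabitEthernet3/0/5
AA:AA:2C:2C:22:22   10.10.30.9       30000       dhcp-snooping  300   GigabitEthernet3/0/5
Total number of bindings: 6
"""

# OUI prefixes to flag; the value is taken from the EEM post above (assumption
# for this example, not a vendor database).
WATCH_OUIS = ["0024.b2"]

# One binding row: MAC, IP, lease, type, VLAN token, interface. Header, ruler
# and "Total number of bindings" lines deliberately do not match.
BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<lease>\S+)\s+"
    r"(?P<type>\S+)\s+"
    r"(?P<vlan>\S+)\s+"
    r"(?P<intf>\S+)\s*$"
)


def parse_bindings(text):
    """Return a list of dicts, one per binding row found in the CLI output."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def ports_with_multiple_hosts(rows, threshold=2):
    """Map (interface, vlan) -> sorted MAC list for pairs with >= threshold MACs.

    Grouping per VLAN is what keeps a normal phone + PC port (one MAC in the
    data VLAN, one in the voice VLAN) from being reported as a hub.
    """
    groups = defaultdict(set)
    for r in rows:
        groups[(r["intf"], r["vlan"])].add(r["mac"].upper())
    return {k: sorted(v) for k, v in groups.items() if len(v) >= threshold}


def oui_of(mac):
    """First three octets of a MAC as six upper-case hex digits, any separator."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()[:6]


def bindings_matching_oui(rows, watch_ouis):
    """Rows whose MAC starts with one of the watched OUIs (dotted or colon form)."""
    wanted = {oui_of(o) for o in watch_ouis}
    return [r for r in rows if oui_of(r["mac"]) in wanted]


if __name__ == "__main__":
    rows = parse_bindings(SAMPLE_BINDINGS)
    for (intf, vlan), macs in sorted(ports_with_multiple_hosts(rows).items()):
        print(f"{intf} vlan {vlan}: {len(macs)} hosts -> {', '.join(macs)}")
    for r in bindings_matching_oui(rows, WATCH_OUIS):
        print(f"watched OUI {oui_of(r['mac'])} on {r['intf']} ({r['mac']}, {r['ip']})")
```

Feed it the saved output of `show ip dhcp snooping binding` from each access switch (for example from a scheduled collection run) and review the reported ports before enabling NAC on them. As MHM notes above, once 802.1X is enforced only the authenticated host keeps its binding, so this inventory is most informative while the ports are still in the pre-auth state.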

Thank you! This is a good idea too.
