Problem with clearing a static MAC address on a NEAT port

martinh1
Level 1

Hello everyone,
We've recently come across an issue where a phone is plugged into a port without port security on a C2960CX (supplicant_A) ('dynamic' according to the MAC table). If this phone is then plugged into a second C2960CX (supplicant_B) (port also without port security), the phone can no longer boot.

Both 2960s are connected to a 9300 (authenticator); the uplinks are protected by Cisco's 'NEAT' function. If you look at the MAC table of supplicant_A's uplink port on the 9300, it says the phone's MAC address is static.

Now the question: how do I get this static entry out without having to constantly shut down the uplinks?

The configurations look like this:

Phone port on supplicant_A:

interface GigabitEthernet0/8
description ****
switchport access vlan 5
switchport mode access
switchport voice vlan 105
srr-queue bandwidth share ** ** ** **
priority-queue out
no cdp enable
mls qos trust dscp
spanning-tree portfast edge
spanning-tree bpduguard enable

Phone port on supplicant_B:

interface GigabitEthernet0/8
description ****
switchport access vlan 5
switchport mode access
switchport voice vlan 105
srr-queue bandwidth share ** ** ** **
priority-queue out
no cdp enable
mls qos trust dscp
spanning-tree portfast edge
spanning-tree bpduguard enable

Uplink port on supplicant_A:

interface GigabitEthernet0/12
description Uplink
switchport mode trunk
load-interval **
srr-queue bandwidth share ** ** ** **
priority-queue out
mls qos trust dscp
dot1x pae supplicant
dot1x credentials ****
dot1x supplicant eap profile ****

Uplink port on supplicant_B:

interface GigabitEthernet0/12
description Uplink
switchport mode trunk
load-interval **
srr-queue bandwidth share ** ** ** **
priority-queue out
mls qos trust dscp
dot1x pae supplicant
dot1x credentials ****
dot1x supplicant eap profile ****

Uplink ports on authenticator:

interface GigabitEthernet2/0/11
description supplicant_B
switchport mode trunk
load-interval **
authentication host-mode multi-host
authentication port-control auto
authentication violation restrict
dot1x pae authenticator
spanning-tree portfast trunk
service-policy output ****

interface GigabitEthernet2/0/12
description supplicant_A
switchport mode trunk
load-interval **
authentication host-mode multi-host
authentication port-control auto
authentication violation restrict
dot1x pae authenticator
spanning-tree portfast trunk
service-policy output ****

The error status looks like this:

Step 1: connect phone to supplicant_A (phone works)

authenticator#sh mac add int gi2/0/11
         Mac Address Table
-------------------------------------------

Vlan   Mac Address      Type       Ports
----   -----------      --------   -----
   1   cccc.dddd.2222   STATIC     Gi2/0/11   (supplicant_B, Mac of Gi0/12)
   1   cccc.dddd.1111   STATIC     Gi2/0/11   (supplicant_B, Mac of VLAN 1)
Total Mac Addresses for this criterion: 2
authenticator#sh mac add int gi2/0/12
         Mac Address Table
-------------------------------------------

Vlan   Mac Address      Type       Ports
----   -----------      --------   -----
   1   aaaa.bbbb.2222   STATIC     Gi2/0/12   (supplicant_A, Mac of Gi0/12)
   1   aaaa.bbbb.1111   STATIC     Gi2/0/12   (supplicant_A, Mac of VLAN 1)
   5   xxxx.yyyy.zzzz   STATIC     Gi2/0/12   (phone)
 105   xxxx.yyyy.zzzz   STATIC     Gi2/0/12   (phone)
Total Mac Addresses for this criterion: 4

Step 2: disconnect phone from supplicant_A

authenticator#sh mac add int gi2/0/11
         Mac Address Table
-------------------------------------------

Vlan   Mac Address      Type       Ports
----   -----------      --------   -----
   1   cccc.dddd.2222   STATIC     Gi2/0/11
   1   a4b4.395a.ee40   STATIC     Gi2/0/11
Total Mac Addresses for this criterion: 2
authenticator#sh mac add int gi2/0/12
         Mac Address Table
-------------------------------------------

Vlan   Mac Address      Type       Ports
----   -----------      --------   -----
   1   aaaa.bbbb.2222   STATIC     Gi2/0/12
   1   aaaa.bbbb.1111   STATIC     Gi2/0/12
 105   xxxx.yyyy.zzzz   STATIC     Gi2/0/12
Total Mac Addresses for this criterion: 3

Step 3: connect phone to supplicant_B (phone doesn't work)

authenticator#sh mac add int gi2/0/11
         Mac Address Table
-------------------------------------------

Vlan   Mac Address      Type       Ports
----   -----------      --------   -----
   1   cccc.dddd.2222   STATIC     Gi2/0/11
   1   cccc.dddd.1111   STATIC     Gi2/0/11
   5   xxxx.yyyy.zzzz   STATIC     Gi2/0/11
Total Mac Addresses for this criterion: 3
authenticator#sh mac add int gi2/0/12
         Mac Address Table
-------------------------------------------

Vlan   Mac Address      Type       Ports
----   -----------      --------   -----
   1   aaaa.bbbb.2222   STATIC     Gi2/0/12
   1   aaaa.bbbb.1111   STATIC     Gi2/0/12
 105   xxxx.yyyy.zzzz   STATIC     Gi2/0/12
Total Mac Addresses for this criterion: 3

The phone cannot boot because it cannot load its configuration. It is not forwarded to supplicant_B in voice vlan 105 because the Mac address is still statically attached to supplicant_A.

8 Replies

authentication timer reauthenticate <<- add reauth; this makes the server remove the phone from SW-A and add it to SW-B

I sent the command to both ports on the authenticator and unplugged the phone and plugged it back in; unfortunately the result remains the same.

The port config looks like this now:

interface GigabitEthernet2/0/12
description supplicant_A
switchport mode trunk
load-interval **
authentication host-mode multi-host
authentication port-control auto
authentication timer reauthenticate 60
authentication violation restrict
dot1x pae authenticator
spanning-tree portfast trunk
service-policy output ****

authentication timer reauthenticate 60 <<- reduce the time to the minimum value

Sorry, but why don't you configure dot1x directly on the 2960?

Changed the timer to 1, still no improvement.

In a later step, the telephone ports will be provided with dot1x, but the phones have to load their initial configuration/firmware out of the box. This only works on a free port; even on port-security ports they often bitch around without this config.

authentication mac-move permit

Check this command and apply it on the authenticator; it allows a MAC move between two connected switches.

This command is already in our standard configuration and is active on all switches.

We have also tried 'host-mode multi-auth' instead of 'multi-host' on the interfaces, and various 'clear' commands in privileged mode... None of this helped.

I suggested re-auth first, but I checked the Cisco doc.
The Cisco doc recommends inactivity, not re-auth.

authentication mac-move permit

Use the authentication mac-move permit global configuration command to enable MAC move on a switch. Use the no form of this command to return to the default setting.

authentication mac-move permit

no authentication mac-move permit

Syntax Description

This command has no arguments or keywords.

Defaults

MAC move is enabled.

Command Modes

Global configuration

Command History

Release        Modification
12.2(52)SE     This command was introduced.

Usage Guidelines

The command enables authenticated hosts to move between 802.1x-enabled ports on a switch. For example, if there is a device between an authenticated host and port, and that host moves to another port, the authentication session is deleted from the first port, and the host is reauthenticated on the new port.

Note: MAC address entry from the first port needs to be removed for the new port to succeed in authentication. Use the sub interface command authentication timer inactivity time_in_seconds to remove the MAC address entry from the port.

If MAC move is disabled, and an authenticated host moves to another port, it is not reauthenticated, and a violation error occurs.

MAC move is not supported on port-security enabled 802.1x ports. If MAC move is globally configured on the switch and a port security-enabled host moves to an 802.1x-enabled port, a violation error occurs.

Examples

This example shows how to enable MAC move on a switch:

Switch(config)# authentication mac-move permit
Switch(config)# authentication timer inactivity 4

I tried the inactivity timer, no improvement.

Just to be clear, the phone never appears as a session. The only session I have on this interface is the C2960CX uplink port. The MAC address is stuck in the MAC table. That's why I thought 'multi-auth' could help, to get a session for the phone. But this wasn't the case either. I guess authentication commands aren't helping in this case.

authenticator#sh auth sess int gi2/0/12
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi2/0/12                 aaaa.bbbb.2222 dot1x   DATA    Auth        ************************

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle  Priority  Name
      12         5  dot1xSup
       8         5  dot1x
      13        10  webauth
      11        15  mab
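An added diagnostic, not code from the thread or from Cisco: it parses the two show outputs the poster relied on and flags a MAC that the authenticator still holds on more than one NEAT uplink while no authentication session exists for it, which is exactly the stuck phone entry above. The sample outputs are constructed from the anonymized values posted (MACs, interfaces); `find_moved_macs` and the other names are my own.

```python
import re
from collections import defaultdict
# Constructed sample: the step-3 'show mac address-table' output from the thread (anonymized MACs as posted)
MAC_TABLE = """\
authenticator#sh mac add int gi2/0/11
Vlan   Mac Address      Type       Ports
----   -----------      --------   -----
   1   cccc.dddd.2222   STATIC     Gi2/0/11
   1   cccc.dddd.1111   STATIC     Gi2/0/11
   5   xxxx.yyyy.zzzz   STATIC     Gi2/0/11
authenticator#sh mac add int gi2/0/12
Vlan   Mac Address      Type       Ports
----   -----------      --------   -----
   1   aaaa.bbbb.2222   STATIC     Gi2/0/12
   1   aaaa.bbbb.1111   STATIC     Gi2/0/12
 105   xxxx.yyyy.zzzz   STATIC     Gi2/0/12
Total Mac Addresses for this criterion: 3
"""

# Constructed 'show authentication sessions' excerpt: only the supplicant uplink MACs hold sessions
SESSIONS = """\
Interface                MAC Address    Method  Domain  Status Fg  Session ID
Gi2/0/11                 cccc.dddd.2222 dot1x   DATA    Auth        ****
Gi2/0/12                 aaaa.bbbb.2222 dot1x   DATA    Auth        ****
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(STATIC|DYNAMIC)\s+(\S+)", re.M)
SESS_RE = re.compile(r"^(\S+/\S+)\s+(\S+)", re.M)  # interface names contain a slash

def parse_mac_table(text):
    """Rows of 'show mac address-table' output as (vlan, mac, type, port)."""
    return [(int(v), m.lower(), t, p) for v, m, t, p in ROW_RE.findall(text)]

def parse_sessions(text):
    """Set of (port, mac) pairs that hold an authentication session."""
    return {(p, m.lower()) for p, m in SESS_RE.findall(text)}

def find_moved_macs(rows, sessions):
    """MACs seen on more than one authenticator port, i.e. a stale entry left on the old uplink,
    plus the ports holding a session for them (a host behind a multi-host uplink has none)."""
    entries = defaultdict(list)
    for vlan, mac, _typ, port in rows:
        entries[mac].append((vlan, port))
    return {mac: {"entries": sorted(ent),
                  "session_ports": sorted(p for _v, p in ent if (p, mac) in sessions)}
            for mac, ent in entries.items() if len({p for _v, p in ent}) > 1}

if __name__ == "__main__":
    print(find_moved_macs(parse_mac_table(MAC_TABLE), parse_sessions(SESSIONS)))
```

An empty session_ports list for a MAC listed on two uplinks is the signature of this thread: the entry on the port the phone left (VLAN 105 on Gi2/0/12 here) is the one that has to age out or be cleared.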
