02-05-2019 10:51 PM - edited 03-08-2019 05:15 PM
Dear all,
I would just like to confirm the following specification mismatch between different Cat3K versions.
So normally, in my understanding, when DOT1X authentication succeeds locally, the switch learns and creates the IP-SGT mapping table below, but on IOS-XE Ver.16.X it suddenly cannot learn it with the same configuration as on IOS-XE Ver.3.X.
*IOS-XE-Ver.03.07.05.E
Cat3650#sh cts role-based sgt-map all
Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
1.1.1.1 12 SXP
10.0.40.1 201 LOCAL
*IOS-XE-Ver.16.03.06
Cat3650#sh cts role-based sgt-map all
Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
1.1.1.1 12 SXP
So I would appreciate it if you could tell me whether there is any additional configuration or specification from 16.X.
Best Regards,
Masanobu Hiyoshi
02-06-2019 02:14 AM
Hello,
How did you configure CTS in 3.x?
02-06-2019 02:21 AM
Hello,
Not sure if this applies to you, but check the bug below:
CTS Untrusted Port with SGT not updated by SISF for IP-SGT
CSCuw77872
Description
Symptom:
IP-SGT mappings are not made for IP hosts learnt on interfaces that are not configured as trusted under cts-manual sub-mode.
Conditions:
When an interface is configured with 'cts manual' without an explicit 'trusted' keyword as in 'policy static sgt trusted'
Workaround:
Configure the interface as trusted using the 'policy static sgt trusted' configuration under cts manual sub-mode
02-06-2019 06:35 PM - edited 02-06-2019 06:35 PM
Hi Georg,
Thank you very much!
I think the bug is very similar to my verification; however, the output below shows that Dot1x auth cannot co-exist with the cts manual configuration.
Cat3650#sh run int Gi1/0/1
*omit
!
interface GigabitEthernet1/0/1
description ###### HOST #####
switchport access vlan 40
switchport mode access
authentication port-control auto
dot1x pae authenticator
end
Cat3650#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cat3650(config)#int Gi1/0/1
Cat3650(config-if)#cts manual
Command rejected (Gi1/0/1): conflict with Dot1x Auth
Best Regards,
Masanobu Hiyoshi
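An added example, not part of the thread and not Cisco code: one way to check for the regression described in the first post is to capture `sh cts role-based sgt-map all` before and after the upgrade and diff the bindings by source. The function names are hypothetical, the two captures are constructed from the outputs quoted above, and only IPv4 rows are assumed.

```python
import re

# Constructed captures, shaped like the two outputs quoted in the thread.
BEFORE = """Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
1.1.1.1 12 SXP
10.0.40.1 201 LOCAL
"""
AFTER = """Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
1.1.1.1 12 SXP
"""

# One binding row: IPv4 address, numeric SGT, source keyword (SXP, LOCAL, ...).
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+([A-Z][A-Z0-9_-]*)\s*$")


def parse_sgt_map(text):
    """Return {ip: (sgt, source)}; headers, rulers and prompts are skipped."""
    bindings = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            bindings[m.group(1)] = (int(m.group(2)), m.group(3))
    return bindings


def diff_bindings(before, after):
    """Compare two captures and report lost, changed and new bindings."""
    b, a = parse_sgt_map(before), parse_sgt_map(after)
    return {
        "lost": {ip: b[ip] for ip in b.keys() - a.keys()},
        "changed": {ip: (b[ip], a[ip]) for ip in b.keys() & a.keys() if b[ip] != a[ip]},
        "new": {ip: a[ip] for ip in a.keys() - b.keys()},
    }


def lost_from_source(before, after, source="LOCAL"):
    """IPs whose binding from the given source vanished after the change."""
    lost = diff_bindings(before, after)["lost"]
    return sorted(ip for ip, (_, src) in lost.items() if src == source)


if __name__ == "__main__":
    print(diff_bindings(BEFORE, AFTER))
    print("lost LOCAL bindings:", lost_from_source(BEFORE, AFTER))
```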