01-16-2024 12:20 AM
The IPT is connected to the SW and the SW interface authentication on RADIUS
The IPT is set to VLAN 401.
Why are Voice Vlans being dropped from Mac table?
Switch#sh mac add | inc 7dca
201 a8e5.397a.7dca STATIC Gi1/0/37
401 a8e5.397a.7dca DYNAMIC Drop
interface GigabitEthernet1/0/37
switchport access vlan 201
switchport mode access
switchport voice vlan 401
load-interval 30
authentication host-mode multi-auth
authentication order mab
authentication priority mab
authentication port-control auto
authentication violation restrict
mab
spanning-tree portfast
end
01-16-2024 01:38 AM
Switch#sh mac add | inc 7dca
201 a8e5.397a.7dca STATIC Gi1/0/37
401 a8e5.397a.7dca DYNAMIC Drop
Looking at the output both the MAC Looks same for the Voice device you connected.
coupld of things need to check - is this working before or failed or never worked ?
what switch model and IOS code running ?
you running 802.1x on the port - are you using ISE ? you configured only MAB is this what requirement ?
01-16-2024 08:01 PM
WS-C2960S-48LPS-L
12.2(58)SE2
We using ISE and only use MAB policy.
If MAB authentication is passed, the Authorization policy is Permit.
01-16-2024 03:11 AM
You add mac of VoIP to dyanimc vlan policy in radius?
How VoIP get vlan 201 in first place?
MHM
01-16-2024 08:15 PM
- You add mac of VoIP to dyanimc vlan policy in radius?
ISE does not use dynamic vlan.
We using ISE and only use MAB policy.
If MAB authentication is passed, the Authorization policy is Permit.
- How VoIP get vlan 201 in first place?
Isn't this because the switch has ACCESS VLAN 201 set on it?
If I remove the voice vlan from the switch and give it accee vlan 401, it will not drop.
01-16-2024 08:36 PM
Yes friend I know you use only MAB
but from your answer the end point only authc not authz
so what happened when you apply only Authc without authz profile in ISE
the endpoint auth and the SW open port and use access vlan for VoIP endpoint
you need to use dynamic assign which make ISE return back the Voice VLAN to SW, this make endpoint Authc and Authz use correct vlan (voice vlan)
MHM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide