
Why are Voice Vlans being dropped from Mac table?

The IPT is connected to the SW, and the SW interface authenticates against RADIUS.

The IPT is set to VLAN 401.

Why are Voice Vlans being dropped from Mac table?

 

Switch#sh mac add | inc 7dca
 201    a8e5.397a.7dca    STATIC      Gi1/0/37 
 401    a8e5.397a.7dca    DYNAMIC     Drop
interface GigabitEthernet1/0/37
switchport access vlan 201
switchport mode access
switchport voice vlan 401
load-interval 30
authentication host-mode multi-auth
authentication order mab
authentication priority mab
authentication port-control auto
authentication violation restrict
mab
spanning-tree portfast
end

 

5 Replies

balaji.bandi
Hall of Fame
Switch#sh mac add | inc 7dca
 201    a8e5.397a.7dca    STATIC      Gi1/0/37 
 401    a8e5.397a.7dca    DYNAMIC     Drop

Looking at the output, both MACs look the same for the voice device you connected.

A couple of things need checking: was this working before and then failed, or has it never worked?

What switch model and IOS code are you running?

You are running 802.1X on the port. Are you using ISE? You configured only MAB; is this the requirement?

Look at the guide below for IBNS 1.0 and 2.0 configuration suggestions.
IBNS 1.0 interface Configuration for Monitor Mode

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515


BB

WS-C2960S-48LPS-L
12.2(58)SE2

We are using ISE and only use a MAB policy.
If MAB authentication is passed, the Authorization policy is Permit.

Did you add the MAC of the VoIP phone to a dynamic VLAN policy in RADIUS?

How does the VoIP phone get VLAN 201 in the first place?

MHM

- Did you add the MAC of the VoIP phone to a dynamic VLAN policy in RADIUS?

ISE does not use dynamic VLAN.
We are using ISE and only use a MAB policy.
If MAB authentication is passed, the Authorization policy is Permit.

- How does the VoIP phone get VLAN 201 in the first place?

Isn't this because the switch has ACCESS VLAN 201 set on it?
If I remove the voice VLAN from the switch and give it access VLAN 401, it will not drop.

Yes friend, I know you use only MAB,
but from your answer the endpoint only gets authc, not authz.
So what happens when you apply only authc without an authz profile in ISE:
the endpoint authenticates, and the SW opens the port and uses the access VLAN for the VoIP endpoint.
You need to use dynamic assignment, which makes ISE return the voice VLAN to the SW; this makes the endpoint authc and authz use the correct VLAN (voice VLAN).
MHM
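
A diagnostic for the symptom discussed in this thread, added here as an example and not posted by any participant: it correlates `show mac address-table` rows with interface stanzas and reports each MAC that is present on a port but whose entry in that port's configured voice VLAN points to `Drop`. The function names are hypothetical, and the third MAC row and the second interface are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's two MAC-table rows plus one unrelated row.
MAC_TABLE = """\
 201    a8e5.397a.7dca    STATIC      Gi1/0/37
 401    a8e5.397a.7dca    DYNAMIC     Drop
 201    0011.2233.4455    STATIC      Gi1/0/12
"""

# Interface stanzas trimmed to the VLAN lines; the second one is constructed.
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/37
 switchport access vlan 201
 switchport voice vlan 401
interface GigabitEthernet1/0/12
 switchport access vlan 201
"""

MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)

def short_name(ifname):
    """GigabitEthernet1/0/37 -> Gi1/0/37, matching the MAC-table port column."""
    m = re.match(r"([A-Za-z]+)([\d/]+)$", ifname)
    return m.group(1)[:2] + m.group(2) if m else ifname

def voice_vlans(config):
    """Map short port name -> voice VLAN id for ports that configure one."""
    result, port = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            port = short_name(line.split()[1])
        elif port and (m := re.match(r"\s*switchport voice vlan (\d+)", line)):
            result[port] = int(m.group(1))
    return result

def dropped_voice_macs(mac_table, config):
    """Return (mac, port, voice_vlan) where the MAC is on a port in one VLAN
    but its entry in that port's voice VLAN points to Drop."""
    by_mac = defaultdict(list)
    for line in mac_table.splitlines():
        if m := MAC_ROW.match(line):
            by_mac[m.group(2).lower()].append((int(m.group(1)), m.group(4)))
    voice = voice_vlans(config)
    findings = []
    for mac, rows in by_mac.items():
        ports = {p for _, p in rows if p.lower() != "drop"}
        drops = {v for v, p in rows if p.lower() == "drop"}
        findings += [(mac, p, voice[p]) for p in sorted(ports) if voice.get(p) in drops]
    return findings
```

Feeding it the full MAC table and running configuration of a switch lists every port where a phone authenticated but its voice-VLAN traffic is not being forwarded.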
