dot1x behavior on Cat9300 configured with SDA/DNA

hugo.girard
Level 1

Hi,

I have built an SDA fabric with Cat 9300 edge nodes.

I have noticed that I have 802.1x sessions although the ports are not configured for that.

I have also noticed that uplink ports are in this state.

 

switch#show authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/34 0008.5d31.0455 N/A UNKNOWN Unauth 9301160A0000063C87F71BC7
Gi1/0/46 00fe.c84e.1bec N/A UNKNOWN Unauth 9301160A00000011D59BD03A
Gi1/0/44 00fe.c86f.ffec N/A UNKNOWN Unauth 9301160A00000013D59C2BC0
Gi1/0/45 00fe.c87f.575c N/A UNKNOWN Unauth 9301160A00000010D59BCED7
Te1/1/1 084f.a93d.2a5f N/A UNKNOWN Unauth 000000000000000BD58E1556     -> UPLINK
Te1/1/8 084f.a93d.33bf N/A UNKNOWN Unauth 9301160A0000000CD58E36B1     -> UPLINK
Gi1/0/12 1c1a.dfb0.fea3 N/A UNKNOWN Unauth 9301160A0000062E799C686D
Gi1/0/1 2816.a801.0397 N/A UNKNOWN Unauth 9301160A000006DCFE670F3E

 

 

switch#show running-config interface gigabitEthernet 1/0/34
Building configuration...

Current configuration : 203 bytes
!
interface GigabitEthernet1/0/34
switchport access vlan 1042
switchport mode access
device-tracking attach-policy IPDT_MAX_10
load-interval 30
no macro auto processing
spanning-tree portfast
end

 

 

IOS-XE version is 16.12.2 on all my switches.

 

On this particular switch, all ports are configured in DNA with "No authentication".

Could someone explain this behaviour to me?

 

Regards,

 

Hugo

 

 

1 Accepted Solution


jalejand
Cisco Employee

It is cosmetic; it is caused by IBNS 2.0 conversion and macro ports:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo13640


4 Replies 4

rasmus.elmholt
Level 7

Hi,

I have seen the same on 9300.

The uplink ports and other ports in the UP state are shown in show authentication session even though they shouldn't.

Both Trunks, and routed ports.

 

I think this is pure cosmetics. Have not experienced any problems with it yet.

By default, DNA configures access ports on switches in the Fabric with the 'no macro auto processing' command.

I don't understand why this command is enabled globally and then disabled on all ports. So I wonder if removing 'macro auto global processing' would be a good idea, and mainly whether there is any impact.

 

'No macro auto processing' is configured on each interface with an authentication template like Open/Close/Low Impact; macros are used when no authentication template is configured, so APs and phones can trigger their own port configuration.
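
An added example, not part of the original thread and not Cisco tooling: a small audit helper that cross-checks `show authentication sessions` output against the running config, separating the empty `N/A / UNKNOWN / Unauth` entries described above from sessions that deserve a closer look. The `Gi1/0/2` row, the `Gi1/0/2` and `Te1/1/1` config blocks, and the list of commands treated as "authentication enabled" are assumptions made for this example.

```python
import re

# Gi1/0/34 and Te1/1/1 rows are from the question above; the Gi1/0/2 row and
# the Gi1/0/2 / Te1/1/1 config blocks are constructed for this example.
SESSIONS = """\
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/34 0008.5d31.0455 N/A UNKNOWN Unauth 9301160A0000063C87F71BC7
Te1/1/1 084f.a93d.2a5f N/A UNKNOWN Unauth 000000000000000BD58E1556
Gi1/0/2 0050.56aa.0001 dot1x DATA Auth 9301160A0000070000000001
"""
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/2
 access-session port-control auto
 dot1x pae authenticator
interface GigabitEthernet1/0/34
 switchport access vlan 1042
 no macro auto processing
interface TenGigabitEthernet1/1/1
 no switchport
"""

PREFIX = {"Gi": "GigabitEthernet", "Te": "TenGigabitEthernet"}
MAC = re.compile(r"^[0-9a-f]{4}(\.[0-9a-f]{4}){2}$")
# Assumption: these command prefixes mark a port as authentication-enabled.
AUTH_CMD = re.compile(r"^\s*(access-session|authentication|dot1x|mab)\b", re.M)

def auth_enabled_ports(config):
    """Return full names of interfaces whose config block has an auth command."""
    ports = set()
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        header = re.match(r"interface (\S+)", block)
        if header and AUTH_CMD.search(block):
            ports.add(header.group(1))
    return ports

def classify(sessions, config):
    """Map each session's interface to 'placeholder', 'expected' or 'review'."""
    enabled = auth_enabled_ports(config)
    result = {}
    for line in sessions.splitlines():
        f = line.split()
        if len(f) < 6 or not MAC.match(f[1]):
            continue  # header, separator or blank line
        short = re.match(r"([A-Za-z]+)(.*)", f[0])
        full = PREFIX.get(short.group(1), short.group(1)) + short.group(2)
        empty = (f[2], f[3], f[4]) == ("N/A", "UNKNOWN", "Unauth")
        # A real method or an Auth status on a port without auth config is worth a look.
        result[f[0]] = "expected" if full in enabled else ("placeholder" if empty else "review")
    return result
```

`classify(SESSIONS, RUNNING_CONFIG)` marks the two entries from the question as `placeholder` and the constructed dot1x port as `expected`; anything tagged `review` is a session with a real method or status on a port that has no authentication configuration.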