[cisco-voip] dot1x err-disabling ports with phones

Erick Wellnitz ewellnitzvoip at gmail.com
Wed Jun 19 17:10:16 EDT 2013


My question would be:
Where is this Dell-registered MAC coming from?  It's a safe assumption it
isn't coming from a Cisco-branded phone.

Are you allowing PCs or laptops to connect via the phone?

On Wed, Jun 19, 2013 at 3:36 PM, <george.hendrix at l-3com.com> wrote:

> My mistake… The MAC address that the switch is already doing dot1x on is
> the phone MAC address.  Before the switch does the output in my first
> email, I see this in the switch log:
>
> Starting 'dot1x' for client (1caa.0711.6ec1) on Interface Gi0/23
>
> Then it goes through many dot1x entries with the phone MAC address, such as
> resetting the client and sending EAPOL packets to the phone MAC.  It seems
> to do this multiple times.
>
> Then I get this:
>
> Security violation on the interface GigabitEthernet0/23, new MAC address
> (0021.70c8.58cb) is seen.AuditSessionID Unassigned
>
> security-violation error detected on Gi0/23, putting Gi0/23 in err-disable
> state
>
> The MAC address (1caa.0711.6ec1) is the phone.  Sorry for the confusion.
>
> The user is up, connected and already authenticated and working.  Then
> suddenly, we see this happen.
>
> Thanks,
>
> Bill
>
>
> *From:* Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
> *Sent:* Wednesday, June 19, 2013 4:11 PM
> *To:* Hendrix, George (Bill) @ NSS - STRATIS
> *Cc:* cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] dot1x err-disabling ports with phones
>
> The vendor listed for that MAC address is Dell.
> http://www.coffer.com/mac_find/?string=00%3A21%3A70%3Ac8%3A58%3Acb
>
> Perhaps you have someone or someones trying to plug a laptop into the
> phone.  That would explain why the switch sees a second MAC and why the
> port is put into err-disable and is in single host mode.
>
> On Wed, Jun 19, 2013 at 2:48 PM, <george.hendrix at l-3com.com> wrote:
>
> Hey guys,
>
>   We have an issue that seems to be mostly on 3560/3750 and older 4500
> switches.  We have not had the issue at all on any phone connected to our
> 4510s with Sup-7 engines.  At random, when the phone/client is already
> connected to the switch, the port goes into err-disable.  The ports are in
> single host mode.
>
> interface FastEthernet1/0/5
>  switchport access vlan 2
>  switchport mode access
>  switchport voice vlan 3
>  srr-queue bandwidth share 10 10 60 20
>  srr-queue bandwidth shape 10 0 0 0
>  priority-queue out
>  authentication event server dead action authorize
>  authentication event server alive action reinitialize
>  authentication port-control auto
>  authentication periodic
>  mls qos trust cos
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout server-timeout 30
>  spanning-tree portfast
>  spanning-tree bpduguard enable
>  spanning-tree guard loop
>
> The error I see in the log before the port goes err-disable is below:
>
> Security violation on the interface GigabitEthernet0/23, new MAC address
> (0021.70c8.58cb) is seen.AuditSessionID Unassigned
>
> security-violation error detected on Gi0/23, putting Gi0/23 in err-disable
> state
>
> The switch seems to be treating the phone like a new DATA client.
>
> TAC seems to think possibly the phone is not transmitting CDP long enough
> that the switch puts the phone MAC address into the DATA group and when it
> does, it err-disables the port.
>
> Has anyone else seen this happen with firmware version SCCP 9.3.1.1 on
> 7962 model phones?
>
> Thanks,
>
> Bill
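Taking the switch log lines quoted in the thread as detection input, the following is an added example (not code from the thread or from any list member): it parses the "Starting 'dot1x'", "Security violation" and "err-disable" messages per port and separates the two explanations discussed above, a second MAC appearing behind the phone versus the phone's own already-authenticated MAC being reclassified as a new host. The sample log (Gi0/24 added as a second, constructed case) and the OUI table are constructed; only the Dell prefix comes from the thread.

```python
import re

# Constructed sample log, modelled on the lines quoted in the thread. Gi0/23 is the
# thread's case; Gi0/24 is a constructed port where the "new" MAC is the phone's own.
SAMPLE_LOG = """\
Starting 'dot1x' for client (1caa.0711.6ec1) on Interface Gi0/23
Security violation on the interface GigabitEthernet0/23, new MAC address (0021.70c8.58cb) is seen.AuditSessionID Unassigned
security-violation error detected on Gi0/23, putting Gi0/23 in err-disable state
Starting 'dot1x' for client (1caa.0711.6ec1) on Interface Gi0/24
Security violation on the interface GigabitEthernet0/24, new MAC address (1caa.0711.6ec1) is seen.AuditSessionID Unassigned
security-violation error detected on Gi0/24, putting Gi0/24 in err-disable state
"""

# Vendor prefixes (first three octets, IOS dotted form); only the Dell entry is
# stated in the thread, so extend this from a real OUI database in practice.
OUI = {"0021.70": "Dell"}
SHORT = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}
START_RE = re.compile(r"Starting 'dot1x' for client \(([0-9a-f.]+)\) on Interface (\S+)")
VIOL_RE = re.compile(r"Security violation on the interface ([^,]+), new MAC address \(([0-9a-f.]+)\)")
ERRDIS_RE = re.compile(r"putting (\S+) in err-disable state")

def short_if(name):  # "GigabitEthernet0/23" -> "Gi0/23", so both message forms key the same port
    return next((s + name[len(l):] for l, s in SHORT.items() if name.startswith(l)), name)

def vendor(mac):
    return OUI.get(mac[:7], "unknown vendor")

def analyze(log):  # one finding per err-disabled port: which MAC triggered it and why
    ports = {}
    entry = lambda p: ports.setdefault(short_if(p), {"dot1x": set(), "new_mac": None, "errdisabled": False})
    for line in log.splitlines():
        if m := START_RE.search(line):          # MAC the switch is authenticating on this port
            entry(m.group(2))["dot1x"].add(m.group(1))
        elif m := VIOL_RE.search(line):         # MAC that triggered the single-host violation
            entry(m.group(1))["new_mac"] = m.group(2)
        elif m := ERRDIS_RE.search(line):
            entry(m.group(1))["errdisabled"] = True
    findings = []
    for port, info in sorted(ports.items()):
        if not info["errdisabled"]:
            continue
        new = info["new_mac"]
        if new is None:
            kind = "errdisabled-without-violation"     # some other errdisable cause; inspect the port
        elif new in info["dot1x"]:
            kind = "authenticated-mac-reclassified"    # the phone-as-DATA-client behaviour TAC described
        else:
            kind = "second-device-behind-phone"        # e.g. a laptop on the phone's PC port
        findings.append({"port": port, "kind": kind, "new_mac": new, "vendor": vendor(new) if new else None})
    return findings
```

Run `analyze(SAMPLE_LOG)` over a real syslog export to get a per-port list; a "second-device-behind-phone" finding with a non-phone vendor is the situation the reply above asks about, while "authenticated-mac-reclassified" points at the CDP/voice-VLAN classification TAC suspected.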