[cisco-voip] dot1x err-disabling ports with phones

Erick Wellnitz ewellnitzvoip at gmail.com
Thu Jun 20 10:10:24 EDT 2013


That is what I see as well with the addition of my PC MAC on the data
vlan.  I think this is expected behavior.

Perhaps Wes or someone else might be able to confirm?


On Thu, Jun 20, 2013 at 7:19 AM, <george.hendrix at l-3com.com> wrote:

>  The only thing I notice is that the phone mac address shows in both the
> data and voice vlan.  I thought the phone mac only showed in the data vlan
> for a short while until it comes up, and then is removed from data vlan mac
> table.
>
> The PC/laptop is an authorized laptop connected to the PC port of the
> phone and the user could be authorized/authenticated for days.  Then
> suddenly, the switch does this scenario where it’s trying to count both the
> phone and laptop mac addresses as data mac addresses, which then
> err-disables the port, since it’s configured for single host mode.
>
> -Bill
>
>
> *From:* Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
> *Sent:* Wednesday, June 19, 2013 5:23 PM
> *To:* Hendrix, George (Bill) @ NSS - STRATIS
> *Cc:* cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] dot1x err-disabling ports with phones
>
> Do you see anything unusual if you do a 'sh mac address-table int <int
> number>' ?
>
> On Wed, Jun 19, 2013 at 3:36 PM, <george.hendrix at l-3com.com> wrote:
>
> My mistake… The mac address that the switch is already doing dot1x on is
> the phone mac address.  Before the switch does the output in my first
> email, I see this in the switch log:
>
> Starting 'dot1x' for client (1caa.0711.6ec1) on Interface Gi0/23
>
> Then it goes through many dot1x entries with the phone mac address, such as
> resetting the client, and sending EAPOL packet to the phone mac.  It seems
> to do this multiple times.
>
> Then I get this:
>
> Security violation on the interface GigabitEthernet0/23, new MAC address
> (0021.70c8.58cb) is seen.AuditSessionID Unassigned
>
> security-violation error detected on Gi0/23, putting Gi0/23 in err-disable
> state
>
> The mac address (1caa.0711.6ec1) is the phone.  Sorry for the confusion.
>
> The user is up, connected and already authenticated and working.  Then
> suddenly, we see this happen.
>
> Thanks,
>
> Bill
>
>
> *From:* Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
> *Sent:* Wednesday, June 19, 2013 4:11 PM
> *To:* Hendrix, George (Bill) @ NSS - STRATIS
> *Cc:* cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] dot1x err-disabling ports with phones
>
> The vendor listed for that MAC address is Dell.
> http://www.coffer.com/mac_find/?string=00%3A21%3A70%3Ac8%3A58%3Acb
>
> Perhaps you have someone or someones trying to plug a laptop into the
> phone.  That would explain why the switch sees a second mac and why the
> port is put into err-disable and is in single host mode.
>
> On Wed, Jun 19, 2013 at 2:48 PM, <george.hendrix at l-3com.com> wrote:
>
> Hey guys,
>
>   We have an issue that seems to be mostly on 3560/3750 and older 4500
> switches.  We have not had the issue at all on any phone connected to our
> 4510s with Sup-7 engines.  At random when the phone/client is already
> connected to the switch, the port goes into err-disable.  The ports are in
> single host mode.
>
> interface FastEthernet1/0/5
>  switchport access vlan 2
>  switchport mode access
>  switchport voice vlan 3
>  srr-queue bandwidth share 10 10 60 20
>  srr-queue bandwidth shape 10 0 0 0
>  priority-queue out
>  authentication event server dead action authorize
>  authentication event server alive action reinitialize
>  authentication port-control auto
>  authentication periodic
>  mls qos trust cos
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout server-timeout 30
>  spanning-tree portfast
>  spanning-tree bpduguard enable
>  spanning-tree guard loop
>
>
> The error I see in the log before the port goes err-disable is below:
>
> Security violation on the interface GigabitEthernet0/23, new MAC address
> (0021.70c8.58cb) is seen.AuditSessionID Unassigned
>
> security-violation error detected on Gi0/23, putting Gi0/23 in err-disable
> state
>
> The switch seems to be treating the phone like a new DATA client.
>
> TAC seems to think possibly the phone is not transmitting CDP long enough,
> so that the switch puts the phone mac address into the DATA group, and when
> it does, it err-disables the port.
>
> Has anyone else seen this happen with firmware version SCCP 9.3.1.1 on
> 7962 model phones?
>
> Thanks,
>
> Bill
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip