[cisco-voip] dot1x err-disabling ports with phones

Ryan Ratliff rratliff at cisco.com
Thu Jun 20 12:27:15 EDT 2013


I don't recall specifics other than there have been quite a few bugs on both sides related to dot1x, most of them ending up just as you describe, where the phone ends up triggering the max mac-address violation on the port.

What version of IOS are your switches running?
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/IP_Tele/IP_Telephony_DIG.html#wp389333 is a pretty good resource for this topic.

-Ryan

On Jun 20, 2013, at 10:10 AM, Erick Wellnitz <ewellnitzvoip at gmail.com> wrote:

That is what I see as well, with the addition of my PC MAC on the data VLAN. I think this is expected behavior.

Perhaps Wes or someone else might be able to confirm?


On Thu, Jun 20, 2013 at 7:19 AM, <george.hendrix at l-3com.com> wrote:
The only thing I notice is that the phone MAC address shows in both the data and voice VLAN. I thought the phone MAC only showed in the data VLAN for a short while until it comes up, and then is removed from the data VLAN MAC table.

The PC/laptop is an authorized laptop connected to the PC port of the phone, and the user could be authorized/authenticated for days. Then suddenly, the switch does this scenario where it's trying to count both the phone and laptop MAC addresses as data MAC addresses, which then err-disables the port, since it's configured for single host mode.

-Bill

From: Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
Sent: Wednesday, June 19, 2013 5:23 PM
To: Hendrix, George (Bill) @ NSS - STRATIS
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] dot1x err-disabling ports with phones

Do you see anything unusual if you do a 'sh mac address-table int <int number>'?

On Wed, Jun 19, 2013 at 3:36 PM, <george.hendrix at l-3com.com> wrote:

My mistake… The MAC address that the switch is already doing dot1x on is the phone MAC address. Before the switch does the output in my first email, I see this in the switch log:

Starting 'dot1x' for client (1caa.0711.6ec1) on Interface Gi0/23

Then it goes through many dot1x entries with the phone MAC address, such as resetting the client and sending EAPOL packets to the phone MAC. It seems to do this multiple times.

Then I get this:

Security violation on the interface GigabitEthernet0/23, new MAC address (0021.70c8.58cb) is seen.AuditSessionID Unassigned

security-violation error detected on Gi0/23, putting Gi0/23 in err-disable state

The MAC address (1caa.0711.6ec1) is the phone. Sorry for the confusion.

The user is up, connected, already authenticated and working. Then suddenly, we see this happen.

Thanks,

Bill

From: Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
Sent: Wednesday, June 19, 2013 4:11 PM
To: Hendrix, George (Bill) @ NSS - STRATIS
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] dot1x err-disabling ports with phones

The vendor listed for that MAC address is Dell. http://www.coffer.com/mac_find/?string=00%3A21%3A70%3Ac8%3A58%3Acb

Perhaps you have someone or someones trying to plug a laptop into the phone. That would explain why the switch sees a second MAC and why the port is put into err-disable and is in single host mode.

On Wed, Jun 19, 2013 at 2:48 PM, <george.hendrix at l-3com.com> wrote:

Hey guys,

We have an issue that seems to occur mostly on 3560/3750 and older 4500 switches. We have not had the issue at all on any phone connected to our 4510s with Sup-7 engines. At random, when the phone/client is already connected to the switch, the port goes into err-disable. The ports are in single host mode.

interface FastEthernet1/0/5
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 3
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 mls qos trust cos
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard loop

The error I see in the log before the port goes err-disable is below:

Security violation on the interface GigabitEthernet0/23, new MAC address (0021.70c8.58cb) is seen.AuditSessionID Unassigned

security-violation error detected on Gi0/23, putting Gi0/23 in err-disable state

The switch seems to be treating the phone like a new DATA client.

TAC seems to think the phone is possibly not transmitting CDP for long enough, so the switch puts the phone MAC address into the DATA group, and when it does, it err-disables the port.

Has anyone else seen this happen with firmware version SCCP 9.3.1.1 on 7962 model phones?

Thanks,

Bill


_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
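A defender-side check for the two symptoms this thread describes: a second MAC tripping the single-host limit on a port where 802.1X was already running for the phone, and the phone MAC sitting in both the data and voice VLAN of the same port. This is an added example, not code from the list, from Cisco or from any poster; the patterns are modelled on the log lines quoted above, and the sample log and mac-address-table excerpt are constructed.

```python
import re

# Patterns modelled on the IOS syslog lines quoted in the thread.
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
DOT1X_START_RE = re.compile(rf"Starting 'dot1x' for client \((?P<mac>{MAC})\) on Interface (?P<intf>\S+)")
VIOLATION_RE = re.compile(rf"Security violation on the interface (?P<intf>\S+), new MAC address \((?P<mac>{MAC})\) is seen")

def short_intf(name):
    # IOS logs the same port as 'GigabitEthernet0/23' and 'Gi0/23'; use one key.
    return re.sub(r"^(GigabitEthernet|FastEthernet)", lambda m: m.group(1)[:2], name)

def find_single_host_violations(log_lines):
    """Pair each security violation with the MAC 802.1X last started on that port.
    Returns [(port, mac dot1x was running for, mac that tripped the port)]."""
    last_dot1x, hits = {}, []
    for line in log_lines:
        m = DOT1X_START_RE.search(line)
        if m:
            last_dot1x[short_intf(m["intf"])] = m["mac"]
            continue
        m = VIOLATION_RE.search(line)
        if m:
            port = short_intf(m["intf"])
            hits.append((port, last_dot1x.get(port), m["mac"]))
    return hits

def macs_in_both_vlans(mac_table_lines, data_vlan, voice_vlan):
    """From 'show mac address-table' output, return sorted (port, mac) pairs learned
    on both the data and the voice VLAN of one port: the phone-in-data-VLAN symptom."""
    vlans = {}  # (port, mac) -> set of VLANs the MAC was learned in
    for line in mac_table_lines:
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header, separator or blank line
        vlans.setdefault((parts[-1], parts[1]), set()).add(int(parts[0]))
    return sorted(k for k, v in vlans.items() if {data_vlan, voice_vlan} <= v)

# Constructed sample input shaped like the excerpts in the thread: data VLAN 2,
# voice VLAN 3, phone 1caa.0711.6ec1 and a second MAC 0021.70c8.58cb on Gi0/23.
SAMPLE_LOG = [
    "Starting 'dot1x' for client (1caa.0711.6ec1) on Interface Gi0/23",
    "Security violation on the interface GigabitEthernet0/23, new MAC address (0021.70c8.58cb) is seen.AuditSessionID Unassigned",
    "security-violation error detected on Gi0/23, putting Gi0/23 in err-disable state",
]
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   2    1caa.0711.6ec1    DYNAMIC     Gi0/23
   3    1caa.0711.6ec1    DYNAMIC     Gi0/23
   2    0021.70c8.58cb    DYNAMIC     Gi0/23
""".splitlines()
```

Feed real syslog and `show mac address-table` output into the two functions; a hit from the first with a different second MAC, together with the phone MAC reported by the second, is the pattern TAC describes in the thread.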