[cisco-voip] dot1x err-disabling ports with phones

Wes Sisk wsisk at cisco.com
Fri Jun 21 11:12:51 EDT 2013 

Agreed with Ryan. I don't have an easy quick answer. I've seen several of these instances investigated and not a single coherent solution.

I recommend a TAC case for more complete investigation.

One thing would be very helpful - a packet capture from SPAN or packet capture from PC with span to PC enabled. Make sure the capture machine gets packets with dot1q headers. This will help to identify the exact packets going through on data vlan.

-Wes

On Jun 20, 2013, at 12:27 PM, Ryan Ratliff <rratliff at cisco.com> wrote:

I don't recall specifics other than there have been quite a few bugs on both sides related to dot1x, most of them ending up just as you describe where the phone ends up triggering the max mac-address violation on the port.

What version of IOS are your switches running?
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/IP_Tele/IP_Telephony_DIG.html#wp389333 is a pretty good resource for this topic.

-Ryan

On Jun 20, 2013, at 10:10 AM, Erick Wellnitz <ewellnitzvoip at gmail.com> wrote:

That is what I see as well with the addition of my PC MAC on the data vlan.  I think this is expected behavior.
 
Perhaps Wes or someone else might be able to confirm?


On Thu, Jun 20, 2013 at 7:19 AM, <george.hendrix at l-3com.com> wrote:
> The only thing I notice is that the phone mac address shows in both the data and voice vlan.  I thought the phone mac only showed in the data vlan for a short while until it comes up, and then is removed from data vlan mac table.
> 
>  
> 
> The PC/laptop is an authorized laptop connected to the PC port of the phone and the user could be authorized/authenticated for days.  Then suddenly, the switch does this scenario where it’s trying to count both the phone and laptop mac addresses as data mac addresses, which then err-disables the port, since it’s configured for single host mode.
> 
>  
> 
> -Bill
> 
>  
> 
>  
> 
> From: Erick Wellnitz [mailto:ewellnitzvoip at gmail.com] 
> Sent: Wednesday, June 19, 2013 5:23 PM
> To: Hendrix, George (Bill) @ NSS - STRATIS
> Cc: cisco-voip at puck.nether.net
> Subject: Re: [cisco-voip] dot1x err-disabling ports with phones
> 
>  
> 
> Do you see anything unusual If you do a 'sh mac address-table int <int number>' ?
> 
>  
> 
>  
> 
>  
> 
> On Wed, Jun 19, 2013 at 3:36 PM, <george.hendrix at l-3com.com> wrote:
> 
> My mistake…The mac address that the switch is already doing dot1x on is the phone mac address.  Before  the switch does the output in my first email.  I see this in the switch log:
> 
>  
> 
> Starting 'dot1x' for client (1caa.0711.6ec1) on Interface Gi0/23  
> 
> Then it goes thru many dot1x entries with the phone mac address, such as resetting the client, and sending EAPOL packet to the phone mac.  It seems to do this multiple times.
> 
>  
> 
> Then I get this:
> 
> Security violation on the interface GigabitEthernet0/23, new MAC address (0021.70c8.58cb) is seen.AuditSessionID Unassigned
> 
> security-violation error detected on Gi0/23, putting Gi0/23 in err-disable state
> 
>  
> 
> The mac address (1caa.0711.6ec1) is the phone.  Sorry for the confusion.
> 
>  
> 
> The user is up, connected and already authenticated and working.  Then suddenly, we see this happen.
> 
>  
> 
> Thanks,
> 
> Bill
> 
>  
> 
> From: Erick Wellnitz [mailto:ewellnitzvoip at gmail.com] 
> Sent: Wednesday, June 19, 2013 4:11 PM
> To: Hendrix, George (Bill) @ NSS - STRATIS
> Cc: cisco-voip at puck.nether.net
> Subject: Re: [cisco-voip] dot1x err-disabling ports with phones
> 
>  
> 
> The vendor listed for that MAC address is Dell.  http://www.coffer.com/mac_find/?string=00%3A21%3A70%3Ac8%3A58%3Acb
> 
>  
> 
> Perhaps you have someone or someones trying to plug a laptop into the phone.  That would explain why the switch sees a second mac and why the port is put into err-disable and is in single host mode.
> 
>  
> 
> On Wed, Jun 19, 2013 at 2:48 PM, <george.hendrix at l-3com.com> wrote:
> 
> Hey guys,
> 
>  
> 
>   We have an issue what seems to be mostly on 3560/3750 and older 4500 switches.  We have not had the issue at all on any phone connected to our 4510s with Sup-7 engines.  At random when the phone/client is already connected to the switch, the port goes into err-disable.  The ports are in single host mode.
> 
>  
> 
> interface FastEthernet1/0/5
> 
> switchport access vlan 2
> 
> switchport mode access
> 
> switchport voice vlan 3
> 
> srr-queue bandwidth share 10 10 60 20
> 
> srr-queue bandwidth shape 10 0 0 0
> 
> priority-queue out
> 
> authentication event server dead action authorize
> 
> authentication event server alive action reinitialize
> 
> authentication port-control auto
> 
> authentication periodic
> 
> mls qos trust cos
> 
> no snmp trap link-status
> 
> dot1x pae authenticator
> 
> dot1x timeout server-timeout 30
> 
> spanning-tree portfast
> 
> spanning-tree bpduguard enable
> 
> spanning-tree guard loop
> 
>  
> 
> The error I see in the log before the port goes err-disable is below:
> 
>  
> 
> Security violation on the interface GigabitEthernet0/23, new MAC address (0021.70c8.58cb) is seen.AuditSessionID Unassigned
> 
> security-violation error detected on Gi0/23, putting Gi0/23 in err-disable state
> 
>  
> 
> The switch seems to be treating the phone like a new DATA client.
> 
>  
> 
> TAC seems to think possibly the phone is not transmitting CDP long enough that the switch puts the phone mac address into the DATA group and when it does, it err-disables the port.
> 
>  
> 
> Has anyone else seen this happen with firmware version SCCP 9.3.1.1 on 7962 model phones?
> 
>  
> 
> Thanks,
> 
> Bill
> 
>  
> 
> 
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
> 

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20130621/478ab47b/attachment.html>

More information about the cisco-voip mailing list