Cat 2960 shows mac address port as "Drop"

Unanswered Question
Jul 30th, 2012

Hi all


I am configuring a Cat 2960 port for connecting a VOIP phone, authenticated by MAB.  On connecting the phone, I get the port authenticated and assigned to the correct VLAN, with LLDP-MED advertising the correct voice vlan.  However, I then see no traffic from the phone on the switch.  I can see the MAC address of the phone is learned in the right VLANs, but the mac address is showing as "Drop", which normally means the address is statically configured to be blocked.  There is no static mac address table blocking configured on the switch.   Can anyone suggest why this is happening?


Switch Version

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 50    WS-C2960-48TC-L    15.0(1)SE3            C2960-LANBASEK9-M


Port configuration

interface FastEthernet0/1
 description "Standard user port"
 switchport access vlan 9
 switchport mode access
 network-policy 1
 no logging event link-status
 srr-queue bandwidth share 5 10 40 55
 priority-queue out
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 mab eap
 mls qos trust dscp
 no snmp trap link-status
 macro description vanilla_port
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 spanning-tree portfast
end


LLDP-MED network-policy

network-policy profile 1
 voice vlan 835


Authentication (debug radius) result

Jul 30 11:42:19.600: %AUTHMGR-5-START: Starting 'mab' for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Jul 30 11:42:19.650: %MAB-5-SUCCESS: Authentication successful for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Jul 30 11:42:19.650: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Jul 30 11:42:20.682: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592


Resulting Switchport config - voice vlan is 835

CLBdg640Test-AS2960-0#show int fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 9 (NATIVE-DISCARD)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 835 (VOICE)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none


LLDP neighbor info showing voice vlan 835

CLBdg640Test-AS2960-0#sh lldp neighbors fa0/1 detail
------------------------------------------------
Chassis id: 0.0.0.0
Port id: 0004.f297.6668
Port Description - not advertised
System Name - not advertised
System Description - not advertised

Time remaining: 3558 seconds
System Capabilities: T
Enabled Capabilities: T
Management Addresses - not advertised
Auto Negotiation - supported, enabled
Physical media capabilities:
    100base-T2(HD)
    100base-TX(FD)
    100base-T4
    10base-T(FD)
Media Attachment Unit type - not advertised
Vlan ID: - not advertised

MED Information:

    MED Codes:
          (NP) Network Policy, (LI) Location Identification
          (PS) Power Source Entity, (PD) Power Device
          (IN) Inventory

    Inventory information - not advertised
    Capabilities: NP
    Device type: Endpoint Class III
    Network Policy(Voice): VLAN 835, tagged, Layer-2 priority: 5, DSCP: 46
    PD device, Power source: PSE, Power Priority: High, Wattage: 6.5
    Location - not advertised

Total entries displayed: 1


MAC address table showing "Drop" port for learned address in VLAN 835


CLBdg640Test-AS2960-0#sh mac address-table address 0004.f297.6668
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   9    0004.f297.6668    STATIC      Fa0/1
 835    0004.f297.6668    DYNAMIC     Drop
Total Mac Addresses for this criterion: 2





Overall Rating: 5 (1 ratings)
raarons Mon, 07/30/2012 - 06:29

Found the problem.  Needed to send the Cisco VSA "device-traffic-class=voice" via Radius.
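
For anyone checking whether a RADIUS server really returns this attribute, the following added example (not part of the original posts) encodes and parses it as it appears in the attribute section of an Access-Accept: a Vendor-Specific attribute (type 26) carrying Cisco's vendor ID 9 and vendor type 1 (cisco-avpair). The sample attribute bytes and the function names are constructed for illustration.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for vendor-specific data
CISCO_VENDOR_ID = 9           # Cisco's IANA enterprise number
CISCO_AVPAIR = 1              # vendor type 1 = cisco-avpair
VOICE_AVPAIR = "device-traffic-class=voice"

def encode_cisco_avpair(avpair):
    """Build one Vendor-Specific attribute carrying a cisco-avpair string."""
    value = avpair.encode("ascii")
    vendor_len = 2 + len(value)      # vendor type + vendor length + value
    total_len = 2 + 4 + vendor_len   # type + length + vendor id + sub-attribute
    if total_len > 255:
        raise ValueError("avpair too long for a single RADIUS attribute")
    return (struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, total_len, CISCO_VENDOR_ID)
            + struct.pack("!BB", CISCO_AVPAIR, vendor_len) + value)

def cisco_avpairs(attributes):
    """Walk a RADIUS attribute section and return every cisco-avpair string."""
    found, pos = [], 0
    while pos + 2 <= len(attributes):
        attr_type, attr_len = attributes[pos], attributes[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attributes):
            raise ValueError("malformed attribute at offset %d" % pos)
        body = attributes[pos + 2:pos + attr_len]
        if attr_type == RADIUS_VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", body[:6])
            if (vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR
                    and 2 <= vlen <= len(body) - 4):
                found.append(body[6:4 + vlen].decode("ascii", "replace"))
        pos += attr_len
    return found

def marks_voice_domain(attributes):
    """True if the reply carries the VSA named in the answer above."""
    return VOICE_AVPAIR in cisco_avpairs(attributes)

# Constructed sample attribute sections (not captured from the poster's network):
# a Reply-Message (type 18) alone, then the same reply with the voice VSA added.
ACCEPT_WITHOUT_VSA = bytes([18, 4]) + b"ok"
ACCEPT_WITH_VSA = ACCEPT_WITHOUT_VSA + encode_cisco_avpair(VOICE_AVPAIR)

if __name__ == "__main__":
    print(encode_cisco_avpair(VOICE_AVPAIR).hex())
    print(marks_voice_domain(ACCEPT_WITHOUT_VSA), marks_voice_domain(ACCEPT_WITH_VSA))
```
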

Ditmar Tavares Wed, 04/08/2015 - 08:10

I am having this issue, could you share how you configured this solution?

kgalaxy Tue, 10/15/2013 - 23:06

Thanks for updating the problem raarons!
