Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
34161
Views
30
Helpful
8
Replies

Cat 2960 shows mac address port as "Drop"

raarons
Level 1
Level 1

‎07-30-2012 03:52 AM - edited ‎03-07-2019 08:03 AM

Hi all

I am configuring a Cat 2960 port for connecting a VOIP phone, authenticated by MAB.  On connecting the phone, I get the port authenticated and assigned to the correct VLAN, with LLDP-MED advertising the correct voice vlan.  However, I then see no traffic from the phone on the switch.  I can see the MAC address of the phone is learned in the right VLANs, but the mac address is showing as "Drop", which normally means the address is statically configured to be blocked.  There is no static mac address table blocking configured on the switch.   Can anyone suggest why this is happening?

Switch Version

Switch Ports Model              SW Version            SW Image

------ ----- -----              ----------            ----------

*    1 50    WS-C2960-48TC-L    15.0(1)SE3            C2960-LANBASEK9-M

Port configuration

interface FastEthernet0/1

description "Standard user port"

switchport access vlan 9

switchport mode access

network-policy 1

no logging event link-status

srr-queue bandwidth share 5 10 40 55

priority-queue out

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication timer reauthenticate server

mab eap

mls qos trust dscp

no snmp trap link-status

macro description vanilla_port

dot1x pae authenticator

dot1x timeout tx-period 3

dot1x timeout supp-timeout 3

spanning-tree portfast

end

LLDP-MED network-policy

network-policy profile 1

voice vlan 835

Authentication (debug radius) result

Jul 30 11:42:19.600: %AUTHMGR-5-START: Starting 'mab' for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592

Jul 30 11:42:19.650: %MAB-5-SUCCESS: Authentication successful for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592

Jul 30 11:42:19.650: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592

Jul 30 11:42:20.682: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592

Resulting Switchport config - voice vlan is 835

CLBdg640Test-AS2960-0#show int fa0/1 switchport

Name: Fa0/1

Switchport: Enabled

Administrative Mode: static access

Operational Mode: static access

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: native

Negotiation of Trunking: Off

Access Mode VLAN: 9 (NATIVE-DISCARD)

Trunking Native Mode VLAN: 1 (default)

Administrative Native VLAN tagging: enabled

Voice VLAN: 835 (VOICE)

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk Native VLAN tagging: enabled

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk associations: none

Administrative private-vlan trunk mappings: none

Operational private-vlan: none

Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none

LLDP neighbor info showing voice vlan 835

CLBdg640Test-AS2960-0#sh lldp neighbors fa0/1 detail

------------------------------------------------

Chassis id: 0.0.0.0

Port id: 0004.f297.6668

Port Description - not advertised

System Name - not advertised

System Description - not advertised

Time remaining: 3558 seconds

System Capabilities: T

Enabled Capabilities: T

Management Addresses - not advertised

Auto Negotiation - supported, enabled

Physical media capabilities:

    100base-T2(HD)

    100base-TX(FD)

    100base-T4

    10base-T(FD)

Media Attachment Unit type - not advertised

Vlan ID: - not advertised

MED Information:

    MED Codes:

          (NP) Network Policy, (LI) Location Identification

          (PS) Power Source Entity, (PD) Power Device

          (IN) Inventory

    Inventory information - not advertised

    Capabilities: NP

    Device type: Endpoint Class III

    Network Policy(Voice): VLAN 835, tagged, Layer-2 priority: 5, DSCP: 46

    PD device, Power source: PSE, Power Priority: High, Wattage: 6.5

    Location - not advertised

Total entries displayed: 1

MAC address table showing "Drop" port for learned address in VLAN 835

CLBdg640Test-AS2960-0#sh mac address-table address 0004.f297.6668

          Mac Address Table

-------------------------------------------

Vlan    Mac Address       Type        Ports

----    -----------       --------    -----

   9    0004.f297.6668    STATIC      Fa0/1

835    0004.f297.6668    DYNAMIC     Drop

Total Mac Addresses for this criterion: 2



7 people had this problem
Labels:
0 Helpful
8 Replies 8

raarons
Level 1
Level 1

‎07-30-2012 06:29 AM

Found the problem.  Needed to send the Cisco VSA "device-traffic-class=voice" via Radius.

Ditmar Tavares
Level 1
Level 1
In response to raarons

‎04-08-2015 08:10 AM

I am having this issue, could you share how you configured this solutions ?

Ditmar Tavares
Level 1
Level 1
In response to Ditmar Tavares

‎04-08-2015 08:19 AM

found the settings on ISE,

podasrinivasulu@gmail.com
Level 1
Level 1
In response to Ditmar Tavares

‎08-20-2018 06:17 PM

i am also having same issue..

 

could you please tell me where i have to modify the settings in ISE ? because in switch port i have configured aaa authentication.

 

if i remove aaa config from the switch port and add the required access vlan to the switch port, is it works ?

0 Helpful

iliyasahmed22
Level 1
Level 1
In response to Ditmar Tavares

‎06-15-2022 02:55 AM

hi

have you got solution for interface status DROP?.

please let me know if you got it.

 

0 Helpful

KelvinT
Level 1
Level 1
In response to iliyasahmed22

‎11-14-2022 12:16 PM

Hello,

From ISE....Policy --> Policy Elements --> Results --> Authorization --> Authorization Profile

Whichever profile you create for the phone/voice you check the box for "Voice Domain Permission".

KelvinT_0-1668456949983.png

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-1072518442

 

Hope this help.

 

0 Helpful

Khijir
Level 1
Level 1
In response to raarons

‎05-07-2021 07:25 AM

HI, Could you please elaborate a little bit more of the solution? 

0 Helpful

kgalaxy
Level 1
Level 1

‎10-15-2013 11:06 PM

Thanks for updating the problem raarons!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card