Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

802.1x, Catalyst 3560,

Hi all,

we have rolled out 802.1x enterprise-wide. As RADIUS-servers, we have deployed ACS 1121 (5.3.0.40). Currently we are rolling-out  Win7-clients

The access layer is built on switches of type Catalyst 3560G-48-PoE, running IOS 2.2(53)SE2.

On certain switches we have the problem (only Win 7 clients; XPs do not cause this problem) that client MAC addresses are registered in VLAN 4 (Data-VLAN) as well as in VLAN 996 (Quarantine-VLAN).

switch#sh mac- int gi0/27

               Mac Address Table

-----------------------------------------------------------------------------------

Vlan         Mac Address                     Type             Ports

------          -------------------                     -------             -------- 

     4         2c27.d71d.6279                 STATIC         Drop     

996          2c27.d71d.6279                 DYNAMIC     Gi0/27

Total Mac Addresses for this criterion: 2

Unfortunately the MAC addresses never will age-out, which means that they keep this status until the switch is rebooted, which is basically not an ideal solution.

We are not abel to connect another client to port showing tha above mentiones status.

Has anyone faced something similar to this ? What is causing this problem ? How can we get rid of these MAC addresses without rebooting the switch ?

Any hints are very much appreciated.

Best regards

RHUB

Everyone's tags (4)
2 REPLIES
New Member

802.1x, Catalyst 3560,

A quick fix is to enable "IP device tracking".

BTW, how are this Change of VLAN performed, CoA ?? and if CoA then reauth or port-bounce?

Port-bounce should also resolve this multiple mac entires

Thanks

New Member

802.1x, Catalyst 3560,

good evening,

many thanks for your reply. "ip device tracking" would be the solution - thats exactly what I thought too but we have enabled it since we rolled-out the 3560's many month ago.

This status will happen after a clients is not able to authenticate successfully against ACS and therefore should be moved to the quarantine-VLAN. The majority of clients, not authenticating successfully are moved without any problems but some of them show the problem.

Thanks and best regards

Roman 

688
Views
0
Helpful
2
Replies
CreatePlease to create content