Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2093
Views
0
Helpful
3
Replies

Cannot get CoA switch to bounce port

Josh Morris
Level 3
Level 3

‎02-25-2014 11:21 AM - edited ‎03-10-2019 09:27 PM

Hi, I am trying to clear up a VLAN change/IP addressing conflict and have configured the profile's associated CoA type to 'port bounce'. I also created an exception action to force CoA with an associate rule in the policy.

I can see the device hit the correct profile upon MAB, and the correct VLAN is applied to the port. However, I never see the port bounce occuring, so the deviec does not know to release/renew it's IP address.

Is there something I'm missing to get the CoA port bounce to happen? Here is my switchport config...

interface GigabitEthernet1/5

description ISE_TEST

switchport access vlan 32

switchport mode access

switchport voice vlan 64

ip access-group ACL-ALLOW in

logging event link-status

authentication event fail action next-method

authentication event server dead action authorize vlan 2700

authentication event server alive action reinitialize

authentication host-mode multi-auth

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer restart 600

authentication timer reauthenticate server

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 5

service-policy input QoS-Input-Policy

service-policy output QoS-Host-Port-Output-Policy

end

Labels:
0 Helpful
3 Replies 3

Naveen Kumar
Level 4
Level 4

‎03-11-2014 11:06 PM

please see the Port Bounce Configuration guide:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#wp2021892

0 Helpful

bikespace
Level 1
Level 1

‎05-31-2014 03:28 PM

Did you fix this?
0 Helpful

Josh Morris
Level 3
Level 3
In response to bikespace

‎06-04-2014 08:38 AM

I did, but my issue was not related to the port bounce itself. It was because arp inspection was identifying the arp based off the ports initial VLAN. Once ISE changed the VLAN, ip arp was denying the port because the address had changed. I disabled arp inspection and it cleared up the issue.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents