Wired Intelligent Edge


Security Camera Drop Out When AOS-Switch Dynamic VLAN Segmentation

  • 1.  Security Camera Drop Out When AOS-Switch Dynamic VLAN Segmentation

    Posted 4 days ago
    ClearPass version 6.9.7, Switch: AOS-CX 6300 version 10.06.0011 with dynamic VLAN segmentation.
    We have no problem at the home campus, but we do at the remote site, where traffic is tunneled. There are four types of Mac-Auth devices at the remote site: IP phone, printer, Aruba AP and security camera. CPPM profiled these devices and assigned roles and VLANs to them correctly.
    There is no problem with the phone, AP, and printer, but all security cameras drop out 5 minutes after getting the correct role and VLAN. These cameras do not come back until the switchport bounces. The Endpoint shows the cache expires in 5 minutes, and it seems like the time matches the drop.
    "show port-access client" is not seeing these cameras when they drop.
    "show mac-address port xxx" is not registering the MAC address of the camera.
    CPPM access tracker shows no reject or any events of camera trying to re authenticate.

    Event log when the camera connects and gets a VLAN and role:
    2022-01-11T15:48:34.985937-06:00 MY-SW port-accessd[3511]: Event|10503|LOG_INFO|MSTR|1|Port 1/1/40 is unblocked by port-access
    2022-01-11T15:48:34.972945-06:00 MY-SW ops-switchd[732]: Event|2108|LOG_INFO|MSTR|1|Created Mac based VLAN entry. VLAN 500 is mapped to client e4:30:22:xx:xx:xx on port 1/1/40
    2022-01-11T15:48:34.241574-06:00 MY-SW port-accessd[3511]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/40 is blocked by port-access

    Event log after 5 minutes:
    2022-01-11T15:53:39.347613-06:00 MY-SW ops-switchd[732]: Event|2110|LOG_INFO|MSTR|1|Deleted Mac based VLAN entry for e4:30:22:xx:xx:xx with VLAN 500 on port 1/1/40
    2022-01-11T15:53:39.334512-06:00 MY-SW port-accessd[3511]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/40 is blocked by port-access

    Endpoint Policy Cache
    Ideas? suggestions?
    Thanks,

    ------------------------------
    Trinh Nguyen
    ------------------------------
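Added example, not part of the original post and not Aruba tooling: a small Python correlator that pairs the "Created Mac based VLAN entry" (event 2108) and "Deleted Mac based VLAN entry" (event 2110) lines quoted above and reports how long each MAC-auth session lasted. The function name `short_sessions` and the 330-second threshold are assumptions chosen for this illustration.

```python
import re
from datetime import datetime

# Event-log lines quoted in the post (MAC already masked by the poster).
SAMPLE_LOG = """\
2022-01-11T15:48:34.985937-06:00 MY-SW port-accessd[3511]: Event|10503|LOG_INFO|MSTR|1|Port 1/1/40 is unblocked by port-access
2022-01-11T15:48:34.972945-06:00 MY-SW ops-switchd[732]: Event|2108|LOG_INFO|MSTR|1|Created Mac based VLAN entry. VLAN 500 is mapped to client e4:30:22:xx:xx:xx on port 1/1/40
2022-01-11T15:48:34.241574-06:00 MY-SW port-accessd[3511]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/40 is blocked by port-access
2022-01-11T15:53:39.347613-06:00 MY-SW ops-switchd[732]: Event|2110|LOG_INFO|MSTR|1|Deleted Mac based VLAN entry for e4:30:22:xx:xx:xx with VLAN 500 on port 1/1/40
2022-01-11T15:53:39.334512-06:00 MY-SW port-accessd[3511]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/40 is blocked by port-access
"""

# <timestamp> <host> <daemon>[pid]: Event|<id>|<severity>|<field>|<field>|<message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ [\w-]+\[\d+\]: Event\|(?P<id>\d+)\|[^|]*\|[^|]*\|[^|]*\|(?P<msg>.*)$")
CREATED_RE = re.compile(
    r"VLAN (?P<vlan>\d+) is mapped to client (?P<mac>\S+) on port (?P<port>\S+)")
DELETED_RE = re.compile(
    r"entry for (?P<mac>\S+) with VLAN (?P<vlan>\d+) on port (?P<port>\S+)")


def short_sessions(log_text, max_seconds=330):
    """Pair event 2108 (MAC-based VLAN entry created) with event 2110 (entry
    deleted) per MAC/port/VLAN and return the sessions that ended within
    max_seconds. 330 s is an assumed threshold: 5 minutes plus slack."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["id"], m["msg"]))
    events.sort(key=lambda e: e[0])  # the post lists newest lines first
    created, findings = {}, []
    for ts, event_id, msg in events:
        if event_id == "2108" and (c := CREATED_RE.search(msg)):
            created[(c["mac"], c["port"], c["vlan"])] = ts
        elif event_id == "2110" and (d := DELETED_RE.search(msg)):
            key = (d["mac"], d["port"], d["vlan"])
            start = created.pop(key, None)
            if start is not None and (ts - start).total_seconds() <= max_seconds:
                findings.append({"mac": key[0], "port": key[1], "vlan": key[2],
                                 "lifetime_s": (ts - start).total_seconds()})
    return findings


if __name__ == "__main__":
    for f in short_sessions(SAMPLE_LOG):
        print(f"{f['mac']} on {f['port']} (VLAN {f['vlan']}) dropped after {f['lifetime_s']:.1f} s")
```

Run over a full event-log export, lifetimes that cluster near 300 seconds on camera ports only would line up with the 5-minute timing described in the post.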


  • 2.  RE: Security Camera Drop Out When AOS-Switch Dynamic VLAN Segmentation

    Posted 3 days ago
    Hello, 

    This document describes a very similar symptom with MAC authentication and end devices which normally don't talk actively on the network and only respond when someone sends a packet to them. If you think that your cameras may behave the same way, maybe you can try the options suggested here: MAC pinning and controlled-direction in.

    https://community.arubanetworks.com/blogs/esupport1/2019/06/04/mac-authentication-for-printers-and-other-headless-devices

    ------------------------------
    Emil Gogushev
    ------------------------------