Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor II

Strange behaviour with port-access local-mac authentication

Hi all,

 

We have a bunch of Aruba 2930F switches, organized in stacks (vsf).

 

# show vsf

VSF Domain ID : 1
MAC Address : 8030e0-xxxxxx
VSF Topology : Ring
VSF Status : Active
Uptime : 354d 2h 23m
VSF MAD : None
VSF Port Speed : 10G
Software Version : WC.16.05.0007

Mbr
ID MAC Address Model Pri Status
--- ----------------- ------------------------------------- --- ---------------
1 8030e0-955540 Aruba JL558A 2930F-48G-740W-PoE+-4... 128 Commander
2 8030e0-95df40 Aruba JL558A 2930F-48G-740W-PoE+-4... 128 Standby
3 8030e0-96f3c0 Aruba JL558A 2930F-48G-740W-PoE+-4... 128 Member

 

We also use port-access local-mac to authenticate and place the devices on the right VLANs.

Our work areas are formed of Huawei 7910/7950 phones linked to desktops of several manufacturers/models.

 

The normal configuration of our ports is:

 

interface x/y
 tagged vlan <voice>
 untagged vlan <user>
 aaa port-access local-mac
 aaa port-access local-mac address-limit 2
 aaa port-access local-mac mac-pin

 

Normal case works. We see two devices authenticated to the ports:

 

# show port-access local-mac 1/12 cli

Port Access Local MAC Authentication Client Status

Port MAC Address IP Address Client Status
----- --------------- ------------------ ----------------------
1/12 3464a9-00acf8 n/a authenticated
1/12 a08cf8-68e2af n/a authenticated

 

and see both devices on the MAC-Address table, associated to the port:

 

# show mac-address 1/12

Status and Counters - Port Address Table - 1/12

MAC Address VLANs
----------------- ------------
3464a9-00acf8 160
a08cf8-68e2af 152

 

But, for some reason, some ports aren't working as expected. Even when we have 2 devices authenticated, only one of them gets into the MAC-Address table.

 

# show port-access local-mac 3/31 cli

Port Access Local MAC Authentication Client Status

Port MAC Address IP Address Client Status
----- --------------- ------------------ ----------------------
3/31 0040a7-2f8445 n/a authenticated
3/31 a08cf8-36a09b n/a authenticated

 

# show mac-address 3/31

Status and Counters - Port Address Table - 3/31

MAC Address VLANs
----------------- ------------
0040a7-2f8445 160

 

This seems to be happening only on vsf member 3, which was last added to the stack.

 

Has anyone ever seen this behaviour?
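
The mismatch described in the post above can be checked per port by comparing the two command outputs. This is an added example, not part of the original post; the function names are made up for illustration, and the sample text is the port 3/31 and 1/12 output from the post with column spacing restored.

```python
import re

# MAC notation used in the outputs above, e.g. 3464a9-00acf8
MAC_RE = re.compile(r"[0-9a-f]{6}-[0-9a-f]{6}", re.I)

def authenticated_macs(auth_output):
    """MACs marked 'authenticated' in 'show port-access local-mac <port> cli'."""
    macs = set()
    for line in auth_output.splitlines():
        f = line.split()
        if len(f) >= 3 and MAC_RE.fullmatch(f[1]) and f[-1] == "authenticated":
            macs.add(f[1].lower())
    return macs

def mac_table(mac_output):
    """Map MAC -> set of VLAN IDs from 'show mac-address <port>'."""
    table = {}
    for line in mac_output.splitlines():
        f = line.split()
        if len(f) == 2 and MAC_RE.fullmatch(f[0]):
            table[f[0].lower()] = {int(v) for v in f[1].split(",") if v.isdigit()}
    return table

def missing_from_mac_table(auth_output, mac_output):
    """Authenticated clients that have no entry in the port's MAC address table."""
    return sorted(authenticated_macs(auth_output) - set(mac_table(mac_output)))

# Sample outputs taken from the post (hypothetical variable names).
AUTH_3_31 = """\
Port  MAC Address     IP Address         Client Status
----- --------------- ------------------ ----------------------
3/31  0040a7-2f8445   n/a                authenticated
3/31  a08cf8-36a09b   n/a                authenticated
"""
MACS_3_31 = """\
MAC Address       VLANs
----------------- ------------
0040a7-2f8445     160
"""
AUTH_1_12 = AUTH_3_31.replace("3/31", "1/12").replace(
    "0040a7-2f8445", "3464a9-00acf8").replace("a08cf8-36a09b", "a08cf8-68e2af")
MACS_1_12 = "3464a9-00acf8     160\na08cf8-68e2af     152\n"

if __name__ == "__main__":
    print("3/31 missing:", missing_from_mac_table(AUTH_3_31, MACS_3_31))
    print("1/12 missing:", missing_from_mac_table(AUTH_1_12, MACS_1_12))
```

A client that has been silent for a while can age out of the MAC address table, so a hit is a reason to look closer rather than proof of a fault.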


Accepted Solutions
Occasional Contributor II

Re: Strange behaviour with port-access local-mac authentication

Thanks for your attention.

 

Opened a support case, and was instructed to update the switches' software. This solved the big case.

 

In the meantime, I saw that the IP phones needed a special configuration, as they were trying to authenticate on the switch both on the tagged and on the untagged VLAN. So, I changed:

 

(...)
aaa port-access local-mac profile IP-Phone
 vlan tagged 152
 exit
(...)

to:

(...)
aaa port-access local-mac profile IP-Phone
 vlan tagged 152
 vlan untagged 160
 exit
(...)

 

After that, the IP phones started to appear on both the tagged and the untagged VLANs:

 

# show port-acc local-mac cli 1/6

Port Access Local MAC Authentication Client Status

Port MAC Address IP Address Client Status
----- --------------- ------------------ ----------------------
1/6 a08cf8-68e81e n/a authenticated
1/6 d02788-5deca7 n/a authenticated

 

# show mac-addr 1/6

Status and Counters - Port Address Table - 1/6

MAC Address VLANs
----------------- ------------
a08cf8-68e81e 152,160
d02788-5deca7 160

 

This did the trick. Now I have peace!!!



All Replies
MVP Guru

Re: Strange behaviour with port-access local-mac authentication

Please double check that both ports have the exact same configuration, and you use the exact same devices to test with.

 

I wouldn't see a reason to have different behavior on different stack members with the same configuration.

 

If there is no difference, please work with Aruba Support to further investigate.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).