How to avoid the uplink interface of a Cisco switch connected to an x450-G2 switch filling up the end-system table of my Extreme Control engine with all the MACs it hears on the access VLAN

Antonio_Opromol
Contributor II
Hi,

I've got in my lab an x450-G2 switch, and connected to one of its ports in trunk mode there is a Cisco switch (on the Cisco, the uplink port is GigabitEthernet0/1).
When I connect the Cisco to the x450-G2 switch, after a while the end-system table of the control engine is filled up with entries related to the Cisco uplink port, as in the screenshot below:
[Screenshot: end-systems after Cisco connected on uplink port]

Authentication on the Cisco is not enabled on GigabitEthernet0/1, as shown below (MAC and dot1x authentication are enabled on all other ports and work when I connect an end-system to the access ports).
[Screenshot: Cisco interface configuration]

How can I avoid the uplink port filling up the end-system table of the control engine with all the MAC addresses it "hears" on the access VLAN?

Antonio_Opromol
Contributor II
Hi Ryan,

I've followed the Extreme document "ExtremeCloud IQ - Site Engine and ExtremeControl - Cisco Switch Integration Guide" for the Cisco configuration, and this guide suggests using the following setting:
aaa accounting update periodic 5

After contacting a local Extreme SE, he suggested I remove this line of configuration, and now the uplink port messages are no longer present and only the access interfaces authenticate my hosts.

Thanks

Ryan_Yacobucci
Extreme Employee

Hello

Typically "Session Detected" means that we've received a RADIUS accounting packet for that end system.

If you take a tcpdump on control and look for port 1812/1813 can you find any packets for that end system that have the uplink port defined in the RADIUS AVPs?

tcpdump -i eth0 -s 0 -w nactrace.pcap port 1812 or port 1813

Leave it running and have an end system get a few of those "Session Detected" messages.

Once completed, search the trace for any RADIUS packets for the affected client.

You can use search filters for calling-station-id which will capture MAB/802.1x authentication, or by username for 802.1x. Once you find packets check the RADIUS AVPs to make sure the uplink isn't there.


Also, I notice that there is a "Kerberos" event. Are you doing any mirroring to get Kerberos traffic to the NAC? NAC can snoop Kerberos packets to get the username, but since you're doing 802.1x NAC can get the username without Kerberos snooping.

You can right click the NAC --> Engine Settings --> Username Resolution --> Disable "Kerberos Username Resolution"

Thanks
-Ryan 
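The two replies above describe the same triage from opposite ends: Antonio found that periodic accounting updates from the Cisco switch were what populated the end-system table, and Ryan's suggestion is to capture UDP 1812/1813 on the control engine and check whether any RADIUS packets for the affected client carry the uplink port in their AVPs. The script below is an added example (not from the original thread, nor Extreme's or Cisco's own tooling) that does that check on raw RADIUS accounting payloads: it parses the standard header and attribute list, pulls out Acct-Status-Type, User-Name, Calling-Station-Id and NAS-Port-Id, and reports every Accounting-Request whose NAS-Port-Id names the uplink interface. Extracting the UDP payloads from the .pcap is left out, so the sample packets are constructed inline (authenticators zeroed); the port names, usernames and MACs are placeholders, and the assumption that the stray entries arrive as Interim-Update records follows from the "aaa accounting update periodic" finding in the thread.

```python
"""Triage RADIUS accounting packets for sessions that name an uplink port.

Added example, not from the original thread. It assumes the UDP payloads have
already been extracted from a capture such as the tcpdump in the reply above;
the packets below are constructed inline for demonstration.
"""
import struct
from collections import namedtuple

# RADIUS code and standard attribute numbers (RFC 2865/2866/2869)
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ATTR_NAS_PORT_ID = 87
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

AcctRecord = namedtuple("AcctRecord", "status username calling_station nas_port_id")


def parse_avps(payload):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    pos = 20  # fixed header: code, id, length, 16-byte authenticator
    end = len(payload)
    while pos + 2 <= end:
        avp_type, avp_len = payload[pos], payload[pos + 1]
        if avp_len < 2 or pos + avp_len > end:
            raise ValueError("malformed AVP at offset %d" % pos)
        yield avp_type, payload[pos + 2:pos + avp_len]
        pos += avp_len


def parse_accounting(payload):
    """Return an AcctRecord for an Accounting-Request, or None for other codes."""
    if len(payload) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("length field %d does not match payload %d" % (length, len(payload)))
    if code != ACCOUNTING_REQUEST:
        return None
    fields = {"status": None, "username": None, "calling_station": None, "nas_port_id": None}
    for avp_type, value in parse_avps(payload):
        if avp_type == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            fields["status"] = STATUS_NAMES.get(struct.unpack("!I", value)[0], "Unknown")
        elif avp_type == ATTR_USER_NAME:
            fields["username"] = value.decode("utf-8", "replace")
        elif avp_type == ATTR_CALLING_STATION_ID:
            fields["calling_station"] = value.decode("utf-8", "replace")
        elif avp_type == ATTR_NAS_PORT_ID:
            fields["nas_port_id"] = value.decode("utf-8", "replace")
    return AcctRecord(**fields)


def find_uplink_sessions(payloads, uplink_port):
    """Return accounting records whose NAS-Port-Id is the uplink interface."""
    hits = []
    for payload in payloads:
        rec = parse_accounting(payload)
        if rec is not None and rec.nas_port_id == uplink_port:
            hits.append(rec)
    return hits


def build_accounting_request(status, username, mac, port, ident=1):
    """Construct a RADIUS Accounting-Request (sample data only; authenticator is zeroed)."""
    def avp(avp_type, value):
        return bytes([avp_type, len(value) + 2]) + value
    body = (avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
            + avp(ATTR_USER_NAME, username.encode())
            + avp(ATTR_CALLING_STATION_ID, mac.encode())
            + avp(ATTR_NAS_PORT_ID, port.encode()))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body)) + bytes(16) + body


# Constructed sample capture (placeholder names/MACs): one Start record from an
# access port, and two Interim-Update records for MACs the switch learned on
# its uplink, which is what fills the end-system table in the thread above.
SAMPLE_PACKETS = [
    build_accounting_request(1, "alice", "00-11-22-33-44-55", "GigabitEthernet0/5"),
    build_accounting_request(3, "00-aa-bb-cc-dd-01", "00-aa-bb-cc-dd-01", "GigabitEthernet0/1", 2),
    build_accounting_request(3, "00-aa-bb-cc-dd-02", "00-aa-bb-cc-dd-02", "GigabitEthernet0/1", 3),
]

if __name__ == "__main__":
    for rec in find_uplink_sessions(SAMPLE_PACKETS, "GigabitEthernet0/1"):
        print(rec)
```

Run against real data, the payloads would come from the capture Ryan describes (`tcpdump ... port 1812 or port 1813`), and a non-empty result for the uplink port is exactly the evidence that the switch, not the control engine, is generating the sessions; the Acct-Status-Type on those records tells you whether they are periodic updates, which points at the accounting update setting rather than at port authentication.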
