10-20-2016 12:40 AM - edited 03-11-2019 12:10 AM
Hi;
I'm going to explain my simple topology: I have a 3560 switch whose port g0/8 is connected to the phone, and the phone is connected to a PC. The other ports on the switch are members of the default VLAN 1, which is our data VLAN. ISE (10.1.150.152) and CUCM (10.1.150.150) are inside VLAN 1 too, and I changed their default gateway to point to this switch, which has the IP 10.1.1.154/16.
I created a separate VLAN for voice (VLAN 500), then added a Vlan500 interface with the IP 192.168.250.2/24 on the switch and configured it to be the default gateway for both VLAN 1 and VLAN 500. I also turned IP routing on on the switch, enabled the DHCP server service on the switch and configured a pool, as you'll see below. Reachability is OK, and a ping toward ISE and CUCM with Vlan500 as the source interface completed successfully.
The RADIUS Live Log page on ISE shows that both the authentication and the dACL download were successful.
Policy Server: cisco-ise
Event 5200 Authentication succeeded
Username: 38:ED:18:55:78:7C
User Type: Host
Endpoint Id: 38:ED:18:55:78:7C
Calling Station Id: 38-ED-18-55-78-7C
Endpoint Profile: Cisco-Device
Authentication Identity Store: Internal Endpoints
Identity Group: Profiled
Audit Session Id: 000000000000000E00F073B6
Authentication Method: mab
Authentication Protocol: Lookup
Service Type: Call Check
Network Device: Cisco-3560
NAS IPv4 Address: 10.1.1.154
NAS Port Id: GigabitEthernet0/8
NAS Port Type: Ethernet
Authorization Profile: TIMAZ_AUTHO-PROFILE1
EPM logging revealed the following output:
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 38ed.1855.787c| AuditSessionID 000000000000000F00F8A536| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32| EVENT DOWNLOAD_REQUEST
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 38ed.1855.787c| AuditSessionID 000000000000000F00F8A536| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32| EVENT DOWNLOAD-SUCCESS
%EPM-6-IPEVENT: IP 0.0.0.0 MAC 38ed.1855.787c| AuditSessionID 000000000000000F00F8A536| EVENT IP-WAIT
The result is that the phone couldn't get an IP address from the DHCP pool on the switch and cannot register to CUCM. I got empty output after issuing the "sh ip dhcp binding" and "sh ip device tracking all" commands on the switch. Here is my consolidated config on the switch, in case you think it is necessary to take a look at it.
aaa new-model
aaa group server radius RADIUS_GROUP
server-private 10.1.150.152 key cisco
!
aaa authentication login default group RADIUS_GROUP local
aaa authentication login CONSOLE_AUTHEN local
aaa authentication dot1x default group RADIUS_GROUP
aaa authorization network default group RADIUS_GROUP
!
aaa server radius dynamic-author
client 10.1.150.152 server-key cisco
!
ip routing
ip dhcp database ftp://10.1.3.221/DHCPDB
ip dhcp excluded-address 192.168.250.1 192.168.250.220
!
ip dhcp pool TEST_PoOL
network 192.168.250.0 255.255.255.0
option 150 ip 10.1.150.150
dns-server 10.1.1.30
default-router 192.168.250.2
lease 0 5
!
epm logging
!
interface GigabitEthernet0/8
switchport mode access
switchport voice vlan 500
authentication host-mode multi-domain
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
!
interface Vlan1
ip address 10.1.1.154 255.255.0.0
!
interface Vlan500
ip address 192.168.250.2 255.255.255.0
ip helper-address 10.1.150.150
!
ip default-gateway 10.1.1.1
Even the "sh ip access-list" command on the switch shows that the "deny ip any any" dACL has been downloaded onto the switch:
Switch(config)#do sh ip access
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32 (per-user)
1 deny ip any any
Any idea? Does the dACL with "deny ip any any" that was downloaded onto the switch automatically prevent IP address assignment to the phone, and does it prevent voice VLAN assignment too?
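To see what each per-user ACL in the "sh ip access-list" output above would do to the phone's DHCP and TFTP flows, here is an added example (not part of the original post) that parses the two per-user ACLs as printed and evaluates flows against them with standard IOS semantics: first matching entry wins, implicit deny at the end. The flow definitions (DHCP Discover from UDP 68 to 67, TFTP to the CUCM on UDP 69) are constructed for the example.

```python
import re

# Named ports as IOS prints them in the ACL output above
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80, "tftp": 69}

# The two per-user ACLs, copied from the "sh ip access-list" output in the post
ACL_TEXT = """
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32 (per-user)
1 deny ip any any
"""

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_acls(text):
    """Parse the entry form seen above: <seq> <action> <proto> any [eq port] any [eq port]."""
    acls, name = {}, None
    for line in text.strip().splitlines():
        m = re.match(r"Extended IP access list (\S+)", line)
        if m:
            name = m.group(1)
            acls[name] = []
            continue
        toks = line.split()
        seq, action, proto, rest = int(toks[0]), toks[1], toks[2], toks[3:]
        ports = []
        for _ in ("src", "dst"):          # each side is "any", optionally followed by "eq <port>"
            rest = rest[1:]               # consume "any"
            if rest[:1] == ["eq"]:
                ports.append(_port(rest[1]))
                rest = rest[2:]
            else:
                ports.append(None)        # None = any port
        acls[name].append((seq, action, proto, ports[0], ports[1]))
    return acls

def evaluate(acl, proto, sport, dport):
    """Return (action, seq) of the first matching entry; implicit deny if none matches."""
    for seq, action, aproto, asport, adport in acl:
        if aproto not in ("ip", proto):
            continue
        if asport is not None and asport != sport:
            continue
        if adport is not None and adport != dport:
            continue
        return action, seq
    return "deny", None

ACLS = parse_acls(ACL_TEXT)
# Constructed phone flows: DHCP Discover (client 68 -> server 67) and TFTP config fetch to CUCM
PHONE_FLOWS = {"dhcp_discover": ("udp", 68, 67), "tftp_to_cucm": ("udp", 50000, 69)}

def check_phone_flows():
    """Map each (ACL name, flow name) to the (action, seq) that would apply."""
    return {(n, f): evaluate(a, *flow) for n, a in ACLS.items() for f, flow in PHONE_FLOWS.items()}
```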