
C3750G-24PS sh mac- states "Drop" instead of port detail

Eamon Scanlon
Level 1

Hi,

I have a C3750G-24PS where a printer appears to have gone off the network, but the ARP cache still shows it in the list (rather than stating incomplete), and in the MAC address table, where I would expect to see the port number, I see the word Drop. See below:

#sh arp | i 31

Internet  10.32.68.31           198   0021.b7fc.e414  ARPA   Vlan10

#sh mac- | i e414

  10    0021.b7fc.e414    DYNAMIC     Drop

Is it simply a case of the device going off the network and this is a transition state before the ARP states incomplete, or is there some other reason for this?

Regards,

Eamon
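
An added example, not part of the original post: a Python sketch that correlates saved `sh arp` and `sh mac-` output and lists every MAC whose port column reads Drop, with its IP where the ARP cache still holds one. Only the printer's two lines come from the post; the other sample rows and the function names are constructed for illustration.

```python
import re

# Constructed sample input: the 0021.b7fc.e414 rows are quoted from the post,
# all other rows are made up so the parser has something to reject.
SH_ARP = """\
Internet  10.32.68.31           198   0021.b7fc.e414  ARPA   Vlan10
Internet  10.32.68.40             3   0021.b7fc.aaaa  ARPA   Vlan10
Internet  10.32.68.41             -   0021.b7fc.bbbb  ARPA   Vlan10
Internet  10.32.68.50             0   Incomplete      ARPA
"""
SH_MAC = """\
  10    0021.b7fc.e414    DYNAMIC     Drop
  10    0021.b7fc.aaaa    DYNAMIC     Gi1/0/7
  20    0021.b7fc.cccc    DYNAMIC     Drop
 All    0100.0ccc.cccc    STATIC      CPU
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(rf"^Internet\s+(\S+)\s+(\S+)\s+({MAC})\s+ARPA\s+(\S+)", re.I)
MAC_RE = re.compile(rf"^\s*(\S+)\s+({MAC})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_arp(text):
    """Map MAC -> (ip, age, interface); Incomplete rows carry no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, age, mac, intf = m.groups()
            table[mac.lower()] = (ip, age, intf)
    return table

def drop_entries(mac_text, arp_text):
    """Return one dict per MAC table row whose port column reads 'Drop'."""
    arp = parse_arp(arp_text)
    found = []
    for line in mac_text.splitlines():
        m = MAC_RE.match(line)
        if not m or m.group(4).lower() != "drop":
            continue
        vlan, mac, mtype, _ = m.groups()
        ip, age, intf = arp.get(mac.lower(), (None, None, None))
        found.append({"vlan": vlan, "mac": mac.lower(), "type": mtype,
                      "ip": ip, "arp_age": age, "arp_intf": intf})
    return found

if __name__ == "__main__":
    for entry in drop_entries(SH_MAC, SH_ARP):
        print(entry)
```

A Drop row with no matching ARP entry is reported with `ip` set to `None`, so it is not silently lost.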

10 Replies

Arumugam Muthaiah
Cisco Employee

Hi Eamon,

Since the printer is off the network, the MAC address table is showing it as DYNAMIC Drop, and this is not any kind of transition state.

Did you configure any port-security on the interface?

When a switchport port-security maximum command is configured on a port, the port learns the MAC addresses of the devices connected to the port. You can also manually enter the addresses, up to the specified number of allowed MAC addresses. If the switchport port-security maximum command is configured on the 2940, 2950 and 2955, 2970, 3550 or 3750 series of switches, then the addresses do not age out until the switch is reset. If another device is connected to the port after the maximum number has been reached, the port will not permit the new MAC address, even if one or more of the original MAC addresses are inactive.

To avoid having to manually delete the existing secure MAC address, the switchport port-security aging time

Refer:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swtrafc.html

Regards,

Aru

*** Please rate if the post is useful ***


We use dot1x for port security.

Good explanation, thanks for the reply and the link.

Hi,

We are seeing similar behavior with Cisco's new 8845 phone connected to a 3750. However, we have no port security and, like the other person on this thread, we are using 802.1x via Cisco ISE. Cisco ISE is fully integrated in this deployment. What is interesting in our case is that even after a switch reset the port will come back DROP on our voice VLAN and the phone will show up on our data VLAN.

After many hours of the phone just sitting there in a "detecting networking" state, the phone will finally join the voice VLAN and everything is fine then.

It's almost like these new phones won't auth with MAB at first and are trying 802.1x. There is no ISE policy for 802.1x for the phones; we are using MAB for the phones.

But why just this phone model...

Any help would be greatly appreciated.

Did you find a resolution to your issue? I am experiencing this issue with a full ISE deployment and dot1x.

We have an ongoing TAC case opened that is with Cisco development... (case 683800858)

We believe we are having a sync issue between PSN nodes.

I can fill you in more when we get our case resolved.

izzy

Did you ever figure anything out on this issue?  I'm having the same issue but it's very sporadic.

 

Thanks.

THANK YOU so much for the pointers! I was going thru the same problem and the fix that worked for me was to change the priority on the switch port:

authentication order mab dot1x
authentication priority mab dot1x

instead of:

authentication order dot1x mab
authentication priority dot1x mab

Hope this is helpful.

Thank you all again!

-Rez

Could you find the problem? I have exactly the same problem now on a SW WS-C2960S-24TS-L 15.0 (2a) SE9.
