Cisco Bug: CSCvv11668 - PM assigns VLAN 1 on ports using MAB/Dot1x Auth regardless of the configured access VLAN
Sep 01, 2020
- Cisco Catalyst 3850 Series Switches
Known Affected Releases
Symptom: Following a reload or power cycle of a Catalyst 3850 stack, some ports that are configured for MAB/Dot1x authentication and use the VLAN statically defined on the interface (no DVLAN push from ISE) are stuck on VLAN 1 in PM (Port Manager), regardless of the "switchport access vlan #" configuration.

Example of a port in broken state:

C3850_Stack-DUT#show run int gig 2/0/19
Building configuration...

Current configuration : 794 bytes
!
interface GigabitEthernet2/0/19
 switchport access vlan 211   <<< Access vlan configured is 211
 switchport mode access
 device-tracking attach-policy IPDT
 authentication control-direction in
 authentication event server dead action authorize vlan 4094
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

C3850_Stack-DUT# show platform pm port-data gi2/0/19
Field AdminFields OperFields
===============================================================
Access Mode Static Static
Access Vlan Id 1 0   <<< But VLAN 1 is set on PM
Voice Vlan Id 4096 0
VLAN Unassigned 0
ExAccess Vlan Id 32767
Native Vlan Id 1
Port Mode access access

C3850_Stack-DUT#show mac add int gig 2/0/19
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.0c07.ac02    STATIC      Gi2/0/19   <<< Hosts will then be assigned to VLAN1 incorrectly.
   1    0024.14a2.c441    STATIC      Gi2/0/19
Total Mac Addresses for this criterion: 2

Conditions:
- Seen on Catalyst 3850 stacks running IOS 16.9.5, with around 30 or more MAB/Dot1x hosts connected.
- Does not happen if VLAN is pushed dynamically from ISE.
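A post-reload check for this symptom, as an added example (not Cisco's code): it compares each MAB/Dot1x port's configured "switchport access vlan" with the first (AdminFields) value on the "Access Vlan Id" row of "show platform pm port-data". The sample captures are constructed, the function names are hypothetical, and it assumes statically assigned VLANs (no dynamic VLAN from ISE).

```python
import re

# Constructed sample captures, modelled on the outputs shown above.
SHOW_RUN = """\
interface GigabitEthernet2/0/19
 switchport access vlan 211
 switchport mode access
 authentication port-control auto
 mab
interface GigabitEthernet2/0/20
 switchport access vlan 211
 switchport mode access
 authentication port-control auto
 mab
"""
PM_DATA = {  # per-port "show platform pm port-data <port>" text (constructed)
    "GigabitEthernet2/0/19": "Access Mode Static Static\nAccess Vlan Id 1 0\n",
    "GigabitEthernet2/0/20": "Access Mode Static Static\nAccess Vlan Id 211 0\n",
}

def configured_access_vlans(show_run):
    """Map interface -> configured access VLAN for ports doing MAB/Dot1x."""
    result = {}
    for block in re.split(r"(?m)^(?=interface )", show_run):
        name = re.match(r"interface (\S+)", block)
        vlan = re.search(r"(?m)^\s*switchport access vlan (\d+)", block)
        auth = re.search(r"(?m)^\s*authentication port-control auto", block)
        if name and vlan and auth:
            result[name.group(1)] = int(vlan.group(1))
    return result

def pm_admin_access_vlan(pm_text):
    """First value on the 'Access Vlan Id' row (AdminFields column)."""
    m = re.search(r"(?m)^\s*Access Vlan Id\s+(\d+)", pm_text)
    return int(m.group(1)) if m else None

def mismatched_ports(show_run, pm_data):
    """Ports whose PM access VLAN differs from the configured one."""
    bad = []
    for port, want in sorted(configured_access_vlans(show_run).items()):
        got = pm_admin_access_vlan(pm_data.get(port, ""))
        if got is not None and got != want:
            bad.append((port, want, got))
    return bad

if __name__ == "__main__":
    for port, want, got in mismatched_ports(SHOW_RUN, PM_DATA):
        print(f"{port}: configured VLAN {want}, PM has VLAN {got}")
```

A port reported here is one where authenticated hosts would be learned in the PM VLAN rather than the configured access VLAN, as in the MAC table above.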