Guest

Preview Tool

Cisco Bug: CSCvv11668 - PM assigns VLAN 1 on ports using MAB/Dot1x Auth regardless of the configured access VLAN

Last Modified

Sep 01, 2020

Products (1)

  • Cisco Catalyst 3850 Series Switches

Known Affected Releases

16.9.5

Description (partial)

Symptom:
Following a reload or power cycle of a Catalyst 3850 stack, ports configured for MAB/Dot1x Authentication and using the VLAN statically defined on the interface (no DVLAN push from ISE), we see some ports are stuck on VLAN1 on PM (Port Manager) regardless of the "switchport access vlan #" configuration.

Example of a port in broken state:

C3850_Stack-DUT#show run int gig 2/0/19
Building configuration...

Current configuration : 794 bytes
!
interface GigabitEthernet2/0/19
 switchport access vlan 211                  <<< Access vlan configured is 211
 switchport mode access
 device-tracking attach-policy IPDT
 authentication control-direction in
 authentication event server dead action authorize vlan 4094
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

C3850_Stack-DUT#   show platform pm port-data gi2/0/19

  Field                     AdminFields          OperFields
===============================================================
  Access Mode               Static               Static
  Access Vlan Id             1                     0                 <<< But VLAN 1 is set on PM
  Voice Vlan Id               4096                0
  VLAN Unassigned                                0
  ExAccess Vlan Id          32767                
  Native Vlan Id              1                    
  Port Mode                   access              access

C3850_Stack-DUT#show mac add int gig 2/0/19
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.0c07.ac02    STATIC      Gi2/0/19       <<< Hosts will then be assigned to VLAN1 incorrectly.
   1    0024.14a2.c441    STATIC      Gi2/0/19 
Total Mac Addresses for this criterion: 2

Conditions:
- Seen on Catalyst 3850 stacks running IOS 16.9.5, with around 30 or more MAB/Dot1x hosts connected.

- Does not happen if VLAN is pushed dynamically from ISE.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.