Verify IPDT Device Operations - Cisco


Updated: July 26, 2022
Document ID: 118630

Introduction

This document describes how to verify IP Device Tracking (IPDT) operations and how to disable these actions.

Prerequisites

Requirements

There are no specific requirements for this document.
Components Used

This document is not restricted to specific software and hardware versions. However, the outputs in this document were based on these software and hardware versions:

- Cisco WS-C2960X
- Cisco IOS® 15.2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

IPDT Overview

Definition and Usage

The main IPDT task is to keep track of connected hosts (the association of MAC and IP address). In order to do this, it sends unicast Address Resolution Protocol (ARP) probes with a default interval of 30 seconds. These probes are sent to the MAC address of the host connected on the other side of the link; as the default Layer 2 (L2) source they use the MAC address of the physical interface out of which the ARP goes, and as the sender IP address they use 0.0.0.0, based on the ARP Probe definition listed in RFC 5227.

Excerpt

In this document, the term 'ARP Probe' is used to refer to an ARP Request packet, broadcast on the local link, with an all-zero 'sender IP address'. The 'sender hardware address' MUST contain the hardware address of the interface that sends the packet. The 'sender IP address' field MUST be set to all zeroes, to avoid corruption of ARP caches in other hosts on the same link in the case where the address turns out to be already in use by another host. The 'target IP address' field MUST be set to the address that is probed. An ARP Probe conveys both a question (Does anyone use this address?) and an implied statement (This is the address I hope to use.).

The purpose of IPDT is for the switch to obtain and maintain a list of devices that are connected to the switch via an IP address. The probe does not populate the tracking entry; it is simply used in order to maintain the entry in the table after it is learned through an ARP request/reply from the host.

IP ARP Inspection is enabled automatically when IPDT is enabled; it detects the presence of new hosts when it monitors ARP packets. If dynamic ARP inspection is enabled, only the ARP packets that it validates are used in order to detect new hosts for the Device Tracking table.

IP DHCP snooping, if enabled, detects the presence or removal of new hosts when DHCP assigns or revokes their IP addresses.
When DHCP traffic is seen for a given host, the IPDT ARP probe interval timer is reset.

IPDT is a feature that has always been available. However, on more recent Cisco IOS® releases, its interdependencies are enabled by default (see Cisco bug ID CSCuj04986). It can be extremely useful when its database of IP/MAC host associations is used in order to populate the source IP of dynamic Access Control Lists (ACLs), or to maintain a binding of an IP address to a security group tag.

The ARP probe is sent under two circumstances:

- The link associated with a current entry in the IPDT database moves from a DOWN to an UP state, and the ARP entry has been populated.
- A link already in the UP state that is associated with an entry in the IPDT database has an expired probe interval.

Problem

The "keepalive" probe sent by the switch is an L2 check. As such, from the switch's point of view, the IP addresses used as source in the ARPs are not important: this feature can be used on devices with no IP address configured at all, so the IP source of 0.0.0.0 is not relevant to the switch.

When the host receives this message, it replies back and populates the destination IP field with the only IP address available in the received packet, which is its own IP address. This can cause false duplicate IP address alerts, because the host that replies sees its own IP address as both the source and the destination of the packet; refer to the Duplicate IP Address 0.0.0.0 Error Message Troubleshoot article for more information about the duplicate IP address scenario.

Default State and Operation

The global on/off config for IPDT is a legacy behavior which caused issues in the field, as customers were not always aware that they needed to turn on IPDT for certain features to work. In current releases, IPDT is solely controlled at the interface level: it is enabled on an interface when a feature that requires IPDT is enabled there.

IPDT is on globally by default within these releases; that is, there is no global config command (Cisco bug ID CSCua85383):

- Catalyst 2k/3k: 15.2(1)E
- Catalyst 3850: 3.2.0SE
- Catalyst 4k: 15.2(1)E / 3.5.0E

It is important to note that, even if IPDT is enabled globally, that does not necessarily imply that IPDT actively monitors a given port.
Both on releases where IPDT is always on and on releases where IPDT can be globally toggled off/on, once IPDT is enabled globally, other features actually determine whether it is active on a specific interface (see the Functionality Areas section).

Functionality Areas

IPDT and its ARP probes sent out of a given interface are used for these features:

- Network Mobility Services Protocol (NMSP), Versions 3.2.0E, 15.2(1)E, 3.5.0E and later
- Device sensor, Versions 15.2(1)E, 3.5.0E and later
- 802.1X, MAC Authentication Bypass (MAB), session manager
- Web-based authentication
- Auth-proxy
- IP Source Guard (IPSG) for static hosts
- Flexible NetFlow
- Cisco TrustSec (CTS)
- Mediatrace
- HTTP redirects

Feature Matrix

Platform                  | Feature       | Default on (starting in) | Disable method                               | Disable CLI
Cat 2960/3750 (Cisco IOS) | IPDT          | 15.2(1)E *               | global CLI (older releases) *, per-interface | no ip device tracking *, ip device tracking maximum 0 ***
Cat 2960/3750 (Cisco IOS) | NMSP          | no                       | global CLI or per-interface CLI              | no nmsp enable, nmsp attachment suppress ****
Cat 2960/3750 (Cisco IOS) | Device Sensor | 15.0(1)SE                | global CLI                                   | no macro auto monitor
Cat 2960/3750 (Cisco IOS) | ARP Snooping  | 15.2(1)E **              | n/a                                          | n/a
Cat 3850                  | IPDT          | all releases *           | per-interface *                              | ip device tracking maximum 0 ***
Cat 3850                  | NMSP          | all releases             | per-interface                                | nmsp attachment suppress
Cat 3850                  | Device Sensor | no                       | n/a                                          | n/a
Cat 3850                  | ARP Snooping  | all releases **          | n/a                                          | n/a
Cat 4500                  | IPDT          | 15.2(1)E / 3.5.0E *      | global CLI (older releases) *, per-interface | no ip device tracking *, ip device tracking maximum 0 ***
Cat 4500                  | NMSP          | no                       | global CLI or per-interface CLI              | no nmsp enable, nmsp attachment suppress ****
Cat 4500                  | Device Sensor | 15.1(1)SG / 3.3.0SG      | global CLI                                   | no macro auto monitor
Cat 4500                  | ARP Snooping  | 15.2(1)E / 3.5.0E **     | n/a                                          | n/a

Notes on the feature matrix:

* IPDT cannot be disabled globally in newer releases, but IPDT is only active on ports where features that require it are active.
** ARP snooping is only active if specific feature combinations enable it.
*** Disabling IPDT on a per-interface basis does not stop ARP snooping, but it does prevent IPDT tracking. This is available from 3.3.0SE, 15.2(1)E, 3.5.0E and later.
**** Per-interface NMSP suppression is only available if NMSP is enabled globally.
Disable IPDT

On releases where IPDT is not enabled by default, IPDT can be turned off globally with this command:

Switch(config)# no ip device tracking

On releases where IPDT is always on, the previous command is not available, or it does not allow you to disable IPDT (Cisco bug ID CSCuj04986). In this case, there are several ways to ensure that IPDT does not monitor a specific port or does not generate duplicate IP alerts.

Enter the ip device tracking probe delay 10 Command

This command prevents the switch from sending a probe for 10 seconds after it detects a link UP/flap, which minimizes the possibility that the probe is sent while the host on the other side of the link checks for duplicate IP addresses. The RFC specifies a 10-second window for duplicate address detection, so if you delay the device-tracking probe, the issue is solved in most cases.

If the switch sends out an ARP Probe for the client while the host (for example, a Microsoft Windows PC) is in its Duplicate Address Detection phase, the host detects the probe as a duplicate IP address and presents the user with a message that a duplicate IP address was found on the network. The PC then does not obtain an address, and the user must manually release/renew the address, disconnect and reconnect to the network, or reboot the PC in order to gain network access.

In addition to the probe delay itself, the delay timer also resets when the switch detects a probe from the PC/host. For example, if the probe timer has counted down to five seconds and the switch detects an ARP Probe from the PC/host, the timer resets back to 10 seconds.

This configuration has been made available through Cisco bug ID CSCtn27420.

Enter the ip device tracking probe use-svi Command

With this command, you configure the switch to send a non-RFC-compliant ARP Probe: the IP source is no longer 0.0.0.0, but the address of the Switch Virtual Interface (SVI) in the VLAN where the host resides. Microsoft Windows machines no longer see the probe as a probe as defined by RFC 5227 and do not flag a potential duplicate IP.
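The following is an added example, not code from the Cisco document. It models how the probe sender IP is chosen under the default behaviour, the use-svi option described above, and the auto-source fallback computation covered in the next section, and then applies the RFC 5227 conflict rules a host uses during duplicate address detection to the resulting ARP request. This shows why each of the three mitigations (probe delay, use-svi, auto-source) stops the false duplicate-IP alert. The function names (choose_probe_source, host_sees_conflict, probe_outcome) and the "ip/prefixlen" form of the host-table entries are this example's own assumptions; the real IPDT table does not store a mask.

```python
"""Added example (not part of the Cisco document): a small model of how the IPDT
probe source is chosen under the default, use-svi and auto-source options, and of
how an RFC 5227 host on the far side of the link classifies the resulting ARP."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

ZERO_IP = "0.0.0.0"


@dataclass(frozen=True)
class ArpRequest:
    """The ARP request fields that matter for RFC 5227 conflict detection."""
    sender_mac: str
    sender_ip: str
    target_ip: str


def fallback_source(target_ip: str, host_bits: str, mask: str) -> str:
    """'ip device tracking probe auto-source fallback <host> <mask>':
    network part from the probed target, host part from <host>."""
    t = int(ipaddress.IPv4Address(target_ip))
    h = int(ipaddress.IPv4Address(host_bits))
    m = int(ipaddress.IPv4Address(mask))
    host_mask = ~m & 0xFFFFFFFF
    return str(ipaddress.IPv4Address((t & m) | (h & host_mask)))


def choose_probe_source(target_ip: str, svi_ip: Optional[str] = None,
                        host_table: Sequence[str] = (),
                        fallback: Optional[Tuple[str, str]] = None,
                        override: bool = False) -> str:
    """Return the sender IP the switch puts in the probe, in the order of preference
    the document lists.  host_table entries are 'ip/prefixlen' strings (the prefix is
    an assumption of this model).  fallback is (host_bits, mask) or None."""
    # 1. The VLAN SVI address, if there is one (also what 'probe use-svi' gives).
    if svi_ip:
        return svi_ip
    # 2. Unless 'override' is set, borrow the address of an already tracked host
    #    in the same subnet as the target.
    if not override:
        target = ipaddress.IPv4Address(target_ip)
        for entry in host_table:
            iface = ipaddress.ip_interface(entry)
            if target in iface.network and str(iface.ip) != target_ip:
                return str(iface.ip)
    # 3. Compute a source from the fallback host bits, or fall back to the
    #    RFC 5227 all-zero sender address (the default behaviour).
    if fallback:
        return fallback_source(target_ip, *fallback)
    return ZERO_IP


def is_rfc5227_probe(pkt: ArpRequest) -> bool:
    """RFC 5227 section 1.1: an ARP Probe is an ARP Request with an all-zero sender IP."""
    return pkt.sender_ip == ZERO_IP


def host_sees_conflict(pkt: ArpRequest, my_ip: str, my_mac: str, probing: bool) -> bool:
    """Conflict rules of RFC 5227 sections 2.1.1 and 2.4 from the host's side:
    another MAC claiming my IP as sender IP is always a conflict; while I am still
    probing my address, an ARP Probe whose target IP is my address is one too."""
    if pkt.sender_mac == my_mac:
        return False
    if pkt.sender_ip == my_ip:
        return True
    return probing and is_rfc5227_probe(pkt) and pkt.target_ip == my_ip


def probe_outcome(host_ip: str, host_mac: str, switch_mac: str, probing: bool,
                  **policy) -> Tuple[str, bool]:
    """Build the probe the switch sends for host_ip under the given policy and
    report (sender_ip, whether the host would raise a duplicate-address alert)."""
    sender_ip = choose_probe_source(host_ip, **policy)
    pkt = ArpRequest(sender_mac=switch_mac, sender_ip=sender_ip, target_ip=host_ip)
    return sender_ip, host_sees_conflict(pkt, host_ip, host_mac, probing)


if __name__ == "__main__":
    # Constructed sample: a Windows host at 10.5.5.20, still inside its duplicate
    # address detection window (probing=True), probed by a switch with no SVI.
    host, host_mac, sw_mac = "10.5.5.20", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
    print("default              ", probe_outcome(host, host_mac, sw_mac, True))
    # 'probe delay 10' lets the host finish its own probing before ours arrives.
    print("probe delay 10       ", probe_outcome(host, host_mac, sw_mac, False))
    print("probe use-svi        ", probe_outcome(host, host_mac, sw_mac, True,
                                                 svi_ip="10.5.5.254"))
    print("auto-source fallback ", probe_outcome(host, host_mac, sw_mac, True,
                                                 fallback=("0.0.0.1", "255.255.255.0"),
                                                 override=True))
```

Only the default case, run while the host is still probing, is reported as a conflict; use-svi and auto-source avoid it because the sender IP is no longer all zeros, and the probe delay avoids it because the host has finished probing. The model also shows the edge the computed fallback carries: if the probed host actually uses the address that the host bits produce (here 10.5.5.1 with host bits 0.0.0.1), the switch claims that host's own address as sender IP and the host treats it as a conflict, which is why the host table is consulted before the computation unless override is set.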
Enter the ip device tracking probe auto-source [fallback <host> <mask>] [override] Command

For customers who do not have predictable/controllable end devices, or for those who have many switches in an L2-only role, the configuration of an SVI, which introduces a Layer 3 variable in the design, is not a suitable solution. An enhancement introduced in Version 15.2(2)E and later allows the arbitrary assignment of an IP address, which does not need to belong to the switch, as the source address in the ARP probes generated by IPDT. This enhancement lets you modify the automatic behavior of the system in these ways (each list shows how the system behaves after the command is entered):

Enter the ip device tracking probe auto-source Command

1. Set the source to the VLAN SVI if present.
2. Otherwise, search for a source/MAC pair in the IP host table for the same subnet.
3. Otherwise, send the zero IP source as in the default case.

Enter the ip device tracking probe auto-source fallback 0.0.0.1 255.255.255.0 Command

1. Set the source to the VLAN SVI if present.
2. Otherwise, search for a source/MAC pair in the IP host table for the same subnet.
3. Otherwise, compute the source IP from the destination IP with the host bits and mask provided.

Enter the ip device tracking probe auto-source fallback 0.0.0.1 255.255.255.0 override Command

1. Set the source to the VLAN SVI if present.
2. Otherwise, compute the source IP from the destination IP with the host bits and mask provided.

Note: The override makes you skip the search for an entry in the table.

As an example of the previous computations, assume you probe host 192.168.1.200. With the mask and host bits provided, you generate a source address of 192.168.1.1. If you probe entry 10.5.5.20, you generate an ARP probe with source address 10.5.5.1, and so on.

Enter the ip device tracking maximum 0 Command

This command does not truly disable IPDT, but it does limit the number of tracked hosts to zero. This is not a recommended solution and it must be used with caution, because it affects all of the other features that rely on IPDT, which includes the port-channel configuration as described in Cisco bug ID CSCun81556.

Turn Off Active Features that Trigger IPDT

Some features that can trigger IPDT include NMSP, device sensor, dot1x/MAB, WebAuth, and IPSG.
These features are not recommended to be enabled on trunk ports. This solution is reserved for the most difficult or complex situations, where either all of the solutions previously described did not work as expected, or they created additional problems. It is, however, the only solution that allows extreme granularity when you disable IPDT, because you can turn off only the IPDT-related features that cause problems and leave everything else unaffected.

In the most recent Cisco IOS, Versions 15.2(2)E and later, you see an output similar to this:

Switch# show ip device tracking interface GigabitEthernet1/0/9
--------------------------------------------
Interface GigabitEthernet1/0/9 is: STANDALONE
  IP Device Tracking = Disabled
  IP Device Tracking Probe Count = 3
  IP Device Tracking Probe Interval = 180000
  IPv6 Device Tracking Client Registered Handle: 75
  IP Device Tracking Enabled Features:
    HOST_TRACK_CLIENT_ATTACHMENT
    HOST_TRACK_CLIENT_SM

The two lines in all caps at the bottom of the output are the features that use IPDT in order to work. Most of the problems created when you disable device tracking can be avoided if you disable the single services that run on the interface instead.

In earlier versions of Cisco IOS, this easy way to know which modules are enabled under an interface is not available, so you must go through a more involved process in order to get the same results. You must turn on debug ip device tracking interface, which is a low-frequency log that is safe in most setups. Be careful not to turn on debug ip device tracking all, because that, on the contrary, floods the console in scale situations.

Once the debug is on, bring an interface back to default, and then add and remove an IPDT service from the interface configuration. The results from the debugs tell you which service has been enabled/disabled with the command you used.

Example

Switch(config)# interface GigabitEthernet1/0/9
Switch(config-if)# ip device tracking maximum 10
Switch(config-if)#
*Mar 27 09:58:49.470: sw_host_track-interface: Feature 00000008 enabled on port Gi1/0/9, mask now 0000004C, 65 ports enabled
*Mar 27 09:58:49.471: sw_host_track-interface: Gi1/0/9[L2 DOWN, IP HOST DIS] IP host tracking max set to 10
Switch(config-if)#

What the output reveals is that you enabled feature 00000008, and that the new feature mask is 0000004C.
Now, remove the configuration you just added:

Switch(config-if)# no ip device tracking maximum 10
Switch(config-if)#
*Mar 27 10:02:31.154: sw_host_track-interface: Feature 00000008 disabled on port Gi1/0/9, mask now 00000044, 65 ports enabled
*Mar 27 10:02:31.154: sw_host_track-interface: Gi1/0/9[L2 DOWN, IP HOST DIS] IP host tracking max cleared
*Mar 27 10:02:31.154: sw_host_track-interface: Max limit has been removed from the interface GigabitEthernet1/0/9.
Switch(config-if)#

Once you remove feature 00000008, you can see the 00000044 mask, which must have been the original, default mask. This value of 00000044 is expected, since AIM is 0x00000004 and SM is 0x00000040, which together result in 0x00000044.

There are several IPDT services that can run under an interface:

IPDT service                          | Interface feature bit
HOST_TRACK_CLIENT_IP_ADMISSIONS       | 0x00000001
HOST_TRACK_CLIENT_DOT1X               | 0x00000002
HOST_TRACK_CLIENT_ATTACHMENT          | 0x00000004
HOST_TRACK_CLIENT_TRACK_HOST_UPTO_MAX | 0x00000008
HOST_TRACK_CLIENT_RSVP                | 0x00000010
HOST_TRACK_CLIENT_CTS                 | 0x00000020
HOST_TRACK_CLIENT_SM                  | 0x00000040
HOST_TRACK_CLIENT_WIRELESS            | 0x00000080

In the example, the HOST_TRACK_CLIENT_SM (session manager) and HOST_TRACK_CLIENT_ATTACHMENT (also known as AIM/NMSP) modules are configured for IPDT. In order to turn off IPDT on this interface, you must disable both, because IPDT is disabled ONLY when all of the functions that use it are disabled as well.

After you disable those features, you have an output similar to this:

Switch(config-if)# do show ip device tracking interface GigabitEthernet1/0/9
--------------------------------------------
Interface GigabitEthernet1/0/9 is: STANDALONE
  IP Device Tracking = Disabled              <- IPDT is disabled
  IP Device Tracking Probe Count = 3
  IP Device Tracking Probe Interval = 180000
  IP Device Tracking Enabled Features:       <- No active features
--------------------------------------------

In this way, IPDT is disabled with more granularity.
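As an added example, not part of the Cisco document, the following script turns the feature mask from the debug lines above into the client names of the table, and rebuilds the mask from the "IP Device Tracking Enabled Features" block of show ip device tracking interface, so the two views can be cross-checked on releases that offer both. The bit values are the ones listed in the table; the sample lines are copied from the document's own example; the function names and the regular expression are this example's assumptions.

```python
"""Added example (not part of the Cisco document): decode the IPDT feature mask
seen in 'debug ip device tracking interface' output and in the enabled-features
block of 'show ip device tracking interface'."""
import re
from typing import Dict, Iterable, List

# Client bits exactly as listed in the document's table.
IPDT_CLIENTS = {
    0x00000001: "HOST_TRACK_CLIENT_IP_ADMISSIONS",
    0x00000002: "HOST_TRACK_CLIENT_DOT1X",
    0x00000004: "HOST_TRACK_CLIENT_ATTACHMENT",
    0x00000008: "HOST_TRACK_CLIENT_TRACK_HOST_UPTO_MAX",
    0x00000010: "HOST_TRACK_CLIENT_RSVP",
    0x00000020: "HOST_TRACK_CLIENT_CTS",
    0x00000040: "HOST_TRACK_CLIENT_SM",
    0x00000080: "HOST_TRACK_CLIENT_WIRELESS",
}
KNOWN_BITS = sum(IPDT_CLIENTS)

# Debug line format, as it appears in the document's example (assumed stable).
DEBUG_RE = re.compile(
    r"sw_host_track-interface: Feature (?P<feature>[0-9A-Fa-f]{8}) "
    r"(?P<state>enabled|disabled) on port (?P<port>\S+), mask now (?P<mask>[0-9A-Fa-f]{8})"
)


def decode_mask(mask: int) -> List[str]:
    """Expand a feature mask into client names; unknown bits are reported, not dropped."""
    names = [name for bit, name in sorted(IPDT_CLIENTS.items()) if mask & bit]
    unknown = mask & ~KNOWN_BITS
    if unknown:
        names.append(f"UNKNOWN_BITS(0x{unknown:08X})")
    return names


def ipdt_active(mask: int) -> bool:
    """IPDT stays active on a port while any client bit remains set."""
    return mask != 0


def parse_debug(lines: Iterable[str]) -> Dict[str, int]:
    """Follow the 'mask now' updates per port and return the last mask seen for each."""
    masks: Dict[str, int] = {}
    for line in lines:
        m = DEBUG_RE.search(line)
        if m:
            masks[m["port"]] = int(m["mask"], 16)
    return masks


def mask_from_show(output: str) -> int:
    """Rebuild the mask from the 'IP Device Tracking Enabled Features:' block
    of 'show ip device tracking interface' (15.2(2)E and later)."""
    name_to_bit = {name: bit for bit, name in IPDT_CLIENTS.items()}
    mask = 0
    for token in re.findall(r"HOST_TRACK_CLIENT_[A-Z0-9_]+", output):
        mask |= name_to_bit.get(token, 0)
    return mask


# Debug lines from the document's example: feature 0x08 added, then removed, on Gi1/0/9.
SAMPLE_DEBUG = """\
*Mar 27 09:58:49.470: sw_host_track-interface: Feature 00000008 enabled on port Gi1/0/9, mask now 0000004C, 65 ports enabled
*Mar 27 09:58:49.471: sw_host_track-interface: Gi1/0/9[L2 DOWN, IP HOST DIS] IP host tracking max set to 10
*Mar 27 10:02:31.154: sw_host_track-interface: Feature 00000008 disabled on port Gi1/0/9, mask now 00000044, 65 ports enabled
"""

# Enabled-features block from the document's show output.
SAMPLE_SHOW = """\
Interface GigabitEthernet1/0/9 is: STANDALONE
  IP Device Tracking = Disabled
  IP Device Tracking Enabled Features:
    HOST_TRACK_CLIENT_ATTACHMENT
    HOST_TRACK_CLIENT_SM
"""

if __name__ == "__main__":
    for port, mask in parse_debug(SAMPLE_DEBUG.splitlines()).items():
        state = "IPDT still active" if ipdt_active(mask) else "IPDT off"
        print(f"{port}: mask 0x{mask:08X} -> {decode_mask(mask)} ({state})")
    print(f"show output rebuilds to mask 0x{mask_from_show(SAMPLE_SHOW):08X}")
```

Running it against the two samples gives the same answer from both directions: the residual mask 0x00000044 is HOST_TRACK_CLIENT_ATTACHMENT plus HOST_TRACK_CLIENT_SM, so NMSP attachment and the session manager are what must be turned off before IPDT releases the port.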
Here are some examples of commands used in order to disable some of the functions discussed previously:

nmsp attachment suppress
no macro auto monitor

Note: The latter command is only available on platforms that support SmartPorts, which are used to enable features based on the location of a switch in the network and for mass configuration deployments across the network.

Verify IPDT Operation

Use these commands in order to verify IPDT status on your device:

show ip device tracking
This command displays interfaces where IPDT is enabled and where MAC/IP/interface associations are currently tracked.

clear ip device tracking
This command clears IPDT-related entries.

Note: The switch sends ARP probes to the hosts that were removed. If a host is present, it responds to the ARP probe and the switch adds an IPDT entry for the host. You must disable ARP probes before the clear IPDT command; in that way, all of the ARP entries are gone. If ARP probes are enabled after the clear ip device tracking command, all of the entries come back again.

debug ip device tracking
This command allows you to collect debugs in order to display IPDT activity in real time.

Revision History

Revision | Publish Date | Comments
1.0      | 25-Nov-2014  | Initial Release

Contributed by Cisco Engineers: Julio Jimenez, Cisco TAC Engineer


