Published On: August 6th, 2019 02:01

IP Device Tracking

IP Device Tracking maintains a database of IP and MAC addresses. This database is used to derive the source IP address for dynamic ACLs and to maintain the binding of IP addresses to security group tags.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About IP Device Tracking

The IP Device Tracking feature uses Address Resolution Protocol (ARP) snooping and DHCP snooping to maintain a database of IP and MAC addresses. This data is also used to track switches that do not perform routing and do not have ARP tables.

IP Device Tracking is enabled if features such as Network Mobility Service Protocol (NMSP) or Device Sensor, which have dependency on IP Device Tracking, are enabled.

IP Device Tracking is controlled at the interface level. For example, if feature X, which depends on IP Device Tracking, is enabled on port Y, then IP Device Tracking is also enabled on port Y. To turn off IP Device Tracking on port Y, remove feature X; this automatically disables IP Device Tracking on port Y.

To disable IP Device Tracking, turn off the features that enable IP Device Tracking, and then use the following command at the interface level:

ip device tracking maximum 0


Note
Do not configure the interface-level commands, because they might affect the features that depend on IP Device Tracking.

Tracking ARP

If IP Device Tracking is enabled globally, the following features will cause IP Device Tracking to track ARP for a given interface:

  • NMSP

  • Device sensor

  • 802.1X, MAB, Session Manager

  • WebAuth, auth-proxy

  • IPSG for static hosts

  • Flexible NetFlow

  • Cisco TrustSec (CTS)

  • Mediatrace

Recommended Best Practices

The following best practices apply when working with Cisco Catalyst 3850 Series Switches:

  • Use a non-zero source IP address in the ARP probe requests to eliminate the duplicate IP address issue that IP Device Tracking probes can cause.

  • Delay the IP Device Tracking ARP probes that are triggered by a link-up event.

  • Disable IP Device Tracking on trunk ports.


Note
Enabling IPDT on a trunk port implies that all hosts connected to the neighboring switch over the trunk port may be tracked. This is typically the reason why IPDT ends up with a large device tracking table, which can cause the following issues:

  • By design, IPDT officially supports only around 2048 hosts. Operations on a large table, such as searching for a host, consume more CPU time. In a switch stack, the device tracking table is synced between the active and standby switches. If a trunk port flaps, or if entries are frequently inserted or deleted, the state of all entries learnt from that port must be updated and synced to the standby, which can flood the standby with notifications and impact other features.

  • With IPDT turned on, ARP probes are sent to connected hosts if no activity such as ARP or DHCP packets is detected within a certain period (this period is configurable; its default value is 30 seconds). A large number of tracked hosts increases network traffic and degrades switch performance. In addition, the activity of a host connected indirectly through another switch over a trunk port may never reach this switch at all, so such remote hosts are more likely to need probing.

  • IPDT tracks hosts by sending ARP probes periodically. When IPDT is enabled on a trunk port, probes may also be sent by a remote switch connected to the local switch over the trunk. This increases the chance of the Duplicate IP Address issue introduced by IPDT probes. Furthermore, it is more difficult to pin down the real source of the probe that causes the Duplicate IP Address error.


Supported Platforms and Releases

The following feature is available for Cisco Catalyst 3850 Series Switches:
Table 1 Supported Platforms and Releases

Supported Platforms                  Feature Name        Disable Method   CLI to Disable
Cisco Catalyst 3850 Series Switches  IP Device Tracking  Per interface    ip device tracking maximum 0

Note
  • From Cisco IOS Release Denali-16.1.1, IP Device Tracking is replaced by Switch Integrated Security Feature (SISF) Device Tracking.

  • If any feature that depends on IP Device Tracking is enabled, IP Device Tracking is enabled.


How to Disable IP Device Tracking

Disabling IP Device Tracking

Procedure

Step 1  enable

Example:
Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2  configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 3  no ip device tracking

Example:
Device(config)# no ip device tracking

Turns off IP Device Tracking.

Step 4  end

Example:
Device(config)# end

Returns to privileged EXEC mode.

Verifying IP Device Tracking

Procedure

Step 1  enable

Example:
Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2  show ip device tracking

Example:
Device# show ip device tracking

Displays the interfaces where IP Device Tracking is enabled, and the MAC, IP, and interface associations that are tracked.

Note
Starting from Cisco IOS XE Release Denali 16.1.1, this output displays information associated with both IPv4 and IPv6 addresses.

Step 3  show ip device tracking interface interface-type/number

Example:
Device# show ip device tracking interface GigabitEthernet1/0/2

Displays the features on that interface that depend on IP Device Tracking.

Step 4  debug ip device tracking

Example:
Device# debug ip device tracking

Collects debug information to display IP Device Tracking activity in real time.

Configuration Examples for IP Device Tracking

Example: Verifying if IP Device Tracking is Disabled

The following is a sample output of the show ip device tracking interface command on a Cisco Catalyst 3850 Series Switch:

Device# show ip device tracking interface GigabitEthernet 1/0/9
Interface GigabitEthernet1/0/9 is: STAND ALONE
IP Device Tracking = Disabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 180000
IPv6 Device Tracking Client Registered Handle: 75
IP Device Tracking Enabled Features:
        HOST_TRACK_CLIENT_ATTACHMENT
        HOST_TRACK_CLIENT_SM
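An added example, not part of the Cisco documentation, that parses this per-interface output for several interfaces at once and reports where IP Device Tracking is still enabled and which dependent features keep it on. The sample text is constructed in the format shown above; the second interface and the "IP Device Tracking = Enabled" string are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the "show ip device tracking interface" output
# above (not captured from a real switch); the second interface is an assumption.
SAMPLE_OUTPUT = """\
Interface GigabitEthernet1/0/9 is: STAND ALONE
IP Device Tracking = Disabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 180000
IPv6 Device Tracking Client Registered Handle: 75
IP Device Tracking Enabled Features:
        HOST_TRACK_CLIENT_ATTACHMENT
        HOST_TRACK_CLIENT_SM
Interface GigabitEthernet1/0/10 is: STAND ALONE
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30000
IP Device Tracking Enabled Features:
        HOST_TRACK_CLIENT_SM
"""

@dataclass
class IpdtInterface:
    name: str
    enabled: bool = False
    probe_count: int = 0
    probe_interval: int = 0
    features: list = field(default_factory=list)

def parse_ipdt_interfaces(text):
    """Split the output into per-interface records; each 'Interface ... is:' line starts one."""
    records, current = [], None
    for line in text.splitlines():
        if m := re.match(r"Interface (\S+) is:", line):
            current = IpdtInterface(m.group(1))
            records.append(current)
        elif current is None:
            continue
        elif m := re.match(r"IP Device Tracking = (\w+)", line):
            current.enabled = (m.group(1) == "Enabled")
        elif m := re.match(r"IP Device Tracking Probe (Count|Interval) = (\d+)", line):
            setattr(current, "probe_" + m.group(1).lower(), int(m.group(2)))
        elif line.startswith(" "):  # indented lines list the dependent features
            current.features.append(line.strip())
    return records

def interfaces_with_ipdt(text):
    """Map each interface that still has IPDT enabled to the features that keep it on."""
    return {r.name: r.features for r in parse_ipdt_interfaces(text) if r.enabled}
```

The features listed for an enabled interface are the ones to remove (see Information About IP Device Tracking) rather than configuring the interface-level command directly.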

Example: Displaying Port-Asic Details

The following is a sample output of the show platform port-asic ifm mappings command on a Cisco Catalyst 3850 Series Switch:

Device# show platform port-asic ifm mappings port-le switch 1
Mappings Table
Port-LE      Interface    IIF-ID               Type
0x488ab810   Gi1/0/12     0x0101954000000023   PORT_LE
0x5470ce18   Gi1/0/1      0x010375c000000008   PORT_LE
0x547124c0   Gi1/0/2      0x0106ccc00000000a   PORT_LE

Take the Port-LE handle of the interface from the mappings table and print its resource handle. If the snooping value is 1, ARP snooping is enabled on that port; otherwise it is disabled. In the following example, both values are 0, so ARP and ND snooping are disabled on the port:

Device# show platform abstraction print-resource-handle 0x547124c0 1 sw 1 | I SNOOPING
LEAD_PORT_ARP_OR_ND_SNOOPING_ENABLED_IPV4 value 0 Pass
LEAD_PORT_ARP_OR_ND_SNOOPING_ENABLED_IPV6 value 0 Pass
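An added example, not part of the Cisco documentation, that joins the two outputs above: it maps each interface to its Port-LE handle from the mappings table and then reads the SNOOPING values printed for that handle, so ARP/ND snooping state can be reported per interface rather than per opaque handle. Both sample outputs are constructed in the page's format; the handle with value 1 is an assumption.

```python
import re

# Constructed sample in the format of the "show platform port-asic ifm mappings"
# output above (not captured from a real switch).
MAPPINGS = """\
Mappings Table
Port-LE      Interface    IIF-ID               Type
0x488ab810   Gi1/0/12     0x0101954000000023   PORT_LE
0x5470ce18   Gi1/0/1      0x010375c000000008   PORT_LE
0x547124c0   Gi1/0/2      0x0106ccc00000000a   PORT_LE
"""

# Constructed "print-resource-handle ... | I SNOOPING" results, keyed by Port-LE handle.
# Only two handles were "collected"; the IPv4 value 1 for 0x5470ce18 is an assumption.
SNOOPING = {
    "0x547124c0": """\
LEAD_PORT_ARP_OR_ND_SNOOPING_ENABLED_IPV4 value 0 Pass
LEAD_PORT_ARP_OR_ND_SNOOPING_ENABLED_IPV6 value 0 Pass
""",
    "0x5470ce18": """\
LEAD_PORT_ARP_OR_ND_SNOOPING_ENABLED_IPV4 value 1 Pass
LEAD_PORT_ARP_OR_ND_SNOOPING_ENABLED_IPV6 value 0 Pass
""",
}

def parse_port_le_mappings(text):
    """Return {interface: port_le_handle} for every PORT_LE row of the mappings table."""
    handles = {}
    for line in text.splitlines():
        m = re.match(r"(0x[0-9a-f]+)\s+(\S+)\s+0x[0-9a-f]+\s+PORT_LE", line)
        if m:
            handles[m.group(2)] = m.group(1)
    return handles

def parse_snooping(text):
    """Return {'IPV4': bool, 'IPV6': bool}; a value of 1 means snooping is enabled."""
    state = {}
    for line in text.splitlines():
        m = re.match(r"LEAD_PORT_ARP_OR_ND_SNOOPING_ENABLED_(IPV[46]) value (\d+)", line)
        if m:
            state[m.group(1)] = (m.group(2) == "1")
    return state

def arp_snooping_report(mappings_text, snooping_by_handle):
    """Per interface: snooping state, or None where no handle output was collected."""
    report = {}
    for intf, handle in parse_port_le_mappings(mappings_text).items():
        out = snooping_by_handle.get(handle)
        report[intf] = parse_snooping(out) if out is not None else None
    return report
```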

Additional References for Disabling IP Device Tracking

Technical Assistance

Description:
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Link:
http://www.cisco.com/support

Feature Information for IP Device Tracking

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 2 Feature Information for Modes of Operation

Feature Name        Releases       Feature Information
IP Device Tracking  Denali-16.1.1  No commands were introduced or modified.
