ip client-tracker

Syntax

ip client-tracker [trusted | untrusted]

no ip client-tracker [trusted | untrusted]

Description

Enables the visibility of statically and dynamically assigned IPv4 and IPv6 addresses for both authenticated and unauthenticated clients.

The no form of this command disables the visibility of statically and dynamically assigned IPv4 and IPv6 addresses for both authenticated and unauthenticated clients.

Command context

config

Parameters

trusted

Enables or disables the visibility of statically and dynamically assigned IPv4 and IPv6 addresses for authenticated clients. The trusted option makes the feature track clients only on authentication-enabled ports (edge ports), excluding uplink ports, which are not enabled for authentication with the server.

untrusted

Enables or disables the visibility of statically and dynamically assigned IPv4 and IPv6 addresses for unauthenticated clients.

Usage

  • The switch sends ARP probes when the IP client tracker feature is enabled. The probe interval is determined by the arp-age timeout. By default the arp-age timeout is 20 minutes; it can be changed with the command ip arp-age <timeout value in minutes>.

    • The periodic ARP probe aids in detecting any change of IP addresses on end clients.

    • Non-chatty clients that do not send packets at regular intervals are deauthenticated due to inactivity after the logoff period. IP client tracker can be used to keep these clients in the network. The customer must always configure the ip arp-age value to less than the configured logoff period, so that these clients are not deauthenticated due to inactivity.

  • When the ip client-tracker command is executed more than once, the last command's behavior applies. For example, when the command ip client-tracker trusted is run after the command ip client-tracker, the behavior follows the last command, ip client-tracker trusted.

    • When the administrator tries to execute the no form of a command that has not been configured (does not exist in the running configuration), an error appears.

Example

Show port-access client with multiple addresses.

switch#  show port-access clients

Port Access Client Status

Port    Client Name    MAC Address           IP Address      User Role Type  VLAN
----   -------------- -------------- ---------------------- ---------- ----- ----
1       005056bd3ff7  005056-bd3ff7  3ffe:501:ffff:100::5e               MAC  1

Example

Show the port-access IPv4 client.

Switch-Stack(config)# show port-access clients             

 Port Access Client Status

  Port  Client Name   MAC Address   IP Address      User Role         Type  VLAN
  ----- ------------- ------------- --------------- ----------------- ----- ----
  1/3   000002b85001  000002-b85001 10.1.1.30                         MAC   10

Example

Show the port-access IPv6 client.

switch(config)# show port-access clients 22

Port Access Client Status

  Port  Client Name   MAC Address   IP Address      User Role         Type  VLAN
  ----- ------------- ------------- --------------- ----------------- ----- ----
  22    0000005daa34  000000-5daa34 n/a                               MAC   20

Example

Show the port-access client detail.

switch(config)# show port-access clients 22 detailed

Port Access Client Status Detail

  Client Base Details :
   Port            : 22                    Authentication Type : mac-based
   Client Status   : authenticated         Session Time        : 64 seconds
   Client Name     : 0000005daa34          Session Timeout     : 0 seconds
   MAC Address     : 000000-5daa34
   IP              : n/a

  Access Policy Details :
   COS Map         : Not Defined           In Limit Kbps       : Not Set
   Untagged VLAN   : 20                    Out Limit Kbps      : Not Set
   Tagged VLANs    : No Tagged VLANs
   Port Mode       : 1000FDx
   RADIUS ACL List : No Radius ACL List
   IPV6 Address    : 2000::10

NOTE:

If neither the trusted nor the untrusted option is configured, the feature is enabled for both trusted (authentication enabled) and untrusted (authentication disabled) ports. Since uplink ports are always authentication disabled, the ip client-tracker command without any options starts tracking these ports, which results in tracking routed clients as well.
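
The rules in the Usage section and in the NOTE above can be checked against a configuration before it is deployed. The script below is an added example, not part of the switch documentation; the function name, the constructed sample configuration, passing the logoff period in as a value in seconds, and treating any no form as disabling the feature are assumptions of the example.

```python
import re

DEFAULT_ARP_AGE_MIN = 20  # default arp-age timeout stated on this page

def audit_client_tracker(config_text, logoff_period_seconds):
    """Return (mode, arp_age_minutes, findings) for a switch configuration.

    logoff_period_seconds is supplied by the caller; treating it as seconds
    is an assumption of this example, the page does not give its unit.
    """
    mode = "disabled"              # disabled | both | trusted | untrusted
    arp_age = DEFAULT_ARP_AGE_MIN
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(
            r"(no\s+)?ip\s+client-tracker(?:\s+(trusted|untrusted))?", line)
        if m:
            # Last command wins; any "no" form is treated as disabling
            # the feature (a simplification made for this example).
            mode = "disabled" if m.group(1) else (m.group(2) or "both")
            continue
        m = re.fullmatch(r"ip\s+arp-age\s+(\d+)", line)
        if m:
            arp_age = int(m.group(1))
    findings = []
    if mode == "disabled":
        return mode, arp_age, findings
    if mode == "both":
        # Bare command: uplink ports are tracked too (see the NOTE).
        findings.append("no option set: uplink ports and routed clients are tracked")
    if arp_age * 60 >= logoff_period_seconds:
        # The ARP probe would arrive after the inactivity logoff.
        findings.append("arp-age %d min is not below logoff period %d s"
                        % (arp_age, logoff_period_seconds))
    return mode, arp_age, findings

# Constructed sample configuration, not taken from a real switch.
SAMPLE = """\
ip client-tracker
ip arp-age 4
ip client-tracker trusted
"""

if __name__ == "__main__":
    print(audit_client_tracker(SAMPLE, 300))
```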