Symptom
The IP-SGT mapping shows entries for IPs that no longer exist on the switch:
FE-LY305-101a-G1#Sh cts role-based sgt-map vrf Trust all | i .132.220|IP|=
%IPv6 protocol is not enabled in VRF Trust
Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
10.196.132.220 97 LOCAL
IP-SGT Active Bindings Summary
============================================
FE-LY305-101a-G1#sh cts authorization entries | inc Peer SGT
…
Peer SGT = 92-47:SDA_Common_DTUguest_OtherUser
Peer SGT = 97-45:SDA_ENRGK_TRUST_DepUser <<<<<<<
Peer SGT = 65535-06:ANY
FE-LY305-101a-G1#
FE-LY305-101a-G1#sh device-tracking data add 10.196.132.220
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
FE-LY305-101a-G1#
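A check for this symptom, added here as an example and not part of the original report: it parses the two show outputs above and lists LOCAL IP-SGT bindings that have no device-tracking entry, which is the stale-binding condition shown. The sample outputs are constructed to mirror the report; column layout of these commands can vary between IOS-XE releases, so the regexes are an assumption.

```python
import re

# Constructed sample "show cts role-based sgt-map" output modelled on the report:
# .220 is the stale LOCAL binding, .221 is a live host, .1 is a CLI-sourced entry.
SGT_MAP_OUTPUT = """\
Active IPv4-SGT Bindings Information
IP Address              SGT  Source
============================================
10.196.132.220          97   LOCAL
10.196.132.221          92   LOCAL
10.196.132.1            2    CLI
IP-SGT Active Bindings Summary
============================================
"""

# Constructed sample "show device-tracking database" output: only .221 is still tracked.
DEVICE_TRACKING_OUTPUT = """\
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol
Network Layer Address    Link Layer Address  Interface  vlan prlvl age  state   Time left
ARP 10.196.132.221       0011.2233.4455      Gi1/0/5    1021 0005  10s  REACHABLE 240 s
"""

# One binding row: IPv4 address, SGT number, source (LOCAL, CLI, SXP, ...).
BINDING_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)\s*$", re.M)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_sgt_bindings(text):
    """Return {ip: (sgt, source)} from 'show cts role-based sgt-map' output."""
    return {ip: (sgt, src) for ip, sgt, src in BINDING_RE.findall(text)}


def parse_tracked_ips(text):
    """Return the set of IPv4 addresses present in 'show device-tracking database'."""
    tracked = set()
    for line in text.splitlines():
        # Skip the legend and column header; entries start with a code such as ARP/DH4.
        if line.startswith("Codes:") or line.startswith("Network Layer"):
            continue
        m = IPV4_RE.search(line)
        if m:
            tracked.add(m.group(1))
    return tracked


def stale_local_bindings(sgt_map_text, tracking_text):
    """LOCAL IP-SGT bindings whose IP is no longer in the device-tracking database."""
    tracked = parse_tracked_ips(tracking_text)
    return sorted((ip, sgt) for ip, (sgt, src) in parse_sgt_bindings(sgt_map_text).items()
                  if src == "LOCAL" and ip not in tracked)


if __name__ == "__main__":
    print(stale_local_bindings(SGT_MAP_OUTPUT, DEVICE_TRACKING_OUTPUT))
```

Only LOCAL-sourced bindings are compared, since SXP or CLI bindings are not expected to have a device-tracking entry on the edge node.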
Conditions
This behavior is seen on SDA Catalyst switches running IOS-XE that are enabled as edge nodes.
The issue is triggered when an endpoint that has already been onboarded with an assigned IP, VLAN, and SGT receives a CoA (change of authorization) from ISE that assigns a new VLAN and SGT.
Workaround
No workaround at the moment.