EX 2200/2300 dot1x and "set protocols l2-learning global-mac-table-aging-time" - view age?


    Posted 12-21-2021 13:07

    I've got about 200 ex2200 and ex2300s (used as L2 switches) where we've just moved our wired devices to macauth. Our reauth time is 10 minutes, though we're going to want to move that higher once our conversion is complete.

    In general, this works fine. But as many people find, we have issues with "quiet nodes" like scanners, HVAC, alarm, etc. These devices talk for the first one or two authentication attempts, but then the device disappears from the ethernet-switching table. The auths then fail because the devices do not send any traffic. They are static IP'd so there's no periodic DHCP. They don't use NTP, or send SNMP traps. 

    Once they expire from the ethernet-switching table, they remain in our firewall (where L3 and DHCP relay is) ARP table for 30 minutes total. 

    To address this, I set the "protocols l2-learning global-mac-table-aging-time" to be 1800 seconds (30 min - like the firewall ARP). What I wonder is how do I tell what the remaining time before aging out is? If I was arping on the switches, I could see it here. The "run show dot1x interface" command shows me the time to reauth.

    When I look at the ethernet-switching table, I see:
    So how can I see how much longer is left before the entry ages out?

    Also, has anyone had similar "quiet node" issues, and how did you deal with it?