Security


Securing your network and related platform configuration and troubleshooting with Juniper security technologies including Advance Threat Prevention, Cloud-Based Management Services, Cloud-delivered Security, Cloud Workload Protection, DDoS, Juniper Secure and other solutions.

EX 2200/2300 dot1x and "set protocols l2-learning global-mac-table-aging-time" - view age?

  • 1.  EX 2200/2300 dot1x and "set protocols l2-learning global-mac-table-aging-time" - view age?

    Posted 12-21-2021 13:07
    Hi,

    I've got about 200 ex2200 and ex2300s (used as L2 switches) where we've just moved our wired devices to macauth. Our reauth time is 10 minutes, though we're going to want to move that higher once our conversion is complete.

    In general, this works fine. But as many people find, we have issues with "quiet nodes" like scanners, HVAC, alarm, etc. These devices talk for the first one or two authentication attempts, but then the device disappears from the ethernet-switching table. The auths then fail because the devices do not send any traffic. They are static IP'd so there's no periodic DHCP. They don't use NTP, or send SNMP traps. 

    Once they expire from the ethernet-switching table, they remain in our firewall (where L3 and DHCP relay is) ARP table for 30 minutes total. 

    To address this, I set the "protocols l2-learning global-mac-table-aging-time" to be 1800 seconds (30 min, like the firewall ARP). What I wonder is how do I tell what the remaining time before aging out is? If I were arping on the switches, I could see it there. The "run show dot1x interface" command shows me the time to reauth.

    When I look at the ethernet-switching table, I see:
    So how can I see how much longer is left before the entry ages out?

    Also, has anyone had similar "quiet node" issues, and how did you deal with it?

    Thanks,

    Ambi
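The configuration the post describes, written out as an added illustration (this is not the poster's own configuration and not Juniper's reference material). It assumes a RADIUS access profile is already defined, and the interface name ge-0/0/0 is a placeholder. The MAC aging knob differs between the two platforms in the post: EX2300 runs ELS Junos and uses the l2-learning statement quoted in the post, while EX2200 runs non-ELS Junos and sets the same timer under ethernet-switching-options.

```junos
## Added illustration, not the poster's configuration. All timers in seconds.

## EX2300 (ELS Junos): global MAC aging raised to 30 minutes to match the firewall ARP timer
set protocols l2-learning global-mac-table-aging-time 1800

## EX2200 (non-ELS Junos): same timer, different statement
set ethernet-switching-options mac-table-aging-time 1800

## MAC RADIUS authentication on an access port with the 10-minute reauthentication
## interval from the post (ge-0/0/0 is a placeholder interface)
set protocols dot1x authenticator interface ge-0/0/0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/0 mac-radius
set protocols dot1x authenticator interface ge-0/0/0 reauthentication 600
```

From configuration mode the operational checks the post refers to are `run show dot1x interface ge-0/0/0 detail` for the per-port reauthentication countdown and `run show ethernet-switching table` for the learned MAC entries. When raising the aging timer, commit it on both platform families: setting only the ELS statement leaves the EX2200 fleet at its default aging time, so quiet devices would still age out there before the 30-minute window the post is aiming for.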