Aaron Street
asked on
Switch running 802.1x does not clear its MAC address table
Hi,
I have a stack of switches that are running dot1x
description Dot1X Enabled
switchport mode access
switchport voice vlan 10
switchport port-security aging time 1
switchport port-security aging type inactivity
authentication event fail action authorize vlan 1
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
mls qos trust dscp
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast
spanning-tree bpduguard enable
if the device authenticates using MAB, then even after it has been disconnected the MAC address still stays in the MAC address table
DP1-West#sh mac address-table int g1/0/33
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 9c93.4e55.3135 STATIC Gi1/0/33
Total Mac Addresses for this criterion: 1
DP1-West#
DP1-West#sh int g1/0/33
GigabitEthernet1/0/33 is down, line protocol is down (notconnect)
Hardware is Gigabit Ethernet, address is 34db.fd2e.6d21 (bia 34db.fd2e.6d21)
Description: Dot1X Enabled
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
this is stopping devices from working and I can see no way to remove the MAC address from the table; there is no "clear mac address-table static" command.
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.0(2)EX5, RELEASE SOFTWARE (fc1)
cisco WS-C2960X-48FPD-L (APM86XXX) processor (revision A0) with 524288K bytes of memory
Any ideas where this is going wrong? It means that the first time we attach a device it will work, but after that the port will never work for another device, or if the device moves to another port. I do have "allow mac move" enabled globally.
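As an added example (not from the post and not a Cisco tool), a small Python helper that parses the two outputs shown above and flags STATIC entries bound to ports that are down, i.e. the stale MAB-authorized entries the question describes. The sample outputs are constructed, modelled on the formats in the post; only 9c93.4e55.3135 on Gi1/0/33 comes from the post, the other rows are made up.

```python
import re

# Constructed sample, modelled on the "show mac address-table" output in the post.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    9c93.4e55.3135    STATIC      Gi1/0/33
   1    0011.2233.4455    STATIC      Gi1/0/34
  10    aabb.ccdd.eeff    DYNAMIC     Gi1/0/35
Total Mac Addresses for this criterion: 3
"""

# Constructed sample, modelled on the first line of "show interface" in the post.
INTERFACE_STATUS = """\
GigabitEthernet1/0/33 is down, line protocol is down (notconnect)
GigabitEthernet1/0/34 is up, line protocol is up (connected)
GigabitEthernet1/0/35 is down, line protocol is down (notconnect)
"""

# One MAC-table row: vlan, dotted-hex MAC, type, port.
MAC_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)
# "<ifname> is <admin>, line protocol is <proto> (<reason>)"
IF_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)(?: \((\w+)\))?")

def short_ifname(name):
    """GigabitEthernet1/0/33 -> Gi1/0/33, the form used in the MAC table's Ports column."""
    m = re.match(r"^([A-Za-z]{2})[A-Za-z-]*(\d.*)$", name)
    return m.group(1) + m.group(2) if m else name

def parse_mac_table(text):
    entries = []
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            entries.append({"vlan": int(vlan), "mac": mac.lower(), "type": typ.upper(), "port": port})
    return entries

def parse_interface_status(text):
    status = {}
    for line in text.splitlines():
        m = IF_RE.match(line)
        if m:
            name, admin, proto, reason = m.groups()
            status[short_ifname(name)] = {"admin": admin, "proto": proto, "reason": reason}
    return status

def stale_static_entries(mac_text, if_text):
    """STATIC entries (installed by dot1x/MAB) whose port is down: the stale sessions from the post."""
    status = parse_interface_status(if_text)
    return [e for e in parse_mac_table(mac_text)
            if e["type"] == "STATIC" and status.get(e["port"], {}).get("proto") == "down"]
```

Feeding it the real outputs of both commands lists the MAC/port pairs that still need their authentication session cleared after the cable was pulled.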
ASKER
In the end it was an issue with portchannels and IOS version, all fixed now
ASKER
Good spot. But actually this was applied after the issue had been happening, so it is not the cause. I got a suggestion from someone else saying to enable port-security timeout.
This happens to be the only port on the switch with this config applied; typical that it's the one I used to copy the config from.
Cheers