The reason is simple, any local communications would use MAC address, not IP address. Now you have a question “why do we need MAC address?” Here was my config.ARP stands for “Address Resolution Protocol” is a protocol for mapping an IP address to a physical MAC address on a local area network.īasically, ARP is a program used by a computer system to find another computer’s MAC address based on its IP address. I don't know if this will help or not, but I had a Cisco switch for a limited time to see what would be required for 802.1x for MAB only.
Source template AUTH-TEMPLATE-AVLAN3333-VVLAN666
Template AUTH-TEMPLATE-AVLAN3333-VVLAN666ĭevice-tracking attach-policy IPDT_POLICY Service-policy type control subscriber ISE Template AUTH-TEMPLATE-AVLAN2222-VVLAN555Īuthentication timer reauthenticate server Match result-type method mab authoritativeĬlass-map match-any system-cpp-police-ewlc-controlĬlass-map match-any system-cpp-police-topology-controlĬlass-map match-any system-cpp-police-sw-forwardĭescription Sw forwarding, L2 LVX data packets, LOGGING, Transit TrafficĬlass-map match-any system-cpp-police-sys-dataĭescription Openflow, Exception, EGR Exception, NFL Sampled Data, RPF FailedĬlass-map match-any system-cpp-police-punt-webauthĬlass-map match-any system-cpp-police-l2lvx-controlĬlass-map match-any system-cpp-police-forusĭescription Forus Address resolution and Forus trafficĬlass-map match-any system-cpp-police-multicast-end-stationĬlass-map match-any system-cpp-police-high-rate-appĬlass-map match-any system-cpp-police-multicastĬlass-map match-any system-cpp-police-l2-controlĬlass-map match-any system-cpp-police-dot1x-authĬlass-map match-any system-cpp-police-dataĭescription ICMP redirect, ICMP_GEN and BROADCASTĬlass-map match-any system-cpp-police-stackwise-virt-controlĬlass-map match-any system-cpp-police-routing-controlĭescription Routing control and Low LatencyĬlass-map match-any system-cpp-police-protocol-snoopingĬlass-map match-any system-cpp-police-dhcp-snoopingĬlass-map match-any system-cpp-police-ios-routingĭescription L2 control, Topology control, Routing control, Low LatencyĬlass-map match-any system-cpp-police-system-criticalĬlass-map match-any system-cpp-police-ios-featureĭescription ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailedġ0 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE Match result-type method dot1x agent-not-foundĬlass-map type control subscriber match-all MABĬlass-map type control subscriber match-all MAB_FAILED Match result-type method dot1x authoritativeĬlass-map type control subscriber match-all DOT1X_NO_RESP Text access-session acl default passthroughĬlass-map type control subscriber match-all DOT1XĬlass-map type control subscriber match-all DOT1X_FAILED The switch does not have "access-session mac-move deny" configured on it though, so by default, it should allow mac-move, right? Maybe there's a template configuration that is preventing the mac addresses from moving? Any ideas?īelow is the dot1x configuration and port templates. That's why we're thinking it has something to do with moving mac addresses around.
#WHAT IS THE DEFAULT CISCO MAC ADDRESS TABLE TIMEOUT PC#
By shutting and no shutting the old interface to clear that mac address, the PC started working on the new interface and the new interface picked up the mac address. While looking into we noticed that the old interface still had the mac address in it's table even though that PC had been unplugged from that interface for several hours. The new interface does not learn the mac address of the PC. However, when we move that PC to a different switch or different VLAN, it stops working. When a PC authenticates to a port on a specific VLAN, it works fine.
It's currently set up in Monitor mode, but we seem to be having an issue with what we think is related to "mac-move". Currently having an issue with our ISE and dot1x config on our switches.
0 kommentar(er)
