TL;DR: Are there any concerns/caveats with changing the MAC address table aging value when using 802.1X or otherwise?
The default value is 300 seconds (at least on the Cisco 2960X platform, I think that value is pretty common across the board though) and I'm thinking of bumping it up just a bit to try to accommodate a weird issue we're having with some security system controllers.
We have these particular controllers at several of our locations but only a handful are having issues where the security company can't communicate to them to push new access rules. We have to bounce the ports and then the device is reachable again. When the device is unreachable the port shows up/up, there's usually an ARP entry that hasn't aged out yet in the upstream router, and there's no MAC address listed in the table on the switch BUT there is still an auth session for the MAC on that port.
As for why I'm looking at the aging value, according to the security company the panels check in every 6 minutes and whenever a badge reader is used. One of the common denominators that the afflicted locations have is that they don't have a lot of readers on interior doors, so it's totally plausible that depending on whether or not employees at that location brought their lunch with them that day that it could be hours until a given badge reader is used again. Which brings me back to the regular check-in. Even if the MAC has aged out it I would think it gets repopulated as soon as the panel goes to check in again, but this doesn't appear to be happening.
My current hunch is it has something to do with our 802.1X configuration on the port because I took it off one of them and there hasn't been a problem with that panel since. We have to have it though so I've got to figure out what part of that configuration is the problem and how to fix it, and since whether the panel is reachable or not is tied to the presence of the MAC address in the table I'm thinking of changing the aging value for that VLAN.
I may be worried about nothing regarding the aging value but I imagine those values are a way for a reason and I've never been in a situation where I needed to change this one so I'm trying to make sure I'm not doing something completely stupid by bumping it to say 400 seconds instead of 300.
No comments:
Post a Comment