Dot1x disable mac-address aging

Hi, all!
I have configured dot1x on 3560 switches on my network. The switches have been configured to send MAC notification traps. I have set the mac address-table aging time to 1800 sec, but only the switch without 802.1x enabled sends the trap periodically. It seems the dot1x technology disables the mac-address aging process.
Can anybody explain it?

You can control mac-address learning for a VLAN by using this switchport command on a trunk.
Router(config-if)# switchport port-security maximum 3 vlan 102
Or simply use this to allow only a certain number of MACs per access port.
Router(config-if)# switchport port-security maximum 1
Here is the command reference.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sr/cr/srir_r/ir_s4sr.htm#wp1015189
PS: you cannot totally stop MAC learning, as the valid values are from 1-4097, so you can't set it to zero, and I believe you don't want to as well, since you have a layer 2/3 environment.
HTH-Cheers,
Swaroop

Similar Messages

  • Arp aging time on router and mac address aging time on switches set close t

    Hi,
    appreciate some advice on the following:
    what is the benefit of setting arp aging time on router and mac address aging time on switches close to each other?
    Thanks,
    Christina

    Hi,
    based on the below output, do you think implementing it will benefit? Thanks.
    C2950#sh int fa0/43
    FastEthernet0/43 is up, line protocol is up (connected)
    Hardware is Fast Ethernet, address is 000d.5e11.4e2b (bia 000d.5e11.4e2b)
    MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
    reliability 255/255, txload 7/255, rxload 2/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    Full-duplex, 100Mb/s
    input flow-control is off, output flow-control is off
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input never, output 00:00:00, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 933000 bits/sec, 149 packets/sec
    5 minute output rate 2981000 bits/sec, 263 packets/sec
    2819781393 packets input, 3782332886 bytes, 0 no buffer
    Received 266693 broadcasts (0 multicast)
    0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 watchdog, 0 multicast, 0 pause input
    0 input packets with dribble condition detected
    4015025747 packets output, 2328228393 bytes, 0 underruns
    0 output errors, 0 collisions, 2 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier, 0 PAUSE output
    0 output buffer failures, 0 output buffers swapped out
    C2950#

  • 3750 mac-address-aging timer

    Hi,
I'm trying to change mac-address-aging timers but having problems, i.e. the change only applies to existing active VLANs. If I add a new VLAN after changing the mac-address-aging timer it will have the default value 300. Is this the way it works or am I missing something?
    3750-sw-1(config)#mac-ad aging-time 1300
    3750-sw-1#sh mac-ad ag
    Vlan Aging Time
    10 1300
    20 1300
    30 1300
    3750-sw-1#! Now adding a new vlan
    3750-sw-1#conf t
    3750-sw-1(config)#vlan 40
    3750-sw-1 (config-vlan
    3750-sw-1#sh mac-ad ag
    Vlan Aging Time
    10 1300
    20 1300
    30 1300
    40 300
New VLAN 40 has the default value????

    Just checked the command reference. In the usage guidelines it states:
    Usage Guidelines
    If hosts do not send continuously, increase the aging time to record the dynamic entries for a longer time. Increasing the time can reduce the possibility of flooding when the hosts send again.
    If you do not specify a specific VLAN, this command sets the aging time for all VLANs.
    The last sentence is relevant to your question. The command may also be issued on a particular vlan.
New VLANs that are created after setting this parameter globally will hence use the default values.
    The key issue to check if this is a bug or not is to check whether the global command is reflected in the config. If it was, I would call the issue a bug.
    As it is not, you must approach this as a parameter that can (and should) be set per vlan. After creating a new vlan, you may add this line in the script or re-issue the global command.
    Regards,
    Leo
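An added audit script (not part of the thread) that parses the "show mac address-table aging-time" listing shown above, flags VLANs whose aging time drifted back to the 300-second default, and emits the per-VLAN corrective commands Leo describes; the sample output is constructed to mirror the poster's listing.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the "sh mac-ad ag" listing in the thread
# (not captured from a real switch).
SAMPLE_OUTPUT = """\
Vlan    Aging Time
----    ----------
  10    1300
  20    1300
  30    1300
  40    300
"""

IOS_DEFAULT_AGING = 300  # Catalyst default dynamic MAC aging time, in seconds


def parse_aging_table(text: str) -> Dict[int, int]:
    """Parse 'show mac address-table aging-time' output into {vlan: seconds}.

    Header and separator lines do not match the two-integer pattern and are skipped.
    """
    table: Dict[int, int] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s*$", line)
        if m:
            table[int(m.group(1))] = int(m.group(2))
    return table


def find_drifted_vlans(table: Dict[int, int], expected: int) -> List[int]:
    """Return VLANs whose aging time differs from the intended value.

    Catches VLANs added after the global command, which stay at the default.
    """
    return sorted(vlan for vlan, secs in table.items() if secs != expected)


def remediation_commands(vlans: List[int], expected: int) -> List[str]:
    """Per-VLAN IOS commands that set the listed VLANs to the intended aging time."""
    return [f"mac address-table aging-time {expected} vlan {v}" for v in vlans]


if __name__ == "__main__":
    table = parse_aging_table(SAMPLE_OUTPUT)
    drifted = find_drifted_vlans(table, 1300)
    for cmd in remediation_commands(drifted, 1300):
        print(cmd)
```

Feed it the real listing (for example via SSH or a saved "show" capture) instead of SAMPLE_OUTPUT to audit a switch after VLAN changes.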

  • How to view logs of disabled MAC addresses?

    I have a Wireless LAN Controller 4402 and WCS 7.0, and I have a few MAC addresses that are "disabled" due to policy violations. How can I view a log or a report that will show me if these MAC addresses are still attempting to connect?

If the client is excluded, then the client will not be able to connect at all. If you want to see the logs, I guess we see that in the TRAP logs; if not, then we need to run the debug.
Let me know if this answered your question.
    Regards
    Surendra
    ====
Please don't forget to rate the posts which answered your question and mark it as answered or helpful.

  • How to disable mac address filtering

Hello, I have a MacBook Pro. I am using a Westell 7500 wireless router, and my HP Photosmart 110 printer stopped working, saying that "MAC address filtering may be enabled on your wireless router". Not sure how to disable this and/or why it all of a sudden was enabled. The printer had worked perfectly for 2 months previously since installation of the new wireless router/internet in our home. Any help is appreciated!

    You need to use AirPort Utility to change any of the AirPort Extreme's settings.
    However, like Bob Timmons said I don't believe the tech really knows what he is after, and is lost in the weeds regarding MAC Address Filtering.
    Perhaps you can ask for another technician who understands you are using an AirPort Extreme. Your Roku box should not require so much effort to configure.
    Have you read these instructions?
    http://support.roku.com/entries/244199-how-do-i-set-up-my-roku-player
    I don't have a Roku but it seems very similar to my Blu-Ray player. Account registration and setup is performed on a computer by going to the address www.roku.com/link in Step 6.
    It should not be necessary to change anything at all with your AirPort. Just make sure the Roku is within its wireless range.

  • EPC3010 MAC Address Aging

    The spec sheet does not say a lot about the bridge forwarding table.
    Could someone tell me the number of MAC addresses that the forwarding table can hold.
    Also are there SNMP OIDs for controlling how quickly entries in the forwarding table will time out, or for deleting entries in the forwarding table?

    The Add option allows you to add Ethernet MAC addresses for devices that might pass traffic through the bridge. If no addresses are added through the Add option, the bridge learns the first eight MAC addresses that pass through its Ethernet Port. Subsequently, only data from those addresses is allowed to pass through the bridge.
    Caution: The first MAC address you add should be that of the PC you are using to Telnet or browse to
    the bridge.
    You should add MAC addresses if there are more than eight Ethernet devices attached to the hub to
    which the bridge is connected. This ensures that the selected devices communicate through the bridge. After an address is added, the bridge won't learn any more addresses. You must type each MAC address you wish to have communicate through the bridge (up to eight).
    Once you enter the first MAC address, the MAC addresses of every other device that you want the
    bridge to communicate with must be entered. The process is not automatic and the bridge will no longer "learn" any addresses. The addresses must be manually entered.

  • WiFi issue with MAC address

    I've been using MAC filtering as part of my home network wireless security for years. This means inputting the MAC address of every device and computer that I want to have connect to my network. So I get my new WiFi + 3G iPad on May 28th and look in Settings to find the MAC address so I can input it into my router info. The router (D-Link) says that it's not a valid MAC format, presumably because it begins with E8 instead of the 00 that all my other devices have. I ended up having to disable MAC address filtering in order to have my iPad connect to my WiFi network. Does anybody have any comments or ideas about how I can get the router to recognize a MAC that begins E8:06 etc.?
    Would appreciate any help. Thanks.
    Glenys

    I am using MAC filtering on my network using a Linksys router (WRT300N) and had no problems adding our iPad to the MAC table. Also, if I'm not mistaken, the first portion of a MAC address is unique to the manufacturer, so unless all of your wireless devices are from the same manufacturer (at least the wireless component of the device), then it isn't likely that all of your MAC addresses will start with the same digits. Make sure when you enter the MAC address that you include the colon in between each pair. My Linksys won't accept the MAC address without them. As someone else recommended, you may also want to see if there is a firmware update for your router that addresses this issue. Good Luck.

  • TP 60 Access connection - Preferred AP MAC address disabled permanently

I have at home a WiFi router and a WiFi repeater. They are both visible, but the router has a weak signal and the repeater a strong signal. The TP does not like to connect to the repeater. The problem is that the preferred AP MAC address field is always disabled in the Connection wizard (profile).
    Access Connection v.5.72 - last recommended for my PC. WiFi adapter 11 a/b/g/n/ Wireless LAN Mini-PCI Express Adapter (Atheros Communication Inc), driver 2.0.0.75
    Any idea?

    OS - Win7 Pro 32 bit

  • Need to disable "Block Anonymous Internet Requests" with "Clone MAC address?"

    Ok -- so I learned from tech support and this forum that the "Clone MAC address" option needs to be enabled when connecting to the Internet via a cable modem. In one of the forum posts (sorry lost track of which one), it said that in addition I need to disable "Block Anonymous Internet Requests" as well -- is this correct? If so what is the effect of this? Linksys documentation is not clear if this is absolutely necessary.
    I think the comment is in this thread
    http://forums.linksys.com/linksys/board/message?board.id=Wireless_Routers&message.id=8600

Usually resetting your cable modem will allow you to use a router without cloning the MAC address. Reset the modem, power down, plug the router into the modem, power up the modem, power up the router, and you should be good to go. The popular reason that I know of for unchecking "Block Anonymous Internet Requests" is when you plan to use P2P software like Azureus. Your computer becomes pingable and can be seen on the net.

  • Strange mac address causing err-disable

I have mainly 3550/4506 with port-security. Every day user ports go into err-disable, and it's the same few MAC addresses each time. Has anyone else come across this and know what it is all about?

It should tell you in the log why the port is err-disabling. It could be as simple as speed/duplex mismatches on the port; if they are causing something like a lot of late collisions, the switch will err-disable the ports. Check the switch and NIC settings for these devices.

  • ISE Identities - Lifetime/Age-Out of Mac-Addresses

    Hello,
Is there a way to have the MAC addresses/identities in the ISE database age out after a certain amount of time (i.e. 4 weeks)?
Best regards

Here are some screenshots for the same

  • ISE 1.2 disable endpoints with certain mac address

    Hi All,
We have an AD to authenticate wireless users. In AD, we have specified to block the user if the password is entered wrongly more than 3 times. The problem is some of them are using other user IDs and locking the accounts. I have gotten the MAC address of the user. Can anyone please advise how to block the request from this MAC from even reaching the AD?
    Thanks

    You have two options from ISE and one option from the WLC:
The first option, which is not very scalable, is to modify your authentication policy to deny access to a specific MAC address (Radius:Calling station ID). But this is not very scalable, as you can only specify one MAC address.
Your second option is to enable the anomalous client suppression (under Systems -> Settings -> Protocols -> RADIUS). This will be your best option, but it would require a bit of testing to identify what the best values are for your environment.
    From the controller you can enable the excessive 802.1x authentication failures. By default it won't even send the fourth authentication to ISE for a failing endpoint:

  • How to configure dot1x to check for mac address then to send to radius

    hi,
Is there any way on a switch to get a port to check a list of MAC addresses, and then, if the PC is not in that list, send the request to a RADIUS server? The RADIUS we use is Steel-Belted Radius.
    cheers
    tony

    Hi,
It looks like you are looking for the MAC authentication bypass (MAB) feature.
    Please take a look at the feature in detail:
    http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1205506.
    You can authenticate devices based on MAC address.
    Here is a step guide to configure it on older IOS releases:
    http://preview.cisco.com/en/US/docs/solutions/Enterprise/Campus/IBD/MACAuthB.html.
    12.2(50) and later IOS:
    http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1196845.
    HTH,
    Tiago
If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

  • 802.1x phone with two MAC address

    Hello,
I have the following scenario: computers are connected behind phones, and the phones are authenticating with MAB. The problem is with the phones, because they have two MAC addresses, one in the voice VLAN and another in the data VLAN. Both phone and computer are authenticated successfully, but when the switch sees the additional MAC address of the phone in the data VLAN it shuts down the port. Here is a sample configuration:
    interface FastEthernet0/1
    switchport mode access
    switchport access vlan 10
    switchport voice vlan 15
    authentication host-mode multi-domain
    authentication port-control auto
    dot1x pae authenticator
    authentication violation shutdown
    mab
    spanning-tree portfast

Can you verify if the phone's MAC address is being learned on the data VLAN and the voice VLAN? Cisco phones use CDP to discover if a voice VLAN is configured on the switchport before forwarding traffic.
Please issue a show mac address-table interface x/y after bouncing the port to see what is causing the port to error-disable.
    Also what version of code is running on the switch and phone?
    Thanks

  • ACS v4.1 PEAP and MAC Address Validation

    I would like to authenticate to a ACS server via both 802.1x (PEAP) and to also validate the MAC Address of the user. Can both of these be done? I have 802.1x (PEAP) working to the ACS and Active Directory but now I would like to add the MAC Address of the laptops. Can I use Network Access Profiles and add the MAC-address under MAC-Authentication bypass?
    Your assistance is appreciated.

    I seem to have figured my way out of this. The reason for the short dot1x timer is that we are using MAB to authenticate the client MAC, so we actually WANT the dot1x authentication to timeout as quickly as possible for the secondary (MAB) authentication to execute.
    I'm also suffering from the age-old problem of interpreting the logic of a config originally implemented by someone else. I'm wondering if all the dot1x commands we have are actually necessary in our situation.
    What I have found when comparing new switches to old is that on the 3750s, show authentication sessions for an interface only shows mab as a runnable method, while on the 3850s it lists dot1x, mab and webauth (in that order). Using authentication order mab and authentication priority mab on an interface of the 3850 seems to do the trick. With debug mab turned on you can see the mab authentication working and the switch then allows the interface to pass traffic. Just as importantly, it blocks the port if I try using a client whose MAC is not in the ACS database.
    Appreciate your help.
