Cisco Support Community

Relearning MAC address on a switch (NAC issue)

I was wondering if a shut, no shut will actually clear that particular MAC address and force the switch to relearn? I am deploying Cisco NAC and ran into an issue where the shut, no shut did not actually force the MAC out of the MAC address table. Any thoughts? Maybe next time I should just clear the MAC table for the whole switch.

1 REPLY

Re: Relearning MAC address on a switch (NAC issue)

Have you configured "MAC Changed Notification", or, if you are using 4.1(3)+, "MAC Move Notification"?

Here is a link for 4.1(3):

http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/413/413rn.html#wp299440

MAC change notification—when the switch learns a new MAC address on a managed port

MAC move notification—when a device/host moves from one managed port to another

Here is how it works:

(disclaimer: I am also working on a NAC implementation and have not actually done this step before, but this is how I understand it works)

MAC Change:

You plug Device 1 into Switch A on gi2/2. MAC change notification identifies the MAC from Device 1 and sends it to the NAC. Then the NAC configures the switch to be on the correct VLAN and such. This process also clears the switch's MAC address entry for gi2/2 and updates the MAC address.

You can then unplug Device 1 and plug in Device 2. MAC change notification goes to work again and repeats the process, which then configures the MAC address and VLAN and all the other stuff from NAC to the switch.

MAC Move:

So let's say you have Device 1 unplugged, but you never plugged in Device 2. The MAC address is going to be listed on gi2/2 still, and if NAC tried to apply the same MAC to another switch port then port security will prohibit the dual MAC entry. MAC move clears this up by deleting the MAC entry on 2/2, and I think it sets a port-based MAC like 0022.000.000, and now with the MAC cleared from gi2/2 it can be applied in the same way as MAC change works.

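The switch-side check and configuration the two posts talk around, as an added example that is not part of the original thread and not NAC's own configuration. It shows how to verify whether a port bounce really dropped the entry, how to clear one entry or one port rather than the whole table, and how to turn on the MAC change and MAC move notifications the reply refers to. Interface GigabitEthernet2/2, the MAC 0011.2233.4455, the NAC server address 192.0.2.10 and the SNMP community string are assumed values; the syntax is Catalyst IOS (older images spell the global command mac-address-table notification, with a hyphen).

```cisco
! Added example, not from the original thread. Interface, MAC, server
! address and community string are assumptions.
!
! 1. Look at the entry itself before and after "shutdown" / "no shutdown"
!    instead of assuming the bounce flushed it.
show mac address-table address 0011.2233.4455
show mac address-table interface GigabitEthernet2/2
!
! 2. If the entry survived the bounce, drop just that entry or just that
!    port. "clear mac address-table dynamic" with no argument would flush
!    every dynamic entry on the switch.
clear mac address-table dynamic address 0011.2233.4455
clear mac address-table dynamic interface GigabitEthernet2/2
!
! 3. Global MAC change (learn/remove on a port) and MAC move (same MAC
!    seen on a different port) notifications, sent as SNMP traps.
configure terminal
 mac address-table notification change
 mac address-table notification change interval 0
 mac address-table notification mac-move
 snmp-server enable traps mac-notification change move
 snmp-server host 192.0.2.10 version 2c nac-ro mac-notification
!
! 4. The change trap is switched on per interface for added and removed
!    entries; a port without these lines sends nothing.
 interface GigabitEthernet2/2
  snmp trap mac-notification change added
  snmp trap mac-notification change removed
 end
!
! 5. Confirm the switch is actually recording the events.
show mac address-table notification change
show mac address-table notification mac-move
```

Step 1 is the part worth doing first: "show mac address-table address" tells you whether the entry is still there and on which port, so you know whether a targeted clear (step 2) is needed at all before reaching for a switch-wide flush.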