That's unlikely to cause any issues, unless there are other problems in your network.
If a mac is removed from the mac-address table, the traffic is sent to all ports in a VLAN, and as soon as the device responds, it's added to the table again.
If an arp entry is lost, traffic is kept, new ARP is done to get the mac address for a specific AP, then traffic is forwarded.
Personally, I would set up a port mirror on a device that shows the problem and on the port of your NAC, and see which packets are lost and when. Once you know which traffic is lost (if any), you will get a better understanding of what is happening and how to solve it. This may be something to do with your Aruba partner and/or Aruba TAC Support.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jul 05, 2024 02:25 PM
From: nkuhl30
Subject: Aruba CX 6405 and Copp Policies
I'm also wondering if our controllers and APs are falling out of the mac address table erroneously, or too quickly. Our new core's arp timeout is default at 1800 with the mac address table age time at 300 (default).
Would it be worth trying to increase the mac address table age? What if we matched the arp table value?
Original Message:
Sent: Jul 04, 2024 09:38 AM
From: Herman Robers
Subject: Aruba CX 6405 and Copp Policies
If MTU is the issue, I would expect to see input/output errors or drops on your interfaces. Have you checked the interface counters already?
Original Message:
Sent: Jul 04, 2024 09:17 AM
From: nkuhl30
Subject: Aruba CX 6405 and Copp Policies
Our Aruba SE mentioned that the 8212zl had a default MTU of 1522 instead of 1500 on the new CXs. Do you think that could be causing an issue? Would it be a good idea to increase the default MTU to 1522 on the controller interfaces connected to the new core?
Original Message:
Sent: Jul 04, 2024 02:44 AM
From: Herman Robers
Subject: Aruba CX 6405 and Copp Policies
CoPP should only affect traffic to your switch, not traffic through (from NAC to controllers/APs). If you see that you lose traffic, it may be good to investigate this further with your Aruba partner and/or TAC Support.
Except if someone reading this has seen the same and knows the answer.
Original Message:
Sent: Jul 03, 2024 04:14 PM
From: nkuhl30
Subject: Aruba CX 6405 and Copp Policies
We've just moved our core from an HP 8212zl to an Aruba CX 6405. Almost immediately, we've been having issues with our NAC (FortiNAC) polling our Aruba 8 wireless cluster and 337 APs. According to FortiNAC, it loses contact with both controllers and most APs at random times throughout the day. The controllers and APs are not going down; FortiNAC's polls (SNMP and ping) are sporadically failing.
After way too much time, this led me to think that these new copp policies may be causing the issue. If we look at the copp policy stats, there are a few lines of note:
WS-Core01# show copp-policy stat
Statistics for CoPP policy 'default':
Totals:
packets passed : 5050627 packets dropped : 39534
Class: icmp-unicast-ipv4
packets passed : 103783 packets dropped : 161
Class: ip-exceptions
packets passed : 415463 packets dropped : 32799
Class: unresolved-ip-unicast
packets passed : 773216 packets dropped : 6574
We did not have a control plane policy enabled on our 8212zl. It's enabled by default on the CX line and can't be turned off, only modified. Is there a way to whitelist my FortiNAC/controllers/APs or simply the VLAN traffic from being monitored with packets being dropped?
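Added example, not part of the original thread and not Aruba tooling: a small parser for the `show copp-policy stat` output quoted above that compares two snapshots, so you can see which CoPP classes actually gained drops during a window in which FortiNAC reported poll failures. The second snapshot is constructed, the function names are hypothetical, and the code assumes the counters are cumulative between snapshots.

```python
import re

# Snapshot quoted in the thread (output of "show copp-policy stat").
T0 = """Statistics for CoPP policy 'default':
Totals:
packets passed : 5050627 packets dropped : 39534
Class: icmp-unicast-ipv4
packets passed : 103783 packets dropped : 161
Class: ip-exceptions
packets passed : 415463 packets dropped : 32799
Class: unresolved-ip-unicast
packets passed : 773216 packets dropped : 6574"""

# Constructed later snapshot (not from the thread), e.g. taken after a failed poll.
T1 = """Class: icmp-unicast-ipv4
packets passed : 104100 packets dropped : 161
Class: ip-exceptions
packets passed : 416000 packets dropped : 33200
Class: unresolved-ip-unicast
packets passed : 774000 packets dropped : 6629"""

COUNTERS = re.compile(r"packets passed\s*:\s*(\d+)\s+packets dropped\s*:\s*(\d+)")

def parse_copp_stats(text):
    """Return {name: (passed, dropped)}; the totals block is keyed 'Totals'."""
    stats, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Class:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("Totals:"):
            current = "Totals"
        elif current and (m := COUNTERS.search(line)):
            stats[current] = (int(m[1]), int(m[2]))
            current = None
    return stats

def drop_deltas(before, after):
    """Per-class (name, passed, dropped) growth between snapshots, most drops first."""
    rows = []
    for name, (p1, d1) in after.items():
        p0, d0 = before.get(name, (0, 0))
        if p1 < p0 or d1 < d0:  # counters went backwards (reset): treat as fresh
            p0 = d0 = 0
        if name != "Totals":
            rows.append((name, p1 - p0, d1 - d0))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for name, passed, dropped in drop_deltas(parse_copp_stats(T0), parse_copp_stats(T1)):
        print(f"{name:24} +{passed} passed  +{dropped} dropped")
```

A class whose drop counter does not move across a failure window (icmp-unicast-ipv4 in the constructed data) is unlikely to explain the lost polls, which points the investigation back at the port-mirror capture suggested in the reply.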