Wired Intelligent Edge

  • 1.  Switch port blocking\unblocking by port-access

    Posted Jan 22, 2026 08:17 PM

    Hi Airheads,

    Just wondering if someone can give me an explanation for what I'm seeing in the logs of my CX6000. We use 802.1X and MAC Auth on our switchport configs; they auth to ClearPass RADIUS. I'm not sure why I'm seeing so many block\unblock events in such a short period of time. This has to be affecting the performance of the switchport???


    This is what I'm seeing in the logs


    2026-01-22T06:50:58.950465+10:00 TSV-CX6000-24-AS01 ops-switchd[739]: Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for f8:ed:fc:71:39:1e with VLAN 3 on port 1/1/22
    2026-01-22T06:50:58.787392+10:00 TSV-CX6000-24-AS01 intfd[769]: Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/22 is down
    2026-01-22T06:50:46.565330+10:00 TSV-CX6000-24-AS01 port-accessd[2713]: Event|10534|LOG_INFO|AMM|1/1|Interface 1/1/22 is unblocked by port-access.
    2026-01-22T06:50:46.532149+10:00 TSV-CX6000-24-AS01 ops-switchd[739]: Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 3 is mapped to client f8:ed:fc:71:39:1e on port 1/1/22
    2026-01-22T06:50:43.345049+10:00 TSV-CX6000-24-AS01 port-accessd[2713]: Event|10533|LOG_INFO|AMM|1/1|Interface 1/1/22 is blocked by port-access.
    2026-01-22T06:50:43.223569+10:00 TSV-CX6000-24-AS01 intfd[769]: Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/22 is up at 1 Gbps
    2026-01-22T06:50:40.337341+10:00 TSV-CX6000-24-AS01 ops-switchd[739]: Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for f8:ed:fc:71:39:1e with VLAN 3 on port 1/1/22
    2026-01-22T06:50:40.142551+10:00 TSV-CX6000-24-AS01 intfd[769]: Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/22 is down
    2026-01-22T06:50:38.521520+10:00 TSV-CX6000-24-AS01 port-accessd[2713]: Event|10534|LOG_INFO|AMM|1/1|Interface 1/1/22 is unblocked by port-access.
    2026-01-22T06:50:38.480676+10:00 TSV-CX6000-24-AS01 ops-switchd[739]: Event|2108|LOG_INFO|AMM|1/1|Created Mac based VLAN entry. VLAN 3 is mapped to client f8:ed:fc:71:39:1e on port 1/1/22
    2026-01-22T06:50:23.082883+10:00 TSV-CX6000-24-AS01 port-accessd[2713]: Event|10533|LOG_INFO|AMM|1/1|Interface 1/1/22 is blocked by port-access.
    2026-01-22T06:50:22.987012+10:00 TSV-CX6000-24-AS01 intfd[769]: Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/22 is up at 1 Gbps
    2026-01-22T06:50:19.956331+10:00 TSV-CX6000-24-AS01 port-accessd[2713]: Event|10534|LOG_INFO|AMM|1/1|Interface 1/1/22 is unblocked by port-access.
    2026-01-22T06:50:19.892092+10:00 TSV-CX6000-24-AS01 intfd[769]: Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/22 is down
    2026-01-22T06:50:18.961035+10:00 TSV-CX6000-24-AS01 port-accessd[2713]: Event|10533|LOG_INFO|AMM|1/1|Interface 1/1/22 is blocked by port-access.
    2026-01-22T06:50:18.864632+10:00 TSV-CX6000-24-AS01 intfd[769]: Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/22 is up at 1 Gbps
    2026-01-22T06:50:15.923922+10:00 TSV-CX6000-24-AS01 ops-switchd[739]: Event|2110|LOG_INFO|AMM|1/1|Deleted Mac based VLAN entry for f8:ed:fc:71:39:1e with VLAN 3 on port 1/1/22
    2026-01-22T06:50:15.738137+10:00 TSV-CX6000-24-AS01 intfd[769]: Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/22 is down

    This is the switchport config 


    interface 1/1/22
        no shutdown
        vlan access 3
        spanning-tree bpdu-guard
        spanning-tree root-guard
        spanning-tree port-type admin-edge
        aaa authentication port-access client-limit 5
        aaa authentication port-access dot1x authenticator
            cached-reauth
            eapol-timeout 3
            max-eapol-requests 3
            max-retries 1
            reauth
            enable
        aaa authentication port-access mac-auth
            cached-reauth
            reauth
            enable
        loop-protect
        exit



    -------------------------------------------


  • 2.  RE: Switch port blocking\unblocking by port-access

    Posted Jan 26, 2026 10:58 AM

    Looking at the link up/down messages, it seems that your real problem is the flapping of the physical link itself, caused by bad cabling, a bad transceiver, severe EMI or similar. Port-based authentication only amplifies that problem - it needs to block a disconnected port logically and re-authenticate/unblock a newly connected port.

    -------------------------------------------



  • 3.  RE: Switch port blocking\unblocking by port-access

    Posted Jan 26, 2026 04:22 PM
    Edited by DB86 Jan 26, 2026 04:26 PM

    Just from these logs it looks like the device is failing authentication. You see that with the "Interface 1/1/22 is blocked by port-access" entry. By default, it will authenticate dot1x first then mac authentication. If you add "port-access onboarding-method concurrent enable" to the port config, it can try mac-auth and dot1x at the same time.



    ------------------------------
    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022-2023
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 4.  RE: Switch port blocking\unblocking by port-access

    Posted Jan 26, 2026 04:29 PM
    Edited by DB86 Jan 26, 2026 04:29 PM

    Here is an example with some changes to timers and re-auth counters. See if this helps reduce how often it's failing:

    interface 1/1/1
        no shutdown
        no routing
        vlan access <VLAN>
        aaa authentication port-access client-limit 5
        port-access onboarding-method concurrent enable
        port-access allow-flood-traffic enable
        aaa authentication port-access dot1x authenticator
            cached-reauth
            cached-reauth-period 122400
            eapol-timeout 20
            max-eapol-requests 3
            max-retries 3
            reauth-period 28800
            discovery-period 120
            enable
        aaa authentication port-access mac-auth
            cached-reauth
            cached-reauth-period 122400
            reauth
            reauth-period 28800
            enable



    ------------------------------
    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022-2023
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 5.  RE: Switch port blocking\unblocking by port-access

    Posted Jan 27, 2026 02:23 AM

    As Dustin wrote, your client doesn't have correct dot1x credentials and it's not registered for MAC authentication. Hence authentication fails on this port. Check the client device for configuration/credentials mismatch.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------
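
Added example (not part of any post in this thread): a Python sketch that replays log lines from the first post in chronological order and reports, for each link-up on a port, how long the link stayed up and how long after link-up port-access unblocked it. The event IDs and message wording are taken only from the posted lines; the function names are hypothetical.

```python
import re
from datetime import datetime

# Event IDs exactly as they appear in the log lines posted in this thread.
LINK_UP, LINK_DOWN, UNBLOCKED = 403, 404, 10534
LINE = re.compile(r"^(\S+) \S+ \S+: Event\|(\d+)\|.*?interface (\S+)", re.I)

# Sample: lines copied from the first post (switch output is newest first).
SAMPLE = """\
2026-01-22T06:50:40.142551+10:00 TSV-CX6000-24-AS01 intfd[769]: Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/22 is down
2026-01-22T06:50:38.521520+10:00 TSV-CX6000-24-AS01 port-accessd[2713]: Event|10534|LOG_INFO|AMM|1/1|Interface 1/1/22 is unblocked by port-access.
2026-01-22T06:50:23.082883+10:00 TSV-CX6000-24-AS01 port-accessd[2713]: Event|10533|LOG_INFO|AMM|1/1|Interface 1/1/22 is blocked by port-access.
2026-01-22T06:50:22.987012+10:00 TSV-CX6000-24-AS01 intfd[769]: Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/22 is up at 1 Gbps
2026-01-22T06:50:19.956331+10:00 TSV-CX6000-24-AS01 port-accessd[2713]: Event|10534|LOG_INFO|AMM|1/1|Interface 1/1/22 is unblocked by port-access.
2026-01-22T06:50:19.892092+10:00 TSV-CX6000-24-AS01 intfd[769]: Event|404|LOG_INFO|AMM|1/1|Link status for interface 1/1/22 is down
2026-01-22T06:50:18.961035+10:00 TSV-CX6000-24-AS01 port-accessd[2713]: Event|10533|LOG_INFO|AMM|1/1|Interface 1/1/22 is blocked by port-access.
2026-01-22T06:50:18.864632+10:00 TSV-CX6000-24-AS01 intfd[769]: Event|403|LOG_INFO|AMM|1/1|Link status for interface 1/1/22 is up at 1 Gbps
"""

def link_sessions(log_text, port):
    """Group events for one port into link-up sessions, replayed oldest first."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(3) == port:
            events.append((datetime.fromisoformat(m.group(1)), int(m.group(2))))
    events.sort()
    sessions, cur = [], None
    for ts, eid in events:
        if eid == LINK_UP:
            cur = {"up": ts, "unblocked": None, "down": None}
            sessions.append(cur)
        elif cur and eid == UNBLOCKED and cur["unblocked"] is None:
            cur["unblocked"] = ts
        elif cur and eid == LINK_DOWN:
            cur["down"] = ts
            cur = None  # events logged after link-down belong to no session
    return sessions

def summarize(sessions):
    """Return (seconds link stayed up, seconds from link-up to unblock) per session."""
    rows = []
    for s in sessions:
        up_for = (s["down"] - s["up"]).total_seconds() if s["down"] else None
        auth = (s["unblocked"] - s["up"]).total_seconds() if s["unblocked"] else None
        rows.append((up_for, auth))
    return rows
```

Calling `summarize(link_sessions(SAMPLE, "1/1/22"))` on these lines yields one session in which the link stayed up for about 1 s with no unblock logged while it was up, and one in which the unblock came about 15.5 s after link-up and the link went down about 1.6 s later.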