Disabling aging for authenticated mac addresses – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

278

Multi-Service IronWare Security Configuration Guide

53-1003035-02

Configuring multi-device port authentication

6

Syntax: mac-authentication clear-mac-session mac-address

This command removes the Layer 2 CAM entry created for the specified MAC address. If the device
receives traffic from the MAC address again, the MAC address is authenticated again.

Disabling aging for authenticated MAC addresses

MAC addresses that have been authenticated or denied by a RADIUS server are aged out if no
traffic is received from the MAC address for a certain period of time:

•

Authenticated MAC addresses or non-authenticated MAC addresses that have been placed in
the restricted VLAN are aged out if no traffic is received from the MAC address over the
device’s normal MAC aging interval.

•

Non-authenticated MAC addresses that are blocked by the device are aged out if no traffic is
received from the address over a fixed hardware aging period (70 seconds), plus a
configurable software aging period. (Refer to the next section for more information on
configuring the software aging period).

You can optionally disable aging for MAC addresses subject to authentication, either for all MAC
addresses or for those learned on a specified interface.

To disable aging for all MAC addresses subject to authentication on all interfaces where
multi-device port authentication has been enabled, enter the following command.

Brocade(config)# mac-authentication disable-aging

To disable aging for all MAC addresses subject to authentication on a specific interface where
multi-device port authentication has been enabled, enter commands such as the following.

Brocade(config)# interface e 3/1

Brocade(config-if-e100-3/1)# mac-authentication disable-aging

Syntax: [no] mac-authentication disable-aging [denied-mac-only | permitted-mac-only]

denied-mac-only disables aging of denied sessions and enables aging of permitted sessions.

permitted-mac-only disables aging of permitted (authenticated and restricted) sessions and
enables aging of denied sessions.

Specifying the aging time for blocked MAC addresses

When the device is configured to drop traffic from non-authenticated MAC addresses, traffic from
the blocked MAC addresses is dropped in hardware, without being sent to the CPU. A Layer 2 CAM
entry is created that drops traffic from the blocked MAC address in hardware. If no traffic is
received from the blocked MAC address for a certain amount of time, this Layer 2 CAM entry is
aged out. If traffic is subsequently received from the MAC address, then an attempt can be made to
authenticate the MAC address again.

Aging of the Layer 2 CAM entry for a blocked MAC address occurs in two phases, known as
hardware aging and software aging. The hardware aging period is fixed at 70 seconds and is
non-configurable. The software aging time is configurable through the CLI.

Once the device stops receiving traffic from a blocked MAC address, the hardware aging begins
and lasts for a fixed period of time. After the hardware aging period ends, the software aging period
begins. The software aging period lasts for a configurable amount of time (by default 120 seconds).
After the software aging period ends, the blocked MAC address ages out, and can be authenticated
again if the device receives traffic from the MAC address.