beautypg.com

Brocade BigIron RX Series Configuration Guide User Manual

Page 1094

background image

1016

BigIron RX Series Configuration Guide

53-1002484-04

Displaying multi-device port authentication information

32

denied-mac-only disables aging of denied sessions and enables aging of permitted sessions.

permitted-mac-only disables aging of permitted (authenticated and restricted) sessions and
enables aging of denied sessions.

Specifying the aging time for blocked MAC addresses

When the device is configured to drop traffic from non-authenticated MAC addresses, traffic from
the blocked MAC addresses is dropped in hardware, without being sent to the CPU. A Layer 2 CAM
entry is created that drops traffic from the blocked MAC address in hardware. If no traffic is
received from the blocked MAC address for a certain amount of time, this Layer 2 CAM entry is
aged out. If traffic is subsequently received from the MAC address, then an attempt can be made to
authenticate the MAC address again.

Aging of the Layer 2 CAM entry for a blocked MAC address occurs in two phases, known as
hardware aging and software aging. The hardware aging period is fixed at 70 seconds and is
non-configurable. The software aging time is configurable through the CLI.

Once the device stops receiving traffic from a blocked MAC address, the hardware aging begins
and lasts for a fixed period of time. After the hardware aging period ends, the software aging period
begins. The software aging period lasts for a configurable amount of time (by default 120 seconds).
After the software aging period ends, the blocked MAC address ages out, and can be authenticated
again if the device receives traffic from the MAC address.

To change the length of the software aging period for blocked MAC addresses, enter a command
such as the following.

BigIron RX(config)# mac-authentication max-age 180

Syntax: [no] mac-authentication max-age <seconds>

You can specify from 1 – 65535 seconds. The default is 120 seconds.

NOTE

If a RADIUS profile is created for an incoming traffic with a tunnel private group ID as NULL, the
tagged traffic is authenticated only if the interface is a tagged member of the incoming VLAN,
whereas the untagged traffic is authenticated against the configured port VLAN ID.

Displaying multi-device port authentication information

You can display the following information about the multi-device port authentication configuration:

Information about authenticated MAC addresses

Information about the multi-device port authentication configuration

Authentication Information for a specific MAC address or port

Multi-device port authentication settings and authenticated MAC addresses for each port
where the multi-device port authentication feature is enabled

The MAC addresses that have been successfully authenticated

The MAC addresses for which authentication was not successful

See also other documents in the category Brocade Computer Accessories: