Brocade Communications Systems 6650 Switch User Manual


 
Brocade ICX 6650 Security Configuration Guide
53-1002601-01
MAC-based VLAN configuration
period begins and lasts for a fixed length of time (default or user-configured). When the hardware
aging period ends, the software aging period begins. The software aging period lasts for a
configurable amount of time (the default is 120 seconds). After the software aging period ends, the
MAC-based VLAN session is flushed, and the MAC address can be authenticated or denied if the
Brocade device again receives traffic from that MAC address.
For MAC-based dynamic activation
If all of the sessions age out on a port, the port is dynamically removed from the VLAN table. When
any new session is established, the port is dynamically added back to the VLAN table.
NOTE
If the Brocade device receives a packet from an authenticated MAC address, and the MAC-based
VLAN software aging is still in progress (hardware aging has already occurred), a RADIUS message
is NOT sent to the RADIUS server. Instead the MAC address is reentered in the hardware along with
the parameters previously returned from the RADIUS server. A RADIUS message is sent only when
the MAC-based VLAN session ages out from the software.
To change the length of the software aging period
To change the length of the software aging period for blocked MAC addresses, enter a command
such as the following.
Brocade(config)# mac-authentication max-age 180
Syntax: [no] mac-authentication max-age seconds
You can specify from 1–65535 seconds. The default is 120 seconds.
Disabling aging for MAC-based VLAN sessions
MAC addresses that have been authenticated or denied by a RADIUS server are aged out if no
traffic is received from the MAC address for a certain period of time.
You can optionally disable aging for MAC-based VLAN sessions subject to authentication, either for
all MAC addresses or for those learned on a specified interface.
Globally disabling aging
On most devices, you can disable aging on all interfaces where MAC-based VLAN has been
enabled, by entering the following command.
Brocade(config)# mac-authentication disable-aging
Syntax: mac-authentication disable-aging
Enter the command at the global or interface configuration level.
The denied-mac-only parameter prevents denied sessions from being aged out, but ages out
permitted sessions.
The permitted-mac-only parameter prevents permitted (authenticated and restricted) sessions
from being aged out and ages denied sessions.
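The following Python script is an added example, not part of the Brocade guide. It audits a running-config excerpt for the aging commands described above and reports which sessions are never flushed and therefore never sent back to RADIUS. The sample configuration is constructed, and the interface stanza layout and the placement of denied-mac-only or permitted-mac-only directly after disable-aging are assumptions.

```python
import re

DEFAULT_MAX_AGE = 120  # seconds; software aging default stated in the guide
# Constructed sample. Stanza layout and keyword placement are assumptions.
SAMPLE_CONFIG = """\
mac-authentication max-age 180
!
interface ethernet 1/1/1
 mac-authentication disable-aging permitted-mac-only
!
interface ethernet 1/1/2
 mac-authentication disable-aging denied-mac-only
!
interface ethernet 1/1/3
 mac-authentication disable-aging
!
"""
MAX_AGE = re.compile(r"mac-authentication max-age (\d+)")
NO_AGING = re.compile(
    r"mac-authentication disable-aging(?: (denied|permitted)-mac-only)?")

def audit_aging(config_text):
    """Return (software max-age, {scope: session kinds that never age out})."""
    max_age, exempt, scope = DEFAULT_MAX_AGE, {}, "global"
    for line in map(str.strip, config_text.splitlines()):
        if line == "!":                      # end of a stanza
            scope = "global"
        elif line.startswith("interface "):
            scope = line[len("interface "):]
        elif m := MAX_AGE.fullmatch(line):
            max_age = int(m.group(1))
            if not 1 <= max_age <= 65535:    # range given in the guide
                raise ValueError(f"max-age out of range: {max_age}")
        elif m := NO_AGING.fullmatch(line):
            # No keyword: both denied and permitted sessions are exempt.
            kinds = {m.group(1)} if m.group(1) else {"denied", "permitted"}
            exempt.setdefault(scope, set()).update(kinds)
    return max_age, exempt

def findings(config_text):
    """Describe what each aging setting means for re-authentication."""
    max_age, exempt = audit_aging(config_text)
    out = [f"software aging period: {max_age}s"]
    for scope, kinds in sorted(exempt.items()):
        if "permitted" in kinds:
            out.append(f"{scope}: permitted sessions never re-checked with RADIUS")
        if "denied" in kinds:
            out.append(f"{scope}: denied sessions never re-evaluated")
    return out
```

Calling findings(SAMPLE_CONFIG) returns one line for the software aging period plus one line per exempt session kind on each interface.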