Support User Manuals

Brocade Communications Systems 6650 Switch User Manual

Open as PDF

of 332

218 Brocade ICX 6650 Security Configuration Guide

53-1002601-01

MAC-based VLAN configuration

period begins and lasts for a fixed length of time (default or user-configured). When the hardware

aging period ends, the software aging period begins. The software aging period lasts for a

configurable amount of time (the default is 120 seconds). After the software aging period ends, the

MAC-based VLAN session is flushed, and the MAC address can be authenticated or denied if the

Brocade device again receives traffic from that MAC address.

For MAC-based dynamic activation

If all of the sessions age out on a port, the port is dynamically removed from the VLAN table. When

any new session is established, the port is dynamically added back to the VLAN table.

NOTE

If the Brocade device receives a packet from an authenticated MAC address, and the MAC-based

VLAN software aging is still in progress (hardware aging has already occurred), a RADIUS message

is NOT sent to the RADIUS server. Instead the MAC address is reentered in the hardware along with

the parameters previously returned from the RADIUS server. A RADIUS message is sent only when

the MAC-based VLAN session ages out from the software.

To change the length of the software aging period

To change the length of the software aging period for blocked MAC addresses, enter a command

such as the following.

Brocade(config)# mac-authentication max-age 180

Syntax: [no] mac-authentication max-age seconds

You can specify from 1–65535 seconds. The default is 120 seconds.

Disabling aging for MAC-based VLAN sessions

MAC addresses that have been authenticated or denied by a RADIUS server are aged out if no

traffic is received from the MAC address for a certain period of time.

You can optionally disable aging for MAC-based VLAN session subject to authentication, either for

all MAC addresses or for those learned on a specified interface.

Globally disabling aging

On most devices, you can disable aging on all interfaces where MAC-based VLAN has been

enabled, by entering the following command.

Brocade(config)# mac-authentication disable-aging

Syntax: mac-authentication disable-aging

Enter the command at the global or interface configuration level.

The denied-mac-only parameter prevents denied sessions from being aged out, but ages out

permitted sessions.

The permitted-mac-only parameter prevents permitted (authenticated and restricted) sessions

from being aged out and ages denied sessions.

previous next