Disabling aging for mac-based vlan sessions, For mac-based dynamic activation, Globally disabling aging – Brocade Communications Systems Brocade ICX 6650 6650 User Manual

Brocade ICX 6650 Security Configuration Guide

53-1002601-01

MAC-based VLAN configuration

period begins and lasts for a fixed length of time (default or user-configured). When the hardware
aging period ends, the software aging period begins. The software aging period lasts for a
configurable amount of time (the default is 120 seconds). After the software aging period ends, the
MAC-based VLAN session is flushed, and the MAC address can be authenticated or denied if the
Brocade device again receives traffic from that MAC address.

For MAC-based dynamic activation

If all of the sessions age out on a port, the port is dynamically removed from the VLAN table. When
any new session is established, the port is dynamically added back to the VLAN table.

NOTE

If the Brocade device receives a packet from an authenticated MAC address, and the MAC-based
VLAN software aging is still in progress (hardware aging has already occurred), a RADIUS message
is NOT sent to the RADIUS server. Instead the MAC address is reentered in the hardware along with
the parameters previously returned from the RADIUS server. A RADIUS message is sent only when
the MAC-based VLAN session ages out from the software.

To change the length of the software aging period

To change the length of the software aging period for blocked MAC addresses, enter a command
such as the following.

Brocade(config)# mac-authentication max-age 180

Syntax: [no] mac-authentication max-age seconds

You can specify from 1 to 65535 seconds. The default is 120 seconds.

Disabling aging for MAC-based VLAN sessions

MAC addresses that have been authenticated or denied by a RADIUS server are aged out if no
traffic is received from the MAC address for a certain period of time.

You can optionally disable aging for MAC-based VLAN sessions subject to authentication, either for
all MAC addresses or for those learned on a specified interface.

Globally disabling aging

On most devices, you can disable aging on all interfaces where MAC-based VLAN has been
enabled, by entering the following command.

Brocade(config)# mac-authentication disable-aging

Syntax: mac-authentication disable-aging

Enter the command at the global or interface configuration level.

The denied-mac-only parameter prevents denied sessions from being aged out, but ages out
permitted sessions.

The permitted-mac-only parameter prevents permitted (authenticated and restricted) sessions
from being aged out and ages denied sessions.
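
The following Python sketch is an added example, not part of the Brocade manual or any Brocade tool; it models the aging sequence described above to show which packets from one MAC address trigger a RADIUS message and which are restored from the cached session. Assumptions: the function names are hypothetical, hw_age is a stand-in parameter because the hardware aging value is not given in this excerpt, and idle time is measured from the last packet seen.

```python
"""Simplified model of MAC-based VLAN session aging (added example)."""

SW_AGE_DEFAULT = 120  # software aging default stated on this page (seconds)


def classify_packets(arrivals, hw_age, max_age=SW_AGE_DEFAULT, disable_aging=False):
    """Return one (time, outcome) tuple per packet from a single MAC address.

    arrivals      -- sorted packet times in seconds (constructed sample input)
    hw_age        -- hardware aging period; assumed parameter, value not on page
    max_age       -- 'mac-authentication max-age' value (1 to 65535 seconds)
    disable_aging -- models 'mac-authentication disable-aging'

    Outcomes:
      radius      no session exists (first packet, or flushed): RADIUS is queried
      hardware    session is still present in hardware
      sw-restore  software aging in progress: the MAC is re-entered in hardware
                  with the cached RADIUS parameters, no RADIUS message is sent
    """
    if not 1 <= max_age <= 65535:
        raise ValueError("max-age must be 1 to 65535 seconds")
    events = []
    last_seen = None  # time of the previous packet; None means no session yet
    for t in arrivals:
        if last_seen is None:
            outcome = "radius"
        else:
            idle = t - last_seen  # assumption: aging counts from last traffic
            if disable_aging or idle < hw_age:
                outcome = "hardware"
            elif idle < hw_age + max_age:
                outcome = "sw-restore"
            else:
                outcome = "radius"  # session was flushed after software aging
        events.append((t, outcome))
        last_seen = t
    return events


def radius_queries(events):
    """Count the packets that caused a RADIUS message."""
    return sum(1 for _, outcome in events if outcome == "radius")


if __name__ == "__main__":
    sample = [0, 30, 130, 500]  # constructed arrival times, in seconds
    for row in classify_packets(sample, hw_age=60):
        print(row)
```

In this model, a session with aging disabled is never re-submitted to the RADIUS server after its first authentication, which is the trade-off to weigh before using disable-aging for permitted sessions.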