Configuration Guide User guide
FastIron Configuration Guide 1867
53-1002494-02
Multi-device port authentication configuration
You can optionally disable aging for MAC addresses subject to authentication, either for all MAC
addresses or for those learned on a specified interface.
Globally disabling aging of MAC addresses
On most devices, you can disable aging for all MAC addresses on all interfaces where multi-device
port authentication has been enabled by entering the mac-authentication disable-aging command.
Brocade(config)#mac-authentication disable-aging
Syntax: mac-authentication disable-aging
Enter the command at the global or interface configuration level.
The denied-only parameter prevents denied sessions from being aged out, but ages out permitted
sessions.
The permitted-only parameter prevents permitted (authenticated and restricted) sessions from
being aged out and ages denied sessions.
Disabling the aging of MAC addresses on interfaces
To disable aging for all MAC addresses subject to authentication on a specific interface where
multi-device port authentication has been enabled, enter the command at the interface level.
Example
Brocade(config)#interface e 3/1
Brocade(config-if-e1000-3/1)#mac-authentication disable-aging
Syntax: [no] mac-authentication disable-aging
Changing the hardware aging period for blocked
MAC addresses
When the Brocade device is configured to drop traffic from non-authenticated MAC addresses,
traffic from the blocked MAC addresses is dropped in hardware, without being sent to the CPU. A
Layer 2 hardware entry is created that drops traffic from the MAC address in hardware. If no traffic
is received from the MAC address for a certain amount of time, this Layer 2 hardware entry is aged
out. If traffic is subsequently received from the MAC address, then an attempt can be made to
authenticate the MAC address again.
Aging of the Layer 2 hardware entry for a blocked MAC address occurs in two phases, known as
hardware aging and software aging.
On FastIron devices, the hardware aging period for blocked MAC addresses is fixed at 70 seconds
and is non-configurable. (The hardware aging time for non-blocked MAC addresses is the length of
time specified with the mac-age command.) The software aging period for blocked MAC addresses
is configurable through the CLI, with the mac-authentication max-age command. Once the
hardware aging period ends, the software aging period begins. When the software aging period
ends, the blocked MAC address ages out, and can be authenticated again if the Brocade device
receives traffic from the MAC address.