Configuration Guide User guide

1868 FastIron Configuration Guide
53-1002494-02
Multi-device port authentication configuration
On FastIron X Series devices, the hardware aging period for blocked MAC addresses is not fixed at
70 seconds. The hardware aging period for blocked MAC addresses is equal to the length of time
specified with the mac-age command. As on FastIron devices, once the hardware aging period
ends, the software aging period begins. When the software aging period ends, the blocked MAC
address ages out, and can be authenticated again if the device receives traffic from the MAC
address.
To change the hardware aging period for blocked MAC addresses, enter a command such as the
following.
Brocade(config)#mac-authentication hw-deny-age 10
Syntax: [no] mac-authentication hw-deny-age <num>
The <num> parameter is a value from 1 to 65535 seconds. The default is 70 seconds.
Specifying the aging time for blocked MAC addresses
When the Brocade device is configured to drop traffic from non-authenticated MAC addresses,
traffic from the blocked MAC addresses is dropped in hardware, without being sent to the CPU. A
Layer 2 CAM entry is created that drops traffic from the blocked MAC address in hardware. If no
traffic is received from the blocked MAC address for a certain amount of time, this Layer 2 CAM
entry is aged out. If traffic is subsequently received from the MAC address, then an attempt can be
made to authenticate the MAC address again.
Aging of the Layer 2 CAM entry for a blocked MAC address occurs in two phases, known as
hardware aging and software aging. The hardware aging period is fixed at 70 seconds and is
non-configurable. The software aging time is configurable through the CLI.
Once the Brocade device stops receiving traffic from a blocked MAC address, the hardware aging
begins and lasts for a fixed period of time. After the hardware aging period ends, the software
aging period begins. The software aging period lasts for a configurable amount of time (by default
120 seconds). After the software aging period ends, the blocked MAC address ages out, and can
be authenticated again if the Brocade device receives traffic from the MAC address.
To change the length of the software aging period for blocked MAC addresses, enter a command
such as the following.
Brocade(config)#mac-authentication max-age 180
Syntax: [no] mac-authentication max-age <seconds>
You can specify from 1 to 65535 seconds. The default is 120 seconds.
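The two-phase aging described in this section, modeled on idle time, as an added example that is not taken from the Brocade guide. The function names and the constructed timestamps are hypothetical. The model assumes that a frame seen before the entry ages out restarts aging from the hardware phase, and that every re-authentication attempt fails.

```python
# Added example: idle-time model of the two-phase aging of a blocked MAC address.
HW_AGE_DEFAULT = 70    # seconds; the guide's hardware aging default
MAX_AGE_DEFAULT = 120  # seconds; the guide's software aging (max-age) default


def _seconds(name, value):
    """Enforce the 1-65535 second range the guide gives for both timers."""
    if not isinstance(value, int) or not 1 <= value <= 65535:
        raise ValueError(f"{name} must be 1-65535 seconds, got {value!r}")
    return value


def aging_phase(idle, hw_age=HW_AGE_DEFAULT, max_age=MAX_AGE_DEFAULT):
    """Phase of the deny entry after `idle` seconds without traffic from the MAC."""
    hw_age, max_age = _seconds("hw-deny-age", hw_age), _seconds("max-age", max_age)
    if idle < hw_age:
        return "hardware aging"
    if idle < hw_age + max_age:
        return "software aging"
    return "aged out"


def classify_frames(frame_times, blocked_at=0, hw_age=HW_AGE_DEFAULT,
                    max_age=MAX_AGE_DEFAULT):
    """Label each frame from one blocked MAC as 'dropped' or 're-auth'.

    Assumptions of this model, not statements from the guide: a frame seen
    before the entry ages out restarts aging from the hardware phase, and
    every re-authentication attempt fails, so the MAC is blocked again.
    """
    last_seen, result = blocked_at, []
    for t in sorted(frame_times):
        if t < blocked_at:
            raise ValueError("frame precedes the time the MAC was blocked")
        aged_out = aging_phase(t - last_seen, hw_age, max_age) == "aged out"
        result.append((t, "re-auth" if aged_out else "dropped"))
        last_seen = t
    return result


if __name__ == "__main__":
    # Constructed timestamps (seconds): a device that goes quiet twice.
    for t, verdict in classify_frames([30, 60, 249, 250, 440]):
        print(f"t={t:>4}s  {verdict}")
```

With the default timers, a blocked MAC address must stay silent for 190 seconds before the device attempts authentication again. In this model, a device that keeps transmitting is never retried.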
Specifying the RADIUS timeout action
A RADIUS timeout occurs when the Brocade device does not receive a response from a RADIUS
server within a specified time limit and after a certain number of retries. The time limit and number
of retries can be manually configured using the CLI commands radius-server timeout and
radius-server retransmit, respectively. If the parameters are not manually configured, the Brocade
device applies the default value of three seconds with a maximum of three retries.