Brocade Communications Systems Brocade ICX 6650 User Manual

Brocade ICX 6650 Security Configuration Guide
53-1002601-01
MAC-based VLAN configuration
Aging for MAC-based VLAN
The aging process for MAC-based VLAN works as described below.
For permitted hosts
For permitted hosts, as long as the Brocade device is receiving traffic, aging does not occur. The age column in the output of the show table-mac-vlan command displays Ena or S num. If the Brocade device stops receiving traffic, the entry first ages out from the MAC table (in the hardware) and then the aging cycle for MAC-based VLAN begins. Aging in the MAC-based VLAN continues for 2 minutes (the default is 120 seconds) after which the MAC-based VLAN session is flushed out.
For blocked hosts
For blocked hosts, as long as the Brocade device is receiving traffic, aging does not occur. In the output of the show table-mac-vlan command, the age column displays H0 to H70, S0, and H0 to H70, etc. Aging of the MAC-based VLAN MAC occurs in two phases: hardware aging and software aging. The hardware aging period can be configured using the mac-authentication hw-deny-age command in config mode. The default is 70 seconds. The software aging time for MAC-based VLAN MACs can be configured using the mac-authentication max-age command. When the Brocade device is no longer receiving traffic from a MAC-based VLAN MAC address, the hardware aging
TABLE 47 Brocade vendor-specific attributes for RADIUS

| Attribute name | Attribute ID | Data type | Optional or mandatory | Description |
|---|---|---|---|---|
| Foundry-MAC-based VLAN-QoS | 8 | decimal | Optional | The QoS attribute specifies the priority of the incoming traffic based on any value between 0 (lowest priority) and 7 (highest priority). Default is 0. |
| Foundry-802_1x-enable | 6 | integer | Optional | Specifies whether 802.1X authentication is performed when MAC-based VLAN is successful for a device. This attribute can be set to one of the following: 0 - Do not perform 802.1X authentication on a device that passes MAC-based VLAN. Set the attribute to zero (0) for devices that do not support 802.1X authentication. 1 - Perform 802.1X authentication when a device passes MAC-based VLAN. Set the attribute to one (1) for devices that support 802.1X authentication. |
| Foundry-802_1x-valid | 7 | integer | Optional | Specifies whether the RADIUS record is valid only for MAC-based VLAN, or for both MAC-based VLAN and 802.1X authentication. This attribute can be set to one of the following: 0 - The RADIUS record is valid only for MAC-based VLAN. Set this attribute to zero (0) to prevent a user from using their MAC address as username and password for 802.1X authentication. 1 - The RADIUS record is valid for both MAC-based VLAN and 802.1X authentication. |
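
The following is an added example, not part of the Brocade guide: a small audit of RADIUS user records against the values documented in Table 47, flagging MAC-named records that are also valid for 802.1X. The dictionary layout of a record, the finding codes and the sample records are assumptions made for illustration; attribute names are written as they appear in the table.

```python
import re

# Documented values from Table 47 (attribute names as printed there).
ALLOWED = {
    "Foundry-MAC-based VLAN-QoS": range(0, 8),  # 0 lowest .. 7 highest
    "Foundry-802_1x-enable": (0, 1),
    "Foundry-802_1x-valid": (0, 1),
}

def looks_like_mac(username):
    """True if the username is 12 hex digits once ':', '-' and '.' are removed."""
    return re.fullmatch(r"[0-9a-fA-F]{12}", re.sub(r"[:.\-]", "", username)) is not None

def audit_record(username, attrs):
    """Return (code, detail) findings for one RADIUS user record (hypothetical layout)."""
    findings = []
    for name, allowed in ALLOWED.items():
        if name in attrs and attrs[name] not in allowed:
            findings.append(("BAD_VALUE", f"{name}={attrs[name]!r} is not a documented value"))
    if looks_like_mac(username):
        valid = attrs.get("Foundry-802_1x-valid")
        if valid == 1:
            # Table 47: value 1 makes the record usable for 802.1X as well.
            findings.append(("MAC_AS_8021X_CRED",
                             "record is valid for 802.1X, so the MAC address works as its username and password"))
        elif valid is None:
            findings.append(("VALID_UNSET", "Foundry-802_1x-valid is not set explicitly"))
        if attrs.get("Foundry-802_1x-enable") == 0:
            findings.append(("MAC_ONLY", "802.1X is skipped after MAC-based VLAN succeeds"))
    return findings

def audit_all(records):
    """Audit every record; returns {username: [findings]}."""
    return {user: audit_record(user, attrs) for user, attrs in records.items()}

# Constructed sample records: username -> reply attributes.
SAMPLE = {
    "0012f2a1b3c4": {"Foundry-802_1x-valid": 1, "Foundry-802_1x-enable": 1,
                     "Foundry-MAC-based VLAN-QoS": 5},
    "0012.f2a1.b3c5": {"Foundry-802_1x-valid": 0, "Foundry-802_1x-enable": 0,
                       "Foundry-MAC-based VLAN-QoS": 9},
    "alice": {"Foundry-802_1x-valid": 1},
}

if __name__ == "__main__":
    for user, found in audit_all(SAMPLE).items():
        for code, detail in found:
            print(f"{user}: {code}: {detail}")
```

MAC_ONLY is informational: Table 47 prescribes the value 0 for devices that do not support 802.1X, so the finding marks records to review rather than errors.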