BigIron RX Series Configuration Guide 92553-1001986-01Configuring multi-device port authentication 31This command removes the Layer 2 CAM entry created for the specified MAC address. If the devicereceives traffic from the MAC address again, the MAC address is authenticated again.Disabling aging for authenticated MAC addressesMAC addresses that have been authenticated or denied by a RADIUS server are aged out if notraffic is received from the MAC address for a certain period of time.• Authenticated MAC addresses or non-authenticated MAC addresses that have been placed inthe restricted VLAN are aged out if no traffic is received from the MAC address over thedevice’s normal MAC aging interval.• Non-authenticated MAC addresses that are blocked by the device are aged out if no traffic isreceived from the address over a fixed hardware aging period (70 seconds), plus aconfigurable software aging period. (See the next section for more information on configuringthe software aging period).You can optionally disable aging for MAC addresses subject to authentication, either for all MACaddresses or for those learned on a specified interface.To disable aging for all MAC addresses subject to authentication on all interfaces wheremulti-device port authentication has been enabled, enter the following command.BigIron RX(config)# mac-authentication disable-agingTo disable aging for all MAC addresses subject to authentication on a specific interface wheremulti-device port authentication has been enabled, enter commands such as the following.BigIron RX(config)# interface e 3/1BigIron RX(config-if-e100-3/1)# mac-authentication disable-agingSyntax: [no] mac-authentication disable-aging [denied-mac-only | permitted-mac-only]denied-mac-only disables aging of denied sessions and enables aging of permitted sessions.permitted-mac-only disables aging of permitted (authenticated and restricted) sessions andenables aging of denied sessions.Specifying the aging time for blocked MAC addressesWhen the device is configured to drop traffic from non-authenticated MAC addresses, traffic fromthe blocked MAC addresses is dropped in hardware, without being sent to the CPU. A Layer 2 CAMentry is created that drops traffic from the blocked MAC address in hardware. If no traffic isreceived from the blocked MAC address for a certain amount of time, this Layer 2 CAM entry isaged out. If traffic is subsequently received from the MAC address, then an attempt can be made toauthenticate the MAC address again.Aging of the Layer 2 CAM entry for a blocked MAC address occurs in two phases, known ashardware aging and software aging. The hardware aging period is fixed at 70 seconds and isnon-configurable. The software aging time is configurable through the CLI.Once the device stops receiving traffic from a blocked MAC address, the hardware aging beginsand lasts for a fixed period of time. After the hardware aging period ends, the software aging periodbegins. The software aging period lasts for a configurable amount of time (by default 120 seconds).After the software aging period ends, the blocked MAC address ages out, and can be authenticatedagain if the device receives traffic from the MAC address.