HP ProCurve 9304M Security Manual page 129

Routing switches

ProCurveRS(config-if-e100-3/1)# mac-authentication dos-protection enable
Syntax: [no] mac-authentication dos-protection enable
To specify a maximum rate for RADIUS authentication attempts, enter commands such as the following:
ProCurveRS(config)# interface e 3/1
ProCurveRS(config-if-e100-3/1)# mac-authentication dos-protection mac-limit 256
Syntax: [no] mac-authentication dos-protection mac-limit <number>
You can specify a rate from 1 – 65535 authentication attempts per second. The default is a rate of 512
authentication attempts per second.
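The following is an added example, not part of the HP manual: a small Python check that reads configuration text and reports, per interface, whether DoS protection is enabled and what RADIUS attempt rate applies. It assumes interface blocks end with "!" or "exit", that the "no" form of mac-limit restores the default, and uses a constructed sample; the function and variable names are hypothetical.

```python
import re

DEFAULT_LIMIT = 512             # default rate stated in the manual
LIMIT_RANGE = range(1, 65536)   # valid rates stated in the manual: 1 - 65535

IFACE = re.compile(r"^interface\s+(\S+\s+\S+)\s*$")   # e.g. "interface e 3/1"
DOS = re.compile(r"^(no\s+)?mac-authentication\s+dos-protection\s+"
                 r"(enable|mac-limit)(?:\s+(\S+))?\s*$")

# Constructed sample input (not taken from a real device).
SAMPLE = """\
interface e 3/1
 mac-authentication dos-protection enable
 mac-authentication dos-protection mac-limit 256
!
interface e 3/2
 mac-authentication dos-protection mac-limit 70000
!
interface e 3/3
 mac-authentication dos-protection enable
"""

def audit_dos_protection(config_text):
    """Return {interface: {"enabled", "mac_limit", "problems"}} for every interface seen."""
    report, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("!", "exit"):        # assumed end of an interface block
            current = None
            continue
        m = IFACE.match(line)
        if m:
            current = m.group(1)
            report[current] = {"enabled": False, "mac_limit": DEFAULT_LIMIT, "problems": []}
            continue
        m = DOS.match(line)
        if not m or current is None:
            continue
        negated, keyword, arg = bool(m.group(1)), m.group(2), m.group(3)
        entry = report[current]
        if keyword == "enable":
            entry["enabled"] = not negated
        elif negated:                    # assumption: "no ... mac-limit" restores the default
            entry["mac_limit"] = DEFAULT_LIMIT
        elif arg and arg.isdigit() and int(arg) in LIMIT_RANGE:
            entry["mac_limit"] = int(arg)
        else:                            # out-of-range or missing value: keep the previous rate
            entry["problems"].append(f"mac-limit {arg!r} outside 1-65535")
    for entry in report.values():
        if not entry["enabled"]:
            entry["problems"].append("dos-protection not enabled")
    return report

if __name__ == "__main__":
    for port, entry in audit_dos_protection(SAMPLE).items():
        print(port, entry)
```

The report lists every interface in the input, so restrict it to the ports where multi-device port authentication is actually enabled before acting on the "not enabled" findings.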
Clearing Authenticated MAC Addresses
The HP device maintains an internal table of the authenticated MAC addresses (viewable with the show
authenticated-mac-address command). You can clear the contents of the authenticated MAC address table
either entirely, or just for the entries learned on a specified interface. In addition, you can clear the MAC session
for an address learned on a specific interface.
To clear the entire contents of the authenticated MAC address table, enter the following command:
ProCurveRS(config)# clear auth-mac-table
Syntax: clear auth-mac-table
To clear the authenticated MAC address table of entries learned on a specified interface, enter a command such
as the following:
ProCurveRS(config)# clear auth-mac-table e 3/1
Syntax: clear auth-mac-table <portnum>
To clear the MAC session for an address learned on a specific interface, enter commands such as the following:
ProCurveRS(config)# interface e 3/1
ProCurveRS(config-if-e100-3/1)# mac-authentication clear-mac-session 00e0.1234.abd4
Syntax: mac-authentication clear-mac-session <mac-address>
This command removes the Layer 2 CAM entry created for the specified MAC address. If the HP device receives
traffic from the MAC address again, the MAC address is authenticated again.
Disabling Aging for Authenticated MAC Addresses
MAC addresses that have been authenticated or denied by a RADIUS server are aged out if no traffic is received
from the MAC address for a certain period of time.
- Authenticated MAC addresses or non-authenticated MAC addresses that have been placed in the restricted
  VLAN are aged out if no traffic is received from the MAC address over the device's normal MAC aging
  interval.
- Non-authenticated MAC addresses that are blocked by the device are aged out if no traffic is received from
  the address over a fixed hardware aging period (70 seconds), plus a configurable software aging period. (See
  the next section for more information on configuring the software aging period.)
You can optionally disable aging for MAC addresses subject to authentication, either for all MAC addresses or for
those learned on a specified interface.
To disable aging for all MAC addresses subject to authentication on all interfaces where multi-device port
authentication has been enabled, enter the following command:
ProCurveRS(config)# mac-authentication disable-aging
To disable aging for all MAC addresses subject to authentication on a specific interface where multi-device port
authentication has been enabled, enter commands such as the following:
ProCurveRS(config)# interface e 3/1
June 2005
Configuring Multi-Device Port Authentication
6 - 7
