
Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


Notes for dynamically applying ACLs or MAC address filters

• The name in the Filter ID attribute is case-sensitive.
• You can specify only numbered MAC address filters in the Filter ID attribute. Named MAC address filters are not supported.
• Dynamic ACL filters are supported only for the inbound direction. Dynamic outbound ACL filters are not supported.
• MAC address filters are supported only for the inbound direction. Outbound MAC address filters are not supported.
• Dynamically assigned IP ACLs and MAC address filters are subject to the same configuration restrictions as non-dynamically assigned IP ACLs and MAC address filters.

Configuring per-user IP ACLs or MAC address filters

Per-user IP ACLs and MAC address filters use the Vendor-Specific (type 26) attribute to
dynamically apply filters to ports. The Vendor-Specific attribute carries Brocade ACL or MAC
address filter statements. When the RADIUS server returns the Access-Accept message granting a
client access to the network, the Brocade device reads the statements in the Vendor-Specific attribute
and applies these IP ACLs or MAC address filters to the client port. When the client disconnects from
the network, the dynamically applied filters are removed from the port. If any filters had been
applied to the port before the client connected, those filters are reapplied to the port.

NOTE
Dynamic IP ACL filters and MAC address filters are not supported on the same port at the same time.

The following table shows the syntax for configuring the Brocade Vendor-Specific attributes with ACL
or MAC address filter statements.

Value                              Description
ipacl.e.in=extended-ACL-entries    Applies the specified extended ACL entries to the 802.1X authenticated port in the inbound direction.
macfilter.in=mac-filter-entries    Applies the specified MAC address filter entries to the 802.1X authenticated port in the inbound direction.

The following table shows examples of IP ACLs and MAC address filters configured in the Brocade
Vendor-Specific attribute on a RADIUS server. These IP ACLs and MAC address filters follow the
same syntax as other Brocade ACLs and MAC address filters. Refer to the related chapters in this
book for information on syntax.

ACL or MAC address filter            Vendor-specific attribute on RADIUS server
MAC address filter with one entry    macfilter.in= deny any any
MAC address filter with two entries  macfilter.in= permit 0000.0000.3333 ffff.ffff.0000 any, macfilter.in= permit 0000.0000.4444 ffff.ffff.0000 any

The RADIUS server allows one instance of the Vendor-Specific attribute to be sent in an Access-
Accept message.
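The following is an added example, not code from the Brocade guide: a small Python validator that checks the single Vendor-Specific attribute string a RADIUS server is about to return against the rules this section states (case-sensitive keys, inbound-only `ipacl.e.in` / `macfilter.in` statements, comma-separated entries, and no IP ACL and MAC filter on the same port at once). The MAC filter entry grammar (permit|deny, source, destination, optional masks) is assumed from the examples above; the dataclass and function names are the author's own.

```python
import re
from dataclasses import dataclass

# Keys the guide documents for the Brocade Vendor-Specific (type 26) attribute.
# Lookup is case-sensitive on purpose; outbound variants are not supported.
SUPPORTED_KEYS = {"ipacl.e.in", "macfilter.in"}
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


@dataclass
class DynamicFilter:
    kind: str      # "ipacl.e.in" or "macfilter.in"
    entries: list  # filter statements in the order they appear


def _check_mac_entry(stmt: str) -> None:
    """Assumed grammar: permit|deny <src-mac mask | any> <dst-mac mask | any>."""
    tokens = stmt.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"MAC filter entry must start with permit/deny: {stmt!r}")
    i = 1
    for side in ("source", "destination"):
        if i >= len(tokens):
            raise ValueError(f"missing {side} in {stmt!r}")
        if tokens[i] == "any":
            i += 1
        elif (MAC_RE.match(tokens[i]) and i + 1 < len(tokens)
              and MAC_RE.match(tokens[i + 1])):
            i += 2  # address followed by its mask
        else:
            raise ValueError(f"bad {side} address/mask in {stmt!r}")
    if i != len(tokens):
        raise ValueError(f"trailing tokens in {stmt!r}")


def parse_vsa(value: str) -> DynamicFilter:
    """Parse the one Vendor-Specific attribute string carried in an Access-Accept."""
    kinds, entries = set(), []
    for part in value.split(","):          # multiple entries are comma-separated
        key, sep, stmt = part.partition("=")
        key, stmt = key.strip(), stmt.strip()
        if not sep or key not in SUPPORTED_KEYS:
            raise ValueError(f"unsupported attribute key: {key!r}")
        if key == "macfilter.in":
            _check_mac_entry(stmt)
        elif not stmt:
            raise ValueError("empty extended ACL entry")
        kinds.add(key)
        entries.append(stmt)
    if len(kinds) != 1:  # the guide: IP ACL and MAC filter not on the same port at once
        raise ValueError("IP ACL and MAC filter cannot be applied to the same port")
    return DynamicFilter(kinds.pop(), entries)
```

Run the validator over the attribute value before it leaves the RADIUS server; a rejected string is a configuration error that would otherwise surface only when the switch silently fails to apply the filter.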


FastIron Ethernet Switch Security Configuration Guide

53-1003088-03