Static and dynamic hosts, MAC-based VLAN feature structure, Source MAC address authentication – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
from the new MAC address will be blocked or dropped until the authentication succeeds. Traffic is
dropped if the authentication fails.
Static and dynamic hosts
Static hosts are devices on the network that do not speak until spoken to; they may not initiate
a request for authentication on their own. Such static hosts are therefore managed through link up
and link down notifications rather than through the traffic they send.
Dynamic hosts are "chatty" devices that generate packets whenever they are in the link up state.
Dynamic hosts must be authenticated before they can switch or forward traffic.
MAC-based VLAN feature structure
The MAC-based VLAN feature operates in two stages:
• Source MAC Address Authentication
• Policy-Based Classification and Forwarding
Source MAC address authentication
Source MAC address authentication is performed by a central RADIUS server when it receives a PAP
request whose username and password both match the MAC address being authenticated. When the
MAC address is successfully authenticated, the server must return the VLAN identifier, which is
carried in the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes (RFC 2868)
of the RADIUS Access-Accept. If the Tunnel-Type is tagged, the MAC address will be blocked or
restricted. If the identified VLAN does not exist on the switch, the authentication is considered a
failure, and action is taken based on the configured failure options. (The default failure action is
to drop the traffic.) The RADIUS server may also optionally return the QoS attribute for the
authenticated MAC address. Refer to the Brocade vendor-specific attributes for RADIUS table for more
information about attributes.
Policy-based classification and forwarding
Once the authentication stage is complete, incoming traffic is classified based on the response from
the RADIUS server. There are three possible actions:
• Incoming traffic from a specific source MAC is dropped because authentication failed
• Incoming traffic from a specific source MAC is classified as untagged into a specific VLAN
• Incoming traffic from a specific source MAC is classified as untagged into a restricted VLAN
Traffic classification is performed by programming both the incoming-traffic attributes and the
RADIUS-returned attributes into the hardware. The incoming-traffic attributes are the source MAC
address and the port on which the feature is enabled. The RADIUS-returned attributes are the VLAN
into which the traffic is to be classified and the QoS priority.
NOTE
This feature drops any incoming tagged traffic on the port, and classifies and forwards untagged traffic
into the appropriate VLANs.
This feature supports up to a maximum of 32 MAC addresses per physical port, with a default of 2.
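The following is an added example and not Brocade's code. It covers both stages described above: it builds the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2868) that a RADIUS server returns for an authenticated MAC, decodes them the way a switch would, and then applies the classification rules from this section (drop on failure, untagged into the assigned VLAN, untagged into a restricted VLAN, and a nonexistent VLAN handled as a failure). The attribute numbers and values come from RFC 2868; the MAC-to-credential format, the dictionary-style result, and treating an Access-Accept with no usable VLAN as a failure are this example's assumptions, and the optional QoS attribute is not modelled.

```python
"""Added example, not Brocade code: build the RFC 2868 tunnel attributes a RADIUS server
returns for an authenticated MAC, decode them as a switch would, and apply the MAC-based
VLAN classification policy described on this page."""
from __future__ import annotations
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attributes
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6  # Tunnel-Medium-Type value "IEEE-802"

def mac_credentials(mac: str) -> tuple[str, str]:
    """PAP username and password for MAC authentication are both the MAC address.
    Lower-case hex without separators is assumed here; the exact form is a deployment choice."""
    hexmac = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(hexmac) != 12 or any(c not in "0123456789abcdef" for c in hexmac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexmac, hexmac

def encode_avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vlan_reply_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Access-Accept attributes placing the MAC in vlan_id: Tunnel-Type and Tunnel-Medium-Type
    are Tag (1 byte) + integer (3 bytes); Tunnel-Private-Group-ID is the VLAN ID as a decimal
    string, prefixed by a Tag byte only when tag is 1..31."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    t = bytes([tag])
    return (encode_avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + encode_avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + encode_avp(TUNNEL_PRIVATE_GROUP_ID, (t if tag else b"") + str(vlan_id).encode()))

def decode_avps(data: bytes) -> list[tuple[int, bytes]]:
    """Split an attribute blob into (type, value) pairs; a bad length is an error, not skipped."""
    attrs, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[off + 2:off + alen]))
        off += alen
    return attrs

def vlan_from_reply(attrs: bytes) -> int | None:
    """VLAN ID the server asked for, or None if the reply carries no usable assignment."""
    found = dict(decode_avps(attrs))  # last copy of each attribute type wins in this example
    if not {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID} <= set(found):
        return None
    ttype, tmed, group = found[TUNNEL_TYPE], found[TUNNEL_MEDIUM_TYPE], found[TUNNEL_PRIVATE_GROUP_ID]
    if len(ttype) != 4 or len(tmed) != 4:
        return None
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(tmed[1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    if group and 0x01 <= group[0] <= 0x1F:  # leading Tag byte is not part of the string
        group = group[1:]
    if not group.isdigit():
        return None
    vlan = int(group)
    return vlan if 1 <= vlan <= 4094 else None

def classify(mac: str, auth_ok: bool, reply_attrs: bytes, configured_vlans: set[int],
             failure_action: str = "drop", restricted_vlan: int | None = None) -> dict:
    """Action for untagged traffic from mac: drop, forward untagged in the assigned VLAN, or
    forward untagged in a restricted VLAN. A VLAN absent from the switch counts as an
    authentication failure and the configured failure action applies (default: drop).
    Treating an Accept with no usable VLAN as a failure is this example's choice."""
    if failure_action not in ("drop", "restricted"):
        raise ValueError("failure_action must be 'drop' or 'restricted'")
    if failure_action == "restricted" and restricted_vlan not in configured_vlans:
        raise ValueError("restricted VLAN must exist on the switch")

    def fail(reason: str) -> dict:
        if failure_action == "restricted":
            return {"mac": mac, "action": "restricted", "vlan": restricted_vlan, "reason": reason}
        return {"mac": mac, "action": "drop", "vlan": None, "reason": reason}

    if not auth_ok:
        return fail("Access-Reject")
    vlan = vlan_from_reply(reply_attrs)
    if vlan is None:
        return fail("Access-Accept without a usable VLAN assignment")
    if vlan not in configured_vlans:
        return fail(f"VLAN {vlan} is not configured on this switch")
    return {"mac": mac, "action": "forward", "vlan": vlan, "reason": "authenticated"}

if __name__ == "__main__":
    vlans = {10, 20, 999}  # constructed: VLANs on the switch, 999 used as the restricted VLAN
    print(mac_credentials("00:11:22:AA:BB:CC"))
    print(classify("001122aabbcc", True, vlan_reply_attributes(20), vlans))
    print(classify("001122aabbcd", True, vlan_reply_attributes(30), vlans))
    print(classify("001122aabbce", True, vlan_reply_attributes(30), vlans, "restricted", 999))
```

Two checks are worth noting. The decoder refuses a malformed attribute length instead of skipping it, since a parser that resynchronises silently is the classic way to smuggle an attribute past a policy check. And the VLAN named in Tunnel-Private-Group-ID is validated against the switch's own VLAN table before any forwarding entry is created, which is exactly the "identified VLAN does not exist" failure case described above.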
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03