
MAC-based VLAN configuration – Brocade FastIron Ethernet Switch Security Configuration Guide


vlan 222 name RESTRICTED_MBV by port
 untagged ethe 0/1/4
 mac-vlan-permit ethe 0/1/1 to 0/1/3
vlan 666 name RESTRICTED_MAC_AUTH by port
 untagged ethe 0/1/20
 mac-vlan-permit ethe 0/1/1 to 0/1/3
 spanning-tree 802-1w
vlan 4000 name DEFAULT-VLAN by port
vlan 4004 by port
 mac-vlan-permit ethe 0/1/1 ethe 0/1/3
default-vlan-id 4000
ip address 10.44.3.3 255.255.255.0
ip default-gateway 10.44.3.1
radius-server host 10.44.3.111
radius-server key 1 $-ndUno
mac-authentication enable
mac-authentication mac-vlan-dyn-activation
mac-authentication max-age 60
mac-authentication hw-deny-age 30
mac-authentication auth-passwd-format xxxx.xxxx.xxxx
mac-authentication auth-fail-vlan-id 666
interface ethernet 0/1/1
 mac-authentication mac-vlan max-mac-entries 5
 mac-authentication mac-vlan 0000.0088.b9fe vlan 1 priority 1
 mac-authentication mac-vlan enable
interface ethernet 0/1/2
 mac-authentication mac-vlan max-mac-entries 10
 mac-authentication mac-vlan enable
 mac-authentication auth-fail-action restrict-vlan 222
interface ethernet 0/1/3
 mac-authentication mac-vlan enable
 mac-authentication auth-fail-action restrict-vlan
!
end

MAC-based VLAN configuration

MAC-based VLAN mappings can be configured statically on the switch for hosts with fixed MAC addresses, or assigned dynamically for other hosts by having the switch send the source MAC address of the incoming packet to the RADIUS server for authentication, with the RADIUS reply supplying the VLAN.

To configure a MAC-based VLAN, first perform the following tasks:

• In each VLAN, configure mac-vlan-permit for every port that will participate in the MAC-based VLAN.

• Create all of the VLANs and add all ports as mac-vlan-permit before enabling MAC-based VLAN on any port. If a port is MAC-based VLAN-enabled but has not been added as mac-vlan-permit in any VLAN, every MAC address learned on that port is blocked in the reserved VLAN.

• Disable any multi-device port authentication on the ports you will use for MAC-to-VLAN mapping.

NOTE
Do not configure MAC-based VLAN on ports that are tagged to any VLAN. Do not use ports on which
MAC-based VLAN is configured as tagged ports.

NOTE
For FCX and ICX devices, MAC-based VLAN with 802.1X will not work on the same port if 802.1X has
the RADIUS VLAN attribute defined as an untagged VLAN (for example U:1, U:2).
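The ordering rule above (permit first, enable second) and the first note are easy to get wrong when a configuration is edited by hand, so the following Python script is added here as a pre-deployment check; it is not part of the Brocade guide or FastIron software. It parses a saved running-config for only the commands that matter to MAC-based VLAN and reports every port with `mac-authentication mac-vlan enable` that is not mac-vlan-permit in any VLAN, that is a tagged member of any VLAN, or whose auth-fail restricted VLAN (explicit, or the global auth-fail-vlan-id fallback) is undefined or does not permit the port. The last check is modelled on the example configuration on this page, where VLANs 222 and 666 both permit ports 0/1/1 to 0/1/3. It assumes `show running-config` indentation (sub-commands under `vlan` and `interface ethernet` start with a space); the embedded sample configurations are constructed, one mirroring the page's example and one with a deliberately broken port.

```python
def expand_ports(tokens):
    """Expand 'ethe 0/1/1 to 0/1/3 ethe 0/1/7' -> ['0/1/1', '0/1/2', '0/1/3', '0/1/7']."""
    ports, i = [], 0
    while i < len(tokens):
        if tokens[i] in ("ethe", "ethernet") and i + 1 < len(tokens):
            start, i = tokens[i + 1], i + 2
            if i + 1 < len(tokens) and tokens[i] == "to":   # a range shares unit/slot
                prefix, lo = start.rsplit("/", 1)
                hi = tokens[i + 1].rsplit("/", 1)[1]
                ports += [f"{prefix}/{n}" for n in range(int(lo), int(hi) + 1)]
                i += 2
            else:
                ports.append(start)
        else:
            i += 1
    return ports


def parse_config(text):
    """Return (vlans, ifaces, global auth-fail-vlan-id); only MBV-relevant commands are parsed."""
    vlans, ifaces, fail_vlan, block = {}, {}, None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("!", "end"):
            continue
        if not raw[0].isspace():                       # a top-level command ends any block
            block = None
            if tok[0] == "vlan" and len(tok) > 1 and tok[1].isdigit():
                block = ("vlan", int(tok[1]))
                vlans.setdefault(block[1], {"permit": set(), "tagged": set()})
            elif tok[0] == "interface" and len(tok) > 2 and tok[1] in ("ethernet", "ethe"):
                block = ("iface", expand_ports(["ethe"] + tok[2:]))
                for p in block[1]:
                    ifaces.setdefault(p, {"mbv": False, "restrict": None})
            elif tok[:2] == ["mac-authentication", "auth-fail-vlan-id"]:
                fail_vlan = int(tok[2])
        elif block and block[0] == "vlan" and tok[0] in ("tagged", "mac-vlan-permit"):
            vlans[block[1]]["permit" if tok[0] == "mac-vlan-permit" else "tagged"].update(expand_ports(tok[1:]))
        elif block and block[0] == "iface" and tok[0] == "mac-authentication":
            for p in block[1]:
                if tok[1:] == ["mac-vlan", "enable"]:
                    ifaces[p]["mbv"] = True
                elif tok[1:3] == ["auth-fail-action", "restrict-vlan"]:
                    # a bare restrict-vlan falls back to the global auth-fail-vlan-id
                    ifaces[p]["restrict"] = int(tok[3]) if len(tok) > 3 else "global"
    return vlans, ifaces, fail_vlan


def lint_mbv(text):
    """Return findings for MBV-enabled ports; an empty list means the prerequisites hold."""
    vlans, ifaces, fail_vlan = parse_config(text)
    findings = []
    for port, cfg in sorted(ifaces.items()):
        if not cfg["mbv"]:
            continue
        if not any(port in v["permit"] for v in vlans.values()):
            findings.append(f"{port}: mac-vlan enabled but no VLAN has mac-vlan-permit for it; learned MACs will be blocked in the reserved VLAN")
        if tagged_in := sorted(vid for vid, v in vlans.items() if port in v["tagged"]):
            findings.append(f"{port}: mac-vlan enabled but tagged in VLAN(s) {tagged_in}")
        if cfg["restrict"] is not None:
            target = fail_vlan if cfg["restrict"] == "global" else cfg["restrict"]
            if target is None:
                findings.append(f"{port}: restrict-vlan has no id and no global auth-fail-vlan-id is set")
            elif target not in vlans:
                findings.append(f"{port}: restricted VLAN {target} is not defined")
            elif port not in vlans[target]["permit"]:
                findings.append(f"{port}: restricted VLAN {target} does not mac-vlan-permit this port")
    return findings


# Constructed sample mirroring the guide's example; it should produce no findings.
SAMPLE_OK = """\
vlan 222 name RESTRICTED_MBV by port
 mac-vlan-permit ethe 0/1/1 to 0/1/3
vlan 666 name RESTRICTED_MAC_AUTH by port
 mac-vlan-permit ethe 0/1/1 to 0/1/3
mac-authentication auth-fail-vlan-id 666
interface ethernet 0/1/1
 mac-authentication mac-vlan enable
interface ethernet 0/1/2
 mac-authentication mac-vlan enable
 mac-authentication auth-fail-action restrict-vlan 222
interface ethernet 0/1/3
 mac-authentication mac-vlan enable
 mac-authentication auth-fail-action restrict-vlan
end
"""

# Constructed variant: 0/1/5 is MBV-enabled but tagged, never permitted, and its restricted VLAN 333 is undefined.
SAMPLE_BAD = SAMPLE_OK.replace("end\n", """\
vlan 10 name UPLINK by port
 tagged ethe 0/1/5
interface ethernet 0/1/5
 mac-authentication mac-vlan enable
 mac-authentication auth-fail-action restrict-vlan 333
end
""")

if __name__ == "__main__":
    for name, cfg in (("clean sample", SAMPLE_OK), ("broken sample", SAMPLE_BAD)):
        print(f"--- {name} ---\n" + "\n".join(lint_mbv(cfg) or ["no findings"]))
```

Run against a saved `show running-config`, the clean sample yields no findings while the broken sample reports three for port 0/1/5: no mac-vlan-permit anywhere, tagged membership in VLAN 10, and an undefined restricted VLAN. Fix those before issuing `mac-authentication mac-vlan enable`, since the switch blocks MACs learned on an unpermitted port rather than rejecting the command.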


FastIron Ethernet Switch Security Configuration Guide

231

53-1003088-03