
Mac address filter override configuration notes, Mac address filter override configuration syntax – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 251


MAC address filter override for 802.1X-enabled ports

The MAC address filtering feature on an 802.1X-enabled port allows 802.1X and non-802.1X devices to
share the same physical port. For example, this feature enables you to connect a PC and a non-802.1X
device, such as a Voice Over IP (VOIP) phone, to the same 802.1X-enabled port on the Brocade
device. The IP phone will bypass 802.1X authentication and the PC will require 802.1X authentication.

To enable this feature, first create a MAC address filter, then bind it to an interface on which 802.1X is
enabled. The MAC address filter includes a mask that can match on any number of bytes in the MAC
address. The mask can eliminate the need to enter MAC addresses for all non-802.1X devices
connected to the Brocade device, and the ports to which these devices are connected.

MAC address filter override configuration notes

• This feature is supported on untagged, tagged, and dual-mode ports.
• You can configure this feature on ports that have ACLs and MAC address filters defined.

MAC address filter override configuration syntax

To configure MAC address filtering on an 802.1X-enabled port, enter commands such as the following.

device(config)#mac filter 1 permit 0000.00ab.9429 ffff.ffff.0000 any
device(config)#int e1/2
device(config-if-e1000-1/2)#dot1x auth-filter 1 3 to 5 10

The first line defines a MAC address filter that matches on the first four bytes (ffff.ffff.0000) of the source
MAC address 0000.00ab.9429, and any destination MAC address. The permit action creates an 802.1X
session in the FORCE AUTHORIZE state, meaning that the device is placed unconditionally in the
authorized state, bypassing 802.1X authentication and allowing all traffic from the specified MAC
address. If no match is found, the implicit action is to authenticate the client.

The last line binds MAC address filters 1, 3, 4, 5, and 10 to interface 2.

Syntax: [no] mac filter filter-num { permit | deny } [ src-mac mask | any ] [ dest-mac mask | any ]

Syntax: dot1x auth-filter filter-list

The permit or deny argument determines the action the software takes when a match occurs. In the
previous example, the permit action creates an 802.1X session in the FORCE AUTHORIZE state,
meaning that the device is placed unconditionally in the authorized state, bypassing 802.1X
authentication and allowing all traffic from the specified MAC address. The deny action creates an
802.1X session in the FORCE UNAUTHORIZE state, meaning that the device will never be authorized,
even if it has the appropriate credentials.

The src-mac mask | any parameter specifies the source MAC address. You can enter a specific
address value and a comparison mask, or the keyword any to filter on all MAC addresses. Specify the
mask using f (ones) and zeros. For example, to match on the first two bytes of the address
aabb.ccdd.eeff, use the mask ffff.0000.0000. The filter matches on all MAC addresses that contain aabb
as the first two bytes and accepts any value for the remaining bytes of the MAC address. If you specify
any, do not specify a mask. In this case, the filter matches on all MAC addresses. If no match is found,
the implicit action is to authenticate the client.

The dest-mac mask | any parameter specifies the destination MAC address. The syntax rules are the
same as those for the src-mac mask | any parameter. Note that the 802.1X authentication filter (dot1x
auth-filter) does not use the destination MAC address in the MAC address filter.
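The following Python is an added example, not code from the guide or from the Brocade device; it models the evaluation rule described above: the dot1x auth-filter list (including "to" ranges) is expanded, each referenced MAC filter compares the client's source MAC under its mask, permit yields FORCE AUTHORIZE, deny yields FORCE UNAUTHORIZE, and no match falls through to normal 802.1X authentication. The function names and the sample filters are my own constructions; the destination MAC is ignored, as the guide states.

```python
from dataclasses import dataclass


def parse_mac(text):
    """Parse Brocade dotted-hex notation (e.g. 0000.00ab.9429) into a 48-bit int."""
    digits = text.replace(".", "")
    if len(digits) != 12:
        raise ValueError("bad MAC or mask: %s" % text)
    return int(digits, 16)


@dataclass
class MacFilter:
    num: int
    action: str     # "permit" or "deny"
    src: int        # source MAC value (0 for the 'any' keyword)
    src_mask: int   # comparison mask (0 for 'any', so every MAC matches)


def mac_filter(num, action, src="any", mask=None):
    """Model 'mac filter <num> permit|deny <src-mac mask | any> ...'."""
    if src == "any":
        return MacFilter(num, action, 0, 0)
    return MacFilter(num, action, parse_mac(src), parse_mac(mask))


def parse_filter_list(spec):
    """Expand a 'dot1x auth-filter' list such as '1 3 to 5 10' into [1, 3, 4, 5, 10]."""
    tokens, nums, i = spec.split(), [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            nums.extend(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            nums.append(int(tokens[i]))
            i += 1
    return nums


def port_state(filters, auth_filter, client_mac):
    """Return the 802.1X session state a client with client_mac gets on the port."""
    mac = parse_mac(client_mac)
    for num in parse_filter_list(auth_filter):
        f = filters.get(num)           # filters bound but not defined are skipped
        if f is not None and (mac & f.src_mask) == (f.src & f.src_mask):
            return "FORCE_AUTHORIZE" if f.action == "permit" else "FORCE_UNAUTHORIZE"
    return "AUTHENTICATE"              # implicit action: run 802.1X for this client


# Constructed sample configuration: filter 1 is the guide's example, filter 3 is invented.
FILTERS = {
    1: mac_filter(1, "permit", "0000.00ab.9429", "ffff.ffff.0000"),
    3: mac_filter(3, "deny", "aabb.0000.0000", "ffff.0000.0000"),
}
```

A phone at 0000.00ab.1234 matches the first four bytes of filter 1 and is force-authorized, while a PC at 0011.2233.4455 matches nothing and must authenticate.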

FastIron Ethernet Switch Security Configuration Guide, 53-1003088-03