Brocade FastIron Ethernet Switch Security Configuration Guide

Support for DHCP snooping with dynamic ACLs

NOTE
This feature is not supported on FCX devices.

Multi-device port authentication and DHCP snooping are supported in conjunction with dynamic ACLs.
Support is available in the Layer 3 software images only.

DHCP snooping is supported together with multi-device port authentication as long as ACL-per-port-per-VLAN is enabled. Beyond that, no extra configuration steps are needed to enable support with dynamic ACLs: when these features are enabled on the same port/VLAN, support is enabled automatically.

Support for source guard protection

The Brocade proprietary Source Guard Protection feature, a form of IP Source Guard, can be used in conjunction with multi-device port authentication. For details, refer to Enabling source guard protection on page 268.

Multi-device port authentication and 802.1X security on the same port

On some Brocade devices, multi-device port authentication and 802.1X security can be configured on
the same port, as long as the port is not a trunk port or an LACP port. When both of these features are
enabled on the same port, multi-device port authentication is performed prior to 802.1X authentication.
If multi-device port authentication is successful, 802.1X authentication may be performed, based on the
configuration of a vendor-specific attribute (VSA) in the profile for the MAC address on the RADIUS
server.

NOTE
When multi-device port authentication and 802.1X security are configured together on the same port, Brocade recommends that dynamic VLANs and dynamic ACLs be applied at the multi-device port authentication level, not at the 802.1X level.

When both features are configured on a port, a device connected to the port is authenticated as follows.

1. Multi-device port authentication is performed on the connected device to authenticate its MAC address.
2. If multi-device port authentication is successful for the device, the Brocade device (the switch) checks whether the RADIUS server included the Foundry-802_1x-enable VSA (described in the Brocade vendor-specific attributes for RADIUS table) in the Access-Accept message that authenticated the device.
3. If the Foundry-802_1x-enable VSA is not present in the Access-Accept message, or is present and set to 1, then 802.1X authentication is performed for the device.
4. If the Foundry-802_1x-enable VSA is present in the Access-Accept message and is set to 0, then 802.1X authentication is skipped. The device is authenticated, and any dynamic VLANs specified in the Access-Accept message returned during multi-device port authentication are applied to the port.
5. If 802.1X authentication is performed on the device and is successful, then dynamic VLANs or ACLs specified in the Access-Accept message returned during 802.1X authentication are applied to the port.
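The five-step decision above, as an added worked example (not code from the Brocade guide): a Python model of the switch-side logic that parses the attribute section of a RADIUS Access-Accept, looks for the Foundry-802_1x-enable VSA and decides whether 802.1X runs and whose dynamic VLAN is applied. The Vendor-Id 1991 and vendor-type 6 are assumptions taken from the public FreeRADIUS Foundry dictionary (this page only names the attribute), and every packet byte string is constructed for the demo.

```python
"""MAC-auth then optional 802.1X, driven by the Foundry-802_1x-enable VSA in the
RADIUS Access-Accept (steps 1-5 above). Added example, not Brocade code. Vendor-Id
1991 / vendor-type 6 are assumptions from the FreeRADIUS Foundry dictionary, and
all packet bytes below are constructed, not captured."""
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

VENDOR_SPECIFIC = 26            # RFC 2865 attribute type
TUNNEL_TYPE = 64                # RFC 2868 (13 = VLAN)
TUNNEL_MEDIUM_TYPE = 65         # RFC 2868 (6 = IEEE 802)
TUNNEL_PRIVATE_GROUP_ID = 81    # RFC 2868, carries the VLAN ID/name
FOUNDRY_VENDOR_ID = 1991        # assumption: Foundry/Brocade enterprise number
FOUNDRY_8021X_ENABLE = 6        # assumption: vendor-type of Foundry-802_1x-enable


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """RADIUS attribute section -> [(type, value)]; rejects lengths that overrun."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_attributes(blob)
    except ValueError:
        return False
    return True


def foundry_8021x_enable(attrs) -> Optional[int]:
    """Integer value of Foundry-802_1x-enable, or None if the VSA is absent.
    VSA value layout (RFC 2865): Vendor-Id(4) vendor-type(1) vendor-len(1) data."""
    for atype, val in attrs:
        if atype != VENDOR_SPECIFIC or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != FOUNDRY_VENDOR_ID:
            continue
        vtype, vlen = val[4], val[5]
        if vlen != len(val) - 4:
            raise ValueError("vendor-length does not match VSA size")
        if vtype == FOUNDRY_8021X_ENABLE and vlen == 6:   # 4-byte integer
            return struct.unpack("!I", val[6:10])[0]
    return None


def dynamic_vlan(attrs) -> Optional[str]:
    """Tunnel-Private-Group-Id with its optional RFC 2868 tag octet removed."""
    for atype, val in attrs:
        if atype == TUNNEL_PRIVATE_GROUP_ID and val:
            if val[0] <= 0x1F:          # a first octet <= 0x1F is a tag
                val = val[1:]
            return val.decode("ascii", errors="replace")
    return None


@dataclass
class Outcome:
    authenticated: bool
    dot1x_performed: bool
    vlan: Optional[str]
    vlan_source: str            # "mac-auth", "802.1x" or "none"


def authenticate(mac_accept: Optional[bytes],
                 run_dot1x: Callable[[], Tuple[bool, Optional[bytes]]]) -> Outcome:
    """mac_accept: attributes of the Access-Accept for the MAC address (None =
    MAC auth failed). run_dot1x stands in for the 802.1X exchange and returns
    (success, Access-Accept attributes)."""
    if mac_accept is None:                              # step 1 failed
        return Outcome(False, False, None, "none")
    mac_attrs = parse_attributes(mac_accept)
    flag = foundry_8021x_enable(mac_attrs)              # step 2
    if flag == 0:                                       # step 4: skip 802.1X
        return Outcome(True, False, dynamic_vlan(mac_attrs), "mac-auth")
    ok, dot1x_accept = run_dot1x()                      # step 3: absent or 1
    if not ok:
        return Outcome(False, True, None, "none")
    dot1x_attrs = parse_attributes(dot1x_accept or b"")  # step 5
    return Outcome(True, True, dynamic_vlan(dot1x_attrs), "802.1x")


# Constructed Access-Accept payloads for the demo (not captured traffic).
def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def foundry_vsa(vtype: int, value: int) -> bytes:
    data = struct.pack("!I", value)
    return attr(VENDOR_SPECIFIC, struct.pack("!I", FOUNDRY_VENDOR_ID)
                + bytes([vtype, len(data) + 2]) + data)


def vlan_attrs(vlan_id: str, tag: bytes = b"\x01") -> bytes:
    return (attr(TUNNEL_TYPE, tag + b"\x00\x00\x0d")
            + attr(TUNNEL_MEDIUM_TYPE, tag + b"\x00\x00\x06")
            + attr(TUNNEL_PRIVATE_GROUP_ID, tag + vlan_id.encode()))


MAC_ACCEPT_SKIP_DOT1X = foundry_vsa(FOUNDRY_8021X_ENABLE, 0) + vlan_attrs("20")
MAC_ACCEPT_NEED_DOT1X = foundry_vsa(FOUNDRY_8021X_ENABLE, 1) + vlan_attrs("20")
MAC_ACCEPT_NO_VSA = vlan_attrs("20")

if __name__ == "__main__":
    print(authenticate(MAC_ACCEPT_SKIP_DOT1X, lambda: (True, b"")))
    print(authenticate(MAC_ACCEPT_NEED_DOT1X, lambda: (True, vlan_attrs("30"))))
```

Only a VSA value of exactly 0 skips 802.1X, matching steps 3 and 4; an absent VSA or any other value falls through to the 802.1X exchange. The parser rejects attribute and vendor lengths that do not fit the buffer, so a malformed Access-Accept is an error rather than an out-of-range read. In line with the NOTE above, the MAC-auth Access-Accept is where the dynamic VLAN would normally be returned.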


53-1003088-03