Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 266

Support is automatically enabled when all of the required conditions are met.
The following describes the conditions and feature limitations:
• On Layer 3 router code, dynamic IP ACLs are allowed on physical ports when ACL-per-port-per-vlan is enabled.
• On Layer 3 router code, dynamic IP ACLs are allowed on tagged and dual-mode ports when ACL-per-port-per-vlan is enabled. If ACL-per-port-per-vlan is not enabled, dynamic IP ACLs are not allowed on tagged or dual-mode ports.
• Dynamic IP ACLs can be added to tagged/untagged ports in a VLAN with or without a VE, as long as the tagged/untagged ports do not have configured ACLs assigned to them. The following are example scenarios in which dynamic IP ACLs would not apply:
‐ A port is a tagged/untagged member of VLAN 20, VLAN 20 includes VE 20, and an ACL is bound to VE 20.
‐ A port is a tagged/untagged member of VLAN 20, VLAN 20 includes VE 20, and a per-port-per-vlan ACL is bound to VE 20 and to a subset of ports in VE 20.
In both scenarios, dynamic IP ACL assignment does not apply because a configured ACL is already bound to VE 20 on the port. Consequently, the MAC session fails.
Configuration considerations and guidelines for multi-device port authentication
• On FastIron X Series devices, dynamic ARP inspection (DAI) and DHCP Snooping are supported
together with dynamic ACLs.
• Dynamic IP ACLs with multi-device port authentication are supported. Dynamic MAC address filters
with multi-device port authentication are not supported.
• In the Layer 2 switch code, dynamic IP ACLs are not supported when ACL-per-port-per-vlan is enabled on a global basis.
• The RADIUS Filter ID (type 11) attribute is supported. The Vendor-Specific (type 26) attribute is not
supported.
• The dynamic ACL must be an extended ACL. Standard ACLs are not supported.
• Multi-device port authentication and 802.1X can be used together on the same port. However, Brocade does not support the use of multi-device port authentication and 802.1X with dynamic ACLs together on the same port. If a single supplicant requires both 802.1X and multi-device port authentication, and if both 802.1X and multi-device port authentication try to install different dynamic ACLs for the same supplicant, the supplicant will fail authentication.
• Dynamically assigned IP ACLs are subject to the same configuration restrictions as non-dynamically assigned IP ACLs. One caveat is that ports with VE interfaces cannot have user-defined ACLs assigned to them: a user-defined ACL bound to a VE, or to a port on a VE, is not allowed. There are no restrictions on ports that do not have VE interfaces.
• Dynamic ACL filters are supported only for the inbound direction. Dynamic outbound ACL filters are not supported.
• Dynamic ACL assignment with multi-device port authentication is not supported in conjunction with any of the following features:
‐ IP source guard
‐ Rate limiting
‐ Protection against ICMP or TCP Denial-of-Service (DoS) attacks
‐ Policy-based routing
‐ 802.1X dynamic filter
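The guidelines above amount to a decision procedure: the Access-Accept must carry a Filter-Id (type 11, not a Vendor-Specific type 26) naming an extended ACL that exists in the running-config, and the authenticated port must be eligible for a dynamic inbound ACL (no configured ACL on the port, no ACL bound to the VLAN's VE, and the code-type/ACL-per-port-per-vlan combination allowed). The script below is an added example, not code from the Brocade guide or from the FastIron software: it decodes RADIUS attributes from a constructed Access-Accept payload and reports whether the ACL would be installed or the MAC session would fail. The switch-state model, port names, ACL names, attribute bytes and the vendor ID 0 in the VSA are all constructed for illustration, and the Filter-Id value is treated as the bare name of an ACL because the exact Filter-Id syntax FastIron expects is not shown on this page.

```python
"""Added example (not from the Brocade guide): decide whether a RADIUS Filter-Id
would be installed as a dynamic inbound IP ACL under the rules in this section."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

RADIUS_FILTER_ID = 11        # RFC 2865 Filter-Id: the attribute FastIron supports here
RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific: not supported for dynamic ACLs


def parse_attributes(payload: bytes) -> list[tuple[int, bytes]]:
    """Split a RADIUS attribute blob into (type, value) pairs.
    RFC 2865 TLV layout: 1-byte type, 1-byte length covering the 2-byte header, value."""
    attrs, i = [], 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError(f"truncated attribute header at offset {i}")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Inverse of parse_attributes; used only to build the constructed packets below."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


@dataclass
class Acl:
    name: str
    extended: bool              # dynamic ACLs must be extended; standard ACLs are rejected


@dataclass
class Port:
    name: str
    vlan: int
    tagged: bool                # tagged or dual-mode member of `vlan`
    static_acl: Optional[str] = None   # user-configured ACL bound directly to the port


@dataclass
class Switch:
    router_code: bool           # True: Layer 3 router image; False: Layer 2 switch image
    acl_per_port_per_vlan: bool  # global ACL-per-port-per-vlan setting
    acls: dict[str, Acl] = field(default_factory=dict)            # ACLs in the running-config
    ve_acl_by_vlan: dict[int, str] = field(default_factory=dict)  # VLAN -> ACL bound to its VE


def dynamic_acl_decision(sw: Switch, port: Port, attrs) -> tuple[Optional[str], str]:
    """Return (acl_name, 'installed') if the ACL would be applied inbound on `port`,
    otherwise (None, reason); a None result means the MAC session fails."""
    filter_ids = [v.decode("ascii", "replace") for t, v in attrs if t == RADIUS_FILTER_ID]
    if not filter_ids:
        if any(t == RADIUS_VENDOR_SPECIFIC for t, _ in attrs):
            return None, "only a Vendor-Specific (type 26) attribute was returned; not supported"
        return None, "no Filter-Id (type 11) attribute in Access-Accept"
    name = filter_ids[0]
    acl = sw.acls.get(name)
    if acl is None:
        return None, f"ACL {name!r} is not in the running-config"
    if not acl.extended:
        return None, f"ACL {name!r} is a standard ACL; only extended ACLs can be dynamic"
    if not sw.router_code and sw.acl_per_port_per_vlan:
        return None, "Layer 2 code with global ACL-per-port-per-vlan: dynamic IP ACLs unsupported"
    if sw.router_code and port.tagged and not sw.acl_per_port_per_vlan:
        return None, "tagged/dual-mode port on router code needs ACL-per-port-per-vlan enabled"
    if port.static_acl:
        return None, f"port {port.name} already has configured ACL {port.static_acl!r}"
    ve_acl = sw.ve_acl_by_vlan.get(port.vlan)
    if ve_acl:
        return None, f"VE for VLAN {port.vlan} has configured ACL {ve_acl!r}; MAC session fails"
    return name, "installed"


# Constructed switch state: two extended ACLs and one standard ACL in the running-config;
# VLAN 20 has a VE with an ACL bound to it, VLAN 30 has no VE ACL.
SWITCH = Switch(router_code=True, acl_per_port_per_vlan=True,
                acls={"guest-in": Acl("guest-in", True), "printer-in": Acl("printer-in", True),
                      "10": Acl("10", False)},
                ve_acl_by_vlan={20: "ve20-acl"})
PORT_VLAN30 = Port("1/1/5", vlan=30, tagged=False)
PORT_VLAN20 = Port("1/1/7", vlan=20, tagged=True)

# Constructed Access-Accept attribute blobs (RADIUS header and authenticator omitted).
ACCEPT_FILTER_ID = encode_attribute(RADIUS_FILTER_ID, b"guest-in")
ACCEPT_STANDARD_ACL = encode_attribute(RADIUS_FILTER_ID, b"10")
# VSA body: 4-byte vendor ID (placeholder 0), vendor-type 1, vendor-length 10, value.
ACCEPT_VSA_ONLY = encode_attribute(RADIUS_VENDOR_SPECIFIC, b"\x00\x00\x00\x00\x01\x0aguest-in")


def demo() -> dict[str, tuple[Optional[str], str]]:
    """Run the scenarios and return each decision keyed by scenario name."""
    return {
        "extended ACL, untagged port, no VE ACL": dynamic_acl_decision(SWITCH, PORT_VLAN30, parse_attributes(ACCEPT_FILTER_ID)),
        "same reply, port in VLAN with VE ACL": dynamic_acl_decision(SWITCH, PORT_VLAN20, parse_attributes(ACCEPT_FILTER_ID)),
        "standard ACL named in Filter-Id": dynamic_acl_decision(SWITCH, PORT_VLAN30, parse_attributes(ACCEPT_STANDARD_ACL)),
        "Vendor-Specific attribute only": dynamic_acl_decision(SWITCH, PORT_VLAN30, parse_attributes(ACCEPT_VSA_ONLY)),
    }


if __name__ == "__main__":
    for scenario, (acl, why) in demo().items():
        print(f"{scenario:42s} -> {acl or 'FAIL'}: {why}")
```

Running the script prints one line per scenario; only the first installs `guest-in`, the others fail for the reason the matching guideline gives. Point `parse_attributes` at the attribute section of a captured Access-Accept (after the 20-byte header) to see exactly what the server returned when a dynamic ACL unexpectedly fails to apply.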
Configuring the RADIUS server to support dynamic IP ACLs
When a port is authenticated using multi-device port authentication, an IP ACL filter that exists in the
running-config file on the Brocade device can be dynamically applied to the port. To do this, you
53-1003088-03