beautypg.com

Enabling source guard protection – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 268

background image

To specify a maximum rate for RADIUS authentication attempts, enter commands such as the
following.

device(config)#interface e 3/1

device(config-if-e1000-3/1)#mac-authentication dos-protection mac-limit 256

Syntax: [no] mac-authentication dos-protection mac-limit number

You can specify a rate from 1 - 65535 authentication attempts per second. The default is a rate of 512
authentication attempts per second.

Enabling source guard protection

Source Guard Protection is a form of IP Source Guard used in conjunction with multi-device port
authentication. When Source Guard Protection is enabled, IP traffic is blocked until the system learns
the IP address. Once the IP address is validated, traffic with that source address is permitted.

NOTE
Source Guard Protection is supported together with multi-device port authentication as long as ACL-
per-port-per-vlan is enabled.

When a new MAC session begins on a port that has Source Guard Protection enabled, the session
will either apply a dynamically created Source Guard ACL entry, or it will use the dynamic IP ACL
assigned by the RADIUS server. If a dynamic IP ACL is not assigned, the session will use the Source
Guard ACL entry. The Source Guard ACL entry is permit ip secure-ip any , where secure-ip is
obtained from the ARP Inspection table or from the DHCP Secure table. The DHCP Secure table is
comprised of DHCP Snooping and Static ARP Inspection entries.

The Source Guard ACL permit entry is added to the hardware table after all of the following events
occur:

• The MAC address is authenticated
• The IP address is learned
• The MAC-to-IP mapping is checked against the Static ARP Inspection table or the DHCP Secure

table.

The Source Guard ACL entry is not written to the running configuration file. However, you can view the
configuration using the show auth-mac-addresses authorized-mac ip-addr . Refer to

Viewing the

assigned ACL for ports on which source guard protection is enabled

on page 269 in the following

section.

NOTE
The secure MAC-to-IP mapping is assigned at the time of authentication and remains in effect as long
as the MAC session is active. If the DHCP Secure table is updated after the session is authenticated
and while the session is still active, it does not affect the existing MAC session.

The Source Guard ACL permit entry is removed when the MAC session expires or is cleared.

To enable Source Guard Protection on a port on which multi-device port authentication is enabled,
enter the following command at the Interface level of the CLI.

device(config)int e 1/4

device(config-if-e1000-1/4)mac-authentication source-guard-protection enable

Syntax: [no] mac-authentication source-guard-protection enable

Enter the no form of the command to disable SG protection.

Enabling source guard protection

268

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

See also other documents in the category Brocade Computer Accessories: