Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

Multi-Service IronWare Security Configuration Guide, 53-1003035-02, page 309

Configuring 802.1x port security (chapter 8)

Multiple IP ACLs and MAC address filters can be specified in the Filter ID attribute,
allowing multiple address filters to be simultaneously applied to an 802.1x
authenticated port. Use commas, semicolons, or carriage returns to separate the
address filters (for example: ip.3.in,mac.402.in).

If 802.1x is enabled on a VE port, no ACLs, whether dynamic (802.1x-assigned) or static
(user-configured), can be applied to the port.

Configuring per-user IP ACLs or MAC address filters

Per-user IP ACLs and MAC address filters make use of the Vendor-Specific (type 26) attribute to
dynamically apply filters to ports. Defined in the Vendor-Specific attribute are Brocade ACL or MAC
address filter statements. When the RADIUS server returns the Access-Accept message granting a
client access to the network, the device reads the statements in the Vendor-Specific attribute and
applies these IP ACLs or MAC address filters to the client’s port. When the client disconnects from
the network, the dynamically applied filters are no longer applied to the port. If any filters had been
applied to the port previous to the client connecting, then those filters are reapplied to the port.

The following is the syntax for configuring the Brocade Vendor-Specific attribute with ACL or MAC
address filter statements.

Value                                  Description
ipacl.e.in=extended-acl-entries        Applies the specified extended ACL entries to the 802.1x
                                       authenticated port in the inbound direction.
ipacl.e.out=extended-acl-entries       Applies the specified extended ACL entries to the 802.1x
                                       authenticated port in the outbound direction.
macfilter.in=mac-access-list-entries   Applies the specified MAC address filter entries to the 802.1x
                                       authenticated port in the inbound direction.

The following table shows examples of IP ACLs and MAC address filters configured in the Brocade
Vendor-Specific attribute on a RADIUS server. These IP ACLs and MAC address filters follow the
same syntax as other Brocade ACLs and MAC address filters. Refer to the Multi-Service IronWare
Administration Guide or the Multi-Service IronWare Switching Configuration Guide for information
on syntax.

The RADIUS server allows one instance of the Vendor-Specific attribute to be sent in an
Access-Accept message. However, the Vendor-Specific attribute can specify multiple IP ACLs or
MAC address filters. You can use commas, semicolons, or carriage returns to separate the filters
(for example: ipacl.e.in= permit ip any any,ipacl.e.in = deny ip any any).

IP ACL or MAC address filter                 Vendor-specific attribute on RADIUS server
Extended ACL with one entry (outbound        ipacl.e.out=permit ip 10.0.0.0 10.255.255.255 any
direction)
MAC address filter with one entry            macfilter.in= deny any any
MAC address filter with two entries          macfilter.in= permit 0000.0000.3333 ffff.ffff.0000 any,
                                             macfilter.in= permit 0000.0000.4444 ffff.ffff.0000 any
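As an added example (not code from the Brocade guide), the following Python splits a Vendor-Specific attribute value into its individual filter statements using the three keys and the comma, semicolon and carriage-return separators documented above, and rejects an Access-Accept that carries an unknown key rather than applying it partially; the names DynamicFilter, parse_vsa and group_by_target are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The three filter keys this page documents for the Brocade Vendor-Specific
# (type 26) attribute, mapped to (filter kind, port direction).
VSA_KEYS = {
    "ipacl.e.in": ("ip-acl", "in"),
    "ipacl.e.out": ("ip-acl", "out"),
    "macfilter.in": ("mac-filter", "in"),
}

# Filters are separated by commas, semicolons, or carriage returns.
SEPARATORS = re.compile(r"[,;\r\n]+")


@dataclass(frozen=True)
class DynamicFilter:
    kind: str       # "ip-acl" or "mac-filter"
    direction: str  # "in" or "out"
    entry: str      # one ACL / MAC filter statement, e.g. "permit ip any any"


def parse_vsa(value: str) -> List[DynamicFilter]:
    """Split a Vendor-Specific attribute value into individual filter statements.

    Raises ValueError on an unknown key or an empty statement so that a
    malformed Access-Accept is rejected as a whole, not partially applied.
    """
    filters = []
    for fragment in SEPARATORS.split(value):
        fragment = fragment.strip()
        if not fragment:
            continue  # e.g. a comma followed by a carriage return
        key, sep, entry = fragment.partition("=")
        key, entry = key.strip(), " ".join(entry.split())  # tolerate "key = entry"
        if not sep or key not in VSA_KEYS:
            raise ValueError(f"unknown or malformed filter key in {fragment!r}")
        if not entry:
            raise ValueError(f"empty filter statement for {key}")
        kind, direction = VSA_KEYS[key]
        filters.append(DynamicFilter(kind, direction, entry))
    return filters


def group_by_target(filters: List[DynamicFilter]) -> Dict[Tuple[str, str], List[str]]:
    """Group statements by (kind, direction), i.e. per filter applied to the port."""
    grouped: Dict[Tuple[str, str], List[str]] = {}
    for f in filters:
        grouped.setdefault((f.kind, f.direction), []).append(f.entry)
    return grouped
```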