General security measures, Port security, Chapter 10 – Brocade 6910 Ethernet Access Switch Configuration Guide (Supporting R2.2.0.0) User Manual
53-1002651-02
Chapter 10: General Security Measures
In this chapter
This switch supports many methods of segregating traffic for clients attached to each of the data
ports, and for ensuring that only authorized clients gain access to the network. Port-based
authentication using IEEE 802.1X is commonly used for these purposes. In addition to this
method, several other options for providing client security are described in this chapter. These
include port-based authentication, which can be configured to allow network client access
by specifying a fixed set of MAC addresses. The addresses assigned to DHCP clients can also be
carefully controlled with IP Source Guard and DHCP Snooping commands.
Port Security
These commands can be used to enable port security on a port.
When using port security, the switch stops learning new MAC addresses on the specified port when
it has reached a configured maximum number. Only incoming traffic with source addresses already
stored in the dynamic or static address table for this port will be authorized to access the network.
The port will drop any incoming frames with a source MAC address that is unknown or has been
previously learned from another port. If a device with an unauthorized MAC address attempts to
use the switch port, the intrusion will be detected and the switch can automatically take action by
disabling the port and sending a trap message.
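The port security behavior described above, modeled as an added Python example (not code from the Brocade guide or the switch firmware). It assumes hypothetical port names p1 and p2, that an address already learned on another port is always treated as an intrusion, and that the configured action is to disable the port and send a trap.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    max_macs: int                   # configured maximum number of learned addresses
    shutdown: bool = True           # assumed setting: disable the port on intrusion
    table: set = field(default_factory=set)   # addresses authorized on this port
    enabled: bool = True

class Switch:
    def __init__(self, ports):
        self.ports = ports          # hypothetical port name -> Port
        self.traps = []             # (port, mac) intrusion notifications sent

    def _learned_on(self, mac):
        return next((n for n, p in self.ports.items() if mac in p.table), None)

    def receive(self, name, src_mac):
        port, mac = self.ports[name], src_mac.lower()
        if not port.enabled:
            return "port-disabled"
        seen_on = self._learned_on(mac)
        if seen_on == name:
            return "forward"                    # already in this port's table
        if seen_on is None and len(port.table) < port.max_macs:
            port.table.add(mac)                 # still below the limit: learn it
            return "learn"
        # Unknown address after the limit, or one learned from another port.
        self.traps.append((name, mac))
        if port.shutdown:
            port.enabled = False
        return "intrusion"

def demo():
    # Constructed frames; MACs are from the RFC 7042 documentation range.
    sw = Switch({"p1": Port(max_macs=2), "p2": Port(max_macs=1)})
    frames = [("p1", "00:00:5E:00:53:01"), ("p1", "00:00:5E:00:53:02"),
              ("p1", "00:00:5E:00:53:01"), ("p2", "00:00:5E:00:53:0A"),
              ("p1", "00:00:5E:00:53:0A"), ("p1", "00:00:5E:00:53:01")]
    return [sw.receive(p, m) for p, m in frames], sw.traps

if __name__ == "__main__":
    print(demo())
```

Once the port is disabled, even the addresses it had already learned are dropped until the port is re-enabled, which is why a trap should be followed up rather than ignored.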
TABLE 47: General Security Commands
Command Group / Function
Configures secure addresses for a port
Configures host authentication on specific ports using 802.1X
Configures MAC authentication and dynamic VLAN assignment *
Configures Web authentication
Provides filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or non-IP frames (based on MAC address or Ethernet type)
Filters untrusted DHCP messages on unsecure ports by building and maintaining a DHCP snooping binding table
Filters IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping nor static source bindings
Validates the MAC-to-IP address bindings in ARP packets
* The priority of execution for these filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, DHCP Snooping, and then IP Source Guard.