
Brocade Mobility Access Point System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


53-1003100-01


13. Save the changes to the new MAC rule, or reset to the last saved configuration as needed.

14. Define the following parameters for Association ACL. An Association ACL defines the rules used
to allow/deny association to devices for this wireless LAN. If no Association ACL exists, select
the Create button to display a new window where a new ACL can be created.

15. Select the + Add Row button.

16. Define the following parameters for Association ACL:

17. Set the following Trust Parameters:

18. Set the following Wireless Client Deny configuration:

VLAN ID

Enter a VLAN ID representative of the shared SSID each user employs to interoperate within the
network (once authenticated by the access point’s local RADIUS server). Set the VLAN from 1 - 4094.

Match 802.1P

Configures IP DSCP to 802.1p priority mapping for untagged frames. Use the spinner control to
define a setting from 0 - 7.

Ethertype

Use the drop-down menu to specify an Ethertype of either ipv6, arp, wisp or monitor 8021q. An
Ethertype is a two-octet field within an Ethernet frame. It is used to indicate which protocol is
encapsulated in the payload of an Ethernet frame.

Description

Provide a description (up to 64 characters) for this rule to help differentiate it from others with
similar configurations.

Precedence

Enter a numerical value indicating the precedence of rule execution.

Starting MAC Address

Enter a MAC address to define the start of range. This field is mandatory.

Ending MAC Address

Enter a MAC address to define the end of range.

Allow/Deny

Every Association ACL rule consists of matching criteria rules. The action defines what to do with the
device if it matches the specified criteria. The following actions are supported:

Deny - Instructs the Firewall not to allow the device to associate with this WLAN.

Permit - Instructs the Firewall to allow the device to associate with this WLAN.

ARP Trust

Select this radio button to enable ARP trust on this WLAN. ARP packets received on this WLAN are
considered trusted and information from these packets is used to identify rogue devices within the
network. This setting is disabled by default.

Validate ARP Header Mismatch

Select this radio button to check for a source MAC mismatch in the ARP header and Ethernet
header. This setting is enabled by default.

DHCP Trust

Select this radio button to enable DHCP trust on this WLAN. This setting is disabled by default.

Wireless Client Denied Traffic Threshold

If enabled, any associated client, exceeding the thresholds configured for storm traffic, is either
deauthenticated or blacklisted depending on the selected action. The threshold range is from
1 - 1000000 packets per second. This feature is disabled by default.

Action

If enabling a wireless client threshold, use the drop-down menu to determine whether clients are
deauthenticated when the threshold is exceeded, or blacklisted from connectivity for a user-defined
interval. Selecting None applies no consequence to an exceeded threshold.

Blacklist Duration

Select this option and define a setting from 0 - 86,400 seconds. Offending clients can
reauthenticate once this blacklist duration has elapsed.
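
The Association ACL fields described above (Precedence, Starting MAC Address, Ending MAC Address, Allow/Deny) can be reviewed offline before they are entered. The following is an added example, not code from the guide or the product: it assumes the lowest precedence value is evaluated first, the first matching rule decides, and an omitted Ending MAC Address means a single address. The names Rule, decide and shadowed, and the default action for unmatched clients, are hypothetical.

```python
# Added example. Assumptions (not stated in the guide): lowest precedence is
# evaluated first, first match decides, no Ending MAC means a single address.
from dataclasses import dataclass
from typing import Optional

def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (or - / . separated) into a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

@dataclass(frozen=True)
class Rule:
    precedence: int
    start: str            # Starting MAC Address (mandatory)
    end: Optional[str]    # Ending MAC Address (may be omitted)
    action: str           # "permit" or "deny"

    def bounds(self):
        lo = mac_to_int(self.start)
        hi = mac_to_int(self.end) if self.end else lo
        if hi < lo:
            raise ValueError(f"rule {self.precedence}: end precedes start")
        return lo, hi

def decide(rules, client_mac, default="deny"):
    """Return (action, matching precedence); default is an assumed fallback."""
    mac = mac_to_int(client_mac)
    for rule in sorted(rules, key=lambda r: r.precedence):
        lo, hi = rule.bounds()
        if lo <= mac <= hi:
            return rule.action, rule.precedence
    return default, None

def shadowed(rules):
    """Precedences of rules fully covered by one earlier rule (never reached)."""
    ordered = sorted(rules, key=lambda r: r.precedence)
    dead = []
    for i, rule in enumerate(ordered):
        lo, hi = rule.bounds()
        if any(e.bounds()[0] <= lo and hi <= e.bounds()[1] for e in ordered[:i]):
            dead.append(rule.precedence)
    return dead

RULES = [  # constructed sample rule set
    Rule(10, "00:11:22:00:00:00", "00:11:22:ff:ff:ff", "permit"),
    Rule(20, "00:11:22:33:44:55", None, "deny"),  # intended block, never reached
    Rule(30, "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff", "deny"),
]
```

Under these assumptions the single-device Deny at precedence 20 never takes effect because the broader Permit at precedence 10 matches first; giving the specific rule the earlier precedence restores the intended block.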