
244
Brocade ICX 6650 Security Configuration Guide
53-1002601-01
Multi-device port authentication configuration
The Brocade device uses the value of the RADIUS Filter-ID attribute to apply an IP ACL on a per-user basis. The Filter-ID attribute can specify the number of an existing IP ACL configured on the Brocade device; when the Filter-ID is an ACL number, that IP ACL is applied to the authenticated user's traffic.
Multi-device port authentication with dynamic IP ACLs and ACL-per-port-per-VLAN
Multi-device port authentication and dynamic ACLs are supported on tagged, dual-mode, and
untagged ports, with or without virtual interfaces.
Support is automatically enabled when all of the required conditions are met.
The following describes the conditions and feature limitations:
• On Layer 3 router code, dynamic IP ACLs are allowed on physical ports when ACL-per-port-per-vlan is enabled.
• On Layer 3 router code, dynamic IP ACLs are allowed on tagged and dual-mode ports when ACL-per-port-per-vlan is enabled. If ACL-per-port-per-vlan is not enabled, dynamic IP ACLs are not allowed on tagged or dual-mode ports.
• Dynamic IP ACLs can be added to tagged/untagged ports in a VLAN with or without a VE, as long as the tagged/untagged ports do not have configured ACLs assigned to them. The following are example scenarios where dynamic IP ACLs would not apply:
  - A port is a tagged/untagged member of VLAN 20, VLAN 20 includes VE 20, and an ACL is bound to VE 20.
  - A port is a tagged/untagged member of VLAN 20, VLAN 20 includes VE 20, and a per-port-per-vlan ACL is bound to VE 20 and to a subset of ports in VE 20.
  In both scenarios, dynamic IP ACL assignment would not apply, because a configured ACL is already bound to VE 20 on the port. Consequently, the MAC session would fail.
Configuration considerations and guidelines for multi-device port authentication
• Dynamic IP ACLs with multi-device port authentication are supported. Dynamic MAC address filters with multi-device port authentication are not supported.
• In the Layer 2 switch code, dynamic IP ACLs are not supported when ACL-per-port-per-vlan is enabled on a global basis.
• The RADIUS Filter-ID (type 11) attribute is supported. The Vendor-Specific (type 26) attribute is not supported.
• The dynamic ACL must be an extended ACL. Standard ACLs are not supported.
• Multi-device port authentication and 802.1X can be used together on the same port. However, Brocade does not recommend the use of multi-device port authentication and 802.1X with dynamic ACLs together on the same port. If a single supplicant requires both 802.1X and multi-device port authentication, and both 802.1X and multi-device port authentication try to install different dynamic ACLs for the same supplicant, the supplicant will fail authentication.
• Dynamically assigned IP ACLs are subject to the same configuration restrictions as non-dynamically assigned IP ACLs. One caveat is that ports with VE interfaces cannot have user-defined ACLs assigned to them; for example, a user-defined ACL bound to a VE, or to a port that belongs to a VE, is not allowed. There are no restrictions on ports that do not have VE interfaces.
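The following Python script is an added example that is not part of the Brocade guide and is not Brocade code. It ties together the two halves of this section: it decodes the attribute list of a RADIUS Access-Accept (RFC 2865 type/length/value encoding) to recover the Filter-ID (type 11) ACL number, rejects replies that carry the ACL only in a Vendor-Specific (type 26) attribute or that name a standard ACL, and then applies the port conditions listed above to predict whether the MAC session would get its dynamic IP ACL or fail. The ACL numbering ranges (1 to 99 standard, 100 to 199 extended) are an assumption from the usual FastIron numbered-ACL convention, not stated on this page; the sample packets, the vendor ID 0 in the VSA sample, and the `PortState` fields are constructed for the example.

```python
"""Added example: validate a RADIUS Access-Accept for Brocade ICX dynamic IP ACLs
and check port eligibility. Not Brocade code; see lead-in for assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple, List

RADIUS_FILTER_ID = 11         # RFC 2865 Filter-Id: the only attribute the guide honours
RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific: not supported for dynamic ACLs
EXTENDED_ACL_RANGE = range(100, 200)  # assumption: FastIron extended numbered ACLs


def build_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RFC 2865 attribute TLV; length byte covers the 2-byte header."""
    return bytes([attr_type, 2 + len(value)]) + value


# Constructed sample attribute lists (the part of an Access-Accept after the
# 20-byte RADIUS header), not captured from a real server.
SAMPLE_FILTER_ID_OK = build_attr(RADIUS_FILTER_ID, b"101")
SAMPLE_STANDARD_ACL = build_attr(RADIUS_FILTER_ID, b"10")
SAMPLE_VSA_ONLY = build_attr(RADIUS_VENDOR_SPECIFIC,
                             b"\x00\x00\x00\x00" + build_attr(1, b"101"))  # vendor ID 0 = placeholder


def parse_radius_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs; a length under 2 or past the end is malformed."""
    attrs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[i], payload[i + 1]
        if a_len < 2 or i + a_len > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((a_type, payload[i + 2:i + a_len]))
        i += a_len
    return attrs


def check_access_accept(payload: bytes) -> Tuple[Optional[int], str]:
    """Return (acl_number, reason). acl_number is None when the ICX would not
    install a dynamic IP ACL from this reply."""
    attrs = parse_radius_attributes(payload)
    filter_ids = [v for t, v in attrs if t == RADIUS_FILTER_ID]
    if not filter_ids:
        if any(t == RADIUS_VENDOR_SPECIFIC for t, _ in attrs):
            return None, "ACL carried only in Vendor-Specific (type 26): not supported"
        return None, "no Filter-Id attribute in Access-Accept"
    text = filter_ids[0].decode("ascii", errors="replace")
    if not text.isdigit():
        return None, f"Filter-Id {text!r} is not an ACL number"
    acl = int(text)
    if acl not in EXTENDED_ACL_RANGE:
        return None, f"ACL {acl} is not an extended ACL; standard ACLs are not supported"
    return acl, f"extended ACL {acl} selected by Filter-Id"


@dataclass
class PortState:
    layer3_code: bool            # router image (True) or Layer 2 switch image (False)
    acl_per_port_per_vlan: bool  # ACL-per-port-per-vlan enabled
    port_mode: str               # "untagged", "tagged" or "dual-mode"
    ve_acl_bound: bool           # a configured ACL is bound to the VE of the port's VLAN
    port_acl_bound: bool         # a user-defined ACL is bound to the port itself


def dynamic_acl_allowed(p: PortState, mac_auth_acl: int,
                        dot1x_acl: Optional[int] = None) -> Tuple[bool, str]:
    """Apply the guide's conditions to one port and one authenticated MAC."""
    if p.ve_acl_bound or p.port_acl_bound:
        return False, "configured ACL already bound on the VE or port; MAC session fails"
    if not p.layer3_code and p.acl_per_port_per_vlan:
        return False, "Layer 2 code: dynamic IP ACLs unsupported with ACL-per-port-per-vlan"
    if p.layer3_code and p.port_mode in ("tagged", "dual-mode") and not p.acl_per_port_per_vlan:
        return False, "Layer 3 code: tagged/dual-mode port requires ACL-per-port-per-vlan"
    if dot1x_acl is not None and dot1x_acl != mac_auth_acl:
        return False, "802.1X and MAC auth want different dynamic ACLs; supplicant fails"
    return True, f"dynamic IP ACL {mac_auth_acl} applied to this user"


if __name__ == "__main__":
    acl, why = check_access_accept(SAMPLE_FILTER_ID_OK)
    print(why)
    if acl is not None:
        # VLAN 20 / VE 20 scenario from the guide: ACL bound to the VE blocks assignment
        port = PortState(True, True, "tagged", ve_acl_bound=True, port_acl_bound=False)
        print(dynamic_acl_allowed(port, acl))
```

The decoder deliberately does not try to interpret the Vendor-Specific payload: the guide says the device ignores type 26 for this purpose, so a RADIUS policy that puts the ACL only there silently yields no ACL and the session outcome depends on the port defaults, which is the failure mode worth catching in a pre-deployment check of the server's reply profiles.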