Table 167 – Brocade 6910 Ethernet Access Switch Configuration Guide (Supporting R2.2.0.0) User Manual


Brocade 6910 Ethernet Access Switch Configuration Guide (53-1002651-02), page 865

42 Network Access (MAC Address Authentication)

When enabled on a port, the authentication process sends a Password Authentication Protocol
(PAP) request to a configured RADIUS server. The user name and password are both equal to
the MAC address being authenticated. On the RADIUS server, PAP user name and passwords
must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).

Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address
table and are removed when the aging time expires. The maximum number of secure MAC
addresses supported for the switch system is 1024.

Configured static MAC addresses are added to the secure address table when seen on a
switch port. Static addresses are treated as authenticated without sending a request to a
RADIUS server.

When port status changes to down, all MAC addresses mapped to that port are cleared from
the secure MAC address table. Static VLAN assignments are not restored.

The RADIUS server may optionally return a VLAN identifier list to be applied to the switch port.
The following attributes need to be configured on the RADIUS server.

Tunnel-Type = VLAN
Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID = 1u,2t [VLAN ID list]

The VLAN identifier list is carried in the RADIUS “Tunnel-Private-Group-ID” attribute. The VLAN
list can contain multiple VLAN identifiers in the format “1u,2t,3u” where “u” indicates an
untagged VLAN and “t” a tagged VLAN.

The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch
port for an authenticated user. The “Filter-ID” attribute (attribute 11) can be configured on the
RADIUS server to pass the following QoS information:

Multiple profiles can be specified in the Filter-ID attribute by using a semicolon to separate
each profile.
For example, the attribute “service-policy-in=pp1;rate-limit-input=100” specifies that the
diffserv profile name is “pp1,” and the ingress rate limit profile value is 100 kbps.

If duplicate profiles are passed in the Filter-ID attribute, then only the first profile is used.
For example, if the attribute is “service-policy-in=p1;service-policy-in=p2”, then the switch
applies only the DiffServ profile “p1.”

Any unsupported profiles in the Filter-ID attribute are ignored.
For example, if the attribute is “map-ip-dscp=2:3;service-policy-in=p1,” then the switch ignores
the “map-ip-dscp” profile.

TABLE 167  Dynamic QoS Profiles

Profile     Attribute Syntax                      Example
DiffServ    service-policy-in=policy-map-name     service-policy-in=p1
Rate Limit  rate-limit-input=rate                 rate-limit-input=100 (in units of Kbps)
802.1p      switchport-priority-default=value     switchport-priority-default=2
IP ACL      ip-access-group-in=ip-acl-name        ip-access-group-in=ipv4acl
IPv6 ACL    ipv6-access-group-in=ipv6-acl-name    ipv6-access-group-in=ipv6acl
MAC ACL     mac-access-group-in=mac-acl-name      mac-access-group-in=macAcl
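The following is an added example, not Brocade code: a small Python model of the parsing rules described above (MAC-format credentials, the "1u,2t" VLAN list, and Filter-ID profiles with first-wins duplicates and ignored unsupported keys, using the profile keys from Table 167). It is intended for checking RADIUS server entries before they are deployed; the 1..4094 VLAN range check is an assumption from 802.1Q and is not stated on this page.

```python
"""Model of how the switch interprets the RADIUS attributes described above.
Added example (not Brocade code) for validating RADIUS server entries."""
import re

# Profile keys listed in Table 167; anything else in Filter-ID is ignored.
SUPPORTED_PROFILES = {
    "service-policy-in", "rate-limit-input", "switchport-priority-default",
    "ip-access-group-in", "ipv6-access-group-in", "mac-access-group-in",
}
# PAP user name/password must be the MAC in XX-XX-XX-XX-XX-XX, upper case.
MAC_RE = re.compile(r"^([0-9A-F]{2}-){5}[0-9A-F]{2}$")


def valid_mac_credential(name):
    """True if the RADIUS user name/password matches the required MAC format."""
    return bool(MAC_RE.match(name))


def parse_filter_id(value):
    """Split 'key=val;key=val' into the profiles the switch would apply.
    Duplicate keys: the first occurrence wins. Unknown keys: ignored,
    but returned separately so a misconfiguration is visible."""
    applied, ignored = {}, []
    for item in filter(None, (p.strip() for p in value.split(";"))):
        key, sep, val = item.partition("=")
        if not sep or key not in SUPPORTED_PROFILES:
            ignored.append(item)
        elif key not in applied:
            applied[key] = val
    return applied, ignored


def parse_vlan_list(value):
    """'1u,2t,3u' -> [(1, 'untagged'), (2, 'tagged'), (3, 'untagged')]."""
    vlans = []
    for token in value.split(","):
        m = re.fullmatch(r"(\d+)([ut])", token.strip())
        if not m:
            raise ValueError(f"bad VLAN token: {token!r}")
        vid = int(m.group(1))
        if not 1 <= vid <= 4094:  # assumed 802.1Q range, not from the page
            raise ValueError(f"VLAN id out of range: {vid}")
        vlans.append((vid, "untagged" if m.group(2) == "u" else "tagged"))
    return vlans


if __name__ == "__main__":
    print(parse_filter_id("service-policy-in=pp1;rate-limit-input=100"))
    print(parse_filter_id("map-ip-dscp=2:3;service-policy-in=p1"))
    print(parse_vlan_list("1u,2t,3u"))
```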
