Defining mac address filters – Brocade TurboIron 24X Series Configuration Guide User Manual

Page 1039

Advertising
background image

Brocade TurboIron 24X Series Configuration Guide

1005

53-1003053-01

Configuring multi-device port authentication

Note that the restricted VLAN must already exist on the device. You cannot configure the restricted
VLAN to be a non-existent VLAN. If the port is a tagged or dual-mode port, you cannot use a
restricted VLAN as the authentication-failure action.

To configure the device to drop traffic from non-authenticated MAC addresses in hardware, enter
commands such as the following.

TurboIron(config)#interface e 1

TurboIron(config-if-e10000-1)#mac-authentication auth-fail-action block-traffic

Syntax: [no] mac-authentication auth-fail-action block-traffic

Dropping traffic from non-authenticated MAC addresses is the default behavior when multi-device
port authentication is enabled.

Generating traps for multi-device port authentication

You can enable and disable SNMP traps for multi-device port authentication. SNMP traps are
enabled by default.

To enable SNMP traps for multi-device port authentication after they have been disabled, enter the
following command.

TurboIron(config)#snmp-server enable traps mac-authentication

Syntax: [no] snmp-server enable traps mac-authentication

Use the no form of the command to disable SNMP traps for multi-device port authentication.

Defining MAC address filters

You can specify MAC addresses that do not have to go through multi-device port authentication.
These MAC addresses are considered pre-authenticated, and are not subject to RADIUS
authentication. To do this, you can define MAC address filters that specify the MAC addresses to
exclude from multi-device port authentication.

You should use a MAC address filter when the RADIUS server itself is connected to an interface
where multi-device port authentication is enabled. If a MAC address filter is not defined for the
MAC address of the RADIUS server and applied on the interface, the RADIUS authentication
process would fail since the device would drop all packets from the RADIUS server itself.

For example, the following command defines a MAC address filter for address 0000.0058.aca4.

TurboIron(config)#mac-authentication mac-filter 1 0000.0058.aca4

Syntax: [no] mac-authentication mac-filter <filter>

The following commands apply the MAC address filter on an interface so that address
0000.0058.aca4 is excluded from multi-device port authentication.

TurboIron(config)#interface e 1

TurboIron(config-if-e10000-1)#mac-authentication apply-mac-auth-filter 1

Syntax: [no] mac-authentication apply-mac-auth-filter <filter-id>

Advertising
Popular Brands
Popular manuals