Enabling denial of service attack protection – Brocade TurboIron 24X Series Configuration Guide User Manual


1010

Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

Configuring multi-device port authentication

Configuring the RADIUS server to support dynamic IP ACLs

When a port is authenticated using multi-device port authentication, an IP ACL filter that exists in
the running-config file on the device can be dynamically applied to the port. To do this, you
configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the
name or number of the IP ACL.

The following is the syntax for configuring the Filter-ID attribute on the RADIUS server to refer to an IP
ACL.

The following table lists examples of values you can assign to the Filter-ID attribute on the RADIUS
server to refer to IP ACLs configured on a device.

Enabling denial of service attack protection

The device does not start forwarding traffic from an authenticated MAC address in hardware until
the RADIUS server authenticates the MAC address; traffic from the non-authenticated MAC
addresses is sent to the CPU. A denial of service (DoS) attack could be launched against the
device where a high volume of new source MAC addresses is sent to the device, causing the CPU to
be overwhelmed with performing RADIUS authentication for these MAC addresses. In addition, the
high CPU usage in such an attack could prevent the RADIUS response from reaching the CPU in
time, causing the device to make additional authentication attempts.

To limit the susceptibility of the device to such attacks, you can configure the device to use multiple
RADIUS servers, which can share the load when there are a large number of MAC addresses that
need to be authenticated. The device can run a maximum of 10 RADIUS clients per server and will
attempt to authenticate with a new RADIUS server if the current one times out.

In addition, you can configure the device to limit the rate of authentication attempts sent to the
RADIUS server. When the multi-device port authentication feature is enabled, it keeps track of the
number of RADIUS authentication attempts made per second. When you also enable the DoS
protection feature, if the number of RADIUS authentication attempts for MAC addresses learned on
an interface per second exceeds a configurable rate (by default 512 authentication attempts per
second), the device considers this a possible DoS attack and disables the port. You must then
manually re-enable the port.
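The rate check described above, as an added illustration that is not code from the Brocade guide: a small model of a device that counts RADIUS authentication attempts per interface per second, disables the port when the count exceeds the configured limit (512 per second by default), and only accepts traffic again after a manual re-enable. The class, function and MAC addresses are constructed for the example; it does not reflect the device's internal implementation, only the behaviour the text specifies.

```python
from collections import Counter, defaultdict

DEFAULT_MAX_AUTH_PER_SEC = 512  # default rate stated in the guide


class MacAuthDosGuard:
    """Model of the per-interface RADIUS-attempt rate check (constructed example).

    Every new source MAC learned on a port costs one RADIUS authentication
    attempt handled by the CPU. Attempts are counted per interface per
    one-second bucket; with protection enabled, exceeding the limit disables
    the port, and it stays disabled until an administrator re-enables it.
    """

    def __init__(self, max_attempts_per_sec=DEFAULT_MAX_AUTH_PER_SEC,
                 protection_enabled=True):
        self.limit = max_attempts_per_sec
        self.protection_enabled = protection_enabled
        self.attempts = defaultdict(int)   # (interface, second) -> attempts seen
        self.disabled_ports = set()
        self.log = []                      # human-readable record of disable events

    def on_new_mac(self, ts, iface, mac):
        """Handle a MAC learned on iface at time ts (seconds); return the outcome."""
        if iface in self.disabled_ports:
            return "dropped"               # port is down, nothing reaches the CPU
        bucket = (iface, int(ts))
        self.attempts[bucket] += 1
        if self.protection_enabled and self.attempts[bucket] > self.limit:
            self.disabled_ports.add(iface)
            self.log.append(f"{ts:.3f} {iface}: {self.attempts[bucket]} auth attempts "
                            f"within one second exceeds {self.limit}; port disabled")
            return "port-disabled"
        return "auth-sent"                 # the RADIUS Access-Request would go out here

    def re_enable(self, iface):
        """Manual re-enable; the device does not do this on its own."""
        self.disabled_ports.discard(iface)


def simulate_burst(guard, iface, n_macs, start_ts=0.0):
    """Feed n_macs distinct constructed MACs to iface inside one second; return outcome counts."""
    outcomes = Counter()
    for i in range(n_macs):
        # constructed locally-administered MAC addresses
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        ts = start_ts + i / max(n_macs, 1)   # all timestamps fall in the same one-second bucket
        outcomes[guard.on_new_mac(ts, iface, mac)] += 1
    return dict(outcomes)


if __name__ == "__main__":
    guard = MacAuthDosGuard()
    print(simulate_burst(guard, "ethernet 1", 600))
    print(guard.log)
```

With protection enabled, a burst of 600 new MACs in one second yields 512 attempts forwarded to RADIUS, one event that disables the port, and the remaining 87 dropped; with protection disabled every one of the 600 reaches the CPU, which is the load the feature exists to bound.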

The DoS protection feature is disabled by default. To enable it on an interface, enter commands
such as the following.

Table 11:

Value             Description
ip.<number>.in    Applies the specified numbered ACL to the authenticated port in the inbound direction. (1)
ip.<name>.in      Applies the specified named ACL to the authenticated port in the inbound direction. (1, 2)

1. The ACL must be an extended ACL. Standard ACLs are not supported.
2. The <name> in the Filter ID attribute is case-sensitive.

Table 12:

Possible values for the filter ID attribute on the RADIUS server    ACLs configured on the device
ip.102.in                                                            access-list 102 permit ip 10.0.0.0 0.255.255.255 any
ip.fdry_filter.in                                                    ip access-list standard fdry_filter permit host 10.48.0.3
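The Filter-ID format from Table 11, as an added example that is not code from the Brocade guide: a validator that checks a Filter-ID value against the ip.<number>.in / ip.<name>.in pattern and against a constructed model of the running-config, applying both footnotes (the ACL must be extended; the name is matched case-sensitively). The ACL table, the "type" classification of numbered ACLs (1-99 standard, 100-199 extended, as on Brocade/Cisco-style CLIs) and the function names are assumptions for the example; fdry_filter is deliberately modelled as an extended ACL here so that it passes footnote 1.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed model of the ACLs present in a device's running-config.
# The "type" field is an assumption for the example: numbered ACLs 1-99 are
# standard and 100-199 are extended; named ACLs declare their type explicitly.
RUNNING_CONFIG_ACLS = {
    "102": {"type": "extended", "entries": ["permit ip 10.0.0.0 0.255.255.255 any"]},
    "10": {"type": "standard", "entries": ["permit host 10.48.0.3"]},
    "fdry_filter": {"type": "extended", "entries": ["permit ip host 10.48.0.3 any"]},
}

# ip.<number>.in or ip.<name>.in; ".in" means inbound on the authenticated port
FILTER_ID_RE = re.compile(r"^ip\.(?P<acl>[^.]+)\.in$")


@dataclass
class FilterIdDecision:
    applied: bool
    acl: Optional[str]
    reason: str


def resolve_filter_id(value, acls=RUNNING_CONFIG_ACLS):
    """Validate a RADIUS Filter-ID (attribute 11) value and decide whether it would be applied."""
    m = FILTER_ID_RE.match(value)
    if not m:
        return FilterIdDecision(False, None, "malformed: expected ip.<number|name>.in")
    acl_ref = m.group("acl")
    # Footnote 2: <name> is case-sensitive, so the lookup is exact with no normalisation.
    acl = acls.get(acl_ref)
    if acl is None:
        return FilterIdDecision(False, acl_ref, "no such ACL in running-config; nothing applied")
    # Footnote 1: the ACL must be extended; standard ACLs are not supported.
    if acl["type"] != "extended":
        return FilterIdDecision(False, acl_ref, "standard ACL not supported for dynamic apply")
    return FilterIdDecision(True, acl_ref, "extended ACL applied inbound on the authenticated port")


if __name__ == "__main__":
    for v in ("ip.102.in", "ip.fdry_filter.in", "ip.FDRY_FILTER.in", "ip.10.in", "ip.102.out"):
        print(v, "->", resolve_filter_id(v))
```

A practical point the check makes visible: a Filter-ID that refers to a misspelled, wrongly cased or standard ACL results in no filter being applied, so the port is authenticated without the intended restriction. Validating RADIUS attribute values against the device's actual ACL names before deployment avoids that silent gap.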
