MAC address filter override configuration notes, MAC address filter override configuration syntax – Brocade TurboIron 24X Series Configuration Guide User Manual


264

Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

MAC address filter override for 802.1X-enabled ports

The MAC address filtering feature on an 802.1X-enabled port allows 802.1X and non-802.1X
devices to share the same physical port. For example, this feature enables you to connect a PC and
a non-802.1X device, such as a Voice Over IP (VOIP) phone, to the same 802.1X-enabled port on
the Brocade device. The IP phone will bypass 802.1X authentication and the PC will require 802.1X
authentication.

To enable this feature, first create a MAC address filter, then bind it to an interface on which 802.1X
is enabled. The MAC address filter includes a mask that can match on any number of bytes in the
MAC address. The mask can eliminate the need to enter MAC addresses for all non-802.1X devices
connected to the Brocade device, and the ports to which these devices are connected.

MAC address filter override configuration notes

This feature is supported on untagged, tagged, and dual-mode ports.

You can configure this feature on ports that have ACLs and MAC address filters defined.

MAC address filter override configuration syntax

To configure MAC address filtering on an 802.1X-enabled port, enter commands such as the
following.

TurboIron(config)#mac filter 1 permit 0000.00ab.9429 ffff.ffff.0000 any
TurboIron(config)#int e1/2
TurboIron(config-if-e1000-1/2)#dot1x auth-filter 1 3 to 5 10

The first line defines a MAC address filter that matches on the first four bytes (ffff.ffff.0000) of the
source MAC address 0000.00ab.9429, and any destination MAC address. The permit action
creates an 802.1X session in the FORCE AUTHORIZE state, meaning that the device is placed
unconditionally in the authorized state, bypassing 802.1X authentication and allowing all traffic
from the specified MAC address. If no match is found, the implicit action is to authenticate the
client.

The last line binds MAC address filters 1, 3, 4, 5, and 10 to interface e1/2.

Syntax: mac filter filter-num permit | deny src-mac mask | any dest-mac mask | any

Syntax: dot1x auth-filter filter-list

The permit | deny argument determines the action the software takes when a match occurs. In the
previous example, the permit action creates an 802.1X session in the FORCE AUTHORIZE state,
meaning that the device is placed unconditionally in the authorized state, bypassing 802.1X
authentication and allowing all traffic from the specified MAC address. The deny action creates an
802.1X session in the FORCE UNAUTHORIZE state, meaning that the device will never be
authorized, even if it has the appropriate credentials.

The src-mac mask | any parameter specifies the source MAC address. You can enter a specific
address value and a comparison mask, or the keyword any to filter on all MAC addresses. Specify
the mask using f (ones) and zeros. For example, to match on the first two bytes of the address
aabb.ccdd.eeff, use the mask ffff.0000.0000. The filter matches on all MAC addresses that
contain aabb as the first two bytes and accepts any value for the remaining bytes of the MAC
address. If you specify any, do not specify a mask. In this case, the filter matches on all MAC
addresses. If no match is found, the implicit action is to authenticate the client.
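The following Python script is an added illustration, not Brocade code, of how the filter semantics described above play out: it parses mac filter commands, expands an auth-filter list such as "1 3 to 5 10", and reports whether a connecting MAC lands in FORCE AUTHORIZE, FORCE UNAUTHORIZE, or the implicit "authenticate" path. It assumes that bound filters are evaluated in list order with the first match winning and that a bound but undefined filter number is ignored; the second sample filter is constructed for the example.

```python
import re

def mac_to_int(mac: str) -> int:
    """Convert Brocade dotted-hex notation (aabb.ccdd.eeff) to an integer."""
    if not re.fullmatch(r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}", mac):
        raise ValueError(f"bad MAC address or mask: {mac}")
    return int(mac.replace(".", ""), 16)

def expand_filter_list(spec: str) -> list:
    """Expand an auth-filter list such as '1 3 to 5 10' into [1, 3, 4, 5, 10]."""
    tokens = spec.split()
    out, i = [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            out.extend(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            out.append(int(tokens[i]))
            i += 1
    return out

def parse_mac_filter(line: str) -> dict:
    """Parse 'mac filter <num> permit|deny <src> <mask>|any <dst> <mask>|any'."""
    t = line.split()
    if t[:2] != ["mac", "filter"] or t[3] not in ("permit", "deny"):
        raise ValueError(f"not a mac filter command: {line}")
    def take(parts):  # "any" -> value 0 with mask 0, which matches every address
        if parts[0] == "any":
            return 0, 0, parts[1:]
        return mac_to_int(parts[0]), mac_to_int(parts[1]), parts[2:]
    src, smask, rest = take(t[4:])
    dst, dmask, _ = take(rest)
    return {"num": int(t[2]), "action": t[3], "src": src, "smask": smask, "dst": dst, "dmask": dmask}

def dot1x_disposition(filters, bound: str, src_mac: str, dst_mac: str = "ffff.ffff.ffff") -> str:
    """Return the 802.1X state for a frame from src_mac on a port bound with 'bound'."""
    by_num = {f["num"]: f for f in filters}
    s, d = mac_to_int(src_mac), mac_to_int(dst_mac)
    for n in expand_filter_list(bound):  # assumed: first bound filter that matches wins
        f = by_num.get(n)
        if f is None:
            continue  # assumed: a bound but undefined filter number has no effect
        if (s & f["smask"]) == (f["src"] & f["smask"]) and (d & f["dmask"]) == (f["dst"] & f["dmask"]):
            return "FORCE_AUTHORIZE" if f["action"] == "permit" else "FORCE_UNAUTHORIZE"
    return "AUTHENTICATE"  # implicit action when no filter matches

# Constructed sample: filter 1 is the manual's own example, filter 3 is made up for this demo
FILTERS = [parse_mac_filter("mac filter 1 permit 0000.00ab.9429 ffff.ffff.0000 any"),
           parse_mac_filter("mac filter 3 deny 0011.2233.4455 ffff.ffff.ffff any")]
```

Note that a permit filter with a wide mask such as ffff.ffff.0000 authorizes every device whose first four bytes match, so the mask width is the knob that decides how much of the port bypasses 802.1X.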
