Brocade BigIron RX Series Configuration Guide User Manual

Page 1136

Advertising
background image

1058

BigIron RX Series Configuration Guide

53-1002484-04

Configuring 802.1x port security

34

Dynamic ACL filters are supported only for the inbound direction. Dynamic outbound
ACL filters are not supported.

MAC address filters are supported only for the inbound direction. Outbound MAC
address filters are not supported.

Dynamically assigned IP ACLs and MAC address filters are subject to the same
configuration restrictions as non-dynamically assigned IP ACLs and MAC address
filters.

Multiple IP ACLs and MAC address filters can be specified in the Filter ID attribute,
allowing multiple filters to be simultaneously applied to an 802.1x authenticated port.
Use commas, semicolons, or carriage returns to separate the filters (for example
ip.3.in,mac.2.in).

If 802.1x is enabled on a VE port, ACLs, dynamic (802.1x assigned) or static (user
configured), cannot be applied to the port.

Configuring per-user IP ACLs or MAC address filters

Per-user IP ACLs and MAC address filters make use of the Vendor-Specific (type 26) attribute to
dynamically apply filters to ports. Defined in the Vendor-Specific attribute are Brocade ACL or MAC
address filter statements. When the RADIUS server returns the Access-Accept message granting a
client access to the network, the BigIron RX reads the statements in the Vendor-Specific attribute
and applies these IP ACLs or MAC address filters to the client’s port. When the client disconnects
from the network, the dynamically applied filters are no longer applied to the port. If any filters had
been applied to the port previous to the client connecting, then those filters are reapplied to the
port.

The following is the syntax for configuring the BigIron RX Vendor-Specific attribute with ACL or MAC
address filter statements.

The following table shows examples of IP ACLs and MAC address filters configured in the Brocade
Vendor-Specific attribute on a RADIUS server. These IP ACLs and MAC address filters follow the
same syntax as other Brocade ACLs and MAC address filters. Refer to

Chapter 22, “Access Control

List”

for information on syntax.

The RADIUS server allows one instance of the Vendor-Specific attribute to be sent in an
Access-Accept message. However, the Vendor-Specific attribute can specify multiple IP ACLs or
MAC address filters. You can use commas, semicolons, or carriage returns to separate the filters
(for example ipacl.e.in= permit ip any any,ipacl.e.in = deny ip any any).

Value

Description

ipacl.e.in=

<

extended-acl-entries

>

Applies the specified extended ACL entries to the 802.1x
authenticated port in the inbound direction.

macfilter.in=

<

mac-filter-entries

>

Applies the specified MAC address filter entries to the 802.1x
authenticated port in the inbound direction.

Mac address filter

Vendor-specific attribute on RADIUS server

Mac address filter with one entry

macfilter.in= deny any any

Mac address filter with two entries

macfilter.in= permit 0000.0000.3333 ffff.ffff.0000 any,
macfilter.in= permit 0000.0000.4444 ffff.ffff.0000 any

Advertising
Popular Brands
Popular manuals