Brocade Mobility RFS Controller System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual

Brocade Mobility RFS Controller System Reference Guide

53-1003099-01

6

10. If creating a new Association ACL, provide a name specific to its function. Avoid naming it after a WLAN it may support. The name cannot exceed 32 characters.

11. Save the changes to the new MAC rule or reset to the last saved configuration as needed.

12. Set the following Trust Parameters:

13. Set the following Wireless Client Deny configuration:

14. Set a Firewall Session Hold Time in either Seconds (1 - 300) or Minutes (1 - 5). This is the hold time for caching user credentials and firewall state information when a client roams. The default setting is 30 seconds.

VLAN ID
Enter a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server). The VLAN ID can be between 1 - 4094.

Match 802.1P
Configures IP DSCP to 802.1p priority mapping for untagged frames. Use the spinner control to define a setting between 0-7.

Source and Destination MAC
Enter both Source and Destination MAC addresses. The wireless controller uses the source IP address and destination MAC address as basic matching criteria. Provide a subnet mask if using a mask.

Action
The following actions are supported:
Log - Creates a log entry recording that a Firewall rule has either denied or permitted a packet.
Mark - Modifies certain fields inside the packet and then permits it. Therefore, mark is an action with an implicit permit.
Mark, Log - Conducts both mark and log functions.

Ethertype
Use the drop-down menu to specify an Ethertype of either ipv6, arp, wisp or monitor 8021q. An EtherType is a two-octet field within an Ethernet frame. It is used to indicate which protocol is encapsulated in the payload of an Ethernet frame.

Precedence
Use the spinner control to specify a precedence for this MAC Firewall rule between 1-1500. Access policies with lower precedence are always applied first to packets.

Description
Provide a description (up to 64 characters) for the rule to help differentiate it from others with similar configurations.

ARP Trust
Select the check box to enable ARP Trust on this WLAN. ARP packets received on this WLAN are considered trusted, and information from these packets is used to identify rogue devices within the network. This setting is disabled by default.

Validate ARP Header Mismatch
Select this option to check for a mismatch between the source MAC in the ARP header and the source MAC in the Ethernet header. By default, mismatch verification is enabled.

DHCP Trust
Select the check box to enable DHCP trust on this WLAN. This setting is disabled by default.
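As an added illustration that is not from the Brocade guide or the product's own code, the following Python parses an Ethernet II frame's two-octet EtherType and, for ARP frames, compares the ARP sender hardware address against the Ethernet source MAC, which is the inconsistency the Validate ARP Header Mismatch option checks for. The sample frames are constructed inline, not captured traffic.

```python
import struct

# EtherType is the two-octet field at offset 12 of an Ethernet II frame.
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to its 6-byte form."""
    return bytes.fromhex(text.replace(":", ""))

def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype, payload) from an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]

def parse_arp(payload: bytes) -> dict:
    """Parse an Ethernet/IPv4 ARP packet (RFC 826 layout)."""
    if len(payload) < 28:
        raise ValueError("payload too short for an Ethernet/IPv4 ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": payload[8:14], "spa": payload[14:18],
            "tha": payload[18:24], "tpa": payload[24:28]}

def arp_header_mismatch(frame: bytes) -> bool:
    """True when an ARP frame's sender hardware address differs from the Ethernet
    source MAC; False for consistent ARP frames and for non-ARP frames."""
    _dst, eth_src, ethertype, payload = parse_ethernet(frame)
    if ethertype != ETHERTYPE_ARP:
        return False
    return parse_arp(payload)["sha"] != eth_src

def build_arp_request(eth_src: bytes, sha: bytes, spa: bytes, tpa: bytes) -> bytes:
    """Construct a broadcast ARP request for testing (constructed, not captured)."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + sha + spa + b"\x00" * 6 + tpa
    return eth + arp

# Constructed samples: a consistent request, and one whose ARP sender hardware
# address was rewritten while the Ethernet source MAC stayed the same.
CLIENT = mac("02:00:00:00:00:01")
FORGED = mac("02:00:00:00:00:99")
GOOD_FRAME = build_arp_request(CLIENT, CLIENT, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
BAD_FRAME = build_arp_request(CLIENT, FORGED, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
```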

Wireless Client Denied Traffic Threshold
If enabled, any associated client which exceeds the thresholds configured for storm traffic is either deauthenticated or blacklisted, depending on the selected action. The threshold range is 1-1000000 packets per second. This feature is disabled by default.

Action
If enabling a wireless client threshold, use the drop-down menu to determine whether clients are deauthenticated when the threshold is exceeded or blacklisted from connectivity for a user-defined interval. Selecting None applies no consequence to an exceeded threshold.

Blacklist Duration
Select the check box and define a setting between 0 - 86,400 seconds. Once the blacklist duration has been exceeded, offending clients can reauthenticate once again.
