Support for dhcp snooping with dynamic acls, Support for source guard protection – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


Support for DHCP snooping with dynamic ACLs

NOTE
This feature is not supported on FCX devices.

Multi-device port authentication and DHCP snooping are supported in conjunction with dynamic ACLs.
Support is available in the Layer 3 software images only.

DHCP snooping is supported together with multi-device port authentication as long as ACL-per-port-per-VLAN is enabled. Beyond that, no extra configuration steps are needed to enable support with dynamic ACLs: when these features are enabled on the same port/VLAN, support is automatically enabled.

Support for source guard protection

The Brocade proprietary Source Guard Protection feature, a form of IP Source Guard, can be used in conjunction with multi-device port authentication. For details, refer to Enabling source guard protection on page 268.

Multi-device port authentication and 802.1X security on the same port

On some Brocade devices, multi-device port authentication and 802.1X security can be configured on
the same port, as long as the port is not a trunk port or an LACP port. When both of these features are
enabled on the same port, multi-device port authentication is performed prior to 802.1X authentication.
If multi-device port authentication is successful, 802.1X authentication may be performed, based on the
configuration of a vendor-specific attribute (VSA) in the profile for the MAC address on the RADIUS
server.

NOTE
When multi-device port authentication and 802.1X security are configured together on the same port,
Brocade recommends that dynamic VLANs and dynamic ACLs are done at the multi-device port
authentication level, and not at the 802.1X level.

When both features are configured on a port, a device connected to the port is authenticated as follows.

1. Multi-device port authentication is performed on the device to authenticate the device MAC address.
2. If multi-device port authentication is successful for the device, then the device checks whether the RADIUS server included the Foundry-802_1x-enable VSA (described in the Brocade vendor-specific attributes for RADIUS table) in the Access-Accept message that authenticated the device.
3. If the Foundry-802_1x-enable VSA is not present in the Access-Accept message, or is present and set to 1, then 802.1X authentication is performed for the device.
4. If the Foundry-802_1x-enable VSA is present in the Access-Accept message, and is set to 0, then 802.1X authentication is skipped. The device is authenticated, and any dynamic VLANs specified in the Access-Accept message returned during multi-device port authentication are applied to the port.
5. If 802.1X authentication is performed on the device, and is successful, then dynamic VLANs or ACLs specified in the Access-Accept message returned during 802.1X authentication are applied to the port.
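The five-step decision above, worked through in Python as an added example (it is not code from the Brocade guide and does not model the switch's implementation). It parses the attribute section of a RADIUS Access-Accept (RFC 2865 TLVs, with Vendor-Specific sub-attributes), looks for the Foundry-802_1x-enable VSA, and decides whether 802.1X runs and which Access-Accept supplies the dynamic VLANs. Assumptions: vendor ID 1991 is Foundry's IANA enterprise number; the vendor-type number used for Foundry-802_1x-enable is a placeholder to be checked against the guide's VSA table; dynamic VLANs are taken from the standard Tunnel-Private-Group-ID attribute (RFC 2868); VSA values other than 0 and 1, which the text does not define, are treated the same as "absent" (802.1X is performed); dynamic ACL attributes are not modelled. All Access-Accept byte strings are constructed samples, not captured traffic.

```python
"""Combined multi-device port authentication / 802.1X decision logic.

Added example, not the Brocade guide's own code. Parses RFC 2865 attribute
TLVs and Vendor-Specific sub-TLVs, then applies steps 2-5 from the text.
"""
from __future__ import annotations

import struct

ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81   # dynamic VLAN carrier (RFC 2868)
FOUNDRY_VENDOR_ID = 1991            # Foundry Networks IANA enterprise number
FOUNDRY_8021X_ENABLE = 6            # ASSUMPTION: placeholder; check the VSA table


def parse_attributes(data: bytes) -> list[tuple[int, bytes]]:
    """Split a RADIUS attribute section into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def parse_vsas(value: bytes) -> list[tuple[int, int, bytes]]:
    """Split a Vendor-Specific value into (vendor_id, vendor_type, data)."""
    if len(value) < 4:
        raise ValueError("VSA shorter than the vendor id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    out, i = [], 4
    while i < len(value):
        vtype, vlen = value[i], value[i + 1]
        if vlen < 2 or i + vlen > len(value):
            raise ValueError(f"bad vendor length {vlen} for vendor type {vtype}")
        out.append((vendor_id, vtype, value[i + 2:i + vlen]))
        i += vlen
    return out


def foundry_8021x_enable(attrs: list[tuple[int, bytes]]) -> int | None:
    """Return the Foundry-802_1x-enable integer value, or None if absent."""
    for atype, val in attrs:
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        for vid, vtype, data in parse_vsas(val):
            if vid == FOUNDRY_VENDOR_ID and vtype == FOUNDRY_8021X_ENABLE and len(data) == 4:
                return struct.unpack("!I", data)[0]
    return None


def dynamic_vlans(attrs: list[tuple[int, bytes]]) -> list[str]:
    """Collect VLAN names/ids from Tunnel-Private-Group-ID attributes."""
    vlans = []
    for atype, val in attrs:
        if atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet of 0x00..0x1F is a tag, not part of the string
            if val and val[0] <= 0x1F:
                val = val[1:]
            vlans.append(val.decode("ascii"))
    return vlans


def needs_8021x(mac_auth_accept: bytes) -> bool:
    """Steps 2-4: 802.1X is skipped only when the VSA is present and set to 0.

    Absent, 1, and (by assumption) any other value mean 802.1X is performed.
    """
    return foundry_8021x_enable(parse_attributes(mac_auth_accept)) != 0


def port_policy(mac_auth_accept: bytes, dot1x_accept: bytes | None = None):
    """Steps 4-5: which Access-Accept supplies the dynamic VLANs for the port.

    dot1x_accept is the Access-Accept from a successful 802.1X exchange, or
    None if 802.1X has not succeeded. Returns (source, vlans), or None when
    802.1X is required but no successful result is available.
    """
    if not needs_8021x(mac_auth_accept):
        return ("mac-auth", dynamic_vlans(parse_attributes(mac_auth_accept)))
    if dot1x_accept is None:
        return None
    return ("802.1x", dynamic_vlans(parse_attributes(dot1x_accept)))


# Builders for the constructed sample Access-Accepts below (not captured traffic).
def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def foundry_vsa(vtype: int, number: int) -> bytes:
    sub = bytes([vtype, 6]) + struct.pack("!I", number)
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", FOUNDRY_VENDOR_ID) + sub)


MAC_AUTH_SKIP_DOT1X = attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"100") + foundry_vsa(FOUNDRY_8021X_ENABLE, 0)
MAC_AUTH_DO_DOT1X = attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"200") + foundry_vsa(FOUNDRY_8021X_ENABLE, 1)
MAC_AUTH_NO_VSA = attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"300")
DOT1X_ACCEPT = attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"400")

if __name__ == "__main__":
    print(port_policy(MAC_AUTH_SKIP_DOT1X))            # ('mac-auth', ['100'])
    print(port_policy(MAC_AUTH_DO_DOT1X, DOT1X_ACCEPT))  # ('802.1x', ['400'])
    print(port_policy(MAC_AUTH_NO_VSA))                # None: 802.1X still required
```

The parser rejects malformed lengths rather than silently skipping attributes, so a truncated or oversized VSA fails closed instead of being read as "VSA absent" and quietly changing which authentication step runs.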

FastIron Ethernet Switch Security Configuration Guide, page 257, 53-1003088-03
