1x port security and sflow – Brocade Communications Systems Brocade ICX 6650 6650 User Manual

Page 182

Advertising
background image

162

Brocade ICX 6650 Security Configuration Guide

53-1002601-01

How 802.1X port security works

802.1X multiple-host authentication has the following additions:

-

Configurable hardware aging period for denied client dot1x-mac-sessions. Refer to

“Configurable hardware aging period for denied client dot1x-mac-sessions”

on page 162.

-

Dynamic ACL and MAC address filter assignment in 802.1X multiple-host configurations.
Refer to

“Dynamically applying IP ACLs and MAC address filters to 802.1X ports”

on

page 170.

-

Dynamic multiple VLAN assignment for 802.1X ports. Refer

“Dynamic multiple VLAN

assignment for 802.1X ports”

on page 168.

-

Configure a restriction to forward authenticated and unauthenticated tagged and
untagged clients to a restricted VLAN.

-

Configure an override to send failed dot1x and non-dot1x clients to a restricted VLAN.

-

Configure VLAN assignments for clients attempting to gain access through dual-mode
ports.

-

Enhancements to some show commands.

-

Differences in command syntax for saving dynamic VLAN assignments to the
startup-config file.

Configurable hardware aging period for
denied client dot1x-mac-sessions

When one of the 802.1X-enabled Clients in a multiple-host configuration attempts to log into a
network in which a Brocade device serves as an Authenticator, the device creates a
dot1x-mac-session for the Client.

When a Client has been denied access to the network, its dot1x-mac-session is aged out if no
traffic is received from the Client MAC address over a period of time. After a denied Client
dot1x-mac-session ages out, the Client can be re-authenticated. Aging of a denied Client's
dot1x-mac-session occurs in two phases, known as hardware aging and software aging.

The hardware aging period for a denied Client's dot1x-mac-session is not fixed at 70 seconds. The
hardware aging period for a denied Client's dot1x-mac-session is equal to the length of time
specified with the dot1x timeout quiet-period command. By default, the hardware aging time is 60
seconds. Once the hardware aging period ends, the software aging period begins. When the
software aging period ends, the denied Client's dot1x-mac-session ages out, and the Client can be
authenticated again.

802.1X port security and sFlow

sFlow is a standards-based protocol that allows network traffic to be sampled at a user-defined rate
for the purpose of monitoring traffic flow patterns and identifying packet transfer rates on
user-specified interfaces.

When you enable sFlow forwarding on an 802.1X-enabled interface, the samples taken from the
interface include the user name string at the inbound or outbound port, or both, if that information
is available.

For more information on sFlow, refer to the Brocade ICX 6650 Administration Guide.

Advertising
Popular Brands
Popular manuals