
212

Brocade ICX 6650 Security Configuration Guide

53-1002601-01

MAC-based VLAN overview

MAC-based VLAN feature structure

The MAC-based VLAN feature operates in two stages:

1. Source MAC Address Authentication
2. Policy-Based Classification and Forwarding

Source MAC address authentication

Source MAC address authentication is performed by a central RADIUS server when it receives a
PAP request with a username and password that match the MAC address being authenticated.
When the MAC address is successfully authenticated, the server must return the VLAN identifier,
which is carried in the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes of
the RADIUS packets. If the Tunnel-Type is tagged, the MAC address will be blocked or restricted. If
the identified VLAN does not exist, then the authentication is considered a failure, and action is
taken based on the configured failure options. (The default failure action is to drop the traffic.) The
RADIUS server may also optionally return the QoS attribute for the authenticated MAC address.
Refer to Table 47 on page 217 for more information about attributes.

Policy-based classification and forwarding

After the authentication stage is complete, incoming traffic is classified based on the response
from the RADIUS server. There are three possible actions:

- Incoming traffic from a specific source MAC is dropped because authentication failed
- Incoming traffic from a specific source MAC is classified as untagged into a specific VLAN
- Incoming traffic from a specific source MAC is classified as untagged into a restricted VLAN

Traffic classification is performed by programming incoming traffic and RADIUS-returned attributes
in the hardware. Incoming traffic attributes include the source MAC address and the port on which
the feature is enabled. The RADIUS-returned attributes are the VLAN into which the traffic is to be
classified, and the QoS priority.

NOTE

This feature drops any incoming tagged traffic on the port, and classifies and forwards untagged
traffic into the appropriate VLANs.

This feature supports up to a maximum of 32 MAC addresses per physical port, with a default of 2.

NOTE

Even though the feature supports up to a maximum of 32 MAC addresses per physical port, the
configuration of the maximum number of MAC addresses per port is limited by the available
hardware resources.

Once a client MAC address is successfully authenticated and registered, the MAC-to-VLAN
association remains until the port connection is dropped, or the MAC entry expires.

MAC-based VLAN and port up or down events

When the state of a port is changed to down, all authorized and unauthorized MAC addresses are
removed from the MAC-to-VLAN mapping table, and any pending authentication requests are cancelled.
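The two stages described above, together with the port-down behaviour, as an added Python model of the decision logic; this is not Brocade's firmware or code from the guide. The dictionary form of the RADIUS reply, the PortState representation, the "qos" placeholder key and the treatment of MACs beyond the per-port limit are assumptions.

```python
from dataclasses import dataclass, field
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6   # RFC 2868: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802

@dataclass
class PortState:             # representation is an assumption, not Brocade's data structure
    existing_vlans: set
    tagged_vlans: set                          # VLANs the port would carry tagged
    restricted_vlan: "int | None" = None       # failure action; None = drop (the default)
    max_macs: int = 2                          # default 2, hardware maximum 32
    mac_table: dict = field(default_factory=dict)   # mac -> (vlan, qos)
    pending: set = field(default_factory=set)       # MACs awaiting a RADIUS reply

# Constructed sample Access-Accept (not captured from a real server).
SAMPLE_ACCEPT = {"code": "Access-Accept", "attrs": {"Tunnel-Type": 13,
                 "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "10", "qos": 5}}

def vlan_from_reply(reply):
    """(vlan_id, qos) from an Access-Accept; (None, None) if auth failed or attrs are bad."""
    if not reply or reply.get("code") != "Access-Accept":
        return None, None
    attrs = reply.get("attrs", {})
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN or attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE802:
        return None, None
    try:
        vid = int(attrs["Tunnel-Private-Group-ID"])   # carried as a string in RADIUS
    except (KeyError, ValueError):
        return None, None
    return vid, attrs.get("qos")   # "qos" is a placeholder key for the optional QoS attribute

def classify(port, mac, reply):
    """Return ('drop', None, None), ('vlan', vid, qos) or ('restricted', vid, None)."""
    port.pending.discard(mac)
    vid, qos = vlan_from_reply(reply)
    # A VLAN that does not exist, or one the port carries tagged, counts as a failure.
    if vid is None or vid not in port.existing_vlans or vid in port.tagged_vlans:
        if port.restricted_vlan is None:
            return "drop", None, None
        action, vid, qos = "restricted", port.restricted_vlan, None
    else:
        action = "vlan"
    # Assumption: a new MAC beyond the configured per-port limit is not admitted.
    if mac not in port.mac_table and len(port.mac_table) >= port.max_macs:
        return "drop", None, None
    port.mac_table[mac] = (vid, qos)
    return action, vid, qos

def port_down(port):
    """Link-down: flush every MAC-to-VLAN mapping and cancel pending authentications."""
    port.mac_table.clear()
    port.pending.clear()
```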
