Brocade Communications Systems Brocade ICX 6650 6650 User Manual

Brocade ICX 6650 Security Configuration Guide

53-1002601-01

Sample MAC-based VLAN application

FIGURE 9 Sample MAC-based VLAN configuration

Host A's MAC address is statically mapped to VLAN 1 with priority 1 and is not subject to RADIUS
authentication. When Host B's MAC address is authenticated, the Access-Accept message from the
RADIUS server specifies that Host B's MAC address be placed into VLAN 2. Because Host C's MAC
address is not present in the RADIUS server, the server rejects Host C and its MAC
address is placed into a restricted VLAN.

Below is the configuration for this example.

module 1 icx6650-64-56-port-management-module
module 2 icx6650-64-4-port-160g-module
module 3 icx6650-64-8-port-80g-module
vlan 1 by port
 untagged ethe 1/1/10
 mac-vlan-permit ethe 1/1/1 to 1/1/2
 no spanning-tree
vlan 2 by port
 untagged ethe 1/1/30
 mac-vlan-permit ethe 1/1/1 to 1/1/2
 no spanning-tree
vlan 666 name mac_restricted by port
 untagged ethe 1/1/20
 mac-vlan-permit ethe 1/1/1 to 1/1/2
 no spanning-tree
vlan 4000 name DEFAULT-VLAN by port
 no spanning-tree
vlan 4004 by port
 mac-vlan-permit ethe 1/1/1
default-vlan-id 4000
ip address 10.44.3.8 255.255.255.0
ip default-gateway 10.44.3.1
radius-server host 10.44.3.111
radius-server key 1 $-ndUno
mac-authentication enable

Labels in Figure 9:
RADIUS server: User 0030.4875.3f73 (Host B), Tunnel-Private-Group-ID = VLAN2; no profile for MAC 0030.4875.3ff5 (Host C)
Brocade device: port e1/1/1, mac-vlan-permit
Hub, with three links labelled Untagged
Host station A: MAC 0030.4888.b9fe
Host station B: MAC 0030.4875.3f73
Host station C: MAC 0030.4875.3ff5
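The three outcomes described above (static mapping, RADIUS Access-Accept, RADIUS reject) can be traced with a small model. This is an added example, not code from the Brocade guide. It assumes that vlan 666 (mac_restricted) is the restricted VLAN, that VLAN2 means VLAN ID 2, and that a VLAN is usable only on ports named on its mac-vlan-permit line; all function and variable names are hypothetical.

```python
import re

# Constructed from the configuration and figure labels on this page.
CONFIG = """\
vlan 1 by port
 mac-vlan-permit ethe 1/1/1 to 1/1/2
vlan 2 by port
 mac-vlan-permit ethe 1/1/1 to 1/1/2
vlan 666 name mac_restricted by port
 mac-vlan-permit ethe 1/1/1 to 1/1/2
vlan 4004 by port
 mac-vlan-permit ethe 1/1/1
"""
STATIC = {"0030.4888.b9fe": 1}        # Host A: static mapping, no RADIUS
RADIUS = {"0030.4875.3f73": "VLAN2"}  # Host B profile; Host C has none
RESTRICTED_VLAN = 666                 # assumption: vlan 666 "mac_restricted"

def norm(mac):
    """Normalize common MAC notations to the xxxx.xxxx.xxxx form used here."""
    h = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def permitted_ports(config):
    """Map VLAN id -> ports named on its mac-vlan-permit lines."""
    perm, vlan = {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["vlan"]:
            vlan = int(t[1])
            perm.setdefault(vlan, set())
        elif t[:2] == ["mac-vlan-permit", "ethe"] and vlan is not None:
            first = t[2]
            last = t[4] if len(t) > 4 and t[3] == "to" else first
            prefix, lo = first.rsplit("/", 1)
            hi = last.rsplit("/", 1)[1]
            perm[vlan].update(f"{prefix}/{n}" for n in range(int(lo), int(hi) + 1))
    return perm

def assign_vlan(mac, port):
    """Return (vlan, reason) for a MAC address first seen on a port."""
    mac = norm(mac)
    if mac in STATIC:
        vlan, reason = STATIC[mac], "static"
    elif mac in RADIUS:  # Access-Accept carrying Tunnel-Private-Group-ID
        vlan, reason = int(re.sub(r"\D", "", RADIUS[mac])), "radius-accept"
    else:                # no profile on the server: Access-Reject
        vlan, reason = RESTRICTED_VLAN, "radius-reject"
    # Modelling assumption: a VLAN is usable only on ports it permits.
    if port not in permitted_ports(CONFIG).get(vlan, ()):
        return None, "port-not-permitted"
    return vlan, reason
```

Calling assign_vlan with each host MAC from Figure 9 and port 1/1/1 reproduces the placements in the paragraph above.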
