Brocade Communications Systems Brocade ICX 6650 6650 User Manual

244

Brocade ICX 6650 Security Configuration Guide

53-1002601-01

Multi-device port authentication configuration

The Brocade device uses information in the Filter ID to apply an IP ACL on a per-user basis. The
Filter-ID attribute can specify the number of an existing IP ACL configured on the Brocade device. If
the Filter-ID is an ACL number, the specified IP ACL is applied on a per-user basis.

Multi-device port authentication with dynamic IP ACLs and
ACL-per-port-per-VLAN

Multi-device port authentication and dynamic ACLs are supported on tagged, dual-mode, and
untagged ports, with or without virtual interfaces.

Support is automatically enabled when all of the required conditions are met.

The following describes the conditions and feature limitations:

•

On Layer 3 router code, dynamic IP ACLs are allowed on physical ports when
ACL-per-port-per-vlan is enabled.

•

On Layer 3 router code, dynamic IP ACLs are allowed on tagged and dual-mode ports when
ACL-per-port-per-vlan is enabled. If ACL-per-port-per-vlan is not enabled, dynamic IP ACLs are
not allowed on tagged or dual-mode ports.

•

Dynamic IP ACLs can be added to tagged/untagged ports in a VLAN with or without a VE, as
long as the tagged/untagged ports do not have configured ACLs assigned to them. The
following shows some example scenarios where dynamic IP ACLs would not apply:

-

A port is a tagged/untagged member of VLAN 20, VLAN 20 includes VE 20, and an ACL is
bound to VE 20.

-

A port is a tagged/untagged member of VLAN 20, VLAN 20 includes VE 20, and a
per-port-per-vlan ACL is bound to VE 20 and to a subset of ports in VE 20

In the above scenarios, dynamic IP ACL assignment would not apply in either instance,
because a configured ACL is bound to VE 20 on the port. Consequently, the MAC session would
fail.

Configuration considerations and guidelines for
multi-device port authentication

•

Dynamic IP ACLs with multi-device port authentication are supported. Dynamic MAC address
filters with multi-device port authentication are not supported.

•

In the Layer 2 switch code, dynamic IP ACLs are not supported when ACL-per-port-per-vlan is
enabled on a global-basis.

•

The RADIUS Filter ID (type 11) attribute is supported. The Vendor-Specific (type 26) attribute is
not supported.

•

The dynamic ACL must be an extended ACL. Standard ACLs are not supported.

•

Multi-device port authentication and 802.1x can be used together on the same port. However,
Brocade does not recommend the use of multi-device port authentication and 802.1X with
dynamic ACLs together on the same port. If a single supplicant requires both 802.1x and
multi-device port authentication, and if both 802.1x and multi-device port authentication try to
install different dynamic ACLs for the same supplicant, the supplicant will fail authentication.

•

Dynamically assigned IP ACLs are subject to the same configuration restrictions as
non-dynamically assigned IP ACLs. One caveat is that ports with VE interfaces cannot have
assigned user-defined ACLs. For example, a user-defined ACL bound to a VE or a port on a VE is
not allowed. There are no restrictions on ports that do not have VE interfaces.