Enabling denial of service attack protection – Brocade Communications Systems Brocade ICX 6650 6650 User Manual

Page 265

Advertising
background image

Brocade ICX 6650 Security Configuration Guide

245

53-1002601-01

Multi-device port authentication configuration

Dynamic ACL filters are supported only for the inbound direction. Dynamic outbound ACL filters
are not supported.

Dynamic ACL assignment with multi-device port authentication is not supported in conjunction
with any of the following features:

-

IP source guard

-

Rate limiting

-

Protection against ICMP or TCP Denial-of-Service (DoS) attacks

-

Policy-based routing

-

802.1X dynamic filter

Configuring the RADIUS server to support dynamic IP ACLs

When a port is authenticated using multi-device port authentication, an IP ACL filter that exists in
the running-config file on the Brocade device can be dynamically applied to the port. To do this, you
configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the
name or number of the Brocade IP ACL.

The following is the syntax for configuring the Filter-ID attribute on the RADIUS server to refer to a
Brocade IP ACL.

The following table lists examples of values you can assign to the Filter-ID attribute on the RADIUS
server to refer to IP ACLs configured on a Brocade device.

Enabling denial of service attack protection

The Brocade device does not start forwarding traffic from an authenticated MAC address in
hardware until the RADIUS server authenticates the MAC address; traffic from the
non-authenticated MAC addresses is sent to the CPU. A denial of service (DoS) attack could be
launched against the device where a high volume of new source MAC addresses is sent to the
device, causing the CPU to be overwhelmed with performing RADIUS authentication for these MAC
addresses. In addition, the high CPU usage in such an attack could prevent the RADIUS response
from reaching the CPU in time, causing the device to make additional authentication attempts.

TABLE 57

Syntax for configuring the Filter-ID attribute

Value

Description

ip.number.in

1

1.

The ACL must be an extended ACL. Standard ACLs are not supported.

Applies the specified numbered ACL to the authenticated port in the inbound direction.

ip.name.in

1

,

2

2.

The name in the Filter ID attribute is case-sensitive

Applies the specified named ACL to the authenticated port in the inbound direction.

TABLE 58

Filter-ID values

Possible values for the filter ID attribute on the
RADIUS server

ACLs configured on the Brocade device

ip.102.in

access-list 102 permit ip 36.0.0.0 0.255.255.255 any

ip.fdry_filter.in

ip access-list standard fdry_filter
permit host 36.48.0.3

Advertising
Popular Brands
Popular manuals