General security measures, Port security, Chapter 10 – Brocade Communications Systems Brocade Ethernet Access Switch 6910 User Manual


Brocade 6910 Ethernet Access Switch Configuration Guide
53-1002581-01, page 193

Chapter 10

General Security Measures

This switch supports many methods of segregating traffic for clients attached to each of the data
ports, and of ensuring that only authorized clients gain access to the network. Port-based
authentication using IEEE 802.1X is commonly used for these purposes. In addition to this
method, several other options for providing client security are described in this chapter. These
include port security, which restricts network access on a port to a fixed set of MAC
addresses. The addresses assigned to DHCP clients can also be tightly controlled with the
IP Source Guard and DHCP Snooping commands.

Port Security

The commands in this section enable and configure port security on a port.

When port security is enabled, the switch stops learning new MAC addresses on the specified port once
the configured maximum number of addresses has been reached. Only incoming traffic whose source
address is already stored in the dynamic or static address table for this port is authorized to access
the network. The port drops any incoming frame whose source MAC address is unknown or was
previously learned on another port. If a device with an unauthorized MAC address attempts to
use the switch port, the intrusion is detected and the switch can automatically take action by
disabling the port and sending a trap message.
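The per-frame decisions described above (learn, forward, drop, shut the port down and raise a trap), modelled in Python as an added illustration. This is not the switch's firmware or CLI; the class names SecurePort and PortSecurityTable, the action names and the constructed MAC addresses are assumptions made for the example. The page does not say whether a frame carrying an address that belongs to another port triggers the intrusion action, so the model only drops that frame; exceeding the maximum address count triggers the action.

```python
"""Model of port-security learning and enforcement on an access-switch port.

Added illustration only: it is not the switch's own code. Names, action
strings and sample MAC addresses below are assumptions for the example.
"""
from dataclasses import dataclass, field

# Assumed intrusion-action names for the model (not the switch's CLI keywords).
SHUTDOWN = "shutdown"
TRAP = "trap"
TRAP_AND_SHUTDOWN = "trap-and-shutdown"


@dataclass
class SecurePort:
    name: str
    max_mac_count: int                      # learning stops at this many addresses
    action: str = TRAP_AND_SHUTDOWN
    static: set = field(default_factory=set)   # addresses configured by the admin
    dynamic: set = field(default_factory=set)  # addresses learned from traffic
    enabled: bool = True
    traps: list = field(default_factory=list)  # trap messages the model "sent"

    def known(self, mac):
        return mac in self.static or mac in self.dynamic

    def count(self):
        return len(self.static) + len(self.dynamic)


class PortSecurityTable:
    """Switch-wide address table: which port each secure address belongs to."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.owner = {}                      # mac -> port name it was learned/configured on
        for p in ports:
            for mac in p.static | p.dynamic:
                self.owner[mac] = p.name

    def ingress(self, port_name, src_mac):
        """Return the decision for a frame with source src_mac arriving on port_name."""
        port = self.ports[port_name]
        if not port.enabled:
            return "drop: port disabled"

        # Address already in this port's static or dynamic table: authorized.
        if port.known(src_mac):
            return "forward"

        # Address previously learned or configured on a different port: drop it,
        # never relearn it here (a station pinned to one port cannot move).
        if src_mac in self.owner and self.owner[src_mac] != port_name:
            return "drop: address belongs to port " + self.owner[src_mac]

        # Unknown address: learn it only while the port is below its maximum.
        if port.count() < port.max_mac_count:
            port.dynamic.add(src_mac)
            self.owner[src_mac] = port_name
            return "learn+forward"

        # Maximum reached and the address is unknown: this is the intrusion case.
        return self._intrusion(port, src_mac, "maximum address count reached")

    def _intrusion(self, port, src_mac, reason):
        """Apply the configured action (trap and/or shutdown) and drop the frame."""
        if port.action in (TRAP, TRAP_AND_SHUTDOWN):
            port.traps.append(f"{port.name}: intrusion by {src_mac} ({reason})")
        if port.action in (SHUTDOWN, TRAP_AND_SHUTDOWN):
            port.enabled = False
        return "drop: " + reason


if __name__ == "__main__":
    # Constructed scenario: eth1 allows two learned addresses, eth2 has one static.
    eth1 = SecurePort("eth1", max_mac_count=2)
    eth2 = SecurePort("eth2", max_mac_count=1, static={"00:11:22:33:44:55"})
    table = PortSecurityTable([eth1, eth2])
    for mac in ("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02",
                "00:11:22:33:44:55", "aa:aa:aa:aa:aa:03", "aa:aa:aa:aa:aa:01"):
        print(mac, "->", table.ingress("eth1", mac))
    print(eth1.traps)
```

The owner check runs before learning on purpose: without a switch-wide view of which port an address was learned on, a host could present a MAC that is pinned to a neighbouring port and have it learned a second time, which is exactly the spoofing port security is meant to stop. Note that once the action shuts the port down every frame is dropped, including those from the originally authorized stations, so the operator has to re-enable the port after investigating the trap.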

TABLE 47    General Security Commands

Command Group                   Function
Port Security *                 Configures secure addresses for a port
802.1X Port Authentication *    Configures host authentication on specific ports using 802.1X
Network Access *                Configures MAC authentication and dynamic VLAN assignment
Web Authentication *            Configures Web authentication
Access Control Lists *          Provides filtering for IP frames (based on address, protocol, TCP/UDP port number
                                or TCP control code) or non-IP frames (based on MAC address or Ethernet type)
DHCP Snooping *                 Filters untrusted DHCP messages on unsecure ports by building and maintaining a
                                DHCP snooping binding table
IP Source Guard *               Filters IP traffic on insecure ports for which the source address cannot be identified
                                via DHCP snooping or static source bindings
ARP Inspection                  Validates the MAC-to-IP address bindings in ARP packets

* The priority of execution for these filtering commands is Port Security, Port Authentication, Network Access, Web
Authentication, Access Control Lists, DHCP Snooping, and then IP Source Guard.
