Support User Manuals

Brocade Communications Systems 6650 Switch User Manual

Open as PDF

of 332

Brocade ICX 6650 Security Configuration Guide 213

53-1002601-01

Dynamic MAC-based VLAN

Dynamic MAC-based VLAN

When enabled, the dynamic MAC-based VLAN feature allows the dynamic addition of

mac-vlan-permit ports to the VLAN table only after successful RADIUS authentication. Ports that fail

RADIUS authentication are not added to the VLAN table.

When this feature is not enabled, the physical port is statically added to the hardware table,

regardless of the outcome of the authentication process. This feature prevents the addition of

unauthenticated ports to the VLAN table. For information about how to configure Dynamic

MAC-based VLAN, refer to “Configuring dynamic MAC-based VLAN” on page 220.

Configuration notes and feature limitations

for dynamic MAC-based VLAN

The following guidelines apply to MAC-based VLAN configurations:

• MAC-based VLAN is not currently supported for trunk ports and LACP.

• MAC-based VLAN is not supported for VLAN groups, topology groups and dual-mode

configuration.

• MAC-based VLAN is not supported together with ACLs or MAC address filters.

• Brocade ICX 6650 devices do not support UDLD link-keepalives on ports with MAC-based VLAN

enabled.

• Brocade ICX 6650 devices do not support STP BPDU packets on ports with MAC-based VLAN

enabled.

• MAC-to-VLAN mapping must be associated with VLANs that exist on the switch. Create the

VLANs before you configure the MAC-based VLAN feature.

• Ports participating in MAC-based VLANs must first be configured as mac-vlan-permit ports

under the VLAN configuration.

• In the RADIUS server configuration file, a MAC address cannot be configured to associate with

more than one VLAN.

• This feature does not currently support dynamic assignment of a port to a VLAN. Users must

pre-configure VLANs and port membership before enabling the feature.

• Multi-device port authentication filters will not work with MAC-based VLANs on the same port.

Dynamic MAC-based VLAN CLI commands

The following table describes the CLI commands used to configure MAC-based VLANs.

TABLE 45 CLI commands for MAC-based VLANs

CLI command Description CLI level

mac-auth mac-vlan enable Enables per-port MAC-based VLAN Interface

mac-auth mac-vlan disable Disables per-port MAC-based VLAN interface

mac-auth mac-vlan-dyn-activation Enables Dynamic MAC-based VLAN global

no mac-auth mac-vlan-dyn-activation Disables Dynamic MAC-based VLAN global

no mac-auth mac-vlan Removes the MAC-VLAN configuration from the

port

interface

previous next