Support User Manuals

Brocade Communications Systems 6650 Switch User Manual

Open as PDF

of 332

Brocade ICX 6650 Security Configuration Guide 245

53-1002601-01

Multi-device port authentication configuration

• Dynamic ACL filters are supported only for the inbound direction. Dynamic outbound ACL filters

are not supported.

• Dynamic ACL assignment with multi-device port authentication is not supported in conjunction

with any of the following features:

- IP source guard

- Rate limiting

- Protection against ICMP or TCP Denial-of-Service (DoS) attacks

- Policy-based routing

- 802.1X dynamic filter

Configuring the RADIUS server to support dynamic IP ACLs

When a port is authenticated using multi-device port authentication, an IP ACL filter that exists in

the running-config file on the Brocade device can be dynamically applied to the port. To do this, you

configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the

name or number of the Brocade IP ACL.

The following is the syntax for configuring the Filter-ID attribute on the RADIUS server to refer to a

Brocade IP ACL.

The following table lists examples of values you can assign to the Filter-ID attribute on the RADIUS

server to refer to IP ACLs configured on a Brocade device.

Enabling denial of service attack protection

The Brocade device does not start forwarding traffic from an authenticated MAC address in

hardware until the RADIUS server authenticates the MAC address; traffic from the

non-authenticated MAC addresses is sent to the CPU. A denial of service (DoS) attack could be

launched against the device where a high volume of new source MAC addresses is sent to the

device, causing the CPU to be overwhelmed with performing RADIUS authentication for these MAC

addresses. In addition, the high CPU usage in such an attack could prevent the RADIUS response

from reaching the CPU in time, causing the device to make additional authentication attempts.

TABLE 57 Syntax for configuring the Filter-ID attribute

Value Description

ip.number.in

1

1. The ACL must be an extended ACL. Standard ACLs are not supported.

Applies the specified numbered ACL to the authenticated port in the inbound direction.

ip.name.in

1

,

2

2. The name in the Filter ID attribute is case-sensitive

Applies the specified named ACL to the authenticated port in the inbound direction.

TABLE 58 Filter-ID values

Possible values for the filter ID attribute on the

RADIUS server

ACLs configured on the Brocade device

ip.102.in access-list 102 permit ip 36.0.0.0 0.255.255.255 any

ip.fdry_filter.in ip access-list standard fdry_filter

permit host 36.48.0.3

previous next