Dell FCX624-I Laptop User Manual


  Open as PDF
of 1494
 
1286 PowerConnect B-Series FCX Configuration Guide
53-1002266-01
Configuring multi-device port authentication
36
Enabling source guard protection
Source Guard Protection is a form of IP Source Guard used in conjunction with multi-device port
authentication. When Source Guard Protection is enabled, IP traffic is blocked until the system
learns the IP address. Once the IP address is validated, traffic with that source address is
permitted.
NOTE
Source Guard Protection is supported together with multi-device port authentication as long as
ACL-per-port-per-vlan is enabled.
When a new MAC session begins on a port that has Source Guard Protection enabled, the session
will either apply a dynamically created Source Guard ACL entry, or it will use the dynamic IP ACL
assigned by the RADIUS server. If a dynamic IP ACL is not assigned, the session will use the
Source Guard ACL entry. The Source Guard ACL entry is permit ip <secure-ip> any, where
<secure-ip> is obtained from the ARP Inspection table or from the DHCP Secure table. The DHCP
Secure table is comprised of DHCP Snooping and Static ARP Inspection entries.
The Source Guard ACL permit entry is added to the hardware table after all of the following events
occur:
The MAC address is authenticated
The IP address is learned
The MAC-to-IP mapping is checked against the Static ARP Inspection table or the DHCP Secure
table.
The Source Guard ACL entry is not written to the running configuration file. However, you can view
the configuration using the show auth-mac-addresses authorized-mac ip-addr. Refer to “Viewing
the assigned ACL for ports on which source guard protection is enabled” in the following section.
NOTE
The secure MAC-to-IP mapping is assigned at the time of authentication and remains in effect as
long as the MAC session is active. If the DHCP Secure table is updated after the session is
authenticated and while the session is still active, it does not affect the existing MAC session.
The Source Guard ACL permit entry is removed when the MAC session expires or is cleared.
To enable Source Guard Protection on a port on which multi-device port authentication is enabled,
enter the following command at the Interface level of the CLI.
PowerConnect (config)int e 1/4
PowerConnect (config-if-e1000-1/4)mac-authentication source-guard-protection
enable
Syntax: [no] mac-authentication source-guard-protection enable
Enter the no form of the command to disable SG protection.
Viewing the assigned ACL for ports on which source guard protection is enabled
Use the following command to view whether a Source Guard ACL or dynamic ACL is applied to ports
on which Source Guard Protection is enabled.