Brocade Communications Systems Brocade ICX 6650 User Manual
234
Brocade ICX 6650 Security Configuration Guide
53-1002601-01
Multi-device port authentication and 802.1X security on the same port
Dynamic ARP Inspection (DAI) is supported together with multi-device port authentication as long as
ACL-per-port-per-vlan is enabled. Apart from that requirement, you do not need to perform any extra
configuration steps to enable support with dynamic ACLs: when these features are enabled on the
same port/VLAN, support is enabled automatically.
Support for DHCP snooping with dynamic ACLs
Multi-device port authentication and DHCP snooping are supported in conjunction with dynamic
ACLs. Support is available in the Layer 3 software images only.
DHCP snooping is supported together with multi-device port authentication as long as
ACL-per-port-per-vlan is enabled. Apart from that requirement, you do not need to perform any extra
configuration steps to enable support with dynamic ACLs: when these features are enabled on the
same port/VLAN, support is enabled automatically.
Support for source guard protection
The Brocade proprietary Source Guard Protection feature, a form of IP Source Guard, can be used
in conjunction with multi-device port authentication. For details, refer to
Multi-device port authentication and 802.1X security on the same port
On Brocade ICX 6650, multi-device port authentication and 802.1X security can be configured on
the same port, as long as the port is not a trunk port or an LACP port. When both of these features
are enabled on the same port, multi-device port authentication is performed prior to 802.1X
authentication. If multi-device port authentication is successful, 802.1X authentication may be
performed, based on the configuration of a vendor-specific attribute (VSA) in the profile for the MAC
address on the RADIUS server.
NOTE
When multi-device port authentication and 802.1X security are configured together on the same
port, Brocade recommends that dynamic VLANs and dynamic ACLs be applied at the multi-device port
authentication level, and not at the 802.1X level.
When both features are configured on a port, a device connected to the port is authenticated as
follows.
1. Multi-device port authentication is performed on the device to authenticate the device MAC
address.
2. If multi-device port authentication is successful for the device, then the device checks whether
the RADIUS server included the Foundry-802_1x-enable VSA (described in
) in the
Access-Accept message that authenticated the device.
3. If the Foundry-802_1x-enable VSA is not present in the Access-Accept message, or is present
and set to 1, then 802.1X authentication is performed for the device.
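The three steps above amount to a decision made on the contents of the RADIUS Access-Accept that authenticated the MAC address. The following Python is an added example, not code from the Brocade guide or from the switch software: it parses a RADIUS packet, extracts the Vendor-Specific attribute (RFC 2865 attribute 26) carrying the Foundry VSA, and applies the rule in step 3 (802.1X is performed when the VSA is absent or set to 1). The Foundry vendor ID 1991 is the IANA enterprise number; the vendor-type number for Foundry-802_1x-enable is not given on this page, so `FOUNDRY_8021X_ENABLE_TYPE` is a placeholder to be replaced with the value from your RADIUS dictionary. The Access-Accept packets are constructed sample data with a zeroed authenticator, so no signature check is done.

```python
"""Decide whether 802.1X follows a successful multi-device (MAC) port authentication,
based on the Foundry-802_1x-enable VSA in the RADIUS Access-Accept. Added example."""
import struct

RADIUS_HEADER_LEN = 20          # code(1) + identifier(1) + length(2) + authenticator(16), RFC 2865
CODE_ACCESS_ACCEPT = 2          # RFC 2865 packet code for Access-Accept
ATTR_USER_NAME = 1              # RFC 2865 User-Name attribute
ATTR_VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute
FOUNDRY_VENDOR_ID = 1991        # IANA enterprise number of Foundry Networks (now Brocade)
FOUNDRY_8021X_ENABLE_TYPE = 6   # PLACEHOLDER: assumed vendor-type; take the real value from your dictionary


def radius_attributes(packet):
    """Return [(type, value), ...] from a RADIUS packet after validating header and TLV lengths."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], RADIUS_HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:      # reject zero-length / overlong TLVs
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def vendor_attributes(value):
    """Split a Vendor-Specific value (RFC 2865 s5.26) into [(vendor_id, vendor_type, data), ...]."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than the vendor id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    out, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("malformed vendor attribute length")
        out.append((vendor_id, vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return out


def foundry_8021x_enable(packet):
    """Return the integer value of Foundry-802_1x-enable, or None when the VSA is absent."""
    attrs = radius_attributes(packet)         # validates the packet before the code check
    if packet[0] != CODE_ACCESS_ACCEPT:
        raise ValueError("only an Access-Accept carries the per-MAC profile")
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        for vendor_id, vtype, data in vendor_attributes(value):
            if vendor_id == FOUNDRY_VENDOR_ID and vtype == FOUNDRY_8021X_ENABLE_TYPE:
                if len(data) != 4:             # RADIUS integers are 4 bytes, network order
                    raise ValueError("integer VSA must be 4 bytes")
                return struct.unpack("!I", data)[0]
    return None


def perform_8021x_after_mac_auth(access_accept):
    """Steps 2-3 of the guide: after successful MAC authentication, 802.1X is performed
    when the VSA is not present or is present and set to 1."""
    value = foundry_8021x_enable(access_accept)
    return value is None or value == 1


def is_malformed(packet):
    """True when the packet fails structural validation (used to show the failure mode)."""
    try:
        foundry_8021x_enable(packet)
        return False
    except ValueError:
        return True


def build_access_accept(username, vsa_value=None):
    """Constructed sample Access-Accept (zeroed authenticator; not a real RADIUS exchange)."""
    name = username.encode()
    attrs = bytes([ATTR_USER_NAME, 2 + len(name)]) + name
    if vsa_value is not None:
        vendor_part = (struct.pack("!I", FOUNDRY_VENDOR_ID)
                       + bytes([FOUNDRY_8021X_ENABLE_TYPE, 6])   # vtype + vlen + 4-byte integer
                       + struct.pack("!I", vsa_value))
        attrs += bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vendor_part)]) + vendor_part
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, 1, RADIUS_HEADER_LEN + len(attrs))
    return header + bytes(16) + attrs


if __name__ == "__main__":
    mac = "001122334455"                       # constructed MAC-auth username
    for label, vsa in (("no VSA", None), ("VSA=1", 1), ("VSA=0", 0)):
        pkt = build_access_accept(mac, vsa)
        print(f"{label:7s} -> 802.1X performed: {perform_8021x_after_mac_auth(pkt)}")
    print("truncated packet rejected:", is_malformed(build_access_accept(mac, 1)[:-1]))
```

The length checks in the two parsers are the part worth keeping when adapting this to real traffic: a RADIUS attribute or vendor sub-attribute with a length below 2, or one that runs past the packet, is rejected rather than silently skipped, so a malformed Access-Accept cannot be mistaken for "VSA absent" and quietly trigger the 802.1X path.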