Brocade Communications Systems Brocade ICX 6650 6650 Manual De Usuario
162
Brocade ICX 6650 Security Configuration Guide
53-1002601-01
How 802.1X port security works
•
802.1X multiple-host authentication has the following additions:
-
Configurable hardware aging period for denied client dot1x-mac-sessions. Refer to
-
-
Dynamic multiple VLAN assignment for 802.1X ports. Refer
-
Configure a restriction to forward authenticated and unauthenticated tagged and
untagged clients to a restricted VLAN.
untagged clients to a restricted VLAN.
-
Configure an override to send failed dot1x and non-dot1x clients to a restricted VLAN.
-
Configure VLAN assignments for clients attempting to gain access through dual-mode
ports.
ports.
-
Enhancements to some show commands.
-
Differences in command syntax for saving dynamic VLAN assignments to the
startup-config file.
startup-config file.
Configurable hardware aging period for
denied client dot1x-mac-sessions
denied client dot1x-mac-sessions
When one of the 802.1X-enabled Clients in a multiple-host configuration attempts to log into a
network in which a Brocade device serves as an Authenticator, the device creates a
dot1x-mac-session for the Client.
network in which a Brocade device serves as an Authenticator, the device creates a
dot1x-mac-session for the Client.
When a Client has been denied access to the network, its dot1x-mac-session is aged out if no
traffic is received from the Client MAC address over a period of time. After a denied Client
dot1x-mac-session ages out, the Client can be re-authenticated. Aging of a denied Client's
dot1x-mac-session occurs in two phases, known as hardware aging and software aging.
traffic is received from the Client MAC address over a period of time. After a denied Client
dot1x-mac-session ages out, the Client can be re-authenticated. Aging of a denied Client's
dot1x-mac-session occurs in two phases, known as hardware aging and software aging.
The hardware aging period for a denied Client's dot1x-mac-session is not fixed at 70 seconds. The
hardware aging period for a denied Client's dot1x-mac-session is equal to the length of time
specified with the dot1x timeout quiet-period command. By default, the hardware aging time is 60
seconds. Once the hardware aging period ends, the software aging period begins. When the
software aging period ends, the denied Client's dot1x-mac-session ages out, and the Client can be
authenticated again.
hardware aging period for a denied Client's dot1x-mac-session is equal to the length of time
specified with the dot1x timeout quiet-period command. By default, the hardware aging time is 60
seconds. Once the hardware aging period ends, the software aging period begins. When the
software aging period ends, the denied Client's dot1x-mac-session ages out, and the Client can be
authenticated again.
802.1X port security and sFlow
sFlow is a standards-based protocol that allows network traffic to be sampled at a user-defined rate
for the purpose of monitoring traffic flow patterns and identifying packet transfer rates on
user-specified interfaces.
for the purpose of monitoring traffic flow patterns and identifying packet transfer rates on
user-specified interfaces.
When you enable sFlow forwarding on an 802.1X-enabled interface, the samples taken from the
interface include the user name string at the inbound or outbound port, or both, if that information
is available.
interface include the user name string at the inbound or outbound port, or both, if that information
is available.
For more information on sFlow, refer to the Brocade ICX 6650 Administration Guide.