Brocade Communications Systems Brocade ICX 6650 User Manual

Brocade ICX 6650 Security Configuration Guide
53-1002601-01
MAC-based VLAN configuration
vlan 4004 by port
 mac-vlan-permit ethernet 1/1/1 to 1/1/3
default-vlan-id 4000
ip address 10.44.3.3 255.255.255.0
ip default-gateway 10.44.3.1
radius-server host 10.44.3.111
radius-server key 1 $-ndUno
mac-authentication enable
mac-authentication mac-vlan-dyn-activation
mac-authentication max-age 60
mac-authentication hw-deny-age 30
mac-authentication auth-passwd-format xxxx.xxxx.xxxx
mac-authentication auth-fail-vlan-id 666
interface ethernet 1/1/1
 mac-authentication mac-vlan max-mac-entries 5
 mac-authentication mac-vlan 0030.4888.b9fe vlan 1 priority 1
 mac-authentication mac-vlan enable
interface ethernet 1/1/2
 mac-authentication mac-vlan max-mac-entries 10
 mac-authentication mac-vlan enable
 mac-authentication auth-fail-action restrict-vlan 222
interface ethernet 1/1/3
 mac-authentication mac-vlan enable
 mac-authentication auth-fail-action restrict-vlan
!
end
MAC-based VLAN configuration
Configure MAC-based VLAN mapping on the switch statically for static hosts, or dynamically for 
non-static hosts, by directing the RADIUS server to authenticate the incoming packet. 
To configure a MAC-based VLAN, first perform the following tasks:
• In the VLANs, configure mac-vlan-permit for each port that will be participating in the 
  MAC-based VLAN.
  If a port has been MAC-based VLAN-enabled, but has not been added as mac-vlan-permit in 
  any of the VLANs, any MAC addresses learned on this port will be blocked in the reserved 
  VLAN. To prevent this, you must create all of the VLANs and add all ports as mac-vlan-permit 
  before enabling MAC-based VLAN on any ports.
• Disable any multi-device port authentication on ports you will be using for MAC-to-VLAN 
  mapping.
NOTE
Do not configure MAC-based VLAN on ports that are tagged to any VLAN. Do not use ports on which 
MAC-based VLAN is configured as tagged ports.
NOTE
MAC-based VLAN is not supported on trunk or LACP ports. Do not configure trunks on MAC-based 
VLAN-enabled ports.
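
Added example (not from the Brocade guide): an offline audit of a saved configuration that flags ports with MAC-based VLAN enabled that appear in no mac-vlan-permit list, or that are tagged in a VLAN. The function names and sample configuration are constructed here. The "tagged ethernet" VLAN-level line is not shown on this page and is assumed, and port ranges are assumed to stay within one unit/slot.

```python
import re

PORT_SPEC = re.compile(r"ethernet (\d+/\d+/\d+)(?: to (\d+/\d+/\d+))?")
# Constructed sample modeled on the guide's config; VLAN 20 and port 1/1/4 are invented.
SAMPLE_CONFIG = """\
vlan 20 by port
 tagged ethernet 1/1/3
vlan 4004 by port
 mac-vlan-permit ethernet 1/1/1 to 1/1/3
interface ethernet 1/1/1
 mac-authentication mac-vlan enable
interface ethernet 1/1/3
 mac-authentication mac-vlan enable
interface ethernet 1/1/4
 mac-authentication mac-vlan enable
"""

def expand(line):
    """Expand each 'ethernet u/s/p [to u/s/p]' group on a line into port names."""
    ports = set()
    for first, last in PORT_SPEC.findall(line):
        unit, slot, low = first.split("/")
        high = (last or first).split("/")[2]  # assumption: range stays in one slot
        ports.update(f"{unit}/{slot}/{n}" for n in range(int(low), int(high) + 1))
    return ports

def audit(config):
    """Return {port: [findings]} for ports with MAC-based VLAN enabled."""
    permitted, tagged, enabled, current_if = set(), set(), set(), None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface ethernet "):
            current_if = line.split()[2]
        elif line.startswith("vlan ") or line == "!":
            current_if = None  # left the interface block
        elif line.startswith("mac-vlan-permit "):
            permitted |= expand(line)
        elif line.startswith("tagged "):
            tagged |= expand(line)
        elif current_if and line == "mac-authentication mac-vlan enable":
            enabled.add(current_if)
    findings = {}
    for issue, ports in (("not in any mac-vlan-permit list", enabled - permitted),
                         ("tagged in a VLAN", enabled & tagged)):
        for port in ports:
            findings.setdefault(port, []).append(issue)
    return findings

if __name__ == "__main__": print(audit(SAMPLE_CONFIG))
```

An empty result means every MAC-based VLAN port passed both checks; trunk and LACP membership is not checked here.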