Brocade ICX 6650 Security Configuration Guide
245
53-1002601-01
Multi-device port authentication configuration
Dynamic ACL filters are supported only for the inbound direction. Dynamic outbound ACL filters are not supported.
Dynamic ACL assignment with multi-device port authentication is not supported in conjunction with any of the following features:
- IP source guard
- Rate limiting
- Protection against ICMP or TCP Denial-of-Service (DoS) attacks
- Policy-based routing
- 802.1X dynamic filter
Configuring the RADIUS server to support dynamic IP ACLs
When a port is authenticated using multi-device port authentication, an IP ACL filter that exists in the running-config file on the Brocade device can be dynamically applied to the port. To do this, you configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the name or number of the Brocade IP ACL.
Table 57 lists the syntax for configuring the Filter-ID attribute on the RADIUS server to refer to a Brocade IP ACL.
Table 58 lists examples of values you can assign to the Filter-ID attribute on the RADIUS server to refer to IP ACLs configured on a Brocade device.
Enabling denial of service attack protection
The Brocade device does not start forwarding traffic from an authenticated MAC address in hardware until the RADIUS server authenticates the MAC address; traffic from the non-authenticated MAC addresses is sent to the CPU. A denial of service (DoS) attack could be launched against the device where a high volume of new source MAC addresses is sent to the device, causing the CPU to be overwhelmed with performing RADIUS authentication for these MAC addresses. In addition, the high CPU usage in such an attack could prevent the RADIUS response from reaching the CPU in time, causing the device to make additional authentication attempts.
TABLE 57 Syntax for configuring the Filter-ID attribute
Value               Description
ip.number.in (1)    Applies the specified numbered ACL to the authenticated port in the inbound direction.
ip.name.in (1, 2)   Applies the specified named ACL to the authenticated port in the inbound direction.
Notes:
1. The ACL must be an extended ACL. Standard ACLs are not supported.
2. The name in the Filter ID attribute is case-sensitive.

TABLE 58 Filter-ID values
Possible values for the filter ID attribute on the RADIUS server    ACLs configured on the Brocade device
ip.102.in                                                           access-list 102 permit ip 36.0.0.0 0.255.255.255 any
ip.fdry_filter.in                                                   ip access-list standard fdry_filter
                                                                     permit host 36.48.0.3
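The following added example (not from the guide or the Brocade software) checks a RADIUS Filter-ID value against the rules above: the ip.<number|name>.in syntax, inbound direction only, the ACL must exist in the running-config, names are matched case-sensitively, and standard ACLs are rejected. It assumes the FastIron numbered-ACL convention that 1-99 are standard and 100-199 are extended, and the running-config it parses is constructed for illustration.

```python
import re
from dataclasses import dataclass

# Filter-ID syntax from Table 57: ip.<number|name>.<direction>; only "in" is valid.
FILTER_ID_RE = re.compile(r"^ip\.(?P<acl>[^.]+)\.(?P<dir>in|out)$")


@dataclass(frozen=True)
class Acl:
    ident: str   # ACL number (as a string) or case-sensitive name
    kind: str    # "standard" or "extended"


def parse_running_config(text: str) -> dict:
    """Collect ACL definitions from a Brocade-style running-config.
    Numbered ACLs: 'access-list <n> ...' (assumption: 1-99 standard, 100-199 extended).
    Named ACLs:    'ip access-list standard|extended <name>'."""
    acls = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^access-list (\d+) ", line)
        if m:
            num = int(m.group(1))
            acls[str(num)] = Acl(str(num), "extended" if 100 <= num <= 199 else "standard")
            continue
        m = re.match(r"^ip access-list (standard|extended) (\S+)$", line)
        if m:
            acls[m.group(2)] = Acl(m.group(2), m.group(1))
    return acls


def resolve_filter_id(value: str, acls: dict) -> tuple:
    """Return (ok, reason) for a Filter-ID value, mirroring the guide's constraints."""
    m = FILTER_ID_RE.match(value)
    if not m:
        return False, "malformed Filter-ID; expected ip.<number|name>.in"
    if m.group("dir") != "in":
        return False, "dynamic outbound ACL filters are not supported"
    acl = acls.get(m.group("acl"))          # exact lookup: names are case-sensitive
    if acl is None:
        return False, "ACL %r is not in the running-config" % m.group("acl")
    if acl.kind != "extended":
        return False, "ACL must be extended; standard ACLs are not supported"
    return True, "apply extended ACL %s inbound" % acl.ident


# Constructed running-config for the demonstration (not from a real device).
SAMPLE_CONFIG = """
access-list 10 permit host 36.48.0.3
access-list 102 permit ip 36.0.0.0 0.255.255.255 any
ip access-list extended fdry_filter
 permit ip host 36.48.0.3 any
"""
```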