Brocade Communications Systems Brocade ICX 6650 6650 Manual De Usuario
Brocade ICX 6650 Security Configuration Guide
247
53-1002601-01
Multi-device port authentication configuration
•
The MAC-to-IP mapping is checked against the Static ARP Inspection table or the DHCP Secure
table.
table.
The Source Guard ACL entry is not written to the running configuration file. However, you can view
the configuration using the show auth-mac-addresses authorized-mac ip-addr. Refer to
the configuration using the show auth-mac-addresses authorized-mac ip-addr. Refer to
in the following section.
NOTE
The secure MAC-to-IP mapping is assigned at the time of authentication and remains in effect as
long as the MAC session is active. If the DHCP Secure table is updated after the session is
authenticated and while the session is still active, it does not affect the existing MAC session.
The secure MAC-to-IP mapping is assigned at the time of authentication and remains in effect as
long as the MAC session is active. If the DHCP Secure table is updated after the session is
authenticated and while the session is still active, it does not affect the existing MAC session.
The Source Guard ACL permit entry is removed when the MAC session expires or is cleared.
To enable Source Guard Protection on a port on which multi-device port authentication is enabled,
enter the following command at the Interface level of the CLI.
enter the following command at the Interface level of the CLI.
Brocade(config)# interface ethernet 1/1/4
Brocade(config-if-e10000-1/1/4)# mac-authentication source-guard-protection
enable
Brocade(config-if-e10000-1/1/4)# mac-authentication source-guard-protection
enable
Syntax: [no] mac-authentication source-guard-protection enable
Enter the no form of the command to disable SG protection.
Viewing the assigned ACL for ports on which source guard protection is enabled
Use the following command to view whether a Source Guard ACL or dynamic ACL is applied to ports
on which Source Guard Protection is enabled.
on which Source Guard Protection is enabled.
In the above output, for port 1/1/2, Source Guard Protection is enabled and the Source Guard ACL
is applied to the MAC session, as indicated by SG in the ACL column. For port 1/1/3, Source Guard
Protection is also enabled, but in this instance, a dynamic ACL (103) is applied to the MAC session.
is applied to the MAC session, as indicated by SG in the ACL column. For port 1/1/3, Source Guard
Protection is also enabled, but in this instance, a dynamic ACL (103) is applied to the MAC session.
Clearing authenticated MAC addresses
The Brocade device maintains an internal table of the authenticated MAC addresses (viewable with
the show authenticated-mac-address command). You can clear the contents of the authenticated
MAC address table either entirely, or just for the entries learned on a specified interface. In
addition, you can clear the MAC session for an address learned on a specific interface.
the show authenticated-mac-address command). You can clear the contents of the authenticated
MAC address table either entirely, or just for the entries learned on a specified interface. In
addition, you can clear the MAC session for an address learned on a specific interface.
To clear the entire contents of the authenticated MAC address table, enter the clear auth-mac-table
command.
command.
Brocade# clear auth-mac-table
Syntax: clear auth-mac-table
Brocade(config)# show auth-mac-addresses authorized-mac ip-addr
-------------------------------------------------------------------------------
MAC Address SourceIp Port Vlan Auth Age ACL dot1x
-------------------------------------------------------------------------------
0000.0010.2000 200.1.17.5 1/1/2 171 Yes Dis SG Ena
0000.0010.2001 200.1.17.6 1/1/3 171 Yes Dis 103 Ena
-------------------------------------------------------------------------------
MAC Address SourceIp Port Vlan Auth Age ACL dot1x
-------------------------------------------------------------------------------
0000.0010.2000 200.1.17.5 1/1/2 171 Yes Dis SG Ena
0000.0010.2001 200.1.17.6 1/1/3 171 Yes Dis 103 Ena