1864 FastIron Configuration Guide
53-1002494-02
Multi-device port authentication configuration
Enabling denial of service attack protection
NOTE
This feature is not supported on FWS devices.
The Brocade device does not start forwarding traffic from an authenticated MAC address in
hardware until the RADIUS server authenticates the MAC address; traffic from the
non-authenticated MAC addresses is sent to the CPU. A denial of service (DoS) attack could be
launched against the device where a high volume of new source MAC addresses is sent to the
device, causing the CPU to be overwhelmed with performing RADIUS authentication for these MAC
addresses. In addition, the high CPU usage in such an attack could prevent the RADIUS response
from reaching the CPU in time, causing the device to make additional authentication attempts.
To limit the susceptibility of the Brocade device to such attacks, you can configure the device to use
multiple RADIUS servers, which can share the load when there are a large number of MAC
addresses that need to be authenticated. The Brocade device can run a maximum of 10 RADIUS
clients per server and will attempt to authenticate with a new RADIUS server if the current one times
out.
In addition, you can configure the Brocade device to limit the rate of authentication attempts sent
to the RADIUS server. When the multi-device port authentication feature is enabled, it keeps track
of the number of RADIUS authentication attempts made per second. When you also enable the
DoS protection feature, if the number of RADIUS authentication attempts for MAC addresses
learned on an interface per second exceeds a configurable rate (by default 512 authentication
attempts per second), the device considers this a possible DoS attack and disables the port. You
must then manually re-enable the port.
The DoS protection feature is disabled by default. To enable it on an interface, enter commands
such as the following.
Brocade(config)#interface e 3/1
Brocade(config-if-e1000-3/1)#mac-authentication dos-protection enable
To specify a maximum rate for RADIUS authentication attempts, enter commands such as the
following.
Brocade(config)#interface e 3/1
Brocade(config-if-e1000-3/1)#mac-authentication dos-protection mac-limit 256
Syntax: [no] mac-authentication dos-protection mac-limit <number>
You can specify a rate from 1 – 65535 authentication attempts per second. The default is a rate of
512 authentication attempts per second.
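The following Python model is an added illustration, not Brocade device code: it reproduces the behaviour the text describes (a per-interface count of RADIUS authentication attempts per second, a configurable mac-limit with the 512 default and 1-65535 range, the port being disabled when the limit is exceeded, and the manual re-enable that is then required). The interface names, MAC addresses and the result strings are constructed for the example.

```python
"""Model of mac-authentication DoS protection: per-interface counter of
RADIUS authentication attempts per second; exceeding the limit disables the
port until it is manually re-enabled. Constructed illustration, not device code."""
from collections import defaultdict
from dataclasses import dataclass, field

DEFAULT_MAC_LIMIT = 512  # attempts per second; the guide's default


@dataclass
class PortState:
    dos_protection: bool = False  # the feature is off by default
    mac_limit: int = DEFAULT_MAC_LIMIT
    enabled: bool = True
    window_second: int = -1  # the one-second window currently being counted
    attempts: int = 0  # RADIUS attempts seen in that second
    authenticated: set = field(default_factory=set)


class MacAuthDosModel:
    def __init__(self):
        self.ports = defaultdict(PortState)

    def configure(self, port, mac_limit=DEFAULT_MAC_LIMIT):
        # equivalent of: mac-authentication dos-protection enable / mac-limit N
        if not 1 <= mac_limit <= 65535:
            raise ValueError("mac-limit must be 1-65535")
        st = self.ports[port]
        st.dos_protection, st.mac_limit = True, mac_limit

    def new_source_mac(self, port, mac, t):
        """Classify a frame from `mac` arriving on `port` at time t (seconds)."""
        st = self.ports[port]
        if not st.enabled:
            return "dropped"            # port was disabled by DoS protection
        if mac in st.authenticated:
            return "forwarded"          # already authenticated; hardware forwards it
        if int(t) != st.window_second:  # a new one-second window starts
            st.window_second, st.attempts = int(t), 0
        st.attempts += 1                # another RADIUS attempt reaches the CPU
        if st.dos_protection and st.attempts > st.mac_limit:
            st.enabled = False          # treated as a possible DoS attack
            return "port-disabled"
        return "authenticating"

    def mark_authenticated(self, port, mac):
        self.ports[port].authenticated.add(mac)  # RADIUS accepted this MAC

    def enable_port(self, port):
        """The manual re-enable the guide requires; the counter starts fresh."""
        st = self.ports[port]
        st.enabled, st.attempts, st.window_second = True, 0, -1
```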
Enabling source guard protection
Source Guard Protection is a form of IP Source Guard used in conjunction with multi-device port
authentication. When Source Guard Protection is enabled, IP traffic is blocked until the system
learns the IP address. Once the IP address is validated, traffic with that source address is
permitted.
NOTE
Source Guard Protection is supported together with multi-device port authentication as long as
ACL-per-port-per-vlan is enabled.