Manualshelf

Configuration Guide User guide

ManualsBrandsBrocade ManualsComputer AccessoriesFastIron
1921192219231924192519261927192819291930
FastIron Configuration Guide 1865
53-1002494-02
Multi-device port authentication configuration
When a new MAC session begins on a port that has Source Guard Protection enabled, the session
will either apply a dynamically created Source Guard ACL entry, or it will use the dynamic IP ACL
assigned by the RADIUS server. If a dynamic IP ACL is not assigned, the session will use the
Source Guard ACL entry. The Source Guard ACL entry is permit ip <secure-ip> any, where
<secure-ip> is obtained from the ARP Inspection table or from the DHCP Secure table. The DHCP
Secure table is comprised of DHCP Snooping and Static ARP Inspection entries.
The Source Guard ACL permit entry is added to the hardware table after all of the following events
occur:
The MAC address is authenticated
The IP address is learned
The MAC-to-IP mapping is checked against the Static ARP Inspection table or the DHCP Secure
table.
The Source Guard ACL entry is not written to the running configuration file. However, you can view
the configuration using the show auth-mac-addresses authorized-mac ip-addr. Refer to “Viewing
the assigned ACL for ports on which source guard protection is enabled” in the following section.
NOTE
The secure MAC-to-IP mapping is assigned at the time of authentication and remains in effect as
long as the MAC session is active. If the DHCP Secure table is updated after the session is
authenticated and while the session is still active, it does not affect the existing MAC session.
The Source Guard ACL permit entry is removed when the MAC session expires or is cleared.
To enable Source Guard Protection on a port on which multi-device port authentication is enabled,
enter the following command at the Interface level of the CLI.
FastIron(config)int e 1/4
FastIron(config-if-e1000-1/4)mac-authentication source-guard-protection enable
Syntax: [no] mac-authentication source-guard-protection enable
Enter the no form of the command to disable SG protection.
Viewing the assigned ACL for ports on which source guard protection is enabled
Use the following command to view whether a Source Guard ACL or dynamic ACL is applied to ports
on which Source Guard Protection is enabled.
In the above output, for port 6/12, Source Guard Protection is enabled and the Source Guard ACL
is applied to the MAC session, as indicated by SG in the ACL column. For port 6/13, Source Guard
Protection is also enabled, but in this instance, a dynamic ACL (103) is applied to the MAC session.
Brocade(config)#show auth-mac-addresses authorized-mac ip-addr
-------------------------------------------------------------------------------
MAC Address SourceIp Port Vlan Auth Age ACL dot1x
-------------------------------------------------------------------------------
00A1.0010.2000 200.1.17.5 6/12 171 Yes Dis SG Ena
00A1.0010.2001 200.1.17.6 6/13 171 Yes Dis 103 Ena