MAC-based VLAN overview

MAC-based VLAN feature structure

The MAC-based VLAN feature operates in two stages:

1. Source MAC address authentication

2. Policy-based classification and forwarding

Source MAC address authentication

Source MAC address authentication is performed by a central RADIUS server when it receives a PAP request with a username and password that match the MAC address being authenticated. When the MAC address is successfully authenticated, the server must return the VLAN identifier, which is carried in the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes of the RADIUS packets. If the Tunnel-Type is tagged, the MAC address will be blocked or restricted. If the identified VLAN does not exist, then the authentication is considered a failure, and action is taken based on the configured failure options. (The default failure action is to drop the traffic.) The RADIUS server may also optionally return the QoS attribute for the authenticated MAC address. Refer to Table 47 on page 217 for more information about attributes.

Policy-based classification and forwarding

After the authentication stage is complete, incoming traffic is classified based on the response from the RADIUS server. There are three possible actions:

Incoming traffic from a specific source MAC is dropped because authentication failed

Incoming traffic from a specific source MAC is classified as untagged into a specific VLAN

Incoming traffic from a specific source MAC is classified as untagged into a restricted VLAN

Traffic classification is performed by programming incoming traffic and RADIUS-returned attributes in the hardware. Incoming traffic attributes include the source MAC address and the port on which the feature is enabled. The RADIUS-returned attributes are the VLAN into which the traffic is to be classified, and the QoS priority.
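The two stages described above (PAP authentication keyed on the MAC address, then classification from the returned tunnel attributes) can be modelled end to end. The following is an added example written for this page; it is not Brocade's code and not taken from the guide. It assumes the switch sends the MAC address in plain 12-hex-digit form as both username and password (the exact username format is not given on the page), models the configurable failure option as either "drop" (the documented default) or "restricted", treats a Tunnel-Type whose tag byte is in the 0x01..0x1F range as "tagged" in the sense the page uses, and leaves out the optional QoS attribute because its encoding is not shown here. The sample Access-Accept attribute bytes are constructed in the block, not captured from a real server.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# RADIUS tunnel attribute type codes and values (RFC 2868 / RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = 802


def pap_credentials(mac: str) -> Tuple[str, str]:
    """Stage 1: the PAP username and password are both the client MAC.
    Assumption: plain lowercase 12-hex-digit form (format not stated on the page)."""
    norm = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(norm) != 12 or any(c not in "0123456789abcdef" for c in norm):
        raise ValueError("malformed MAC address: %r" % mac)
    return norm, norm


def parse_attributes(payload: bytes) -> Dict[int, bytes]:
    """Walk the Type/Length/Value attribute list that follows the 20-byte RADIUS header."""
    attrs: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def tagged_int(value: bytes) -> Tuple[int, int]:
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte followed by a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_string(value: bytes) -> Tuple[int, str]:
    """Tunnel-Private-Group-ID: a leading byte <= 0x1F is a tag, anything larger is
    the first character of the string (RFC 2868 section 3.6)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


@dataclass
class Classification:
    action: str                     # "drop", "vlan" or "restricted"
    vlan_id: Optional[int] = None   # VLAN the untagged traffic is classified into
    reason: str = ""


def _failure(failure_action: str, restricted_vlan: int, reason: str) -> Classification:
    """Apply the configured failure option; "drop" is the documented default."""
    if failure_action == "restricted":
        return Classification("restricted", restricted_vlan, reason)
    return Classification("drop", None, reason)


def classify(attrs: Dict[int, bytes], existing_vlans: Set[int],
             restricted_vlan: int, failure_action: str = "drop") -> Classification:
    """Stage 2: derive the forwarding action from the RADIUS-returned attributes."""
    try:
        ttag, ttype = tagged_int(attrs[TUNNEL_TYPE])
        _, mtype = tagged_int(attrs[TUNNEL_MEDIUM_TYPE])
        _, group = tagged_string(attrs[TUNNEL_PRIVATE_GROUP_ID])
    except (KeyError, ValueError) as exc:
        return _failure(failure_action, restricted_vlan, "missing or malformed tunnel attributes: %s" % exc)
    if ttype != TUNNEL_TYPE_VLAN or mtype != TUNNEL_MEDIUM_IEEE_802:
        return _failure(failure_action, restricted_vlan, "tunnel attributes do not describe an 802 VLAN")
    if not group.isdigit():
        return _failure(failure_action, restricted_vlan, "Tunnel-Private-Group-ID %r is not a VLAN id" % group)
    vlan_id = int(group)
    if vlan_id not in existing_vlans:
        # Page: a VLAN that does not exist counts as an authentication failure.
        return _failure(failure_action, restricted_vlan, "VLAN %d does not exist" % vlan_id)
    if 0x01 <= ttag <= 0x1F:
        # Page: a tagged Tunnel-Type means the MAC is blocked or restricted.
        return Classification("restricted", restricted_vlan, "tagged Tunnel-Type")
    return Classification("vlan", vlan_id, "authenticated")


def build_tunnel_attrs(vlan_id: int, tag: int = 0) -> bytes:
    """Constructed sample Access-Accept attribute bytes for testing (not a real capture)."""
    def tlv(atype: int, value: bytes) -> bytes:
        return bytes([atype, len(value) + 2]) + value
    return (tlv(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


if __name__ == "__main__":
    vlans, restricted = {1, 100, 200}, 200
    print(pap_credentials("00:11:22:aa:bb:cc"))
    for label, payload in (("ok", build_tunnel_attrs(100)),
                           ("tagged", build_tunnel_attrs(100, tag=1)),
                           ("no such vlan", build_tunnel_attrs(999))):
        print(label, classify(parse_attributes(payload), vlans, restricted))
```

The length checks in `parse_attributes` and `tagged_int` matter on a switch: a malformed Access-Accept must end in the failure path rather than in an out-of-range read or an unintended VLAN assignment.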

NOTE

This feature drops any incoming tagged traffic on the port, and classifies and forwards untagged traffic into the appropriate VLANs.

This feature supports up to a maximum of 32 MAC addresses per physical port, with a default of 2.

NOTE

Even though the feature supports up to a maximum of 32 MAC addresses per physical port, the configuration of the maximum number of MAC addresses per port is limited by the available hardware resources.

Once a client MAC address is successfully authenticated and registered, the MAC-to-VLAN association remains until the port connection is dropped, or the MAC entry expires.

MAC-based VLAN and port up or down events

When the state of a port is changed to down, all authorized and unauthorized MAC addresses are removed from the MAC-to-VLAN mapping table, and any pending authentication requests are cancelled.
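The per-port MAC limit, the drop of tagged frames, the lifetime of a MAC-to-VLAN association, and the port-down flush described in the last few paragraphs amount to a small state table. The following is an added example modelling that table; it is not the switch's own implementation and is not from the guide. It assumes that a MAC seen beyond the configured per-port limit is simply not admitted (how the switch reports this is not on the page), that a failed authentication is kept as an unauthorized entry whose traffic is dropped, and uses Brocade-style port names such as "1/1/1" only as sample values.

```python
from typing import Dict, Optional, Set, Tuple

DEFAULT_MAX_MACS_PER_PORT = 2   # documented default
HARD_MAX_MACS_PER_PORT = 32     # documented upper bound (hardware may allow less)


class MacVlanTable:
    """MAC-to-VLAN mapping table for ports with MAC-based VLAN enabled."""

    def __init__(self, max_per_port: int = DEFAULT_MAX_MACS_PER_PORT) -> None:
        if not 1 <= max_per_port <= HARD_MAX_MACS_PER_PORT:
            raise ValueError("max MACs per port must be 1..%d" % HARD_MAX_MACS_PER_PORT)
        self.max_per_port = max_per_port
        # port -> mac -> {"state": "authorized"|"unauthorized", "vlan": int|None}
        self.entries: Dict[str, Dict[str, dict]] = {}
        # port -> MACs whose RADIUS request is still outstanding
        self.pending: Dict[str, Set[str]] = {}

    def learn(self, port: str, mac: str) -> str:
        """A new source MAC appears on the port: start authentication unless the
        port already holds its maximum number of MACs (assumption: extra MACs are not admitted)."""
        known = self.entries.setdefault(port, {})
        pend = self.pending.setdefault(port, set())
        if mac in known:
            return known[mac]["state"]
        if mac in pend:
            return "pending"
        if len(known) + len(pend) >= self.max_per_port:
            return "rejected"
        pend.add(mac)
        return "pending"

    def auth_result(self, port: str, mac: str, vlan: Optional[int]) -> str:
        """Install the RADIUS outcome. vlan=None means the authentication failed and the
        MAC is recorded as unauthorized; a reply for a request that was cancelled
        (for example by a port-down event) is ignored."""
        pend = self.pending.get(port, set())
        if mac not in pend:
            return "ignored"
        pend.discard(mac)
        state = "authorized" if vlan is not None else "unauthorized"
        self.entries.setdefault(port, {})[mac] = {"state": state, "vlan": vlan}
        return state

    def forward(self, port: str, mac: str, tagged: bool) -> Tuple[str, Optional[int]]:
        """Classify one incoming frame. Tagged frames are always dropped on these ports;
        untagged frames are forwarded into the VLAN the MAC was authorized for."""
        if tagged:
            return "drop", None
        entry = self.entries.get(port, {}).get(mac)
        if entry is None or entry["state"] != "authorized":
            return "drop", None
        return "forward", entry["vlan"]

    def expire(self, port: str, mac: str) -> bool:
        """Age out a single MAC entry; its association is gone until it re-authenticates."""
        return self.entries.get(port, {}).pop(mac, None) is not None

    def port_down(self, port: str) -> Tuple[int, int]:
        """Port-down event: remove every authorized and unauthorized MAC on the port
        and cancel outstanding authentication requests. Returns (removed, cancelled)."""
        removed = len(self.entries.pop(port, {}))
        cancelled = len(self.pending.pop(port, set()))
        return removed, cancelled


if __name__ == "__main__":
    t = MacVlanTable()                       # default: 2 MACs per port
    print(t.learn("1/1/1", "001122aabbcc"))  # pending
    print(t.learn("1/1/1", "001122aabbcd"))  # pending
    print(t.learn("1/1/1", "001122aabbce"))  # rejected (port full)
    print(t.auth_result("1/1/1", "001122aabbcc", 100))   # authorized
    print(t.forward("1/1/1", "001122aabbcc", tagged=False))  # ('forward', 100)
    print(t.port_down("1/1/1"))              # (1, 1)
```

Counting pending requests against the per-port limit is deliberate: otherwise a burst of new source MACs could queue more RADIUS requests than the port can ever hold entries for.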

212

Brocade ICX 6650 Security Configuration Guide


53-1002601-01
