Multi-device port authentication configuration

The MAC-to-IP mapping is checked against the Static ARP Inspection table or the DHCP Secure table.

The Source Guard ACL entry is not written to the running configuration file. However, you can view the configuration using the show auth-mac-addressesauthorized-macip-addr. Refer to “Viewing the assigned ACL for ports on which source guard protection is enabled” in the following section.

NOTE

The secure MAC-to-IP mapping is assigned at the time of authentication and remains in effect as long as the MAC session is active. If the DHCP Secure table is updated after the session is authenticated and while the session is still active, it does not affect the existing MAC session.

The Source Guard ACL permit entry is removed when the MAC session expires or is cleared.

To enable Source Guard Protection on a port on which multi-device port authentication is enabled, enter the following command at the Interface level of the CLI.

Brocade(config)# interface ethernet 1/1/4 Brocade(config-if-e10000-1/1/4)# mac-authentication source-guard-protection enable

Syntax: [no] mac-authentication source-guard-protection enable

Enter the no form of the command to disable SG protection.

Viewing the assigned ACL for ports on which source guard protection is enabled

Use the following command to view whether a Source Guard ACL or dynamic ACL is applied to ports on which Source Guard Protection is enabled.

Brocade(config)# show auth-mac-addresses authorized-mac ip-addr

-------------------------------------------------------------------------------

MAC Address SourceIp Port Vlan Auth Age ACL dot1x

-------------------------------------------------------------------------------

0000.0010.2000

200.1.17.5

1/1/2

171

Yes

Dis

SG

Ena

0000.0010.2001

200.1.17.6

1/1/3

171

Yes

Dis

103

Ena

In the above output, for port 1/1/2, Source Guard Protection is enabled and the Source Guard ACL is applied to the MAC session, as indicated by SG in the ACL column. For port 1/1/3, Source Guard Protection is also enabled, but in this instance, a dynamic ACL (103) is applied to the MAC session.

Clearing authenticated MAC addresses

The Brocade device maintains an internal table of the authenticated MAC addresses (viewable with the show authenticated-mac-addresscommand). You can clear the contents of the authenticated MAC address table either entirely, or just for the entries learned on a specified interface. In addition, you can clear the MAC session for an address learned on a specific interface.

To clear the entire contents of the authenticated MAC address table, enter the clear auth-mac-tablecommand.

Brocade# clear auth-mac-table

Syntax: clear auth-mac-table

Brocade ICX 6650 Security Configuration Guide

247

53-1002601-01

 

Page 267
Image 267
Brocade Communications Systems 6650 manual Clearing authenticated MAC addresses, Syntax clear auth-mac-table