Home » HP Manuals » Storage Devices » HP StorageWorks 8/80 » Manual Viewer

HP StorageWorks 8/80 Brocade Converged Enhanced Ethernet Administrator's Guide - Page 139

Configuring 802.1x Port Authentication, In this x protocol overview

View all HP StorageWorks 8/80 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 139 highlights

Chapter Configuring 802.1x Port Authentication 10 In this chapter •802.1x protocol overview 119 •802.1x configuration guidelines and restrictions 119 •802.1x authentication configuration tasks 120 •Interface-specific administrative tasks for 802.1x 120 802.1x protocol overview The 802.1x protocol defines a port-based authentication algorithm involving network data communication between client-based supplicant software, an authentication database on a server, and the authenticator device. In this situation the authenticator device is the Brocade FCoE hardware. As the authenticator, the Brocade FCoE hardware prevents unauthorized network access. Upon detection of the new supplicant, the Brocade FCoE hardware enables the port and marks it "unauthorized". In this state, only 802.1x traffic is allowed. All other traffic, such as DHCP and HTTP, is blocked. The Brocade FCoE hardware transmits an EAP-request to the supplicant, which responds with the EAP-response packet. The Brocade FCoE hardware, which then forwards the EAP-response packet to the RADIUS authentication server. If the credentials are validated by the RADIUS server database, the supplicant may access the protected network resources. NOTE 802.1x port authentication is not supported by LAG (Link Aggregation Group) or interfaces that participate in a LAG. NOTE The EAP-MD5, EAP-TLS, EAP-TTLS and PEAP-v0 protocols are supported by the RADIUS server and are transparent to the authenticator switch. When the supplicant logs off, it sends an EAP-logoff message to the Brocade FCoE hardware which then sets the port back to the "unauthorized" state. 802.1x configuration guidelines and restrictions Follow these 802.1x configuration guidelines and restrictions when configuring 802.1x: • If you globally disable 802.1x, then all interface ports with 802.1x authentication enabled automatically switch to force-authorized port-control mode. Converged Enhanced Ethernet Administrator's Guide 119 53-1001346-01

Section	Page
Contents	3
Chapter 1 Introducing FCoE	3
Chapter 2 Using the CEE CLI	4
Chapter 3 Standard CEE Integrations and Configurations	4
Chapter 4 Configuring VLANs Using the CEE CLI	4
Chapter 5 Configuring STP, RSTP, and MSTP using the CEE CLI	5
Chapter 6 Configuring Link Aggregation using the CEE CLI	6
Chapter 7 Configuring LLDP using the CEE CLI	6
Chapter 8 Configuring ACLs using the CEE CLI	7
Chapter 9 Configuring QoS using the CEE CLI	7
Chapter 10 Configuring 802.1x Port Authentication	8
Chapter 11 Configuring FCoE using the Fabric OS CLI	8
Chapter 12 Administering the switch	8
Chapter 13 Configuring RMON using the CEE CLI	8
Figures	11
Tables	13
About This Document	15
In this chapter	15
How this document is organized	15
Supported hardware and software	16
What’s new in this document	17
Document conventions	17
Text formatting	17
Command syntax conventions	17
Notes, cautions, and warnings	18
Key terms	18
Notice to the reader	18
Additional information	19
Brocade resources	19
Other industry resources	19
Getting technical help	19
Document feedback	20
Introducing FCoE	21
In this chapter	21
FCoE terminology	21
FCoE overview	21
FCoE hardware	22
Layer 2 Ethernet overview	28
Layer 2 forwarding	28
VLAN tagging	29
Loop-free network environment	30
Frame classification (incoming)	30
Congestion control and queuing	31
Access control	32
Trunking	33
Flow Control	33
FCoE Initialization Protocol	33
FIP discovery	33
FIP login	34
FIP logout	35
FCoE login	35
FCoE logout	35
Logincfg	36
Name server	36
FC zoning	36
Registered state change notification (RSCN)	37
FCoE queuing	37
Using the CEE CLI	39
In this chapter	39
Management Tools	39
CEE Command Line Interface	39
Saving your configuration changes	40
CEE CLI RBAC permissions	40
Accessing the CEE CLI through the console or Telnet	41
Accessing the CEE CLI from the Fabric OS shell	41
CEE CLI command modes	41
CEE CLI keyboard shortcuts	43
Using the do command as a shortcut	44
Displaying CEE CLI commands and command syntax	44
CEE CLI command completion	45
CEE CLI command output modifiers	45
Standard CEE Integrations and Configurations	47
In this chapter	47
Overview of standard CEE integrations	47
SAN Integration	47
Integrating a Brocade 8000 switch on a SAN	48
CEE and LAN integration	48
Creating the CEE map	50
Configuring DCBX	51
Configuring Spanning Tree Protocol	52
Configuring VLAN Membership	52
Configuring the CEE Interfaces	53
Server connections to the Brocade 8000 switch	55
Fibre Channel configuration for the CNA	55
Ethernet configuration for the CNA	55
Minimum CEE configuration to allow FCoE traffic flow	55
Configuring VLANs Using the CEE CLI	57
In this chapter	57
VLAN overview	57
Ingress VLAN filtering	57
VLAN configuration guidelines and restrictions	59
Default VLAN configuration	59
VLAN configuration and management	59
Enabling and disabling an interface port	60
Configuring the MTU on an interface port	60
Creating a VLAN interface	60
Enabling STP on a VLAN	61
Disabling STP on a VLAN	61
Configuring a VLAN interface to forward FCoE traffic	61
Configuring an interface port as a Layer 2 switch port	62
Configuring an interface port as an access interface	62
Configuring an interface port as a trunk interface	62
Disabling a VLAN on a trunk interface	63
Configuring an interface port as a converged interface	63
Disabling a VLAN on a converged interface	64
Configuring protocol-based VLAN classifier rules	64
Configuring a VLAN classifier rule	65
Configuring MAC address-based VLAN classifier rules	65
Deleting a VLAN classifier rule	65
Creating a VLAN classifier group and adding rules	65
Activating a VLAN classifier group with an interface port	66
Clearing VLAN counter statistics	66
Displaying VLAN information	66
Configuring the MAC address table	66
Specifying or disabling the aging time for MAC addresses	67
Adding static addresses to the MAC address table	67
Configuring STP, RSTP, and MSTP using the CEE CLI	69
In this chapter	69
STP overview	69
Configuring STP on Brocade FCoE hardware	70
RSTP overview	71
MSTP overview	73
Configuring MSTP on Brocade FCoE hardware	74
STP, RSTP, and MSTP configuration guidelines and restrictions	75
Default STP, RSTP, and MSTP configuration	75
STP, RSTP, and MSTP configuration and management	77
Enabling STP, RSTP, or MSTP	77
Disabling STP, RSTP, or MSTP	77
Shutting down STP, RSTP, or MSTP globally	77
Specifying the bridge priority	78
Specifying the bridge forward delay	78
Specifying the bridge maximum aging time	79
Enabling the error disable timeout timer	79
Specifying the error disable timeout interval	79
Specifying the port-channel path cost	80
Specifying the bridge hello time (STP and RSTP)	80
Specifying the transmit hold count (RSTP and MSTP)	80
Enabling Cisco interoperability (MSTP)	81
Disabling Cisco interoperability (MSTP)	81
Mapping a VLAN to an MSTP instance	81
Specifying the maximum number of hops for a BPDU (MSTP)	82
Specifying a name for an MSTP region	82
Specifying a revision number for an MSTP configuration	82
Flushing MAC addresses (RSTP and MSTP)	83
Clearing spanning tree counters	83
Clearing spanning tree-detected protocols	83
Displaying STP, RSTP, and MSTP-related information	84
Configuring STP, RSTP, or MSTP on CEE interface ports	84
Enabling automatic edge detection	84
Configuring the path cost	84
Enabling a port (interface) as an edge port	85
Enabling the guard root	85
Specifying the MSTP hello time	86
Specifying restrictions for an MSTP instance	86
Specifying a link type	87
Enabling port fast (STP)	87
Specifying the port priority	87
Restricting the port from becoming a root port	88
Restricting the topology change notification	88
Enabling spanning tree	88
Disabling spanning tree	89
Configuring Link Aggregation using the CEE CLI	91
In this chapter	91
Link aggregation overview	91
Link Aggregation Group configuration	91
Link Aggregation Control Protocol	95
Dynamic link aggregation	95
Static link aggregation	95
Brocade-proprietary aggregation	95
LAG distribution process	95
LACP configuration guidelines and restrictions	96
Default LACP configuration	96
LACP configuration and management	96
Enabling LACP on a CEE interface	97
Configuring the LACP system priority	97
Configuring the LACP timeout period on a CEE interface	97
Clearing LACP counter statistics on a LAG	98
Clearing LACP counter statistics on all LAG groups	98
Displaying LACP information	98
LACP troubleshooting tips	98
Configuring LLDP using the CEE CLI	101
In this chapter	101
LLDP overview	101
Layer 2 topology mapping	102
DCBX overview	104
Enhanced Transmission Selection (ETS)	104
Priority Flow Control (PFC)	105
DCBX interaction with other vendor devices	105
LLDP configuration guidelines and restrictions	105
Default LLDP configuration	106
LLDP configuration and management	106
Enabling LLDP globally	106
Disabling and resetting LLDP globally	106
Configuring LLDP global command options	107
Configuring LLDP interface-level command options	111
Clearing LLDP-related information	111
Displaying LLDP-related information	111
Configuring ACLs using the CEE CLI	113
In this chapter	113
ACL overview	113
Default ACL configuration	114
ACL configuration guidelines and restrictions	114
ACL configuration and management	114
Creating a standard MAC ACL and adding rules	114
Creating an extended MAC ACL and adding rules	115
Modifying MAC ACL rules	115
Removing a MAC ACL	116
Reordering the sequence numbers in a MAC ACL	116
Applying a MAC ACL to a CEE interface	117
Applying a MAC ACL to a VLAN interface	117
Configuring QoS using the CEE CLI	119
In this chapter	119
QoS overview	119
Rewriting	120
Queueing	120
User-priority mapping	120
Traffic class mapping	124
Congestion control	126
Tail drop	126
Ethernet pause	128
Ethernet Priority Flow Control	129
Multicast rate limiting	129
Scheduling	130
Strict priority scheduling	130
Deficit weighted round robin scheduling	131
Traffic class scheduling policy	131
Multicast queue scheduling	133
Converged Enhanced Ethernet map configuration	133
Configuring 802.1x Port Authentication	139
In this chapter	139
802.1x protocol overview	139
802.1x configuration guidelines and restrictions	139
802.1x authentication configuration tasks	140
Configure authentication between the switch and CNA or NIC	140
Interface-specific administrative tasks for 802.1x	140
Configuring 802.1x on specific interface ports	140
Configuring 802.1x timeouts on specific interface ports	141
Configuring 802.1x re-authentication on specific interface ports	141
Disabling 802.1x on specific interface ports	141
Configuring FCoE using the Fabric OS CLI	143
In this chapter	143
FCoE configuration guidelines and restrictions	143
Managing and displaying the FCoE configuration	143
Enabling or disabling an FCoE port	144
Configuring FCMAP values for a VLAN	144
Configuring FIP multicast advertisement intervals	144
Clearing logins	145
Displaying FCoE configuration-related information	145
Managing and displaying the FCoE login configuration	145
Enabling or disabling FCoE login configuration management	145
Displaying or aborting the current configuration transaction	146
Cleaning up login groups and VN_port mappings	146
Displaying the FCoE login configuration	146
Saving the current FCoE configuration	147
Creating and managing the FCoE login group configuration	147
Creating an FCoE login group	147
Modifying the FCoE login group device list	148
Deleting an FCoE login group	148
Renaming an FCoE login group	148
Administering the switch	149
In this chapter	149
CEE configuration management guidelines and restrictions	149
CEE configuration management tasks	149
Flash file management commands	150
Debugging and logging commands	151
Configuring RMON using the CEE CLI	153
In this chapter	153
RMON overview	153
RMON configuration and management	153
Default RMON configuration	153
Configuring RMON settings	153
Configuring RMON events	154
Configuring RMON Ethernet group statistics collection	154
Index	157
Symbols	157
Numerics	157
A	157
B	157
C	158
D	158
E	158
F	158
G	159
H	159
I	159
K	159
L	159
M	160
N	160
O	160
P	160
Q	161
R	161
S	161
T	161
U	162
V	162
W	162

Match case Limit results 1 per page

Converged Enhanced Ethernet Administrator’s Guide

119

53-1001346-01

Chapter

Configuring 802.1x Port Authentication

In this chapter

•

802.1x protocol overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

•

802.1x configuration guidelines and restrictions . . . . . . . . . . . . . . . . . . . . 119

•

802.1x authentication configuration tasks . . . . . . . . . . . . . . . . . . . . . . . . . 120

•

Interface-specific administrative tasks for 802.1x . . . . . . . . . . . . . . . . . . . 120

802.1x protocol overview

The 802.1x protocol defines a port-based authentication algorithm involving network data

communication between client-based supplicant software, an authentication database on a server,

and the authenticator device. In this situation the authenticator device is the Brocade FCoE

hardware.

As the authenticator, the Brocade FCoE hardware prevents unauthorized network access. Upon

detection of the new supplicant, the Brocade FCoE hardware enables the port and marks it

“unauthorized”. In this state, only 802.1x traffic is allowed. All other traffic, such as DHCP and

HTTP, is blocked. The Brocade FCoE hardware transmits an EAP-request to the supplicant, which

responds with the EAP-response packet. The Brocade FCoE hardware, which then forwards the

EAP-response packet to the RADIUS authentication server. If the credentials are validated by the

RADIUS server database, the supplicant may access the protected network resources.

NOTE

802.1x port authentication is not supported by LAG (Link Aggregation Group) or interfaces that

participate in a LAG.

NOTE

The EAP-MD5, EAP-TLS, EAP-TTLS and PEAP-v0 protocols are supported by the RADIUS server and

are transparent to the authenticator switch.

When the supplicant logs off, it sends an EAP-logoff message to the Brocade FCoE hardware which

then sets the port back to the “unauthorized” state.

802.1x configuration guidelines and restrictions

Follow these 802.1x configuration guidelines and restrictions when configuring 802.1x:

•

If you globally disable 802.1x, then all interface ports with 802.1x authentication enabled

automatically switch to force-authorized port-control mode.