Ethernet Switches & Routers

brf
New Contributor
Posts: 2
Registered: ‎02-18-2016

Dynamic VLAN <-> MAC address problem...

Just testing this out and got stuck with a very simple scenario. I have a GS648P and am trying to test adding / removing VID 20 from frames between two Ethernet ports. Specifically, I have Port 3 on an untagged network and Port 2 with a Linux laptop generating frames on VID 20, and I am just trying to ping across the switch as a test. Both ends have fixed IPs on the same subnet.

Without mac authentication and just using

vlan 20 by port
 tagged ethe 0/1/2
 untagged ethe 0/1/3
!

I can get this to work; however, adding in mac-authentication breaks everything....

I have a Radius server on Port 48 directly connected to the switch and I can see the Radius requests and responses on that all going to/from the 648, so I know that bit is working.

My config is:

ver 04.3.01T7e1
!
module 1 fgs-48-port-management-module
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 20 by port
 tagged ethe 0/1/2
 untagged ethe 0/1/3
!
vlan 999 by port
 untagged ethe 0/1/48
!
!
!
boot sys fl sec
username brocade password .....
radius-server host 192.168.168.152 auth-port 1812 acct-port 1813 default key 1 $on-o=g"Z|8 dot1x
radius-server key 1 $on-o=g"Z|8
mac-authentication enable
mac-authentication mac-vlan-dyn-activation
interface ethernet 0/1/2
 mac-authentication enable
 mac-authentication auth-fail-action restrict-vlan 20
 mac-authentication enable-dynamic-vlan
!
interface ethernet 0/1/3
 mac-authentication enable
 mac-authentication auth-fail-action restrict-vlan
 mac-authentication enable-dynamic-vlan
!
interface ethernet 0/1/48
 ip address 192.168.168.154 255.255.255.0
!
end

The 648 has learnt the relevant MAC addresses / VIDs correctly from the Radius server:

BR-FGS648P Router(config-if-e1000-0/1/3)#show mac-address
Total active entries from all ports = 1068
MAC-Address     Port           Type          Index   VLAN
5c26.0a0d.d6cb  0/1/3          Dynamic       10172   1
0013.a9d6.cc7c  0/1/2          Dynamic       508     20
4494.fc27.957f  0/1/3          Dynamic       6272    1
b083.fec3.f45f  0/1/48         Dynamic       8544    999

Tagged traffic (VID 20) on 0/1/2, untagged test laptops on 0/1/3 and Radius server on 0/1/48.

I can see that authentication has worked:

BR-FGS648P Router(config-if-e1000-0/1/3)#show auth-mac-addresses detailed

Port                             : 0/1/2
Dynamic-Vlan  Assignment         : Enabled
RADIUS failure action            : Restricted Vlan
   Failure restrict use dot1x    : No
   Failure restrict vlan         : 20
Override-restrict-vlan           : Yes
Vlan                             : ( TAGGED )
Port Vlan State                  : DEFAULT
802.1x override Dynamic PVID     : NO
Original PVID                    : 1
DOS attack protection            : Disabled
Accepted Mac Addresses           : 1
Rejected Mac Addresses           : 0
Authentication in progress       : 0
Authentication attempts          : 0
RADIUS timeouts                  : 0
RADIUS timeouts action           : Retry
MAC Address on PVID              : 0
MAC Address authorized on PVID   : 0
Aging of MAC-sessions            : Enabled
Port move-back vlan              : Port-configured-vlan
Max-Age of sw mac session        : 120 seconds
hw age for denied mac            : 70 seconds
MAC Filter  applied              : No
Dynamic Acl applied              : No
num Dynamic Tagged Vlan          : 4636640
------------------------------------------------------------------------------
MAC Address    RADIUS Server   Authenticated  Time  Age  Dot1x Dyn-acl
------------------------------------------------------------------------------
0013.a9d6.cc7c 192.168.168.152 Yes    29d04h21m06s  S0   Dis


Port                             : 0/1/3
Dynamic-Vlan  Assignment         : Enabled
RADIUS failure action            : Restricted Vlan
   Failure restrict use dot1x    : No
   Failure restrict vlan         : 1
Override-restrict-vlan           : Yes
Port Default VLAN                : 1 ( RADIUS assigned: Yes) (1)
Port Vlan State                  : RADIUS VLAN
802.1x override Dynamic PVID     : NO
Original PVID                    : 20
DOS attack protection            : Disabled
Accepted Mac Addresses           : 2
Rejected Mac Addresses           : 9
Authentication in progress       : 0
Authentication attempts          : 0
RADIUS timeouts                  : 0
RADIUS timeouts action           : Retry
MAC Address on PVID              : 11
MAC Address authorized on PVID   : 2
Aging of MAC-sessions            : Enabled
Port move-back vlan              : Port-configured-vlan
Max-Age of sw mac session        : 120 seconds
hw age for denied mac            : 70 seconds
MAC Filter  applied              : No
Dynamic Acl applied              : No
num Dynamic Tagged Vlan          : 4636640
------------------------------------------------------------------------------
MAC Address    RADIUS Server   Authenticated  Time  Age  Dot1x Dyn-acl
------------------------------------------------------------------------------
8c70.5aa9.98d2 192.168.168.152 No     29d04h22m01s  H68  Dis
a00b.bae6.cff9 192.168.168.152 No     29d05h04m40s  H56  Dis
0007.eb06.1241 192.168.168.152 No     29d04h21m28s  H4   Dis
3859.f903.b90e 192.168.168.152 No     29d05h56m08s  S0   Dis
001f.1f72.ef38 192.168.168.152 No     29d05h59m00s  S64  Dis
b48b.1923.2726 192.168.168.152 No     29d06h19m37s  H16  Dis
207d.740f.f7e1 192.168.168.152 No     29d05h53m52s  S24  Dis
d8bb.2ca8.37ba 192.168.168.152 No     29d06h08m01s  S12  Dis
0023.1483.c360 192.168.168.152 No     29d04h22m58s  H52  Dis
4494.fc27.957f 192.168.168.152 Yes    29d04h27m26s  Ena  Dis
5c26.0a0d.d6cb 192.168.168.152 Yes    29d04h21m05s  S0   Dis

What I don't get is why I can't ping between the laptops on Ports 2 and 3. If I switch off the MAC authentication stuff, it just works.....

Any help would be appreciated!

Ben
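As an added troubleshooting aid (not part of Ben's post, and not a Brocade tool), the following Python script parses the two command outputs quoted above and reports, per port, which VLAN the authenticated hosts were actually learnt in, whether RADIUS replaced the port's configured PVID, and whether two ports share any VLAN at all. Run over the posted data it shows that 0/1/3 was moved from its configured VLAN 20 to the RADIUS-assigned VLAN 1 while the host on 0/1/2 was learnt in VLAN 20, so the two laptops are not in one broadcast domain. The sample text is an abbreviated copy of the thread's own output, and the regular expressions assume the column layout shown there.

```python
import re

# Abbreviated copies of the `show mac-address` and
# `show auth-mac-addresses detailed` output posted in the thread above.
MAC_TABLE = """\
MAC-Address     Port           Type          Index   VLAN
5c26.0a0d.d6cb  0/1/3          Dynamic       10172   1
0013.a9d6.cc7c  0/1/2          Dynamic       508     20
4494.fc27.957f  0/1/3          Dynamic       6272    1
b083.fec3.f45f  0/1/48         Dynamic       8544    999
"""

AUTH_DETAIL = """\
Port                             : 0/1/2
Dynamic-Vlan  Assignment         : Enabled
Port Vlan State                  : DEFAULT
Original PVID                    : 1
Accepted Mac Addresses           : 1
Rejected Mac Addresses           : 0
------------------------------------------------------------------------------
MAC Address    RADIUS Server   Authenticated  Time  Age  Dot1x Dyn-acl
------------------------------------------------------------------------------
0013.a9d6.cc7c 192.168.168.152 Yes    29d04h21m06s  S0   Dis


Port                             : 0/1/3
Dynamic-Vlan  Assignment         : Enabled
Port Default VLAN                : 1 ( RADIUS assigned: Yes) (1)
Port Vlan State                  : RADIUS VLAN
Original PVID                    : 20
Accepted Mac Addresses           : 2
Rejected Mac Addresses           : 9
------------------------------------------------------------------------------
MAC Address    RADIUS Server   Authenticated  Time  Age  Dot1x Dyn-acl
------------------------------------------------------------------------------
8c70.5aa9.98d2 192.168.168.152 No     29d04h22m01s  H68  Dis
4494.fc27.957f 192.168.168.152 Yes    29d04h27m26s  Ena  Dis
5c26.0a0d.d6cb 192.168.168.152 Yes    29d04h21m05s  S0   Dis
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
MAC_ROW = re.compile(r"^" + MAC + r"\s+(\S+)\s+\S+\s+\d+\s+(\d+)\s*$", re.M)
KEY_VAL = re.compile(r"^(\S[^:]*?)\s*:\s*(.*)$")
AUTH_ROW = re.compile(r"^" + MAC + r"\s+(\S+)\s+(Yes|No)\b")


def parse_mac_table(text):
    """Map MAC -> (port, vlan) from `show mac-address` output."""
    return {m.group(1): (m.group(2), int(m.group(3))) for m in MAC_ROW.finditer(text)}


def parse_auth_detail(text):
    """Map port -> {field: value, 'macs': {mac: authenticated?}} from the detailed auth output."""
    ports, cur = {}, None
    for line in text.splitlines():
        kv = KEY_VAL.match(line)
        if kv:
            key, val = kv.group(1).strip(), kv.group(2).strip()
            if key == "Port":
                cur = ports.setdefault(val, {"macs": {}})
            elif cur is not None:
                cur[key] = val
            continue
        row = AUTH_ROW.match(line)
        if row and cur is not None:
            cur["macs"][row.group(1)] = row.group(3) == "Yes"
    return ports


def radius_vlan(info):
    """VLAN RADIUS pushed onto the port, or None if the port keeps its configured VLAN."""
    m = re.match(r"(\d+).*RADIUS assigned:\s*Yes", info.get("Port Default VLAN", ""))
    return int(m.group(1)) if m else None


def diagnose(mac_table, auth):
    """Per port: configured PVID, RADIUS-assigned VLAN, counters, and VLANs the accepted MACs landed in."""
    report = {}
    for port, info in auth.items():
        accepted = [mac for mac, ok in info["macs"].items() if ok]
        report[port] = {
            "configured_pvid": int(info["Original PVID"]),
            "radius_vlan": radius_vlan(info),
            "accepted": int(info.get("Accepted Mac Addresses", 0)),
            "rejected": int(info.get("Rejected Mac Addresses", 0)),
            "learned_vlans": sorted({mac_table[m][1] for m in accepted if m in mac_table}),
        }
    return report


def same_broadcast_domain(report, a, b):
    """True only if accepted hosts on ports a and b were learnt in a common VLAN."""
    return bool(set(report[a]["learned_vlans"]) & set(report[b]["learned_vlans"]))


if __name__ == "__main__":
    rep = diagnose(parse_mac_table(MAC_TABLE), parse_auth_detail(AUTH_DETAIL))
    for port, r in sorted(rep.items()):
        print(port, r)
    print("0/1/2 and 0/1/3 share a VLAN:", same_broadcast_domain(rep, "0/1/2", "0/1/3"))
```

The script treats the MAC table, not the per-port VLAN state, as ground truth for where a host can actually talk, because a tagged port's PVID says nothing about the VLAN its tagged frames belong to.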

brf
New Contributor
Posts: 2
Registered: ‎02-18-2016

Re: Dynamic VLAN <-> MAC address problem...

So, on further investigation.

With a simple setup

vlan 20 by port
 tagged ethe 0/1/2
 untagged ethe 0/1/3

ARPs pass across the switch getting tagged / untagged as required.

As soon as the mac authentication is enabled, ARPs are no longer passed, which means L3 isn't going to work..

This can't be right, so I can only assume I'm missing something.....
