802.1x MAC Address Authentication Bypass (MAB) is a supplemental authentication mechanism that lets non-802.1x devices bypass the traditional 802.1x process altogether, letting them authenticate to the network using their client MAC address as an identifier
• A list of authorized MAC addresses of client NICs is maintained on the RADIUS server for MAB purposes
• MAB can be configured on a per-port basis on the switch
• MAB initiates after an unsuccessful dot1x authentication process (configurable time-out), when clients do not respond to any EAPOL packets
• When 802.1X-unaware clients try to connect, the switch sends the MAC address of each client to the authentication server
• The RADIUS server checks the MAC address of the client NIC against the list of authorized addresses
• The RADIUS server returns the access policy and VLAN assignment to the switch for each client
With Successive Tiering, the Authentication Manager allows several authentication methods per port, tried in tiers based on configured time-outs
• By default, the configured authentication methods are tried in this order: Dot1x, then MAB, then Captive Portal (web authentication)
• With BYOD, such Tiered Authentication is powerful and simple to implement with strict policies
• For instance, when a client is connecting, M6100 tries to authenticate the user/client using the three methods above, one after the other
• The admin can restrict the configuration such that no other method is allowed to follow the captive portal method, for instance
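The MAB lookup and the Dot1x → MAB → Captive Portal fall-through described above, as an added Python model; this is illustrative code written for this page, not NETGEAR firmware or a RADIUS server implementation. The MAC table, the policy names and the VLAN numbers are constructed, and the EAPOL time-out is collapsed into a single "client never answered" flag rather than simulated as wall-clock time.

```python
from dataclasses import dataclass

# Constructed RADIUS-side MAB table: normalized MAC -> (access policy, VLAN).
AUTHORIZED_MACS = {
    "00:1b:21:aa:bb:cc": ("printer-policy", 30),
    "00:50:56:11:22:33": ("camera-policy", 40),
}
DOT1X_VLAN = 10  # constructed: VLAN returned for a successful 802.1X supplicant
GUEST_VLAN = 99  # constructed: VLAN returned after captive-portal (web) login


def normalize_mac(mac: str) -> str:
    """Canonicalize the MAC the switch sends as the MAB username.

    Switches emit it in several shapes (AABBCCDDEEFF, aa-bb-cc-dd-ee-ff,
    aabb.ccdd.eeff); comparing a canonical form avoids denials caused by
    formatting alone.
    """
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mab_lookup(mac: str):
    """RADIUS-side check: (policy, vlan) if the NIC is authorized, else None."""
    return AUTHORIZED_MACS.get(normalize_mac(mac))


@dataclass
class Client:
    mac: str
    answers_eapol: bool = False  # an 802.1X supplicant replied to EAPOL at all
    dot1x_valid: bool = False    # the supplicant's credentials were accepted
    portal_valid: bool = False   # the captive-portal login was accepted


def tiered_authenticate(client: Client, order=("dot1x", "mab", "webauth")):
    """Try each configured method in turn, falling through on failure or time-out.

    Returns (method, policy, vlan) for the first tier that succeeds, or
    ("denied", None, None) when every tier fails.  The captive portal is
    enforced as the final tier, mirroring the admin restriction that no
    method may follow it.
    """
    if "webauth" in order and order.index("webauth") != len(order) - 1:
        raise ValueError("captive portal must be the last method; nothing may follow it")
    for method in order:
        if method == "dot1x":
            if not client.answers_eapol:
                continue  # EAPOL time-out expired with no reply: next tier
            if client.dot1x_valid:
                return ("dot1x", "dot1x-policy", DOT1X_VLAN)
        elif method == "mab":
            hit = mab_lookup(client.mac)
            if hit is not None:
                return ("mab", hit[0], hit[1])
        elif method == "webauth":
            if client.portal_valid:
                return ("webauth", "guest-policy", GUEST_VLAN)
        else:
            raise ValueError(f"unknown authentication method {method!r}")
    return ("denied", None, None)


if __name__ == "__main__":
    # Constructed clients: a printer without a supplicant, a laptop with one,
    # a guest device that only completes the web portal, and an unknown device.
    for c in (Client("001B21AABBCC"),
              Client("aa:aa:aa:aa:aa:01", answers_eapol=True, dot1x_valid=True),
              Client("aa:aa:aa:aa:aa:02", portal_valid=True),
              Client("aa:aa:aa:aa:aa:03")):
        print(c.mac, "->", tiered_authenticate(c))
```

A printer that never answers EAPOL ends up on VLAN 30 via MAB, a laptop with a working supplicant stops at the Dot1x tier, and a device that fails all three tiers is denied rather than silently placed on a default VLAN.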
Double VLANs (DVLAN - QinQ) pass traffic from one customer domain to another through the "metro core" in a multi-tenancy environment: customer VLAN IDs are preserved and a service provider VLAN ID is added to the traffic so the traffic can pass the metro core in a simple, secure manner
Private VLANs (with Primary VLAN, Isolated VLAN, Community VLAN, Promiscuous port, Host port, Trunks) provide Layer 2 isolation between ports that share the same broadcast domain, allowing a VLAN broadcast domain to be partitioned into smaller point-to-multipoint subdomains across switches in the same Layer 2 network
• Private VLANs are useful in a DMZ when servers are not supposed to communicate with each other but need to communicate with a router
• They remove the need for more complex port-based VLANs with their respective IP interfaces/subnets and associated L3 routing
• Another typical Private VLAN application is carrier-class deployments where users should not see, snoop on or attack other users' traffic
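The isolation rules between the three Private VLAN port roles, as an added Python model of the Layer 2 forwarding decision inside one primary VLAN; this is illustrative code for this page, not the switch's forwarding logic. The port names, the "app"/"db" community names and the DMZ layout are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # uplink to the router/firewall: reaches every port
    ISOLATED = "isolated"        # host port in the isolated VLAN: reaches promiscuous ports only
    COMMUNITY = "community"      # host port in a community VLAN: reaches its community + promiscuous


@dataclass(frozen=True)
class Port:
    name: str
    kind: PortType
    community: Optional[str] = None  # secondary (community) VLAN name, community ports only

    def __post_init__(self) -> None:
        if (self.kind is PortType.COMMUNITY) != (self.community is not None):
            raise ValueError(f"{self.name}: community name required exactly for community ports")


def can_forward(src: Port, dst: Port) -> bool:
    """Decide whether a frame from src may be delivered to dst within the primary VLAN."""
    if src == dst:
        return False
    if PortType.PROMISCUOUS in (src.kind, dst.kind):
        return True  # the router-facing port talks to everyone, in both directions
    if src.kind is PortType.COMMUNITY and dst.kind is PortType.COMMUNITY:
        return src.community == dst.community  # same community VLAN only
    return False  # isolated<->isolated, isolated<->community, different communities


def reachable_from(port: Port, ports) -> list:
    """Names of the ports a frame from `port` can reach, sorted for stable output."""
    return sorted(p.name for p in ports if can_forward(port, p))


if __name__ == "__main__":
    # Constructed DMZ: one uplink, two isolated web servers, an "app" community
    # of two hosts and a single "db" community host, all in one broadcast domain.
    dmz = [
        Port("uplink", PortType.PROMISCUOUS),
        Port("web1", PortType.ISOLATED),
        Port("web2", PortType.ISOLATED),
        Port("app1", PortType.COMMUNITY, "app"),
        Port("app2", PortType.COMMUNITY, "app"),
        Port("db1", PortType.COMMUNITY, "db"),
    ]
    for p in dmz:
        print(f"{p.name:7s} -> {reachable_from(p, dmz)}")
```

The matrix makes the DMZ property visible: web1 and web2 share a subnet and a broadcast domain yet can only ever exchange frames with the uplink, without any per-server VLAN, IP interface or routing entry.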
Secure Shell (SSH) and SNMPv3 (with or without MD5 or SHA authentication) ensure SNMP and Telnet sessions are secured
TACACS+ and RADIUS enhanced administrator management provides strict "Login" and "Enable" authentication enforcement for the switch configuration, based on the latest industry standards: exec authorization using TACACS+ or RADIUS; command authorization using TACACS+ and RADIUS Server; user exec accounting for HTTP and HTTPS using TACACS+ or RADIUS; and authentication based on user domain in addition to user ID and password
Superior quality of service
Advanced classifier-based hardware implementation for Layer 2 (MAC), Layer 3 (IP) and Layer 4 (UDP/TCP transport ports) prioritization
7 priority queues; QoS policies based on 802.1p (CoS) and DiffServ can be applied to interfaces and VLANs
Advanced rate limiting with 1 Kbps granularity and minimum-guaranteed bandwidth can be associated with time-based ACLs for fine-grained control
Single Rate Policing feature enables support for Single Rate Policer as defined by RFC 2697
• Committed Information Rate (average allowable rate for the class)
• Committed Burst Size (maximum amount of contiguous packets for the class)
• Excessive Burst Size (additional burst size for the class, with credits refilled at a slower rate than the committed burst size)
• DiffServ feature applied to class maps
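The RFC 2697 single-rate policer with its CIR, CBS and EBS parameters, as an added Python implementation of the color-blind marker; this is illustrative code for this page, not the M6100's hardware policer. The rate and burst values in the trace are constructed, and sizes are in bytes with the rate in bytes per second.

```python
from dataclasses import dataclass, field


@dataclass
class SingleRatePolicer:
    """Single-rate three-color marker (RFC 2697), color-blind mode.

    Two token buckets share one refill rate (CIR).  Bucket C holds at most
    CBS bytes and is credited first; only when C is full does the surplus
    credit flow into bucket E, which holds at most EBS bytes.  That is why
    the excess burst refills more slowly than the committed burst.  Both
    buckets start full.
    """
    cir: float  # committed information rate, bytes per second
    cbs: int    # committed burst size, bytes
    ebs: int    # excess burst size, bytes
    tc: float = field(init=False)
    te: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tc = float(self.cbs)
        self.te = float(self.ebs)
        self.last = 0.0

    def _refill(self, now: float) -> None:
        credit = max(0.0, now - self.last) * self.cir
        self.last = max(self.last, now)
        into_c = min(credit, self.cbs - self.tc)
        self.tc += into_c
        self.te = min(float(self.ebs), self.te + (credit - into_c))

    def color(self, size: int, now: float) -> str:
        """Mark one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "green"   # conforms to CIR/CBS
        if self.te >= size:
            self.te -= size
            return "yellow"  # exceeds the committed burst but fits the excess burst
        return "red"         # out of profile: dropped or re-marked by the policy


def classify_burst(packets, cir: float, cbs: int, ebs: int) -> list:
    """Run a sequence of (timestamp_seconds, size_bytes) through a fresh policer."""
    policer = SingleRatePolicer(cir, cbs, ebs)
    return [policer.color(size, t) for t, size in packets]


if __name__ == "__main__":
    # Constructed trace: CIR 1000 B/s, CBS 1500 B, EBS 1000 B.  Four packets
    # arrive at once, then two more a second later after C has refilled.
    trace = [(0.0, 1000), (0.0, 1000), (0.0, 100), (0.0, 600), (1.0, 1400), (1.0, 1)]
    for (t, size), c in zip(trace, classify_burst(trace, 1000, 1500, 1000)):
        print(f"t={t:.1f}s {size:5d} B -> {c}")
```

The trace shows the ordering the RFC mandates: the second 1000-byte packet is yellow because C is short but E still covers it, the 600-byte packet is red once both buckets are empty, and after one second only C has recovered (1000 bytes of credit), so E stays empty and the trailing 1-byte packet is red.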
Automatic Voice over IP prioritization with protocol-based (SIP, H323 and SCCP) or OUI-based Auto-VoIP up to 144 simultaneous voice calls
iSCSI Flow Acceleration and automatic protection/QoS with Auto-iSCSI
Flow Control
802.3x Flow Control implementation per IEEE 802.3 Annex 31B specifications, with Symmetric flow control, Asymmetric flow control or No flow control
• Asymmetric flow control allows the switch to respond to received PAUSE frames, but the ports cannot generate PAUSE frames
• Symmetric flow control allows the switch to both respond to and generate MAC control PAUSE frames
Allows traffic from one device to be throttled for a specified period of time
• A device that wishes to inhibit transmission of data frames from another device on the LAN transmits a PAUSE frame
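The MAC control PAUSE frame the section refers to, as an added Python encoder/decoder with the symmetric/asymmetric behaviour from the bullets above; this is illustrative code for this page, not switch firmware. The frame layout (reserved destination 01:80:C2:00:00:01, EtherType 0x8808, opcode 0x0001, 16-bit pause_time in 512-bit-time quanta) follows IEEE 802.3 Annex 31B; the source MAC and link speeds in the example are constructed.

```python
import struct
from typing import Optional

PAUSE_DA = bytes.fromhex("0180c2000001")  # reserved MAC Control multicast; bridges do not forward it
MAC_CONTROL_ETHERTYPE = 0x8808
PAUSE_OPCODE = 0x0001
PAUSE_QUANTUM_BITS = 512  # one pause quantum equals 512 bit times on the link
MIN_FRAME_LEN = 60        # minimum Ethernet frame length, FCS excluded


def build_pause_frame(src_mac: bytes, quanta: int) -> bytes:
    """Encode a PAUSE frame asking the peer to hold data frames for `quanta` quanta (0 = resume now)."""
    if len(src_mac) != 6:
        raise ValueError("source MAC must be 6 bytes")
    if not 0 <= quanta <= 0xFFFF:
        raise ValueError("pause_time is a 16-bit field")
    header = struct.pack("!6s6sHHH", PAUSE_DA, src_mac, MAC_CONTROL_ETHERTYPE, PAUSE_OPCODE, quanta)
    return header.ljust(MIN_FRAME_LEN, b"\x00")  # pad to the minimum frame size


def parse_pause_frame(frame: bytes) -> Optional[dict]:
    """Return {'src', 'quanta'} if `frame` is a well-formed PAUSE frame, else None."""
    if len(frame) < 18:
        return None
    da, sa, etype, opcode, quanta = struct.unpack("!6s6sHHH", frame[:18])
    if da != PAUSE_DA or etype != MAC_CONTROL_ETHERTYPE or opcode != PAUSE_OPCODE:
        return None
    return {"src": sa.hex(":"), "quanta": quanta}


def pause_seconds(quanta: int, link_bps: int) -> float:
    """Wall-clock duration of a pause request on a link of the given bit rate."""
    return quanta * PAUSE_QUANTUM_BITS / link_bps


def honours_received_pause(mode: str) -> bool:
    """Symmetric and asymmetric modes both respond to received PAUSE frames; 'none' ignores them."""
    return mode in ("symmetric", "asymmetric")


def may_generate_pause(mode: str) -> bool:
    """Only symmetric mode lets a port send PAUSE frames of its own."""
    return mode == "symmetric"


if __name__ == "__main__":
    # Constructed example: a peer requests the maximum pause from 00:11:22:33:44:55.
    frame = build_pause_frame(bytes.fromhex("001122334455"), 0xFFFF)
    info = parse_pause_frame(frame)
    print(info)
    for name, bps in (("1 GbE", 10**9), ("10 GbE", 10**10)):
        print(f"{name}: max pause = {pause_seconds(info['quanta'], bps) * 1e6:.1f} us")
    for mode in ("symmetric", "asymmetric", "none"):
        print(f"{mode:10s} honours={honours_received_pause(mode)} generates={may_generate_pause(mode)}")
```

Because the pause is measured in bit times, the same 0xFFFF request stalls a 1 GbE port for about 33.6 ms but a 10 GbE port for only 3.4 ms; counting PAUSE frames per port (and how often the maximum value appears) is a cheap health check for a link that seems to be "losing" throughput.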
ProSAFE® LAN Access and Aggregation Chassis Switches Data Sheet
M6100 series
Page 12 of 46