Brocade Communications Systems ICX 6650 Security Configuration Manual


53-1002601-01
28 September 2012
Brocade ICX 6650
Security Configuration Guide
Supporting FastIron Software Release 07.5.00


Summary of Contents for Brocade Communications Systems ICX 6650

  • Page 1 53-1002601-01 ® 28 September 2012 Brocade ICX 6650 Security Configuration Guide Supporting FastIron Software Release 07.5.00...
  • Page 2 Export of technical data contained in this document may require an export license from the United States government. The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.
  • Page 3: Table Of Contents

    Supported hardware and software ... xi; Brocade ICX 6650 slot and port numbering ... xi; How this document is organized ...
  • Page 4 TCP Flags - edge port security ... 60; Using TCP Flags in combination with other ACL features ... 61
  • Page 5 Hardware aging of Layer 4 CAM entries ... 84; ACL configuration considerations ... 85
  • Page 6 QoS options for IP ACLs ... 114; Configuration notes for QoS options on Brocade ICX 6650 ... 115; Using an IP ACL to mark DSCP values (DSCP marking) ...
  • Page 7 Configuring fixed rate limiting ... 143
  • Page 8 802.1X accounting attributes for RADIUS ... 183; Enabling 802.1X accounting ... 183
  • Page 9 Static and dynamic hosts ... 211; MAC-based VLAN feature structure ... 212
  • Page 10 RADIUS server ... 235
  • Page 11 DoS attacks ... 271
  • Page 12 Enabling IP source guard on a VE ... 297; Displaying learned IP addresses ... 297
  • Page 13 Configuring rate limiting for BUM traffic ... 299; Viewing rate limits set on BUM traffic ... 300; Index
  • Page 15: About This Document

    The Brocade ICX 6650 contains the following slots and Ethernet ports: • Slot 1 is located on the front of the Brocade ICX 6650 device and contains ports 1 through 56. Ports 1 through 32 are 10 GbE. Ports 33 through 56 are 1/10 GbE SFP+ ports. Refer to the following figure.
  • Page 16: How This Document Is Organized

    • Slot 2 is located on the back of the Brocade ICX 6650 device and contains ports 1 through 3 on the top row and port 4 on the bottom row. These ports are 2x40 GbE QSFP+. Refer to the following figure.
  • Page 17: Document Conventions

    Document conventions: This section describes text formatting conventions and important notice formats used in this document. Text formatting: the narrative-text formatting conventions that are used are as follows: bold text identifies command names...
  • Page 18: Notice To The Reader

    • Brocade ICX 6650 Hardware Installation Guide New • Brocade ICX 6650 Administration Guide • Brocade ICX 6650 Platform and Layer 2 Configuration Guide • Brocade ICX 6650 Layer 3 Routing Configuration Guide • Brocade ICX 6650 Security Configuration Guide •...
  • Page 19: Additional Information

    • Brocade ICX 6650 Diagnostic Reference • Unified IP MIB Reference • Ports-on-Demand Licensing for the Brocade ICX 6650. The latest versions of these guides are posted at http://www.brocade.com/ethernetproducts. Additional information: This section lists additional Brocade and industry-specific documentation that you might find helpful.
  • Page 20: Document Feedback

    Document feedback: Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you.
  • Page 21: Security Access

    This chapter explains how to secure access to management functions on a Brocade device. NOTE For the Brocade ICX 6650, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. Also, multiple challenges are supported for TACACS+ login authentication.
  • Page 22
    • Allow SSH access only from specific IP addresses
    • Allow SSH access only from specific MAC addresses
    • Establish passwords for privilege levels of the CLI
    • Set up local user accounts
    • Configure TACACS/TACACS+ security
    • Configure RADIUS security
  • Page 23: Remote Access To Management Function Restrictions

    The following sections describe how to restrict remote access to a Brocade device using these methods. ACL usage to restrict remote access: You can use standard ACLs to control the following access methods to management functions on a Brocade device: • Telnet • • SNMP
  • Page 24
    Brocade(config)# access-list 12 deny host 10.157.22.98 log
    Brocade(config)# access-list 12 deny 10.157.23.0 0.0.0.255 log
    Brocade(config)# access-list 12 deny 10.157.24.0/24 log
    Brocade(config)# access-list 12 permit any
    Brocade(config)# ssh access-group 12
    Brocade(config)# write memory
    Syntax: ssh access-group num
    Because an ACL ends with an implicit deny, the trailing permit any entry is what keeps SSH open to every source not explicitly denied; an ACL consisting only of deny entries blocks SSH from everywhere.
  • Page 25: Defining The Console Idle Time

    By default, a Brocade device does not time out serial console sessions. A serial session remains open indefinitely until you close it. You can however define how many minutes a serial management session can remain idle before it is timed out.
  • Page 26: Remote Access Restrictions

    To allow SSH access to the Brocade device only to the host with IP address 10.157.22.39, enter the following command.
    Brocade(config)# ip ssh client 10.157.22.39
    Syntax: [no] ip ssh client ip-addr | ipv6-addr
  • Page 27: Restricting Access To The Device Based On Ip Or Mac Address

    To allow SSH access to the Brocade device only to the host with IP address 10.157.22.39 and MAC address 0000.000f.e9a0, enter the following command.
    Brocade(config)# ip ssh client 10.157.22.39 0000.000f.e9a0
    Syntax: [no] ip ssh client ip-addr | ipv6-addr mac-addr
  • Page 28: Defining The Telnet Idle Time

    By default, the login timeout period for a Telnet session is 1 minute. To change the login timeout period, use the following command.
    Brocade(config)# telnet login-timeout 5
    Syntax: [no] telnet login-timeout minutes
    For minutes, enter a value from 1 to 10. The default timeout period is 1 minute.
  • Page 29: Specifying The Maximum Number Of Login Attempts

    VLAN that is not permitted still cannot access the device through Telnet. Restricting Telnet access to a specific VLAN: To allow Telnet access only to clients in a specific VLAN, enter a command such as the following.
  • Page 30: Designated Vlan For Telnet Management Sessions

    Designated VLAN for Telnet management sessions to a Layer 2 switch Brocade ICX 6650 supports the creation of management VLANs. By default, the management IP address you configure on a Layer 2 switch applies globally to all the ports on the device. This is true even if you divide the device ports into multiple port-based VLANs.
  • Page 31: Device Management Security

    In addition, you must use AAA authentication to create a password to allow SSHv2 access. For example, the following command configures AAA authentication to use TACACS+ for authentication as the default, or local if TACACS+ is not available.
    Brocade(config)# aaa authentication login default tacacs+ local
    With this list the local user database is consulted whenever the TACACS+ servers are unreachable, so local accounts must be kept as strong as the TACACS+ ones.
  • Page 32: Disabling Specific Access Methods

    You can globally disable TFTP to block TFTP client access. By default, TFTP client access is enabled. To disable TFTP client access, enter the following command at the Global CONFIG level of the CLI.
    Brocade(config)# tftp disable
  • Page 33: Passwords Used To Secure Access

    To suppress the connection rejection message sent by the device to a denied Telnet client, enter the following command at the global CONFIG level of the CLI.
    Brocade(config)# telnet server suppress-reject-message
  • Page 34: Setting Passwords For Management Privilege Levels

    Super User level password can be an alphanumeric string, but cannot begin with a number. 4. Enter the following commands to set the Port Configuration level and Read Only level passwords.
    Brocade(config)# enable port-config-password text
    Brocade(config)# enable read-only-password text
    Syntax: enable super-user-password text
    Syntax: enable port-config-password text
  • Page 35
    – IPv6 access list configuration level
    • rip-router – RIP router level; for example, Brocade(config-rip-router)#
    • ospf-router – OSPF router level; for example, Brocade(config-ospf-router)#
    • pim-router – PIM router level; for example, Brocade(config-pim-router)#
  • Page 36: Recovering From A Lost Password

    By default, the Brocade device imposes no minimum length on the Line (Telnet), Enable, or Local passwords. You can configure the device to require that Line, Enable, and Local passwords be at least a specified length.
  • Page 37: Local User Accounts

    This section describes the enhancements to the username and password features introduced in earlier releases. The following rules are enabled by default: • Users are required to accept the message of the day. (The NOTE under "Local user account configuration" later in this guide qualifies this: pressing Enter after the MOTD banner is only required when the device is configured to require it.)
  • Page 38 "i4aY" were used consecutively in the previous password • If the user tries to configure a password that was previously used, the Local User Account configuration will not be allowed and the following message will be displayed.
  • Page 39: Enabling User Password Masking

    The password aging feature uses the SNTP server clock to record the set-time. If the network does not have an SNTP server, then set-time will appear as set-time 0 in the output of the show running-config command, and password age cannot be enforced meaningfully until the clock is synchronized.
  • Page 40: Configuring Password History

    To re-enable a user that has been locked out, do one of the following:
    • Reboot the Brocade device to re-enable all disabled users.
    • Enable the user by entering the following command.
    Brocade(config)# username sandy enable
  • Page 41: Local User Account Configuration

    NOTE This requirement is disabled by default, unless configured. Users are not required to press Enter after the MOTD banner is displayed. Refer to Brocade ICX 6650 Administration Guide. Local user account configuration You can create accounts for local users with or without passwords. Accounts with passwords can have encrypted or unencrypted passwords.
  • Page 42 If strict password enforcement is enabled on the device, you must enter a minimum of eight characters containing the following combinations:
    • At least two upper case characters
    • At least two lower case characters
    • At least two numeric characters
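    The password rules quoted on this page (strict enforcement: eight characters with at least two upper case, two lower case and two numeric characters; a Super User password that is alphanumeric and does not begin with a number; rejection of a previously used password or of a run of characters such as "i4aY" reused from the previous password) can be checked offline before a password is pushed to a fleet of switches. The following is an added example written for this page, not Brocade code and not the device's own algorithm: the minimum run length of 4 is an assumption inferred from the four-character example, the page's strict-enforcement list is truncated so any further rules are not modelled, and the device's actual comparison logic is not published here.

```python
"""Local-password policy checks modelled on the rules quoted in this guide (added example)."""

MIN_LENGTH = 8          # strict-enforcement minimum quoted on the page
MIN_PER_CLASS = 2       # at least two upper, two lower, two numeric characters
MAX_SHARED_RUN = 4      # assumption: inferred from the 4-character "i4aY" example, not a documented value


def strict_violations(password):
    """Violations of the strict-enforcement rules visible on the page (the page's list is truncated)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    counts = {
        "upper case": sum(c.isupper() for c in password),
        "lower case": sum(c.islower() for c in password),
        "numeric": sum(c.isdigit() for c in password),
    }
    for kind, n in counts.items():
        if n < MIN_PER_CLASS:
            problems.append("fewer than two %s characters" % kind)
    return problems


def super_user_violations(password):
    """enable super-user-password: alphanumeric string that cannot begin with a number."""
    problems = []
    if not password.isalnum():
        problems.append("super-user password must be alphanumeric")
    if password[:1].isdigit():
        problems.append("super-user password cannot begin with a number")
    return problems


def longest_shared_run(a, b):
    """Length of the longest substring common to both strings (classic O(len(a)*len(b)) DP)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def history_violations(password, history):
    """Password history: reject exact reuse and (assumed rule) a long run reused from the previous password."""
    problems = []
    if password in history:
        problems.append("password was previously used")
    elif history and longest_shared_run(password, history[-1]) >= MAX_SHARED_RUN:
        problems.append("%d or more consecutive characters were used in the previous password" % MAX_SHARED_RUN)
    return problems


def validate(password, history=(), super_user=False):
    """Return every violation found; an empty list means the password passes these rules."""
    problems = strict_violations(password)
    if super_user:
        problems += super_user_violations(password)
    problems += history_violations(password, list(history))
    return problems


if __name__ == "__main__":
    # Constructed sample: the second candidate reuses "i4aY" from the first.
    print(validate("xi4aYzzz1"))
    print(validate("Qi4aYpp22", history=["xi4aYzzz1"]))
```

    Run the checks in whatever provisioning tool generates the `username ... password` lines; a rejected candidate never reaches the device, so the lockout and history counters on the switch stay untouched.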
  • Page 43: Creating A Password Option

    The privilege parameter specifies the privilege level for the account. You can specify one of the following:
    • 0 – Super User level (full read-write access)
    • 4 – Port Configuration level
    • 5 – Read Only level
    Enter up to 255 alphanumeric characters for password-string.
  • Page 44: Changing A Local User Password

    UNIX workstation or PC with a TACACS/TACACS+ server running. How TACACS+ differs from TACACS: TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET. TACACS+ is an enhancement to TACACS and uses TCP to ensure reliable delivery. TACACS+ also obfuscates the packet body using the shared key configured on both the device and the server, whereas TACACS sends it in the clear.
  • Page 45: Tacacs/Tacacs+ Authentication, Authorization

    0 default start-stop tacacs+
    aaa accounting exec default start-stop tacacs+
    aaa accounting system default start-stop tacacs+
    enable aaa console
    hostname Fred
    ip address 10.10.6.56/255
    tacacs-server host 255.253.255
    tacacs-server key 1 $Gsig@U\
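    The tacacs-server key shown above is the shared secret with which TACACS+ hides each packet body, which is the practical difference between TACACS and TACACS+ mentioned on the previous page. The following added example (written for this page; not Brocade code, not the device's implementation, and not a full TACACS+ client) implements the body obfuscation from RFC 8907 section 4.5: a pseudo-random pad built from chained MD5 digests of the session ID, key, version and sequence number is XORed over the body. The key value and the sample body bytes are constructed for the example.

```python
"""TACACS+ packet-body obfuscation with the shared key (RFC 8907 section 4.5); added example."""
import hashlib
import struct

VERSION = 0xC0            # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01   # body sent in the clear; only ever acceptable in a lab
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length (12 bytes)


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_n-1); concatenate and truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying the same operation again restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, session_id, key, seq_no=1, ptype=TYPE_AUTHEN):
    """Header in the clear plus obfuscated body, as the device would send it to the server."""
    header = HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_packet(packet, key):
    """Return (header fields, recovered body). A wrong key yields garbage, not an error: there is no integrity check."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id}, body


# Constructed sample values (not captured traffic): a key with the same shape as the page's example
# and a short authentication START-like body.
SAMPLE_KEY = b"$Gsig@U\\"
SAMPLE_SESSION = 0x1234ABCD
SAMPLE_BODY = b"\x01\x00\x01\x01\x05\x04\x00\x00sandyvty0"


def demo():
    """Round-trip the sample through the wire format and back; returns (packet, recovered body)."""
    packet = build_packet(SAMPLE_BODY, SAMPLE_SESSION, SAMPLE_KEY)
    _, recovered = parse_packet(packet, SAMPLE_KEY)
    return packet, recovered


if __name__ == "__main__":
    pkt, body = demo()
    print(pkt.hex(), body)
```

    The pad is a keystream derived from MD5 with no authentication tag, which is why RFC 8907 calls this obfuscation rather than encryption and why the device-to-server path should stay on an isolated management network even with the key set.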
  • Page 46
    1 minutes 5 seconds in idle
    established 1 hours 4 minutes 18 seconds in idle
    established 1 hours 4 minutes 15 seconds in idle
    established 1 hours 4 minutes 9 seconds in idle
  • Page 47: Tacacs Authentication

    4. The Brocade device obtains a password prompt from a TACACS+ server.
    5. The user is prompted for a password.
    6. The user enters a password. The Brocade device sends the password to the TACACS+ server.
  • Page 48
    5. The TACACS+ accounting server records information about the event.
    6. When the event is concluded, the Brocade device sends an Accounting Stop packet to the TACACS+ accounting server. The TACACS+ accounting server acknowledges the Accounting Stop packet.
  • Page 49: Aaa Operations For Tacacs/Tacacs

    AAA security for commands pasted into the running-config: If AAA security is enabled on the device, commands pasted into the running-config are subject to the same AAA operations as if they were entered manually.
  • Page 50: Tacacs/Tacacs+ Configuration Considerations

    "Configuring authentication-method lists for TACACS and TACACS+" on page 34. 4. Optionally configure TACACS+ authorization. Refer to "Configuring TACACS+ authorization" on page 36. 5. Optionally configure TACACS+ accounting. Refer to "TACACS+ accounting configuration" on page 39.
  • Page 51: Enabling Tacacs

    34.) Otherwise, when you exit from the CONFIG mode or from a Telnet session, the system continues to believe it is TACACS/TACACS+ enabled and you will not be able to access the system.
  • Page 52: Specifying Different Servers For Individual Aaa Functions

    TACACS/TACACS+ servers are unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.
  • Page 53 TACACS/TACACS+ server is unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.
    Brocade(config)# tacacs-server timeout 5
    Syntax: tacacs-server timeout number
  • Page 54: Configuring Authentication-Method Lists For Tacacs And Tacacs

    Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password command. Refer to "Setting passwords for management privilege levels" on page 14.
  • Page 55 When TACACS+ is the first method in the authentication method list, the device displays the login prompt received from the TACACS+ server. If a user attempts to login through Telnet or SSH, but none of the configured TACACS+ servers are available, the following takes place:
  • Page 56: Configuring Tacacs+ Authorization

    A-V (Attribute-Value) pair that specifies the privilege level of the user. When the Brocade device receives the response, it extracts an A-V pair configured for the Exec service and uses it to determine the user privilege level.
  • Page 57 A-V pair to set the user privilege level to 0 (super-user), granting the user full read-write access. In a configuration that has both a "foundry-privlvl" A-V pair and a non-"foundry-privlvl" A-V pair for the Exec service, the non-"foundry-privlvl" A-V pair is ignored.
  • Page 58 If configured, command accounting is performed for these commands. AAA support for console commands: AAA support for commands entered at the console includes the following:
    • Login prompt that uses AAA authentication, using authentication-method lists
  • Page 59: Tacacs+ Accounting Configuration

    Syntax: aaa accounting commands privilege-level default start-stop radius | tacacs+ | none
    The privilege-level parameter can be one of the following:
    • 0 – Records commands available at the Super User level (all commands)
  • Page 60: Configuring An Interface As The Source For All Tacacs And Tacacs+ Packets

    You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all TACACS/TACACS+ packets from the Layer 3 switch. Using a loopback address keeps the source stable across link failures, which matters because the TACACS+ server accepts requests only from the client addresses it has keys for. For configuration details, refer to Brocade ICX 6650 Layer 3 Routing Configuration Guide.
  • Page 61: Radius Security

    Logging into the device using Telnet or SSH
    • Entering the Privileged EXEC level or CONFIG level of the CLI
    2. The user is prompted for a username and password.
    3. The user enters a username and password.
  • Page 62
    • A user logs into the management interface using Telnet or SSH
    • A user enters a command for which accounting has been configured
    • A system event occurs, such as a reboot or reloading of the configuration file
  • Page 63
    Command authorization: aaa authorization commands privilege-level default method-list
    Command accounting: aaa accounting commands privilege-level default start-stop method-list
    System accounting start: aaa accounting system default start-stop method-list (the [no] form removes it)
  • Page 64: Radius Configuration Considerations

    Telnet CLI access, but you cannot also select TACACS+ authentication as the primary method for the same type of access. However, you can configure backup authentication methods for each access type.
  • Page 65: Configuring Radius

    Brocade device. Brocade Vendor-ID is 1991, with Vendor-Type 1. The following table describes the Brocade vendor-specific attributes.
  • Page 66
    • ipacl.e is an extended ACL; ipacl.s is a standard ACL.
    foundry-MAC-authent-needs-802.1x (integer): Specifies whether or not 802.1x authentication is required and enabled. 0 - Disabled, 1 - Enabled
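    The Brocade attributes on the preceding pages travel inside the standard RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26) with Vendor-ID 1991; the page gives Vendor-Type 1 for the first attribute in its table, the privilege level (foundry-privlvl), whose values map to the CLI levels listed under "Creating a password option" (0 Super User, 4 Port Configuration, 5 Read Only). The following added example (written for this page, not Brocade or any RADIUS server's code) encodes and decodes that VSA so a server-side policy or a packet capture can be checked. Assumptions: the attribute name foundry-privlvl for Vendor-Type 1 is taken from the page's table, the value is a 4-octet RADIUS integer, and the sample attribute list is constructed rather than captured.

```python
"""Encoding and decoding the Brocade RADIUS vendor-specific attribute (Vendor-ID 1991); added example."""
import struct

ATTR_REPLY_MESSAGE = 18            # used only to build a realistic sample attribute list
ATTR_VENDOR_SPECIFIC = 26          # RFC 2865 section 5.26
BROCADE_VENDOR_ID = 1991
VT_FOUNDRY_PRIVLVL = 1             # Vendor-Type 1 per the page's table (assumed name: foundry-privlvl)
PRIVILEGE_LEVELS = {0: "Super User", 4: "Port Configuration", 5: "Read Only"}


def encode_vsa(vendor_id, vendor_type, value):
    """Type 26 | Length | Vendor-Id(4) | Vendor-Type(1) | Vendor-Length(1) | Value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value   # vendor-length counts its own 2 bytes
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def encode_privlvl(level):
    """Build the foundry-privlvl VSA carrying a 4-octet integer privilege level."""
    return encode_vsa(BROCADE_VENDOR_ID, VT_FOUNDRY_PRIVLVL, struct.pack("!I", level))


def decode_attributes(blob):
    """Walk the top-level attribute list; refuse malformed lengths instead of guessing."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def decode_vsa(value):
    """Return (vendor_id, [(vendor_type, vendor_value), ...]) for one type-26 attribute value."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("malformed vendor sub-attribute")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def privilege_from_accept(blob):
    """Map the foundry-privlvl VSA in an Access-Accept attribute list to (level, name); None if absent."""
    for atype, value in decode_attributes(blob):
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        vendor_id, subs = decode_vsa(value)
        if vendor_id != BROCADE_VENDOR_ID:
            continue
        for vtype, vvalue in subs:
            if vtype == VT_FOUNDRY_PRIVLVL and len(vvalue) == 4:
                level = struct.unpack("!I", vvalue)[0]
                return level, PRIVILEGE_LEVELS.get(level, "unknown")
    return None


# Constructed sample Access-Accept attribute list: a Reply-Message followed by the Brocade VSA.
SAMPLE_ACCEPT = struct.pack("!BB", ATTR_REPLY_MESSAGE, 2 + 7) + b"welcome" + encode_privlvl(5)

if __name__ == "__main__":
    print(SAMPLE_ACCEPT.hex())
    print(privilege_from_accept(SAMPLE_ACCEPT))
```

    A server that returns no Brocade VSA at all yields None here; what the switch does in that case depends on the aaa authorization exec configuration described on the following pages, so treat a missing attribute as a policy gap to check rather than as a safe default.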
  • Page 67: Enabling Snmp To Configure Radius

    The host ip-addr | ipv6-addr | server-name parameter is either an IP address or an ASCII text string. The auth-port parameter is the Authentication port number. The default is 1645. The acct-port parameter is the Accounting port number. The default is 1646. Note that 1645 and 1646 are the legacy RADIUS ports; RFC 2865 and RFC 2866 assign 1812 and 1813, and most current servers listen there by default, so set auth-port and acct-port explicitly to match the server.
  • Page 68: Specifying Different Servers For Individual Aaa Functions

    RADIUS servers 10.10.10.103 and 10.10.10.104 will be used only to authenticate users on ports to which the servers are mapped. To map a RADIUS server to a port, refer to "RADIUS server to individual ports mapping" on page 49.
  • Page 69: Radius Server To Individual Ports Mapping

    With the above configuration, port e 3 would send a RADIUS request to 10.10.10.103 first, since it is the first server mapped to the port. If it fails, it will go to 10.10.10.110.
    Syntax: use-radius-server ip-addr
    The host ip-addr is an IPv4 address.
  • Page 70: Radius Parameters

    The default retransmit value is 3 retries. The range of retransmit values is from 1 – 5. To set the RADIUS retransmit limit, enter a command such as the following.
    Brocade(config)# radius-server retransmit 5
    Syntax: radius-server retransmit number
  • Page 71: Setting Authentication-Method Lists For Radius

    To create an authentication-method list that specifies RADIUS as the primary authentication method for securing access to the Privileged EXEC level and CONFIG levels of the CLI, enter the following command.
    Brocade(config)# aaa authentication enable default radius local none
  • Page 72 Do not use any authentication method. The device automatically permits access. Placing none at the end of a method list therefore makes the list fail open: if every earlier method is unavailable, the device grants access with no authentication at all, so use it only where that outcome is acceptable (for example, console recovery). NOTE For examples of how to define authentication-method lists for types of authentication other than RADIUS, refer to "Authentication-method lists" on page 58.
  • Page 73: Radius Authorization

    Brocade(config)# aaa authorization exec default radius
    Syntax: aaa authorization exec default radius | none
    If you specify none, or omit the aaa authorization exec command from the device configuration, no EXEC authorization is performed.
  • Page 74 The Brocade device supports command authorization and command accounting for CLI commands entered at the console. To configure the device to perform command authorization and command accounting for console commands, enter the following.
    Brocade(config)# enable aaa console
  • Page 75: Radius Accounting

    If authorization is enabled, and the command requires authorization, then authorization is performed before accounting takes place. If authorization fails for the command, no accounting takes place.
    Syntax: aaa accounting commands privilege-level default start-stop radius | tacacs | none
  • Page 76: Configuring An Interface As The Source For All Radius Packets

    You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all RADIUS packets from the Layer 3 switch. For configuration details, refer to Brocade ICX 6650 Layer 3 Routing Configuration Guide. Displaying RADIUS configuration information: The show aaa command displays information about all TACACS/TACACS+ and RADIUS servers identified on the device.
  • Page 77 - Number of packets received from the server
    • packets out - Number of packets sent to the server
    connection - The current connection status. This can be "no connection" or "connection active".
  • Page 78: Authentication-Method Lists

    The following examples show how to configure authentication-method lists. In these examples, the primary authentication method for each is "local". The device will authenticate access attempts using the locally configured usernames and passwords.
  • Page 79 The snmp-server | enable | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access. NOTE TACACS/TACACS+ and RADIUS are supported only with the enable and login parameters.
  • Page 80: Tcp Flags - Edge Port Security

    Match-all - Indicates that incoming TCP traffic must be matched against all of the TCP flags configured as part of the match-all ACL rule. In CAM hardware, there will be only one ACL rule for all configured flags.
  • Page 81: Using Tcp Flags In Combination With Other Acl Features

    If a range option and match-any TCP-flags are combined in the same ACL, the total number of rules will be calculated as: Total number of rules in CAM hardware = (number of rules for range) * (number of rules for match-any TCP-flags).
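    The two pages above give the CAM cost model for TCP-flag rules: match-all collapses to a single entry, match-any needs one entry per flag, and a port range multiplies by the number of entries the range itself occupies. The following added example (written for this page; not Brocade code and not how the ICX 6650 ASIC actually programs its TCAM) models that expansion so the entry count of a proposed rule can be estimated before it is applied and compared against the per-port-region limit quoted later in the guide. Assumption: the range is expanded into aligned power-of-two (value, mask) blocks, the usual prefix-expansion method for TCAM port ranges; the page does not say how the device expands a range, so the range counts here are an estimate.

```python
"""Expanding a TCP-flags ACL rule with a port range into CAM entries (added example)."""
from functools import reduce
from itertools import product

TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}
PORT_BITS = 16


def range_to_prefixes(lo, hi):
    """Assumed expansion: split [lo, hi] into aligned power-of-two blocks, one (value, mask) entry each."""
    entries = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi and size * 2 <= (1 << PORT_BITS):
            size *= 2
        entries.append((lo, ((1 << PORT_BITS) - size) & 0xFFFF))   # mask has 1s over the fixed high bits
        lo += size
    return entries


def flag_entries(flags, match_all):
    """match-all: one entry that requires every flag; match-any: one entry per flag (per the page)."""
    bits = [TCP_FLAGS[f] for f in flags]
    if match_all:
        combined = reduce(lambda a, b: a | b, bits, 0)
        return [(combined, combined)]
    return [(b, b) for b in bits]


def cam_entries(lo, hi, flags, match_all):
    """Cross product of range entries and flag entries: (port_value, port_mask, flag_value, flag_mask)."""
    return [(pv, pm, fv, fm)
            for (pv, pm), (fv, fm) in product(range_to_prefixes(lo, hi), flag_entries(flags, match_all))]


def entry_count(lo, hi, flags, match_all):
    """The page's formula: rules for range * rules for TCP flags."""
    return len(range_to_prefixes(lo, hi)) * len(flag_entries(flags, match_all))


def matches(entries, port, tcp_flag_byte):
    """Hardware-style lookup: a packet hits if any entry's masked fields equal the packet's fields."""
    return any(port & pm == pv and tcp_flag_byte & fm == fv for pv, pm, fv, fm in entries)


if __name__ == "__main__":
    # Constructed rule: destination ports 1024-65535 with flags syn+ack, match-any versus match-all.
    for match_all in (False, True):
        print("match-all" if match_all else "match-any", entry_count(1024, 65535, ["syn", "ack"], match_all))
```

    Since entry_count is the only thing compared against the TCAM budget, run it over every TCP-flag rule in a proposed ACL and sum the results; an ACL that exceeds the region limit fails to bind in hardware, and the page later notes there is no flow-based fallback on this platform.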
  • Page 83: Ssh2 And Scp

    Chapter SSH2 and SCP. Table 12 lists SSH2 and Secure Copy features supported on Brocade ICX 6650. TABLE 12 Supported SSH2 and Secure Copy features (Feature / Brocade ICX 6650):
    • Secure Shell (SSH) version 2
    • AES encryption for SSH2
    • Optional parameters for SSH2...
  • Page 84: Tested Ssh2 Clients

    Five inbound SSH connections at one time are supported.
    • One outbound SSH connection is supported.
    SSH2 unsupported features: The following are not supported with SSH2:
    • Compression
    • TCP/IP port forwarding, X11 forwarding, and secure file transfer
    • SSH version 1
  • Page 85: Ssh2 Authentication Types

    When a host key pair is deleted, it is deleted from the flash memory of all management modules. The time to initially generate SSH keys varies depending on the configuration, and can be from under a minute to several minutes.
  • Page 86 To generate an RSA key pair, enter a command such as the following:
    Brocade(config)# crypto key generate rsa modulus 2048
    To delete the RSA host key pair, enter the following command.
    Brocade(config)# crypto key zeroize rsa
    Syntax: crypto key generate | zeroize rsa [modulus modulus-size]
  • Page 87: Configuring Dsa Or Rsa Challenge-Response Authentication

    SSH. When DSA or RSA challenge-response authentication is enabled, the following events occur when a client attempts to gain access to the device using SSH:
  • Page 88 TFTP server. To load a public key file called pkeys.txt from a TFTP server, enter a command such as the following:
    Brocade(config)# ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt
    TFTP provides neither authentication nor integrity protection for the transferred file, so load the key file only over a trusted management network and verify the imported keys on the device afterwards; a substituted key file would grant SSH access to whoever holds the matching private key.
  • Page 89: Optional Ssh Parameters

    Optional SSH parameters: You can adjust the following SSH settings on the Brocade device:
    • The number of SSH authentication retries
    • The user authentication method the Brocade device uses for SSH connections
  • Page 90: Setting The Number Of Ssh Authentication Retries

    Syntax: ip ssh key-authentication yes | no
    The default is yes. To deactivate password authentication, enter the following command.
    Brocade(config)# ip ssh password-authentication no
    Syntax: ip ssh password-authentication no | yes
    The default is yes.
  • Page 91: Enabling Empty Password Logins

    Designating an interface as the source for all SSH packets You can designate a loopback interface, virtual interface, or Ethernet port as the source for all SSH packets from the device. For more information, refer to Brocade ICX 6650 Layer 3 Routing Configuration Guide.
  • Page 92: Filtering Ssh Access Using Acls

    To display information about SSH connections, enter the show ip ssh command.
    Brocade# show ip ssh
    Connection   Version   Encryption   Username   HMAC        Server Hostkey   IP Address
    Inbound:     SSH-2     3des-cbc     Raymond    hmac-sha1   ssh-dss          10.120.54.2
    Outbound:    SSH-2     aes256-cbc   Steve      hmac-sha1   ssh-dss          10.37.77.15
    SSH-v2.0 enabled; hostkey: DSA(1024), RSA(2048)
    Note that the 3des-cbc cipher and the 1024-bit DSA host key negotiated in this sample output are weak by current standards; where clients allow it, prefer the AES ciphers and the 2048-bit RSA host key that the device also supports.
  • Page 93: Displaying Ssh Configuration Information

    :ssh_ipv6_acl
    Brocade#
    Syntax: show ip ssh config
    This display shows the following information (TABLE 14 SSH configuration information, Field / Description):
    • SSH server: SSH server is enabled or disabled
    • SSH port: SSH port number
  • Page 94: Displaying Additional Ssh Connection Information

    2. established, client ip address 10.2.2.2, server hostkey RSA, 2 minutes 25 seconds in idle
    SSH connection (outbound):
    3. established, server ip address 10.37.77.15, server hostkey RSA, 7 seconds in idle
    show who [begin expression | exclude expression | include expression]
  • Page 95: Secure Copy With Ssh2

    192.168.1.50 and log in as user terry, enter the following command on the SCP-enabled client.
    C:\> scp c:\cfg\brocade.cfg terry@192.168.1.50:runConfig
    If password authentication is enabled for SSH, the user is prompted for user terry's password before the file transfer takes place.
  • Page 96
    C:\> scp terry@192.168.1.50:flash:primary FCXLR07500.bin
    To copy a software image file from the secondary flash on these devices to an SCP-enabled client, enter a command such as the following.
    C:\> scp terry@192.168.1.50:flash:secondary FCXLR07500.bin
  • Page 97 The ip-address variable is the IP address of the server that contains the public key file. The key-filename variable is the name of the DSA or RSA public key file that you want to import into the device.
  • Page 98: Ssh2 Client

    The following sections describe how to configure SSH client public key authentication:
    • "Generating and deleting a client DSA key pair" on page 79
    • "Generating and deleting a client RSA key pair" on page 79
  • Page 99: Using Ssh2 Client

    "Importing authorized public keys into the Brocade device" on page 68. Using SSH2 client: To start an SSH2 client connection to an SSH2 server using password authentication, enter a command such as the following:
  • Page 100: Displaying Ssh2 Client Information

    SSH2 port, where portnum is the port number. The default port number is 22. Displaying SSH2 client information: For information about displaying SSH2 client information, see the following sections:
    • "Displaying SSH connection information" on page 72
    • "Displaying additional SSH connection information" on page 74
  • Page 101: Rule-Based Ip Acls

    Chapter Rule-Based IP ACLs Table 15 and Table 16 list the Access Control List (ACL) features supported on Brocade ICX 6650. Table 15 lists the features supported on inbound traffic, while Table 16 lists the features supported on outbound traffic. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
  • Page 102: Acl Overview

    Brocade ICX 6650 devices do not support flow-based ACLs. Rule-based ACLs program the ACL entries you assign to an interface into Content Addressable Memory (CAM) space allocated for the ports. The ACLs are programmed into hardware at startup (or as new ACLs are entered and bound to ports).
  • Page 103: Types Of Ip Acls

    You can configure up to the maximum number of entries in any combination in different ACLs. For Brocade ICX 6650, the maximum number of ACL TCAM entries per port region is 2045, and the maximum number of ACL entries per system is 8192. You configure ACLs on a global basis, then apply them to the incoming or outgoing traffic on specific ports.
  • Page 104: Default Acl Action

    ACL filtering of fragmented packets” on page 108. Hardware aging of Layer 4 CAM entries Rule-based ACLs use Layer 4 CAM entries. The device permanently programs rule-based ACLs into the CAM. The entries never age out.
  • Page 105: Acl Configuration Considerations

    • The following ACL features and options are not supported on the Brocade ICX 6650 devices: Applying an ACL on a device that has Super Aggregated VLANs (SAVs) enabled. ACL logging of permitted packets: ACL logging is supported only for packets that are sent to the CPU for processing (denied packets) for inbound traffic.
  • Page 106: Configuring Standard Numbered Acls

    IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of “10.157.22.26 0.0.0.255” as “10.157.22.26/24”. The CLI automatically converts the CIDR number into the appropriate ACL mask (where zeros instead of ones are the
  • Page 107: Configuration Example For Standard Numbered Acls

    1/1/1. The last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries. Standard named ACL configuration This section describes how to configure standard named ACLs with alphanumeric IDs. This section also provides configuration examples.
  • Page 108: Standard Named Acl Syntax

    The deny | permit parameter indicates whether packets that match a policy in the access list are denied (dropped) or permitted (forwarded). The source-ip parameter specifies the source IP address. Alternatively, you can specify the host name.
  • Page 109 If the ACL is bound to a virtual routing interface, you also can specify a subset of ports within the VLAN containing that interface when assigning an ACL to the interface. See “Enabling ACL filtering based on VLAN membership or VE port membership” on page 109 for further details.
  • Page 110: Configuration Example For Standard Named Acls

    TCP port 80 (HTTP) packets from a specified source IP address to the website IP address.
  • Page 111: Extended Numbered Acl Syntax

    If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with subnet mask in the display produced by the show ip access-list command.
  • Page 112 TCP sessions, not to new sessions. Refer to Section 3.1, “Header Format”, in RFC 793 for information about this field. NOTE This operator applies only to destination TCP ports, not source TCP ports.
  • Page 113 The tos name | num parameter of the ip access-list command specifies the IP ToS. You can specify one of the following: • max-reliability or 2 – The ACL matches packets that have the maximum reliability ToS. The decimal value for this option is 2.
  • Page 114 The dscp-cos-mapping option overrides port-based priority settings. NOTE The dscp-cos-mapping option is not supported for Brocade ICX 6650 devices. The dscp-marking option enables you to configure an ACL that marks matching packets with a specified DSCP value. Enter a value from 0 – 63. Refer to “Using an IP ACL to mark DSCP values...
  • Page 115: Configuration Examples For Extended Numbered Acls

    1/3/1. Brocade(config)# interface ethernet 1/1/2 Brocade(config-if-e10000-1/1/2)# ip access-group 102 in Brocade(config-if-e10000-1/1/2)# exit Brocade(config)# interface ethernet 1/3/1 Brocade(config-if-e10000-1/3/1)# ip access-group 102 in Brocade(config)# write memory Here is another example of an extended ACL.
  • Page 116: Extended Named Acl Configuration

    Destination TCP or UDP port (if the IP protocol is TCP or UDP) The IP protocol can be one of the following well-known names or any IP protocol number from 0 – 255:
  • Page 117: Extended Named Acl Syntax

    IP address into zeros. For example, if you specify 10.157.22.26/24 or 10.157.22.26 0.0.0.255, then save the changes to the startup-config file, the value appears as 10.157.22.0/24 (if you have enabled display of subnet lengths) or 10.157.22.0 0.0.0.255 in the startup-config file.
  • Page 118 The QoS options listed below are only available if a specific ICMP type is specified for the icmp-type parameter and cannot be used with the any-icmp-type option above. See “QoS options for IP ACLs” on page 1734 for more information on using ACLs to perform QoS.
  • Page 119 4. • immediate or 2 – The ACL matches packets that have the immediate precedence. If you specify the option number instead of the name, specify number 2.
  • Page 120 The dscp-marking option enables you to configure an ACL that marks matching packets with a specified DSCP value. Enter a value from 0 – 63. Refer to “Using an IP ACL to mark DSCP values (DSCP marking)” on page 1736.
  • Page 121: Applying Egress Acls To Control (Cpu) Traffic

    To enable this feature, enter the ip preserve-ACL-user-input-format command. Brocade(config)# ip preserve-ACL-user-input-format Syntax: ip preserve-ACL-user-input-format
  • Page 122: Acl Comment Text Management

    Brocade(config-ext-nACL)# remark The following permits UDP packets Brocade(config-ext-nACL)# permit udp 192.168.2.52/24 10.2.2.2/24 Brocade(config-ext-nACL)# deny ip any any Syntax: [no] access-list ACL-num remark comment-text Syntax: [no] ip access-list standard | extended ACL-num Syntax: remark comment-text
  • Page 123: Adding A Comment To An Entry In A Named Acl

    Brocade(config)# no remark The following line permits TCP packets Syntax: no remark comment-text Viewing comments in an ACL You can use the following commands to display comments for ACL entries: • show running-config • show access-list • show ip access-list
  • Page 124: Applying An Acl To A Virtual Interface In A Protocol- Or Subnet-Based Vlan

    Brocade(config)# vlan 1 name DEFAULT-VLAN by port Brocade(config-vlan-1)# ip-subnet 192.168.10.0 255.255.255.0 Brocade(config-vlan-ip-subnet)# static ethe 1 Brocade(config-vlan-ip-subnet)# router-interface ve 10 Brocade(config-vlan-ip-subnet)# ip-subnet 10.15.1.0 255.255.255.0 Brocade(config-vlan-ip-subnet)# static ethe 1/1/1 Brocade(config-vlan-ip-subnet)# router-interface ve 20 Brocade(config-vlan-ip-subnet)# logging console Brocade(config-vlan-ip-subnet)# exit
  • Page 125: Acl Logging

    Configuration notes for ACL logging Note the following points before configuring ACL logging: • ACL logging is supported for denied packets, which are sent to the CPU for logging. ACL logging is not supported for permitted packets.
  • Page 126: Configuration Tasks For Acl Logging

    Brocade(config)# access-list 1 deny host 10.157.22.26 log Brocade(config)# access-list 1 deny 10.157.29.12 log Brocade(config)# access-list 1 deny host IPHost1 log Brocade(config)# access-list 1 permit any Brocade(config)# interface ethernet 1/1/4 Brocade(config-if-e10000-1/1/4)# ACL-logging Brocade(config-if-e10000-1/1/4)# ip access-group 1 in
  • Page 127: Displaying Acl Log Entries

    The Syslog contains entries only for the ACL entries that deny packets and have logging enabled. To display syslog entries, enter the show log command from any CLI prompt:
  • Page 128: Enabling Strict Control Of Acl Filtering Of Fragmented Packets

    This option begins dropping all fragments received by the port as soon as you enter the command. This option is especially useful if the port is receiving an unusually high rate of fragments, which can indicate a hacker attack. Syntax: [no] ip access-group frag deny
  • Page 129: Enabling Acl Support For Switched Traffic In The Router Image

    Enabling ACL support for switched traffic in the router image For Brocade ICX 6650, ACL support for switched traffic in the router image is enabled by default. There is no command to enable or disable it.
  • Page 130: Applying An Ipv4 Acl To Specific Vlan Members On A Port (Layer 2 Devices Only)

    VLANs and contains all the ports within the VLAN. The IPv4 ACL applies to all the ports on the virtual routing interface. You also can specify a subset of ports within the VLAN containing a specified virtual interface when assigning an ACL to that virtual interface.
  • Page 131: Acls To Filter Arp Packets

    ARP requests checks the source IP address in the received ARP packet. Only packets with the permitted IP address are allowed to be written in the ARP table; others are dropped.
  • Page 132: Configuration Considerations For Filtering Arp Packets

    Enter an ACL ID to explicitly specify the ACL to be used for filtering. In the example above, the line Brocade(config-ve-2)# ip use-ACL-on-arp 103 specifies ACL 103 to be used as the filter.
  • Page 133: Displaying Acl Filters For Arp

    To configure an extended IP ACL that matches based on IP precedence, enter commands such as the following. Brocade(config)# access-list 103 deny tcp 10.157.21.0/24 10.157.22.0/24 precedence internet Brocade(config)# access-list 103 deny tcp 10.157.21.0/24 eq ftp 10.157.22.0/24 precedence 6 Brocade(config)# access-list 103 permit ip any any
  • Page 134: Tcp Flags - Edge Port Security

    Quality of Service (QoS) options enable you to perform QoS for packets that match the ACLs. Using an ACL to perform QoS is an alternative to directly setting the internal forwarding priority based on incoming port, VLAN membership, and so on. (This method is described in Brocade ICX 6650 Platform and Layer 2 Switching Configuration Guide.) The following QoS ACL options are supported: •...
  • Page 135: Configuration Notes For Qos Options On Brocade Icx 6650

    97 for the syntax for configuring extended ACLs. Configuration notes for QoS options on Brocade ICX 6650 These devices do not support marking and prioritization simultaneously with the same rule (and do not support DSCP CoS mapping at all). To achieve this, you need to create two separate rules. In other words, you can mark a rule with DSCP or 802.1p information, or you can prioritize a rule...
  • Page 136 NOTE This feature is not applicable to outbound traffic. On Brocade ICX 6650, if the user does not set a specific internal marking priority, the default value is the same as the 802.1-priority marking value: Priority values range from 0 to 7.
  • Page 137: Dscp Matching

    ACL-based rate limiting provides the facility to limit the rate for IP traffic that matches the permit conditions in extended IP ACLs. This feature is available in the Layer 2 and Layer 3 code.
  • Page 138: Acl Statistics

    • Identify which multicast group packets will be forwarded or blocked on an interface For configuration procedures, refer to Brocade ICX 6650 IP Multicast Configuration Guide. Enabling and viewing hardware usage statistics for an ACL The number of configured ACL rules can affect the rate at which hardware resources are used. You can use the show access-list hw-usage on command to enable hardware usage statistics, followed by the show access-list access-list-id command to determine the hardware usage for an ACL.
  • Page 139: Displaying Acl Information

    A PBR policy specifies the next hop for traffic that matches the policy. Using standard ACLs with PBR, you can route IP packets based on their source IP address. With extended ACLs, you can route IP packets based on all of the clauses in the extended ACL.
  • Page 140: Configuration Considerations For Policy-Based Routing

    ACLs according to the instructions in the route maps. To configure a PBR policy: • Configure ACLs that contain the source IP addresses for the IP traffic you want to route using PBR.
  • Page 141: Configuring The Acls

    Ones mean any value matches. For example, the source-ip and wildcard values 10.157.22.26 0.0.0.255 mean that all hosts in the Class A subnet 10.157.22.x match the policy.
  • Page 142: Configuring The Route Map

    The map-name is a string of characters that names the map. Map names can be up to 32 characters in length. You can define an unlimited number of route maps on the Brocade device, as long as system memory is available.
  • Page 143: Enabling Pbr

    “test-route” route map to the interface. You can apply a PBR route map to Ethernet ports or virtual interfaces. Syntax: ip policy route-map map-name Enter the name of the route map you want to use for the route-map map-name parameter.
  • Page 144: Configuration Examples For Pbr

    The following commands configure three entries in a route map called “test-route”. The first entry (permit 50) matches on the IP address information in ACL 50 above. For IP traffic from subnet 10.157.23.0/24, this route map entry sets the next-hop IP address to 192.168.2.1.
  • Page 145: Setting The Output Interface To The Null Interface

    Alternatively, you can enable PBR on specific interfaces, as shown in the following example. The commands in this example configure IP addresses in the source subnet identified in ACL 56, then apply route map file-13 to the interface.
  • Page 146: Trunk Formation With Pbr Policy

    When a trunk is removed, the PBR policy that was applied to the trunk interface is unbound (removed) from former secondary ports. If global PBR is configured, the secondary ports adhere to the global PBR; otherwise, no PBR policy is bound to former secondary ports.
  • Page 147: Ipv6 Acls

    IPv6 Access Control Lists (ACL) features supported on Brocade ICX 6650. These features are supported in Brocade ICX 6650 that can be configured as an IPv6 host in an IPv6 network, and in devices that support IPv6 routing. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
  • Page 148: Ipv6 Acl Traffic Filtering Criteria

    IPv4 source guard and IPv6 ACLs are supported together on the same device, as long as they are not configured on the same port or virtual interface. • IPv6 ACLs do not support ACL filtering based on VLAN membership or VE port membership.
  • Page 149: Configuring An Ipv6 Acl

    To enable IPv6 on an interface, enter ipv6 enable at the Interface level of the CLI, or assign an IPv6 address to the interface as described in Brocade ICX 6650 Administration Guide and further discussed in Brocade ICX 6650 Security Configuration Guide.
  • Page 150 A show running-config command displays the following. Brocade(config)# show running-config ipv6 access-list rtr deny tcp 2001:db8:21::/24 2001:db8:22::/24 deny udp any range rje 6 2001:db8:22::/24 permit ipv6 any any A show ipv6 access-list command displays the following.
  • Page 151: Default And Implicit Ipv6 Acl Action

    For example, if you want to deny ICMP neighbor discovery acknowledgement, then permit any remaining IPv6 traffic, enter commands such as the following. Brocade(config)# ipv6 access-list netw Brocade(config-ipv6-access-list-netw)# permit icmp 2001:db8:e0bb::/64 2001:3782::/64 Brocade(config-ipv6-access-list-netw)# deny icmp any any nd-na Brocade(config-ipv6-access-list-netw)# permit ipv6 any any
  • Page 152: Creating An Ipv6 Acl

    (Same limitation as for ipv6-operator fragments) When creating ACLs, use the appropriate syntax below for the protocol you are filtering. For IPv6 and supported protocols other than ICMP, TCP, or UDP Syntax: [no] ipv6 access-list ACL-name
  • Page 153 Syntax: permit | deny udp ipv6-source-prefix/prefix-length | any | host source-ipv6_address [tcp-udp-operator [source port number]] ipv6-destination-prefix/prefix-length | any | host ipv6-destination-address [tcp-udp-operator [destination port number]] [ipv6-operator [value]] [802.1p-priority-matching number] [dscp-marking number 802.1p-priority-marking number internal-priority-marking number]
  • Page 154 ICMP packets are filtered by ICMP messages. Refer to “ICMP message configurations” on page 136 for a list of ICMP message types. Indicates that you are filtering TCP packets. Indicates that you are filtering UDP packets.
  • Page 155 TCP flags, and ICMP flags. • routing – The policy applies only to IPv6 source-routed packets. NOTE: This option is not applicable to filtering based on source or destination port, TCP flags, and ICMP flags.
  • Page 156 • echo-request • header • hop-limit • mld-query • mld-reduction • mld-report • nd-na • nd-ns • next-header • no-admin • no-route • packet-too-big • parameter-option • parameter-problem • port-unreachable • reassembly-timeout
  • Page 157: Enabling Ipv6 On An Interface To Which An Acl Will Be Applied

    To enable IPv6 on an interface, enter ipv6 enable at the Interface level of the CLI, or assign an IPv6 address to the interface, as described in Brocade ICX 6650 Administration Guide. For example: Brocade(config)# interface ethernet 1/1/1 Brocade(config-if-e10000-1/1/1)# ipv6 enable These commands enable IPv6 on Ethernet interface 1/1/1 ready for an IPv6 ACL to be applied.
  • Page 158: Syntax For Applying An Ipv6 Acl

    Brocade(config-ipv6-access-list rtr)# deny udp any any Brocade(config-ipv6-access-list rtr)# remark This entry denies IPv6 packets from any source to any destination Brocade(config-ipv6-access-list rtr)# deny ipv6 any any Brocade(config-ipv6-access-list rtr)# write memory Syntax: remark comment-text
  • Page 159: Deleting A Comment From An Ipv6 Acl Entry

    Refer to “ACL logging” on page 105. Displaying IPv6 ACLs To display the IPv6 ACLs configured on a device, enter the show ipv6 access-list command. Here is an example.
  • Page 160 This entry denies IPv6 packets from any source to any destination deny ipv6 any any Syntax: show ipv6 access-list [access-list-name] For the access-list-name parameter, specify the name of an IPv6 ACL created using the ipv6 access-list command.
  • Page 161: Acl-Based Rate Limiting

    Chapter ACL-based Rate Limiting Table 19 lists the ACL-based rate limiting features supported on Brocade ICX 6650. These features are supported in the Layer 2, edge Layer 3, and full Layer 3 software images, except where explicitly noted. TABLE 19...
  • Page 162: Traffic Policies Overview

    ACL statistics but do not enforce any rate limit. On Brocade ICX 6650, ACL counting for fixed rate limiting is similar to the single-rate three-color marker (srTCM) mechanism described in RFC 2697. ACL counting for adaptive rate limiting is similar to the two-rate three-color marker (trTCM) mechanism described in RFC 2698.
  • Page 163: Configuration Notes For Traffic Policies

    Rate limits and ACL counting are applied at the traffic policy level, and are cumulative across ACLs and ACL entries on which they are applied. However, they are not cumulative across port regions. As Brocade ICX 6650 has a single port region, traffic policies defined on Brocade ICX 6650 are cumulative across the device.
  • Page 164: Configuring Adaptive Rate Limiting

    For brevity, the access-list command does not include all parameters. ATTENTION Brocade ICX 6650 allows you to add a reference to a non-existent TPD in an ACL statement and to bind that ACL to an interface. Brocade ICX 6650 does not issue a warning or an error message for non-existent TPDs.
  • Page 165: Marking Class Of Service Parameters In Adaptive Rate Limiting145

    2. Create a new extended ACL entry or modify an existing extended ACL entry that references the traffic policy. Enter a command such as the following. Brocade(config)# access-list 104 permit ip host 10.10.12.2 any traffic-policy TPDAfour
  • Page 166 For brevity, the access-list command does not include all parameters. ATTENTION Brocade ICX 6650 allows you to add a reference to a non-existent TPD in an ACL statement and to bind that ACL to an interface. Brocade ICX 6650 does not issue a warning or an error message for non-existent TPDs.
  • Page 167: Handling Packets That Exceed The Rate Limit

    Syntax: [no] traffic-policy TPD-name rate-limit fixed cir-value exceed-action drop The following example shows the drop action applied to an adaptive rate limiting policy. Brocade(config)# traffic-policy TPDAfour rate-limit adaptive cir 10000 cbs 1600 pir 20000 pbs 4000 exceed-action drop
  • Page 168: Permitting Packets At Low Priority

    ACL statistics in a traffic policy that specifies a rate limit. “Viewing traffic policies” on page 152 explains how to view ACL statistics using show commands. “Clearing ACL and rate limit counters” on page 151 explains how to clear ACL statistic counters.
  • Page 169: Enabling Acl Statistics

    For brevity, some parameters were omitted from the access-list syntax. ATTENTION Brocade ICX 6650 allows you to add a reference to a non-existent TPD in an ACL statement and to bind that ACL to an interface. Brocade ICX 6650 does not issue a warning or an error message for non-existent TPDs.
  • Page 170: Enabling Acl Statistics With Rate Limiting Traffic Policies

    Viewing ACL and rate limit counters When ACL counting is enabled on Brocade ICX 6650, you can use show commands to display the total packet count and byte count of the traffic filtered by ACL statements. The output of the show commands also displays the rate limiting traffic counters, which are automatically enabled for active rate limiting traffic policies.
  • Page 171: Clearing Acl And Rate Limit Counters

    Clearing ACL and rate limit counters Brocade ICX 6650 keeps a running tally of the number of packets and the number of bytes per packet that are filtered by ACL statements and rate limiting traffic policies. You can clear these accumulated counters, essentially resetting them to zero.
  • Page 172: Viewing Traffic Policies

    The TPD-name is the name of the traffic policy definition for which you want to clear traffic policy counters. Viewing traffic policies To view traffic policies that are currently defined on Brocade ICX 6650, enter the show traffic-policy command. The following example shows the output of this command. Table 23 explains the output of the show traffic-policy command.
  • Page 173: 802.1X Port Security

    Brocade ICX 6650 supports the IEEE 802.1X standard for authenticating devices attached to LAN ports. Using 802.1X port security, you can configure a Brocade ICX 6650 device to grant access to a port based on information supplied by a client to an authentication server.
  • Page 174: How 802.1X Port Security Works

    Client and the Authentication Server. Based on the identity information supplied by the Client, and the authentication information supplied by the Authentication Server, the Authenticator either grants or does not grant network access to the Client.
  • Page 175: Communication Between The Devices

    The uncontrolled port provides access only for EAPOL traffic between the Client and the Authentication Server. When a Client is successfully authenticated, the controlled port is opened to the Client. Figure 3 illustrates this concept.
  • Page 176 When a Client connected to the port is successfully authenticated, the controlled port is then placed in the authorized state until the Client logs off. Refer to “Enabling 802.1X port security” on page 174 for more information.
  • Page 177: Message Exchange During Authentication

    Message exchange during authentication Figure 4 illustrates a sample exchange of messages between an 802.1X-enabled Client, a Brocade ICX 6650 switch acting as Authenticator, and a RADIUS server acting as an Authentication Server. FIGURE 4 Message exchange between client/supplicant, authenticator, and authentication...
  • Page 178: Setting The Ip Mtu Size

    Setting the IP MTU size When jumbo frames are enabled on a Brocade ICX 6650 device and the certificate in use is larger than the standard packet size of 1500 bytes, 802.1X authentication will not work if the supplicant or the RADIUS server does not support jumbo frames.
  • Page 179: Authenticating Multiple Hosts Connected To The Same Port

    1500 for Ethernet II packets and 1492 for SNAP packets. EAP pass-through support EAP pass-through is supported on Brocade ICX 6650 devices that have 802.1X enabled. EAP pass-through support is fully compliant with RFC 3748, in which, by default, compliant pass-through authenticator implementations forward EAP challenge request packets of any type, including those listed in the previous section.
  • Page 180 4. If the Client is successfully authenticated, the Client dot1x-mac-session is set to “access-is-allowed”. This means that traffic from the Client can be forwarded normally.
  • Page 181 180 for more information. • Dynamic IP ACL and MAC address filter assignment is supported in an 802.1X multiple-host configuration. Refer to “Dynamically applying IP ACLs and MAC address filters to 802.1X ports” on page 170.
  • Page 182: 802.1X Port Security And Sflow

    When you enable sFlow forwarding on an 802.1X-enabled interface, the samples taken from the interface include the user name string at the inbound or outbound port, or both, if that information is available. For more information on sFlow, refer to the Brocade ICX 6650 Administration Guide.
  • Page 183: 802.1X Accounting

    “Specifying a timeout for retransmission of messages to the authentication server” on page 178 (optional) • “Allowing access to multiple hosts” on page 179 (optional) • “MAC address filters for EAP frames” on page 182 (optional)
  • Page 184: Configuring An Authentication Method List For 802.1X

    Many IEEE 802.1X Authenticators will function as RADIUS clients. Some of the RADIUS attributes may be received as part of IEEE 802.1X authentication. Brocade devices support the following RADIUS attributes for IEEE 802.1X authentication: • Username (1) – RFC 2865
  • Page 185 Brocade(config)# interface ethernet 1/3/1 Brocade(config-if-e10000-1/3/1)# dot1x auth-timeout-action success Syntax: [no] dot1x auth-timeout-action success Once the success timeout action is enabled, use the no form of the command to reset the RADIUS timeout behavior to retry.
  • Page 186: Dynamic Vlan Assignment For 802.1X Port Configuration

    (the RADIUS server) sends the Authenticator (the Brocade device) a RADIUS Access-Accept message that grants the client access to the network. The RADIUS Access-Accept message contains attributes set for the user in the user's access profile on the RADIUS server.
  • Page 187 (that is, the port default VLAN). Refer to “Displaying dynamically assigned VLAN information” on page 188 for sample output indicating the port dynamically assigned VLAN.
  • Page 188 VLANs. Membership in the VLANs specified through 802.1X authentication is not changed. Specifying an untagged VLAN and multiple tagged VLANs To specify an untagged VLAN and multiple tagged VLANs, use the following. "U:10;T:12;T:marketing"
  • Page 189 • If the RADIUS Access-Accept message does not contain any VLAN information, the Client dot1x-mac-session is set to “access-is-allowed”. If the port is already in a RADIUS-specified VLAN, it remains in that VLAN.
  • Page 190: Dynamically Applying Ip Acls And Mac Address Filters To 802.1X Ports

    IP ACL or no IP ACL. If no clients on the port use dynamic ACL, then the port ACL will be applied to all traffic.
  • Page 191 To disable strict security mode globally, enter the following commands. Brocade(config)# dot1x-enable Brocade(config-dot1x)# no global-filter-strict-security After you globally disable strict security mode, you can re-enable it by entering the following command. Brocade(config-dot1x)# global-filter-strict-security
  • Page 192 2 permit 3333.3333.3333 ffff.ffff.ffff any etype eq 0800 mac.2.in mac filter 2 permit 3333.3333.3333 ffff.ffff.ffff any etype eq 0800 mac.3.in mac filter 3 permit 2222.2222.2222 ffff.ffff.ffff any etype eq 0800
  • Page 193: Configuring Per-User Ip Acls Or Mac Address Filters

    MAC address filter with two entries macfilter.in= permit 0000.0000.3333 ffff.ffff.0000 any, macfilter.in= permit 0000.0000.4444 ffff.ffff.0000 any The RADIUS server allows one instance of the Vendor-Specific attribute to be sent in an Access-Accept message.
  • Page 194: Enabling 802.1X Port Security

    When a Client connected to the interface is successfully authenticated, the controlled port is then placed in the authorized state. The controlled port remains in the authorized state until the Client logs off.
  • Page 195: Configuring Periodic Re-Authentication

    To configure periodic re-authentication using the default interval of 3,600 seconds, enter the following command. Brocade(config-dot1x)# re-authentication Syntax: [no] re-authentication To configure periodic re-authentication with an interval of 2,000 seconds, enter the following commands. Brocade(config-dot1x)# re-authentication Brocade(config-dot1x)# timeout re-authperiod 2000 Syntax: [no] timeout re-authperiod seconds
  • Page 196: Re-Authenticating A Port Manually

    By default, if the Brocade device does not receive an EAP-response/identity frame from a Client, the device waits 30 seconds, then retransmits the EAP-request/identity frame. You can optionally change the amount of time the Brocade device waits before retransmitting the EAP-request/identity frame to the Client.
  • Page 197: Wait Interval And Number Of Eap-Request/ Identity Frame Retransmissions From The Radius Server

    Client, it expects to receive a response from the Client within 30 seconds. You can optionally specify the wait interval using the supptimeout command. For example, to configure the device to retransmit an EAP-Request frame if the Client does not respond within 45 seconds, enter the following command.
  • Page 198: Specifying A Timeout For Retransmission Of Messages To The Authentication Server

    Initializing 802.1X on a port To initialize 802.1X port security on a port, enter a command such as the following. Brocade# dot1x initialize e 1/3/1 Syntax: dot1x initialize ethernet port Specify the port variable in stack-unit/slotnum/portnum format.
  • Page 199: Allowing Access To Multiple Hosts

    Brocade(config-dot1x)# auth-fail-action restricted-vlan Syntax: [no] auth-fail-action restricted-vlan To specify VLAN 300 as the restricted VLAN for all ports on the device, enter the auth-fail-vlanid num command. Brocade(config-dot1x)# auth-fail-vlanid 300 Syntax: [no] auth-fail-vlanid vlan-id
  • Page 200 Syntax: [no] mac-session-aging no-aging permitted-mac-only To disable aging of the denied dot1x-mac-sessions, enter the following command. Brocade(config-dot1x)# mac-session-aging no-aging denied-mac-only Syntax: [no] mac-session-aging no-aging denied-mac-only NOTE This command enables aging of permitted sessions.
  • Page 201 You can clear the dot1x-mac-session for a specified MAC address, so that the Client with that MAC address can be re-authenticated by the RADIUS server. Example Brocade# clear dot1x mac-session 0000.0034.abd4 Syntax: clear dot1x mac-session mac-address
  • Page 202: Mac Address Filters For Eap Frames

    Brocade device, it sends the following information to a RADIUS server whenever an authenticated 802.1X client (user) logs into or out of the Brocade device: • The user name • The session ID
  • Page 203: 802.1X Accounting Attributes For Radius

    To enable 802.1X accounting, enter the following command. Brocade(config)# aaa accounting dot1x default start-stop radius none Syntax: aaa accounting dot1x default start-stop radius | none radius – Use the list of all RADIUS servers that support 802.1X for authentication.
  • Page 204: Displaying 802.1X Information

    Whether periodic re-authentication is enabled on the device. Refer to “Configuring periodic re-authentication” on page 175. When periodic re-authentication is enabled, the device automatically re-authenticates Clients every 3,600 seconds by default.
  • Page 205 Original PVID : 101 PVID mac total PVID mac authorized num mac sessions num mac authorized Number of Auth filter Syntax: show dot1x config ethernet port Specify the port variable in stack-unit/slotnum/portnum format.
  • Page 206 Whether the port is configured to allow multiple Supplicants accessing the interface on the Brocade device through a hub. Refer to “Allowing access to multiple hosts” on page 179 for information on how to change this setting.
  • Page 207: Displaying 802.1X Statistics

    The total number of EAPOL frames transmitted on the port. TX EAP Req/Id The number of EAP-Request/Identity frames transmitted on the port. TX EAP Req other than Req/Id The number of EAP-Request frames transmitted on the port that were not EAP-Request/Identity frames.
  • Page 208: Clearing 802.1X Statistics

    0 output errors, 0 collisions, DMA transmitted 919 packets In this example, the 802.1X-enabled port has been moved from VLAN 1 to VLAN 2. When the client disconnects, the port will be moved back to VLAN 1.
  • Page 209: Displaying Information About Dynamically Applied Mac Address Filters And Ip Acls

    Syntax: show dot1x ip-ACL Displaying dynamically applied MAC address filters and IP ACLs To display the dynamically applied MAC address filters active on an interface, enter a command such as the following.
  • Page 210: Displaying The Status Of Strict Security Mode

    Displaying the status of strict security mode globally on the device To display the status of strict security mode globally on the device, enter the show dot1x command.
  • Page 211: Displaying 802.1X Multiple-Host Authentication Information

    You can display the following information about 802.1X multiple-host authentication: • Information about the 802.1X multiple-host configuration • The dot1x-mac-sessions on each port • The number of users connected on each port in an 802.1X multiple-host configuration
  • Page 212 The output of the show dot1x config command for an interface displays the configured port control for the interface. This command also displays information related to 802.1X multiple host-authentication. The following is an example of the output of the show dot1x config command for an interface.
  • Page 213 Displaying information about the dot1x MAC sessions on each port The show dot1x mac-session command displays information about the dot1x-mac-sessions on each port on the device. The output also shows the authenticator PAE state.
  • Page 214 Authenticator PAE state machine indefinitely in the ABORTING state. If this should happen, use the dot1x initialize command to initialize 802.1X port security on the port, or unplug the Client or hub connected to the port, then reconnect it.
  • Page 215 The number of users connected to the port that have been successfully authenticated. Dynamic VLAN Whether the port is a member of a RADIUS-specified VLAN. Dynamic Filters Whether RADIUS-specified IP ACLs or MAC address filters have been applied to the port.
  • Page 216: Sample 802.1X Configurations

    Brocade(config)# dot1x-enable ethernet 1/2/1 to 1/2/3 Brocade(config-dot1x)# re-authentication Brocade(config-dot1x)# timeout re-authperiod 2000 Brocade(config-dot1x)# timeout quiet-period 30 Brocade(config-dot1x)# timeout tx-period 60 Brocade(config-dot1x)# maxreq 6 Brocade(config-dot1x)# exit Brocade(config)# interface ethernet 1/2/1 Brocade(config-if-e10000-1/2/1)# dot1x port-control auto Brocade(config-if-e10000-1/2/1)# exit
  • Page 217: Hub Configuration

    Brocade(config)# radius-server host 192.168.9.22 auth-port 1812 acct-port 1813 default key mirabeau dot1x Brocade(config)# dot1x-enable ethernet 1/2/1 Brocade(config-dot1x)# re-authentication Brocade(config-dot1x)# timeout re-authperiod 2000 Brocade(config-dot1x)# timeout quiet-period 30 Brocade(config-dot1x)# timeout tx-period 60 Brocade(config-dot1x)# maxreq 6 Brocade(config-dot1x)# exit
  • Page 218: 802.1X Authentication With Dynamic Vlan Assignment

    VLAN, where it could gain access to the network. The portion of the running-config related to 802.1X authentication is as follows. dot1x-enable re-authentication servertimeout 10 timeout re-authperiod 10 auth-fail-action restricted-vlan
  • Page 219: Multi-Device Port Authentication And 802.1X Security On The Same Port

    (VSA) in the profile for the MAC address on the RADIUS server. For more information, including configuration examples, see “Multi-device port authentication and 802.1X security on the same port” on page 234.
  • Page 220 Multi-device port authentication and 802.1X security on the same port
  • Page 221: Mac Port Security

    Table 39 lists the Media Access Control (MAC) port security features that are supported on Brocade ICX 6650. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
  • Page 222: Mac Port Security Overview

    MAC port security applies only to Ethernet interfaces. • MAC port security is not supported on static trunk group members or ports that are configured for link aggregation. • MAC port security is not supported on 802.1X port security-enabled ports.
  • Page 223: Mac Port Security Configuration

    Brocade(config)# port security Brocade(config-port-security)# no enable To enable the feature on a specific interface, enter the following commands. Brocade(config)# interface ethernet 1/1/7 Brocade(config-if-e10000-1/1/7)# port security Brocade(config-port-security-e10000-1/1/7)# enable Syntax: port security Syntax: [no] enable
  • Page 224: Setting The Maximum Number Of Secure Mac Addresses For An Interface

    Thus, if you set the age timer to 3 minutes for the port, and 10 minutes for the device, the port MAC aging happens in 10 minutes (the device-level setting), which is greater than the port setting that you have configured.
  • Page 225: Specifying Secure Mac Addresses

    The autosave feature saves learned MAC addresses by copying the running configuration to the startup configuration. For example, to automatically save learned secure MAC addresses every 20 minutes, enter the following commands. Brocade(config)# port security Brocade(config-port-security)# autosave 20 Syntax: [no] autosave minutes
  • Page 226: Specifying The Action Taken When A Security

    Aging for restricted MAC addresses is done in software. There can be a worst case inaccuracy of one minute from the specified time. The restricted MAC addresses are denied in hardware.
  • Page 227: Clearing Port Security Statistics

    To clear violation statistics on a specific port, enter a command such as the following. Brocade# clear port security statistics ethernet 1/1/5 Syntax: clear port security statistics all | ethernet port Specify the port variable in stack-unit/slotnum/portnum format.
  • Page 228: Displaying Port Security Information

    Brocade# show port security mac Port Num-Addr Secure-Src-Addr Resource Age-Left Shutdown/Time-Left ----- -------- --------------- -------- --------- ------------------ 1/1/7 0000.0018.747c Local Syntax: show port security mac Table 41 describes the output from the show port security mac command.
  • Page 229: Displaying Port Security Statistics

    Whether the port has been shut down due to a security violation and the number of seconds before it is enabled again. For example, to display port security statistics for interface module 7, enter the show port security statistics command.
  • Page 230: Displaying Restricted Mac Addresses On A Port

    To display a list of restricted MAC addresses on a port, enter a command such as the following. Brocade# show port security ethernet 1/1/5 restricted-macs Syntax: show port security ethernet port restricted-macs Specify the port variable in stack-unit/slotnum/portnum format.
  • Page 231: Mac-Based Vlans

    MAC-based VLANs Table 44 lists the MAC-based VLAN features that are supported on Brocade ICX 6650 devices. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
  • Page 232: Mac-Based Vlan Feature Structure

    MAC-based VLAN and port up or down events When the state of a port is changed to down, all authorized and unauthorized MAC addresses are removed from the MAC-to-VLAN mapping table, and any pending authentication requests are cancelled.
  • Page 233: Dynamic Mac-Based Vlan

    Brocade ICX 6650 devices do not support UDLD link-keepalives on ports with MAC-based VLAN enabled. • Brocade ICX 6650 devices do not support STP BPDU packets on ports with MAC-based VLAN enabled. • MAC-to-VLAN mapping must be associated with VLANs that exist on the switch. Create the VLANs before you configure the MAC-based VLAN feature.
  • Page 234: Dynamic Mac-Based Vlan Configuration Example

    222 name RESTRICTED_MBV by port untagged ethe 1/1/4 mac-vlan-permit ethernet 1/1/1 to 1/1/3 vlan 666 name RESTRICTED_MAC_AUTH by port untagged ethe 1/1/20 mac-vlan-permit ethernet 1/1/1 to 1/1/3 spanning-tree 802-1w vlan 4000 name DEFAULT-VLAN by port
  • Page 235: Mac-Based Vlan Configuration

    Do not configure MAC-based VLAN on ports that are tagged to any VLAN. Do not use ports on which MAC-based VLAN is configured as tagged ports. NOTE MAC-based VLAN is not supported on trunk or LACP ports. Do not configure trunks on MAC-based VLAN-enabled ports.
  • Page 236: Using Mac-Based Vlans And 802.1X Security On The Same Port

    Optional or Description mandatory Tunnel-Type Mandatory RFC 2868. decimal VLAN Tunnel-Medium-Type Mandatory RFC 2868. decimal Tunnel-Private-Group-ID decimal Mandatory RFC 2868. vlan-id or U:vlan -id – a MAC-based VLAN ID configured on the Brocade device.
  • Page 237: Aging For Mac-Based Vlan

    The default is 70 seconds. The software aging time for MAC-based VLAN MACs can be configured using the mac-authentication max-age command. When the Brocade device is no longer receiving traffic from a MAC-based VLAN MAC address, the hardware aging...
  • Page 238: Disabling Aging For Mac-Based Vlan Sessions

    Enter the command at the global or interface configuration level. The denied-mac-only parameter prevents denied sessions from being aged out, but ages out permitted sessions. The permitted-mac-only parameter prevents permitted (authenticated and restricted) sessions from being aged out and ages denied sessions.
  • Page 239: Configuring The Maximum Mac Addresses Per Port

    10 priority 5 4. To enable MAC-based VLAN on the port. Brocade(config)# interface ethernet 1/1/1 Brocade(config-if-e10000-1/1/1)# mac-authentication mac-vlan enable 5. To disable MAC-based VLAN on the port. Brocade(config)# interface ethernet 1/1/1 Brocade(config-if-e10000-1/1/1)# mac-auth mac-vlan disable
  • Page 240: Configuring Mac-Based Vlan For A Dynamic Host

    To disable Dynamic MAC-based VLAN, enter the following command. Brocade(config)# no mac-authentication mac-vlan-dyn-activation NOTE If static Mac-Based VLAN is configured on a port, the port will be added only to the VLAN table for which the static MAC-based VLAN configuration exists.
  • Page 241: Configuring Mac-Based Vlans Using Snmp

    Static Macs The number of currently connected active static hosts. Static Conf The number of static hosts that are configured on the physical port. Max Macs The maximum number of allowed MAC addresses.
  • Page 242: Displaying The Mac-Vlan Table For A Specific Mac Address

    TABLE 50 Output field description of the show table-mac-vlan allowed-mac command Field Description MAC Address The allowed MAC addresses for which the information is displayed. Port The port where MAC-based VLAN is enabled.
  • Page 243: Displaying Denied Mac Addresses

    The time at which authentication failed. The age of the MAC address entry in the authenticated MAC address list. Dot1x Indicates whether 802.1X authentication is disabled (Dis) or enabled (Ena) for this MAC address.
  • Page 244: Displaying Detailed Mac-Vlan Data

    MAC Address RADIUS Authenticated Time Age Dot1x Type Pri Index Index ------------------------------------------------------------------------------ 0000.00ed.1111 0.0.0.0 07d17h00m43s S0 0000 4000 Dis 0000.00ed.1112 0.0.0.0 07d17h01m51s S0 0001 4000 Dis 0000.00ed.1113 0.0.0.0 07d17h03m00s S0 0002 4000 Dis
  • Page 245: Displaying Mac-Vlan Information For A Specific Interface

    “ff” indicates that the index is not used. MAC Index The index of the entry in the hardware MAC table. Dot1x Indicates whether 802.1X authentication is enabled or disabled for this MAC address.
  • Page 246: Displaying Mac Addresses In A Mac-Based Vlan

    Type Dynamic (MBV) Indicates a dynamic host. Static (MBV) indicates a static host. Index The index of the entry in the hardware MAC table. VLAN The VLAN to which these addresses are assigned.
  • Page 247: Displaying Mac-Based Vlan Logging

    Host A MAC address is statically configured on port e 1/1/1. The profile for Host B MAC address on the RADIUS server specifies that the PC should be assigned to VLAN 2. Host C profile does not exist in the RADIUS server, and will be put into a restricted VLAN.
  • Page 248 4000 name DEFAULT-VLAN by port no spanning-tree vlan 4004 by port mac-vlan-permit ethe 1/1/1 default-vlan-id 4000 ip address 10.44.3.8 255.255.255.0 ip default-gateway 10.44.3.1 radius-server host 10.44.3.111 radius-server key 1 $-ndUno mac-authentication enable
  • Page 249 MAC Address Port Vlan Authenticated Time Age Dot1x Type Pri Index Index ------------------------------------------------------------------------------- 0000.0075.3f73 1/1/1 00d00h00m46s S32 0001 3728 Dis 0000.0088.b9fe 1/1/1 00d00h00m08s Dis 0000 0970 Dis 0000.0075.3ff5 1/1/1 01d18h47m58s S8 0002 1ee4 Dis
  • Page 250 Sample MAC-based VLAN application
  • Page 251: Multi-Device Port Authentication

    Multi-Device Port Authentication Table 54 lists the multi-device port authentication features supported on Brocade ICX 6650. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
  • Page 252: Radius Authentication

    Brocade device can either drop traffic from the MAC address in hardware (the default), or move the port on which the traffic was received to a restricted VLAN. Supported RADIUS attributes Brocade devices support the following RADIUS attributes for multi-device port authentication:
  • Page 253: Support For Dynamic Vlan Assignment

    Support for dynamic ARP inspection with dynamic ACLs Multi-device port authentication and Dynamic ARP Inspection (DAI) are supported in conjunction with dynamic ACLs. Support is available in the Layer 3 software images only.
  • Page 254: Support For Dhcp Snooping With Dynamic Acls

    On Brocade ICX 6650, multi-device port authentication and 802.1X security can be configured on the same port, as long as the port is not a trunk port or an LACP port. When both of these features are enabled on the same port, multi-device port authentication is performed prior to 802.1X...
  • Page 255: Configuring Brocade-Specific Attributes On The Radius Server

    You add these Brocade vendor-specific attributes to your RADIUS server configuration, and configure the attributes in the individual or group profiles of the devices that will be authenticated. The Brocade Vendor-ID is 1991, with Vendor-Type 1.
  • Page 256: Multi-Device Port Authentication Configuration

    Enabling and disabling SNMP traps for multi-device port authentication • Defining MAC address filters (optional) • Configuring dynamic VLAN assignment (optional) • Dynamically Applying IP ACLs to authenticated MAC addresses • Enabling denial of service attack protection (optional)
  • Page 257: Enabling Multi-Device Port Authentication

    You can also configure multi-device port authentication commands on a range of interfaces. Example of enabling multi-device port authentication on a range of interfaces Brocade(config)# interface ethernet 1/3/1 to 1/3/5 Brocade(config-mif-1/3/1-1/3/5)# mac-authentication enable
  • Page 258: Specifying The Format Of The Mac Addresses Sent To The Radius Server

    VLAN as the authentication-failure action. To configure the device to drop traffic from non-authenticated MAC addresses in hardware, enter commands such as the following. Brocade(config)# interface ethernet 1/3/1 Brocade(config-if-e10000-1/3/1)# mac-authentication auth-fail-action block-traffic
  • Page 259: Generating Traps For Multi-Device Port Authentication

    Brocade device a RADIUS Access-Accept message that allows the Brocade device to forward traffic from that MAC address. The RADIUS Access-Accept message can also contain attributes set for the MAC address in its access profile on the RADIUS server.
  • Page 260 VLAN ID in the tagged packet that contains the authenticated MAC address as its source address, then it is considered an authentication failure, and the configured authentication failure action is performed for the MAC address.
  • Page 261: Dynamic Vlan Assignment

    Brocade(config-if-e10000-1/3/1)# mac-authentication disable-ingress-filtering If the client MAC address is successfully authenticated and the correct VLAN attribute is sent by the RADIUS server, the MAC address will be successfully authenticated on the VLAN. Syntax: mac-authentication disable-ingress-filtering
  • Page 262 When a MAC session is deleted, if the port is moved back to a VLAN that is different from the one in the running-config file, the system will update the running-config file to reflect the changes. This will occur even if mac-authentication save-dynamicvlan-to-config is not configured.
  • Page 263: Dynamically Applying Ip Acls To Authenticated

    IP ACL, the port ACL will not be applied. Also, future clients on the same port will authenticate with a dynamic IP ACL or no IP ACL. If no clients on the port use dynamic ACL, then the port ACL will be applied to all traffic.
  • Page 264 ACLs. For example, a user-defined ACL bound to a VE or a port on a VE is not allowed. There are no restrictions on ports that do not have VE interfaces.
  • Page 265: Enabling Denial Of Service Attack Protection

    CPU to be overwhelmed with performing RADIUS authentication for these MAC addresses. In addition, the high CPU usage in such an attack could prevent the RADIUS response from reaching the CPU in time, causing the device to make additional authentication attempts.
  • Page 266: Enabling Source Guard Protection

    DHCP Snooping and Static ARP Inspection entries. The Source Guard ACL permit entry is added to the hardware table after all of the following events occur: • The MAC address is authenticated • The IP address is learned
  • Page 267: Clearing Authenticated Mac Addresses

    MAC session for an address learned on a specific interface. To clear the entire contents of the authenticated MAC address table, enter the clear auth-mac-table command. Brocade# clear auth-mac-table Syntax: clear auth-mac-table
  • Page 268: Disabling Aging For Authenticated Mac Addresses

    On most devices, you can disable aging for all MAC addresses on all interfaces where multi-device port authentication has been enabled by entering the mac-authentication disable-aging command. Brocade(config)# mac-authentication disable-aging Syntax: mac-authentication disable-aging Enter the command at the global or interface configuration level.
  • Page 269: Changing The Hardware Aging Period For Blocked

    Aging of the Layer 2 hardware entry for a blocked MAC address occurs in two phases, known as hardware aging and software aging. On Brocade ICX 6650 devices, the hardware aging period for blocked MAC addresses is fixed at 70 seconds and is non-configurable. (The hardware aging time for non-blocked MAC addresses is the length of time specified with the mac-age command.) The software aging period for blocked MAC...
  • Page 270: Specifying The Aging Time For Blocked Mac Addresses

    To set the RADIUS timeout behavior to bypass multi-device port authentication and permit user access to the network, enter commands such as the following. Brocade(config)# interface ethernet 1/1/3 Brocade(config-if-e10000-1/1/3)# mac-authentication auth-timeout-action success Syntax: [no] mac-authentication auth-timeout-action success
  • Page 271: Multi-Device Port Authentication Password Override

    Note that the MAC address is still the username and cannot be changed. To change the password for multi-device port authentication, enter a command such as the following at the GLOBAL Config Level of the CLI.
  • Page 272: Limiting The Number Of Authenticated Mac Addresses

    Brocade# show auth-mac-address ---------------------------------------------------------------------- Port Vlan Accepted MACs Rejected MACs Attempted-MACs ---------------------------------------------------------------------- 1/1/8 1/2/1 1/2/2 1/3/5 Syntax: show auth-mac-address The following table describes the information displayed by the show auth-mac-address command.
  • Page 273: Displaying Multi-Device Port Authentication Configuration Information

    Brocade# show auth-mac-address configuration Feature enabled : Yes Number of Ports enabled -------------------------------------------------------------------------- Port Fail-Action Fail-vlan Dyn-vlan MAC-filter -------------------------------------------------------------------------- 1/1/8 Block Traffic 1/2/1 Block Traffic 1/2/2 Block Traffic 1/2/5 Block Traffic Syntax: show auth-mac-address configuration
  • Page 274: Displaying Multi-Device Port Authentication Information For A Specific Mac Address Or Port

    IP address, then the IP address is displayed as well. Port The port on which the MAC address was learned. Vlan The VLAN to which the MAC address was assigned. Authenticated Whether the MAC address was authenticated.
  • Page 275: Displaying The Authenticated Mac Addresses

    Vlan Authenticated Time dot1x ------------------------------------------------------------------------------- 0000.0074.3181 1/2/3 Yes 00d01h03m17s 0000.0000.0001 1/1/1 Yes 00d01h03m17s 0000.0000.012d 1/1/1 Yes 00d01h03m17s 0000.0000.0065 1/1/1 Yes 00d01h03m17s 0000.0000.0191 1/1/1 Yes 00d01h03m17s 0000.0000.01f5 1/1/1 Yes 00d01h03m17s Syntax: show auth-mac-addresses authorized-mac
  • Page 276: Displaying The Non-Authenticated Mac Addresses

    IP address, the IP address is also displayed. Port ID of the port on which the MAC address was learned. VLAN VLAN of which the port is a member.
  • Page 277: Displaying Multi-Device Port Authentication Settings And Authenticated Mac Addresses

    Syntax: show auth-mac-address [detail] [ethernet port] Specify the port variable in stack-unit/slotnum/portnum format. Omitting the ethernet port parameter displays information for all interfaces where the multi-device port authentication feature is enabled.
  • Page 278 The VLAN to which the port is assigned, and whether the port had been dynamically assigned to the VLAN by a RADIUS server. Port VLAN state Indicates the state of the port VLAN. The State can be one of the following “Default”, “RADIUS Assigned” or “Restricted”.
  • Page 279 The MAC addresses learned on the port. If the packet for which multi-device port authentication was performed also contained an IP address, then the IP address is displayed as well. RADIUS Server The IP address of the RADIUS server used for authenticating the MAC addresses.
  • Page 280: Example Port Authentication Configurations

    Brocade device. The profile for the PC MAC address on the RADIUS server specifies that the PC should be dynamically assigned to VLAN 102, and the RADIUS profile for the IP phone specifies that it should be dynamically assigned to VLAN 3.
  • Page 281 The mac-authentication disable-ingress-filtering command enables tagged packets on the port, even if the port is not a member of the VLAN. If this feature is not enabled, authentication works as “Example 1— Multi-device port authentication with dynamic VLAN assignment”
  • Page 282 VLAN, authentication would not occur. In this case, port e1 must be added to that VLAN prior to authentication. The part of the running-config related to multi-device port authentication would be as follows.
  • Page 283: Examples Of Multi-Device Port Authentication And 802.1X Authentication Configuration On The Same Port

    RADIUS server. If the phone sends only tagged packets and the port (e 1/1/3) is not a member of that VLAN, authentication would not occur. In this case, port e 1/1/3 must be added to that VLAN prior to authentication.
  • Page 284 VLAN, which is 1023, or untagged traffic from port e 1/1/3 can be blocked in hardware. The part of the running-config related to port e 1/1/3 would be as follows. interface ethernet 1/1/3 dot1x port-control auto mac-authentication enable dual-mode
  • Page 285 Multi-device port authentication is initially performed for both devices. The IP phone MAC address has a profile on the RADIUS server. This profile indicates that 802.1X authentication should be skipped for this device, and that the device port be placed into the VLAN named “IP-Phone-VLAN”.
  • Page 286 VLAN, authentication would not occur. In this case, port e 1/1/4 must be added to that VLAN prior to authentication. To configure the device to perform 802.1X authentication when a device fails multi-device port authentication, enter the following command. Brocade(config)# mac-authentication auth-fail-dot1x-override Syntax: [no] mac-authentication auth-fail-dot1x-override
  • Page 287: Dos Attack Protection

    Chapter DoS Attack Protection Table 64 lists DoS protection features supported in Brocade ICX 6650. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where noted. TABLE 64...
  • Page 288: Avoiding Being An Intermediary In A Smurf Attack

    VLAN configuration for a port on which ICMP attack protection is enabled. To set threshold values for ICMP packets received on VE 31, enter commands such as the following. Brocade(config)# interface ve 31 Brocade(config-vif-31)# ip icmp burst-normal 5000 burst-max 10000 lockup 300
  • Page 289: Tcp Syn Attacks

    For example, to set threshold values for TCP SYN packets targeted at the router, enter the following command in global CONFIG mode. Brocade(config)# ip tcp burst-normal 10 burst-max 100 lockup 300 To set threshold values for TCP SYN packets received on interface 1/1/3, enter the following commands.
  • Page 290: Tcp Security Enhancement

    Also, the attacker does not see the direct effect, the continuing communications between the devices and the impact of the injected packet, but may see the indirect impact of a terminated or corrupted session.
  • Page 291: Displaying Statistics About Packets Dropped

    Displaying statistics about packets dropped because of DoS attacks To display information about ICMP and TCP SYN packets dropped because burst thresholds were exceeded, enter the show statistics dos-attack command.
  • Page 292 Syntax: show statistics dos-attack To clear statistics about ICMP and TCP SYN packets dropped because burst thresholds were exceeded, enter the clear statistics dos-attack command. Brocade# clear statistics dos-attack Syntax: clear statistics dos-attack
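The ICMP and TCP SYN protection commands on pages 288 through 292 take three values: burst-normal, burst-max and lockup. The model below is an added example written for this page, not code from the Brocade guide, and it uses the page's own TCP SYN values (10/100/300) as input. The threshold semantics are an assumption made explicit in the module docstring, since this page only states that packets are dropped once the burst thresholds are exceeded: per-second counting, excess above burst-normal dropped, and a full lockup for the configured number of seconds once burst-max is crossed. The arrival times are constructed.

```python
"""Simulation of the burst-normal / burst-max / lockup model behind the
ICX 6650 "ip icmp ..." and "ip tcp ..." attack-protection commands.

Added example, not Brocade code. Assumed semantics:
  * packets of the protected type are counted per one-second window;
  * packets above burst-normal within a window are dropped;
  * once a window exceeds burst-max, every packet of that type is dropped
    for `lockup` seconds, after which counting restarts.
"""
from dataclasses import dataclass


@dataclass
class BurstThreshold:
    burst_normal: int          # packets/s forwarded without dropping
    burst_max: int             # packets/s that triggers the lockup
    lockup: int                # seconds of full drop after burst_max is crossed
    window_start: float = 0.0  # start of the current one-second window
    window_count: int = 0      # packets seen in the current window
    locked_until: float = 0.0  # time at which a lockup ends
    accepted: int = 0
    dropped: int = 0

    def offer(self, t: float) -> bool:
        """Offer one packet arriving at time t (seconds). True if forwarded."""
        if t < self.locked_until:
            self.dropped += 1                 # still inside a lockup period
            return False
        if t - self.window_start >= 1.0:
            self.window_start = t             # open a new one-second window
            self.window_count = 0
        self.window_count += 1
        if self.window_count > self.burst_max:
            # hard threshold crossed: drop everything for the lockup period
            self.locked_until = t + self.lockup
            self.window_count = 0
            self.dropped += 1
            return False
        if self.window_count > self.burst_normal:
            self.dropped += 1                 # soft threshold: drop the excess
            return False
        self.accepted += 1
        return True


def run(threshold: BurstThreshold, arrivals) -> tuple:
    """Feed arrival timestamps through a threshold; return (accepted, dropped)."""
    for t in arrivals:
        threshold.offer(t)
    return threshold.accepted, threshold.dropped


def demo_syn_flood() -> tuple:
    """Constructed scenario using the guide's global TCP SYN values (10/100/300)."""
    thr = BurstThreshold(burst_normal=10, burst_max=100, lockup=300)
    arrivals = [0.1 * i for i in range(5)]              # 5 ordinary SYNs in second 0
    arrivals += [1.0 + 0.001 * i for i in range(150)]   # 150-packet burst in second 1
    arrivals += [200.0]                                 # one SYN during the lockup
    arrivals += [302.0]                                 # first SYN after the lockup ends
    return run(thr, arrivals)                           # -> (16, 141)


if __name__ == "__main__":
    print("accepted, dropped =", demo_syn_flood())
```

The counters the model keeps are the same two figures an operator reads back with show statistics dos-attack: the dropped count only grows while a burst is in progress or a lockup is active, so a steadily increasing number between clear statistics dos-attack runs is the signal that thresholds are being hit.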
  • Page 293: Rate Limiting And Rate Shaping

    Rate Limiting and Rate Shaping Table 65 lists the rate limiting and rate shaping features supported on Brocade ICX 6650. These features are supported in the Layer 2, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
  • Page 294: How Port-Based Fixed Rate Limiting Works

    A CAM entry consists of the source and destination addresses of the traffic. The device uses the CAM entry for rate limiting all the traffic within the same flow. A rate limiting CAM entry remains in the CAM for two minutes before aging out.
  • Page 295: Configuration Notes For Port-Based Fixed Rate Limiting

    Syntax: [no] rate-limit input fixed average-rate For Brocade ICX 6650 devices, the average-rate parameter specifies the maximum number of packets per second (pkts/s) the port can receive. The minimum rate that can be configured is 125 pkts/s.
  • Page 296: Rate Shaping

    The configured rate shaper values are rounded up to the nearest multiples of minimum values supported on the platform. Table 67 shows the minimum and the maximum values for output rate shaping on Brocade ICX 6650. TABLE 67 Output rate shaping on Brocade ICX 6650 devices Device Module Minimum Maximum Brocade ICX 6650...
  • Page 297: Configuring Outbound Rate Shaping For A Specific Priority

    Unnecessary traffic to the switch CPU lowers the efficiency of the CPU and delays handling of other traffic that requires processing. CPU rate limiting is a CPU protection scheme which limits certain traffic types.
  • Page 298 IP tunnel-terminated packets which are fragmented or have options, or IP tunnel-terminated packets with an unsupported GRE tunnel header; IP unicast packets mirrored to the CPU due to ICMP redirect; bridge packets forwarded to the CPU 5000
  • Page 299: Dhcp

    Dynamic Host Configuration Protocol (DHCP) packet inspection and tracking features supported in Brocade ICX 6650. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
  • Page 300: Dynamic Arp Inspection

    Inspection ARP – statically configured IP/MAC mapping, where the port is initially unspecified. The actual physical port mapping will be resolved and updated from validated ARP packets. Refer to “Configuring an inspection ARP entry” on page 282.
  • Page 301: Configuration Notes And Feature Limitations For Dai

    The maximum number of DHCP and static DAI entries depends on the maximum number of ARP table entries allowed on the device. A Brocade ICX 6650 Layer 2 switch can have up to 4096 ARP entries and a Brocade ICX 6650 Layer 3 switch can have up to 64,000 ARP entries.
  • Page 302: Dynamic Arp Inspection Configuration

    The command enables DAI on VLAN 2. ARP packets from untrusted ports in VLAN 2 will undergo DAI inspection. Syntax: [no] ip arp inspection vlan vlan-number The vlan-number variable specifies the ID of a configured VLAN.
  • Page 303: Displaying Arp Inspection Status And Ports

    DHCP snooping can also stop unauthorized DHCP servers and prevent errors due to user mis-configuration of DHCP servers. Often DHCP snooping is used together with Dynamic ARP Inspection and IP Source Guard.
  • Page 304: How Dhcp Snooping Works

    “ARP entries” page 280. The lease time will be refreshed when the client renews its IP address with the DHCP server; otherwise the Brocade device removes the entry when the lease time expires.
  • Page 305: System Reboot And The Binding Database

    • DHCP snooping supports DHCP relay agent information (DHCP Option 82). For details, refer to “DHCP relay agent information” on page 288. Configuring DHCP snooping Configuring DHCP snooping consists of the following steps.
  • Page 306 Brocade(config)# interface ethernet 1/1/1 Brocade(config-if-e10000-1/1/1)# dhcp snooping client-learning disable Syntax: [no] dhcp snooping client-learning disable Use the no form of the command to re-enable DHCP client learning on a port once it has been disabled.
  • Page 307: Clearing The Dhcp Binding Database

    To display the DHCP binding entry and its current status, use the show arp command. Brocade# show arp Total number of ARP entries: 2, maximum capacity: 6000 IP Address MAC Address Type Port Status 10.43.1.1 0000.0001.c320 Dynamic mgmt1 Valid 10.43.1.199 0000.0002.b263 Dynamic mgmt1 Valid Syntax: show arp
  • Page 308: Dhcp Snooping Configuration Example

    Brocade ICX 6650 will add agent information to the packet. • Before relaying a DHCP reply packet from a DHCP server to a client, the Brocade ICX 6650 will remove relay agent information from the packet.
  • Page 309: Configuration Notes For Dhcp Option 82

    DHCP relay agent information As illustrated in Figure 19, the DHCP relay agent (the Brocade ICX 6650 switch), inserts DHCP option 82 attributes when relaying a DHCP request packet to a DHCP server. FIGURE 19 DHCP Option 82 attributes added to the DHCP packet...
  • Page 310 The Circuit ID (CID) identifies the circuit or port from which a DHCP client request was sent. The Brocade ICX 6650 device uses this information to relay DHCP responses back to the proper circuit, for example, the port number on which the DHCP client request packet was received.
  • Page 311: Dhcp Option 82 Configuration

    DHCP snooping on a VLAN” on page 286. When processing DHCP packets, the Brocade ICX 6650 device applies the following default behavior when DHCP option 82 is enabled: • Subjects all ports in the VLAN to DHCP option 82 processing ...
  • Page 312 Use the no form of the command to disable SID processing once it is enabled. Use the show interfaces ethernet command to view the subscriber ID configured on a port. Refer to “Viewing the status of DHCP option 82 and the subscriber ID” on page 294.
  • Page 313: Viewing Information About Dhcp Option 82 Processing

    Output for the show ip dhcp snooping vlan command Field Description IP DHCP snooping VLAN vlan-id The DHCP snooping and DHCP option 82 status for a VLAN: • Enabled • Disabled Trusted Ports A list of trusted ports in the VLAN.
  • Page 314: Ip Source Guard

    The Brocade implementation of the IP Source Guard feature supports configuration on a port, on specific VLAN memberships on a port (Layer 2 devices only), and on specific ports on a virtual interface (VE) (Layer 3 devices only).
  • Page 315: Configuration Notes And Feature Limitations

    A port on which IP Source Guard is enabled limits the support of IP addresses, VLANs, and ACL rules per port. An IP Source Guard port supports a maximum of: • 64 IP addresses • 64 VLANs
  • Page 316: Enabling Ip Source Guard On A Port

    You can manually enter valid IP addresses in the binding database. To do so, enter a command such as the following. Brocade(config)# ip source binding 10.10.10.1 ethernet 1/2/4 vlan 4 Syntax: [no] ip source binding ip-addr ethernet stack-unit/slotnum/portnum [vlan vlannum] For ip-addr, enter a valid IP address.
  • Page 317: Enabling Ip Source Guard Per-Port-Per-Vlan

    Brocade(config-vlan-2)# int ve 2 Brocade(config-vif-2)# source-guard enable ethernet 1/1/1 Syntax: [no] source-guard enable Displaying learned IP addresses To display the learned IP addresses for IP Source Guard ports, use the CLI commands show ip source-guard ethernet.
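Pages 300 through 317 describe three features that share one data structure: DHCP snooping builds a binding database, Dynamic ARP Inspection checks ARP packets from untrusted ports against it, and IP Source Guard only forwards IP traffic whose source address is bound to the ingress port. The model below is an added example written for this page, not Brocade code, and it illustrates how those checks fit together, including the "inspection ARP" entry from page 300 whose port is resolved by the first validated ARP packet. The binding semantics, the trusted-port bypass and the way the 64-address limit is enforced are assumptions stated in the docstring; the addresses, MACs and port numbers are constructed.

```python
"""Added example, not Brocade code: the DHCP snooping binding database as the
source of truth for Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG).

Assumed behaviour (this page states the features, not these details):
  * a binding is (ip, mac, vlan, port); DHCP snooping learns bindings from the
    server's replies, and a static "inspection ARP" entry starts with the port
    unknown until a validated ARP packet reveals it;
  * DAI inspects ARP packets only on untrusted ports, comparing the sender
    IP/MAC/VLAN/port against the binding; trusted ports bypass inspection;
  * IPSG forwards IP traffic on a guarded port only from addresses bound to
    that port and VLAN; the guide gives a 64-address limit per port, and this
    model simply refuses to install a 65th binding.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

IPSG_MAX_ADDRESSES_PER_PORT = 64   # limit stated in the guide


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    port: Optional[str]            # "unit/slot/port"; None until a static entry is resolved


class BindingDatabase:
    def __init__(self) -> None:
        self._by_ip: Dict[str, Binding] = {}

    def add(self, b: Binding) -> bool:
        """Install a binding; refuse it if the port already holds 64 addresses."""
        if b.port is not None and len(self.ips_on_port(b.port)) >= IPSG_MAX_ADDRESSES_PER_PORT:
            return False
        self._by_ip[b.ip] = Binding(b.ip, b.mac.lower(), b.vlan, b.port)
        return True

    def lookup(self, ip: str) -> Optional[Binding]:
        return self._by_ip.get(ip)

    def ips_on_port(self, port: str, vlan: Optional[int] = None) -> Set[str]:
        return {b.ip for b in self._by_ip.values()
                if b.port == port and (vlan is None or b.vlan == vlan)}


def dai_inspect(db: BindingDatabase, trusted: Set[str], port: str, vlan: int,
                sender_ip: str, sender_mac: str) -> Tuple[bool, str]:
    """Decide whether an ARP packet arriving on `port` in `vlan` is forwarded."""
    if port in trusted:
        return True, "trusted port: not inspected"
    b = db.lookup(sender_ip)
    if b is None:
        return False, "drop: sender IP has no binding"
    if b.vlan != vlan:
        return False, "drop: binding belongs to another VLAN"
    if b.mac != sender_mac.lower():
        return False, "drop: sender MAC does not match binding"
    if b.port is None:
        b.port = port                      # resolve the static inspection-ARP entry's port
    elif b.port != port:
        return False, "drop: sender IP is bound to another port"
    return True, "forward: matches binding"


def ipsg_check(db: BindingDatabase, port: str, vlan: int, src_ip: str) -> Tuple[bool, str]:
    """IP Source Guard: forward IP traffic only from addresses bound to this port/VLAN."""
    if src_ip in db.ips_on_port(port, vlan):
        return True, "forward: source IP bound to port"
    return False, "drop: source IP not bound to port"


def demo() -> dict:
    """Constructed scenario; every address, MAC and port number is made up."""
    db = BindingDatabase()
    db.add(Binding("10.43.1.199", "0000.0002.b263", 2, "1/1/1"))   # learned via DHCP snooping
    db.add(Binding("10.43.1.10", "0000.00aa.0010", 2, None))        # static inspection ARP entry
    trusted = {"1/1/24"}                                            # uplink toward the DHCP server
    r = {}
    r["dhcp_client_ok"] = dai_inspect(db, trusted, "1/1/1", 2, "10.43.1.199", "0000.0002.B263")[0]
    r["spoofed_mac"] = dai_inspect(db, trusted, "1/1/1", 2, "10.43.1.199", "0000.dead.beef")[0]
    r["wrong_port"] = dai_inspect(db, trusted, "1/1/2", 2, "10.43.1.199", "0000.0002.b263")[0]
    r["unknown_ip"] = dai_inspect(db, trusted, "1/1/2", 2, "10.43.1.50", "0000.0000.0050")[0]
    r["trusted_uplink"] = dai_inspect(db, trusted, "1/1/24", 2, "10.43.1.50", "0000.0000.0050")[0]
    r["static_resolved"] = dai_inspect(db, trusted, "1/1/3", 2, "10.43.1.10", "0000.00aa.0010")[0]
    r["static_port"] = db.lookup("10.43.1.10").port                 # resolved to "1/1/3"
    r["ipsg_ok"] = ipsg_check(db, "1/1/1", 2, "10.43.1.199")[0]
    r["ipsg_spoof"] = ipsg_check(db, "1/1/2", 2, "10.43.1.199")[0]
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

The point the model makes is the one the guide makes on page 303: DAI and IP Source Guard are only as good as the binding database beneath them, so the DHCP server's uplink must be the trusted port and every access port must stay untrusted, otherwise a rogue DHCP server can seed the database with bindings that both checks will then honour.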
  • Page 319: Limiting Broadcast, Multicast, And Unknown Unicast Traffic

    Brocade ICX 6650. Configuration notes and feature limitations • Brocade ICX 6650 supports packet-based limiting only. Limits set on such flooded traffic are also in terms of packets per second. Configuring rate limiting for BUM traffic To enable broadcast limiting on a group of ports by counting the number of packets received, enter...
  • Page 320: Viewing Rate Limits Set On Bum Traffic

    1/1/5 broadcast limit 65536 multicast limit unknown-unicast limit interface ethernet 1/1/6 broadcast limit 65536 multicast limit unknown-unicast limit interface ethernet 1/1/7 broadcast limit 65536 multicast limit unknown-unicast limit
  • Page 321 Broadcast + Multicast + Unknown Unicast 1/1/6 65536 Packets Broadcast + Multicast + Unknown Unicast 1/1/7 65536 Packets Broadcast + Multicast + Unknown Unicast 1/1/8 65536 Packets Broadcast + Multicast + Unknown Unicast Syntax: show rate-limit broadcast
  • Page 323: Index

    VLAN assignments to the running- deleting a comment from an IPv6 entry config file deny | permit setting RADIUS parameters displaying ACL information setting the EAP frame retransmissions displaying filters for ARP
  • Page 324 EXEC mode dot1x-enable authorization
  • Page 325 CPU rate-limiting route-map and traffic policies secure-mac-address servertimeout set interface null0 set ip next hop show users defining Telnet idle time snmp-client
  • Page 326 IP source guard dot1x re-auth-timeout- success Dynamic Host Configuration Protocol (DHCP) enable binding database idhcp snooping trust changing the forwarding policy ip access-group frag deny clearing the binding database ip access-group in configuration example
  • Page 327 SNMP command syntax descriptions displaying information configuring for ICMP displaying logging configuring for TCP dynamic configuration configuring for UDP feature structure deleting a comment from an entry
  • Page 328 CLI commands password logins, enabling configuring accounting for system events passwords configuring accounting for Telnet/SSH (Shell) access
  • Page 329 Brocade device show arp providing the public key to clients show authenticated-mac-address show auth-mac-address show dot1x show dot1x mac-address-filter show dot1x mac-session
  • Page 330 RSA challenge-response authentication local with encrypted passwords use with secure copy local with no passwords SSH2 client local with unencrypted passwords configuring public key authentication user authentication, deactivating displaying information username enabling
  • Page 331 VLAN ip access-group mac-vlan-permit source-guard enable
