Brocade Communications Systems Icx 6650 Users Manual Security Configuration Guide, 07.5.00

2015-02-02

• Contents
• About This Document
  • Audience
  • Supported hardware and software
  • Brocade ICX 6650 slot and port numbering
  • How this document is organized
  • Document conventions
    • Text formatting
    • Command syntax conventions
    • Notes, cautions, and warnings
  • Notice to the reader
  • Related publications
  • Additional information
    • Brocade resources
    • Other industry resources
  • Getting technical help
  • Document feedback
• Security Access
  • Securing access methods
  • Remote access to management function restrictions
    • ACL usage to restrict remote access
    • Defining the console idle time
    • Remote access restrictions
    • Restricting access to the device based on IP or MAC address
    • Defining the Telnet idle time
    • Changing the login timeout period for Telnet sessions
    • Specifying the maximum number of login attempts for Telnet access
    • Changing the login timeout period for Telnet sessions
    • Restricting remote access to the device to specific VLAN IDs
    • Designated VLAN for Telnet management sessions to a Layer 2 switch
    • Device management security
    • Disabling specific access methods
  • Passwords used to secure access
    • Setting a Telnet password
    • Setting passwords for management privilege levels
    • Recovering from a lost password
    • Displaying the SNMP community string
    • Specifying a minimum password length
  • Local user accounts
    • Enhancements to username and password
    • Local user account configuration
    • Creating a password option
    • Changing a local user password
  • TACACS and TACACS+ security
    • How TACACS+ differs from TACACS
    • TACACS/TACACS+ authentication, authorization, and accounting
    • TACACS authentication
    • TACACS/TACACS+ configuration considerations
    • Enabling TACACS
    • Identifying the TACACS/TACACS+ servers
    • Specifying different servers for individual AAA functions
    • Setting optional TACACS and TACACS+ parameters
    • Configuring authentication-method lists for TACACS and TACACS+
    • Configuring TACACS+ authorization
    • TACACS+ accounting configuration
    • Configuring an interface as the source for all TACACS and TACACS+ packets
    • Displaying TACACS/TACACS+ statistics and configuration information
  • RADIUS security
    • RADIUS authentication, authorization, and accounting
    • RADIUS configuration considerations
    • Configuring RADIUS
    • Brocade-specific attributes on the RADIUS server
    • Enabling SNMP to configure RADIUS
    • Identifying the RADIUS server to the Brocade device
    • Specifying different servers for individual AAA functions
    • RADIUS server per port
    • RADIUS server to individual ports mapping
    • RADIUS parameters
    • Setting authentication-method lists for RADIUS
    • RADIUS authorization
    • RADIUS accounting
    • Configuring an interface as the source for all RADIUS packets
    • Displaying RADIUS configuration information
  • Authentication-method lists
    • Examples of authentication-method lists
  • TCP Flags - edge port security
    • Using TCP Flags in combination with other ACL features
• SSH2 and SCP
  • SSH version 2 overview
    • Tested SSH2 clients
    • SSH2 supported features
    • SSH2 unsupported features
  • SSH2 authentication types
    • Configuring SSH2
    • Enabling and disabling SSH by generating and deleting host keys
    • Configuring DSA or RSA challenge-response authentication
  • Optional SSH parameters
    • Setting the number of SSH authentication retries
    • Deactivating user authentication
    • Enabling empty password logins
    • Setting the SSH port number
    • Setting the SSH login timeout value
    • Designating an interface as the source for all SSH packets
    • Configuring the maximum idle time for SSH sessions
  • Filtering SSH access using ACLs
  • Terminating an active SSH connection
  • Displaying SSH information
    • Displaying SSH connection information
    • Displaying SSH configuration information
    • Displaying additional SSH connection information
  • Secure copy with SSH2
    • Enabling and disabling SCP
    • Secure copy configuration notes
    • Example file transfers using SCP
  • SSH2 client
    • Enabling SSH2 client
    • Configuring SSH2 client public key authentication
    • Using SSH2 client
    • Displaying SSH2 client information
• Rule-Based IP ACLs
  • ACL overview
    • Types of IP ACLs
    • ACL IDs and entries
    • Numbered and named ACLs
    • Default ACL action
  • How hardware-based ACLs work
    • How fragmented packets are processed
    • Hardware aging of Layer 4 CAM entries
  • ACL configuration considerations
  • Configuring standard numbered ACLs
    • Standard numbered ACL syntax
    • Configuration example for standard numbered ACLs
  • Standard named ACL configuration
    • Standard named ACL syntax
    • Configuration example for standard named ACLs
  • Extended numbered ACL configuration
    • Extended numbered ACL syntax
    • Configuration examples for extended numbered ACLs
  • Extended named ACL configuration
    • Extended named ACL syntax
  • Applying egress ACLs to Control (CPU) traffic
  • Preserving user input for ACL TCP/UDP port numbers
  • ACL comment text management
    • Adding a comment to an entry in a numbered ACL
    • Adding a comment to an entry in a named ACL
    • Deleting a comment from an ACL entry
    • Viewing comments in an ACL
  • Applying an ACL to a virtual interface in a protocol- or subnet-based VLAN
  • ACL logging
    • Configuration notes for ACL logging
    • Configuration tasks for ACL logging
    • Example ACL logging configuration
    • Displaying ACL Log Entries
  • Enabling strict control of ACL filtering of fragmented packets
  • Enabling ACL support for switched traffic in the router image
  • Enabling ACL filtering based on VLAN membership or VE port membership
    • Configuration notes for ACL filtering
    • Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only)
    • Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only)
  • ACLs to filter ARP packets
    • Configuration considerations for filtering ARP packets
    • Configuring ACLs for ARP filtering
    • Displaying ACL filters for ARP
    • Clearing the filter count
  • Filtering on IP precedence and ToS values
    • TCP flags - edge port security
  • QoS options for IP ACLs
    • Configuration notes for QoS options on Brocade ICX 6650
    • Using an IP ACL to mark DSCP values (DSCP marking)
    • DSCP matching
  • ACL-based rate limiting
  • ACL statistics
  • ACLs to control multicast features
  • Enabling and viewing hardware usage statistics for an ACL
  • Displaying ACL information
  • Troubleshooting ACLs
  • Policy Based Routing
    • Configuration considerations for policy-based routing
    • Configuring a PBR policy
    • Configuring the ACLs
    • Configuring the route map
    • Enabling PBR
    • Configuration examples for PBR
    • Setting the next hop
    • Setting the output interface to the null interface
    • Trunk formation with PBR policy
• IPv6 ACLs
  • IPv6 ACL overview
    • IPv6 ACL traffic filtering criteria
    • IPv6 protocol names and numbers
  • IPv6 ACL configuration notes
  • Configuring an IPv6 ACL
    • Example IPv6 configurations
    • Default and implicit IPv6 ACL action
  • Creating an IPv6 ACL
    • Syntax for creating an IPv6 ACL
  • Enabling IPv6 on an interface to which an ACL will be applied
  • Applying an IPv6 ACL to an interface
    • Syntax for applying an IPv6 ACL
    • Applying an IPv6 ACL to a trunk group
    • Applying an IPv6 ACL to a virtual interface in a protocol-based or subnet-based VLAN
  • Adding a comment to an IPv6 ACL entry
  • Deleting a comment from an IPv6 ACL entry
  • Support for ACL logging
  • Displaying IPv6 ACLs
• ACL-based Rate Limiting
  • ACL-based rate limiting overview
    • Types of ACL-based rate limiting
  • Traffic policies overview
    • Traffic policy structure
    • Configuration notes for traffic policies
  • Configuring fixed rate limiting
  • Configuring adaptive rate limiting
    • Marking Class of Service parameters in adaptive rate limiting
  • Handling packets that exceed the rate limit
    • Dropping packets
    • Permitting packets at low priority
  • Enabling and using ACL statistics
    • Enabling ACL statistics
    • Enabling ACL statistics with rate limiting traffic policies
    • Viewing ACL and rate limit counters
    • Clearing ACL and rate limit counters
  • Viewing traffic policies
• 802.1X Port Security
  • IETF RFC support
  • How 802.1X port security works
    • Device roles in an 802.1X configuration
    • Communication between the devices
    • Controlled and uncontrolled ports
    • Message exchange during authentication
    • Authenticating multiple hosts connected to the same port
    • 802.1X port security and sFlow
    • 802.1X accounting
  • 802.1X port security configuration
    • Configuring an authentication method list for 802.1X
    • Setting RADIUS parameters
    • Dynamic VLAN assignment for 802.1X port configuration
    • Dynamically applying IP ACLs and MAC address filters to 802.1X ports
    • Enabling 802.1X port security
    • Setting the port control
    • Configuring periodic re-authentication
    • Re-authenticating a port manually
    • Setting the quiet period
    • Specifying the wait interval and number of EAP-request/ identity frame retransmissions from the Brocade device
    • Wait interval and number of EAP-request/ identity frame retransmissions from the RADIUS server
    • Specifying a timeout for retransmission of messages to the authentication server
    • Initializing 802.1X on a port
    • Allowing access to multiple hosts
    • MAC address filters for EAP frames
    • Configuring VLAN access for non-EAP-capable clients
  • 802.1X accounting configuration
    • 802.1X accounting attributes for RADIUS
    • Enabling 802.1X accounting
  • Displaying 802.1X information
    • Displaying 802.1X configuration information
    • Displaying 802.1X statistics
    • Clearing 802.1X statistics
    • Displaying dynamically assigned VLAN information
    • Displaying information about dynamically applied MAC address filters and IP ACLs
    • Displaying 802.1X multiple-host authentication information
  • Sample 802.1X configurations
    • Point-to-point configuration
    • Hub configuration
    • 802.1X authentication with dynamic VLAN assignment
  • Multi-device port authentication and 802.1X security on the same port
• MAC Port Security
  • MAC port security overview
    • Local and global resources used for MAC port security
    • Configuration notes and feature limitations for MAC port security
  • MAC port security configuration
    • Enabling the MAC port security feature
    • Setting the maximum number of secure MAC addresses for an interface
    • Setting the port security age timer
    • Specifying secure MAC addresses
    • Autosaving secure MAC addresses to the startup configuration
    • Specifying the action taken when a security violation occurs
  • Clearing port security statistics
    • Clearing restricted MAC addresses
    • Clearing violation statistics
  • Displaying port security information
    • Displaying port security settings
    • Displaying the secure MAC addresses
    • Displaying port security statistics
    • Displaying restricted MAC addresses on a port
• MAC-based VLANs
  • MAC-based VLAN overview
    • Static and dynamic hosts
    • MAC-based VLAN feature structure
  • Dynamic MAC-based VLAN
    • Configuration notes and feature limitations for dynamic MAC-based VLAN
    • Dynamic MAC-based VLAN CLI commands
    • Dynamic MAC-based VLAN configuration example
  • MAC-based VLAN configuration
    • Using MAC-based VLANs and 802.1X security on the same port
    • Configuring generic and Brocade vendor-specific attributes on the RADIUS server
    • Aging for MAC-based VLAN
    • Disabling aging for MAC-based VLAN sessions
    • Configuring the maximum MAC addresses per port
    • Configuring a MAC-based VLAN for a static host
    • Configuring MAC-based VLAN for a dynamic host
    • Configuring dynamic MAC-based VLAN
  • Configuring MAC-based VLANs using SNMP
  • Displaying information about MAC-based VLANs
    • Displaying the MAC-VLAN table
    • Displaying the MAC-VLAN table for a specific MAC address
    • Displaying allowed MAC addresses
    • Displaying denied MAC addresses
    • Displaying detailed MAC-VLAN data
    • Displaying MAC-VLAN information for a specific interface
    • Displaying MAC addresses in a MAC-based VLAN
    • Displaying MAC-based VLAN logging
  • Clearing MAC-VLAN information
  • Sample MAC-based VLAN application
• Multi-Device Port Authentication
  • How multi-device port authentication works
    • RADIUS authentication
    • Authentication-failure actions
    • Supported RADIUS attributes
    • Support for dynamic VLAN assignment
    • Support for dynamic ACLs
    • Support for authenticating multiple MAC addresses on an interface
    • Support for dynamic ARP inspection with dynamic ACLs
    • Support for DHCP snooping with dynamic ACLs
    • Support for source guard protection
  • Multi-device port authentication and 802.1X security on the same port
    • Configuring Brocade-specific attributes on the RADIUS server
  • Multi-device port authentication configuration
    • Enabling multi-device port authentication
    • Specifying the format of the MAC addresses sent to the RADIUS server
    • Specifying the authentication-failure action
    • Generating traps for multi-device port authentication
    • Defining MAC address filters
    • Configuring dynamic VLAN assignment
    • Dynamically applying IP ACLs to authenticated MAC addresses
    • Enabling denial of service attack protection
    • Enabling source guard protection
    • Clearing authenticated MAC addresses
    • Disabling aging for authenticated MAC addresses
    • Changing the hardware aging period for blocked MAC addresses
    • Specifying the aging time for blocked MAC addresses
    • Specifying the RADIUS timeout action
    • Multi-device port authentication password override
    • Limiting the number of authenticated MAC addresses
  • Displaying multi-device port authentication information
    • Displaying authenticated MAC address information
    • Displaying multi-device port authentication configuration information
    • Displaying multi-device port authentication information for a specific MAC address or port
    • Displaying the authenticated MAC addresses
    • Displaying the non-authenticated MAC addresses
    • Displaying multi-device port authentication information for a port
    • Displaying multi-device port authentication settings and authenticated MAC addresses
  • Example port authentication configurations
    • Multi-device port authentication with dynamic VLAN assignment
    • Examples of multi-device port authentication and 802.1X authentication configuration on the same port
• DoS Attack Protection
  • Smurf attacks
    • Avoiding being an intermediary in a Smurf attack
    • Avoiding being a victim in a Smurf attack
  • TCP SYN attacks
    • TCP security enhancement
    • Displaying statistics about packets dropped because of DoS attacks
• Rate Limiting and Rate Shaping
  • Port-based rate limiting
    • How port-based fixed rate limiting works
    • Rate limiting in hardware
    • Configuration notes for port-based fixed rate limiting
    • Configuring a port-based fixed rate limiting policy
    • Displaying the port-based fixed rate limiting configuration
  • Rate shaping
    • Configuration notes for rate shaping
    • Configuring outbound rate shaping for a port
    • Configuring outbound rate shaping for a specific priority
    • Configuring outbound rate shaping for a trunk port
    • Displaying rate shaping configurations
  • CPU rate-limiting
• DHCP
  • Dynamic ARP inspection
    • ARP poisoning
    • Dynamic ARP Inspection
    • Configuration notes and feature limitations for DAI
    • Dynamic ARP inspection configuration
    • Displaying ARP inspection status and ports
    • Displaying the ARP table
  • DHCP snooping
    • How DHCP snooping works
    • System reboot and the binding database
    • Configuration notes and feature limitations for DHCP snooping
    • Configuring DHCP snooping
    • Clearing the DHCP binding database
    • Displaying DHCP snooping status and ports
    • Displaying the DHCP snooping binding database
    • Displaying DHCP binding entry and status
    • DHCP snooping configuration example
  • DHCP relay agent information
    • Configuration notes for DHCP option 82
    • DHCP option 82 sub-options
    • DHCP option 82 configuration
    • Viewing information about DHCP option 82 processing
  • IP source guard
    • Configuration notes and feature limitations for IP source guard
    • Enabling IP source guard on a port
    • Defining static IP source bindings
    • Enabling IP source guard per-port-per-VLAN
    • Enabling IP source guard on a VE
    • Displaying learned IP addresses
• Limiting Broadcast, Multicast, and Unknown Unicast Traffic
  • Broadcast, unknown Unicast, and Multicast rate limiting
    • Configuration notes and feature limitations
    • Configuring rate limiting for BUM traffic
    • Viewing rate limits set on BUM traffic
• Index