53-1003088-03 30 July 2014 FastIron Ethernet Switch Security Configuration Guide Supporting FastIron Software Release 08.0.
© 2014, Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, Brocade Assurance, ADX, AnyIO, DCX, Fabric OS, FastIron, HyperEdge, ICX, MLX, MyBrocade, NetIron, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and The Effortless Network and the On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands and product names mentioned may be trademarks of others.
Contents (excerpt)

Preface ... 13
  Document conventions ... 13
    Text formatting conventions ... 13
    Command syntax conventions ... 13
    Notes, cautions, and warnings
  Setting optional TACACS and TACACS+ parameters ... 49
  Configuring authentication-method lists for TACACS and TACACS+ ... 50
  Configuring TACACS+ authorization ... 53
  TACACS+ accounting configuration ... 55
  Configuring an interface as the source for all TACACS and TACACS+ packets
  Filtering SSH access using ACLs ... 90
  Terminating an active SSH connection ... 90
  Displaying SSH information ... 90
    Displaying SSH connection information ... 91
    Displaying SSH configuration information
  Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only) ... 132
  ACLs to filter ARP packets ... 132
    Configuration considerations for filtering ARP packets ... 133
    Configuring ACLs for ARP filtering ... 133
    Displaying ACL filters for ARP
802.1X Port Security ... 169
  Supported 802.1X port security features ... 169
  IETF RFC support ... 170
  How 802.1X port security works ... 170
    Device roles in an 802.1X configuration
  MAC port security configuration ... 219
    Enabling the MAC port security feature ... 219
    Setting the maximum number of secure MAC addresses for an interface ... 219
    Setting the port security age timer ... 220
    Specifying secure MAC addresses
  MAC address filter logging command syntax ... 250
  Configuring MAC filter accounting ... 250
  MAC address filter override for 802.1X-enabled ports ... 251
    MAC address filter override configuration notes ... 251
    MAC address filter override configuration syntax ... 251
  Multi-Device Port Authentication
Web Authentication ... 291
  Supported Web Authentication features ... 291
  Web authentication overview ... 291
  Web authentication configuration considerations ... 292
  Web authentication configuration tasks
  Dynamic ARP inspection configuration ... 334
    Displaying ARP inspection status and ports ... 335
    Displaying the ARP table ... 335
    Multi-VRF support ... 336
  DHCP snooping ... 336
    How DHCP snooping works
  Example: Configuring IPv6 RA guard on a device ... 364
  Example: Configuring IPv6 RA guard in a network ... 364
  Example: Verifying the RA guard configuration ... 366
Security Commands ... 367
  access-list enable accounting ... 368
  clear access-list accounting
Preface

● Document conventions ... 13
● Brocade resources ... 15
● Getting technical help ... 15
● Document feedback
Command syntax conventions (continued)

Convention: value
Description: In Fibre Channel products, a fixed value provided as input to a command option is printed in plain text, for example, --show WWN.

Convention: [ ]
Description: Syntax components displayed within square brackets are optional. Default responses to system prompts are enclosed in square brackets.

Convention: {x|y|z}
Description: A choice of required parameters is enclosed in curly brackets separated by vertical bars. You must select one of the options.
Brocade resources

Visit the Brocade website to locate related documentation for your product and additional Brocade resources. You can download additional publications supporting your product at www.brocade.com.

• Adapter documentation is available on the Downloads and Documentation for Brocade Adapters page. Select your platform and scroll down to the Documentation section.
Document feedback

To send feedback and report errors in the documentation, you can use the feedback form posted with the document or you can e-mail the documentation team. Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you.
About This Document

● What's new in this document ... 17
● How command information is presented in this guide ... 17

What's new in this document

This document includes the information from IronWare software release 08.0.10d. The following table lists the enhancements for FastIron release 08.0.10d.

TABLE 1 Summary of enhancements in FastIron release 08.0.
Security Access

● Supported security access features ... 19
● Securing access methods ... 20
● Remote access to management function restrictions ... 23
● Passwords used to secure access ... 31
● Local user accounts
Securing access methods

NOTE: Web management is not supported in Release 8.0.00a and later releases. If web management is enabled, you must configure the no web-management command to disable it.

NOTE: For all Brocade devices, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. Also, multiple challenges are supported for TACACS+ login authentication.
TABLE 2 Ways to secure management access to Brocade devices (Continued)

Ways to secure the access method: Configure SSH
See page: Refer to the Configuring SSH2 section

Ways to secure the access method: Regulate SSH access using ACLs
See page: Using an ACL to restrict SSH access on page 24

Ways to secure the access method: Allow Telnet access only from specific MAC addresses
See page: Restricting Telnet access to a specific VLAN on page 28

Ways to secure the access method: Define the Telnet idle time
See page: Defining the Telnet idle time on page 27

Ways to secure the access method: Chang
TABLE 2 Ways to secure management access to Brocade devices (Continued)

Access method: SNMP access
How the access method is secured by default: SNMP read or read-write community strings and the password to the Super User privilege level

NOTE: SNMP read or read-write community strings are always required for SNMP access to the device.
Remote access to management function restrictions

You can restrict access to management functions from remote sources, including Telnet and SNMP.
Using an ACL to restrict SSH access

To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of the ACL.

    device(config)#access-list 10 permit host 10.157.22.32
    device(config)#access-list 10 permit 10.157.23.0 0.0.0.255
    device(config)#access-list 10 permit 10.157.24.0 0.0.0.255
    device(config)#access-list 10 permit 10.157.25.
The ro parameter indicates that the community string is for read-only ("get") access. The rw parameter indicates the community string is for read-write ("set") access. The num parameter specifies the number of a standard ACL and must be from 1 - 99.

These commands configure ACLs 25 and 30, then apply the ACLs to community strings. ACL 25 is used to control read-only access using the "public" community string.
Restricting Telnet access to a specific IP address

To allow Telnet access to the Brocade device only to the host with IP address 10.157.22.39, enter the following command.

    device(config)#telnet client 10.157.22.39

Syntax: [no] telnet client { ip-addr | ipv6-addr }

Restricting SSH access to a specific IP address

To allow SSH access to the Brocade device only to the host with IP address 10.157.22.39, enter the following command.
The following command allows Telnet access to the Brocade device to a host with any IP address and MAC address 0000.000f.e9a0.

    device(config)#telnet client any 0000.000f.e9a0

Syntax: [no] telnet client any mac-addr

Restricting SSH connection

You can restrict SSH connection to a device based on the client IP address or MAC address. To allow SSH access to the Brocade device only to the host with IP address 10.157.22.39 and MAC address 0000.000f.e9a0, enter the following command.
NOTE: You need to configure Telnet with the enable telnet authentication local command to enable only a certain number of Telnet login attempts.

Changing the login timeout period for Telnet sessions

By default, the login timeout period for a Telnet session is 2 minutes. To change the login timeout period, use the following command.

    device(config)#telnet login-timeout 5

Syntax: [no] telnet login-timeout minutes

For minutes, enter a value from 1 to 10.
The command in this example configures the device to allow SNMP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.

Syntax: [no] snmp-server enable vlan vlan-id

Restricting TFTP access to a specific VLAN

To allow TFTP access only to clients in a specific VLAN, enter a command such as the following.
The metric parameter specifies the metric (cost) of the gateway. You can specify a value from 1 - 5. There is no default. The software uses the gateway with the lowest metric.

Device management security

By default, all management access is disabled. Each of the following management access methods must be specifically enabled as required in your installation:

• SSHv2
• SNMP

The commands for granting access to each of these management interfaces are described in the following sections.
Disabling Telnet access

You can use a Telnet client to access the CLI on the device over the network. If you do not plan to use the CLI over the network and want to disable Telnet access to prevent others from establishing CLI sessions with the device, enter the following command.

    device(config)#no telnet server

To re-enable Telnet operation, enter the following command.
NOTE: You also can configure up to 16 user accounts consisting of a user name and password, and assign each user account a management privilege level. Refer to Local user accounts on page 35.

Setting a Telnet password

By default, the device does not require a user name or password when you log in to the CLI using Telnet. You can assign a password for Telnet access using one of the following methods.
... in the order you specify in the authentication-method lists. Refer to Authentication-method lists on page 75.

Follow the steps given below to set passwords for management privilege levels.

1. At the opening CLI prompt, enter the following command to change to the Privileged level of the EXEC mode.

    device> enable
    device#

2. Access the CONFIG level of the CLI by entering the following command.

    device#configure terminal
    device(config)#

3.
Enhance the Port Configuration privilege level so users also can enter IP commands at the global CONFIG level.

    device(config)#privilege configure level 4 ip

In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of the CLI. The level 4 parameter indicates that the enhanced access is for management privilege level 4 (Port Configuration). All users with Port Configuration privileges will have the enhanced access.
1. Start a CLI session over the serial interface to the device.
2. Reboot the device.
3. At the initial boot prompt at system startup, enter b to enter the boot monitor mode.
4. Enter no password at the prompt. (You cannot abbreviate this command.) This command will cause the device to bypass the system password check.
5. Enter boot system flash primary at the prompt. On ICX 6430 and ICX 6450 devices, enter boot_primary.
6.
If you configure local user accounts, you also need to configure an authentication-method list for Telnet access and SNMP access. Refer to Authentication-method lists on page 75.

For each local user account, you specify a user name. You also can specify the following parameters:

• A password

NOTE: If you use AAA authentication for SNMP access and set the password the same as the username, providing the password during authentication is optional.
NOTE: Password minimum and combination requirements are strictly enforced.

Use the enable strict-password-enforcement command to enable the password security feature.

    device(config)#enable strict-password-enforcement

Syntax: [no] enable strict-password-enforcement

This feature is disabled by default.
To enable password masking, enter the following command.

    device(config)#enable user password-masking

Syntax: [no] enable user password-masking

Enabling user password aging

For enhanced security, password aging enforces quarterly updates of all user passwords. After 180 days, the CLI will automatically prompt users to change their passwords when they attempt to sign on.
Enhanced login lockout

The CLI provides up to three login attempts. If a user fails to log in after three attempts, that user is locked out (disabled). If desired, you can increase or decrease the number of login attempts before the user is disabled. To do so, enter a command such as the following at the global CONFIG level of the CLI.
Local user account configuration

You can create accounts for local users with or without passwords. Accounts with passwords can have encrypted or unencrypted passwords. You can assign privilege levels to local user accounts, but on a new device, you must create a local user account that has a Super User privilege before you can create accounts with other privilege levels.
The password | nopassword parameter indicates whether the user must enter a password. If you specify password, enter the string for the user's password. You can enter up to 48 characters for password-string.
TACACS and TACACS+ security

You can use the security protocol Terminal Access Controller Access Control System (TACACS) or TACACS+ to authenticate the following kinds of access to the Brocade device:

• Telnet access
• SSH access
• Console access
• Access to the Privileged EXEC level and CONFIG levels of the CLI

The TACACS and TACACS+ protocols define how authentication, authorization, and accounting information is sent between a Brocade device and an authentication database on
Configuring TACACS/TACACS+ for devices in a Brocade traditional stack

Because devices operating in a Brocade traditional stack topology present multiple console ports, you must take additional steps to secure these ports when configuring TACACS/TACACS+. The following is a sample AAA console configuration using TACACS+.
        you are connecting to this session
        1 minutes 5 seconds in idle
    2   established
        1 hours 4 minutes 18 seconds in idle
    3   established
        1 hours 4 minutes 15 seconds in idle
    4   established
        1 hours 4 minutes 9 seconds in idle
    Telnet connections (inbound):
    1   closed
    2   closed
    3   closed
    4   closed
    5   closed
    Telnet connection (outbound):
    6   closed
    SSH connections:
    1   closed
    2   closed
    3   closed
    4   closed
    5   closed
    stack9#

TACACS authentication

NOTE: Also, multiple challenges are supported for TACACS+ login auth
TACACS+ authorization

Brocade devices support two kinds of TACACS+ authorization:

• Exec authorization determines a user privilege level when they are authenticated
• Command authorization consults a TACACS+ server to get authorization for commands entered by the user

When TACACS+ exec authorization takes place, the following events occur.

1. A user logs into the Brocade device using Telnet or SSH.
2. The user is authenticated.
3.
User action: (continued from the previous row)
Applicable AAA operations:
    System accounting start (TACACS+): aaa accounting system default start-stop method-list

User action: User logs in using Telnet/SSH
Applicable AAA operations:
    Login authentication: aaa authentication login default method-list
    Exec authorization (TACACS+): aaa authorization exec default tacacs+
    Exec accounting start (TACACS+): aaa accounting exec default method-list
    System accounting start (TACACS+): aaa accounting system default start-stop method-list

User action: User logs out of Telnet/SSH session
Applicable AAA operations: C
AAA security for commands pasted into the running-config

If AAA security is enabled on the device, commands pasted into the running-config are subject to the same AAA operations as if they were entered manually. When you paste commands into the running-config, and AAA command authorization or accounting, or both, are configured on the device, AAA operations are performed on the pasted commands.
Enabling TACACS

TACACS is disabled by default. To configure TACACS/TACACS+ authentication parameters, you must enable TACACS by entering the following command.

    device(config)#enable snmp config-tacacs

Syntax: [no] enable snmp [ config-radius | config-tacacs ]

The config-radius parameter specifies the RADIUS configuration mode. RADIUS is disabled by default. The config-tacacs parameter specifies the TACACS configuration mode. TACACS is disabled by default.
The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the authentication port on the server. The default port number is 49.

Specifying different servers for individual AAA functions

In a TACACS+ configuration, you can designate a server to handle a specific AAA task. For example, you can designate one TACACS+ server to handle authorization and another TACACS+ server to handle accounting.
To specify a TACACS+ server key, enter a command such as the following.

    device(config)#tacacs-server key rkwong

Syntax: tacacs-server key [ 0 ] string

When you display the configuration of the Brocade device, the TACACS+ keys are encrypted. For example:

    device(config)# tacacs-server key abc
    device(config)#write terminal
    ...
    tacacs-server host 10.2.3.5 auth-port 49 tacacs key 2$!2d

NOTE: Encryption of the TACACS+ keys is done by default. The 0 parameter disables encryption.
When you configure authentication-method lists for TACACS/TACACS+ authentication, you must create a separate authentication-method list for Telnet/SSH CLI access, and for access to the Privileged EXEC level and CONFIG levels of the CLI.

To create an authentication method list that specifies TACACS/TACACS+ as the primary authentication method for securing Telnet/SSH access to the CLI.
TABLE 3 Authentication method values (Continued)

Method parameter: none
Description: Do not use any authentication method. The device automatically permits access.

NOTE: For examples of how to define authentication-method lists for types of authentication other than TACACS/TACACS+, refer to Authentication-method lists on page 75.
Configuring TACACS+ authorization

Brocade devices support TACACS+ authorization for controlling access to management functions in the CLI.
... are 0 for super-user level, 4 for port-config level, or 5 for read-only level. If a value other than 0, 4, or 5 is specified in the foundry-privlvl A-V pair, the default privilege level of 5 (read-only) is used. The foundry-privlvl A-V pair can also be embedded in the group configuration for the user. See your TACACS+ documentation for the configuration syntax relevant to your server.
Configuring command authorization

When TACACS+ command authorization is enabled, the Brocade device consults a TACACS+ server to get authorization for commands entered by the user. You enable TACACS+ command authorization by specifying a privilege level whose commands require authorization.
Configuring TACACS+ accounting for Telnet/SSH (Shell) access

To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user establishes a Telnet or SSH session on the Brocade device, and an Accounting Stop packet when the user logs out.
... Switch. For configuration details, see the "Specifying a single source interface for specified packet types" section in the FastIron Ethernet Switch Layer 3 Routing Configuration Guide.

Displaying TACACS/TACACS+ statistics and configuration information

The show aaa command displays information about all TACACS+ and RADIUS servers identified on the device.
RADIUS security

You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following types of access to the Brocade Layer 2 Switch or Layer 3 Switch:

• Telnet access
• SSH access
• Access to the Privileged EXEC level and CONFIG levels of the CLI

RADIUS authentication, authorization, and accounting

When RADIUS authentication is implemented, the Brocade device consults a RADIUS server to verify user names and passwords.
3. If the command belongs to a privilege level that requires authorization, the Brocade device looks at the list of commands delivered to it in the RADIUS Access-Accept packet when the user was authenticated. (Along with the command list, an attribute was sent that specifies whether the user is permitted or denied usage of the commands in the list.)

NOTE: After RADIUS authentication takes place, the command list resides on the Brocade device.
User action: (continued from the previous row)
Applicable AAA operations:
    EXEC accounting Start: aaa accounting exec default start-stop method-list
    System accounting Start: aaa accounting system default start-stop method-list

User action: User logs out of Telnet/SSH session
Applicable AAA operations:
    Command authorization for logout command: aaa authorization commands privilege-level default method-list
    Command accounting: aaa accounting commands privilege-level default start-stop method-list
    EXEC accounting stop: aaa acco
AAA operations are performed before the commands are actually added to the running-config. The server performing the AAA operations should be reachable when you paste the commands into the running-config file. If the device determines that a pasted command is invalid, AAA operations are halted on the remaining commands. The remaining commands may not be issued if command authorization is configured.
8. Optionally configure RADIUS authorization. Refer to RADIUS authorization on page 69.
9. Optionally configure RADIUS accounting. Refer to RADIUS accounting on page 71.

Brocade-specific attributes on the RADIUS server

NOTE: For all Brocade devices, RADIUS Challenge is supported for 802.1x authentication but not for login authentication.
TABLE 6 Brocade vendor-specific attributes for RADIUS (Continued)

Attribute name: foundry-command-exception-flag
Attribute ID: 3
Data type: integer
Description: Specifies whether the commands indicated by the foundry-command-string attribute are permitted or denied to the user. This attribute can be set to one of the following:
    • 0 - Permit execution of the commands indicated by foundry-command-string, deny all other commands.
    •

Attribute name: foundry-access-list
Attribute ID: 5
Data type: string
Description:
The config-radius parameter specifies the RADIUS configuration mode. RADIUS is disabled by default. The config-tacacs parameter specifies the TACACS configuration mode. TACACS is disabled by default.

Identifying the RADIUS server to the Brocade device

To use a RADIUS server to authenticate access to a Brocade device, you must identify the server to the Brocade device.

    device(config)#radius-server host 10.157.22.
RADIUS server per port configuration notes

• This feature works with 802.1X and multi-device port authentication only.
• You can define up to eight RADIUS servers per Brocade device.

RADIUS configuration example and command syntax

The following shows an example configuration.
RADIUS server-to-ports configuration notes

• This feature works with 802.1X and multi-device port authentication only.
• You can map a RADIUS server to a physical port only. You cannot map a RADIUS server to a VE.

RADIUS server-to-ports configuration example and command syntax

To map a RADIUS server to a port, enter commands such as the following.
NOTE: Encryption of the RADIUS keys is done by default and the default value is 2 (SIMPLE_ENCRYPTION_BASE64). The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility.

Setting the retransmission limit

The retransmit parameter specifies the maximum number of retransmission attempts.
When you configure authentication-method lists for RADIUS, you must create a separate authentication-method list for Telnet or SSH CLI access and for CLI access to the Privileged EXEC level and CONFIG levels of the CLI.

To create an authentication-method list that specifies RADIUS as the primary authentication method for securing Telnet access to the CLI.
TABLE 7 Authentication method values (Continued)

Method parameter: none
Description: Do not use any authentication method. The device automatically permits access.

NOTE: For examples of how to define authentication-method lists for types of authentication other than RADIUS, refer to Authentication-method lists on page 75.
Syntax: aaa authorization exec default [ radius | none ]

If you specify none, or omit the aaa authorization exec command from the device configuration, no exec authorization is performed.

NOTE: If the aaa authorization exec default radius command exists in the configuration, following successful authentication the device assigns the user the privilege level specified by the foundry-privilege-level attribute received from the RADIUS server.
Command authorization and accounting for console commands

The Brocade device supports command authorization and command accounting for CLI commands entered at the console. To configure the device to perform command authorization and command accounting for console commands, enter the following.
NOTE: If authorization is enabled, and the command requires authorization, then authorization is performed before accounting takes place. If authorization fails for the command, no accounting takes place.
TABLE 8 Output of the show aaa command for RADIUS

Field: Radius key
Description: The setting configured with the radius-server key command. At the Super User privilege level, the actual text of the key is displayed. At the other privilege levels, a string of periods (....) is displayed instead of the text.

Field: Radius retries
Description: The setting configured with the radius-server retransmit command.

Field: Radius timeout
Description: The setting configured with the radius-server timeout command.
Changing the SSL server certificate key size

The default key size for Brocade-issued and imported digital certificates is 1024 bits. If desired, you can change the default key size to a value of 512, 2048, or 4096 bits. To do so, enter a command such as the following at the Global CONFIG level of the CLI.
Generating an SSL certificate

If the certificate does not automatically generate, enter the following command to generate it.

    Brocade(config)#crypto-ssl certificate generate

Syntax: [no] crypto-ssl certificate generate

If you did not already import a digital certificate from a client, the device can create a default certificate. To do this, enter the following command.
In an authentication-method list for a particular access method, you can specify up to seven authentication methods. If the first authentication method is successful, the software grants access and stops the authentication process. If the access is rejected by the first authentication method, the software denies access and stops checking.
Security Access
Note that the above configuration can be overridden by the command no snmp-server pw-check, which disables password checking for SNMP SET requests.
Example 2
To configure an authentication-method list for the Privileged EXEC and CONFIG levels of the CLI, enter the following command.
device(config)#aaa authentication enable default local
This command configures the device to use the local user accounts to authenticate attempts to access the Privileged EXEC and CONFIG levels of the CLI.
TCP Flags - edge port security
TABLE 9 Authentication method values (Continued)
Method parameter   Description
local              Authenticate using a local user name and password you configured on the device. Local user names and passwords are configured using the username... command. Refer to Local user account configuration on page 40.
tacacs             Authenticate using the database on a TACACS server. You also must identify the server to the device using the tacacs-server command.
Using TCP Flags in combination with other ACL features
The TCP Flags feature has the added capability of being combined with other ACL features.
device(config-ext-nACL)#permit tcp any any match-all +urg +ack +syn -rst trafficpolicy test
This command configures the ACL to match incoming traffic with the TCP Flags urg, ack, and syn and also to apply the traffic policy (rate, limit, etc.) to the matched traffic.
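The match-all clause above is evaluated flag by flag: every "+" flag must be set and every "-" flag must be clear, and flags the clause does not name are ignored. The following is an added example (not code from the FastIron guide) that implements that evaluation over a small ACL so the behaviour can be checked against constructed segments. The clause grammar is the one on the page; the packet representation, the entry dictionaries, the function names and the inclusion of psh and fin in the accepted flag set are this example's own assumptions.

```python
"""Evaluate a FastIron-style TCP Flags clause ("match-all +urg +ack +syn -rst")
against the flags carried by a TCP segment.

Added example; not code from the FastIron guide. The clause grammar is the
one shown on the page; the packet representation (a set of flag names), the
ACL entry dictionaries and the function names are this example's own.
"""

# Flag names accepted in a clause. urg/ack/syn/rst appear on the page; psh and
# fin are assumed here to round out the six classic TCP flags.
TCP_FLAGS = {"urg", "ack", "psh", "rst", "syn", "fin"}


def parse_flag_clause(clause):
    """Parse "+urg +ack +syn -rst" into (must_be_set, must_be_clear).

    "+name" means the flag must be set, "-name" that it must be clear.
    """
    required, forbidden = set(), set()
    for token in clause.split():
        sign, name = token[:1], token[1:].lower()
        if sign not in ("+", "-") or name not in TCP_FLAGS:
            raise ValueError(f"bad TCP flag token: {token!r}")
        (required if sign == "+" else forbidden).add(name)
    if required & forbidden:
        raise ValueError("a flag cannot be required both set and clear")
    return required, forbidden


def match_all(clause, packet_flags):
    """match-all semantics: every +flag must be set and every -flag clear.

    Flags the clause does not mention are ignored, so "+syn -ack" also
    matches a segment that has SYN and PSH set.
    """
    required, forbidden = parse_flag_clause(clause)
    flags = {f.lower() for f in packet_flags}
    return required <= flags and not (forbidden & flags)


def first_matching_entry(acl, packet_flags):
    """Walk the ACL in order and return the first entry whose clause matches.

    Returns None when nothing matches; on the device that falls through to
    the implicit deny at the end of the list.
    """
    for entry in acl:
        if match_all(entry["flags"], packet_flags):
            return entry
    return None


# Constructed sample ACL: the page's permit line (with its traffic policy),
# followed by a deny for bare connection requests.
SAMPLE_ACL = [
    {"action": "permit", "flags": "+urg +ack +syn -rst", "traffic_policy": "test"},
    {"action": "deny", "flags": "+syn -ack", "traffic_policy": None},
]

if __name__ == "__main__":
    for flags in ({"URG", "ACK", "SYN"}, {"SYN"}, {"ACK"}):
        hit = first_matching_entry(SAMPLE_ACL, flags)
        print(sorted(flags), "->", hit["action"] if hit else "implicit deny")
```

A segment with URG, ACK and SYN set (and RST clear) hits the first entry and picks up the traffic policy; a bare SYN hits the deny; a plain ACK matches neither and falls to the implicit deny.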
Using TCP Flags in combination with other ACL features 80 FastIron Ethernet Switch Security Configuration Guide 53-1003088-03
SSH2 and SCP
● Supported SSH2 and Secure Copy features.................................................................. 81
● SSH version 2 overview.................................................................................................. 81
● SSH2 authentication types..............................................................................................83
● Optional SSH parameters...............................................................................................
Tested SSH2 clients
used. The highest version of SSH2 supported by both the Brocade device and the client is the version that is used for the session. Once the SSH2 version is negotiated, the encryption algorithm with the highest security ranking is selected to be used for the session. Brocade devices also support Secure Copy (SCP) for securely transferring files between a Brocade device and SCP-enabled remote hosts.
SSH2 unsupported features
• Encryption is provided with 3des-cbc, aes128-cbc, aes192-cbc or aes256-cbc. AES encryption has been adopted by the U.S. Government as an encryption standard.
• Data integrity is ensured with hmac-sha1.
• Supported authentication methods are Password, interactive, and Key authentication.
• Five inbound SSH connections at one time are supported.
• Five outbound SSH connections are supported.
Enabling and disabling SSH by generating and deleting host keys
To enable SSH, you generate a DSA or RSA host key on the device. The SSH server on the Brocade device uses this host DSA or RSA key, along with a dynamically generated server DSA or RSA key pair, to negotiate a session key and encryption method with the client trying to connect to it.
Generating and deleting an RSA key pair
To generate an RSA key pair, enter a command such as the following:
device(config)#crypto key generate rsa modulus 2048
To delete the RSA host key pair, enter the following command.
device(config)#crypto key zeroize rsa
Syntax: crypto key { generate | zeroize } rsa [ modulus modulus-size ]
The generate keyword places an RSA host key pair in the flash memory and enables SSH on the device, if it is not already enabled.
Configuring DSA or RSA challenge-response authentication
With DSA or RSA challenge-response authentication, a collection of clients' public keys is stored on the Brocade device. Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
Enabling DSA or RSA challenge-response authentication
The tftp-server-ip-addr variable is the IP address of the TFTP server that contains the public key file that you want to import into the Brocade device. The filename variable is the name of the public key file that you want to import into the Brocade device. The remove parameter deletes the public keys from the device. To display the currently loaded public keys, enter the following command.
Optional SSH parameters
You can adjust the following SSH settings on the Brocade device:
• The number of SSH authentication retries
• The user authentication method the Brocade device uses for SSH connections
• Whether the Brocade device allows users to log in without supplying a password
• The port number for SSH connections
• The SSH login timeout value
• A specific interface to be used as the source for all SSH traffic from the device
• The maximum idle time for SSH sessions
Se
The default is yes. To deactivate password authentication, enter the following command.
device(config)#ip ssh password-authentication no
Syntax: ip ssh password-authentication { no | yes }
The default is yes.
Enabling empty password logins
By default, empty password logins are not allowed. This means that users with an SSH client are always prompted for a password when they log into the device. To gain access to the device, each user must have a user name and password.
Designating an interface as the source for all SSH packets
You can designate a loopback interface, virtual interface, or Ethernet port as the source for all SSH packets from the device. For details, see the "Specifying a single source interface for specified packet types" section in the FastIron Ethernet Switch Layer 3 Routing Configuration Guide.
Configuring the maximum idle time for SSH sessions
By default, SSH sessions do not time out.
Displaying SSH connection information
To display information about SSH connections, enter the show ip ssh command.
device#show ip ssh
Connection  Version  Encryption  Username  HMAC
Inbound:
1           SSH-2    3des-cbc    Raymond   hmac-sha1
Outbound:
6           SSH-2    aes256-cbc  Steve     hmac-sha1
SSH-v2.0 enabled; hostkey: DSA(1024), RSA(2048)
Server Hostkey  IP Address
ssh-dss         10.120.54.2
ssh-dss         10.37.77.
SCP                    : Enabled
SSH IPv4 clients       : All
SSH IPv6 clients       : All
SSH IPv4 access-group  :
SSH IPv6 access-group  :
SSH Client Keys        :
Brocade#
Syntax: show ip ssh config
This display shows the following information.
Field        Description
SSH server   SSH server is enabled or disabled
SSH port     SSH port number
Encryption   The encryption used for the SSH connection.
Displaying additional SSH connection information
The show who command also displays information about SSH connections:
device#show who
Console connections:
        Established
        you are connecting to this session
        2 minutes 56 seconds in idle
SSH server status: Enabled
SSH connections (inbound):
        1. established, client ip address 10.2.2.1, server hostkey DSA
           1 minutes 15 seconds in idle
        2. established, client ip address 10.2.2.
Example file transfers using SCP
The following are examples of using SCP to transfer files to and from a Brocade device.
Copying a file to the running config
To copy a configuration file (c:\cfg\brocade.cfg) to the running configuration file on a Brocade device at 10.168.1.50 and log in as user terry, enter the following command on the SCP-enabled client.
C:\> scp c:\cfg\brocade.cfg terry@10.168.1.
Copying a Software Image file from flash memory
To copy a software image file from an SCP-enabled client to the secondary flash on these devices, enter one of the following commands.
C:\> scp FCXR08000.bin terry@10.168.1.50:flash:secondary
or
c:\> scp FCXR08000.bin terry@10.168.1.50:flash:sec:FCXR08000.bin
NOTE
After the copy operation is completed at the host, you do not get the command prompt back because the switch is synchronizing the image to flash.
Importing an RSA private key
To import an RSA private key from a client using SCP, enter a command such as the following one:
C:\> scp keyfile user@10.168.9.210:sslPrivKey
Syntax: scp key-filename user@ip-address sslPrivKey
The ip-address variable is the IP address of the server that contains the private key file. The key-filename variable is the file name of the private key that you want to import into the device.
Enabling SSH2 client
while you are connected to the device by any connection method (SSH2, Telnet, console). Brocade devices support one outbound SSH2 client session at a time.
Generating and deleting a client RSA key pair
To generate a client RSA key pair, enter a command such as the following:
device(config)#crypto key client generate rsa modulus 2048
To delete the RSA host key pair, enter the following command.
device(config)#crypto key client zeroize rsa
Syntax: crypto key client { generate | zeroize } rsa [ modulus modulus-size ]
The generate keyword places an RSA host key pair in the flash memory.
Displaying SSH2 client information
For information about displaying SSH2 client information, see the following sections:
• Displaying SSH connection information on page 91
• Displaying additional SSH connection information on page 93
Rule-Based IP ACLs
● Supported Rule-Based IP ACL Features...................................................................... 101
● ACL overview................................................................................................................ 103
● How hardware-based ACLs work..................................................................................106
● ACL configuration considerations.................................................................................
Feature                            ICX 6430  ICX 6450  FCX       ICX 6610  ICX 6650  FSX 800 / FSX 1600  ICX 7750
Hardware-based ACLs                08.0.01   08.0.01   08.0.01   08.0.01   08.0.01   08.0.01             08.0.10
ACL accounting                     No        08.0.10a  08.0.10a  08.0.10a  08.0.10a  08.0.10a            08.0.10a
Standard named and numbered ACLs   08.0.01   08.0.01   08.0.01   08.0.01   08.0.01   08.0.01             08.0.10
Extended named and numbered ACLs   08.0.01   08.0.01   08.0.01   08.0.01   08.0.01   08.0.01             08.0.
ACL overview
Feature                                                            ICX 6430  ICX 6450  FCX       ICX 6610  ICX 6650  FSX 800 / FSX 1600  ICX 7750
ACL logging of denied packets                                      No        No        No        No        No        No                  No
ACL logging with traffic rate limiting (to prevent CPU overload)   No        No        No        No        No        No                  No
Strict control of ACL filtering of fragmented packets              08.0.01   08.0.01   08.0.01   08.0.01   08.0.01   08.0.01             08.0.10
ACL support for switched traffic in the router image               No        08.0.01   08.0.01   08.0.01   08.0.01   08.0.01             08.0.
Types of IP ACLs
listed in the Supported ACL features on inbound traffic and Supported ACL features on outbound traffic tables respectively and discussed in more detail in the rest of this chapter.
NOTE
FastIron devices do not support flow-based ACLs.
Rule-based ACLs program the ACL entries you assign to an interface into Content Addressable Memory (CAM) space allocated for the ports. The ACLs are programmed into hardware at startup (or as new ACLs are entered and bound to ports).
Numbered and named ACLs
combination in different ACLs. The total number of entries in all ACLs cannot exceed the system maximum listed in the following table.
How hardware-based ACLs work
When you bind an ACL to inbound or outbound traffic on an interface, the device programs the Layer 4 CAM with the ACL. Permit and deny rules are programmed. Most ACL rules require one Layer 4 CAM entry. However, ACL rules that match on more than one TCP or UDP application port may require several CAM entries. The Layer 4 CAM entries for ACLs do not age out.
Configuring standard numbered ACLs
• Inbound ACLs apply to all traffic, including management traffic. By default outbound ACLs are not applied to traffic generated by the CPU. This must be enabled using the enable egress-acl-on-control-traffic command. See Applying egress ACLs to Control (CPU) traffic on page 122 for details.
• The number of ACLs supported per device is listed in the Maximum number of ACL entries table.
• Hardware-based ACLs support only one ACL per port.
Standard numbered ACL syntax
Syntax: [no] access-list ACL-num { deny | permit } { source-ip | hostname wildcard } [ log ]
or
Syntax: [no] access-list ACL-num { deny | permit } { source-ip/mask-bits | hostname } [ log ]
Syntax: [no] access-list ACL-num { deny | permit } { source-ip | hostname } [ log ]
Syntax: [no] access-list ACL-num { deny | permit } any [ log ]
Syntax: [no] ip access-group ACL-num [ in | out ]
The ACL-num parameter is the access list number from 1 - 99.
Configuration example for standard numbered ACLs
The log argument configures the device to generate Syslog entries and SNMP traps for inbound packets that are denied by the access policy. The in | out parameter applies the ACL to incoming or outgoing traffic on the interface to which you apply the ACL. You can apply the ACL to an Ethernet port, or virtual interface.
Syntax: [no] ip access-list standard { ACL-name | ACL-num } { deny | permit } { source-ip | hostname } [ log ]
Syntax: [no] ip access-list standard { ACL-name | ACL-num } { deny | permit } any [ log ]
Syntax: [no] ip access-group ACL-name [ in | out ]
The ACL-name parameter is the access list name. You can specify a string of up to 256 alphanumeric characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, "ACL for Net1").
Configuration example for standard named ACLs
NOTE
If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with subnet mask in the display produced by the show ip access-list command.
The host source-ip | hostname parameter lets you specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.
Extended numbered ACL configuration
This section describes how to configure extended numbered ACLs.
If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of "10.157.22.26 0.0.0.255" as "10.157.22.26/24".
The tcp/udp comparison operator parameter specifies a comparison operator for the TCP or UDP port number. This parameter applies only when you specify tcp or udp as the IP protocol. For example, if you are configuring an entry for HTTP, specify tcp eq http. You can enter one of the following operators:
• eq - The policy applies to the TCP or UDP port name or number you enter after eq.
• established - This operator applies only to TCP packets.
• network or 7 - The ACL matches packets that have the network control precedence. If you specify the option number instead of the name, specify number 7.
• priority or 1 - The ACL matches packets that have the priority precedence. If you specify the option number instead of the name, specify number 1.
• routine or 0 - The ACL matches packets that have the routine precedence. If you specify the option number instead of the name, specify number 0.
The dscp-matching option matches on the packet's DSCP value. Enter a value from 0 - 63. This option does not change the packet's forwarding priority through the device or mark the packet. Refer to DSCP matching on page 140.
The log parameter enables SNMP traps and Syslog messages for inbound packets denied by the ACL:
• You can enable logging on inbound ACLs and filters that support logging even when the ACLs and filters are already in use.
The second entry denies IGMP traffic from the host device named "rkwong" to the 10.157.21.x network. The third entry denies IGMP traffic from the 10.157.21.x network to the host device named "rkwong". The fourth entry denies all IP traffic from host 10.157.21.100 to host 10.157.22.1 and generates Syslog entries for packets that are denied by this entry. The fifth entry denies all OSPF traffic and generates Syslog entries for denied traffic.
Extended named ACL configuration
The commands for configuring named ACL entries are different from the commands for configuring numbered ACL entries. The command to configure a numbered ACL is access-list. The command for configuring a named ACL is ip access-list. In addition, when you configure a numbered ACL entry, you specify all the command parameters on the same command.
The wildcard parameter specifies the portion of the source IP host address to match against. The wildcard is in dotted-decimal notation (IP address format). It is a four-part value, where each part is 8 bits (one byte) separated by dots, and each bit is a one or a zero. Each part is a number ranging from 0 to 255, for example 0.0.0.255. Zeros in the mask mean the packet's source address must match the source-ip. Ones mean any value matches.
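The wildcard rule just stated (zero bits must match, one bits match anything) and the CIDR equivalence given earlier ("10.157.22.26 0.0.0.255" is "10.157.22.26/24") are both mechanical bit operations. The following is an added example, not code from the FastIron guide, that implements the wildcard match and converts between the three notations the page mentions (wildcard, /n prefix, and the subnet-mask form that show ip access-list displays). It goes slightly beyond the page in one respect: a wildcard whose one bits are not contiguous (for example 0.0.255.0) is accepted by the ACL syntax but has no /n equivalent, and the converter refuses it rather than silently changing the rule. Function names are this example's own.

```python
"""Wildcard masks and CIDR in FastIron-style ACL address fields.

Added example; not code from the FastIron guide. It implements the rule the
page states (a 0 bit in the wildcard must match, a 1 bit matches anything)
and the equivalence it gives ("10.157.22.26 0.0.0.255" = "10.157.22.26/24").
Function names are this example's own.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_matches(source_ip, wildcard, packet_src):
    """True if packet_src matches source_ip under the wildcard mask."""
    care = ALL_ONES ^ _to_int(wildcard)  # the 0 bits of the wildcard are compared
    return (_to_int(source_ip) & care) == (_to_int(packet_src) & care)


def wildcard_to_prefix_len(wildcard):
    """Prefix length equivalent to a contiguous wildcard, or None.

    A wildcard such as 0.0.255.0 is legal in the ACL syntax but cannot be
    written as /n; a converter that silently accepted it would change the rule.
    """
    w = _to_int(wildcard)
    if (w + 1) & w:  # contiguous wildcards are 2**k - 1, so w + 1 is a power of two
        return None
    return 32 - w.bit_length()


def to_cidr(source_ip, wildcard):
    """"10.157.22.26 0.0.0.255" -> "10.157.22.26/24" (host bits kept as typed)."""
    plen = wildcard_to_prefix_len(wildcard)
    return None if plen is None else f"{source_ip}/{plen}"


def prefix_len_to_wildcard(plen):
    """Inverse conversion: 24 -> "0.0.0.255"."""
    if not 0 <= plen <= 32:
        raise ValueError("prefix length must be 0..32")
    return _to_str((1 << (32 - plen)) - 1)


def wildcard_to_subnet_mask(wildcard):
    """The subnet-mask form a show command displays: 0.0.0.255 -> 255.255.255.0."""
    return _to_str(ALL_ONES ^ _to_int(wildcard))


if __name__ == "__main__":
    print(to_cidr("10.157.22.26", "0.0.0.255"))                           # 10.157.22.26/24
    print(wildcard_matches("10.157.22.26", "0.0.0.255", "10.157.22.200"))  # True
    print(wildcard_matches("10.157.22.26", "0.0.0.255", "10.157.23.1"))    # False
    print(to_cidr("10.0.0.0", "0.0.255.0"))                               # None: no CIDR form
```

The host form on the page (an implied wildcard of 0.0.0.0) is the degenerate case: every bit is compared, and the prefix length is 32.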
NOTE
The QoS options listed below are only available if a specific ICMP type is specified for the icmp-type parameter and cannot be used with the any-icmp-type option above. See QoS options for IP ACLs on page 135 for more information on using ACLs to perform QoS.
The tcp/udp comparison operator parameter specifies a comparison operator for the TCP or UDP port number. This parameter applies only when you specify tcp or udp as the IP protocol.
• flash-override or 4 - The ACL matches packets that have the flash override precedence. If you specify the option number instead of the name, specify number 4.
• immediate or 2 - The ACL matches packets that have the immediate precedence. If you specify the option number instead of the name, specify number 2.
• internet or 6 - The ACL matches packets that have the internetwork control precedence. If you specify the option number instead of the name, specify number 6.
Applying egress ACLs to Control (CPU) traffic
NOTE
The dscp-cos-mapping option is supported on FSX devices only.
The dscp-marking option enables you to configure an ACL that marks matching packets with a specified DSCP value. Enter a value from 0 - 63. Refer to Using an IP ACL to mark DSCP values (DSCP marking) on page 137. The dscp-matching option matches on the packet's DSCP value. Enter a value from 0 - 63.
ACL comment text management
To enable this feature, enter the ip preserve-ACL-user-input-format command.
device(config)#ip preserve-ACL-user-input-format
Syntax: ip preserve-ACL-user-input-format
The following example shows how this feature works for a TCP port (this feature works the same way for UDP ports). In this example, the user identifies the TCP port by number (80) when configuring ACL group 140. However, show ip access-list 140 reverts to the port name for the TCP port (http in this example).
Adding a comment to an entry in a named ACL
Syntax: [no] ip access-list [ standard | extended ] ACL-num
Syntax: remark comment-text
For ACL-num, enter the number of the ACL. The comment-text can be up to 128 characters in length. The comment must be entered separately from the actual ACL entry; that is, you cannot enter the ACL entry and the ACL comment with the same access-list or ip access-list command.
Applying an ACL to a virtual interface in a protocol- or subnet-based VLAN
The following shows the comment text for a numbered ACL, ACL 100, in a show running-config display.
device#show running-config
...
access-list 100 remark The following line permits TCP packets
access-list 100 permit tcp 192.168.4.40/24 2.2.2.2/24
access-list 100 remark The following line permits UDP packets
access-list 100 permit udp 192.168.2.52/24 2.2.2.
ACL logging
Brocade devices support ACL logging of inbound packets that are sent to the CPU for processing (denied packets).
NOTE
ACL logging is not supported for outbound packets or any packets that are processed in hardware (permitted packets).
You may want the software to log entries in the Syslog for packets that are denied by ACL filters. ACL logging is disabled by default; it must be explicitly enabled on a port.
Configuration tasks for ACL logging
NOTE
The above limitation applies only to IPv4 ACLs; it does not apply to the use of ACLs to log IPv6 traffic.
• When ACL logging is enabled on Brocade FCX Series and ICX devices, packets sent to the CPU are automatically rate limited to prevent CPU overload.
• When ACL logging is enabled on FastIron X Series devices, Brocade recommends that you configure a traffic conditioner, then link the ACL to the traffic conditioner to prevent CPU overload.
Displaying ACL Log Entries
The above commands create ACL entries that include the log option, then bind the ACL to interface e 9/12. Statistics for packets that match the deny statement will be logged.
Syntax: logging-enable
NOTE
The logging-enabled command applies to IPv6 devices only. For IPv4 devices, use the ACL-logging command as shown in the previous example.
Enabling ACL support for switched traffic in the router image
or applies the interface's ACL entries to the packet and permits or denies the packet according to the first matching ACL.
• For other fragments of the same packet, they are subject to a rule only if there is no Layer 4 information in the rule or in any preceding rules. The fragments are forwarded even if the first fragment, which contains the Layer 4 information, was denied.
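The fragment rule above has a direct consequence for anyone writing a deny on a TCP or UDP port: only the first fragment carries the Layer 4 header, so later fragments of the same datagram stop being evaluated at the first rule that mentions a port and are forwarded. The following is an added example, not code from the FastIron guide, that models the two statements on the page against constructed packets and shows that expressing the same deny at Layer 3 catches the later fragments as well. The rule and packet dictionaries, the function names, and the treatment of a list in which a fragment never reaches a Layer 4 rule (the implicit deny applies) are this example's assumptions.

```python
"""How non-initial IP fragments are evaluated against an inbound ACL.

Added example; not code from the FastIron guide. It models the two rules the
page states: the first fragment (which carries the Layer 4 header) is checked
against the whole list; a later fragment is subject to a rule only if neither
that rule nor any rule before it carries Layer 4 information, and is forwarded
once such a rule is reached. The dictionaries, function names and the
implicit-deny handling for fragments are this example's assumptions.
"""
import ipaddress

ANY = "0.0.0.0/0"


def _in_net(addr, net):
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net)


def _has_l4_info(rule):
    """A rule carries Layer 4 information if it matches on a port."""
    return rule.get("sport") is not None or rule.get("dport") is not None


def _l3_matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and _in_net(pkt["src"], rule["src"])
            and _in_net(pkt["dst"], rule["dst"]))


def _l4_matches(rule, pkt):
    return all(rule.get(k) is None or pkt.get(k) == rule[k] for k in ("sport", "dport"))


def evaluate(acl, pkt):
    """Return "permit" or "deny" for one packet or fragment."""
    first = pkt.get("fragment_offset", 0) == 0  # offset 0: first or only fragment
    for rule in acl:
        if first:
            if _l3_matches(rule, pkt) and _l4_matches(rule, pkt):
                return rule["action"]
            continue
        if _has_l4_info(rule):
            # A later fragment has no Layer 4 header to compare; the page says
            # it is forwarded even if the first fragment was denied.
            return "permit"
        if _l3_matches(rule, pkt):
            return rule["action"]
    return "deny"  # implicit deny ip any any at the end of every ACL


def rule(action, proto, src, dst, dport=None, sport=None):
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "sport": sport}


# Constructed sample: a Layer 4 deny followed by permit ip any any.
L4_DENY_ACL = [
    rule("deny", "tcp", "10.157.21.0/24", "10.157.22.0/24", dport=80),
    rule("permit", "ip", ANY, ANY),
]

# The same intent expressed at Layer 3, which also catches later fragments.
L3_DENY_ACL = [
    rule("deny", "ip", "10.157.21.0/24", "10.157.22.0/24"),
    rule("permit", "ip", ANY, ANY),
]

# Constructed packets: the first fragment carries the TCP header, the later one does not.
FIRST_FRAGMENT = {"proto": "tcp", "src": "10.157.21.5", "dst": "10.157.22.9",
                  "dport": 80, "fragment_offset": 0}
LATER_FRAGMENT = {"proto": "tcp", "src": "10.157.21.5", "dst": "10.157.22.9",
                  "fragment_offset": 185}

if __name__ == "__main__":
    for name, acl in (("L4 deny", L4_DENY_ACL), ("L3 deny", L3_DENY_ACL)):
        print(name, "first:", evaluate(acl, FIRST_FRAGMENT),
              "later:", evaluate(acl, LATER_FRAGMENT))
```

With the Layer 4 list the first fragment is denied but the later fragment is forwarded; with the Layer 3 list both are denied. The trade-off is that the Layer 3 rule is broader than the port-specific one, which is the usual price of making a deny fragment-proof.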
Enabling ACL filtering based on VLAN membership or VE port membership
device(config-vlan-101)#router-interface ve 101
device(config-vlan-101)#exit
device(config)#enable ACL-per-port-per-vlan
device(config)#ip access-list extended 101
device(config-ext-nacl)#bridged-routed
device(config)#write memory
device(config)#exit
device#reload
...
Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only)
202, 203, and 204, but not 300, 401, 600, and 900. See the release notes for a list of supported modules.
• Brocade devices do not support a globally-configured PBR policy together with per-port-per-VLAN ACLs.
• IPv4 ACLs that filter based on VLAN membership or VE port membership (ACL-per-port-per-VLAN) are supported together with IPv6 ACLs on the same device, as long as they are not bound to the same port or virtual interface.
Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only)
NOTE
This section applies to IPv4 ACLs only. IPv6 ACLs do not support ACL filtering based on VE port membership.
You can apply an IPv4 ACL to a virtual routing interface. The virtual interface is used for routing between VLANs and contains all the ports within the VLAN.
Configuration considerations for filtering ARP packets
address. This behavior can cause a condition called "ARP hijacking", when two hosts with the same IP address try to send an ARP request to the Brocade device. Normally ARP hijacking is not a problem because IP assignments are done dynamically; however, in some cases, ARP hijacking can occur, such as when a configuration allows a router interface to share the IP address of another router interface.
Displaying ACL filters for ARP
The access-list-number parameter identifies the ID of the standard ACL that will be used to filter the packet. Only the source and destination IP addresses will be used to filter the ARP packet. You can do one of the following for access-list-number:
• Enter an ACL ID to explicitly specify the ACL to be used for filtering. In the example above, the line device#ip use-ACL-on-arp 103 specifies ACL 103 to be used as the filter.
TCP flags - edge port security
precedence 6
device(config)#access-list 103 permit ip any any
The first entry in this ACL denies TCP traffic from the 10.157.21.x network to the 10.157.22.x network, if the traffic has the IP precedence option "internet" (equivalent to "6"). The second entry denies all FTP traffic from the 10.157.21.x network to the 10.157.22.x network, if the traffic has the IP precedence value "6" (equivalent to "internet").
Configuration notes for QoS options on FCX and ICX devices
• dscp-marking - Marks the DSCP value in the outgoing packet with the value you specify.
• internal-priority-marking and 802.1p-priority-marking - Supported with the DSCP marking option, these commands assign traffic that matches the ACL to a hardware forwarding queue (internal-priority-marking), and re-mark the packets that match the ACL with the 802.1p priority (802.1p-priority-marking).
• dscp-matching - Matches on the packet DSCP value.
Using an IP ACL to mark DSCP values (DSCP marking)
The dscp-cos-mapping option maps the DSCP value in incoming packets to a hardware table that provides mapping of each of the 0 - 63 DSCP values, and distributes them among eight traffic classes (internal priorities) and eight 802.1p priorities.
NOTE
The dscp-cos-mapping option overrides port-based priority settings. By default, the Brocade device does the 802.1p to CoS mapping.
provide DSCP-marking and DSCP-matching information in order to assign 802.1p priority values, which required the deployment of a 64-line ACL to match all possible DSCP values. Users were also required to configure an internal priority marking value. Now, users can easily specify 802.1p priority marking values directly, and change internal priority marking from required to optional.
NOTE
This feature is not applicable to outbound traffic.
Using an ACL to change the forwarding queue
Syntax: access-list num (100-199) permit tcp any any 802.1p-priority-marking priority value (0-7) [ internal-priority-marking value (0-7) ]
For UDP
device(config)#acc 105 per udp any any 802.1p-priority-marking 1
or the following command, which also assigns an optional internal-priority-marking value.
device(config)#acc 105 per udp any any 802.1p-priority-marking 1 internal-priority-marking 5
Syntax: access-list num (100-199) permit udp any any 802.
DSCP matching
The dscp-matching option matches on the packet DSCP value. This option does not change the packet forwarding priority through the device or mark the packet. To configure an ACL that matches on a packet with DSCP value 29, enter a command such as the following.
device(config)#access-list 112 permit ip 10.1.1.0 0.0.0.255 10.2.2.x 0.0.0.
ACL accounting
ACL accounting helps to collect usage information for access lists configured on the device. Counters, stored in hardware, keep track of the number of times an ACL filter is used. ACL accounting provides statistics for permit rules, deny rules, and implicit rules that help in identifying usage of particular traffic. ACL accounting is supported on IPv4 ACLs, IPv6 ACLs, and Layer 2 MAC filters and provides accounting information for inbound ACLs.
ACLs to control multicast features
-------------------------------------------------
65533: Implicit ND_NA Rule: permit any any
Hit Count: (1Min) 0 (5Sec) 0 (PktCnt) 0 (ByteCnt) 0
-------------------------------------------------
65534: Implicit ND_NS Rule: permit any any
Hit Count: (1Min) 0 (5Sec) 0 (PktCnt) 0 (ByteCnt) 0
-------------------------------------------------
65535: Implicit Rule: deny any any
Hit Count: (1Min) 0 (5Sec) 0 (PktCnt) 0 (ByteCnt) 0
-------------------------------------------------
3.
Displaying ACL information
by the show access-list access-list-id command to determine the hardware usage for an ACL. To free hardware resources, you can modify the ACL rules so that they use fewer CAM entries.
Troubleshooting ACLs
use: 3)
permit udp host 192.168.2.169 any (Flows: N/A, Packets: N/A, Rule cam use: 1)
permit icmp any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
deny ip any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
Syntax: show access-list [ ACL-num | ACL-name | all ]
The Rule cam use field lists the number of CAM entries used by the ACL or entry. The number of CAM entries listed for the ACL itself is the total of the CAM entries used by the ACL entries.
Configuring a PBR policy
• You cannot apply PBR on a port if that port already has ingress ACLs, ACL-based rate limiting, DSCP-based QoS, or MAC address filtering.
• The number of route maps that you can define is limited by the available system memory, which is determined by the system configuration and how much memory other features use.
NOTE
Do not use an access group to apply the ACL to an interface. Instead, use a route map to apply the ACL globally or to individual interfaces for PBR, as shown in the following sections.
Configuring the route map
NOTE
If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with subnet mask in the display produced by the show ip access-list command.
The host source-ip | hostname parameter lets you specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied. The any parameter configures the policy to match on all host addresses.
Enabling PBR
The map-name variable is a string of characters that names the map. Map names can be up to 32 characters in length. You can define an unlimited number of route maps on the Brocade device, as long as system memory is available. The permit | deny parameter specifies the action the Brocade device will take if a route matches a match statement:
• If you specify deny, the route-map instance is ignored and not programmed in Layer 4 CAM.
Syntax: ip policy route-map map-name
Enter the name of the route map you want to use for the route-map map-name parameter.
Configuration examples for policy based routing
This section presents configuration examples for configuring and applying a PBR policy.
Basic example of policy based routing
The following commands configure and apply a PBR policy that routes HTTP traffic received on virtual routing interface 1 from the 10.10.10.x/24 network to 5.5.5.
Setting the output interface to the null interface
device(config-routemap test-route)#set ip next-hop 192.168.2.1
device(config-routemap test-route)#exit
The following commands configure the second entry in the route map. This entry (permit 51) matches on the IP address information in ACL 51 above. For IP traffic from subnet 209.157.24.0/24, this route map entry sets the next-hop IP address to 192.168.2.2.
Trunk formation with PBR policy
PBR can be applied on a trunk primary port only if the port is untagged. When a trunk is formed, the PBR policy on the primary port applies to all the secondary ports. If a different PBR policy exists on a secondary port at the time of a trunk formation, that policy is overridden by the PBR policy on the primary port. If the primary port does not have a PBR policy, then the secondary ports will not have a PBR policy.
IPv6 ACLs
● Supported IPv6 ACL features....................................................................................... 153
● IPv6 ACL overview........................................................................................................153
● IPv6 ACL configuration notes........................................................................................155
● Configuring an IPv6 ACL...............................................................................................
IPv6 ACL traffic filtering criteria

... with 4000 entries, two ACLs with 2000 and 2093 entries respectively (combining IPv4 and IPv6 ACLs), etc.

An IPv6 ACL is composed of one or more conditional statements that pose an action (permit or deny) if a packet matches a specified source or destination prefix. For FSX devices, there can be up to 1024 statements per port region, including IPv6, IPv4, MAC address filters, and default statements.
IPv6 ACL configuration notes

• Authentication Header (AHP)
• Encapsulating Security Payload (ESP)
• Internet Control Message Protocol (ICMP)
• Internet Protocol Version 6 (IPv6)
• Stream Control Transmission Protocol (SCTP)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)

NOTE
TCP and UDP filters will be matched only if they are listed as the first option in the extension header.

For TCP and UDP, you also can specify a comparison operator and port name or number.
To disable IPv6, first remove the ACL from the interface.

• For notes on applying IPv6 ACLs to trunk ports, see Applying an IPv6 ACL to a trunk group on page 165.
• For notes on applying IPv6 ACLs to virtual ports, see Applying an IPv6 ACL to a virtual interface in a protocol-based or subnet-based VLAN on page 165.
• The dscp-cos-mapping option is supported on FSX devices only.

Configuring an IPv6 ACL

Follow the steps given below to configure an IPv6 ACL.

1. Create the ACL.
2.
Default and implicit IPv6 ACL action

device(config-if-4/3)# ipv6 traffic-filter netw in
device(config)# write memory

Here is another example.
Creating an IPv6 ACL

• permit icmp any any nd-na - Allows ICMP neighbor discovery acknowledgements.
• permit icmp any any nd-ns - Allows ICMP neighbor discovery solicitations.
• deny ipv6 any any - Denies IPv6 traffic. You must enter permit ipv6 any any as the last statement in the access-list if you want to permit IPv6 traffic that was not denied by the previous statements.
Syntax for creating an IPv6 ACL

NOTE
The following features are not supported:
• ipv6-operator flow-label
• ipv6-operator fragments when any protocol is specified. The option "fragments" can be specified only when "permit/deny ipv6" is specified. If you specify "tcp" or any other protocol instead of the "ipv6" keyword, "fragments" cannot be used.
• ipv6-operator routing when any protocol is specified.
For UDP [ 802.1p-priority-matching number ] [ dscp-marking number 802.
TABLE 13 Syntax descriptions (Continued)

ipv6-source-prefix/prefix-length: The ipv6-source-prefix/prefix-length parameter specifies a source prefix and prefix length that a packet must match for the specified action (deny or permit) to occur. You must specify the ipv6-source-prefix parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the prefix-length parameter as a decimal value.
TABLE 13 Syntax descriptions (Continued)

tcp-udp-operator: The tcp-udp-operator parameter can be one of the following:
• eq - The policy applies to the TCP or UDP port name or number you enter after eq.
• gt - The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt. Enter "?" to list the port names.
TABLE 13 Syntax descriptions (Continued)

802.1p-priority-marking number: Use the 802.1p-priority-marking number parameter to specify a new QoS value for the packet (0-7). If a packet matches the filters in the ACL statement, the following actions happen:
• On FSX devices, this parameter assigns the 802.1p priority that you specify to the packet.
• On all platforms other than FSX, this parameter assigns the priority that you specify to the 802.
Enabling IPv6 on an interface to which an ACL will be applied

• nd-ns
• next-header
• no-admin
• no-route
• packet-too-big
• parameter-option
• parameter-problem
• port-unreachable
• reassembly-timeout
• renum-command
• renum-result
• renum-seq-number
• router-advertisement
• router-renumbering
• router-solicitation
• time-exceeded
• unreachable

NOTE
If you do not specify a message type, the ACL applies to all ICMP message types.
Syntax for applying an IPv6 ACL

• Gbps Ethernet ports
• 10 Gbps Ethernet ports
• Trunk groups
• Virtual routing interfaces

To apply an IPv6 ACL to an interface, enter commands such as the following.

device(config)#interface ethernet 3/1
device(config-if-e100-3/1)#ipv6 traffic-filter access1 in

This example applies the IPv6 ACL "access1" to incoming IPv6 packets on Ethernet interface 3/1.
Deleting a comment from an IPv6 ACL entry

You can add a comment by entering the remark command immediately preceding an ACL entry. For example, to enter comments preceding an ACL entry, enter commands such as the following.
Configuring IPv6 ACL accounting

Steps to enable, display, and clear IPv6 ACL accounting

1. To enable IPv6 ACL accounting, use the enable-accounting command.

device(config-ipv6-access-list v6)#enable-accounting

NOTE
When the ACL on which accounting is enabled is shared between multiple interfaces, enable the ACL-PER-PORT-PER-VLAN flag to get statistics at the port level.

2. To display ACL accounting information, use the show access list accounting command.
Displaying IPv6 ACLs

To display the IPv6 ACLs configured on a device, enter the show ipv6 access-list command. Here is an example.
802.1X Port Security

● Supported 802.1X port security features ... 169
● IETF RFC support ... 170
● How 802.1X port security works ... 170
● 802.1X port security configuration ... 180
● 802.
IETF RFC support

Brocade FastIron devices support the IEEE 802.1X standard for authenticating devices attached to LAN ports. Using 802.1X port security, you can configure a FastIron device to grant access to a port based on information supplied by a client to an authentication server. When a user logs on to a network that uses 802.1X port security, the Brocade device grants (or does not grant) access to network services after the user is authenticated by an authentication server.
FIGURE 1 Authenticator, client/supplicant, and authentication server in an 802.1X configuration

Authenticator - The device that controls access to the network. In an 802.1X configuration, the Brocade device serves as the Authenticator. The Authenticator passes messages between the Client and the Authentication Server.
Communication between the devices

For communication between the devices, 802.1X port security uses the Extensible Authentication Protocol (EAP), defined in RFC 2284. The 802.1X standard specifies a method for encapsulating EAP messages so that they can be carried over a LAN. This encapsulated form of EAP is known as EAP over LAN (EAPOL).
Message exchange during authentication

FIGURE 3 Controlled and uncontrolled ports before and after client authentication

Before a Client is authenticated, only the uncontrolled port on the Authenticator is open. The uncontrolled port allows only EAPOL frames to be exchanged between the Client and the Authentication Server. The controlled port is in the unauthorized state and allows no traffic to pass through.
FIGURE 4 Message exchange between client/supplicant, authenticator, and authentication server

In this example, the Authenticator (the FastIron switch) initiates communication with an 802.1X-enabled Client. When the Client responds, it is prompted for a username (255 characters maximum) and password. The Authenticator passes this information to the Authentication Server, which determines whether the Client can access services provided by the Authenticator.
Setting the IP MTU size

... authentication server to protect messages from unauthorized users' eavesdropping activities. Since EAP-TLS requires PKI digital certificates on both the clients and the authentication servers, the roll out, maintenance, and scalability of this authentication method is much more complex than other methods. EAP-TLS is best for installations with existing PKI certificate infrastructures.
NOTE
IP MTU cannot be configured globally.

EAP pass-through support

EAP pass-through is supported on FastIron devices that have 802.1X enabled. EAP pass-through support is fully compliant with RFC 3748, in which, by default, compliant pass-through authenticator implementations forward EAP challenge request packets of any type, including those listed in the previous section.

Configuration notes for setting the IP MTU size

If the 802.
How 802.1X host authentication works

FIGURE 5 Multiple hosts connected to a single 802.1X-enabled port

If there are multiple hosts connected to a single 802.1X-enabled port, the Brocade device authenticates each of them individually. Each host authentication status is independent of the others, so that if one authenticated host disconnects from the network, it has no effect on the authentication status of any of the other authenticated hosts.
1. One of the 802.1X-enabled Clients attempts to log into a network in which a Brocade device serves as an Authenticator.
2. The Brocade device creates an internal session (called a dot1x-mac-session) for the Client. A dot1x-mac-session serves to associate a Client MAC address and username with its authentication status.
3. The Brocade device performs 802.1X authentication for the Client.
How 802.1x host authentication works for multiple clients

‐ Configurable hardware aging period for denied client dot1x-mac-sessions. Refer to Configurable hardware aging period for denied client dot1x-mac-sessions on page 179.
‐ Dynamic ACL and MAC address filter assignment in 802.1X multiple-host configurations. Refer to Dynamically applying IP ACLs and MAC address filters to 802.1X ports on page 187.
‐ Dynamic multiple VLAN assignment for 802.1X ports.
... period ends, the denied Client's dot1x-mac-session ages out, and the Client can be authenticated again.

802.1X port security and sFlow

sFlow is a standards-based protocol that allows network traffic to be sampled at a user-defined rate for the purpose of monitoring traffic flow patterns and identifying packet transfer rates on user-specified interfaces. When you enable sFlow forwarding on an 802.
Configuring an authentication method list for 802.1X

‐ Dynamic VLAN assignment for 802.1X port configuration on page 184 (optional)
‐ Dynamically applying IP ACLs and MAC address filters to 802.1X ports on page 187

2. Configure the device role as the Authenticator:
‐ Enabling 802.1X port security on page 191
‐ Initializing 802.1X on a port on page 195 (optional)

3.
The dot1x parameter indicates that this RADIUS server supports the 802.1X standard. A RADIUS server that supports the 802.1X standard can also be used to authenticate non-802.1X authentication requests.

NOTE
To implement 802.1X port security, at least one of the RADIUS servers identified to the Brocade device must support the 802.1X standard.

Supported RADIUS attributes

Many IEEE 802.1X Authenticators will function as RADIUS clients.
Allow user access to a restricted VLAN after a RADIUS timeout

Permit user access to the network after a RADIUS timeout

To set the RADIUS timeout behavior to bypass 802.
NOTE
The commands auth-fail-action restrict-vlan and auth-fail-vlanid are supported in the global dot1x mode and are not supported at the port level. The failure action of dot1x auth-timeout-action failure will follow the auth-fail-action defined at the global dot1x level.

Dynamic VLAN assignment for 802.
Dynamic multiple VLAN assignment for 802.1X ports

• When the Brocade device receives the value specified for the Tunnel-Private-Group-ID attribute, it checks whether the vlan-name string matches the name of a VLAN configured on the device. If there is a VLAN on the device whose name matches the vlan-name string, then the client port is placed in the VLAN whose ID corresponds to the VLAN name.
Saving dynamic VLAN assignments to the running-config file

In this example, the port is added to VLANs 12 and 20, or VLAN 12 and the VLAN named "marketing". When a tagged packet is authenticated, and a list of VLANs is specified on the RADIUS server for the MAC address, then the packet tag must match one of the VLANs in the list in order for the Client to be successfully authenticated. If authentication is successful, then the port is added to all of the VLANs specified in the list.
Dynamically applying IP ACLs and MAC address filters to 802.1X ports

• If the port is not already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept message specifies the name or ID of a valid VLAN on the Brocade device, then the port is placed in that VLAN.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept message specifies the name or ID of a different VLAN, then it is considered an authentication failure. The port VLAN membership is not changed.
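The dynamic VLAN assignment rules described above (Tunnel-Private-Group-ID matched by VLAN name or numeric ID, a list placing the port in every listed VLAN, and a conflicting VLAN for an already RADIUS-assigned port treated as an authentication failure) written out as a small resolver. This is an added example, not Brocade code; the VLAN table, the ";" list separator and the case-sensitive name match are assumptions.

```python
"""Resolve a RADIUS Tunnel-Private-Group-ID value against a device VLAN table.

Added illustration of the guide's dynamic VLAN rules; it is not FastIron code.
Assumptions: VLAN_TABLE is a constructed sample, list entries are separated by
";", and VLAN name matching is case-sensitive.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample VLAN table: vlan_id -> name (None when the VLAN has no name).
VLAN_TABLE: Dict[int, Optional[str]] = {1: "DEFAULT-VLAN", 12: None, 20: None, 30: "marketing"}


class DynamicVlanError(Exception):
    """Raised when the attribute names a VLAN that is not configured on the device."""


def resolve_vlan(token: str, vlan_table: Dict[int, Optional[str]] = VLAN_TABLE) -> Optional[int]:
    """Map one attribute token (numeric ID or VLAN name) to a configured VLAN ID, or None."""
    token = token.strip()
    if token.isdigit():                      # numeric ID: must exist on the device
        vid = int(token)
        return vid if vid in vlan_table else None
    for vid, name in vlan_table.items():     # name: must match a configured VLAN name
        if name is not None and name == token:
            return vid
    return None


def resolve_group_id(attr_value: str, vlan_table: Dict[int, Optional[str]] = VLAN_TABLE,
                     sep: str = ";") -> List[int]:
    """Resolve a single VLAN or a list of VLANs; every entry must be valid on the device."""
    vids: List[int] = []
    for token in attr_value.split(sep):
        vid = resolve_vlan(token, vlan_table)
        if vid is None:
            raise DynamicVlanError(f"no VLAN on the device matches {token!r}")
        vids.append(vid)
    return vids


@dataclass
class PortState:
    """Tracks which VLAN(s) RADIUS has already assigned to a port (empty = none)."""
    radius_vlans: List[int] = field(default_factory=list)


def apply_access_accept(port: PortState, attr_value: str,
                        vlan_table: Dict[int, Optional[str]] = VLAN_TABLE) -> bool:
    """Apply an Access-Accept carrying Tunnel-Private-Group-ID; return True on success.

    Not yet RADIUS-assigned: place the port in the resolved VLAN(s).
    Already RADIUS-assigned and the same VLAN(s) named again: success, no change.
    Already RADIUS-assigned and a different VLAN named: authentication failure,
    and the port's VLAN membership is left unchanged.
    """
    new_vlans = resolve_group_id(attr_value, vlan_table)
    if not port.radius_vlans:
        port.radius_vlans = new_vlans
        return True
    return set(port.radius_vlans) == set(new_vlans)


if __name__ == "__main__":
    port = PortState()
    print(apply_access_accept(port, "12;marketing"), port.radius_vlans)  # True [12, 30]
    print(apply_access_accept(port, "20"), port.radius_vlans)            # False [12, 30]
```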
Disabling and enabling strict security mode for dynamic filter assignment

• Concurrent operation of MAC address filters and IP ACLs is not supported.
• A dynamic IP ACL will take precedence over an IP ACL that is bound to a port (port ACL). When a client authenticates with a dynamic IP ACL, the port ACL will not be applied. Also, future clients on the same port will authenticate with a dynamic IP ACL or no IP ACL. If no clients on the port use a dynamic ACL, then the port ACL will be applied to all traffic.
Dynamically applying existing ACLs or MAC address filters

Syntax: [no] global-filter-strict-security

To disable strict security mode for a specific interface, enter commands such as the following.

device(config)#interface e 1
device(config-if-e1000-1)#dot1x disable-filter-strict-security

To re-enable strict security mode for an interface, enter the following command.
Notes for dynamically applying ACLs or MAC address filters

• The name in the Filter ID attribute is case-sensitive.
• You can specify only numbered MAC address filters in the Filter ID attribute. Named MAC address filters are not supported.
• Dynamic ACL filters are supported only for the inbound direction. Dynamic outbound ACL filters are not supported.
• MAC address filters are supported only for the inbound direction.
Enabling 802.1X port security

By default, 802.1X port security is disabled on Brocade devices. To enable the feature on the device and enter the dot1x configuration level, enter the following command.

device(config)#dot1x-enable
device(config-dot1x)#

Syntax: [no] dot1x-enable

At the dot1x configuration level, you can enable 802.1X port security on all interfaces at once, on individual interfaces, or on a range of interfaces. For example, to enable 802.
Configuring periodic re-authentication

When an interface control type is set to auto, the controlled port is initially set to unauthorized, but is changed to authorized when the connecting Client is successfully authenticated by an Authentication Server.

The port control type can be one of the following:
• force-authorized - The controlled port is placed unconditionally in the authorized state, allowing all traffic. This is the default state for ports on the Brocade device.
For example, to re-authenticate Clients connected to interface 3/1, enter the following command.

device#dot1x re-authenticate e 3/1

Syntax: dot1x re-authenticate ethernet port

Setting the quiet period

If the Brocade device is unable to authenticate the Client, the Brocade device waits a specified amount of time before trying again. The amount of time the Brocade device waits is specified with the quiet-period parameter.
Wait interval and number of EAP-request/identity frame retransmissions from the RADIUS server

You can optionally change the number of times the Brocade device should retransmit the EAP-request/identity frame. You can specify between 1 - 10 frame retransmissions. For example, to configure the device to retransmit an EAP-request/identity frame to a Client a maximum of three times, enter the following command:

device(config-dot1x)#auth-max 3

Syntax: auth-max value

value is a number from 1 - 10.
Specifying a timeout for retransmission of messages to the authentication server

When performing authentication, the Brocade device receives EAPOL frames from the Client and passes the messages on to the RADIUS server. The device expects a response from the RADIUS server within 30 seconds. If the RADIUS server does not send a response within 30 seconds, the Brocade device retransmits the message to the RADIUS server.
You can configure the authentication-failure action using one of the following methods:
• Configure the same authentication-failure action for all ports on the device (globally).
• Configure an authentication-failure action on individual ports.

If a previous authentication failed, and as a result the port was placed in the restricted VLAN, but a subsequent authentication attempt was successful, the RADIUS Access-Accept message may specify a VLAN for the port.
Disabling aging for dot1x-mac-sessions

The dot1x-mac-sessions for Clients authenticated or denied by a RADIUS server are aged out if no traffic is received from the Client MAC address for a certain period of time.
You can specify from 1 - 65535 seconds. The default is 120 seconds.

Moving native VLAN mac-sessions to restrict VLAN

You can move the native VLAN mac-sessions to the restrict VLAN on authentication failure. You can configure the option of overriding the dual-mode port native untagged VLAN with the restricted VLAN in case 802.1x authentication fails and there is no RADIUS-assigned VLAN. Use this command when you configure multi-device port authentication and 802.
This feature is disabled by default. To enable this feature and change the timeout period, enter commands such as the following.

device(config)#dot1x-enable
device(config-dot1x)#restrict-forward-non-dot1x
device(config-dot1x)#timeout restrict-fwd-period 15

Once the success timeout action is enabled, use the no form of the command to reset the RADIUS timeout behavior to retry.

Syntax: timeout restrict-fwd-period num

The num parameter is a value from 0 to 4294967295.
TABLE 14 802.1X accounting attributes for RADIUS (Continued)

Acct-Status-Type (Attribute ID 40, integer): Indicates whether the accounting request marks the beginning (start) or end (stop) of the user service. 1 - Start, 2 - Stop.

Calling-Station-Id (Attribute ID 31, string): The supplicant MAC address in ASCII format (upper case only), with octet values separated by a dash (-).
Displaying 802.1X configuration information

To display information about the 802.1X configuration on the Brocade device, enter the show dot1x command.
TABLE 15 Output from the show dot1x command (Continued)

servertimeout: When the Authentication Server does not respond to a message sent from the Client, the amount of time before the Brocade device retransmits the message. Refer to Specifying a timeout for retransmission of messages to the authentication server on page 195.
TABLE 16 Output from the show dot1x configuration command (Continued)

Authentication-fail-action: The configured authentication-failure action. This can be Restricted VLAN or Block Traffic.
Mac Session Aging: Whether aging for dot1x-mac-sessions has been enabled or disabled for permitted or denied dot1x-mac-sessions.
Mac Session max-age: The configured software aging time for dot1x-mac-sessions.
Protocol Version: The version of the 802.
Original PVID                 : 1
Authorized PVID ref count     : 2
Restricted PVID ref count     : 0
Radius assign PVID ref count  : 0
num mac sessions              : 2
num mac authorized            : 2
num Dynamic Tagged Vlan       : 0
Number of Auth filter         : 0

Syntax: show dot1x config ethernet port

The following additional information is displayed in the show dot1x config command for an interface.
TABLE 17 Output from the show dot1x config command for an interface (Continued)

num mac authorized: The number of authorized dot1x-mac-sessions on the port.
num Dynamic Tagged Vlan: The number of dynamically tagged VLANs on the port.
Number of Auth filter: The number of dynamic MAC filters applied to the port.

Displaying 802.1X statistics

To display 802.1X statistics for an individual port, enter the show dot1x statistics command.
TABLE 18 Output from the show dot1x statistics command (Continued)

Last EAPOL Source: The source MAC address in the last EAPOL frame received on the port.
TX EAPOL Total: The total number of EAPOL frames transmitted on the port.
TX EAP Req/Id: The number of EAP-Request/Identity frames transmitted on the port.
TX EAP Req other than Req/Id: The number of EAP-Request frames transmitted on the port that were not EAP-Request/Identity frames.

Clearing 802.
Displaying information about dynamically applied MAC address filters and IP ACLs

In this example, the 802.1X-enabled port has been moved from VLAN 1 to VLAN 2. When the client disconnects, the port will be moved back to VLAN 1. The show run command also indicates the VLAN to which the port has been dynamically assigned.
Displaying the status of strict security mode

Syntax: show dot1x mac-address-filter [ all | ethernet port ]

The all keyword displays all dynamically applied MAC address filters active on the device.

To display the dynamically applied IP ACLs active on an interface, enter a command such as the following.

device#show dot1x ip-ACL e 1/3
Port 1/3 IP ACL information:
802.1X dynamic IP ACL (user defined) in:
ip access-list extended Port_1/3_E_IN in
Port default IP ACL in:
No inbound ip access-list is set
802.
Syntax: show dot1x config ethernet port

Displaying 802.1X multiple-host authentication information

You can display the following information about 802.1X multiple-host authentication:
• The dot1x-mac-sessions on each port
• The number of users connected on each port in a 802.
TABLE 19 Output from the show dot1x mac-session command (Continued)

PAE State: The current status of the Authenticator PAE state machine. This can be INITIALIZE, DISCONNECTED, CONNECTING, AUTHENTICATING, AUTHENTICATED, ABORTING, HELD, FORCE_AUTH, or FORCE_UNAUTH.
Point-to-point configuration

The following figure illustrates a sample 802.1X configuration with Clients connected to three ports on the Brocade device. In a point-to-point configuration, only one 802.1X Client can be connected to each port.

FIGURE 6 Sample point-to-point 802.1X configuration

Sample point-to-point 802.1x configuration

The following commands configure the Brocade device in the Sample point-to-point 802.1X configuration figure.
... default key mirabeau dot1x
device(config)#dot1x-enable e 1 to 3
device(config-dot1x)#re-authentication
device(config-dot1x)#timeout re-authperiod 2000
device(config-dot1x)#timeout quiet-period 30
device(config-dot1x)#timeout tx-period 60
device(config-dot1x)#maxreq 6
device(config-dot1x)#exit
device(config)#interface e 1
device(config-if-e1000-1)#dot1x port-control auto
device(config-if-e1000-1)#exit
device(config)#interface e 2
device(config-if-e1000-2)#dot1x port-control auto
device(con
FIGURE 7 Sample 802.1X configuration using a hub

Sample 802.1x configuration using a hub

The following commands configure the Brocade device in the Sample 802.1X configuration using a hub figure.

device(config)#aaa authentication dot1x default radius
device(config)#radius-server host 192.168.9.
device(config-if-e1000-1)#dot1x port-control auto
device(config-if-e1000-1)#exit

802.1X Authentication with dynamic VLAN assignment

The following figure illustrates 802.1X authentication with dynamic VLAN assignment. In this configuration, two user PCs are connected to a hub, which is connected to port e2. Port e2 is configured as a dual-mode port. Both PCs transmit untagged traffic.
Multi-device port authentication and 802.1X security on the same port

... 2 is authenticated first, then the PVID for port e2 is changed to VLAN 20. Since a PVID cannot be changed by RADIUS authentication after it has been dynamically assigned, if User 2 is authenticated after the port PVID was changed to VLAN 3, then User 2 would not be able to gain access to the network.
MAC Port Security

● Supported MAC port security features ... 217
● MAC port security overview ... 217
● MAC port security configuration ... 219
● Clearing port security statistics ...
Local and global resources used for MAC port security

... if the interface then receives a packet with a source MAC address that does not match the learned addresses, it is considered a security violation. When a security violation occurs, a Syslog entry and an SNMP trap are generated. In addition, the device takes one of two actions: it either drops packets from the violating address (and allows packets from the secure addresses), or disables the port for a specified amount of time.
Secure MAC movement

If you move a connected device that has a MAC address configured as secure on one port to another port, the FastIron device connects through the new port without waiting for the MAC address to age out on the previous port. This MAC movement feature is supported when the connected device moves from a secure port to another secure or non-secure port.
Setting the port security age timer

For example, to configure interface 7/11 to have a maximum of 10 secure MAC addresses, enter the following commands.

device(config)#interface ethernet 7/11
device(config-if-e1000-7/11)#port security
device(config-port-security-e1000-7/11)#maximum 10

Syntax: maximum number-of-addresses

The number-of-addresses parameter can be set to a number from 0 through 64 plus the total number of global resources available.
Specifying secure MAC addresses

On the ICX 7750 device, the port security age can only be set to the global hardware age. The absolute age and no age secure MACs are configured as static in hardware.
Specifying the action taken when a security violation occurs

For example, to automatically save learned secure MAC addresses every 20 minutes, enter the following commands.

device(config)#port security
device(config-port-security)#autosave 20

Syntax: [no] autosave minutes

The minutes variable can be from 15 through 1440 minutes. By default, secure MAC addresses are not autosaved to the startup-config file.
Aging for restricted MAC addresses is done in software. There can be a worst-case inaccuracy of one minute from the specified time. The restricted MAC addresses are denied in hardware.

Disabling the port for a specified amount of time

You can configure the device to disable the port for a specified amount of time when a security violation occurs. To shut down the port for 5 minutes when a security violation occurs, enter the following commands.
Displaying port security information

You can display the following information about the MAC port security feature:
• The port security settings for an individual port or for all the ports on a specified module
• The secure MAC addresses configured on the device
• Port security statistics for an interface or for a module

Displaying port security settings

You can display the port security settings for an individual port or for all the ports on a specified module.
TABLE 22 Output from the show port security mac command

Port: The slot and port number of the interface.
Num-Addr: The number of MAC addresses secured on this interface.
Secure-Src-Addr: The secure MAC address.
Resource: Whether the address was secured using a local or global resource. Refer to Local and global resources used for MAC port security on page 218 for more information.
Age-Left: The number of minutes the MAC address will remain secure.
Displaying restricted MAC addresses on a port

For example, to display port security statistics for interface module 7, enter the show port security statistics command.

device#show port security statistics 7
Module 7:
Total ports: 0
Total MAC address(es): 0
Total violations: 0
Total shutdown ports 0

Syntax: show port security statistics module

The following table describes the output from the show port security statistics module command.
MAC-based VLANs

● Supported MAC-based VLAN features ... 227
● MAC-based VLAN overview ... 227
● Dynamic MAC-based VLAN ... 229
● MAC-based VLAN configuration ...
... from the new MAC address will be blocked or dropped until the authentication succeeds. Traffic is dropped if the authentication fails.

Static and dynamic hosts

Static hosts are devices on the network that do not speak until spoken to. Static hosts may not initiate a request for authentication on their own. Such static hosts can be managed through a link up or link down notification. Dynamic hosts are "chatty" devices that generate packets whenever they are in the link up state.
MAC-based VLAN and port up or down events

NOTE
Even though the feature supports up to a maximum of 32 MAC addresses per physical port, the configuration of the maximum number of MAC addresses per port is limited by the available hardware resources.

Once a client MAC address is successfully authenticated and registered, the MAC-to-VLAN association remains until the port connection is dropped, or the MAC entry expires.
TABLE 25 CLI commands for MAC-based VLANs

mac-auth mac-vlan enable - Enables per-port MAC-based VLAN (CLI level: interface)
mac-auth mac-vlan disable - Disables per-port MAC-based VLAN (CLI level: interface)
mac-auth mac-vlan-dyn-activation - Enables Dynamic MAC-based VLAN (CLI level: global)
no mac-auth mac-vlan-dyn-activation - Disables Dynamic MAC-based VLAN (CLI level: global)
no mac-auth mac-vlan - Removes the MAC-VLAN configuration from the port (CLI level: interface)
mac-auth m
MAC-based VLAN configuration

vlan 222 name RESTRICTED_MBV by port
 untagged ethe 0/1/4
 mac-vlan-permit ethe 0/1/1 to 0/1/3
vlan 666 name RESTRICTED_MAC_AUTH by port
 untagged ethe 0/1/20
 mac-vlan-permit ethe 0/1/1 to 0/1/3
 spanning-tree 802-1w
vlan 4000 name DEFAULT-VLAN by port
vlan 4004 by port
 mac-vlan-permit ethe 0/1/1 ethe 0/1/3
default-vlan-id 4000
ip address 10.44.3.3 255.255.255.0
ip default-gateway 10.44.3.1
radius-server host 10.44.3.
Using MAC-based VLANs and 802.1X security on the same port NOTE MAC-based VLAN is not supported on trunk or LACP ports. Do not configure trunks on MAC-based VLAN-enabled ports. Using MAC-based VLANs and 802.1X security on the same port On Brocade devices, MAC-based VLANs and 802.1X security can be configured on the same port. When both of these features are enabled on the same port, MAC-based VLAN is performed prior to 802.1X authentication. If MAC-based VLAN is successful, 802.
Aging for MAC-based VLAN
TABLE 27 Brocade vendor-specific attributes for RADIUS
Attribute name               Attribute ID   Data type   Optional or mandatory   Description
Foundry-MAC-based-VLAN-QoS   8              decimal     Optional                The QoS attribute specifies the priority of the incoming traffic, any value between 0 (lowest priority) and 7 (highest priority). Default is 0.
Foundry-802_1x-enable                       integer     Optional                Specifies whether 802.1X authentication is performed when MAC-based VLAN is successful for a device.
Disabling aging for MAC-based VLAN sessions For blocked hosts For blocked hosts, as long as the Brocade device is receiving traffic from them, aging does not occur. In the output of the show table-mac-vlan command, the Age column shows H0 to H70, then S0, then H0 to H70 again, and so on. Aging of a MAC-based VLAN MAC entry occurs in two phases: hardware aging and software aging. The hardware aging period can be configured using the mac-authentication hw-deny-age command in config mode. The default is 70 seconds.
Disabling the aging on interfaces Enter the command at the global or interface configuration level. The denied-mac-only parameter prevents denied sessions from being aged out, but ages out permitted sessions. The permitted-mac-only parameter prevents permitted (authenticated and restricted) sessions from being aged out and ages denied sessions. Disabling the aging on interfaces To disable aging on a specific interface where MAC-based VLAN has been enabled, enter the command at the interface level.
Configuring MAC-based VLAN for a dynamic host
4. To enable MAC-based VLAN on the port:
device(config)#interface e 0/1/1
device(config-if-e1000-0/1/1)#mac-authentication mac-vlan enable
5. To disable MAC-based VLAN on the port:
device(config)#interface e 0/1/1
device(config-if-e1000-0/1/1)#mac-authentication mac-vlan disable
6. To remove and disable the MAC-based VLAN configuration.
Configuring MAC-based VLANs using SNMP NOTE If a static MAC-based VLAN is configured on a port, the port is added only to the VLAN table for which the static MAC-based VLAN configuration exists. NOTE If Dynamic MAC-based VLAN is enabled after any MAC-based VLAN sessions are established, all sessions are flushed and the mac-vlan-permit ports are removed from the VLAN. The ports are then added back to the VLAN dynamically after they successfully pass the RADIUS authentication process.
Displaying the MAC-VLAN table for a specific MAC address
Field         Description
Static Macs   The number of currently connected active static hosts.
Static Conf   The number of static hosts that are configured on the physical port.
Max Macs      The maximum number of allowed MAC addresses.
Displaying the MAC-VLAN table for a specific MAC address Enter the show table-mac-vlan command to display the MAC-VLAN table information for a specific MAC address.
device(config)#show table-mac-vlan 0000.0010.
Displaying denied MAC addresses
------------------------------------------------------------------------------
MAC Address     Port    Vlan  Authenticated  Time          Age  dot1x
------------------------------------------------------------------------------
0000.0074.3181  2/1/17  76    Yes            00d01h17m22s  Ena  Dis
Syntax: show table-mac-vlan allowed-mac
The following table describes the information in this output.
Field         Description
MAC Address   The allowed MAC addresses for which the information is displayed.
Displaying detailed MAC-VLAN data
Field           Description
Authenticated   No indicates that authentication has failed. Inp indicates that authentication is in progress.
Time            The time at which authentication failed.
Age             The age of the MAC address entry in the authenticated MAC address list.
Dot1x           Whether 802.1X authentication is disabled (Dis) or enabled (Ena) for this MAC address.
Displaying MAC-VLAN information for a specific interface Displaying MAC-VLAN information for a specific interface Enter the show table-mac-vlan e command to display MAC-VLAN information for a specific interface.
device#show table-mac-vlan e 0/1/1
------------------------------------------------------------------------------
MAC Address     Port   Vlan  Authenticated  Time  Age  CAM Index  MAC Index  Dot1x  Type  Pri
------------------------------------------------------------------------------
0000.0000.
Displaying MAC addresses in a MAC-based VLAN Field Description Pri This field indicates the value set for Foundry-MAC-based VLAN-QoS attribute in the RADIUS configuration for dynamic hosts, if configured. If the Foundry-MAC-based VLAN-QoS attribute is not configured, the value will be zero. For static hosts, the user-configured priority value for the MAC address is displayed.
Clearing MAC-VLAN information
0d18h46m28s:I:running-config was changed from console
0d02h12m25s:A:MAC Based Vlan Mapping failed for [0000.0011.0108 (Invalid User)
0d02h08m52s:A:MAC Based Vlan Mapping failed for [0000.0011.011b (Invalid User)
0d02h05m01s:A:MAC Based Vlan Mapping failed for [0000.0011.00df (Invalid User)
0d02h01m15s:A:MAC Based Vlan Mapping failed for [0000.0011.0108 (Invalid User)
0d02h01m15s:A:MAC Based Vlan Mapping failed for [0000.0011.
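The mapping-failure messages above are the signal to alert on, and each line carries a relative uptime stamp rather than wall-clock time (the clock is not set on that device). The following Python is an added example, not code from this guide or from Brocade: it parses lines in this format (the sample is constructed from the page's own messages), converts the uptime stamp to seconds, and flags two patterns worth a look in a MAC-based VLAN deployment: one MAC failing repeatedly, and several distinct MACs from one OUI failing inside a short window, which is what a client rotating its MAC address against the authenticator looks like. The thresholds and windows are assumptions to tune for your environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the "show logging" lines on this page
# (uptime stamp, severity letter, message). The MAC addresses are the page's own.
SAMPLE_LOG = """\
0d18h46m28s:I:running-config was changed from console
0d02h12m25s:A:MAC Based Vlan Mapping failed for [0000.0011.0108 (Invalid User)
0d02h08m52s:A:MAC Based Vlan Mapping failed for [0000.0011.011b (Invalid User)
0d02h05m01s:A:MAC Based Vlan Mapping failed for [0000.0011.00df (Invalid User)
0d02h01m15s:A:MAC Based Vlan Mapping failed for [0000.0011.0108 (Invalid User)
"""

STAMP_RE = re.compile(r"^(\d+)d(\d+)h(\d+)m(\d+)s:([A-Z]):(.*)$")
FAIL_RE = re.compile(
    r"MAC Based Vlan Mapping failed for \[([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) \(([^)]*)\)")


def parse_failures(text):
    """Return one dict per mapping-failure line: uptime in seconds, MAC and RADIUS reason."""
    events = []
    for line in text.splitlines():
        m = STAMP_RE.match(line.strip())
        if not m:
            continue
        d, h, mi, s, _sev, msg = m.groups()
        f = FAIL_RE.search(msg)
        if not f:
            continue
        uptime = ((int(d) * 24 + int(h)) * 60 + int(mi)) * 60 + int(s)
        events.append({"t": uptime, "mac": f.group(1).lower(), "reason": f.group(2)})
    return events


def oui_of(mac):
    """'0000.0011.0108' -> '00:00:00' (the first three octets)."""
    h = mac.replace(".", "")
    return ":".join(h[i:i + 2] for i in (0, 2, 4))


def repeat_offenders(events, min_count=2, window=3600):
    """MACs that fail at least min_count times inside any span of `window` seconds."""
    by_mac = defaultdict(list)
    for e in events:
        by_mac[e["mac"]].append(e["t"])
    out = {}
    for mac, ts in by_mac.items():
        ts.sort()
        best = lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_count:
            out[mac] = best
    return out


def oui_bursts(events, min_distinct=3, window=900):
    """OUIs from which at least min_distinct different MACs fail inside any span of
    `window` seconds: many unknown MACs sharing one OUI in a short time is how a
    MAC-rotating client probing the authenticator shows up in this log."""
    by_oui = defaultdict(list)
    for e in events:
        by_oui[oui_of(e["mac"])].append((e["t"], e["mac"]))
    out = {}
    for oui, evs in by_oui.items():
        evs.sort()
        seen, best, lo = Counter(), 0, 0
        for hi, (t, mac) in enumerate(evs):
            seen[mac] += 1
            while t - evs[lo][0] > window:       # slide the window forward
                seen[evs[lo][1]] -= 1
                if seen[evs[lo][1]] == 0:
                    del seen[evs[lo][1]]
                lo += 1
            best = max(best, len(seen))
        if best >= min_distinct:
            out[oui] = best
    return out


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print(repeat_offenders(ev), oui_bursts(ev))
```

Run against the sample, 0000.0011.0108 is reported with two failures and the 00:00:00 OUI with three distinct failing MACs within eleven minutes. Feed it the output of show logging, or the same messages as forwarded to a Syslog collector, and raise the thresholds once you know the baseline.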
MAC-based VLANs FIGURE 9 Sample MAC-based VLAN configuration Host A MAC address is statically mapped to VLAN 1 with priority 1 and is not subjected to RADIUS authentication. When Host B MAC address is authenticated, the Access-Accept message from the RADIUS server specifies that Host B MAC address be placed into VLAN 2. Since Host C MAC address is not present in the RADIUS server, Host C will be rejected by the server and its MAC address will be placed into a restricted VLAN.
MAC-based VLANs
radius-server host 10.44.3.111
radius-server key 1 $-ndUno
mac-authentication enable
mac-authentication max-age 60
mac-authentication hw-deny-age 30
mac-authentication auth-passwd-format xxxx.xxxx.xxxx
interface ethernet 0/1/1
 mac-authentication mac-vlan max-mac-entries 5
 mac-authentication mac-vlan 0000.0088.
Sample MAC-based VLAN application 246 FastIron Ethernet Switch Security Configuration Guide 53-1003088-03
Defining MAC Address Filters ● Supported MAC address filter features......................................................................... 247 ● MAC address filters configuration notes and limitations............................................... 247 ● MAC address filters command syntax...........................................................................248 ● Enabling logging of management traffic permitted by MAC address filters...................249 ● Configuring MAC filter accounting...........
MAC address filters command syntax MAC address filters command syntax To configure and apply a MAC address filter, enter commands such as the following.
device(config)# mac filter 1 deny 0000.0075.3676 ffff.0000.0000
device(config)# mac filter 2 deny any ffff.ffff.ffff ffff.ffff.ffff
device(config)# mac filter 3 deny any 0180.c200.0000 ffff.ffff.fff0
device(config)# mac filter 4 deny any 0000.0034.
device(config)# mac filter
device(config)# mac filter
device(config)# int e 1
device(config-if-e1000-1)#
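To make the match semantics concrete, here is an added Python model of a MAC filter group, written for this page and not part of the FastIron software: it parses filters 1 to 3 above (filter 4 and the rest of the group are cut off in the extraction) and evaluates frames against them. Two things are assumed rather than taken from this page: that f bits in a mask are compared and 0 bits ignored, which is how the example masks read, and that a frame matching no filter in an applied group is dropped, so a constructed `mac filter 1024 permit any any` is appended to let ordinary unicast through. The model also shows a side effect worth knowing before applying filter 3 to an authenticating port: its mask ffff.ffff.fff0 covers 0180.c200.0000 through 0180.c200.000f, so it drops 802.1X EAPOL frames (destination 0180.c200.0003) along with BPDUs.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Accept 0000.0075.3676, 00-00-00-75-36-76 or 00:00:00:75:36:76."""
    h = "".join(c for c in mac.lower() if c not in ".-:")
    if len(h) != 12 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(h, 16)


@dataclass(frozen=True)
class MacFilter:
    num: int
    action: str                 # "permit" or "deny"
    src: Optional[int]          # None means "any"
    src_mask: int               # assumed: f bits are compared, 0 bits ignored
    dst: Optional[int]
    dst_mask: int

    def matches(self, src: int, dst: int) -> bool:
        src_ok = self.src is None or (src & self.src_mask) == (self.src & self.src_mask)
        dst_ok = self.dst is None or (dst & self.dst_mask) == (self.dst & self.dst_mask)
        return src_ok and dst_ok


def parse_filter(line: str) -> MacFilter:
    """Parse 'mac filter <num> permit|deny <src> <mask>|any [<dst> <mask>|any]'."""
    toks = line.split()
    if toks[:2] != ["mac", "filter"] or len(toks) < 5 or toks[3] not in ("permit", "deny"):
        raise ValueError(f"not a mac filter line: {line!r}")
    rest = toks[4:]

    def take(rest):
        if not rest:
            return None, 0, rest            # an absent destination means any
        if rest[0] == "any":
            return None, 0, rest[1:]
        if len(rest) < 2:
            raise ValueError(f"address without mask in {line!r}")
        return mac_to_int(rest[0]), mac_to_int(rest[1]), rest[2:]

    src, src_mask, rest = take(rest)
    dst, dst_mask, rest = take(rest)
    if rest:
        raise ValueError(f"trailing tokens in {line!r}")
    return MacFilter(int(toks[2]), toks[3], src, src_mask, dst, dst_mask)


def evaluate(group: List[MacFilter], src: int, dst: int) -> Tuple[str, Optional[int]]:
    """First matching filter in the group wins. A frame that matches none is dropped:
    an implicit deny at the end of an applied group is assumed here."""
    for f in group:
        if f.matches(src, dst):
            return f.action, f.num
    return "deny", None


# Filters 1-3 from the page; filter 4 is cut off there. The final permit is a
# constructed catch-all so ordinary unicast is not swallowed by the implicit deny.
FILTER_LINES = [
    "mac filter 1 deny 0000.0075.3676 ffff.0000.0000",
    "mac filter 2 deny any ffff.ffff.ffff ffff.ffff.ffff",
    "mac filter 3 deny any 0180.c200.0000 ffff.ffff.fff0",
    "mac filter 1024 permit any any",
]
GROUP = [parse_filter(l) for l in FILTER_LINES]

if __name__ == "__main__":
    # 0180.c200.0003 is the 802.1X PAE group address: filter 3 drops EAPOL, not only BPDUs.
    for s, d in [("0000.0075.aaaa", "0011.2233.4466"), ("0011.2233.4455", "ffff.ffff.ffff"),
                 ("0011.2233.4455", "0180.c200.0003"), ("0011.2233.4455", "0011.2233.4466")]:
        print(s, "->", d, evaluate(GROUP, mac_to_int(s), mac_to_int(d)))
```

Note that filter 1's mask ffff.0000.0000 compares only the first two octets, so it denies every source address beginning 0000.xxxx.xxxx, not just the one listed; masks in this form are a common source of accidental over-blocking.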
Enabling logging of management traffic permitted by MAC address filters NOTE You cannot add or remove individual filters in the group. To add or remove a filter on an interface, apply the filter group again containing all the filters you want to apply to the port. NOTE If you apply a filter group to a port that already has a filter group applied, the older filter group is replaced by the new filter group.
MAC address filter logging command syntax MAC address filter logging command syntax To configure MAC address filter logging globally, enter the following CLI commands at the global CONFIG level.
device(config)#mac filter log-enable
device(config)#write memory
Syntax: [no] mac filter log-enable
To configure MAC address filter logging for MAC address filters applied to ports 1 and 3, enter the following CLI commands.
MAC address filter override for 802.1X-enabled ports MAC address filter override for 802.1X-enabled ports The MAC address filtering feature on an 802.1X-enabled port allows 802.1X and non-802.1X devices to share the same physical port. For example, this feature enables you to connect a PC and a non-802.1X device, such as a Voice over IP (VoIP) phone, to the same 802.1X-enabled port on the Brocade device. The IP phone bypasses 802.1X authentication, while the PC still requires 802.1X authentication.
Defining MAC Address Filters The filter-num parameter identifies the MAC address filter. The maximum number of supported MAC address filters is determined by the mac-filter-sys default or configured value. The dot1x auth-filter filter-list command binds MAC address filters to a port. The following rules apply when using the dot1x auth-filter command: • When you add filters to or modify the dot1x auth-filter, the system clears all 802.1X sessions on the port.
Multi-Device Port Authentication ● Supported Multi-device port authentication (MDPA) features....................................... 253 ● How multi-device port authentication works..................................................................254 ● Multi-device port authentication and 802.1X security on the same port.........................257 ● Multi-device port authentication configuration...............................................................
How multi-device port authentication works
Feature                                                         ICX 6430   ICX 6450   FCX       ICX 6610   ICX 6650   FSX 800 / FSX 1600   ICX 7750
Multi-Device Port Authentication                                08.0.01    08.0.01    08.0.01   08.0.01    08.0.01    08.0.01              08.0.10
Automatic removal of Dynamic VLAN for MAC authenticated ports   08.0.01    08.0.01    08.0.01   08.0.01    08.0.01    08.0.01              08.0.10
Authenticating multiple MAC addresses on an interface           08.0.01    08.0.01    08.0.01   08.0.01    08.0.01    08.0.01              08.0.
RADIUS authentication the device to move the port on which the non-authenticated MAC address was learned into a restricted or "guest" VLAN, which may have limited access to the network. RADIUS authentication The multi-device port authentication feature communicates with the RADIUS server to authenticate a newly found MAC address. The Brocade device supports multiple RADIUS servers; if communication with one of the RADIUS servers times out, the others are tried in sequential order.
Support for dynamic VLAN assignment
• Vendor-Specific (26) - RFC 2865
• Session-Timeout (27) - RFC 2865
• Termination-Action (29) - RFC 2865
• Calling-Station-ID (31) - RFC 2865
• NAS-Identifier (32) - RFC 2865
• NAS-Port-Type (61) - RFC 2865
• Tunnel-Type (64) - RFC 2868
• Tunnel-Medium-Type (65) - RFC 2868
• EAP-Message (79) - RFC 3579
• Message-Authenticator (80) - RFC 3579
• Tunnel-Private-Group-Id (81) - RFC 2868
• NAS-Port-Id (87) - RFC 2869
NOTE NAS-Identifier attribute supports a maximum number of
Support for DHCP snooping with dynamic ACLs Support for DHCP snooping with dynamic ACLs NOTE This feature is not supported on FCX devices. Multi-device port authentication and DHCP snooping are supported in conjunction with dynamic ACLs. Support is available in the Layer 3 software images only. DHCP snooping is supported together with multi-device port authentication as long as ACL-per-port-per-VLAN is enabled.
Configuring Brocade-specific attributes on theRADIUS server If multi-device port authentication fails for a device, then by default traffic from the device is either blocked in hardware, or the device is placed in a restricted VLAN. You can optionally configure the Brocade device to perform 802.1X authentication on a device when it fails multi-device port authentication.
Multi-device port authentication configuration Multi-device port authentication configuration Configuring multi-device port authentication on the Brocade device consists of the following tasks:
• Enabling multi-device port authentication globally and on individual interfaces
• Specifying the format of the MAC addresses sent to the RADIUS server (optional)
• Specifying the authentication-failure action (optional)
• Enabling and disabling SNMP traps for multi-device port authentication
• Defin
Specifying the format of the MAC addresses sent to the RADIUS server
device(config)#int e 3/1 to 3/12
device(config-mif-3/1-3/12)#mac-authentication enable
Specifying the format of the MAC addresses sent to the RADIUS server When multi-device port authentication is configured, the Brocade device authenticates MAC addresses by sending username and password information to a RADIUS server.
Generating traps for multi-device port authentication Syntax: [no] mac-authentication auth-fail-action block-traffic Dropping traffic from non-authenticated MAC addresses is the default behavior when multi-device port authentication is enabled. Generating traps for multi-device port authentication You can enable and disable SNMP traps for multi-device port authentication. SNMP traps are enabled by default.
Configuring a port to remain in the restricted VLAN after a successful authentication attempt To enable dynamic VLAN assignment for authenticated MAC addresses, you must add attributes to the profile for the MAC address on the RADIUS server, then enable dynamic VLAN assignment on multi-device port authentication-enabled interfaces. Refer to Configuring the RADIUS server to support dynamic VLAN assignment on page 263 for a list of the attributes that must be set on the RADIUS server.
Configuring the RADIUS server to support dynamic VLAN assignment Configuring the RADIUS server to support dynamic VLAN assignment To specify VLAN identifiers on the RADIUS server, add the following attributes to the profile for the MAC address on the RADIUS server, then enable dynamic VLAN assignment on multi-device port authentication-enabled interfaces.
Specifying to which VLAN a port is moved after its RADIUS-specified VLAN assignment expires • Enabling dynamic VLAN support for tagged packets on non-member VLAN ports is not supported on FWS and FCX devices. • The mac-authentication disable-ingress-filtering command is not available on the ICX 6610 and ICX 6450 platforms.
Saving dynamic VLAN assignments to the running-config file displayed, although they can be displayed with the show vlan , show auth-mac-addresses detail , and show auth-mac-addresses authorized-mac commands. You can optionally configure the Brocade device to save the RADIUS-specified VLAN assignments to the device's running-config file. Refer to Saving dynamic VLAN assignments to the running-config file on page 265, next.
Configuration considerations and guidelines for multi-device port authentication Support is automatically enabled when all of the required conditions are met. The following describes the conditions and feature limitations:
• On Layer 3 router code, dynamic IP ACLs are allowed on physical ports when ACL-per-port-per-VLAN is enabled.
• On Layer 3 router code, dynamic IP ACLs are allowed on tagged and dual-mode ports when ACL-per-port-per-VLAN is enabled.
Enabling denial of service attack protection configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the name or number of the Brocade IP ACL. The following is the syntax for configuring the Filter-ID attribute on the RADIUS server to refer to a Brocade IP ACL.
Value            Description
ip.number.in     Applies the specified numbered ACL to the authenticated port in the inbound direction.
ip.name .
Enabling source guard protection To specify a maximum rate for RADIUS authentication attempts, enter commands such as the following.
device(config)#interface e 3/1
device(config-if-e1000-3/1)#mac-authentication dos-protection mac-limit 256
Syntax: [no] mac-authentication dos-protection mac-limit number
You can specify a rate from 1 - 65535 authentication attempts per second. The default is 512 authentication attempts per second.
Viewing the assigned ACL for ports on which source guard protection is enabled NOTE Source guard protection is supported only on the router image and not on the switch image. Viewing the assigned ACL for ports on which source guard protection is enabled Use the following command to view whether a Source Guard ACL or dynamic ACL is applied to ports on which Source Guard Protection is enabled.
Disabling aging for authenticated MAC addresses Disabling aging for authenticated MAC addresses MAC addresses that have been authenticated or denied by a RADIUS server are aged out if no traffic is received from the MAC address for a certain period of time: • Authenticated MAC addresses, and non-authenticated MAC addresses that have been placed in the restricted VLAN, are aged out if no traffic is received from the MAC address over the device's normal MAC aging interval.
Specifying the aging time for blocked MAC addresses configurable through the CLI, with the mac-authentication max-age command. Once the hardware aging period ends, the software aging period begins. When the software aging period ends, the blocked MAC address ages out, and can be authenticated again if the Brocade device receives traffic from the MAC address. On FastIron X Series devices, the hardware aging period for blocked MAC addresses is not fixed at 70 seconds.
Permit User access to the network after a RADIUS timeout process and blocks user access to the network, unless restrict-vlan is configured, in which case, the user is placed into a VLAN with restricted or limited access. By default, the Brocade device will reset the authentication process and retry to authenticate the user. Specify the RADIUS timeout action at the Interface level of the CLI.
Limiting the number of authenticated MAC addresses the request sent to the RADIUS server. For example, given a MAC address of 0000000feaa1, the users file on the RADIUS server would be configured with a username and password both set to 0000000feaa1. When traffic from this MAC address is encountered on a MAC-authentication-enabled interface, the device sends the RADIUS server an Access-Request message with 0000000feaa1 as both the username and password.
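The following Python is an added example, not code from this guide or from Brocade, that ties together the MAC-as-credential convention just described, the RADIUS attributes listed under dynamic VLAN assignment, and the Foundry-MAC-based-VLAN-QoS attribute from Table 27. `format_mac` renders a MAC the way auth-passwd-format does (the page shows xxxx.xxxx.xxxx and the 12-digit default; any other template is the reader's choice), `dynamic_vlan_reply` encodes the Access-Accept attributes on the wire with the RFC 2868 tag octet, `assigned_vlan` decodes them the way an authenticator must (refusing a reply that lacks any of the three tunnel attributes or names the wrong tunnel type or medium), and `users_entry` prints a FreeRADIUS-style users record. Assumed, because the page does not state them: the Foundry enterprise number 1991 used in the Vendor-Specific attribute, a 4-byte integer encoding for the QoS value, and the FreeRADIUS users-file syntax.

```python
import struct
from typing import List, Optional, Tuple

# Attribute numbers from the page's supported-attribute list (RFC 2865 / RFC 2868)
VENDOR_SPECIFIC, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 26, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6   # RFC 2868 / RFC 3580 code points
FOUNDRY_VENDOR_ID = 1991                          # assumption: Foundry enterprise number, not on this page
FOUNDRY_MAC_BASED_VLAN_QOS = 8                    # vendor type from Table 27 on this page


def format_mac(mac: str, template: str = "xxxxxxxxxxxx") -> str:
    """Render a MAC the way auth-passwd-format does: each 'x' in the template takes the
    next hex digit. The page shows 'xxxx.xxxx.xxxx' and the 12-digit default."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12 or template.count("x") != 12:
        raise ValueError(f"bad MAC {mac!r} or template {template!r}")
    it = iter(digits)
    return "".join(next(it) if c == "x" else c for c in template)


def attr(t: int, value: bytes) -> bytes:
    """Type, length (counting the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", t, len(value) + 2) + value


def tunnel_attr(t: int, payload: bytes, tag: int = 0) -> bytes:
    """RFC 2868 attributes lead with a tag octet; 0 means untagged."""
    return attr(t, bytes([tag]) + payload)


def foundry_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): 4-byte vendor id, then vendor type, vendor length, value."""
    inner = struct.pack("!IBB", FOUNDRY_VENDOR_ID, vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, inner)


def dynamic_vlan_reply(vlan_id: int, qos_priority: Optional[int] = None) -> bytes:
    """Access-Accept attributes that move the authenticated MAC into vlan_id and, optionally,
    carry Foundry-MAC-based-VLAN-QoS (0-7; assumed to be sent as a 4-byte integer)."""
    out = tunnel_attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])        # 3-byte value after tag
    out += tunnel_attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
    out += tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode("ascii"))
    if qos_priority is not None:
        if not 0 <= qos_priority <= 7:
            raise ValueError("priority must be 0..7")
        out += foundry_vsa(FOUNDRY_MAC_BASED_VLAN_QOS, struct.pack("!I", qos_priority))
    return out


def decode_attrs(buf: bytes) -> List[Tuple[int, bytes]]:
    """Walk an attribute list, refusing lengths that run past the buffer."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("malformed attribute length")
        out.append((t, buf[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(buf: bytes) -> Optional[int]:
    """VLAN id requested by a reply, or None unless all three tunnel attributes are present
    and say 'VLAN over IEEE-802'. Anything else must not move the port."""
    d = dict(decode_attrs(buf))
    tt, tm, pg = d.get(TUNNEL_TYPE), d.get(TUNNEL_MEDIUM_TYPE), d.get(TUNNEL_PRIVATE_GROUP_ID)
    if not (tt and tm and pg):
        return None
    if (int.from_bytes(tt[1:], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(tm[1:], "big") != TUNNEL_MEDIUM_IEEE802):
        return None
    body = pg[1:] if pg[0] <= 0x1F else pg   # RFC 2868 3.6: a first octet above 0x1F is data, not a tag
    return int(body) if body.isdigit() else None


def users_entry(mac: str, vlan_id: int, qos_priority: Optional[int] = None,
                template: str = "xxxxxxxxxxxx") -> str:
    """FreeRADIUS-style users entry (assumed syntax): username and password are both the
    formatted MAC, as the page describes, followed by the reply items above."""
    u = format_mac(mac, template)
    lines = [f'{u}\tCleartext-Password := "{u}"',
             "\tTunnel-Type = VLAN,",
             "\tTunnel-Medium-Type = IEEE-802,",
             f'\tTunnel-Private-Group-Id = "{vlan_id}"']
    if qos_priority is not None:
        lines[-1] += ","
        lines.append(f"\tFoundry-MAC-based-VLAN-QoS = {qos_priority}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(users_entry("0000.000f.eaa1", 102, 5))
    print(assigned_vlan(dynamic_vlan_reply(102, 5)))
```

The credential is the MAC address itself, so the users file is only as strong as the switch's ability to bind a MAC to a port: anyone who can observe an accepted MAC can present it. Keep the RADIUS shared secret strong and the server reachable only from the switches, and pair this with the DoS rate limit and the max-MAC-per-port limits described in this chapter.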
Displaying multi-device port authenticationconfiguration information 1/22 4/5 100 30 0 0 0 0 0 0 Syntax: show auth-mac-address The following table describes the information displayed by the show auth-mac-address command. TABLE 29 Output from the show authenticated-mac-address command Field Description Port The port number where the multi-device port authentication feature is enabled. Vlan The VLAN to which the port has been assigned.
Displaying multi-device port authentication informationfor a specific MAC address or port TABLE 30 Output from theshow authenticated-mac-address configuration command (Continued) Field Description Dyn-vlan Whether RADIUS dynamic VLAN assignment is enabled for the port. MAC-filter Whether a MAC address filter has been applied to specify pre-authenticated MAC addresses.
Displaying the authenticated MAC addresses TABLE 31 Output from the show authenticated-mac-address address command (Continued) Field Description CAM Index If the MAC address is blocked, this is the index entry for the Layer 2 CAM entry created for this MAC address. If the MAC address is not blocked, either through successful authentication or through being placed in the restricted VLAN, then "N/A" is displayed.
Displaying multi-device port authentication settingsand authenticated MAC addresses 0000.0000.0321 0000.0000.0259 0000.0000.0065 0000.0000.0385 0000.0000.0191 0000.0000.02bd 0000.0000.00c9 000f.ed00.
Multi-Device Port Authentication
Authentication attempts : 0
RADIUS timeouts : 0
RADIUS timeouts action : Success
MAC Address on PVID : 1
MAC Address authorized on PVID : 1
Aging of MAC-sessions : Enabled
Port move-back vlan : Port-configured-vlan
Max-Age of sw mac session : 120 seconds
hw age for denied mac : 70 seconds
MAC Filter applied : No
Dynamic ACL applied : No
num Dynamic Tagged Vlan : 2
Dynamic Tagged Vlan list : 1025 (1/1) 4060 (1/0)
--------------------------------------------------------------
Multi-Device Port Authentication TABLE 33 Output from the show auth-mac-addresses detailed command (Continued) Field Description Accepted Mac Addresses The number of MAC addresses that have been successfully authenticated. Rejected Mac Addresses The number of MAC addresses for which authentication has failed. Authentication in progress The number of MAC addresses for which authentication is pending.
Displaying the MAC authentication table for FCX and ICX devices TABLE 33 Output from the show auth-mac-addresses detailed command (Continued) Field Description RADIUS Server The IP address of the RADIUS server used for authenticating the MAC addresses. Authenticated Whether the MAC address has been authenticated by the RADIUS server. Time The time at which the MAC address was authenticated. If the clock is set on the Brocade device, then the actual date and time are displayed.
Example port authentication configurations To display the table of denied MAC addresses, enter the show table denied-mac command as shown. Syntax: show table mac address The mac address variable is the specified MAC address.
device#show table denied-mac
------------------------------------------------------------------------------
MAC Address     Port   Vlan  Authenticated  Time  Age  dot1x
------------------------------------------------------------------------------
0000.0010.
Multi-Device Port Authentication FIGURE 10 Using multi-device port authentication with dynamic VLAN assignment In this example, multi-device port authentication is performed for both devices. If the PC is successfully authenticated, port e1 PVID is changed from VLAN 1 (the DEFAULT-VLAN) to VLAN 102. If authentication for the PC fails, then the PC can be placed in a specified "restricted" VLAN, or traffic from the PC can be blocked in hardware.
Example 2 -- multi-device port authentication with dynamic VLAN assignment
 mac-authentication auth-fail-action restrict-vlan
 mac-authentication enable-dynamic-vlan
 mac-authentication disable-ingress-filtering
The mac-authentication disable-ingress-filtering command enables tagged packets on the port, even if the port is not a member of the VLAN.
Multi-Device Port Authentication FIGURE 11 Using multi-device port authentication with dynamic VLAN assignment In this example, multi-device port authentication is performed for both devices. If the PC is successfully authenticated, the PVID of dual-mode port e1 is changed from VLAN 1 (the DEFAULT-VLAN) to VLAN 102. If authentication for the PC fails, then the PC can be placed in a specified "restricted" VLAN, or traffic from the PC can be blocked in hardware.
Examples of multi-device port authentication and 802.1X authentication configuration on the same port VLAN, authentication would not occur. In this case, port e1 must be added to that VLAN prior to authentication. The part of the running-config related to multi-device port authentication would be as follows.
Multi-Device Port Authentication FIGURE 12 Using multi-device port authentication and 802.1X authentication on the same port When the devices attempt to connect to the network, they are first subject to multi-device port authentication. When the MAC address of the IP phone is authenticated, the Access-Accept message from the RADIUS server specifies that the IP phone port be placed into the VLAN named "IP-Phone-VLAN", which is VLAN 7. The Foundry-802_1x-enable attribute is set to 0, meaning that 802.
Example 2 -- Creating a profile on the RADIUS server for each MAC address that the PVID for User 1 port be changed to the VLAN named "User-VLAN", which is VLAN 3. If 802.1X authentication for User 1 is unsuccessful, the PVID for port e 1/3 is changed to that of the restricted VLAN, which is 1023, or untagged traffic from port e 1/3 can be blocked in hardware. The part of the running-config related to port e 1/3 would be as follows.
Multi-Device Port Authentication FIGURE 13 802.1X Authentication is performed when a device fails multi-device port authentication Multi-device port authentication is initially performed for both devices. The IP phone MAC address has a profile on the RADIUS server. This profile indicates that 802.1X authentication should be skipped for this device, and that the device port be placed into the VLAN named "IP-Phone-VLAN".
Multi-Device Port Authentication To configure the device to perform 802.1X authentication when a device fails multi-device port authentication, enter the following command.
Web Authentication ● Supported Web Authentication features....................................................................... 291 ● Web authentication overview........................................................................................ 291 ● Web authentication configuration considerations..........................................................292 ● Web authentication configuration tasks........................................................................
Web authentication configuration considerations The Brocade Web authentication method provides a port-based authentication alternative to multi-device port authentication without the complexities and cost of 802.1X authentication. Hosts gain access to the network by opening a Web browser and entering a valid URL using HTTP or HTTPS. Instead of being routed to the URL, the host browser is redirected to an authentication Web page on the FastIron switch.
Web Authentication • If you are using DHCP addressing, a DHCP server must be in the same broadcast domain as the host. This DHCP server does not have to be physically connected to the switch. Also, DHCP assist from a router may be used. • Web Authentication, 802.1X port security, and multi-device port authentication are not supported concurrently on the same port. • Web Authentication is not supported on an MCT VLAN.
Web authentication configuration tasks Web authentication configuration tasks Follow the steps given below to configure Web Authentication on a device. 1. Set up any global configuration required for the FastIron switch, RADIUS server, Web server and other servers. ‐ On a Layer 2 FastIron switch, make sure the FastIron switch has an IP address.
device#configure terminal
device(config)#ip address 10.1.1.
Enabling and disabling web authentication 5. Create a Web Authentication VLAN and enable Web Authentication on that VLAN.
device(config)#vlan 10
device(config-vlan-10)#webauth
device(config-vlan-10-webauth)#enable
After you enter the webauth command, the CLI changes to the "webauth" configuration level. In the example above, VLAN 10 will require hosts to be authenticated using Web Authentication before they can forward traffic. 6.
Using local user databases Using local user databases Web Authentication supports the use of local user databases consisting of usernames and passwords, to authenticate devices. Users are blocked from accessing the switch until they enter a valid username and password on a web login page.
Deleting a user record from a local user database Syntax: username username password password For username, enter up to 31 ASCII characters. For password, enter up to 29 ASCII characters. You can add up to 30 usernames and passwords to a local user database. To view a list of users in a local user database, use the CLI command vlan-mod-port-userdb. Refer to Displaying a list of local user databases on page 321.
Importing a text file of user records from a TFTP server For password1, password2, etc., enter up to 29 ASCII characters. Be sure to insert a carriage return (cr) after each user record. You can enter up to 30 user records per text file. Importing a text file of user records from a TFTP server NOTE Before importing the file, make sure it adheres to the ASCII text format described in the previous section, Creating a text file of user records on page 297.
Setting the web authentication failover sequence To revert back to using the RADIUS server, enter the following command. device(config-vlan-10-webauth)# auth-mode username-password auth-methods radius Syntax: auth-mode username-password auth-methods radius Setting the web authentication failover sequence You can optionally specify a failover sequence for RADIUS and local user database authentication methods.
Creating static passcodes Creating static passcodes Static passcodes can be used for troubleshooting, or for networks that want to use passcode authentication but cannot support automatically generated passcodes (for example, the network does not fully support the use of SNMP traps or Syslog messages with passcodes). Manually created passcodes are used in conjunction with dynamic passcodes. You can configure up to four static passcodes that never expire.
Web Authentication • Duration of time - By default, dynamically-created passcodes are refreshed every 1440 minutes (24 hours). When refreshed, a new passcode is generated and the old passcode expires. You can increase or decrease the duration of time after which passcodes are refreshed, or you can configure the device to refresh passcodes at a certain time of day instead of after a duration of time.
Configuring a grace period for an expired passcode hh:mm is the hour and minutes. If you do not enter a value for hh:mm , by default, passcodes will be refreshed at 00:00 (12:00 midnight). You can configure up to 24 refresh times. Each must be at least five minutes apart. Enter the no form of the command to remove the passcode refresh time of day.
Re-sending the passcode log message The following shows an example Syslog message and SNMP trap message related to passcode authentication. New passcode: 01234567. Expires in 1440 minutes. Old passcode is valid for another 5 minutes. To disable Syslog messages for passcodes, enter the no auth-mode passcode log syslog command. device(config-vlan-10-webauth)# no auth-mode passcode log syslog Enter the following command to disable SNMP trap messages for passcodes.
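An added Python model of the passcode lifecycle described in this section (illustrative code written for this page, not the switch's implementation): dynamic passcodes rotate on the refresh interval, the previous passcode stays valid through the grace period, up to four static passcodes never expire, and the rotation message has the form of the Syslog line shown above. Assumed, because the page does not state them: eight-digit numeric passcodes as in the sample message, and the five-minute grace value from that message as the default. Passcodes are compared in constant time, which the page does not discuss but which any validator handling short numeric secrets should do.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class PasscodeStore:
    refresh_minutes: int = 1440       # page default: dynamic passcodes refreshed every 1440 minutes
    grace_minutes: int = 5            # assumed default, taken from the sample message above
    static: Set[str] = field(default_factory=set)   # manually created, never expire; at most four
    current: Optional[str] = None
    previous: Optional[str] = None
    refreshed_at: float = 0.0         # seconds, on whatever clock the caller uses

    def add_static(self, code: str) -> None:
        if code not in self.static and len(self.static) >= 4:
            raise ValueError("at most four static passcodes")
        self.static.add(code)

    def refresh(self, now: float, code: Optional[str] = None) -> str:
        """Rotate: the current code becomes 'previous' and stays valid for grace_minutes.
        An explicit code is accepted for testing; otherwise an 8-digit code is drawn from secrets."""
        self.previous, self.current = self.current, code or f"{secrets.randbelow(10 ** 8):08d}"
        self.refreshed_at = now
        return (f"New passcode: {self.current}. Expires in {self.refresh_minutes} minutes. "
                f"Old passcode is valid for another {self.grace_minutes} minutes.")

    def maybe_refresh(self, now: float) -> Optional[str]:
        """Call periodically; rotates once the refresh interval has elapsed."""
        if self.current is None or now - self.refreshed_at >= self.refresh_minutes * 60:
            return self.refresh(now)
        return None

    def check(self, code: str, now: float) -> Tuple[bool, str]:
        """(accepted, reason). Static codes win, then the current code, then the previous
        code while inside the grace window. Comparison is constant-time."""
        def eq(a: Optional[str], b: str) -> bool:
            return a is not None and hmac.compare_digest(a.encode(), b.encode())

        if any(eq(s, code) for s in self.static):
            return True, "static"
        if eq(self.current, code):
            return True, "current"
        if eq(self.previous, code):
            if now - self.refreshed_at <= self.grace_minutes * 60:
                return True, "grace"
            return False, "expired"
        return False, "unknown"


if __name__ == "__main__":
    store = PasscodeStore()
    print(store.refresh(0, "01234567"))
    print(store.check("01234567", 60), store.check("00000000", 60))
```

The grace window is the subtle part: a user who received the old code by SMS or email just before rotation still gets in, but only for grace_minutes after the rotation, not for grace_minutes after their last use. Static passcodes sit outside that lifecycle entirely, which is why the guide positions them as a troubleshooting aid rather than the normal mode.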
Automatic authentication Automatic authentication By default, if Web Authentication is enabled, hosts need to login and enter authentication credentials in order to gain access to the network. If a re-authentication period is configured, the host will be asked to re-enter authentication credentials once the re-authentication period ends. You can configure Web Authentication to authenticate a host when the user presses the ’Login’ button.
Changing the login mode (HTTPS or HTTP) Syntax: [no] accounting Enter the no accounting command to disable RADIUS accounting for Web Authentication. Changing the login mode (HTTPS or HTTP) Web Authentication can be configured to use secure (HTTPS) or non-secure (HTTP) login and logout pages. By default, HTTPS is used. Web authentication pages on page 310 shows an example Login page. To change the login mode to non-secure (HTTP), enter the no secure-login command.
Configuring the re-authentication period Entering a no add mac mac-address duration seconds | ethernet port duration seconds command sets duration and ethernet back to their default values. To remove a host, enter the no add mac mac-address command. NOTE If a MAC address is statically configured, that MAC address cannot be dynamically configured on any port. Configuring the re-authentication period After a successful authentication, a user remains authenticated for a duration of time.
Clearing authenticated hosts from the webauthentication table Clearing authenticated hosts from the webauthentication table Use the following commands to clear dynamically-authenticated hosts from the Web Authentication table. To clear all authenticated hosts in a Web authentication VLAN, enter a command such as the following. device#clear webauth vlan 25 authenticated-mac This command clears all the authenticated hosts in VLAN 25.
Limiting the number of authenticated hosts

You can limit the number of hosts that are authenticated at any one time by entering a command such as the following.

device(config-vlan-10-webauth)# host-max-num 300

Syntax: [no] host-max-num number

You can enter 0 - 8192, where 0 means there is no limit to the number of hosts that can be authenticated. The default is 0. The maximum is 8192 or the maximum number of MAC addresses the device supports.
Forcing re-authentication after an inactive period

You can force Web Authenticated hosts to be re-authenticated if they have been inactive for a period of time. The inactive duration is calculated by adding the mac-age-time that has been configured for the device and the configured authenticated-mac-age-time. (The mac-age-time command defines how long a port address remains active in the address table.
Deleting a web authentication VLAN

To delete a Web Authentication VLAN, enter the following commands:

device(config)# vlan 10
device(config-vlan-10)# no webauth

Syntax: [no] webauth

Web authentication pages

There are several pages that can be displayed for Web Authentication. When a user first enters a valid URL address on the Web browser, the browser is redirected to the Web Authentication URL (refer to Defining the web authorization redirect address on page 309).
FIGURE 16: Example of a login page when automatic authentication is disabled and passcode authentication is enabled

The user enters a passcode, which is then sent for authentication. If the Web Authentication fails, the page to try again is displayed as shown below.

FIGURE 17: Example of a try again page

If the limit for the number of authenticated users on the network is exceeded, the Maximum Host Limit page is displayed as shown below.
FIGURE 18: Example of a maximum host limit page

If the number of Web Authentication attempts by a user has been exceeded, the Maximum Attempts Limit page is displayed as shown below. The user is blocked from attempting any Web Authentication unless either the user MAC address is removed from the blocked list (using the clear webauth block mac mac-address command) or the block duration timer expires.
FIGURE 20: Example of a web authentication success page

Once a host is authenticated, that host can manually de-authenticate by clicking the Logout button in the Login Success page. The host remains logged in until the re-authentication period expires. At that time, the host is automatically logged out. However, if a re-authentication period is not configured, then the host remains logged in indefinitely.

NOTE
If you accidentally close the Success page, you will not be able to log out.
Displaying text for web authentication pages

Use the show webauth vlan vlan-ID webpage command to determine what text has been configured for Web Authentication pages.

device#show webauth vlan 25 webpage
=================================
Web Page Customizations (VLAN 25):
Top (Header): Default Text "
Welcome to Brocade Communications, Inc.
FIGURE 21: Objects in the web authentication pages that can be customized

Customizing the title bar

You can customize the title bar that appears on all Web Authentication pages. To do so, enter a command such as the following.

device(config-vlan-10-webauth)#webpage custom-text title "Brocade Secure Access Page"

Syntax: [no] webpage custom-text title title

For title, enter up to 128 alphanumeric characters. The default title bar is "Web Authentication".
The filename parameter specifies the name of the image file on the TFTP server. Use the no webpage logo command to delete the logo from all Web Authentication pages and remove it from flash memory.

Aligning the banner image (Logo)

You can optionally configure the placement of the logo that appears on all Web Authentication pages. By default, the logo is left-aligned at the top of the page. To center the logo at the top of the page, enter the following command.
Customizing the login button

You can customize the Login button that appears on the bottom of the Web Authentication Login page. To do so, enter a command such as the following.

device(config-vlan-10-webauth)#webpage custom-text login-button "Press to Log In"

Syntax: [no] webpage custom-text login-button text

For text, enter up to 32 alphanumeric characters.
Bottom (Footer): Custom Text "SNL Copyright 2009"
Title: Default Text
Login Button: Custom Text "Sign On"
Web Page Logo: blogo.gif
  align: left (Default)
Web Page Terms and Conditions: policy1.txt
Host statistics:
  Number of hosts dynamically authenticated: 0
  Number of hosts statically authenticated: 2
  Number of hosts dynamically blocked: 0
  Number of hosts statically blocked: 0
  Number of hosts authenticating: 1

The show webauth command displays the following information.
Field / Description

Web Page Customizations: The current configuration for the text that appears on the Web Authentication pages. Either "Custom Text" or "Default Text" displays for each page type:
• "Custom Text" means the message for the page has been customized. The custom text is also displayed.
• "Default Text" means the default message that ships with the FastIron switch is used.
Displaying a list of hosts attempting to authenticate

Enter the show webauth authenticating-list command to display a list of hosts that are trying to authenticate.
Field / Description

User Name: The User Name associated with the MAC address.
Configuration Static/Dynamic: Whether the MAC address was dynamically or statically blocked. The block mac command statically blocks MAC addresses.
Block Duration Remaining: The remaining time the MAC address has before the user with that MAC address can attempt Web Authentication.
DoS Attack Protection

● Supported DoS protection features ... 323
● Smurf attacks ... 323
● TCP SYN attacks ... 326

Supported DoS protection features

Lists DoS protection features supported on FastIron devices.
FIGURE 22: How a Smurf attack floods a victim with ICMP replies

The attacker sends an ICMP echo request packet to the broadcast address of an intermediary network. The ICMP echo request packet contains the spoofed address of a victim network as its source. When the ICMP echo request reaches the intermediary network, it is converted to a Layer 2 broadcast and sent to the hosts on the intermediary network.
For example, to set threshold values for ICMP packets targeted at the router, enter the following command in global CONFIG mode.

device(config)#ip icmp burst-normal 5000 burst-max 10000 lockup 300

For an ICX 7750 device, enter the following command in global CONFIG mode.

device(config)#ip icmp attack-rate burst-normal 2500 burst-max 3450 lockup 50

To set threshold values for ICMP packets received on interface 3/11, enter the following commands.
• If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are dropped.
• If the number of ICMP packets exceeds the burst-max value, all ICMP packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.

In the example, if the number of ICMP packets received per second exceeds 5,000, the excess packets are dropped.
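The burst-normal / burst-max / lockup behaviour described above, modelled as a per-second counter so the effect of a given threshold set can be checked against a traffic profile. This is an added example, not FastIron code; the traffic profile is constructed, and the thresholds are the ones from the example command (5000 / 10000 / 300).

```python
"""Model of the ICMP / TCP SYN burst thresholds described above.
Added example, not FastIron code: it reproduces the documented per-second
burst-normal / burst-max / lockup behaviour for reasoning about thresholds."""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass
class BurstLimiter:
    burst_normal: int        # packets per second forwarded before excess is dropped
    burst_max: int           # packets per second that triggers the lockup
    lockup: int              # lockup duration in seconds
    _second: int = -1        # second currently being measured
    _count: int = 0          # packets counted in that second
    _locked_until: int = 0   # lockup is active while now < _locked_until

    def accept(self, now: int) -> bool:
        """Return True if a packet arriving at second `now` is forwarded."""
        if now < self._locked_until:
            # During lockup every packet of this type is dropped.
            return False
        if now != self._second:
            # New second, or lockup just expired: counter reset, measurement restarts.
            self._second, self._count = now, 0
        self._count += 1
        if self._count > self.burst_max:
            # Exceeding burst-max starts the lockup period.
            self._locked_until = now + self.lockup
            return False
        # Above burst-normal (but not above burst-max): only the excess is dropped.
        return self._count <= self.burst_normal


def simulate(limiter: BurstLimiter,
             arrivals: Iterable[Tuple[int, int]]) -> Dict[int, Tuple[int, int]]:
    """arrivals: (second, packets_in_that_second) pairs in increasing time order.
    Returns {second: (forwarded, dropped)}."""
    result: Dict[int, Tuple[int, int]] = {}
    for second, packets in arrivals:
        forwarded = sum(1 for _ in range(packets) if limiter.accept(second))
        result[second] = (forwarded, packets - forwarded)
    return result


if __name__ == "__main__":
    # Constructed traffic profile against the values from the example command
    # (ip icmp burst-normal 5000 burst-max 10000 lockup 300).
    profile = [(0, 6000), (1, 12000), (2, 100), (300, 50), (301, 100)]
    for sec, (fwd, drop) in simulate(BurstLimiter(5000, 10000, 300), profile).items():
        print("second %3d: forwarded %5d dropped %5d" % (sec, fwd, drop))
```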
NOTE
For ICX 7750 devices, the "attack rate" parameter is only applicable for smurf attacks and not for TCP/SYN attacks.

To set threshold values for TCP/SYN packets received on VE 31, enter commands such as the following.
Protecting against a blind TCP reset attack using the RST bit

In a blind TCP reset attack using the RST bit, a perpetrator attempts to guess the RST bits to prematurely terminate an active TCP session.
Syntax: clear statistics dos-attack
DHCP

● Supported DHCP packet inspection and tracking features ... 331
● Dynamic ARP inspection ... 331
● DHCP snooping ... 336
● DHCP relay agent information ... 342
● IP source guard ...
mapping. All computers on the subnet will receive and process the ARP requests, and the host whose IP address matches the IP address in the request will send an ARP reply. An ARP poisoning attack can target hosts, switches, and routers connected to the Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet.
FIGURE 23: Dynamic ARP inspection at work

ARP entries

DAI uses the IP/MAC mappings in the ARP table to validate ARP packets received on untrusted ports. ARP entries in the ARP table derive from the following:
• Dynamic ARP - normal ARP learned from trusted ports.
• Static ARP - statically configured IP/MAC/port mapping.
• Inspection ARP - statically configured IP/MAC mapping, where the port is initially unspecified.
NOTE
You must save the configuration and reload the software to place the change into effect.

• Brocade does not support DAI on trunk or LAG ports.
• The maximum number of DHCP and static DAI entries depends on the maximum number of ARP table entries allowed on the device. A FastIron Layer 2 switch can have up to 4096 ARP entries and a FastIron Layer 3 switch can have up to 64,000 ARP entries.
The ARP entry will be in Pend (pending) status until traffic with the matching IP-to-MAC is received on a port.

Syntax: [no] arp ip-addr mac-addr inspection

The ip-addr mac-addr parameter specifies a device IP address and MAC address pairing.

Enabling DAI on a VLAN

DAI is disabled by default. To enable DAI on an existing VLAN, enter the following command.

device(config)#ip arp inspection vlan 2

The command enables DAI on VLAN 2.
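The validation DAI performs with the three entry kinds listed above (dynamic, static, inspection), including the Pend-to-Valid transition of an inspection entry, written out as a small model. This is an added example and not FastIron code; the sample IP/MAC pair is taken from the show arp output in this chapter, the port names are constructed, and treating a binding seen on a different port as a violation is an assumption noted in the code.

```python
"""Model of Dynamic ARP Inspection (DAI) validation on untrusted ports.
Added example, not FastIron code."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ArpEntry:
    ip: str
    mac: str
    kind: str                 # "Dynamic", "Static" or "Inspection"
    port: Optional[str]       # Inspection entries start with no port
    status: str               # "Valid" or "Pend"


class DynamicArpInspection:
    """Per-VLAN DAI: IP/MAC bindings learned on trusted ports or configured
    statically, used to validate ARP packets arriving on untrusted ports."""

    def __init__(self) -> None:
        self.bindings: Dict[str, ArpEntry] = {}
        self.dropped = 0

    def add_static(self, ip: str, mac: str, port: str) -> None:
        # Static ARP: IP/MAC/port fully specified, immediately Valid.
        self.bindings[ip] = ArpEntry(ip, mac.lower(), "Static", port, "Valid")

    def add_inspection(self, ip: str, mac: str) -> None:
        # arp <ip> <mac> inspection: port unknown until matching traffic is seen.
        self.bindings[ip] = ArpEntry(ip, mac.lower(), "Inspection", None, "Pend")

    def process_arp(self, port: str, trusted: bool,
                    sender_ip: str, sender_mac: str) -> bool:
        """Return True if the ARP packet is forwarded, False if DAI drops it."""
        sender_mac = sender_mac.lower()
        if trusted:
            # Trusted ports are not inspected; normal ARP learning creates a
            # Dynamic entry. Assumption: an existing static/inspection entry for
            # the same IP is left untouched.
            self.bindings.setdefault(
                sender_ip, ArpEntry(sender_ip, sender_mac, "Dynamic", port, "Valid"))
            return True
        entry = self.bindings.get(sender_ip)
        if entry is None or entry.mac != sender_mac:
            # No binding, or the sender claims an IP bound to another MAC:
            # this is the ARP poisoning case DAI exists to stop.
            self.dropped += 1
            return False
        if entry.status == "Pend":
            # First traffic matching an Inspection entry: record the port, mark Valid.
            entry.port, entry.status = port, "Valid"
        elif entry.port != port:
            # Assumption: a Valid binding seen from a different port is a violation.
            self.dropped += 1
            return False
        return True


if __name__ == "__main__":
    dai = DynamicArpInspection()
    dai.add_inspection("10.43.1.78", "0000.0060.6ab1")   # pair from the show arp example
    print(dai.process_arp("1/1/5", False, "10.43.1.78", "0000.0060.6ab1"))  # forwarded
    print(dai.process_arp("1/1/6", False, "10.43.1.78", "aaaa.bbbb.cccc"))  # dropped
    print(dai.bindings["10.43.1.78"])
```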
2 10.43.1.78 Dynamic 2 mgmt1 Valid 0000.0060.6ab1

The command displays all ARP entries in the system. For field definitions, refer to Table 25 in the FastIron Ethernet Switch Layer 3 Routing Configuration Guide.

Syntax: show arp

Multi-VRF support

DAI supports Multi-VRF (Virtual Routing and Forwarding) instances. You can deploy multiple VRFs on a Brocade Ethernet switch. Each VLAN having a Virtual Interface (VE) is assigned to a VRF.
other users. DHCP snooping can also stop unauthorized DHCP servers and prevent errors due to user mis-configuration of DHCP servers. Often DHCP snooping is used together with Dynamic ARP Inspection and IP Source Guard.

How DHCP snooping works

When enabled on a VLAN, DHCP snooping stands between untrusted ports (those connected to host ports) and trusted ports (those connected to DHCP servers).
The lease time will be refreshed when the client renews its IP address with the DHCP server; otherwise the Brocade device removes the entry when the lease time expires.

About client IP-to-MAC address mappings

Client IP addresses need not be on directly-connected networks, as long as the client MAC address is learned on the client port and the client port is in the same VLAN as the DHCP server port.
Configuring DHCP snooping

Configuring DHCP snooping consists of the following steps.
1. Enable DHCP snooping on a VLAN. Refer to Enabling DHCP snooping on a VLAN on page 339.
2. For ports that are connected to a DHCP server, change their trust setting to trusted. Refer to Enabling DHCP snooping on a VLAN on page 339.

The following shows the default settings of DHCP snooping.
Clearing the DHCP binding database

You can clear the DHCP binding database using the CLI command clear dhcp. You can remove all entries in the database, or remove entries for a specific IP address only. To remove all entries from the DHCP binding database, enter the clear dhcp command.

device#clear dhcp

To clear entries for a specific IP address, enter a command such as the following.

device#clear dhcp 10.10.102.
DHCP snooping configuration example

The following example configures VLAN 2 and VLAN 20, and changes the CLI to the global configuration level to enable DHCP snooping on the two VLANs. The commands are as follows.
Syntax: enable acl-per-port-per-vlan

• Configure DHCP IPv4 snooping on a specific VLAN using ip dhcp snooping vlan vlan-id. For example:

Brocade(config)# ip dhcp snooping vlan 2

Syntax: ip dhcp snooping vlan vlan-id

• The trust port setting for DHCP snooping can be specified per VRF. Set the port as a trust port using dhcp snooping trust vrf vrf-id. The default trust setting for a port is untrusted.
• Before relaying a DHCP discovery packet or DHCP request packet from a client to a DHCP server, the FastIron switch will add agent information to the packet.
• Before relaying a DHCP reply packet from a DHCP server to a client, the FastIron switch will remove relay agent information from the packet.
DHCP Option 82 sub-options

The Brocade implementation of DHCP Option 82 supports the following sub-options:
• Sub-Option 1 - Circuit ID
• Sub-Option 2 - Remote ID
• Sub-Option 6 - Subscriber ID

These sub-options are described in the following sections.

Sub-option 1 - circuit id

The Circuit ID (CID) identifies the circuit or port from which a DHCP client request was sent.
The following figure illustrates the SID packet format.

FIGURE 30: SID packet format

The second byte (N in the figure) is the length of the ASCII string that follows. The FastIron switch supports up to 50 ASCII characters.

DHCP option 82 configuration

When DHCP snooping is enabled on a VLAN, DHCP option 82 also is enabled by default. You do not need to perform any extra configuration steps to enable this feature.
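The relay behaviour (add Option 82 toward the server, strip it toward the client) and the sub-option 6 Subscriber ID layout described above, as an added example that is not FastIron code. The DHCP options field is parsed as the standard code/length/value sequence terminated by End (255) with length-less Pad (0); the sample options, circuit ID, remote ID and subscriber ID values are constructed.

```python
"""DHCP Option 82 (relay agent information) handling as described above.
Added example, not FastIron code."""
from typing import Dict, List, Tuple

OPTION_PAD, OPTION_END = 0, 255
OPTION_RELAY_AGENT_INFO = 82            # option code for relay agent information
SUB_CIRCUIT_ID, SUB_REMOTE_ID, SUB_SUBSCRIBER_ID = 1, 2, 6
MAX_SUBSCRIBER_ID_LEN = 50              # the switch accepts up to 50 ASCII characters


def parse_options(options: bytes) -> List[Tuple[int, bytes]]:
    """Split a DHCP options field into (code, value) pairs, stopping at End.
    Pad has no length byte; every other option is code, length, value."""
    out, i = [], 0
    while i < len(options):
        code = options[i]
        if code == OPTION_END:
            return out
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 2 > len(options):
            raise ValueError("option header truncated")
        n = options[i + 1]
        value = options[i + 2:i + 2 + n]
        if len(value) != n:
            raise ValueError("option %d value truncated" % code)
        out.append((code, value))
        i += 2 + n
    raise ValueError("options field missing End option")


def build_options(pairs: List[Tuple[int, bytes]]) -> bytes:
    """Inverse of parse_options: serialise (code, value) pairs and append End."""
    buf = bytearray()
    for code, value in pairs:
        if len(value) > 255:
            raise ValueError("option %d too long" % code)
        buf += bytes([code, len(value)]) + value
    return bytes(buf) + bytes([OPTION_END])


def encode_subscriber_id(sid: str) -> bytes:
    """Sub-option 6: code byte, then N (length of the ASCII string), then the string."""
    data = sid.encode("ascii")              # non-ASCII raises UnicodeEncodeError
    if not data or len(data) > MAX_SUBSCRIBER_ID_LEN:
        raise ValueError("subscriber ID must be 1..%d ASCII chars" % MAX_SUBSCRIBER_ID_LEN)
    return bytes([SUB_SUBSCRIBER_ID, len(data)]) + data


def encode_agent_info(circuit_id: bytes, remote_id: bytes, subscriber_id: str = "") -> bytes:
    """Value of Option 82: the concatenated sub-option TLVs."""
    body = bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    body += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    if subscriber_id:
        body += encode_subscriber_id(subscriber_id)
    if len(body) > 255:
        raise ValueError("option 82 too long")
    return body


def decode_agent_info(value: bytes) -> Dict[int, bytes]:
    """Parse the sub-option TLVs inside Option 82 into {sub_code: value}."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("sub-option header truncated")
        code, n = value[i], value[i + 1]
        data = value[i + 2:i + 2 + n]
        if len(data) != n:
            raise ValueError("sub-option %d truncated" % code)
        if code in subs:
            raise ValueError("duplicate sub-option %d" % code)
        subs[code] = data
        i += 2 + n
    return subs


def relay_to_server(client_options: bytes, agent_info: bytes) -> bytes:
    """Client -> server: the relay adds its agent information before forwarding."""
    pairs = parse_options(client_options)
    return build_options(pairs + [(OPTION_RELAY_AGENT_INFO, agent_info)])


def relay_to_client(server_options: bytes) -> bytes:
    """Server -> client: the relay strips the agent information again."""
    pairs = parse_options(server_options)
    return build_options([p for p in pairs if p[0] != OPTION_RELAY_AGENT_INFO])
```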
To re-enable DHCP option 82 on an interface after it has been disabled, enter the following command at the Interface level of the CLI.

device(config-if-e1000-1/4)#dhcp snooping relay information

Syntax: [no] dhcp snooping relay information

Use the show ip dhcp snooping vlan command to view the ports on which DHCP option 82 processing is disabled. For more information, refer to Viewing the ports on which DHCP option 82 is disabled on page 347.
Use the show interfaces ethernet command to view the subscriber ID configured on a port. Refer to Viewing the status of DHCP option 82 and the subscriber id on page 348.

Viewing information about DHCP option 82 processing

Use the commands in this section to view information about DHCP option 82 processing.
TABLE 35: Output for the show ip dhcp snooping vlan command

Field / Description

IP DHCP snooping VLAN vlan-id: The DHCP snooping and DHCP option 82 status for a VLAN:
• Enabled
• Disabled
Trusted Ports: A list of trusted ports in the VLAN.
Untrusted Ports: A list of untrusted ports in the VLAN.
Relay Info. disabled Ports: Ports on which DHCP option 82 was disabled.
Configuring the source IP address of a DHCP-client packet on the DHCP relay agent

Enables the DHCP server to know the source subnet or network of a DHCP-client packet. By default, a DHCP relay agent forwards a DHCP-client packet with the source IP address set to the IP address of the outgoing interface to the DHCP server.
NOTE
You must save the configuration and reload the software to place the change into effect.

• Brocade FCX devices do not support IP Source Guard and dynamic ACLs on the same port.
• Brocade devices support IP Source Guard together with IPv4 ACLs (similar to ACLs for Dot1x), as long as both features are configured at the port-level or per-port-per-VLAN level.
Enabling IP source guard on a port

You can enable IP Source Guard on DHCP snooping untrusted ports. Refer to DHCP snooping on page 336 for how to configure DHCP and DHCP untrusted ports. By default, IP Source Guard is disabled. To enable IP Source Guard on a DHCP untrusted port, enter the following commands.
device(config-vlan-2)#tag e1
Added tagged port(s) ethe 1 to port-vlan 2
device(config-vlan-2)#router-int ve 2
device(config-vlan-2)#int ve 2
device(config-vif-2)#source-guard enable e 1

Syntax: [no] source-guard enable

Enabling IP Source Guard to support a Multi-VRF instance

You can use IP Source Guard (IPSG) together with Dynamic ARP Inspection on untrusted ports.
for FWS, FCX, and ICX stackable switches.

Syntax: show ip source-guard ethernet slotnum/portnum

for FSX 800 and FSX 1600 chassis devices.
DHCPv6

● Supported DHCPv6 packet inspection and tracking features ... 355
● Securing IPv6 address configuration ... 355
● DHCPv6 snooping ...
How DHCPv6 snooping works

When enabled on a VLAN, DHCPv6 snooping stands between untrusted ports (those connected to host ports) and trusted ports (those connected to DHCPv6 servers).
Configuration notes and feature limitations for DHCPv6 snooping

The following limits and restrictions apply to DHCPv6 snooping:
• To run DHCPv6 snooping, you must first enable support for ACL filtering based on VLAN membership or VE port membership. To do so, enter the following commands at the Global CONFIG Level of the CLI.
Enabling trust on a port connected to a DHCPv6 server

The default trust setting for a port is untrusted. To enable trust on a port connected to a DHCPv6 server, enter commands such as the following.

device(config)#interface ethernet 1/1
device(config-if-e10000-1/1)#dhcp6 snooping trust

Port 1/1 is connected to a DHCPv6 server. The commands change the CLI to the interface configuration level of port 1/1 and set the trust setting of port 1/1 to trusted.
Syntax: show ipv6 dhcp6 snooping vlan vlan-id

Displaying the DHCPv6 snooping binding database

To see the DHCPv6 snooping binding database, enter the show ipv6 dhcp6 snooping info command. The following is an example of the output.

Brocade# show ipv6 dhcp6 snooping info
IP dhcpv6 snooping enabled on 1 VLANS(s):
IPv6 Address   LinkLayer-Addr   Age      VRF
2002::24       0000.0343.0958   259198   0
2002::4a       7c00.030c.
Syntax: enable acl-per-port-per-vlan

• Configure DHCPv6 snooping on a specific VLAN using ipv6 dhcp6 snooping vlan vlan-id. For example:

Brocade(config)# ipv6 dhcp6 snooping vlan 10

Syntax: ipv6 dhcp6 snooping vlan vlan-id

• The trust port setting for DHCPv6 snooping can be specified per VRF. Set the port as a trust port using dhcp6 snooping trust vrf vrf-id.
IPv6 RA Guard

● Supported platforms for the IPv6 RA guard feature ... 361
● Securing IPv6 address configuration ... 361
● IPv6 RA guard overview ... 361
● Configuration notes and feature limitations for IPv6 RA guard ... 363
● Configuring IPv6 RA guard ...
link. This helps the nodes to autoconfigure themselves on the network. Unintended misconfigurations or malicious attacks on the network lead to false RAs being present, which in turn causes operational problems for hosts on the network. IPv6 RA guard improves security of the local IPv6 networks. The IPv6 RA guard is useful in network segments that are designed around a single Layer 2 switching device or a set of Layer 2 switching devices.
the VLAN the ports are a part of. By default, all interfaces are configured as host ports. On a host port, all the RAs are dropped with a policy configured on the VLAN. Trusted ports are those that receive RAs within the network. Trusted ports allow received RAs to pass through without checking. Depending on the configured policy settings, an RA packet is either forwarded through the interface or dropped.
10. (Optional) Clear the RA packet counter using the clear ipv6 raguard command.
11. (Optional) Verify the RA packet counts using the show ipv6 raguard counts command. Logging has to be enabled to verify the counts.

Example of configuring IPv6 RA guard

The following sections describe how to configure IPv6 RA guard on a device or in a network.

Example: Configuring IPv6 RA guard on a device

The following example shows how to configure RA guard on a device.
FIGURE 33: IPv6 RA guard configuration in a network

Configuring port A: Configure port A as a trusted port.

Brocade(config)# interface ethernet 1/1/1
Brocade(config-int-e1000-1/1/1)# raguard trust

Configuring port C: On port C, create an RA Guard policy with no other options and associate the policy with a VLAN of which port C is a member. This blocks all RAs from C ports.
Brocade(config)# prefix-list raguard-prefix-list1 permit 2001:db8::/16
Brocade(config)# ipv6 raguard policy policyB
Brocade(ipv6-RAG-policy policyB)# whitelist 1
Brocade(ipv6-RAG-policy policyB)# prefix-list raguard-prefix-list1
Brocade(ipv6-RAG-policy policyB)# exit
Brocade(config)# interface ethernet 1/1/2
Brocade(config-int-e1000-1/1/2)# raguard untrust
Brocade(config-int-e1000-1/1/2)# exit
Brocade(config)# ipv6 raguard vlan 2 policyB

Example: Verifying the
Security Commands

● access-list enable accounting ... 368
● clear access-list accounting ... 369
● clear ipv6 raguard ... 369
● enable-accounting ...
access-list enable accounting

Configures ACL accounting. Enables ACL accounting for IPv4 numbered ACLs. The no form disables ACL accounting for IPv4 numbered ACLs.

Syntax
  access-list number enable-accounting
  no access-list number enable-accounting

Command Default
  This option is disabled.

Parameters
  number             Defines the IPv4 ACL ID.
  enable-accounting  Enables ACL accounting on the specified interface.

Modes
  Global configuration.

Usage Guidelines

Examples
clear access-list accounting

Clears ACL accounting statistics. Clears ACL accounting statistics for IPv4 ACLs, IPv6 ACLs, and Layer 2 MAC filters.

Syntax
  clear access-list accounting [all | [ethernet | ve] port in]

Parameters
  all       Clears all statistics for all ACLs.
  ethernet  Clears statistics for ACLs bound to a physical port.
  ve        Clears statistics for all ACLs bound to ports that are members of a virtual routing interface.
  port      Specifies the port ID.
Modes
  Global configuration

Usage Guidelines
  To clear RA guard packet counters for all RA guard policies, use the all keyword. To clear the RA guard packet counters for a specific RA guard policy, specify the name of the policy. You can use the show ipv6 raguard counts command to view the total count of RA packets dropped or permitted.
enable-accounting

Configures ACL accounting. Enables ACL accounting for IPv4 and IPv6 named ACLs. The no form disables ACL accounting for IPv4 and IPv6 named ACLs.

Syntax
  enable-accounting
  no enable-accounting

Command Default
  This option is disabled.

Modes
  Interface level configuration.

Usage Guidelines
  This is only applicable to named ACLs. The no form of this command disables ACL accounting on the associated ACL interface.

Examples
  RA packets drop due to congestion if they are received at the line rate. For less load on the CPU, logging can be disabled on the RA guard policy.

Examples
  The following example shows how to enable logging on an RA guard policy:

  Brocade(config)# ipv6 raguard policy p1
  Brocade(config-ipv6-RAG-policy p1)# logging

ipv6 raguard policy

Configures the specified RA guard policy and enters RA guard policy configuration mode. The no form of this command removes the specified RA guard policy.
Usage Guidelines
  You can associate only one RA guard policy with a VLAN. If you associate a new RA guard policy with a VLAN that already has a policy configured, the new RA guard policy replaces the old one.

Examples
  The following example shows how to associate an RA guard policy with a VLAN:

  Brocade(config)# ipv6 raguard vlan 1 policy p1

ipv6 raguard whitelist

Configures the RA guard whitelist and adds the IPv6 address as the allowed source IP address.
mac filter enable-accounting

Configures ACL accounting for MAC filters. Enables ACL accounting on Layer 2 MAC filters. The no form disables ACL accounting on Layer 2 MAC filters.

Syntax
  mac filter num enable-accounting
  no mac filter num enable-accounting

Command Default
  This option is disabled.

Parameters
  num                Specifies the MAC filter ID.
  enable-accounting  Enables MAC filter accounting on the specified interface.

Modes
  Global configuration.

Usage Guidelines

Examples
  Allows RAs of low and medium router preference.

Modes
  RA guard policy configuration

Usage Guidelines
  If a very low value is set, then the RAs expected to be forwarded might get dropped.

Examples
  The following example shows how to set the RA guard policy router preference:

  Brocade(config)# ipv6 raguard policy p1
  Brocade(config-ipv6-RAG-policy p1)# preference-maximum low

prefix-list

Associates an IPv6 prefix list with an RA guard policy.
            Configures an interface as a trusted RA guard port.
  untrust   Configures an interface as an untrusted RA guard port.
  host      Configures an interface as a host RA guard port.

Modes
  Interface configuration

Usage Guidelines
  A trusted RA guard port forwards all received RA packets without inspecting them. An untrusted port inspects the received RAs against the RA guard policy's whitelist, prefix list and preference maximum settings before forwarding the RA packets.
show access-list accounting

Displays ACL accounting statistics. Displays ACL accounting statistics for IPv4 ACLs, IPv6 ACLs, and Layer 2 MAC filters.

Syntax
  show access-list accounting [ethernet | ve] num in

Parameters
  ethernet  Displays accounting statistics for an Ethernet interface.
  ve        Displays accounting statistics for a virtual interface.
  num       Specifies the ID of the Ethernet or virtual interface.
  in        Used for incoming traffic.

Modes
  Privileged EXEC.

Command Output
Examples
  The output displayed will give information about IPv4 ACLs or IPv6 ACLs, or MAC filters, based on the configuration of the port or interface. If both IPv4 and IPv6 ACLs are configured on the same port, it will give both IPv4 and IPv6 ACL accounting information in a single output. The following sample output shows a virtual interface that has both IPv4 and IPv6 ACLs applied to the same port and has ACL accounting enabled.
The following sample output from the FastIron SX device shows the per-port display when the device has "acl-per-port-per-vlan" configured for IPv4 and IPv6 on interface 121, which has ports 3/21 and 3/20.

NOTE
In FastIron SX devices, ACL accounting displays only the Byte counter field, and all other fields will display "N/A".

device#show access-list accounting ve 121 in
IPV4 ACL Accounting Information
perPort[3/20] => Inbound ACL: 10
  0: permit host 10.10.10.
  Hit Count: (1Min) N/A (5Sec) N/A (PktCnt) N/A (ByteCnt) 0
---------------------------------------------------------------

The following sample output shows an Ethernet interface that has a MAC filter applied and ACL accounting enabled.

device#show access-list accounting ethernet 3/1/2 in
MAC Filters Accounting Information
  0: DA ANY SA 0000.0000.0001 - MASK FFFF.FFFF.
            Displays the permit or drop counts for the specified RA guard policy.
  all       Displays the permit or drop counts for all RA guard policies.

Modes
  Global configuration

Usage Guidelines
  This command is applicable only when logging is enabled on the policy.
ip bootp-use-intf-ip

Configures the source IP address of a DHCP-client packet in a DHCP relay agent. Configures a DHCP relay agent to set the source IP address of a DHCP-client packet to the IP address of the interface on which the DHCP-client packet is received. The no form of the command reverts the FastIron device to the default behaviour, where the DHCP relay agent sets the source IP address of a DHCP-client packet to the IP address of the outgoing interface to the DHCP server.
The no form of this command removes the associated RA guard whitelist from the RA guard policy. When a whitelist associated with an RA guard policy is removed, the policy drops all RA packets because no whitelist is associated with the policy.
configuring challenge-response authentication 86 enabling challenge-response 87 exporting client public keys 98 generating a client key pair 98 generating and deleting a key pair 85 importing public keys into Brocade device 86 S secure access passwords 31 secure copy (SCP) configuration notes 93 copying a software image file from flash memory 95 enabling and disabling 93 example file transfers 94 importing a digital certificate 95 importing a DSA or RSA public key 96 importing an RSA private key 96 with
SSH2 DSA challenge-response authentication 83 password authenticationSSH2 configuration 83 RSA challenge-response authentication 83 use with secure copy 93 SSH2 client configuring public key authentication 97 displaying information 99 enabling 97 overview 96 using 98 SSH authentication defining localmanagement privileges 35 local configuration 40 local with no passwords 40 local with unencrypted passwords 40 user authentication, deactivating 88 username configuration 36 username> 296 V VLAN ip access
auth-mode passcode static 300 auth-mode username-password auth-methods 299 auth-mode username-password auth-methods local 298 auth-mode username-password auth-methods radius 298 auth-mode username-password local-userdatabase 299 block duration 307 block mac 307 block mac duration 307 cycle time 306 dns-filter 308 enable 295 host-max-num 308 port-down-auth-mac-cleanup 308 reauth-time 306 secure-login 305 trust-port ethernetcommand trust-port ethernet 305 webauth-redirect-address 309 webpage custom-text bott
FastIron Ethernet Switch Security Configuration Guide 53-1003088-03