Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Table of contents
- Contents
- Preface
- About This Document
- Security Access
- Supported security access features
- Securing access methods
- Remote access to management function restrictions
- ACL usage to restrict remote access
- Defining the console idle time
- Remote access restrictions
- Restricting access to the device based on IP or MAC address
- Defining the Telnet idle time
- Specifying the maximum number of login attempts for Telnet access
- Changing the login timeout period for Telnet sessions
- Restricting remote access to the device to specific VLAN IDs
- Designated VLAN for Telnet management sessions to a Layer 2 Switch
- Device management security
- Disabling specific access methods
- Passwords used to secure access
- Local user accounts
- TACACS and TACACS+ security
- How TACACS+ differs from TACACS
- TACACS/TACACS+ authentication, authorization, and accounting
- TACACS authentication
- TACACS/TACACS+ configuration considerations
- Enabling TACACS
- Identifying the TACACS/TACACS+ servers
- Specifying different servers for individual AAA functions
- Setting optional TACACS and TACACS+ parameters
- Configuring authentication-method lists for TACACS and TACACS+
- Configuring TACACS+ authorization
- TACACS+ accounting configuration
- Configuring an interface as the source for all TACACS and TACACS+ packets
- Displaying TACACS/TACACS+ statistics and configuration information
- RADIUS security
- RADIUS authentication, authorization, and accounting
- RADIUS configuration considerations
- Configuring RADIUS
- Brocade-specific attributes on the RADIUS server
- Enabling SNMP to configure RADIUS
- Identifying the RADIUS server to the Brocade device
- Specifying different servers for individual AAA functions
- RADIUS server per port
- RADIUS server to individual ports mapping
- RADIUS parameters
- Setting authentication-method lists for RADIUS
- RADIUS authorization
- RADIUS accounting
- Configuring an interface as the source for all RADIUS packets
- Displaying RADIUS configuration information
- SSL security
- Authentication-method lists
- TCP Flags - edge port security
- SSH2 and SCP
- Supported SSH2 and Secure Copy features
- SSH version 2 overview
- SSH2 authentication types
- Optional SSH parameters
- Filtering SSH access using ACLs
- Terminating an active SSH connection
- Displaying SSH information
- Secure copy with SSH2
- Enabling and disabling SCP
- Secure copy configuration notes
- Example file transfers using SCP
- Copying a file to the running config
- Copying a file to the startup config
- Copying the running config file to an SCP-enabled client
- Copying the startup config file to an SCP-enabled client
- Copying a software image file to flash memory
- Copying a software image file from flash memory
- Importing a digital certificate using SCP
- Importing an RSA private key
- Importing a DSA or RSA public key
- Copying license files
- SSH2 client
- Rule-Based IP ACLs
- Supported Rule-Based IP ACL Features
- ACL overview
- How hardware-based ACLs work
- ACL configuration considerations
- Configuring standard numbered ACLs
- Standard named ACL configuration
- Extended numbered ACL configuration
- Extended named ACL configuration
- Applying egress ACLs to Control (CPU) traffic
- Preserving user input for ACL TCP/UDP port numbers
- ACL comment text management
- Applying an ACL to a virtual interface in a protocol-or subnet-based VLAN
- ACL logging
- Enabling strict control of ACL filtering of fragmented packets
- Enabling ACL support for switched traffic in the router image
- Enabling ACL filtering based on VLAN membership or VE port membership
- ACLs to filter ARP packets
- Filtering on IP precedence and ToS values
- QoS options for IP ACLs
- ACL-based rate limiting
- ACL statistics
- ACL accounting
- ACLs to control multicast features
- Enabling and viewing hardware usage statistics for an ACL
- Displaying ACL information
- Troubleshooting ACLs
- Policy-based routing (PBR)
- Configuration considerations for policy-based routing
- Configuring a PBR policy
- Configuring the ACLs
- Configuring the route map
- Enabling PBR
- Configuration examples for policy based routing
- Basic example of policy based routing
- Setting the next hop
- Setting the output interface to the null interface
- Trunk formation with PBR policy
- IPv6 ACLs
- Supported IPv6 ACL features
- IPv6 ACL overview
- IPv6 ACL configuration notes
- Configuring an IPv6 ACL
- Creating an IPv6 ACL
- Enabling IPv6 on an interface to which an ACL will be applied
- Applying an IPv6 ACL to an interface
- Adding a comment to an IPv6 ACL entry
- Deleting a comment from an IPv6 ACL entry
- Support for ACL logging
- Configuring IPv6 ACL accounting
- Displaying IPv6 ACLs
- 802.1X Port Security
- Supported 802.1X port security features
- IETF RFC support
- How 802.1X port security works
- 802.1X port security configuration
- Configuring an authentication method list for 802.1X
- Setting RADIUS parameters
- Dynamic VLAN assignment for 802.1X port configuration
- Dynamically applying IP ACLs and MAC address filters to 802.1X ports
- Configuration considerations for applying IP ACLs and MAC address filters to 802.1X ports
- Disabling and enabling strict security mode for dynamic filter assignment
- Disabled strict security mode
- Disabling strict security mode globally
- Dynamically applying existing ACLs or MAC address filters
- Notes for dynamically applying ACLs or MAC address filters
- Configuring per-user IP ACLs or MAC address filters
- Enabling 802.1X port security
- Setting the port control
- Configuring periodic re-authentication
- Re-authenticating a port manually
- Setting the quiet period
- Specifying the wait interval and number of EAP-request/identity frame retransmissions from the Brocade device
- Wait interval and number of EAP-request/identity frame retransmissions from the RADIUS server
- Specifying a timeout for retransmission of messages to the authentication server
- Initializing 802.1X on a port
- Allowing access to multiple hosts
- MAC address filters for EAP frames
- Configuring VLAN access for non-EAP-capable clients
- 802.1X accounting configuration
- Displaying 802.1X information
- Sample 802.1X configurations
- Multi-device port authentication and 802.1X security on the same port
- MAC Port Security
- Supported MAC port security features
- MAC port security overview
- MAC port security configuration
- Clearing port security statistics
- Displaying port security information
- MAC-based VLANs
- Supported MAC-based VLAN features
- MAC-based VLAN overview
- Dynamic MAC-based VLAN
- MAC-based VLAN configuration
- Using MAC-based VLANs and 802.1X security on the same port
- Configuring generic and Brocade vendor-specific attributes on the RADIUS server
- Aging for MAC-based VLAN
- Disabling aging for MAC-based VLAN sessions
- Configuring the maximum MAC addresses per port
- Configuring a MAC-based VLAN for a static host
- Configuring MAC-based VLAN for a dynamic host
- Configuring dynamic MAC-based VLAN
- Configuring MAC-based VLANs using SNMP
- Displaying information about MAC-based VLANs
- Displaying the MAC-VLAN table
- Displaying the MAC-VLAN table for a specific MAC address
- Displaying allowed MAC addresses
- Displaying denied MAC addresses
- Displaying detailed MAC-VLAN data
- Displaying MAC-VLAN information for a specific interface
- Displaying MAC addresses in a MAC-based VLAN
- Displaying MAC-based VLAN logging
- Clearing MAC-VLAN information
- Sample MAC-based VLAN application
- Defining MAC Address Filters
- Multi-Device Port Authentication
- Supported Multi-device port authentication (MDPA) features
- How multi-device port authentication works
- RADIUS authentication
- Authentication-failure actions
- Unauthenticated port behavior
- Supported RADIUS attributes
- Support for dynamic VLAN assignment
- Support for dynamic ACLs
- Support for authenticating multiple MAC addresses on an interface
- Support for dynamic ARP inspection with dynamic ACLs
- Support for DHCP snooping with dynamic ACLs
- Support for source guard protection
- Multi-device port authentication and 802.1X security on the same port
- Multi-device port authentication configuration
- Enabling multi-device port authentication
- Specifying the format of the MAC addresses sent to the RADIUS server
- Specifying the authentication-failure action
- Generating traps for multi-device port authentication
- Defining MAC address filters
- Configuring dynamic VLAN assignment
- Configuring a port to remain in the restricted VLAN after a successful authentication attempt
- Configuration notes for configuring a port to remain in the restricted VLAN
- Configuring the RADIUS server to support dynamic VLAN assignment
- Enabling dynamic VLAN support for tagged packets on non-member VLAN ports
- Specifying to which VLAN a port is moved after its RADIUS-specified VLAN assignment expires
- Automatic removal of dynamic VLAN assignments for MAC authenticated ports
- Saving dynamic VLAN assignments to the running-config file
- Dynamically applying IP ACLs to authenticated MAC addresses
- Enabling denial of service attack protection
- Enabling source guard protection
- Clearing authenticated MAC addresses
- Disabling aging for authenticated MAC addresses
- Changing the hardware aging period for blocked MAC addresses
- Specifying the aging time for blocked MAC addresses
- Specifying the RADIUS timeout action
- Multi-device port authentication password override
- Limiting the number of authenticated MAC addresses
- Displaying multi-device port authentication information
- Displaying authenticated MAC address information
- Displaying multi-device port authentication configuration information
- Displaying multi-device port authentication information for a specific MAC address or port
- Displaying the authenticated MAC addresses
- Displaying the non-authenticated MAC addresses
- Displaying multi-device port authentication information for a port
- Displaying multi-device port authentication settings and authenticated MAC addresses
- Displaying the MAC authentication table for FCX and ICX devices
- Example port authentication configurations
- Web Authentication
- Supported Web Authentication features
- Web authentication overview
- Web authentication configuration considerations
- Web authentication configuration tasks
- Enabling and disabling web authentication
- Web authentication mode configuration
- Using local user databases
- Configuring a local user database
- Creating a local user database
- Adding a user record to a local user database
- Deleting a user record from a local user database
- Deleting all user records from a local user database
- Creating a text file of user records
- Importing a text file of user records from a TFTP server
- Using a RADIUS server as the web authentication method
- Setting the local user database authentication method
- Setting the web authentication failover sequence
- Assigning a local user database to a web authentication VLAN
- Passcodes for user authentication
- Configuring passcode authentication
- Creating static passcodes
- Enabling passcode authentication
- Configuring the length of dynamically-generated passcodes
- Configuring the passcode refresh method
- Configuring a grace period for an expired passcode
- Flushing all expired passcodes that are in the grace period
- Disabling and re-enabling passcode logging
- Re-sending the passcode log message
- Manually refreshing the passcode
- Automatic authentication
- Using local user databases
- Web authentication options configuration
- Enabling RADIUS accounting for web authentication
- Changing the login mode (HTTPS or HTTP)
- Specifying trusted ports
- Specifying hosts that are permanently authenticated
- Configuring the re-authentication period
- Defining the web authentication cycle
- Limiting the number of web authentication attempts
- Clearing authenticated hosts from the web authentication table
- Setting and clearing the block duration for web authentication attempts
- Manually blocking and unblocking a specific host
- Limiting the number of authenticated hosts
- Filtering DNS queries
- Forcing re-authentication when ports are down
- Forcing re-authentication after an inactive period
- Defining the web authorization redirect address
- Deleting a web authentication VLAN
- Web authentication pages
- Displaying web authentication information
- DoS Attack Protection
- DHCP
- Supported DHCP packet inspection and tracking features
- Dynamic ARP inspection
- DHCP snooping
- How DHCP snooping works
- System reboot and the binding database
- Configuration notes and feature limitations for DHCP snooping
- Configuring DHCP snooping
- Clearing the DHCP binding database
- Displaying DHCP snooping status and ports
- Displaying the DHCP snooping binding database
- Displaying DHCP binding entry and status
- DHCP snooping configuration example
- Multi-VRF support
- DHCP relay agent information
- IP source guard
- DHCPv6
- Supported DHCPv6 packet inspection and tracking features
- Securing IPv6 address configuration
- DHCPv6 snooping
- How DHCPv6 snooping works
- Configuration notes and feature limitations for DHCPv6 snooping
- Configuring DHCPv6 snooping
- Clearing the DHCPv6 binding database
- Displaying DHCPv6 snooping status and ports
- Displaying the DHCPv6 snooping binding database
- DHCPv6 snooping configuration example
- Multi-VRF support for DHCPv6 snooping
- IPv6 RA Guard
- Security Commands
- access-list enable accounting
- clear access-list accounting
- clear ipv6 raguard
- enable-accounting
- logging
- ipv6 raguard policy
- ipv6 raguard vlan
- ipv6 raguard whitelist
- mac filter enable-accounting
- preference-maximum
- prefix-list
- raguard
- show access-list accounting
- show ipv6 raguard
- show ipv6 raguard counts
- ip bootp-use-intf-ip
- whitelist
- Index