Understanding fabric authentication, Configuring ssh server key exchange, Configuring an authentication policy – Brocade Network OS Administrator’s Guide v4.1.1 User Manual
Page 307

• A port mode change is not allowed when port security is enabled on the interface.
• Organizationally Unique Identifier (OUI)-based port security is not supported on the Brocade VDX 6710 and VDX 6720 platforms.
• A maximum of 4 OUIs are allowed per secure port. A maximum of 20 secure ports are allowed to enable OUI-based port security.
• Static secure MAC addresses are not supported for OUI-based port security.
• When the user tries to configure the first OUI IPv4 address on a secure port, traffic is flooded until all entries are programmed in the hardware.
• If a port-security-based change occurs when a port is shut down, the shutdown timer is not triggered. Consequently, the user must restore the full functionality of the port.
• When port security causes a port to be shut down and the user manually changes the shutdown time, the shutdown timer is reset and the timer starts with the new shutdown time.
• A secure port cannot be a destination port for Switch Port Analyzer (SPAN) purposes, because the port cannot be a Layer 2 port.
• Port security configurations are not allowed on member interfaces of a link aggregation group (LAG). They are allowed on the LAG interface, however, as they are in other Layer 2 configurations.
• Static MAC addresses cannot be configured on a secure port. They must be configured as secure MAC addresses on the secure port.
• Access control lists (ACLs) take precedence over the port security feature.
Understanding fabric authentication
This section presents a brief overview of SSH server key exchange, configuring an authentication policy and device authentication, and configuring SCC policy sets.
Configuring SSH server key exchange
The SSH server key-exchange specifies the method used for generating one-time session keys for encryption and authentication with the SSH server. Currently, you can configure the SSH server key-exchange method to DH Group 14.
If you are in logical chassis cluster mode, the command is not distributed across the cluster. The RBridge ID of the node should be used to configure service on individual nodes.
When the SSH server key-exchange method is configured to DH Group 14, SSH connection from a remote SSH client is allowed only if the key-exchange method at the client end is also configured to DH Group 14.
By default, SSH server key-exchange is not configured as DH Group 14. Enter no ssh server key-exchange dh-group-14 to restore SSH server key-exchange to the default value.
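The client-side consequence described above follows from the SSH algorithm negotiation rule (RFC 4253, section 7.1): the chosen key-exchange method is the first entry in the client's list that the server also offers, so a server pinned to a single method rejects any client that does not list it. The following is an added example modelling that negotiation, not code from the guide or from Network OS; it assumes that "DH Group 14" corresponds to the IANA name diffie-hellman-group14-sha1.

```python
"""Model of SSH key-exchange negotiation (RFC 4253 section 7.1) for a server
restricted to DH Group 14. Added example; algorithm name below is an assumption."""
import struct
from typing import Optional, Sequence

# Assumption: the guide's "DH Group 14" maps to this IANA-registered method name.
DH_GROUP_14 = "diffie-hellman-group14-sha1"


def encode_name_list(names: Sequence[str]) -> bytes:
    """Encode a name-list as an SSH string: uint32 length + comma-separated ASCII."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def decode_name_list(buf: bytes, offset: int = 0) -> tuple[list[str], int]:
    """Decode one SSH name-list at offset; return (names, offset after the field)."""
    if len(buf) < offset + 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from(">I", buf, offset)
    start, end = offset + 4, offset + 4 + length
    if len(buf) < end:
        raise ValueError("truncated name-list")
    body = buf[start:end].decode("ascii")
    return [n for n in body.split(",") if n], end


def negotiate_kex(client: Sequence[str], server: Sequence[str]) -> Optional[str]:
    """First algorithm in the client's list that the server also offers, else None."""
    for alg in client:
        if alg in server:
            return alg
    return None


def server_accepts(client_kex_list: bytes, server_algs=(DH_GROUP_14,)) -> bool:
    """True if a server pinned to server_algs can negotiate with this client offer."""
    client_algs, _ = decode_name_list(client_kex_list)
    return negotiate_kex(client_algs, server_algs) is not None


if __name__ == "__main__":
    # Constructed client offers: one without group 14, one that also lists it.
    modern_only = encode_name_list(["curve25519-sha256", "ecdh-sha2-nistp256"])
    compatible = encode_name_list(["curve25519-sha256", DH_GROUP_14])
    print(server_accepts(modern_only), server_accepts(compatible))  # False True
```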
Configuring an authentication policy
The switch authentication (AUTH) policy initiates DH-CHAP authentication on all E_Ports. This policy is persistent across reboots, which means authentication will be initiated automatically on ports or switches brought online if the policy is active. You must configure the AUTH policy on all connected fabric entities.
If you are in logical chassis cluster mode, this command is not distributed across the cluster. The RBridge ID of the node should be used to configure protocol and policy configurations.
Network OS Administrator’s Guide
53-1003225-04