Brocade FastIron Ethernet Switch Security Configuration Gu User Manual

Search online or download the User Manual for Computer Accessories Brocade FastIron Ethernet Switch Security Configuration Gu. Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


Table of contents

Page 1 - FastIron Ethernet Switch

53-1003088-03 30 July 2014 FastIron Ethernet Switch Security Configuration Guide Supporting FastIron Software Release 08.0.10d

Page 2

Web Authentication... 291 Supported Web Authen

Page 3 - Contents

Displaying SSH2 client information 100 FastIron Ethernet Switch Security Configuration Guide 53-1003088-03

Page 4

Rule-Based IP ACLs ● Supported Rule-Based IP ACL Features... 101 ● ACL overview...

Page 5

Feature ICX 6430 ICX 6450 FCX ICX 6610 ICX 6650 FSX 800 FSX 1600 ICX 7750 Hardware-based ACLs 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10 ACL

Page 6

Feature ICX 6430 ICX 6450 FCX ICX 6610 ICX 6650 FSX 800 FSX 1600 ICX 7750 ACL logging of denied packets No No No No No No No ACL logging with traffic rate

Page 7

listed in the Supported ACL features on inbound traffic and Supported ACL features on outbound traffic tables respectively and discussed in more detail

Page 8

combination in different ACLs. The total number of entries in all ACLs cannot exceed the system maximum listed in the following table. Maximum number of

Page 9

How hardware-based ACLs work When you bind an ACL to inbound or outbound traffic on an interface, the device programs the Layer 4 CAM with the ACL. Perm

Page 10 - 53-1003088-03

• Inbound ACLs apply to all traffic, including management traffic. By default outbound ACLs are not applied to traffic generated by the CPU. This must

Page 11

Standard numbered ACL syntax Syntax: [no] access-list ACL-num { deny | permit } { source-ip | hostname wildcard } [ log ] or Syntax: [no] access-list ACL-

Page 12

The log argument configures the device to generate Syslog entries and SNMP traps for inbound packets that are denied by the access policy. The in | out

Page 13 - Document conventions

Dynamic ARP inspection configuration... 334 Displaying ARP inspection status and ports...

Page 14 - Notes, cautions, and warnings

Syntax: [no] ip access-list standard { ACL-name | ACL-num } { deny | permit } { source-ip | hostname } [ log ] Syntax: [no] ip access-list standard {ACL-n

Page 15 - Getting technical help

NOTE If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with subnet mask i

Page 16 - Document feedback

Extended numbered ACL configuration This section describes how to configure extended numbered ACLs. Extended ACLs let you permit or deny packets based o

Page 17 - About This Document

If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a forward slash after the IP address,

Page 18

The tcp/udp comparison operator parameter specifies a comparison operator for the TCP or UDP port number. This parameter applies only when you specify

Page 19 - Security Access

• network or 7 - The ACL matches packets that have the network control precedence. If you specify the option number instead of the name, specify number

Page 20 - Securing access methods

The dscp-matching option matches on the packet’s DSCP value. Enter a value from 0 - 63. This option does not change the packet’s forwarding priority th

Page 21

The second entry denies IGMP traffic from the host device named "rkwong" to the 10.157.21.x network. The third entry denies IGMP traffic from

Page 22

Extended named ACL configuration The commands for configuring named ACL entries are different from the commands for configuring numbered ACL entries. Th

Page 23

The wildcard parameter specifies the portion of the source IP host address to match against. The wildcard is in dotted-decimal notation (IP address for

Page 24

Example: Configuring IPv6 RA guard on a device... 364 Example: Configuring IPv6 RA guard in a network... 364

Page 25 - Remote access restrictions

NOTE The QoS options listed below are only available if a specific ICMP type is specified for the icmp-type parameter and cannot be used with the any-ic

Page 26 - Restricting Telnet connection

• flash-override or 4 - The ACL matches packets that have the flash override precedence. If you specify the option number instead of the name, specify

Page 27 - Defining the Telnet idle time

NOTE The dscp-cos-mapping option is supported on FSX devices only. The dscp-marking option enables you to configure an ACL that marks matching packets w

Page 28

To enable this feature, enter the ip preserve-ACL-user-input-format command. device(config)#ip preserve-ACL-user-input-format Syntax: ip preserve-ACL-us

Page 29

Syntax: [no] ip access-list [ standard | extended ] ACL-num Syntax: remark comment-text For ACL-num, enter the number of the ACL. The comment-text can be

Page 30 - Device management security

The following shows the comment text for a numbered ACL, ACL 100, in a show running-config display. device#show running-config ... access-list 100 remark

Page 31 - Disabling TFTP access

ACL logging Brocade devices support ACL logging of inbound packets that are sent to the CPU for processing (denied packets). NOTE ACL logging is not suppo

Page 32 - Setting a Telnet password

NOTE The above limitation applies only to IPv4 ACLs, it does not apply to the use of ACLs to log IPv6 traffic. • When ACL logging is enabled on Brocade

Page 33

The above commands create ACL entries that include the log option, then bind the ACL to interface e9/12. Statistics for packets that match the deny st

Page 34

or applies the interface's ACL entries to the packet and permits or denies the packet according to the first matching ACL. • For other fragments of

Page 35 - Local user accounts

Preface ● Document conventions... 13 ● Brocade resources

Page 36

device(config-vlan-101)#router-interface ve 101 device(config-vlan-101)#exit device(config)#enable ACL-per-port-per-vlan device(config)#ip access-list ex

Page 37

202, 203, and 204, but not 300, 401, 600, and 900. See the release notes for a list of supported modules. • Brocade devices do not support a globally-co

Page 38 - Configuring password history

Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only) NOTE This section applies to IPv4 ACLs only. IPv6 ACLs do not sup

Page 39 - Setting passwords to expire

address. This behavior can cause a condition called "ARP hijacking", when two hosts with the same IP address try to send an ARP request to th

Page 40

The access-list-number parameter identifies the ID of the standard ACL that will be used to filter the packet. Only the source and destination IP addre

Page 41

precedence 6 device(config)#access-list 103 permit ip any any The first entry in this ACL denies TCP traffic from the 10.157.21.x network to the 10.157

Page 42 - TACACS and TACACS+ security

• dscp-marking - Marks the DSCP value in the outgoing packet with the value you specify. • internal-priority-marking and 802.1p-priority-marking - Supp

Page 43

The dscp-cos-mapping option maps the DSCP value in incoming packets to a hardware table that provides mapping of each of the 0 - 63 DSCP values, and di

Page 44 - TACACS authentication

provide DSCP-marking and DSCP-matching information in order to assign 802.1p priority values, which required the deployment of a 64-line ACL to match a

Page 45 - TACACS+ accounting

Syntax: access-list num (100-199) permit tcp any any 802.1p-priority-marking priority value (0-7) [ internal-priority-marking value (0-7) ] For UDP devic

Page 46

Convention Description value In Fibre Channel products, a fixed value provided as input to a command option is printed in plain text, for example, --sho

Page 47 - Configuring TACACS+

DSCP matching The dscp-matching option matches on the packet DSCP value. This option does not change the packet forwarding priority through the device o

Page 48 - Enabling TACACS

ACL accounting ACL accounting helps to collect usage information for access lists configured on the device. Counters, stored in hardware, keep track of

Page 49 - Setting the TACACS+ key

------------------------------------------------- 65533: Implicit ND_NA Rule: permit any any Hit Count: (1Min) 0 (5Sec)

Page 50 - Setting the timeout parameter

by the show access-list access-list-id command to determine the hardware usage for an ACL. To gain more hardware resources, you can modify the ACL rule

Page 51

use: 3)permit udp host 192.168.2.169 any (Flows: N/A, Packets: N/A, Rule cam use: 1)permit icmp any any (Flows: N/A, Packets: N/A, Rule cam use: 1)den

Page 52

• You cannot apply PBR on a port if that port already has ingress ACLs, ACL-based rate limiting, DSCP-based QoS, MAC address filtering. • The number of

Page 53

NOTE Do not use an access group to apply the ACL to an interface. Instead, use a route map to apply the ACL globally or to individual interfaces for PBR

Page 54

NOTE If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with subnet mask i

Page 55

The map-name variable is a string of characters that names the map. Map names can be up to 32 characters in length. You can define an unlimited number

Page 56

Syntax: ip policy route-map map-name Enter the name of the route map you want to use for the route-map map-name parameter. Configuration examples for po

Page 57

Brocade resources Visit the Brocade website to locate related documentation for your product and additional Brocade resources. You can download additiona

Page 58 - RADIUS security

device(config-routemap test-route)#set ip next-hop 192.168.2.1 device(config-routemap test-route)#exit The following commands configure the second entry

Page 59 - AAA operations for RADIUS

Trunk formation with PBR policy PBR can be applied on trunk primary port, only if the port is untagged. When a trunk is formed, the PBR policy on the pr

Page 60

Trunk formation with PBR policy 152

Page 61 - Configuring RADIUS

IPv6 ACLs ● Supported IPv6 ACL features... 153 ● IPv6 ACL overview..

Page 62

with 4000 entries, two ACLs with 2000 and 2093 entries respectively (combining IPv4 and IPv6 ACLs), etc. An IPv6 ACL is composed of one or more conditio

Page 63

• Authentication Header (AHP) • Encapsulating Security Payload (ESP) • Internet Control Message Protocol (ICMP) • Internet Protocol Version 6 (IPv6) • Str

Page 64 - RADIUS server per port

To disable IPv6, first remove the ACL from the interface. • For notes on applying IPv6 ACLs to trunk ports, see Applying an IPv6 ACL to a trunk group o

Page 65

device(config-if-4/3)# ipv6 traffic-filter netw in device(config)# write memory Here is another example. device(config)# ipv6 access-list nextone device(c

Page 66 - RADIUS parameters

• permit icmp any any nd-na - Allows ICMP neighbor discovery acknowledgements. • permit icmp any any nd-ns - Allows ICMP neighbor discovery solicitatio

Page 67 - Setting RADIUS over IPv6

Syntax for creating an IPv6 ACL NOTE The following features are not supported: • ipv6-operator flow-label • ipv6-operator fragments when any protocol is s

Page 68

Document feedback To send feedback and report errors in the documentation you can use the feedback form posted with the document or you can e-mail the d

Page 69 - RADIUS authorization

[ 802.1p-priority-matching number ] [ dscp-marking number 802.1p-priority-marking number internal-priority-marking number ] [ dscp-marking dscp-value dscp

Page 70

Syntax descriptions (Continued) TABLE 13 IPv6 ACL arguments Description ipv6-source-prefix/prefix-length The ipv6-source-prefix/prefix-length parameter s

Page 71

Syntax descriptions (Continued) TABLE 13 IPv6 ACL arguments Description tcp-udp-operator The tcp-udp-operator parameter can be one of the following: • eq

Page 72

Syntax descriptions (Continued) TABLE 13 IPv6 ACL arguments Description 802.1p-priority-marking number Use the 802.1p-priority-marking number parameter to

Page 73 - SSL security

• nd-ns • next-header • no-admin • no-route • packet-too-big • parameter-option • parameter-problem • port-unreachable • reassembly-timeout • renum-command • re

Page 74

• Gbps Ethernet ports • 10 Gbps Ethernet ports • Trunk groups • Virtual routing interfaces To apply an IPv6 ACL to an interface, enter commands such as th

Page 75 - Authentication-method lists

You can add a comment by entering the remark command immediately preceding an ACL entry. For example, to enter comments preceding an ACL entry, enter c

Page 76

Configuring IPv6 ACL accounting Steps to enable, display, and clear IPv6 ACL accounting 1. To enable IPv6 ACL accounting, use the enable-accounting comm

Page 77

Displaying IPv6 ACLs To display the IPv6 ACLs configured on a device, enter the show ipv6 access-list command. Here is an example. device#show ipv6 acces

Page 78

802.1X Port Security ● Supported 802.1X port security features... 169 ● IETF RFC supp

Page 79

About This Document ● What’s new in this document ... 17 ● How com

Page 80

IETF RFC support Brocade FastIron devices support the IEEE 802.1X standard for authenticating devices attached to LAN ports. Using 802.1X port security,

Page 81 - SSH2 and SCP

FIGURE 1 Authenticator, client/supplicant, and authentication server in an 802.1X configuration Authenticator - The device that controls access to the

Page 82 - SSH2 supported features

Communication between the devices For communication between the devices, 802.1X port security uses the Extensible Authentication Protocol (EAP), defined

Page 83 - SSH2 authentication types

FIGURE 3 Controlled and uncontrolled ports before and after client authentication Before a Client is authenticated, only the uncontrolled port on the A

Page 84

FIGURE 4 Message exchange between client/supplicant, authenticator, and authentication server In this example, the Authenticator (the FastIron switch)

Page 85

authentication server to protect messages from unauthorized users’ eavesdropping activities. Since EAP-TLS requires PKI digital certificates on both th

Page 86

NOTE IP MTU cannot be configured globally. EAP pass-through support EAP pass-through is supported on FastIron devices that have 802.1X enabled. EAP pass-

Page 87

FIGURE 5 Multiple hosts connected to a single 802.1X-enabled port If there are multiple hosts connected to a single 802.1X-enabled port, the Brocade de

Page 88 - Optional SSH parameters

1. One of the 802.1X-enabled Clients attempts to log into a network in which a Brocade device serves as an Authenticator. 2. The Brocade device creates

Page 89 - Setting the SSH port number

‐ Configurable hardware aging period for denied client dot1x-mac-sessions. Refer to Configurable hardware aging period for denied client dot1x-mac-ses

Page 90 - Displaying SSH information

How command information is presented in this guide 18

Page 91

period ends, the denied Client's dot1x-mac-session ages out, and the Client can be authenticated again. 802.1X port security and sFlow sFlow is a st

Page 92

‐ Dynamic VLAN assignment for 802.1X port configuration on page 184 (optional) ‐ Dynamically applying IP ACLs and MAC address filters to 802.1X ports on

Page 93 - Secure copy with SSH2

The dot1x parameter indicates that this RADIUS server supports the 802.1X standard. A RADIUS server that supports the 802.1X standard can also be used

Page 94

Permit user access to the network after a RADIUS timeout To set the RADIUS timeout behavior to bypass 802.1X authentication and permit user access to t

Page 95

NOTE The commands auth-fail-action restrict-vlan and auth-fail-vlanid are supported in the global dot1x mode and are not supported at the port-level. Th

Page 96 - SSH2 client

• When the Brocade device receives the value specified for the Tunnel-Private-Group-ID attribute, it checks whether the vlan-name string matches the na

Page 97 - Enabling SSH2 client

In this example, the port is added to VLANs 12 and 20 or VLANs 12 and the VLAN named "marketing". When a tagged packet is authenticated, and

Page 98 - Using SSH2 client

• If the port is not already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept message specifies the name or ID of a valid VLAN on the

Page 99

• Concurrent operation of MAC address filters and IP ACLs is not supported. • A dynamic IP ACL will take precedence over an IP ACL that is bound to a p

Page 100

Syntax: [no] global-filter-strict-security To disable strict security mode for a specific interface, enter commands such as the following. device(config

Page 101 - Rule-Based IP ACLs

Security Access ● Supported security access features... 19 ● Securing acces

Page 102

Notes for dynamically applying ACLs or MAC address filters • The name in the Filter ID attribute is case-sensitive. • You can specify only numbered MAC

Page 103 - ACL overview

Enabling 802.1X port security By default, 802.1X port security is disabled on Brocade devices. To enable the feature on the device and enter the dot1x c

Page 104 - ACL IDs and entries

When an interface control type is set to auto, the controlled port is initially set to unauthorized, but is changed to authorized when the connecting C

Page 105 - Default ACL action

For example, to re-authenticate Clients connected to interface 3/1, enter the following command. device#dot1x re-authenticate e 3/1 Syntax: dot1x re-aut

Page 106 - How hardware-based ACLs work

You can optionally change the number of times the Brocade device should retransmit the EAP-request/identity frame. You can specify between 1 - 10 fram

Page 107

Specifying a timeout for retransmission of messages to the authentication server When performing authentication, the Brocade device receives EAPOL frame

Page 108 - Standard numbered ACL syntax

You can configure the authentication-failure action using one of the following methods: • Configure the same authentication-failure action for all port

Page 109 - Standard named ACL syntax

Disabling aging for dot1x-mac-sessions The dot1x-mac-sessions for Clients authenticated or denied by a RADIUS server are aged out if no traffic is recei

Page 110

You can specify from 1 - 65535 seconds. The default is 120 seconds. Moving native VLAN mac-sessions to restrict VLAN You can move the native VLAN mac-se

Page 111

This feature is disabled by default. To enable this feature and change the timeout period, enter commands such as the following. device(config)#dot1x-en

Page 112 - Extended numbered ACL syntax

© 2014, Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, Brocade Assurance, ADX, AnyIO, DCX, Fabric OS, FastIron,

Page 113

NOTE Web management is not supported in Release 8.0.00a and later releases. If web management is enabled, you must configure the no web-management comma

Page 114

802.1X accounting attributes for RADIUS (Continued) TABLE 14 Attribute name Attribute ID Data Type Description Acct-Status-Type 40 integer Indicates w

Page 115

Displaying 802.1X configuration information To display information about the 802.1X configuration on the Brocade device, enter the show dot1x command. de

Page 116

Output from the show dot1x command (Continued) TABLE 15 Field Description servertimeout When the Authentication Server does not respond to a message s

Page 117

Output from the show dot1x configuration command. (Continued) TABLE 16 Field Description Authentication-fail-action The configured authentication-fail

Page 118 - Extended named ACL syntax

Original PVID : 1Authorized PVID ref count : 2Restricted PVID ref count : 0Radius assign PVID ref count : 0num mac sessio

Page 119

Output from the show dot1x config command for an interface (Continued) TABLE 17 Field Description num mac authorized The number of authorized dot1x-ma

Page 120

Output from the show dot1x statistics command (Continued) TABLE 18 Field Statistics Last EAPOL Source The source MAC address in the last EAPOL frame r

Page 121

In this example, the 802.1X-enabled port has been moved from VLAN 1 to VLAN 2. When the client disconnects, the port will be moved back to VLAN 1. The s

Page 122

Syntax: show dot1x mac-address-filter [ all | ethernet port ] The all keyword displays all dynamically applied MAC address filters active on the device

Page 123 - ACL comment text management

Syntax: show dot1x config ethernet port Displaying 802.1X multiple-host authentication information You can display the following information about 802.1

Page 124 - Viewing comments in an ACL

Ways to secure management access to Brocade devices (Continued) TABLE 2 Access method How the access method is secured by default Ways to secure the acc

Page 125

Output from the show dot1x mac-session command (Continued) TABLE 19 Field Description PAE State The current status of the Authenticator PAE state mach

Page 126 - ACL logging

Point-to-point configuration The following figure illustrates a sample 802.1X configuration with Clients connected to three ports on the Brocade device.

Page 127

default key mirabeau dot1x device(config)#dot1x-enable e 1 to 3 device(config-dot1x)#re-authentication device(config-dot1x)#timeout re-authperiod 2000 dev

Page 128 - Displaying ACL Log Entries

FIGURE 7 Sample 802.1X configuration using a hub Sample 802.1x configuration using a hub The following commands configure the Brocade device in the Samp

Page 129

device(config-if-e1000-1)#dot1x port-control auto device(config-if-e1000-1)#exit 802.1X Authentication with dynamic VLAN assignment The following figure

Page 130

2 is authenticated first, then the PVID for port e2 is changed to VLAN 20. Since a PVID cannot be changed by RADIUS authentication after it has been dy

Page 131

Multi-device port authentication and 802.1X security on the same port 216

Page 132 - ACLs to filter ARP packets

MAC Port Security ● Supported MAC port security features... 217 ● MAC port securi

Page 133

if the interface then receives a packet with a source MAC address that does not match the learned addresses, it is considered a security violation. When

Page 134 - Clearing the filter count

Secure MAC movement If you move a connected device that has MAC address configured as secure on one port to another port, the FastIron device connects t

Page 135 - QoS options for IP ACLs

Ways to secure management access to Brocade devices (Continued) TABLE 2 Access method How the access method is secured by default Ways to secure the acc

Page 136

For example, to configure interface 7/11 to have a maximum of 10 secure MAC addresses, enter the following commands. device(config)#interface ethernet 7

Page 137

On the ICX 7750 device, the port security age can only be set to the global hardware age. The absolute age and no age secure MACs are configured as sta

Page 138

For example, to automatically save learned secure MAC addresses every 20 minutes, enter the following commands. device(config)#port security device(confi

Page 139

Aging for restricted MAC addresses is done in software. There can be a worst case inaccuracy of one minute from the specified time. The restricted MAC a

Page 140 - ACL statistics

Displaying port security information You can display the following information about the MAC port security feature: • The port security settings for an

Page 141 - ACL accounting

Output from the show port security mac command TABLE 22 Field Description Port The slot and port number of the interface. Num-Addr The number of MAC a

Page 142

For example, to display port security statistics for interface module 7, enter the show port security statistics command. device#show port security stat

Page 143 - Displaying ACL information

MAC-based VLANs ● Supported MAC-based VLAN features... 227 ● MAC-based VLAN overvi

Page 144 - Policy-based routing (PBR)

from the new MAC address will be blocked or dropped until the authentication succeeds. Traffic is dropped if the authentication fails. Static and dynami

Page 145 - Configuring the ACLs

NOTE Even though the feature supports up to a maximum of 32 MAC address per physical port, the configuration of the maximum number of MAC addresses per

Page 146

Remote access to management function restrictions You can restrict access to management functions from remote sources, including Telnet and SNMP. The fo

Page 147 - Configuring the route map

CLI commands for MAC-based VLANs TABLE 25 CLI command Description CLI level mac-auth mac-vlan enable Enables per-port MAC-based VLAN Interface mac-aut

Page 148 - Enabling PBR

vlan 222 name RESTRICTED_MBV by port untagged ethe 0/1/4 mac-vlan-permit ethe 0/1/1 to 0/1/3 vlan 666 name RESTRICTED_MAC_AUTH by port untagged ethe 0/1/2

Page 149 - Setting the next hop

NOTE MAC-based VLAN is not supported on trunk or LACP ports. Do not configure trunks on MAC-based VLAN-enabled ports. Using MAC-based VLANs and 802.1X se

Page 150

Brocade vendor-specific attributes for RADIUS TABLE 27 Attribute name Attribute ID Data type Optional or mandatory Description Foundry-MAC-based VLAN-QoS

Page 151

For blocked hosts For blocked hosts, as long as the Brocade device is receiving traffic, aging does not occur. In the output of the show table-mac-vlan

Page 152

Enter the command at the global or interface configuration level. The denied-mac-only parameter prevents denied sessions from being aged out, but ages

Page 153 - IPv6 ACLs

4. To enable MAC-based VLAN on the port. device(config)#interface e 0/1/1 device(config-if-e1000-0/1/1)#mac-authentication mac-vlan enable 5. To disable

Page 154

NOTE If static Mac-Based VLAN is configured on a port, the port will be added only to the VLAN table for which the static MAC-based VLAN configuration e

Page 155 - IPv6 ACL configuration notes

Field Description Static Macs The number of currently connected active static hosts. Static Conf The number of static hosts that are configured on the p

Page 156 - Configuring an IPv6 ACL

-------------------------------------------------------------------------------MAC Address Port Vlan Authenticated Time Age dot1x------

Page 157

To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of the ACL. device(config)#access-list 10 permit hos

Page 158 - Creating an IPv6 ACL

Field Description Authenticated No indicates that authentication has failed. Inp indicates that authentication is in progress. Time The time at which aut

Page 159 - For ICMP

Displaying MAC-VLAN information for a specific interface Enter the show table-mac-vlan e command to display MAC-VLAN information for a specific interfa

Page 160

Field Description Pri This field indicates the value set for Foundry-MAC-based VLAN-QoS attribute in the RADIUS configuration for dynamic hosts, if conf

Page 161

0d18h46m28s:I:running-config was changed from console0d02h12m25s:A:MAC Based Vlan Mapping failed for [0000.0011.0108 ] on port 0/2/1(Invalid User)0d02

Page 162

FIGURE 9 Sample MAC-based VLAN configuration Host A MAC address is statically mapped to VLAN 1 with priority 1 and is not subjected to RADIUS authentica

Page 163 - ICMP message configurations

radius-server host 10.44.3.111 radius-server key 1 $-ndUno mac-authentication enable mac-authentication max-age 60 mac-authentication hw-deny-age 30 mac-au

Page 164

Sample MAC-based VLAN application 246

Page 165

Defining MAC Address Filters ● Supported MAC address filter features... 247 ● MAC

Page 166 - Support for ACL logging

MAC address filters command syntax To configure and apply a MAC address filter, enter commands such as the following. device(config)# mac filter 1 deny

Page 167

NOTE You cannot add or remove individual filters in the group. To add or remove a filter on an interface, apply the filter group again containing all th

Page 168 - Displaying IPv6 ACLs

The ro parameter indicates that the community string is for read-only ("get") access. The rw parameter indicates the community string is for

Page 169 - 802.1X Port Security

MAC address filter logging command syntax To configure MAC address filter logging globally, enter the following CLI commands at the global CONFIG level.

Page 170 - IETF RFC support

MAC address filter override for 802.1X-enabled ports The MAC address filtering feature on an 802.1X-enabled port allows 802.1X and non-802.1X devices t

Page 171

The filter-num command identifies the MAC address filter. The maximum number of supported MAC address filters is determined by the mac-filter-sys defau

Page 172

Multi-Device Port Authentication ● Supported Multi-device port authentication (MDPA) features... 253 ● How multi-dev

Page 173

Feature ICX 6430 ICX 6450 FCX ICX 6610 ICX 6650 FSX 800 FSX 1600 ICX 7750 Multi-Device Port Authentication 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.0

Page 174

the device to move the port on which the non-authenticated MAC address was learned into a restricted or "guest" VLAN, which may have limited

Page 175 - Setting the IP MTU size

• Vendor-Specific (26) - RFC 2865 • Session-Timeout (27) - RFC 2865 • Termination-Action (29) - RFC 2865 • Calling-Station-ID (31) - RFC 2865 • NAS-Identi

Page 176 - EAP pass-through support

Support for DHCP snooping with dynamic ACLs NOTE This feature is not supported on FCX devices. Multi-device port authentication and DHCP snooping are sup

Page 177

If multi-device port authentication fails for a device, then by default traffic from the device is either blocked in hardware, or the device is placed

Page 178

Multi-device port authentication configuration Configuring multi-device port authentication on the Brocade device consists of the following tasks: • Ena

Page 179

Restricting Telnet access to a specific IP address To allow Telnet access to the Brocade device only to the host with IP address 10.157.22.39, enter th

Page 180 - 802.1X accounting

device(config)#int e 3/1 to 3/12 device(config-mif-3/1-3/12)#mac-authentication enable Specifying the format of the MAC addresses sent to the RADIUS serv

Page 181 - Setting RADIUS parameters

Syntax: [no] mac-authentication auth-fail-action block-traffic Dropping traffic from non-authenticated MAC addresses is the default behavior when multi

Page 182 - Supported RADIUS attributes

To enable dynamic VLAN assignment for authenticated MAC addresses, you must add attributes to the profile for the MAC address on the RADIUS server, the

Page 183 - Re-authenticate a user

Configuring the RADIUS server to support dynamic VLAN assignment To specify VLAN identifiers on the RADIUS server, add the following attributes to the

Page 184

• Enabling dynamic VLAN support for tagged packets on non-member VLAN ports is not supported on FWS and FCX devices. • The mac-authentication disable-in

Page 185 - Specifying a tagged VLAN

displayed, although they can be displayed with the show vlan, show auth-mac-addresses detail, and show auth-mac-addresses authorized-mac commands. You

Page 186

Support is automatically enabled when all of the required conditions are met. The following describes the conditions and feature limitations: • On Layer

Page 187

configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the name or number of the Brocade IP ACL. The follow

Page 188 - Disabled strict security mode

To specify a maximum rate for RADIUS authentication attempts, enter commands such as the following. device(config)#interface e 3/1 device(config-if-e1000

Pagina 189

NOTE
Source guard protection is supported only on the router image and not on the switch image.
Viewing the assigned ACL for ports on which source guard

Page 190

The following command allows Telnet access to the Brocade device to a host with any IP address and MAC address 0000.000f.e9a0.
device(config)#telnet cli

Page 191 - Setting the port control

Disabling aging for authenticated MAC addresses
MAC addresses that have been authenticated or denied by a RADIUS server are aged out if no traffic is re

Page 192

configurable through the CLI, with the mac-authentication max-age command. Once the hardware aging period ends, the software aging period begins. When

Page 193 - Setting the quiet period

process and blocks user access to the network, unless restrict-vlan is configured, in which case, the user is placed into a VLAN with restricted or lim

Page 194

the request sent to the RADIUS server. For example, given a MAC address of 0000000feaa1, the users file on the RADIUS server would be configured with a

Page 195 - Initializing 802.1X on a port

1/22   100   0   0   0
4/5    30    0   0   0
Syntax: show auth-mac-address
T

Page 196

TABLE 30 Output from the show authenticated-mac-address configuration command (Continued)
Field       Description
Dyn-vlan    Whether RADIUS dynamic VLAN assign

Page 197

TABLE 31 Output from the show authenticated-mac-address address command (Continued)
Field       Description
CAM Index   If the MAC address is blocked, this is

Page 198

0000.0000.0321 18/1 87 No  00d01h03m17s H52 Ena
0000.0000.0259 18/1 87 No  00d01h03m17s H52 Ena
0000.0000.0065 18/1 87 Yes

Page 199

Authentication attempts : 0
RADIUS timeouts : 0
RADIUS timeouts action : Success
MAC Address on PVID

Page 200 - Displaying 802.1X information

TABLE 33 Output from the show auth-mac-addresses detailed command (Continued)
Field                    Description
Accepted Mac Addresses   The number of MAC addresses tha

Page 201 - Syntax: show dot1x

NOTE
You need to configure telnet with the enable telnet authentication local command to enable only a certain number of telnet login attempts.
Changing

Page 202

TABLE 33 Output from the show auth-mac-addresses detailed command (Continued)
Field           Description
RADIUS Server   The IP address of the RADIUS server used

Page 203

To display the table of allowed mac addresses enter the show table denied-mac command as shown.
Syntax: show table mac address
The mac address variable

Page 204

FIGURE 10 Using multi-device port authentication with dynamic VLAN assignment
In this example, multi-device port authentication is performed for both d

Page 205 - Displaying 802.1X statistics

 mac-authentication auth-fail-action restrict-vlan
 mac-authentication enable-dynamic-vlan
 mac-authentication disable-ingress-filtering
The mac-authenti

Page 206 - Clearing 802.1X statistics

FIGURE 11 Using multi-device port authentication with dynamic VLAN assignment
In this example, multi-device port authentication is performed for both d

Page 207

VLAN, authentication would not occur. In this case, port e1 must be added to that VLAN prior to authentication. The part of the running-config related t

Page 208

FIGURE 12 Using multi-device port authentication and 802.1X authentication on the same port
When the devices attempt to connect to the network, they ar

Page 209

that the PVID for User 1 port be changed to the VLAN named "User-VLAN", which is VLAN 3. If 802.1X authentication for User 1 is unsuccessful,

Page 210 - Sample 802.1X configurations

FIGURE 13 802.1X Authentication is performed when a device fails multi-device port authentication
Multi-device port authentication is initially perform

Page 211 - Point-to-point configuration

To configure the device to perform 802.1X authentication when a device fails multi-device port authentication, enter the following command.
device(confi

Page 212 - Hub configuration

The command in this example configures the device to allow SNMP access only to clients connected to ports within port-based VLAN 40. Clients connected

Page 213

Example 2 -- Creating a profile on the RADIUS server for each MAC address

Page 214

Web Authentication
● Supported Web Authentication features... 291
● Web authenticati

Page 215

The Brocade Web authentication method provides an ideal port-based authentication alternative to multi-device port authentication without the complexit

Page 216

• If you are using DHCP addressing, a DHCP server must be in the same broadcast domain as the host. This DHCP server does not have to be physically con

Page 217 - MAC Port Security

Web authentication configuration tasks
Follow the steps given below to configure Web Authentication on a device.
1. Set up any global configuration requ

Page 218

5. Create a Web Authentication VLAN and enable Web Authentication on that VLAN.
device(config)#vlan 10
device(config-vlan-10)#webauth
device(config-vlan-

Page 219 - Secure MAC movement

Using local user databases
Web Authentication supports the use of local user databases consisting of usernames and passwords, to authenticate devices. U

Page 220

Syntax: username username password password
For username, enter up to 31 ASCII characters.
For username, enter up to 29 ASCII characters.
You can add u

Page 221 - On a tagged interface

For password1, password2, etc., enter up to 29 ASCII characters. Be sure to insert a carriage return (cr) after each user record. You can enter up to 3

Page 222

To revert to using the RADIUS server, enter the following command.
device(config-vlan-10-webauth)# auth-mode username-password auth-methods radius

Page 224

The metric parameter specifies the metric (cost) of the gateway. You can specify a value from 1 - 5. There is no default. The software uses the gateway

Page 225

Creating static passcodes
Static passcodes can be used for troubleshooting purposes, or for networks that want to use passcode authentication, but do no

Page 226

• Duration of time - By default, dynamically-created passcodes are refreshed every 1440 minutes (24 hours). When refreshed, a new passcode is generated

Page 227 - MAC-based VLANs

hh:mm is the hour and minutes. If you do not enter a value for hh:mm, by default, passcodes will be refreshed at 00:00 (12:00 midnight). You can confi

Page 228 - Static and dynamic hosts

The following shows an example Syslog message and SNMP trap message related to passcode authentication.
New passcode: 01234567. Expires in 1440 minutes.

Page 229 - Dynamic MAC-based VLAN

Automatic authentication
By default, if Web Authentication is enabled, hosts need to log in and enter authentication credentials in order to gain access

Page 230

Syntax: [no] accounting
Enter the no accounting command to disable RADIUS accounting for Web Authentication.
Changing the login mode (HTTPS or HTTP)
Web

Page 231 - MAC-based VLAN configuration

Entering a no add mac mac-address duration seconds | ethernet port duration seconds command sets duration and ethernet to their default values. If you want to

Page 232 - RADIUS server

Clearing authenticated hosts from the web authentication table
Use the following commands to clear dynamically-authenticated hosts from the Web Authenti

Page 233 - Aging for MAC-based VLAN

Limiting the number of authenticated hosts
You can limit the number of hosts that are authenticated at any one time by entering a command such as the fo

Page 234 - Globally disabling aging

Forcing re-authentication after an inactive period
You can force Web Authenticated hosts to be re-authenticated if they have been inactive for a period

Page 235

Disabling Telnet access
You can use a Telnet client to access the CLI on the device over the network. If you do not plan to use the CLI over the network

Page 236

Deleting a web authentication VLAN
To delete a Web Authentication VLAN, enter the following commands:
device(config)# vlan 10
device(config-vlan-10)# no

Page 237 - Displaying the MAC-VLAN table

FIGURE 16 Example of a login page when automatic authentication is disabled and passcode authentication is enabled
The user enters a passcode, which is

Page 238

FIGURE 18 Example of a maximum host limit page
If the number of Web Authentication attempts by a user has been exceeded, the Maximum Attempts Limit page

Page 239

FIGURE 20 Example of a web authentication success page
Once a host is authenticated, that host can manually de-authenticate by clicking the Logout butt

Page 240

Displaying text for web authentication pages
Use the show webauth vlan vlan-ID webpage command to determine what text has been configured for Web Authen

Page 241

FIGURE 21 Objects in the web authentication pages that can be customized
Customizing the title bar
You can customize the title bar that appears on all W

Page 242

The filename parameter specifies the name of the image file on the TFTP server. Use the no webpage logo command to delete the logo from all Web Authent

Page 243 - Clearing MAC-VLAN information

Customizing the login button
You can customize the Login button that appears on the bottom of the Web Authentication Login page. To do so, enter a comma

Page 244

Bottom (Footer): Custom Text "SNL Copyright 2009"
Title: Default Text
Login Button: Custom Text "Sign On"
Web

Page 245

Field                     Description
Web Page Customizations   The current configuration for the text that appears on the Web Authentication pages. Either "Custom Text

Page 246

NOTE
You also can configure up to 16 user accounts consisting of a user name and password, and assign each user account a management privilege level. Re

Page 247 - Defining MAC Address Filters

Displaying a list of hosts attempting to authenticate
Enter the show webauth authenticating-list command to display a list of hosts that are trying to a

Page 248

Field                          Description
User Name                      The User Name associated with the MAC address.
Configuration Static/Dynamic   If the MAC address was dynamically or statically

Page 249

Displaying passcodes

Page 250

DoS Attack Protection
● Supported DoS protection features...323
● Smurf atta

Page 251

FIGURE 22 How a Smurf attack floods a victim with ICMP replies
The attacker sends an ICMP echo request packet to the broadcast address of an intermedia

Page 252

For example, to set threshold values for ICMP packets targeted at the router, enter the following command in global CONFIG mode.
device(config)#ip icmp

Page 253

• If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are dropped.
• If the number of ICMP packets exceeds the burst-m

Page 254

NOTE
For ICX 7750 devices, the "attack rate" parameter is only applicable for smurf attacks and not for TCP/SYN attacks.
To set threshold value

Page 255 - Unauthenticated port behavior

Protecting against a blind TCP reset attack using the RST bit
In a blind TCP reset attack using the RST bit, a perpetrator attempts to guess the RST bi

Page 256 - Support for dynamic ACLs

Syntax: clear statistics dos-attack

Page 257

on the order you specify in the authentication-method lists. Refer to Authentication-method lists on page 75. Follow the steps given below to set passwo

Page 258

Displaying statistics about packets dropped because of DoS attacks

Page 259

DHCP
● Supported DHCP packet inspection and tracking features... 331
● Dynamic ARP inspection ...

Page 260

mapping. All computers on the subnet will receive and process the ARP requests, and the host whose IP address matches the IP address in the request wil

Page 261 - Defining MAC address filters

FIGURE 23 Dynamic ARP inspection at work
ARP entries
DAI uses the IP/MAC mappings in the ARP table to validate ARP packets received on untrusted ports. A

Page 262

NOTE
You must save the configuration and reload the software to place the change into effect.
• Brocade does not support DAI on trunk or LAG ports.
• The

Page 263

The ARP entry will be in Pend (pending) status until traffic with the matching IP-to-MAC is received on a port.
Syntax: [no] arp ip-addr mac-addr inspec

Page 264

2   10.43.1.78   0000.0060.6ab1   Dynamic   2   mgmt1   Valid
The command displays all ARP entries i

Page 265

other users. DHCP snooping can also stop unauthorized DHCP servers and prevent errors due to user misconfiguration of DHCP servers. Often DHCP snooping

Page 266

The lease time will be refreshed when the client renews its IP address with the DHCP server; otherwise the Brocade device removes the entry when the le

Page 267

Configuring DHCP snooping
Configuring DHCP snooping consists of the following steps.
1. Enable DHCP snooping on a VLAN. Refer to Enabling DHCP snooping o

Page 268

Enhance the Port Configuration privilege level so users also can enter IP commands at the global CONFIG level.
device(config)#privilege configure level

Page 269

Clearing the DHCP binding database
You can clear the DHCP binding database using the CLI command clear DHCP. You can remove all entries in the database

Page 270

DHCP snooping configuration example
The following example configures VLAN 2 and VLAN 20, and changes the CLI to the global configuration level to enable

Page 271

Syntax: enable acl-per-port-per-vlan
• Configure DHCP IPv4 snooping on a specific VLAN using ip dhcp snooping vlan vlan-id. For example:
Brocade(config)

Page 272

• Before relaying a DHCP discovery packet or DHCP request packet from a client to a DHCP server, the FastIron switch will add agent information to the

Page 273

DHCP Option 82 sub-options
The Brocade implementation of DHCP Option 82 supports the following sub-options:
• Sub-Option 1 - Circuit ID
• Sub-Option 2 -

Page 274

The following figure illustrates the SID packet format.
FIGURE 30 SID packet format
The second byte (N in the figure) is the length of the ASCII string

Page 275 - MAC address or port

To re-enable DHCP option 82 on an interface after it has been disabled, enter the following command at the Interface level of the CLI.
device(config-if-

Page 276

Use the show interfaces ethernet command to view the subscriber ID configured on a port. Refer to Viewing the status of DHCP option 82 and the subscrib

Page 277 - MAC addresses

TABLE 35 Output for the show ip dhcp snooping vlan command
Field                          Description
IP DHCP snooping VLAN vlan-id   The DHCP snooping and DHCP option 82 status

Page 278

Configuring the source IP address of a DHCP-client packet on the DHCP relay agent
Enables the DHCP server to know the source subnet or network of a DHCP

Page 279

1. Start a CLI session over the serial interface to the device.
2. Reboot the device.
3. At the initial boot prompt at system startup, enter b to enter

Page 280

NOTE
You must save the configuration and reload the software to place the change into effect.
• Brocade FCX devices do not support IP Source Guard and d

Page 281

Enabling IP source guard on a port
You can enable IP Source Guard on DHCP snooping untrusted ports. Refer to DHCP snooping on page 336 for how to config

Page 282

device(config-vlan-2)#tag e1
Added tagged port(s) ethe 1 to port-vlan 2
device(config-vlan-2)#router-int ve 2
device(config-vlan-2)#int ve 2
device(config

Page 283

for FWS, FCX, and ICX stackable switches.
Syntax: show ip source-guard ethernet slotnum/portnum
for FSX 800 and FSX 1600 chassis devices.

Page 284

Displaying learned IP addresses

Page 285

DHCPv6
● Supported DHCPv6 packet inspection and tracking features... 355
● Securing IPv6 address configuration...

Page 286

How DHCPv6 snooping works
When enabled on a VLAN, DHCPv6 snooping stands between untrusted ports (those connected to host ports) and trusted ports (thos

Page 287

Configuration notes and feature limitations for DHCPv6 snooping
The following limits and restrictions apply to DHCPv6 snooping:
• To run DHCPv6 snooping

Page 288

Enabling trust on a port connected to a DHCPv6 server
The default trust setting for a port is untrusted. To enable trust on a port connected to a DHCPv

Page 289

Syntax: show ipv6 dhcp6 snooping vlan vlan-id
Displaying the DHCPv6 snooping binding database
To see the DHCPv6 snooping binding database, enter the show ip

Page 290

If you configure local user accounts, you also need to configure an authentication-method list for Telnet access and SNMP access. Refer to Authenticati

Page 291 - Web Authentication

Syntax: enable acl-per-port-per-vlan
• Configure DHCPv6 snooping on a specific VLAN using ipv6 dhcp6 snooping vlan vlan-id. For example:
Brocade(config)#

Page 292

IPv6 RA Guard
● Supported platforms for the IPv6 RA guard feature... 361
● Securing IPv6 address conf

Page 293

link. This helps the nodes to autoconfigure themselves on the network. Unintended misconfigurations or malicious attacks on the network lead to false R

Page 294

the VLAN the ports are a part of. By default, all interfaces are configured as host ports. On a host port, all the RAs are dropped with a policy config

Page 295

10. (Optional) Clear the RA packet counter using the clear ipv6 raguard command.
11. (Optional) Verify the RA packet counts using the show ipv6 raguard c

Page 296 - Using local user databases

FIGURE 33 IPv6 RA guard configuration in a network
Configuring port A:
Configure port A as a trusted port.
Brocade(config)# interface ethernet 1/1/1
Broca

Page 297

Brocade(config)# prefix-list raguard-prefix-list1 permit 2001:db8::/16
Brocade(config)# ipv6 raguard policy policyB
Brocade(ipv6-RAG-policy policyB)# wh

Page 298

Security Commands
● access-list enable accounting... 368
● clear acc

Page 299

access-list enable accounting
Configures ACL accounting.
Enables ACL accounting for IPv4 numbered ACLs.
The no form disables ACL accounting for IPv4 numb

Page 300 - Creating static passcodes

clear access-list accounting
Clears ACL accounting statistics.
Clears ACL accounting statistics for IPv4 ACLs, IPv6 ACLs, and Layer 2 MAC filters.
Syntax

Page 301

NOTE
Password minimum and combination requirements are strictly enforced.
Use the enable strict-password-enforcement command to enable the password secu

Page 302

Modes
Global configuration
Usage Guidelines
To clear RA guard packet counters for all RA guard policies, use the all keyword. To clear the RA guard packet

Page 303

enable-accounting
Configures ACL accounting.
Enables ACL accounting for IPv4 and IPv6 named ACLs.
The no form disables ACL accounting for IPv4 and IPv6 na

Page 304 - Automatic authentication

RA packets drop due to congestion if they are received at the line rate. For less load on the CPU, logging can be disabled on the RA guard policy.
Examp

Page 305 - Specifying trusted ports

Usage Guidelines
You can associate only one RA guard policy with a VLAN. If you associate a new RA guard policy with a VLAN that already has a policy co

Page 306

mac filter enable-accounting
Configures ACL accounting for MAC filters.
Enables ACL accounting on Layer 2 MAC filters.
The no form disables ACL accountin

Page 307

Allows RAs of low and medium router preference.
Modes
RA guard policy configuration
Usage Guidelines
If a very low value is set, then the RAs expected to

Page 308 - Filtering DNS queries

Configures an interface as a trusted RA guard port.
untrust
Configures an interface as an untrusted RA guard port.
host
Configures an interface as a host

Page 309

show access-list accounting
Displays ACL accounting statistics.
Displays ACL accounting statistics for IPv4 ACLs, IPv6 ACLs, and Layer 2 MAC filters.
Synt

Page 310 - Web authentication pages

Examples
The output displayed will give information about IPv4 ACLs or IPv6 ACLs, or MAC filters based on the configuration of the port or interface. If

Page 311

The following sample output from the FastIron SX device shows the per-port display when the device has "acl-per-port-per-vlan" configured for

Page 312

To enable password masking, enter the following command.
device(config)#enable user password-masking
Syntax: [no] enable user password-masking
Enabling u

Page 313

Hit Count: (1Min) N/A (5Sec) N/A (PktCnt) N/A (ByteCnt) 0
-------------------

Page 314

Displays the permit or drop counts for the specified RA guard policy.
all
Displays the permit or drop counts for all RA guard policies.
Modes
Global confi

Page 315 - Customizing the title bar

ip bootp-use-intf-ip
Configures the source IP address of a DHCP-client packet in a DHCP relay agent.
Configures a DHCP relay agent to set the source IP

Page 316 - Customizing the text box

The no form of this command removes the associated RA guard whitelist from the RA guard policy. When a whitelist associated with an RA guard policy is

Page 317 - Customizing the footer

whitelist

Page 318

Index
802.1x port security
accounting 180
accounting attributes for RADIUS

Page 319

enabling accounting 199
accounting configuration 199
allowing access to multiple hosts 195
and sFlow 180
applying IP ACLs and MAC address filters 187
authe

Page 320

accounting, pre-requisites for ACL accounting 141
adding a comment to an entry 124
adding a comment to an IPv6 entry 165
applying an IPv4 ACL to a subset

Page 321 - Displaying passcodes

TCP flags 76
aaa authorization commands 70
aaa authorization commands < 55
access-list 108, 112, 123, 137, 145
accounting 304
ACL-logging 127
age 220
all-

Page 322

auth-fail-action restricted-vlan 195
auth-fail-action restrict-vlan 195
auth-fail-max-attempts 195
auth-fail-vlanid 195
auth-max 193
dot1x disable-filter-s

Page 323 - DoS Attack Protection

Enhanced login lockout
The CLI provides up to three login attempts. If a user fails to log in after three attempts, that user is locked out (disabled). I

Page 324

age 220
arp inspection trust 335
dhcp snooping relay information 345
dhcp snooping relay information option subscriber-id 346
dot1x auth-filter 251
dot1x a

Page 325

aging 233
and port up or down events 229
clearing information 243
configuration 231
configuring for a dynamic host 236
configuring for a static host 235
con

Page 326 - TCP SYN attacks

changing a local user password 41
configuring 36
configuring password history 38
enabling user password aging 38
enabling user password masking 37
enhanced

Page 327 - TCP security enhancement

configuring challenge-response authentication 86
enabling challenge-response 87
exporting client public keys 98
generating a client key pair 98
generating

Page 328

SSH2
DSA challenge-response authentication 83
password authentication
SSH2
configuration 83
RSA challenge-response authentication 83
use with secure copy 93

Page 329

auth-mode passcode static 300
auth-mode username-password auth-methods 299
auth-mode username-password auth-methods local 298
auth-mode username-password

Page 330


Page 331 - Dynamic ARP inspection

Setting optional TACACS and TACACS+ parameters...49
Configuring authentication-method lists for TACACS and TACACS+...

Page 332 - About Dynamic ARP Inspection

Local user account configuration
You can create accounts for local users with or without passwords. Accounts with passwords can have encrypted or unencr

Page 333 - ARP entries

The password | nopassword parameter indicates whether the user must enter a password. If you specify password, enter the string for the user's pa

Page 334

TACACS and TACACS+ security
You can use the security protocol Terminal Access Controller Access Control System (TACACS) or TACACS+ to authenticate the f

Page 335 - Displaying the ARP table

Configuring TACACS/TACACS+ for devices in a Brocade traditional stack
Because devices operating in a Brocade traditional stack topology present multiple

Page 336 - DHCP snooping

you are connecting to this session
1 minutes 5 seconds in idle
2 established
1 hours 4 minutes 18 seconds in idle
3 es

Page 337 - How DHCP snooping works

TACACS+ authorization
Brocade devices support two kinds of TACACS+ authorization:
• Exec authorization determines a user privilege level when they are a

Page 338

User action                          Applicable AAA operations
System accounting start (TACACS+):   aaa accounting system default start-stop method-list
User logs in using Telnet/S

Page 339 - Configuring DHCP snooping

AAA security for commands pasted into the running-config
If AAA security is enabled on the device, commands pasted into the running-config are subject

Page 340

Enabling TACACS
TACACS is disabled by default. To configure TACACS/TACACS+ authentication parameters, you must enable TACACS by entering the following c

Page 341 - Multi-VRF support

The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the authentication port on the server. The default port numb

Page 342 - DHCP relay agent information

Filtering SSH access using ACLs... 90
Terminating an active SSH connection...

Page 343

To specify a TACACS+ server key, enter a command such as the following.
device(config)#tacacs-server key rkwong
Syntax: tacacs-server key [ 0 ] string
When y

Page 344 - DHCP Option 82 sub-options

When you configure authentication-method lists for TACACS/TACACS+ authentication, you must create a separate authentication-method list for Telnet/SSH

Page 345 - DHCP option 82 configuration

TABLE 3 Authentication method values (Continued)
Method parameter   Description
none               Do not use any authentication method. The device automatically perm

Page 346

Configuring TACACS+ authorization
Brocade devices support TACACS+ authorization for controlling access to management functions in the CLI. Two kinds of

Page 347

are 0 for super-user level, 4 for port-config level, or 5 for read-only level. If a value other than 0, 4, or 5 is specified in the foundry-privlvl A-V

Page 348

Configuring command authorization
When TACACS+ command authorization is enabled, the Brocade device consults a TACACS+ server to get authorization for c

Page 349 - IP source guard

Configuring TACACS+ accounting for Telnet/SSH (Shell) access
To send an Accounting Start packet to the TACACS+ accounting server when an authenticated

Page 350

Switch. For configuration details, see the "Specifying a single source interface for specified packet types" section in the FastIron Ethernet Swi

Page 351

RADIUS security
You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following types of access to the Brocade Layer 2

Page 352

3. If the command belongs to a privilege level that requires authorization, the Brocade device looks at the list of commands delivered to it in the RAD

Page 353

Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only)...

Page 354

User action                 Applicable AAA operations
EXEC accounting Start:      aaa accounting exec default start-stop method-list
System accounting Start:    aaa accounting sy

Page 355 - DHCPv6 snooping

AAA operations are performed before the commands are actually added to the running-config. The server performing the AAA operations should be reachable

Page 356 - How DHCPv6 snooping works

8. Optionally configure RADIUS authorization. Refer to RADIUS authorization on page 69.
9. Optionally configure RADIUS accounting. Refer to RADIUS acco

Page 357 - Configuring DHCPv6 snooping

TABLE 6 Brocade vendor-specific attributes for RADIUS (Continued)
Attribute name                   Attribute ID   Data type   Description
foundry-command-exception-flag   3              in

Page 358

The config-radius parameter specifies the RADIUS configuration mode. RADIUS is disabled by default. The config-tacacs parameter specifies the TACACS con

Page 359

RADIUS server per port configuration notes
• This feature works with 802.1X and multi-device port authentication only.
• You can define up to eight RADI

Page 360

RADIUS server-to-ports configuration notes
• This feature works with 802.1X and multi-device port authentication only.
• You can map a RADIUS server to

Page 361 - IPv6 RA Guard

NOTE
Encryption of the RADIUS keys is done by default and the default value is 2 (SIMPLE_ENCRYPTION_BASE64). The 0 parameter disables encryption. The 1

Page 362 - Maximum preference

When you configure authentication-method lists for RADIUS, you must create a separate authentication-method list for Telnet or SSH CLI access and for C

Page 363 - Configuring IPv6 RA guard

TABLE 7 Authentication method values (Continued)
Method parameter   Description
none               Do not use any authentication method. The device automatically perm

Page 364

802.1X Port Security...169
Supported 802.1X p

Page 365 - Configuring port B:

Syntax: aaa authorization exec default [ radius | none ]
If you specify none, or omit the aaa authorization exec command from the device configuration

Page 366

Command authorization and accounting for console commands
The Brocade device supports command authorization and command accounting for CLI commands ente

Page 367 - Security Commands

NOTE
If authorization is enabled, and the command requires authorization, then authorization is performed before accounting takes place. If authorizatio

Page 368

TABLE 8 Output of the show aaa command for RADIUS
Field        Description
Radius key   The setting configured with the radius-server key command. At the Supe

Page 369

Changing the SSL server certificate key size
The default key size for Brocade-issued and imported digital certificates is 1024 bits. If desired, you can

Page 370

Generating an SSL certificate
If the certificate does not automatically generate, enter the following command to generate it.
Brocade(config)#crypto-ssl

Page 371

In an authentication-method list for a particular access method, you can specify up to seven authentication methods. If the first authentication method

Page 372

Note that the above configuration can be overridden by the command no snmp-server pw-check, which disables password checking for SNMP SET requests.
Exa

Page 373

TABLE 9 Authentication method values (Continued)
Method parameter   Description
local              Authenticate using a local user name and password you configured o

Page 374

Using TCP Flags in combination with other ACL features
The TCP Flags feature has the added capability of being combined with other ACL features.
device(

Page 375

MAC port security configuration...219
Enabling the MAC port security feature...

Page 376

Using TCP Flags in combination with other ACL features

Page 377

SSH2 and SCP
● Supported SSH2 and Secure Copy features... 81
● SSH version 2 overview...

Page 378

used. The highest version of SSH2 supported by both the Brocade device and the client is the version that is used for the session. Once the SSH2 versio

Page 379

• Encryption is provided with 3des-cbc, aes128-cbc, aes192-cbc or aes256-cbc. AES encryption has been adopted by the U.S. Government as an encryptio

Page 380

Enabling and disabling SSH by generating and deleting host keys
To enable SSH, you generate a DSA or RSA host key on the device. The SSH server on the

Page 381

Generating and deleting an RSA key pair
To generate an RSA key pair, enter a command such as the following:
device(config)#crypto key generate rsa modul

Page 382

Configuring DSA or RSA challenge-response authentication
With DSA or RSA challenge-response authentication, a collection of clients’ public keys are st

Page 383

The tftp-server-ip-addr variable is the IP address of the tftp server that contains the public key file that you want to import into the Brocade device

Page 384

Optional SSH parameters
You can adjust the following SSH settings on the Brocade device:
• The number of SSH authentication retries
• The user authentica

Page 385 - 802.1x port security

The default is yes. To deactivate password authentication, enter the following command.
device(config)#ip ssh password-authentication no
Syntax: ip ssh

Page 386

MAC address filter logging command syntax...250
Configuring MAC filter accounting...

Page 387

Designating an interface as the source for all SSH packets
You can designate a loopback interface, virtual interface, or Ethernet port as the source fo

Page 388

Displaying SSH connection information
To display information about SSH connections, enter the show ip ssh command.
device#show ip ssh
Connection Version

Page 389

SCP : Enabled
SSH IPv4 clients : All
SSH IPv6 clients : All
SSH IPv4 access-group :
SSH IPv6 access-group

Page 390

Displaying additional SSH connection information
The show who command also displays information about SSH connections:
device#show who
Console con

Page 391

Example file transfers using SCP
The following are examples of using SCP to transfer files to and from a Brocade device.
Copying a file to the running c

Page 392

To copy a software image file from an SCP-enabled client to the secondary flash on these devices, enter one of the following commands.
C:\> scp FCXR0

Page 393

Importing an RSA private key
To import an RSA private key from a client using SCP, enter a command such as the following one:
C:\> scp keyfile user@1

Page 394

while you are connected to the device by any connection method (SSH2, Telnet, console). Brocade devices support one outbound SSH2 client session at a t

Page 395

Generating and deleting a client RSA key pair
To generate a client RSA key pair, enter a command such as the following:
device(config)#crypto key client

Page 396

Displaying SSH2 client information
For information about displaying SSH2 client information, see the following sections:
• Displaying SSH connection inf
