Brocade Multi-Service IronWare Security Configuration Guid Manual de usuario Pagina 1

53-1003035-0209 December, 2013 ®53-1003035-02Multi-Service IronWareSecurity Configuration GuideSupporting Multi-Service IronWare R05.6.00

x Multi-Service IronWare Security Configuration Guide53-1003035-02Displaying multi-device port authentication information . . . . . . . .279Displaying

82 Multi-Service IronWare Security Configuration Guide53-1003035-02Creating a numbered Layer-2 ACL table2Brocade(config)# access-list 401 sequence 23

Multi-Service IronWare Security Configuration Guide 8353-1003035-02Creating a numbered Layer-2 ACL table2Using the mask, you can make the access list

84 Multi-Service IronWare Security Configuration Guide53-1003035-02Creating a numbered Layer-2 ACL table2The Brocade NetIron CES and Brocade NetIron C

Multi-Service IronWare Security Configuration Guide 8553-1003035-02Creating a numbered Layer-2 ACL table2In the following example, access list 414 per

86 Multi-Service IronWare Security Configuration Guide53-1003035-02Creating a named Layer-2 ACL table2Creating a named Layer-2 ACL tableTo create for

Multi-Service IronWare Security Configuration Guide 8753-1003035-02ACL accounting2ACL accountingMulti-Service devices may be configured to monitor the

88 Multi-Service IronWare Security Configuration Guide53-1003035-02Displaying Layer-2 ACLs2For detailed information about ACL accounting consideration

Multi-Service IronWare Security Configuration Guide 8953-1003035-02Displaying Layer-2 ACLs210: deny 0000.0030.0310 ffff.ffff.ffff 0000.0030.0010 ffff.

90 Multi-Service IronWare Security Configuration Guide53-1003035-02Displaying Layer-2 ACLs2 permit vlan 3000 ip any anySyntax: [no] display-config-for

Multi-Service IronWare Security Configuration Guide 9153-1003035-02Displaying Layer-2 ACLs2Displaying Layer-2 ACL statistics on Brocade NetIron CES an

Multi-Service IronWare Security Configuration Guide xi53-1003035-02Configuring 802.1x port security . . . . . . . . . . . . . . . . . . . . . . . . .

92 Multi-Service IronWare Security Configuration Guide53-1003035-02Displaying Layer-2 ACLs2

Multi-Service IronWare Security Configuration Guide 9353-1003035-02Chapter3Access Control ListTable 14 displays the individual Brocade devices and the

94 Multi-Service IronWare Security Configuration Guide53-1003035-02Access Control List3This chapter discusses the IPv4 Access Control List (ACL) featu

Multi-Service IronWare Security Configuration Guide 9553-1003035-02How the Brocade device processes ACLs3How the Brocade device processes ACLsThe Broc

96 Multi-Service IronWare Security Configuration Guide53-1003035-02How the Brocade device processes ACLs3NOTEFor all NetIron devices running any previ

Multi-Service IronWare Security Configuration Guide 9753-1003035-02Disabling outbound ACLs for switching traffic3Disabling outbound ACLs for switching

98 Multi-Service IronWare Security Configuration Guide53-1003035-02Default ACL action3The ipv4 and ipv6 options are mutually exclusive within the same

Multi-Service IronWare Security Configuration Guide 9953-1003035-02Types of IP ACLs3Types of IP ACLsIP ACLs can be configured as standard or extended

100 Multi-Service IronWare Security Configuration Guide53-1003035-02ACL IDs and entries3• ncopy tftp ip-addr from-name running-config In this case, th

Multi-Service IronWare Security Configuration Guide 10153-1003035-02Configuring numbered and named ACLs3Syntax: [no] suppress-acl-seqThe no version of

xii Multi-Service IronWare Security Configuration Guide53-1003035-02Chapter 10 Securing SNMP AccessEstablishing SNMP community strings . . . . . . . .

102 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring numbered and named ACLs3sequence number generated by the system is the

Multi-Service IronWare Security Configuration Guide 10353-1003035-02Configuring numbered and named ACLs3Deleting a standard numbered ACL entryYou can

104 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring numbered and named ACLs3Parameters for regenerating IPv4 ACL table seq

Multi-Service IronWare Security Configuration Guide 10553-1003035-02Configuring numbered and named ACLs3Parameters to bind standard ACLs to an interfa

106 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring numbered and named ACLs3Here is another example of commands for config

Multi-Service IronWare Security Configuration Guide 10753-1003035-02Configuring numbered and named ACLs3The fifth entry permits all packets that are n

108 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring numbered and named ACLs3access-list 100 permit icmp any anyExtended AC

Multi-Service IronWare Security Configuration Guide 10953-1003035-02Configuring numbered and named ACLs3wildcard Specifies the portion of the source I

110 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring numbered and named ACLs3Parameters to filter TCP or UDP packetsUse the

Multi-Service IronWare Security Configuration Guide 11153-1003035-02Configuring numbered and named ACLs3operator Specifies a comparison operator for t

Multi-Service IronWare Security Configuration Guide xiii53-1003035-02About This DocumentIn this chapter•Audience. . . . . . . . . . . . . . . . . . .

112 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring numbered and named ACLs3Filtering traffic with ICMP packetsUse the fol

Multi-Service IronWare Security Configuration Guide 11353-1003035-02Configuring numbered and named ACLs3precedence name | num The precedence option

114 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring numbered and named ACLs3Using ACL QoS options to filter packetsYou can

Multi-Service IronWare Security Configuration Guide 11553-1003035-02Configuring numbered and named ACLs3Please note, the behavior of an implicit deny

116 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring numbered and named ACLs3Configuration example for standard ACLTo confi

Multi-Service IronWare Security Configuration Guide 11753-1003035-02Configuring numbered and named ACLs33. Enter the show access-list command to displ

118 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring numbered and named ACLs3NOTE The command prompt changes after you ente

Multi-Service IronWare Security Configuration Guide 11953-1003035-02Configuring numbered and named ACLs3Brocade(config)#show access-list 99ACL configu

120 Multi-Service IronWare Security Configuration Guide53-1003035-02Simultaneous per VLAN rate limit and QoS3This shall not affect CAM occupation, tha

Multi-Service IronWare Security Configuration Guide 12153-1003035-02Modifying ACLs3Modifying ACLsWhen you configure any ACL, a sequence number is assi

xiv Multi-Service IronWare Security Configuration Guide53-1003035-02In this chapterSupported hardware and softwareThe following hardware platforms are

122 Multi-Service IronWare Security Configuration Guide53-1003035-02Modifying ACLs3Modify an ACL by configuring an ACL list on a file server.1. Use a

Multi-Service IronWare Security Configuration Guide 12353-1003035-02Modifying ACLs3Adding or deleting a comment You can add or delete comments to an I

124 Multi-Service IronWare Security Configuration Guide53-1003035-02Modifying ACLs3Complete the syntax by specifying any options you want for the ACL

Multi-Service IronWare Security Configuration Guide 12553-1003035-02Applying ACLs to interfaces3Enter deny to deny the specified traffic or permit to

126 Multi-Service IronWare Security Configuration Guide53-1003035-02Applying ACLs to interfaces3Brocade(config)# vlan 10 name IP-subnet-vlanBrocade(co

Multi-Service IronWare Security Configuration Guide 12753-1003035-02Enabling ACL duplication check3mac access-list SampleACL permit any any 10 etype a

128 Multi-Service IronWare Security Configuration Guide53-1003035-02Enabling ACL conflict check3Syntax: [no] acl-duplication-checkEnabling ACL conflic

Multi-Service IronWare Security Configuration Guide 12953-1003035-02Enabling ACL filtering of fragmented or non-fragmented packets3Named ACLsBrocade(c

130 Multi-Service IronWare Security Configuration Guide53-1003035-02Enabling ACL filtering of fragmented or non-fragmented packets3This can be a parti

Multi-Service IronWare Security Configuration Guide 13153-1003035-02Enabling ACL filtering of fragmented or non-fragmented packets3ACL entries with La

Multi-Service IronWare Security Configuration Guide xv53-1003035-02In this chapterDocument conventionsThis section describes text formatting conventio

132 Multi-Service IronWare Security Configuration Guide53-1003035-02Enabling ACL filtering of fragmented or non-fragmented packets3Configuring the con

Multi-Service IronWare Security Configuration Guide 13353-1003035-02Enabling ACL filtering of fragmented or non-fragmented packets3Non-fragmented pack

134 Multi-Service IronWare Security Configuration Guide53-1003035-02Enabling ACL filtering of fragmented or non-fragmented packets3Brocade(config-if-e

Multi-Service IronWare Security Configuration Guide 13553-1003035-02ACL filtering for traffic switched within a virtual routing interface3Behavior In

136 Multi-Service IronWare Security Configuration Guide53-1003035-02Filtering and priority manipulation based on 802.1p priority3• 4 – qosp4• 5 – qosp

Multi-Service IronWare Security Configuration Guide 13753-1003035-02ICMP filtering for extended ACLs3Brocade(config)# access-list 100 permit udp 10.1.

138 Multi-Service IronWare Security Configuration Guide53-1003035-02ICMP filtering for extended ACLs3The acl-name | acl-num parameter allows you to sp

Multi-Service IronWare Security Configuration Guide 13953-1003035-02Binding IPv4 inbound ACLs to a management port3Binding IPv4 inbound ACLs to a mana

140 Multi-Service IronWare Security Configuration Guide53-1003035-02IP broadcast ACL3NOTEFor IPv4 inbound ACL applied to management port, the user can

Multi-Service IronWare Security Configuration Guide 14153-1003035-02IP broadcast ACL3• For LAG ports, all ports within the LAG are required to have th

xvi Multi-Service IronWare Security Configuration Guide53-1003035-02In this chapterNotice to the readerThis document may contain references to the tra

142 Multi-Service IronWare Security Configuration Guide53-1003035-02IP broadcast ACL3The no option is used to disable filtering of directed broadcast

Multi-Service IronWare Security Configuration Guide 14353-1003035-02IP broadcast ACL3Brocade(config-if-e1000-4/1)# show access-list subnet-broadcast a

144 Multi-Service IronWare Security Configuration Guide53-1003035-02IP broadcast ACL CAM3Syntax: show access-list subnet-broadcast accounting globalTa

Multi-Service IronWare Security Configuration Guide 14553-1003035-02IP broadcast ACL CAM3NOTEHitless upgrade support for the IP broadcast ACL CAM entr

146 Multi-Service IronWare Security Configuration Guide53-1003035-02IP receive ACLs3Rebinding of IP broadcast ACL CAM entriesTo rebind IP broadcast AC

Multi-Service IronWare Security Configuration Guide 14753-1003035-02IP receive ACLs3• deny icmp host 10.1.1.1 host 10.2.2.2• deny icmp host 10.1.1.1 h

148 Multi-Service IronWare Security Configuration Guide53-1003035-02IP receive ACLs3NOTEAn implicit deny ip any any will be programmed at the end, aft

Multi-Service IronWare Security Configuration Guide 14953-1003035-02IP receive ACLs3Syntax: [no] ip receive access-list {acl-num | acl-name} sequence

150 Multi-Service IronWare Security Configuration Guide53-1003035-02IP receive ACLs3NOTES: The following limitations apply when the number variable ha

Multi-Service IronWare Security Configuration Guide 15153-1003035-02IP receive ACLs3Displaying accounting information for rACL To display rACL account

Multi-Service IronWare Security Configuration Guide xvii53-1003035-02In this chapterGetting technical help or reporting errorsTo contact Technical Sup

152 Multi-Service IronWare Security Configuration Guide53-1003035-02ACL CAM sharing for inbound ACLs for IPv4 ACLs (Brocade NetIron XMR and Brocade ML

Multi-Service IronWare Security Configuration Guide 15353-1003035-02Matching on TCP header flags for IPv4 ACLs3Matching on TCP header flags for IPv4 A

154 Multi-Service IronWare Security Configuration Guide53-1003035-02ACL deny logging3• On Brocade NetIron CES and Brocade NetIron CER devices, ACL Den

Multi-Service IronWare Security Configuration Guide 15553-1003035-02ACL deny logging3Configuring ACL deny logging for IPv4 ACLsConfiguring ACL Deny Lo

156 Multi-Service IronWare Security Configuration Guide53-1003035-02ACL deny logging3NOTEUsing this command, ACL logging can be enabled and disabled d

Multi-Service IronWare Security Configuration Guide 15753-1003035-02ACL accounting3Log exampleThe following examples display typical log entries where

158 Multi-Service IronWare Security Configuration Guide53-1003035-02ACL accounting3ACL accounting on Brocade NetIron CES and Brocade NetIron CER devic

Multi-Service IronWare Security Configuration Guide 15953-1003035-02ACL accounting3ACL deny logging and ACL accountingOn Brocade NetIron CES and Broca

160 Multi-Service IronWare Security Configuration Guide53-1003035-02ACL accounting3Displaying statistics for an interfaceTo display statistics for an

Multi-Service IronWare Security Configuration Guide 16153-1003035-02Commands3The policy-based-routing parameter limits the display to policy-based rou

xviii Multi-Service IronWare Security Configuration Guide53-1003035-02In this chapter

162 Multi-Service IronWare Security Configuration Guide53-1003035-02clear access-list receive accounting3clear access-list receive accountingClears IP

Multi-Service IronWare Security Configuration Guide 16353-1003035-02ip receive access-list3ip receive access-listConfigures an IPv4 access-control lis

164 Multi-Service IronWare Security Configuration Guide53-1003035-02ip receive access-list3HistoryRelatedCommandsclear access-list receive accounting

Multi-Service IronWare Security Configuration Guide 16553-1003035-02ip receive deactivate-acl-all3ip receive deactivate-acl-allDeactivates the IPv4 re

166 Multi-Service IronWare Security Configuration Guide53-1003035-02ip receive delete-acl-all3ip receive delete-acl-allDeletes IPv4 receive access-con

Multi-Service IronWare Security Configuration Guide 16753-1003035-02ip receive rebind-acl-all3ip receive rebind-acl-allRebinds an IPv4 receive access-

168 Multi-Service IronWare Security Configuration Guide53-1003035-02show access-list bindings3show access-list bindingsDisplays all IPv4 access-lists

Multi-Service IronWare Security Configuration Guide 16953-1003035-02show access-list receive accounting3show access-list receive accounting Displays a

170 Multi-Service IronWare Security Configuration Guide53-1003035-02suppress-acl-seq3suppress-acl-seqHides or suppresses the display and storage of se

Multi-Service IronWare Security Configuration Guide 17153-1003035-02Chapter4Configuring an IPv6 Access Control ListTable 24 displays the individual Br

Multi-Service IronWare Security Configuration Guide 153-1003035-02Chapter1Securing Access to Management FunctionsTable 2 displays the individual Broca

172 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring an IPv6 Access Control List4Brocade devices support IPv6 access contro

Multi-Service IronWare Security Configuration Guide 17353-1003035-02Configuring an IPv6 Access Control List4IPv6 ACLs also support the filtering of pa

174 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring an IPv6 Access Control List4• Remove the IPv6 outbound ACL from a VPLS

Multi-Service IronWare Security Configuration Guide 17553-1003035-02Configuring an IPv6 Access Control List4The following example displays show access

176 Multi-Service IronWare Security Configuration Guide53-1003035-02Using IPv6 ACLs as input to other features4 remark-entry sequence 7 permit all ip

Multi-Service IronWare Security Configuration Guide 17753-1003035-02Configuring an IPv6 ACL4• Control access to and from a Brocade device.Example conf

178 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring an IPv6 ACL4The first condition in this ACL denies TCP traffic from th

Multi-Service IronWare Security Configuration Guide 17953-1003035-02Configuring an IPv6 ACL4Brocade(config)#access-list 101 deny ipv6 any anyIn the ab

180 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring an IPv6 ACL4The first permit statement permits ICMP traffic from hosts

Multi-Service IronWare Security Configuration Guide 18153-1003035-02Configuring an IPv6 ACL4Deleting an IPv6 ACL entryYou can delete an ACL filter rul

Copyright © 2013 Brocade Communications Systems, Inc. All Rights Reserved.ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, I

2 Multi-Service IronWare Security Configuration Guide53-1003035-02Securing Access to Management Functions1By default, the Brocade devices have all man

182 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring an IPv6 ACL4TABLE 25 Syntax descriptionsIPv6 ACL arguments Description

Multi-Service IronWare Security Configuration Guide 18353-1003035-02Configuring an IPv6 ACL4source-ipv6_address The host source-ipv6-address parameter

184 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring an IPv6 ACL4For ICMPSyntax: [no] ipv6 access-list acl nameSyntax: [no]

Multi-Service IronWare Security Configuration Guide 18553-1003035-02Configuring an IPv6 ACL4The icmp protocol indicates the you are filtering ICMP pac

186 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring an IPv6 ACL4NOTERefer to “Configuration considerations for IPv6 ACL an

Multi-Service IronWare Security Configuration Guide 18753-1003035-02Configuring an IPv6 ACL4any When specified instead of the ipv6-source-prefix/pref

188 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring an IPv6 ACL4For TCPSyntax: [no] ipv6 access-list acl nameSyntax: [no]

Multi-Service IronWare Security Configuration Guide 18953-1003035-02Configuring an IPv6 ACL4TABLE 27 Syntax descriptions IPv6 ACL arguments Descriptio

190 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring an IPv6 ACL4source-ipv6_address The host source-ipv6-address parameter

Multi-Service IronWare Security Configuration Guide 19153-1003035-02Configuring an IPv6 ACL4 tcp-udp-operator The tcp-udp-operator parameter can be on

Multi-Service IronWare Security Configuration Guide 353-1003035-02Securing access methods1NOTEFor the Brocade devices, RADIUS Challenge is supported f

192 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring an IPv6 ACL4NOTERefer to “Configuration considerations for IPv6 ACL an

Multi-Service IronWare Security Configuration Guide 19353-1003035-02Configuring an IPv6 ACL4TABLE 28 Syntax descriptions (Continued)IPv6 ACL arguments

194 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring an IPv6 ACL4host Allows you specify a host IPv6 address. When you use

Multi-Service IronWare Security Configuration Guide 19553-1003035-02Configuring an IPv6 ACL4Filtering packets based on DSCP valuesTo filter packets ba

196 Multi-Service IronWare Security Configuration Guide53-1003035-02Extended IPv6 ACLs4Syntax: [no] ipv6 access-list name deny | permitrouting-header-

Multi-Service IronWare Security Configuration Guide 19753-1003035-02Extended IPv6 ACLs4• The following actions are available for the ingress ACL:- Per

198 Multi-Service IronWare Security Configuration Guide53-1003035-02Extended IPv6 ACLs4Syntax: [no] [sequence num] permit | deny protocolipv6-source-p

Multi-Service IronWare Security Configuration Guide 19953-1003035-02Extended IPv6 ACLs4• dscp – Applies to packets that match the traffic class value

200 Multi-Service IronWare Security Configuration Guide53-1003035-02Extended IPv6 ACLs4Syntax: [no] [sequence num] permit | deny [ vlan vlan-id] icmp

Multi-Service IronWare Security Configuration Guide 20153-1003035-02Extended IPv6 ACLs4• port-unreachable• reassembly-timeout• renum-command• renum-re

4 Multi-Service IronWare Security Configuration Guide53-1003035-02Securing access methods1Secure Shell (SSH) accessFor more information on SSH, refer

202 Multi-Service IronWare Security Configuration Guide53-1003035-02Extended IPv6 ACLs4The tcp-udp-operator parameter can be one of the following:• eq

Multi-Service IronWare Security Configuration Guide 20353-1003035-02Extended IPv6 ACLs4Syntax: regenerate-seq-num [num]The udp protocol indicates the

204 Multi-Service IronWare Security Configuration Guide53-1003035-02Extended IPv6 ACLs4Configuration considerations for Layer 2 IPv6 ACLsNOTEThis feat

Multi-Service IronWare Security Configuration Guide 20553-1003035-02Displaying IPv6 ACL definitions4NOTEThis example has accounting enabled, which is

206 Multi-Service IronWare Security Configuration Guide53-1003035-02CAM partitioning4ipv6 access-list rtr: 3 entries 10: permit ipv6 host 3000::2 any

Multi-Service IronWare Security Configuration Guide 20753-1003035-02Applying an IPv6 ACL4Brocade(config)# interface ethernet 3/1Brocade(config-if-e100

208 Multi-Service IronWare Security Configuration Guide53-1003035-02Applying an IPv6 ACL4When an IPv6 VRF is dynamically configured on an interface po

Multi-Service IronWare Security Configuration Guide 20953-1003035-02Adding a comment to an IPv6 ACL entry4Adding a comment to an IPv6 ACL entryYou can

210 Multi-Service IronWare Security Configuration Guide53-1003035-02Adding a comment to an IPv6 ACL entry4• Once the default remark gets associated wi

Multi-Service IronWare Security Configuration Guide 21153-1003035-02ACL CAM sharing for inbound IPv6 ACLs4The following example shows the comment text

Multi-Service IronWare Security Configuration Guide 553-1003035-02Securing access methods1SNMP (Brocade Network Advisor) accessSNMP read or read-write

212 Multi-Service IronWare Security Configuration Guide53-1003035-02Filtering and priority manipulation based on 802.1p priority4• This feature cannot

Multi-Service IronWare Security Configuration Guide 21353-1003035-02ACL accounting4ACL accountingMulti-Service devices monitor the number of times an

214 Multi-Service IronWare Security Configuration Guide53-1003035-02ACL accounting4• You can enable ACL accounting at the filter level by adding an en

Multi-Service IronWare Security Configuration Guide 21553-1003035-02ACL accounting4Displaying statistics for IPv6 ACL accountingTo display statistics

216 Multi-Service IronWare Security Configuration Guide53-1003035-02ACL accounting4Table 31 describes the output parameters of the show ipv6 access-li

Multi-Service IronWare Security Configuration Guide 21753-1003035-02IPv6 receive ACLs4IPv6 receive ACLsThis section discusses the following topics:•IP

218 Multi-Service IronWare Security Configuration Guide53-1003035-02IPv6 receive ACLs4• After an upgrade to Multi-Service IronWare R05.6.00, the sub-p

Multi-Service IronWare Security Configuration Guide 21953-1003035-02IPv6 receive ACLs4NOTEYou must write this command to memory and perform a system r

220 Multi-Service IronWare Security Configuration Guide53-1003035-02IPv6 receive ACLs4NOTETable 32 shows the maximum supported IPv6 rACL entries for a

Multi-Service IronWare Security Configuration Guide 22153-1003035-02IPv6 receive ACLs4Brocade(config)# system-max ipv6-receive-cam 1024 Reload requir

6 Multi-Service IronWare Security Configuration Guide53-1003035-02Restricting remote access to management functions1Restricting remote access to manag

222 Multi-Service IronWare Security Configuration Guide53-1003035-02IPv6 receive ACLs4Creating a policy-mapTo create a policy map “m1” to rate-limit t

Multi-Service IronWare Security Configuration Guide 22353-1003035-02IPv6 receive ACLs4Brocade(config)# show ipv6 access-list bindings!ipv6 receive acc

224 Multi-Service IronWare Security Configuration Guide53-1003035-02IPv6 receive ACLs4Brocade(config-ipv6-access-list b1)# permit ipv6 any anyBrocade(

Multi-Service IronWare Security Configuration Guide 22553-1003035-02IPv6 receive ACLs4SYSLOG: <14>Jun 6 10:38:14 FWD14 IPv6-rACL: Activated by

226 Multi-Service IronWare Security Configuration Guide53-1003035-02Commands4Syntax: clear ipv6 access-list receive ( all | name acl-name }The all par

Multi-Service IronWare Security Configuration Guide 22753-1003035-02clear ipv6 access-list receive4clear ipv6 access-list receiveClears IPv6 receive a

228 Multi-Service IronWare Security Configuration Guide53-1003035-02ipv6 receive access-list4ipv6 receive access-listConfigures an IPv6 access-control

Multi-Service IronWare Security Configuration Guide 22953-1003035-02ipv6 receive access-list4HistoryRelatedCommandsclear ipv6 access-list receiveipv6

230 Multi-Service IronWare Security Configuration Guide53-1003035-02ipv6 receive deactivate-acl-all4ipv6 receive deactivate-acl-allDeactivates the IPv

Multi-Service IronWare Security Configuration Guide 23153-1003035-02ipv6 receive delete-acl-all4ipv6 receive delete-acl-allDeletes IPv6 receive access

Multi-Service IronWare Security Configuration Guide 753-1003035-02Restricting remote access to management functions1Using an ACL to restrict Telnet ac

232 Multi-Service IronWare Security Configuration Guide53-1003035-02ipv6 receive rebind-acl-all4ipv6 receive rebind-acl-allRebinds an IPv6 receive acc

Multi-Service IronWare Security Configuration Guide 23353-1003035-02show ipv6 access-list bindings4show ipv6 access-list bindingsDisplays all IPv6 acc

234 Multi-Service IronWare Security Configuration Guide53-1003035-02show ipv6 access-list receive accounting4show ipv6 access-list receive accounting

Multi-Service IronWare Security Configuration Guide 23553-1003035-02show ipv6 access-list receive accounting4system-max ipv6-receive-cam

236 Multi-Service IronWare Security Configuration Guide53-1003035-02system-max ipv6-receive-cam4system-max ipv6-receive-camConfigures the number of IP

Multi-Service IronWare Security Configuration Guide 23753-1003035-02Chapter5Configuring Secure Shell and Secure CopyTable 33 displays the individual d

238 Multi-Service IronWare Security Configuration Guide53-1003035-02SSH server version 2 support5Secure Shell (SSH) server is a mechanism for allowing

Multi-Service IronWare Security Configuration Guide 23953-1003035-02SSH server version 2 support5• SSH server Protocol Assigned Numbers• SSH server Tr

240 Multi-Service IronWare Security Configuration Guide53-1003035-02SSH server version 2 support5• Data integrity is ensured with the hmac-sha1 algori

Multi-Service IronWare Security Configuration Guide 24153-1003035-02SSH server version 2 support5Syntax: show ip ssh configTable 34 shows the output i

8 Multi-Service IronWare Security Configuration Guide53-1003035-02Restricting remote access to management functions1The ipv6-acl-name variable specifi

242 Multi-Service IronWare Security Configuration Guide53-1003035-02SSH server version 2 support5TABLE 34 show ip ssh config command output informatio

Multi-Service IronWare Security Configuration Guide 24353-1003035-02SSH server version 2 support5The host DSA key pair is stored in the device’s syste

244 Multi-Service IronWare Security Configuration Guide53-1003035-02SSH server version 2 support5Enabling and disabling SSH server by generating and d

Multi-Service IronWare Security Configuration Guide 24553-1003035-02SSH server version 2 support5Deleting DSA and RSA key pairsTo delete DSA and RSA k

246 Multi-Service IronWare Security Configuration Guide53-1003035-02SSH server version 2 support5Collect one public key of each key type (DSA and/or R

Multi-Service IronWare Security Configuration Guide 24753-1003035-02SSH server version 2 support5Configuring DSA public key authenticationWith DSA pub

248 Multi-Service IronWare Security Configuration Guide53-1003035-02SSH server version 2 support5NOTEWhen one public-key file already exists, download

Multi-Service IronWare Security Configuration Guide 24953-1003035-02SSH server version 2 support5Setting optional parametersYou can adjust the followi

250 Multi-Service IronWare Security Configuration Guide53-1003035-02SSH server version 2 support5The default is “yes”.Enabling empty password loginsBy

Multi-Service IronWare Security Configuration Guide 25153-1003035-02SSH server version 2 support5Designating an interface as the source for all SSH se

Multi-Service IronWare Security Configuration Guide 953-1003035-02Restricting remote access to management functions1Using ACLs to restrict SNMP access

252 Multi-Service IronWare Security Configuration Guide53-1003035-02SSH server version 2 support5Filtering SSH server access using ACLsYou can permit

Multi-Service IronWare Security Configuration Guide 25353-1003035-02SSH server version 2 support5Syntax: show ip ssh [| begin expression | exclude exp

254 Multi-Service IronWare Security Configuration Guide53-1003035-02SSH server version 2 support5The show who command also displays information about

Multi-Service IronWare Security Configuration Guide 25553-1003035-02SSH server version 2 support5• Public Key authentication• Message Authentication C

256 Multi-Service IronWare Security Configuration Guide53-1003035-02SSH server version 2 support5To delete the RSA host key pair, enter the following

Multi-Service IronWare Security Configuration Guide 25753-1003035-02SSH server version 2 support5To start an SSH2 client connection to an SSH2 server

258 Multi-Service IronWare Security Configuration Guide53-1003035-02Using Secure Copy5Using Secure CopySecure Copy (SCP) uses security built into SSH

Multi-Service IronWare Security Configuration Guide 25953-1003035-02Using Secure Copy5To copy and append a configuration file (c:\cfg\brocadehp.cfg) t

260 Multi-Service IronWare Security Configuration Guide53-1003035-02Using Secure Copy5Secure Copy Feature for Brocade NetIron XMRThe following encrypt

Multi-Service IronWare Security Configuration Guide 26153-1003035-02Using Secure Copy5Syntax: scp file-name user@IP Address:Destination:file-name[:add

10 Multi-Service IronWare Security Configuration Guide53-1003035-02Restricting remote access to management functions1Possible values: 0 – 240 minutesD

262 Multi-Service IronWare Security Configuration Guide53-1003035-02Using Secure Copy5• cspf-group• bypass-lsp For backward compatibility, the followi

Multi-Service IronWare Security Configuration Guide 26353-1003035-02Using Secure Copy5This command downloads image-file and replaces the mbridge image

264 Multi-Service IronWare Security Configuration Guide53-1003035-02Using Secure Copy5To download and over-write the LP secondary image on one LP or a

Multi-Service IronWare Security Configuration Guide 26553-1003035-02Using Secure Copy5To download and over-write PBIF FPGA image, enter the following

266 Multi-Service IronWare Security Configuration Guide53-1003035-02Using Secure Copy5NOTEIf force-overwrite is present in the command, the command sk

Multi-Service IronWare Security Configuration Guide 26753-1003035-02Using Secure Copy5Delete old file first optionNOTEThe delete file first option onl

268 Multi-Service IronWare Security Configuration Guide53-1003035-02Using Secure Copy5

Multi-Service IronWare Security Configuration Guide 26953-1003035-02Chapter6Configuring Multi-Device Port AuthenticationTable 37 displays the individu

270 Multi-Service IronWare Security Configuration Guide53-1003035-02How multi-device port authentication works6How multi-device port authentication wo

Multi-Service IronWare Security Configuration Guide 27153-1003035-02How multi-device port authentication works6Supported RADIUS attributesThe Brocade

Multi-Service IronWare Security Configuration Guide 1153-1003035-02Restricting remote access to management functions1Restricting Web management access

272 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring multi-device port authentication6Support for multi-device port authent

Multi-Service IronWare Security Configuration Guide 27353-1003035-02Configuring multi-device port authentication6Configuring an authentication method

274 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring multi-device port authentication6• Vendor-Specific Attributes (26) – R

Multi-Service IronWare Security Configuration Guide 27553-1003035-02Configuring multi-device port authentication6Brocade(config)# interface e 3/1Broca

276 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring multi-device port authentication6If a previous authentication attempt

Multi-Service IronWare Security Configuration Guide 27753-1003035-02Configuring multi-device port authentication6You can optionally specify an alterna

278 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring multi-device port authentication6Syntax: mac-authentication clear-mac-

Multi-Service IronWare Security Configuration Guide 27953-1003035-02Displaying multi-device port authentication information6To change the length of th

280 Multi-Service IronWare Security Configuration Guide53-1003035-02Displaying multi-device port authentication information6Displaying multi-device po

Multi-Service IronWare Security Configuration Guide 28153-1003035-02Displaying multi-device port authentication information6Syntax: show auth-mac-addr

Multi-Service IronWare Security Configuration Guide iii53-1003035-02ContentsAbout This DocumentIn this chapter . . . . . . . . . . . . . . . . . . . .

12 Multi-Service IronWare Security Configuration Guide53-1003035-02Restricting remote access to management functions1Specifying the maximum login atte

282 Multi-Service IronWare Security Configuration Guide53-1003035-02Displaying multi-device port authentication information6Syntax: show auth-mac-addr

Multi-Service IronWare Security Configuration Guide 28353-1003035-02Displaying multi-device port authentication information6Displaying the authenticat

284 Multi-Service IronWare Security Configuration Guide53-1003035-02Displaying multi-device port authentication information6

Multi-Service IronWare Security Configuration Guide 28553-1003035-02Chapter7Using the MAC Port Security FeatureTable 42 displays the individual Brocad

286 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring the MAC port security feature7The secure MAC addresses are not flushed

Multi-Service IronWare Security Configuration Guide 28753-1003035-02Configuring the MAC port security feature7Enabling the MAC port security featureBy

288 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring the MAC port security feature7To set the port security age timer to 10

Multi-Service IronWare Security Configuration Guide 28953-1003035-02Configuring the MAC port security feature7You can configure the delete-dynamic-lea

290 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring the MAC port security feature7Denying MAC addresses globally To deny a

Multi-Service IronWare Security Configuration Guide 29153-1003035-02Configuring the MAC port security feature7In addition to the new processing of pac

Multi-Service IronWare Security Configuration Guide 1353-1003035-02Restricting remote access to management functions1Restricting Web management access

292 Multi-Service IronWare Security Configuration Guide53-1003035-02Displaying port security information7 Displaying port security information You can

Multi-Service IronWare Security Configuration Guide 29353-1003035-02Displaying port security information7Displaying the secure MAC addresses on the de

294 Multi-Service IronWare Security Configuration Guide53-1003035-02Displaying port security information7Brocade# show port security statistics 7Modul

Multi-Service IronWare Security Configuration Guide 29553-1003035-02Chapter8Configuring 802.1x Port Security Table 47 displays the individual devices

296 Multi-Service IronWare Security Configuration Guide53-1003035-02Overview of 802.1x port security8Overview of 802.1x port security The Multi-Servic

Multi-Service IronWare Security Configuration Guide 29753-1003035-02How 802.1x port security works8How 802.1x port security worksThis section explains

298 Multi-Service IronWare Security Configuration Guide53-1003035-02How 802.1x port security works8Authentication server – The device that validates t

Multi-Service IronWare Security Configuration Guide 29953-1003035-02How 802.1x port security works8Supplicant PAE – The Supplicant PAE supplies inform

300 Multi-Service IronWare Security Configuration Guide53-1003035-02How 802.1x port security works8By default, all controlled ports on the device are

Multi-Service IronWare Security Configuration Guide 30153-1003035-02How 802.1x port security works8If a client does not support 802.1x, authentication

14 Multi-Service IronWare Security Configuration Guide53-1003035-02Restricting remote access to management functions1Enabling Telnet accessTelnet acce

302 Multi-Service IronWare Security Configuration Guide53-1003035-02How 802.1x port security works8By default, traffic from clients that cannot be aut

Multi-Service IronWare Security Configuration Guide 30353-1003035-02802.1x port security and sFlow8• If a client has been denied access to the network

304 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring 802.1x port security8NOTE Multi-Device Port Authentication and 802.1x

Multi-Service IronWare Security Configuration Guide 30553-1003035-02Configuring 802.1x port security8Supported RADIUS attributesMany IEEE 802.1x Authe

306 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring 802.1x port security8• If the Tunnel-Type or the Tunnel-Medium-Type at

Multi-Service IronWare Security Configuration Guide 30753-1003035-02Configuring 802.1x port security8When strict security mode is enabled:• If the Fil

308 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring 802.1x port security8Dynamically applying existing ACLs or MAC address

Multi-Service IronWare Security Configuration Guide 30953-1003035-02Configuring 802.1x port security8• Multiple IP ACLs and MAC address filters can be

310 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring 802.1x port security8Enabling 802.1x port security By default, 802.1x

Multi-Service IronWare Security Configuration Guide 31153-1003035-02Configuring 802.1x port security8When an interface’s control type is set to auto,

Multi-Service IronWare Security Configuration Guide 1553-1003035-02Restricting remote access to management functions1Syntax: [no] crypto-ssl certifica

312 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring 802.1x port security8The re-authentication interval is a global settin

Multi-Service IronWare Security Configuration Guide 31353-1003035-02Configuring 802.1x port security8Specifying the number of EAP-request or identity

314 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring 802.1x port security8Initializing 802.1x on a portTo initialize 802.1x

Multi-Service IronWare Security Configuration Guide 31553-1003035-02Displaying 802.1x information8Brocade(config-dot1x)# auth-fail-max-attempts 2Synta

316 Multi-Service IronWare Security Configuration Guide53-1003035-02Displaying 802.1x information8The following table describes the information displa

Multi-Service IronWare Security Configuration Guide 31753-1003035-02Displaying 802.1x information8To display information about the 802.1x configuratio

318 Multi-Service IronWare Security Configuration Guide53-1003035-02Displaying 802.1x information8Displaying 802.1x statisticsTo display 802.1x statis

Multi-Service IronWare Security Configuration Guide 31953-1003035-02Displaying 802.1x information8Clearing 802.1x statisticsYou can clear the 802.1x s

320 Multi-Service IronWare Security Configuration Guide53-1003035-02Displaying 802.1x information8Displaying dynamically assigned VLAN informationThe

Multi-Service IronWare Security Configuration Guide 32153-1003035-02Displaying 802.1x information8Port 1/1 MAC Address Filter information: 802.1x dyn

16 Multi-Service IronWare Security Configuration Guide53-1003035-02Setting passwords1Setting passwordsPasswords can be used to secure the following ac

322 Multi-Service IronWare Security Configuration Guide53-1003035-02Displaying 802.1x information8Displaying information about the dot1x-mac-sessions

Multi-Service IronWare Security Configuration Guide 32353-1003035-02Sample 802.1x configurations8Syntax: show dot1x mac-session brief [ | begin expres

324 Multi-Service IronWare Security Configuration Guide53-1003035-02Sample 802.1x configurations8The following commands configure the device in Figure

Multi-Service IronWare Security Configuration Guide 32553-1003035-02Sample 802.1x configurations8Hub configuration Figure 8 illustrates a configuratio

326 Multi-Service IronWare Security Configuration Guide53-1003035-02Sample 802.1x configurations8

Multi-Service IronWare Security Configuration Guide 32753-1003035-02Chapter9Protecting against Denial of Service AttacksTable 54 displays the individu

328 Multi-Service IronWare Security Configuration Guide53-1003035-02Protecting against smurf attacks9The attacker sends an ICMP echo request packet to

Multi-Service IronWare Security Configuration Guide 32953-1003035-02Protecting against smurf attacks9The burst-max value can be from 1 – 100000.The lo

330 Multi-Service IronWare Security Configuration Guide53-1003035-02Protecting against TCP SYN attacks9Multicast Router Discovery messages:• Multicast

Multi-Service IronWare Security Configuration Guide 33153-1003035-02Protecting against TCP SYN attacks9The number of incoming TCP SYN packets per seco

Multi-Service IronWare Security Configuration Guide 1753-1003035-02Setting passwords1Setting passwords for management privilege levelsYou can set one

332 Multi-Service IronWare Security Configuration Guide53-1003035-02Protecting against TCP SYN attacks9Protecting against a blind TCP reset attack usi

Multi-Service IronWare Security Configuration Guide 33353-1003035-02Protecting against TCP SYN attacks9The burst-max value can be from 1 – 100000.The

334 Multi-Service IronWare Security Configuration Guide53-1003035-02Displaying statistics from a DoS attack9Displaying statistics from a DoS attackYou

Multi-Service IronWare Security Configuration Guide 33553-1003035-02Chapter10Securing SNMP AccessTable 56 displays the individual Brocade devices and

336 Multi-Service IronWare Security Configuration Guide53-1003035-02Establishing SNMP community strings10• The default read-only community string is “

Multi-Service IronWare Security Configuration Guide 33753-1003035-02Using the User-Based Security model10Brocade(config)# snmp-s community myread ro v

338 Multi-Service IronWare Security Configuration Guide53-1003035-02Using the User-Based Security model10Configuring your NMSTo be able to use the SNM

Multi-Service IronWare Security Configuration Guide 33953-1003035-02Using the User-Based Security model10NOTESince the current implementation of SNMP

340 Multi-Service IronWare Security Configuration Guide53-1003035-02Using the User-Based Security model10The auth | noauth parameter determines whethe

Multi-Service IronWare Security Configuration Guide 34153-1003035-02Using the User-Based Security model10NOTEThe SNMP group to which the user account

18 Multi-Service IronWare Security Configuration Guide53-1003035-02Setting passwords1Syntax: enable super-user-password textSyntax: enable port-config

342 Multi-Service IronWare Security Configuration Guide53-1003035-02Using the User-Based Security model10The engine ID identifies the source or destin

Multi-Service IronWare Security Configuration Guide 34353-1003035-02Using the User-Based Security model10Interpreting varbinds in report packetsIf an

344 Multi-Service IronWare Security Configuration Guide53-1003035-02Defining SNMP views10Defining SNMP viewsSNMP views are named groups of MIB objects

Multi-Service IronWare Security Configuration Guide 34553-1003035-02SNMP v3 configuration examples10SNMP v3 configuration examplesThe examples below s

346 Multi-Service IronWare Security Configuration Guide53-1003035-02SNMP v3 configuration examples10

Multi-Service IronWare Administration Configuration Guide 34753-1003035-02AppendixAACL Editing and Sequence NumbersThis appendix presents functional i

348 Multi-Service IronWare Administration Configuration Guide53-1003035-02Sequence NumbersApermit 1.1.1.1 0.0.0.0permit 2.2.2.2 0.0.0.0permit 3.3.3.3

Multi-Service IronWare Administration Configuration Guide 34953-1003035-02Creating an ACL filterAInternal and User Specified With the ACL editing feat

350 Multi-Service IronWare Administration Configuration Guide53-1003035-02Re-generating ACL sequence numbersABrocade(config)#show access-list name v4_

Multi-Service IronWare Administration Configuration Guide 35153-1003035-02Backward compatibility with earlier releasesABrocade(config)# show access-li

Multi-Service IronWare Security Configuration Guide 1953-1003035-02Setting passwords1• configure – CONFIG level; for example, Brocade(config)# • inter

352 Multi-Service IronWare Administration Configuration Guide53-1003035-02Backward compatibility with earlier releasesAExtended IP access list 191 : 4

20 Multi-Service IronWare Security Configuration Guide53-1003035-02Setting up local user accounts1The enable password-display command enables display

Multi-Service IronWare Security Configuration Guide 2153-1003035-02Setting up local user accounts1If you configure local user accounts, you also need

iv Multi-Service IronWare Security Configuration Guide53-1003035-02Web interface login lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . .

22 Multi-Service IronWare Security Configuration Guide53-1003035-02Enabling strict password enforcement1NOTEYou must be logged on with Super User acce

Multi-Service IronWare Security Configuration Guide 2353-1003035-02Enabling strict password enforcement1Strict password rulesNOTEIf enable strict-pass

24 Multi-Service IronWare Security Configuration Guide53-1003035-02Enabling strict password enforcement1Also, if the user tries to configure a passwor

Multi-Service IronWare Security Configuration Guide 2553-1003035-02Enabling strict password enforcement1Syntax: [no] enable strict-password-enforcemen

26 Multi-Service IronWare Security Configuration Guide53-1003035-02Web interface login lockout1Requirement to accept the message of the dayIf a messag

Multi-Service IronWare Security Configuration Guide 2753-1003035-02Configuring SSL security for the Web Management Interface1The first instance of the

28 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring TACACS or TACACS+ security1Importing digital certificates and RSA priva

Multi-Service IronWare Security Configuration Guide 2953-1003035-02Configuring TACACS or TACACS+ security1• Web management access• Access to the Privi

30 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring TACACS or TACACS+ security1TACACS authenticationNOTEAlso, multiple chal

Multi-Service IronWare Security Configuration Guide 3153-1003035-02Configuring TACACS or TACACS+ security11. A user logs into the Brocade device using

Multi-Service IronWare Security Configuration Guide v53-1003035-02Configuring AAA authentication-method lists for login . . . . . . . . . . . . . . .

32 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring TACACS or TACACS+ security1User action Applicable AAA operationsUser at

Multi-Service IronWare Security Configuration Guide 3353-1003035-02Configuring TACACS or TACACS+ security1AAA Security for commands pasted Into the ru

34 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring TACACS or TACACS+ security15. Optionally configure TACACS+ authorizatio

Multi-Service IronWare Security Configuration Guide 3553-1003035-02Configuring TACACS or TACACS+ security1NOTEIf you erase a tacacs-server command (by

36 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring TACACS or TACACS+ security1• 0 = the key string is not encrypted and is

Multi-Service IronWare Security Configuration Guide 3753-1003035-02Configuring TACACS or TACACS+ security1NOTEEncryption of the TACACS+ keys is done b

38 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring TACACS or TACACS+ security1The commands above cause TACACS or TACACS+ t

Multi-Service IronWare Security Configuration Guide 3953-1003035-02Configuring TACACS or TACACS+ security1NOTEAfter successful key-authentication, the

40 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring TACACS or TACACS+ security1• If the next method in the authentication m

Multi-Service IronWare Security Configuration Guide 4153-1003035-02Configuring TACACS or TACACS+ security1To set a user’s privilege level, you can con

vi Multi-Service IronWare Security Configuration Guide53-1003035-02Chapter 3 Access Control ListHow the Brocade device processes ACLs . . . . . . . .

42 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring TACACS or TACACS+ security1Example user=bob { default service = permi

Multi-Service IronWare Security Configuration Guide 4353-1003035-02Configuring TACACS or TACACS+ security1Configuring TACACS+ accountingThe Brocade de

44 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring TACACS or TACACS+ security1Syntax: [no] aaa accounting system default s

Multi-Service IronWare Security Configuration Guide 4553-1003035-02Configuring TACACS or TACACS+ security1Displaying TACACS or TACACS+ statistics and

46 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring TACACS or TACACS+ security1The show web command displays the privilege

Multi-Service IronWare Security Configuration Guide 4753-1003035-02Configuring TACACS or TACACS+ security1Following table lists all possible error con

48 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring TACACS or TACACS+ security1Validating TACACS+ accounting replyThe TACAC

Multi-Service IronWare Security Configuration Guide 4953-1003035-02Configuring RADIUS security1Configuring RADIUS securityYou can use a Remote Authent

50 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring RADIUS security11. A user triggers RADIUS authentication by doing one o

Multi-Service IronWare Security Configuration Guide 5153-1003035-02Configuring RADIUS security1Telnet - 08-25-2010 -- 11:20:18 This is the message o

Multi-Service IronWare Security Configuration Guide vii53-1003035-02IP broadcast ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

52 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring RADIUS security1• A system event occurs, such as a reboot or reloading

Multi-Service IronWare Security Configuration Guide 5353-1003035-02Configuring RADIUS security1AAA security for commands pasted into the running confi

54 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring RADIUS security1• When a radius-server host is configured, a status-ser

Multi-Service IronWare Security Configuration Guide 5553-1003035-02Configuring RADIUS security1Configuring Brocade-specific attributes on the RADIUS s

56 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring RADIUS security1foundry-access-list 5 string Specifies the access contr

Multi-Service IronWare Security Configuration Guide 5753-1003035-02Configuring RADIUS security1Enabling SNMP traps for RADIUS To enable SNMP traps for

58 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring RADIUS security1The acct-port number parameter specifies what port to u

Multi-Service IronWare Security Configuration Guide 5953-1003035-02Configuring RADIUS security1Global radius configurationThe following global configu

60 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring RADIUS security1Setting the RADIUS keyThe key parameter in the radius-s

Multi-Service IronWare Security Configuration Guide 6153-1003035-02Configuring RADIUS security1Within the authentication-method list, RADIUS is specif

viii Multi-Service IronWare Security Configuration Guide53-1003035-02Extended IPv6 ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

62 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring RADIUS security1To configure the Brocade device to prompt only for a pa

Multi-Service IronWare Security Configuration Guide 6353-1003035-02Configuring RADIUS security1You enable RADIUS command authorization by specifying a

64 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring RADIUS security1Configuring RADIUS accountingThe Brocade devices suppor

Multi-Service IronWare Security Configuration Guide 6553-1003035-02Configuring RADIUS security1Syntax: [no] aaa accounting system default start-stop r

66 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring RADIUS security1Configuring an IPv6 interface as the source for all RAD

Multi-Service IronWare Security Configuration Guide 6753-1003035-02Configuring AAA on the console1Syntax: show aaaThe following table describes the RA

68 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring AAA authentication-method lists for login13. Enter “exit” to display th

Multi-Service IronWare Security Configuration Guide 6953-1003035-02Configuring authentication-method lists1The none option eliminates the requirement

70 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring authentication-method lists1NOTEIf a user cannot be authenticated using

Multi-Service IronWare Security Configuration Guide 7153-1003035-02Configuring authentication-method lists1To configure an authentication-method list

Multi-Service IronWare Security Configuration Guide ix53-1003035-02Chapter 5 Configuring Secure Shell and Secure CopySSH server version 2 support . .

72 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuring authentication-method lists1tacacs Authenticate using the database on a

Multi-Service IronWare Security Configuration Guide 7353-1003035-02Chapter2Layer 2 Access Control ListsTable 13 displays the individual devices and th

74 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuration rules and notes2Layer-2 Access Control Lists (ACLs) filter incoming t

Multi-Service IronWare Security Configuration Guide 7553-1003035-02Configuration rules and notes2• You can bind multiple rate limiting policies to a s

76 Multi-Service IronWare Security Configuration Guide53-1003035-02Configuration rules and notes2There can be up to 500 named L2 ACLs. The maximum len

Multi-Service IronWare Security Configuration Guide 7753-1003035-02Creating a numbered Layer-2 ACL table2Creating a numbered Layer-2 ACL tableYou crea

78 Multi-Service IronWare Security Configuration Guide53-1003035-02Creating a numbered Layer-2 ACL table2In the above example, the first ACL entry wil

Multi-Service IronWare Security Configuration Guide 7953-1003035-02Creating a numbered Layer-2 ACL table2Deleting a numbered Layer-2 ACL entryYou can

80 Multi-Service IronWare Security Configuration Guide53-1003035-02Creating a numbered Layer-2 ACL table2The src-mac mask | any parameter specifies th

Multi-Service IronWare Security Configuration Guide 8153-1003035-02Creating a numbered Layer-2 ACL table2The priority option assigns outgoing traffic