ACL overview | Brocade Communications Systems 6650 specification

ACL overview

TABLE 16 Supported ACL features on outbound traffic (Continued)

Feature	Brocade ICX 6650

Extended named and numbered	Yes
ACLs

User input preservation for ACL	Yes
TCP/UDP port numbers

ACL comment text	Yes

Strict control of ACL filtering of	Yes
fragmented packets

ACL support for switched traffic in	Yes
the router image	NOTE: This feature is enabled by
	NOTE: This feature is enabled by
	default for outbound ACLs
	on platforms that support
	outbound ACL support.
	There is no CLI command
	to enable or disable it.

Filtering on IP precedence and ToS	Yes
value

QoS options for IP ACLs	Yes

Hardware usage statistics	Yes

This chapter describes how Access Control Lists (ACLs) are implemented and configured in the Brocade devices.

NOTE

For information about IPv6 ACLs, refer to Chapter 4, “IPv6 ACLs”.

ACL overview

Brocade devices support rule-based ACLs (sometimes called hardware-based ACLs), where the decisions to permit or deny packets are processed in hardware and all permitted packets are switched or routed in hardware. All denied packets are also dropped in hardware. Brocade ICX 6650 support both inbound and outbound ACLs. The ACL features supported on inbound and outbound traffic are as listed in Table 15 and Table 16 respectively and discussed in more detail in the rest of this chapter.

Brocade ICX 6650 devices do not support flow-based ACLs.

Rule-based ACLs program the ACL entries you assign to an interface into Content Addressable Memory (CAM) space allocated for the ports. The ACLs are programmed into hardware at startup (or as new ACLs are entered and bound to ports). Devices that use rule-based ACLs program the ACLs into the CAM entries and use these entries to permit or deny packets in the hardware, without sending the packets to the CPU for processing.

Rule-based ACLs are supported on the following interface types:

•Gbps Ethernet ports

•10 Gbps Ethernet ports

•Trunk groups

82	Brocade ICX 6650 Security Configuration Guide
	53-1002601-01

Image 102

Brocade Communications Systems 6650 manual ACL overview Supported ACL features on outbound traffic

Contents

Brocade ICX Brocade Communications Systems, Incorporated Contents Brocade ICX 6650 Security Configuration Guide Chapter Brocade ICX 6650 Security Configuration Guide ACL-based rate limiting overview Types of ACL-based rate limiting Chapter 802.1X Port Security Ietf RFC support Local and global resources used for MAC port security MAC-based Vlan feature structureMAC port security overview MAC-based Vlan overview Authentication-failure actions How multi-device port authentication worksRadius authentication Supported Radius attributes Smurf attacks Avoiding being an intermediary in a Smurf attackAvoiding being a victim in a Smurf attack Displaying the port-based fixed rate limiting configuration Configuration notes for port-based fixed rate limitingConfiguring a port-based fixed rate limiting policy Configuration notes and feature limitations for DAI Broadcast, unknown Unicast, and Multicast rate limiting Configuration notes and feature limitationsConfiguring rate limiting for BUM traffic Viewing rate limits set on BUM trafficPage Audience Supported hardware and softwareBrocade ICX 6650 slot and port numbering How this document is organized Dhcp on Command syntax conventions Document conventionsText formatting Related publications Corporation Referenced Trademarks and Products Brocade resources Additional informationGetting technical help Other industry resources Document feedback Securing access methods Feature Brocade ICX Method is secured Remote access to management function restrictions ACL usage to restrict remote access Syntax telnet access-group num Using an ACL to restrict Telnet accessUsing an ACL to restrict SSH access Syntax ssh access-group num Using ACLs to restrict Snmp access Defining the console idle timeSyntax snmp-server community string ro rw num Remote access restrictions Restricting Telnet access to a specific IP addressRestricting SSH access to a specific IP address Restricting Telnet connection Restricting access to the device based on IP or MAC addressRestricting Snmp access to a specific IP address Restricting SSH connection Changing the login timeout period for Telnet sessions Defining the Telnet idle timeRestricting Http and Https connection Restricting Telnet access to a specific Vlan Syntax no telnet login-retries number Syntax no telnet server enable vlan vlan-id Restricting Snmp access to a specific VlanRestricting Tftp access to a specific Vlan Syntax no snmp-server enable vlan vlan-id Device management security Allowing SSHv2 access to the Brocade deviceSyntax no default-gateway ip-addr metric Syntax crypto key generate zeroize Disabling Telnet access Disabling specific access methodsAllowing Snmp access to the Brocade device Disabling Snmp access Syntax no tftp disable Passwords used to secure accessSetting a Telnet password Syntax no enable telnet password string Setting passwords for management privilege levels Passwords used to secure accessSyntax no telnet server suppress-reject-message Syntax enable read-only-password text Augmenting management privilege levels Enter boot system flash primary at the prompt Recovering from a lost passwordSpecifying a minimum password length After the console prompt reappears, assign a new password Local user accounts Enhancements to username and passwordSyntax enable password-min-length number-of-characters Number-of-characterscan be from Enabling enhanced user password combination requirements Syntax no enable strict-password-enforcement Syntax username name password Enter Enabling user password maskingEnabling user password aging Syntax no enable user password-masking Syntax no enable user password-aging Configuring password historyEnhanced login lockout Syntax no enable user password-history 1 Syntax username name enable Local user account configurationSetting passwords to expire Requirement to accept the message of the day Local user accounts with no passwords Local user accounts with unencrypted passwords Using the username user-stringcreate-password command Creating a password optionLocal accounts with encrypted passwords Syntax show users Tacacs and TACACS+ security Changing a local user passwordSyntax no username user-stringpassword password-string How TACACS+ differs from Tacacs TACACS/TACACS+ authentication, authorization, and accounting Kill console Syntax kill console all unit Tacacs authentication TACACS+ authentication TACACS+ authorization TACACS+ accounting AAA security for commands pasted into the running-config AAA operations for TACACS/TACACS+User action Applicable AAA operations TACACS/TACACS+ configuration considerations Configuring TacacsConfiguring TACACS+ Enabling Tacacs Identifying the TACACS/TACACS+ servers Setting optional Tacacs and TACACS+ parameters Specifying different servers for individual AAA functions Setting the TACACS+ key Setting the retransmission limitSetting the timeout parameter Method parameter Description Entering privileged Exec mode after a Telnet or SSH login Syntax aaa authentication login privilege-modeSyntax no aaa authentication enable implicit-user Syntax aaa authorization exec default tacacs+ none Configuring TACACS+ authorizationConfiguring Exec authorization Configuring an Attribute-Value pair on the TACACS+ server Foundry-privlvl = Configuring command authorization AAA support for console commands Configuring TACACS+ accounting for CLI commands TACACS+ accounting configurationConfiguring TACACS+ accounting for Telnet/SSH Shell access Syntax no enable aaa console Configuring TACACS+ accounting for system events Output of the show aaa command for TACACS/TACACS+ Radius authentication, authorization, and accountingRadius authentication Radius security Radius authorization Radius accounting AAA operations for Radius AAA operations for Radius Radius configuration considerations Radius security AAA operations for Radius Configuring Radius Brocade-specific attributes on the Radius server Port Configuration level Allows Attribute ID Data type Description Enabling Snmp to configure Radius Identifying the Radius server to the Brocade deviceAttribute name Attribute ID Data type Description Following shows an example configuration Radius server per port configuration notesRadius configuration example and command syntax Radius server per port Syntax use-radius-server ip-addr Radius server-to-ports configuration notesRadius server to individual ports mapping Host ip-addris an IPv4 address Syntax radius-server key 0 1 string Setting the Radius keyRadius parameters Syntax radius-server retransmit number Syntax radius-server timeout number Setting authentication-method lists for RadiusSetting Radius over IPv6 Syntax radius-server host ipv6 ipv6-host address Setting passwords for management privilege levels on Radius authorization Syntax aaa authorization exec default radius none Command authorization and accounting for console commands Configuring Radius accounting for Telnet/SSH Shell access Configuring Radius accounting for CLI commandsRadius accounting Displaying Radius configuration information Configuring Radius accounting for system events Output of the show aaa command for Radius Authentication-method lists Examples of authentication-method listsAuthentication-method lists Command Syntax Following is the command syntax for the preceding examplesExample User account configuration on TCP Flags edge port security Using TCP Flags in combination with other ACL features TCP Flags edge port security TCP Flags edge port security SSH2 and SCP SSH version 2 overview Tested SSH2 clients SSH2 supported featuresSSH2 unsupported features Key exchange methods are diffie-hellman-group1-sha1 SSH2 authentication types SSH2 authentication typesConfiguring SSH2 Configure DSA or RSA challenge-response authentication Setting the CPU priority for key generation Generating and deleting a DSA key pairGenerating and deleting an RSA key pair Providing the public key to clients Configuring DSA or RSA challenge-response authenticationDeleting DSA and RSA key pairs Syntax crypto key zeroize Importing authorized public keys into the Brocade device Begin SSH2 Public KEY Optional SSH parameters Enabling DSA or RSA challenge-response authenticationSyntax ip ssh key-authentication yes no Syntax clear public-key Syntax ip ssh authentication-retries number Setting the number of SSH authentication retriesDeactivating user authentication Syntax ip ssh password-authentication no yes Setting the SSH login timeout value Enabling empty password loginsSetting the SSH port number Configuring the maximum idle time for SSH sessions Displaying SSH information Filtering SSH access using ACLsTerminating an active SSH connection Displaying SSH connection information Displaying SSH information Displaying SSH configuration informationSyntax show ip ssh config SSH connection information Displaying SSH information SSH configuration information Displaying additional SSH connection information Copying a file to the running configuration Secure copy configuration notesExample file transfers using SCP Secure copy with SSH2 Copying a software image file to flash memory Copying a file to the startup configurationTo overwrite the running configuration file Copying a software image file from flash memory Importing a digital certificate using SCP Importing an RSA private keyImporting a DSA or RSA public key Configuring SSH2 client public key authentication SSH2 clientEnabling SSH2 client Generating and deleting a client RSA key pair Using SSH2 clientGenerating and deleting a client DSA key pair Exporting client public keys Displaying SSH2 client information Supported ACL features on outbound traffic Rule-Based IP ACLs ACL overview Supported ACL features on outbound traffic ACL overview Numbered and named ACLs Types of IP ACLsACL IDs and entries ACL overview Virtual routing interfaces How fragmented packets are processed Default ACL actionHow hardware-based ACLs work Hardware aging of Layer 4 CAM entries ACL configuration considerations Configuring standard numbered ACLs Standard numbered ACL syntax Standard named ACL configuration Configuration example for standard numbered ACLs Syntax no ip access-list standard ACL-nameACL-num Standard named ACL syntax Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Extended numbered ACL configuration Configuration example for standard named ACLsExtended numbered ACL configuration Extended numbered ACL syntax Num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Brocade ICX 6650 Security Configuration Guide Configuration examples for extended numbered ACLs Here is another example of an extended ACL Extended named ACL configuration Extended named ACL configuration Extended named ACL syntax Num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Page Preserving user input for ACL TCP/UDP port numbers Syntax enable egress-acl-on-cpu-trafficApplying egress ACLs to Control CPU traffic Syntax ip preserve-ACL-user-input-format ACL comment text management Adding a comment to an entry in a numbered ACL Deleting a comment from an ACL entry Show running-config Show access-list Show ip access-listAdding a comment to an entry in a named ACL Viewing comments in an ACL Syntax show running-config Configuration notes for ACL logging ACL loggingACL logging Configuration tasks for ACL logging Example ACL logging configuration Syntax logging-enable Displaying ACL Log EntriesSyntax ACL-logging Syntax no ip access-group frag deny Syntax show log Configuration notes for ACL filtering Syntax no enable ACL-per-port-per-vlanEnter the no form of the command to disable this feature Syntax per-vlan Vlan ID Syntax no ip access-group ACL ID Syntax no ip access-group ACL ID in ethernet port to port ACLs to filter ARP packets Syntax no ip use-ACL-on-arp access-list-number Configuration considerations for filtering ARP packetsConfiguring ACLs for ARP filtering ACLs to filter ARP packets Clearing the filter count Filtering on IP precedence and ToS valuesDisplaying ACL filters for ARP Syntax show ACL-on-arp ethernet port loopback num ve num QoS options for IP ACLs TCP flags edge port security Configuration notes for QoS options on Brocade ICX Using an IP ACL to mark Dscp values Dscp markingSyntax ...dscp-marking dscp-value Combined ACL for 802.1p marking QoS options for IP ACLsFor IP Dscp matching Using an ACL to change the forwarding queueACL-based rate limiting Syntax ...dscp-matching 0 ACLs to control multicast features ACL statisticsEnabling and viewing hardware usage statistics for an ACL Displaying ACL information Troubleshooting ACLsSyntax show access-list ACL-numACL-nameall Policy Based Routing Configuration considerations for policy-based routing Configuring a PBR policy Configuring the ACLs Configuring the route map Syntax noroute-map map-namepermit deny num Enabling PBR Basic example of PBR Configuration examples for PBRSetting the next hop Policy Based Routing Setting the output interface to the null interface Trunk formation with PBR policy Feature IPv6 ACL overview IPv6 ACL configuration notes IPv6 ACL traffic filtering criteriaIPv6 protocol names and numbers Configuring an IPv6 ACL Example IPv6 configurations Configuring an IPv6 ACL Show ipv6 access-listcommand displays the followingHere is another example Default and implicit IPv6 ACL action Syntax for creating an IPv6 ACL Syntax no ipv6 access-list ACL-nameCreating an IPv6 ACL Ipv6-operator dscp For Icmp For TCPFor UDP IPv6 ACL arguments Description Ipv6-source-prefix /prefix-length Creating an IPv6 ACL Syntax descriptions IPv6 ACL arguments Description Icmp message configurations 802.1p-priority-matching number Syntax ipv6 enable Applying an IPv6 ACL to an interface Applying an IPv6 ACL to a trunk group Adding a comment to an IPv6 ACL entrySyntax for applying an IPv6 ACL Syntax .ipv6 traffic-filter ipv6-ACL-namein Deleting a comment from an IPv6 ACL entry Support for ACL loggingDisplaying IPv6 ACLs Syntax show ipv6 access-list Syntax show ipv6 access-list access-list-nameDisplaying IPv6 ACLs ACL-based rate limiting overview Types of ACL-based rate limiting Traffic policies overview Traffic policy structureACL statistics Configuring fixed rate limiting Configuration notes for traffic policies Configuring adaptive rate limiting Configuring adaptive rate limiting ACL based adaptive rate limiting parameters Parameter DefinitionPage Handling packets that exceed the rate limit Dropping packets Enabling and using ACL statistics Permitting packets at low priority Enabling and using ACL statistics Enabling ACL statistics Enabling ACL statistics with rate limiting traffic policies Viewing ACL and rate limit counters Parameter Description Clearing ACL and rate limit countersACL and rate limit counting statistics General Counters Viewing traffic policies Syntax show traffic-policy TPD-nameParameterDescription 802.1X Port Security Ietf RFC support Device roles in an 802.1X configuration How 802.1X port security worksHow 802.1X port security works Communication between the devices Controlled and uncontrolled ports PAE Message exchange during authentication Setting the IP MTU size Refer to EAP pass-through support on EAP pass-through support Authenticating multiple hosts connected to the same portConfiguration notes for setting the IP MTU size Syntax no ip mtu num How 802.1X multiple-host authentication works Multiple hosts connected to a single 802.1X-enabled port Configuration notes for 802.1x multiple-host authentication 802.1X port security and sFlow Configure the device role as the Authenticator 802.1X port security configuration802.1X port security configuration Configure the device interaction with Clients Syntax no aaa authentication dot1x default method-list Configuring an authentication method list forSetting Radius parameters Supported Radius attributes Specifying the Radius timeout action Permit user access to the network after a Radius timeoutSyntax no dot1x auth-timeout-action success Syntax no dot1x re-auth-timeout- success seconds Dynamic Vlan assignment for 802.1X port configurationRe-authenticate a user Deny user access to the network after a Radius timeout Type Value Dynamic multiple Vlan assignment for 802.1X ports Saving dynamic Vlan assignments to the running-config file Syntax save-dynamicvlan-to-config 802.1X port security configuration Disabled strict security mode Disabling strict security mode globally Dynamically applying existing ACLs or MAC address filters Syntax no dot1x disable-filter-strict-securityACL or MAC address filter configured on the Brocade device Syntax no global-filter-strict-security Configuring per-user IP ACLs or MAC address filters Value Description Setting the port control Enabling 802.1X port security Configuring periodic re-authentication Syntax no re-authenticationSyntax no timeout re-authperiod seconds Setting the wait interval for EAP frame retransmissions Re-authenticating a port manuallySetting the quiet period Syntax dot1x re-authenticate ethernet port Value is a number from 1-10. The default is Setting the maximum number of EAP frame retransmissionsSyntax no timeout tx-period seconds Syntax auth-max value Initializing 802.1X on a port Syntax supptimeout secondsSyntax servertimeout seconds Syntax maxreq value Specifying the authentication-failure action Allowing access to multiple hostsConfiguring 802.1X multiple-host authentication Syntax no auth-fail-action restricted-vlan Disabling aging for dot1x-mac-sessions This command enables aging of permitted sessionsSyntax no auth-fail-max-attempts attempts Syntax no mac-session-aging no-aging permitted-mac-only Moving native Vlan mac-sesions to restrict Vlan Specifying the aging time for blocked clientsSyntax no mac-age-time seconds Syntax clear dot1x mac-session mac-address Syntax timeout restrict-fwd-period num 802.1X accounting configurationConfiguring Vlan access for non-EAP-capable clients MAC address filters for EAP frames 802.1X accounting attributes for Radius To enable 802.1X accounting, enter the following commandSyntax aaa accounting dot1x default start-stop radius none Enabling 802.1X accounting Displaying 802.1X information Displaying 802.1X configuration informationOutput from the show dot1x command Syntax show dot1x Syntax show dot1x config ethernet port Forceunauth Syntax show dot1x statistics ethernet port Displaying 802.1X statisticsDisplaying 802.1X information Field Statistics Syntax clear dot1x statistics all Clearing 802.1X statisticsDisplaying dynamically assigned Vlan information Syntax clear dot1x statistics ethernet port Displaying user-defined MAC address filters and IP ACLs Syntax show dot1x mac-address-filterSyntax show dot1x ip-ACL Displaying the status of strict security mode Syntax show dot1x mac-address-filter all ethernet portSyntax show dot1x ip-ACL all ethernet port Displaying 802.1X multiple-host authentication information Global-filter-strict-security Enable Displaying 802.1X multiple-host configuration information Mac Session max-age Seconds Pvid Syntax show dot1x mac-session Output from the show dot1x mac-session brief command Syntax show dot1x mac-session brief Same point-to-point 802.1x configuration Sample 802.1X configurationsPoint-to-point configuration Sample 802.1X configurations Hub configuration Sample 802.1x configuration using a hub 802.1X authentication with dynamic Vlan assignment Auth-fail-vlanid Page MAC Port Security MAC port security overview Local and global resources used for MAC port security MAC port security configuration Enabling the MAC port security featureSyntax port security Syntax no enable Setting the port security age timer MAC port security configurationSyntax no age minutes Specifying secure MAC addresses On an untagged interfaceOn a tagged interface Dropping packets from a violating address Syntax violation restrictSyntax violation restrict age Clearing violation statistics Clearing port security statisticsClearing restricted MAC addresses Disabling the port for a specified amount of time Displaying port security settings Displaying port security informationDisplaying the secure MAC addresses Displaying port security statistics Output from the show port security mac commandOutput from the show port security statistics port command Syntax show port security statistics port Displaying restricted MAC addresses on a port Syntax show port security statistics moduleSyntax show port security ethernet port restricted-macs MAC-based Vlan overview Static and dynamic hosts Policy-based classification and forwarding MAC-based Vlan feature structureSource MAC address authentication MAC-based Vlan and port up or down events Dynamic MAC-based Vlan Dynamic MAC-based Vlan CLI commandsDynamic MAC-based Vlan Description CLI level Following example shows a MAC-based Vlan configuration Dynamic MAC-based Vlan configuration exampleDynamic MAC-based Vlan CLI commands for MAC-based VLANs CLI command Description CLI level MAC-based Vlan configuration MAC-based Vlan configuration Using MAC-based VLANs and 802.1X security on the same port Attribute ID Data type Optional or Description Mandatory For blocked hosts Aging for MAC-based VlanFor permitted hosts Aging process for MAC-based Vlan works as described below To change the length of the software aging period Disabling aging for MAC-based Vlan sessionsFor MAC-based dynamic activation Globally disabling aging Syntax no mac-authentication disable-aging Configuring the maximum MAC addresses per portConfiguring a MAC-based Vlan for a static host Disabling the aging on interfaces Configuring MAC-based Vlan for a dynamic host Configuring dynamic MAC-based VlanSyntax mac-vlan-permit ethernet stack-unit/slotnum/portnum Displaying information about MAC-based VLANs Configuring MAC-based VLANs using SnmpEnter the following command to display the MAC-VLAN table Displaying the MAC-VLAN table Displaying information about MAC-based VLANs Displaying the MAC-VLAN table for a specific MAC addressDisplaying allowed MAC addresses Syntax show table-mac-vlan mac-address Displaying denied MAC addresses Syntax show table-mac-vlan denied-mac Default Displaying detailed MAC-VLAN data Displaying MAC-VLAN information for a specific interface Displaying MAC addresses in a MAC-based Vlan Vlan Displaying MAC-based Vlan logging Clearing MAC-VLAN informationSample MAC-based Vlan application Clearing MAC-VLAN information Sample MAC-based Vlan configuration Sample MAC-based Vlan application 0000.0075.3f73 1/1/1 Sample MAC-based Vlan application Multi-Device Port Authentication How multi-device port authentication works Radius authentication Authentication-failure actionsSupported Radius attributes Support for dynamic Vlan assignment Support for dynamic ACLsSupport for dynamic ARP inspection with dynamic ACLs Support for Dhcp snooping with dynamic ACLs Support for source guard protection Configuring Brocade-specific attributes on Radius server Multi-device port authentication configuration Enabling multi-device port authentication on an interface Enabling multi-device port authenticationGlobally enabling multi-device port authentication Syntax no mac-authentication enable Specifying the authentication-failure action Multi-device port authentication configurationSyntax no mac-authentication auth-fail-vlan-id vlan-id Generating traps for multi-device port authentication Configuring dynamic Vlan assignmentDefining MAC address filters Syntax no mac-authentication enable-dynamic-vlan Syntax no mac-authentication no-override-restrict-vlan Syntax mac-authentication disable-ingress-filtering Vlan-namestring Configuration notes and limitations Dynamically applying IP ACLs to authenticated MAC addresses Syntax no mac-authentication save-dynamicvlan-to-configPage Enabling denial of service attack protection Configuring the Radius server to support dynamic IP ACLsACLs configured on the Brocade device Syntax no mac-authentication dos-protection mac-limit number Enabling source guard protection Enter the no form of the command to disable SG protection Clearing authenticated MAC addressesSyntax no mac-authentication source-guard-protection enable Syntax clear auth-mac-table Globally disabling aging of MAC addresses Disabling aging for authenticated MAC addressesSyntax mac-authentication clear-mac-session mac-address Syntax clear auth-mac-table ethernet port Syntax no mac-authentication hw-deny-age num Disabling the aging of MAC addresses on interfaces Syntax no mac-authentication auth-timeout-action success Specifying the Radius timeout actionPermit user access to the network after a Radius timeout Specifying the aging time for blocked MAC addresses Multi-device port authentication password override Deny user access to the network after a Radius timeoutSyntax no mac-authentication auth-timeout-action failure Displaying authenticated MAC address information Displaying multi-device port authentication informationLimiting the number of authenticated MAC addresses Syntax no mac-authentication password-override password Output from the show authenticated-mac-address command Syntax show auth-mac-address configuration Syntax show auth-mac-address mac-addressip-addrport Displaying the authenticated MAC addresses Syntax show auth-mac-addresses authorized-mac Explains the information in the output Displaying the non-authenticated MAC addressesSyntax show auth-mac-addresses unauthorized-mac Syntax show auth-mac-address ethernet port Syntax show auth-mac-address detail ethernet port Output from the show auth-mac-addresses detailed command YES Pvid Example port authentication configurations Example port authentication configurations Interface ethernet 1 dual-modemac-authentication enable Port e1/1/1 Dual Mode Example port authentication configurations Radius Server User 0000.008e.86ac IP Phone Profile No Profile for MAC 0000.007f.2e0a PC User 1 Profile Syntax no mac-authentication auth-fail-dot1x-override Smurf attacks How a Smurf attack floods a victim with Icmp replies Avoiding being an intermediary in a Smurf attack Avoiding being a victim in a Smurf attackSyntax no ip directed-broadcast TCP SYN attacks TCP SYN attacks TCP security enhancement Protecting against a blind injection attack Syntax show statistics dos-attack Syntax clear statistics dos-attack Rate Limiting and Rate Shaping Port-based rate limiting How port-based fixed rate limiting works Rate limiting in hardware Displaying the port-based fixed rate limiting configuration Configuration notes for port-based fixed rate limitingConfiguring a port-based fixed rate limiting policy Syntax no rate-limit input fixed average-rate Rate shaping Configuration notes for rate shapingConfiguring outbound rate shaping for a port Rate shaping Displaying rate shaping configurations Configuring outbound rate shaping for a specific priorityConfiguring outbound rate shaping for a trunk port CPU rate-limiting Packet type Rate limit ARP Dynamic ARP inspection ARP poisoning Dynamic ARP Inspection ARP entries 281 Enabling DAI on a Vlan Dynamic ARP inspection configurationConfiguring an inspection ARP entry Syntax no arp ip-addrmac-addrinspection Displaying the ARP table Dhcp snoopingDisplaying ARP inspection status and ports Enabling trust on a port How Dhcp snooping works Dhcp binding databasePage Disabling the learning of Dhcp clients on a port Syntax no dhcp snooping client-learning disableEnabling Dhcp snooping on a Vlan Syntax no ip dhcp snooping vlan vlan-number Displaying the Dhcp snooping binding database Clearing the Dhcp binding databaseDisplaying Dhcp snooping status and ports Displaying Dhcp binding entry and status Dhcp snooping configuration example Dhcp relay agent informationDhcp relay agent information Configuration notes for Dhcp option Dhcp option 82 sub-options Sub-option 1 Circuit ID Sub-option 2 Remote IDSub-option 6 Subscriber ID Dhcp option 82 configuration Syntax no dhcp snooping relay information Changing the forwarding policy Enabling and disabling subscriber ID processingSyntax ip dhcp relay information policy policy-type Viewing information about Dhcp option 82 processing Viewing the ports on which Dhcp option 82 is disabledOutput for the ip dhcp relay information command Viewing the circuit ID, remote ID, and forwarding policy IP source guard Viewing the status of Dhcp option 82 and the subscriber IDSyntax show interfaces ethernet port Page No source-guard enable Defining static IP source bindingsFor ip-addr, enter a valid IP address Enabling IP source guard on a VE Syntax no source-guard enableEnabling IP source guard per-port-per-VLAN Displaying learned IP addresses IP source guard Configuration notes and feature limitations Configuring rate limiting for BUM trafficBroadcast, unknown Unicast, and Multicast rate limiting Viewing rate limits set on BUM traffic Syntax show run interface Syntax show rate-limit broadcast Broadcast, unknown Unicast, and Multicast rate limiting Index ARP Radius Page Page MAC-VLAN Page SSH Ip access-group,110 mac-vlan-permit,220 source-guard enable Vlan