Manuals / Brocade Communications Systems / Computer Equipment / Switch

Brocade Communications Systems 6650 manual Num

Models: 6650

1 332

Download 332 pages 4.02 Kb

Page 118

Extended named ACL configuration

If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file in “/ mask-bits” format. To enable the software to display the CIDR masks, enter the ip show-subnet-lengthcommand at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.

NOTE

If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with subnet mask in the display produced by the show ip access-listcommand.

The destination-ip hostname parameter specifies the destination IP host for the policy. If you want the policy to match on all destination addresses, enter any.

The icmp-type icmp-numparameter specifies the ICMP protocol type:

•This parameter applies only if you specified icmp as the ip-protocolvalue.

•If you use this parameter, the ACL entry is sent to the CPU for processing.

•If you do not specify a message type, the ACL applies to all types of ICMP messages. The icmp-numparameter can be a value from 0 – 255.

The icmp-typeparameter can have one of the following values, depending on the software version the device is running:

•any-icmp-type

•echo

•echo-reply

•information-request

•log

•mask-reply

•mask-request

•parameter-problem

•redirect

•source-quench

•time-exceeded

•timestamp-reply

•timestamp-request

•traffic policy

•unreachable

•num

NOTE

The QoS options listed below are only available if a specific ICMP type is specified for the icmp-typeparameter and cannot be used with the any-icmp-typeoption above. See “QoS options for IP ACLs” on page 1734for more information on using ACLs to perform QoS.

98	Brocade ICX 6650 Security Configuration Guide
	53-1002601-01

Image 118

Brocade Communications Systems 6650 manual Num

Contents

Brocade ICX Brocade Communications Systems, Incorporated Contents Brocade ICX 6650 Security Configuration Guide Chapter Brocade ICX 6650 Security Configuration Guide ACL-based rate limiting overview Types of ACL-based rate limitingChapter 802.1X Port Security Ietf RFC supportLocal and global resources used for MAC port security MAC-based Vlan feature structureMAC port security overview MAC-based Vlan overviewAuthentication-failure actions How multi-device port authentication worksRadius authentication Supported Radius attributesAvoiding being an intermediary in a Smurf attack Smurf attacksAvoiding being a victim in a Smurf attack Displaying the port-based fixed rate limiting configuration Configuration notes for port-based fixed rate limitingConfiguring a port-based fixed rate limiting policy Configuration notes and feature limitations for DAIBroadcast, unknown Unicast, and Multicast rate limiting Configuration notes and feature limitationsConfiguring rate limiting for BUM traffic Viewing rate limits set on BUM trafficPage Supported hardware and software AudienceBrocade ICX 6650 slot and port numbering How this document is organized Dhcp onDocument conventions Command syntax conventionsText formatting Related publications Corporation Referenced Trademarks and ProductsBrocade resources Additional informationGetting technical help Other industry resourcesDocument feedback Securing access methods Feature Brocade ICXMethod is secured Remote access to management function restrictions ACL usage to restrict remote accessSyntax telnet access-group num Using an ACL to restrict Telnet accessUsing an ACL to restrict SSH access Syntax ssh access-group numDefining the console idle time Using ACLs to restrict Snmp accessSyntax snmp-server community string ro rw num Restricting Telnet access to a specific IP address Remote access restrictionsRestricting SSH access to a specific IP address Restricting Telnet connection Restricting access to the device based on IP or MAC addressRestricting Snmp access to a specific IP address Restricting SSH connectionDefining the Telnet idle time Changing the login timeout period for Telnet sessionsRestricting Http and Https connection Restricting Telnet access to a specific Vlan Syntax no telnet login-retries numberSyntax no telnet server enable vlan vlan-id Restricting Snmp access to a specific VlanRestricting Tftp access to a specific Vlan Syntax no snmp-server enable vlan vlan-idDevice management security Allowing SSHv2 access to the Brocade deviceSyntax no default-gateway ip-addr metric Syntax crypto key generate zeroizeDisabling Telnet access Disabling specific access methodsAllowing Snmp access to the Brocade device Disabling Snmp accessSyntax no tftp disable Passwords used to secure accessSetting a Telnet password Syntax no enable telnet password stringPasswords used to secure access Setting passwords for management privilege levelsSyntax no telnet server suppress-reject-message Syntax enable read-only-password text Augmenting management privilege levelsEnter boot system flash primary at the prompt Recovering from a lost passwordSpecifying a minimum password length After the console prompt reappears, assign a new passwordLocal user accounts Enhancements to username and passwordSyntax enable password-min-length number-of-characters Number-of-characterscan be fromEnabling enhanced user password combination requirements Syntax no enable strict-password-enforcementSyntax username name password Enter Enabling user password maskingEnabling user password aging Syntax no enable user password-maskingSyntax no enable user password-aging Configuring password historyEnhanced login lockout Syntax no enable user password-history 1Syntax username name enable Local user account configurationSetting passwords to expire Requirement to accept the message of the dayLocal user accounts with no passwords Local user accounts with unencrypted passwordsUsing the username user-stringcreate-password command Creating a password optionLocal accounts with encrypted passwords Syntax show usersTacacs and TACACS+ security Changing a local user passwordSyntax no username user-stringpassword password-string How TACACS+ differs from TacacsTACACS/TACACS+ authentication, authorization, and accounting Kill console Syntax kill console all unit Tacacs authentication TACACS+ authenticationTACACS+ authorization TACACS+ accountingAAA operations for TACACS/TACACS+ AAA security for commands pasted into the running-configUser action Applicable AAA operations Configuring Tacacs TACACS/TACACS+ configuration considerationsConfiguring TACACS+ Enabling Tacacs Identifying the TACACS/TACACS+ serversSetting optional Tacacs and TACACS+ parameters Specifying different servers for individual AAA functionsSetting the retransmission limit Setting the TACACS+ keySetting the timeout parameter Method parameter Description Syntax aaa authentication login privilege-mode Entering privileged Exec mode after a Telnet or SSH loginSyntax no aaa authentication enable implicit-user Syntax aaa authorization exec default tacacs+ none Configuring TACACS+ authorizationConfiguring Exec authorization Configuring an Attribute-Value pair on the TACACS+ serverFoundry-privlvl = Configuring command authorization AAA support for console commandsConfiguring TACACS+ accounting for CLI commands TACACS+ accounting configurationConfiguring TACACS+ accounting for Telnet/SSH Shell access Syntax no enable aaa consoleConfiguring TACACS+ accounting for system events Output of the show aaa command for TACACS/TACACS+ Radius authentication, authorization, and accountingRadius authentication Radius securityRadius authorization Radius accountingAAA operations for Radius AAA operations for RadiusRadius configuration considerations Radius security AAA operations for RadiusConfiguring Radius Brocade-specific attributes on the Radius serverPort Configuration level Allows Attribute ID Data type DescriptionIdentifying the Radius server to the Brocade device Enabling Snmp to configure RadiusAttribute name Attribute ID Data type Description Following shows an example configuration Radius server per port configuration notesRadius configuration example and command syntax Radius server per portSyntax use-radius-server ip-addr Radius server-to-ports configuration notesRadius server to individual ports mapping Host ip-addris an IPv4 addressSyntax radius-server key 0 1 string Setting the Radius keyRadius parameters Syntax radius-server retransmit numberSyntax radius-server timeout number Setting authentication-method lists for RadiusSetting Radius over IPv6 Syntax radius-server host ipv6 ipv6-host addressSetting passwords for management privilege levels on Radius authorization Syntax aaa authorization exec default radius noneCommand authorization and accounting for console commands Configuring Radius accounting for CLI commands Configuring Radius accounting for Telnet/SSH Shell accessRadius accounting Displaying Radius configuration information Configuring Radius accounting for system eventsOutput of the show aaa command for Radius Examples of authentication-method lists Authentication-method listsAuthentication-method lists Following is the command syntax for the preceding examples Command SyntaxExample User account configuration on TCP Flags edge port securityUsing TCP Flags in combination with other ACL features TCP Flags edge port securityTCP Flags edge port security SSH2 and SCP SSH version 2 overviewTested SSH2 clients SSH2 supported featuresSSH2 unsupported features Key exchange methods are diffie-hellman-group1-sha1SSH2 authentication types SSH2 authentication typesConfiguring SSH2 Configure DSA or RSA challenge-response authenticationGenerating and deleting a DSA key pair Setting the CPU priority for key generationGenerating and deleting an RSA key pair Providing the public key to clients Configuring DSA or RSA challenge-response authenticationDeleting DSA and RSA key pairs Syntax crypto key zeroizeImporting authorized public keys into the Brocade device Begin SSH2 Public KEYOptional SSH parameters Enabling DSA or RSA challenge-response authenticationSyntax ip ssh key-authentication yes no Syntax clear public-keySyntax ip ssh authentication-retries number Setting the number of SSH authentication retriesDeactivating user authentication Syntax ip ssh password-authentication no yesSetting the SSH login timeout value Enabling empty password loginsSetting the SSH port number Configuring the maximum idle time for SSH sessionsDisplaying SSH information Filtering SSH access using ACLsTerminating an active SSH connection Displaying SSH connection informationDisplaying SSH information Displaying SSH configuration informationSyntax show ip ssh config SSH connection informationDisplaying SSH information SSH configuration information Displaying additional SSH connection informationCopying a file to the running configuration Secure copy configuration notesExample file transfers using SCP Secure copy with SSH2Copying a software image file to flash memory Copying a file to the startup configurationTo overwrite the running configuration file Copying a software image file from flash memoryImporting an RSA private key Importing a digital certificate using SCPImporting a DSA or RSA public key SSH2 client Configuring SSH2 client public key authenticationEnabling SSH2 client Generating and deleting a client RSA key pair Using SSH2 clientGenerating and deleting a client DSA key pair Exporting client public keysDisplaying SSH2 client information Supported ACL features on outbound traffic Rule-Based IP ACLsACL overview Supported ACL features on outbound traffic ACL overviewNumbered and named ACLs Types of IP ACLsACL IDs and entries ACL overview Virtual routing interfacesHow fragmented packets are processed Default ACL actionHow hardware-based ACLs work Hardware aging of Layer 4 CAM entriesACL configuration considerations Configuring standard numbered ACLs Standard numbered ACL syntaxStandard named ACL configuration Configuration example for standard numbered ACLsSyntax no ip access-list standard ACL-nameACL-num Standard named ACL syntaxBrocade ICX 6650 Security Configuration Guide 53-1002601-01 Configuration example for standard named ACLs Extended numbered ACL configurationExtended numbered ACL configuration Extended numbered ACL syntax Num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Brocade ICX 6650 Security Configuration Guide Configuration examples for extended numbered ACLs Here is another example of an extended ACLExtended named ACL configuration Extended named ACL configurationExtended named ACL syntax Num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Page Preserving user input for ACL TCP/UDP port numbers Syntax enable egress-acl-on-cpu-trafficApplying egress ACLs to Control CPU traffic Syntax ip preserve-ACL-user-input-formatACL comment text management Adding a comment to an entry in a numbered ACLDeleting a comment from an ACL entry Show running-config Show access-list Show ip access-listAdding a comment to an entry in a named ACL Viewing comments in an ACLSyntax show running-config ACL logging Configuration notes for ACL loggingACL logging Configuration tasks for ACL logging Example ACL logging configurationDisplaying ACL Log Entries Syntax logging-enableSyntax ACL-logging Syntax no ip access-group frag deny Syntax show logSyntax no enable ACL-per-port-per-vlan Configuration notes for ACL filteringEnter the no form of the command to disable this feature Syntax per-vlan Vlan ID Syntax no ip access-group ACL ID Syntax no ip access-group ACL ID in ethernet port to port ACLs to filter ARP packetsSyntax no ip use-ACL-on-arp access-list-number Configuration considerations for filtering ARP packetsConfiguring ACLs for ARP filtering ACLs to filter ARP packetsClearing the filter count Filtering on IP precedence and ToS valuesDisplaying ACL filters for ARP Syntax show ACL-on-arp ethernet port loopback num ve numQoS options for IP ACLs TCP flags edge port securityUsing an IP ACL to mark Dscp values Dscp marking Configuration notes for QoS options on Brocade ICXSyntax ...dscp-marking dscp-value QoS options for IP ACLs Combined ACL for 802.1p markingFor IP Dscp matching Using an ACL to change the forwarding queueACL-based rate limiting Syntax ...dscp-matching 0ACL statistics ACLs to control multicast featuresEnabling and viewing hardware usage statistics for an ACL Displaying ACL information Troubleshooting ACLsSyntax show access-list ACL-numACL-nameall Policy Based RoutingConfiguration considerations for policy-based routing Configuring a PBR policyConfiguring the ACLs Configuring the route map Syntax noroute-map map-namepermit deny numEnabling PBR Basic example of PBR Configuration examples for PBRSetting the next hop Policy Based RoutingSetting the output interface to the null interface Trunk formation with PBR policy Feature IPv6 ACL overviewIPv6 ACL traffic filtering criteria IPv6 ACL configuration notesIPv6 protocol names and numbers Configuring an IPv6 ACL Example IPv6 configurationsShow ipv6 access-listcommand displays the following Configuring an IPv6 ACLHere is another example Default and implicit IPv6 ACL action Syntax for creating an IPv6 ACL Syntax no ipv6 access-list ACL-nameCreating an IPv6 ACL Ipv6-operator dscpFor TCP For IcmpFor UDP IPv6 ACL arguments Description Ipv6-source-prefix /prefix-lengthCreating an IPv6 ACL Syntax descriptions IPv6 ACL arguments DescriptionIcmp message configurations 802.1p-priority-matching numberSyntax ipv6 enable Applying an IPv6 ACL to an interfaceApplying an IPv6 ACL to a trunk group Adding a comment to an IPv6 ACL entrySyntax for applying an IPv6 ACL Syntax .ipv6 traffic-filter ipv6-ACL-nameinSupport for ACL logging Deleting a comment from an IPv6 ACL entryDisplaying IPv6 ACLs Syntax show ipv6 access-list access-list-name Syntax show ipv6 access-listDisplaying IPv6 ACLs ACL-based rate limiting overview Types of ACL-based rate limitingTraffic policy structure Traffic policies overviewACL statistics Configuring fixed rate limiting Configuration notes for traffic policiesConfiguring adaptive rate limiting Configuring adaptive rate limitingACL based adaptive rate limiting parameters Parameter DefinitionPage Handling packets that exceed the rate limit Dropping packetsEnabling and using ACL statistics Permitting packets at low priorityEnabling and using ACL statistics Enabling ACL statisticsEnabling ACL statistics with rate limiting traffic policies Viewing ACL and rate limit countersParameter Description Clearing ACL and rate limit countersACL and rate limit counting statistics General CountersSyntax show traffic-policy TPD-name Viewing traffic policiesParameterDescription 802.1X Port Security Ietf RFC supportHow 802.1X port security works Device roles in an 802.1X configurationHow 802.1X port security works Communication between the devices Controlled and uncontrolled portsPAE Message exchange during authentication Setting the IP MTU size Refer to EAP pass-through support onEAP pass-through support Authenticating multiple hosts connected to the same portConfiguration notes for setting the IP MTU size Syntax no ip mtu numHow 802.1X multiple-host authentication works Multiple hosts connected to a single 802.1X-enabled portConfiguration notes for 802.1x multiple-host authentication 802.1X port security and sFlow Configure the device role as the Authenticator 802.1X port security configuration802.1X port security configuration Configure the device interaction with ClientsSyntax no aaa authentication dot1x default method-list Configuring an authentication method list forSetting Radius parameters Supported Radius attributesPermit user access to the network after a Radius timeout Specifying the Radius timeout actionSyntax no dot1x auth-timeout-action success Syntax no dot1x re-auth-timeout- success seconds Dynamic Vlan assignment for 802.1X port configurationRe-authenticate a user Deny user access to the network after a Radius timeoutType Value Dynamic multiple Vlan assignment for 802.1X ports Saving dynamic Vlan assignments to the running-config file Syntax save-dynamicvlan-to-config802.1X port security configuration Disabled strict security mode Disabling strict security mode globallyDynamically applying existing ACLs or MAC address filters Syntax no dot1x disable-filter-strict-securityACL or MAC address filter configured on the Brocade device Syntax no global-filter-strict-securityConfiguring per-user IP ACLs or MAC address filters Value DescriptionSetting the port control Enabling 802.1X port securitySyntax no re-authentication Configuring periodic re-authenticationSyntax no timeout re-authperiod seconds Setting the wait interval for EAP frame retransmissions Re-authenticating a port manuallySetting the quiet period Syntax dot1x re-authenticate ethernet portValue is a number from 1-10. The default is Setting the maximum number of EAP frame retransmissionsSyntax no timeout tx-period seconds Syntax auth-max valueInitializing 802.1X on a port Syntax supptimeout secondsSyntax servertimeout seconds Syntax maxreq valueSpecifying the authentication-failure action Allowing access to multiple hostsConfiguring 802.1X multiple-host authentication Syntax no auth-fail-action restricted-vlanDisabling aging for dot1x-mac-sessions This command enables aging of permitted sessionsSyntax no auth-fail-max-attempts attempts Syntax no mac-session-aging no-aging permitted-mac-onlyMoving native Vlan mac-sesions to restrict Vlan Specifying the aging time for blocked clientsSyntax no mac-age-time seconds Syntax clear dot1x mac-session mac-addressSyntax timeout restrict-fwd-period num 802.1X accounting configurationConfiguring Vlan access for non-EAP-capable clients MAC address filters for EAP frames802.1X accounting attributes for Radius To enable 802.1X accounting, enter the following commandSyntax aaa accounting dot1x default start-stop radius none Enabling 802.1X accountingDisplaying 802.1X information Displaying 802.1X configuration informationOutput from the show dot1x command Syntax show dot1xSyntax show dot1x config ethernet port Forceunauth Syntax show dot1x statistics ethernet port Displaying 802.1X statisticsDisplaying 802.1X information Field StatisticsSyntax clear dot1x statistics all Clearing 802.1X statisticsDisplaying dynamically assigned Vlan information Syntax clear dot1x statistics ethernet portSyntax show dot1x mac-address-filter Displaying user-defined MAC address filters and IP ACLsSyntax show dot1x ip-ACL Syntax show dot1x mac-address-filter all ethernet port Displaying the status of strict security modeSyntax show dot1x ip-ACL all ethernet port Displaying 802.1X multiple-host authentication information Global-filter-strict-security EnableDisplaying 802.1X multiple-host configuration information Mac Session max-age SecondsPvid Syntax show dot1x mac-session Output from the show dot1x mac-session brief command Syntax show dot1x mac-session briefSame point-to-point 802.1x configuration Sample 802.1X configurationsPoint-to-point configuration Sample 802.1X configurationsHub configuration Sample 802.1x configuration using a hub802.1X authentication with dynamic Vlan assignment Auth-fail-vlanid Page MAC Port Security MAC port security overview Local and global resources used for MAC port securityEnabling the MAC port security feature MAC port security configurationSyntax port security Syntax no enable MAC port security configuration Setting the port security age timerSyntax no age minutes On an untagged interface Specifying secure MAC addressesOn a tagged interface Syntax violation restrict Dropping packets from a violating addressSyntax violation restrict age Clearing violation statistics Clearing port security statisticsClearing restricted MAC addresses Disabling the port for a specified amount of timeDisplaying port security information Displaying port security settingsDisplaying the secure MAC addresses Displaying port security statistics Output from the show port security mac commandOutput from the show port security statistics port command Syntax show port security statistics portSyntax show port security statistics module Displaying restricted MAC addresses on a portSyntax show port security ethernet port restricted-macs MAC-based Vlan overview Static and dynamic hostsPolicy-based classification and forwarding MAC-based Vlan feature structureSource MAC address authentication MAC-based Vlan and port up or down eventsDynamic MAC-based Vlan Dynamic MAC-based Vlan CLI commandsDynamic MAC-based Vlan Description CLI levelFollowing example shows a MAC-based Vlan configuration Dynamic MAC-based Vlan configuration exampleDynamic MAC-based Vlan CLI commands for MAC-based VLANs CLI command Description CLI levelMAC-based Vlan configuration MAC-based Vlan configurationUsing MAC-based VLANs and 802.1X security on the same port Attribute ID Data type Optional or Description MandatoryFor blocked hosts Aging for MAC-based VlanFor permitted hosts Aging process for MAC-based Vlan works as described belowTo change the length of the software aging period Disabling aging for MAC-based Vlan sessionsFor MAC-based dynamic activation Globally disabling agingSyntax no mac-authentication disable-aging Configuring the maximum MAC addresses per portConfiguring a MAC-based Vlan for a static host Disabling the aging on interfacesConfiguring dynamic MAC-based Vlan Configuring MAC-based Vlan for a dynamic hostSyntax mac-vlan-permit ethernet stack-unit/slotnum/portnum Displaying information about MAC-based VLANs Configuring MAC-based VLANs using SnmpEnter the following command to display the MAC-VLAN table Displaying the MAC-VLAN tableDisplaying information about MAC-based VLANs Displaying the MAC-VLAN table for a specific MAC addressDisplaying allowed MAC addresses Syntax show table-mac-vlan mac-addressDisplaying denied MAC addresses Syntax show table-mac-vlan denied-macDefault Displaying detailed MAC-VLAN dataDisplaying MAC-VLAN information for a specific interface Displaying MAC addresses in a MAC-based Vlan VlanDisplaying MAC-based Vlan logging Clearing MAC-VLAN informationSample MAC-based Vlan application Clearing MAC-VLAN informationSample MAC-based Vlan configuration Sample MAC-based Vlan application0000.0075.3f73 1/1/1 Sample MAC-based Vlan application Multi-Device Port Authentication How multi-device port authentication worksAuthentication-failure actions Radius authenticationSupported Radius attributes Support for dynamic ACLs Support for dynamic Vlan assignmentSupport for dynamic ARP inspection with dynamic ACLs Support for Dhcp snooping with dynamic ACLs Support for source guard protectionConfiguring Brocade-specific attributes on Radius server Multi-device port authentication configuration Enabling multi-device port authentication on an interface Enabling multi-device port authenticationGlobally enabling multi-device port authentication Syntax no mac-authentication enableMulti-device port authentication configuration Specifying the authentication-failure actionSyntax no mac-authentication auth-fail-vlan-id vlan-id Configuring dynamic Vlan assignment Generating traps for multi-device port authenticationDefining MAC address filters Syntax no mac-authentication enable-dynamic-vlan Syntax no mac-authentication no-override-restrict-vlanSyntax mac-authentication disable-ingress-filtering Vlan-namestringConfiguration notes and limitations Dynamically applying IP ACLs to authenticated MAC addresses Syntax no mac-authentication save-dynamicvlan-to-configPage Configuring the Radius server to support dynamic IP ACLs Enabling denial of service attack protectionACLs configured on the Brocade device Syntax no mac-authentication dos-protection mac-limit number Enabling source guard protectionEnter the no form of the command to disable SG protection Clearing authenticated MAC addressesSyntax no mac-authentication source-guard-protection enable Syntax clear auth-mac-tableGlobally disabling aging of MAC addresses Disabling aging for authenticated MAC addressesSyntax mac-authentication clear-mac-session mac-address Syntax clear auth-mac-table ethernet portSyntax no mac-authentication hw-deny-age num Disabling the aging of MAC addresses on interfacesSyntax no mac-authentication auth-timeout-action success Specifying the Radius timeout actionPermit user access to the network after a Radius timeout Specifying the aging time for blocked MAC addressesDeny user access to the network after a Radius timeout Multi-device port authentication password overrideSyntax no mac-authentication auth-timeout-action failure Displaying authenticated MAC address information Displaying multi-device port authentication informationLimiting the number of authenticated MAC addresses Syntax no mac-authentication password-override passwordOutput from the show authenticated-mac-address command Syntax show auth-mac-address configurationSyntax show auth-mac-address mac-addressip-addrport Displaying the authenticated MAC addresses Syntax show auth-mac-addresses authorized-macExplains the information in the output Displaying the non-authenticated MAC addressesSyntax show auth-mac-addresses unauthorized-mac Syntax show auth-mac-address ethernet portSyntax show auth-mac-address detail ethernet port Output from the show auth-mac-addresses detailed command YESPvid Example port authentication configurations Example port authentication configurations Interface ethernet 1 dual-modemac-authentication enablePort e1/1/1 Dual Mode Example port authentication configurations Radius Server User 0000.008e.86ac IP Phone Profile No Profile for MAC 0000.007f.2e0a PC User 1 Profile Syntax no mac-authentication auth-fail-dot1x-override Smurf attacks How a Smurf attack floods a victim with Icmp repliesAvoiding being a victim in a Smurf attack Avoiding being an intermediary in a Smurf attackSyntax no ip directed-broadcast TCP SYN attacks TCP SYN attacksTCP security enhancement Protecting against a blind injection attack Syntax show statistics dos-attack Syntax clear statistics dos-attackRate Limiting and Rate Shaping Port-based rate limitingHow port-based fixed rate limiting works Rate limiting in hardwareDisplaying the port-based fixed rate limiting configuration Configuration notes for port-based fixed rate limitingConfiguring a port-based fixed rate limiting policy Syntax no rate-limit input fixed average-rateRate shaping Configuration notes for rate shapingConfiguring outbound rate shaping for a port Rate shapingDisplaying rate shaping configurations Configuring outbound rate shaping for a specific priorityConfiguring outbound rate shaping for a trunk port CPU rate-limitingPacket type Rate limit ARPDynamic ARP inspection ARP poisoningDynamic ARP Inspection ARP entries281 Enabling DAI on a Vlan Dynamic ARP inspection configurationConfiguring an inspection ARP entry Syntax no arp ip-addrmac-addrinspectionDisplaying the ARP table Dhcp snoopingDisplaying ARP inspection status and ports Enabling trust on a portHow Dhcp snooping works Dhcp binding databasePage Disabling the learning of Dhcp clients on a port Syntax no dhcp snooping client-learning disableEnabling Dhcp snooping on a Vlan Syntax no ip dhcp snooping vlan vlan-numberDisplaying the Dhcp snooping binding database Clearing the Dhcp binding databaseDisplaying Dhcp snooping status and ports Displaying Dhcp binding entry and statusDhcp relay agent information Dhcp snooping configuration exampleDhcp relay agent information Configuration notes for Dhcp option Dhcp option 82 sub-optionsSub-option 2 Remote ID Sub-option 1 Circuit IDSub-option 6 Subscriber ID Dhcp option 82 configuration Syntax no dhcp snooping relay informationEnabling and disabling subscriber ID processing Changing the forwarding policySyntax ip dhcp relay information policy policy-type Viewing information about Dhcp option 82 processing Viewing the ports on which Dhcp option 82 is disabledOutput for the ip dhcp relay information command Viewing the circuit ID, remote ID, and forwarding policyViewing the status of Dhcp option 82 and the subscriber ID IP source guardSyntax show interfaces ethernet port Page Defining static IP source bindings No source-guard enableFor ip-addr, enter a valid IP address Enabling IP source guard on a VE Syntax no source-guard enableEnabling IP source guard per-port-per-VLAN Displaying learned IP addressesIP source guard Configuring rate limiting for BUM traffic Configuration notes and feature limitationsBroadcast, unknown Unicast, and Multicast rate limiting Viewing rate limits set on BUM traffic Syntax show run interface Syntax show rate-limit broadcastBroadcast, unknown Unicast, and Multicast rate limiting Index ARP Radius Page Page MAC-VLAN Page SSH Ip access-group,110 mac-vlan-permit,220 source-guard enable Vlan