Brocade ICX
Brocade Communications Systems, Incorporated
Contents
Brocade ICX 6650 Security Configuration Guide
Chapter
Brocade ICX 6650 Security Configuration Guide
Types of ACL-based rate limiting
ACL-based rate limiting overview
Ietf RFC support
Chapter 802.1X Port Security
MAC port security overview
MAC-based Vlan feature structure
Local and global resources used for MAC port security
MAC-based Vlan overview
Radius authentication
How multi-device port authentication works
Authentication-failure actions
Supported Radius attributes
Avoiding being an intermediary in a Smurf attack
Smurf attacks
Avoiding being a victim in a Smurf attack
Configuring a port-based fixed rate limiting policy
Configuration notes for port-based fixed rate limiting
Displaying the port-based fixed rate limiting configuration
Configuration notes and feature limitations for DAI
Configuring rate limiting for BUM traffic
Configuration notes and feature limitations
Broadcast, unknown Unicast, and Multicast rate limiting
Viewing rate limits set on BUM traffic
Page
Supported hardware and software
Audience
Brocade ICX 6650 slot and port numbering
Dhcp on
How this document is organized
Document conventions
Command syntax conventions
Text formatting
Corporation Referenced Trademarks and Products
Related publications
Getting technical help
Additional information
Brocade resources
Other industry resources
Document feedback
Feature Brocade ICX
Securing access methods
Method is secured
ACL usage to restrict remote access
Remote access to management function restrictions
Using an ACL to restrict SSH access
Using an ACL to restrict Telnet access
Syntax telnet access-group num
Syntax ssh access-group num
Defining the console idle time
Using ACLs to restrict Snmp access
Syntax snmp-server community string ro rw num
Restricting Telnet access to a specific IP address
Remote access restrictions
Restricting SSH access to a specific IP address
Restricting Snmp access to a specific IP address
Restricting access to the device based on IP or MAC address
Restricting Telnet connection
Restricting SSH connection
Defining the Telnet idle time
Changing the login timeout period for Telnet sessions
Restricting Http and Https connection
Syntax no telnet login-retries number
Restricting Telnet access to a specific Vlan
Restricting Tftp access to a specific Vlan
Restricting Snmp access to a specific Vlan
Syntax no telnet server enable vlan vlan-id
Syntax no snmp-server enable vlan vlan-id
Syntax no default-gateway ip-addr metric
Allowing SSHv2 access to the Brocade device
Device management security
Syntax crypto key generate zeroize
Allowing Snmp access to the Brocade device
Disabling specific access methods
Disabling Telnet access
Disabling Snmp access
Setting a Telnet password
Passwords used to secure access
Syntax no tftp disable
Syntax no enable telnet password string
Passwords used to secure access
Setting passwords for management privilege levels
Syntax no telnet server suppress-reject-message
Augmenting management privilege levels
Syntax enable read-only-password text
Specifying a minimum password length
Recovering from a lost password
Enter boot system flash primary at the prompt
After the console prompt reappears, assign a new password
Syntax enable password-min-length number-of-characters
Enhancements to username and password
Local user accounts
Number-of-characterscan be from
Syntax no enable strict-password-enforcement
Enabling enhanced user password combination requirements
Enabling user password aging
Enabling user password masking
Syntax username name password Enter
Syntax no enable user password-masking
Enhanced login lockout
Configuring password history
Syntax no enable user password-aging
Syntax no enable user password-history 1
Setting passwords to expire
Local user account configuration
Syntax username name enable
Requirement to accept the message of the day
Local user accounts with unencrypted passwords
Local user accounts with no passwords
Local accounts with encrypted passwords
Creating a password option
Using the username user-stringcreate-password command
Syntax show users
Syntax no username user-stringpassword password-string
Changing a local user password
Tacacs and TACACS+ security
How TACACS+ differs from Tacacs
TACACS/TACACS+ authentication, authorization, and accounting
Kill console Syntax kill console all unit
TACACS+ authentication
Tacacs authentication
TACACS+ accounting
TACACS+ authorization
AAA operations for TACACS/TACACS+
AAA security for commands pasted into the running-config
User action Applicable AAA operations
Configuring Tacacs
TACACS/TACACS+ configuration considerations
Configuring TACACS+
Identifying the TACACS/TACACS+ servers
Enabling Tacacs
Specifying different servers for individual AAA functions
Setting optional Tacacs and TACACS+ parameters
Setting the retransmission limit
Setting the TACACS+ key
Setting the timeout parameter
Method parameter Description
Syntax aaa authentication login privilege-mode
Entering privileged Exec mode after a Telnet or SSH login
Syntax no aaa authentication enable implicit-user
Configuring Exec authorization
Configuring TACACS+ authorization
Syntax aaa authorization exec default tacacs+ none
Configuring an Attribute-Value pair on the TACACS+ server
Foundry-privlvl =
AAA support for console commands
Configuring command authorization
Configuring TACACS+ accounting for Telnet/SSH Shell access
TACACS+ accounting configuration
Configuring TACACS+ accounting for CLI commands
Syntax no enable aaa console
Configuring TACACS+ accounting for system events
Radius authentication
Radius authentication, authorization, and accounting
Output of the show aaa command for TACACS/TACACS+
Radius security
Radius accounting
Radius authorization
AAA operations for Radius
AAA operations for Radius
Radius security AAA operations for Radius
Radius configuration considerations
Brocade-specific attributes on the Radius server
Configuring Radius
Attribute ID Data type Description
Port Configuration level Allows
Identifying the Radius server to the Brocade device
Enabling Snmp to configure Radius
Attribute name Attribute ID Data type Description
Radius configuration example and command syntax
Radius server per port configuration notes
Following shows an example configuration
Radius server per port
Radius server to individual ports mapping
Radius server-to-ports configuration notes
Syntax use-radius-server ip-addr
Host ip-addris an IPv4 address
Radius parameters
Setting the Radius key
Syntax radius-server key 0 1 string
Syntax radius-server retransmit number
Setting Radius over IPv6
Setting authentication-method lists for Radius
Syntax radius-server timeout number
Syntax radius-server host ipv6 ipv6-host address
Setting passwords for management privilege levels on
Syntax aaa authorization exec default radius none
Radius authorization
Command authorization and accounting for console commands
Configuring Radius accounting for CLI commands
Configuring Radius accounting for Telnet/SSH Shell access
Radius accounting
Configuring Radius accounting for system events
Displaying Radius configuration information
Output of the show aaa command for Radius
Examples of authentication-method lists
Authentication-method lists
Authentication-method lists
Following is the command syntax for the preceding examples
Command Syntax
Example
TCP Flags edge port security
User account configuration on
TCP Flags edge port security
Using TCP Flags in combination with other ACL features
TCP Flags edge port security
SSH version 2 overview
SSH2 and SCP
SSH2 unsupported features
SSH2 supported features
Tested SSH2 clients
Key exchange methods are diffie-hellman-group1-sha1
Configuring SSH2
SSH2 authentication types
SSH2 authentication types
Configure DSA or RSA challenge-response authentication
Generating and deleting a DSA key pair
Setting the CPU priority for key generation
Generating and deleting an RSA key pair
Deleting DSA and RSA key pairs
Configuring DSA or RSA challenge-response authentication
Providing the public key to clients
Syntax crypto key zeroize
Begin SSH2 Public KEY
Importing authorized public keys into the Brocade device
Syntax ip ssh key-authentication yes no
Enabling DSA or RSA challenge-response authentication
Optional SSH parameters
Syntax clear public-key
Deactivating user authentication
Setting the number of SSH authentication retries
Syntax ip ssh authentication-retries number
Syntax ip ssh password-authentication no yes
Setting the SSH port number
Enabling empty password logins
Setting the SSH login timeout value
Configuring the maximum idle time for SSH sessions
Terminating an active SSH connection
Filtering SSH access using ACLs
Displaying SSH information
Displaying SSH connection information
Syntax show ip ssh config
Displaying SSH configuration information
Displaying SSH information
SSH connection information
Displaying additional SSH connection information
Displaying SSH information SSH configuration information
Example file transfers using SCP
Secure copy configuration notes
Copying a file to the running configuration
Secure copy with SSH2
To overwrite the running configuration file
Copying a file to the startup configuration
Copying a software image file to flash memory
Copying a software image file from flash memory
Importing an RSA private key
Importing a digital certificate using SCP
Importing a DSA or RSA public key
SSH2 client
Configuring SSH2 client public key authentication
Enabling SSH2 client
Generating and deleting a client DSA key pair
Using SSH2 client
Generating and deleting a client RSA key pair
Exporting client public keys
Displaying SSH2 client information
Rule-Based IP ACLs
Supported ACL features on outbound traffic
ACL overview
ACL overview Supported ACL features on outbound traffic
ACL IDs and entries
Types of IP ACLs
Numbered and named ACLs
ACL overview Virtual routing interfaces
How hardware-based ACLs work
Default ACL action
How fragmented packets are processed
Hardware aging of Layer 4 CAM entries
ACL configuration considerations
Standard numbered ACL syntax
Configuring standard numbered ACLs
Configuration example for standard numbered ACLs
Standard named ACL configuration
Standard named ACL syntax
Syntax no ip access-list standard ACL-nameACL-num
Brocade ICX 6650 Security Configuration Guide 53-1002601-01
Configuration example for standard named ACLs
Extended numbered ACL configuration
Extended numbered ACL configuration
Extended numbered ACL syntax
Num
Brocade ICX 6650 Security Configuration Guide 53-1002601-01
Brocade ICX 6650 Security Configuration Guide
Here is another example of an extended ACL
Configuration examples for extended numbered ACLs
Extended named ACL configuration
Extended named ACL configuration
Extended named ACL syntax
Num
Brocade ICX 6650 Security Configuration Guide 53-1002601-01
Page
Applying egress ACLs to Control CPU traffic
Syntax enable egress-acl-on-cpu-traffic
Preserving user input for ACL TCP/UDP port numbers
Syntax ip preserve-ACL-user-input-format
Adding a comment to an entry in a numbered ACL
ACL comment text management
Adding a comment to an entry in a named ACL
Show running-config Show access-list Show ip access-list
Deleting a comment from an ACL entry
Viewing comments in an ACL
Syntax show running-config
ACL logging
Configuration notes for ACL logging
ACL logging
Example ACL logging configuration
Configuration tasks for ACL logging
Displaying ACL Log Entries
Syntax logging-enable
Syntax ACL-logging
Syntax show log
Syntax no ip access-group frag deny
Syntax no enable ACL-per-port-per-vlan
Configuration notes for ACL filtering
Enter the no form of the command to disable this feature
Syntax per-vlan Vlan ID Syntax no ip access-group ACL ID
ACLs to filter ARP packets
Syntax no ip access-group ACL ID in ethernet port to port
Configuring ACLs for ARP filtering
Configuration considerations for filtering ARP packets
Syntax no ip use-ACL-on-arp access-list-number
ACLs to filter ARP packets
Displaying ACL filters for ARP
Filtering on IP precedence and ToS values
Clearing the filter count
Syntax show ACL-on-arp ethernet port loopback num ve num
TCP flags edge port security
QoS options for IP ACLs
Using an IP ACL to mark Dscp values Dscp marking
Configuration notes for QoS options on Brocade ICX
Syntax ...dscp-marking dscp-value
QoS options for IP ACLs
Combined ACL for 802.1p marking
For IP
ACL-based rate limiting
Using an ACL to change the forwarding queue
Dscp matching
Syntax ...dscp-matching 0
ACL statistics
ACLs to control multicast features
Enabling and viewing hardware usage statistics for an ACL
Syntax show access-list ACL-numACL-nameall
Troubleshooting ACLs
Displaying ACL information
Policy Based Routing
Configuring a PBR policy
Configuration considerations for policy-based routing
Configuring the ACLs
Syntax noroute-map map-namepermit deny num
Configuring the route map
Enabling PBR
Setting the next hop
Configuration examples for PBR
Basic example of PBR
Policy Based Routing
Setting the output interface to the null interface
Trunk formation with PBR policy
IPv6 ACL overview
Feature
IPv6 ACL traffic filtering criteria
IPv6 ACL configuration notes
IPv6 protocol names and numbers
Example IPv6 configurations
Configuring an IPv6 ACL
Show ipv6 access-listcommand displays the following
Configuring an IPv6 ACL
Here is another example
Default and implicit IPv6 ACL action
Creating an IPv6 ACL
Syntax no ipv6 access-list ACL-name
Syntax for creating an IPv6 ACL
Ipv6-operator dscp
For TCP
For Icmp
For UDP
Ipv6-source-prefix /prefix-length
IPv6 ACL arguments Description
IPv6 ACL arguments Description
Creating an IPv6 ACL Syntax descriptions
802.1p-priority-matching number
Icmp message configurations
Applying an IPv6 ACL to an interface
Syntax ipv6 enable
Syntax for applying an IPv6 ACL
Adding a comment to an IPv6 ACL entry
Applying an IPv6 ACL to a trunk group
Syntax .ipv6 traffic-filter ipv6-ACL-namein
Support for ACL logging
Deleting a comment from an IPv6 ACL entry
Displaying IPv6 ACLs
Syntax show ipv6 access-list access-list-name
Syntax show ipv6 access-list
Displaying IPv6 ACLs
Types of ACL-based rate limiting
ACL-based rate limiting overview
Traffic policy structure
Traffic policies overview
ACL statistics
Configuration notes for traffic policies
Configuring fixed rate limiting
Configuring adaptive rate limiting
Configuring adaptive rate limiting
Parameter Definition
ACL based adaptive rate limiting parameters
Page
Dropping packets
Handling packets that exceed the rate limit
Permitting packets at low priority
Enabling and using ACL statistics
Enabling ACL statistics
Enabling and using ACL statistics
Viewing ACL and rate limit counters
Enabling ACL statistics with rate limiting traffic policies
ACL and rate limit counting statistics
Clearing ACL and rate limit counters
Parameter Description
General Counters
Syntax show traffic-policy TPD-name
Viewing traffic policies
ParameterDescription
Ietf RFC support
802.1X Port Security
How 802.1X port security works
Device roles in an 802.1X configuration
How 802.1X port security works
Controlled and uncontrolled ports
Communication between the devices
PAE
Message exchange during authentication
Refer to EAP pass-through support on
Setting the IP MTU size
Configuration notes for setting the IP MTU size
Authenticating multiple hosts connected to the same port
EAP pass-through support
Syntax no ip mtu num
Multiple hosts connected to a single 802.1X-enabled port
How 802.1X multiple-host authentication works
Configuration notes for 802.1x multiple-host authentication
802.1X port security and sFlow
802.1X port security configuration
802.1X port security configuration
Configure the device role as the Authenticator
Configure the device interaction with Clients
Setting Radius parameters
Configuring an authentication method list for
Syntax no aaa authentication dot1x default method-list
Supported Radius attributes
Permit user access to the network after a Radius timeout
Specifying the Radius timeout action
Syntax no dot1x auth-timeout-action success
Re-authenticate a user
Dynamic Vlan assignment for 802.1X port configuration
Syntax no dot1x re-auth-timeout- success seconds
Deny user access to the network after a Radius timeout
Type Value
Dynamic multiple Vlan assignment for 802.1X ports
Syntax save-dynamicvlan-to-config
Saving dynamic Vlan assignments to the running-config file
802.1X port security configuration
Disabling strict security mode globally
Disabled strict security mode
ACL or MAC address filter configured on the Brocade device
Syntax no dot1x disable-filter-strict-security
Dynamically applying existing ACLs or MAC address filters
Syntax no global-filter-strict-security
Value Description
Configuring per-user IP ACLs or MAC address filters
Enabling 802.1X port security
Setting the port control
Syntax no re-authentication
Configuring periodic re-authentication
Syntax no timeout re-authperiod seconds
Setting the quiet period
Re-authenticating a port manually
Setting the wait interval for EAP frame retransmissions
Syntax dot1x re-authenticate ethernet port
Syntax no timeout tx-period seconds
Setting the maximum number of EAP frame retransmissions
Value is a number from 1-10. The default is
Syntax auth-max value
Syntax servertimeout seconds
Syntax supptimeout seconds
Initializing 802.1X on a port
Syntax maxreq value
Configuring 802.1X multiple-host authentication
Allowing access to multiple hosts
Specifying the authentication-failure action
Syntax no auth-fail-action restricted-vlan
Syntax no auth-fail-max-attempts attempts
This command enables aging of permitted sessions
Disabling aging for dot1x-mac-sessions
Syntax no mac-session-aging no-aging permitted-mac-only
Syntax no mac-age-time seconds
Specifying the aging time for blocked clients
Moving native Vlan mac-sesions to restrict Vlan
Syntax clear dot1x mac-session mac-address
Configuring Vlan access for non-EAP-capable clients
802.1X accounting configuration
Syntax timeout restrict-fwd-period num
MAC address filters for EAP frames
Syntax aaa accounting dot1x default start-stop radius none
To enable 802.1X accounting, enter the following command
802.1X accounting attributes for Radius
Enabling 802.1X accounting
Output from the show dot1x command
Displaying 802.1X configuration information
Displaying 802.1X information
Syntax show dot1x
Syntax show dot1x config ethernet port
Forceunauth
Displaying 802.1X information
Displaying 802.1X statistics
Syntax show dot1x statistics ethernet port
Field Statistics
Displaying dynamically assigned Vlan information
Clearing 802.1X statistics
Syntax clear dot1x statistics all
Syntax clear dot1x statistics ethernet port
Syntax show dot1x mac-address-filter
Displaying user-defined MAC address filters and IP ACLs
Syntax show dot1x ip-ACL
Syntax show dot1x mac-address-filter all ethernet port
Displaying the status of strict security mode
Syntax show dot1x ip-ACL all ethernet port
Global-filter-strict-security Enable
Displaying 802.1X multiple-host authentication information
Mac Session max-age Seconds
Displaying 802.1X multiple-host configuration information
Pvid
Syntax show dot1x mac-session
Syntax show dot1x mac-session brief
Output from the show dot1x mac-session brief command
Point-to-point configuration
Sample 802.1X configurations
Same point-to-point 802.1x configuration
Sample 802.1X configurations
Sample 802.1x configuration using a hub
Hub configuration
802.1X authentication with dynamic Vlan assignment
Auth-fail-vlanid
Page
MAC Port Security
Local and global resources used for MAC port security
MAC port security overview
Enabling the MAC port security feature
MAC port security configuration
Syntax port security Syntax no enable
MAC port security configuration
Setting the port security age timer
Syntax no age minutes
On an untagged interface
Specifying secure MAC addresses
On a tagged interface
Syntax violation restrict
Dropping packets from a violating address
Syntax violation restrict age
Clearing restricted MAC addresses
Clearing port security statistics
Clearing violation statistics
Disabling the port for a specified amount of time
Displaying port security information
Displaying port security settings
Displaying the secure MAC addresses
Output from the show port security statistics port command
Output from the show port security mac command
Displaying port security statistics
Syntax show port security statistics port
Syntax show port security statistics module
Displaying restricted MAC addresses on a port
Syntax show port security ethernet port restricted-macs
Static and dynamic hosts
MAC-based Vlan overview
Source MAC address authentication
MAC-based Vlan feature structure
Policy-based classification and forwarding
MAC-based Vlan and port up or down events
Dynamic MAC-based Vlan
Dynamic MAC-based Vlan CLI commands
Dynamic MAC-based Vlan
Description CLI level
Dynamic MAC-based Vlan CLI commands for MAC-based VLANs
Dynamic MAC-based Vlan configuration example
Following example shows a MAC-based Vlan configuration
CLI command Description CLI level
MAC-based Vlan configuration
MAC-based Vlan configuration
Attribute ID Data type Optional or Description Mandatory
Using MAC-based VLANs and 802.1X security on the same port
For permitted hosts
Aging for MAC-based Vlan
For blocked hosts
Aging process for MAC-based Vlan works as described below
For MAC-based dynamic activation
Disabling aging for MAC-based Vlan sessions
To change the length of the software aging period
Globally disabling aging
Configuring a MAC-based Vlan for a static host
Configuring the maximum MAC addresses per port
Syntax no mac-authentication disable-aging
Disabling the aging on interfaces
Configuring dynamic MAC-based Vlan
Configuring MAC-based Vlan for a dynamic host
Syntax mac-vlan-permit ethernet stack-unit/slotnum/portnum
Enter the following command to display the MAC-VLAN table
Configuring MAC-based VLANs using Snmp
Displaying information about MAC-based VLANs
Displaying the MAC-VLAN table
Displaying allowed MAC addresses
Displaying the MAC-VLAN table for a specific MAC address
Displaying information about MAC-based VLANs
Syntax show table-mac-vlan mac-address
Syntax show table-mac-vlan denied-mac
Displaying denied MAC addresses
Displaying detailed MAC-VLAN data
Default
Displaying MAC-VLAN information for a specific interface
Vlan
Displaying MAC addresses in a MAC-based Vlan
Sample MAC-based Vlan application
Clearing MAC-VLAN information
Displaying MAC-based Vlan logging
Clearing MAC-VLAN information
Sample MAC-based Vlan application
Sample MAC-based Vlan configuration
0000.0075.3f73 1/1/1
Sample MAC-based Vlan application
How multi-device port authentication works
Multi-Device Port Authentication
Authentication-failure actions
Radius authentication
Supported Radius attributes
Support for dynamic ACLs
Support for dynamic Vlan assignment
Support for dynamic ARP inspection with dynamic ACLs
Support for source guard protection
Support for Dhcp snooping with dynamic ACLs
Configuring Brocade-specific attributes on Radius server
Multi-device port authentication configuration
Globally enabling multi-device port authentication
Enabling multi-device port authentication
Enabling multi-device port authentication on an interface
Syntax no mac-authentication enable
Multi-device port authentication configuration
Specifying the authentication-failure action
Syntax no mac-authentication auth-fail-vlan-id vlan-id
Configuring dynamic Vlan assignment
Generating traps for multi-device port authentication
Defining MAC address filters
Syntax no mac-authentication no-override-restrict-vlan
Syntax no mac-authentication enable-dynamic-vlan
Vlan-namestring
Syntax mac-authentication disable-ingress-filtering
Configuration notes and limitations
Syntax no mac-authentication save-dynamicvlan-to-config
Dynamically applying IP ACLs to authenticated MAC addresses
Page
Configuring the Radius server to support dynamic IP ACLs
Enabling denial of service attack protection
ACLs configured on the Brocade device
Enabling source guard protection
Syntax no mac-authentication dos-protection mac-limit number
Syntax no mac-authentication source-guard-protection enable
Clearing authenticated MAC addresses
Enter the no form of the command to disable SG protection
Syntax clear auth-mac-table
Syntax mac-authentication clear-mac-session mac-address
Disabling aging for authenticated MAC addresses
Globally disabling aging of MAC addresses
Syntax clear auth-mac-table ethernet port
Disabling the aging of MAC addresses on interfaces
Syntax no mac-authentication hw-deny-age num
Permit user access to the network after a Radius timeout
Specifying the Radius timeout action
Syntax no mac-authentication auth-timeout-action success
Specifying the aging time for blocked MAC addresses
Deny user access to the network after a Radius timeout
Multi-device port authentication password override
Syntax no mac-authentication auth-timeout-action failure
Limiting the number of authenticated MAC addresses
Displaying multi-device port authentication information
Displaying authenticated MAC address information
Syntax no mac-authentication password-override password
Syntax show auth-mac-address configuration
Output from the show authenticated-mac-address command
Syntax show auth-mac-address mac-addressip-addrport
Syntax show auth-mac-addresses authorized-mac
Displaying the authenticated MAC addresses
Syntax show auth-mac-addresses unauthorized-mac
Displaying the non-authenticated MAC addresses
Explains the information in the output
Syntax show auth-mac-address ethernet port
Syntax show auth-mac-address detail ethernet port
YES
Output from the show auth-mac-addresses detailed command
Pvid
Example port authentication configurations
Interface ethernet 1 dual-modemac-authentication enable
Example port authentication configurations
Port e1/1/1 Dual Mode
Example port authentication configurations
Radius Server User 0000.008e.86ac IP Phone Profile
No Profile for MAC 0000.007f.2e0a PC User 1 Profile
Syntax no mac-authentication auth-fail-dot1x-override
How a Smurf attack floods a victim with Icmp replies
Smurf attacks
Avoiding being a victim in a Smurf attack
Avoiding being an intermediary in a Smurf attack
Syntax no ip directed-broadcast
TCP SYN attacks
TCP SYN attacks
TCP security enhancement
Protecting against a blind injection attack
Syntax clear statistics dos-attack
Syntax show statistics dos-attack
Port-based rate limiting
Rate Limiting and Rate Shaping
Rate limiting in hardware
How port-based fixed rate limiting works
Configuring a port-based fixed rate limiting policy
Configuration notes for port-based fixed rate limiting
Displaying the port-based fixed rate limiting configuration
Syntax no rate-limit input fixed average-rate
Configuring outbound rate shaping for a port
Configuration notes for rate shaping
Rate shaping
Rate shaping
Configuring outbound rate shaping for a trunk port
Configuring outbound rate shaping for a specific priority
Displaying rate shaping configurations
CPU rate-limiting
ARP
Packet type Rate limit
ARP poisoning
Dynamic ARP inspection
ARP entries
Dynamic ARP Inspection
281
Configuring an inspection ARP entry
Dynamic ARP inspection configuration
Enabling DAI on a Vlan
Syntax no arp ip-addrmac-addrinspection
Displaying ARP inspection status and ports
Dhcp snooping
Displaying the ARP table
Enabling trust on a port
Dhcp binding database
How Dhcp snooping works
Page
Enabling Dhcp snooping on a Vlan
Syntax no dhcp snooping client-learning disable
Disabling the learning of Dhcp clients on a port
Syntax no ip dhcp snooping vlan vlan-number
Displaying Dhcp snooping status and ports
Clearing the Dhcp binding database
Displaying the Dhcp snooping binding database
Displaying Dhcp binding entry and status
Dhcp relay agent information
Dhcp snooping configuration example
Dhcp relay agent information
Dhcp option 82 sub-options
Configuration notes for Dhcp option
Sub-option 2 Remote ID
Sub-option 1 Circuit ID
Sub-option 6 Subscriber ID
Syntax no dhcp snooping relay information
Dhcp option 82 configuration
Enabling and disabling subscriber ID processing
Changing the forwarding policy
Syntax ip dhcp relay information policy policy-type
Output for the ip dhcp relay information command
Viewing the ports on which Dhcp option 82 is disabled
Viewing information about Dhcp option 82 processing
Viewing the circuit ID, remote ID, and forwarding policy
Viewing the status of Dhcp option 82 and the subscriber ID
IP source guard
Syntax show interfaces ethernet port
Page
Defining static IP source bindings
No source-guard enable
For ip-addr, enter a valid IP address
Enabling IP source guard per-port-per-VLAN
Syntax no source-guard enable
Enabling IP source guard on a VE
Displaying learned IP addresses
IP source guard
Configuring rate limiting for BUM traffic
Configuration notes and feature limitations
Broadcast, unknown Unicast, and Multicast rate limiting
Viewing rate limits set on BUM traffic
Syntax show rate-limit broadcast
Syntax show run interface
Broadcast, unknown Unicast, and Multicast rate limiting
Index
ARP
Radius
Page
Page
MAC-VLAN
Page
SSH
Vlan
Ip access-group,110 mac-vlan-permit,220 source-guard enable
