IPv6 ACL overview, Feature | Brocade Communications Systems 6650

	Chapter
IPv6 ACLs	4

Table 17 lists the IPv6 Access Control Lists (ACL) features supported on Brocade ICX 6650. These features are supported in Brocade ICX 6650 that can be configured as an IPv6 host in an IPv6 network, and in devices that support IPv6 routing. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.

TABLE 17	Supported IPv6 ACL features

Feature		Brocade ICX 6650

IPv6 ACLs		Yes

Applying an IPv6 ACL to an interface		Yes

IPv6 ACL comment text		Yes

IPv6 ACL logging of denied packets		Yes

This chapter describes how ACLs are implemented and configured on a Brocade device.

IPv6 ACL overview

Brocade devices support IPv6 Access Control Lists (ACLs) for inbound traffic filtering, as detailed in Table 17. You can configure up to 100 IPv6 ACLs and, by default, up to a system-wide maximum of 8192 ACL rules.

An IPv6 ACL is composed of one or more conditional statements that pose an action (permit or deny) if a packet matches a specified source or destination prefix. For Brocade ICX 6650, there can be up to 2045 total hardware entries. Most IPv6 ACL rules will need 2 hardware entries, and some more than 2, per port region, including IPv6, IPv4, MAC address filters, and default statements. When the maximum number of ACL rules allowed per port region is reached, an error message will display on the console.

The last statement in each IPv6 ACL is an implicit deny statement for all packets that do not match the previous statements in the ACL.

You can configure an IPv6 ACL on a global basis, then apply it to the incoming IPv6 packets on specified interfaces. You can apply only one IPv6 ACL to an interface. When an interface receives an IPv6 packet, it applies the statements within the ACL in their order of appearance to the packet. As soon as a match occurs, the Brocade device takes the specified action (permit or deny the packet) and stops further comparison for that packet.

IPv6 ACLs are supported on:

•Gbps Ethernet ports

•10 Gbps Ethernet ports

•Trunk groups

•Virtual routing interfaces

Brocade ICX 6650 Security Configuration Guide	127
53-1002601-01

Image 147

Brocade Communications Systems 6650 manual IPv6 ACL overview, Feature

Contents

Brocade ICX Brocade Communications Systems, Incorporated Contents Brocade ICX 6650 Security Configuration Guide Chapter Brocade ICX 6650 Security Configuration Guide Types of ACL-based rate limiting ACL-based rate limiting overview Ietf RFC support Chapter 802.1X Port Security MAC-based Vlan overview MAC-based Vlan feature structureMAC port security overview Local and global resources used for MAC port security Supported Radius attributes How multi-device port authentication worksRadius authentication Authentication-failure actions Smurf attacks Avoiding being an intermediary in a Smurf attackAvoiding being a victim in a Smurf attack Configuration notes and feature limitations for DAI Configuration notes for port-based fixed rate limitingConfiguring a port-based fixed rate limiting policy Displaying the port-based fixed rate limiting configuration Viewing rate limits set on BUM traffic Configuration notes and feature limitationsConfiguring rate limiting for BUM traffic Broadcast, unknown Unicast, and Multicast rate limitingPage Audience Supported hardware and softwareBrocade ICX 6650 slot and port numbering Dhcp on How this document is organized Command syntax conventions Document conventionsText formatting Corporation Referenced Trademarks and Products Related publications Other industry resources Additional informationGetting technical help Brocade resources Document feedback Feature Brocade ICX Securing access methods Method is secured ACL usage to restrict remote access Remote access to management function restrictions Syntax ssh access-group num Using an ACL to restrict Telnet accessUsing an ACL to restrict SSH access Syntax telnet access-group num Using ACLs to restrict Snmp access Defining the console idle timeSyntax snmp-server community string ro rw num Remote access restrictions Restricting Telnet access to a specific IP addressRestricting SSH access to a specific IP address Restricting SSH connection Restricting access to the device based on IP or MAC addressRestricting Snmp access to a specific IP address Restricting Telnet connection Changing the login timeout period for Telnet sessions Defining the Telnet idle timeRestricting Http and Https connection Syntax no telnet login-retries number Restricting Telnet access to a specific Vlan Syntax no snmp-server enable vlan vlan-id Restricting Snmp access to a specific VlanRestricting Tftp access to a specific Vlan Syntax no telnet server enable vlan vlan-id Syntax crypto key generate zeroize Allowing SSHv2 access to the Brocade deviceSyntax no default-gateway ip-addr metric Device management security Disabling Snmp access Disabling specific access methodsAllowing Snmp access to the Brocade device Disabling Telnet access Syntax no enable telnet password string Passwords used to secure accessSetting a Telnet password Syntax no tftp disable Setting passwords for management privilege levels Passwords used to secure accessSyntax no telnet server suppress-reject-message Augmenting management privilege levels Syntax enable read-only-password text After the console prompt reappears, assign a new password Recovering from a lost passwordSpecifying a minimum password length Enter boot system flash primary at the prompt Number-of-characterscan be from Enhancements to username and passwordSyntax enable password-min-length number-of-characters Local user accounts Syntax no enable strict-password-enforcement Enabling enhanced user password combination requirements Syntax no enable user password-masking Enabling user password maskingEnabling user password aging Syntax username name password Enter Syntax no enable user password-history 1 Configuring password historyEnhanced login lockout Syntax no enable user password-aging Requirement to accept the message of the day Local user account configurationSetting passwords to expire Syntax username name enable Local user accounts with unencrypted passwords Local user accounts with no passwords Syntax show users Creating a password optionLocal accounts with encrypted passwords Using the username user-stringcreate-password command How TACACS+ differs from Tacacs Changing a local user passwordSyntax no username user-stringpassword password-string Tacacs and TACACS+ security TACACS/TACACS+ authentication, authorization, and accounting Kill console Syntax kill console all unit TACACS+ authentication Tacacs authentication TACACS+ accounting TACACS+ authorization AAA security for commands pasted into the running-config AAA operations for TACACS/TACACS+User action Applicable AAA operations TACACS/TACACS+ configuration considerations Configuring TacacsConfiguring TACACS+ Identifying the TACACS/TACACS+ servers Enabling Tacacs Specifying different servers for individual AAA functions Setting optional Tacacs and TACACS+ parameters Setting the TACACS+ key Setting the retransmission limitSetting the timeout parameter Method parameter Description Entering privileged Exec mode after a Telnet or SSH login Syntax aaa authentication login privilege-modeSyntax no aaa authentication enable implicit-user Configuring an Attribute-Value pair on the TACACS+ server Configuring TACACS+ authorizationConfiguring Exec authorization Syntax aaa authorization exec default tacacs+ none Foundry-privlvl = AAA support for console commands Configuring command authorization Syntax no enable aaa console TACACS+ accounting configurationConfiguring TACACS+ accounting for Telnet/SSH Shell access Configuring TACACS+ accounting for CLI commands Configuring TACACS+ accounting for system events Radius security Radius authentication, authorization, and accountingRadius authentication Output of the show aaa command for TACACS/TACACS+ Radius accounting Radius authorization AAA operations for Radius AAA operations for Radius Radius security AAA operations for Radius Radius configuration considerations Brocade-specific attributes on the Radius server Configuring Radius Attribute ID Data type Description Port Configuration level Allows Enabling Snmp to configure Radius Identifying the Radius server to the Brocade deviceAttribute name Attribute ID Data type Description Radius server per port Radius server per port configuration notesRadius configuration example and command syntax Following shows an example configuration Host ip-addris an IPv4 address Radius server-to-ports configuration notesRadius server to individual ports mapping Syntax use-radius-server ip-addr Syntax radius-server retransmit number Setting the Radius keyRadius parameters Syntax radius-server key 0 1 string Syntax radius-server host ipv6 ipv6-host address Setting authentication-method lists for RadiusSetting Radius over IPv6 Syntax radius-server timeout number Setting passwords for management privilege levels on Syntax aaa authorization exec default radius none Radius authorization Command authorization and accounting for console commands Configuring Radius accounting for Telnet/SSH Shell access Configuring Radius accounting for CLI commandsRadius accounting Configuring Radius accounting for system events Displaying Radius configuration information Output of the show aaa command for Radius Authentication-method lists Examples of authentication-method listsAuthentication-method lists Command Syntax Following is the command syntax for the preceding examplesExample TCP Flags edge port security User account configuration on TCP Flags edge port security Using TCP Flags in combination with other ACL features TCP Flags edge port security SSH version 2 overview SSH2 and SCP Key exchange methods are diffie-hellman-group1-sha1 SSH2 supported featuresSSH2 unsupported features Tested SSH2 clients Configure DSA or RSA challenge-response authentication SSH2 authentication typesConfiguring SSH2 SSH2 authentication types Setting the CPU priority for key generation Generating and deleting a DSA key pairGenerating and deleting an RSA key pair Syntax crypto key zeroize Configuring DSA or RSA challenge-response authenticationDeleting DSA and RSA key pairs Providing the public key to clients Begin SSH2 Public KEY Importing authorized public keys into the Brocade device Syntax clear public-key Enabling DSA or RSA challenge-response authenticationSyntax ip ssh key-authentication yes no Optional SSH parameters Syntax ip ssh password-authentication no yes Setting the number of SSH authentication retriesDeactivating user authentication Syntax ip ssh authentication-retries number Configuring the maximum idle time for SSH sessions Enabling empty password loginsSetting the SSH port number Setting the SSH login timeout value Displaying SSH connection information Filtering SSH access using ACLsTerminating an active SSH connection Displaying SSH information SSH connection information Displaying SSH configuration informationSyntax show ip ssh config Displaying SSH information Displaying additional SSH connection information Displaying SSH information SSH configuration information Secure copy with SSH2 Secure copy configuration notesExample file transfers using SCP Copying a file to the running configuration Copying a software image file from flash memory Copying a file to the startup configurationTo overwrite the running configuration file Copying a software image file to flash memory Importing a digital certificate using SCP Importing an RSA private keyImporting a DSA or RSA public key Configuring SSH2 client public key authentication SSH2 clientEnabling SSH2 client Exporting client public keys Using SSH2 clientGenerating and deleting a client DSA key pair Generating and deleting a client RSA key pair Displaying SSH2 client information Rule-Based IP ACLs Supported ACL features on outbound traffic ACL overview ACL overview Supported ACL features on outbound traffic ACL overview Virtual routing interfaces Types of IP ACLsACL IDs and entries Numbered and named ACLs Hardware aging of Layer 4 CAM entries Default ACL actionHow hardware-based ACLs work How fragmented packets are processed ACL configuration considerations Standard numbered ACL syntax Configuring standard numbered ACLs Configuration example for standard numbered ACLs Standard named ACL configuration Standard named ACL syntax Syntax no ip access-list standard ACL-nameACL-num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Extended numbered ACL configuration Configuration example for standard named ACLsExtended numbered ACL configuration Extended numbered ACL syntax Num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Brocade ICX 6650 Security Configuration Guide Here is another example of an extended ACL Configuration examples for extended numbered ACLs Extended named ACL configuration Extended named ACL configuration Extended named ACL syntax Num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Page Syntax ip preserve-ACL-user-input-format Syntax enable egress-acl-on-cpu-trafficApplying egress ACLs to Control CPU traffic Preserving user input for ACL TCP/UDP port numbers Adding a comment to an entry in a numbered ACL ACL comment text management Viewing comments in an ACL Show running-config Show access-list Show ip access-listAdding a comment to an entry in a named ACL Deleting a comment from an ACL entry Syntax show running-config Configuration notes for ACL logging ACL loggingACL logging Example ACL logging configuration Configuration tasks for ACL logging Syntax logging-enable Displaying ACL Log EntriesSyntax ACL-logging Syntax show log Syntax no ip access-group frag deny Configuration notes for ACL filtering Syntax no enable ACL-per-port-per-vlanEnter the no form of the command to disable this feature Syntax per-vlan Vlan ID Syntax no ip access-group ACL ID ACLs to filter ARP packets Syntax no ip access-group ACL ID in ethernet port to port ACLs to filter ARP packets Configuration considerations for filtering ARP packetsConfiguring ACLs for ARP filtering Syntax no ip use-ACL-on-arp access-list-number Syntax show ACL-on-arp ethernet port loopback num ve num Filtering on IP precedence and ToS valuesDisplaying ACL filters for ARP Clearing the filter count TCP flags edge port security QoS options for IP ACLs Configuration notes for QoS options on Brocade ICX Using an IP ACL to mark Dscp values Dscp markingSyntax ...dscp-marking dscp-value Combined ACL for 802.1p marking QoS options for IP ACLsFor IP Syntax ...dscp-matching 0 Using an ACL to change the forwarding queueACL-based rate limiting Dscp matching ACLs to control multicast features ACL statisticsEnabling and viewing hardware usage statistics for an ACL Policy Based Routing Troubleshooting ACLsSyntax show access-list ACL-numACL-nameall Displaying ACL information Configuring a PBR policy Configuration considerations for policy-based routing Configuring the ACLs Syntax noroute-map map-namepermit deny num Configuring the route map Enabling PBR Policy Based Routing Configuration examples for PBRSetting the next hop Basic example of PBR Setting the output interface to the null interface Trunk formation with PBR policy IPv6 ACL overview Feature IPv6 ACL configuration notes IPv6 ACL traffic filtering criteriaIPv6 protocol names and numbers Example IPv6 configurations Configuring an IPv6 ACL Configuring an IPv6 ACL Show ipv6 access-listcommand displays the followingHere is another example Default and implicit IPv6 ACL action Ipv6-operator dscp Syntax no ipv6 access-list ACL-nameCreating an IPv6 ACL Syntax for creating an IPv6 ACL For Icmp For TCPFor UDP Ipv6-source-prefix /prefix-length IPv6 ACL arguments Description IPv6 ACL arguments Description Creating an IPv6 ACL Syntax descriptions 802.1p-priority-matching number Icmp message configurations Applying an IPv6 ACL to an interface Syntax ipv6 enable Syntax .ipv6 traffic-filter ipv6-ACL-namein Adding a comment to an IPv6 ACL entrySyntax for applying an IPv6 ACL Applying an IPv6 ACL to a trunk group Deleting a comment from an IPv6 ACL entry Support for ACL loggingDisplaying IPv6 ACLs Syntax show ipv6 access-list Syntax show ipv6 access-list access-list-nameDisplaying IPv6 ACLs Types of ACL-based rate limiting ACL-based rate limiting overview Traffic policies overview Traffic policy structureACL statistics Configuration notes for traffic policies Configuring fixed rate limiting Configuring adaptive rate limiting Configuring adaptive rate limiting Parameter Definition ACL based adaptive rate limiting parametersPage Dropping packets Handling packets that exceed the rate limit Permitting packets at low priority Enabling and using ACL statistics Enabling ACL statistics Enabling and using ACL statistics Viewing ACL and rate limit counters Enabling ACL statistics with rate limiting traffic policies General Counters Clearing ACL and rate limit countersACL and rate limit counting statistics Parameter Description Viewing traffic policies Syntax show traffic-policy TPD-nameParameterDescription Ietf RFC support 802.1X Port Security Device roles in an 802.1X configuration How 802.1X port security worksHow 802.1X port security works Controlled and uncontrolled ports Communication between the devices PAE Message exchange during authentication Refer to EAP pass-through support on Setting the IP MTU size Syntax no ip mtu num Authenticating multiple hosts connected to the same portConfiguration notes for setting the IP MTU size EAP pass-through support Multiple hosts connected to a single 802.1X-enabled port How 802.1X multiple-host authentication works Configuration notes for 802.1x multiple-host authentication 802.1X port security and sFlow Configure the device interaction with Clients 802.1X port security configuration802.1X port security configuration Configure the device role as the Authenticator Supported Radius attributes Configuring an authentication method list forSetting Radius parameters Syntax no aaa authentication dot1x default method-list Specifying the Radius timeout action Permit user access to the network after a Radius timeoutSyntax no dot1x auth-timeout-action success Deny user access to the network after a Radius timeout Dynamic Vlan assignment for 802.1X port configurationRe-authenticate a user Syntax no dot1x re-auth-timeout- success seconds Type Value Dynamic multiple Vlan assignment for 802.1X ports Syntax save-dynamicvlan-to-config Saving dynamic Vlan assignments to the running-config file 802.1X port security configuration Disabling strict security mode globally Disabled strict security mode Syntax no global-filter-strict-security Syntax no dot1x disable-filter-strict-securityACL or MAC address filter configured on the Brocade device Dynamically applying existing ACLs or MAC address filters Value Description Configuring per-user IP ACLs or MAC address filters Enabling 802.1X port security Setting the port control Configuring periodic re-authentication Syntax no re-authenticationSyntax no timeout re-authperiod seconds Syntax dot1x re-authenticate ethernet port Re-authenticating a port manuallySetting the quiet period Setting the wait interval for EAP frame retransmissions Syntax auth-max value Setting the maximum number of EAP frame retransmissionsSyntax no timeout tx-period seconds Value is a number from 1-10. The default is Syntax maxreq value Syntax supptimeout secondsSyntax servertimeout seconds Initializing 802.1X on a port Syntax no auth-fail-action restricted-vlan Allowing access to multiple hostsConfiguring 802.1X multiple-host authentication Specifying the authentication-failure action Syntax no mac-session-aging no-aging permitted-mac-only This command enables aging of permitted sessionsSyntax no auth-fail-max-attempts attempts Disabling aging for dot1x-mac-sessions Syntax clear dot1x mac-session mac-address Specifying the aging time for blocked clientsSyntax no mac-age-time seconds Moving native Vlan mac-sesions to restrict Vlan MAC address filters for EAP frames 802.1X accounting configurationConfiguring Vlan access for non-EAP-capable clients Syntax timeout restrict-fwd-period num Enabling 802.1X accounting To enable 802.1X accounting, enter the following commandSyntax aaa accounting dot1x default start-stop radius none 802.1X accounting attributes for Radius Syntax show dot1x Displaying 802.1X configuration informationOutput from the show dot1x command Displaying 802.1X information Syntax show dot1x config ethernet port Forceunauth Field Statistics Displaying 802.1X statisticsDisplaying 802.1X information Syntax show dot1x statistics ethernet port Syntax clear dot1x statistics ethernet port Clearing 802.1X statisticsDisplaying dynamically assigned Vlan information Syntax clear dot1x statistics all Displaying user-defined MAC address filters and IP ACLs Syntax show dot1x mac-address-filterSyntax show dot1x ip-ACL Displaying the status of strict security mode Syntax show dot1x mac-address-filter all ethernet portSyntax show dot1x ip-ACL all ethernet port Global-filter-strict-security Enable Displaying 802.1X multiple-host authentication information Mac Session max-age Seconds Displaying 802.1X multiple-host configuration information Pvid Syntax show dot1x mac-session Syntax show dot1x mac-session brief Output from the show dot1x mac-session brief command Sample 802.1X configurations Sample 802.1X configurationsPoint-to-point configuration Same point-to-point 802.1x configuration Sample 802.1x configuration using a hub Hub configuration 802.1X authentication with dynamic Vlan assignment Auth-fail-vlanid Page MAC Port Security Local and global resources used for MAC port security MAC port security overview MAC port security configuration Enabling the MAC port security featureSyntax port security Syntax no enable Setting the port security age timer MAC port security configurationSyntax no age minutes Specifying secure MAC addresses On an untagged interfaceOn a tagged interface Dropping packets from a violating address Syntax violation restrictSyntax violation restrict age Disabling the port for a specified amount of time Clearing port security statisticsClearing restricted MAC addresses Clearing violation statistics Displaying port security settings Displaying port security informationDisplaying the secure MAC addresses Syntax show port security statistics port Output from the show port security mac commandOutput from the show port security statistics port command Displaying port security statistics Displaying restricted MAC addresses on a port Syntax show port security statistics moduleSyntax show port security ethernet port restricted-macs Static and dynamic hosts MAC-based Vlan overview MAC-based Vlan and port up or down events MAC-based Vlan feature structureSource MAC address authentication Policy-based classification and forwarding Description CLI level Dynamic MAC-based Vlan CLI commandsDynamic MAC-based Vlan Dynamic MAC-based Vlan CLI command Description CLI level Dynamic MAC-based Vlan configuration exampleDynamic MAC-based Vlan CLI commands for MAC-based VLANs Following example shows a MAC-based Vlan configuration MAC-based Vlan configuration MAC-based Vlan configuration Attribute ID Data type Optional or Description Mandatory Using MAC-based VLANs and 802.1X security on the same port Aging process for MAC-based Vlan works as described below Aging for MAC-based VlanFor permitted hosts For blocked hosts Globally disabling aging Disabling aging for MAC-based Vlan sessionsFor MAC-based dynamic activation To change the length of the software aging period Disabling the aging on interfaces Configuring the maximum MAC addresses per portConfiguring a MAC-based Vlan for a static host Syntax no mac-authentication disable-aging Configuring MAC-based Vlan for a dynamic host Configuring dynamic MAC-based VlanSyntax mac-vlan-permit ethernet stack-unit/slotnum/portnum Displaying the MAC-VLAN table Configuring MAC-based VLANs using SnmpEnter the following command to display the MAC-VLAN table Displaying information about MAC-based VLANs Syntax show table-mac-vlan mac-address Displaying the MAC-VLAN table for a specific MAC addressDisplaying allowed MAC addresses Displaying information about MAC-based VLANs Syntax show table-mac-vlan denied-mac Displaying denied MAC addresses Displaying detailed MAC-VLAN data Default Displaying MAC-VLAN information for a specific interface Vlan Displaying MAC addresses in a MAC-based Vlan Clearing MAC-VLAN information Clearing MAC-VLAN informationSample MAC-based Vlan application Displaying MAC-based Vlan logging Sample MAC-based Vlan application Sample MAC-based Vlan configuration 0000.0075.3f73 1/1/1 Sample MAC-based Vlan application How multi-device port authentication works Multi-Device Port Authentication Radius authentication Authentication-failure actionsSupported Radius attributes Support for dynamic Vlan assignment Support for dynamic ACLsSupport for dynamic ARP inspection with dynamic ACLs Support for source guard protection Support for Dhcp snooping with dynamic ACLs Configuring Brocade-specific attributes on Radius server Multi-device port authentication configuration Syntax no mac-authentication enable Enabling multi-device port authenticationGlobally enabling multi-device port authentication Enabling multi-device port authentication on an interface Specifying the authentication-failure action Multi-device port authentication configurationSyntax no mac-authentication auth-fail-vlan-id vlan-id Generating traps for multi-device port authentication Configuring dynamic Vlan assignmentDefining MAC address filters Syntax no mac-authentication no-override-restrict-vlan Syntax no mac-authentication enable-dynamic-vlan Vlan-namestring Syntax mac-authentication disable-ingress-filtering Configuration notes and limitations Syntax no mac-authentication save-dynamicvlan-to-config Dynamically applying IP ACLs to authenticated MAC addressesPage Enabling denial of service attack protection Configuring the Radius server to support dynamic IP ACLsACLs configured on the Brocade device Enabling source guard protection Syntax no mac-authentication dos-protection mac-limit number Syntax clear auth-mac-table Clearing authenticated MAC addressesSyntax no mac-authentication source-guard-protection enable Enter the no form of the command to disable SG protection Syntax clear auth-mac-table ethernet port Disabling aging for authenticated MAC addressesSyntax mac-authentication clear-mac-session mac-address Globally disabling aging of MAC addresses Disabling the aging of MAC addresses on interfaces Syntax no mac-authentication hw-deny-age num Specifying the aging time for blocked MAC addresses Specifying the Radius timeout actionPermit user access to the network after a Radius timeout Syntax no mac-authentication auth-timeout-action success Multi-device port authentication password override Deny user access to the network after a Radius timeoutSyntax no mac-authentication auth-timeout-action failure Syntax no mac-authentication password-override password Displaying multi-device port authentication informationLimiting the number of authenticated MAC addresses Displaying authenticated MAC address information Syntax show auth-mac-address configuration Output from the show authenticated-mac-address command Syntax show auth-mac-address mac-addressip-addrport Syntax show auth-mac-addresses authorized-mac Displaying the authenticated MAC addresses Syntax show auth-mac-address ethernet port Displaying the non-authenticated MAC addressesSyntax show auth-mac-addresses unauthorized-mac Explains the information in the output Syntax show auth-mac-address detail ethernet port YES Output from the show auth-mac-addresses detailed command Pvid Example port authentication configurations Interface ethernet 1 dual-modemac-authentication enable Example port authentication configurations Port e1/1/1 Dual Mode Example port authentication configurations Radius Server User 0000.008e.86ac IP Phone Profile No Profile for MAC 0000.007f.2e0a PC User 1 Profile Syntax no mac-authentication auth-fail-dot1x-override How a Smurf attack floods a victim with Icmp replies Smurf attacks Avoiding being an intermediary in a Smurf attack Avoiding being a victim in a Smurf attackSyntax no ip directed-broadcast TCP SYN attacks TCP SYN attacks TCP security enhancement Protecting against a blind injection attack Syntax clear statistics dos-attack Syntax show statistics dos-attack Port-based rate limiting Rate Limiting and Rate Shaping Rate limiting in hardware How port-based fixed rate limiting works Syntax no rate-limit input fixed average-rate Configuration notes for port-based fixed rate limitingConfiguring a port-based fixed rate limiting policy Displaying the port-based fixed rate limiting configuration Rate shaping Configuration notes for rate shapingConfiguring outbound rate shaping for a port Rate shaping CPU rate-limiting Configuring outbound rate shaping for a specific priorityConfiguring outbound rate shaping for a trunk port Displaying rate shaping configurations ARP Packet type Rate limit ARP poisoning Dynamic ARP inspection ARP entries Dynamic ARP Inspection 281 Syntax no arp ip-addrmac-addrinspection Dynamic ARP inspection configurationConfiguring an inspection ARP entry Enabling DAI on a Vlan Enabling trust on a port Dhcp snoopingDisplaying ARP inspection status and ports Displaying the ARP table Dhcp binding database How Dhcp snooping worksPage Syntax no ip dhcp snooping vlan vlan-number Syntax no dhcp snooping client-learning disableEnabling Dhcp snooping on a Vlan Disabling the learning of Dhcp clients on a port Displaying Dhcp binding entry and status Clearing the Dhcp binding databaseDisplaying Dhcp snooping status and ports Displaying the Dhcp snooping binding database Dhcp snooping configuration example Dhcp relay agent informationDhcp relay agent information Dhcp option 82 sub-options Configuration notes for Dhcp option Sub-option 1 Circuit ID Sub-option 2 Remote IDSub-option 6 Subscriber ID Syntax no dhcp snooping relay information Dhcp option 82 configuration Changing the forwarding policy Enabling and disabling subscriber ID processingSyntax ip dhcp relay information policy policy-type Viewing the circuit ID, remote ID, and forwarding policy Viewing the ports on which Dhcp option 82 is disabledOutput for the ip dhcp relay information command Viewing information about Dhcp option 82 processing IP source guard Viewing the status of Dhcp option 82 and the subscriber IDSyntax show interfaces ethernet port Page No source-guard enable Defining static IP source bindingsFor ip-addr, enter a valid IP address Displaying learned IP addresses Syntax no source-guard enableEnabling IP source guard per-port-per-VLAN Enabling IP source guard on a VE IP source guard Configuration notes and feature limitations Configuring rate limiting for BUM trafficBroadcast, unknown Unicast, and Multicast rate limiting Viewing rate limits set on BUM traffic Syntax show rate-limit broadcast Syntax show run interface Broadcast, unknown Unicast, and Multicast rate limiting Index ARP Radius Page Page MAC-VLAN Page SSH Vlan Ip access-group,110 mac-vlan-permit,220 source-guard enable