Brocade ICX
Brocade Communications Systems, Incorporated
Contents
Brocade ICX 6650 Security Configuration Guide
ACL-based rate limiting overview
Types of ACL-based rate limiting
Chapter 802.1X Port Security
IETF RFC support
Local and global resources used for MAC port security
MAC-based VLAN feature structure
MAC port security overview
MAC-based VLAN overview
Authentication-failure actions
How multi-device port authentication works
RADIUS authentication
Supported RADIUS attributes
Smurf attacks
Avoiding being an intermediary in a Smurf attack
Avoiding being a victim in a Smurf attack
Displaying the port-based fixed rate limiting configuration
Configuration notes for port-based fixed rate limiting
Configuring a port-based fixed rate limiting policy
Configuration notes and feature limitations for DAI
Broadcast, unknown Unicast, and Multicast rate limiting
Configuration notes and feature limitations
Configuring rate limiting for BUM traffic
Viewing rate limits set on BUM traffic
Audience
Supported hardware and software
Brocade ICX 6650 slot and port numbering
How this document is organized
DHCP on
Command syntax conventions
Document conventions
Text formatting
Related publications
Corporation Referenced Trademarks and Products
Brocade resources
Additional information
Getting technical help
Other industry resources
Document feedback
Securing access methods
Feature Brocade ICX
Method is secured
Remote access to management function restrictions
ACL usage to restrict remote access
Syntax telnet access-group num
Using an ACL to restrict Telnet access
Using an ACL to restrict SSH access
Syntax ssh access-group num
Using ACLs to restrict SNMP access
Defining the console idle time
Syntax snmp-server community string ro rw num
Remote access restrictions
Restricting Telnet access to a specific IP address
Restricting SSH access to a specific IP address
Restricting Telnet connection
Restricting access to the device based on IP or MAC address
Restricting SNMP access to a specific IP address
Restricting SSH connection
Changing the login timeout period for Telnet sessions
Defining the Telnet idle time
Restricting HTTP and HTTPS connection
Restricting Telnet access to a specific VLAN
Syntax no telnet login-retries number
Syntax no telnet server enable vlan vlan-id
Restricting SNMP access to a specific VLAN
Restricting TFTP access to a specific VLAN
Syntax no snmp-server enable vlan vlan-id
Device management security
Allowing SSHv2 access to the Brocade device
Syntax no default-gateway ip-addr metric
Syntax crypto key generate zeroize
Disabling Telnet access
Disabling specific access methods
Allowing SNMP access to the Brocade device
Disabling SNMP access
Syntax no tftp disable
Passwords used to secure access
Setting a Telnet password
Syntax no enable telnet password string
Setting passwords for management privilege levels
Passwords used to secure access
Syntax no telnet server suppress-reject-message
Syntax enable read-only-password text
Augmenting management privilege levels
Enter boot system flash primary at the prompt
Recovering from a lost password
Specifying a minimum password length
After the console prompt reappears, assign a new password
Local user accounts
Enhancements to username and password
Syntax enable password-min-length number-of-characters
Number-of-characters can be from
Enabling enhanced user password combination requirements
Syntax no enable strict-password-enforcement
Syntax username name password Enter
Enabling user password masking
Enabling user password aging
Syntax no enable user password-masking
Syntax no enable user password-aging
Configuring password history
Enhanced login lockout
Syntax no enable user password-history 1
Syntax username name enable
Local user account configuration
Setting passwords to expire
Requirement to accept the message of the day
Local user accounts with no passwords
Local user accounts with unencrypted passwords
Using the username user-string create-password command
Creating a password option
Local accounts with encrypted passwords
Syntax show users
TACACS and TACACS+ security
Changing a local user password
Syntax no username user-string password password-string
How TACACS+ differs from TACACS
TACACS/TACACS+ authentication, authorization, and accounting
Kill console Syntax kill console all unit
TACACS authentication
TACACS+ authentication
TACACS+ authorization
TACACS+ accounting
AAA security for commands pasted into the running-config
AAA operations for TACACS/TACACS+
User action Applicable AAA operations
TACACS/TACACS+ configuration considerations
Configuring TACACS
Configuring TACACS+
Enabling TACACS
Identifying the TACACS/TACACS+ servers
Setting optional TACACS and TACACS+ parameters
Specifying different servers for individual AAA functions
Setting the TACACS+ key
Setting the retransmission limit
Setting the timeout parameter
Method parameter Description
Entering privileged Exec mode after a Telnet or SSH login
Syntax aaa authentication login privilege-mode
Syntax no aaa authentication enable implicit-user
Syntax aaa authorization exec default tacacs+ none
Configuring TACACS+ authorization
Configuring Exec authorization
Configuring an Attribute-Value pair on the TACACS+ server
Foundry-privlvl =
Configuring command authorization
AAA support for console commands
Configuring TACACS+ accounting for CLI commands
TACACS+ accounting configuration
Configuring TACACS+ accounting for Telnet/SSH Shell access
Syntax no enable aaa console
Configuring TACACS+ accounting for system events
Output of the show aaa command for TACACS/TACACS+
RADIUS authentication, authorization, and accounting
RADIUS authentication
RADIUS security
RADIUS authorization
RADIUS accounting
AAA operations for RADIUS
RADIUS configuration considerations
RADIUS security AAA operations for RADIUS
Configuring RADIUS
Brocade-specific attributes on the RADIUS server
Port Configuration level Allows
Attribute ID Data type Description
Enabling SNMP to configure RADIUS
Identifying the RADIUS server to the Brocade device
Attribute name Attribute ID Data type Description
Following shows an example configuration
RADIUS server per port configuration notes
RADIUS configuration example and command syntax
RADIUS server per port
Syntax use-radius-server ip-addr
RADIUS server-to-ports configuration notes
RADIUS server to individual ports mapping
Host ip-addr is an IPv4 address
Syntax radius-server key 0 1 string
Setting the RADIUS key
RADIUS parameters
Syntax radius-server retransmit number
Syntax radius-server timeout number
Setting authentication-method lists for RADIUS
Setting RADIUS over IPv6
Syntax radius-server host ipv6 ipv6-host address
Setting passwords for management privilege levels on
RADIUS authorization
Syntax aaa authorization exec default radius none
Command authorization and accounting for console commands
Configuring RADIUS accounting for Telnet/SSH Shell access
Configuring RADIUS accounting for CLI commands
RADIUS accounting
Displaying RADIUS configuration information
Configuring RADIUS accounting for system events
Output of the show aaa command for RADIUS
Authentication-method lists
Examples of authentication-method lists
Authentication-method lists
Command Syntax
Following is the command syntax for the preceding examples
Example
User account configuration on
TCP Flags edge port security
Using TCP Flags in combination with other ACL features
TCP Flags edge port security
SSH2 and SCP
SSH version 2 overview
Tested SSH2 clients
SSH2 supported features
SSH2 unsupported features
Key exchange methods are diffie-hellman-group1-sha1
SSH2 authentication types
Configuring SSH2
Configure DSA or RSA challenge-response authentication
Setting the CPU priority for key generation
Generating and deleting a DSA key pair
Generating and deleting an RSA key pair
Providing the public key to clients
Configuring DSA or RSA challenge-response authentication
Deleting DSA and RSA key pairs
Syntax crypto key zeroize
Importing authorized public keys into the Brocade device
Begin SSH2 Public KEY
Optional SSH parameters
Enabling DSA or RSA challenge-response authentication
Syntax ip ssh key-authentication yes no
Syntax clear public-key
Syntax ip ssh authentication-retries number
Setting the number of SSH authentication retries
Deactivating user authentication
Syntax ip ssh password-authentication no yes
Setting the SSH login timeout value
Enabling empty password logins
Setting the SSH port number
Configuring the maximum idle time for SSH sessions
Displaying SSH information
Filtering SSH access using ACLs
Terminating an active SSH connection
Displaying SSH connection information
Displaying SSH information
Displaying SSH configuration information
Syntax show ip ssh config
SSH connection information
Displaying SSH information SSH configuration information
Displaying additional SSH connection information
Copying a file to the running configuration
Secure copy configuration notes
Example file transfers using SCP
Secure copy with SSH2
Copying a software image file to flash memory
Copying a file to the startup configuration
To overwrite the running configuration file
Copying a software image file from flash memory
Importing a digital certificate using SCP
Importing an RSA private key
Importing a DSA or RSA public key
Configuring SSH2 client public key authentication
SSH2 client
Enabling SSH2 client
Generating and deleting a client RSA key pair
Using SSH2 client
Generating and deleting a client DSA key pair
Exporting client public keys
Displaying SSH2 client information
Supported ACL features on outbound traffic
Rule-Based IP ACLs
ACL overview Supported ACL features on outbound traffic
ACL overview
Numbered and named ACLs
Types of IP ACLs
ACL IDs and entries
ACL overview Virtual routing interfaces
How fragmented packets are processed
Default ACL action
How hardware-based ACLs work
Hardware aging of Layer 4 CAM entries
ACL configuration considerations
Configuring standard numbered ACLs
Standard numbered ACL syntax
Standard named ACL configuration
Configuration example for standard numbered ACLs
Syntax no ip access-list standard ACL-name ACL-num
Standard named ACL syntax
Brocade ICX 6650 Security Configuration Guide 53-1002601-01
Extended numbered ACL configuration
Configuration example for standard named ACLs
Extended numbered ACL configuration
Extended numbered ACL syntax
Num
Configuration examples for extended numbered ACLs
Here is another example of an extended ACL
Extended named ACL configuration
Extended named ACL syntax
Num
Preserving user input for ACL TCP/UDP port numbers
Syntax enable egress-acl-on-cpu-traffic
Applying egress ACLs to Control CPU traffic
Syntax ip preserve-ACL-user-input-format
ACL comment text management
Adding a comment to an entry in a numbered ACL
Deleting a comment from an ACL entry
Show running-config Show access-list Show ip access-list
Adding a comment to an entry in a named ACL
Viewing comments in an ACL
Syntax show running-config
Configuration notes for ACL logging
ACL logging
Configuration tasks for ACL logging
Example ACL logging configuration
Syntax logging-enable
Displaying ACL Log Entries
Syntax ACL-logging
Syntax no ip access-group frag deny
Syntax show log
Configuration notes for ACL filtering
Syntax no enable ACL-per-port-per-vlan
Enter the no form of the command to disable this feature
Syntax per-vlan Vlan ID Syntax no ip access-group ACL ID
Syntax no ip access-group ACL ID in ethernet port to port
ACLs to filter ARP packets
Syntax no ip use-ACL-on-arp access-list-number
Configuration considerations for filtering ARP packets
Configuring ACLs for ARP filtering
ACLs to filter ARP packets
Clearing the filter count
Filtering on IP precedence and ToS values
Displaying ACL filters for ARP
Syntax show ACL-on-arp ethernet port loopback num ve num
QoS options for IP ACLs
TCP flags edge port security
Configuration notes for QoS options on Brocade ICX
Using an IP ACL to mark DSCP values DSCP marking
Syntax ...dscp-marking dscp-value
Combined ACL for 802.1p marking
QoS options for IP ACLs
For IP
DSCP matching
Using an ACL to change the forwarding queue
ACL-based rate limiting
Syntax ...dscp-matching 0
ACLs to control multicast features
ACL statistics
Enabling and viewing hardware usage statistics for an ACL
Displaying ACL information
Troubleshooting ACLs
Syntax show access-list ACL-num ACL-name all
Policy Based Routing
Configuration considerations for policy-based routing
Configuring a PBR policy
Configuring the ACLs
Configuring the route map
Syntax no route-map map-name permit deny num
Enabling PBR
Basic example of PBR
Configuration examples for PBR
Setting the next hop
Policy Based Routing
Setting the output interface to the null interface
Trunk formation with PBR policy
Feature
IPv6 ACL overview
IPv6 ACL configuration notes
IPv6 ACL traffic filtering criteria
IPv6 protocol names and numbers
Configuring an IPv6 ACL
Example IPv6 configurations
Configuring an IPv6 ACL
Show ipv6 access-list command displays the following
Here is another example
Default and implicit IPv6 ACL action
Syntax for creating an IPv6 ACL
Syntax no ipv6 access-list ACL-name
Creating an IPv6 ACL
Ipv6-operator dscp
For ICMP
For TCP
For UDP
IPv6 ACL arguments Description
Ipv6-source-prefix /prefix-length
Creating an IPv6 ACL Syntax descriptions
IPv6 ACL arguments Description
ICMP message configurations
802.1p-priority-matching number
Syntax ipv6 enable
Applying an IPv6 ACL to an interface
Applying an IPv6 ACL to a trunk group
Adding a comment to an IPv6 ACL entry
Syntax for applying an IPv6 ACL
Syntax ipv6 traffic-filter ipv6-ACL-name in
Deleting a comment from an IPv6 ACL entry
Support for ACL logging
Displaying IPv6 ACLs
Syntax show ipv6 access-list
Syntax show ipv6 access-list access-list-name
Displaying IPv6 ACLs
ACL-based rate limiting overview
Types of ACL-based rate limiting
Traffic policies overview
Traffic policy structure
ACL statistics
Configuring fixed rate limiting
Configuration notes for traffic policies
Configuring adaptive rate limiting
ACL based adaptive rate limiting parameters
Parameter Definition
Handling packets that exceed the rate limit
Dropping packets
Enabling and using ACL statistics
Permitting packets at low priority
Enabling and using ACL statistics
Enabling ACL statistics
Enabling ACL statistics with rate limiting traffic policies
Viewing ACL and rate limit counters
Parameter Description
Clearing ACL and rate limit counters
ACL and rate limit counting statistics
General Counters
Viewing traffic policies
Syntax show traffic-policy TPD-name
Parameter Description
802.1X Port Security
IETF RFC support
Device roles in an 802.1X configuration
How 802.1X port security works
Communication between the devices
Controlled and uncontrolled ports
PAE
Message exchange during authentication
Setting the IP MTU size
Refer to EAP pass-through support on
EAP pass-through support
Authenticating multiple hosts connected to the same port
Configuration notes for setting the IP MTU size
Syntax no ip mtu num
How 802.1X multiple-host authentication works
Multiple hosts connected to a single 802.1X-enabled port
Configuration notes for 802.1x multiple-host authentication
802.1X port security and sFlow
Configure the device role as the Authenticator
802.1X port security configuration
Configure the device interaction with Clients
Syntax no aaa authentication dot1x default method-list
Configuring an authentication method list for
Setting RADIUS parameters
Supported RADIUS attributes
Specifying the RADIUS timeout action
Permit user access to the network after a RADIUS timeout
Syntax no dot1x auth-timeout-action success
Syntax no dot1x re-auth-timeout- success seconds
Dynamic VLAN assignment for 802.1X port configuration
Re-authenticate a user
Deny user access to the network after a RADIUS timeout
Type Value
Dynamic multiple VLAN assignment for 802.1X ports
Saving dynamic VLAN assignments to the running-config file
Syntax save-dynamicvlan-to-config
802.1X port security configuration
Disabled strict security mode
Disabling strict security mode globally
Dynamically applying existing ACLs or MAC address filters
Syntax no dot1x disable-filter-strict-security
ACL or MAC address filter configured on the Brocade device
Syntax no global-filter-strict-security
Configuring per-user IP ACLs or MAC address filters
Value Description
Setting the port control
Enabling 802.1X port security
Configuring periodic re-authentication
Syntax no re-authentication
Syntax no timeout re-authperiod seconds
Setting the wait interval for EAP frame retransmissions
Re-authenticating a port manually
Setting the quiet period
Syntax dot1x re-authenticate ethernet port
Value is a number from 1-10. The default is
Setting the maximum number of EAP frame retransmissions
Syntax no timeout tx-period seconds
Syntax auth-max value
Initializing 802.1X on a port
Syntax supptimeout seconds
Syntax servertimeout seconds
Syntax maxreq value
Specifying the authentication-failure action
Allowing access to multiple hosts
Configuring 802.1X multiple-host authentication
Syntax no auth-fail-action restricted-vlan
Disabling aging for dot1x-mac-sessions
This command enables aging of permitted sessions
Syntax no auth-fail-max-attempts attempts
Syntax no mac-session-aging no-aging permitted-mac-only
Moving native VLAN mac-sessions to restrict VLAN
Specifying the aging time for blocked clients
Syntax no mac-age-time seconds
Syntax clear dot1x mac-session mac-address
Syntax timeout restrict-fwd-period num
802.1X accounting configuration
Configuring VLAN access for non-EAP-capable clients
MAC address filters for EAP frames
802.1X accounting attributes for RADIUS
To enable 802.1X accounting, enter the following command
Syntax aaa accounting dot1x default start-stop radius none
Enabling 802.1X accounting
Displaying 802.1X information
Displaying 802.1X configuration information
Output from the show dot1x command
Syntax show dot1x
Syntax show dot1x config ethernet port
Forceunauth
Syntax show dot1x statistics ethernet port
Displaying 802.1X statistics
Displaying 802.1X information
Field Statistics
Syntax clear dot1x statistics all
Clearing 802.1X statistics
Displaying dynamically assigned VLAN information
Syntax clear dot1x statistics ethernet port
Displaying user-defined MAC address filters and IP ACLs
Syntax show dot1x mac-address-filter
Syntax show dot1x ip-ACL
Displaying the status of strict security mode
Syntax show dot1x mac-address-filter all ethernet port
Syntax show dot1x ip-ACL all ethernet port
Displaying 802.1X multiple-host authentication information
Global-filter-strict-security Enable
Displaying 802.1X multiple-host configuration information
Mac Session max-age Seconds
Pvid
Syntax show dot1x mac-session
Output from the show dot1x mac-session brief command
Syntax show dot1x mac-session brief
Same point-to-point 802.1x configuration
Sample 802.1X configurations
Point-to-point configuration
Sample 802.1X configurations
Hub configuration
Sample 802.1x configuration using a hub
802.1X authentication with dynamic VLAN assignment
Auth-fail-vlanid
MAC Port Security
MAC port security overview
Local and global resources used for MAC port security
MAC port security configuration
Enabling the MAC port security feature
Syntax port security Syntax no enable
Setting the port security age timer
MAC port security configuration
Syntax no age minutes
Specifying secure MAC addresses
On an untagged interface
On a tagged interface
Dropping packets from a violating address
Syntax violation restrict
Syntax violation restrict age
Clearing violation statistics
Clearing port security statistics
Clearing restricted MAC addresses
Disabling the port for a specified amount of time
Displaying port security settings
Displaying port security information
Displaying the secure MAC addresses
Displaying port security statistics
Output from the show port security mac command
Output from the show port security statistics port command
Syntax show port security statistics port
Displaying restricted MAC addresses on a port
Syntax show port security statistics module
Syntax show port security ethernet port restricted-macs
MAC-based VLAN overview
Static and dynamic hosts
Policy-based classification and forwarding
MAC-based VLAN feature structure
Source MAC address authentication
MAC-based VLAN and port up or down events
Dynamic MAC-based VLAN
Dynamic MAC-based VLAN CLI commands
Dynamic MAC-based VLAN
Description CLI level
Following example shows a MAC-based VLAN configuration
Dynamic MAC-based VLAN configuration example
Dynamic MAC-based VLAN CLI commands for MAC-based VLANs
CLI command Description CLI level
MAC-based VLAN configuration
Using MAC-based VLANs and 802.1X security on the same port
Attribute ID Data type Optional or Description Mandatory
For blocked hosts
Aging for MAC-based VLAN
For permitted hosts
Aging process for MAC-based VLAN works as described below
To change the length of the software aging period
Disabling aging for MAC-based VLAN sessions
For MAC-based dynamic activation
Globally disabling aging
Syntax no mac-authentication disable-aging
Configuring the maximum MAC addresses per port
Configuring a MAC-based VLAN for a static host
Disabling the aging on interfaces
Configuring MAC-based VLAN for a dynamic host
Configuring dynamic MAC-based VLAN
Syntax mac-vlan-permit ethernet stack-unit/slotnum/portnum
Displaying information about MAC-based VLANs
Configuring MAC-based VLANs using SNMP
Enter the following command to display the MAC-VLAN table
Displaying the MAC-VLAN table
Displaying information about MAC-based VLANs
Displaying the MAC-VLAN table for a specific MAC address
Displaying allowed MAC addresses
Syntax show table-mac-vlan mac-address
Displaying denied MAC addresses
Syntax show table-mac-vlan denied-mac
Default
Displaying detailed MAC-VLAN data
Displaying MAC-VLAN information for a specific interface
Displaying MAC addresses in a MAC-based VLAN
VLAN
Displaying MAC-based VLAN logging
Clearing MAC-VLAN information
Sample MAC-based VLAN application
Clearing MAC-VLAN information
Sample MAC-based VLAN configuration
Sample MAC-based VLAN application
0000.0075.3f73 1/1/1
Sample MAC-based VLAN application
Multi-Device Port Authentication
How multi-device port authentication works
RADIUS authentication
Authentication-failure actions
Supported RADIUS attributes
Support for dynamic VLAN assignment
Support for dynamic ACLs
Support for dynamic ARP inspection with dynamic ACLs
Support for DHCP snooping with dynamic ACLs
Support for source guard protection
Configuring Brocade-specific attributes on RADIUS server
Multi-device port authentication configuration
Enabling multi-device port authentication on an interface
Enabling multi-device port authentication
Globally enabling multi-device port authentication
Syntax no mac-authentication enable
Specifying the authentication-failure action
Multi-device port authentication configuration
Syntax no mac-authentication auth-fail-vlan-id vlan-id
Generating traps for multi-device port authentication
Configuring dynamic VLAN assignment
Defining MAC address filters
Syntax no mac-authentication enable-dynamic-vlan
Syntax no mac-authentication no-override-restrict-vlan
Syntax mac-authentication disable-ingress-filtering
Vlan-namestring
Configuration notes and limitations
Dynamically applying IP ACLs to authenticated MAC addresses
Syntax no mac-authentication save-dynamicvlan-to-config
Enabling denial of service attack protection
Configuring the RADIUS server to support dynamic IP ACLs
ACLs configured on the Brocade device
Syntax no mac-authentication dos-protection mac-limit number
Enabling source guard protection
Enter the no form of the command to disable SG protection
Clearing authenticated MAC addresses
Syntax no mac-authentication source-guard-protection enable
Syntax clear auth-mac-table
Globally disabling aging of MAC addresses
Disabling aging for authenticated MAC addresses
Syntax mac-authentication clear-mac-session mac-address
Syntax clear auth-mac-table ethernet port
Syntax no mac-authentication hw-deny-age num
Disabling the aging of MAC addresses on interfaces
Syntax no mac-authentication auth-timeout-action success
Specifying the RADIUS timeout action
Permit user access to the network after a RADIUS timeout
Specifying the aging time for blocked MAC addresses
Multi-device port authentication password override
Deny user access to the network after a RADIUS timeout
Syntax no mac-authentication auth-timeout-action failure
Displaying authenticated MAC address information
Displaying multi-device port authentication information
Limiting the number of authenticated MAC addresses
Syntax no mac-authentication password-override password
Output from the show authenticated-mac-address command
Syntax show auth-mac-address configuration
Syntax show auth-mac-address mac-address ip-addr port
Displaying the authenticated MAC addresses
Syntax show auth-mac-addresses authorized-mac
Explains the information in the output
Displaying the non-authenticated MAC addresses
Syntax show auth-mac-addresses unauthorized-mac
Syntax show auth-mac-address ethernet port
Syntax show auth-mac-address detail ethernet port
Output from the show auth-mac-addresses detailed command
YES
Pvid
Example port authentication configurations
Interface ethernet 1 dual-mode mac-authentication enable
Port e1/1/1 Dual Mode
Example port authentication configurations
RADIUS Server User 0000.008e.86ac IP Phone Profile
No Profile for MAC 0000.007f.2e0a PC User 1 Profile
Syntax no mac-authentication auth-fail-dot1x-override
Smurf attacks
How a Smurf attack floods a victim with ICMP replies
Avoiding being an intermediary in a Smurf attack
Avoiding being a victim in a Smurf attack
Syntax no ip directed-broadcast
TCP SYN attacks
TCP security enhancement
Protecting against a blind injection attack
Syntax show statistics dos-attack
Syntax clear statistics dos-attack
Rate Limiting and Rate Shaping
Port-based rate limiting
How port-based fixed rate limiting works
Rate limiting in hardware
Displaying the port-based fixed rate limiting configuration
Configuration notes for port-based fixed rate limiting
Configuring a port-based fixed rate limiting policy
Syntax no rate-limit input fixed average-rate
Rate shaping
Configuration notes for rate shaping
Configuring outbound rate shaping for a port
Rate shaping
Displaying rate shaping configurations
Configuring outbound rate shaping for a specific priority
Configuring outbound rate shaping for a trunk port
CPU rate-limiting
Packet type Rate limit
ARP
Dynamic ARP inspection
ARP poisoning
Dynamic ARP Inspection
ARP entries
Enabling DAI on a VLAN
Dynamic ARP inspection configuration
Configuring an inspection ARP entry
Syntax no arp ip-addr mac-addr inspection
Displaying the ARP table
DHCP snooping
Displaying ARP inspection status and ports
Enabling trust on a port
How DHCP snooping works
DHCP binding database
Disabling the learning of DHCP clients on a port
Syntax no dhcp snooping client-learning disable
Enabling DHCP snooping on a VLAN
Syntax no ip dhcp snooping vlan vlan-number
Displaying the DHCP snooping binding database
Clearing the DHCP binding database
Displaying DHCP snooping status and ports
Displaying DHCP binding entry and status
DHCP snooping configuration example
DHCP relay agent information
Configuration notes for DHCP option
DHCP option 82 sub-options
Sub-option 1 Circuit ID
Sub-option 2 Remote ID
Sub-option 6 Subscriber ID
DHCP option 82 configuration
Syntax no dhcp snooping relay information
Changing the forwarding policy
Enabling and disabling subscriber ID processing
Syntax ip dhcp relay information policy policy-type
Viewing information about DHCP option 82 processing
Viewing the ports on which DHCP option 82 is disabled
Output for the ip dhcp relay information command
Viewing the circuit ID, remote ID, and forwarding policy
IP source guard
Viewing the status of DHCP option 82 and the subscriber ID
Syntax show interfaces ethernet port
No source-guard enable
Defining static IP source bindings
For ip-addr, enter a valid IP address
Enabling IP source guard on a VE
Syntax no source-guard enable
Enabling IP source guard per-port-per-VLAN
Displaying learned IP addresses
IP source guard
Configuration notes and feature limitations
Configuring rate limiting for BUM traffic
Broadcast, unknown Unicast, and Multicast rate limiting
Viewing rate limits set on BUM traffic
Syntax show run interface
Syntax show rate-limit broadcast
Broadcast, unknown Unicast, and Multicast rate limiting
Index
ARP
RADIUS
MAC-VLAN
SSH
Ip access-group,110 mac-vlan-permit,220 source-guard enable
VLAN