0000.0075.3f73 1/1/1

	Sample MAC-based VLAN application
mac-authentication	max-age 60
mac-authentication	hw-deny-age 30
mac-authentication	auth-passwd-format xxxx.xxxx.xxxx
interface ethernet	1/1/1
mac-authentication mac-vlan max-mac-entries 5
mac-authentication mac-vlan 0000.0088.b9fe vlan 1 priority 1
mac-authentication mac-vlan enable
!	1/1/2
interface ethernet	1/1/2
mac-authentication	mac-vlan max-mac-entries 5
mac-authentication	mac-vlan enable
!

end

The show table-mac-vlancommand returns the following results for all ports in this configuration.

Brocade# show table-mac-vlan

---------------------------------------------------------------

Port	Vlan Accepted	Rejected	Attempted	Static	Static	Max
	Macs	Macs	Macs	Macs	Conf	Macs

----------------------------------------------------------------

1/1/1	N/A	2	1	0	1	1	5
1/1/2	N/A	0	0	0	0	0	5

The show table-mac-vlan ethernet 1/1/1 command returns the following results for port1/1/1 in this configuration.

Brocade# show table-mac-vlan ethernet 1/1/1

-------------------------------------------------------------------------------

MAC Address	Port	Vlan Authenticated Time Age	CAM	MAC Dot1x Type Pri
			Index	Index

-------------------------------------------------------------------------------

0000.0075.3f73 1/1/1		2	Yes	00d00h00m46s S32		0001	3728	Dis	Dyn	4
0000.0088.b9fe	1/1/1	1	Yes	00d00h00m08s	Dis	0000	0970	Dis	Sta	1
0000.0075.3ff5	1/1/1	666	Rst	01d18h47m58s	S8	0002	1ee4 Dis		Dyn	0

Brocade ICX 6650 Security Configuration Guide	229
53-1002601-01

Page 249

Image 249

Brocade Communications Systems 6650 manual 0000.0075.3f73 1/1/1

Contents

Brocade ICX Brocade Communications Systems, Incorporated Contents Brocade ICX 6650 Security Configuration Guide Chapter Brocade ICX 6650 Security Configuration Guide Types of ACL-based rate limiting ACL-based rate limiting overview Ietf RFC support Chapter 802.1X Port Security MAC port security overview MAC-based Vlan feature structureLocal and global resources used for MAC port security MAC-based Vlan overview Radius authentication How multi-device port authentication worksAuthentication-failure actions Supported Radius attributes Smurf attacks Avoiding being an intermediary in a Smurf attackAvoiding being a victim in a Smurf attack Configuring a port-based fixed rate limiting policy Configuration notes for port-based fixed rate limitingDisplaying the port-based fixed rate limiting configuration Configuration notes and feature limitations for DAI Configuring rate limiting for BUM traffic Configuration notes and feature limitationsBroadcast, unknown Unicast, and Multicast rate limiting Viewing rate limits set on BUM trafficPage Audience Supported hardware and softwareBrocade ICX 6650 slot and port numbering Dhcp on How this document is organized Command syntax conventions Document conventionsText formatting Corporation Referenced Trademarks and Products Related publications Getting technical help Additional informationBrocade resources Other industry resources Document feedback Feature Brocade ICX Securing access methods Method is secured ACL usage to restrict remote access Remote access to management function restrictions Using an ACL to restrict SSH access Using an ACL to restrict Telnet accessSyntax telnet access-group num Syntax ssh access-group num Using ACLs to restrict Snmp access Defining the console idle timeSyntax snmp-server community string ro rw num Remote access restrictions Restricting Telnet access to a specific IP addressRestricting SSH access to a specific IP address Restricting Snmp access to a specific IP address Restricting access to the device based on IP or MAC addressRestricting Telnet connection Restricting SSH connection Changing the login timeout period for Telnet sessions Defining the Telnet idle timeRestricting Http and Https connection Syntax no telnet login-retries number Restricting Telnet access to a specific Vlan Restricting Tftp access to a specific Vlan Restricting Snmp access to a specific VlanSyntax no telnet server enable vlan vlan-id Syntax no snmp-server enable vlan vlan-id Syntax no default-gateway ip-addr metric Allowing SSHv2 access to the Brocade deviceDevice management security Syntax crypto key generate zeroize Allowing Snmp access to the Brocade device Disabling specific access methodsDisabling Telnet access Disabling Snmp access Setting a Telnet password Passwords used to secure accessSyntax no tftp disable Syntax no enable telnet password string Setting passwords for management privilege levels Passwords used to secure accessSyntax no telnet server suppress-reject-message Augmenting management privilege levels Syntax enable read-only-password text Specifying a minimum password length Recovering from a lost passwordEnter boot system flash primary at the prompt After the console prompt reappears, assign a new password Syntax enable password-min-length number-of-characters Enhancements to username and passwordLocal user accounts Number-of-characterscan be from Syntax no enable strict-password-enforcement Enabling enhanced user password combination requirements Enabling user password aging Enabling user password maskingSyntax username name password Enter Syntax no enable user password-masking Enhanced login lockout Configuring password historySyntax no enable user password-aging Syntax no enable user password-history 1 Setting passwords to expire Local user account configurationSyntax username name enable Requirement to accept the message of the day Local user accounts with unencrypted passwords Local user accounts with no passwords Local accounts with encrypted passwords Creating a password optionUsing the username user-stringcreate-password command Syntax show users Syntax no username user-stringpassword password-string Changing a local user passwordTacacs and TACACS+ security How TACACS+ differs from Tacacs TACACS/TACACS+ authentication, authorization, and accounting Kill console Syntax kill console all unit TACACS+ authentication Tacacs authentication TACACS+ accounting TACACS+ authorization AAA security for commands pasted into the running-config AAA operations for TACACS/TACACS+User action Applicable AAA operations TACACS/TACACS+ configuration considerations Configuring TacacsConfiguring TACACS+ Identifying the TACACS/TACACS+ servers Enabling Tacacs Specifying different servers for individual AAA functions Setting optional Tacacs and TACACS+ parameters Setting the TACACS+ key Setting the retransmission limitSetting the timeout parameter Method parameter Description Entering privileged Exec mode after a Telnet or SSH login Syntax aaa authentication login privilege-modeSyntax no aaa authentication enable implicit-user Configuring Exec authorization Configuring TACACS+ authorizationSyntax aaa authorization exec default tacacs+ none Configuring an Attribute-Value pair on the TACACS+ server Foundry-privlvl = AAA support for console commands Configuring command authorization Configuring TACACS+ accounting for Telnet/SSH Shell access TACACS+ accounting configurationConfiguring TACACS+ accounting for CLI commands Syntax no enable aaa console Configuring TACACS+ accounting for system events Radius authentication Radius authentication, authorization, and accountingOutput of the show aaa command for TACACS/TACACS+ Radius security Radius accounting Radius authorization AAA operations for Radius AAA operations for Radius Radius security AAA operations for Radius Radius configuration considerations Brocade-specific attributes on the Radius server Configuring Radius Attribute ID Data type Description Port Configuration level Allows Enabling Snmp to configure Radius Identifying the Radius server to the Brocade deviceAttribute name Attribute ID Data type Description Radius configuration example and command syntax Radius server per port configuration notesFollowing shows an example configuration Radius server per port Radius server to individual ports mapping Radius server-to-ports configuration notesSyntax use-radius-server ip-addr Host ip-addris an IPv4 address Radius parameters Setting the Radius keySyntax radius-server key 0 1 string Syntax radius-server retransmit number Setting Radius over IPv6 Setting authentication-method lists for RadiusSyntax radius-server timeout number Syntax radius-server host ipv6 ipv6-host address Setting passwords for management privilege levels on Syntax aaa authorization exec default radius none Radius authorization Command authorization and accounting for console commands Configuring Radius accounting for Telnet/SSH Shell access Configuring Radius accounting for CLI commandsRadius accounting Configuring Radius accounting for system events Displaying Radius configuration information Output of the show aaa command for Radius Authentication-method lists Examples of authentication-method listsAuthentication-method lists Command Syntax Following is the command syntax for the preceding examplesExample TCP Flags edge port security User account configuration on TCP Flags edge port security Using TCP Flags in combination with other ACL features TCP Flags edge port security SSH version 2 overview SSH2 and SCP SSH2 unsupported features SSH2 supported featuresTested SSH2 clients Key exchange methods are diffie-hellman-group1-sha1 Configuring SSH2 SSH2 authentication typesSSH2 authentication types Configure DSA or RSA challenge-response authentication Setting the CPU priority for key generation Generating and deleting a DSA key pairGenerating and deleting an RSA key pair Deleting DSA and RSA key pairs Configuring DSA or RSA challenge-response authenticationProviding the public key to clients Syntax crypto key zeroize Begin SSH2 Public KEY Importing authorized public keys into the Brocade device Syntax ip ssh key-authentication yes no Enabling DSA or RSA challenge-response authenticationOptional SSH parameters Syntax clear public-key Deactivating user authentication Setting the number of SSH authentication retriesSyntax ip ssh authentication-retries number Syntax ip ssh password-authentication no yes Setting the SSH port number Enabling empty password loginsSetting the SSH login timeout value Configuring the maximum idle time for SSH sessions Terminating an active SSH connection Filtering SSH access using ACLsDisplaying SSH information Displaying SSH connection information Syntax show ip ssh config Displaying SSH configuration informationDisplaying SSH information SSH connection information Displaying additional SSH connection information Displaying SSH information SSH configuration information Example file transfers using SCP Secure copy configuration notesCopying a file to the running configuration Secure copy with SSH2 To overwrite the running configuration file Copying a file to the startup configurationCopying a software image file to flash memory Copying a software image file from flash memory Importing a digital certificate using SCP Importing an RSA private keyImporting a DSA or RSA public key Configuring SSH2 client public key authentication SSH2 clientEnabling SSH2 client Generating and deleting a client DSA key pair Using SSH2 clientGenerating and deleting a client RSA key pair Exporting client public keys Displaying SSH2 client information Rule-Based IP ACLs Supported ACL features on outbound traffic ACL overview ACL overview Supported ACL features on outbound traffic ACL IDs and entries Types of IP ACLsNumbered and named ACLs ACL overview Virtual routing interfaces How hardware-based ACLs work Default ACL actionHow fragmented packets are processed Hardware aging of Layer 4 CAM entries ACL configuration considerations Standard numbered ACL syntax Configuring standard numbered ACLs Configuration example for standard numbered ACLs Standard named ACL configuration Standard named ACL syntax Syntax no ip access-list standard ACL-nameACL-num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Extended numbered ACL configuration Configuration example for standard named ACLsExtended numbered ACL configuration Extended numbered ACL syntax Num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Brocade ICX 6650 Security Configuration Guide Here is another example of an extended ACL Configuration examples for extended numbered ACLs Extended named ACL configuration Extended named ACL configuration Extended named ACL syntax Num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Page Applying egress ACLs to Control CPU traffic Syntax enable egress-acl-on-cpu-trafficPreserving user input for ACL TCP/UDP port numbers Syntax ip preserve-ACL-user-input-format Adding a comment to an entry in a numbered ACL ACL comment text management Adding a comment to an entry in a named ACL Show running-config Show access-list Show ip access-listDeleting a comment from an ACL entry Viewing comments in an ACL Syntax show running-config Configuration notes for ACL logging ACL loggingACL logging Example ACL logging configuration Configuration tasks for ACL logging Syntax logging-enable Displaying ACL Log EntriesSyntax ACL-logging Syntax show log Syntax no ip access-group frag deny Configuration notes for ACL filtering Syntax no enable ACL-per-port-per-vlanEnter the no form of the command to disable this feature Syntax per-vlan Vlan ID Syntax no ip access-group ACL ID ACLs to filter ARP packets Syntax no ip access-group ACL ID in ethernet port to port Configuring ACLs for ARP filtering Configuration considerations for filtering ARP packetsSyntax no ip use-ACL-on-arp access-list-number ACLs to filter ARP packets Displaying ACL filters for ARP Filtering on IP precedence and ToS valuesClearing the filter count Syntax show ACL-on-arp ethernet port loopback num ve num TCP flags edge port security QoS options for IP ACLs Configuration notes for QoS options on Brocade ICX Using an IP ACL to mark Dscp values Dscp markingSyntax ...dscp-marking dscp-value Combined ACL for 802.1p marking QoS options for IP ACLsFor IP ACL-based rate limiting Using an ACL to change the forwarding queueDscp matching Syntax ...dscp-matching 0 ACLs to control multicast features ACL statisticsEnabling and viewing hardware usage statistics for an ACL Syntax show access-list ACL-numACL-nameall Troubleshooting ACLsDisplaying ACL information Policy Based Routing Configuring a PBR policy Configuration considerations for policy-based routing Configuring the ACLs Syntax noroute-map map-namepermit deny num Configuring the route map Enabling PBR Setting the next hop Configuration examples for PBRBasic example of PBR Policy Based Routing Setting the output interface to the null interface Trunk formation with PBR policy IPv6 ACL overview Feature IPv6 ACL configuration notes IPv6 ACL traffic filtering criteriaIPv6 protocol names and numbers Example IPv6 configurations Configuring an IPv6 ACL Configuring an IPv6 ACL Show ipv6 access-listcommand displays the followingHere is another example Default and implicit IPv6 ACL action Creating an IPv6 ACL Syntax no ipv6 access-list ACL-nameSyntax for creating an IPv6 ACL Ipv6-operator dscp For Icmp For TCPFor UDP Ipv6-source-prefix /prefix-length IPv6 ACL arguments Description IPv6 ACL arguments Description Creating an IPv6 ACL Syntax descriptions 802.1p-priority-matching number Icmp message configurations Applying an IPv6 ACL to an interface Syntax ipv6 enable Syntax for applying an IPv6 ACL Adding a comment to an IPv6 ACL entryApplying an IPv6 ACL to a trunk group Syntax .ipv6 traffic-filter ipv6-ACL-namein Deleting a comment from an IPv6 ACL entry Support for ACL loggingDisplaying IPv6 ACLs Syntax show ipv6 access-list Syntax show ipv6 access-list access-list-nameDisplaying IPv6 ACLs Types of ACL-based rate limiting ACL-based rate limiting overview Traffic policies overview Traffic policy structureACL statistics Configuration notes for traffic policies Configuring fixed rate limiting Configuring adaptive rate limiting Configuring adaptive rate limiting Parameter Definition ACL based adaptive rate limiting parametersPage Dropping packets Handling packets that exceed the rate limit Permitting packets at low priority Enabling and using ACL statistics Enabling ACL statistics Enabling and using ACL statistics Viewing ACL and rate limit counters Enabling ACL statistics with rate limiting traffic policies ACL and rate limit counting statistics Clearing ACL and rate limit countersParameter Description General Counters Viewing traffic policies Syntax show traffic-policy TPD-nameParameterDescription Ietf RFC support 802.1X Port Security Device roles in an 802.1X configuration How 802.1X port security worksHow 802.1X port security works Controlled and uncontrolled ports Communication between the devices PAE Message exchange during authentication Refer to EAP pass-through support on Setting the IP MTU size Configuration notes for setting the IP MTU size Authenticating multiple hosts connected to the same portEAP pass-through support Syntax no ip mtu num Multiple hosts connected to a single 802.1X-enabled port How 802.1X multiple-host authentication works Configuration notes for 802.1x multiple-host authentication 802.1X port security and sFlow 802.1X port security configuration 802.1X port security configurationConfigure the device role as the Authenticator Configure the device interaction with Clients Setting Radius parameters Configuring an authentication method list forSyntax no aaa authentication dot1x default method-list Supported Radius attributes Specifying the Radius timeout action Permit user access to the network after a Radius timeoutSyntax no dot1x auth-timeout-action success Re-authenticate a user Dynamic Vlan assignment for 802.1X port configurationSyntax no dot1x re-auth-timeout- success seconds Deny user access to the network after a Radius timeout Type Value Dynamic multiple Vlan assignment for 802.1X ports Syntax save-dynamicvlan-to-config Saving dynamic Vlan assignments to the running-config file 802.1X port security configuration Disabling strict security mode globally Disabled strict security mode ACL or MAC address filter configured on the Brocade device Syntax no dot1x disable-filter-strict-securityDynamically applying existing ACLs or MAC address filters Syntax no global-filter-strict-security Value Description Configuring per-user IP ACLs or MAC address filters Enabling 802.1X port security Setting the port control Configuring periodic re-authentication Syntax no re-authenticationSyntax no timeout re-authperiod seconds Setting the quiet period Re-authenticating a port manuallySetting the wait interval for EAP frame retransmissions Syntax dot1x re-authenticate ethernet port Syntax no timeout tx-period seconds Setting the maximum number of EAP frame retransmissionsValue is a number from 1-10. The default is Syntax auth-max value Syntax servertimeout seconds Syntax supptimeout secondsInitializing 802.1X on a port Syntax maxreq value Configuring 802.1X multiple-host authentication Allowing access to multiple hostsSpecifying the authentication-failure action Syntax no auth-fail-action restricted-vlan Syntax no auth-fail-max-attempts attempts This command enables aging of permitted sessionsDisabling aging for dot1x-mac-sessions Syntax no mac-session-aging no-aging permitted-mac-only Syntax no mac-age-time seconds Specifying the aging time for blocked clientsMoving native Vlan mac-sesions to restrict Vlan Syntax clear dot1x mac-session mac-address Configuring Vlan access for non-EAP-capable clients 802.1X accounting configurationSyntax timeout restrict-fwd-period num MAC address filters for EAP frames Syntax aaa accounting dot1x default start-stop radius none To enable 802.1X accounting, enter the following command802.1X accounting attributes for Radius Enabling 802.1X accounting Output from the show dot1x command Displaying 802.1X configuration informationDisplaying 802.1X information Syntax show dot1x Syntax show dot1x config ethernet port Forceunauth Displaying 802.1X information Displaying 802.1X statisticsSyntax show dot1x statistics ethernet port Field Statistics Displaying dynamically assigned Vlan information Clearing 802.1X statisticsSyntax clear dot1x statistics all Syntax clear dot1x statistics ethernet port Displaying user-defined MAC address filters and IP ACLs Syntax show dot1x mac-address-filterSyntax show dot1x ip-ACL Displaying the status of strict security mode Syntax show dot1x mac-address-filter all ethernet portSyntax show dot1x ip-ACL all ethernet port Global-filter-strict-security Enable Displaying 802.1X multiple-host authentication information Mac Session max-age Seconds Displaying 802.1X multiple-host configuration information Pvid Syntax show dot1x mac-session Syntax show dot1x mac-session brief Output from the show dot1x mac-session brief command Point-to-point configuration Sample 802.1X configurationsSame point-to-point 802.1x configuration Sample 802.1X configurations Sample 802.1x configuration using a hub Hub configuration 802.1X authentication with dynamic Vlan assignment Auth-fail-vlanid Page MAC Port Security Local and global resources used for MAC port security MAC port security overview MAC port security configuration Enabling the MAC port security featureSyntax port security Syntax no enable Setting the port security age timer MAC port security configurationSyntax no age minutes Specifying secure MAC addresses On an untagged interfaceOn a tagged interface Dropping packets from a violating address Syntax violation restrictSyntax violation restrict age Clearing restricted MAC addresses Clearing port security statisticsClearing violation statistics Disabling the port for a specified amount of time Displaying port security settings Displaying port security informationDisplaying the secure MAC addresses Output from the show port security statistics port command Output from the show port security mac commandDisplaying port security statistics Syntax show port security statistics port Displaying restricted MAC addresses on a port Syntax show port security statistics moduleSyntax show port security ethernet port restricted-macs Static and dynamic hosts MAC-based Vlan overview Source MAC address authentication MAC-based Vlan feature structurePolicy-based classification and forwarding MAC-based Vlan and port up or down events Dynamic MAC-based Vlan Dynamic MAC-based Vlan CLI commandsDynamic MAC-based Vlan Description CLI level Dynamic MAC-based Vlan CLI commands for MAC-based VLANs Dynamic MAC-based Vlan configuration exampleFollowing example shows a MAC-based Vlan configuration CLI command Description CLI level MAC-based Vlan configuration MAC-based Vlan configuration Attribute ID Data type Optional or Description Mandatory Using MAC-based VLANs and 802.1X security on the same port For permitted hosts Aging for MAC-based VlanFor blocked hosts Aging process for MAC-based Vlan works as described below For MAC-based dynamic activation Disabling aging for MAC-based Vlan sessionsTo change the length of the software aging period Globally disabling aging Configuring a MAC-based Vlan for a static host Configuring the maximum MAC addresses per portSyntax no mac-authentication disable-aging Disabling the aging on interfaces Configuring MAC-based Vlan for a dynamic host Configuring dynamic MAC-based VlanSyntax mac-vlan-permit ethernet stack-unit/slotnum/portnum Enter the following command to display the MAC-VLAN table Configuring MAC-based VLANs using SnmpDisplaying information about MAC-based VLANs Displaying the MAC-VLAN table Displaying allowed MAC addresses Displaying the MAC-VLAN table for a specific MAC addressDisplaying information about MAC-based VLANs Syntax show table-mac-vlan mac-address Syntax show table-mac-vlan denied-mac Displaying denied MAC addresses Displaying detailed MAC-VLAN data Default Displaying MAC-VLAN information for a specific interface Vlan Displaying MAC addresses in a MAC-based Vlan Sample MAC-based Vlan application Clearing MAC-VLAN informationDisplaying MAC-based Vlan logging Clearing MAC-VLAN information Sample MAC-based Vlan application Sample MAC-based Vlan configuration 0000.0075.3f73 1/1/1 Sample MAC-based Vlan application How multi-device port authentication works Multi-Device Port Authentication Radius authentication Authentication-failure actionsSupported Radius attributes Support for dynamic Vlan assignment Support for dynamic ACLsSupport for dynamic ARP inspection with dynamic ACLs Support for source guard protection Support for Dhcp snooping with dynamic ACLs Configuring Brocade-specific attributes on Radius server Multi-device port authentication configuration Globally enabling multi-device port authentication Enabling multi-device port authenticationEnabling multi-device port authentication on an interface Syntax no mac-authentication enable Specifying the authentication-failure action Multi-device port authentication configurationSyntax no mac-authentication auth-fail-vlan-id vlan-id Generating traps for multi-device port authentication Configuring dynamic Vlan assignmentDefining MAC address filters Syntax no mac-authentication no-override-restrict-vlan Syntax no mac-authentication enable-dynamic-vlan Vlan-namestring Syntax mac-authentication disable-ingress-filtering Configuration notes and limitations Syntax no mac-authentication save-dynamicvlan-to-config Dynamically applying IP ACLs to authenticated MAC addressesPage Enabling denial of service attack protection Configuring the Radius server to support dynamic IP ACLsACLs configured on the Brocade device Enabling source guard protection Syntax no mac-authentication dos-protection mac-limit number Syntax no mac-authentication source-guard-protection enable Clearing authenticated MAC addressesEnter the no form of the command to disable SG protection Syntax clear auth-mac-table Syntax mac-authentication clear-mac-session mac-address Disabling aging for authenticated MAC addressesGlobally disabling aging of MAC addresses Syntax clear auth-mac-table ethernet port Disabling the aging of MAC addresses on interfaces Syntax no mac-authentication hw-deny-age num Permit user access to the network after a Radius timeout Specifying the Radius timeout actionSyntax no mac-authentication auth-timeout-action success Specifying the aging time for blocked MAC addresses Multi-device port authentication password override Deny user access to the network after a Radius timeoutSyntax no mac-authentication auth-timeout-action failure Limiting the number of authenticated MAC addresses Displaying multi-device port authentication informationDisplaying authenticated MAC address information Syntax no mac-authentication password-override password Syntax show auth-mac-address configuration Output from the show authenticated-mac-address command Syntax show auth-mac-address mac-addressip-addrport Syntax show auth-mac-addresses authorized-mac Displaying the authenticated MAC addresses Syntax show auth-mac-addresses unauthorized-mac Displaying the non-authenticated MAC addressesExplains the information in the output Syntax show auth-mac-address ethernet port Syntax show auth-mac-address detail ethernet port YES Output from the show auth-mac-addresses detailed command Pvid Example port authentication configurations Interface ethernet 1 dual-modemac-authentication enable Example port authentication configurations Port e1/1/1 Dual Mode Example port authentication configurations Radius Server User 0000.008e.86ac IP Phone Profile No Profile for MAC 0000.007f.2e0a PC User 1 Profile Syntax no mac-authentication auth-fail-dot1x-override How a Smurf attack floods a victim with Icmp replies Smurf attacks Avoiding being an intermediary in a Smurf attack Avoiding being a victim in a Smurf attackSyntax no ip directed-broadcast TCP SYN attacks TCP SYN attacks TCP security enhancement Protecting against a blind injection attack Syntax clear statistics dos-attack Syntax show statistics dos-attack Port-based rate limiting Rate Limiting and Rate Shaping Rate limiting in hardware How port-based fixed rate limiting works Configuring a port-based fixed rate limiting policy Configuration notes for port-based fixed rate limitingDisplaying the port-based fixed rate limiting configuration Syntax no rate-limit input fixed average-rate Configuring outbound rate shaping for a port Configuration notes for rate shapingRate shaping Rate shaping Configuring outbound rate shaping for a trunk port Configuring outbound rate shaping for a specific priorityDisplaying rate shaping configurations CPU rate-limiting ARP Packet type Rate limit ARP poisoning Dynamic ARP inspection ARP entries Dynamic ARP Inspection 281 Configuring an inspection ARP entry Dynamic ARP inspection configurationEnabling DAI on a Vlan Syntax no arp ip-addrmac-addrinspection Displaying ARP inspection status and ports Dhcp snoopingDisplaying the ARP table Enabling trust on a port Dhcp binding database How Dhcp snooping worksPage Enabling Dhcp snooping on a Vlan Syntax no dhcp snooping client-learning disableDisabling the learning of Dhcp clients on a port Syntax no ip dhcp snooping vlan vlan-number Displaying Dhcp snooping status and ports Clearing the Dhcp binding databaseDisplaying the Dhcp snooping binding database Displaying Dhcp binding entry and status Dhcp snooping configuration example Dhcp relay agent informationDhcp relay agent information Dhcp option 82 sub-options Configuration notes for Dhcp option Sub-option 1 Circuit ID Sub-option 2 Remote IDSub-option 6 Subscriber ID Syntax no dhcp snooping relay information Dhcp option 82 configuration Changing the forwarding policy Enabling and disabling subscriber ID processingSyntax ip dhcp relay information policy policy-type Output for the ip dhcp relay information command Viewing the ports on which Dhcp option 82 is disabledViewing information about Dhcp option 82 processing Viewing the circuit ID, remote ID, and forwarding policy IP source guard Viewing the status of Dhcp option 82 and the subscriber IDSyntax show interfaces ethernet port Page No source-guard enable Defining static IP source bindingsFor ip-addr, enter a valid IP address Enabling IP source guard per-port-per-VLAN Syntax no source-guard enableEnabling IP source guard on a VE Displaying learned IP addresses IP source guard Configuration notes and feature limitations Configuring rate limiting for BUM trafficBroadcast, unknown Unicast, and Multicast rate limiting Viewing rate limits set on BUM traffic Syntax show rate-limit broadcast Syntax show run interface Broadcast, unknown Unicast, and Multicast rate limiting Index ARP Radius Page Page MAC-VLAN Page SSH Vlan Ip access-group,110 mac-vlan-permit,220 source-guard enable

Sample MAC-based VLAN application

CAM