306 Brocade ICX 6650 Security Configuration Guide
53-1002601-01
denial of service (DoS)
avoiding being a victim in a Smurf attack, 268
avoiding being an intermediary in a Smurf attack, 268
displaying information, 271
enabling for multi-device port authentication, 245
Smurf attacks, 267
TCP security enhancement, 270
TCP SYN attacks, 269
Dot1x
auth-fail-action restricted-vlan, 179
auth-fail-action restrict-vlan, 180
auth-fail-max-attempts, 180
auth-fail-vlanid, 179
auth-max, 177
dot1x disable-filter-strict-security, 172
dot1x initialize ethernet, 178
enable all, 174
enable ethernet, 174
global-filter-strict-security, 172
mac-session-aging no-aging denied-mac-only, 180
mac-session-aging no-aging permitted-mac-only, 180
max-req, 178
re-authentication, 175
save-dynamicvlan-to-config, 169
servertimeout, 178
supptimeout, 178
timeout quiet-period, 176
timeout re-authperiod, 175
timeout restrict-fwd-period, 182
timeout tx-period, 177
DSA authentication
configuring challenge-response authentication, 67
deleting key pairs, 67
enabling challenge-response, 69
exporting client public keys, 79
generating a client key pair, 79
importing public keys into Brocade device, 68
providing the public key to clients, 67
Dynamic ARP
about inspection, 280
configuration notes and feature limitations, 281
poisoning, 279
Dynamic ARP inspection
displaying status and ports, 283
enabling on a VLAN, 282
enabling trust on a port, 283
using with IP source guard, 294
Dynamic Host Configuration Protocol (DHCP)
binding database, 284
changing the forwarding policy, 292
clearing the binding database, 287
configuration example, 288
configuration notes and feature limitations, 285
configuring snooping, 285
defining static IP source bindings, 296
disabling the learning of clients on a port, 286
displaying learned IP addresses, 297
enabling and disabling subscriber ID processing, 292
enabling IP source guard on a port, 296
enabling IP source guard on a virtual interface, 297
enabling IP source guard per-port-per-VLAN, 297
option 82, 289
overview, 279
relay agent information, 288
snooping, 283
dynamic MAC-based VLAN
CLI commands, 213
configuration example, 214
configuration notes and feature limitations, 213
disabling aging, 218
overview, 213
F
feature support
MAC port security, 201
multi-device port authentication, 231
SSH2 and SCP, 63
traffic policies, 141
G
Generating, 79
I
Interface
age, 204
arp inspection trust, 283
dhcp snooping relay information, 291
dhcp snooping relay information option subscriber-id, 292
dot1x auth-timeout-action failure, 166
dot1x auth-timeout-action success, 165
dot1x port-control auto, 175
dot1x re-auth-timeout-success, 166
enable, 203
idhcp snooping trust, 286
ip access-group frag deny, 108
ip access-group in, 144