Manuals / Brocade Communications Systems / Computer Equipment / Switch

Brocade Communications Systems 6650 manual Tacacs authentication, TACACS+ authentication

Models: 6650

1 332

Download 332 pages 4.02 Kb

Page 47

Image 47

TACACS and TACACS+ security

Telnet connections (inbound):

1closed

2closed

3closed

4closed

5closed

Telnet connection (outbound):

6closed

SSH connections:

1closed

2closed

3closed

4closed

5closed

stack9#

TACACS authentication

NOTE

Also, multiple challenges are supported for TACACS+ login authentication.

When TACACS authentication takes place, the following events occur.

1.A user attempts to gain access to the Brocade device by doing one of the following:

•Logging into the device using Telnet or SSH

•Entering the Privileged EXEC level or CONFIG level of the CLI

2.The user is prompted for a username and password.

3.The user enters a username and password.

4.The Brocade device sends a request containing the username and password to the TACACS server.

5.The username and password are validated in the TACACS server database.

6.If the password is valid, the user is authenticated.

TACACS+ authentication

When TACACS+ authentication takes place, the following events occur.

1.A user attempts to gain access to the Brocade device by doing one of the following:

•Logging into the device using Telnet or SSH

•Entering the Privileged EXEC level or CONFIG level of the CLI

2.The user is prompted for a username.

3.The user enters a username.

4.The Brocade device obtains a password prompt from a TACACS+ server.

5.The user is prompted for a password.

6.The user enters a password.

7.The Brocade device sends the password to the TACACS+ server.

Brocade ICX 6650 Security Configuration Guide	27
53-1002601-01

Page 47

Image 47

Brocade Communications Systems 6650 manual Tacacs authentication, TACACS+ authentication

Contents

Brocade ICX Brocade Communications Systems, Incorporated Contents Brocade ICX 6650 Security Configuration Guide Chapter Brocade ICX 6650 Security Configuration Guide Types of ACL-based rate limiting ACL-based rate limiting overviewIetf RFC support Chapter 802.1X Port SecurityMAC-based Vlan overview MAC-based Vlan feature structureMAC port security overview Local and global resources used for MAC port securitySupported Radius attributes How multi-device port authentication worksRadius authentication Authentication-failure actionsAvoiding being a victim in a Smurf attack Smurf attacksAvoiding being an intermediary in a Smurf attack Configuration notes and feature limitations for DAI Configuration notes for port-based fixed rate limitingConfiguring a port-based fixed rate limiting policy Displaying the port-based fixed rate limiting configurationViewing rate limits set on BUM traffic Configuration notes and feature limitationsConfiguring rate limiting for BUM traffic Broadcast, unknown Unicast, and Multicast rate limitingPage Brocade ICX 6650 slot and port numbering AudienceSupported hardware and software Dhcp on How this document is organizedText formatting Command syntax conventionsDocument conventions Corporation Referenced Trademarks and Products Related publicationsOther industry resources Additional informationGetting technical help Brocade resourcesDocument feedback Feature Brocade ICX Securing access methodsMethod is secured ACL usage to restrict remote access Remote access to management function restrictionsSyntax ssh access-group num Using an ACL to restrict Telnet accessUsing an ACL to restrict SSH access Syntax telnet access-group numSyntax snmp-server community string ro rw num Using ACLs to restrict Snmp accessDefining the console idle time Restricting SSH access to a specific IP address Remote access restrictionsRestricting Telnet access to a specific IP address Restricting SSH connection Restricting access to the device based on IP or MAC addressRestricting Snmp access to a specific IP address Restricting Telnet connectionRestricting Http and Https connection Changing the login timeout period for Telnet sessionsDefining the Telnet idle time Syntax no telnet login-retries number Restricting Telnet access to a specific VlanSyntax no snmp-server enable vlan vlan-id Restricting Snmp access to a specific VlanRestricting Tftp access to a specific Vlan Syntax no telnet server enable vlan vlan-idSyntax crypto key generate zeroize Allowing SSHv2 access to the Brocade deviceSyntax no default-gateway ip-addr metric Device management securityDisabling Snmp access Disabling specific access methodsAllowing Snmp access to the Brocade device Disabling Telnet accessSyntax no enable telnet password string Passwords used to secure accessSetting a Telnet password Syntax no tftp disableSyntax no telnet server suppress-reject-message Setting passwords for management privilege levelsPasswords used to secure access Augmenting management privilege levels Syntax enable read-only-password textAfter the console prompt reappears, assign a new password Recovering from a lost passwordSpecifying a minimum password length Enter boot system flash primary at the promptNumber-of-characterscan be from Enhancements to username and passwordSyntax enable password-min-length number-of-characters Local user accountsSyntax no enable strict-password-enforcement Enabling enhanced user password combination requirementsSyntax no enable user password-masking Enabling user password maskingEnabling user password aging Syntax username name password EnterSyntax no enable user password-history 1 Configuring password historyEnhanced login lockout Syntax no enable user password-agingRequirement to accept the message of the day Local user account configurationSetting passwords to expire Syntax username name enableLocal user accounts with unencrypted passwords Local user accounts with no passwordsSyntax show users Creating a password optionLocal accounts with encrypted passwords Using the username user-stringcreate-password commandHow TACACS+ differs from Tacacs Changing a local user passwordSyntax no username user-stringpassword password-string Tacacs and TACACS+ securityTACACS/TACACS+ authentication, authorization, and accounting Kill console Syntax kill console all unit TACACS+ authentication Tacacs authenticationTACACS+ accounting TACACS+ authorizationUser action Applicable AAA operations AAA security for commands pasted into the running-configAAA operations for TACACS/TACACS+ Configuring TACACS+ TACACS/TACACS+ configuration considerationsConfiguring Tacacs Identifying the TACACS/TACACS+ servers Enabling TacacsSpecifying different servers for individual AAA functions Setting optional Tacacs and TACACS+ parametersSetting the timeout parameter Setting the TACACS+ keySetting the retransmission limit Method parameter Description Syntax no aaa authentication enable implicit-user Entering privileged Exec mode after a Telnet or SSH loginSyntax aaa authentication login privilege-mode Configuring an Attribute-Value pair on the TACACS+ server Configuring TACACS+ authorizationConfiguring Exec authorization Syntax aaa authorization exec default tacacs+ noneFoundry-privlvl = AAA support for console commands Configuring command authorizationSyntax no enable aaa console TACACS+ accounting configurationConfiguring TACACS+ accounting for Telnet/SSH Shell access Configuring TACACS+ accounting for CLI commandsConfiguring TACACS+ accounting for system events Radius security Radius authentication, authorization, and accountingRadius authentication Output of the show aaa command for TACACS/TACACS+Radius accounting Radius authorizationAAA operations for Radius AAA operations for RadiusRadius security AAA operations for Radius Radius configuration considerationsBrocade-specific attributes on the Radius server Configuring RadiusAttribute ID Data type Description Port Configuration level AllowsAttribute name Attribute ID Data type Description Enabling Snmp to configure RadiusIdentifying the Radius server to the Brocade device Radius server per port Radius server per port configuration notesRadius configuration example and command syntax Following shows an example configurationHost ip-addris an IPv4 address Radius server-to-ports configuration notesRadius server to individual ports mapping Syntax use-radius-server ip-addrSyntax radius-server retransmit number Setting the Radius keyRadius parameters Syntax radius-server key 0 1 stringSyntax radius-server host ipv6 ipv6-host address Setting authentication-method lists for RadiusSetting Radius over IPv6 Syntax radius-server timeout numberSetting passwords for management privilege levels on Syntax aaa authorization exec default radius none Radius authorizationCommand authorization and accounting for console commands Radius accounting Configuring Radius accounting for Telnet/SSH Shell accessConfiguring Radius accounting for CLI commands Configuring Radius accounting for system events Displaying Radius configuration informationOutput of the show aaa command for Radius Authentication-method lists Authentication-method listsExamples of authentication-method lists Example Command SyntaxFollowing is the command syntax for the preceding examples TCP Flags edge port security User account configuration onTCP Flags edge port security Using TCP Flags in combination with other ACL featuresTCP Flags edge port security SSH version 2 overview SSH2 and SCPKey exchange methods are diffie-hellman-group1-sha1 SSH2 supported featuresSSH2 unsupported features Tested SSH2 clientsConfigure DSA or RSA challenge-response authentication SSH2 authentication typesConfiguring SSH2 SSH2 authentication typesGenerating and deleting an RSA key pair Setting the CPU priority for key generationGenerating and deleting a DSA key pair Syntax crypto key zeroize Configuring DSA or RSA challenge-response authenticationDeleting DSA and RSA key pairs Providing the public key to clientsBegin SSH2 Public KEY Importing authorized public keys into the Brocade deviceSyntax clear public-key Enabling DSA or RSA challenge-response authenticationSyntax ip ssh key-authentication yes no Optional SSH parametersSyntax ip ssh password-authentication no yes Setting the number of SSH authentication retriesDeactivating user authentication Syntax ip ssh authentication-retries numberConfiguring the maximum idle time for SSH sessions Enabling empty password loginsSetting the SSH port number Setting the SSH login timeout valueDisplaying SSH connection information Filtering SSH access using ACLsTerminating an active SSH connection Displaying SSH informationSSH connection information Displaying SSH configuration informationSyntax show ip ssh config Displaying SSH informationDisplaying additional SSH connection information Displaying SSH information SSH configuration informationSecure copy with SSH2 Secure copy configuration notesExample file transfers using SCP Copying a file to the running configurationCopying a software image file from flash memory Copying a file to the startup configurationTo overwrite the running configuration file Copying a software image file to flash memoryImporting a DSA or RSA public key Importing a digital certificate using SCPImporting an RSA private key Enabling SSH2 client Configuring SSH2 client public key authenticationSSH2 client Exporting client public keys Using SSH2 clientGenerating and deleting a client DSA key pair Generating and deleting a client RSA key pairDisplaying SSH2 client information Rule-Based IP ACLs Supported ACL features on outbound trafficACL overview ACL overview Supported ACL features on outbound trafficACL overview Virtual routing interfaces Types of IP ACLsACL IDs and entries Numbered and named ACLsHardware aging of Layer 4 CAM entries Default ACL actionHow hardware-based ACLs work How fragmented packets are processedACL configuration considerations Standard numbered ACL syntax Configuring standard numbered ACLsConfiguration example for standard numbered ACLs Standard named ACL configurationStandard named ACL syntax Syntax no ip access-list standard ACL-nameACL-numBrocade ICX 6650 Security Configuration Guide 53-1002601-01 Extended numbered ACL configuration Extended numbered ACL configurationConfiguration example for standard named ACLs Extended numbered ACL syntax Num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Brocade ICX 6650 Security Configuration Guide Here is another example of an extended ACL Configuration examples for extended numbered ACLsExtended named ACL configuration Extended named ACL configurationExtended named ACL syntax Num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Page Syntax ip preserve-ACL-user-input-format Syntax enable egress-acl-on-cpu-trafficApplying egress ACLs to Control CPU traffic Preserving user input for ACL TCP/UDP port numbersAdding a comment to an entry in a numbered ACL ACL comment text managementViewing comments in an ACL Show running-config Show access-list Show ip access-listAdding a comment to an entry in a named ACL Deleting a comment from an ACL entrySyntax show running-config ACL logging Configuration notes for ACL loggingACL logging Example ACL logging configuration Configuration tasks for ACL loggingSyntax ACL-logging Syntax logging-enableDisplaying ACL Log Entries Syntax show log Syntax no ip access-group frag denyEnter the no form of the command to disable this feature Configuration notes for ACL filteringSyntax no enable ACL-per-port-per-vlan Syntax per-vlan Vlan ID Syntax no ip access-group ACL ID ACLs to filter ARP packets Syntax no ip access-group ACL ID in ethernet port to portACLs to filter ARP packets Configuration considerations for filtering ARP packetsConfiguring ACLs for ARP filtering Syntax no ip use-ACL-on-arp access-list-numberSyntax show ACL-on-arp ethernet port loopback num ve num Filtering on IP precedence and ToS valuesDisplaying ACL filters for ARP Clearing the filter countTCP flags edge port security QoS options for IP ACLsSyntax ...dscp-marking dscp-value Configuration notes for QoS options on Brocade ICXUsing an IP ACL to mark Dscp values Dscp marking For IP Combined ACL for 802.1p markingQoS options for IP ACLs Syntax ...dscp-matching 0 Using an ACL to change the forwarding queueACL-based rate limiting Dscp matchingEnabling and viewing hardware usage statistics for an ACL ACLs to control multicast featuresACL statistics Policy Based Routing Troubleshooting ACLsSyntax show access-list ACL-numACL-nameall Displaying ACL informationConfiguring a PBR policy Configuration considerations for policy-based routingConfiguring the ACLs Syntax noroute-map map-namepermit deny num Configuring the route mapEnabling PBR Policy Based Routing Configuration examples for PBRSetting the next hop Basic example of PBRSetting the output interface to the null interface Trunk formation with PBR policy IPv6 ACL overview FeatureIPv6 protocol names and numbers IPv6 ACL configuration notesIPv6 ACL traffic filtering criteria Example IPv6 configurations Configuring an IPv6 ACLHere is another example Configuring an IPv6 ACLShow ipv6 access-listcommand displays the following Default and implicit IPv6 ACL action Ipv6-operator dscp Syntax no ipv6 access-list ACL-nameCreating an IPv6 ACL Syntax for creating an IPv6 ACLFor UDP For IcmpFor TCP Ipv6-source-prefix /prefix-length IPv6 ACL arguments DescriptionIPv6 ACL arguments Description Creating an IPv6 ACL Syntax descriptions802.1p-priority-matching number Icmp message configurationsApplying an IPv6 ACL to an interface Syntax ipv6 enableSyntax .ipv6 traffic-filter ipv6-ACL-namein Adding a comment to an IPv6 ACL entrySyntax for applying an IPv6 ACL Applying an IPv6 ACL to a trunk groupDisplaying IPv6 ACLs Deleting a comment from an IPv6 ACL entrySupport for ACL logging Displaying IPv6 ACLs Syntax show ipv6 access-listSyntax show ipv6 access-list access-list-name Types of ACL-based rate limiting ACL-based rate limiting overviewACL statistics Traffic policies overviewTraffic policy structure Configuration notes for traffic policies Configuring fixed rate limitingConfiguring adaptive rate limiting Configuring adaptive rate limitingParameter Definition ACL based adaptive rate limiting parametersPage Dropping packets Handling packets that exceed the rate limitPermitting packets at low priority Enabling and using ACL statisticsEnabling ACL statistics Enabling and using ACL statisticsViewing ACL and rate limit counters Enabling ACL statistics with rate limiting traffic policiesGeneral Counters Clearing ACL and rate limit countersACL and rate limit counting statistics Parameter DescriptionParameterDescription Viewing traffic policiesSyntax show traffic-policy TPD-name Ietf RFC support 802.1X Port SecurityHow 802.1X port security works Device roles in an 802.1X configurationHow 802.1X port security works Controlled and uncontrolled ports Communication between the devicesPAE Message exchange during authentication Refer to EAP pass-through support on Setting the IP MTU sizeSyntax no ip mtu num Authenticating multiple hosts connected to the same portConfiguration notes for setting the IP MTU size EAP pass-through supportMultiple hosts connected to a single 802.1X-enabled port How 802.1X multiple-host authentication worksConfiguration notes for 802.1x multiple-host authentication 802.1X port security and sFlow Configure the device interaction with Clients 802.1X port security configuration802.1X port security configuration Configure the device role as the AuthenticatorSupported Radius attributes Configuring an authentication method list forSetting Radius parameters Syntax no aaa authentication dot1x default method-listSyntax no dot1x auth-timeout-action success Specifying the Radius timeout actionPermit user access to the network after a Radius timeout Deny user access to the network after a Radius timeout Dynamic Vlan assignment for 802.1X port configurationRe-authenticate a user Syntax no dot1x re-auth-timeout- success secondsType Value Dynamic multiple Vlan assignment for 802.1X ports Syntax save-dynamicvlan-to-config Saving dynamic Vlan assignments to the running-config file802.1X port security configuration Disabling strict security mode globally Disabled strict security modeSyntax no global-filter-strict-security Syntax no dot1x disable-filter-strict-securityACL or MAC address filter configured on the Brocade device Dynamically applying existing ACLs or MAC address filtersValue Description Configuring per-user IP ACLs or MAC address filtersEnabling 802.1X port security Setting the port controlSyntax no timeout re-authperiod seconds Configuring periodic re-authenticationSyntax no re-authentication Syntax dot1x re-authenticate ethernet port Re-authenticating a port manuallySetting the quiet period Setting the wait interval for EAP frame retransmissionsSyntax auth-max value Setting the maximum number of EAP frame retransmissionsSyntax no timeout tx-period seconds Value is a number from 1-10. The default isSyntax maxreq value Syntax supptimeout secondsSyntax servertimeout seconds Initializing 802.1X on a portSyntax no auth-fail-action restricted-vlan Allowing access to multiple hostsConfiguring 802.1X multiple-host authentication Specifying the authentication-failure actionSyntax no mac-session-aging no-aging permitted-mac-only This command enables aging of permitted sessionsSyntax no auth-fail-max-attempts attempts Disabling aging for dot1x-mac-sessionsSyntax clear dot1x mac-session mac-address Specifying the aging time for blocked clientsSyntax no mac-age-time seconds Moving native Vlan mac-sesions to restrict VlanMAC address filters for EAP frames 802.1X accounting configurationConfiguring Vlan access for non-EAP-capable clients Syntax timeout restrict-fwd-period numEnabling 802.1X accounting To enable 802.1X accounting, enter the following commandSyntax aaa accounting dot1x default start-stop radius none 802.1X accounting attributes for RadiusSyntax show dot1x Displaying 802.1X configuration informationOutput from the show dot1x command Displaying 802.1X informationSyntax show dot1x config ethernet port Forceunauth Field Statistics Displaying 802.1X statisticsDisplaying 802.1X information Syntax show dot1x statistics ethernet portSyntax clear dot1x statistics ethernet port Clearing 802.1X statisticsDisplaying dynamically assigned Vlan information Syntax clear dot1x statistics allSyntax show dot1x ip-ACL Displaying user-defined MAC address filters and IP ACLsSyntax show dot1x mac-address-filter Syntax show dot1x ip-ACL all ethernet port Displaying the status of strict security modeSyntax show dot1x mac-address-filter all ethernet port Global-filter-strict-security Enable Displaying 802.1X multiple-host authentication informationMac Session max-age Seconds Displaying 802.1X multiple-host configuration informationPvid Syntax show dot1x mac-session Syntax show dot1x mac-session brief Output from the show dot1x mac-session brief commandSample 802.1X configurations Sample 802.1X configurationsPoint-to-point configuration Same point-to-point 802.1x configurationSample 802.1x configuration using a hub Hub configuration802.1X authentication with dynamic Vlan assignment Auth-fail-vlanid Page MAC Port Security Local and global resources used for MAC port security MAC port security overviewSyntax port security Syntax no enable MAC port security configurationEnabling the MAC port security feature Syntax no age minutes Setting the port security age timerMAC port security configuration On a tagged interface Specifying secure MAC addressesOn an untagged interface Syntax violation restrict age Dropping packets from a violating addressSyntax violation restrict Disabling the port for a specified amount of time Clearing port security statisticsClearing restricted MAC addresses Clearing violation statisticsDisplaying the secure MAC addresses Displaying port security settingsDisplaying port security information Syntax show port security statistics port Output from the show port security mac commandOutput from the show port security statistics port command Displaying port security statisticsSyntax show port security ethernet port restricted-macs Displaying restricted MAC addresses on a portSyntax show port security statistics module Static and dynamic hosts MAC-based Vlan overviewMAC-based Vlan and port up or down events MAC-based Vlan feature structureSource MAC address authentication Policy-based classification and forwardingDescription CLI level Dynamic MAC-based Vlan CLI commandsDynamic MAC-based Vlan Dynamic MAC-based VlanCLI command Description CLI level Dynamic MAC-based Vlan configuration exampleDynamic MAC-based Vlan CLI commands for MAC-based VLANs Following example shows a MAC-based Vlan configurationMAC-based Vlan configuration MAC-based Vlan configurationAttribute ID Data type Optional or Description Mandatory Using MAC-based VLANs and 802.1X security on the same portAging process for MAC-based Vlan works as described below Aging for MAC-based VlanFor permitted hosts For blocked hostsGlobally disabling aging Disabling aging for MAC-based Vlan sessionsFor MAC-based dynamic activation To change the length of the software aging periodDisabling the aging on interfaces Configuring the maximum MAC addresses per portConfiguring a MAC-based Vlan for a static host Syntax no mac-authentication disable-agingSyntax mac-vlan-permit ethernet stack-unit/slotnum/portnum Configuring MAC-based Vlan for a dynamic hostConfiguring dynamic MAC-based Vlan Displaying the MAC-VLAN table Configuring MAC-based VLANs using SnmpEnter the following command to display the MAC-VLAN table Displaying information about MAC-based VLANsSyntax show table-mac-vlan mac-address Displaying the MAC-VLAN table for a specific MAC addressDisplaying allowed MAC addresses Displaying information about MAC-based VLANsSyntax show table-mac-vlan denied-mac Displaying denied MAC addressesDisplaying detailed MAC-VLAN data DefaultDisplaying MAC-VLAN information for a specific interface Vlan Displaying MAC addresses in a MAC-based VlanClearing MAC-VLAN information Clearing MAC-VLAN informationSample MAC-based Vlan application Displaying MAC-based Vlan loggingSample MAC-based Vlan application Sample MAC-based Vlan configuration0000.0075.3f73 1/1/1 Sample MAC-based Vlan application How multi-device port authentication works Multi-Device Port AuthenticationSupported Radius attributes Radius authenticationAuthentication-failure actions Support for dynamic ARP inspection with dynamic ACLs Support for dynamic Vlan assignmentSupport for dynamic ACLs Support for source guard protection Support for Dhcp snooping with dynamic ACLsConfiguring Brocade-specific attributes on Radius server Multi-device port authentication configuration Syntax no mac-authentication enable Enabling multi-device port authenticationGlobally enabling multi-device port authentication Enabling multi-device port authentication on an interfaceSyntax no mac-authentication auth-fail-vlan-id vlan-id Specifying the authentication-failure actionMulti-device port authentication configuration Defining MAC address filters Generating traps for multi-device port authenticationConfiguring dynamic Vlan assignment Syntax no mac-authentication no-override-restrict-vlan Syntax no mac-authentication enable-dynamic-vlanVlan-namestring Syntax mac-authentication disable-ingress-filteringConfiguration notes and limitations Syntax no mac-authentication save-dynamicvlan-to-config Dynamically applying IP ACLs to authenticated MAC addressesPage ACLs configured on the Brocade device Enabling denial of service attack protectionConfiguring the Radius server to support dynamic IP ACLs Enabling source guard protection Syntax no mac-authentication dos-protection mac-limit numberSyntax clear auth-mac-table Clearing authenticated MAC addressesSyntax no mac-authentication source-guard-protection enable Enter the no form of the command to disable SG protectionSyntax clear auth-mac-table ethernet port Disabling aging for authenticated MAC addressesSyntax mac-authentication clear-mac-session mac-address Globally disabling aging of MAC addressesDisabling the aging of MAC addresses on interfaces Syntax no mac-authentication hw-deny-age numSpecifying the aging time for blocked MAC addresses Specifying the Radius timeout actionPermit user access to the network after a Radius timeout Syntax no mac-authentication auth-timeout-action successSyntax no mac-authentication auth-timeout-action failure Multi-device port authentication password overrideDeny user access to the network after a Radius timeout Syntax no mac-authentication password-override password Displaying multi-device port authentication informationLimiting the number of authenticated MAC addresses Displaying authenticated MAC address informationSyntax show auth-mac-address configuration Output from the show authenticated-mac-address commandSyntax show auth-mac-address mac-addressip-addrport Syntax show auth-mac-addresses authorized-mac Displaying the authenticated MAC addressesSyntax show auth-mac-address ethernet port Displaying the non-authenticated MAC addressesSyntax show auth-mac-addresses unauthorized-mac Explains the information in the outputSyntax show auth-mac-address detail ethernet port YES Output from the show auth-mac-addresses detailed commandPvid Example port authentication configurations Interface ethernet 1 dual-modemac-authentication enable Example port authentication configurationsPort e1/1/1 Dual Mode Example port authentication configurations Radius Server User 0000.008e.86ac IP Phone Profile No Profile for MAC 0000.007f.2e0a PC User 1 Profile Syntax no mac-authentication auth-fail-dot1x-override How a Smurf attack floods a victim with Icmp replies Smurf attacksSyntax no ip directed-broadcast Avoiding being an intermediary in a Smurf attackAvoiding being a victim in a Smurf attack TCP SYN attacks TCP SYN attacksTCP security enhancement Protecting against a blind injection attack Syntax clear statistics dos-attack Syntax show statistics dos-attackPort-based rate limiting Rate Limiting and Rate ShapingRate limiting in hardware How port-based fixed rate limiting worksSyntax no rate-limit input fixed average-rate Configuration notes for port-based fixed rate limitingConfiguring a port-based fixed rate limiting policy Displaying the port-based fixed rate limiting configurationRate shaping Configuration notes for rate shapingConfiguring outbound rate shaping for a port Rate shapingCPU rate-limiting Configuring outbound rate shaping for a specific priorityConfiguring outbound rate shaping for a trunk port Displaying rate shaping configurationsARP Packet type Rate limitARP poisoning Dynamic ARP inspectionARP entries Dynamic ARP Inspection281 Syntax no arp ip-addrmac-addrinspection Dynamic ARP inspection configurationConfiguring an inspection ARP entry Enabling DAI on a VlanEnabling trust on a port Dhcp snoopingDisplaying ARP inspection status and ports Displaying the ARP tableDhcp binding database How Dhcp snooping worksPage Syntax no ip dhcp snooping vlan vlan-number Syntax no dhcp snooping client-learning disableEnabling Dhcp snooping on a Vlan Disabling the learning of Dhcp clients on a portDisplaying Dhcp binding entry and status Clearing the Dhcp binding databaseDisplaying Dhcp snooping status and ports Displaying the Dhcp snooping binding databaseDhcp relay agent information Dhcp snooping configuration exampleDhcp relay agent information Dhcp option 82 sub-options Configuration notes for Dhcp optionSub-option 6 Subscriber ID Sub-option 1 Circuit IDSub-option 2 Remote ID Syntax no dhcp snooping relay information Dhcp option 82 configurationSyntax ip dhcp relay information policy policy-type Changing the forwarding policyEnabling and disabling subscriber ID processing Viewing the circuit ID, remote ID, and forwarding policy Viewing the ports on which Dhcp option 82 is disabledOutput for the ip dhcp relay information command Viewing information about Dhcp option 82 processingSyntax show interfaces ethernet port IP source guardViewing the status of Dhcp option 82 and the subscriber ID Page For ip-addr, enter a valid IP address No source-guard enableDefining static IP source bindings Displaying learned IP addresses Syntax no source-guard enableEnabling IP source guard per-port-per-VLAN Enabling IP source guard on a VEIP source guard Broadcast, unknown Unicast, and Multicast rate limiting Configuration notes and feature limitationsConfiguring rate limiting for BUM traffic Viewing rate limits set on BUM traffic Syntax show rate-limit broadcast Syntax show run interfaceBroadcast, unknown Unicast, and Multicast rate limiting Index ARP Radius Page Page MAC-VLAN Page SSH Vlan Ip access-group,110 mac-vlan-permit,220 source-guard enable