Manuals / Brocade Communications Systems / Computer Equipment / Switch

Brocade Communications Systems 6650 Setting the TACACS+ key, Setting the retransmission limit

Models: 6650

1 332

Download 332 pages 4.02 Kb

Page 53

TACACS and TACACS+ security

Setting the TACACS+ key

The key parameter in the tacacs-servercommand is used to encrypt TACACS+ packets before they are sent over the network. The value for the key parameter on the Brocade device should match the one configured on the TACACS+ server. The key can be from 1 – 32 characters in length and cannot include any space characters.

NOTE

The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the Brocade device.

To specify a TACACS+ server key, enter a command such as following.

Brocade(config)# tacacs-server key rkwong

Syntax: tacacs-server key [0 1] string

When you display the configuration of the Brocade device, the TACACS+ keys are encrypted. For example.

Brocade(config)# tacacs-server key 1 abc Brocade(config)# write terminal

...

tacacs-server host 10.2.3.5 auth-port 49 tacacs key 1 $!2d

NOTE

Encryption of the TACACS+ keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility.

Setting the retransmission limit

The retransmit parameter specifies how many times the Brocade device will resend an authentication request when the TACACS/TACACS+ server does not respond. The retransmit limit can be from 1 – 5 times. The default is 3 times.

To set the TACACS and TACACS+ retransmit limit, enter a command such as the following.

Brocade(config)# tacacs-server retransmit 5

Syntax: tacacs-server retransmit number

Setting the timeout parameter

The timeout parameter specifies how many seconds the Brocade device waits for a response from the TACACS/TACACS+ server before either retrying the authentication request, or determining that the TACACS/TACACS+ server is unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.

Brocade(config)# tacacs-server timeout 5

Syntax: tacacs-server timeout number

Brocade ICX 6650 Security Configuration Guide	33
53-1002601-01

Image 53

Brocade Communications Systems 6650 manual Setting the TACACS+ key, Setting the retransmission limit

Contents

Brocade ICX Brocade Communications Systems, Incorporated Contents Brocade ICX 6650 Security Configuration Guide Chapter Brocade ICX 6650 Security Configuration Guide Types of ACL-based rate limiting ACL-based rate limiting overviewIetf RFC support Chapter 802.1X Port SecurityMAC port security overview MAC-based Vlan feature structureLocal and global resources used for MAC port security MAC-based Vlan overviewRadius authentication How multi-device port authentication worksAuthentication-failure actions Supported Radius attributesAvoiding being a victim in a Smurf attack Smurf attacksAvoiding being an intermediary in a Smurf attack Configuring a port-based fixed rate limiting policy Configuration notes for port-based fixed rate limitingDisplaying the port-based fixed rate limiting configuration Configuration notes and feature limitations for DAIConfiguring rate limiting for BUM traffic Configuration notes and feature limitationsBroadcast, unknown Unicast, and Multicast rate limiting Viewing rate limits set on BUM trafficPage Brocade ICX 6650 slot and port numbering AudienceSupported hardware and software Dhcp on How this document is organizedText formatting Command syntax conventionsDocument conventions Corporation Referenced Trademarks and Products Related publicationsGetting technical help Additional informationBrocade resources Other industry resourcesDocument feedback Feature Brocade ICX Securing access methodsMethod is secured ACL usage to restrict remote access Remote access to management function restrictionsUsing an ACL to restrict SSH access Using an ACL to restrict Telnet accessSyntax telnet access-group num Syntax ssh access-group numSyntax snmp-server community string ro rw num Using ACLs to restrict Snmp accessDefining the console idle time Restricting SSH access to a specific IP address Remote access restrictionsRestricting Telnet access to a specific IP address Restricting Snmp access to a specific IP address Restricting access to the device based on IP or MAC addressRestricting Telnet connection Restricting SSH connectionRestricting Http and Https connection Changing the login timeout period for Telnet sessionsDefining the Telnet idle time Syntax no telnet login-retries number Restricting Telnet access to a specific VlanRestricting Tftp access to a specific Vlan Restricting Snmp access to a specific VlanSyntax no telnet server enable vlan vlan-id Syntax no snmp-server enable vlan vlan-idSyntax no default-gateway ip-addr metric Allowing SSHv2 access to the Brocade deviceDevice management security Syntax crypto key generate zeroizeAllowing Snmp access to the Brocade device Disabling specific access methodsDisabling Telnet access Disabling Snmp accessSetting a Telnet password Passwords used to secure accessSyntax no tftp disable Syntax no enable telnet password stringSyntax no telnet server suppress-reject-message Setting passwords for management privilege levelsPasswords used to secure access Augmenting management privilege levels Syntax enable read-only-password textSpecifying a minimum password length Recovering from a lost passwordEnter boot system flash primary at the prompt After the console prompt reappears, assign a new passwordSyntax enable password-min-length number-of-characters Enhancements to username and passwordLocal user accounts Number-of-characterscan be fromSyntax no enable strict-password-enforcement Enabling enhanced user password combination requirementsEnabling user password aging Enabling user password maskingSyntax username name password Enter Syntax no enable user password-maskingEnhanced login lockout Configuring password historySyntax no enable user password-aging Syntax no enable user password-history 1Setting passwords to expire Local user account configurationSyntax username name enable Requirement to accept the message of the dayLocal user accounts with unencrypted passwords Local user accounts with no passwordsLocal accounts with encrypted passwords Creating a password optionUsing the username user-stringcreate-password command Syntax show usersSyntax no username user-stringpassword password-string Changing a local user passwordTacacs and TACACS+ security How TACACS+ differs from TacacsTACACS/TACACS+ authentication, authorization, and accounting Kill console Syntax kill console all unit TACACS+ authentication Tacacs authenticationTACACS+ accounting TACACS+ authorizationUser action Applicable AAA operations AAA security for commands pasted into the running-configAAA operations for TACACS/TACACS+ Configuring TACACS+ TACACS/TACACS+ configuration considerationsConfiguring Tacacs Identifying the TACACS/TACACS+ servers Enabling TacacsSpecifying different servers for individual AAA functions Setting optional Tacacs and TACACS+ parametersSetting the timeout parameter Setting the TACACS+ keySetting the retransmission limit Method parameter Description Syntax no aaa authentication enable implicit-user Entering privileged Exec mode after a Telnet or SSH loginSyntax aaa authentication login privilege-mode Configuring Exec authorization Configuring TACACS+ authorizationSyntax aaa authorization exec default tacacs+ none Configuring an Attribute-Value pair on the TACACS+ serverFoundry-privlvl = AAA support for console commands Configuring command authorizationConfiguring TACACS+ accounting for Telnet/SSH Shell access TACACS+ accounting configurationConfiguring TACACS+ accounting for CLI commands Syntax no enable aaa consoleConfiguring TACACS+ accounting for system events Radius authentication Radius authentication, authorization, and accountingOutput of the show aaa command for TACACS/TACACS+ Radius securityRadius accounting Radius authorizationAAA operations for Radius AAA operations for RadiusRadius security AAA operations for Radius Radius configuration considerationsBrocade-specific attributes on the Radius server Configuring RadiusAttribute ID Data type Description Port Configuration level AllowsAttribute name Attribute ID Data type Description Enabling Snmp to configure RadiusIdentifying the Radius server to the Brocade device Radius configuration example and command syntax Radius server per port configuration notesFollowing shows an example configuration Radius server per portRadius server to individual ports mapping Radius server-to-ports configuration notesSyntax use-radius-server ip-addr Host ip-addris an IPv4 addressRadius parameters Setting the Radius keySyntax radius-server key 0 1 string Syntax radius-server retransmit numberSetting Radius over IPv6 Setting authentication-method lists for RadiusSyntax radius-server timeout number Syntax radius-server host ipv6 ipv6-host addressSetting passwords for management privilege levels on Syntax aaa authorization exec default radius none Radius authorizationCommand authorization and accounting for console commands Radius accounting Configuring Radius accounting for Telnet/SSH Shell accessConfiguring Radius accounting for CLI commands Configuring Radius accounting for system events Displaying Radius configuration informationOutput of the show aaa command for Radius Authentication-method lists Authentication-method listsExamples of authentication-method lists Example Command SyntaxFollowing is the command syntax for the preceding examples TCP Flags edge port security User account configuration onTCP Flags edge port security Using TCP Flags in combination with other ACL featuresTCP Flags edge port security SSH version 2 overview SSH2 and SCPSSH2 unsupported features SSH2 supported featuresTested SSH2 clients Key exchange methods are diffie-hellman-group1-sha1Configuring SSH2 SSH2 authentication typesSSH2 authentication types Configure DSA or RSA challenge-response authenticationGenerating and deleting an RSA key pair Setting the CPU priority for key generationGenerating and deleting a DSA key pair Deleting DSA and RSA key pairs Configuring DSA or RSA challenge-response authenticationProviding the public key to clients Syntax crypto key zeroizeBegin SSH2 Public KEY Importing authorized public keys into the Brocade deviceSyntax ip ssh key-authentication yes no Enabling DSA or RSA challenge-response authenticationOptional SSH parameters Syntax clear public-keyDeactivating user authentication Setting the number of SSH authentication retriesSyntax ip ssh authentication-retries number Syntax ip ssh password-authentication no yesSetting the SSH port number Enabling empty password loginsSetting the SSH login timeout value Configuring the maximum idle time for SSH sessionsTerminating an active SSH connection Filtering SSH access using ACLsDisplaying SSH information Displaying SSH connection informationSyntax show ip ssh config Displaying SSH configuration informationDisplaying SSH information SSH connection informationDisplaying additional SSH connection information Displaying SSH information SSH configuration informationExample file transfers using SCP Secure copy configuration notesCopying a file to the running configuration Secure copy with SSH2To overwrite the running configuration file Copying a file to the startup configurationCopying a software image file to flash memory Copying a software image file from flash memoryImporting a DSA or RSA public key Importing a digital certificate using SCPImporting an RSA private key Enabling SSH2 client Configuring SSH2 client public key authenticationSSH2 client Generating and deleting a client DSA key pair Using SSH2 clientGenerating and deleting a client RSA key pair Exporting client public keysDisplaying SSH2 client information Rule-Based IP ACLs Supported ACL features on outbound trafficACL overview ACL overview Supported ACL features on outbound trafficACL IDs and entries Types of IP ACLsNumbered and named ACLs ACL overview Virtual routing interfacesHow hardware-based ACLs work Default ACL actionHow fragmented packets are processed Hardware aging of Layer 4 CAM entriesACL configuration considerations Standard numbered ACL syntax Configuring standard numbered ACLsConfiguration example for standard numbered ACLs Standard named ACL configurationStandard named ACL syntax Syntax no ip access-list standard ACL-nameACL-numBrocade ICX 6650 Security Configuration Guide 53-1002601-01 Extended numbered ACL configuration Extended numbered ACL configurationConfiguration example for standard named ACLs Extended numbered ACL syntax Num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Brocade ICX 6650 Security Configuration Guide Here is another example of an extended ACL Configuration examples for extended numbered ACLsExtended named ACL configuration Extended named ACL configurationExtended named ACL syntax Num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Page Applying egress ACLs to Control CPU traffic Syntax enable egress-acl-on-cpu-trafficPreserving user input for ACL TCP/UDP port numbers Syntax ip preserve-ACL-user-input-formatAdding a comment to an entry in a numbered ACL ACL comment text managementAdding a comment to an entry in a named ACL Show running-config Show access-list Show ip access-listDeleting a comment from an ACL entry Viewing comments in an ACLSyntax show running-config ACL logging Configuration notes for ACL loggingACL logging Example ACL logging configuration Configuration tasks for ACL loggingSyntax ACL-logging Syntax logging-enableDisplaying ACL Log Entries Syntax show log Syntax no ip access-group frag denyEnter the no form of the command to disable this feature Configuration notes for ACL filteringSyntax no enable ACL-per-port-per-vlan Syntax per-vlan Vlan ID Syntax no ip access-group ACL ID ACLs to filter ARP packets Syntax no ip access-group ACL ID in ethernet port to portConfiguring ACLs for ARP filtering Configuration considerations for filtering ARP packetsSyntax no ip use-ACL-on-arp access-list-number ACLs to filter ARP packetsDisplaying ACL filters for ARP Filtering on IP precedence and ToS valuesClearing the filter count Syntax show ACL-on-arp ethernet port loopback num ve numTCP flags edge port security QoS options for IP ACLsSyntax ...dscp-marking dscp-value Configuration notes for QoS options on Brocade ICXUsing an IP ACL to mark Dscp values Dscp marking For IP Combined ACL for 802.1p markingQoS options for IP ACLs ACL-based rate limiting Using an ACL to change the forwarding queueDscp matching Syntax ...dscp-matching 0Enabling and viewing hardware usage statistics for an ACL ACLs to control multicast featuresACL statistics Syntax show access-list ACL-numACL-nameall Troubleshooting ACLsDisplaying ACL information Policy Based RoutingConfiguring a PBR policy Configuration considerations for policy-based routingConfiguring the ACLs Syntax noroute-map map-namepermit deny num Configuring the route mapEnabling PBR Setting the next hop Configuration examples for PBRBasic example of PBR Policy Based RoutingSetting the output interface to the null interface Trunk formation with PBR policy IPv6 ACL overview FeatureIPv6 protocol names and numbers IPv6 ACL configuration notesIPv6 ACL traffic filtering criteria Example IPv6 configurations Configuring an IPv6 ACLHere is another example Configuring an IPv6 ACLShow ipv6 access-listcommand displays the following Default and implicit IPv6 ACL action Creating an IPv6 ACL Syntax no ipv6 access-list ACL-nameSyntax for creating an IPv6 ACL Ipv6-operator dscpFor UDP For IcmpFor TCP Ipv6-source-prefix /prefix-length IPv6 ACL arguments DescriptionIPv6 ACL arguments Description Creating an IPv6 ACL Syntax descriptions802.1p-priority-matching number Icmp message configurationsApplying an IPv6 ACL to an interface Syntax ipv6 enableSyntax for applying an IPv6 ACL Adding a comment to an IPv6 ACL entryApplying an IPv6 ACL to a trunk group Syntax .ipv6 traffic-filter ipv6-ACL-nameinDisplaying IPv6 ACLs Deleting a comment from an IPv6 ACL entrySupport for ACL logging Displaying IPv6 ACLs Syntax show ipv6 access-listSyntax show ipv6 access-list access-list-name Types of ACL-based rate limiting ACL-based rate limiting overviewACL statistics Traffic policies overviewTraffic policy structure Configuration notes for traffic policies Configuring fixed rate limitingConfiguring adaptive rate limiting Configuring adaptive rate limitingParameter Definition ACL based adaptive rate limiting parametersPage Dropping packets Handling packets that exceed the rate limitPermitting packets at low priority Enabling and using ACL statisticsEnabling ACL statistics Enabling and using ACL statisticsViewing ACL and rate limit counters Enabling ACL statistics with rate limiting traffic policiesACL and rate limit counting statistics Clearing ACL and rate limit countersParameter Description General CountersParameterDescription Viewing traffic policiesSyntax show traffic-policy TPD-name Ietf RFC support 802.1X Port SecurityHow 802.1X port security works Device roles in an 802.1X configurationHow 802.1X port security works Controlled and uncontrolled ports Communication between the devicesPAE Message exchange during authentication Refer to EAP pass-through support on Setting the IP MTU sizeConfiguration notes for setting the IP MTU size Authenticating multiple hosts connected to the same portEAP pass-through support Syntax no ip mtu numMultiple hosts connected to a single 802.1X-enabled port How 802.1X multiple-host authentication worksConfiguration notes for 802.1x multiple-host authentication 802.1X port security and sFlow 802.1X port security configuration 802.1X port security configurationConfigure the device role as the Authenticator Configure the device interaction with ClientsSetting Radius parameters Configuring an authentication method list forSyntax no aaa authentication dot1x default method-list Supported Radius attributesSyntax no dot1x auth-timeout-action success Specifying the Radius timeout actionPermit user access to the network after a Radius timeout Re-authenticate a user Dynamic Vlan assignment for 802.1X port configurationSyntax no dot1x re-auth-timeout- success seconds Deny user access to the network after a Radius timeoutType Value Dynamic multiple Vlan assignment for 802.1X ports Syntax save-dynamicvlan-to-config Saving dynamic Vlan assignments to the running-config file802.1X port security configuration Disabling strict security mode globally Disabled strict security modeACL or MAC address filter configured on the Brocade device Syntax no dot1x disable-filter-strict-securityDynamically applying existing ACLs or MAC address filters Syntax no global-filter-strict-securityValue Description Configuring per-user IP ACLs or MAC address filtersEnabling 802.1X port security Setting the port controlSyntax no timeout re-authperiod seconds Configuring periodic re-authenticationSyntax no re-authentication Setting the quiet period Re-authenticating a port manuallySetting the wait interval for EAP frame retransmissions Syntax dot1x re-authenticate ethernet portSyntax no timeout tx-period seconds Setting the maximum number of EAP frame retransmissionsValue is a number from 1-10. The default is Syntax auth-max valueSyntax servertimeout seconds Syntax supptimeout secondsInitializing 802.1X on a port Syntax maxreq valueConfiguring 802.1X multiple-host authentication Allowing access to multiple hostsSpecifying the authentication-failure action Syntax no auth-fail-action restricted-vlanSyntax no auth-fail-max-attempts attempts This command enables aging of permitted sessionsDisabling aging for dot1x-mac-sessions Syntax no mac-session-aging no-aging permitted-mac-onlySyntax no mac-age-time seconds Specifying the aging time for blocked clientsMoving native Vlan mac-sesions to restrict Vlan Syntax clear dot1x mac-session mac-addressConfiguring Vlan access for non-EAP-capable clients 802.1X accounting configurationSyntax timeout restrict-fwd-period num MAC address filters for EAP framesSyntax aaa accounting dot1x default start-stop radius none To enable 802.1X accounting, enter the following command802.1X accounting attributes for Radius Enabling 802.1X accountingOutput from the show dot1x command Displaying 802.1X configuration informationDisplaying 802.1X information Syntax show dot1xSyntax show dot1x config ethernet port Forceunauth Displaying 802.1X information Displaying 802.1X statisticsSyntax show dot1x statistics ethernet port Field StatisticsDisplaying dynamically assigned Vlan information Clearing 802.1X statisticsSyntax clear dot1x statistics all Syntax clear dot1x statistics ethernet portSyntax show dot1x ip-ACL Displaying user-defined MAC address filters and IP ACLsSyntax show dot1x mac-address-filter Syntax show dot1x ip-ACL all ethernet port Displaying the status of strict security modeSyntax show dot1x mac-address-filter all ethernet port Global-filter-strict-security Enable Displaying 802.1X multiple-host authentication informationMac Session max-age Seconds Displaying 802.1X multiple-host configuration informationPvid Syntax show dot1x mac-session Syntax show dot1x mac-session brief Output from the show dot1x mac-session brief commandPoint-to-point configuration Sample 802.1X configurationsSame point-to-point 802.1x configuration Sample 802.1X configurationsSample 802.1x configuration using a hub Hub configuration802.1X authentication with dynamic Vlan assignment Auth-fail-vlanid Page MAC Port Security Local and global resources used for MAC port security MAC port security overviewSyntax port security Syntax no enable MAC port security configurationEnabling the MAC port security feature Syntax no age minutes Setting the port security age timerMAC port security configuration On a tagged interface Specifying secure MAC addressesOn an untagged interface Syntax violation restrict age Dropping packets from a violating addressSyntax violation restrict Clearing restricted MAC addresses Clearing port security statisticsClearing violation statistics Disabling the port for a specified amount of timeDisplaying the secure MAC addresses Displaying port security settingsDisplaying port security information Output from the show port security statistics port command Output from the show port security mac commandDisplaying port security statistics Syntax show port security statistics portSyntax show port security ethernet port restricted-macs Displaying restricted MAC addresses on a portSyntax show port security statistics module Static and dynamic hosts MAC-based Vlan overviewSource MAC address authentication MAC-based Vlan feature structurePolicy-based classification and forwarding MAC-based Vlan and port up or down eventsDynamic MAC-based Vlan Dynamic MAC-based Vlan CLI commandsDynamic MAC-based Vlan Description CLI levelDynamic MAC-based Vlan CLI commands for MAC-based VLANs Dynamic MAC-based Vlan configuration exampleFollowing example shows a MAC-based Vlan configuration CLI command Description CLI levelMAC-based Vlan configuration MAC-based Vlan configurationAttribute ID Data type Optional or Description Mandatory Using MAC-based VLANs and 802.1X security on the same portFor permitted hosts Aging for MAC-based VlanFor blocked hosts Aging process for MAC-based Vlan works as described belowFor MAC-based dynamic activation Disabling aging for MAC-based Vlan sessionsTo change the length of the software aging period Globally disabling agingConfiguring a MAC-based Vlan for a static host Configuring the maximum MAC addresses per portSyntax no mac-authentication disable-aging Disabling the aging on interfacesSyntax mac-vlan-permit ethernet stack-unit/slotnum/portnum Configuring MAC-based Vlan for a dynamic hostConfiguring dynamic MAC-based Vlan Enter the following command to display the MAC-VLAN table Configuring MAC-based VLANs using SnmpDisplaying information about MAC-based VLANs Displaying the MAC-VLAN tableDisplaying allowed MAC addresses Displaying the MAC-VLAN table for a specific MAC addressDisplaying information about MAC-based VLANs Syntax show table-mac-vlan mac-addressSyntax show table-mac-vlan denied-mac Displaying denied MAC addressesDisplaying detailed MAC-VLAN data DefaultDisplaying MAC-VLAN information for a specific interface Vlan Displaying MAC addresses in a MAC-based VlanSample MAC-based Vlan application Clearing MAC-VLAN informationDisplaying MAC-based Vlan logging Clearing MAC-VLAN informationSample MAC-based Vlan application Sample MAC-based Vlan configuration0000.0075.3f73 1/1/1 Sample MAC-based Vlan application How multi-device port authentication works Multi-Device Port AuthenticationSupported Radius attributes Radius authenticationAuthentication-failure actions Support for dynamic ARP inspection with dynamic ACLs Support for dynamic Vlan assignmentSupport for dynamic ACLs Support for source guard protection Support for Dhcp snooping with dynamic ACLsConfiguring Brocade-specific attributes on Radius server Multi-device port authentication configuration Globally enabling multi-device port authentication Enabling multi-device port authenticationEnabling multi-device port authentication on an interface Syntax no mac-authentication enableSyntax no mac-authentication auth-fail-vlan-id vlan-id Specifying the authentication-failure actionMulti-device port authentication configuration Defining MAC address filters Generating traps for multi-device port authenticationConfiguring dynamic Vlan assignment Syntax no mac-authentication no-override-restrict-vlan Syntax no mac-authentication enable-dynamic-vlanVlan-namestring Syntax mac-authentication disable-ingress-filteringConfiguration notes and limitations Syntax no mac-authentication save-dynamicvlan-to-config Dynamically applying IP ACLs to authenticated MAC addressesPage ACLs configured on the Brocade device Enabling denial of service attack protectionConfiguring the Radius server to support dynamic IP ACLs Enabling source guard protection Syntax no mac-authentication dos-protection mac-limit numberSyntax no mac-authentication source-guard-protection enable Clearing authenticated MAC addressesEnter the no form of the command to disable SG protection Syntax clear auth-mac-tableSyntax mac-authentication clear-mac-session mac-address Disabling aging for authenticated MAC addressesGlobally disabling aging of MAC addresses Syntax clear auth-mac-table ethernet portDisabling the aging of MAC addresses on interfaces Syntax no mac-authentication hw-deny-age numPermit user access to the network after a Radius timeout Specifying the Radius timeout actionSyntax no mac-authentication auth-timeout-action success Specifying the aging time for blocked MAC addressesSyntax no mac-authentication auth-timeout-action failure Multi-device port authentication password overrideDeny user access to the network after a Radius timeout Limiting the number of authenticated MAC addresses Displaying multi-device port authentication informationDisplaying authenticated MAC address information Syntax no mac-authentication password-override passwordSyntax show auth-mac-address configuration Output from the show authenticated-mac-address commandSyntax show auth-mac-address mac-addressip-addrport Syntax show auth-mac-addresses authorized-mac Displaying the authenticated MAC addressesSyntax show auth-mac-addresses unauthorized-mac Displaying the non-authenticated MAC addressesExplains the information in the output Syntax show auth-mac-address ethernet portSyntax show auth-mac-address detail ethernet port YES Output from the show auth-mac-addresses detailed commandPvid Example port authentication configurations Interface ethernet 1 dual-modemac-authentication enable Example port authentication configurationsPort e1/1/1 Dual Mode Example port authentication configurations Radius Server User 0000.008e.86ac IP Phone Profile No Profile for MAC 0000.007f.2e0a PC User 1 Profile Syntax no mac-authentication auth-fail-dot1x-override How a Smurf attack floods a victim with Icmp replies Smurf attacksSyntax no ip directed-broadcast Avoiding being an intermediary in a Smurf attackAvoiding being a victim in a Smurf attack TCP SYN attacks TCP SYN attacksTCP security enhancement Protecting against a blind injection attack Syntax clear statistics dos-attack Syntax show statistics dos-attackPort-based rate limiting Rate Limiting and Rate ShapingRate limiting in hardware How port-based fixed rate limiting worksConfiguring a port-based fixed rate limiting policy Configuration notes for port-based fixed rate limitingDisplaying the port-based fixed rate limiting configuration Syntax no rate-limit input fixed average-rateConfiguring outbound rate shaping for a port Configuration notes for rate shapingRate shaping Rate shapingConfiguring outbound rate shaping for a trunk port Configuring outbound rate shaping for a specific priorityDisplaying rate shaping configurations CPU rate-limitingARP Packet type Rate limitARP poisoning Dynamic ARP inspectionARP entries Dynamic ARP Inspection281 Configuring an inspection ARP entry Dynamic ARP inspection configurationEnabling DAI on a Vlan Syntax no arp ip-addrmac-addrinspectionDisplaying ARP inspection status and ports Dhcp snoopingDisplaying the ARP table Enabling trust on a portDhcp binding database How Dhcp snooping worksPage Enabling Dhcp snooping on a Vlan Syntax no dhcp snooping client-learning disableDisabling the learning of Dhcp clients on a port Syntax no ip dhcp snooping vlan vlan-numberDisplaying Dhcp snooping status and ports Clearing the Dhcp binding databaseDisplaying the Dhcp snooping binding database Displaying Dhcp binding entry and statusDhcp relay agent information Dhcp snooping configuration exampleDhcp relay agent information Dhcp option 82 sub-options Configuration notes for Dhcp optionSub-option 6 Subscriber ID Sub-option 1 Circuit IDSub-option 2 Remote ID Syntax no dhcp snooping relay information Dhcp option 82 configurationSyntax ip dhcp relay information policy policy-type Changing the forwarding policyEnabling and disabling subscriber ID processing Output for the ip dhcp relay information command Viewing the ports on which Dhcp option 82 is disabledViewing information about Dhcp option 82 processing Viewing the circuit ID, remote ID, and forwarding policySyntax show interfaces ethernet port IP source guardViewing the status of Dhcp option 82 and the subscriber ID Page For ip-addr, enter a valid IP address No source-guard enableDefining static IP source bindings Enabling IP source guard per-port-per-VLAN Syntax no source-guard enableEnabling IP source guard on a VE Displaying learned IP addressesIP source guard Broadcast, unknown Unicast, and Multicast rate limiting Configuration notes and feature limitationsConfiguring rate limiting for BUM traffic Viewing rate limits set on BUM traffic Syntax show rate-limit broadcast Syntax show run interfaceBroadcast, unknown Unicast, and Multicast rate limiting Index ARP Radius Page Page MAC-VLAN Page SSH Vlan Ip access-group,110 mac-vlan-permit,220 source-guard enable