Manuals / Brocade Communications Systems / Computer Equipment / Switch

Brocade Communications Systems 6650 Filtering SSH access using ACLs, Displaying SSH information

Models: 6650

1 332

Download 332 pages 4.02 Kb

Page 92

Filtering SSH access using ACLs

Brocade(config)# ip ssh idle-time 30

Syntax: ip ssh idle-time minutes

If an established SSH session has no activity for the specified number of minutes, the Brocade device closes it. An idle time of 0 minutes (the default value) means that SSH sessions never time out. The maximum idle time for SSH sessions is 240 minutes.

Filtering SSH access using ACLs

You can permit or deny SSH access to the Brocade device using ACLs. To use ACLs, first create the ACLs you want to use. You can specify a numbered standard IPv4 ACL, a named standard IPv4 ACL

Enter commands such as the following.

Brocade(config)# access-list 10 permit host 192.168.144.241

Brocade(config)# access-list 10 deny host 192.168.144.242 log

Brocade(config)# access-list 10 permit host 192.168.144.243

Brocade(config)# access-list 10 deny any

Brocade(config)# ssh access-group 10

Syntax: ssh access-groupstandard-named-acl standard-numbered-acl

Terminating an active SSH connection

To terminate one of the active SSH connections, enter the following command

Brocade# kill ssh 1

Syntax: kill ssh connection-id

Displaying SSH information

Up to five SSH connections can be active on the Brocade device.

Displaying SSH connection information

To display information about SSH connections, enter the show ip ssh command.

Brocade# show	ip ssh	Encryption	Username	HMAC	Server Hostkey	IP Address
Connection	Version
Inbound:	SSH-2	3des-cbc	Raymond	hmac-sha1	ssh-dss	10.120.54.2
1
Outbound:	SSH-2	aes256-cbc	Steve	hmac-sha1	ssh-dss	10.37.77.15
6

SSH-v2.0 enabled; hostkey: DSA(1024), RSA(2048)

72	Brocade ICX 6650 Security Configuration Guide
	53-1002601-01

Image 92

Brocade Communications Systems 6650 manual Filtering SSH access using ACLs, Terminating an active SSH connection

Contents

Brocade ICX Brocade Communications Systems, Incorporated Contents Brocade ICX 6650 Security Configuration Guide Chapter Brocade ICX 6650 Security Configuration Guide ACL-based rate limiting overview Types of ACL-based rate limitingChapter 802.1X Port Security Ietf RFC supportMAC-based Vlan feature structure MAC port security overviewLocal and global resources used for MAC port security MAC-based Vlan overviewHow multi-device port authentication works Radius authenticationAuthentication-failure actions Supported Radius attributesAvoiding being a victim in a Smurf attack Smurf attacksAvoiding being an intermediary in a Smurf attack Configuration notes for port-based fixed rate limiting Configuring a port-based fixed rate limiting policyDisplaying the port-based fixed rate limiting configuration Configuration notes and feature limitations for DAIConfiguration notes and feature limitations Configuring rate limiting for BUM trafficBroadcast, unknown Unicast, and Multicast rate limiting Viewing rate limits set on BUM trafficPage Brocade ICX 6650 slot and port numbering AudienceSupported hardware and software How this document is organized Dhcp onText formatting Command syntax conventionsDocument conventions Related publications Corporation Referenced Trademarks and ProductsAdditional information Getting technical helpBrocade resources Other industry resourcesDocument feedback Securing access methods Feature Brocade ICXMethod is secured Remote access to management function restrictions ACL usage to restrict remote accessUsing an ACL to restrict Telnet access Using an ACL to restrict SSH accessSyntax telnet access-group num Syntax ssh access-group numSyntax snmp-server community string ro rw num Using ACLs to restrict Snmp accessDefining the console idle time Restricting SSH access to a specific IP address Remote access restrictionsRestricting Telnet access to a specific IP address Restricting access to the device based on IP or MAC address Restricting Snmp access to a specific IP addressRestricting Telnet connection Restricting SSH connectionRestricting Http and Https connection Changing the login timeout period for Telnet sessionsDefining the Telnet idle time Restricting Telnet access to a specific Vlan Syntax no telnet login-retries numberRestricting Snmp access to a specific Vlan Restricting Tftp access to a specific VlanSyntax no telnet server enable vlan vlan-id Syntax no snmp-server enable vlan vlan-idAllowing SSHv2 access to the Brocade device Syntax no default-gateway ip-addr metricDevice management security Syntax crypto key generate zeroizeDisabling specific access methods Allowing Snmp access to the Brocade deviceDisabling Telnet access Disabling Snmp accessPasswords used to secure access Setting a Telnet passwordSyntax no tftp disable Syntax no enable telnet password stringSyntax no telnet server suppress-reject-message Setting passwords for management privilege levelsPasswords used to secure access Syntax enable read-only-password text Augmenting management privilege levelsRecovering from a lost password Specifying a minimum password lengthEnter boot system flash primary at the prompt After the console prompt reappears, assign a new passwordEnhancements to username and password Syntax enable password-min-length number-of-charactersLocal user accounts Number-of-characterscan be fromEnabling enhanced user password combination requirements Syntax no enable strict-password-enforcementEnabling user password masking Enabling user password agingSyntax username name password Enter Syntax no enable user password-maskingConfiguring password history Enhanced login lockoutSyntax no enable user password-aging Syntax no enable user password-history 1Local user account configuration Setting passwords to expireSyntax username name enable Requirement to accept the message of the dayLocal user accounts with no passwords Local user accounts with unencrypted passwordsCreating a password option Local accounts with encrypted passwordsUsing the username user-stringcreate-password command Syntax show usersChanging a local user password Syntax no username user-stringpassword password-stringTacacs and TACACS+ security How TACACS+ differs from TacacsTACACS/TACACS+ authentication, authorization, and accounting Kill console Syntax kill console all unit Tacacs authentication TACACS+ authenticationTACACS+ authorization TACACS+ accountingUser action Applicable AAA operations AAA security for commands pasted into the running-configAAA operations for TACACS/TACACS+ Configuring TACACS+ TACACS/TACACS+ configuration considerationsConfiguring Tacacs Enabling Tacacs Identifying the TACACS/TACACS+ serversSetting optional Tacacs and TACACS+ parameters Specifying different servers for individual AAA functionsSetting the timeout parameter Setting the TACACS+ keySetting the retransmission limit Method parameter Description Syntax no aaa authentication enable implicit-user Entering privileged Exec mode after a Telnet or SSH loginSyntax aaa authentication login privilege-mode Configuring TACACS+ authorization Configuring Exec authorizationSyntax aaa authorization exec default tacacs+ none Configuring an Attribute-Value pair on the TACACS+ serverFoundry-privlvl = Configuring command authorization AAA support for console commandsTACACS+ accounting configuration Configuring TACACS+ accounting for Telnet/SSH Shell accessConfiguring TACACS+ accounting for CLI commands Syntax no enable aaa consoleConfiguring TACACS+ accounting for system events Radius authentication, authorization, and accounting Radius authenticationOutput of the show aaa command for TACACS/TACACS+ Radius securityRadius authorization Radius accountingAAA operations for Radius AAA operations for RadiusRadius configuration considerations Radius security AAA operations for RadiusConfiguring Radius Brocade-specific attributes on the Radius serverPort Configuration level Allows Attribute ID Data type DescriptionAttribute name Attribute ID Data type Description Enabling Snmp to configure RadiusIdentifying the Radius server to the Brocade device Radius server per port configuration notes Radius configuration example and command syntaxFollowing shows an example configuration Radius server per portRadius server-to-ports configuration notes Radius server to individual ports mappingSyntax use-radius-server ip-addr Host ip-addris an IPv4 addressSetting the Radius key Radius parametersSyntax radius-server key 0 1 string Syntax radius-server retransmit numberSetting authentication-method lists for Radius Setting Radius over IPv6Syntax radius-server timeout number Syntax radius-server host ipv6 ipv6-host addressSetting passwords for management privilege levels on Radius authorization Syntax aaa authorization exec default radius noneCommand authorization and accounting for console commands Radius accounting Configuring Radius accounting for Telnet/SSH Shell accessConfiguring Radius accounting for CLI commands Displaying Radius configuration information Configuring Radius accounting for system eventsOutput of the show aaa command for Radius Authentication-method lists Authentication-method listsExamples of authentication-method lists Example Command SyntaxFollowing is the command syntax for the preceding examples User account configuration on TCP Flags edge port securityUsing TCP Flags in combination with other ACL features TCP Flags edge port securityTCP Flags edge port security SSH2 and SCP SSH version 2 overviewSSH2 supported features SSH2 unsupported featuresTested SSH2 clients Key exchange methods are diffie-hellman-group1-sha1SSH2 authentication types Configuring SSH2SSH2 authentication types Configure DSA or RSA challenge-response authenticationGenerating and deleting an RSA key pair Setting the CPU priority for key generationGenerating and deleting a DSA key pair Configuring DSA or RSA challenge-response authentication Deleting DSA and RSA key pairsProviding the public key to clients Syntax crypto key zeroizeImporting authorized public keys into the Brocade device Begin SSH2 Public KEYEnabling DSA or RSA challenge-response authentication Syntax ip ssh key-authentication yes noOptional SSH parameters Syntax clear public-keySetting the number of SSH authentication retries Deactivating user authenticationSyntax ip ssh authentication-retries number Syntax ip ssh password-authentication no yesEnabling empty password logins Setting the SSH port numberSetting the SSH login timeout value Configuring the maximum idle time for SSH sessionsFiltering SSH access using ACLs Terminating an active SSH connectionDisplaying SSH information Displaying SSH connection informationDisplaying SSH configuration information Syntax show ip ssh configDisplaying SSH information SSH connection informationDisplaying SSH information SSH configuration information Displaying additional SSH connection informationSecure copy configuration notes Example file transfers using SCPCopying a file to the running configuration Secure copy with SSH2Copying a file to the startup configuration To overwrite the running configuration fileCopying a software image file to flash memory Copying a software image file from flash memoryImporting a DSA or RSA public key Importing a digital certificate using SCPImporting an RSA private key Enabling SSH2 client Configuring SSH2 client public key authenticationSSH2 client Using SSH2 client Generating and deleting a client DSA key pairGenerating and deleting a client RSA key pair Exporting client public keysDisplaying SSH2 client information Supported ACL features on outbound traffic Rule-Based IP ACLsACL overview Supported ACL features on outbound traffic ACL overviewTypes of IP ACLs ACL IDs and entriesNumbered and named ACLs ACL overview Virtual routing interfacesDefault ACL action How hardware-based ACLs workHow fragmented packets are processed Hardware aging of Layer 4 CAM entriesACL configuration considerations Configuring standard numbered ACLs Standard numbered ACL syntaxStandard named ACL configuration Configuration example for standard numbered ACLsSyntax no ip access-list standard ACL-nameACL-num Standard named ACL syntaxBrocade ICX 6650 Security Configuration Guide 53-1002601-01 Extended numbered ACL configuration Extended numbered ACL configurationConfiguration example for standard named ACLs Extended numbered ACL syntax Num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Brocade ICX 6650 Security Configuration Guide Configuration examples for extended numbered ACLs Here is another example of an extended ACLExtended named ACL configuration Extended named ACL configurationExtended named ACL syntax Num Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Page Syntax enable egress-acl-on-cpu-traffic Applying egress ACLs to Control CPU trafficPreserving user input for ACL TCP/UDP port numbers Syntax ip preserve-ACL-user-input-formatACL comment text management Adding a comment to an entry in a numbered ACLShow running-config Show access-list Show ip access-list Adding a comment to an entry in a named ACLDeleting a comment from an ACL entry Viewing comments in an ACLSyntax show running-config ACL logging Configuration notes for ACL loggingACL logging Configuration tasks for ACL logging Example ACL logging configurationSyntax ACL-logging Syntax logging-enableDisplaying ACL Log Entries Syntax no ip access-group frag deny Syntax show logEnter the no form of the command to disable this feature Configuration notes for ACL filteringSyntax no enable ACL-per-port-per-vlan Syntax per-vlan Vlan ID Syntax no ip access-group ACL ID Syntax no ip access-group ACL ID in ethernet port to port ACLs to filter ARP packetsConfiguration considerations for filtering ARP packets Configuring ACLs for ARP filteringSyntax no ip use-ACL-on-arp access-list-number ACLs to filter ARP packetsFiltering on IP precedence and ToS values Displaying ACL filters for ARPClearing the filter count Syntax show ACL-on-arp ethernet port loopback num ve numQoS options for IP ACLs TCP flags edge port securitySyntax ...dscp-marking dscp-value Configuration notes for QoS options on Brocade ICXUsing an IP ACL to mark Dscp values Dscp marking For IP Combined ACL for 802.1p markingQoS options for IP ACLs Using an ACL to change the forwarding queue ACL-based rate limitingDscp matching Syntax ...dscp-matching 0Enabling and viewing hardware usage statistics for an ACL ACLs to control multicast featuresACL statistics Troubleshooting ACLs Syntax show access-list ACL-numACL-nameallDisplaying ACL information Policy Based RoutingConfiguration considerations for policy-based routing Configuring a PBR policyConfiguring the ACLs Configuring the route map Syntax noroute-map map-namepermit deny numEnabling PBR Configuration examples for PBR Setting the next hopBasic example of PBR Policy Based RoutingSetting the output interface to the null interface Trunk formation with PBR policy Feature IPv6 ACL overviewIPv6 protocol names and numbers IPv6 ACL configuration notesIPv6 ACL traffic filtering criteria Configuring an IPv6 ACL Example IPv6 configurationsHere is another example Configuring an IPv6 ACLShow ipv6 access-listcommand displays the following Default and implicit IPv6 ACL action Syntax no ipv6 access-list ACL-name Creating an IPv6 ACLSyntax for creating an IPv6 ACL Ipv6-operator dscpFor UDP For IcmpFor TCP IPv6 ACL arguments Description Ipv6-source-prefix /prefix-lengthCreating an IPv6 ACL Syntax descriptions IPv6 ACL arguments DescriptionIcmp message configurations 802.1p-priority-matching numberSyntax ipv6 enable Applying an IPv6 ACL to an interfaceAdding a comment to an IPv6 ACL entry Syntax for applying an IPv6 ACLApplying an IPv6 ACL to a trunk group Syntax .ipv6 traffic-filter ipv6-ACL-nameinDisplaying IPv6 ACLs Deleting a comment from an IPv6 ACL entrySupport for ACL logging Displaying IPv6 ACLs Syntax show ipv6 access-listSyntax show ipv6 access-list access-list-name ACL-based rate limiting overview Types of ACL-based rate limitingACL statistics Traffic policies overviewTraffic policy structure Configuring fixed rate limiting Configuration notes for traffic policiesConfiguring adaptive rate limiting Configuring adaptive rate limitingACL based adaptive rate limiting parameters Parameter DefinitionPage Handling packets that exceed the rate limit Dropping packetsEnabling and using ACL statistics Permitting packets at low priorityEnabling and using ACL statistics Enabling ACL statisticsEnabling ACL statistics with rate limiting traffic policies Viewing ACL and rate limit countersClearing ACL and rate limit counters ACL and rate limit counting statisticsParameter Description General CountersParameterDescription Viewing traffic policiesSyntax show traffic-policy TPD-name 802.1X Port Security Ietf RFC supportHow 802.1X port security works Device roles in an 802.1X configurationHow 802.1X port security works Communication between the devices Controlled and uncontrolled portsPAE Message exchange during authentication Setting the IP MTU size Refer to EAP pass-through support onAuthenticating multiple hosts connected to the same port Configuration notes for setting the IP MTU sizeEAP pass-through support Syntax no ip mtu numHow 802.1X multiple-host authentication works Multiple hosts connected to a single 802.1X-enabled portConfiguration notes for 802.1x multiple-host authentication 802.1X port security and sFlow 802.1X port security configuration 802.1X port security configurationConfigure the device role as the Authenticator Configure the device interaction with ClientsConfiguring an authentication method list for Setting Radius parametersSyntax no aaa authentication dot1x default method-list Supported Radius attributesSyntax no dot1x auth-timeout-action success Specifying the Radius timeout actionPermit user access to the network after a Radius timeout Dynamic Vlan assignment for 802.1X port configuration Re-authenticate a userSyntax no dot1x re-auth-timeout- success seconds Deny user access to the network after a Radius timeoutType Value Dynamic multiple Vlan assignment for 802.1X ports Saving dynamic Vlan assignments to the running-config file Syntax save-dynamicvlan-to-config802.1X port security configuration Disabled strict security mode Disabling strict security mode globallySyntax no dot1x disable-filter-strict-security ACL or MAC address filter configured on the Brocade deviceDynamically applying existing ACLs or MAC address filters Syntax no global-filter-strict-securityConfiguring per-user IP ACLs or MAC address filters Value DescriptionSetting the port control Enabling 802.1X port securitySyntax no timeout re-authperiod seconds Configuring periodic re-authenticationSyntax no re-authentication Re-authenticating a port manually Setting the quiet periodSetting the wait interval for EAP frame retransmissions Syntax dot1x re-authenticate ethernet portSetting the maximum number of EAP frame retransmissions Syntax no timeout tx-period secondsValue is a number from 1-10. The default is Syntax auth-max valueSyntax supptimeout seconds Syntax servertimeout secondsInitializing 802.1X on a port Syntax maxreq valueAllowing access to multiple hosts Configuring 802.1X multiple-host authenticationSpecifying the authentication-failure action Syntax no auth-fail-action restricted-vlanThis command enables aging of permitted sessions Syntax no auth-fail-max-attempts attemptsDisabling aging for dot1x-mac-sessions Syntax no mac-session-aging no-aging permitted-mac-onlySpecifying the aging time for blocked clients Syntax no mac-age-time secondsMoving native Vlan mac-sesions to restrict Vlan Syntax clear dot1x mac-session mac-address802.1X accounting configuration Configuring Vlan access for non-EAP-capable clientsSyntax timeout restrict-fwd-period num MAC address filters for EAP framesTo enable 802.1X accounting, enter the following command Syntax aaa accounting dot1x default start-stop radius none802.1X accounting attributes for Radius Enabling 802.1X accountingDisplaying 802.1X configuration information Output from the show dot1x commandDisplaying 802.1X information Syntax show dot1xSyntax show dot1x config ethernet port Forceunauth Displaying 802.1X statistics Displaying 802.1X informationSyntax show dot1x statistics ethernet port Field StatisticsClearing 802.1X statistics Displaying dynamically assigned Vlan informationSyntax clear dot1x statistics all Syntax clear dot1x statistics ethernet portSyntax show dot1x ip-ACL Displaying user-defined MAC address filters and IP ACLsSyntax show dot1x mac-address-filter Syntax show dot1x ip-ACL all ethernet port Displaying the status of strict security modeSyntax show dot1x mac-address-filter all ethernet port Displaying 802.1X multiple-host authentication information Global-filter-strict-security EnableDisplaying 802.1X multiple-host configuration information Mac Session max-age SecondsPvid Syntax show dot1x mac-session Output from the show dot1x mac-session brief command Syntax show dot1x mac-session briefSample 802.1X configurations Point-to-point configurationSame point-to-point 802.1x configuration Sample 802.1X configurationsHub configuration Sample 802.1x configuration using a hub802.1X authentication with dynamic Vlan assignment Auth-fail-vlanid Page MAC Port Security MAC port security overview Local and global resources used for MAC port securitySyntax port security Syntax no enable MAC port security configurationEnabling the MAC port security feature Syntax no age minutes Setting the port security age timerMAC port security configuration On a tagged interface Specifying secure MAC addressesOn an untagged interface Syntax violation restrict age Dropping packets from a violating addressSyntax violation restrict Clearing port security statistics Clearing restricted MAC addressesClearing violation statistics Disabling the port for a specified amount of timeDisplaying the secure MAC addresses Displaying port security settingsDisplaying port security information Output from the show port security mac command Output from the show port security statistics port commandDisplaying port security statistics Syntax show port security statistics portSyntax show port security ethernet port restricted-macs Displaying restricted MAC addresses on a portSyntax show port security statistics module MAC-based Vlan overview Static and dynamic hostsMAC-based Vlan feature structure Source MAC address authenticationPolicy-based classification and forwarding MAC-based Vlan and port up or down eventsDynamic MAC-based Vlan CLI commands Dynamic MAC-based VlanDynamic MAC-based Vlan Description CLI levelDynamic MAC-based Vlan configuration example Dynamic MAC-based Vlan CLI commands for MAC-based VLANsFollowing example shows a MAC-based Vlan configuration CLI command Description CLI levelMAC-based Vlan configuration MAC-based Vlan configurationUsing MAC-based VLANs and 802.1X security on the same port Attribute ID Data type Optional or Description MandatoryAging for MAC-based Vlan For permitted hostsFor blocked hosts Aging process for MAC-based Vlan works as described belowDisabling aging for MAC-based Vlan sessions For MAC-based dynamic activationTo change the length of the software aging period Globally disabling agingConfiguring the maximum MAC addresses per port Configuring a MAC-based Vlan for a static hostSyntax no mac-authentication disable-aging Disabling the aging on interfacesSyntax mac-vlan-permit ethernet stack-unit/slotnum/portnum Configuring MAC-based Vlan for a dynamic hostConfiguring dynamic MAC-based Vlan Configuring MAC-based VLANs using Snmp Enter the following command to display the MAC-VLAN tableDisplaying information about MAC-based VLANs Displaying the MAC-VLAN tableDisplaying the MAC-VLAN table for a specific MAC address Displaying allowed MAC addressesDisplaying information about MAC-based VLANs Syntax show table-mac-vlan mac-addressDisplaying denied MAC addresses Syntax show table-mac-vlan denied-macDefault Displaying detailed MAC-VLAN dataDisplaying MAC-VLAN information for a specific interface Displaying MAC addresses in a MAC-based Vlan VlanClearing MAC-VLAN information Sample MAC-based Vlan applicationDisplaying MAC-based Vlan logging Clearing MAC-VLAN informationSample MAC-based Vlan configuration Sample MAC-based Vlan application0000.0075.3f73 1/1/1 Sample MAC-based Vlan application Multi-Device Port Authentication How multi-device port authentication worksSupported Radius attributes Radius authenticationAuthentication-failure actions Support for dynamic ARP inspection with dynamic ACLs Support for dynamic Vlan assignmentSupport for dynamic ACLs Support for Dhcp snooping with dynamic ACLs Support for source guard protectionConfiguring Brocade-specific attributes on Radius server Multi-device port authentication configuration Enabling multi-device port authentication Globally enabling multi-device port authenticationEnabling multi-device port authentication on an interface Syntax no mac-authentication enableSyntax no mac-authentication auth-fail-vlan-id vlan-id Specifying the authentication-failure actionMulti-device port authentication configuration Defining MAC address filters Generating traps for multi-device port authenticationConfiguring dynamic Vlan assignment Syntax no mac-authentication enable-dynamic-vlan Syntax no mac-authentication no-override-restrict-vlanSyntax mac-authentication disable-ingress-filtering Vlan-namestringConfiguration notes and limitations Dynamically applying IP ACLs to authenticated MAC addresses Syntax no mac-authentication save-dynamicvlan-to-configPage ACLs configured on the Brocade device Enabling denial of service attack protectionConfiguring the Radius server to support dynamic IP ACLs Syntax no mac-authentication dos-protection mac-limit number Enabling source guard protectionClearing authenticated MAC addresses Syntax no mac-authentication source-guard-protection enableEnter the no form of the command to disable SG protection Syntax clear auth-mac-tableDisabling aging for authenticated MAC addresses Syntax mac-authentication clear-mac-session mac-addressGlobally disabling aging of MAC addresses Syntax clear auth-mac-table ethernet portSyntax no mac-authentication hw-deny-age num Disabling the aging of MAC addresses on interfacesSpecifying the Radius timeout action Permit user access to the network after a Radius timeoutSyntax no mac-authentication auth-timeout-action success Specifying the aging time for blocked MAC addressesSyntax no mac-authentication auth-timeout-action failure Multi-device port authentication password overrideDeny user access to the network after a Radius timeout Displaying multi-device port authentication information Limiting the number of authenticated MAC addressesDisplaying authenticated MAC address information Syntax no mac-authentication password-override passwordOutput from the show authenticated-mac-address command Syntax show auth-mac-address configurationSyntax show auth-mac-address mac-addressip-addrport Displaying the authenticated MAC addresses Syntax show auth-mac-addresses authorized-macDisplaying the non-authenticated MAC addresses Syntax show auth-mac-addresses unauthorized-macExplains the information in the output Syntax show auth-mac-address ethernet portSyntax show auth-mac-address detail ethernet port Output from the show auth-mac-addresses detailed command YESPvid Example port authentication configurations Example port authentication configurations Interface ethernet 1 dual-modemac-authentication enablePort e1/1/1 Dual Mode Example port authentication configurations Radius Server User 0000.008e.86ac IP Phone Profile No Profile for MAC 0000.007f.2e0a PC User 1 Profile Syntax no mac-authentication auth-fail-dot1x-override Smurf attacks How a Smurf attack floods a victim with Icmp repliesSyntax no ip directed-broadcast Avoiding being an intermediary in a Smurf attackAvoiding being a victim in a Smurf attack TCP SYN attacks TCP SYN attacksTCP security enhancement Protecting against a blind injection attack Syntax show statistics dos-attack Syntax clear statistics dos-attackRate Limiting and Rate Shaping Port-based rate limitingHow port-based fixed rate limiting works Rate limiting in hardwareConfiguration notes for port-based fixed rate limiting Configuring a port-based fixed rate limiting policyDisplaying the port-based fixed rate limiting configuration Syntax no rate-limit input fixed average-rateConfiguration notes for rate shaping Configuring outbound rate shaping for a portRate shaping Rate shapingConfiguring outbound rate shaping for a specific priority Configuring outbound rate shaping for a trunk portDisplaying rate shaping configurations CPU rate-limitingPacket type Rate limit ARPDynamic ARP inspection ARP poisoningDynamic ARP Inspection ARP entries281 Dynamic ARP inspection configuration Configuring an inspection ARP entryEnabling DAI on a Vlan Syntax no arp ip-addrmac-addrinspectionDhcp snooping Displaying ARP inspection status and portsDisplaying the ARP table Enabling trust on a portHow Dhcp snooping works Dhcp binding databasePage Syntax no dhcp snooping client-learning disable Enabling Dhcp snooping on a VlanDisabling the learning of Dhcp clients on a port Syntax no ip dhcp snooping vlan vlan-numberClearing the Dhcp binding database Displaying Dhcp snooping status and portsDisplaying the Dhcp snooping binding database Displaying Dhcp binding entry and statusDhcp relay agent information Dhcp snooping configuration exampleDhcp relay agent information Configuration notes for Dhcp option Dhcp option 82 sub-optionsSub-option 6 Subscriber ID Sub-option 1 Circuit IDSub-option 2 Remote ID Dhcp option 82 configuration Syntax no dhcp snooping relay informationSyntax ip dhcp relay information policy policy-type Changing the forwarding policyEnabling and disabling subscriber ID processing Viewing the ports on which Dhcp option 82 is disabled Output for the ip dhcp relay information commandViewing information about Dhcp option 82 processing Viewing the circuit ID, remote ID, and forwarding policySyntax show interfaces ethernet port IP source guardViewing the status of Dhcp option 82 and the subscriber ID Page For ip-addr, enter a valid IP address No source-guard enableDefining static IP source bindings Syntax no source-guard enable Enabling IP source guard per-port-per-VLANEnabling IP source guard on a VE Displaying learned IP addressesIP source guard Broadcast, unknown Unicast, and Multicast rate limiting Configuration notes and feature limitationsConfiguring rate limiting for BUM traffic Viewing rate limits set on BUM traffic Syntax show run interface Syntax show rate-limit broadcastBroadcast, unknown Unicast, and Multicast rate limiting Index ARP Radius Page Page MAC-VLAN Page SSH Ip access-group,110 mac-vlan-permit,220 source-guard enable Vlan