Brocade FastIron Ethernet Switch Security Configuration Guide

53-1003088-03 30 July 2014
FastIron Ethernet Switch
Security Configuration Guide
Supporting FastIron Software Release 08.0.10d
© 2014, Brocade Communications Systems, Inc. All Rights Reserved.
Brocade, the B-wing symbol, Brocade Assurance, ADX, AnyIO, DCX, Fabric OS, FastIron, HyperEdge, ICX, MLX, MyBrocade, NetIron, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and The Effortless Network and the On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands and product names mentioned may be trademarks of others.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it.
The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.

Contents

Preface...................................................................................................................................13
Document conventions....................................................................................13
Text formatting conventions................................................................ 13
Command syntax conventions............................................................ 13
Notes, cautions, and warnings............................................................ 14
Brocade resources.......................................................................................... 15
Getting technical help......................................................................................15
Document feedback........................................................................................ 16
About This Document.............................................................................................................. 17
What’s new in this document ......................................................................... 17
How command information is presented in this guide.....................................17
Security Access ......................................................................................................................19
Supported security access features................................................................ 19
Securing access methods............................................................................... 20
Remote access to management function restrictions..................................... 23
ACL usage to restrict remote access ................................................. 23
Defining the console idle time............................................................. 25
Remote access restrictions................................................................. 25
Restricting access to the device based on IP or MAC address........... 26
Defining the Telnet idle time................................................................27
Specifying the maximum number of login attempts for Telnet access........................................................................................... 27
Changing the login timeout period for Telnet sessions....................... 28
Restricting remote access to the device to specific VLAN IDs.............28
Designated VLAN for Telnet management sessions to a Layer 2 Switch............................................................................................ 29
Device management security..............................................................30
Disabling specific access methods..................................................... 30
Passwords used to secure access..................................................................31
Setting a Telnet password ..................................................................32
Setting passwords for management privilege levels........................... 32
Recovering from a lost password........................................................34
Displaying the SNMP community string.............................................. 35
Specifying a minimum password length..............................................35
Local user accounts........................................................................................ 35
Enhancements to username and password........................................36
Local user account configuration........................................................ 40
Changing a local user password......................................................... 41
TACACS and TACACS+ security....................................................................42
How TACACS+ differs from TACACS.................................................42
TACACS/TACACS+ authentication, authorization, and accounting.....42
TACACS authentication...................................................................... 44
TACACS/TACACS+ configuration considerations.............................. 47
Enabling TACACS...............................................................................48
Identifying the TACACS/TACACS+ servers........................................48
Specifying different servers for individual AAA functions.................... 49
Setting optional TACACS and TACACS+ parameters......................49
Configuring authentication-method lists for TACACS and TACACS+....................................................................................50
Configuring TACACS+ authorization................................................ 53
TACACS+ accounting configuration................................................. 55
Configuring an interface as the source for all TACACS and TACACS+ packets...................................................................... 56
Displaying TACACS/TACACS+ statistics and configuration information...................................................................................57
RADIUS security........................................................................................... 58
RADIUS authentication, authorization, and accounting.................... 58
RADIUS configuration considerations...............................................61
Configuring RADIUS......................................................................... 61
Brocade-specific attributes on the RADIUS server........................... 62
Enabling SNMP to configure RADIUS.............................................. 63
Identifying the RADIUS server to the Brocade device...................... 64
Specifying different servers for individual AAA functions..................64
RADIUS server per port.................................................................... 64
RADIUS server to individual ports mapping......................................65
RADIUS parameters......................................................................... 66
Setting authentication-method lists for RADIUS............................... 67
RADIUS authorization.......................................................................69
RADIUS accounting.......................................................................... 71
Configuring an interface as the source for all RADIUS packets........ 72
Displaying RADIUS configuration information...................................72
SSL security..................................................................................................73
Specifying a port for SSL communication......................................... 73
Changing the SSL server certificate key size....................................74
Support for SSL digital certificates larger than 2048 bits.................. 74
Importing digital certificates and RSA private key files..................... 74
Generating an SSL certificate........................................................... 75
Deleting the SSL certificate...............................................................75
Authentication-method lists...........................................................................75
Configuration considerations for authentication-method lists........... 76
Examples of authentication-method lists...........................................76
TCP Flags - edge port security..................................................................... 78
Using TCP Flags in combination with other ACL features................ 79
SSH2 and SCP......................................................................................................................81
Supported SSH2 and Secure Copy features................................................ 81
SSH version 2 overview................................................................................81
Tested SSH2 clients..........................................................................82
SSH2 supported features..................................................................82
SSH2 unsupported features..............................................................83
SSH2 authentication types............................................................................83
Configuring SSH2............................................................................. 83
Enabling and disabling SSH by generating and deleting host keys............................................................................................. 84
Configuring DSA or RSA challenge-response authentication...........86
Optional SSH parameters............................................................................. 88
Setting the number of SSH authentication retries.............................88
Deactivating user authentication.......................................................88
Enabling empty password logins.......................................................89
Setting the SSH port number............................................................ 89
Setting the SSH login timeout value................................................. 89
Designating an interface as the source for all SSH packets............. 90
Configuring the maximum idle time for SSH sessions...................... 90
Filtering SSH access using ACLs................................................................... 90
Terminating an active SSH connection........................................................... 90
Displaying SSH information............................................................................ 90
Displaying SSH connection information.............................................. 91
Displaying SSH configuration information...........................................91
Displaying additional SSH connection information..............................93
Secure copy with SSH2.................................................................................. 93
Enabling and disabling SCP................................................................93
Secure copy configuration notes.........................................................93
Example file transfers using SCP........................................................94
SSH2 client..................................................................................................... 96
Enabling SSH2 client.......................................................................... 97
Configuring SSH2 client public key authentication..............................97
Using SSH2 client............................................................................... 98
Displaying SSH2 client information..................................................... 99
Rule-Based IP ACLs ..............................................................................................................101
Supported Rule-Based IP ACL Features...................................................... 101
ACL overview................................................................................................ 103
Types of IP ACLs.............................................................................. 104
ACL IDs and entries.......................................................................... 104
Numbered and named ACLs.............................................................105
Default ACL action............................................................................ 105
How hardware-based ACLs work..................................................................106
How fragmented packets are processed...........................................106
Hardware aging of Layer 4 CAM entries........................................... 106
ACL configuration considerations................................................................. 106
Configuring standard numbered ACLs..........................................................107
Standard numbered ACL syntax....................................................... 108
Configuration example for standard numbered ACLs....................... 109
Standard named ACL configuration.............................................................. 109
Standard named ACL syntax............................................................ 109
Configuration example for standard named ACLs............................ 111
Extended numbered ACL configuration........................................................ 112
Extended numbered ACL syntax...................................................... 112
Extended named ACL configuration............................................................. 118
Applying egress ACLs to Control (CPU) traffic............................................. 122
Preserving user input for ACL TCP/UDP port numbers................................ 122
ACL comment text management...................................................................123
Adding a comment to an entry in a numbered ACL.......................... 123
Adding a comment to an entry in a named ACL............................... 124
Deleting a comment from an ACL entry............................................ 124
Viewing comments in an ACL........................................................... 124
Applying an ACL to a virtual interface in a protocol- or subnet-based VLAN.125
ACL logging...................................................................................................126
Configuration notes for ACL logging................................................. 126
Configuration tasks for ACL logging..................................................127
Example ACL logging configuration.................................................. 127
Displaying ACL Log Entries.............................................................. 128
Enabling strict control of ACL filtering of fragmented packets.......................128
Enabling ACL support for switched traffic in the router image...................... 129
Enabling ACL filtering based on VLAN membership or VE port membership.............................................................................................130
Configuration notes for ACL filtering................................................. 130
Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only)................................................................. 131
Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only)............................................................... 132
ACLs to filter ARP packets..........................................................................132
Configuration considerations for filtering ARP packets...................133
Configuring ACLs for ARP filtering..................................................133
Displaying ACL filters for ARP........................................................ 134
Clearing the filter count................................................................... 134
Filtering on IP precedence and ToS values................................................ 134
TCP flags - edge port security.........................................................135
QoS options for IP ACLs.............................................................................135
Configuration notes for QoS options on FCX and ICX devices...... 136
Using an ACL to map the DSCP value (DSCP CoS mapping)....... 136
Using an IP ACL to mark DSCP values (DSCP marking)...............137
DSCP matching...............................................................................140
ACL-based rate limiting...............................................................................140
ACL statistics.............................................................................................. 140
ACL accounting...........................................................................................141
Configuring IPv4 ACL accounting................................................... 141
ACLs to control multicast features.............................................................. 142
Enabling and viewing hardware usage statistics for an ACL...................... 142
Displaying ACL information.........................................................................143
Troubleshooting ACLs.................................................................................144
Policy-based routing (PBR).........................................................................144
Configuration considerations for policy-based routing.................... 144
Configuring a PBR policy................................................................ 145
Configuring the ACLs......................................................................145
Configuring the route map...............................................................147
Enabling PBR..................................................................................148
Configuration examples for policy based routing............................ 149
Basic example of policy based routing............................................149
Setting the next hop........................................................................ 149
Setting the output interface to the null interface..............................150
Trunk formation with PBR policy.....................................................151
IPv6 ACLs .......................................................................................................................... 153
Supported IPv6 ACL features..................................................................... 153
IPv6 ACL overview......................................................................................153
IPv6 ACL traffic filtering criteria.......................................................154
IPv6 protocol names and numbers................................................. 154
IPv6 ACL configuration notes..................................................................... 155
Configuring an IPv6 ACL.............................................................................156
Example IPv6 configurations...........................................................156
Default and implicit IPv6 ACL action...............................................157
Creating an IPv6 ACL................................................................................. 158
Syntax for creating an IPv6 ACL.....................................................159
Enabling IPv6 on an interface to which an ACL will be applied.................. 164
Syntax for enabling IPv6 on an interface........................................ 164
Applying an IPv6 ACL to an interface......................................................... 164
Syntax for applying an IPv6 ACL.................................................... 165
Applying an IPv6 ACL to a trunk group...........................................165
Applying an IPv6 ACL to a virtual interface in a protocol-based or subnet-based VLAN.............................................................. 165
Adding a comment to an IPv6 ACL entry....................................................165
Deleting a comment from an IPv6 ACL entry..............................................166
Support for ACL logging..............................................................................166
Configuring IPv6 ACL accounting............................................................... 167
Displaying IPv6 ACLs .................................................................................168
802.1X Port Security.............................................................................................................169
Supported 802.1X port security features.......................................................169
IETF RFC support ........................................................................................ 170
How 802.1X port security works....................................................................170
Device roles in an 802.1X configuration............................................170
Communication between the devices............................................... 172
Controlled and uncontrolled ports..................................................... 172
Message exchange during authentication.........................................173
Authenticating multiple hosts connected to the same port................176
802.1X port security and sFlow.........................................................180
802.1X accounting............................................................................ 180
802.1X port security configuration.................................................................180
Configuring an authentication method list for 802.1X....................... 181
Setting RADIUS parameters............................................................. 181
Dynamic VLAN assignment for 802.1X port configuration................ 184
Dynamically applying IP ACLs and MAC address filters to 802.1X ports.............................................................................187
Enabling 802.1X port security .......................................................... 191
Setting the port control...................................................................... 191
Configuring periodic re-authentication.............................................. 192
Re-authenticating a port manually.................................................... 192
Setting the quiet period..................................................................... 193
Specifying the wait interval and number of EAP-request/identity frame retransmissions from the Brocade device......................... 193
Wait interval and number of EAP-request/identity frame retransmissions from the RADIUS server....................................194
Specifying a timeout for retransmission of messages to the authentication server................................................................... 195
Initializing 802.1X on a port...............................................................195
Allowing access to multiple hosts......................................................195
MAC address filters for EAP frames................................................. 198
Configuring VLAN access for non-EAP-capable clients....................198
802.1X accounting configuration...................................................................199
802.1X Accounting attributes for RADIUS........................................ 199
Enabling 802.1X accounting............................................................. 200
Displaying 802.1X information...................................................................... 200
Displaying 802.1X configuration information.....................................201
Displaying 802.1X statistics.............................................................. 205
Clearing 802.1X statistics..................................................................206
Displaying dynamically-assigned VLAN information......................... 206
Displaying information about dynamically applied MAC address filters and IP ACLs.......................................................................207
Displaying 802.1X multiple-host authentication information..............209
Sample 802.1X configurations...................................................................... 210
Point-to-point configuration............................................................... 211
Hub configuration.............................................................................. 212
802.1X Authentication with dynamic VLAN assignment................... 214
Multi-device port authentication and 802.1X security on the same port ........215
MAC Port Security.................................................................................................................217
Supported MAC port security features.......................................................... 217
MAC port security overview.......................................................................... 217
Local and global resources used for MAC port security....................218
Configuration notes and feature limitations for MAC port security.... 218
Secure MAC movement.................................................................... 219
MAC port security configuration..................................................................219
Enabling the MAC port security feature.......................................... 219
Setting the maximum number of secure MAC addresses for an interface.....................................................................................219
Setting the port security age timer.................................................. 220
Specifying secure MAC addresses................................................. 221
Autosaving secure MAC addresses to the startup configuration.... 221
Specifying the action taken when a security violation occurs......... 222
Clearing port security statistics................................................................... 223
Clearing restricted MAC addresses................................................ 223
Clearing violation statistics..............................................................223
Displaying port security information ........................................................... 224
Displaying port security settings......................................................224
Displaying the secure MAC addresses........................................... 224
Displaying port security statistics.................................................... 225
Displaying restricted MAC addresses on a port..............................226
MAC-based VLANs..............................................................................................................227
Supported MAC-based VLAN features....................................................... 227
MAC-based VLAN overview........................................................................227
Static and dynamic hosts................................................................ 228
MAC-based VLAN feature structure................................................228
Dynamic MAC-based VLAN........................................................................229
Configuration notes and feature limitations for dynamic MAC-based VLAN.............................................................................. 229
Dynamic MAC-based VLAN CLI commands...................................229
Dynamic MAC-based VLAN configuration example....................... 230
MAC-based VLAN configuration................................................................. 231
Using MAC-based VLANs and 802.1X security on the same port ..232
Configuring generic and Brocade vendor-specific attributes on the RADIUS server....................................................................232
Aging for MAC-based VLAN........................................................... 233
Disabling aging for MAC-based VLAN sessions.............................234
Configuring the maximum MAC addresses per port....................... 235
Configuring a MAC-based VLAN for a static host...........................235
Configuring MAC-based VLAN for a dynamic host.........................236
Configuring dynamic MAC-based VLAN.........................................236
Configuring MAC-based VLANs using SNMP............................................ 237
Displaying Information about MAC-based VLANs...................................... 237
Displaying the MAC-VLAN table..................................................... 237
Displaying the MAC-VLAN table for a specific MAC address......... 238
Displaying allowed MAC addresses................................................238
Displaying denied MAC addresses................................................. 239
Displaying detailed MAC-VLAN data.............................................. 240
Displaying MAC-VLAN information for a specific interface............. 241
Displaying MAC addresses in a MAC-based VLAN .......................242
Displaying MAC-based VLAN logging.............................................242
Clearing MAC-VLAN information................................................................ 243
Sample MAC-based VLAN application....................................................... 243
Defining MAC Address Filters.............................................................................................. 247
Supported MAC address filter features.......................................................247
MAC address filters configuration notes and limitations............................. 247
MAC address filters command syntax.........................................................248
Enabling logging of management traffic permitted by MAC address filters......................................................................................................249
MAC address filter logging command syntax....................................250
Configuring MAC filter accounting.................................................................250
MAC address filter override for 802.1X-enabled ports.................................. 251
MAC address filter override configuration notes............................... 251
MAC address filter override configuration syntax..............................251
Multi-Device Port Authentication...........................................................................................253
Supported Multi-device port authentication (MDPA) features....................... 253
How multi-device port authentication works..................................................254
RADIUS authentication..................................................................... 255
Authentication-failure actions............................................................ 255
Unauthenticated port behavior.......................................................... 255
Supported RADIUS attributes........................................................... 255
Support for dynamic VLAN assignment............................................ 256
Support for dynamic ACLs................................................................ 256
Support for authenticating multiple MAC addresses on an interface. 256
Support for dynamic ARP inspection with dynamic ACLs.................256
Support for DHCP snooping with dynamic ACLs.............................. 257
Support for source guard protection..................................................257
Multi-device port authentication and 802.1X security on the same port.........257
Configuring Brocade-specific attributes on the RADIUS server.........258
Multi-device port authentication configuration...............................................259
Enabling multi-device port authentication......................................... 259
Specifying the format of the MAC addresses sent to the RADIUS server...........................260
Specifying the authentication-failure action.......................................260
Generating traps for multi-device port authentication....................... 261
Defining MAC address filters.............................................................261
Configuring dynamic VLAN assignment............................................261
Dynamically applying IP ACLs to authenticated MAC addresses..... 265
Enabling denial of service attack protection......................................267
Enabling source guard protection..................................................... 268
Clearing authenticated MAC addresses............................................269
Disabling aging for authenticated MAC addresses........................... 270
Changing the hardware aging period for blocked MAC addresses....270
Specifying the aging time for blocked MAC addresses.....................271
Specifying the RADIUS timeout action..............................................271
Multi-device port authentication password override.......................... 272
Limiting the number of authenticated MAC addresses..................... 273
Displaying multi-device port authentication information................................ 273
Displaying authenticated MAC address information......................... 273
Displaying multi-device port authentication configuration information...................................274
Displaying multi-device port authentication information for a specific MAC address or port...................................... 275
Displaying the authenticated MAC addresses.................................. 276
Displaying the non-authenticated MAC addresses........................... 276
Displaying multi-device port authentication information for a port.....276
Displaying multi-device port authentication settings and authenticated MAC addresses.................................... 277
Displaying the MAC authentication table for FCX and ICX devices..280
Example port authentication configurations.................................................. 281
Multi-device port authentication with dynamic VLAN assignment .....281
Examples of multi-device port authentication and 802.1X authentication configuration on the same port.............................285
Web Authentication............................................................................................................ 291
Supported Web Authentication features..................................................... 291
Web authentication overview...................................................................... 291
Web authentication configuration considerations....................................... 292
Web authentication configuration tasks...................................................... 294
Enabling and disabling web authentication.................................................295
Web authentication mode configuration......................................................295
Using local user databases.............................................................296
Passcodes for user authentication..................................................299
Automatic authentication.................................................................304
Web authentication options configuration................................................... 304
Enabling RADIUS accounting for web authentication.....................304
Changing the login mode (HTTPS or HTTP).................................. 305
Specifying trusted ports...................................................................305
Specifying hosts that are permanently authenticated .................... 305
Configuring the re-authentication period.........................................306
Defining the web authentication cycle.............................................306
Limiting the number of web authentication attempts.......................306
Clearing authenticated hosts from the web authentication table..... 307
Setting and clearing the block duration for web authentication attempts.....................................................................307
Manually blocking and unblocking a specific host.......................... 307
Limiting the number of authenticated hosts.................................... 308
Filtering DNS queries......................................................................308
Forcing re-authentication when ports are down..............................308
Forcing re-authentication after an inactive period...........................309
Defining the web authorization redirect address.............................309
Deleting a web authentication VLAN.............................................. 310
Web authentication pages.............................................................. 310
Displaying web authentication information..................................................317
Displaying the web authentication configuration.............................317
Displaying a list of authenticated hosts...........................................319
Displaying a list of hosts attempting to authenticate....................... 320
Displaying a list of blocked hosts.................................................... 320
Displaying a list of local user databases......................................... 321
Displaying a list of users in a local user database.......................... 321
Displaying passcodes..................................................................... 321
DoS Attack Protection.........................................................................................................323
Supported DoS protection features.............................................................323
Smurf attacks.............................................................................................. 323
Avoiding being an intermediary in a Smurf attack...........................324
Avoiding being a victim in a Smurf attack....................................... 324
TCP SYN attacks........................................................................................ 326
TCP security enhancement ............................................................327
Displaying statistics about packets dropped because of DoS attacks....................................................................... 328
DHCP................................................................................................................................. 331
Supported DHCP packet inspection and tracking features.........................331
Dynamic ARP inspection ............................................................................331
ARP poisoning................................................................................ 331
About Dynamic ARP Inspection......................................................332
Configuration notes and feature limitations for DAI........................ 333
Dynamic ARP inspection configuration............................................. 334
Displaying ARP inspection status and ports..................................... 335
Displaying the ARP table ................................................................. 335
Multi-VRF support............................................................................. 336
DHCP snooping............................................................................................ 336
How DHCP snooping works..............................................................337
System reboot and the binding database..........................................338
Configuration notes and feature limitations for DHCP snooping.......338
Configuring DHCP snooping............................................................. 339
Clearing the DHCP binding database............................................... 340
Displaying DHCP snooping status and ports.................................... 340
Displaying the DHCP snooping binding database............................ 340
Displaying DHCP binding entry and status....................................... 340
DHCP snooping configuration example ........................................... 341
Multi-VRF support............................................................................. 341
DHCP relay agent information ..................................................................... 342
Configuration notes for DHCP option 82...........................................343
DHCP Option 82 sub-options............................................................344
DHCP option 82 configuration...........................................................345
Viewing information about DHCP option 82 processing................... 347
Configuring the source IP address of a DHCP-client packet on the DHCP relay agent..................................................349
IP source guard.............................................................................................349
Configuration notes and feature limitations for IP source guard....... 349
Enabling IP source guard on a port...................................................351
Defining static IP source bindings..................................................... 351
Enabling IP source guard per-port-per-VLAN................................... 351
Enabling IP source guard on a VE.................................................... 351
Enabling IP Source Guard to support a Multi-VRF instance............. 352
Displaying learned IP addresses.......................................................352
DHCPv6................................................................................................................................355
Supported DHCPv6 packet inspection and tracking features....................... 355
Securing IPv6 address configuration............................................................ 355
DHCPv6 snooping.........................................................................................355
How DHCPv6 snooping works.......................................................... 356
Configuration notes and feature limitations for DHCPv6 snooping... 357
Configuring DHCPv6 snooping......................................................... 357
Clearing the DHCPv6 binding database........................................... 358
Displaying DHCPv6 snooping status and ports ............................... 358
Displaying the DHCPv6 snooping binding database ........................359
DHCPv6 snooping configuration example ....................................... 359
Multi-VRF support for DHCPv6 snooping......................................... 359
IPv6 RA Guard.......................................................................................................................361
Supported platforms for the IPv6 RA guard feature...................................... 361
Securing IPv6 address configuration............................................................ 361
IPv6 RA guard overview................................................................................361
RA guard policy.................................................................................362
Whitelist.............................................................................................362
Prefix list............................................................................................362
Maximum preference........................................................................ 362
Trusted, untrusted, and host ports.................................................... 362
Configuration notes and feature limitations for IPv6 RA guard..................... 363
Configuring IPv6 RA guard........................................................................... 363
Example of configuring IPv6 RA guard......................................................... 364
Example: Configuring IPv6 RA guard on a device..........................364
Example: Configuring IPv6 RA guard in a network.........................364
Example: Verifying the RA guard configuration.............................. 366
Security Commands............................................................................................................367
access-list enable accounting..................................................................... 368
clear access-list accounting........................................................................ 369
clear ipv6 raguard ...................................................................................... 369
enable-accounting.......................................................................................371
logging ........................................................................................................371
ipv6 raguard policy .....................................................................................372
ipv6 raguard vlan ........................................................................................372
ipv6 raguard whitelist ................................................................................. 373
mac filter enable-accounting....................................................................... 374
preference-maximum ................................................................................. 374
prefix-list .....................................................................................................375
raguard .......................................................................................................375
show access-list accounting........................................................................377
show ipv6 raguard ......................................................................................380
show ipv6 raguard counts .......................................................................... 380
ip bootp-use-intf-ip...................................................................................... 382
whitelist ...................................................................................................... 382
Index..................................................................................................................................385

Preface

Document conventions....................................................................................................13
Brocade resources.......................................................................................................... 15
Getting technical help......................................................................................................15
Document feedback........................................................................................................ 16

Document conventions

The document conventions describe text formatting conventions, command syntax conventions, and important notice formats used in Brocade technical documentation.

Text formatting conventions

Text formatting conventions such as boldface, italic, or Courier font may be used in the flow of the text to highlight specific words or phrases.
Format: bold text
Description: Identifies command names; identifies keywords and operands; identifies the names of user-manipulated GUI elements; identifies text to enter at the GUI.

Format: italic text
Description: Identifies emphasis; identifies variables and modifiers; identifies paths and Internet addresses; identifies document titles.

Format: Courier font
Description: Identifies CLI output; identifies command syntax examples.

Command syntax conventions

Bold and italic text identify command syntax components. Delimiters and operators define groupings of parameters and their logical relationships.
Convention: bold text
Description: Identifies command names, keywords, and command options.

Convention: italic text
Description: Identifies a variable.

Convention: value
Description: In Fibre Channel products, a fixed value provided as input to a command option is printed in plain text, for example, --show WWN.

Convention: [ ]
Description: Syntax components displayed within square brackets are optional. Default responses to system prompts are enclosed in square brackets.

Convention: { x | y | z }
Description: A choice of required parameters is enclosed in curly brackets separated by vertical bars. You must select one of the options. In Fibre Channel products, square brackets may be used instead for this purpose.

Convention: x | y
Description: A vertical bar separates mutually exclusive elements.

Convention: < >
Description: Nonprinting characters, for example, passwords, are enclosed in angle brackets.

Convention: ...
Description: Repeat the previous element, for example, member[member...].

Convention: \
Description: Indicates a "soft" line break in command examples. If a backslash separates two lines of a command input, enter the entire command at the prompt without the backslash.

Notes, cautions, and warnings
Notes, cautions, and warning statements may be used in this document. They are listed in the order of increasing severity of potential hazards.
NOTE
A note provides a tip, guidance, or advice, emphasizes important information, or provides a reference to related information.
ATTENTION
An Attention statement indicates potential damage to hardware or data.
CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.
DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.

Brocade resources

Visit the Brocade website to locate related documentation for your product and additional Brocade resources.
You can download additional publications supporting your product at www.brocade.com.
• Adapter documentation is available on the Downloads and Documentation for Brocade Adapters page. Select your platform and scroll down to the Documentation section.
• For all other products, select the Brocade Products tab to locate your product, then click the Brocade product name or image to open the individual product page. The user manuals are available in the resources module at the bottom of the page under the Documentation category.
To get up-to-the-minute information on Brocade products and resources, go to MyBrocade. You can register at no cost to obtain a user ID and password.
Release notes are available on MyBrocade under Product Downloads.
White papers, online demonstrations, and data sheets are available through the Brocade website.

Getting technical help

You can contact Brocade Support 24x7 online, by telephone, or by e-mail.
For product support information and the latest information on contacting the Technical Assistance Center, go to http://www.brocade.com/services-support/index.html.
Use one of the following methods to contact the Brocade Technical Assistance Center.
Online (preferred method of contact for non-urgent issues):
• My Cases through MyBrocade
• Software downloads and licensing tools
• Knowledge Base
Telephone (required for Sev 1-Critical and Sev 2-High issues):
• Continental US: 1-800-752-8061
• Europe, Middle East, Africa, and Asia Pacific: +800-AT FIBREE (+800 28 34 27 33)
• For areas unable to access the toll-free number: +1-408-333-6061
Toll-free numbers are available in many countries.
E-mail: support@brocade.com. Please include:
• Problem summary
• Serial number
• Installation details
• Environment description

Document feedback

To send feedback and report errors in the documentation you can use the feedback form posted with the document or you can e-mail the documentation team.
Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. You can provide feedback in two ways:
• Through the online feedback form in the HTML documents posted on www.brocade.com.
• By sending your feedback to documentation@brocade.com.
Provide the publication title, part number, and as much detail as possible, including the topic heading and page number if applicable, as well as your suggestions for improvement.

About This Document

What’s new in this document ......................................................................................... 17
How command information is presented in this guide.....................................................17

What’s new in this document

This document includes the information from IronWare software release 08.0.10d. The following table lists the enhancements for FastIron release 08.0.10d.
TABLE 1 Summary of enhancements in FastIron release 08.0.10d

Feature: TTL enhancement
Description: The no-ttl-decrement option disables the TTL decrement, so packets matched by the policy are forwarded without decrementing the TTL.
Described in: Configuring the route map on page 147.

How command information is presented in this guide

For all new content, command syntax and parameters are documented in a separate command reference section at the end of the publication.
In an effort to provide consistent command line interface (CLI) documentation for all products, Brocade is in the process of preparing standalone Command References for the IP platforms. This process involves separating command syntax and parameter descriptions from configuration tasks. Until this process is completed, command information is presented in two ways:
• For all new content included in this guide, the CLI is documented in separate command pages. The new command pages follow a standard format to present syntax, parameters, usage guidelines, examples, and command history. Command pages are compiled in alphabetical order in a separate command reference chapter at the end of the publication.
• Legacy content continues to include command syntax and parameter descriptions in the chapters where the features are documented.
If you do not find command syntax information embedded in a configuration task, refer to the command reference section at the end of this publication for information on CLI syntax and usage.

Security Access

Supported security access features................................................................................ 19
Securing access methods............................................................................................... 20
Remote access to management function restrictions..................................................... 23
Passwords used to secure access..................................................................................31
Local user accounts........................................................................................................ 35
TACACS and TACACS+ security....................................................................................42
RADIUS security............................................................................................................. 58
SSL security.................................................................................................................... 73
Authentication-method lists............................................................................................. 75
TCP Flags - edge port security....................................................................................... 78

Supported security access features

Lists security access features supported on FastIron devices.
The following table lists the individual Brocade FastIron switches and the security access features they support. These features are supported in the Layer 2 and Layer 3 software images, except where explicitly noted.
Feature | ICX 6430 | ICX 6450 | FCX | ICX 6610 | ICX 6650 | FSX 800 / FSX 1600 | ICX 7750
Authentication, Authorization and Accounting (AAA): RADIUS, TACACS/TACACS+ | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
AAA support for console commands | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Restricting remote access to management functions | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Disabling TFTP access | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Using ACLs to restrict remote access | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Local user accounts | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Local user passwords | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
SSL security | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
AAA authentication-method lists | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Packet filtering on TCP flags | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | No | 08.0.10

This chapter explains how to secure access to management functions on a Brocade device.

Securing access methods

NOTE
Web management is not supported in Release 8.0.00a and later releases. If web management is enabled, you must configure the no web-management command to disable it.
NOTE
For all Brocade devices, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. Also, multiple challenges are supported for TACACS+ login authentication.
The following table lists the management access methods available on a Brocade device, how they are secured by default, and the ways in which they can be secured.

TABLE 2 Ways to secure management access to Brocade devices

Access method: Serial access to the CLI
How the access method is secured by default: Not secured
Ways to secure the access method (see page):
• Establish passwords for management privilege levels (Setting passwords for management privilege levels on page 32)

Access method: Access to the Privileged EXEC and CONFIG levels of the CLI
How the access method is secured by default: Not secured
Ways to secure the access method (see page):
• Establish a password for Telnet access to the CLI (Setting a Telnet password on page 32)
• Establish passwords for management privilege levels (Setting passwords for management privilege levels on page 32)
• Set up local user accounts (Local user accounts on page 35)
• Configure TACACS/TACACS+ security (TACACS and TACACS+ security on page 42)
• Configure RADIUS security (RADIUS security on page 58)

Access method: Telnet access
How the access method is secured by default: Not secured
Ways to secure the access method (see page):
• Regulate Telnet access using ACLs (Using an ACL to restrict Telnet access on page 23)
• Allow Telnet access only from specific IP addresses (Restricting Telnet access to a specific IP address on page 26)
• Restrict Telnet access based on a client MAC address (Restricting access to the device based on IP or MAC address on page 26)
• Allow Telnet access only to clients connected to a specific VLAN (Restricting Telnet access to a specific VLAN on page 28)
• Define the Telnet idle time (Defining the Telnet idle time on page 27)
• Change the Telnet login timeout period (Changing the login timeout period for Telnet sessions on page 28)
• Specify the maximum number of login attempts for Telnet access (Specifying the maximum number of login attempts for Telnet access on page 27)
• Disable Telnet access (Disabling Telnet access on page 31)
• Establish a password for Telnet access (Setting a Telnet password on page 32)
• Establish passwords for privilege levels of the CLI (Setting passwords for management privilege levels on page 32)
• Set up local user accounts (Local user accounts on page 35)
• Configure TACACS/TACACS+ security (TACACS and TACACS+ security on page 42)
• Configure RADIUS security (RADIUS security on page 58)

Access method: Secure Shell (SSH) access
How the access method is secured by default: Not configured
Ways to secure the access method (see page):
• Configure SSH (refer to the Configuring SSH2 section)
• Regulate SSH access using ACLs (Using an ACL to restrict SSH access on page 24)
• Allow SSH access only from specific IP addresses (Restricting SSH access to a specific IP address on page 26)
• Allow SSH access only from specific MAC addresses (Restricting access to the device based on IP or MAC address on page 26)
• Establish passwords for privilege levels of the CLI (Setting passwords for management privilege levels on page 32)

Access method: SNMP access
How the access method is secured by default: SNMP read or read-write community strings and the password to the Super User privilege level
NOTE
SNMP read or read-write community strings are always required for SNMP access to the device.
Ways to secure the access method (see page):
• Set up local user accounts (Local user accounts on page 35)
• Configure TACACS/TACACS+ security (TACACS and TACACS+ security on page 42)
• Configure RADIUS security (RADIUS security on page 58)
• Regulate SNMP access using ACLs (Using ACLs to restrict SNMP access on page 24)
• Allow SNMP access only from specific IP addresses (Restricting SNMP access to a specific IP address on page 26)
• Disable SNMP access (Disabling SNMP access on page 31)
• Allow SNMP access only to clients connected to a specific VLAN (Restricting SNMP access to a specific VLAN on page 28)
• Establish passwords to management levels of the CLI (Setting passwords for management privilege levels on page 32)
• Set up local user accounts (Local user accounts on page 35)
• Establish SNMP read or read-write community strings

Access method: TFTP access
How the access method is secured by default: Not secured
Ways to secure the access method (see page):
• Allow TFTP access only to clients connected to a specific VLAN (Restricting TFTP access to a specific VLAN on page 29)
• Disable TFTP access (Disabling TFTP access on page 31)

Access method: Access for stacked devices
How the access method is secured by default: Access to multiple consoles must be secured after AAA is enabled
Ways to secure the access method (see page):
• Extra steps must be taken to secure multiple consoles in a traditional stack (Configuring TACACS/TACACS+ for devices in a Brocade traditional stack on page 43)

Remote access to management function restrictions
You can restrict access to management functions from remote sources, including Telnet, SSH, and SNMP. The following methods for restricting remote access are supported:
• Using ACLs to restrict Telnet or SNMP access
• Allowing remote access only from specific IP addresses
• Allowing Telnet and SSH access only from specific MAC addresses
• Allowing remote access only to clients connected to a specific VLAN
• Specifically disabling Telnet or SNMP access to the device
NOTE
Web management is not supported in Release 8.0.00a and later releases. If web management is enabled, you must configure the no web-management command to disable it.
The following sections describe how to restrict remote access to a Brocade device using these methods.

ACL usage to restrict remote access

You can use standard ACLs to control the following access methods to management functions on a Brocade device:
• Telnet
• SSH
• SNMP
To configure access control for these management access methods, proceed as follows.
1. Configure an ACL with the IP addresses you want to allow to access the device.
2. Configure a Telnet access group, SSH access group, and SNMP community strings. Each of these configuration items accepts an ACL as a parameter. The ACL contains entries that identify the IP addresses that can use the access method.
The following sections present examples of how to secure management access using ACLs. Refer to the Rule-Based IP ACLs chapter for more information on configuring ACLs.
Using an ACL to restrict Telnet access
To configure an ACL that restricts Telnet access to the device, enter commands such as the following.
device(config)#access-list 10 deny host 10.157.22.32 log
device(config)#access-list 10 deny 10.157.23.0 0.0.0.255 log
device(config)#access-list 10 deny 10.157.24.0 0.0.0.255 log
device(config)#access-list 10 deny 10.157.25.0/24 log
device(config)#access-list 10 permit any
device(config)#telnet access-group 10
device(config)#write memory
Syntax: telnet access-group num
The num parameter specifies the number of a standard ACL and must be from 1 - 99.
The commands above configure ACL 10, then apply the ACL as the access list for Telnet access. The device allows Telnet access from all IP addresses except those listed in the deny entries of ACL 10. The log keyword on the deny entries causes matching connection attempts to be logged.
To configure a more restrictive ACL, create only permit entries and omit the permit any entry at the end of the ACL. Every ACL ends with an implicit deny, so any source that matches none of the permit entries is refused.
device(config)#access-list 10 permit host 10.157.22.32
device(config)#access-list 10 permit 10.157.23.0 0.0.0.255
device(config)#access-list 10 permit 10.157.24.0 0.0.0.255
device(config)#access-list 10 permit 10.157.25.0/24
device(config)#telnet access-group 10
device(config)#write memory
The ACL in this example permits Telnet access only from the IP addresses in the permit entries and denies Telnet access from all other IP addresses.
Using an ACL to restrict SSH access
To configure an ACL that restricts SSH access to the device, enter commands such as the following.
device(config)#access-list 12 deny host 10.157.22.98 log
device(config)#access-list 12 deny 10.157.23.0 0.0.0.255 log
device(config)#access-list 12 deny 10.157.24.0/24 log
device(config)#access-list 12 permit any
device(config)#ssh access-group 12
device(config)#write memory
Syntax: ssh access-group num
The num parameter specifies the number of a standard ACL and must be from 1 - 99.
These commands configure ACL 12, then apply the ACL as the access list for SSH access. The device denies SSH access from the IP addresses listed in ACL 12 and permits SSH access from all other IP addresses. Without the last ACL entry for permitting all packets, this ACL would deny SSH access from all IP addresses.
NOTE
In this example, the command ssh access-group 10 could have been used to apply the ACL configured in the example for Telnet access. You can use the same ACL multiple times.
Using ACLs to restrict SNMP access
To restrict SNMP access to the device using ACLs, enter commands such as the following.
NOTE
The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet and SSH using ACLs.
device(config)#access-list 25 deny host 10.157.22.98 log
device(config)#access-list 25 deny 10.157.23.0 0.0.0.255 log
device(config)#access-list 25 deny 10.157.24.0 0.0.0.255 log
device(config)#access-list 25 permit any
device(config)#access-list 30 deny 10.157.25.0 0.0.0.255 log
device(config)#access-list 30 deny 10.157.26.0/24 log
device(config)#access-list 30 permit any
device(config)#snmp-server community public ro 25
device(config)#snmp-server community private rw 30
device(config)#write memory
Syntax: snmp-server community string [ ro | rw ] num
The string parameter specifies the SNMP community string the user must enter to gain SNMP access.
The ro parameter indicates that the community string is for read-only ("get") access. The rw parameter indicates the community string is for read-write ("set") access.
The num parameter specifies the number of a standard ACL and must be from 1 - 99.
These commands configure ACLs 25 and 30, then apply the ACLs to community strings.
ACL 25 controls read-only access using the "public" community string, and ACL 30 controls read-write access using the "private" community string. The strings public and private appear here only as examples; they are the widely known default community strings and should be replaced with hard-to-guess strings in production, with the read-write string bound to the most restrictive ACL.
NOTE
When snmp-server community is configured, all incoming SNMP packets are validated first by their community strings and then by their bound ACLs.
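The following Python model is an added example, not part of Brocade's documentation or software. It encodes the evaluation rules stated in the Telnet, SSH and SNMP subsections above (entries are checked in order and the first match decides, an ACL without a permit any entry ends in an implicit deny, the log keyword does not affect the decision, and an SNMP request is checked against its community string before the bound ACL) so that you can test which management sources a given set of ACLs admits before applying them to a switch. The function names and SAMPLE_CONFIG are this example's own; the page's permit-only Telnet ACL is renumbered to ACL 11 here so that it can coexist with ACL 10 in one configuration.

```python
"""Model of how standard numbered ACLs gate Telnet, SSH and SNMP management
access on the switch. Added example (not Brocade code); the rules come from
the guide text, the names and sample configuration are this example's own."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str       # "permit" or "deny"
    network: int      # network address with the don't-care bits cleared
    care_mask: int    # bits that must match (bitwise inverse of the wildcard)
    log: bool         # 'log' keyword present; informational only


def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line into (N, AclEntry)."""
    m = re.match(r"access-list\s+(\d+)\s+(permit|deny)\s+(.+?)(\s+log)?$", line.strip())
    if not m:
        raise ValueError("not a standard ACL entry: %r" % line)
    num, action, target, log = int(m.group(1)), m.group(2), m.group(3).split(), bool(m.group(4))
    if not 1 <= num <= 99:
        raise ValueError("standard ACLs are numbered 1-99")
    if target == ["any"]:
        net, care = 0, 0
    elif target[0] == "host":
        net, care = int(ipaddress.IPv4Address(target[1])), 0xFFFFFFFF
    elif "/" in target[0]:                              # 10.157.25.0/24 form
        n = ipaddress.IPv4Network(target[0], strict=False)
        net, care = int(n.network_address), int(n.netmask)
    else:                                               # '10.157.23.0 0.0.0.255' form
        net = int(ipaddress.IPv4Address(target[0]))
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(target[1]))
    return num, AclEntry(action, net & care, care, log)


def parse_acls(config_text):
    """Collect access-list lines from a config excerpt into {number: [entries]}."""
    acls = {}
    for line in config_text.splitlines():
        if line.strip().startswith("access-list "):
            num, entry = parse_entry(line)
            acls.setdefault(num, []).append(entry)
    return acls


def acl_permits(entries, src_ip):
    """Walk the entries in order; the first match decides. No match at all is
    the implicit deny, which is why a permit-only ACL blocks every other source."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for e in entries:
        if ip & e.care_mask == e.network:
            return e.action == "permit"
    return False


def snmp_allowed(communities, acls, presented_string, src_ip):
    """communities maps string -> (mode, acl_number). The community string is
    validated first and only then the bound ACL, as the guide's NOTE describes."""
    if presented_string not in communities:
        return False
    _mode, num = communities[presented_string]
    return acl_permits(acls.get(num, []), src_ip)


# Constructed config excerpt built from the ACL examples in the guide.
SAMPLE_CONFIG = """
access-list 10 deny host 10.157.22.32 log
access-list 10 deny 10.157.23.0 0.0.0.255 log
access-list 10 deny 10.157.24.0 0.0.0.255 log
access-list 10 deny 10.157.25.0/24 log
access-list 10 permit any
access-list 11 permit host 10.157.22.32
access-list 11 permit 10.157.23.0 0.0.0.255
access-list 11 permit 10.157.24.0 0.0.0.255
access-list 11 permit 10.157.25.0/24
access-list 25 deny host 10.157.22.98 log
access-list 25 deny 10.157.23.0 0.0.0.255 log
access-list 25 deny 10.157.24.0 0.0.0.255 log
access-list 25 permit any
access-list 30 deny 10.157.25.0 0.0.0.255 log
access-list 30 deny 10.157.26.0/24 log
access-list 30 permit any
"""
SAMPLE_COMMUNITIES = {"public": ("ro", 25), "private": ("rw", 30)}

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    for src in ("10.157.22.32", "10.157.25.9", "192.0.2.10"):
        print(src, "telnet via ACL 10:", acl_permits(acls[10], src),
              "via ACL 11:", acl_permits(acls[11], src))
    print("snmp private from 10.157.25.1:",
          snmp_allowed(SAMPLE_COMMUNITIES, acls, "private", "10.157.25.1"))
```

Running the block shows the two ACL styles side by side: the deny-list ACL 10 admits any address it does not name, while the permit-only ACL 11 admits nothing but the addresses it names, and a read-write SNMP request from 10.157.25.1 is refused by ACL 30 even though the same host passes ACL 25 for read-only access.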
Defining the console idle time
By default, a Brocade device does not time out serial console sessions. A serial session remains open indefinitely until you close it. You can however define how many minutes a serial management session can remain idle before it is timed out.
NOTE
You must enable AAA support for console commands, AAA authentication, and Exec authorization in order to set the console idle time.
To configure the idle time for a serial console session, use the following command.
device(config)#console timeout 120
Syntax: [no] console timeout [ 0-240 ]
Possible values: 0 - 240 minutes
Default value: 0 minutes (no timeout)
NOTE
In RADIUS, the standard attribute Idle-Timeout is used to define the console session timeout value. The Idle-Timeout value is specified in seconds. Within the switch it is truncated to whole minutes, because the switch configuration is defined in minutes.

Remote access restrictions

By default, a Brocade device does not control remote management access based on the IP address of the managing device. You can restrict remote management access to a single IP address for the following access methods:
• Telnet access
• SSH access
• SNMP access
In addition, you can restrict all access methods to the same IP address using a single command.
The following examples show the CLI commands for restricting remote access. You can specify only one IP address with each command. However, you can enter each command ten times to specify up to ten IP addresses.
Restricting Telnet access to a specific IP address
To allow Telnet access to the Brocade device only to the host with IP address 10.157.22.39, enter the following command.
device(config)#telnet client 10.157.22.39
Syntax: [no] telnet client { ip-addr | ipv6-addr }
Restricting SSH access to a specific IP address
To allow SSH access to the Brocade device only to the host with IP address 10.157.22.39, enter the following command.
device(config)#ip ssh client 10.157.22.39
Syntax: [no] ip ssh client { ip-addr | ipv6-addr }
Restricting SNMP access to a specific IP address
To allow SNMP access only to the host with IP address 10.157.22.14, enter the following command.
device(config)#snmp-client 10.157.22.14
Syntax: [no] snmp-client { ip-addr | ipv6-addr }
Restricting all remote management access to a specific IP address
To allow Telnet, SSH, and SNMP management access to the Brocade device only to the host with IP address 10.157.22.69, enter three separate commands (one for each access type) or enter the following single command.
device(config)#all-client 10.157.22.69
Syntax: [no] all-client { ip-addr | ipv6-addr }

Restricting access to the device based on IP orMAC address

You can restrict remote management access to the Brocade device based on the connecting client IP address or MAC address. This restriction applies to Telnet, SSH, HTTP, and HTTPS; however, because web management is not supported in Release 8.0.00a and later (see the note earlier in this chapter), only the Telnet and SSH command forms are shown here.
Restricting Telnet connection
You can restrict Telnet connection to a device based on the client IP address or MAC address.
To allow Telnet access to the Brocade device only to the host with IP address 10.157.22.39 and MAC address 0000.000f.e9a0, enter the following command.
device(config)#telnet client 10.157.22.39 0000.000f.e9a0
Syntax: [no] telnet client { ip-addr | ipv6-addr } mac-addr
The following command allows Telnet access to the Brocade device to a host with any IP address and MAC address 0000.000f.e9a0.
device(config)#telnet client any 0000.000f.e9a0
Syntax: [no] telnet client any mac-addr
Restricting SSH connection
You can restrict SSH connection to a device based on the client IP address or MAC address.
To allow SSH access to the Brocade device only to the host with IP address 10.157.22.39 and MAC address 0000.000f.e9a0, enter the following command.
device(config)#ip ssh client 10.157.22.39 0000.000f.e9a0
Syntax: [no] ip ssh client { ip-addr | ipv6-addr } mac-addr
To allow SSH access to the Brocade device to a host with any IP address and MAC address
0000.000f.e9a0, enter the following command.
device(config)#ip ssh client any 0000.000f.e9a0
Syntax: [no] ip ssh client any mac-addr

Defining the Telnet idle time

You can define how many minutes a Telnet session can remain idle before it is timed out. An idle Telnet session is a session that is still sending TCP ACKs in response to keepalive messages from the device, but is not being used to send data.
To configure the idle time for a Telnet session, use the following command.
device(config)#telnet timeout 120
Syntax: [no] telnet timeout minutes
For minutes enter a value from 0 - 240. The default value is 0 minutes (no timeout).

Specifying the maximum number of login attempts for Telnet access

If you are connecting to the Brocade device using Telnet, the device prompts you for a username and password. By default, you have up to 4 chances to enter a correct username and password. If you do not enter a correct username or password after 4 attempts, the Brocade device disconnects the Telnet session.
You can specify the number of attempts a Telnet user has to enter a correct username and password before the device disconnects the Telnet session. For example, to allow a Telnet user up to 5 chances to enter a correct username and password, enter the following command.
device(config)#telnet login-retries 5
Syntax: [no] telnet login-retries number
You can specify from 0 - 5 attempts. The default is 4 attempts.
NOTE
You must configure Telnet authentication with the enable telnet authentication local command for the limit on Telnet login attempts to take effect.
Changing the login timeout period for Telnet sessions
By default, the login timeout period for a Telnet session is 2 minutes. To change the login timeout period, use the following command.
device(config)#telnet login-timeout 5
Syntax: [no] telnet login-timeout minutes
For minutes , enter a value from 1 to 10. The default timeout period is 2 minutes.
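The following Python audit is an added example, not part of Brocade's documentation or software. It reads a running-config excerpt and reports which of the controls described in the sections above are missing: a source restriction for Telnet and SSH (access-group, client IP/MAC, all-client, or VLAN), an ACL or client restriction on every SNMP community string, the console and Telnet idle timeouts, the Telnet login-retries limit, and the no web-management requirement. It recognises only the command forms shown on this page; the finding texts, the login-retries threshold of 3, and both sample configurations are this example's own.

```python
"""Static audit of a FastIron running-config excerpt for the management-access
controls described in the guide. Added example, not Brocade code."""
import re


def audit_management_access(config_text):
    """Return a list of finding strings; an empty list means every check passed."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]

    def has(pattern):
        return any(re.match(pattern, l) for l in lines)

    def number(pattern, default):
        for l in lines:
            m = re.match(pattern, l)
            if m:
                return int(m.group(1))
        return default

    findings = []

    # Telnet: some source restriction must exist (ACL, client IP/MAC, all-client or VLAN).
    if not (has(r"telnet access-group \d+$") or has(r"telnet client \S") or
            has(r"all-client \S") or has(r"telnet server enable vlan \d+$")):
        findings.append("telnet: reachable from any source (no access-group, client, all-client or VLAN restriction)")

    # SSH: same idea; the guide lists no VLAN restriction for SSH, so none is counted here.
    if not (has(r"ssh access-group \d+$") or has(r"ip ssh client \S") or has(r"all-client \S")):
        findings.append("ssh: reachable from any source (no access-group, client or all-client restriction)")

    # SNMP: each community should be bound to an ACL unless a device-wide client/VLAN
    # restriction exists, and the well-known strings public/private should not be used.
    snmp_restricted = has(r"snmp-client \S") or has(r"all-client \S") or has(r"snmp-server enable vlan \d+$")
    for l in lines:
        m = re.match(r"snmp-server community (\S+) (ro|rw)(?: (\d+))?$", l)
        if not m:
            continue
        string, mode, acl = m.groups()
        if string.lower() in ("public", "private"):
            findings.append("snmp: well-known community string %r used for %s access" % (string, mode))
        if acl is None and not snmp_restricted:
            findings.append("snmp: community %r (%s) has no ACL and no client/VLAN restriction" % (string, mode))

    # Session controls: the default of 0 means sessions never time out.
    if number(r"console timeout (\d+)$", 0) == 0:
        findings.append("console: serial sessions never time out (console timeout 0 or unset)")
    if number(r"telnet timeout (\d+)$", 0) == 0:
        findings.append("telnet: idle sessions never time out (telnet timeout 0 or unset)")
    if number(r"telnet login-retries (\d+)$", 4) > 3:   # threshold is this audit's own policy
        findings.append("telnet: login-retries above this audit's threshold of 3 (default is 4)")

    # Web management is unsupported in this release and must be disabled if present.
    if has(r"web-management"):
        findings.append("web-management: enabled; configure 'no web-management'")

    return findings


# Constructed excerpts: a weak configuration and a hardened one.
WEAK_CONFIG = """
snmp-server community public ro
snmp-server community private rw
web-management
"""
HARDENED_CONFIG = """
access-list 12 permit host 10.157.22.32
access-list 25 permit host 10.157.22.14
telnet access-group 12
ssh access-group 12
snmp-server community s3cr3t-ro ro 25
console timeout 30
telnet timeout 30
telnet login-retries 3
no web-management
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":")
        for f in audit_management_access(cfg) or ["no findings"]:
            print("  -", f)
```

The audit is deliberately conservative: it treats an unset timeout as the documented default of 0 (no timeout) rather than assuming a sensible value, and it flags a community string without an ACL even when a VLAN or client restriction is absent, because either of those device-wide controls is the only other thing standing between a guessed string and read-write access.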

Restricting remote access to the device to specific VLAN IDs

You can restrict management access to a Brocade device to ports within a specific port-based VLAN. VLAN-based access control applies to the following access methods:
• Telnet access
• SNMP access
• TFTP access
By default, access is allowed for all the methods listed above on all ports. Once you configure security for a given access method based on VLAN ID, access to the device using that method is restricted to only the ports within the specified VLAN.
VLAN-based access control works in conjunction with other access control methods. For example, suppose you configure an ACL to permit Telnet access only to specific client IP addresses, and you also configure VLAN-based access control for Telnet access. In this case, the only Telnet clients that can access the device are clients that have one of the IP addresses permitted by the ACL and are connected to a port that is in a permitted VLAN. Clients who have a permitted IP address but are connected to a port in a VLAN that is not permitted still cannot access the device through Telnet.
Restricting Telnet access to a specific VLAN
To allow Telnet access only to clients in a specific VLAN, enter a command such as the following.
device(config)#telnet server enable vlan 10
The command in this example configures the device to allow Telnet management access only to clients connected to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access.
Syntax: [no] telnet server enable vlan vlan-id
Restricting SNMP access to a specific VLAN
To allow SNMP access only to clients in a specific VLAN, enter a command such as the following.
device(config)#snmp-server enable vlan 40
The command in this example configures the device to allow SNMP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
Syntax: [no] snmp-server enable vlan vlan-id
Restricting TFTP access to a specific VLAN
To allow TFTP access only to clients in a specific VLAN, enter a command such as the following.
device(config)#tftp client enable vlan 40
The command in this example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
Syntax: [no] tftp client enable vlan vlan-id

Designated VLAN for Telnet management sessions to a Layer 2 Switch

All Brocade FastIron devices support the creation of management VLANs. By default, the management IP address you configure on a Layer 2 Switch applies globally to all the ports on the device. This is true even if you divide the device ports into multiple port-based VLANs.
If you want to restrict the IP management address to a specific port-based VLAN, you can make that VLAN the designated management VLAN for the device. When you configure a VLAN to be the designated management VLAN, the management IP address you configure on the device is associated only with the ports in the designated VLAN. To establish a Telnet management session with the device, a user must access the device through one of the ports in the designated VLAN.
You also can configure up to five default gateways for the designated VLAN, and associate a metric with each one. The software uses the gateway with the lowest metric. The other gateways reside in the configuration but are not used. To use one of the other gateways, modify the configuration so that the gateway you want to use has the lowest metric.
If more than one gateway has the lowest metric, the gateway that appears first in the running-config is used.
NOTE
If you have already configured a default gateway globally and you do not configure a gateway in the VLAN, the software uses the globally configured gateway and gives the gateway a metric value of 1.
To configure a designated management VLAN, enter commands such as the following.
device(config)#vlan 10 by port
device(config-vlan-10)#untag ethernet 1/1 to 1/4
device(config-vlan-10)#management-vlan
device(config-vlan-10)#default-gateway 10.10.10.1 1
device(config-vlan-10)#default-gateway 10.20.20.1 2
These commands configure port-based VLAN 10 to consist of ports 1/1 - 1/4 and to be the designated management VLAN. The last two commands configure default gateways for the VLAN. Since the 10.10.10.1 gateway has a lower metric, the software uses this gateway. The other gateway remains in the configuration but is not used. You can use the other one by changing the metrics so that the 10.20.20.1 gateway has the lower metric.
Syntax: [no] default-gateway ip-addr metric
The ip-addr parameters specify the IP address of the gateway router.
The metric parameter specifies the metric (cost) of the gateway. You can specify a value from 1 - 5. There is no default. The software uses the gateway with the lowest metric.
Device management security
By default, all management access is disabled. Each of the following management access methods must be specifically enabled as required in your installation:
• SSHv2
• SNMP
The commands for granting access through each of these management interfaces are described in the following sections.
Allowing SSHv2 access to the Brocade device
To allow SSHv2 access to the Brocade device, you must generate a Crypto Key as shown in the following command.
device(config)#crypto key generate
Syntax: crypto key [ generate | zeroize ]
The generate parameter generates a DSA key pair.
The zeroize parameter deletes the currently operative DSA key pair.
In addition, you must configure an AAA authentication method so that SSHv2 logins can be authenticated. For example, the following command configures AAA authentication to use TACACS+ by default, falling back to the local user database if no TACACS+ server is available.
device(config)#aaa authentication login default tacacs+ local
Allowing SNMP access to the Brocade device
To allow SNMP access to the Brocade device, enter the following command.
device(config)#snmp-server
Syntax: [no] snmp-server

Disabling specific access methods

You can specifically disable the following access methods:
• Telnet access
• SNMP access
• TFTP
NOTE
If you disable Telnet access, you will not be able to access the CLI except through SSH or a serial connection to the management module. If you disable SNMP access, you will not be able to use any SNMP-based management application.