Brocade FastIron Ethernet Switch Security Configuration Guide


53-1003088-03

30 July 2014


Supporting FastIron Software Release 08.0.10d

© 2014, Brocade Communications Systems, Inc. All Rights Reserved.

Brocade, the B-wing symbol, Brocade Assurance, ADX, AnyIO, DCX, Fabric OS, FastIron, HyperEdge, ICX, MLX, MyBrocade, NetIron, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and The Effortless Network and the On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands and product names mentioned may be trademarks of others.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.

The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it.

The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.

Contents

Preface ..... 13
  Document conventions ..... 13
    Text formatting conventions ..... 13
    Command syntax conventions ..... 13
    Notes, cautions, and warnings ..... 14
  Brocade resources ..... 15
  Getting technical help ..... 15
  Document feedback ..... 16
About This Document ..... 17
  What's new in this document ..... 17
  How command information is presented in this guide ..... 17
Security Access ..... 19
  Supported security access features ..... 19
  Securing access methods ..... 20
  Remote access to management function restrictions ..... 23
    ACL usage to restrict remote access ..... 23
    Defining the console idle time ..... 25
    Remote access restrictions ..... 25
    Restricting access to the device based on IP or MAC address ..... 26
    Defining the Telnet idle time ..... 27
    Specifying the maximum number of login attempts for Telnet access ..... 27
    Changing the login timeout period for Telnet sessions ..... 28
    Restricting remote access to the device to specific VLAN IDs ..... 28
    Designated VLAN for Telnet management sessions to a Layer 2 Switch ..... 29
    Device management security ..... 30
    Disabling specific access methods ..... 30
  Passwords used to secure access ..... 31
    Setting a Telnet password ..... 32
    Setting passwords for management privilege levels ..... 32
    Recovering from a lost password ..... 34
    Displaying the SNMP community string ..... 35
    Specifying a minimum password length ..... 35
  Local user accounts ..... 35
    Enhancements to username and password ..... 36
    Local user account configuration ..... 40
    Changing a local user password ..... 41
  TACACS and TACACS+ security ..... 42
    How TACACS+ differs from TACACS ..... 42
    TACACS/TACACS+ authentication, authorization, and accounting ..... 42
    TACACS authentication ..... 44
    TACACS/TACACS+ configuration considerations ..... 47
    Enabling TACACS ..... 48
    Identifying the TACACS/TACACS+ servers ..... 48
    Specifying different servers for individual AAA functions ..... 49

    Setting optional TACACS and TACACS+ parameters ..... 49
    Configuring authentication-method lists for TACACS and TACACS+ ..... 50
    Configuring TACACS+ authorization ..... 53
    TACACS+ accounting configuration ..... 55
    Configuring an interface as the source for all TACACS and TACACS+ packets ..... 56
    Displaying TACACS/TACACS+ statistics and configuration information ..... 57
  RADIUS security ..... 58
    RADIUS authentication, authorization, and accounting ..... 58
    RADIUS configuration considerations ..... 61
    Configuring RADIUS ..... 61
    Brocade-specific attributes on the RADIUS server ..... 62
    Enabling SNMP to configure RADIUS ..... 63
    Identifying the RADIUS server to the Brocade device ..... 64
    Specifying different servers for individual AAA functions ..... 64
    RADIUS server per port ..... 64
    RADIUS server to individual ports mapping ..... 65
    RADIUS parameters ..... 66
    Setting authentication-method lists for RADIUS ..... 67
    RADIUS authorization ..... 69
    RADIUS accounting ..... 71
    Configuring an interface as the source for all RADIUS packets ..... 72
    Displaying RADIUS configuration information ..... 72
  SSL security ..... 73
    Specifying a port for SSL communication ..... 73
    Changing the SSL server certificate key size ..... 74
    Support for SSL digital certificates larger than 2048 bits ..... 74
    Importing digital certificates and RSA private key files ..... 74
    Generating an SSL certificate ..... 75
    Deleting the SSL certificate ..... 75
  Authentication-method lists ..... 75
    Configuration considerations for authentication-method lists ..... 76
    Examples of authentication-method lists ..... 76
  TCP Flags - edge port security ..... 78
    Using TCP Flags in combination with other ACL features ..... 79
SSH2 and SCP ..... 81
  Supported SSH2 and Secure Copy features ..... 81
  SSH version 2 overview ..... 81
    Tested SSH2 clients ..... 82
    SSH2 supported features ..... 82
    SSH2 unsupported features ..... 83
  SSH2 authentication types ..... 83
    Configuring SSH2 ..... 83
    Enabling and disabling SSH by generating and deleting host keys ..... 84
    Configuring DSA or RSA challenge-response authentication ..... 86
  Optional SSH parameters ..... 88
    Setting the number of SSH authentication retries ..... 88
    Deactivating user authentication ..... 88
    Enabling empty password logins ..... 89
    Setting the SSH port number ..... 89
    Setting the SSH login timeout value ..... 89
    Designating an interface as the source for all SSH packets ..... 90
    Configuring the maximum idle time for SSH sessions ..... 90

  Filtering SSH access using ACLs ..... 90
  Terminating an active SSH connection ..... 90
  Displaying SSH information ..... 90
    Displaying SSH connection information ..... 91
    Displaying SSH configuration information ..... 91
    Displaying additional SSH connection information ..... 93
  Secure copy with SSH2 ..... 93
    Enabling and disabling SCP ..... 93
    Secure copy configuration notes ..... 93
    Example file transfers using SCP ..... 94
  SSH2 client ..... 96
    Enabling SSH2 client ..... 97
    Configuring SSH2 client public key authentication ..... 97
    Using SSH2 client ..... 98
    Displaying SSH2 client information ..... 99
Rule-Based IP ACLs ..... 101
  Supported Rule-Based IP ACL Features ..... 101
  ACL overview ..... 103
    Types of IP ACLs ..... 104
    ACL IDs and entries ..... 104
    Numbered and named ACLs ..... 105
    Default ACL action ..... 105
  How hardware-based ACLs work ..... 106
    How fragmented packets are processed ..... 106
    Hardware aging of Layer 4 CAM entries ..... 106
  ACL configuration considerations ..... 106
  Configuring standard numbered ACLs ..... 107
    Standard numbered ACL syntax ..... 108
    Configuration example for standard numbered ACLs ..... 109
  Standard named ACL configuration ..... 109
    Standard named ACL syntax ..... 109
    Configuration example for standard named ACLs ..... 111
  Extended numbered ACL configuration ..... 112
    Extended numbered ACL syntax ..... 112
  Extended named ACL configuration ..... 118
  Applying egress ACLs to Control (CPU) traffic ..... 122
  Preserving user input for ACL TCP/UDP port numbers ..... 122
  ACL comment text management ..... 123
    Adding a comment to an entry in a numbered ACL ..... 123
    Adding a comment to an entry in a named ACL ..... 124
    Deleting a comment from an ACL entry ..... 124
    Viewing comments in an ACL ..... 124
  Applying an ACL to a virtual interface in a protocol- or subnet-based VLAN ..... 125
  ACL logging ..... 126
    Configuration notes for ACL logging ..... 126
    Configuration tasks for ACL logging ..... 127
    Example ACL logging configuration ..... 127
    Displaying ACL Log Entries ..... 128
  Enabling strict control of ACL filtering of fragmented packets ..... 128
  Enabling ACL support for switched traffic in the router image ..... 129
  Enabling ACL filtering based on VLAN membership or VE port membership ..... 130
    Configuration notes for ACL filtering ..... 130
    Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only) ..... 131

    Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only) ..... 132
  ACLs to filter ARP packets ..... 132
    Configuration considerations for filtering ARP packets ..... 133
    Configuring ACLs for ARP filtering ..... 133
    Displaying ACL filters for ARP ..... 134
    Clearing the filter count ..... 134
  Filtering on IP precedence and ToS values ..... 134
    TCP flags - edge port security ..... 135
  QoS options for IP ACLs ..... 135
    Configuration notes for QoS options on FCX and ICX devices ..... 136
    Using an ACL to map the DSCP value (DSCP CoS mapping) ..... 136
    Using an IP ACL to mark DSCP values (DSCP marking) ..... 137
    DSCP matching ..... 140
  ACL-based rate limiting ..... 140
  ACL statistics ..... 140
  ACL accounting ..... 141
    Configuring IPv4 ACL accounting ..... 141
  ACLs to control multicast features ..... 142
  Enabling and viewing hardware usage statistics for an ACL ..... 142
  Displaying ACL information ..... 143
  Troubleshooting ACLs ..... 144
  Policy-based routing (PBR) ..... 144
    Configuration considerations for policy-based routing ..... 144
    Configuring a PBR policy ..... 145
    Configuring the ACLs ..... 145
    Configuring the route map ..... 147
    Enabling PBR ..... 148
    Configuration examples for policy based routing ..... 149
    Basic example of policy based routing ..... 149
    Setting the next hop ..... 149
    Setting the output interface to the null interface ..... 150
    Trunk formation with PBR policy ..... 151
IPv6 ACLs ..... 153
  Supported IPv6 ACL features ..... 153
  IPv6 ACL overview ..... 153
    IPv6 ACL traffic filtering criteria ..... 154
    IPv6 protocol names and numbers ..... 154
  IPv6 ACL configuration notes ..... 155
  Configuring an IPv6 ACL ..... 156
    Example IPv6 configurations ..... 156
    Default and implicit IPv6 ACL action ..... 157
  Creating an IPv6 ACL ..... 158
    Syntax for creating an IPv6 ACL ..... 159
  Enabling IPv6 on an interface to which an ACL will be applied ..... 164
    Syntax for enabling IPv6 on an interface ..... 164
  Applying an IPv6 ACL to an interface ..... 164
    Syntax for applying an IPv6 ACL ..... 165
    Applying an IPv6 ACL to a trunk group ..... 165
    Applying an IPv6 ACL to a virtual interface in a protocol-based or subnet-based VLAN ..... 165
  Adding a comment to an IPv6 ACL entry ..... 165
  Deleting a comment from an IPv6 ACL entry ..... 166
  Support for ACL logging ..... 166
  Configuring IPv6 ACL accounting ..... 167
  Displaying IPv6 ACLs ..... 168

802.1X Port Security ..... 169
  Supported 802.1X port security features ..... 169
  IETF RFC support ..... 170
  How 802.1X port security works ..... 170
    Device roles in an 802.1X configuration ..... 170
    Communication between the devices ..... 172
    Controlled and uncontrolled ports ..... 172
    Message exchange during authentication ..... 173
    Authenticating multiple hosts connected to the same port ..... 176
    802.1X port security and sFlow ..... 180
    802.1X accounting ..... 180
  802.1X port security configuration ..... 180
    Configuring an authentication method list for 802.1X ..... 181
    Setting RADIUS parameters ..... 181
    Dynamic VLAN assignment for 802.1X port configuration ..... 184
    Dynamically applying IP ACLs and MAC address filters to 802.1X ports ..... 187
    Enabling 802.1X port security ..... 191
    Setting the port control ..... 191
    Configuring periodic re-authentication ..... 192
    Re-authenticating a port manually ..... 192
    Setting the quiet period ..... 193
    Specifying the wait interval and number of EAP-request/identity frame retransmissions from the Brocade device ..... 193
    Wait interval and number of EAP-request/identity frame retransmissions from the RADIUS server ..... 194
    Specifying a timeout for retransmission of messages to the authentication server ..... 195
    Initializing 802.1X on a port ..... 195
    Allowing access to multiple hosts ..... 195
    MAC address filters for EAP frames ..... 198
    Configuring VLAN access for non-EAP-capable clients ..... 198
  802.1X accounting configuration ..... 199
    802.1X Accounting attributes for RADIUS ..... 199
    Enabling 802.1X accounting ..... 200
  Displaying 802.1X information ..... 200
    Displaying 802.1X configuration information ..... 201
    Displaying 802.1X statistics ..... 205
    Clearing 802.1X statistics ..... 206
    Displaying dynamically-assigned VLAN information ..... 206
    Displaying information about dynamically applied MAC address filters and IP ACLs ..... 207
    Displaying 802.1X multiple-host authentication information ..... 209
  Sample 802.1X configurations ..... 210
    Point-to-point configuration ..... 211
    Hub configuration ..... 212
    802.1X Authentication with dynamic VLAN assignment ..... 214
  Multi-device port authentication and 802.1X security on the same port ..... 215
MAC Port Security ..... 217
  Supported MAC port security features ..... 217
  MAC port security overview ..... 217
    Local and global resources used for MAC port security ..... 218
    Configuration notes and feature limitations for MAC port security ..... 218
    Secure MAC movement ..... 219

  MAC port security configuration ..... 219
    Enabling the MAC port security feature ..... 219
    Setting the maximum number of secure MAC addresses for an interface ..... 219
    Setting the port security age timer ..... 220
    Specifying secure MAC addresses ..... 221
    Autosaving secure MAC addresses to the startup configuration ..... 221
    Specifying the action taken when a security violation occurs ..... 222
  Clearing port security statistics ..... 223
    Clearing restricted MAC addresses ..... 223
    Clearing violation statistics ..... 223
  Displaying port security information ..... 224
    Displaying port security settings ..... 224
    Displaying the secure MAC addresses ..... 224
    Displaying port security statistics ..... 225
    Displaying restricted MAC addresses on a port ..... 226
MAC-based VLANs ..... 227
  Supported MAC-based VLAN features ..... 227
  MAC-based VLAN overview ..... 227
    Static and dynamic hosts ..... 228
    MAC-based VLAN feature structure ..... 228
  Dynamic MAC-based VLAN ..... 229
    Configuration notes and feature limitations for dynamic MAC-based VLAN ..... 229
    Dynamic MAC-based VLAN CLI commands ..... 229
    Dynamic MAC-based VLAN configuration example ..... 230
  MAC-based VLAN configuration ..... 231
    Using MAC-based VLANs and 802.1X security on the same port ..... 232
    Configuring generic and Brocade vendor-specific attributes on the RADIUS server ..... 232
    Aging for MAC-based VLAN ..... 233
    Disabling aging for MAC-based VLAN sessions ..... 234
    Configuring the maximum MAC addresses per port ..... 235
    Configuring a MAC-based VLAN for a static host ..... 235
    Configuring MAC-based VLAN for a dynamic host ..... 236
    Configuring dynamic MAC-based VLAN ..... 236
  Configuring MAC-based VLANs using SNMP ..... 237
  Displaying Information about MAC-based VLANs ..... 237
    Displaying the MAC-VLAN table ..... 237
    Displaying the MAC-VLAN table for a specific MAC address ..... 238
    Displaying allowed MAC addresses ..... 238
    Displaying denied MAC addresses ..... 239
    Displaying detailed MAC-VLAN data ..... 240
    Displaying MAC-VLAN information for a specific interface ..... 241
    Displaying MAC addresses in a MAC-based VLAN ..... 242
    Displaying MAC-based VLAN logging ..... 242
  Clearing MAC-VLAN information ..... 243
  Sample MAC-based VLAN application ..... 243
Defining MAC Address Filters ..... 247
  Supported MAC address filter features ..... 247
  MAC address filters configuration notes and limitations ..... 247
  MAC address filters command syntax ..... 248
  Enabling logging of management traffic permitted by MAC address filters ..... 249

        MAC address filter logging command syntax .......... 250
    Configuring MAC filter accounting .......... 250
    MAC address filter override for 802.1X-enabled ports .......... 251
        MAC address filter override configuration notes .......... 251
        MAC address filter override configuration syntax .......... 251
Multi-Device Port Authentication .......... 253
    Supported Multi-device port authentication (MDPA) features .......... 253
    How multi-device port authentication works .......... 254
        RADIUS authentication .......... 255
        Authentication-failure actions .......... 255
        Unauthenticated port behavior .......... 255
        Supported RADIUS attributes .......... 255
        Support for dynamic VLAN assignment .......... 256
        Support for dynamic ACLs .......... 256
        Support for authenticating multiple MAC addresses on an interface .......... 256
        Support for dynamic ARP inspection with dynamic ACLs .......... 256
        Support for DHCP snooping with dynamic ACLs .......... 257
        Support for source guard protection .......... 257
    Multi-device port authentication and 802.1X security on the same port .......... 257
        Configuring Brocade-specific attributes on the RADIUS server .......... 258
    Multi-device port authentication configuration .......... 259
        Enabling multi-device port authentication .......... 259
        Specifying the format of the MAC addresses sent to the RADIUS server .......... 260
        Specifying the authentication-failure action .......... 260
        Generating traps for multi-device port authentication .......... 261
        Defining MAC address filters .......... 261
        Configuring dynamic VLAN assignment .......... 261
        Dynamically applying IP ACLs to authenticated MAC addresses .......... 265
        Enabling denial of service attack protection .......... 267
        Enabling source guard protection .......... 268
        Clearing authenticated MAC addresses .......... 269
        Disabling aging for authenticated MAC addresses .......... 270
        Changing the hardware aging period for blocked MAC addresses .......... 270
        Specifying the aging time for blocked MAC addresses .......... 271
        Specifying the RADIUS timeout action .......... 271
        Multi-device port authentication password override .......... 272
        Limiting the number of authenticated MAC addresses .......... 273
    Displaying multi-device port authentication information .......... 273
        Displaying authenticated MAC address information .......... 273
        Displaying multi-device port authentication configuration information .......... 274
        Displaying multi-device port authentication information for a specific MAC address or port .......... 275
        Displaying the authenticated MAC addresses .......... 276
        Displaying the non-authenticated MAC addresses .......... 276
        Displaying multi-device port authentication information for a port .......... 276
        Displaying multi-device port authentication settings and authenticated MAC addresses .......... 277
        Displaying the MAC authentication table for FCX and ICX devices .......... 280
    Example port authentication configurations .......... 281
        Multi-device port authentication with dynamic VLAN assignment .......... 281
        Examples of multi-device port authentication and 802.1X authentication configuration on the same port .......... 285


Web Authentication .......... 291
    Supported Web Authentication features .......... 291
    Web authentication overview .......... 291
    Web authentication configuration considerations .......... 292
    Web authentication configuration tasks .......... 294
    Enabling and disabling web authentication .......... 295
    Web authentication mode configuration .......... 295
        Using local user databases .......... 296
        Passcodes for user authentication .......... 299
        Automatic authentication .......... 304
    Web authentication options configuration .......... 304
        Enabling RADIUS accounting for web authentication .......... 304
        Changing the login mode (HTTPS or HTTP) .......... 305
        Specifying trusted ports .......... 305
        Specifying hosts that are permanently authenticated .......... 305
        Configuring the re-authentication period .......... 306
        Defining the web authentication cycle .......... 306
        Limiting the number of web authentication attempts .......... 306
        Clearing authenticated hosts from the web authentication table .......... 307
        Setting and clearing the block duration for web authentication attempts .......... 307
        Manually blocking and unblocking a specific host .......... 307
        Limiting the number of authenticated hosts .......... 308
        Filtering DNS queries .......... 308
        Forcing re-authentication when ports are down .......... 308
        Forcing re-authentication after an inactive period .......... 309
        Defining the web authorization redirect address .......... 309
        Deleting a web authentication VLAN .......... 310
        Web authentication pages .......... 310
    Displaying web authentication information .......... 317
        Displaying the web authentication configuration .......... 317
        Displaying a list of authenticated hosts .......... 319
        Displaying a list of hosts attempting to authenticate .......... 320
        Displaying a list of blocked hosts .......... 320
        Displaying a list of local user databases .......... 321
        Displaying a list of users in a local user database .......... 321
        Displaying passcodes .......... 321
DoS Attack Protection .......... 323
    Supported DoS protection features .......... 323
    Smurf attacks .......... 323
        Avoiding being an intermediary in a Smurf attack .......... 324
        Avoiding being a victim in a Smurf attack .......... 324
    TCP SYN attacks .......... 326
        TCP security enhancement .......... 327
        Displaying statistics about packets dropped because of DoS attacks .......... 328
DHCP .......... 331
    Supported DHCP packet inspection and tracking features .......... 331
    Dynamic ARP inspection .......... 331
        ARP poisoning .......... 331
        About Dynamic ARP Inspection .......... 332
        Configuration notes and feature limitations for DAI .......... 333


        Dynamic ARP inspection configuration .......... 334
        Displaying ARP inspection status and ports .......... 335
        Displaying the ARP table .......... 335
        Multi-VRF support .......... 336
    DHCP snooping .......... 336
        How DHCP snooping works .......... 337
        System reboot and the binding database .......... 338
        Configuration notes and feature limitations for DHCP snooping .......... 338
        Configuring DHCP snooping .......... 339
        Clearing the DHCP binding database .......... 340
        Displaying DHCP snooping status and ports .......... 340
        Displaying the DHCP snooping binding database .......... 340
        Displaying DHCP binding entry and status .......... 340
        DHCP snooping configuration example .......... 341
        Multi-VRF support .......... 341
    DHCP relay agent information .......... 342
        Configuration notes for DHCP option 82 .......... 343
        DHCP Option 82 sub-options .......... 344
        DHCP option 82 configuration .......... 345
        Viewing information about DHCP option 82 processing .......... 347
        Configuring the source IP address of a DHCP-client packet on the DHCP relay agent .......... 349
    IP source guard .......... 349
        Configuration notes and feature limitations for IP source guard .......... 349
        Enabling IP source guard on a port .......... 351
        Defining static IP source bindings .......... 351
        Enabling IP source guard per-port-per-VLAN .......... 351
        Enabling IP source guard on a VE .......... 351
        Enabling IP Source Guard to support a Multi-VRF instance .......... 352
        Displaying learned IP addresses .......... 352
DHCPv6 .......... 355
    Supported DHCPv6 packet inspection and tracking features .......... 355
    Securing IPv6 address configuration .......... 355
    DHCPv6 snooping .......... 355
        How DHCPv6 snooping works .......... 356
        Configuration notes and feature limitations for DHCPv6 snooping .......... 357
        Configuring DHCPv6 snooping .......... 357
        Clearing the DHCPv6 binding database .......... 358
        Displaying DHCPv6 snooping status and ports .......... 358
        Displaying the DHCPv6 snooping binding database .......... 359
        DHCPv6 snooping configuration example .......... 359
        Multi-VRF support for DHCPv6 snooping .......... 359
IPv6 RA Guard .......... 361
    Supported platforms for the IPv6 RA guard feature .......... 361
    Securing IPv6 address configuration .......... 361
    IPv6 RA guard overview .......... 361
        RA guard policy .......... 362
        Whitelist .......... 362
        Prefix list .......... 362
        Maximum preference .......... 362
        Trusted, untrusted, and host ports .......... 362
    Configuration notes and feature limitations for IPv6 RA guard .......... 363
    Configuring IPv6 RA guard .......... 363
    Example of configuring IPv6 RA guard .......... 364


        Example: Configuring IPv6 RA guard on a device .......... 364
        Example: Configuring IPv6 RA guard in a network .......... 364
        Example: Verifying the RA guard configuration .......... 366
Security Commands .......... 367
    access-list enable accounting .......... 368
    clear access-list accounting .......... 369
    clear ipv6 raguard .......... 369
    enable-accounting .......... 371
    logging .......... 371
    ipv6 raguard policy .......... 372
    ipv6 raguard vlan .......... 372
    ipv6 raguard whitelist .......... 373
    mac filter enable-accounting .......... 374
    preference-maximum .......... 374
    prefix-list .......... 375
    raguard .......... 375
    show access-list accounting .......... 377
    show ipv6 raguard .......... 380
    show ipv6 raguard counts .......... 380
    ip bootp-use-intf-ip .......... 382
    whitelist .......... 382
Index .......... 385


Preface

Document conventions .......... 13
Brocade resources .......... 15
Getting technical help .......... 15
Document feedback .......... 16

Document conventions

The document conventions describe text formatting conventions, command syntax conventions, and important notice formats used in Brocade technical documentation.

Text formatting conventions

Text formatting conventions such as boldface, italic, or Courier font may be used in the flow of the text to highlight specific words or phrases.

bold text
    Identifies command names
    Identifies keywords and operands
    Identifies the names of user-manipulated GUI elements
    Identifies text to enter at the GUI

italic text
    Identifies emphasis
    Identifies variables and modifiers
    Identifies paths and Internet addresses
    Identifies document titles

Courier font
    Identifies CLI output
    Identifies command syntax examples

Command syntax conventions

Bold and italic text identify command syntax components. Delimiters and operators define groupings of parameters and their logical relationships.

bold text
    Identifies command names, keywords, and command options.

italic text
    Identifies a variable.

value
    In Fibre Channel products, a fixed value provided as input to a command option is printed in plain text, for example, --show WWN.

[ ]
    Syntax components displayed within square brackets are optional.
    Default responses to system prompts are enclosed in square brackets.

{ x | y | z }
    A choice of required parameters is enclosed in curly brackets separated by vertical bars. You must select one of the options.
    In Fibre Channel products, square brackets may be used instead for this purpose.

x | y
    A vertical bar separates mutually exclusive elements.

< >
    Nonprinting characters, for example, passwords, are enclosed in angle brackets.

...
    Repeat the previous element, for example, member[member...].

\
    Indicates a “soft” line break in command examples. If a backslash separates two lines of a command input, enter the entire command at the prompt without the backslash.

Notes, cautions, and warnings

Notes, cautions, and warning statements may be used in this document. They are listed in the order of increasing severity of potential hazards.

NOTE

A note provides a tip, guidance, or advice, emphasizes important information, or provides a reference to related information.

ATTENTION

An Attention statement indicates potential damage to hardware or data.

CAUTION

A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.

DANGER

A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.


Brocade resources

Visit the Brocade website to locate related documentation for your product and additional Brocade resources.

You can download additional publications supporting your product at www.brocade.com.

Adapter documentation is available on the Downloads and Documentation for Brocade Adapters page. Select your platform and scroll down to the Documentation section.

For all other products, select the Brocade Products tab to locate your product, then click the Brocade product name or image to open the individual product page. The user manuals are available in the resources module at the bottom of the page under the Documentation category.

To get up-to-the-minute information on Brocade products and resources, go to MyBrocade. You can register at no cost to obtain a user ID and password.

Release notes are available on MyBrocade under Product Downloads.

White papers, online demonstrations, and data sheets are available through the Brocade website.

Getting technical help

You can contact Brocade Support 24x7 online, by telephone, or by e-mail.

For product support information and the latest information on contacting the Technical Assistance Center, go to http://www.brocade.com/services-support/index.html.

Use one of the following methods to contact the Brocade Technical Assistance Center.

Online
    Preferred method of contact for non-urgent issues:
    • My Cases through MyBrocade
    • Software downloads and licensing tools
    • Knowledge Base

Telephone
    Required for Sev 1-Critical and Sev 2-High issues:
    • Continental US: 1-800-752-8061
    • Europe, Middle East, Africa, and Asia Pacific: +800-AT FIBREE (+800 28 34 27 33)
    • For areas unable to access toll free number: +1-408-333-6061
    Toll-free numbers are available in many countries.

E-mail
    support@brocade.com
    Please include:
    • Problem summary
    • Serial number
    • Installation details
    • Environment description


Document feedback

To send feedback and report errors in the documentation you can use the feedback form posted with the document or you can e-mail the documentation team.

Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. You can provide feedback in two ways:

• Through the online feedback form in the HTML documents posted on www.brocade.com.

• By sending your feedback to documentation@brocade.com.

Provide the publication title, part number, and as much detail as possible, including the topic heading and page number if applicable, as well as your suggestions for improvement.


About This Document

What’s new in this document .......... 17
How command information is presented in this guide .......... 17

What’s new in this document

This document includes the information from IronWare software release 08.0.10d. The following table lists the enhancements for FastIron release 08.0.10d.

TABLE 1 Summary of enhancements in FastIron release 08.0.10d

| Feature | Description | Described in |
|---|---|---|
| TTL enhancement | The no-ttl-decrement option disables the TTL decrement and the packets will be forwarded without decrementing TTL for the traffic matched by the policy. | See Configuring the route map on page 147. |

How command information is presented in this guide

For all new content, command syntax and parameters are documented in a separate command reference section at the end of the publication.

In an effort to provide consistent command line interface (CLI) documentation for all products, Brocade is in the process of preparing standalone Command References for the IP platforms. This process involves separating command syntax and parameter descriptions from configuration tasks. Until this process is completed, command information is presented in two ways:

• For all new content included in this guide, the CLI is documented in separate command pages. The new command pages follow a standard format to present syntax, parameters, usage guidelines, examples, and command history. Command pages are compiled in alphabetical order in a separate command reference chapter at the end of the publication.

• Legacy content continues to include command syntax and parameter descriptions in the chapters where the features are documented.

If you do not find command syntax information embedded in a configuration task, refer to the command reference section at the end of this publication for information on CLI syntax and usage.


Security Access

Supported security access features .......... 19
Securing access methods .......... 20
Remote access to management function restrictions .......... 23
Passwords used to secure access .......... 31
Local user accounts .......... 35
TACACS and TACACS+ security .......... 42
RADIUS security .......... 58
SSL security .......... 73
Authentication-method lists .......... 75
TCP Flags - edge port security .......... 78

Supported security access features

Lists security access features supported on FastIron devices.

The following table lists the individual Brocade FastIron switches and the security access features they support. These features are supported in the Layer 2 and Layer 3 software images, except where explicitly noted.

| Feature | ICX 6430 | ICX 6450 | FCX | ICX 6610 | ICX 6650 | FSX 800, FSX 1600 | ICX 7750 |
|---|---|---|---|---|---|---|---|
| Authentication, Authorization and Accounting (AAA): RADIUS, TACACS, TACACS+ | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
| AAA support for console commands | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
| Restricting remote access to management functions | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
| Disabling TFTP access | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
| Using ACLs to restrict remote access | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
| Local user accounts | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
| Local user passwords | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
| SSL security | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
| AAA authentication-method lists | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
| Packet filtering on TCP flags | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | No | 08.0.10 |

This chapter explains how to secure access to management functions on a Brocade device.


NOTE

Web management is not supported in Release 8.0.00a and later releases. If web management is enabled, you must configure the no web-management command to disable it.

NOTE

For all Brocade devices, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. Also, multiple challenges are supported for TACACS+ login authentication.

Securing access methods

The following table lists the management access methods available on a Brocade device, how they are secured by default, and the ways in which they can be secured.

TABLE 2 Ways to secure management access to Brocade devices

| Access method | How the access method is secured by default | Ways to secure the access method | See page |
|---|---|---|---|
| Serial access to the CLI | Not secured | Establish passwords for management privilege levels | Setting passwords for management privilege levels on page 32 |
| Access to the Privileged EXEC and CONFIG levels of the CLI | Not secured | Establish a password for Telnet access to the CLI | Setting a Telnet password on page 32 |
| | | Establish passwords for management privilege levels | Setting passwords for management privilege levels on page 32 |
| | | Set up local user accounts | Local user accounts on page 35 |
| | | Configure TACACS/TACACS+ security | TACACS and TACACS+ security on page 42 |
| | | Configure RADIUS security | RADIUS security on page 58 |
| Telnet access | Not secured | Regulate Telnet access using ACLs | Using an ACL to restrict Telnet access on page 23 |
| | | Allow Telnet access only from specific IP addresses | Restricting Telnet access to a specific IP address on page 26 |
| | | Restrict Telnet access based on a client MAC address | Restricting access to the device based on IP or MAC address on page 26 |
| | | Allow Telnet access only from specific MAC addresses | Restricting Telnet access to a specific VLAN on page 28 |
| | | Define the Telnet idle time | Defining the Telnet idle time on page 27 |
| | | Change the Telnet login timeout period | Changing the login timeout period for Telnet sessions on page 28 |
| | | Specify the maximum number of login attempts for Telnet access | Specifying the maximum number of login attempts for Telnet access on page 27 |
| | | Disable Telnet access | Disabling Telnet access on page 31 |
| | | Establish a password for Telnet access | Setting a Telnet password on page 32 |
| | | Establish passwords for privilege levels of the CLI | Setting passwords for management privilege levels on page 32 |
| | | Set up local user accounts | Local user accounts on page 35 |
| | | Configure TACACS/TACACS+ security | TACACS and TACACS+ security on page 42 |
| | | Configure RADIUS security | RADIUS security on page 58 |
| Secure Shell (SSH) access | Not configured | Configure SSH | Refer to the Configuring SSH2 section |
| | | Regulate SSH access using ACLs | Using an ACL to restrict SSH access on page 24 |
| | | Allow SSH access only from specific IP addresses | Restricting SSH access to a specific IP address on page 26 |
| | | Allow SSH access only from specific MAC addresses | Restricting access to the device based on IP or MAC address on page 26 |
| | | Establish passwords for privilege levels of the CLI | Setting passwords for management privilege levels on page 32 |
| | | Set up local user accounts | Local user accounts on page 35 |
| | | Configure TACACS/TACACS+ security | TACACS and TACACS+ security on page 42 |
| | | Configure RADIUS security | RADIUS security on page 58 |
| SNMP access | SNMP read or read-write community strings and the password to the Super User privilege level | Regulate SNMP access using ACLs | Using ACLs to restrict SNMP access on page 24 |

NOTE

SNMP read or read-write community strings are always required for SNMP access to the device.

Allow SNMP access

Restricting SNMP access

only from specific IP

to a specific IP address

addresses

on page 26

 

 

Disable SNMP access

Disabling SNMP access

 

on page 31

 

 

Allow SNMP access

Restricting SNMP access

 

 

only to clients

to a specific VLAN on

 

 

connected to a specific

page 28

 

 

VLAN

 

 

 

 

 

 

 

Establish passwords to

Setting passwords for

 

 

management levels of

management privilege

 

 

the CLI

levels on page 32

 

 

 

 

 

 

Set up local user

Local user accounts on

 

 

accounts

page 35

 

 

 

 

 

 

Establish SNMP read

TACACS and TACACS+

 

 

or read-write

security on page 42

 

 

community strings

 

 

 

 

 

TFTP access

Not secured

Allow TFTP access

Restricting TFTP access

 

 

only to clients

to a specific VLAN on

 

 

connected to a specific

page 29

 

 

VLAN

 

 

 

 

 

 

 

Disable TFTP access

Disabling TFTP access

 

 

 

on page 31

Access for Stacked

Access to multiple consoles must

Devices

be secured after AAA is enabled

Extra steps must be

Configuring TACACS/

taken to secure

TACACS+ for devices in

multiple consoles in a

a Brocade traditional

traditional stack.

stack on page 43

22

FastIron Ethernet Switch Security Configuration Guide

 

53-1003088-03


Remote access to management function restrictions

You can restrict access to management functions from remote sources, including Telnet and SNMP. The following methods for restricting remote access are supported:

Using ACLs to restrict Telnet or SNMP access

Allowing remote access only from specific IP addresses

Allowing Telnet and SSH access only from specific MAC addresses

Allowing remote access only to clients connected to a specific VLAN

Specifically disabling Telnet or SNMP access to the device

NOTE

Web management is not supported in Release 8.0.00a and later releases. If web management is enabled, you must configure the no web-management command to disable it.

The following sections describe how to restrict remote access to a Brocade device using these methods.

ACL usage to restrict remote access

You can use standard ACLs to control the following access methods to management functions on a Brocade device:

Telnet

SSH

SNMP

Consider the following to configure access control for these management access methods.

1. Configure an ACL with the IP addresses you want to allow to access the device.

2. Configure a Telnet access group, an SSH access group, and SNMP community strings. Each of these configuration items accepts an ACL as a parameter. The ACL contains entries that identify the IP addresses that can use the access method.

The following sections present examples of how to secure management access using ACLs. Refer to the Rule-Based IP ACLs chapter for more information on configuring ACLs.

Using an ACL to restrict Telnet access

To configure an ACL that restricts Telnet access to the device, enter commands such as the following.

device(config)#access-list 10 deny host 10.157.22.32 log
device(config)#access-list 10 deny 10.157.23.0 0.0.0.255 log
device(config)#access-list 10 deny 10.157.24.0 0.0.0.255 log
device(config)#access-list 10 deny 10.157.25.0/24 log
device(config)#access-list 10 permit any
device(config)#telnet access-group 10

device(config)#write memory

Syntax: telnet access-group num

The num parameter specifies the number of a standard ACL and must be from 1 - 99.

The commands above configure ACL 10, then apply the ACL as the access list for Telnet access. The device allows Telnet access to all IP addresses except those listed in ACL 10.


To configure a more restrictive ACL, create only permit entries and omit the permit any entry at the end of the ACL, so that the implicit deny at the end of every ACL rejects all other sources.

device(config)#access-list 10 permit host 10.157.22.32
device(config)#access-list 10 permit 10.157.23.0 0.0.0.255
device(config)#access-list 10 permit 10.157.24.0 0.0.0.255
device(config)#access-list 10 permit 10.157.25.0/24
device(config)#telnet access-group 10

device(config)#write memory

The ACL in this example permits Telnet access only to the IP addresses in the permit entries and denies Telnet access from all other IP addresses.

Using an ACL to restrict SSH access

To configure an ACL that restricts SSH access to the device, enter commands such as the following.

device(config)#access-list 12 deny host 10.157.22.98 log
device(config)#access-list 12 deny 10.157.23.0 0.0.0.255 log
device(config)#access-list 12 deny 10.157.24.0/24 log
device(config)#access-list 12 permit any

device(config)#ssh access-group 12
device(config)#write memory

Syntax: ssh access-group num

The num parameter specifies the number of a standard ACL and must be from 1 - 99.

These commands configure ACL 12, then apply the ACL as the access list for SSH access. The device denies SSH access from the IP addresses listed in ACL 12 and permits SSH access from all other IP addresses. Without the last ACL entry for permitting all packets, this ACL would deny SSH access from all IP addresses.

NOTE

In this example, the command ssh access-group 10 could have been used to apply the ACL configured in the example for Telnet access. You can use the same ACL multiple times.
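The Telnet and SSH ACLs above differ only in whether they end with a permit any entry, and that single entry decides whether everything not listed is allowed or denied. The following Python script is an added example for this guide (it is not Brocade code and does not run on the switch): it parses standard-ACL entries in the syntax shown on this page, including the optional device(config)# prompt, and applies them the way an access-group does, first matching entry wins and a source that matches nothing falls through to the implicit deny. The function names (parse_acls, evaluate, policy, shadowed) are the example's own, the two sample ACLs are copied from the Telnet examples above, the test addresses are constructed, and wildcard-mask support is limited to contiguous masks such as 0.0.0.255.

```python
"""Apply FastIron-style standard ACLs the way telnet/ssh access-group does:
first matching entry wins, and a source that matches nothing is denied.
Added example for this guide, not Brocade code."""
import ipaddress
import re
from dataclasses import dataclass

# One standard-ACL entry in the forms used on this page; an optional
# "device(config)#" prompt is accepted so the examples can be pasted as-is.
ENTRY_RE = re.compile(
    r"^(?:\S*\(config\)#)?access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<target>any|host\s+\S+|\S+/\d+|\S+\s+\S+)(?P<log>\s+log)?\s*$"
)


@dataclass(frozen=True)
class Entry:
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # source addresses this entry matches
    log: bool                       # "log" keyword present
    text: str                       # original target clause, for reporting


def _wildcard_to_prefix(wildcard):
    """Translate a contiguous wildcard mask (0.0.0.255 -> 24) to a prefix length."""
    bits = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - bits.bit_length()
    if bits != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard} is not supported here")
    return prefix


def _to_network(target):
    words = target.split()
    if words[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if words[0] == "host":
        return ipaddress.ip_network(f"{words[1]}/32")
    if "/" in words[0]:                       # 10.157.25.0/24
        return ipaddress.ip_network(words[0], strict=False)
    prefix = _wildcard_to_prefix(words[1])    # 10.157.23.0 0.0.0.255
    return ipaddress.ip_network(f"{words[0]}/{prefix}", strict=False)


def parse_acls(config_lines):
    """Return {acl_number: [Entry, ...]} in configuration order."""
    acls = {}
    for line in config_lines:
        m = ENTRY_RE.match(line.strip())
        if not m:   # e.g. "telnet access-group 10" or "write memory"
            continue
        entry = Entry(m["action"], _to_network(m["target"]), m["log"] is not None, m["target"])
        acls.setdefault(int(m["num"]), []).append(entry)
    return acls


def evaluate(entries, source_ip):
    """Return (action, matched clause); no match is the ACL's implicit deny."""
    addr = ipaddress.ip_address(source_ip)
    for entry in entries:
        if addr in entry.network:
            return entry.action, entry.text
    return "deny", "<implicit deny>"


def policy(entries):
    """'blocklist' if the ACL ends with a catch-all permit, else 'allowlist'."""
    last = entries[-1] if entries else None
    if last and last.action == "permit" and last.network.prefixlen == 0:
        return "blocklist"
    return "allowlist"


def shadowed(entries):
    """Clauses that can never match because an earlier entry covers their whole range."""
    return [e.text for i, e in enumerate(entries)
            if any(e.network.subnet_of(p.network) for p in entries[:i])]


# The two Telnet ACLs from this section (copied from the examples above).
TELNET_BLOCKLIST = """\
access-list 10 deny host 10.157.22.32 log
access-list 10 deny 10.157.23.0 0.0.0.255 log
access-list 10 deny 10.157.24.0 0.0.0.255 log
access-list 10 deny 10.157.25.0/24 log
access-list 10 permit any
""".splitlines()

TELNET_ALLOWLIST = """\
access-list 10 permit host 10.157.22.32
access-list 10 permit 10.157.23.0 0.0.0.255
access-list 10 permit 10.157.24.0 0.0.0.255
access-list 10 permit 10.157.25.0/24
""".splitlines()

if __name__ == "__main__":
    for name, lines in (("blocklist", TELNET_BLOCKLIST), ("allowlist", TELNET_ALLOWLIST)):
        acl = parse_acls(lines)[10]
        print(f"ACL 10 as {name} ({policy(acl)}), shadowed: {shadowed(acl) or 'none'}")
        for src in ("10.157.22.32", "10.157.23.7", "10.157.99.1"):
            print(f"  {src:>14} -> {evaluate(acl, src)}")
```

Feed it the access-list lines you are about to paste into the device and a list of the management stations that must keep working; an address that comes back as "<implicit deny>" will be locked out the moment the access-group is applied, so it is cheaper to find that here than after write memory. The shadowed check catches the other common mistake, a permit host entry placed after a deny that already covers its subnet.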

Using ACLs to restrict SNMP access

To restrict SNMP access to the device using ACLs, enter commands such as the following.

NOTE

The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet and SSH using ACLs.

device(config)#access-list 25 deny host 10.157.22.98 log
device(config)#access-list 25 deny 10.157.23.0 0.0.0.255 log
device(config)#access-list 25 deny 10.157.24.0 0.0.0.255 log
device(config)#access-list 25 permit any
device(config)#access-list 30 deny 10.157.25.0 0.0.0.255 log
device(config)#access-list 30 deny 10.157.26.0/24 log
device(config)#access-list 30 permit any
device(config)#snmp-server community public ro 25
device(config)#snmp-server community private rw 30
device(config)#write memory

Syntax: snmp-server community string [ ro | rw ] num

The string parameter specifies the SNMP community string the user must enter to gain SNMP access.


The ro parameter indicates that the community string is for read-only ("get") access. The rw parameter indicates the community string is for read-write ("set") access.

The num parameter specifies the number of a standard ACL and must be from 1 - 99.

These commands configure ACLs 25 and 30, then apply the ACLs to community strings.

ACL 25 is used to control read-only access using the "public" community string. ACL 30 is used to control read-write access using the "private" community string.

NOTE

When snmp-server community is configured, all incoming SNMP packets are validated first by their community strings and then by their bound ACLs.

Defining the console idle time

By default, a Brocade device does not time out serial console sessions: a serial session remains open until you close it. You can, however, define how many minutes a serial management session can remain idle before it is timed out.

NOTE

You must enable AAA support for console commands, AAA authentication, and Exec authorization in order to set the console idle time.

To configure the idle time for a serial console session, use the following command.

device(config)#console timeout 120

Syntax: [no] console timeout [ 0-240 ]

Possible values: 0 - 240 minutes

Default value: 0 minutes (no timeout)

NOTE

In RADIUS, the standard attribute Idle-Timeout is used to define the console session timeout value. The attribute Idle-Timeout value is specified in seconds. Within the switch, it is truncated to the nearest minute, because the switch configuration is defined in minutes.

Remote access restrictions

By default, a Brocade device does not control remote management access based on the IP address of the managing device. You can restrict remote management access to a single IP address for the following access methods:

Telnet access

SSH access

SNMP access

In addition, you can restrict all access methods to the same IP address using a single command.

The following examples show the CLI commands for restricting remote access. You can specify only one IP address with each command. However, you can enter each command ten times to specify up to ten IP addresses.


Restricting Telnet access to a specific IP address

To allow Telnet access to the Brocade device only to the host with IP address 10.157.22.39, enter the following command.

device(config)#telnet client 10.157.22.39

Syntax: [no] telnet client { ip-addr | ipv6-addr }

Restricting SSH access to a specific IP address

To allow SSH access to the Brocade device only to the host with IP address 10.157.22.39, enter the following command.

device(config)#ip ssh client 10.157.22.39

Syntax: [no] ip ssh client { ip-addr | ipv6-addr }

Restricting SNMP access to a specific IP address

To allow SNMP access only to the host with IP address 10.157.22.14, enter the following command.

device(config)#snmp-client 10.157.22.14

Syntax: [no] snmp-client { ip-addr | ipv6-addr }

Restricting all remote management access to a specific IP address

To allow Telnet, SSH, and SNMP management access to the Brocade device only to the host with IP address 10.157.22.69, enter three separate commands (one for each access type) or enter the following single command.

device(config)#all-client 10.157.22.69

Syntax: [no] all-client { ip-addr | ipv6-addr }

Restricting access to the device based on IP or MAC address

You can restrict remote management access to the Brocade device, using Telnet, SSH, HTTP, and HTTPS, based on the connecting client IP address or MAC address. Note that the device can only match the source MAC address of the frame as it arrives on the device's port: a client behind a router is seen with the router's MAC address, and a client on the same segment can spoof its MAC address. Treat the MAC check as an additional filter alongside the IP restriction and the login password, not as authentication on its own.

Restricting Telnet connection

You can restrict Telnet connection to a device based on the client IP address or MAC address.

To allow Telnet access to the Brocade device only to the host with IP address 10.157.22.39 and MAC address 0000.000f.e9a0, enter the following command.

device(config)#telnet client 10.157.22.39 0000.000f.e9a0

Syntax: [no] telnet client { ip-addr | ipv6-addr } mac-addr


The following command allows Telnet access to the Brocade device from a host with any IP address, provided that it has MAC address 0000.000f.e9a0.

device(config)#telnet client any 0000.000f.e9a0

Syntax: [no] telnet client any mac-addr

Restricting SSH connection

You can restrict SSH connection to a device based on the client IP address or MAC address.

To allow SSH access to the Brocade device only to the host with IP address 10.157.22.39 and MAC address 0000.000f.e9a0, enter the following command.

device(config)#ip ssh client 10.157.22.39 0000.000f.e9a0

Syntax: [no] ip ssh client { ip-addr | ipv6-addr } mac-addr

To allow SSH access to the Brocade device from a host with any IP address and MAC address 0000.000f.e9a0, enter the following command.

device(config)#ip ssh client any 0000.000f.e9a0

Syntax: [no] ip ssh client any mac-addr

Defining the Telnet idle time

You can define how many minutes a Telnet session can remain idle before it is timed out. An idle Telnet session is a session that is still sending TCP ACKs in response to keepalive messages from the device, but is not being used to send data.

To configure the idle time for a Telnet session, use the following command.

device(config)#telnet timeout 120

Syntax: [no] telnet timeout minutes

For minutes enter a value from 0 - 240. The default value is 0 minutes (no timeout).

Specifying the maximum number of login attempts for Telnet access

If you are connecting to the Brocade device using Telnet, the device prompts you for a username and password. By default, you have up to 4 chances to enter a correct username and password. If you do not enter a correct username or password after 4 attempts, the Brocade device disconnects the Telnet session.

You can specify the number of attempts a Telnet user has to enter a correct username and password before the device disconnects the Telnet session. For example, to allow a Telnet user up to 5 chances to enter a correct username and password, enter the following command.

device(config)#telnet login-retries 5

Syntax: [no] telnet login-retries number

You can specify from 0 - 5 attempts. The default is 4 attempts.


NOTE

The telnet login-retries limit takes effect only when Telnet authentication is enabled with the enable telnet authentication local command.

Changing the login timeout period for Telnet sessions

By default, the login timeout period for a Telnet session is 2 minutes. To change the login timeout period, use the following command.

device(config)#telnet login-timeout 5

Syntax: [no] telnet login-timeout minutes

For minutes , enter a value from 1 to 10. The default timeout period is 2 minutes.

Restricting remote access to the device to specific VLAN IDs

You can restrict management access to a Brocade device to ports within a specific port-based VLAN. VLAN-based access control applies to the following access methods:

Telnet access

SNMP access

TFTP access

By default, access is allowed for all the methods listed above on all ports. Once you configure security for a given access method based on VLAN ID, access to the device using that method is restricted to only the ports within the specified VLAN.

VLAN-based access control works in conjunction with other access control methods. For example, suppose you configure an ACL to permit Telnet access only to specific client IP addresses, and you also configure VLAN-based access control for Telnet access. In this case, the only Telnet clients that can access the device are clients that have one of the IP addresses permitted by the ACL and are connected to a port that is in a permitted VLAN. Clients who have a permitted IP address but are connected to a port in a VLAN that is not permitted still cannot access the device through Telnet.

Restricting Telnet access to a specific VLAN

To allow Telnet access only to clients in a specific VLAN, enter a command such as the following.

device(config)#telnet server enable vlan 10

The command in this example configures the device to allow Telnet management access only to clients connected to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access.

Syntax: [no] telnet server enable vlan vlan-id

Restricting SNMP access to a specific VLAN

To allow SNMP access only to clients in a specific VLAN, enter a command such as the following.

device(config)#snmp-server enable vlan 40


The command in this example configures the device to allow SNMP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.

Syntax: [no] snmp-server enable vlan vlan-id

Restricting TFTP access to a specific VLAN

To allow TFTP access only to clients in a specific VLAN, enter a command such as the following.

device(config)#tftp client enable vlan 40

The command in this example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.

Syntax: [no] tftp client enable vlan vlan-id

Designated VLAN for Telnet management sessions to a Layer 2 Switch

All Brocade FastIron devices support the creation of management VLANs. By default, the management IP address you configure on a Layer 2 Switch applies globally to all the ports on the device. This is true even if you divide the device ports into multiple port-based VLANs.

If you want to restrict the IP management address to a specific port-based VLAN, you can make that VLAN the designated management VLAN for the device. When you configure a VLAN to be the designated management VLAN, the management IP address you configure on the device is associated only with the ports in the designated VLAN. To establish a Telnet management session with the device, a user must access the device through one of the ports in the designated VLAN.

You also can configure up to five default gateways for the designated VLAN, and associate a metric with each one. The software uses the gateway with the lowest metric. The other gateways reside in the configuration but are not used. To use one of the other gateways, modify the configuration so that the gateway you want to use has the lowest metric.

If more than one gateway has the lowest metric, the gateway that appears first in the running-config is used.

NOTE

If you have already configured a default gateway globally and you do not configure a gateway in the VLAN, the software uses the globally configured gateway and gives the gateway a metric value of 1.

To configure a designated management VLAN, enter commands such as the following.

device(config)#vlan 10 by port
device(config-vlan-10)#untag ethernet 1/1 to 1/4
device(config-vlan-10)#management-vlan
device(config-vlan-10)#default-gateway 10.10.10.1 1
device(config-vlan-10)#default-gateway 10.20.20.1 2

These commands configure port-based VLAN 10 to consist of ports 1/1 - 1/4 and to be the designated management VLAN. The last two commands configure default gateways for the VLAN. Since the 10.10.10.1 gateway has a lower metric, the software uses this gateway. The other gateway remains in the configuration but is not used. You can use the other one by changing the metrics so that the 10.20.20.1 gateway has the lower metric.

Syntax: [no] default-gateway ip-addr metric

The ip-addr parameter specifies the IP address of the gateway router.


The metric parameter specifies the metric (cost) of the gateway. You can specify a value from 1 - 5. There is no default. The software uses the gateway with the lowest metric.

Device management security

By default, all management access is disabled. Each of the following management access methods must be specifically enabled as required in your installation:

SSHv2

SNMP

The commands for granting access to each of these management interfaces are described in the following sections.

Allowing SSHv2 access to the Brocade device

To allow SSHv2 access to the Brocade device, you must first generate the host key pair that the SSH server uses, as shown in the following command.

device(config)#crypto key generate

Syntax: crypto key [ generate | zeroize ]

The generate parameter generates a DSA key pair.

The zeroize parameter deletes the currently operative DSA key pair. Once the key pair is deleted, SSHv2 clients cannot connect until a new key pair is generated.

In addition, you must configure AAA authentication so that SSHv2 logins require a password. For example, the following command configures the default login authentication method list to use TACACS+ and to fall back to the local user database if TACACS+ is not available.

device(config)#aaa authentication login default tacacs+ local

Allowing SNMP access to the Brocade device

To allow SNMP access to the Brocade device, enter the following command.

device(config)#snmp-server

Syntax: [no] snmp-server

Disabling specific access methods

You can specifically disable the following access methods:

Telnet access

SNMP access

TFTP

NOTE

If you disable Telnet access, you cannot reach the CLI except through a serial connection to the management module. If you disable SNMP access, SNMP-based management applications cannot manage the device.
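The controls in this chapter (access-group ACLs, per-host telnet client / ip ssh client / snmp-client / all-client entries, VLAN restrictions, community-string ACLs, and the console and Telnet idle timeouts) are all visible in the running configuration, so they can be checked mechanically before a device goes into service. The following Python script is an added example for this guide, not Brocade code: it reads a saved running-config excerpt and reports where Telnet, SSH or SNMP access is left unrestricted, where a community string is a well-known default or has no ACL, where an access-group points at an ACL that only blocklists, and where an idle timeout is still at its default of 0. The two configuration excerpts are constructed for the demonstration (they are not captured from a device), the check names and the WARN/INFO labels are the example's own, and the SNMP parsing assumes the plaintext "snmp-server community string ro|rw [acl]" form used on this page.

```python
"""Audit a FastIron running-config excerpt for the management-access controls
this chapter describes. Added example for this guide, not Brocade code."""
import re
from collections import defaultdict

# Constructed excerpts, not captured from a real device. They use the plaintext
# "snmp-server community <string> ro|rw [acl]" form shown on this page; a saved
# config may show the string in encrypted form instead.
WEAK_CONFIG = """\
snmp-server
snmp-server community public ro
snmp-server community private rw
telnet timeout 0
"""

HARDENED_CONFIG = """\
access-list 12 permit host 10.157.22.32
access-list 12 permit 10.157.23.0 0.0.0.255
access-list 25 permit host 10.157.22.14
aaa authentication login default tacacs+ local
telnet access-group 12
ssh access-group 12
snmp-server
snmp-server community n0t-publ1c ro 25
telnet timeout 10
console timeout 10
telnet login-retries 3
telnet server enable vlan 10
snmp-server enable vlan 10
"""


def audit(config_text):
    """Return a list of 'WARN: ...' / 'INFO: ...' findings; [] means all checks passed."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    def has(prefix):
        return any(ln.startswith(prefix) for ln in lines)

    def value(prefix, default=None):
        # The last occurrence wins, as it does when a command is re-entered.
        for ln in reversed(lines):
            if ln.startswith(prefix):
                return ln[len(prefix):].strip()
        return default

    acls = defaultdict(list)
    for ln in lines:
        m = re.match(r"access-list (\d+) (.+)", ln)
        if m:
            acls[int(m.group(1))].append(m.group(2))

    def access_group_ok(method, keyword):
        """True if '<keyword> access-group N' is present; flags empty or blocklist ACLs."""
        num = value(f"{keyword} access-group ")
        if num is None:
            return False
        entries = acls.get(int(num), [])
        if not entries:
            findings.append(f"WARN: {method}: access-group {num} references ACL {num}, "
                            f"which has no entries in this config; verify the device's behaviour")
        elif entries[-1].startswith("permit any"):
            findings.append(f"INFO: {method}: ACL {num} ends with 'permit any', so it only "
                            f"blocks the listed sources; drop that entry for an allowlist")
        return True

    telnet_ok = access_group_ok("Telnet", "telnet")
    if not (telnet_ok or has("telnet client ") or has("all-client ")
            or has("telnet server enable vlan ")):
        findings.append("WARN: Telnet: no telnet access-group, telnet client, all-client "
                        "or telnet server enable vlan restriction")

    ssh_ok = access_group_ok("SSH", "ssh")
    if not (ssh_ok or has("ip ssh client ") or has("all-client ")):
        findings.append("WARN: SSH: no ssh access-group, ip ssh client or all-client restriction")

    snmp_other = has("snmp-client ") or has("all-client ") or has("snmp-server enable vlan ")
    for ln in lines:
        if not ln.startswith("snmp-server community "):
            continue
        parts = ln.split()
        string = parts[2]
        mode = parts[3] if len(parts) > 3 else "ro"
        acl = parts[4] if len(parts) > 4 else None
        if string.lower() in ("public", "private"):
            findings.append(f"WARN: SNMP: community '{string}' is a well-known default")
        if acl is None and not snmp_other:
            findings.append(f"WARN: SNMP: {mode} community '{string}' has no ACL and no "
                            f"other SNMP source restriction")

    for prefix, what in (("telnet timeout ", "Telnet"), ("console timeout ", "console")):
        if int(value(prefix, "0")) == 0:   # 0 is the device default: sessions never time out
            findings.append(f"WARN: {what} idle timeout is 0 (no timeout)")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  " + finding)
```

The checks are text-based and only see what the configuration shows: whether an SSH host key exists, whether the SSH server is actually enabled, and whether RADIUS or TACACS+ servers are reachable all have to be verified on the device itself. An ACL that an access-group references but that has no entries is reported rather than judged, because this guide does not state how the device treats an empty ACL.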
