53-1003088-03
30 July 2014
FastIron Ethernet Switch
Security Configuration Guide
Supporting FastIron Software Release 08.0.10d
© 2014, Brocade Communications Systems, Inc. All Rights Reserved.
Brocade, the B-wing symbol, Brocade Assurance, ADX, AnyIO, DCX, Fabric OS, FastIron, HyperEdge, ICX, MLX, MyBrocade, NetIron, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and The Effortless Network and the On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands and product names mentioned may be trademarks of others.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it.
The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.
Preface ........ 13
    Document conventions ........ 13
        Text formatting conventions ........ 13
        Command syntax conventions ........ 13
        Notes, cautions, and warnings ........ 14
    Brocade resources ........ 15
    Getting technical help ........ 15
    Document feedback ........ 16
About This Document ........ 17
    What’s new in this document ........ 17
    How command information is presented in this guide ........ 17
Security Access ........ 19
    Supported security access features ........ 19
    Securing access methods ........ 20
    Remote access to management function restrictions ........ 23
        ACL usage to restrict remote access ........ 23
        Defining the console idle time ........ 25
        Remote access restrictions ........ 25
        Restricting access to the device based on IP or MAC address ........ 26
        Defining the Telnet idle time ........ 27
        Specifying the maximum number of login attempts for Telnet access ........ 27
        Changing the login timeout period for Telnet sessions ........ 28
        Restricting remote access to the device to specific VLAN IDs ........ 28
        Designated VLAN for Telnet management sessions to a Layer 2 Switch ........ 29
        Device management security ........ 30
        Disabling specific access methods ........ 30
    Passwords used to secure access ........ 31
        Setting a Telnet password ........ 32
        Setting passwords for management privilege levels ........ 32
        Recovering from a lost password ........ 34
        Displaying the SNMP community string ........ 35
        Specifying a minimum password length ........ 35
    Local user accounts ........ 35
        Enhancements to username and password ........ 36
        Local user account configuration ........ 40
        Changing a local user password ........ 41
    TACACS and TACACS+ security ........ 42
        How TACACS+ differs from TACACS ........ 42
        TACACS/TACACS+ authentication, authorization, and accounting ........ 42
        TACACS authentication ........ 44
        TACACS/TACACS+ configuration considerations ........ 47
        Enabling TACACS ........ 48
        Identifying the TACACS/TACACS+ servers ........ 48
        Specifying different servers for individual AAA functions ........ 49
FastIron Ethernet Switch Security Configuration Guide |
3 |
53-1003088-03 |
|
        Setting optional TACACS and TACACS+ parameters ........ 49
        Configuring authentication-method lists for TACACS and TACACS+ ........ 50
        Configuring TACACS+ authorization ........ 53
        TACACS+ accounting configuration ........ 55
        Configuring an interface as the source for all TACACS and TACACS+ packets ........ 56
        Displaying TACACS/TACACS+ statistics and configuration information ........ 57
    RADIUS security ........ 58
        RADIUS authentication, authorization, and accounting ........ 58
        RADIUS configuration considerations ........ 61
        Configuring RADIUS ........ 61
        Brocade-specific attributes on the RADIUS server ........ 62
        Enabling SNMP to configure RADIUS ........ 63
        Identifying the RADIUS server to the Brocade device ........ 64
        Specifying different servers for individual AAA functions ........ 64
        RADIUS server per port ........ 64
        RADIUS server to individual ports mapping ........ 65
        RADIUS parameters ........ 66
        Setting authentication-method lists for RADIUS ........ 67
        RADIUS authorization ........ 69
        RADIUS accounting ........ 71
        Configuring an interface as the source for all RADIUS packets ........ 72
        Displaying RADIUS configuration information ........ 72
    SSL security ........ 73
        Specifying a port for SSL communication ........ 73
        Changing the SSL server certificate key size ........ 74
        Support for SSL digital certificates larger than 2048 bits ........ 74
        Importing digital certificates and RSA private key files ........ 74
        Generating an SSL certificate ........ 75
        Deleting the SSL certificate ........ 75
    Authentication-method lists ........ 75
        Configuration considerations for authentication-method lists ........ 76
        Examples of authentication-method lists ........ 76
    TCP Flags - edge port security ........ 78
        Using TCP Flags in combination with other ACL features ........ 79
SSH2 and SCP ........ 81
    Supported SSH2 and Secure Copy features ........ 81
    SSH version 2 overview ........ 81
        Tested SSH2 clients ........ 82
        SSH2 supported features ........ 82
        SSH2 unsupported features ........ 83
    SSH2 authentication types ........ 83
        Configuring SSH2 ........ 83
        Enabling and disabling SSH by generating and deleting host keys ........ 84
        Configuring DSA or RSA challenge-response authentication ........ 86
    Optional SSH parameters ........ 88
        Setting the number of SSH authentication retries ........ 88
        Deactivating user authentication ........ 88
        Enabling empty password logins ........ 89
        Setting the SSH port number ........ 89
        Setting the SSH login timeout value ........ 89
        Designating an interface as the source for all SSH packets ........ 90
        Configuring the maximum idle time for SSH sessions ........ 90
    Filtering SSH access using ACLs ........ 90
    Terminating an active SSH connection ........ 90
    Displaying SSH information ........ 90
        Displaying SSH connection information ........ 91
        Displaying SSH configuration information ........ 91
        Displaying additional SSH connection information ........ 93
    Secure copy with SSH2 ........ 93
        Enabling and disabling SCP ........ 93
        Secure copy configuration notes ........ 93
        Example file transfers using SCP ........ 94
    SSH2 client ........ 96
        Enabling SSH2 client ........ 97
        Configuring SSH2 client public key authentication ........ 97
        Using SSH2 client ........ 98
        Displaying SSH2 client information ........ 99
Rule-Based IP ACLs ........ 101
    Supported Rule-Based IP ACL Features ........ 101
    ACL overview ........ 103
        Types of IP ACLs ........ 104
        ACL IDs and entries ........ 104
        Numbered and named ACLs ........ 105
        Default ACL action ........ 105
    How hardware-based ACLs work ........ 106
        How fragmented packets are processed ........ 106
        Hardware aging of Layer 4 CAM entries ........ 106
    ACL configuration considerations ........ 106
    Configuring standard numbered ACLs ........ 107
        Standard numbered ACL syntax ........ 108
        Configuration example for standard numbered ACLs ........ 109
    Standard named ACL configuration ........ 109
        Standard named ACL syntax ........ 109
        Configuration example for standard named ACLs ........ 111
    Extended numbered ACL configuration ........ 112
        Extended numbered ACL syntax ........ 112
    Extended named ACL configuration ........ 118
    Applying egress ACLs to Control (CPU) traffic ........ 122
    Preserving user input for ACL TCP/UDP port numbers ........ 122
    ACL comment text management ........ 123
        Adding a comment to an entry in a numbered ACL ........ 123
        Adding a comment to an entry in a named ACL ........ 124
        Deleting a comment from an ACL entry ........ 124
        Viewing comments in an ACL ........ 124
    Applying an ACL to a virtual interface in a protocol- or subnet-based VLAN ........ 125
    ACL logging ........ 126
        Configuration notes for ACL logging ........ 126
        Configuration tasks for ACL logging ........ 127
        Example ACL logging configuration ........ 127
        Displaying ACL Log Entries ........ 128
    Enabling strict control of ACL filtering of fragmented packets ........ 128
    Enabling ACL support for switched traffic in the router image ........ 129
    Enabling ACL filtering based on VLAN membership or VE port membership ........ 130
        Configuration notes for ACL filtering ........ 130
        Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only) ........ 131
        Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only) ........ 132
    ACLs to filter ARP packets ........ 132
        Configuration considerations for filtering ARP packets ........ 133
        Configuring ACLs for ARP filtering ........ 133
        Displaying ACL filters for ARP ........ 134
        Clearing the filter count ........ 134
    Filtering on IP precedence and ToS values ........ 134
        TCP flags - edge port security ........ 135
    QoS options for IP ACLs ........ 135
        Configuration notes for QoS options on FCX and ICX devices ........ 136
        Using an ACL to map the DSCP value (DSCP CoS mapping) ........ 136
        Using an IP ACL to mark DSCP values (DSCP marking) ........ 137
        DSCP matching ........ 140
    ACL-based rate limiting ........ 140
    ACL statistics ........ 140
    ACL accounting ........ 141
        Configuring IPv4 ACL accounting ........ 141
    ACLs to control multicast features ........ 142
    Enabling and viewing hardware usage statistics for an ACL ........ 142
    Displaying ACL information ........ 143
    Troubleshooting ACLs ........ 144
    Policy-based routing (PBR) ........ 144
        Configuration considerations for policy-based routing ........ 144
        Configuring a PBR policy ........ 145
        Configuring the ACLs ........ 145
        Configuring the route map ........ 147
        Enabling PBR ........ 148
        Configuration examples for policy based routing ........ 149
        Basic example of policy based routing ........ 149
        Setting the next hop ........ 149
        Setting the output interface to the null interface ........ 150
        Trunk formation with PBR policy ........ 151
IPv6 ACLs ........ 153
    Supported IPv6 ACL features ........ 153
    IPv6 ACL overview ........ 153
        IPv6 ACL traffic filtering criteria ........ 154
        IPv6 protocol names and numbers ........ 154
    IPv6 ACL configuration notes ........ 155
    Configuring an IPv6 ACL ........ 156
        Example IPv6 configurations ........ 156
        Default and implicit IPv6 ACL action ........ 157
    Creating an IPv6 ACL ........ 158
        Syntax for creating an IPv6 ACL ........ 159
    Enabling IPv6 on an interface to which an ACL will be applied ........ 164
        Syntax for enabling IPv6 on an interface ........ 164
    Applying an IPv6 ACL to an interface ........ 164
        Syntax for applying an IPv6 ACL ........ 165
        Applying an IPv6 ACL to a trunk group ........ 165
        Applying an IPv6 ACL to a virtual interface in a protocol-based or subnet-based VLAN ........ 165
    Adding a comment to an IPv6 ACL entry ........ 165
    Deleting a comment from an IPv6 ACL entry ........ 166
    Support for ACL logging ........ 166
    Configuring IPv6 ACL accounting ........ 167
    Displaying IPv6 ACLs ........ 168
802.1X Port Security ........ 169
    Supported 802.1X port security features ........ 169
    IETF RFC support ........ 170
    How 802.1X port security works ........ 170
        Device roles in an 802.1X configuration ........ 170
        Communication between the devices ........ 172
        Controlled and uncontrolled ports ........ 172
        Message exchange during authentication ........ 173
        Authenticating multiple hosts connected to the same port ........ 176
        802.1X port security and sFlow ........ 180
        802.1X accounting ........ 180
    802.1X port security configuration ........ 180
        Configuring an authentication method list for 802.1X ........ 181
        Setting RADIUS parameters ........ 181
        Dynamic VLAN assignment for 802.1X port configuration ........ 184
        Dynamically applying IP ACLs and MAC address filters to 802.1X ports ........ 187
        Enabling 802.1X port security ........ 191
        Setting the port control ........ 191
        Configuring periodic re-authentication ........ 192
        Re-authenticating a port manually ........ 192
        Setting the quiet period ........ 193
        Specifying the wait interval and number of EAP-request/identity frame retransmissions from the Brocade device ........ 193
        Wait interval and number of EAP-request/identity frame retransmissions from the RADIUS server ........ 194
        Specifying a timeout for retransmission of messages to the authentication server ........ 195
        Initializing 802.1X on a port ........ 195
        Allowing access to multiple hosts ........ 195
        MAC address filters for EAP frames ........ 198
        Configuring VLAN access for non-EAP-capable clients ........ 198
    802.1X accounting configuration ........ 199
        802.1X Accounting attributes for RADIUS ........ 199
        Enabling 802.1X accounting ........ 200
    Displaying 802.1X information ........ 200
        Displaying 802.1X configuration information ........ 201
        Displaying 802.1X statistics ........ 205
        Clearing 802.1X statistics ........ 206
        Displaying dynamically-assigned VLAN information ........ 206
        Displaying information about dynamically applied MAC address filters and IP ACLs ........ 207
        Displaying 802.1X multiple-host authentication information ........ 209
    Sample 802.1X configurations ........ 210
        Point-to-point configuration ........ 211
        Hub configuration ........ 212
        802.1X Authentication with dynamic VLAN assignment ........ 214
    Multi-device port authentication and 802.1X security on the same port ........ 215
MAC Port Security ........ 217
    Supported MAC port security features ........ 217
    MAC port security overview ........ 217
        Local and global resources used for MAC port security ........ 218
        Configuration notes and feature limitations for MAC port security ........ 218
        Secure MAC movement ........ 219
    MAC port security configuration ........ 219
        Enabling the MAC port security feature ........ 219
        Setting the maximum number of secure MAC addresses for an interface ........ 219
        Setting the port security age timer ........ 220
        Specifying secure MAC addresses ........ 221
        Autosaving secure MAC addresses to the startup configuration ........ 221
        Specifying the action taken when a security violation occurs ........ 222
    Clearing port security statistics ........ 223
        Clearing restricted MAC addresses ........ 223
        Clearing violation statistics ........ 223
    Displaying port security information ........ 224
        Displaying port security settings ........ 224
        Displaying the secure MAC addresses ........ 224
        Displaying port security statistics ........ 225
        Displaying restricted MAC addresses on a port ........ 226
MAC-based VLANs ........ 227
    Supported MAC-based VLAN features ........ 227
    MAC-based VLAN overview ........ 227
        Static and dynamic hosts ........ 228
        MAC-based VLAN feature structure ........ 228
    Dynamic MAC-based VLAN ........ 229
        Configuration notes and feature limitations for dynamic MAC-based VLAN ........ 229
        Dynamic MAC-based VLAN CLI commands ........ 229
        Dynamic MAC-based VLAN configuration example ........ 230
    MAC-based VLAN configuration ........ 231
        Using MAC-based VLANs and 802.1X security on the same port ........ 232
        Configuring generic and Brocade vendor-specific attributes on the RADIUS server ........ 232
        Aging for MAC-based VLAN ........ 233
        Disabling aging for MAC-based VLAN sessions ........ 234
        Configuring the maximum MAC addresses per port ........ 235
        Configuring a MAC-based VLAN for a static host ........ 235
        Configuring MAC-based VLAN for a dynamic host ........ 236
        Configuring dynamic MAC-based VLAN ........ 236
    Configuring MAC-based VLANs using SNMP ........ 237
    Displaying Information about MAC-based VLANs ........ 237
        Displaying the MAC-VLAN table ........ 237
        Displaying the MAC-VLAN table for a specific MAC address ........ 238
        Displaying allowed MAC addresses ........ 238
        Displaying denied MAC addresses ........ 239
        Displaying detailed MAC-VLAN data ........ 240
        Displaying MAC-VLAN information for a specific interface ........ 241
        Displaying MAC addresses in a MAC-based VLAN ........ 242
        Displaying MAC-based VLAN logging ........ 242
    Clearing MAC-VLAN information ........ 243
    Sample MAC-based VLAN application ........ 243
Defining MAC Address Filters ........ 247
    Supported MAC address filter features ........ 247
    MAC address filters configuration notes and limitations ........ 247
    MAC address filters command syntax ........ 248
    Enabling logging of management traffic permitted by MAC address filters ........ 249
8 |
FastIron Ethernet Switch Security Configuration Guide |
|
53-1003088-03 |
        MAC address filter logging command syntax ................................... 250
    Configuring MAC filter accounting ................................................... 250
    MAC address filter override for 802.1X-enabled ports ........................... 251
        MAC address filter override configuration notes ............................. 251
        MAC address filter override configuration syntax ............................ 251
Multi-Device Port Authentication ......................................................... 253
    Supported Multi-device port authentication (MDPA) features .................... 253
    How multi-device port authentication works ....................................... 254
        RADIUS authentication .............................................................. 255
        Authentication-failure actions ..................................................... 255
        Unauthenticated port behavior ................................................... 255
        Supported RADIUS attributes ..................................................... 255
        Support for dynamic VLAN assignment ......................................... 256
        Support for dynamic ACLs ......................................................... 256
        Support for authenticating multiple MAC addresses on an interface ... 256
        Support for dynamic ARP inspection with dynamic ACLs .................. 256
        Support for DHCP snooping with dynamic ACLs ............................. 257
        Support for source guard protection ............................................ 257
    Multi-device port authentication and 802.1X security on the same port ....... 257
        Configuring Brocade-specific attributes on the RADIUS server ........... 258
    Multi-device port authentication configuration ..................................... 259
        Enabling multi-device port authentication ..................................... 259
        Specifying the format of the MAC addresses sent to the RADIUS server ... 260
        Specifying the authentication-failure action ................................... 260
        Generating traps for multi-device port authentication ...................... 261
        Defining MAC address filters ..................................................... 261
        Configuring dynamic VLAN assignment ......................................... 261
        Dynamically applying IP ACLs to authenticated MAC addresses ......... 265
        Enabling denial of service attack protection .................................. 267
        Enabling source guard protection ................................................ 268
        Clearing authenticated MAC addresses ......................................... 269
        Disabling aging for authenticated MAC addresses ........................... 270
        Changing the hardware aging period for blocked MAC addresses ...... 270
        Specifying the aging time for blocked MAC addresses ..................... 271
        Specifying the RADIUS timeout action .......................................... 271
        Multi-device port authentication password override ........................ 272
        Limiting the number of authenticated MAC addresses ..................... 273
    Displaying multi-device port authentication information ........................... 273
        Displaying authenticated MAC address information ......................... 273
        Displaying multi-device port authentication configuration information ... 274
        Displaying multi-device port authentication information for a specific MAC address or port ... 275
        Displaying the authenticated MAC addresses ................................. 276
        Displaying the non-authenticated MAC addresses .......................... 276
        Displaying multi-device port authentication information for a port ..... 276
        Displaying multi-device port authentication settings and authenticated MAC addresses ... 277
        Displaying the MAC authentication table for FCX and ICX devices ...... 280
    Example port authentication configurations ........................................ 281
        Multi-device port authentication with dynamic VLAN assignment ........ 281
        Examples of multi-device port authentication and 802.1X authentication configuration on the same port ... 285
Web Authentication ........................................................................... 291
    Supported Web Authentication features ............................................. 291
    Web authentication overview ......................................................... 291
    Web authentication configuration considerations .................................. 292
    Web authentication configuration tasks ............................................. 294
    Enabling and disabling web authentication ......................................... 295
    Web authentication mode configuration ............................................. 295
        Using local user databases ....................................................... 296
        Passcodes for user authentication .............................................. 299
        Automatic authentication .......................................................... 304
    Web authentication options configuration .......................................... 304
        Enabling RADIUS accounting for web authentication ........................ 304
        Changing the login mode (HTTPS or HTTP) ................................... 305
        Specifying trusted ports ........................................................... 305
        Specifying hosts that are permanently authenticated ....................... 305
        Configuring the re-authentication period ...................................... 306
        Defining the web authentication cycle ......................................... 306
        Limiting the number of web authentication attempts ........................ 306
        Clearing authenticated hosts from the web authentication table ......... 307
        Setting and clearing the block duration for web authentication attempts ... 307
        Manually blocking and unblocking a specific host ........................... 307
        Limiting the number of authenticated hosts ................................... 308
        Filtering DNS queries .............................................................. 308
        Forcing re-authentication when ports are down ............................. 308
        Forcing re-authentication after an inactive period .......................... 309
        Defining the web authorization redirect address ............................ 309
        Deleting a web authentication VLAN ............................................ 310
        Web authentication pages ......................................................... 310
    Displaying web authentication information ......................................... 317
        Displaying the web authentication configuration ............................ 317
        Displaying a list of authenticated hosts ....................................... 319
        Displaying a list of hosts attempting to authenticate ....................... 320
        Displaying a list of blocked hosts ............................................... 320
        Displaying a list of local user databases ...................................... 321
        Displaying a list of users in a local user database ......................... 321
        Displaying passcodes .............................................................. 321
DoS Attack Protection ........................................................................ 323
    Supported DoS protection features ................................................... 323
    Smurf attacks .............................................................................. 323
        Avoiding being an intermediary in a Smurf attack ........................... 324
        Avoiding being a victim in a Smurf attack .................................... 324
    TCP SYN attacks .......................................................................... 326
        TCP security enhancement ........................................................ 327
        Displaying statistics about packets dropped because of DoS attacks ... 328
DHCP .............................................................................................. 331
    Supported DHCP packet inspection and tracking features ........................ 331
    Dynamic ARP inspection ................................................................ 331
        ARP poisoning ........................................................................ 331
        About Dynamic ARP Inspection .................................................. 332
        Configuration notes and feature limitations for DAI ......................... 333
        Dynamic ARP inspection configuration ......................................... 334
        Displaying ARP inspection status and ports .................................. 335
        Displaying the ARP table .......................................................... 335
        Multi-VRF support ................................................................... 336
    DHCP snooping ........................................................................... 336
        How DHCP snooping works ........................................................ 337
        System reboot and the binding database ...................................... 338
        Configuration notes and feature limitations for DHCP snooping ......... 338
        Configuring DHCP snooping ....................................................... 339
        Clearing the DHCP binding database ........................................... 340
        Displaying DHCP snooping status and ports .................................. 340
        Displaying the DHCP snooping binding database ............................ 340
        Displaying DHCP binding entry and status .................................... 340
        DHCP snooping configuration example ......................................... 341
        Multi-VRF support ................................................................... 341
    DHCP relay agent information ......................................................... 342
        Configuration notes for DHCP option 82 ....................................... 343
        DHCP Option 82 sub-options ...................................................... 344
        DHCP option 82 configuration .................................................... 345
        Viewing information about DHCP option 82 processing ..................... 347
        Configuring the source IP address of a DHCP-client packet on the DHCP relay agent ... 349
    IP source guard ........................................................................... 349
        Configuration notes and feature limitations for IP source guard ......... 349
        Enabling IP source guard on a port ............................................. 351
        Defining static IP source bindings .............................................. 351
        Enabling IP source guard per-port-per-VLAN ................................. 351
        Enabling IP source guard on a VE ............................................... 351
        Enabling IP Source Guard to support a Multi-VRF instance ............... 352
        Displaying learned IP addresses ................................................ 352
DHCPv6 ........................................................................................... 355
    Supported DHCPv6 packet inspection and tracking features ..................... 355
    Securing IPv6 address configuration ................................................. 355
    DHCPv6 snooping ......................................................................... 355
        How DHCPv6 snooping works ..................................................... 356
        Configuration notes and feature limitations for DHCPv6 snooping ....... 357
        Configuring DHCPv6 snooping .................................................... 357
        Clearing the DHCPv6 binding database ........................................ 358
        Displaying DHCPv6 snooping status and ports ............................... 358
        Displaying the DHCPv6 snooping binding database ......................... 359
        DHCPv6 snooping configuration example ...................................... 359
        Multi-VRF support for DHCPv6 snooping ....................................... 359
IPv6 RA Guard ................................................................................. 361
    Supported platforms for the IPv6 RA guard feature ............................... 361
    Securing IPv6 address configuration ................................................. 361
    IPv6 RA guard overview ................................................................ 361
        RA guard policy ..................................................................... 362
        Whitelist ............................................................................... 362
        Prefix list .............................................................................. 362
        Maximum preference ................................................................ 362
        Trusted, untrusted, and host ports .............................................. 362
    Configuration notes and feature limitations for IPv6 RA guard ................. 363
    Configuring IPv6 RA guard ............................................................. 363
    Example of configuring IPv6 RA guard .............................................. 364
        Example: Configuring IPv6 RA guard on a device ............................ 364
        Example: Configuring IPv6 RA guard in a network .......................... 364
        Example: Verifying the RA guard configuration .............................. 366
Security Commands ........................................................................... 367
    access-list enable accounting ......................................................... 368
    clear access-list accounting .......................................................... 369
    clear ipv6 raguard ....................................................................... 369
    enable-accounting ....................................................................... 371
    logging ..................................................................................... 371
    ipv6 raguard policy ...................................................................... 372
    ipv6 raguard vlan ........................................................................ 372
    ipv6 raguard whitelist .................................................................. 373
    mac filter enable-accounting .......................................................... 374
    preference-maximum .................................................................... 374
    prefix-list ................................................................................. 375
    raguard .................................................................................... 375
    show access-list accounting ........................................................... 377
    show ipv6 raguard ....................................................................... 380
    show ipv6 raguard counts .............................................................. 380
    ip bootp-use-intf-ip ..................................................................... 382
    whitelist ................................................................................... 382
Index .............................................................................................. 385
● Document conventions ..................................................................... 13
● Brocade resources ......................................................................... 15
● Getting technical help .................................................................... 15
● Document feedback ........................................................................ 16
Document conventions
The document conventions describe text formatting conventions, command syntax conventions, and important notice formats used in Brocade technical documentation.
Text formatting conventions
Text formatting conventions such as boldface, italic, or Courier font may be used in the flow of the text to highlight specific words or phrases.
Format         Description
bold text      Identifies command names
               Identifies keywords and operands
               Identifies the names of user-manipulated GUI elements
               Identifies text to enter at the GUI
italic text    Identifies emphasis
               Identifies variables and modifiers
               Identifies paths and Internet addresses
               Identifies document titles
Courier font   Identifies CLI output
               Identifies command syntax examples
Command syntax conventions
Bold and italic text identify command syntax components. Delimiters and operators define groupings of parameters and their logical relationships.
Convention     Description
bold text      Identifies command names, keywords, and command options.
italic text    Identifies a variable.
value          In Fibre Channel products, a fixed value provided as input to a command option is printed in plain text, for example, --show WWN.
[ ]            Syntax components displayed within square brackets are optional.
               Default responses to system prompts are enclosed in square brackets.
{ x | y | z }  A choice of required parameters is enclosed in curly brackets separated by vertical bars. You must select one of the options.
               In Fibre Channel products, square brackets may be used instead for this purpose.
x | y          A vertical bar separates mutually exclusive elements.
< >            Nonprinting characters, for example, passwords, are enclosed in angle brackets.
...            Repeat the previous element, for example, member[member...].
\              Indicates a “soft” line break in command examples. If a backslash separates two lines of a command input, enter the entire command at the prompt without the backslash.
Notes, cautions, and warnings
Notes, cautions, and warning statements may be used in this document. They are listed in the order of increasing severity of potential hazards.
NOTE
A note provides a tip, guidance, or advice, emphasizes important information, or provides a reference to related information.
ATTENTION
An Attention statement indicates potential damage to hardware or data.
CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.
DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.
Brocade resources
Visit the Brocade website to locate related documentation for your product and additional Brocade resources.
You can download additional publications supporting your product at www.brocade.com.
• Adapter documentation is available on the Downloads and Documentation for Brocade Adapters page. Select your platform and scroll down to the Documentation section.
• For all other products, select the Brocade Products tab to locate your product, then click the Brocade product name or image to open the individual product page. The user manuals are available in the resources module at the bottom of the page under the Documentation category.
To get up-to-the-minute information on Brocade products and resources, go to MyBrocade. You can register at no cost to obtain a user ID and password.
Release notes are available on MyBrocade under Product Downloads.
White papers, online demonstrations, and data sheets are available through the Brocade website.
Getting technical help
You can contact Brocade Support 24x7 online, by telephone, or by e-mail.
For product support information and the latest information on contacting the Technical Assistance Center, go to http://www.brocade.com/services-support/index.html.
Use one of the following methods to contact the Brocade Technical Assistance Center.
Online (preferred method of contact for non-urgent issues):
• My Cases through MyBrocade
• Software downloads and licensing tools
• Knowledge Base
Telephone (required for Sev 1-Critical and Sev 2-High issues):
• Continental US: 1-800-752-8061
• Europe, Middle East, Africa, and Asia Pacific: +800-AT FIBREE (+800 28 34 27 33)
• For areas unable to access toll free number: +1-408-333-6061
• Toll-free numbers are available in many countries.
E-mail: support@brocade.com
Please include:
• Problem summary
• Serial number
• Installation details
• Environment description
Document feedback
To send feedback and report errors in the documentation you can use the feedback form posted with the document or you can e-mail the documentation team.
Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. You can provide feedback in two ways:
• Through the online feedback form in the HTML documents posted on www.brocade.com.
• By sending your feedback to documentation@brocade.com.
Provide the publication title, part number, and as much detail as possible, including the topic heading and page number if applicable, as well as your suggestions for improvement.
● What’s new in this document .............................................................. 17
● How command information is presented in this guide ............................... 17
What’s new in this document
This document includes the information from IronWare software release 08.0.10d. The following table lists the enhancements for FastIron release 08.0.10d.
TABLE 1 Summary of enhancements in FastIron release 08.0.10d
Feature | Description | Described in
TTL enhancement | The no-ttl-decrement option disables the TTL decrement and the packets will be forwarded without decrementing TTL for the traffic matched by the policy. | See Configuring the route map on page 147.
For all new content, command syntax and parameters are documented in a separate command reference section at the end of the publication.
How command information is presented in this guide
In an effort to provide consistent command line interface (CLI) documentation for all products, Brocade is in the process of preparing standalone Command References for the IP platforms. This process involves separating command syntax and parameter descriptions from configuration tasks. Until this process is completed, command information is presented in two ways:
• For all new content included in this guide, the CLI is documented in separate command pages. The new command pages follow a standard format to present syntax, parameters, usage guidelines, examples, and command history. Command pages are compiled in alphabetical order in a separate command reference chapter at the end of the publication.
• Legacy content continues to include command syntax and parameter descriptions in the chapters where the features are documented.
If you do not find command syntax information embedded in a configuration task, refer to the command reference section at the end of this publication for information on CLI syntax and usage.
Security Access
● Supported security access features ...................................................... 19
● Securing access methods .................................................................. 20
● Remote access to management function restrictions ................................ 23
● Passwords used to secure access ....................................................... 31
● Local user accounts ......................................................................... 35
● TACACS and TACACS+ security .......................................................... 42
● RADIUS security .............................................................................. 58
● SSL security ................................................................................... 73
● Authentication-method lists ................................................................ 75
● TCP Flags - edge port security ........................................................... 78
Supported security access features
Lists security access features supported on FastIron devices.
The following table lists the individual Brocade FastIron switches and the security access features they support. These features are supported in the Layer 2 and Layer 3 software images, except where explicitly noted.
Feature | ICX 6430 | ICX 6450 | FCX | ICX 6610 | ICX 6650 | FSX 800, FSX 1600 | ICX 7750
Authentication, Authorization and Accounting (AAA): RADIUS, TACACS/TACACS+ | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
AAA support for console commands | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Restricting remote access to management functions | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Disabling TFTP access | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Using ACLs to restrict remote access | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Local user accounts | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Local user passwords | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
SSL security | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
AAA authentication-method lists | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10
Packet filtering on TCP flags | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | No | 08.0.10
This chapter explains how to secure access to management functions on a Brocade device.
NOTE
Web management is not supported in Release 8.0.00a and later releases. If web management is enabled, you must configure the no web-management command to disable it.
NOTE
For all Brocade devices, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. Also, multiple challenges are supported for TACACS+ login authentication.
Securing access methods
The following table lists the management access methods available on a Brocade device, how they are secured by default, and the ways in which they can be secured.
TABLE 2 Ways to secure management access to Brocade devices

Access method | How the access method is secured by default | Ways to secure the access method | See page
Serial access to the CLI | Not secured | Establish passwords for management privilege levels | Setting passwords for management privilege levels on page 32
Access to the Privileged EXEC and CONFIG levels of the CLI | Not secured | Establish a password for Telnet access to the CLI | Setting a Telnet password on page 32
 | | Establish passwords for management privilege levels | Setting passwords for management privilege levels on page 32
 | | Set up local user accounts | Local user accounts on page 35
 | | Configure TACACS/TACACS+ security | TACACS and TACACS+ security on page 42
 | | Configure RADIUS security | RADIUS security on page 58
Telnet access | Not secured | Regulate Telnet access using ACLs | Using an ACL to restrict Telnet access on page 23
 | | Allow Telnet access only from specific IP addresses | Restricting Telnet access to a specific IP address on page 26
 | | Restrict Telnet access based on a client MAC address | Restricting access to the device based on IP or MAC address on page 26
 | | Allow Telnet access only from specific MAC addresses | Restricting Telnet access to a specific VLAN on page 28
 | | Define the Telnet idle time | Defining the Telnet idle time on page 27
 | | Change the Telnet login timeout period | Changing the login timeout period for Telnet sessions on page 28
 | | Specify the maximum number of login attempts for Telnet access | Specifying the maximum number of login attempts for Telnet access on page 27
 | | Disable Telnet access | Disabling Telnet access on page 31
 | | Establish a password for Telnet access | Setting a Telnet password on page 32
 | | Establish passwords for privilege levels of the CLI | Setting passwords for management privilege levels on page 32
 | | Set up local user accounts | Local user accounts on page 35
 | | Configure TACACS/TACACS+ security | TACACS and TACACS+ security on page 42
 | | Configure RADIUS security | RADIUS security on page 58
Secure Shell (SSH) access | Not configured | Configure SSH | Refer to the Configuring SSH2 section
 | | Regulate SSH access using ACLs | Using an ACL to restrict SSH access on page 24
 | | Allow SSH access only from specific IP addresses | Restricting SSH access to a specific IP address on page 26
 | | Allow SSH access only from specific MAC addresses | Restricting access to the device based on IP or MAC address on page 26
 | | Establish passwords for privilege levels of the CLI | Setting passwords for management privilege levels on page 32
 | | Set up local user accounts | Local user accounts on page 35
 | | Configure TACACS/TACACS+ security | TACACS and TACACS+ security on page 42
 | | Configure RADIUS security | RADIUS security on page 58
SNMP access | SNMP read or read-write community strings and the password to the Super User privilege level. NOTE: SNMP read or read-write community strings are always required for SNMP access to the device. | Regulate SNMP access using ACLs | Using ACLs to restrict SNMP access on page 24
 | | Allow SNMP access only from specific IP addresses | Restricting SNMP access to a specific IP address on page 26
 | | Disable SNMP access | Disabling SNMP access on page 31
 | | Allow SNMP access only to clients connected to a specific VLAN | Restricting SNMP access to a specific VLAN on page 28
 | | Establish passwords to management levels of the CLI | Setting passwords for management privilege levels on page 32
 | | Set up local user accounts | Local user accounts on page 35
 | | Establish SNMP read or read-write community strings | TACACS and TACACS+ security on page 42
TFTP access | Not secured | Allow TFTP access only to clients connected to a specific VLAN | Restricting TFTP access to a specific VLAN on page 29
 | | Disable TFTP access | Disabling TFTP access on page 31
Access for Stacked Devices | Access to multiple consoles must be secured after AAA is enabled | Extra steps must be taken to secure multiple consoles in a traditional stack. | Configuring TACACS/TACACS+ for devices in a Brocade traditional stack on page 43
Remote access to management function restrictions
You can restrict access to management functions from remote sources, including Telnet and SNMP. The following methods for restricting remote access are supported:
• Using ACLs to restrict Telnet or SNMP access
• Allowing remote access only from specific IP addresses
• Allowing Telnet and SSH access only from specific MAC addresses
• Allowing remote access only to clients connected to a specific VLAN
• Specifically disabling Telnet or SNMP access to the device
NOTE
Web management is not supported in Release 8.0.00a and later releases. If web management is enabled, you must configure the no web-management command to disable it.
The following sections describe how to restrict remote access to a Brocade device using these methods.
You can use standard ACLs to control the following access methods to management functions on a Brocade device:
• Telnet
• SSH
• SNMP
To configure access control for these management access methods, do the following.
1. Configure an ACL with the IP addresses you want to allow to access the device.
2. Configure a Telnet access group, SSH access group, and SNMP community strings. Each of these configuration items accepts an ACL as a parameter. The ACL contains entries that identify the IP addresses that can use the access method.
The following sections present examples of how to secure management access using ACLs. Refer to the Rule-Based IP ACLs chapter for more information on configuring ACLs.
Using an ACL to restrict Telnet access
To configure an ACL that restricts Telnet access to the device, enter commands such as the following.
device(config)#access-list 10 deny host 10.157.22.32 log
device(config)#access-list 10 deny 10.157.23.0 0.0.0.255 log
device(config)#access-list 10 deny 10.157.24.0 0.0.0.255 log
device(config)#access-list 10 deny 10.157.25.0/24 log
device(config)#access-list 10 permit any
device(config)#telnet access-group 10
device(config)#write memory
Syntax: telnet access-group num
The num parameter specifies the number of a standard ACL and must be from 1 - 99.
The commands above configure ACL 10, then apply the ACL as the access list for Telnet access. The device allows Telnet access to all IP addresses except those listed in ACL 10.
To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of the ACL.
device(config)#access-list 10 permit host 10.157.22.32
device(config)#access-list 10 permit 10.157.23.0 0.0.0.255
device(config)#access-list 10 permit 10.157.24.0 0.0.0.255
device(config)#access-list 10 permit 10.157.25.0/24
device(config)#telnet access-group 10
device(config)#write memory
The ACL in this example permits Telnet access only to the IP addresses in the permit entries and denies Telnet access from all other IP addresses.
Using an ACL to restrict SSH access
To configure an ACL that restricts SSH access to the device, enter commands such as the following.
device(config)#access-list 12 deny host 10.157.22.98 log
device(config)#access-list 12 deny 10.157.23.0 0.0.0.255 log
device(config)#access-list 12 deny 10.157.24.0/24 log
device(config)#access-list 12 permit any
device(config)#ssh access-group 12
device(config)#write memory
Syntax: ssh access-group num
The num parameter specifies the number of a standard ACL and must be from 1 - 99.
These commands configure ACL 12, then apply the ACL as the access list for SSH access. The device denies SSH access from the IP addresses listed in ACL 12 and permits SSH access from all other IP addresses. Without the last ACL entry for permitting all packets, this ACL would deny SSH access from all IP addresses.
NOTE
In this example, the command ssh access-group 10 could have been used to apply the ACL configured in the example for Telnet access. You can use the same ACL multiple times.
Using ACLs to restrict SNMP access
To restrict SNMP access to the device using ACLs, enter commands such as the following.
NOTE
The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet and SSH using ACLs.
device(config)#access-list 25 deny host 10.157.22.98 log
device(config)#access-list 25 deny 10.157.23.0 0.0.0.255 log
device(config)#access-list 25 deny 10.157.24.0 0.0.0.255 log
device(config)#access-list 25 permit any
device(config)#access-list 30 deny 10.157.25.0 0.0.0.255 log
device(config)#access-list 30 deny 10.157.26.0/24 log
device(config)#access-list 30 permit any
device(config)#snmp-server community public ro 25
device(config)#snmp-server community private rw 30
device(config)#write memory
Syntax: snmp-server community string [ ro | rw ] num
The string parameter specifies the SNMP community string the user must enter to gain SNMP access.
The ro parameter indicates that the community string is for read-only ("get") access. The rw parameter indicates the community string is for read-write ("set") access.
The num parameter specifies the number of a standard ACL and must be from 1 - 99.
These commands configure ACLs 25 and 30, then apply the ACLs to community strings.
ACL 25 is used to control read-only access using the "public" community string. ACL 30 is used to control read-write access using the "private" community string.
NOTE
When snmp-server community is configured, all incoming SNMP packets are validated first by their community strings and then by their bound ACLs.
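The Telnet, SSH and SNMP ACL examples above all rely on the same standard-ACL semantics: entries are tested in configuration order, the first match decides, and an address that matches no entry is denied. The following Python script is an added example (not Brocade's code) that models exactly that behaviour so the effect of an ACL can be checked before it is bound with telnet access-group, ssh access-group or snmp-server community. The ACL text it parses is constructed to mirror the examples in this section; the hypothetical helper names (parse_acl, evaluate, locks_out_everyone) are this example's own.

```python
"""Evaluate FastIron-style standard ACL entries against client addresses.

Added example (not Brocade's code): it models the first-match / implicit-deny
behaviour described for telnet access-group, ssh access-group and
snmp-server community ACLs, using constructed ACL text that mirrors the
examples in this section.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: the "deny a few sources, permit everything else" ACL 10.
ACL_DENY_LIST = """\
access-list 10 deny host 10.157.22.32 log
access-list 10 deny 10.157.23.0 0.0.0.255 log
access-list 10 deny 10.157.24.0 0.0.0.255 log
access-list 10 deny 10.157.25.0/24 log
access-list 10 permit any
"""

# Constructed sample: the more restrictive form with no trailing "permit any".
ACL_PERMIT_LIST = """\
access-list 10 permit host 10.157.22.32
access-list 10 permit 10.157.23.0 0.0.0.255
access-list 10 permit 10.157.24.0 0.0.0.255
access-list 10 permit 10.157.25.0/24
"""

# Constructed sample: a deny-only ACL, which locks every address out.
ACL_DENY_ONLY = """\
access-list 12 deny host 10.157.22.98 log
access-list 12 deny 10.157.23.0 0.0.0.255 log
"""

Entry = Tuple[str, ipaddress.IPv4Network]  # ("permit" | "deny", matching network)

ENTRY_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<src>.+?)(?:\s+log)?$"
)


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert a wildcard mask (0.0.0.255) to a prefix length (24).

    A wildcard mask sets the bits that are ignored, so it must be a run of
    ones at the low end; anything else is rejected rather than silently matched.
    """
    ignored = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 32 - ignored.bit_length()
    if ignored != (1 << (32 - prefixlen)) - 1:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return prefixlen


def parse_source(src: str) -> ipaddress.IPv4Network:
    """Map the source clause of a standard ACL entry to the network it matches."""
    src = src.strip()
    if src == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if src.startswith("host "):
        return ipaddress.IPv4Network(src.split()[1] + "/32")
    if "/" in src:  # CIDR form, e.g. 10.157.25.0/24
        return ipaddress.IPv4Network(src, strict=False)
    addr, wildcard = src.split()  # address + wildcard-mask form
    return ipaddress.IPv4Network(f"{addr}/{wildcard_to_prefixlen(wildcard)}", strict=False)


def parse_acl(text: str, number: int) -> List[Entry]:
    """Collect the entries of ACL `number`, preserving configuration order."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and int(m.group("num")) == number:
            entries.append((m.group("action"), parse_source(m.group("src"))))
    return entries


def evaluate(entries: List[Entry], client_ip: str) -> str:
    """Return "permit" or "deny" for a client address.

    Entries are tested in order and the first match decides; a packet that
    matches no entry is denied, which is why omitting "permit any" turns a
    deny list into a lock-out.
    """
    ip = ipaddress.IPv4Address(client_ip)
    for action, network in entries:
        if ip in network:
            return action
    return "deny"


def locks_out_everyone(entries: List[Entry]) -> bool:
    """True when the ACL has no permit entry at all: no client can get in."""
    return not any(action == "permit" for action, _ in entries)


if __name__ == "__main__":
    for name, text, num in (("deny-list", ACL_DENY_LIST, 10),
                            ("permit-list", ACL_PERMIT_LIST, 10),
                            ("deny-only", ACL_DENY_ONLY, 12)):
        acl = parse_acl(text, num)
        for client in ("10.157.22.32", "10.157.25.200", "192.0.2.5"):
            print(f"{name:12} {client:15} -> {evaluate(acl, client)}")
        print(f"{name:12} locks out everyone: {locks_out_everyone(acl)}")
```

Running the script shows the three shapes side by side: the deny list admits unlisted addresses, the permit list rejects them, and the deny-only list rejects everything, which is the case the SSH note above warns about. The wildcard conversion is done explicitly rather than handed to ipaddress because the masks 0.0.0.0 and 255.255.255.255 are ambiguous between netmask and hostmask form.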
Defining the console idle time
By default, a Brocade device does not time out serial console sessions. A serial session remains open indefinitely until you close it. You can, however, define how many minutes a serial management session can remain idle before it is timed out.
NOTE
You must enable AAA support for console commands, AAA authentication, and Exec authorization in order to set the console idle time.
To configure the idle time for a serial console session, use the following command.
device(config)#console timeout 120
Syntax: [no] console timeout [ 0-240 ]
Possible values: 0 - 240 minutes
Default value: 0 minutes (no timeout)
NOTE
In RADIUS, the standard attribute Idle-Timeout is used to define the console session timeout value. The attribute Idle-Timeout value is specified in seconds. Within the switch, it is truncated to the nearest minute, because the switch configuration is defined in minutes.
By default, a Brocade device does not control remote management access based on the IP address of the managing device. You can restrict remote management access to a single IP address for the following access methods:
• Telnet access
• SSH access
• SNMP access
In addition, you can restrict all access methods to the same IP address using a single command.
The following examples show the CLI commands for restricting remote access. You can specify only one IP address with each command. However, you can enter each command ten times to specify up to ten IP addresses.
Restricting Telnet access to a specific IP address
To allow Telnet access to the Brocade device only to the host with IP address 10.157.22.39, enter the following command.
device(config)#telnet client 10.157.22.39
Syntax: [no] telnet client { ip-addr | ipv6-addr }
Restricting SSH access to a specific IP address
To allow SSH access to the Brocade device only to the host with IP address 10.157.22.39, enter the following command.
device(config)#ip ssh client 10.157.22.39
Syntax: [no] ip ssh client { ip-addr | ipv6-addr }
Restricting SNMP access to a specific IP address
To allow SNMP access only to the host with IP address 10.157.22.14, enter the following command.
device(config)#snmp-client 10.157.22.14
Syntax: [no] snmp-client { ip-addr | ipv6-addr }
To allow Telnet and SNMP management access to the Brocade device only to the host with IP address 10.157.22.69, enter three separate commands (one for each access type) or enter the following command.
device(config)#all-client 10.157.22.69
Syntax: [no] all-client { ip-addr | ipv6-addr }
Restricting access to the device based on IP or MAC address
You can restrict remote management access to the Brocade device, using Telnet, SSH, HTTP, and HTTPS, based on the connecting client IP or MAC address.
Restricting Telnet connection
You can restrict Telnet connection to a device based on the client IP address or MAC address.
To allow Telnet access to the Brocade device only to the host with IP address 10.157.22.39 and MAC address 0000.000f.e9a0, enter the following command.
device(config)#telnet client 10.157.22.39 0000.000f.e9a0
Syntax: [no] telnet client { ip-addr | ipv6-addr } mac-addr
The following command allows Telnet access to the Brocade device to a host with any IP address and MAC address 0000.000f.e9a0.
device(config)#telnet client any 0000.000f.e9a0
Syntax: [no] telnet client any mac-addr
Restricting SSH connection
You can restrict SSH connection to a device based on the client IP address or MAC address.
To allow SSH access to the Brocade device only to the host with IP address 10.157.22.39 and MAC address 0000.000f.e9a0, enter the following command.
device(config)#ip ssh client 10.157.22.39 0000.000f.e9a0
Syntax: [no] ip ssh client { ip-addr | ipv6-addr } mac-addr
To allow SSH access to the Brocade device to a host with any IP address and MAC address 0000.000f.e9a0, enter the following command.
device(config)#ip ssh client any 0000.000f.e9a0
Syntax: [no] ip ssh client any mac-addr
Defining the Telnet idle time
You can define how many minutes a Telnet session can remain idle before it is timed out. An idle Telnet session is a session that is still sending TCP ACKs in response to keepalive messages from the device, but is not being used to send data.
To configure the idle time for a Telnet session, use the following command.
device(config)#telnet timeout 120
Syntax: [no] telnet timeout minutes
For minutes enter a value from 0 - 240. The default value is 0 minutes (no timeout).
Specifying the maximum number of login attempts for Telnet access
If you are connecting to the Brocade device using Telnet, the device prompts you for a username and password. By default, you have up to 4 chances to enter a correct username and password. If you do not enter a correct username or password after 4 attempts, the Brocade device disconnects the Telnet session.
You can specify the number of attempts a Telnet user has to enter a correct username and password before the device disconnects the Telnet session. For example, to allow a Telnet user up to 5 chances to enter a correct username and password, enter the following command.
device(config)#telnet login-retries 5
Syntax: [no] telnet login-retries number
You can specify from 0 - 5 attempts. The default is 4 attempts.
NOTE
To limit the number of Telnet login attempts, you must also configure Telnet with the enable telnet authentication local command.
Changing the login timeout period for Telnet sessions
By default, the login timeout period for a Telnet session is 2 minutes. To change the login timeout period, use the following command.
device(config)#telnet login-timeout 5
Syntax: [no] telnet login-timeout minutes
For minutes, enter a value from 1 to 10. The default timeout period is 2 minutes.
You can restrict management access to a Brocade device to ports within a specific port-based VLAN. VLAN-based access control applies to the following access methods:
• Telnet access
• SNMP access
• TFTP access
By default, access is allowed for all the methods listed above on all ports. Once you configure security for a given access method based on VLAN ID, access to the device using that method is restricted to only the ports within the specified VLAN.
VLAN-based access control works in conjunction with other access control methods. For example, suppose you configure an ACL to permit Telnet access only to specific client IP addresses, and you also configure VLAN-based access control for Telnet access. In this case, the only Telnet clients that can access the device are clients that have one of the IP addresses permitted by the ACL and are connected to a port that is in a permitted VLAN. Clients who have a permitted IP address but are connected to a port in a VLAN that is not permitted still cannot access the device through Telnet.
Restricting Telnet access to a specific VLAN
To allow Telnet access only to clients in a specific VLAN, enter a command such as the following.
device(config)#telnet server enable vlan 10
The command in this example configures the device to allow Telnet management access only to clients connected to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access.
Syntax: [no] telnet server enable vlan vlan-id
Restricting SNMP access to a specific VLAN
To allow SNMP access only to clients in a specific VLAN, enter a command such as the following.
device(config)#snmp-server enable vlan 40
The command in this example configures the device to allow SNMP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
Syntax: [no] snmp-server enable vlan vlan-id
Restricting TFTP access to a specific VLAN
To allow TFTP access only to clients in a specific VLAN, enter a command such as the following.
device(config)#tftp client enable vlan 40
The command in this example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
Syntax: [no] tftp client enable vlan vlan-id
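The remote-access settings described above (per-method ACL bindings, client IP and MAC allow lists, console and Telnet idle timeouts, login retries and login timeout, ACLs bound to SNMP community strings) are individually simple, but on a real device they are easy to leave at their defaults. The following Python script is an added example (not Brocade's code) that audits a running-config excerpt against the defaults, limits and ranges stated in this section and reports what is missing or out of range. The two config excerpts are constructed for the example; the function name audit and the finding keys are this example's own.

```python
"""Audit a FastIron-style running-config excerpt for the remote-access
restrictions covered in this section.

Added example, not Brocade's code: the config text is constructed, and the
checks encode only the defaults and ranges stated in this section.
"""
import re
from typing import Dict, List

# Constructed excerpt with several weak spots left in on purpose.
SAMPLE_CONFIG = """\
telnet access-group 10
telnet client 10.157.22.39
telnet client any 0000.000f.e9a0
ip ssh client 10.157.22.39 0000.000f.e9a0
snmp-server community public ro
snmp-server community private rw 30
telnet timeout 0
telnet login-retries 5
telnet login-timeout 5
telnet server enable vlan 10
snmp-server enable vlan 40
"""

# Constructed excerpt with every check satisfied.
HARDENED_CONFIG = """\
console timeout 120
telnet access-group 10
ssh access-group 12
telnet timeout 120
telnet login-retries 3
telnet login-timeout 2
enable telnet authentication local
snmp-server community public ro 25
snmp-server community private rw 30
telnet server enable vlan 10
"""

# Valid ranges (minutes or attempts) stated in this section; 0 disables a timeout.
RANGES = {
    "console timeout": (0, 240),
    "telnet timeout": (0, 240),
    "telnet login-retries": (0, 5),
    "telnet login-timeout": (1, 10),
}
MAX_CLIENT_ENTRIES = 10  # each "... client" command may be entered up to ten times


def _lines(config: str) -> List[str]:
    return [l.strip() for l in config.splitlines() if l.strip()]


def audit(config: str) -> Dict[str, str]:
    """Return {check: finding}; an empty dict means every check passed."""
    lines = _lines(config)
    findings: Dict[str, str] = {}

    # Numeric settings: an absent command means the default, and 0 means "no timeout".
    values: Dict[str, int] = {}
    for key in RANGES:
        for line in lines:
            m = re.fullmatch(re.escape(key) + r"\s+(\d+)", line)
            if m:
                values[key] = int(m.group(1))
    for key in ("console timeout", "telnet timeout"):
        if values.get(key, 0) == 0:
            findings[key] = f"{key} is 0 (default): idle sessions never expire"
    for key, value in values.items():
        lo, hi = RANGES[key]
        if not lo <= value <= hi:
            findings[key] = f"{key} {value} is outside the valid range {lo}-{hi}"

    # The retry limit only takes effect together with enable telnet authentication local.
    if "telnet login-retries" in values and not any(
            l.startswith("enable telnet authentication") for l in lines):
        findings["telnet login-retries"] = (
            "telnet login-retries is set but enable telnet authentication local is missing")

    # Per-method ACL bindings for Telnet and SSH.
    for cmd in ("telnet access-group", "ssh access-group"):
        if not any(l.startswith(cmd + " ") for l in lines):
            findings[cmd] = f"no {cmd}: any source address may connect"

    # Each SNMP community string may carry a standard ACL; without one the
    # string alone gates access.
    for line in lines:
        m = re.fullmatch(r"snmp-server community (\S+) (ro|rw)(?:\s+(\d+))?", line)
        if m and m.group(3) is None:
            findings[f"snmp community {m.group(1)}"] = (
                f"community {m.group(1)} ({m.group(2)}) has no ACL bound")

    # Client-address allow lists are capped at ten entries per method.
    for cmd in ("telnet client", "ip ssh client", "snmp-client", "all-client"):
        n = sum(1 for l in lines if l.startswith(cmd + " "))
        if n > MAX_CLIENT_ENTRIES:
            findings[cmd] = f"{n} {cmd} entries exceed the {MAX_CLIENT_ENTRIES}-entry limit"
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}")
        for check, msg in audit(cfg).items():
            print(f"  [{check}] {msg}")
```

Against the sample excerpt the audit reports the missing console timeout, the zero Telnet idle timeout, the missing ssh access-group, the public community string with no ACL, and the login-retries setting that has no effect without Telnet authentication; against the hardened excerpt it reports nothing. Feed it the output of show running-config to apply the same checks to a real device.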
All Brocade FastIron devices support the creation of management VLANs. By default, the management IP address you configure on a Layer 2 Switch applies globally to all the ports on the device. This is true even if you divide the device ports into multiple port-based VLANs.
If you want to restrict the IP management address to a specific port-based VLAN, you can make that VLAN the designated management VLAN for the device. When you configure a VLAN to be the designated management VLAN, the management IP address you configure on the device is associated only with the ports in the designated VLAN. To establish a Telnet management session with the device, a user must access the device through one of the ports in the designated VLAN.
You also can configure up to five default gateways for the designated VLAN, and associate a metric with each one. The software uses the gateway with the lowest metric. The other gateways reside in the configuration but are not used. To use one of the other gateways, modify the configuration so that the gateway you want to use has the lowest metric.
If more than one gateway has the lowest metric, the gateway that appears first in the running-config is used.
NOTE
If you have already configured a default gateway globally and you do not configure a gateway in the VLAN, the software uses the globally configured gateway and gives the gateway a metric value of 1.
To configure a designated management VLAN, enter commands such as the following.
device(config)#vlan 10 by port
device(config-vlan-10)#untag ethernet 1/1 to 1/4
device(config-vlan-10)#management-vlan
device(config-vlan-10)#default-gateway 10.10.10.1 1
device(config-vlan-10)#default-gateway 10.20.20.1 2
These commands configure port-based VLAN 10 to consist of ports 1/1 - 1/4 and to be the designated management VLAN. The last two commands configure default gateways for the VLAN. Since the 10.10.10.1 gateway has a lower metric, the software uses this gateway. The other gateway remains in the configuration but is not used. You can use the other one by changing the metrics so that the 10.20.20.1 gateway has the lower metric.
Syntax: [no] default-gateway ip-addr metric
The ip-addr parameter specifies the IP address of the gateway router.
The metric parameter specifies the metric (cost) of the gateway. You can specify a value from 1 - 5. There is no default. The software uses the gateway with the lowest metric.
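The designated management VLAN has two effects that are worth checking from the configuration alone: only ports in that VLAN can carry a Telnet management session, and among the configured default gateways the software uses the one with the lowest metric, falling back to the first one in the running-config on a tie and to a globally configured gateway (treated as metric 1) when the VLAN has none. The following Python script is an added example (not Brocade's code) that parses a constructed VLAN block like the one above and answers both questions; the class and function names (ManagementVlan, parse_management_vlan, expand_ports) are this example's own.

```python
"""Model the designated management VLAN described above: which ports may carry
a Telnet management session, and which default gateway the software will use.

Added example, not Brocade's code. The config excerpt is constructed from the
commands shown above; the gateway rules follow the text (lowest metric wins,
ties go to the first gateway in the running-config, a globally configured
gateway is used with metric 1 when the VLAN has none).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt mirroring the example commands above.
SAMPLE_VLAN_CONFIG = """\
vlan 10 by port
 untag ethernet 1/1 to 1/4
 management-vlan
 default-gateway 10.10.10.1 1
 default-gateway 10.20.20.1 2
"""

MAX_GATEWAYS = 5  # up to five default gateways per designated VLAN


def expand_ports(spec: str) -> List[str]:
    """Expand "1/1 to 1/4" into ["1/1", "1/2", "1/3", "1/4"]; a single port stays as is."""
    parts = spec.split()
    if len(parts) == 1:
        return [parts[0]]
    if len(parts) == 3 and parts[1] == "to":
        slot1, first = parts[0].split("/")
        slot2, last = parts[2].split("/")
        if slot1 != slot2:
            raise ValueError(f"port range spans slots: {spec}")
        return [f"{slot1}/{p}" for p in range(int(first), int(last) + 1)]
    raise ValueError(f"unrecognised port spec: {spec}")


@dataclass
class ManagementVlan:
    vlan_id: int
    ports: List[str] = field(default_factory=list)
    gateways: List[Tuple[str, int]] = field(default_factory=list)  # (ip, metric) in config order

    def admits_port(self, port: str) -> bool:
        """Only a port in the designated VLAN can carry a Telnet management session."""
        return port in self.ports

    def active_gateway(self, global_gateway: Optional[str] = None) -> Optional[str]:
        """Gateway the software will use, given an optional globally configured one."""
        if not self.gateways:
            return global_gateway  # the software gives it metric 1
        # min() returns the first of several equal-metric entries, which is
        # exactly the "first in the running-config" tie-break.
        return min(self.gateways, key=lambda g: g[1])[0]


def parse_management_vlan(config: str) -> Optional[ManagementVlan]:
    """Return the VLAN block that carries "management-vlan", or None if there is none."""
    current: Optional[ManagementVlan] = None
    designated: Optional[ManagementVlan] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"vlan (\d+) by port", line)
        if m:
            current = ManagementVlan(int(m.group(1)))
            continue
        if current is None:
            continue
        if line == "management-vlan":
            designated = current
            continue
        m = re.fullmatch(r"(?:tag|untag) ethernet (.+)", line)  # tagged members belong too
        if m:
            current.ports.extend(expand_ports(m.group(1)))
            continue
        m = re.fullmatch(r"default-gateway (\S+) (\d+)", line)
        if m:
            metric = int(m.group(2))
            if not 1 <= metric <= 5:
                raise ValueError(f"gateway metric {metric} outside 1-5: {line}")
            current.gateways.append((m.group(1), metric))
            if len(current.gateways) > MAX_GATEWAYS:
                raise ValueError(f"more than {MAX_GATEWAYS} gateways in VLAN {current.vlan_id}")
    return designated


if __name__ == "__main__":
    mv = parse_management_vlan(SAMPLE_VLAN_CONFIG)
    print(f"management VLAN {mv.vlan_id}, ports {mv.ports}")
    for port in ("1/3", "1/7"):
        print(f"Telnet via port {port}: {'allowed' if mv.admits_port(port) else 'denied'}")
    print(f"active gateway: {mv.active_gateway()}")
```

The tie-break relies on the documented behaviour of min(), which returns the first minimal element it encounters, so keeping the gateway list in running-config order is what makes the model agree with the text above.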
Device management security
By default, all management access is disabled. Each of the following management access methods must be specifically enabled as required in your installation:
•SSHv2
•SNMP
The commands for granting access to each of these management interfaces are described in the following sections.
To allow SSHv2 access to the Brocade device, you must generate a Crypto Key as shown in the following command.
device(config)#crypto key generate
Syntax: crypto key [ generate | zeroize ]
The generate parameter generates a DSA key pair.
The zeroize parameter deletes the currently operative DSA key pair.
In addition, you must use AAA authentication to create a password to allow SSHv2 access. For example, the following command configures AAA authentication to use TACACS+ for authentication as the default, or local authentication if TACACS+ is not available.
device(config)#aaa authentication login default tacacs+ local
To allow SNMP access to the Brocade device, enter the following command.
device(config)#snmp-server
Syntax: [no] snmp-server
You can specifically disable the following access methods:
• Telnet access
• SNMP access
• TFTP access
NOTE
If you disable Telnet access, you will not be able to access the CLI except through a serial connection to the management module. If you disable SNMP access, you will not be able to use SNMP-based management applications.