User Manual
Table of Contents

Contents ... 3

About This Document ... 15
  Audience ... 15
  Supported hardware and software ... 15
  Brocade ICX 6650 slot and port numbering ... 15
  How this document is organized ... 16
  Document conventions ... 17
  Text formatting ... 17
  Command syntax conventions ... 17
  Notes, cautions, and warnings ... 17
  Notice to the reader ... 18
  Related publications ... 18
  Additional information ... 19
  Brocade resources ... 19
  Other industry resources ... 19
  Getting technical help ... 19
  Document feedback ... 20

Security Access ... 21
  Securing access methods ... 21
  Remote access to management function restrictions ... 23
  ACL usage to restrict remote access ... 23
  Defining the console idle time ... 25
  Remote access restrictions ... 26
  Restricting access to the device based on IP or MAC address ... 27
  Defining the Telnet idle time ... 28
  Changing the login timeout period for Telnet sessions ... 28
  Specifying the maximum number of login attempts for Telnet access ... 29
  Changing the login timeout period for Telnet sessions ... 29
  Restricting remote access to the device to specific VLAN IDs ... 29
  Designated VLAN for Telnet management sessions to a Layer 2 switch ... 30
  Device management security ... 31
  Disabling specific access methods ... 32
  Passwords used to secure access ... 33
  Setting a Telnet password ... 33
  Setting passwords for management privilege levels ... 34
  Recovering from a lost password ... 36
  Displaying the SNMP community string ... 36
  Specifying a minimum password length ... 36
  Local user accounts ... 37
  Enhancements to username and password ... 37
  Local user account configuration ... 41
  Creating a password option ... 43
  Changing a local user password ... 44
  TACACS and TACACS+ security ... 44
  How TACACS+ differs from TACACS ... 44
  TACACS/TACACS+ authentication, authorization, and accounting ... 45
  TACACS authentication ... 47
  TACACS/TACACS+ configuration considerations ... 50
  Enabling TACACS ... 51
  Identifying the TACACS/TACACS+ servers ... 51
  Specifying different servers for individual AAA functions ... 52
  Setting optional TACACS and TACACS+ parameters ... 52
  Configuring authentication-method lists for TACACS and TACACS+ ... 54
  Configuring TACACS+ authorization ... 56
  TACACS+ accounting configuration ... 59
  Configuring an interface as the source for all TACACS and TACACS+ packets ... 60
  Displaying TACACS/TACACS+ statistics and configuration information ... 60
  RADIUS security ... 61
  RADIUS authentication, authorization, and accounting ... 61
  RADIUS configuration considerations ... 64
  Configuring RADIUS ... 65
  Brocade-specific attributes on the RADIUS server ... 65
  Enabling SNMP to configure RADIUS ... 67
  Identifying the RADIUS server to the Brocade device ... 67
  Specifying different servers for individual AAA functions ... 68
  RADIUS server per port ... 68
  RADIUS server to individual ports mapping ... 69
  RADIUS parameters ... 70
  Setting authentication-method lists for RADIUS ... 71
  RADIUS authorization ... 73
  RADIUS accounting ... 75
  Configuring an interface as the source for all RADIUS packets ... 76
  Displaying RADIUS configuration information ... 76
  Authentication-method lists ... 78
  Examples of authentication-method lists ... 78
  TCP Flags - edge port security ... 80
  Using TCP Flags in combination with other ACL features ... 81
  SSH2 and SCP ... 83
  SSH version 2 overview ... 83
  Tested SSH2 clients ... 84
  SSH2 supported features ... 84
  SSH2 unsupported features ... 84
  SSH2 authentication types ... 85
  Configuring SSH2 ... 85
  Enabling and disabling SSH by generating and deleting host keys ... 85
  Configuring DSA or RSA challenge-response authentication ... 87
  Optional SSH parameters ... 89
  Setting the number of SSH authentication retries ... 90
  Deactivating user authentication ... 90
  Enabling empty password logins ... 91
  Setting the SSH port number ... 91
  Setting the SSH login timeout value ... 91
  Designating an interface as the source for all SSH packets ... 91
  Configuring the maximum idle time for SSH sessions ... 91
  Filtering SSH access using ACLs ... 92
  Terminating an active SSH connection ... 92
  Displaying SSH information ... 92
  Displaying SSH connection information ... 92
  Displaying SSH configuration information ... 93
  Displaying additional SSH connection information ... 94
  Secure copy with SSH2 ... 95
  Enabling and disabling SCP ... 95
  Secure copy configuration notes ... 95
  Example file transfers using SCP ... 95
  SSH2 client ... 98
  Enabling SSH2 client ... 98
  Configuring SSH2 client public key authentication ... 98
  Using SSH2 client ... 99
  Displaying SSH2 client information ... 100

Rule-Based IP ACLs ... 101
  ACL overview ... 102
  Types of IP ACLs ... 103
  ACL IDs and entries ... 103
  Numbered and named ACLs ... 103
  Default ACL action ... 104
  How hardware-based ACLs work ... 104
  How fragmented packets are processed ... 104
  Hardware aging of Layer 4 CAM entries ... 104
  ACL configuration considerations ... 105
  Configuring standard numbered ACLs ... 106
  Standard numbered ACL syntax ... 106
  Configuration example for standard numbered ACLs ... 107
  Standard named ACL configuration ... 107
  Standard named ACL syntax ... 108
  Configuration example for standard named ACLs ... 110
  Extended numbered ACL configuration ... 110
  Extended numbered ACL syntax ... 111
  Configuration examples for extended numbered ACLs ... 115
  Extended named ACL configuration ... 116
  Extended named ACL syntax ... 117
  Applying egress ACLs to Control (CPU) traffic ... 121
  Preserving user input for ACL TCP/UDP port numbers ... 121
  ACL comment text management ... 122
  Adding a comment to an entry in a numbered ACL ... 122
  Adding a comment to an entry in a named ACL ... 123
  Deleting a comment from an ACL entry ... 123
  Viewing comments in an ACL ... 123
  Applying an ACL to a virtual interface in a protocol- or subnet-based VLAN ... 124
  ACL logging ... 125
  Configuration notes for ACL logging ... 125
  Configuration tasks for ACL logging ... 126
  Example ACL logging configuration ... 126
  Displaying ACL Log Entries ... 127
  Enabling strict control of ACL filtering of fragmented packets ... 128
  Enabling ACL support for switched traffic in the router image ... 129
  Enabling ACL filtering based on VLAN membership or VE port membership ... 129
  Configuration notes for ACL filtering ... 129
  Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only) ... 130
  Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only) ... 130
  ACLs to filter ARP packets ... 131
  Configuration considerations for filtering ARP packets ... 132
  Configuring ACLs for ARP filtering ... 132
  Displaying ACL filters for ARP ... 133
  Clearing the filter count ... 133
  Filtering on IP precedence and ToS values ... 133
  TCP flags - edge port security ... 134
  QoS options for IP ACLs ... 134
  Configuration notes for QoS options on Brocade ICX 6650 ... 135
  Using an IP ACL to mark DSCP values (DSCP marking) ... 135
  DSCP matching ... 137
  ACL-based rate limiting ... 137
  ACL statistics ... 138
  ACLs to control multicast features ... 138
  Enabling and viewing hardware usage statistics for an ACL ... 138
  Displaying ACL information ... 139
  Troubleshooting ACLs ... 139
  Policy Based Routing ... 139
  Configuration considerations for policy-based routing ... 140
  Configuring a PBR policy ... 140
  Configuring the ACLs ... 141
  Configuring the route map ... 142
  Enabling PBR ... 143
  Configuration examples for PBR ... 144
  Setting the next hop ... 144
  Setting the output interface to the null interface ... 145
  Trunk formation with PBR policy ... 146

IPv6 ACLs ... 147
  IPv6 ACL overview ... 147
  IPv6 ACL traffic filtering criteria ... 148
  IPv6 protocol names and numbers ... 148
  IPv6 ACL configuration notes ... 148
  Configuring an IPv6 ACL ... 149
  Example IPv6 configurations ... 149
  Default and implicit IPv6 ACL action ... 151
  Creating an IPv6 ACL ... 152
  Syntax for creating an IPv6 ACL ... 152
  Enabling IPv6 on an interface to which an ACL will be applied ... 157
  Applying an IPv6 ACL to an interface ... 157
  Syntax for applying an IPv6 ACL ... 158
  Applying an IPv6 ACL to a trunk group ... 158
  Applying an IPv6 ACL to a virtual interface in a protocol-based or subnet-based VLAN ... 158
  Adding a comment to an IPv6 ACL entry ... 158
  Deleting a comment from an IPv6 ACL entry ... 159
  Support for ACL logging ... 159
  Displaying IPv6 ACLs ... 159

ACL-based Rate Limiting ... 161
  ACL-based rate limiting overview ... 161
  Types of ACL-based rate limiting ... 161
  Traffic policies overview ... 162
  Traffic policy structure ... 162
  Configuration notes for traffic policies ... 163
  Configuring fixed rate limiting ... 163
  Configuring adaptive rate limiting ... 164
  Marking Class of Service parameters in adaptive rate limiting ... 165
  Handling packets that exceed the rate limit ... 167
  Dropping packets ... 167
  Permitting packets at low priority ... 168
  Enabling and using ACL statistics ... 168
  Enabling ACL statistics ... 169
  Enabling ACL statistics with rate limiting traffic policies ... 170
  Viewing ACL and rate limit counters ... 170
  Clearing ACL and rate limit counters ... 171
  Viewing traffic policies ... 172

802.1X Port Security ... 173
  IETF RFC support ... 173
  How 802.1X port security works ... 174
  Device roles in an 802.1X configuration ... 174
  Communication between the devices ... 175
  Controlled and uncontrolled ports ... 175
  Message exchange during authentication ... 177
  Authenticating multiple hosts connected to the same port ... 179
  802.1X port security and sFlow ... 182
  802.1X accounting ... 183
  802.1X port security configuration ... 183
  Configuring an authentication method list for 802.1X ... 184
  Setting RADIUS parameters ... 184
  Dynamic VLAN assignment for 802.1X port configuration ... 186
  Dynamically applying IP ACLs and MAC address filters to 802.1X ports ... 190
  Enabling 802.1X port security ... 194
  Setting the port control ... 194
  Configuring periodic re-authentication ... 195
  Re-authenticating a port manually ... 196
  Setting the quiet period ... 196
  Specifying the wait interval and number of EAP-request/identity frame retransmissions from the Brocade device ... 196
  Wait interval and number of EAP-request/identity frame retransmissions from the RADIUS server ... 197
  Specifying a timeout for retransmission of messages to the authentication server ... 198
  Initializing 802.1X on a port ... 198
  Allowing access to multiple hosts ... 199
  MAC address filters for EAP frames ... 202
  Configuring VLAN access for non-EAP-capable clients ... 202
  802.1X accounting configuration ... 202
  802.1X accounting attributes for RADIUS ... 203
  Enabling 802.1X accounting ... 203
  Displaying 802.1X information ... 204
  Displaying 802.1X configuration information ... 204
  Displaying 802.1X statistics ... 207
  Clearing 802.1X statistics ... 208
  Displaying dynamically assigned VLAN information ... 208
  Displaying information about dynamically applied MAC address filters and IP ACLs ... 209
  Displaying 802.1X multiple-host authentication information ... 211
  Sample 802.1X configurations ... 216
  Point-to-point configuration ... 216
  Hub configuration ... 217
  802.1X authentication with dynamic VLAN assignment ... 218
  Multi-device port authentication and 802.1X security on the same port ... 219

MAC Port Security ... 221
  MAC port security overview ... 222
  Local and global resources used for MAC port security ... 222
  Configuration notes and feature limitations for MAC port security ... 222
  MAC port security configuration ... 223
  Enabling the MAC port security feature ... 223
  Setting the maximum number of secure MAC addresses for an interface ... 224
  Setting the port security age timer ... 224
  Specifying secure MAC addresses ... 225
  Autosaving secure MAC addresses to the startup configuration ... 225
  Specifying the action taken when a security violation occurs ... 226
  Clearing port security statistics ... 227
  Clearing restricted MAC addresses ... 227
  Clearing violation statistics ... 227
  Displaying port security information ... 228
  Displaying port security settings ... 228
  Displaying the secure MAC addresses ... 228
  Displaying port security statistics ... 229
  Displaying restricted MAC addresses on a port ... 230

MAC-based VLANs ... 231
  MAC-based VLAN overview ... 231
  Static and dynamic hosts ... 231
  MAC-based VLAN feature structure ... 232
  Dynamic MAC-based VLAN ... 233
  Configuration notes and feature limitations for dynamic MAC-based VLAN ... 233
  Dynamic MAC-based VLAN CLI commands ... 233
  Dynamic MAC-based VLAN configuration example ... 234
  MAC-based VLAN configuration ... 235
  Using MAC-based VLANs and 802.1X security on the same port ... 236
  Configuring generic and Brocade vendor-specific attributes on the RADIUS server ... 236
  Aging for MAC-based VLAN ... 237
  Disabling aging for MAC-based VLAN sessions ... 238
  Configuring the maximum MAC addresses per port ... 239
  Configuring a MAC-based VLAN for a static host ... 239
  Configuring MAC-based VLAN for a dynamic host ... 240
  Configuring dynamic MAC-based VLAN ... 240
  Configuring MAC-based VLANs using SNMP ... 241
  Displaying information about MAC-based VLANs ... 241
  Displaying the MAC-VLAN table ... 241
  Displaying the MAC-VLAN table for a specific MAC address ... 242
  Displaying allowed MAC addresses ... 242
  Displaying denied MAC addresses ... 243
  Displaying detailed MAC-VLAN data ... 244
  Displaying MAC-VLAN information for a specific interface ... 245
  Displaying MAC addresses in a MAC-based VLAN ... 246
  Displaying MAC-based VLAN logging ... 247
  Clearing MAC-VLAN information ... 247
  Sample MAC-based VLAN application ... 247

Multi-Device Port Authentication ... 251
  How multi-device port authentication works ... 251
  RADIUS authentication ... 252
  Authentication-failure actions ... 252
  Supported RADIUS attributes ... 252
  Support for dynamic VLAN assignment ... 253
  Support for dynamic ACLs ... 253
  Support for authenticating multiple MAC addresses on an interface ... 253
  Support for dynamic ARP inspection with dynamic ACLs ... 253
  Support for DHCP snooping with dynamic ACLs ... 254
  Support for source guard protection ... 254
  Multi-device port authentication and 802.1X security on the same port ... 254
  Configuring Brocade-specific attributes on the RADIUS server ... 255
  Multi-device port authentication configuration ... 256
  Enabling multi-device port authentication ... 257
  Specifying the format of the MAC addresses sent to the RADIUS server ... 258
  Specifying the authentication-failure action ... 258
  Generating traps for multi-device port authentication ... 259
  Defining MAC address filters ... 259
  Configuring dynamic VLAN assignment ... 259
  Dynamically applying IP ACLs to authenticated MAC addresses ... 263
  Enabling denial of service attack protection ... 265
  Enabling source guard protection ... 266
  Clearing authenticated MAC addresses ... 267
  Disabling aging for authenticated MAC addresses ... 268
  Changing the hardware aging period for blocked MAC addresses ... 269
  Specifying the aging time for blocked MAC addresses ... 270
  Specifying the RADIUS timeout action ... 270
  Multi-device port authentication password override ... 271
  Limiting the number of authenticated MAC addresses ... 272
  Displaying multi-device port authentication information ... 272
  Displaying authenticated MAC address information ... 272
  Displaying multi-device port authentication configuration information ... 273
  Displaying multi-device port authentication information for a specific MAC address or port ... 274
  Displaying the authenticated MAC addresses ... 275
  Displaying the non-authenticated MAC addresses ... 276
  Displaying multi-device port authentication information for a port ... 276
  Displaying multi-device port authentication settings and authenticated MAC addresses ... 277
  Example port authentication configurations ... 280
  Multi-device port authentication with dynamic VLAN assignment ... 280
  Examples of multi-device port authentication and 802.1X authentication configuration on the same port ... 283

DoS Attack Protection ... 287
  Smurf attacks ... 287
  Avoiding being an intermediary in a Smurf attack ... 288
  Avoiding being a victim in a Smurf attack ... 288
  TCP SYN attacks ... 289
  TCP security enhancement ... 290
  Displaying statistics about packets dropped because of DoS attacks ... 291

Rate Limiting and Rate Shaping ... 293
  Port-based rate limiting ... 293
  How port-based fixed rate limiting works ... 294
  Rate limiting in hardware ... 294
  Configuration notes for port-based fixed rate limiting ... 295
  Configuring a port-based fixed rate limiting policy ... 295
  Displaying the port-based fixed rate limiting configuration ... 295
  Rate shaping ... 296
  Configuration notes for rate shaping ... 296
  Configuring outbound rate shaping for a port ... 296
  Configuring outbound rate shaping for a specific priority ... 297
  Configuring outbound rate shaping for a trunk port ... 297
  Displaying rate shaping configurations ... 297
  CPU rate-limiting ... 297

DHCP ... 299
  Dynamic ARP inspection ... 299
  ARP poisoning ... 299
  Dynamic ARP Inspection ... 300
  Configuration notes and feature limitations for DAI ... 301
  Dynamic ARP inspection configuration ... 302
  Displaying ARP inspection status and ports ... 303
  Displaying the ARP table ... 303
  DHCP snooping ... 303
  How DHCP snooping works ... 304
  System reboot and the binding database ... 305
  Configuration notes and feature limitations for DHCP snooping ... 305
  Configuring DHCP snooping ... 305
  Clearing the DHCP binding database ... 307
  Displaying DHCP snooping status and ports ... 307
  Displaying the DHCP snooping binding database ... 307
  Displaying DHCP binding entry and status ... 307
  DHCP snooping configuration example ... 308
  DHCP relay agent information ... 308
  Configuration notes for DHCP option 82 ... 309
  DHCP option 82 sub-options ... 309
  DHCP option 82 configuration ... 311
  Viewing information about DHCP option 82 processing ... 313
  IP source guard ... 314
  Configuration notes and feature limitations for IP source guard ... 315
  Enabling IP source guard on a port ... 316
  Defining static IP source bindings ... 316
  Enabling IP source guard per-port-per-VLAN ... 317
  Enabling IP source guard on a VE ... 317
  Displaying learned IP addresses ... 317

Limiting Broadcast, Multicast, and Unknown Unicast Traffic ... 319
  Broadcast, unknown Unicast, and Multicast rate limiting ... 319
  Configuration notes and feature limitations ... 319
  Configuring rate limiting for BUM traffic ... 319
  Viewing rate limits set on BUM traffic ... 320

Index ... 323

Size: 3.8 MB
Pages: 332
Language: English