53-1002601-01 ® 28 September 2012 Brocade ICX 6650 Security Configuration Guide Supporting FastIron Software Release 07.5.00 Copyright © 2012 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, Brocade Assurance, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, MLX, NetIron, SAN Health, ServerIron, TurboIron, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners. Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government. The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it. The product described by this document may contain “open source” software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd. Brocade Communications Systems, Incorporated Corporate and Latin American Headquarters Asia-Pacific Headquarters Brocade Communications Systems, Inc. Brocade Communications Systems China HK, Ltd. 130 Holger Way No. 1 Guanghua Road San Jose, CA 95134 Chao Yang District Tel: 1-408-333-8000 Units 2718 and 2818 Fax: 1-408-333-8101 Beijing 100020, China E-mail: [email protected] Tel: +8610 6588 8888 Fax: +8610 6588 9999 E-mail: [email protected] European Headquarters Asia-Pacific Headquarters Brocade Communications Switzerland Sàrl Brocade Communications Systems Co., Ltd. (Shenzhen WFOE) Centre Swissair Citic Plaza Tour B - 4ème étage No. 233 Tian He Road North 29, Route de l'Aéroport Unit 1308 – 13th Floor Case Postale 105 Guangzhou, China CH-1215 Genève 15 Tel: +8620 3891 2000 Switzerland Fax: +8620 3891 2111 Tel: +41 22 799 5640 E-mail: [email protected] Fax: +41 22 799 5641 E-mail: [email protected] Document History Title Publication number Summary of changes Date Brocade ICX 6650 Security 53-1002601-01 Release 07.4.00 document September 2012 Configuration Guide updated with enhancements in Release 07.5.00 Contents About This Document Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xi Supported hardware and software . . . . . . . . . . . . . . . . . . . . . . . . . . .xi Brocade ICX 6650 slot and port numbering. . . . . . . . . . . . . . . . . . . .xi How this document is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii Document conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xiii Text formatting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xiii Command syntax conventions . . . . . . . . . . . . . . . . . . . . . . . . . .xiii Notes, cautions, and warnings . . . . . . . . . . . . . . . . . . . . . . . . . .xiii Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv Related publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv Additional information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv Brocade resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv Other industry resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv Getting technical help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv Document feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi Chapter 1 Security Access Securing access methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 Remote access to management function restrictions . . . . . . . . . . . .3 ACL usage to restrict remote access . . . . . . . . . . . . . . . . . . . . . .3 Defining the console idle time . . . . . . . . . . . . . . . . . . . . . . . . . . .5 Remote access restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 Restricting access to the device based on IP or MAC address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Defining the Telnet idle time. . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 Changing the login timeout period for Telnet sessions. . . . . . . .8 Specifying the maximum number of login attempts for Telnet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 Changing the login timeout period for Telnet sessions. . . . . . . .9 Restricting remote access to the device to specific VLAN IDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 Designated VLAN for Telnet management sessions to a Layer 2 switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10 Device management security . . . . . . . . . . . . . . . . . . . . . . . . . . .11 Disabling specific access methods. . . . . . . . . . . . . . . . . . . . . . .12 Brocade ICX 6650 Security Configuration Guide iii 53-1002601-01 Passwords used to secure access. . . . . . . . . . . . . . . . . . . . . . . . . . .13 Setting a Telnet password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13 Setting passwords for management privilege levels. . . . . . . . .14 Recovering from a lost password . . . . . . . . . . . . . . . . . . . . . . . .16 Displaying the SNMP community string. . . . . . . . . . . . . . . . . . .16 Specifying a minimum password length. . . . . . . . . . . . . . . . . . .16 Local user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17 Enhancements to username and password . . . . . . . . . . . . . . .17 Local user account configuration. . . . . . . . . . . . . . . . . . . . . . . .21 Creating a password option. . . . . . . . . . . . . . . . . . . . . . . . . . . . .23 Changing a local user password. . . . . . . . . . . . . . . . . . . . . . . . .24 TACACS and TACACS+ security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24 How TACACS+ differs from TACACS. . . . . . . . . . . . . . . . . . . . . . .24 TACACS/TACACS+ authentication, authorization, and accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25 TACACS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27 TACACS/TACACS+ configuration considerations . . . . . . . . . . . .30 Enabling TACACS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31 Identifying the TACACS/TACACS+ servers. . . . . . . . . . . . . . . . . .31 Specifying different servers for individual AAA functions . . . . .32 Setting optional TACACS and TACACS+ parameters . . . . . . . . .32 Configuring authentication-method lists for TACACS and TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34 Configuring TACACS+ authorization . . . . . . . . . . . . . . . . . . . . . .36 TACACS+ accounting configuration. . . . . . . . . . . . . . . . . . . . . . .39 Configuring an interface as the source for all TACACS and TACACS+ packets . . . . . . . . . . . . . . . . . . . . . . . . . .40 Displaying TACACS/TACACS+ statistics and configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40 RADIUS security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41 RADIUS authentication, authorization, and accounting . . . . . .41 RADIUS configuration considerations. . . . . . . . . . . . . . . . . . . . .44 Configuring RADIUS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45 Brocade-specific attributes on the RADIUS server . . . . . . . . . .45 Enabling SNMP to configure RADIUS . . . . . . . . . . . . . . . . . . . . .47 Identifying the RADIUS server to the Brocade device . . . . . . . .47 Specifying different servers for individual AAA functions . . . . .48 RADIUS server per port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48 RADIUS server to individual ports mapping. . . . . . . . . . . . . . . .49 RADIUS parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50 Setting authentication-method lists for RADIUS . . . . . . . . . . . .51 RADIUS authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53 RADIUS accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55 Configuring an interface as the source for all RADIUS packets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56 Displaying RADIUS configuration information . . . . . . . . . . . . . .56 Authentication-method lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58 Examples of authentication-method lists. . . . . . . . . . . . . . . . . .58 TCP Flags - edge port security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60 Using TCP Flags in combination with other ACL features . . . . .61 iv Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Chapter 2 SSH2 and SCP SSH version 2 overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Tested SSH2 clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64 SSH2 supported features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64 SSH2 unsupported features. . . . . . . . . . . . . . . . . . . . . . . . . . . .64 SSH2 authentication types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65 Configuring SSH2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65 Enabling and disabling SSH by generating and deleting host keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65 Configuring DSA or RSA challenge-response authentication . .67 Optional SSH parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69 Setting the number of SSH authentication retries . . . . . . . . . .70 Deactivating user authentication . . . . . . . . . . . . . . . . . . . . . . . .70 Enabling empty password logins. . . . . . . . . . . . . . . . . . . . . . . . .71 Setting the SSH port number . . . . . . . . . . . . . . . . . . . . . . . . . . .71 Setting the SSH login timeout value. . . . . . . . . . . . . . . . . . . . . .71 Designating an interface as the source for all SSH packets. . .71 Configuring the maximum idle time for SSH sessions . . . . . . .71 Filtering SSH access using ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . .72 Terminating an active SSH connection . . . . . . . . . . . . . . . . . . . . . . .72 Displaying SSH information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72 Displaying SSH connection information. . . . . . . . . . . . . . . . . . .72 Displaying SSH configuration information . . . . . . . . . . . . . . . . .73 Displaying additional SSH connection information. . . . . . . . . .74 Secure copy with SSH2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75 Enabling and disabling SCP . . . . . . . . . . . . . . . . . . . . . . . . . . . .75 Secure copy configuration notes . . . . . . . . . . . . . . . . . . . . . . . .75 Example file transfers using SCP . . . . . . . . . . . . . . . . . . . . . . . .75 SSH2 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78 Enabling SSH2 client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78 Configuring SSH2 client public key authentication. . . . . . . . . .78 Using SSH2 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79 Displaying SSH2 client information . . . . . . . . . . . . . . . . . . . . . .80 Chapter 3 Rule-Based IP ACLs ACL overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82 Types of IP ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83 ACL IDs and entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83 Numbered and named ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . .83 Default ACL action. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84 How hardware-based ACLs work . . . . . . . . . . . . . . . . . . . . . . . . . . . .84 How fragmented packets are processed . . . . . . . . . . . . . . . . . .84 Hardware aging of Layer 4 CAM entries. . . . . . . . . . . . . . . . . . .84 ACL configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . .85 Brocade ICX 6650 Security Configuration Guide v 53-1002601-01 Configuring standard numbered ACLs. . . . . . . . . . . . . . . . . . . . . . . .86 Standard numbered ACL syntax . . . . . . . . . . . . . . . . . . . . . . . . .86 Configuration example for standard numbered ACLs. . . . . . . .87 Standard named ACL configuration. . . . . . . . . . . . . . . . . . . . . . . . . .87 Standard named ACL syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . .88 Configuration example for standard named ACLs. . . . . . . . . . .90 Extended numbered ACL configuration. . . . . . . . . . . . . . . . . . . . . . .90 Extended numbered ACL syntax. . . . . . . . . . . . . . . . . . . . . . . . .91 Configuration examples for extended numbered ACLs. . . . . . .95 Extended named ACL configuration. . . . . . . . . . . . . . . . . . . . . . . . . .96 Extended named ACL syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . .97 Applying egress ACLs to Control (CPU) traffic . . . . . . . . . . . . . . . . .101 Preserving user input for ACL TCP/UDP port numbers. . . . . . . . . .101 ACL comment text management . . . . . . . . . . . . . . . . . . . . . . . . . . .102 Adding a comment to an entry in a numbered ACL. . . . . . . . .102 Adding a comment to an entry in a named ACL. . . . . . . . . . . .103 Deleting a comment from an ACL entry. . . . . . . . . . . . . . . . . .103 Viewing comments in an ACL . . . . . . . . . . . . . . . . . . . . . . . . . .103 Applying an ACL to a virtual interface in a protocol- or subnet-based VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104 ACL logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105 Configuration notes for ACL logging . . . . . . . . . . . . . . . . . . . . .105 Configuration tasks for ACL logging . . . . . . . . . . . . . . . . . . . . .106 Example ACL logging configuration. . . . . . . . . . . . . . . . . . . . . .106 Displaying ACL Log Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . .107 Enabling strict control of ACL filtering of fragmented packets. . . .108 Enabling ACL support for switched traffic in the router image . . .109 Enabling ACL filtering based on VLAN membership or VE port membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109 Configuration notes for ACL filtering. . . . . . . . . . . . . . . . . . . . .109 Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only). . . . . . . . . . . . . . . . . . . . . . . . . . .110 Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only) . . . . . . . . . . . . . . . . . . . . . . . .110 ACLs to filter ARP packets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111 Configuration considerations for filtering ARP packets. . . . . .112 Configuring ACLs for ARP filtering. . . . . . . . . . . . . . . . . . . . . . .112 Displaying ACL filters for ARP . . . . . . . . . . . . . . . . . . . . . . . . . .113 Clearing the filter count. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113 Filtering on IP precedence and ToS values. . . . . . . . . . . . . . . . . . .113 TCP flags - edge port security . . . . . . . . . . . . . . . . . . . . . . . . . .114 QoS options for IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114 Configuration notes for QoS options on Brocade ICX 6650 . .115 Using an IP ACL to mark DSCP values (DSCP marking). . . . . .115 DSCP matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117 ACL-based rate limiting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117 vi Brocade ICX 6650 Security Configuration Guide 53-1002601-01 ACL statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118 ACLs to control multicast features. . . . . . . . . . . . . . . . . . . . . . . . . .118 Enabling and viewing hardware usage statistics for an ACL . . . . .118 Displaying ACL information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119 Troubleshooting ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119 Policy Based Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119 Configuration considerations for policy-based routing . . . . . .120 Configuring a PBR policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120 Configuring the ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121 Configuring the route map. . . . . . . . . . . . . . . . . . . . . . . . . . . . .122 Enabling PBR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123 Configuration examples for PBR. . . . . . . . . . . . . . . . . . . . . . . .124 Setting the next hop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124 Setting the output interface to the null interface . . . . . . . . . .125 Trunk formation with PBR policy. . . . . . . . . . . . . . . . . . . . . . . .126 Chapter 4 IPv6 ACLs IPv6 ACL overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127 IPv6 ACL traffic filtering criteria . . . . . . . . . . . . . . . . . . . . . . . .128 IPv6 protocol names and numbers. . . . . . . . . . . . . . . . . . . . . .128 IPv6 ACL configuration notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128 Configuring an IPv6 ACL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129 Example IPv6 configurations. . . . . . . . . . . . . . . . . . . . . . . . . . .129 Default and implicit IPv6 ACL action. . . . . . . . . . . . . . . . . . . . .131 Creating an IPv6 ACL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132 Syntax for creating an IPv6 ACL . . . . . . . . . . . . . . . . . . . . . . . .132 Enabling IPv6 on an interface to which an ACL will be applied. . .137 Applying an IPv6 ACL to an interface. . . . . . . . . . . . . . . . . . . . . . . .137 Syntax for applying an IPv6 ACL . . . . . . . . . . . . . . . . . . . . . . . .138 Applying an IPv6 ACL to a trunk group . . . . . . . . . . . . . . . . . . .138 Applying an IPv6 ACL to a virtual interface in a protocol-based or subnet-based VLAN. . . . . . . . . . . . . . . . . . .138 Adding a comment to an IPv6 ACL entry. . . . . . . . . . . . . . . . . . . . .138 Deleting a comment from an IPv6 ACL entry . . . . . . . . . . . . . . . . .139 Support for ACL logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139 Displaying IPv6 ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139 Chapter 5 ACL-based Rate Limiting ACL-based rate limiting overview . . . . . . . . . . . . . . . . . . . . . . . . . . .141 Types of ACL-based rate limiting. . . . . . . . . . . . . . . . . . . . . . . .141 Traffic policies overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142 Traffic policy structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142 Configuration notes for traffic policies. . . . . . . . . . . . . . . . . . .143 Configuring fixed rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143 Brocade ICX 6650 Security Configuration Guide vii 53-1002601-01 Configuring adaptive rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . .144 Marking Class of Service parameters in adaptive rate limiting145 Handling packets that exceed the rate limit . . . . . . . . . . . . . . . . . .147 Dropping packets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147 Permitting packets at low priority. . . . . . . . . . . . . . . . . . . . . . .148 Enabling and using ACL statistics . . . . . . . . . . . . . . . . . . . . . . . . . .148 Enabling ACL statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149 Enabling ACL statistics with rate limiting traffic policies. . . . .150 Viewing ACL and rate limit counters. . . . . . . . . . . . . . . . . . . . .150 Clearing ACL and rate limit counters . . . . . . . . . . . . . . . . . . . .151 Viewing traffic policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152 Chapter 6 802.1X Port Security IETF RFC support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153 How 802.1X port security works . . . . . . . . . . . . . . . . . . . . . . . . . . .154 Device roles in an 802.1X configuration . . . . . . . . . . . . . . . . .154 Communication between the devices . . . . . . . . . . . . . . . . . . .155 Controlled and uncontrolled ports . . . . . . . . . . . . . . . . . . . . . .155 Message exchange during authentication. . . . . . . . . . . . . . . .157 Authenticating multiple hosts connected to the same port . .159 802.1X port security and sFlow . . . . . . . . . . . . . . . . . . . . . . . .162 802.1X accounting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163 802.1X port security configuration . . . . . . . . . . . . . . . . . . . . . . . . .163 Configuring an authentication method list for 802.1X . . . . . .164 Setting RADIUS parameters . . . . . . . . . . . . . . . . . . . . . . . . . . .164 Dynamic VLAN assignment for 802.1X port configuration. . .166 Dynamically applying IP ACLs and MAC address filters to 802.1X ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170 Enabling 802.1X port security. . . . . . . . . . . . . . . . . . . . . . . . . .174 Setting the port control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174 Configuring periodic re-authentication. . . . . . . . . . . . . . . . . . .175 Re-authenticating a port manually. . . . . . . . . . . . . . . . . . . . . .176 Setting the quiet period. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176 Specifying the wait interval and number of EAP-request/ identity frame retransmissions from the Brocade device. . . .176 Wait interval and number of EAP-request/ identity frame retransmissions from the RADIUS server . . . .177 Specifying a timeout for retransmission of messages to the authentication server . . . . . . . . . . . . . . . . . . . . . . . . . . .178 Initializing 802.1X on a port . . . . . . . . . . . . . . . . . . . . . . . . . . .178 Allowing access to multiple hosts. . . . . . . . . . . . . . . . . . . . . . .179 MAC address filters for EAP frames . . . . . . . . . . . . . . . . . . . . .182 Configuring VLAN access for non-EAP-capable clients . . . . . .182 802.1X accounting configuration. . . . . . . . . . . . . . . . . . . . . . . . . . .182 802.1X accounting attributes for RADIUS . . . . . . . . . . . . . . . .183 Enabling 802.1X accounting. . . . . . . . . . . . . . . . . . . . . . . . . . .183 viii Brocade ICX 6650 Security Configuration Guide 53-1002601-01 Displaying 802.1X information. . . . . . . . . . . . . . . . . . . . . . . . . . . . .184 Displaying 802.1X configuration information . . . . . . . . . . . . .184 Displaying 802.1X statistics . . . . . . . . . . . . . . . . . . . . . . . . . . .187 Clearing 802.1X statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . .188 Displaying dynamically assigned VLAN information . . . . . . . .188 Displaying information about dynamically applied MAC address filters and IP ACLs. . . . . . . . . . . . . . . . . . . . . . . .189 Displaying 802.1X multiple-host authentication information . . . . . . . . . . . . . . . . . . . . . . . . . . . .191 Sample 802.1X configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . .196 Point-to-point configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . .196 Hub configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197 802.1X authentication with dynamic VLAN assignment. . . . .198 Multi-device port authentication and 802.1X security on the same port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199 Chapter 7 MAC Port Security MAC port security overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202 Local and global resources used for MAC port security . . . . .202 Configuration notes and feature limitations for MAC port security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202 MAC port security configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . .203 Enabling the MAC port security feature . . . . . . . . . . . . . . . . . .203 Setting the maximum number of secure MAC addresses for an interface . . . . . . . . . . . . . . . . . . . . . . . .204 Setting the port security age timer. . . . . . . . . . . . . . . . . . . . . .204 Specifying secure MAC addresses . . . . . . . . . . . . . . . . . . . . . .205 Autosaving secure MAC addresses to the startup configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205 Specifying the action taken when a security violation occurs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206 Clearing port security statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . .207 Clearing restricted MAC addresses. . . . . . . . . . . . . . . . . . . . . .207 Clearing violation statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . .207 Displaying port security information . . . . . . . . . . . . . . . . . . . . . . . .208 Displaying port security settings. . . . . . . . . . . . . . . . . . . . . . . .208 Displaying the secure MAC addresses. . . . . . . . . . . . . . . . . . .208 Displaying port security statistics. . . . . . . . . . . . . . . . . . . . . . .209 Displaying restricted MAC addresses on a port. . . . . . . . . . . .210 Chapter 8 MAC-based VLANs MAC-based VLAN overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211 Static and dynamic hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211 MAC-based VLAN feature structure . . . . . . . . . . . . . . . . . . . . .212 Brocade ICX 6650 Security Configuration Guide ix 53-1002601-01 Dynamic MAC-based VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213 Configuration notes and feature limitations for dynamic MAC-based VLAN. . . . . . . . . . . . . . . . . . . . . . . . . .213 Dynamic MAC-based VLAN CLI commands . . . . . . . . . . . . . . .213 Dynamic MAC-based VLAN configuration example . . . . . . . . .214 MAC-based VLAN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . .215 Using MAC-based VLANs and 802.1X security on the same port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216 Configuring generic and Brocade vendor-specific attributes on the RADIUS server. . . . . . . . . . . . . . . . . . . . . . . .216 Aging for MAC-based VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . .217 Disabling aging for MAC-based VLAN sessions . . . . . . . . . . . .218 Configuring the maximum MAC addresses per port . . . . . . . .219 Configuring a MAC-based VLAN for a static host. . . . . . . . . . .219 Configuring MAC-based VLAN for a dynamic host. . . . . . . . . .220 Configuring dynamic MAC-based VLAN . . . . . . . . . . . . . . . . . .220 Configuring MAC-based VLANs using SNMP. . . . . . . . . . . . . . . . . .221 Displaying information about MAC-based VLANs . . . . . . . . . . . . . .221 Displaying the MAC-VLAN table. . . . . . . . . . . . . . . . . . . . . . . . .221 Displaying the MAC-VLAN table for a specific MAC address. .222 Displaying allowed MAC addresses . . . . . . . . . . . . . . . . . . . . .222 Displaying denied MAC addresses . . . . . . . . . . . . . . . . . . . . . .223 Displaying detailed MAC-VLAN data . . . . . . . . . . . . . . . . . . . . .224 Displaying MAC-VLAN information for a specific interface . . .225 Displaying MAC addresses in a MAC-based VLAN. . . . . . . . . .226 Displaying MAC-based VLAN logging . . . . . . . . . . . . . . . . . . . .227 Clearing MAC-VLAN information. . . . . . . . . . . . . . . . . . . . . . . . . . . .227 Sample MAC-based VLAN application. . . . . . . . . . . . . . . . . . . . . . .227 Chapter 9 Multi-Device Port Authentication How multi-device port authentication works. . . . . . . . . . . . . . . . . .231 RADIUS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .232 Authentication-failure actions. . . . . . . . . . . . . . . . . . . . . . . . . .232 Supported RADIUS attributes . . . . . . . . . . . . . . . . . . . . . . . . . .232 Support for dynamic VLAN assignment . . . . . . . . . . . . . . . . . .233 Support for dynamic ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . .233 Support for authenticating multiple MAC addresses on an interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233 Support for dynamic ARP inspection with dynamic ACLs . . . .233 Support for DHCP snooping with dynamic ACLs . . . . . . . . . . .234 Support for source guard protection. . . . . . . . . . . . . . . . . . . . .234 Multi-device port authentication and 802.1X security on the same port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234 Configuring Brocade-specific attributes on the RADIUS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235 x Brocade ICX 6650 Security Configuration Guide 53-1002601-01