Multi-Service IronWare Security Configuration Guide
Supporting Multi-Service IronWare R05.6.
53-1003035-02, 09 December 2013
Copyright © 2013 Brocade Communications Systems, Inc. All Rights Reserved. ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, ICX, MLX, My Brocade, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Contents

About This Document
  In this chapter . . . xiii
  Audience . . . xiii
  Supported hardware and software . . . xiv
  Supported software . . . xiv
  Document conventions

  Web interface login lockout . . . 26
  Creating an encrypted all-numeric password . . . 26
  Granting access by time of day . . . 26
  Configuring SSL security for the Web Management Interface . . . 27
  Enabling the SSL server on a Brocade device

  Configuring AAA authentication-method lists for login . . . 68
  Configuring authentication-method lists . . . 69
  Configuration considerations for authentication-method lists . . . 70
  Examples of authentication-method lists . . . 70

Chapter 2 Layer 2 Access Control Lists
  Configuration rules and notes

Chapter 3 Access Control List
  How the Brocade device processes ACLs . . . 95
  General configuration guidelines . . . 95
  Configuration considerations for dual inbound ACLs on Brocade NetIron CES and Brocade NetIron CER devices . . . 96
  Configuration considerations for IPv4 outbound ACLs on VPLS, VLL, and VLL-Local endpoints . . . 96
  Disabling outbound ACLs for switching traffic

  IP broadcast ACL . . . 140
  Configuration considerations for IP broadcast ACL . . . 140
  Configuring IP broadcast ACL and establishing the sequence of IP broadcast ACL commands . . . 141
  Configuration example for IP broadcast ACL . . . 142
  Displaying accounting information for IP broadcast ACL

  Extended IPv6 ACLs . . . 196
  Configuration considerations for extended IPv6 layer 4 ACL . . . 196
  Unsupported features for Brocade NetIron CES and Brocade NetIron CER devices . . . 197
  ACL syntax . . . 197
  Configuration considerations for Layer 2 IPv6 ACLs . . . 204
  ACL syntax

Chapter 5 Configuring Secure Shell and Secure Copy
  SSH server version 2 support . . . 238
  Supported SSHv2 clients . . . 239
  Supported features . . . 239
  Configuring SSH server . . . 240
  Generating a host key pair

  Displaying multi-device port authentication information . . . 279
  Displaying authenticated MAC address information . . . 279
  Displaying multi-device port authentication configuration information . . . 280
  Displaying multi-device port authentication information for a specific MAC address or port . . . 282
  Displaying the authenticated MAC addresses . . . 283
  Displaying the non-authenticated MAC addresses

  Configuring 802.1x port security . . . 303
  Configuring an authentication method list for 802.1x . . . 304
  Setting RADIUS parameters . . . 304
  Configuring dynamic VLAN assignment for 802.1x ports

Chapter 10 Securing SNMP Access
  Establishing SNMP community strings . . . 335
  Encryption of SNMP community strings . . . 336
  Adding an SNMP community string . . . 336
  Displaying the SNMP community strings . . . 337
  Using the User-Based Security model . . . 337
  Configuring your NMS
About This Document

In this chapter
• Audience
• Supported hardware and software
• Document conventions
• Notice to the reader
• Related publications
Supported hardware and software
The following hardware platforms are supported by this release of this guide:

TABLE 1  Supported devices
Brocade NetIron XMR Series | Brocade MLX Series | NetIron CES 2000 and NetIron CER 2000 Series
Brocade NetIron XMR 4000   | Brocade MLX-4      | Brocade NetIron CES 2024C
Brocade NetIron XMR 8000   | Brocade MLX-8      | Brocade NetIron CES 2024F
Brocade NetIron XMR 16000  | Brocade MLX-16     | Brocade NetIron CES 2048C
Brocade NetIron XMR 32000  | Brocade MLX-32     | Brocade NetIr
Document conventions
This section describes text formatting conventions and important notice formats used in this document.
Notice to the reader
This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations. These references are made for informational purposes only.
Getting technical help or reporting errors
To contact Technical Support, go to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information.
Chapter 1 Securing Access to Management Functions

Table 2 displays the individual Brocade devices and the security features they support.
TABLE 2  Supported Brocade security features
Columns: Features supported | Brocade NetIron XMR Series | Brocade MLX Series | Brocade NetIron CES 2000 Series BASE package | Brocade NetIron CES 2000 Series ME_PREM package | Brocade NetIron CES 2000 Series L3_PREM package | Brocade NetIron CER 2000 Series Base package | Brocade NetIron CER 2000 Series Advanced Services package

Interactive multi-factor RADIUS security support (e.g.
NOTE
For the Brocade devices, RADIUS Challenge is supported for 802.1x authentication for login authentication. Also, multiple challenges are supported for TACACS+ and RADIUS login authentication.

Securing access methods
Table 3 lists the management access methods available on the Brocade devices, how they are secured by default, and the ways in which they can be secured.
TABLE 3  Ways to secure management access to the Brocade devices (Continued)
Access method: Secure Shell (SSH) access
How the access method is secured by default: Not configured
Ways to secure the access method: Configure DSA or RSA host keys; disable the SSH server. For more information on SSH, refer to the Multi-Service IronWare Switching Configuration Guide.
Access method: SNMP (Brocade Network Advisor) access
How the access method is secured by default: SNMP read or read-write community strings and the password to the Super User privilege level
Ways to secure the access method: Regulate SNMP access using ACLs

NOTE: SNMP read or read-write community strings are always required for SNMP access to the device. SNMP access is disabled by default.
Restricting remote access to management functions
You can restrict access to management functions from remote sources, including Telnet, SSH, the Web Management Interface, and SNMP. The following methods for restricting remote access are supported:
• Using ACLs to restrict Telnet, SSH, Web Management Interface, or SNMP access.
• Allowing remote access only from specific IP addresses.
Using an ACL to restrict Telnet access
To configure an ACL that restricts Telnet access to the device, enter commands such as the following:

Brocade(config)# access-list 10 deny host 10.157.22.32
Brocade(config)# access-list 10 deny 10.157.23.0 0.0.0.255
Brocade(config)# access-list 10 deny 10.157.24.0 0.0.0.255
Brocade(config)# access-list 10 deny 10.157.25.
The ipv6-acl-name variable specifies the IPv6 access list name.

These commands configure ACL 12, then apply the ACL as the access list for SSH access. The device denies SSH access from the IPv4 addresses listed in ACL 12 and permits SSH access from all other IP addresses. Without the last ACL entry for permitting all packets, this ACL would deny SSH access from all IP addresses.
Using ACLs to restrict SNMP access
To restrict SNMP access to the device using ACLs, enter commands such as the following.

NOTE
The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet, SSH, and Web management access using ACLs.
Possible values: 0 – 240 minutes
Default value: 0 minutes (no timeout)

NOTE
The RADIUS idle-timeout attribute is standardized in seconds, whereas the Brocade device expresses idle time in minutes. If the RADIUS idle-timeout attribute is used to set the idle time instead of this configuration, its value is converted from seconds to minutes and truncated to the nearest minute.
Restricting Web management access to a specific IP address

NOTE
The Web Management Interface is only supported on the Brocade NetIron XMR and Brocade MLX series devices.

To allow Web management access to the Brocade device only from the host with IP address 10.157.22.26, enter the following command.

Brocade(config)# web client 10.157.22.
Specifying the maximum login attempts for Telnet access
If you are connecting to the Brocade device using Telnet, the device prompts you for a username and password. By default, you have up to 4 chances to enter a correct username and password. If you do not enter a correct username or password after 4 attempts, the Brocade device disconnects the Telnet session.
Restricting Web management access to a specific VLAN

NOTE
The Web Management Interface is only supported on the Brocade NetIron XMR and Brocade MLX series devices.

To allow Web management access only to clients in a specific VLAN, enter a command such as the following.

Brocade(config)# web-management enable vlan 10

The command configures the device to allow Web management access only to clients connected to ports within port-based VLAN 10.
Enabling Telnet access
Telnet access is disabled by default. You can use a Telnet client to access the CLI on the device over the network. To enable Telnet operation, enter the following command.

Brocade(config)# telnet server

If you do not plan to use the CLI over the network and want to disable Telnet access to prevent others from establishing CLI sessions with the device, enter the following command.
Syntax: [no] crypto-ssl certificate [generate | zeroize]

Using the web-management command without the http or https option makes web management available for both. The generate parameter generates an SSL certificate. The zeroize parameter deletes the currently operative SSL certificate.

To import a digital certificate issued by a third-party Certificate Authority (CA) and save it in the flash memory, use the following command.
Setting passwords
Passwords can be used to secure the following access methods:
• Telnet access can be secured by setting a Telnet password. Refer to “Setting a Telnet password”.
• Access to the Privileged EXEC and CONFIG levels of the CLI can be secured by setting passwords for management privilege levels. Refer to “Setting passwords for management privilege levels”.
Setting passwords for management privilege levels
You can set one password for each of the following management privilege levels:
• Super User level – Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
• Port Configuration level – Allows read-and-write access for specific ports but not for global (system-wide) parameters.
Syntax: enable super-user-password text
Syntax: enable port-config-password text
Syntax: enable read-only-password text

NOTE
If you forget your Super User level password, refer to “Recovering from a lost password”.

NOTE
When enable strict-password-enforcement is enabled, a user who has logged in with the Super User password and then enters the enable super-user-password command is shown the following prompt: Enter old password.
• configure – CONFIG level; for example, Brocade(config)#
• interface – Interface level; for example, Brocade(config-if-e10000-6)#
• virtual-interface – Virtual-interface level; for example, Brocade(config-vif-6)#
• rip-router – RIP router level; for example, Brocade(config-rip-router)#
• ospf-router – OSPF router level; for example, Brocade(config-ospf-router)#
• bgp-router – BGP4 router level; for example, Brocade(config-bgp-router)#
• port-vlan – Port-based VLAN level; fo
The enable password-display command enables display of the community string, but only in the output of the show snmp server command. Display of the string is still encrypted in the startup configuration file and running configuration. Enter the command at the global CONFIG level of the CLI.
If you configure local user accounts, you also need to configure an authentication-method list for Telnet access, Web management access, and SNMP access. Refer to “Configuring authentication-method lists”. For each local user account, you specify a user name, which can have up to 48 characters.
NOTE
You must be logged on with Super User access (privilege level 0) to add user accounts or configure other access parameters.

To display user account information, enter the following command.

Brocade(config)# show users

Syntax: show users

Note about changing local user passwords
The Brocade device stores not only the current password configured for a local user, but also the previous two passwords configured for the user.
Strict password rules

NOTE
If enable strict-password-enforcement is enabled, when a user is logged in and is attempting to change their own user password, the following prompt is displayed: Enter old password. After validating the old password, the following prompt is displayed: Enter new password.

Rules for passwords are different if strict password enforcement is used.
Also, if the user tries to configure a password that was previously configured, the local user account configuration is not allowed and the following message is displayed.

Error - This password was used earlier, please choose a different password.

When you create a password, the characters you type are masked.

Example: To assign a password for a user account.
Syntax: [no] enable strict-password-enforcement expiration early-warning-period days

The days variable specifies how many days before a user's password expires a password-expiration notification is printed at user login. The default is 10 days, the minimum is 1 day, and the maximum is 365 days.
Requirement to accept the message of the day
If a message of the day (MOTD) is configured and the enable strict-password-enforcement command is enabled, the user is required to press the Enter key before logging in. The MOTD is configured using the banner motd command.

Brocade(config)# banner motd require-enter-key

Syntax: [no] banner motd require-enter-key

Web interface login lockout
The Web interface provides up to three login attempts.
The first instance of the hh:mm:ss variable specifies the start of the access time and the second instance of the hh:mm:ss variable specifies the end of the access time.

Configuring SSL security for the Web Management Interface
When enabled, the SSL protocol uses digital certificates and public-private key pairs to establish a secure connection to the Brocade device.
Importing digital certificates and RSA private key files
To allow a client to communicate with the Brocade device using an SSL connection, you configure a set of digital certificates and RSA public-private key pairs on the device. A digital certificate is used for identifying the server to the connecting client. It contains information about the issuing Certificate Authority, as well as a public key.
• Web management access
• Access to the Privileged EXEC level and CONFIG levels of the CLI

NOTE
You cannot authenticate Brocade Network Advisor (SNMP) access to a Brocade device using TACACS or TACACS+.

The TACACS and TACACS+ protocols define how authentication, authorization, and accounting information is sent between a Brocade device and an authentication database on a TACACS or TACACS+ server.
TACACS authentication

NOTE
Also, multiple challenges are supported for TACACS+ login authentication.

The following events occur when TACACS authentication takes place.
1. A user attempts to gain access to the Brocade device by doing one of the following:
   • Logging into the device using console, Telnet, SSH, or the Web Management Interface
   • Entering the Privileged EXEC level or CONFIG level of the CLI
2. The user is prompted for a username and password.
3.
1. A user logs into the Brocade device using console, Telnet, SSH, or the Web Management Interface.
2. The user is authenticated.
3. The Brocade device consults the TACACS+ server to determine the privilege level of the user.
4. The TACACS+ server sends back a response containing an A-V (Attribute-Value) pair with the privilege level of the user.
5. The user is granted the specified privilege level.
User action: User attempts to gain access to the Privileged EXEC and CONFIG levels of the CLI
Applicable AAA operations:
  Enable authentication: aaa authentication enable default method-list
  Exec authorization (TACACS+): aaa authorization exec default tacacs+
  System accounting start (TACACS+): aaa accounting system default start-stop method-list

User action: User logs in using console, Telnet, or SSH
Applicable AAA operations:
  Login authentication: aaa authentication login default method-list
  Exec auth
AAA security for commands pasted into the running configuration
If AAA security is enabled on a Brocade device, commands pasted into the running configuration are subject to the same AAA operations as if they were entered manually. When you paste commands into the running configuration, and AAA command authorization or accounting is configured on the device, AAA operations are performed on the pasted commands.
5. Optionally configure TACACS+ authorization. Refer to “Configuring TACACS+ authorization”.
6. Optionally configure TACACS+ accounting. Refer to “Configuring TACACS+ accounting”.

Enabling SNMP traps for TACACS
To enable SNMP access to the TACACS MIB objects on a Brocade device, you must execute the enable snmp config-tacacs command as shown in the following.
NOTE
If you erase a tacacs-server command (by entering “no” followed by the command), make sure you also erase the aaa commands that specify TACACS or TACACS+ as an authentication method. (Refer to “Configuring authentication-method lists for TACACS or TACACS+”.) Otherwise, when you exit from the CONFIG mode or from a Telnet session, the system continues to believe it is TACACS or TACACS+ enabled and you will not be able to access the system.
• 0 = the key string is not encrypted and is in clear text
• 1 = the key string uses a proprietary simple cryptographic 2-way algorithm (only for Brocade NetIron CES and Brocade NetIron CER)
• 2 = the key string uses a proprietary base64 cryptographic 2-way algorithm (only for Brocade NetIron XMR and Brocade MLX series)

Setting optional TACACS or TACACS+ parameters
You can set the following optional parameters in a TACACS or TACACS+ configuration:
• TACACS+ key – This
NOTE
Encryption of the TACACS+ keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility.

Setting the retransmission limit
The retransmit parameter specifies how many times the Brocade device will resend an authentication request when the TACACS or TACACS+ server does not respond. The retransmit limit can be from 1 – 5 times. The default is 3 times.
The commands above cause TACACS or TACACS+ to be the primary authentication method for securing Telnet or SSH access to the CLI. If TACACS or TACACS+ authentication fails due to an error with the server, authentication is performed using local user accounts instead.

To create an authentication-method list that specifies TACACS or TACACS+ as the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI.
NOTE
After successful key-authentication, the SSH session will be placed into the privileged EXEC mode.

Example 3:
Brocade(config)# aaa authentication login privilege-mode
Brocade(config)# ip ssh permit-empty-passwd yes
• If the next method in the authentication method list is “enable”, the login prompt is skipped, and the user is prompted for the Enable password (that is, the password configured with the enable super-user-password command).
• If the next method in the authentication method list is “line”, the login prompt is skipped, and the user is prompted for the Line password (that is, the password configured with the enable telnet password command).
To set a user’s privilege level, you can configure the “foundry-privlvl” A-V pair for the Exec service on the TACACS+ server.

Example
user=bob {
    default service = permit
    member admin
    # Global password
    global = cleartext "cat"
    service = exec {
        foundry-privlvl = 0
    }
}

In this example, the A-V pair foundry-privlvl = 0 grants the user full read-write access. The value in the foundry-privlvl A-V pair is an integer that indicates the privilege level of the user.
Example
user=bob {
    default service = permit
    member admin
    # Global password
    global = cleartext "cat"
    service = exec {
        foundry-privlvl = 4
        priv-lvl = 15
    }
}

In this example, the user would be granted a privilege level of 4 (port-config level). The priv-lvl = 15 A-V pair is ignored by the Brocade device. If the TACACS+ server has no A-V pair configured for the Exec service, the default privilege level of 5 (read-only) is granted to the user.
Configuring TACACS+ accounting
The Brocade device supports TACACS+ accounting for recording information about user activity and system events. When you configure TACACS+ accounting on a Brocade device, information is sent to a TACACS+ accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
Syntax: [no] aaa accounting system default start-stop radius | tacacs+ | none

Configuring an interface as the source for all TACACS or TACACS+ packets
You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all TACACS or TACACS+ packets from the Brocade device.
Displaying TACACS or TACACS+ statistics and configuration information
The show aaa command displays information about all TACACS+ and RADIUS servers identified on the device.

Example
Brocade# show aaa
TACACS default key: ...
TACACS retries: 3
TACACS timeout: 3 seconds
TACACS+ Server: IP=10.20.80.20 Port=49 Usage=any Key=...
    opens=0 closes=0 timeouts=0 errors=0
    packets in=0 packets out=0
Radius default key: ...
The show web command displays the privilege level of Web Management Interface users.

Example
Brocade#show web
User    Privilege    IP address
set     0            192.168.1.234

Syntax: show web

Validating TACACS+ reply packets
The TACACS+ reply packets are validated for individual fields in the packet header and encrypted or unencrypted packet body to avoid any system failure due to processing invalid or corrupt reply packets.
The following table lists all possible error conditions and corresponding messages for the authentication reply validation.
TABLE 8  Authorization reply validation
Error warning message | Error condition
Warning: Invalid TACACS+ authorization reply packet body. check key value | Invalid status field in the packet body.
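The two rules the guide states for TACACS+ authorization replies, that every length field and the status byte must be checked against the packet before the body is trusted, and that only foundry-privlvl decides the Brocade privilege level (priv-lvl is ignored, a missing pair means read-only level 5), are shown together in the following example. It is added here and is not Brocade code; the packet layout follows RFC 8907, the sample reply is constructed in the block, and the rejection of foundry-privlvl values other than 0, 4 and 5 is an assumption.

```python
import struct
from typing import Dict, List

# Brocade privilege levels carried in the foundry-privlvl A-V pair (from the guide).
PRIV_SUPER_USER = 0
PRIV_PORT_CONFIG = 4
PRIV_READ_ONLY = 5          # default when the exec service carries no foundry-privlvl

# TACACS+ constants (RFC 8907): packet type, flag and authorization-reply status values.
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def parse_author_reply(packet: bytes) -> Dict[str, object]:
    """Parse a TACACS+ authorization REPLY whose body is unencrypted.

    Every length field is checked against the packet boundary before the bytes it
    describes are read, and the status byte must be a defined value, so a corrupt
    or hostile reply raises ValueError instead of being acted upon.
    """
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the TACACS+ header")
    _version, ptype, _seq, flags, _session, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("encrypted body: decrypt with the shared key before parsing")
    if length != len(body):
        raise ValueError("header length field does not match body length")
    if len(body) < 6:
        raise ValueError("authorization reply body shorter than its fixed fields")
    status, arg_cnt, server_msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in AUTHOR_STATUS:
        raise ValueError("Invalid status field in the packet body")
    pos = 6
    if pos + arg_cnt > len(body):
        raise ValueError("arg_len array is not within packet boundary")
    arg_lens = list(body[pos:pos + arg_cnt])
    pos += arg_cnt
    if pos + server_msg_len > len(body):
        raise ValueError("server msg length is not within packet boundary")
    server_msg = body[pos:pos + server_msg_len].decode("ascii", "replace")
    pos += server_msg_len
    if pos + data_len > len(body):
        raise ValueError("data length is not within packet boundary")
    pos += data_len
    args: List[str] = []
    for n in arg_lens:
        if pos + n > len(body):
            raise ValueError("argument length is not within packet boundary")
        args.append(body[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos != len(body):
        raise ValueError("trailing bytes after the last argument")
    return {"status": AUTHOR_STATUS[status], "server_msg": server_msg, "args": args}


def validate_author_reply(packet: bytes) -> str:
    """Return "" for a well-formed reply, otherwise the warning text a receiver would log."""
    try:
        parse_author_reply(packet)
        return ""
    except ValueError as exc:
        return f"Warning: Invalid TACACS+ authorization reply packet body. {exc}"


def brocade_privilege(args: List[str]) -> int:
    """Apply the guide's rule to the exec service A-V pairs: foundry-privlvl decides,
    priv-lvl is ignored, and a missing foundry-privlvl yields the read-only default."""
    for pair in args:
        name, sep, value = pair.partition("=")
        if not sep:                       # optional A-V pairs use '*' instead of '='
            name, sep, value = pair.partition("*")
        if sep and name.strip() == "foundry-privlvl":
            level = int(value.strip())
            if level in (PRIV_SUPER_USER, PRIV_PORT_CONFIG, PRIV_READ_ONLY):
                return level
            # Assumption: the guide documents only 0, 4 and 5; anything else is rejected.
            raise ValueError(f"unsupported foundry-privlvl {level}")
    return PRIV_READ_ONLY


def build_author_reply(status: int, args: List[str], server_msg: bytes = b"",
                       data: bytes = b"", seq_no: int = 2, session_id: int = 0x1A2B3C4D) -> bytes:
    """Constructed sample reply (unencrypted flag set) used for the demonstration."""
    raw_args = [a.encode("ascii") for a in args]
    body = struct.pack("!BBHH", status, len(raw_args), len(server_msg), len(data))
    body += bytes(len(a) for a in raw_args) + server_msg + data + b"".join(raw_args)
    return HEADER.pack(0xC0, TAC_PLUS_AUTHOR, seq_no, TAC_PLUS_UNENCRYPTED_FLAG,
                       session_id, len(body)) + body


if __name__ == "__main__":
    reply = build_author_reply(0x01, ["service=exec", "foundry-privlvl=4", "priv-lvl=15"])
    print(brocade_privilege(parse_author_reply(reply)["args"]))   # 4: priv-lvl=15 is ignored
    corrupt = bytearray(reply)
    corrupt[14:16] = b"\xff\xff"          # server_msg_len now points past the packet end
    print(validate_author_reply(bytes(corrupt)))
```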
TABLE 9  Accounting reply validation
Error warning message | Error condition
Warning: Invalid server msg length in TACACS+ accounting reply | The server message length specified is not within packet boundary
Warning: Invalid server msg in TACACS+ accounting reply | Invalid or null data found in server message
Warning: Invalid data length in TACACS+ accounting reply | The data length specified is not within packet boundary
Warning: Invalid TACACS+ accounting reply.
1. A user triggers RADIUS authentication by doing one of the following:
   • Logging in to the Brocade device using Telnet, SSH, or the Web Management Interface
   • Entering the Privileged EXEC level or CONFIG level of the CLI
2. The user is prompted for a username and password.
3. The user enters a username and password.
4. The Brocade device sends a RADIUS Access-Request packet containing the username and password to the RADIUS server.
5.
Telnet - 08-25-2010 -- 11:20:18 This is the message of the day
Telnet - 08-25-2010 -- 11:20:18
Telnet - 08-25-2010 -- 11:20:18 User Access Verification
Telnet - 08-25-2010 -- 11:20:18
Telnet - 08-25-2010 -- 11:20:38 Please Enter Login Name: pbikram3
Telnet - 08-25-2010 -- 11:20:58 Please Enter Password:
Telnet - 08-25-2010 -- 11:21:01
Telnet - 08-25-2010 -- 11:21:06 Enter a new PIN having from 4 to 8 alphanumeric characters:
Telnet -
   • A system event occurs, such as a reboot or reloading of the configuration file
2. The Brocade device checks its configuration to see if the event is one for which RADIUS accounting is required.
3. If the event requires RADIUS accounting, the Brocade device sends a RADIUS Accounting Start packet to the RADIUS accounting server, containing information about the event.
4. The RADIUS accounting server acknowledges the Accounting Start packet.
5.
User action: User enters the command: [no] aaa accounting system default start-stop method-list
Applicable AAA operations:
  Command authorization: aaa authorization commands privilege-level default method-list

User action: User enters other commands
Applicable AAA operations:
  Command authorization: aaa authorization commands privilege-level default method-list
  Command accounting: aaa accounting commands privilege-level default start-stop method-list
  System accounting start: aaa accounting system default start-st
• When a radius-server host is configured, a status-server request is sent automatically to determine the current status of the server. You must configure the radius-server key before entering the radius host command. The radius-server key may also be configured along with the radius-server host command.

Example 1:
Brocade(config)# radius-server key key
Brocade(config)# radius-server host a.b.c.d

Example 2:
Brocade(config)# radius-server host a.b.c.
Configuring Brocade-specific attributes on the RADIUS server
During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server sends an Access-Accept packet to the Brocade device, authenticating the user. Within the Access-Accept packet, the RADIUS server can send a “Vendor-Specific” attribute whose value informs the Brocade device of the runtime environment for this session. The value of Brocade’s Vendor ID is 1991.
TABLE 10  Vendor-specific attributes for RADIUS
Attribute name | Attribute ID | Data type | Description
foundry-access-list | 5 | string | Specifies the access control list to be used for RADIUS authorization. Enter the access control list in the following format.
    type=string, value=”ipacl.[e|s].[in|out] = [acl-name|acl-number] separator macfilter.in = [acl-name|acl-number]
    Where: separator can be a space, new line, semicolon, comma, or null character
    • ipacl.
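As an added example, not Brocade code, the following decodes the foundry-access-list attribute described above from the raw attributes of an Access-Accept: it walks the RFC 2865 Vendor-Specific attribute (type 26), keeps only sub-attributes under Vendor ID 1991 with vendor-type 5, and splits the value on the separators the table allows (space, newline, semicolon, comma, NUL). The VSA bytes are constructed in the block; the AclBinding field names are this example's own.

```python
import re
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

RADIUS_VENDOR_SPECIFIC = 26          # RFC 2865 attribute type
BROCADE_VENDOR_ID = 1991             # from the guide
FOUNDRY_ACCESS_LIST = 5              # Brocade vendor-type from Table 10

# One "key = value" item of the foundry-access-list string. The guide allows a
# space, newline, semicolon, comma or NUL as the separator between items.
ITEM = re.compile(r"(?:ipacl\.([es])\.(in|out)|(macfilter)\.in)\s*=\s*([^\s;,\x00]+)")
SEPARATORS_ONLY = re.compile(r"\A[ \n;,\x00]*\Z")


@dataclass(frozen=True)
class AclBinding:
    kind: str       # "ipacl" or "macfilter"
    acl_type: str   # "e" (extended) or "s" (standard); "" for macfilter
    direction: str  # "in" or "out"
    acl: str        # acl-name or acl-number, kept as text


def iter_tlvs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk RADIUS type/length/value triples, refusing lengths that leave the buffer."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("attribute length outside packet boundary")
        yield attr_type, data[pos + 2:pos + attr_len]
        pos += attr_len


def brocade_vsa_values(attributes: bytes, vendor_type: int) -> List[bytes]:
    """Collect the values of every Brocade (vendor 1991) sub-attribute of the given type."""
    values = []
    for attr_type, value in iter_tlvs(attributes):
        if attr_type != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != BROCADE_VENDOR_ID:
            continue  # another vendor's VSA: not ours to interpret
        for sub_type, sub_value in iter_tlvs(value[4:]):
            if sub_type == vendor_type:
                values.append(sub_value)
    return values


def parse_access_list_value(text: str) -> List[AclBinding]:
    """Decode 'ipacl.[e|s].[in|out] = ACL separator macfilter.in = ACL' into bindings."""
    bindings: List[AclBinding] = []
    last = 0
    for match in ITEM.finditer(text):
        if not SEPARATORS_ONLY.match(text[last:match.start()]):
            raise ValueError(f"unexpected text in access-list value: {text[last:match.start()]!r}")
        acl_type, direction, macfilter, acl = match.groups()
        if macfilter:
            bindings.append(AclBinding("macfilter", "", "in", acl))
        else:
            bindings.append(AclBinding("ipacl", acl_type, direction, acl))
        last = match.end()
    if not SEPARATORS_ONLY.match(text[last:]):
        raise ValueError(f"unexpected text in access-list value: {text[last:]!r}")
    return bindings


def access_list_value_is_valid(text: str) -> bool:
    """True when the whole string is well-formed items and separators."""
    try:
        parse_access_list_value(text)
        return True
    except ValueError:
        return False


def authorized_acls(attributes: bytes) -> List[AclBinding]:
    """ACL bindings the Access-Accept asks the device to apply to this session."""
    bindings: List[AclBinding] = []
    for raw in brocade_vsa_values(attributes, FOUNDRY_ACCESS_LIST):
        bindings.extend(parse_access_list_value(raw.decode("ascii", "replace")))
    return bindings


def build_vsa(vendor_type: int, value: bytes, vendor_id: int = BROCADE_VENDOR_ID) -> bytes:
    """Constructed sample: one Vendor-Specific attribute wrapping one vendor sub-attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


if __name__ == "__main__":
    attrs = build_vsa(FOUNDRY_ACCESS_LIST, b"ipacl.e.in = 101; macfilter.in = 5")
    for binding in authorized_acls(attrs):
        print(binding)
```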
Enabling SNMP traps for RADIUS
To enable SNMP traps for RADIUS on a Brocade device, you must execute the enable snmp config-radius command as shown in the following.

Brocade(config)# enable snmp config-radius

Syntax: [no] enable snmp [config-radius | config-tacacs]

The config-radius parameter specifies that traps will be enabled for RADIUS. Generation of RADIUS traps is disabled by default. The config-tacacs parameter specifies that traps will be enabled for TACACS.
The acct-port number parameter specifies what port to use for RADIUS accounting. The default is 1813.

Enter accounting-only if the server is used only for accounting. Enter authentication-only if the server is used only for authentication. Entering the default parameter causes the server to be used for all AAA RADIUS functions.

NOTE
To specify which RADIUS functions the server supports, you must first enter the authentication port and accounting port parameters.
Global radius configuration
The following global configurations apply to all RADIUS servers and can be used to configure defaults. If an individual RADIUS server is configured with its own value, the per-server value takes precedence. Health-check is disabled by default. Use the following command to globally enable health-check.
Brocade(config)# radius-server enable-health-check
Syntax: [no] radius-server enable-health-check
Use the no version of the command to globally disable health-check.
Setting the RADIUS key
The key parameter in the radius-server command is the RADIUS shared secret. It does not encrypt RADIUS packets: the device uses it to hide the User-Password attribute and to authenticate the replies it receives from the server, so a client and server whose keys differ cannot validate each other's traffic. The value for the key parameter on the Brocade device must match the one configured on the RADIUS server. The key length can be from 1 – 64 characters and cannot include any space characters. Because the secret is all that binds a reply to the server, choose a long random value and protect it like a password. To specify a RADIUS server key, enter a command such as the following.
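To make concrete what the key does and does not protect, here is an added example (not code from this guide) that runs one Access-Request/Access-Accept round trip in pure Python following RFC 2865: the NAS hides the User-Password with the secret, the server recovers it with its own copy and signs the reply with the Response Authenticator, and the NAS rejects the reply when the keys differ. User-Name stays readable without any key. The secrets, identifier and credentials are constructed for the example.

```python
"""What the radius-server key protects. Added example, not code from the
IronWare guide: it follows RFC 2865, under which the shared secret never
encrypts a RADIUS packet. It hides the User-Password attribute (section
5.2) and feeds the Response Authenticator (section 3) that lets the client
reject a reply from anyone who does not hold the key. User-Name and every
other attribute cross the wire in clear text. Secrets, identifiers and the
credentials below are constructed for the example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(body: bytes):
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("bad attribute length")
        out.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return out


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous
    block), seeded with the 16-octet Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out


def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Same keystream; XOR is its own inverse. Strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(secret, code, ident, request_auth, attrs) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(secret: bytes, request_auth: bytes, reply: bytes) -> bool:
    """Client-side check that a reply was built by a holder of the shared secret."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(secret, code, ident, request_auth, [reply[20:]])
    return hmac.compare_digest(expected, reply[4:20])


def exchange(nas_secret: bytes, server_secret: bytes,
             username: bytes = b"admin", password: bytes = b"s3cret!"):
    """One Access-Request / Access-Accept round trip between a NAS holding
    nas_secret and a server holding server_secret. Returns
    (server_recovered_password, nas_accepted_reply, username_readable_on_wire)."""
    request_auth = os.urandom(16)
    request = packet(ACCESS_REQUEST, 7, request_auth, [
        attr(USER_NAME, username),
        attr(USER_PASSWORD, hide_password(nas_secret, request_auth, password)),
    ])
    # Server side: everything but the password is readable without any key
    seen = dict(parse_attrs(request[20:]))
    recovered = unhide_password(server_secret, request[4:20], seen[USER_PASSWORD])
    reply_attrs = []                           # an Access-Accept with no attributes
    reply = packet(ACCESS_ACCEPT, 7,
                   response_authenticator(server_secret, ACCESS_ACCEPT, 7, request[4:20], reply_attrs),
                   reply_attrs)
    # NAS side: accept the reply only if its authenticator checks out under nas_secret
    return recovered == password, verify_response(nas_secret, request[4:20], reply), seen[USER_NAME] == username
```

The password hiding is an MD5 keystream, not a modern cipher, which is why the guide's advice to keep the key private matters: anyone who learns the shared secret and captures the exchange can recover passwords and forge Access-Accept replies.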
Within the authentication-method list, RADIUS is specified as the primary authentication method and up to six backup authentication methods are specified as alternates. If RADIUS authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.
To configure the Brocade device to prompt only for a password when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI, enter the following command.
Brocade(config)# aaa authentication enable implicit-user
Syntax: [no] aaa authentication enable implicit-user
Configuring RADIUS authorization
The Brocade device supports RADIUS authorization for controlling access to management functions in the CLI.
You enable RADIUS command authorization by specifying a privilege level whose commands require authorization. For example, to configure the Brocade device to perform authorization for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command.
Configuring RADIUS accounting
The Brocade devices support RADIUS accounting for recording information about user activity and system events. When you configure RADIUS accounting on a Brocade device, information is sent to a RADIUS accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
Syntax: [no] aaa accounting system default start-stop radius | tacacs+ | none
Configuring an interface as the source for all RADIUS packets
You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all RADIUS packets from the Brocade device.
Configuring an IPv6 interface as the source for all RADIUS packets
Use the ipv6 radius source-interface command to specify the IPv6 address of the interface that is used for the NAS-IPv6-Address attribute. This feature is applicable only if an IPv6 interface is configured and authentication happens through RADIUS.
Syntax: show aaa
The following table describes the RADIUS information displayed by the show aaa command.
TABLE 11 Output of the show aaa command for RADIUS
Field               Description
Radius default key  The setting configured with the radius-server key command. At the Super User privilege level, the actual text of the key is displayed. At the other privilege levels, a string of periods (....) is displayed instead of the text.
3. Enter “exit” to display the following login prompt on the console window: "Press Enter key to login".
4. Press the Enter key to begin the login process. The next prompt to appear is determined by the first method configured in the login authentication configuration. If it is not TACACS+, the default prompts are used.
The none option eliminates the requirement for any authentication method to grant access to the console.
Configuring authentication-method lists
To implement one or more authentication methods for securing access to the device, you configure authentication-method lists that set the order in which the authentication methods are consulted.
NOTE
If a user cannot be authenticated using local authentication, then the next method on the authentication-method list is used to try to authenticate the user. If there is no method following local authentication, then the user is denied access to the device.
To configure an authentication-method list for Brocade Network Advisor, enter a command such as the following.
Brocade(config)# aaa authentication snmp-server default local
This command configures the device to use the local user accounts to authenticate access attempts through any network management software, such as Brocade Network Advisor.
TABLE 12 Authentication method values (Continued)
Method parameter  Description
tacacs            Authenticate using the database on a TACACS server. You also must identify the server to the device using the tacacs-server command.
tacacs+           Authenticate using the database on a TACACS+ server. You also must identify the server to the device using the tacacs-server command.
radius            Authenticate using the database on a RADIUS server.
Chapter 2 Layer 2 Access Control Lists Table 13 displays the individual devices and the Layer 2 ACLs features they support.
Configuration rules and notes
Layer-2 Access Control Lists (ACLs) filter incoming traffic based on Layer-2 MAC header fields in the Ethernet IEEE 802.3 frame. Specifically, Layer-2 ACLs filter incoming traffic based on any of the following Layer-2 fields in the MAC header:
• Source MAC address and source MAC mask
• Destination MAC address and destination MAC mask
• VLAN ID
• Ethernet type
• 802.1p
Layer-2 ACLs filter traffic at line-rate speed.
• You can bind multiple rate limiting policies to a single port. However, once a matching ACL clause is found for a packet, the device does not evaluate subsequent clauses in that rate limiting ACL and subsequent rate limiting ACLs.
• Only numbered ACLs support rate limiting.
There can be up to 500 named L2 ACLs. The maximum length of a named Layer-2 ACL is 255 characters. The Layer-2 ACL name cannot begin with digits 0 to 9 to avoid confusion with the numbered L2 ACLs. The device evaluates traffic coming into the port against each ACL clause. Once a matching entry is found, the device either forwards or drops the traffic, depending upon the action specified for the clause.
Creating a numbered Layer-2 ACL table
You create a numbered Layer-2 ACL table by defining a Layer-2 ACL clause. To create a numbered Layer-2 ACL table, enter commands (clauses) such as the following at the Global CONFIG level of the CLI. Note that you can add additional clauses to the ACL table at any time by entering the command with the same table ID and different MAC parameters.
In the above example, the first ACL entry is assigned the default sequence number “10”, the second ACL entry has the user-defined sequence number “12”, the third ACL entry is assigned sequence number “20” (the smallest multiple of 10 greater than 12), the fourth ACL entry is assigned sequence number “30” (the smallest multiple of 10 greater than 20), and the fifth ACL entry will have user
Deleting a numbered Layer-2 ACL entry
You can delete an ACL filter rule by providing the sequence number or without providing the sequence number. To delete an ACL filter rule without providing a sequence number you must specify the filter rule attributes. To delete an ACL filter rule providing a sequence number you can provide the sequence number alone or the sequence number and the other filter rule attributes.
The src-mac mask | any parameter specifies the source MAC address. You can enter a specific address and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using Fs and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask ffff.0000.0000.
The priority option assigns outgoing traffic that matches the ACL to a hardware forwarding queue based on the incoming 802.1p value. If the incoming packet priority is lower than the specified value, the outgoing packet priority is set to the specified value. Should the incoming packet priority have a higher priority than the specified value, the priority is not changed. This option is applicable for inbound ACLs only.
Brocade(config)# access-list 401 sequence 23 permit 0000.1111.1121 ffff.ffff.ffff any 23 etype any
Inserting and deleting Layer-2 ACL clauses
You can make changes to the Layer-2 ACL table definitions without unbinding and rebinding the table from an interface. For example, you can add a new clause to the ACL table, delete a clause from the table, delete the ACL table, etc.
Using the mask, you can make the access list apply to a range of addresses. For instance, if you changed the source mask in the previous example to ffff.ffff.fff0, all hosts with addresses from 0000.0056.7890 to 0000.0056.789f would be blocked. The configuration for this example is shown in the following.
Brocade(config)# access-list 401 deny 0000.0056.7890 ffff.ffff.fff0 0000.0033.4455 ffff.ffff.
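The mask semantics above (an F nibble means the bit must match, a 0 nibble means don't care) and the first-match evaluation described under "Configuration rules and notes" are easy to get backwards, so here is an added Python model of them, not code from this guide or the device. It parses Brocade dotted-hex MACs, reports the address range a value/mask pair actually covers, and evaluates the ACL 401 example against constructed frames. The destination mask of that clause is truncated on the page and is assumed to be ffff.ffff.ffff; treating a frame that matches no clause as denied is an assumption carried over from the IPv4 ACL chapter.

```python
"""Layer-2 ACL matching as the guide describes it: a MAC mask written with
Fs and zeros selects the bits that must match, clauses are evaluated in
sequence order, and the first matching clause decides. Added example, not
code from the IronWare guide; the destination mask of the ACL 401 clause is
truncated on the page and is assumed to be ffff.ffff.ffff here, and the
frames are constructed for illustration.
"""


def mac_to_int(mac: str) -> int:
    """Parse Brocade dotted hex (aabb.ccdd.eeff); colons and dashes also accepted."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


def int_to_mac(n: int) -> str:
    h = f"{n:012x}"
    return f"{h[:4]}.{h[4:8]}.{h[8:]}"


def mac_matches(addr: str, value: str, mask: str) -> bool:
    """True when addr agrees with value on every bit that is 1 in mask."""
    if value == "any":
        return True
    m = mac_to_int(mask)
    return (mac_to_int(addr) & m) == (mac_to_int(value) & m)


def matched_range(value: str, mask: str):
    """Lowest and highest address a value/mask pair can match."""
    v, m = mac_to_int(value), mac_to_int(mask)
    lo = v & m
    hi = lo | (~m & 0xFFFFFFFFFFFF)
    return int_to_mac(lo), int_to_mac(hi)


class L2Clause:
    def __init__(self, seq, action, src, src_mask, dst, dst_mask, vlan="any", etype="any"):
        self.seq, self.action = seq, action
        self.src, self.src_mask, self.dst, self.dst_mask = src, src_mask, dst, dst_mask
        self.vlan, self.etype = vlan, etype

    def matches(self, frame: dict) -> bool:
        return (mac_matches(frame["src"], self.src, self.src_mask)
                and mac_matches(frame["dst"], self.dst, self.dst_mask)
                and (self.vlan == "any" or self.vlan == frame["vlan"])
                and (self.etype == "any" or self.etype == frame["etype"]))


def evaluate(acl, frame):
    """First match in sequence order wins; ("deny", None) when no clause matches,
    on the assumption that an L2 ACL, like the IPv4 ACLs in this guide, denies
    what it does not explicitly permit."""
    for clause in sorted(acl, key=lambda c: c.seq):
        if clause.matches(frame):
            return clause.action, clause.seq
    return "deny", None


# ACL 401 from the text: block 0000.0056.7890 to 0000.0056.789f talking to 0000.0033.4455
ACL_401 = [
    L2Clause(10, "deny", "0000.0056.7890", "ffff.ffff.fff0", "0000.0033.4455", "ffff.ffff.ffff"),
    L2Clause(20, "permit", "any", None, "any", None),
]
```

matched_range is the check worth running before committing a mask: a non-contiguous mask such as ffff.0000.ffff still "works" but matches an address set that is rarely what the author intended.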
The Brocade NetIron CES and Brocade NetIron CER devices treat the drop-precedence (DP) value internally, and do not mark any packets on DP explicitly.
In the following example, access list 414 permits IPv4 packets from source MAC 1425.0124.010c to any destination address from VLAN 14 with an 802.1p priority of 2, and marks the flow ID for load-balancing on LAG ports.
Brocade(config)#access-list 414 permit 1425.0124.010c ffff.ffff.
Creating a named Layer-2 ACL table
To create, for example, a named Layer-2 ACL called example_l2_acl, enter the following commands.
Brocade(config)#mac access-list example_l2_acl
Brocade(config-mac-nacl)#deny 0000.0000.0001 ffff.ffff.ffff any
Brocade(config-mac-nacl)#permit any 0000.0000.0002 ffff.ffff.ffff
Brocade(config-mac-nacl)#exit
Following is an example of how a named Layer-2 ACL “example_l2_acl” is displayed in the configuration file.
ACL accounting
Multi-Service devices may be configured to monitor the number of times an ACL is used to filter incoming or outgoing traffic on an interface. The show access-list accounting command displays the number of “hits” or how many times ACL filters permitted or denied packets that matched the conditions of the filters. For more detailed information about ACL accounting, please refer to “ACL accounting”.
For detailed information about ACL accounting considerations for Brocade NetIron CES and Brocade NetIron CER devices, please refer to “ACL accounting”.
Displaying Layer-2 ACLs
Use the show access-list command to display named and numbered Layer 2 (L2) ACL tables. To display the total number of Layer-2 and IPv4 access lists and the number of filters configured for each list, use the show access-list count command.
Brocade(config)#show access-list count
Total 4 ACLs exist.
10: deny 0000.0030.0310 ffff.ffff.ffff 0000.0030.0010 ffff.ffff.ffff any etype
20: permit any any any etype any
L2 MAC Access List mac-access-list-481-1234567890123456789012345678901234567890:
10: permit 0025.0113.0101 ffff.ffff.ffff 0021.3113.0101 ffff.ffff.ffff any etype any
20: permit any 0021.3121.0101 ffff.ffff.ffff any etype any
30: deny 0025.0122.010a ffff.ffff.
permit vlan 3000 ip any any
Syntax: [no] display-config-format
The no version of the display-config-format command presents the show access-list output in standard form. There is an SNMP table that supports this command. Refer to the Unified IP MIB Reference for more information.
Configuring ACL Deny Logging for Layer-2 inbound ACLs
Configuring ACL Deny Logging for Layer-2 ACLs requires the following:
• Enabling the Log Option on a filter.
Displaying Layer-2 ACL statistics on Brocade NetIron CES and Brocade NetIron CER devices
To display Layer 2 inbound ACL statistics on Brocade NetIron CES and Brocade NetIron CER devices, enter commands such as the following.
(config-if-e10000-14/1)#show access-list acc eth 14/1 in l2
Collecting L2 ACL accounting for 400 on port 14/1 ... Completed successfully.
Chapter 3 Access Control List Table 14 displays the individual Brocade devices and the ACL features they support.
TABLE 14 Supported Brocade ACL features (Continued)
Features supported                | Brocade NetIron XMR Series | Brocade MLX Series | Brocade NetIron CES 2000 Series BASE package | Brocade NetIron CES 2000 Series ME_PREM package | Brocade NetIron CES 2000 Series L3_PREM package | Brocade NetIron CER 2000 Series Base package | Brocade NetIron CER 2000 Series Advanced Services package
ACL CAM sharing for Inbound ACLs  | Yes | Yes | No | No | No | No | No
CAM sharing                       | Yes | Yes | No | No | No | No | No
ACL Deny L
How the Brocade device processes ACLs
The Brocade device processes traffic that ACLs filter in hardware. The Brocade device creates an entry for each ACL in the Content Addressable Memory (CAM) at startup or when the ACL is created. The Brocade device uses these CAM entries to permit or deny packets in the hardware, without sending the packets to the CPU for processing.
NOTE
On all NetIron devices running a version earlier than 5.5, you must remove the ACL bindings before adding a port to any VLAN, and then re-apply the ACL bindings after the VLAN is configured on the port.
NOTE
On any NetIron device, the ACLs configured on a physical or virtual interface are not removed by disabling or enabling the interface.
Disabling outbound ACLs for switching traffic
By default, when an outbound ACL is applied to a virtual interface, the Brocade device always filters traffic that is switched from one port to another within the same virtual routing interface. Additional commands have been added that allow you to exclude switched traffic from outbound ACL filtering. This exclusion can be configured globally or on a per-port basis. This feature applies to IPv4 and IPv6 ACLs only.
The ipv4 and ipv6 options are mutually exclusive within the same command. If you want to configure this command to exclude both IPv4 and IPv6 traffic, you must use two separate commands.
Enabling outbound ACLs for switching traffic per port
Configuring the if-acl-outbound exclude-switched-traffic command at the interface configuration level allows you to exclude all switched traffic from outbound ACL filtering on a per-port basis.
Types of IP ACLs
IP ACLs can be configured as standard or extended ACLs. A standard ACL permits or denies packets based on source IP address. An extended ACL permits or denies packets based on source and destination IP address and also based on IP protocol information. Standard or extended ACLs can be numbered or named. Standard numbered ACLs have an ID of 1 – 99. Extended numbered ACLs are numbered 100 – 199. IDs for standard or extended ACLs can be a character string.
• ncopy tftp ip-addr from-name running-config
In this case, the ACLs are added to the existing configuration.
ACL editing and sequence numbers
Multi-Service IronWare R05.6.00 supports ACL editing and ACL entry sequence numbers for Layer-2, IPv4 and IPv6 ACLs. This chapter describes the ACL editing feature applied to numbered and named IPv4 ACLs.
Syntax: [no] suppress-acl-seq
The no version of this command turns suppress-acl-seq off.
Configuring numbered and named ACLs
When you configure IPv4 ACLs, you can refer to the ACL by a numeric ID or by an alphanumeric name. The commands to configure numbered ACLs are different from the commands for named ACLs:
• If you refer to the ACL by a numeric ID, you can use 1 – 99 for a standard ACL or 100 – 199 for an extended ACL.
sequence number generated by the system is the smallest multiple of 10 greater than the sequence number of the last ACL entry provisioned in the ACL table. Therefore, when you do not specify a sequence number, the rule is added to the end of the ACL table. The default sequence number assigned to the first ACL entry in the ACL table is “10”.
Deleting a standard numbered ACL entry
You can delete an ACL filter rule by providing the sequence number or without providing the sequence number. To delete an ACL filter rule without providing a sequence number you must specify the filter rule attributes. To delete an ACL filter rule providing a sequence number you can provide the sequence number alone or the sequence number and the other filter rule attributes.
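The sequence-number rules stated for Layer-2 ACLs in Chapter 2 and for IPv4 ACLs here are the same, so one added Python model covers both (it is not the device's code): entries added without a sequence number get the smallest multiple of 10 above the highest existing number, 10 for the first entry; an entry is deleted by sequence number alone, by its attributes, or by both when they agree; and regenerate renumbers the table the way access-list regenerate-seq-num does. Reading "last entry provisioned" as the highest sequence number is an assumption, and rule text is carried only as a string.

```python
"""ACL entry sequence numbering as the guide describes it for Layer-2 and
IPv4 ACL tables: an entry added without a sequence number gets the smallest
multiple of 10 above the highest existing sequence number (10 for the first
entry), an entry can be deleted by sequence number alone or by its rule
attributes, and access-list regenerate-seq-num renumbers the table. Added
example, not the device's own code; the rule text is only carried as a
string, and "last entry provisioned" is taken to mean the highest sequence
number, which is an assumption.
"""


class AclTable:
    def __init__(self, name: str):
        self.name = name
        self.entries = {}          # sequence number -> rule text

    def next_seq(self) -> int:
        """Default sequence number for an entry added without one."""
        if not self.entries:
            return 10
        return (max(self.entries) // 10 + 1) * 10

    def add(self, rule: str, seq: int = None) -> int:
        """Add a rule; an explicit seq inserts at that position and must be unused."""
        if seq is None:
            seq = self.next_seq()
        elif seq in self.entries:
            raise ValueError(f"sequence {seq} already in use in ACL {self.name}")
        self.entries[seq] = rule
        return seq

    def delete(self, seq: int = None, rule: str = None) -> int:
        """Delete by sequence number, by rule attributes, or by both (they must agree)."""
        if seq is None and rule is None:
            raise ValueError("give a sequence number, the rule attributes, or both")
        if seq is not None:
            if seq not in self.entries:
                raise KeyError(f"no entry with sequence number {seq}")   # the guide's error case
            if rule is not None and self.entries[seq] != rule:
                raise ValueError(f"sequence {seq} does not carry rule {rule!r}")
            del self.entries[seq]
            return seq
        hits = [s for s, r in self.entries.items() if r == rule]
        if not hits:
            raise KeyError(f"no entry matches rule {rule!r}")
        victim = min(hits)          # lowest-numbered duplicate goes first
        del self.entries[victim]
        return victim

    def regenerate(self, step: int = 10) -> None:
        """access-list regenerate-seq-num: renumber in order as 10, 20, 30, ..."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {step * (i + 1): r for i, r in enumerate(ordered)}

    def show(self):
        """Lines in show access-list form: '<seq>: <rule>'."""
        return [f"{s}: {self.entries[s]}" for s in sorted(self.entries)]
```

Deleting by attributes alone is the riskier form: if the same rule text appears twice (the device's acl-duplication-check is off by default), only one of them goes, so confirm with show access-list after the delete.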
host source-ip | hostname  Specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.
NOTE
To specify the host name instead of the IP address, the DNS server must be configured using the ip dns server-address ip-addr command at the global configuration level.
hostname  Specifies the host name for the policy.
Parameters to bind standard ACLs to an interface
Use the ip access-group command to bind the ACL to an inbound interface and enter the ACL number for num.
Configuring extended numbered ACLs
This section describes how to configure extended numbered IPv4 ACLs:
• For configuration information on standard ACLs, refer to “Configuring standard numbered ACLs”.
• For configuration information on named ACLs, refer to “Configuring standard or extended named ACLs”.
Here is another example of commands for configuring an extended ACL and applying it to an interface. These examples show many of the syntax choices.
Brocade(config)# access-list 102 perm icmp 10.157.22.0/24 10.157.21.0/24
Brocade(config)# access-list 102 deny igmp host rkwong 10.157.21.0/24
Brocade(config)# access-list 102 deny igrp 10.157.21.
The fifth entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL. The following commands apply ACL 103 to the incoming and outgoing traffic on ports 2/1 and 2/2.
access-list 100 permit icmp any any
Extended ACL syntax
This section presents the syntax for creating and re-sequencing an extended IPv4 ACL and for binding the ACL to an interface. Use the access-list regenerate-seq-num command to re-sequence the ACL table. Use the ip access-group command at the interface level to bind the ACL to an interface.
wildcard  Specifies the portion of the source IP host address to match against. The wildcard is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the source-ip. Ones mean any value matches. For example, the source-ip and wildcard values 10.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 10.157.22.x match the policy.
priority | priority-force | priority-mapping  The priority option assigns an internal priority to traffic that matches the ACL. In addition to changing the internal forwarding priority, if the outgoing interface is an 802.1q interface, this option maps the specified priority to its equivalent 802.1p (QoS) priority and marks the packet with the new 802.1p priority. This option is applicable for inbound ACLs only.
operator  Specifies a comparison operator for the TCP or UDP port number. You can enter one of the following operators:
• eq – The policy applies to the TCP or UDP port name or number you enter after eq.
• gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt.
Filtering traffic with ICMP packets
Use the following parameters if you want to filter traffic that contains ICMP packets. These parameters apply only if you specified icmp as the ip-protocol value.
precedence name | num  The precedence option of an IP packet is set in a three-bit field following the four-bit header-length field of the packet’s header.
NOTE
This parameter is not supported on Brocade NetIron CES or Brocade NetIron CER devices.
You can specify one of the following names or numbers:
• critical or 5 – The ACL matches packets that have the critical precedence. If you specify the option number instead of the name, specify number 5.
Using ACL QoS options to filter packets
You can filter packets based on their QoS values by entering values for the following parameters:
tos name | num  Specify the IP ToS name or number.
NOTE
This parameter is not supported on Brocade NetIron CES or Brocade NetIron CER devices.
You can specify one of the following:
• max-reliability or 2 – The ACL matches packets that have the maximum reliability ToS. The decimal value for this option is 2.
value  You can match based upon a specified IP Option value. Values between 1 - 255 can be used.
keyword  You can use the any keyword to match packets with IP Options or use the ignore keyword to match packets with or without IP Options.
NOTE
If you are configuring a filter to permit or deny rsvp or igmp packets, it will ignore IP options within the packet by default.
Configuration example for standard ACL
To configure a named standard ACL entry, enter commands such as the following.
Brocade(config)# ip access-list standard Net1
Brocade(config-std-nacl-Net1)# deny host 10.157.22.26
Brocade(config-std-nacl-Net1)# deny 10.157.29.
3. Enter the show access-list command to display the updated list.
Brocade(config)# show access-list name entry
Standard IP access list entry
10: deny host 10.2.4.5
30: deny host 10.6.7.8
40: permit any
NOTE
If you try to delete an ACL filter rule using the sequence number, but the sequence number that you specify does not exist, the following error message will be displayed.
NOTE
The command prompt changes after you enter the ACL type and name. The “ext” in the command prompt indicates that you are configuring entries for an extended ACL. The “nacl” indicates that you are configuring a named ACL.
Brocade(config)#show access-list 99
ACL configuration:
!
Standard IP access list 99
10: access-list 99 deny host 10.10.10.1
20: access-list 99 permit any
For a named ACL, enter a command such as the following.
Brocade(config)#show access-list name entry
Standard IP access list entry
10: deny host 5.6.7.8
20: deny host 192.168.12.
Simultaneous per VLAN rate limit and QoS
This does not affect CAM occupancy; that is, a single-entry Layer-2 ACL still takes one CAM entry, even though system-max l2-acl-table-entries is configured to 256. The example in the above section configures Layer-2 ACL 1399, the maximum Layer-2 ACL number.
VLAN Accounting
VLAN accounting already existed in the previous release. It now works with the increased ACL infrastructure on NetIron CES and NetIron CER devices as well.
Modifying ACLs
When you configure any ACL, a sequence number is assigned to each ACL entry. If you do not specify the sequence number, the software assigns one to each entry: the smallest multiple of 10 greater than the sequence number of the last ACL entry provisioned in the ACL table (for example, 20 after an entry numbered 12). Therefore, when you do not specify a sequence number, the rule is added to the end of the ACL table. The default value for the first entry in an IPv4 ACL table is “10”.
Modify an ACL by configuring an ACL list on a file server.
1. Use a text editor to create a new text file. When you name the file, use 8.3 format (up to eight characters in the name and up to three characters in the extension).
NOTE
Make sure the Brocade device has network access to the TFTP server.
2. Optionally, clear the ACL entries from the ACLs you are changing by placing commands such as the following at the top of the file.
Adding or deleting a comment
You can add or delete comments to an IP ACL entry.
Numbered ACLs: Adding a comment
To add a comment to an ACL entry in a numbered IPv4 ACL, perform the tasks listed below.
1. Use the show access-list command to display the entries in an ACL.
Example
Brocade(config-std-nacl)# show access-list 99
Standard IP access-list 99
deny host 10.2.4.5
permit host 10.6.7.8
2.
Complete the syntax by specifying any options you want for the ACL entry. Options you can use to configure standard or extended numbered ACLs are discussed in “Configuring standard or extended named ACLs”.
Numbered ACLs: deleting a comment
For example, if the remark “Permit all users” has been defined for ACL 99, remove the remark by entering the following command.
Enter deny to deny the specified traffic or permit to allow the specified traffic. Complete the configuration by specifying options for the standard or extended ACL entry. Options you can use to configure standard or extended named ACLs are discussed in the section “Configuring standard or extended named ACLs”.
Named ACLs: deleting a comment
To delete a remark from a named ACL, enter the following command.
Brocade(config)# vlan 10 name IP-subnet-vlan
Brocade(config-vlan-10)# untag ethernet 1/1 to 1/20 ethernet 2/1 to 2/12
Brocade(config-vlan-10)# router-interface ve 1
Brocade(config-vlan-10)# exit
Brocade(config)# access-list 1 deny host 10.157.22.26
Brocade(config)# access-list 1 deny 10.157.29.
Enabling ACL duplication check
mac access-list SampleACL
 permit any any 10 etype any
!
Brocade(config)# show access-list bindings
L4 configuration:
!
interface ethe 2/1
 mac access-group SampleACL in
!
Brocade(config)#show cam l2acl SLOT/PORT
SLOT/PORT  Interface number
Brocade(config)# sh cam l2acl 2/1
LP  Index (Hex)  VLAN  Src MAC         Dest MAC        Port  Action
2   0a3800       10    0000.0000.0000  0000.0000.0000  0     Pass
2   0a3802       0     0000.0000.0000  0000.
Syntax: [no] acl-duplication-check
Enabling ACL conflict check
If desired, you can enable software checking for conflicting ACL entries. To do so, enter the following command at the Global CONFIG level of the CLI.
Brocade(config)# acl-conflict-check
Brocade(config)# access-list 173 permit ip host 1.1.6.203 198.6.1.0 0.0.0.255
Brocade(config)# access-list 173 deny ip host 1.1.6.203 198.6.1.0 0.0.0.255
Warning: Conflicting entry in ACL 173: permit ip host 1.1.6.203 198.6.1.
Enabling ACL filtering of fragmented or non-fragmented packets
Named ACLs
Brocade(config)# ip access-list extended entry
Brocade(config-ext-nacl)# deny ip any any fragment
Brocade(config)# int eth 1/1
Brocade(config-if-e10000-1/1)# ip access-group entry in
Brocade(config)# write memory
The first line in the example defines an ACL entry that denies any fragmented packets. Other packets are denied or permitted based on the next filter condition.
This can be a particular problem for deny ACLs because packets can be dropped that should be forwarded. For this reason, the conservative ACL fragment mode has been created to treat fragmented packets differently both when the fragment keyword is and is not used.
TABLE 17 ACL entry with Layer-3 information only and fragment keyword in ACL
Action  | Packet matches AND is either a non-fragmented or the 1st packet within a fragmented packet flow | Packet matches AND is a non-initial packet within a fragmented packet flow
permit  | No – Does not match because fragment keyword is in ACL and packet is either non-fragmented or the 1st packet within a fragmented packet flow.
TABLE 19 ACL entry with Layer-3 and Layer-4 information and fragment keyword in ACL
Action  | Packet matches AND is either a non-fragmented or the 1st packet within a fragmented packet flow | Packet matches AND is a non-initial packet within a fragmented packet flow
permit  | No – Does not match because fragment keyword is in ACL and packet is either non-fragmented or the 1st packet within a fragmented packet flow.
Non-fragmented packets will not match the first ACL entry because the fragment keyword is present. The packet will then match the second (deny) ACL entry and consequently will be dropped.
ACL configuration example with fragment keyword and deny clause
In the following example, ACL 101 is configured to process fragmented IP packets in Normal and Conservative ACL modes as described.
Brocade(config)# access-list 101 deny tcp 10.1.0.0.0.0.0.
Brocade(config-if-e1000-3/1)# no spanning-tree
Brocade(config-if-e1000-3/1)# exit
Brocade(config)# access-list 102 deny ip any any fragment
Brocade(config)# access-list 102 permit ip any any
Behavior In Normal ACL Fragment Mode – In the normal Brocade device mode, fragmented and non-fragmented packets will be dropped or forwarded as described in the following: All IP fragments (both initial and subsequent fragments) will match the first ACL
Behavior In Conservative ACL Fragment Mode – If the Brocade device is configured for Conservative ACL Fragment mode using the acl-frag-conservative command, fragmented and non-fragmented packets will be dropped or forwarded as described in the following: The initial fragment will not match the first ACL entry because the fragment keyword is present.
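The following Python is an added example, not code from this guide or the device, that ties together the extended-ACL matching rules from this chapter: wildcard masks as defined under the wildcard parameter (0 bits must match, 1 bits are don't-care), the TCP/UDP port operators (the page shows eq and gt; lt, neq and range are assumed here), the implicit deny when no entry matches (stated above for ACL 103), and the fragment keyword under normal versus conservative ACL fragment mode exactly as the ACL 102 discussion describes it. Treating a non-initial fragment as unable to satisfy a port test, because it carries no Layer-4 header, is this example's modeling of the problem described above; the device's full behavior is the one given in Tables 17 through 19. The packets are constructed for illustration.

```python
"""Evaluating an extended IPv4 ACL the way the guide describes: wildcard
masks (0 bits must match, 1 bits are don't-care), TCP/UDP port operators,
the implicit deny at the end of the table, and the fragment keyword in
normal versus conservative ACL fragment mode. Added example, not code from
the IronWare guide; the packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any": every wildcard bit set


def wildcard_match(addr: str, value: str, wildcard: str) -> bool:
    a, v, w = (int(ipaddress.IPv4Address(x)) for x in (addr, value, wildcard))
    care = 0xFFFFFFFF ^ w              # bits that are 0 in the wildcard must match
    return (a & care) == (v & care)


def port_match(op: Optional[Tuple], port: Optional[int]) -> bool:
    """op is None (no port test), ("eq"|"gt"|"lt"|"neq", n) or ("range", lo, hi).
    The guide shows eq and gt; lt, neq and range are assumed here."""
    if op is None:
        return True
    if port is None:                   # non-initial fragment: no L4 header to test (assumption)
        return False
    kind, *args = op
    if kind == "eq":
        return port == args[0]
    if kind == "gt":
        return port > args[0]
    if kind == "lt":
        return port < args[0]
    if kind == "neq":
        return port != args[0]
    if kind == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown operator {kind}")


@dataclass
class Clause:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; otherwise "tcp", "udp", "icmp", ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    src_port: Optional[Tuple] = None
    dst_port: Optional[Tuple] = None
    fragment: bool = False


def clause_matches(c: Clause, pkt: dict, mode: str) -> bool:
    if c.proto != "ip" and c.proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], c.src, c.src_wc)
            and wildcard_match(pkt["dst"], c.dst, c.dst_wc)):
        return False
    if c.fragment:
        # normal mode: the keyword matches every fragment, initial or not;
        # conservative mode: only non-initial fragments (ACL 102 discussion)
        allowed = {"initial", "noninitial"} if mode == "normal" else {"noninitial"}
        if pkt["frag"] not in allowed:
            return False
    return port_match(c.src_port, pkt.get("sport")) and port_match(c.dst_port, pkt.get("dport"))


def evaluate(acl, pkt, mode="normal"):
    """Return (action, seq) of the first matching clause in sequence order,
    or ("deny", None) for the implicit deny when nothing matches."""
    if mode not in ("normal", "conservative"):
        raise ValueError(f"unknown fragment mode {mode}")
    for c in sorted(acl, key=lambda c: c.seq):
        if clause_matches(c, pkt, mode):
            return c.action, c.seq
    return "deny", None


# ACL 102 from the guide: deny fragments, permit everything else
ACL_102 = [
    Clause(10, "deny", "ip", *ANY, *ANY, fragment=True),
    Clause(20, "permit", "ip", *ANY, *ANY),
]
# A port-specific permit with only the implicit deny behind it
ACL_WEB = [Clause(10, "permit", "tcp", *ANY, "10.157.22.26", "0.0.0.255", dst_port=("eq", 80))]

# Constructed packets: a plain TCP packet, the first fragment of the same
# flow, and a later fragment that carries no TCP header
PLAIN = dict(proto="tcp", src="192.0.2.7", dst="10.157.22.99", sport=40000, dport=80, frag="none")
FIRST_FRAG = dict(PLAIN, frag="initial")
LATER_FRAG = dict(PLAIN, sport=None, dport=None, frag="noninitial")
```

The ACL_WEB case is the one the text warns about: a later fragment of a permitted HTTP flow falls through a port-qualified permit to the implicit deny, so a port-specific ACL with no fragment-aware entry quietly breaks fragmented flows.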
Filtering and priority manipulation based on 802.1p priority
• 4 – qosp4
• 5 – qosp5
• 6 – qosp6
• 7 – qosp7
If a packet’s 802.1p value is forced to another value by its assignment to a lower value queue, it will retain that value when it is sent out through the outbound port. The default behavior on previous revisions of this feature was to send the packet out with the higher of two possible values: the initial 802.
Brocade(config)# access-list 100 permit udp 10.1.1.0/24 10.75.34.0/24 priority-mapping 7
The priority-mapping parameter specifies one of the eight possible 802.1p priority values. Possible values are between 0 and 7.
NOTE
When the priority configured for a physical port and the 802.1p priority of an arriving packet differ, the higher of the two priorities is used.
3 ICMP filtering for extended ACLs The acl-name | acl-num parameter allows you to specify an ACL name or number. If using a name, specify a string of up to 256 alphanumeric characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, “ACL for Net1”). The acl-num parameter allows you to specify an ACL number if you prefer. If you specify a number, enter a number from 100 – 199 for extended ACLs.
Binding IPv4 inbound ACLs to a management port 3
TABLE 20 ICMP message types and codes
ICMP message type      Type  Code
precedence-cutoff      3     15
protocol-unreachable   3     2
reassembly-timeout     11    1
redirect               5     x
router-advertisement   9     0
router-solicitation    10    0
source-host-isolated   3     8
source-quench          4     0
source-route-failed    3     5
time-exceeded          11    x
timestamp-reply        14    0
timestamp-request      13    0
ttl-exceeded           11    0
unreachable            3     x
NOTE: This includes all redirects.
3 IP broadcast ACL
NOTE
For an IPv4 inbound ACL applied to a management port, the user can log traffic matching both “permit” and “deny” ACL filters that have the log keyword. The ip access-group enable-deny-logging command is not required to turn on logging on a management port.
NOTE
On Brocade NetIron CES or Brocade NetIron CER devices you can bind an ACL with accounting clauses to the management port. However, no ACL counters will be incremented by packets permitted or denied by those clauses.
IP broadcast ACL 3
• For LAG ports, all ports within the LAG are required to have the same IP broadcast ACL applied to them before the LAG is created. On deleting the LAG, the IP broadcast ACL binding is replicated on all individual LAG ports.
• IP directed-broadcast ACL binding is not permitted on VPLS and VLL endpoints.
• For interface-level inbound IPv4 ACLs or Rate Limiting ACLs (RL-ACLs): traffic matching IP broadcast ACLs is not subject to interface-level ACLs or RL-ACLs.
3 IP broadcast ACL The no option is used to disable filtering of directed broadcast traffic on an individual interface. NOTE IP tunnel interfaces are not supported. NOTE Upon dynamically configuring or removing the ip broadcast-zero command, you must manually rebind the subnet broadcast ACLs. Configuration example for IP broadcast ACL Figure 1 illustrates how filtering of IP directed broadcast traffic is enabled on the Router 3 interface.
3 IP broadcast ACL Brocade(config-if-e1000-4/1)# show access-list subnet-broadcast accounting ethernet 4/1 Subnet broadcast ACL 120 0: permit udp host 10.10.10.1 host 10.20.20.255 Hit count: (1 sec) 0 (1 min) 0 (5 min) 0 (accum) 0 1: permit tcp host 10.10.10.1 host 10.20.20.
3 IP broadcast ACL CAM
Syntax: show access-list subnet-broadcast accounting global
Table 22 describes the output parameters of the show access-list subnet-broadcast accounting global command.
TABLE 22 Output parameters of the show access-list subnet-broadcast accounting global command
Field                     Description
Subnet broadcast ACL ID   The ID of the IP broadcast ACL.
#                         The index of the IP broadcast ACL entry, starting with 0, followed by the permit or deny condition defined for that ACL entry.
IP broadcast ACL CAM 3 NOTE Hitless upgrade support for the IP broadcast ACL CAM entries is supported only on the Brocade NetIron XMR and Brocade MLX series devices.
3 IP receive ACLs Rebinding of IP broadcast ACL CAM entries To rebind IP broadcast ACL CAM entries, enter the following command. Brocade(config)# ip rebind-subnet-broadcast-acl Syntax: [no] ip rebind-subnet-broadcast-acl The no option is used to disable rebinding of IP broadcast ACL CAM entries. NOTE The ip rebind-subnet-broadcast-acl command is applicable only for Brocade NetIron XMR and Brocade MLX series devices.
IP receive ACLs 3
• deny icmp host 10.1.1.1 host 10.2.2.2
• deny icmp host 10.1.1.1 host 10.10.10.1
• deny icmp host 10.1.1.1 host 10.10.20.1
NOTE
You must rebind an rACL whenever it is changed, as described in “Rebinding a rACL definition or policy-map”; otherwise, entries that are now invalid will remain in CAM.
NOTE
For more information on configuring the acl-mirror-port command for IP receive ACLs, refer to the Multi-Service IronWare Switching Configuration Guide.
3 IP receive ACLs NOTE An implicit deny ip any any will be programmed at the end, after all other rACLs. This implicit clause will always be programmed to drop the matching traffic.
IP receive ACLs 3 Syntax: [no] ip receive access-list {acl-num | acl-name} sequence seq-num [policy-map policy-map-name [strict-acl]] By default, traffic matching the “permit” clause in the specified ACL is permitted and traffic matching the “deny” clause in the ACL is dropped.
3 IP receive ACLs
NOTES: The following limitations apply when the number variable has a maximum limit of 16384.
• The 16K receive ACL CAM partition is not supported in CAM profiles such as IPv6, Multi-service 3, and Multi-service 4.
• Depending on the configuration, any of the IPv4 ACL sub-partitions, such as IP Source Guard, Broadcast ACL, IP Multicast, and OpenFlow, should be decreased to allow the creation of the 16K rACL partition.
3 IP receive ACLs Displaying accounting information for rACL To display rACL accounting information for ACL number “102”, use the following command. Brocade# show access-list receive accounting 102 To display rACL accounting information for the ACL named “acl_ext1”, use the following command.
3 ACL CAM sharing for inbound ACLs for IPv4 ACLs (Brocade NetIron XMR and Brocade MLX series devices only) ACL CAM sharing for inbound ACLs for IPv4 ACLs (Brocade NetIron XMR and Brocade MLX series devices only) ACL CAM sharing allows you to conserve CAM by sharing it between ports that are supported by the same packet processor (PPCR). If this feature is enabled globally, you can share CAM space that is allocated for inbound ACLs between instances on ports that share the same packet processor (PPCR).
Matching on TCP header flags for IPv4 ACLs 3
Matching on TCP header flags for IPv4 ACLs
In this release, you can match packets on one additional TCP header flag using IPv4 ACLs. The following command implements the additional TCP parameter for IPv4 ACLs.
Syntax: [no] access-list num permit | deny tcp any any syn
The num parameter indicates the ACL number and must be from 1 - 99 for a standard ACL or from 100 - 199 for an extended ACL. The tcp parameter indicates that you are filtering the TCP header.
3 ACL deny logging • On Brocade NetIron CES and Brocade NetIron CER devices, ACL Deny Logging takes precedence over ACL Accounting. If the ip access-group enable-deny-logging command is configured on the interface, and both keywords (enable-accounting and log) are present in the same ACL clause, the statistics for that specific ACL clause are not collected.
ACL deny logging 3
filter 0: enable-deny-logging is enabled and the clause contains the keyword log, so a match creates an entry in the syslog file; no redirection occurs.
filter 1: redirect-deny-to-interf is enabled and the filter does not contain the keyword log, so matching packets will be forwarded out interface e 1/8; no log entry is created, and statistics are collected.
3 ACL deny logging
NOTE
Using this command, ACL logging can be enabled and disabled dynamically without rebinding the ACLs using the ip rebind-acl command.
Configuring ACL Deny Logging for IP receive ACLs
Because ACL logging for IP receive ACLs applies to all CPU-bound traffic, you only need to configure the following command globally, as shown.
ACL accounting 3
Log example
The following examples display typical log entries where the ACL Deny Logging feature is configured.
[IPv4 Inbound ACL]
Dec 16 12:12:29:I:list 102 denied tcp 10.10.10.1(1024)(Ethernet 3/1 0000.0000.0010) - 10.20.20.1(1025), 27298224 event(s)
[L2 MAC ACL]
Dec 16 12:12:29:I: MAC ACL 400 denied 1 packets on port 3/16 [SA:0000.0000.0020, DA:0000.0000.
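As an added defender-side example (not from the guide), the following Python parses the “[IPv4 Inbound ACL]” deny-log format shown above and totals the reported event counts per flow, since the device folds repeated denies into one line carrying an event count. The first sample line is the guide's; the others are constructed, and the L2 MAC ACL entry format is not modelled.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Field layout of the "[IPv4 Inbound ACL]" deny-log entry shown above.
DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}):I:"
    r"list (?P<acl>\S+) denied (?P<proto>[a-z]+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\)"
    r"\((?P<iface>Ethernet \S+) (?P<smac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) - "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<events>\d+) event\(s\)$"
)

FlowKey = Tuple[str, str, str, str, int]  # (acl, src, dst, proto, dport)


def parse_deny(line: str) -> Optional[dict]:
    """Return the fields of one IPv4 inbound ACL deny entry, or None for other lines."""
    m = DENY_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for name in ("sport", "dport", "events"):
        rec[name] = int(rec[name])
    return rec


def summarize(lines: List[str], threshold: int) -> Tuple[Dict[FlowKey, int], List[FlowKey], List[str]]:
    """Total the reported event counts per flow and flag flows at or above threshold.

    The device rate-limits this log: one entry stands for `events` denied packets,
    so counting lines would badly under-report. The source port is left out of
    the key because clients cycle through ephemeral ports.
    """
    totals: Dict[FlowKey, int] = defaultdict(int)
    unparsed: List[str] = []
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            unparsed.append(line)
            continue
        key = (rec["acl"], rec["src"], rec["dst"], rec["proto"], rec["dport"])
        totals[key] += rec["events"]
    flagged = sorted((k for k, n in totals.items() if n >= threshold), key=lambda k: -totals[k])
    return dict(totals), flagged, unparsed


# First line is the guide's sample entry; the rest are constructed for this example.
SAMPLE_LOG = [
    "Dec 16 12:12:29:I:list 102 denied tcp 10.10.10.1(1024)(Ethernet 3/1 0000.0000.0010) - 10.20.20.1(1025), 27298224 event(s)",
    "Dec 16 12:13:29:I:list 102 denied tcp 10.10.10.1(1026)(Ethernet 3/1 0000.0000.0010) - 10.20.20.1(1025), 1200 event(s)",
    "Dec 16 12:13:30:I:list 102 denied udp 10.10.10.7(5353)(Ethernet 3/2 0000.0000.0011) - 10.20.20.9(53), 3 event(s)",
    "Dec 16 12:14:00:I:System: Interface ethernet 3/1, state up",  # constructed, not an ACL entry
]


def flagged_flows(threshold: int = 1000) -> List[FlowKey]:
    """Flows in the sample log whose summed deny events reach the threshold."""
    return summarize(SAMPLE_LOG, threshold)[1]


if __name__ == "__main__":
    totals, flagged, unparsed = summarize(SAMPLE_LOG, 1000)
    for key in flagged:
        acl, src, dst, proto, dport = key
        print(f"ACL {acl}: {src} -> {dst} {proto}/{dport}: {totals[key]} denied packet events")
    print(f"{len(unparsed)} non-ACL line(s) skipped")
```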
3 ACL accounting ACL accounting on Brocade NetIron CES and Brocade NetIron CER devices The following special considerations affect how ACL accounting is configured on Brocade NetIron CES and Brocade NetIron CER devices. Enabling ACL accounting on Brocade NetIron CES and Brocade NetIron CER devices On Brocade NetIron CES and Brocade NetIron CER devices you enable ACL accounting explicitly in each clause of an ACL for which you want to gather statistics.
ACL accounting 3
ACL deny logging and ACL accounting
On Brocade NetIron CES and Brocade NetIron CER devices, if ACL deny logging and ACL accounting are enabled on the same ACL clause, deny logging takes precedence and ACL accounting statistics will not be available for that clause.
ACL Accounting interactions between L2 ACLs and IP ACLs
You can bind dual inbound ACLs (one L2 ACL and one IP ACL) to a single port on a Brocade NetIron CES or Brocade NetIron CER device.
3 ACL accounting
Displaying statistics for an interface
To display statistics for an interface, enter commands such as the following.
Brocade(config)# show access-list accounting ve 1 in
Collecting ACL accounting for VE 1 ... Completed successfully.
ACL Accounting Information:
Inbound: ACL 111
1: deny tcp any any
Hit count: (1 sec) 237000 (1 min) 12502822 (5 min) 87014178 (accum) 99517000
3: permit ip any any
Hit count: (1 sec) 236961 (1 min) 13037569 (5 min) 0 (accum) 13037569
0: deny tcp 10.1.1.0 10.0.0.
Commands 3 The policy-based-routing parameter limits the display to policy-based routing accounting information. This option is only available for incoming traffic. The rate-limit parameter limits the display to rate limiting ACL accounting information.
3 clear access-list receive accounting
clear access-list receive accounting
Clears IPv4 receive access-control list (rACL) accounting statistics.
Syntax
clear access-list receive accounting {all | name acl-name}
Command Default
Parameters
all             Specifies clearing accounting statistics for all configured IPv4 rACLs.
name acl-name   Specifies the name of the IPv4 rACL for which to clear accounting statistics.
Command Modes
ip receive access-list 3 ip receive access-list Configures an IPv4 access-control list as an IPv4 receive access-control list (rACL). The no form of the basic command removes the rACL. The no form of the command with the policy-map option specified removes both the policy-map and the strict-acl option: the rACL remains.
3 ip receive access-list
History
Release                           Command History
Multi-Service IronWare R05.6.00   This command was modified to support named rACLs.
ip receive deactivate-acl-all 3 ip receive deactivate-acl-all Deactivates the IPv4 receive access-control list (rACL) configuration and removes all the rules from Content Addressable Memory (CAM). The no form of this command reactivates the rACL configuration.
3 ip receive delete-acl-all
ip receive delete-acl-all
Deletes IPv4 receive access-control list (rACL) rules from the system.
Syntax
ip receive delete-acl-all
Command Default
Parameters
None.
Command Modes
Global configuration mode
Usage Guidelines
You must confirm that you wish to proceed with the deletion. In response to the prompt “Are you sure?”, you must enter ‘y’ or ‘n’.
Examples
The following example deletes all IPv4 rACL rules from the system.
ip receive rebind-acl-all 3
ip receive rebind-acl-all
Rebinds an IPv4 receive access-control list (rACL).
Syntax
ip receive rebind-acl-all
Command Default
Parameters
None
Command Modes
Global configuration mode
Usage Guidelines
When access list rules are modified or a policy map associated with a rACL is changed, an explicit rebind must be performed to propagate the changes to the interfaces.
Examples
The following example rebinds an IPv4 rACL.
3 show access-list bindings
show access-list bindings
Displays all IPv4 access-lists bound to different interfaces. This includes both rule-based ACL and receive access-control list (rACL) information.
Syntax
show access-list bindings
Command Default
Parameters
None
Command Modes
User EXEC mode
Privileged EXEC mode
Global configuration mode
Usage Guidelines
Examples
The following example displays all IPv4 access-list bindings.
3 show access-list receive accounting
show access-list receive accounting
Displays accounting information for an IPv4 receive access-control list (rACL).
Syntax
show access-list receive accounting {acl-num | name acl-name}
Command Default
Parameters
acl-num         Specifies a receive access-control list in number format.
name acl-name   Specifies a receive access-control list in name format.
Command Modes
3 suppress-acl-seq
suppress-acl-seq
Hides or suppresses the display and storage of sequence numbers for ACL entries. The no version of this command resets the configuration to the default value.
Syntax
suppress-seq-num
no suppress-seq-num
Command Default
By default, suppress-seq-num is turned OFF.
Parameters
None
Command Modes
acl-policy subconfiguration mode
Usage Guidelines
Multi-Service IronWare R05.6.00 supports ACL entry sequence numbers.
Chapter 4 Configuring an IPv6 Access Control List Table 24 displays the individual Brocade devices and the IPv6 Access Control List features they support.
4 Configuring an IPv6 Access Control List Brocade devices support IPv6 access control lists (ACLs), which you can use for traffic filtering. You can configure up to 200 IPv6 ACLs. For details on Layer 2 ACLs, refer to “Layer 2 Access Control Lists”. For details on IPv4 ACLs, refer to “Access Control List”. An IPv6 ACL is composed of one or more conditional statements that identify an action (permit or deny) if a packet matches a specified source or destination prefix.
Configuring an IPv6 Access Control List 4
IPv6 ACLs also support the filtering of packets based on DSCP values.
NOTE
IPv6 ACLs are only applied to routed packets. This also includes mirror and deny-log actions.
Configuration considerations for dual inbound ACLs on Brocade NetIron CES and Brocade NetIron CER devices
You can bind an inbound L2 ACL and an inbound IP ACL to the same port on Brocade NetIron CES and Brocade NetIron CER devices. The IP ACL is applied first to incoming packets.
4 Configuring an IPv6 Access Control List
• Remove the IPv6 outbound ACL from a VPLS, VLL, or VLL-local endpoint before removing the port from the VPLS, VLL, or VLL-local instance or corresponding VLAN.
• Remove the IPv6 outbound ACL from a VPLS, VLL, or VLL-local endpoint before deleting the VPLS, VLL, or VLL-local instance or corresponding VLAN.
• If the VPLS, VLL, or VLL-local endpoint is a LAG port, you must first remove the IPv6 outbound ACL from the primary LAG port before deleting the LAG.
Configuring an IPv6 Access Control List 4
The following example displays show access-list command output for IPv6 ACL “ip6_” when suppress-acl-seq is OFF.
4 Using IPv6 ACLs as input to other features
remark-entry sequence 7 permit all ipv6 traffic for 1::3
remark-entry sequence 9 deny udp traffic for 1::2
deny udp host 1::2 any sequence 9
remark-entry sequence 10 permit all ipv6 traffic for 1::1
permit ipv6 host 1::1 any
remark allow only sctp traffic for 1::10
permit sctp host 1::10 any sequence 12
remark-entry sequence 15 deny all tcp traffic for 1::9
remark-entry sequence 17 deny tcp traffic for 1::2
deny tcp host 1::2 any sequence 17
remark-entry sequen
Configuring an IPv6 ACL 4 • Control access to and from a Brocade device. Example configurations To configure an access list that blocks all Telnet traffic received on port 1/1 from IPv6 host 2000:2382:e0bb::2, enter the following commands.
4 Configuring an IPv6 ACL
Brocade(config)# ipv6 access-list rtr
Brocade(config-ipv6-access-list rtr)# deny tcp 2001:1570:21::/24 2001:1570:22::/24
Brocade(config-ipv6-access-list rtr)# deny udp any range 5 6 2001:1570:22::/24
Brocade(config-ipv6-access-list rtr)# permit ipv6 any any
Brocade(config-ipv6-access-list rtr)# write memory
The first condition in this ACL denies TCP traffic from the 2001:1570:21::x network to the 2001:1570:22::x network.
Configuring an IPv6 ACL 4
Brocade(config)# access-list 101 deny ipv6 any any
In the above example, the first ACL entry will have the default sequence number “10” assigned to it, the second ACL entry will have the user-defined sequence number “12”, the third ACL entry will have sequence number “20” assigned to it (the smallest number divisible by 10 that is greater than 12), and the fourth ACL entry will have sequence number “30” assigned to it (the smallest number divisible by 10 that is greater than 20), an
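An added Python model of the sequence-number assignment just described (constructed for this edit, not the guide's or Brocade's code), extended with the delete-by-sequence and delete-by-attributes operations and the suppressed-sequence display covered nearby. It assumes that a sequence number already in use is rejected and that entries are kept and displayed in ascending sequence order.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AclEntry:
    sequence: int
    clause: str  # the filter text, e.g. "deny ipv6 any any"


@dataclass
class Ipv6Acl:
    name: str
    entries: List[AclEntry] = field(default_factory=list)

    def next_default_sequence(self) -> int:
        """Smallest multiple of 10 greater than the highest sequence in use; 10 for an empty ACL."""
        if not self.entries:
            return 10
        highest = max(e.sequence for e in self.entries)
        return (highest // 10 + 1) * 10

    def add(self, clause: str, sequence: Optional[int] = None) -> int:
        """Add a filter; without an explicit sequence the default rule above applies."""
        if sequence is None:
            sequence = self.next_default_sequence()
        if any(e.sequence == sequence for e in self.entries):
            # Assumption of this model: a sequence number already in use is rejected.
            raise ValueError(f"sequence {sequence} already used in ACL {self.name}")
        self.entries.append(AclEntry(sequence, clause))
        # Assumption of this model: entries are kept and shown in ascending sequence order.
        self.entries.sort(key=lambda e: e.sequence)
        return sequence

    def delete(self, sequence: Optional[int] = None, clause: Optional[str] = None) -> bool:
        """Delete by sequence, by exact filter attributes, or by both; True if removed."""
        if sequence is None and clause is None:
            raise ValueError("a sequence number or the filter attributes are required")
        for i, e in enumerate(self.entries):
            if sequence is not None and e.sequence != sequence:
                continue
            if clause is not None and e.clause != clause:
                continue
            del self.entries[i]
            return True
        return False

    def show(self, suppress_seq: bool = False) -> List[str]:
        """Render the ACL the way show output lists it, with or without sequence numbers."""
        if suppress_seq:
            return [e.clause for e in self.entries]
        return [f"{e.sequence}: {e.clause}" for e in self.entries]


def worked_example() -> Ipv6Acl:
    """Reproduces the four-entry numbering walk-through: 10, 12, 20, 30."""
    acl = Ipv6Acl("netw")
    acl.add("permit icmp 2000:2383:e0bb::/64 2001:3782::/64")  # default -> 10
    acl.add("deny udp any any", sequence=12)                   # user-defined -> 12
    acl.add("deny tcp any any")                                # default -> 20
    acl.add("deny ipv6 any any")                               # default -> 30
    return acl


if __name__ == "__main__":
    acl = worked_example()
    print("\n".join(acl.show()))
    acl.delete(sequence=12)
    print("after deleting sequence 12:", acl.show(suppress_seq=True))
```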
4 Configuring an IPv6 ACL
Brocade(config)# ipv6 access-list netw
Brocade(config-ipv6-access-list-netw)# permit icmp 2000:2383:e0bb::/64 2001:3782::/64
Brocade(config-ipv6-access-list-netw)# deny icmp any any nd-na
Brocade(config-ipv6-access-list-netw)# permit ipv6 any any
The first permit statement permits ICMP traffic from hosts in the 2000:2383:e0bb::x network to hosts in the 2001:3782::x network. The deny statement denies ICMP neighbor discovery acknowledgement.
Configuring an IPv6 ACL 4
Deleting an IPv6 ACL entry
You can delete an ACL filter rule with or without providing its sequence number. To delete an ACL filter rule without providing a sequence number, you must specify the filter rule attributes. To delete an ACL filter rule by sequence number, you can provide the sequence number alone or the sequence number together with the other filter rule attributes.
4 Configuring an IPv6 ACL
TABLE 25 Syntax descriptions
IPv6 ACL arguments          Description
ipv6 access-list ACL name   Enables the IPv6 configuration level and defines the name of the IPv6 ACL. The ACL name can contain up to 199 characters and numbers, but cannot begin with a number and cannot contain any spaces or quotation marks. The string "test" is a reserved string and cannot be used as the name of a named standard or extended ACL.
Configuring an IPv6 ACL 4
IPv6 ACL arguments    Description
source-ipv6_address   The host source-ipv6-address parameters allow you to specify a source host IPv6 address that a flow must match to be included in the display.
any                   When specified instead of the ipv6-source-prefix/prefix-length or ipv6-destination-prefix/prefix-length parameters, matches any IPv6 prefix and is equivalent to the IPv6 prefix ::/0.
host                  Allows you to specify a host IPv6 address.
4 Configuring an IPv6 ACL
IPv6 ACL arguments              Description
drop-precedence-force dp-value  This keyword applies in situations where there are conflicting priority values for packets on an ingress port. That conflict can be resolved by performing a priority merge (the default) or by using a force command to direct the router to use a particular value above other values. The drop-precedence-force keyword specifies that the drop precedence specified by an ACL will be used above other values.
Configuring an IPv6 ACL 4
The icmp protocol indicates that you are filtering ICMP packets. To specify an ICMP type, enter a value between 0–255 for the icmp-type parameter. To specify an ICMP code, enter a value between 0–255 for the icmp-code parameter.
4 Configuring an IPv6 ACL
NOTE
Refer to “Configuration considerations for IPv6 ACL and multicast traffic for 2X100GE modules installed on NetIron MLX and NetIron XMR devices” regarding 2x100 GE IPv6 ACL rule exceptions for multicast traffic.
TABLE 26 Syntax descriptions
IPv6 ACL arguments          Description
ipv6 access-list ACL name   Enables the IPv6 configuration level and defines the name of the IPv6 ACL.
Configuring an IPv6 ACL 4
IPv6 ACL arguments    Description
any                   When specified instead of the ipv6-source-prefix/prefix-length or ipv6-destination-prefix/prefix-length parameters, matches any IPv6 prefix and is equivalent to the IPv6 prefix ::/0.
host                  Allows you to specify a host IPv6 address. When you use this parameter, you do not need to specify the prefix length. A prefix length of 128 is implied.
4 Configuring an IPv6 ACL For TCP Syntax: [no] ipv6 access-list acl name Syntax: [no] permit | deny [ vlan vlan-id] tcp ipv6-source-prefix/prefix-length | any | host source-ipv6_address [tcp-udp-operator [source-port-number]] ipv6-destination-prefix/prefix-length | any | host ipv6-destination-address [[tcp-udp-operator [source-port-number]] [ipv6-operator [value]] [tcp-operator [value]] [copy-sflow] | [drop-precedence dp-value] | [drop-precedence-force dp-value] | [dscp dscp-value] | [dscp-marking dscp-va
Configuring an IPv6 ACL 4
TABLE 27 Syntax descriptions
IPv6 ACL arguments          Description
ipv6 access-list ACL name   Enables the IPv6 configuration level and defines the name of the IPv6 ACL. The ACL name can contain up to 199 characters and numbers, but cannot begin with a number and cannot contain any spaces or quotation marks. The string "test" is a reserved string and cannot be used as the name of a named standard or extended ACL.
4 Configuring an IPv6 ACL
IPv6 ACL arguments    Description
source-ipv6_address   The host source-ipv6-address parameters allow you to specify a source host IPv6 address that a flow must match to be included in the display.
any                   When specified instead of the ipv6-source-prefix/prefix-length or ipv6-destination-prefix/prefix-length parameters, matches any IPv6 prefix and is equivalent to the IPv6 prefix ::/0.
host                  Allows you to specify a host IPv6 address.
Configuring an IPv6 ACL 4
IPv6 ACL arguments    Description
tcp-udp-operator      The tcp-udp-operator parameter can be one of the following:
• eq – The policy applies to the TCP or UDP port name or number you enter after eq.
• gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt. Enter "?" to list the port names.
4 Configuring an IPv6 ACL
IPv6 ACL arguments       Description
dscp-marking dscp-value  Use the dscp-marking dscp-value parameter to assign a new QoS value to the packet. If a packet matches the filters in the ACL statement, this parameter assigns the DSCP value that you specify to the packet. Enter 0 – 63.
mirror                   Allows you to mirror packets matching the ACL permit clause.
priority-force value     Allows you to force a packet's outgoing priority. You can specify a value from 0 through 7.
Configuring an IPv6 ACL 4
TABLE 28 Syntax descriptions (Continued)
IPv6 ACL arguments          Description
ipv6 access-list ACL name   Enables the IPv6 configuration level and defines the name of the IPv6 ACL. The ACL name can contain up to 199 characters and numbers, but cannot begin with a number and cannot contain any spaces or quotation marks. The string "test" is a reserved string and cannot be used as the name of a named standard or extended ACL.
4 Configuring an IPv6 ACL
IPv6 ACL arguments    Description
host                  Allows you to specify a host IPv6 address. When you use this parameter, you do not need to specify the prefix length. A prefix length of 128 is implied.
tcp-udp-operator      The tcp-udp-operator parameter can be one of the following:
• eq – The policy applies to the TCP or UDP port name or number you enter after eq.
Configuring an IPv6 ACL 4 Filtering packets based on DSCP values To filter packets based on DSCP values, enter commands such as the following.
4 Extended IPv6 ACLs Syntax: [no] ipv6 access-list name deny | permit routing-header-type type-value Enter a value from 0 - 255 for the routing-header-type type-value parameter to filter packets based on their IPv6 header type value. For more information on the syntax, refer to “ACL syntax”. NOTE The routing-header-type option is separate and independent of the routing option. The routing-header-type and routing options are mutually exclusive and cannot be used in the same filter.
Extended IPv6 ACLs 4
• The following actions are available for the ingress ACL:
  - Permit
  - Deny
  - Copy-sflow
  - Drop-precedence
  - Drop-precedence-force
  - Priority-force
  - Mirror
The following actions are available for the egress ACL:
• Permit
• Deny
Unsupported features for Brocade NetIron CES and Brocade NetIron CER devices
The following features are not supported on the Brocade NetIron CES and Brocade NetIron CER devices:
• ACL deny logging is not supported.
4 Extended IPv6 ACLs Syntax: [no] [sequence num] permit | deny protocol ipv6-source-prefix/prefix-length | any | host source-ipv6_address ipv6-destination-prefix/prefix-length | any | host ipv6-destination-address [ipv6-operator [value]] [copy-sflow] | [drop-precedence dp-value] | [drop-precedence-force dp-value] | [dscp-marking number] | [dscp dscp-value] | [mirror] | [priority-force number] Syntax: regenerate-seq-num [num] The ipv6 access-list acl name parameter enables the IPv6 configuration level and
Extended IPv6 ACLs 4 • dscp – Applies to packets that match the traffic class value in the traffic class field of the IPv6 packet header. Allows you to filter traffic based on TOS or IP precedence. You can specify a value from 0 through 63. • fragments – Applies to fragmented packets that contain a non-zero fragment offset. NOTE This option is supported only when the protocol parameter is IPv6. This option is not applicable to filtering based on source or destination ports, TCP flags, and ICMP flags.
4 Extended IPv6 ACLs
Syntax: [no] [sequence num] permit | deny [ vlan vlan-id] icmp ipv6-source-prefix/prefix-length | any | host source-ipv6_address ipv6-destination-prefix/prefix-length | any | host ipv6-destination-address [ipv6-operator [value]] [ [icmp-type][icmp-code] ] | [icmp-message] | beyond-scope | destination-unreachable | echo-reply | echo-request | header | hop-limit | mld-query | mld-reduction | mld-report | nd-na | nd-ns | next-header | no-admin | no-route | packet-too-big | parameter-optio
Extended IPv6 ACLs 4
• port-unreachable
• reassembly-timeout
• renum-command
• renum-result
• renum-seq-number
• router-advertisement
• router-renumbering
• router-solicitation
• routing
• sequence
• time-exceeded
• unreachable
The following example shows a configuration to filter ICMP packets.
4 Extended IPv6 ACLs The tcp-udp-operator parameter can be one of the following: • eq – Applies to the TCP or UDP port name or number you enter after eq. • gt – Applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt. Enter “?” to list the port names. • lt – Applies to TCP or UDP port numbers that are less than the port number or the numeric equivalent of the port name you enter after lt.
Extended IPv6 ACLs 4
Syntax: regenerate-seq-num [num]
The udp protocol indicates that you are filtering UDP packets. The vlan_id parameter is the VLAN ID of the VLAN whose traffic the ACL filter is applied to match. The [no] version of the command removes the IPv4 or IPv6 ACL filter from the ACL definition. It needs an exact match of the command line and an existing filter in the ACL definition to successfully remove the filter.
4 Extended IPv6 ACLs Configuration considerations for Layer 2 IPv6 ACLs NOTE This feature is supported on Brocade NetIron CES and Brocade NetIron CER devices only. The following configuration considerations apply when configuring layer 2 IPv6 ACLs: • A layer 2 ACL supports two lookups in the ingress direction. When a layer 2 ACL configured with ether type IPv6 is bound to an ingress port, all other layer 2 ACLs are denied on the ingress port. • The egress direction supports only one lookup.
Displaying IPv6 ACL definitions 4
NOTE
This example has accounting enabled, which is not required for Brocade NetIron XMR and Brocade MLX series devices.
access-list 418 deny enable-accounting 2001.1000.1011 ffff.ffff.ffff 2002.1000.1011 ffff.ffff.ffff any etype ipv6
access-list 418 deny enable-accounting 2001.1000.1012 ffff.ffff.ffff 2002.1000.1012 ffff.ffff.ffff any etype ipv6
access-list 418 deny enable-accounting 2001.1000.1013 ffff.ffff.ffff 2002.1000.1023 ffff.ffff.
4 CAM partitioning
ipv6 access-list rtr: 3 entries
10: permit ipv6 host 3000::2 any
20: deny udp any any
30: deny ipv6 any any
Syntax: show ipv6 access-list { count | access-list-name }
The count parameter specifies displaying the total number of IPv6 access lists and the number of filters configured for each list. The access-list-name variable specifies displaying information for a specific IPv6 ACL.
CAM partitioning
Brocade NetIron CES and Brocade NetIron CER devices support CAM partitioning.
Applying an IPv6 ACL 4 Brocade(config)# interface ethernet 3/1 Brocade(config-if-e100-3/1)# ipv6 traffic-filter access1 in This example applies the IPv6 ACL “access1” to incoming IPv6 packets on Ethernet interface 3/1. As a result, Ethernet interface 3/1 denies all incoming packets from the site-local prefix fec0:0:0:2::/64 and the global prefix 2001:100:1::/48 and permits all other incoming packets.
4 Applying an IPv6 ACL
When an IPv6 VRF is dynamically configured on an interface port, all IPv6 addresses on that interface are deleted. The IPv6 ACL binding on the interface is not cleared, because IPv6 ACL programming is independent of the VRF membership of the interface. To apply an IPv6 ACL, for example “access1”, to a VRF interface, enter commands such as the following.
Adding a comment to an IPv6 ACL entry 4
Adding a comment to an IPv6 ACL entry
You can optionally add a comment to describe entries in an IPv6 ACL. The comment appears in the output of show commands that display ACL information. You can add a comment by entering the remark command immediately preceding an ACL entry, or by specifying the ACL entry to which the comment applies. For example, to enter a comment immediately preceding an ACL entry, enter commands such as the following.
4 Adding a comment to an IPv6 ACL entry
• Once the default remark gets associated with a filter:
  • It gets the same sequence number as the filter.
  • You can provision another default remark, which may be used by another filter.
To apply a comment to a specific ACL entry, specify the ACL entry’s sequence number with the remark-entry sequence command. Use the show ipv6 access-list command to list the ACL entry numbers. Enter commands such as the following.
ACL CAM sharing for inbound IPv6 ACLs 4 The following example shows the comment text for the ACL named “rtr” in a show ipv6 access-list display.
4 Filtering and priority manipulation based on 802.1p priority • This feature cannot co-exist with IP Multicast Routing or IP Multicast Traffic Reduction. Configuring ACL CAM sharing for IPv6 ACLs When enabled, ACL CAM sharing for IPv6 inbound ACLs is applied across all ports in a system. To apply ACL CAM sharing for IPv6 ACLs globally on a Brocade device, use the following command.
ACL accounting 4 ACL accounting Multi-Service devices monitor the number of times an ACL is used to filter incoming or outgoing traffic on an interface. The show ipv6 access-list accounting command displays the number of “hits” or how many times ACL filters permitted or denied packets that matched the conditions of the filters. NOTE ACL accounting does not tabulate nor display the number of implicit denials by an ACL. Counters, stored in hardware, keep track of the number of times an ACL filter is used.
4 ACL accounting • You can enable ACL accounting at the filter level by adding an enable-accounting keyword in each clause of an IPv6 ACL for which you want to gather statistics. • IPv6 ACL rate limiting and IPv6 deny logging are not supported. • CAM resources are shared on the devices between Layer 2, IPv4, and IPv6 ACL accounting. This limits the number of ACL accounting instances available on the system.
ACL accounting 4 Displaying statistics for IPv6 ACL accounting To display statistics for IPv6 accounting, enter commands such as the following. Brocade# show ipv6 access-list accounting brief Collecting IPv6 ACL accounting summary for 1/26 ... Completed successfully. Collecting IPv6 ACL accounting summary for 1/25 ... Completed successfully.
4 ACL accounting
Table 31 describes the output parameters of the show ipv6 access-list accounting ethernet command.
TABLE 31 Output of the show ipv6 access-list accounting ethernet command
Field                                          Description
IPv6 ACL                                       Shows the name of the IPv6 traffic filter for the collected statistics.
Collecting IPv6 ACL accounting for interface   Shows the interface for which the ACL accounting information is collected and specifies whether or not the collection is successful.
IPv6 receive ACLs 4
IPv6 receive ACLs
This section discusses the following topics:
• IPv6 receive ACLs overview
• IPv6 receive ACLs configuration considerations
• IPv6 receive ACL prerequisites
• IPv6 receive ACL: basic configuration
• IPv6 receive ACL: additional configuration
• Syslog messages for IPv6 rACLs
• Displaying accounting information for IPv6 rACLs
IPv6 receive ACLs overview
The IPv6 receive access-control list feature (rACL) provides hardware-based filtering capability for IPv6 traffic, des
• After an upgrade to Multi-Service IronWare R05.6.00, the sub-partition size for IPv6 rACL will be “0”. Refer to “Specifying the maximum number of rACLs supported in CAM” on page 218 for more information about changing the default value.
• After a downgrade to a previous release, all configured IPv6 rACLs will be lost.
NOTE
You must write this command to memory and perform a system reload for this command to take effect.

Setting IPv6 Receive ACL to 2048 decreases the size of the Rule ACL sub-partition so that the IPv6 session CAM partition profile is now:

[IPV6 Session]    16384(size), 16384(free), 000.00%(used)
:IPv6 Multicast:   1024(size),  1024(free), 000.00%(used)
:Receive ACL:      2048(size),  2048(free), 000.00%(used)
:Rule ACL:        13312(size), 13312(free), 000.
TABLE 32 Maximum supported size of IPv6 Receive ACLs in CAM profiles

Profile                  Supported   IPv6 rACL size   Rule ACL size   IPv6 Multicast
Default                  Y           1024             3072            0
IPv4 Optimized           N
IPv6 Optimized           Y           8192             16384           0
MPLS VPN Optimized       N
MPLS VPLS Optimized      N
L2 Metro Optimized       N
L2 Metro Optimized #2    N
MPLS VPN Optimized #2    N
MPLS VPLS Optimized #2   N
Multi-Service            Y           2048             6144            0
MPLS VPN+VPLS            N
IPv4 + VPN               N
IPv6 + IPv4              Y           8192             16384           0
IPv4 + VPLS              N
IPv4 + Ipv
Brocade(config)# system-max ipv6-receive-cam 1024
Reload required. Please write memory and then reload or power cycle the system.
Failure to reload could cause system instability on failover.
Newly configured system-max will not take effect during hitless-reload.

Checking for available space when changing the CAM profile

The system will check if there is enough space for the IPv6 Receive ACL sub-partition before changing the CAM profile.
Creating a policy-map

To create a policy map “m1” to rate-limit traffic:

Brocade(config)# policy-map m1
Brocade(config-policymap m1)# cir 1000000 cbs 2000000
Brocade(config-policymap m1)# exit

Applying an IPv6 rACL

To configure IPv6 rACL to apply IPv6 access-list “b1” with a sequence number “15” to all interfaces within the default VRF for all CPU-bound traffic, enter the following command:

Brocade(config)# ipv6 receive access-list b1 sequence 15

To configure IPv6 rACL to apply IPv6
Brocade(config)# show ipv6 access-list bindings
!
ipv6 receive access-list b1 sequence 11
ipv6 receive access-list b2 sequence 12
!

Syntax: show ipv6 access-list bindings

Deactivating the IPv6 rACL configuration

To deactivate the IPv6 rACL configuration and remove all the rules from CAM, enter the following command.

Brocade(config)# ipv6 receive deactivate-acl-all

Syntax: [no] ipv6 receive deactivate-acl-all

The no form of this command reactivates the IPv6 rACL configuration.
Brocade(config-ipv6-access-list b1)# permit ipv6 any any
Brocade(config-ipv6-access-list b1)# exit

Specifying the destination mirror port for physical ports

In the following example, ports “ethernet 3/1” and “ethernet 3/2” belong to the same PPCR.
SYSLOG: <14>Jun 6 10:38:14 FWD14 IPv6-rACL: Activated by operator from console session.

4. ipv6 receive delete-acl-all

SYSLOG: <13>Jun 6 10:39:45 FWD14 IPv6-rACL: Deleting IPv6 Receive ACLs.

5.
Syntax: clear ipv6 access-list receive {all | name acl-name}

The all parameter specifies clearing accounting statistics for all configured IPv6 rACLs. The name acl-name variable specifies clearing accounting statistics for the named rACL.
clear ipv6 access-list receive

Clears IPv6 receive access-control list (rACL) accounting statistics.

Syntax
clear ipv6 access-list receive {all | name acl-name}

Command Default

Parameters
all            Specifies clearing accounting statistics for all IPv6 rACLs.
name acl-name  Specifies clearing accounting statistics for a named IPv6 rACL. The maximum length of an IPv6 access-control list name is 256 characters.

Command Modes
ipv6 receive access-list

Configures an IPv6 access-control list as an IPv6 receive access-control list (rACL). The no form of the basic command removes the rACL. The no form of the command with the policy-map option specified removes both the policy-map and the strict-acl option; the rACL remains.
History

Release                          Command History
Multi-Service IronWare R05.6.00  This command was introduced.
ipv6 receive deactivate-acl-all

Deactivates the IPv6 receive access-control list (rACL) configuration and removes all rules from Content Addressable Memory (CAM). The no form of this command re-activates the rACL configuration.
ipv6 receive delete-acl-all

Deletes IPv6 receive access-control list (rACL) rules from the system.

Syntax
ipv6 receive delete-acl-all

Command Default

Parameters
None.

Command Modes
Global configuration mode

Usage Guidelines
You must confirm that you wish to proceed with the deletion. Enter ‘y’ or ‘n’ in response to the prompt “Are you sure?”.

Examples
The following example deletes all IPv6 rACL rules from the system.
ipv6 receive rebind-acl-all

Rebinds an IPv6 receive access-control list (rACL).

Syntax
ipv6 receive rebind-acl-all

Command Default

Parameters
None

Command Modes
Global configuration mode

Usage Guidelines
When access list rules are modified or a policy map associated with a rACL is changed, an explicit rebind must be performed to propagate the changes to the interfaces.

Examples
The following example rebinds an IPv6 rACL.
show ipv6 access-list bindings

Displays all IPv6 access-lists bound to different interfaces. This includes both rule-based ACL and receive access-control list (rACL) information.

Syntax
show ipv6 access-list bindings

Command Default

Parameters
None

Command Modes
User EXEC mode
Privileged EXEC mode
Global configuration mode

Usage Guidelines

Examples
The following example displays all IPv6 access-list bindings.
show ipv6 access-list receive accounting

Displays accounting information for an IPv6 receive access-control list (rACL).

Syntax
show ipv6 access-list receive accounting {brief | name acl-name}

Command Default

Parameters
brief          Displays IPv6 rACL accounting information in brief.
name acl-name  Specifies the name of a receive access-control list.

Command Modes
system-max ipv6-receive-cam

Configures the number of IPv6 rACL entries in CAM. The no form of this command removes the configured limit and restores the default value.

Syntax
system-max ipv6-receive-cam num
[no] system-max ipv6-receive-cam num

Command Default

Parameters
num  Configures the number of IPv6 rACL entries in CAM. The valid range is from 0 through 8192. The default value is 0.

Command Modes
Chapter 5
Configuring Secure Shell and Secure Copy

Table 33 displays the individual devices and the Secure Shell features they support.
TABLE 33 Supported Secure Shell features (Continued)

Columns (left to right): Brocade NetIron XMR Series; Brocade MLX Series; Brocade NetIron CES 2000 Series BASE package; Brocade NetIron CES 2000 Series ME_PREM package; Brocade NetIron CES 2000 Series L3_PREM package; Brocade NetIron CER 2000 Series Base package; Brocade NetIron CER 2000 Series Advanced Services package.

Features supported                 XMR   MLX   CES BASE   CES ME_PREM   CES L3_PREM   CER Base   CER Advanced Services
3DES as the encryption algorithm   Yes   Yes   Yes        Yes           Yes           Yes        Yes
AES as the encryption algorithm    Yes   Y
• SSH server Protocol Assigned Numbers
• SSH server Transport Layer Encryption Modes
• SCP or SFTP or SSH server URI Format

If you are using redundant management modules, you can synchronize the DSA host key pair and RSA host key pair between the active and standby modules by entering the sync-standby command at the Privileged EXEC level of the CLI. By default these keys are synced to the standby. The user can force a sync using the sync-standby command.
• Data integrity is ensured with the hmac-sha1 algorithm.
• Supported authentication methods are Password and publickey.
• Sixteen inbound SSH server connections at one time are supported.
• One outbound SSH server
• Outbound SSH clients
• Compression is not supported.
• TCP or IP port forwarding, X11 forwarding, and secure file transfer are not supported.
• SSH server version 1 is not supported.
• SCP supports AES encryption.
Brocade# show ip ssh config
SSH server               : Enabled
SSH port                 : tcp\22
Host Key                 : DSA 1024, RSA 2048
Encryption               : AES-256, AES-192, AES-128, 3-DES
Permit empty password    : No
Authentication methods   : Password, Public-key, Interactive
Authentication retries   : 3
Login timeout (seconds)  : 120
Idle timeout (minutes)   : 0
Strict management VRF    : Disabled
SCP                      : Enabled
SSH IPv4 clients         : 10.
SSH IPv6 clients         :
SSH IPv4 access-group    :
SSH IPv6 access-group    :
SSH Client Keys          :
Brocade#
TABLE 34 show ip ssh config command output information

Field            Description
SSH server       Whether the SSH server is enabled or disabled.
SSH server port  SSH server port number.
Encryption       The encryption used for the SSH server connection. The following values are displayed when AES only is enabled:
                 • AES-256, AES-192, and AES-128 indicate the different AES methods used for encryption.
                 • 3-DES indicates the 3-DES algorithm is used for encryption.
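An offline audit of the settings this table describes, added here as an example rather than code from the guide: it parses a saved show ip ssh config listing and flags what a reviewer of this page would look for, namely 3-DES still negotiable, a DSA host key being offered, empty-password logins, a missing SSH access-group, and a retry count above the displayed default. The two listings, the ACL identifiers in them, and the retry threshold are the example's own.

```python
"""Audit a saved 'show ip ssh config' listing for weak settings.

Added example, not part of the Brocade guide. Both listings below are
constructed to mirror the field names shown on this page.
"""
import re

# Constructed sample: 3-DES still negotiable, a DSA host key offered, and no
# access-group bound, so SSH is reachable from any source address.
SAMPLE_SHOW_IP_SSH_CONFIG = """\
SSH server               : Enabled
SSH port                 : tcp\\22
Host Key                 : DSA 1024, RSA 2048
Encryption               : AES-256, AES-192, AES-128, 3-DES
Permit empty password    : No
Authentication methods   : Password, Public-key, Interactive
Authentication retries   : 3
Login timeout (seconds)  : 120
Idle timeout (minutes)   : 0
Strict management VRF    : Disabled
SCP                      : Enabled
SSH IPv4 clients         :
SSH IPv6 clients         :
SSH IPv4 access-group    :
SSH IPv6 access-group    :
SSH Client Keys          :
"""

# Constructed hardened counterpart: AES only, RSA host key only, and both
# access-groups bound (ACL id 12 and the name "mgmt-v6" are made-up values).
HARDENED_SHOW_IP_SSH_CONFIG = """\
SSH server               : Enabled
SSH port                 : tcp\\22
Host Key                 : RSA 2048
Encryption               : AES-256, AES-192, AES-128
Permit empty password    : No
Authentication methods   : Public-key
Authentication retries   : 3
Login timeout (seconds)  : 120
Idle timeout (minutes)   : 10
Strict management VRF    : Enabled
SCP                      : Enabled
SSH IPv4 clients         :
SSH IPv6 clients         :
SSH IPv4 access-group    : 12
SSH IPv6 access-group    : mgmt-v6
SSH Client Keys          :
"""

FINDING_TEXT = {
    "3des-enabled": "3-DES is negotiable; restrict the server to the AES ciphers",
    "dsa-host-key": "a DSA 1024 host key is offered; prefer the RSA 2048 key",
    "empty-password": "empty password logins are permitted",
    "no-ipv4-access-group": "no IPv4 ACL bound; SSH is reachable from any IPv4 source",
    "no-ipv6-access-group": "no IPv6 ACL bound; SSH is reachable from any IPv6 source",
    "many-retries": "more than 3 authentication retries allowed per connection",
}


def parse_ssh_config(text):
    """Turn 'Field : Value' lines into a dict; a blank value is kept as ''."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        cfg[field.strip()] = value.strip()
    return cfg


def split_list(value):
    """'AES-256, 3-DES' -> ['AES-256', '3-DES']."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_ssh_config(cfg):
    """Return the finding codes (keys of FINDING_TEXT) that apply to cfg."""
    findings = []
    if cfg.get("SSH server", "").lower() != "enabled":
        return findings  # a disabled server exposes none of these settings
    ciphers = [c.upper().replace("-", "") for c in split_list(cfg.get("Encryption", ""))]
    if "3DES" in ciphers:
        findings.append("3des-enabled")
    if any(re.match(r"DSA\b", k, re.IGNORECASE) for k in split_list(cfg.get("Host Key", ""))):
        findings.append("dsa-host-key")
    if cfg.get("Permit empty password", "").lower() == "yes":
        findings.append("empty-password")
    for proto in ("IPv4", "IPv6"):
        if not cfg.get(f"SSH {proto} access-group"):
            findings.append(f"no-{proto.lower()}-access-group")
    retries = cfg.get("Authentication retries", "")
    if retries.isdigit() and int(retries) > 3:  # threshold is this example's own policy
        findings.append("many-retries")
    return findings


if __name__ == "__main__":
    for name, listing in (("sample", SAMPLE_SHOW_IP_SSH_CONFIG), ("hardened", HARDENED_SHOW_IP_SSH_CONFIG)):
        codes = audit_ssh_config(parse_ssh_config(listing))
        print(name, [FINDING_TEXT[c] for c in codes] or ["no findings"])
```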
The host DSA key pair is stored in the device’s system-config file. Only the public key is readable. The public key should be added to a “known hosts” file (for example, $HOME/.ssh/known_hosts on OpenSSH Linux & UNIX systems) on the clients that want to access the device. Some SSH client programs add the public key to the known hosts file automatically; in other cases, you must manually create a known hosts file and place the device’s public key in it.
Enabling and disabling SSH server by generating and deleting host keys

To enable SSH server, you must generate a public and private DSA or RSA host key pair on the device. The SSH server on the Brocade device uses this host DSA or RSA key pair, along with a dynamically generated server DSA or RSA key pair, to negotiate a session key and encryption method with the client trying to connect to it.
Deleting DSA and RSA key pairs

To delete DSA and RSA key pairs from the flash memory, enter the following command:

FastIron(config)#crypto key zeroize

Syntax: crypto key zeroize

The zeroize keyword deletes the host key pair from the flash memory. This disables the SSH server.

Providing the public key to clients

The host DSA or RSA key pair is stored in the system-config file of the Brocade device. Only the public key is readable.
Collect one public key of each key type (DSA and/or RSA) from each client to be granted access to the Brocade device and place all of these keys into one file. This public key file may contain up to 32 keys.
Configuring DSA public key authentication

With DSA public key authentication, a collection of clients’ public keys is stored on the device. Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to one of the stored public keys can gain access to the device using SSH server.
NOTE
When one public-key file already exists, downloading a second public-key file will cause the second public-key file to overwrite the existing one. Downloading a public-key file when a public-key file already exists also erases currently loaded public-keys in the active configuration and loads only keys in the newly downloaded file.

To cause a public key file called pkeys.
Setting optional parameters

You can adjust the following SSH server settings on the device:
• Number of SSH server authentication retries
• User authentication method the device uses for SSH server connections
• Whether or not the device allows users to log in without supplying a password
• Port number for SSH server connections
• SSH server login timeout value
• A specific interface to be used as the source for all SSH server traffic from the device
• Maximum idle time
The default is “yes”.

Enabling empty password logins

By default, empty password logins are not allowed. This means that users with an SSH client are always prompted for a password when they log into the device. To gain access to the device, each user must have a user name and password. Without a user name and password, a user is not granted access. Refer to “Setting up local user accounts” for information on setting up user names and passwords on the device.
Designating an interface as the source for all SSH server packets

You can designate a loopback interface, virtual interface, or Ethernet port as the source for all SSH server packets from the device. The software uses the IP address with the numerically lowest value configured on the port or interface as the source IP address for SSH server packets originated by the device.
Filtering SSH server access using ACLs

You can permit or deny SSH server access to the device using ACLs. To configure an ACL that restricts SSH server access to the device, enter commands such as the following.

Brocade(config)# access-list 12 deny host 10.157.22.98
Brocade(config)# access-list 12 deny 10.157.23.0 10.0.0.255
Brocade(config)# access-list 12 deny 10.157.24.
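A way to check offline which client sources such an ACL would let reach the SSH server, added as an example rather than code from the guide: it parses numbered access-list entries in the layout shown above, applies wildcard-mask first-match semantics with the implicit deny at the end, and reports which entry decided. The ACL it uses is constructed (its addresses and masks are made up), and the standard-ACL syntax assumed is access-list id permit|deny {any | host A | A wildcard}.

```python
"""Evaluate a Brocade-style standard ACL against an SSH client source address.

Added example, not code from the guide. The ACL below is constructed in the
layout of the page's access-list 12 example; its addresses and wildcard masks
are made up. Matching is first-match, and an address covered by no entry falls
to the implicit deny (which ACL accounting never counts).
"""
import ipaddress
import re

SAMPLE_ACL = """\
access-list 12 deny host 10.157.22.98
access-list 12 deny 10.157.23.0 0.0.0.255
access-list 12 permit 10.157.0.0 0.0.255.255
"""

ENTRY_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+?)\s*$")
ALL_ONES = 0xFFFFFFFF


def parse_source(spec):
    """Return (base, wildcard) ints for 'any', 'host A' or 'A WILDCARD'.

    A 1 bit in a wildcard mask means "don't care" (the inverse of a netmask).
    """
    parts = spec.split()
    if parts == ["any"]:
        return 0, ALL_ONES
    if len(parts) == 2 and parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    if len(parts) == 2:
        return int(ipaddress.IPv4Address(parts[0])), int(ipaddress.IPv4Address(parts[1]))
    raise ValueError(f"unrecognised source specification: {spec!r}")


def parse_acl(text, acl_id):
    """Collect the (action, base, wildcard) entries of one numbered ACL, in order."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match and match.group(1) == str(acl_id):
            base, wildcard = parse_source(match.group(3))
            entries.append((match.group(2), base, wildcard))
    return entries


def first_match(entries, source):
    """Index of the first entry covering source, or None for the implicit deny."""
    addr = int(ipaddress.IPv4Address(source))
    for index, (_action, base, wildcard) in enumerate(entries):
        care = ~wildcard & ALL_ONES  # bits that must be equal
        if (addr & care) == (base & care):
            return index
    return None


def ssh_source_allowed(entries, source):
    """True only when the first matching entry is a permit."""
    index = first_match(entries, source)
    return index is not None and entries[index][0] == "permit"


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL, 12)
    for src in ("10.157.22.98", "10.157.23.77", "10.157.40.1", "192.0.2.1"):
        verdict = "permit" if ssh_source_allowed(acl, src) else "deny"
        print(f"{src:<14} {verdict:<7} entry={first_match(acl, src)}")
```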
Brocade# show ip ssh
SSH session type codes: N - Netconf, S - Scp
Session   Encryption   HostKey   Username   IP Address
Inbound:
17        aes256-cbc   ssh-dss   labuser    10.37.73.155
Outbound:
SSH-v2.0 disabled

Syntax: show ip ssh [ | begin expression | exclude expression | include expression ]

This display shows the following information about the active SSH server connections.

TABLE 36 SSH server connection information

This field...   Displays...
The show who command also displays information about SSH server connections.

Example

Brocade#show who
Console connections:
        established, monitor enabled, in config mode
        2 minutes 17 seconds in idle
Telnet connections (inbound):
1       closed
2       closed
3       closed
4       closed
5       closed
Telnet connection (outbound):
6       closed
SSH connections:
1       established, client ip address 10.43.2.4, user is hanuma
        1 minutes 16 seconds in idle
2       established, client ip address 10.50.3.
• Public Key authentication
• Message Authentication Code (MAC) algorithm: hmac-sha1
• Key exchange algorithm: diffie-hellman-group1-sha1
• Compression algorithms are not supported.
• The client session can be established through either in-band or out-of-band management ports.
• The client session can be established through IPv4 or IPv6 protocol access.
• The client session can be established to a server listening on a non-default SSH server port.
To delete the RSA host key pair, enter the following command.

Brocade(config)#crypto key client zeroize rsa

Syntax: crypto key client generate | zeroize rsa [modulus modulus-size]

The generate keyword places an RSA host key pair in the flash memory. The zeroize keyword deletes the RSA host key pair from the flash memory. The optional [modulus modulus-size] parameter specifies the modulus size of the RSA key pair, in bits. The valid values for modulus-size are 1024 or 2048.
To start an SSH2 client connection to an SSH2 server using public key authentication, enter a command such as the following:

Brocade# ssh 10.10.10.2 public-key dsa

Syntax: ssh [ipv6] [vrf vrf] ipv4-addr|ipv6-addr|host-name [port] [outgoing-interface {ethernet|ve}] [public-key {dsa|rsa}]

To make IPv6 connections to SSH server, use the parameter [ipv6] followed by the IPv6 address. SSH requests will be initiated only from the ports belonging to the specified vrf.
Using Secure Copy

Secure Copy (SCP) uses security built into SSH server to transfer files between hosts on a network, providing a more secure file transfer method than Remote Copy (RCP), FTP, or TFTP. SCP automatically uses the authentication methods, encryption algorithm, and data compression level configured for SSH server. For example, if password authentication is enabled for SSH server, the user is prompted for a user name and password before SCP allows a file to be transferred.
To copy and append a configuration file (c:\cfg\brocadehp.cfg) to the running configuration file on a device at 192.168.1.50 and log in as user terry, enter the following command on the SCP-enabled client.

C:\> scp c:\cfg\brocadehp.cfg terry@192.168.1.50:runConfig

If you are copying the configuration file from the device to a PC or another machine (outbound), the command saves the running configuration file to the PC.
Secure Copy Feature for Brocade NetIron XMR

The following encryption cipher algorithms are supported on the Brocade NetIron XMR. They are listed in order of preference:
• aes256-cbc: AES in CBC mode with 256-bit key
• aes192-cbc: AES in CBC mode with 192-bit key
• aes128-cbc: AES in CBC mode with 128-bit key
• 3des-cbc: Triple-DES

Outbound commands: The following is the list of outbound SCP command options supported (upload from device to host).
Syntax: scp file-name user@IP Address:Destination:file-name[:additional-options]

The last two tokens, file-name and additional-options, can be abbreviated. The others cannot be abbreviated.

Auxiliary flash command option

To download a file and store it in an Auxiliary flash (Slot 1 or Slot 2), enter the following command (not applicable to the CES or CER).
• cspf-group
• bypass-lsp

For backward compatibility, the following syntax is also supported for this command.

C:> scp @:runConfig

Startup configuration command options

To download a configuration file and replace the startup configuration, enter the following command.

C:> scp @:config:start

This command transfers config-file to the device and replaces the startup configuration in flash.
This command downloads image-file and replaces the mbridge image on the flash.

Switch fabric options

NOTE
SCP switch fabric options are not applicable to the CES or CER.

To download and replace the switch fabric file on a single SNM or on all SNMs in the MP, enter the following command.

C:> scp @:snm:sbridge:

This command downloads image-file and replaces the sbridge image on the specified SNM.
To download and over-write the LP secondary image on one LP or all LPs, enter the following commands.

C:> scp @:lp:secondary:

This command transfers lp-secondary-file to the device and replaces the LP Secondary image in the specified LP slot.

C:> scp @:lp:secondary:all

This command transfers lp-secondary-file to the device and replaces the LP Secondary image in all the LP slots.
To download and over-write the PBIF FPGA image, enter the following command.

C:> scp @:lp:fpga-pbif:

This command downloads fpga-pbif-file and replaces the FPGA PBIF image on the specified LP.

C:> scp @:lp:fpga-pbif:all

This command downloads fpga-pbif-file and replaces the FPGA PBIF image on all the LPs.

To download and force over-write the PBIF FPGA image, enter the following command.
NOTE
If force-overwrite is present in the command, the command skips compatibility checks and forcibly replaces the FPGA image. Otherwise the command checks the compatibility of the FPGA image; if the check fails, the FPGA image is not replaced and an error message is returned to the SCP client.

To download and over-write the XGMAC FPGA image, enter the following commands.
Delete old file first option

NOTE
The delete file first option only applies to inbound SCP commands; its purpose is to make room in the MP flash by deleting old image files prior to an image download.

An option “delete-first” is provided in the third or fourth token position in the following commands.
Chapter 6
Configuring Multi-Device Port Authentication

Table 37 displays the individual Brocade devices and the Multi-Device Port Authentication features they support.
How multi-device port authentication works

The multi-device port authentication feature is a mechanism by which incoming traffic originating from a specific MAC address is switched or forwarded by the device only if the source MAC address is successfully authenticated by a RADIUS server.
Supported RADIUS attributes

The Brocade devices support the following RADIUS attributes for multi-device port authentication:
• Username (1) – RFC 2865
• FilterId (11) – RFC 2865
• Vendor-Specific Attributes (26) – RFC 2865
• Tunnel-Type (64) – RFC 2868
• Tunnel-Medium-Type (65) – RFC 2868
• EAP Message (79) – RFC 3579
• Tunnel-Private-Group-Id (81) – RFC 2868

Dynamic VLAN and ACL assignments

The multi-device port authentication feature supports dynamic VLAN
Support for multi-device port authentication and 802.1x on the same interface

On the Brocade devices, multi-device port authentication and 802.1x security can be enabled on the same port. However, only one of them can authenticate a MAC address or 802.1x client. If an 802.1x client responds, the software assumes that the MAC should be authenticated using 802.1x protocol mechanisms and multi-device port authentication for that MAC is aborted.
Configuring an authentication method list for 802.1x

To use 802.1x port security, you must specify an authentication method to be used to authenticate clients. The Brocade device supports RADIUS authentication with 802.1x port security. To use RADIUS authentication with 802.1x port security, you create an authentication method list for 802.1x and specify RADIUS as an authentication method, then configure communication between the device and the RADIUS server.
• Vendor-Specific Attributes (26) – RFC 2865
• Tunnel-Type (64) – RFC 2868
• Tunnel-Medium-Type (65) – RFC 2868
• EAP Message (79) – RFC 3579
• Tunnel-Private-Group-Id (81) – RFC 2868

Specifying the format of the MAC addresses sent to the RADIUS server

When multi-device port authentication is configured, the device authenticates MAC addresses by sending username and password information to a RADIUS server.
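How the authenticator side consumes the RADIUS reply for a MAC-authenticated client, using the attributes listed above and the dynamic VLAN and ACL assignment described earlier in this chapter; this is an added example, not the guide's or Brocade's code. It verifies the Response Authenticator with the shared secret (RFC 2865) before trusting anything, then reads the VLAN from a tag-consistent Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-Id triple (RFC 3580 values 13 and 6) and the ACL name from Filter-Id. The Access-Accept, shared secret, MAC address and VLAN are constructed.

```python
"""Parse a RADIUS Access-Accept for a MAC-authenticated client.

Added example, not the guide's code. Attribute numbers are the ones listed on
this page; the reply, shared secret, MAC and VLAN below are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
USER_NAME, FILTER_ID = 1, 11                                          # RFC 2865
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6                      # RFC 3580

def attr(atype, value):
    """One attribute TLV; the length byte includes the 2-byte header."""
    return bytes([atype, 2 + len(value)]) + value

def build_access_accept(ident, request_auth, secret, attrs):
    """Server reply: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response_authenticator(packet, request_auth, secret):
    """False unless the reply was produced with our secret for our request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(body):
    """Walk the TLVs; a malformed length raises rather than being skipped."""
    attrs, offset = [], 0
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[offset], body[offset + 1]
        if alen < 2 or offset + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[offset + 2:offset + alen]))
        offset += alen
    return attrs

def untag(value):
    """Split off a tunnel attribute tag; a first byte above 0x1F is data, not a tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value

def dynamic_assignment(attrs):
    """User-Name, Filter-Id ACL name and the VLAN from a consistent Tunnel-* triple."""
    groups, result = {}, {"user": None, "vlan": None, "acl": None}
    for atype, value in attrs:
        if atype == USER_NAME:
            result["user"] = value.decode("ascii", "replace")
        elif atype == FILTER_ID:
            result["acl"] = value.decode("ascii", "replace")
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, data = untag(value)            # tunnel attributes are grouped by tag
            slot = groups.setdefault(tag, {})
            if atype == TUNNEL_PRIVATE_GROUP_ID:
                slot[atype] = data.decode("ascii", "replace")
            else:
                slot[atype] = int.from_bytes(data, "big")
    for slot in groups.values():
        group = slot.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (slot.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and slot.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and group.isdigit()):
            result["vlan"] = int(group)
            break
    return result

def process_accept(packet, request_auth, secret):
    """Authenticate the reply first; only then act on its attributes."""
    if not verify_response_authenticator(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply discarded")
    return dynamic_assignment(parse_attributes(packet[20:]))

# Constructed exchange: MAC 00a1.0010.2000 (the xxxx.xxxx.xxxx format shown on
# this page) is accepted into VLAN 100 with the ACL named "guest-acl".
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # stands in for our request's random authenticator
SAMPLE_ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET, [
    attr(USER_NAME, b"00a1.0010.2000"),
    attr(FILTER_ID, b"guest-acl"),
    attr(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),            # tag 1
    attr(TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
    attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"100"),
])

if __name__ == "__main__":
    print(process_accept(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
```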
Brocade(config)# interface e 3/1
Brocade(config-if-e100-3/1)# mac-authentication auth-fail-action block-traffic

Syntax: [no] mac-authentication auth-fail-action block-traffic

Dropping traffic from non-authenticated MAC addresses is the default behavior when multi-device port authentication is enabled.

Defining MAC address filters

You can specify MAC addresses that do not have to go through multi-device port authentication.
If a previous authentication attempt for a MAC address failed, and as a result the port was placed in the restricted VLAN, but a subsequent authentication attempt was successful, the RADIUS Access-Accept message may specify a VLAN for the port. By default, the device moves the port out of the restricted VLAN and into the RADIUS-specified VLAN.
You can optionally specify an alternate VLAN to which to move the port when the MAC session for the address is deleted. For example, to place the port in the restricted VLAN, enter commands such as the following.
Syntax: mac-authentication clear-mac-session mac-address

This command removes the Layer 2 CAM entry created for the specified MAC address. If the device receives traffic from the MAC address again, the MAC address is authenticated again.
To change the length of the software aging period for blocked MAC addresses, enter a command such as the following.

Brocade(config)# mac-authentication max-age 180

Syntax: [no] mac-authentication max-age seconds

You can specify from 1 – 65535 seconds. The default is 120 seconds.
Displaying multi-device port authentication configuration information

To display a summary of the multi-device port authentication settings that have been configured on the device, enter the following command.

Brocade# show auth-mac configuration
Feature enabled          : Yes
Global Fail-VLAN Id      : None
Username/Password format : xxxx.xxxx.
TABLE 39 Output from the show auth-mac-address configuration command (Continued)

This field...     Displays...
MAC-filter        Whether a MAC filter has been applied to this port to specify pre-authenticated MAC addresses.
DOS Enable        Denial of Service status. This column will always show “No” since DOS is not supported.
Protection Limit  This is not applicable to the device, but the output always shows “512”.
TABLE 40 Output from the show authenticated-mac-address command (Continued)

This field...           Displays...
DOS attack protection   Whether denial of service attack protection has been enabled for multi-device port authentication, limiting the rate of authentication attempts sent to the RADIUS server.
Accepted MAC Addresses  The number of MAC addresses that have been successfully authenticated.
Displaying the authenticated MAC addresses

To display the MAC addresses that have been successfully authenticated, enter the following command.

Brocade# show auth-mac-addresses authorized-mac
MAC TABLE
---------------------------------------------
MAC Address     Port    VLAN    Access    Age
---------------------------------------------
00A1.0010.2000  1/18    1       Allowed   0
00A1.0010.2001  1/18    1       Allowed   120
00A1.0010.
Chapter 7
Using the MAC Port Security Feature

Table 42 displays the individual Brocade devices and the MAC Port Security features they support.
The secure MAC addresses are not flushed when an interface is disabled and brought up again. The secure addresses can be kept secure permanently (the default), or can be configured to age out, at which time they are no longer secure. You can configure the device to automatically save the list of secure MAC addresses to the startup-config file at specified intervals, allowing addresses to be kept secure across system restarts.
Enabling the MAC port security feature

By default, the MAC port security feature is disabled on all interfaces. You can enable or disable the feature globally on all interfaces or on an individual interface. To enable the feature globally, first go to the level for global port security and then enter enable, as follows.
To set the port security age timer to 10 minutes on all interfaces, first go to the level for global security.

Brocade(config)# global-port-security
Brocade(config-global-port-security)# age 10

Syntax: global-port-security
Syntax: [no] age minutes

The default is 0 (never age out secure MAC addresses).

To set the port security age timer to 10 minutes on a specific interface, go to the interface level and then the port security level for that interface.
You can configure the delete-dynamic-learn command at the global level. To enable the delete-dynamic-learn command, enter a command such as the following.

Brocade(config)# global-port-security
Brocade(config-port-security)# delete-dynamic-learn

Syntax: global-port-security
Syntax: [no] delete-dynamic-learn

By default, delete-dynamic-learn is disabled.
Denying MAC addresses globally

To deny a specific MAC address globally, enable the violation deny mode, then specify the MAC address to be denied.

Brocade(config)# global-port-security
Brocade(config-port-security)# violation deny
Brocade(config-port-security)# deny-mac-address 0000.0000.0001 2

Global denied secure MAC addresses are denied system-wide.
In addition to the new processing of packets from denied MAC addresses, these packets can now be logged in the Syslog. To prevent the Syslog from being overwhelmed with messages for denied packets, you can specify how many messages will be logged per second, based on a packet’s IP address.
Displaying port security information

You can display the following information about the port security feature:
• The secure MAC addresses that have been saved to the startup-config file by the autosave feature
• The port security settings for an individual port or for all the ports on a specified module
• The secure MAC addresses configured on the device
• Port security statistics for an interface or for a module

Displaying port security settings

You can display
Displaying the secure MAC addresses on the device

To list the secure MAC addresses configured on the device, enter the following command.

Brocade(config)# show port security mac
Port   Num-Addr   Secure-Src-Addr   Resource   Age-Left   Shutdown/Time-Left
-----  --------   ---------------   --------   --------   ------------------
7/11   1          0050.da18.747c    Local      10         no

Syntax: show port security mac

This command displays the following information.
Brocade# show port security statistics 7
Module 7:
        Total ports: 0
        Total MAC address(es): 0
        Total violations: 0
        Total shutdown ports 0

Syntax: show port security statistics module

TABLE 46 Output from the show port security statistics module command

This field...           Displays...
Total ports:            The number of ports on the module.
Total MAC address(es):  The total number of secure MAC addresses on the module.
Chapter 8
Configuring 802.1x Port Security

Table 47 displays the individual devices and the 802.1x Port Security features they support.

TABLE 47 Supported 802.1x port security features

Columns (left to right): Brocade NetIron XMR Series; Brocade MLX Series; Brocade NetIron CES 2000 Series BASE package; Brocade NetIron CES 2000 Series ME_PREM package; Brocade NetIron CES 2000 Series L3_PREM package; Brocade NetIron CER 2000 Series Base package; Brocade NetIron CER 2000 Series Advanced Services package.

Features supported
802.
How 802.1x port security works

This section explains the basic concepts behind 802.1x port security, including device roles, how the devices communicate, and the procedure used for authenticating clients.

Device roles in an 802.1x configuration

The 802.1x standard defines the roles of client or Supplicant, Authenticator, and Authentication Server in a network. The client (known as a Supplicant in the 802.
Authentication server – The device that validates the client and specifies whether or not the client may access services on the device. The device supports Authentication Servers running RADIUS.

Communication between the devices

For communication between the devices, 802.1x port security uses the Extensible Authentication Protocol (EAP), defined in RFC 2284. The 802.1x standard specifies a method for encapsulating EAP messages so that they can be carried over a LAN.
Supplicant PAE – The Supplicant PAE supplies information about the client to the Authenticator PAE and responds to requests from the Authenticator PAE. The Supplicant PAE can also initiate the authentication procedure with the Authenticator PAE, as well as send logoff messages.

Controlled and uncontrolled ports

A physical port on the device used with 802.1x port security has two virtual access points: a controlled port and an uncontrolled port.
By default, all controlled ports on the device are placed in the authorized state, allowing all traffic. When authentication is activated on an 802.1x-enabled interface, the controlled port on the interface is placed initially in the unauthorized state. When a client connected to the port is successfully authenticated, the controlled port is then placed in the authorized state until the client logs off. Refer to “Enabling 802.1x port security” for more information.
If a client does not support 802.1x, authentication cannot take place. The device sends EAP-Request or Identity frames to the client, but the client does not respond to them. When a client that supports 802.1x attempts to gain access through a non-802.1x-enabled port, it sends an EAP start frame to the device. When the device does not respond, the client considers the port to be authorized, and starts sending normal traffic.
By default, traffic from clients that cannot be authenticated by the RADIUS server is dropped in hardware. You can optionally configure the device to assign the port to a “restricted” VLAN if authentication of the client is unsuccessful.

How 802.1x multiple client authentication works

When multiple clients are connected to a single 802.1x-enabled port on a router (as in Figure 6), 802.1x authentication is performed in the following ways.
1. One of the 802.
802.1x port security and sFlow

• If a client has been denied access to the network (that is, the client’s dot1x-mac-session is set to “access-denied”), then you can cause the client to be re-authenticated by manually disconnecting the client from the network, or by using the clear dot1x mac-session command. Refer to “Clearing a dot1x-mac-session for a MAC address” for information on this command.
Configuring 802.1x port security

NOTE
Multi-Device Port Authentication and 802.1x authentication can both be enabled on a port; however, only one of them can authenticate a MAC address or 802.1x client. Refer to “Support for multi-device port authentication and 802.1x on the same interface”.

Configuring an authentication method list for 802.1x

To use 802.1x port security, you must specify an authentication method to be used to authenticate clients. The device supports RADIUS authentication with 802.
Supported RADIUS attributes

Many IEEE 802.1x Authenticators will function as RADIUS clients. Some of the RADIUS attributes may be received as part of IEEE 802.1x authentication. The device supports the following RADIUS attributes for IEEE 802.
• If the Tunnel-Type or the Tunnel-Medium-Type attributes in the Access-Accept message do have the values specified above, but there is no value specified for the Tunnel-Private-Group-ID attribute, the client will not become authorized.
• When the device receives the value specified for the Tunnel-Private-Group-ID attribute, it checks whether the vlan-name string matches the name of a VLAN configured on the device.
When strict security mode is enabled:
• If the Filter-ID attribute in the Access-Accept message contains a value that does not refer to an existing filter (that is, a MAC address filter or IP ACL configured on the device), then the client will not be authenticated, regardless of any other information in the message (for example, if the Tunnel-Private-Group-ID attribute specifies a VLAN to which to assign the port).
Dynamically applying existing ACLs or MAC address filters

When a port is authenticated using 802.1x security, an IP ACL or MAC address filter that exists in the running configuration on the device can be dynamically applied to the port. To do this, you configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the name or number of the IP ACL or MAC address filter.
• Multiple IP ACLs and MAC address filters can be specified in the Filter-ID attribute, allowing multiple address filters to be simultaneously applied to an 802.1x authenticated port. Use commas, semicolons, or carriage returns to separate the address filters (for example: ip.3.in,mac.402.in).
• If 802.1x is enabled on a VE port, ACLs, whether dynamic (802.1x assigned) or static (user configured), cannot be applied to the port.
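The following model walks through the Access-Accept handling described in the preceding sections (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, and the Filter-ID rules in strict security mode). It is an added illustration, not Brocade code; the attribute values 13 (VLAN) and 6 (802) are the standard RFC 3580 values, and the outcomes for an unknown VLAN name and for missing filters in non-strict mode are this model's own assumptions where the page text is cut off.

```python
"""Model of how an 802.1x Authenticator acts on RADIUS Access-Accept
attributes. Added illustration, not Brocade code. Assumptions: Tunnel-Type
13 (VLAN) and Tunnel-Medium-Type 6 (802) per RFC 3580; refusing an unknown
VLAN name and skipping missing filters in non-strict mode are this model's
own choices."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

TUNNEL_TYPE_VLAN = 13       # Tunnel-Type = VLAN (RFC 3580)
TUNNEL_MEDIUM_802 = 6       # Tunnel-Medium-Type = 802 (RFC 3580)


@dataclass
class Decision:
    authorized: bool
    reason: str
    vlan: Optional[str] = None                          # dynamically assigned VLAN
    filters: List[str] = field(default_factory=list)    # filters applied to the port


def parse_filter_id(value: str) -> List[str]:
    """Split a Filter-ID naming several filters separated by commas,
    semicolons or carriage returns, e.g. 'ip.3.in,mac.402.in'."""
    return [name for name in re.split(r"[,;\r\n]+", value) if name]


def process_access_accept(attrs: Dict[str, object],
                          configured_vlans: Set[str],
                          configured_filters: Set[str],
                          strict: bool) -> Decision:
    """Apply the page's rules to the attributes of one Access-Accept."""
    filters = parse_filter_id(str(attrs.get("Filter-ID", "")))
    missing = [f for f in filters if f not in configured_filters]

    # Strict security mode: a Filter-ID naming a filter that does not exist
    # on the device rejects the client regardless of anything else.
    if strict and missing:
        return Decision(False, "Filter-ID refers to missing filter(s): %s" % missing)

    vlan = None
    if (attrs.get("Tunnel-Type") == TUNNEL_TYPE_VLAN
            and attrs.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_802):
        group_id = attrs.get("Tunnel-Private-Group-ID")
        if group_id is None:
            # Tunnel attributes present but no group ID: not authorized.
            return Decision(False, "Tunnel-Private-Group-ID missing")
        vlan = str(group_id)
        if vlan not in configured_vlans:
            # vlan-name does not match a configured VLAN (assumed outcome).
            return Decision(False, "VLAN %r is not configured on the device" % vlan)

    # Non-strict mode (assumption): unknown filter names are skipped and the
    # remaining ones are applied to the port.
    applied = [f for f in filters if f in configured_filters]
    return Decision(True, "authorized", vlan=vlan, filters=applied)
```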
Enabling 802.1x port security

By default, 802.1x port security is disabled on devices. To enable the feature on the device and enter the dot1x configuration level, enter the following command.

Brocade(config)# dot1x-enable
Brocade(config-dot1x)#

Syntax: [no] dot1x-enable

At the dot1x configuration level, you can enable 802.1x port security on all interfaces at once, on individual interfaces, or on a range of interfaces. For example, to enable 802.
When an interface’s control type is set to auto, its controlled port is initially set to unauthorized, but is changed to authorized when the connecting client is successfully authenticated by an Authentication Server. The port control type can be one of the following:

force-authorized – The port’s controlled port is placed unconditionally in the authorized state, allowing all traffic. This is the default state for ports on the device.
The re-authentication interval is a global setting, applicable to all 802.1x-enabled interfaces. If you want to re-authenticate clients connected to a specific port manually, use the dot1x re-authenticate command. Refer to “Re-authenticating a port manually”.

Re-authenticating a port manually

When periodic re-authentication is enabled, by default the device re-authenticates clients connected to an 802.
Specifying the number of EAP-request or identity frame retransmissions

If the device does not receive an EAP-response or identity frame from a client, the device waits 30 seconds (or the amount of time specified with the timeout tx-period command), then retransmits the EAP-request or identity frame. By default, the device retransmits the EAP-request or identity frame a maximum of two times.
Initializing 802.1x on a port

To initialize 802.1x port security on a port, or to flush all of its information on that port and start again, enter a command such as the following.

Brocade# dot1x initialize e 3/1

Syntax: dot1x initialize portnum

Allowing multiple 802.1x clients to authenticate

If there are multiple clients connected to a single 802.1x-enabled port, the device authenticates each of them individually. When multiple clients are connected to the same 802.
Displaying 802.1x information

Brocade(config-dot1x)# auth-fail-max-attempts 2

Syntax: [no] auth-fail-max-attempts attempts

By default, the device makes 3 attempts to authenticate a client. You can specify between 1 – 10 authentication attempts.

Display commands

The show port security global-deny command lists all the configured global deny MAC addresses. The show port security denied-macs command lists all the denied MAC addresses in the system.
The following table describes the information displayed by the show dot1x command.

TABLE 49 Output from the show dot1x command
This field...        Displays...
PAE Capability       The Port Access Entity (PAE) role for the device. This is always “Authenticator Only”.
system-auth-control  Whether system authentication control is enabled on the device. The dot1x-enable command enables system authentication control on the device.
TABLE 49 Output from the show dot1x command (Continued)
This field...            Displays...
Mac Session max-age      The configured software aging time for dot1x-mac-sessions.
Maximum Failed Attempts  The number of failed authentication attempts, if the authentication-failure action shows Restricted VLAN,

To display information about the 802.1x configuration on an individual port, enter a command such as the following.
Displaying 802.1x statistics

To display 802.1x statistics for an individual port, enter a command such as the following.
Clearing 802.1x statistics

You can clear the 802.1x statistics counters on all interfaces at once, on individual interfaces, or on a range of interfaces. For example, to clear the 802.1x statistics counters on all interfaces on the device, enter the following command.

Brocade# clear dot1x statistics all

Syntax: clear dot1x statistics all

To clear the 802.1x statistics counters on interface e 3/11, enter the following command.
Displaying dynamically assigned VLAN information

The show interface command displays the VLAN to which an 802.1x-enabled port has been dynamically assigned, as well as the port from which it was moved (that is, the port’s default VLAN). The following is an example of the show interface command indicating the port’s dynamically assigned VLAN. Information about the dynamically assigned VLAN is shown in bold type.
Port 1/1 MAC Address Filter information:
    802.1x dynamic MAC Filter (user defined) : mac access-list 401 in
    Port default MAC Filter : mac access-list 400 in

The “Port default MAC Filter” appears if a default MAC filter has been configured on the port. This default MAC filter is the MAC filter that will be applied to the port once the dynamically assigned MAC filter is removed. If a default MAC filter has not been configured, the message “No Port default MAC” is displayed.
Displaying information about the dot1x-mac-sessions on each port

To display information about the dot1x-mac-sessions on each port on the device, enter the following command.

Brocade# show dot1x mac-session
Port  MAC             Username   VLAN  Auth State  ACL|MAC  Age
                                                   i|o|f
-------------------------------------------------------------------------------
1/1   0050.da0b.8cd7  Mary M     1     DENIED      n|n|n    0
1/2   0050.da0b.8cb3  adminmorn  4094  PERMITTED   y|n|n    0
1/3   0050.da0b.
Sample 802.1x configurations

[Figure 7: RADIUS Server (Authentication Server) 192.168.9.22; NetIron Device (Authenticator) with ports e2/1, e2/2, e2/3; Clients/Supplicants running 802.1X-compliant client software]

The following commands configure the device in Figure 7.

Brocade(config)# aaa authentication dot1x default radius
Brocade(config)# radius-server host 192.168.9.
Hub configuration

Figure 8 illustrates a configuration where three 802.1x-enabled clients are connected to a hub, which is connected to a port on the device. The configuration is similar to that in Figure 7, except that 802.1x port security is enabled on only one port, and the multiple-hosts command is used to allow multiple clients on the port.

FIGURE 8 Sample 802.1x configuration using a hub
[Figure 8: RADIUS Server (Authentication Server) 192.168.9.
Chapter 9 Protecting against Denial of Service Attacks

Table 54 displays the individual devices and the Denial of Service (DoS) attack features they support.
Protecting against smurf attacks

The attacker sends an ICMP echo request packet to the broadcast address of an intermediary network. The ICMP echo request packet contains the spoofed address of a victim network as its source. When the ICMP echo request reaches the intermediary network, it is converted to a Layer 2 broadcast and sent to the hosts on the intermediary network. The hosts on the intermediary network then send ICMP replies to the victim network.
The burst-max value can be from 1 – 100000. The lockup value can be from 1 – 10000.

The number of incoming ICMP packets per second is measured and compared to the threshold values, as follows:
• If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are dropped.
• If the number of ICMP packets exceeds the burst-max value, all ICMP packets are dropped for the number of seconds specified by the lockup value.
Protecting against TCP SYN attacks

Multicast Router Discovery messages:
• Multicast router advertisement (Type 151)
• Multicast router solicitation (Type 152)
• Multicast router termination (Type 153)
Section 4.
The number of incoming TCP SYN packets per second is measured and compared to the threshold values as follows:
• If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are dropped.
• If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.
Protecting against a blind TCP reset attack using the SYN bit

For a blind TCP reset attack, the attacker tries to guess the SYN bits to terminate an active TCP session. To protect against this type of attack, the SYN bit is subject to the following rules during arrival of TCP segments:
• If the SYN bit is set and the sequence number is outside the expected window, the device sends an ACK to the peer.
The burst-max value can be from 1 – 100000. The lockup value can be from 1 – 10000. The no option removes the configuration and UDP rate limiting is disabled.

The number of incoming UDP packets per second is measured and compared to the threshold values as follows:
• If the number of UDP packets exceeds the burst-normal value, the excess UDP packets are dropped.
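The burst-normal, burst-max and lockup rules are the same for ICMP, TCP SYN and UDP rate limiting, so a single simulation, added here as an illustration and not the device's own implementation, shows how an arrival pattern is split into passed, dropped and blocked packets. It assumes whole-second measurement windows keyed by the packet timestamp and that lockup begins in the second in which burst-max is exceeded.

```python
"""Simulation of the burst-normal / burst-max / lockup thresholds described
for ICMP, TCP SYN and UDP rate limiting. Added illustration, not the
device's implementation. Assumptions: one-second measurement windows keyed
by packet timestamp; lockup starts in the second that exceeds burst-max."""
from collections import Counter
from typing import List, Optional


class BurstLimiter:
    def __init__(self, burst_normal: int, burst_max: int, lockup: int) -> None:
        if not (1 <= burst_normal <= burst_max and lockup >= 1):
            raise ValueError("need 1 <= burst-normal <= burst-max and lockup >= 1")
        self.burst_normal = burst_normal
        self.burst_max = burst_max
        self.lockup = lockup
        self.window: Optional[int] = None   # second currently being measured
        self.count = 0                      # packets seen in that second
        self.locked_until = -1              # first second after lockup ends
        self.stats: Counter = Counter()     # passed / dropped / blocked

    def packet(self, t: float) -> str:
        """Classify one packet arriving at time t (seconds)."""
        sec = int(t)
        if sec < self.locked_until:
            self.stats["blocked"] += 1      # everything is dropped during lockup
            return "blocked"
        if sec != self.window:
            self.window, self.count = sec, 0    # new one-second measurement
        self.count += 1
        if self.count > self.burst_max:
            # burst-max exceeded: drop all packets for `lockup` seconds; the
            # counter is reset and measurement restarts when lockup expires.
            self.locked_until = sec + self.lockup
            self.count = 0
            self.stats["blocked"] += 1
            return "blocked"
        if self.count > self.burst_normal:
            self.stats["dropped"] += 1      # only the excess above burst-normal
            return "dropped"
        self.stats["passed"] += 1
        return "passed"


def classify_burst(timestamps: List[float], burst_normal: int,
                   burst_max: int, lockup: int) -> List[str]:
    """Run a constructed arrival pattern through a fresh limiter."""
    limiter = BurstLimiter(burst_normal, burst_max, lockup)
    return [limiter.packet(t) for t in timestamps]


if __name__ == "__main__":
    # Constructed flood: seven packets in second 0, one during lockup, two after.
    arrivals = [0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 1.5, 2.0, 2.1]
    for t, verdict in zip(arrivals, classify_burst(arrivals, 3, 5, 2)):
        print("t=%.1f %s" % (t, verdict))
```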
Displaying statistics from a DoS attack

You can display statistics about ICMP and TCP SYN packets that were dropped, passed, or blocked because burst thresholds were exceeded using the show statistics dos-attack command.

Brocade# show statistics dos-attack
Collecting local DOS attack statistic for slot 1... Completed successfully.
Collecting local DOS attack statistic for slot 2... Completed successfully.
Collecting local DOS attack statistic for slot 3...
Chapter 10 Securing SNMP Access

Table 56 displays the individual Brocade devices and the SNMPv3 features they support.
Establishing SNMP community strings

• The default read-only community string is “public”. Use this community string for any SNMP Get, GetNext, or GetBulk request.
• By default, you cannot perform any SNMP Set operations since a read-write community string is not configured.

You can configure as many additional read-only and read-write community strings as you need. The number of strings you can configure depends on the memory on the device. There is no practical limit.
Using the User-Based Security model

Brocade(config)# snmp-s community myread ro view sysview

The command in this example associates the view “sysview” to the community string named “myread”. The community string has read-only access to “sysview”. For information on how to create views, refer to the section “Defining SNMP views”.

The standard-acl-name | standard-acl-id | ipv6 ipv6-acl-name parameter is optional. It allows you to specify which ACL is used to filter the incoming SNMP packets.
Configuring your NMS

To be able to use the SNMP version 3 features:
1. Make sure that your Network Manager System (NMS) supports SNMP version 3.
2. Configure your NMS agent with the necessary users.
3. Configure the SNMP version 3 features in the device.

Configuring SNMP version 3 on the device

To configure SNMP version 3 on the device, perform the tasks listed below.
1.
NOTE
Since the current implementation of SNMP version 3 does not support Notification, remote engine IDs cannot be configured at this time.

The hex-string variable consists of 11 octets, entered as hexadecimal values. Each octet has two hexadecimal characters. The engine ID should contain an even number of hexadecimal characters.
The auth | noauth parameter determines whether authentication is required for accessing the supported views. If auth is selected, then only authenticated packets are allowed to access the view specified for the user group. Selecting noauth means that no authentication is required to access the specified view. Selecting priv means that an authentication password is required from the users.
NOTE
The SNMP group to which the user account will be mapped should be configured before creating the user accounts; otherwise, the group will be created without any views. Also, ACL groups must be configured before configuring user accounts.

The v3 parameter is required.

The access standard-acl-id parameter is optional. It indicates that incoming SNMP packets are filtered based on the ACL attached to the user account.
The engine ID identifies the source or destination of the packet. The engine boots represents the number of times that the SNMP engine reinitialized itself with the same engine ID. If the engineID is modified, the boot count is reset to 0. The engine time represents the current time with the SNMP agent.

Displaying SNMP groups

To display the definition of an SNMP group, enter a command such as the following.
Interpreting varbinds in report packets

If an SNMP version 3 request packet is to be rejected by an SNMP agent, the agent sends a report packet that contains one or more varbinds. The varbinds contain additional information, showing the cause of failures. An SNMP manager application decodes the description from the varbind. The following table presents a list of varbinds supported by the SNMP agent.

Varbind object identifier    Description
1.3.6.1.6.3.11.2.1.
Defining SNMP views

SNMP views are named groups of MIB objects that can be associated with user accounts to allow limited access for viewing and modification of SNMP statistics and system configuration. SNMP views can also be used with other commands that take SNMP views as an argument. SNMP views reference MIB objects using object names, numbers, wildcards, or a combination of the three. The numbers represent the hierarchical location of the object in the MIB tree.
SNMP v3 configuration examples

The examples below show how to configure SNMP v3.
Appendix A ACL Editing and Sequence Numbers

This appendix presents functional information about the ACL editing feature introduced in Multi-Service IronWare R05.6.00 and detailed in Chapter 2, “Layer 2 Access Control Lists”, Chapter 3, “Access Control List” and Chapter 4, “Configuring an IPv6 Access Control List”.

Background

Prior to Multi-Service IronWare R05.6.00, the limitations described below applied when adding new entries to an existing ACL table.
Sequence Numbers

permit 1.1.1.1 0.0.0.0
permit 2.2.2.2 0.0.0.0
permit 3.3.3.3 0.0.0.0
deny any

This method might work for small ACLs, but was impractical for ACLs containing many entries.

IPv6 ACLs
• You could specify a sequence number to insert a new filter at a desired position in the ACL table.
• However, you could not insert a new filter between filters having adjacent sequence numbers.
Creating an ACL filter

Internal and User Specified

With the ACL editing feature, a sequence number is assigned to each ACL entry and ACL rules are applied in the order of lowest to highest sequence number. Sequence numbers may be assigned by the system or user specified. The optional sequence parameter in the ACL filter command allows you to specify a sequence number for a new ACL entry and to thereby insert the filter at a desired position in an ACL table.
Brocade(config)#show access-list name v4_acl
10: permit 1.1.1.1 0.0.0.0
20: permit 2.2.2.2 0.0.0.0
21: sequence 21 permit 3.3.3.3 0.0.0.0
30: deny any

Re-generating ACL sequence numbers

You can create space between sequence numbers of adjacent filters by regenerating the sequence numbers for ACL table entries. This allows new ACL entries to be inserted between ACL entries that previously had consecutive sequence numbers.
Backward compatibility with earlier releases

Brocade(config)# show access-list name v4_acl
10: permit 1.1.1.1 0.0.0.0
20: permit 2.2.2.2 0.0.0.0
21: sequence 21 permit 3.3.3.3 0.0.0.0
30: deny any
Brocade(config)# ip access-list standard v4_acl
Brocade(config-std-nacl-v4_acl)# no sequence 20
Brocade(config-std-nacl-v4_acl)# exit
Brocade(config)# show access-list name v4_acl
10: permit 1.1.1.1 0.0.0.0
21: sequence 21 permit 3.3.3.3 0.0.0.
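The sequence-number behaviour described in this appendix (system-assigned versus user-specified numbers, insertion at a chosen position, removal with no sequence N, and regeneration to open gaps) can be modelled as a small ACL table that evaluates standard IPv4 rules in sequence order. This is an added illustration, not IronWare code; the step of 10 for system-assigned numbers and the regeneration defaults are assumptions modelled on the outputs shown above, and the show() format mirrors the show access-list name output.

```python
"""Model of an ACL table with sequence numbers as introduced by the ACL
editing feature. Added illustration, not IronWare code. Assumptions:
system-assigned numbers advance by 10; regenerate() renumbers from 10 in
steps of 10 and clears the user-specified marker on every entry."""
import ipaddress
from typing import List, Optional, Tuple

Entry = Tuple[int, str, bool]   # (sequence, rule text, user_specified)


def rule_matches(rule: str, src_ip: str) -> bool:
    """Match a standard-ACL rule: 'permit|deny any' or
    'permit|deny A.B.C.D wildcard' (wildcard 0.0.0.0 = exact host)."""
    parts = rule.split()
    if parts[1] == "any":
        return True
    addr = int(ipaddress.IPv4Address(parts[1]))
    wild = int(ipaddress.IPv4Address(parts[2]))
    return (int(ipaddress.IPv4Address(src_ip)) | wild) == (addr | wild)


class SequencedAcl:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Entry] = []      # always kept sorted by sequence

    def add(self, rule: str, sequence: Optional[int] = None) -> int:
        """Append with the next system number, or insert at a user-specified one."""
        user_specified = sequence is not None
        if sequence is None:
            sequence = self.entries[-1][0] + 10 if self.entries else 10
        if any(seq == sequence for seq, _, _ in self.entries):
            raise ValueError("sequence %d is already in use" % sequence)
        self.entries.append((sequence, rule, user_specified))
        self.entries.sort(key=lambda e: e[0])   # evaluation order = sequence order
        return sequence

    def remove_sequence(self, sequence: int) -> None:
        """Equivalent of 'no sequence N' inside the ACL."""
        kept = [e for e in self.entries if e[0] != sequence]
        if len(kept) == len(self.entries):
            raise KeyError("no entry with sequence %d" % sequence)
        self.entries = kept

    def regenerate(self, start: int = 10, step: int = 10) -> None:
        """Renumber in place so adjacent entries have room between them."""
        self.entries = [(start + i * step, rule, False)
                        for i, (_, rule, _) in enumerate(self.entries)]

    def lookup(self, src_ip: str) -> Tuple[Optional[int], str]:
        """First match in sequence order; implicit deny if nothing matches."""
        for seq, rule, _ in self.entries:
            if rule_matches(rule, src_ip):
                return seq, rule.split()[0]
        return None, "deny"

    def show(self) -> List[str]:
        """Lines in the format of 'show access-list name'."""
        return ["%d: sequence %d %s" % (seq, seq, rule) if user
                else "%d: %s" % (seq, rule)
                for seq, rule, user in self.entries]
```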
Extended IP access list 191 : 4 entries
11111: sequence 11111 permit ip host 1.191.1.1 198.19.1.0 0.0.0.255
12115: sequence 12115 deny ip host 1.191.1.11 198.19.1.0 0.0.0.255
29195: sequence 29195 deny ip host 1.191.1.249 198.19.1.0 0.0.0.