Brocade-communications-systems Brocade ICX 6650 6650 User Manual

53-1002601-0128 September 2012®Brocade ICX 6650 Security Configuration GuideSupporting FastIron Software Release 07.5.00

x Brocade ICX 6650 Security Configuration Guide53-1002601-01Dynamic MAC-based VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213C

80 Brocade ICX 6650 Security Configuration Guide53-1002601-01SSH2 clientBrocade# ssh 10.10.10.2To start an SSH2 client connection to an SSH2 server us

Brocade ICX 6650 Security Configuration Guide 8153-1002601-01Chapter3Rule-Based IP ACLs Table 15 and Table 16 list the Access Control List (ACL) featu

82 Brocade ICX 6650 Security Configuration Guide53-1002601-01ACL overviewThis chapter describes how Access Control Lists (ACLs) are implemented and co

Brocade ICX 6650 Security Configuration Guide 8353-1002601-01ACL overview• Virtual routing interfacesTypes of IP ACLsYou can configure the following t

84 Brocade ICX 6650 Security Configuration Guide53-1002601-01How hardware-based ACLs workDefault ACL actionThe default action when no ACLs are configu

Brocade ICX 6650 Security Configuration Guide 8553-1002601-01ACL configuration considerationsACL configuration considerations• See “ACL overview” on p

86 Brocade ICX 6650 Security Configuration Guide53-1002601-01Configuring standard numbered ACLs• You can apply an ACL to a port that has TCP SYN prote

Brocade ICX 6650 Security Configuration Guide 8753-1002601-01Standard named ACL configurationsignificant bits) and changes the non-significant portion

88 Brocade ICX 6650 Security Configuration Guide53-1002601-01Standard named ACL configurationStandard ACLs permit or deny packets based on source IP a

Brocade ICX 6650 Security Configuration Guide 8953-1002601-01Standard named ACL configurationNOTETo specify the host name instead of the IP address, t

Brocade ICX 6650 Security Configuration Guide xi53-1002601-01Multi-device port authentication configuration. . . . . . . . . . . . . . . .236Enabling

90 Brocade ICX 6650 Security Configuration Guide53-1002601-01Extended numbered ACL configurationConfiguration example for standard named ACLsTo config

Brocade ICX 6650 Security Configuration Guide 9153-1002601-01Extended numbered ACL configurationExtended numbered ACL syntaxSyntax: [no] access-list A

92 Brocade ICX 6650 Security Configuration Guide53-1002601-01Extended numbered ACL configurationThe destination-ip | hostname parameter specifies the

Brocade ICX 6650 Security Configuration Guide 9353-1002601-01Extended numbered ACL configuration• gt – The policy applies to TCP or UDP port numbers g

94 Brocade ICX 6650 Security Configuration Guide53-1002601-01Extended numbered ACL configuration• max-throughput or 4 – The ACL matches packets that h

Brocade ICX 6650 Security Configuration Guide 9553-1002601-01Extended numbered ACL configurationConfiguration examples for extended numbered ACLsTo co

96 Brocade ICX 6650 Security Configuration Guide53-1002601-01Extended named ACL configurationThe first entry in this ACL denies TCP traffic from the 1

Brocade ICX 6650 Security Configuration Guide 9753-1002601-01Extended named ACL configuration• Internet Control Message Protocol (ICMP)• Internet Grou

98 Brocade ICX 6650 Security Configuration Guide53-1002601-01Extended named ACL configurationIf you enable the software to display IP subnet masks in

Brocade ICX 6650 Security Configuration Guide 9953-1002601-01Extended named ACL configurationThe tcp/udp comparison operator parameter specifies a com

xii Brocade ICX 6650 Security Configuration Guide53-1002601-01Chapter 11 Rate Limiting and Rate ShapingPort-based rate limiting . . . . . . . . . . .

100 Brocade ICX 6650 Security Configuration Guide53-1002601-01Extended named ACL configuration• internet or 6 – The ACL matches packets that have the

Brocade ICX 6650 Security Configuration Guide 10153-1002601-01Applying egress ACLs to Control (CPU) trafficThe dscp-matching option matches on the pac

102 Brocade ICX 6650 Security Configuration Guide53-1002601-01ACL comment text managementThe following example shows how this feature works for a TCP

Brocade ICX 6650 Security Configuration Guide 10353-1002601-01ACL comment text managementFor ACL-num, enter the number of the ACL. The comment-text ca

104 Brocade ICX 6650 Security Configuration Guide53-1002601-01Applying an ACL to a virtual interface in a protocol- or subnet-based VLANThe following

Brocade ICX 6650 Security Configuration Guide 10553-1002601-01ACL loggingBrocade(config-vlan-1)# no vlan-dynamic-discovery Vlan dynamic discovery is

106 Brocade ICX 6650 Security Configuration Guide53-1002601-01ACL logging• ACL logging is not supported for dynamic ACLs with multi-device port authen

Brocade ICX 6650 Security Configuration Guide 10753-1002601-01ACL loggingThe above commands create ACL entries that include the log option, enable ACL

108 Brocade ICX 6650 Security Configuration Guide53-1002601-01Enabling strict control of ACL filtering of fragmented packetsSyntax: show logEnabling s

Brocade ICX 6650 Security Configuration Guide 10953-1002601-01Enabling ACL support for switched traffic in the router imageEnabling ACL support for sw

Brocade ICX 6650 Security Configuration Guide xiii53-1002601-01Chapter 13 Limiting Broadcast, Multicast, and Unknown Unicast TrafficBroadcast, unknown

110 Brocade ICX 6650 Security Configuration Guide53-1002601-01Enabling ACL filtering based on VLAN membership or VE port membershipApplying an IPv4 AC

Brocade ICX 6650 Security Configuration Guide 11153-1002601-01ACLs to filter ARP packetsUse this feature when you do not want the IPv4 ACLs to apply t

112 Brocade ICX 6650 Security Configuration Guide53-1002601-01ACLs to filter ARP packetsConfiguration considerations for filtering ARP packets• This f

Brocade ICX 6650 Security Configuration Guide 11353-1002601-01Filtering on IP precedence and ToS values• Allow the ACL ID to be inherited from the IP

114 Brocade ICX 6650 Security Configuration Guide53-1002601-01QoS options for IP ACLsThe first entry in this ACL denies TCP traffic from the 10.157.21

Brocade ICX 6650 Security Configuration Guide 11553-1002601-01QoS options for IP ACLs• dscp-matching – Matches on the packet DSCP value. This option d

116 Brocade ICX 6650 Security Configuration Guide53-1002601-01QoS options for IP ACLsCombined ACL for 802.1p markingBrocade devices support a simple m

Brocade ICX 6650 Security Configuration Guide 11753-1002601-01ACL-based rate limitingSyntax: access-list num(100-199) permit udp any any 802.1p-priori

118 Brocade ICX 6650 Security Configuration Guide53-1002601-01ACL statisticsNOTEBrocade devices support ACL-based rate limiting for inbound traffic. T

Brocade ICX 6650 Security Configuration Guide 11953-1002601-01Displaying ACL informationSyntax: show access-list hw-usage on | offSyntax: show access-

xiv Brocade ICX 6650 Security Configuration Guide53-1002601-01

120 Brocade ICX 6650 Security Configuration Guide53-1002601-01Policy Based RoutingYou can configure the Brocade device to perform the following types

Brocade ICX 6650 Security Configuration Guide 12153-1002601-01Policy Based Routing• Configure a route map that matches on the ACLs and sets the route

122 Brocade ICX 6650 Security Configuration Guide53-1002601-01Policy Based RoutingIf you prefer to specify the wildcard (mask value) in CIDR format, y

Brocade ICX 6650 Security Configuration Guide 12353-1002601-01Policy Based RoutingThe permit | deny parameter specifies the action the Brocade device

124 Brocade ICX 6650 Security Configuration Guide53-1002601-01Policy Based RoutingConfiguration examples for PBRThis section presents configuration ex

Brocade ICX 6650 Security Configuration Guide 12553-1002601-01Policy Based RoutingBrocade(config)# route-map test-route permit 50Brocade(config-routem

126 Brocade ICX 6650 Security Configuration Guide53-1002601-01Policy Based RoutingBrocade(config)# interface ethernet 1/3/1Brocade(config-if-e10000-1/

Brocade ICX 6650 Security Configuration Guide 12753-1002601-01Chapter4IPv6 ACLs Table 17 lists the IPv6 Access Control Lists (ACL) features supported

128 Brocade ICX 6650 Security Configuration Guide53-1002601-01IPv6 ACL configuration notesNOTEIPv6 ACLs are supported on inbound traffic and are imple

Brocade ICX 6650 Security Configuration Guide 12953-1002601-01Configuring an IPv6 ACL• IPv6 ACLs cannot be used with GRE• IPv6 ACLs cannot be employed

xiAbout This DocumentThe Brocade ICX 6650 is a ToR (Top of Rack) Ethernet switch for campus LAN and classic Ethernet data center environments.Audience

130 Brocade ICX 6650 Security Configuration Guide53-1002601-01Configuring an IPv6 ACLThe first condition permits ICMP traffic from hosts in the 2001:d

Brocade ICX 6650 Security Configuration Guide 13153-1002601-01Configuring an IPv6 ACLThe following commands apply the ACL “rtr” to the incoming traffi

132 Brocade ICX 6650 Security Configuration Guide53-1002601-01Creating an IPv6 ACLThe first permit statement permits ICMP traffic from hosts in the 20

Brocade ICX 6650 Security Configuration Guide 13353-1002601-01Creating an IPv6 ACLSyntax: permit | deny protocol ipv6-source-prefix/prefix-length | an

134 Brocade ICX 6650 Security Configuration Guide53-1002601-01Creating an IPv6 ACLTable 18 lists the syntax elements.TABLE 18 Syntax descriptionsIPv6

Brocade ICX 6650 Security Configuration Guide 13553-1002601-01Creating an IPv6 ACLipv6-source-prefix/prefix-length The ipv6-source-prefix/prefix-lengt

136 Brocade ICX 6650 Security Configuration Guide53-1002601-01Creating an IPv6 ACLICMP message configurations If you want to specify an ICMP message,

Brocade ICX 6650 Security Configuration Guide 13753-1002601-01Enabling IPv6 on an interface to which an ACL will be applied• renum-command• renum-resu

138 Brocade ICX 6650 Security Configuration Guide53-1002601-01Adding a comment to an IPv6 ACL entryThis example applies the IPv6 ACL “access1” to inco

Brocade ICX 6650 Security Configuration Guide 13953-1002601-01Deleting a comment from an IPv6 ACL entryThe comment-text can be up to 256 characters in

xiiBrocade ICX 6650 slot and port numbering• Slot 2 is located on the back of the Brocade ICX 6650 device and contains ports 1 through 3 on the top ro

140 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying IPv6 ACLsSyntax: show ipv6 access-listTo display a specific IPv6 ACL configur

Brocade ICX 6650 Security Configuration Guide 14153-1002601-01Chapter5ACL-based Rate LimitingTable 19 lists the ACL-based rate limiting features suppo

142 Brocade ICX 6650 Security Configuration Guide53-1002601-01Traffic policies overview• Adaptive rate limiting – Enforces a flexible bandwidth limit

Brocade ICX 6650 Security Configuration Guide 14353-1002601-01Configuring fixed rate limitingConfiguration notes for traffic policiesConsider the foll

144 Brocade ICX 6650 Security Configuration Guide53-1002601-01Configuring adaptive rate limitingSyntax: [no] traffic-policy TPD-name rate-limit fixed

Brocade ICX 6650 Security Configuration Guide 14553-1002601-01Configuring adaptive rate limitingIf a port receives more than the configured packet rat

146 Brocade ICX 6650 Security Configuration Guide53-1002601-01Configuring adaptive rate limiting3. Bind the ACL to an interface. Enter commands such a

Brocade ICX 6650 Security Configuration Guide 14753-1002601-01Handling packets that exceed the rate limit1. Create an adaptive rate limiting traffic p

148 Brocade ICX 6650 Security Configuration Guide53-1002601-01Enabling and using ACL statisticsThe above command creates an adaptive rate limiting pol

Brocade ICX 6650 Security Configuration Guide 14953-1002601-01Enabling and using ACL statisticsEnabling ACL statisticsThe procedure for enabling ACL s

Brocade ICX 6650 Security Configuration Guide xiii53-1002601-01Brocade ICX 6650 slot and port numberingDocument conventionsThis section describes text

150 Brocade ICX 6650 Security Configuration Guide53-1002601-01Enabling and using ACL statisticsEnabling ACL statistics with rate limiting traffic poli

Brocade ICX 6650 Security Configuration Guide 15153-1002601-01Enabling and using ACL statistics Port Region# Green Conformance Yellow Conformance

152 Brocade ICX 6650 Security Configuration Guide53-1002601-01Viewing traffic policiesThe TPD-name is the name of the traffic policy definition for wh

Brocade ICX 6650 Security Configuration Guide 15353-1002601-01Chapter6802.1X Port SecurityTable 24 lists 802.1X port security features that are suppor

154 Brocade ICX 6650 Security Configuration Guide53-1002601-01How 802.1X port security worksHow 802.1X port security worksThis section explains the ba

Brocade ICX 6650 Security Configuration Guide 15553-1002601-01How 802.1X port security worksClient/Supplicant – The device that seeks to gain access t

156 Brocade ICX 6650 Security Configuration Guide53-1002601-01How 802.1X port security worksFIGURE 3 Controlled and uncontrolled ports before and aft

Brocade ICX 6650 Security Configuration Guide 15753-1002601-01How 802.1X port security worksMessage exchange during authenticationFigure 4 illustrates

158 Brocade ICX 6650 Security Configuration Guide53-1002601-01How 802.1X port security worksNOTERefer to “EAP pass-through support” on page 159.• EAP-

Brocade ICX 6650 Security Configuration Guide 15953-1002601-01How 802.1X port security worksBrocade(config)# ip mtu 1500Syntax: [no] ip mtu num The nu

xivBrocade ICX 6650 slot and port numberingATTENTIONAn Attention statement indicates potential damage to hardware or data.CAUTIONA Caution statement a

160 Brocade ICX 6650 Security Configuration Guide53-1002601-01How 802.1X port security worksFIGURE 5 Multiple hosts connected to a single 802.1X-enab

Brocade ICX 6650 Security Configuration Guide 16153-1002601-01How 802.1X port security works5. If authentication for the Client is unsuccessful the fi

162 Brocade ICX 6650 Security Configuration Guide53-1002601-01How 802.1X port security works• 802.1X multiple-host authentication has the following ad

Brocade ICX 6650 Security Configuration Guide 16353-1002601-01802.1X port security configuration802.1X accountingWhen 802.1X port security is enabled

164 Brocade ICX 6650 Security Configuration Guide53-1002601-01802.1X port security configurationConfiguring an authentication method list for 802.1XTo

Brocade ICX 6650 Security Configuration Guide 16553-1002601-01802.1X port security configuration• NAS-IP-Address (4) – RFC 2865• NAS-Port (5) – RFC 28

166 Brocade ICX 6650 Security Configuration Guide53-1002601-01802.1X port security configurationRe-authenticate a userTo configure RADIUS timeout beha

Brocade ICX 6650 Security Configuration Guide 16753-1002601-01802.1X port security configurationIf one of the attributes in the Access-Accept message

168 Brocade ICX 6650 Security Configuration Guide53-1002601-01802.1X port security configurationDynamic multiple VLAN assignment for 802.1X portsWhen

Brocade ICX 6650 Security Configuration Guide 16953-1002601-01802.1X port security configurationWhen the RADIUS server returns a value specifying both

Brocade ICX 6650 Security Configuration Guide xv53-1002601-01Brocade ICX 6650 slot and port numbering• Brocade ICX 6650 Diagnostic Reference• Unified

170 Brocade ICX 6650 Security Configuration Guide53-1002601-01802.1X port security configurationDynamically applying IP ACLs and MAC address filtersto

Brocade ICX 6650 Security Configuration Guide 17153-1002601-01802.1X port security configurationDisabling and enabling strict security mode for dynami

172 Brocade ICX 6650 Security Configuration Guide53-1002601-01802.1X port security configurationSyntax: [no] global-filter-strict-securityTo disable s

Brocade ICX 6650 Security Configuration Guide 17353-1002601-01802.1X port security configurationNotes for dynamically applying ACLs or MAC address fil

174 Brocade ICX 6650 Security Configuration Guide53-1002601-01802.1X port security configurationEnabling 802.1X port security By default, 802.1X port

Brocade ICX 6650 Security Configuration Guide 17553-1002601-01802.1X port security configurationTo activate authentication on an 802.1X-enabled interf

176 Brocade ICX 6650 Security Configuration Guide53-1002601-01802.1X port security configurationThe re-authentication interval is a global setting, ap

Brocade ICX 6650 Security Configuration Guide 17753-1002601-01802.1X port security configurationFor example, to cause the Brocade device to wait 60 se

178 Brocade ICX 6650 Security Configuration Guide53-1002601-01802.1X port security configurationBrocade(config-dot1x)# supptimeout 45Syntax: supptimeo

Brocade ICX 6650 Security Configuration Guide 17953-1002601-01802.1X port security configurationAllowing access to multiple hostsBrocade devices suppo

Copyright © 2012 Brocade Communications Systems, Inc. All Rights Reserved.Brocade, Brocade Assurance, the B-wing symbol, BigIron, DCX, Fabric OS, Fast

xviBrocade ICX 6650 slot and port numberingDocument feedbackQuality is our first concern at Brocade and we have made every effort to ensure the accura

180 Brocade ICX 6650 Security Configuration Guide53-1002601-01802.1X port security configurationTo specify on an individual port that the authenticati

Brocade ICX 6650 Security Configuration Guide 18153-1002601-01802.1X port security configurationAs a shortcut, use the command [no] mac-session-aging

182 Brocade ICX 6650 Security Configuration Guide53-1002601-01802.1X accounting configurationMAC address filters for EAP framesYou can create MAC addr

Brocade ICX 6650 Security Configuration Guide 18353-1002601-01802.1X accounting configuration• The user MAC address• The authenticating physical port

184 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying 802.1X informationnone – Use no authentication. The client is automatically a

Brocade ICX 6650 Security Configuration Guide 18553-1002601-01Displaying 802.1X informationTo display information about the 802.1X configuration on an

186 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying 802.1X informationThe following additional information is displayed in the sh

Brocade ICX 6650 Security Configuration Guide 18753-1002601-01Displaying 802.1X informationDisplaying 802.1X statisticsTo display 802.1X statistics fo

188 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying 802.1X informationClearing 802.1X statisticsYou can clear the 802.1X statisti

Brocade ICX 6650 Security Configuration Guide 18953-1002601-01Displaying 802.1X informationThe show run command also indicates the VLAN to which the p

Brocade ICX 6650 Security Configuration Guide 153-1002601-01Chapter1Security Access Table 1 lists the security access features supported on Brocade IC

190 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying 802.1X informationSyntax: show dot1x mac-address-filter all | ethernet port T

Brocade ICX 6650 Security Configuration Guide 19153-1002601-01Displaying 802.1X informationSyntax: show dot1xDisplaying the status of strict security

192 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying 802.1X informationDisplaying 802.1X multiple-host configuration informationTh

Brocade ICX 6650 Security Configuration Guide 19353-1002601-01Displaying 802.1X informationSyntax: show dot1x config ethernet portSpecify the port var

194 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying 802.1X informationExample Syntax: show dot1x mac-sessionTable 37 lists the ne

Brocade ICX 6650 Security Configuration Guide 19553-1002601-01Displaying 802.1X informationDisplaying information about the ports in an 802.1X multipl

196 Brocade ICX 6650 Security Configuration Guide53-1002601-01Sample 802.1X configurationsSample 802.1X configurationsThis section illustrates a sampl

Brocade ICX 6650 Security Configuration Guide 19753-1002601-01Sample 802.1X configurationsBrocade(config)# interface ethernet 1/2/2Brocadeconfig-if-e1

198 Brocade ICX 6650 Security Configuration Guide53-1002601-01Sample 802.1X configurationsBrocade(config)#interface ethernet 1/2/1Brocade(config-if-e1

Brocade ICX 6650 Security Configuration Guide 19953-1002601-01Multi-device port authentication and 802.1X security on the same port auth-fail-vlanid 1

2 Brocade ICX 6650 Security Configuration Guide53-1002601-01Securing access methodsAccess to the Privileged EXEC and CONFIG levels of the CLINot secur

200 Brocade ICX 6650 Security Configuration Guide53-1002601-01Multi-device port authentication and 802.1X security on the same port

Brocade ICX 6650 Security Configuration Guide 20153-1002601-01Chapter7MAC Port SecurityTable 39 lists the Media Access Control (MAC) port security fea

202 Brocade ICX 6650 Security Configuration Guide53-1002601-01MAC port security overviewMAC port security overviewYou can configure the Brocade device

Brocade ICX 6650 Security Configuration Guide 20353-1002601-01MAC port security configuration• Brocade devices do not support the reserved-vlan-id num

204 Brocade ICX 6650 Security Configuration Guide53-1002601-01MAC port security configurationSetting the maximum number of secure MAC addresses for an

Brocade ICX 6650 Security Configuration Guide 20553-1002601-01MAC port security configurationSpecifying secure MAC addressesYou can configure secure M

206 Brocade ICX 6650 Security Configuration Guide53-1002601-01MAC port security configurationThe minutes variable can be from 15 through 1440 minutes.

Brocade ICX 6650 Security Configuration Guide 20753-1002601-01Clearing port security statisticsDisabling the port for a specified amount of timeYou ca

208 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying port security informationDisplaying port security information You can display

Brocade ICX 6650 Security Configuration Guide 20953-1002601-01Displaying port security informationNOTEAfter every switchover or failover, the MAC “Age

Brocade ICX 6650 Security Configuration Guide 353-1002601-01Remote access to management function restrictionsRemote access to management function rest

210 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying port security informationBrocade# show port security statistics 7Module 7: T

Brocade ICX 6650 Security Configuration Guide 21153-1002601-01Chapter8MAC-based VLANsTable 44 lists the MAC-based VLAN features that are supported on

212 Brocade ICX 6650 Security Configuration Guide53-1002601-01MAC-based VLAN overviewMAC-based VLAN feature structureThe MAC-based VLAN feature operat

Brocade ICX 6650 Security Configuration Guide 21353-1002601-01Dynamic MAC-based VLANDynamic MAC-based VLANWhen enabled, the dynamic MAC-based VLAN fea

214 Brocade ICX 6650 Security Configuration Guide53-1002601-01Dynamic MAC-based VLANDynamic MAC-based VLAN configuration exampleThe following example

Brocade ICX 6650 Security Configuration Guide 21553-1002601-01MAC-based VLAN configurationvlan 4004 by port mac-vlan-permit ethernet 1/1/1 to 1/1/3def

216 Brocade ICX 6650 Security Configuration Guide53-1002601-01MAC-based VLAN configurationUsing MAC-based VLANs and 802.1X securityon the same port On

Brocade ICX 6650 Security Configuration Guide 21753-1002601-01MAC-based VLAN configurationAging for MAC-based VLANThe aging process for MAC-based VLAN

218 Brocade ICX 6650 Security Configuration Guide53-1002601-01MAC-based VLAN configurationperiod begins and lasts for a fixed length of time (default

Brocade ICX 6650 Security Configuration Guide 21953-1002601-01MAC-based VLAN configurationDisabling the aging on interfacesTo disable aging on a speci

4 Brocade ICX 6650 Security Configuration Guide53-1002601-01Remote access to management function restrictionsConsider the following to configure acces

220 Brocade ICX 6650 Security Configuration Guide53-1002601-01MAC-based VLAN configuration6. To remove and disable the MAC-based VLAN configuration.Br

Brocade ICX 6650 Security Configuration Guide 22153-1002601-01Configuring MAC-based VLANs using SNMPNOTEIf the Dynamic MAC-based VLAN is enabled after

222 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying information about MAC-based VLANsDisplaying the MAC-VLAN table for a specific

Brocade ICX 6650 Security Configuration Guide 22353-1002601-01Displaying information about MAC-based VLANsDisplaying denied MAC addressesEnter the sho

224 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying information about MAC-based VLANsDisplaying detailed MAC-VLAN dataEnter the s

Brocade ICX 6650 Security Configuration Guide 22553-1002601-01Displaying information about MAC-based VLANsDisplaying MAC-VLAN information for a specif

226 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying information about MAC-based VLANsDisplaying MAC addresses in a MAC-based VLAN

Brocade ICX 6650 Security Configuration Guide 22753-1002601-01Clearing MAC-VLAN informationDisplaying MAC-based VLAN loggingEnter the show logging com

228 Brocade ICX 6650 Security Configuration Guide53-1002601-01Sample MAC-based VLAN applicationFIGURE 9 Sample MAC-based VLAN configurationHost A MAC

Brocade ICX 6650 Security Configuration Guide 22953-1002601-01Sample MAC-based VLAN applicationmac-authentication max-age 60mac-authentication hw-deny

Brocade ICX 6650 Security Configuration Guide 553-1002601-01Remote access to management function restrictionsThe num parameter specifies the number of

230 Brocade ICX 6650 Security Configuration Guide53-1002601-01Sample MAC-based VLAN application

Brocade ICX 6650 Security Configuration Guide 23153-1002601-01Chapter9Multi-Device Port AuthenticationTable 54 lists the multi-device port authenticat

232 Brocade ICX 6650 Security Configuration Guide53-1002601-01How multi-device port authentication worksThe multi-device port authentication feature i

Brocade ICX 6650 Security Configuration Guide 23353-1002601-01How multi-device port authentication works• Username (1) – RFC 2865• NAS-IP-Address (4)

234 Brocade ICX 6650 Security Configuration Guide53-1002601-01Multi-device port authentication and 802.1X security on the same portDAI is supported to

Brocade ICX 6650 Security Configuration Guide 23553-1002601-01Multi-device port authentication and 802.1X security on the same port4. If the Foundry-8

236 Brocade ICX 6650 Security Configuration Guide53-1002601-01Multi-device port authentication configurationIf neither of these VSAs exist in a device

Brocade ICX 6650 Security Configuration Guide 23753-1002601-01Multi-device port authentication configuration• Clearing authenticated MAC addresses (op

238 Brocade ICX 6650 Security Configuration Guide53-1002601-01Multi-device port authentication configurationSpecifying the format of the MAC addresses

Brocade ICX 6650 Security Configuration Guide 23953-1002601-01Multi-device port authentication configurationSyntax: [no] mac-authentication auth-fail-

6 Brocade ICX 6650 Security Configuration Guide53-1002601-01Remote access to management function restrictionsNOTEYou must enable AAA support for conso

240 Brocade ICX 6650 Security Configuration Guide53-1002601-01Multi-device port authentication configurationIf one of the attributes in the Access-Acc

Brocade ICX 6650 Security Configuration Guide 24153-1002601-01Multi-device port authentication configuration• If an untagged port had previously been

242 Brocade ICX 6650 Security Configuration Guide53-1002601-01Multi-device port authentication configurationConfiguration notes and limitations• This

Brocade ICX 6650 Security Configuration Guide 24353-1002601-01Multi-device port authentication configurationAutomatic removal of dynamic VLAN assignme

244 Brocade ICX 6650 Security Configuration Guide53-1002601-01Multi-device port authentication configurationThe Brocade device uses information in the

Brocade ICX 6650 Security Configuration Guide 24553-1002601-01Multi-device port authentication configuration• Dynamic ACL filters are supported only f

246 Brocade ICX 6650 Security Configuration Guide53-1002601-01Multi-device port authentication configurationTo limit the susceptibility of the Brocade

Brocade ICX 6650 Security Configuration Guide 24753-1002601-01Multi-device port authentication configuration• The MAC-to-IP mapping is checked against

248 Brocade ICX 6650 Security Configuration Guide53-1002601-01Multi-device port authentication configurationTo clear the authenticated MAC address tab

Brocade ICX 6650 Security Configuration Guide 24953-1002601-01Multi-device port authentication configurationThe denied-only parameter prevents denied

Brocade ICX 6650 Security Configuration Guide 753-1002601-01Remote access to management function restrictionsRestricting SNMP access to a specific IP

250 Brocade ICX 6650 Security Configuration Guide53-1002601-01Multi-device port authentication configurationSpecifying the aging time for blocked MAC

Brocade ICX 6650 Security Configuration Guide 25153-1002601-01Multi-device port authentication configurationOnce the success timeout action is enabled

252 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying multi-device port authentication informationBrocade(config)# mac-authenticati

Brocade ICX 6650 Security Configuration Guide 25353-1002601-01Displaying multi-device port authentication informationDisplaying multi-device port auth

254 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying multi-device port authentication informationThe following table describes the

Brocade ICX 6650 Security Configuration Guide 25553-1002601-01Displaying multi-device port authentication informationDisplaying the authenticated MAC

256 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying multi-device port authentication informationDisplaying the non-authenticated

Brocade ICX 6650 Security Configuration Guide 25753-1002601-01Displaying multi-device port authentication informationDisplaying multi-device port auth

258 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying multi-device port authentication informationThe following table describes the

Brocade ICX 6650 Security Configuration Guide 25953-1002601-01Displaying multi-device port authentication information802.1X override Dynamic PVID Indi

8 Brocade ICX 6650 Security Configuration Guide53-1002601-01Remote access to management function restrictionsTo allow SSH access to the Brocade device

260 Brocade ICX 6650 Security Configuration Guide53-1002601-01Example port authentication configurationsExample port authentication configurationsThis

Brocade ICX 6650 Security Configuration Guide 26153-1002601-01Example port authentication configurationsFIGURE 10 Using multi-device port authenticat

262 Brocade ICX 6650 Security Configuration Guide53-1002601-01Example port authentication configurationsExample 1— Multi-device port authentication wi

Brocade ICX 6650 Security Configuration Guide 26353-1002601-01Example port authentication configurationsmac-authentication enablemac-authentication au

264 Brocade ICX 6650 Security Configuration Guide53-1002601-01Example port authentication configurationsFIGURE 12 Using multi-device port authenticat

Brocade ICX 6650 Security Configuration Guide 26553-1002601-01Example port authentication configurationsWhen the PC is authenticated using multi-devic

266 Brocade ICX 6650 Security Configuration Guide53-1002601-01Example port authentication configurationsSince there is no profile for the PC MAC addre

Brocade ICX 6650 Security Configuration Guide 26753-1002601-01Chapter10DoS Attack ProtectionTable 64 lists DoS protection features supported in Brocad

268 Brocade ICX 6650 Security Configuration Guide53-1002601-01Smurf attacksFor each ICMP echo request packet sent by the attacker, a number of ICMP re

Brocade ICX 6650 Security Configuration Guide 26953-1002601-01TCP SYN attacksSyntax: ip icmp burst-normal value burst-max value lockup secondsThe burs

Brocade ICX 6650 Security Configuration Guide 953-1002601-01Remote access to management function restrictionsSpecifying the maximum number of login at

270 Brocade ICX 6650 Security Configuration Guide53-1002601-01TCP SYN attacksBrocade(config)# interface ethernet 1/1/3Brocade(config-if-e10000-1/1/3)#

Brocade ICX 6650 Security Configuration Guide 27153-1002601-01TCP SYN attacksThe TCP security enhancement prevents and protects against the following

272 Brocade ICX 6650 Security Configuration Guide53-1002601-01TCP SYN attacksSyntax: show statistics dos-attackTo clear statistics about ICMP and TCP

Brocade ICX 6650 Security Configuration Guide 27353-1002601-01Chapter11Rate Limiting and Rate ShapingTable 65 lists the rate limiting and rate shaping

274 Brocade ICX 6650 Security Configuration Guide53-1002601-01Port-based rate limitingHow port-based fixed rate limiting worksFixed rate limiting coun

Brocade ICX 6650 Security Configuration Guide 27553-1002601-01Port-based rate limitingConfiguration notes for port-based fixed rate limiting• Rate lim

276 Brocade ICX 6650 Security Configuration Guide53-1002601-01Rate shapingRate shapingOutbound Rate Shaping is a port-level feature for shaping the ra

Brocade ICX 6650 Security Configuration Guide 27753-1002601-01CPU rate-limitingConfiguring outbound rate shaping for a specific priorityTo configure t

278 Brocade ICX 6650 Security Configuration Guide53-1002601-01CPU rate-limitingCPU rate limiting identifies the traffic type and assigns a maximum rat

Brocade ICX 6650 Security Configuration Guide 27953-1002601-01Chapter12DHCPTable 69 lists the Dynamic Host Configuration Protocol (DHCP) packet inspec

Brocade ICX 6650 Security Configuration Guide iii53-1002601-01ContentsAbout This DocumentAudience . . . . . . . . . . . . . . . . . . . . . . . . . .

10 Brocade ICX 6650 Security Configuration Guide53-1002601-01Remote access to management function restrictionsBrocade(config)# telnet server enable vl

280 Brocade ICX 6650 Security Configuration Guide53-1002601-01Dynamic ARP inspectionDynamic ARP InspectionDynamic ARP Inspection (DAI) allows only val

Brocade ICX 6650 Security Configuration Guide 28153-1002601-01Dynamic ARP inspection• DHCP-Snooping ARP – information collected from snooping DHCP pac

282 Brocade ICX 6650 Security Configuration Guide53-1002601-01Dynamic ARP inspectionDynamic ARP inspection configurationConfiguring DAI consists of th

Brocade ICX 6650 Security Configuration Guide 28353-1002601-01DHCP snoopingEnabling trust on a portThe default trust setting for a port is untrusted.

284 Brocade ICX 6650 Security Configuration Guide53-1002601-01DHCP snoopingHow DHCP snooping worksWhen enabled on a VLAN, DHCP snooping stands between

Brocade ICX 6650 Security Configuration Guide 28553-1002601-01DHCP snoopingClient IP-to-MAC address mappingsClient IP addresses need not be on directl

286 Brocade ICX 6650 Security Configuration Guide53-1002601-01DHCP snooping1. Enable DHCP snooping on a VLAN.Refer to “Enabling DHCP snooping on a VLA

Brocade ICX 6650 Security Configuration Guide 28753-1002601-01DHCP snoopingClearing the DHCP binding databaseYou can clear the DHCP binding database u

288 Brocade ICX 6650 Security Configuration Guide53-1002601-01DHCP relay agent informationDHCP snooping configuration example The following example co

Brocade ICX 6650 Security Configuration Guide 28953-1002601-01DHCP relay agent informationAs illustrated in Figure 19, the DHCP relay agent (the Broca

Brocade ICX 6650 Security Configuration Guide 1153-1002601-01Remote access to management function restrictionsNOTEIf you have already configured a def

290 Brocade ICX 6650 Security Configuration Guide53-1002601-01DHCP relay agent informationSub-option 1 – Circuit IDThe Circuit ID (CID) identifies the

Brocade ICX 6650 Security Configuration Guide 29153-1002601-01DHCP relay agent informationDHCP option 82 configurationWhen DHCP snooping is enabled on

292 Brocade ICX 6650 Security Configuration Guide53-1002601-01DHCP relay agent informationChanging the forwarding policyWhen the Brocade device receiv

Brocade ICX 6650 Security Configuration Guide 29353-1002601-01DHCP relay agent informationViewing information about DHCP option 82 processingUse the c

294 Brocade ICX 6650 Security Configuration Guide53-1002601-01IP source guardViewing the status of DHCP option 82 and the subscriber IDUse the show in

Brocade ICX 6650 Security Configuration Guide 29553-1002601-01IP source guardWhen IP Source Guard is first enabled, only DHCP packets are allowed and

296 Brocade ICX 6650 Security Configuration Guide53-1002601-01IP source guard• 64 rules per ACL• The number of configured ACL rules affect the rate at

Brocade ICX 6650 Security Configuration Guide 29753-1002601-01IP source guardThe [vlan vlannum] parameter is optional. If you enter a VLAN number, the

298 Brocade ICX 6650 Security Configuration Guide53-1002601-01IP source guard

Brocade ICX 6650 Security Configuration Guide 29953-1002601-01Chapter13Limiting Broadcast, Multicast, and Unknown Unicast TrafficThis chapter describe

12 Brocade ICX 6650 Security Configuration Guide53-1002601-01Remote access to management function restrictionsAllowing SNMP access to the Brocade devi

300 Brocade ICX 6650 Security Configuration Guide53-1002601-01Broadcast, unknown Unicast, and Multicast rate limitingThe num variable specifies the ma

Brocade ICX 6650 Security Configuration Guide 30153-1002601-01Broadcast, unknown Unicast, and Multicast rate limitinginterface ethernet 1/1/8 broadcas

302 Brocade ICX 6650 Security Configuration Guide53-1002601-01Broadcast, unknown Unicast, and Multicast rate limiting

Brocade ICX 6650 Security Configuration Guide 30353-1002601-01IndexNumerics802.1x port securityaccounting, 163accounting attributes for RADIUS, 183acc

304 Brocade ICX 6650 Security Configuration Guide53-1002601-01displaying IPv6, 139displaying log entries, 107DSCP matching, 117enabling and viewing ha

Brocade ICX 6650 Security Configuration Guide 30553-1002601-01enable aaa console, 55enable port-config-password, 14enable super-user-password, 14, 36e

306 Brocade ICX 6650 Security Configuration Guide53-1002601-01denial of service (DoS)avoiding being a victim in a Smurf attack, 268avoiding being an i

Brocade ICX 6650 Security Configuration Guide 30753-1002601-01ip icmp burst-normal burst-max lockup, 269ip mtu, 159ip policy route-map, 123ip tcp burs

308 Brocade ICX 6650 Security Configuration Guide53-1002601-01overview, 211policy-based classification, 212sample application, 227source MAC address a

Brocade ICX 6650 Security Configuration Guide 30953-1002601-0155configuring an interface as the source for all packets, 56configuring command authoriz

Brocade ICX 6650 Security Configuration Guide 1353-1002601-01Passwords used to secure accessWhen TFTP is disabled, you are prohibited from using the c

310 Brocade ICX 6650 Security Configuration Guide53-1002601-01show dot1x statistics, 187show interface, 188show ip access-list, 103show ip arp inspect

Brocade ICX 6650 Security Configuration Guide 31153-1002601-01configuration, 17VVLANip access-group, 110mac-vlan-permit, 220source-guard enable, 297

312 Brocade ICX 6650 Security Configuration Guide53-1002601-01

14 Brocade ICX 6650 Security Configuration Guide53-1002601-01Passwords used to secure accessSyntax: [no] telnet server suppress-reject-messageSetting

Brocade ICX 6650 Security Configuration Guide 1553-1002601-01Passwords used to secure accessSyntax: enable read-only-password textNOTEIf you forget yo

16 Brocade ICX 6650 Security Configuration Guide53-1002601-01Passwords used to secure access• bgp-router – BGP4 router level; for example, Brocade(con

Brocade ICX 6650 Security Configuration Guide 1753-1002601-01Local user accountsFor example, to specify that the Line, Enable, and Local passwords be

18 Brocade ICX 6650 Security Configuration Guide53-1002601-01Local user accounts• Users are locked out (disabled) if they fail to login after three at

Brocade ICX 6650 Security Configuration Guide 1953-1002601-01Local user accountsThis password was used earlier for same or different user, please choo

iv Brocade ICX 6650 Security Configuration Guide53-1002601-01Passwords used to secure access . . . . . . . . . . . . . . . . . . . . . . . . . . .13Se

20 Brocade ICX 6650 Security Configuration Guide53-1002601-01Local user accountsA username set-time configuration is removed when:• The username and p

Brocade ICX 6650 Security Configuration Guide 2153-1002601-01Local user accountsExample Syntax: username name enableSetting passwords to expireYou can

22 Brocade ICX 6650 Security Configuration Guide53-1002601-01Local user accountsNOTEYou must grant Super User level privilege to at least one account

Brocade ICX 6650 Security Configuration Guide 2353-1002601-01Local user accounts• At least two special charactersNOTEYou must be logged on with Super

24 Brocade ICX 6650 Security Configuration Guide53-1002601-01TACACS and TACACS+ securityChanging a local user passwordTo change a local user password

Brocade ICX 6650 Security Configuration Guide 2553-1002601-01TACACS and TACACS+ securityTACACS+ is an enhancement to the TACACS security protocol. TAC

26 Brocade ICX 6650 Security Configuration Guide53-1002601-01TACACS and TACACS+ securitykill consoleSyntax: kill console [all | unit]• all - logs out

Brocade ICX 6650 Security Configuration Guide 2753-1002601-01TACACS and TACACS+ securityTelnet connections (inbound): 1 closed 2 closed 3

28 Brocade ICX 6650 Security Configuration Guide53-1002601-01TACACS and TACACS+ security8. The password is validated in the TACACS+ server database.9.

Brocade ICX 6650 Security Configuration Guide 2953-1002601-01TACACS and TACACS+ securityAAA operations for TACACS/TACACS+The following table lists the

Brocade ICX 6650 Security Configuration Guide v53-1002601-01Chapter 2 SSH2 and SCPSSH version 2 overview . . . . . . . . . . . . . . . . . . . . . .

30 Brocade ICX 6650 Security Configuration Guide53-1002601-01TACACS and TACACS+ securityWhen you paste commands into the running-config, and AAA comma

Brocade ICX 6650 Security Configuration Guide 3153-1002601-01TACACS and TACACS+ securityEnabling TACACSTACACS is disabled by default. To configure TAC

32 Brocade ICX 6650 Security Configuration Guide53-1002601-01TACACS and TACACS+ securityThe auth-port parameter specifies the UDP (for TACACS) or TCP

Brocade ICX 6650 Security Configuration Guide 3353-1002601-01TACACS and TACACS+ securitySetting the TACACS+ keyThe key parameter in the tacacs-server

34 Brocade ICX 6650 Security Configuration Guide53-1002601-01TACACS and TACACS+ securityConfiguring authentication-method lists forTACACS and TACACS+Y

Brocade ICX 6650 Security Configuration Guide 3553-1002601-01TACACS and TACACS+ securityNOTEFor examples of how to define authentication-method lists

36 Brocade ICX 6650 Security Configuration Guide53-1002601-01TACACS and TACACS+ security• If the next method in the authentication method list is &quo

Brocade ICX 6650 Security Configuration Guide 3753-1002601-01TACACS and TACACS+ securityTo set a user privilege level, you can configure the “foundry-

38 Brocade ICX 6650 Security Configuration Guide53-1002601-01TACACS and TACACS+ securityExample user=bob { default service = permit member admin

Brocade ICX 6650 Security Configuration Guide 3953-1002601-01TACACS and TACACS+ security• Exec Authorization• Exec Accounting• Command authorization•

vi Brocade ICX 6650 Security Configuration Guide53-1002601-01Configuring standard numbered ACLs. . . . . . . . . . . . . . . . . . . . . . . .86Standa

40 Brocade ICX 6650 Security Configuration Guide53-1002601-01TACACS and TACACS+ security• 4 – Records commands available at the Port Configuration lev

Brocade ICX 6650 Security Configuration Guide 4153-1002601-01RADIUS securityRADIUS securityYou can use a Remote Authentication Dial In User Service (R

42 Brocade ICX 6650 Security Configuration Guide53-1002601-01RADIUS security4. The Brocade device sends a RADIUS Access-Request packet containing the

Brocade ICX 6650 Security Configuration Guide 4353-1002601-01RADIUS security2. The Brocade device checks its configuration to see if the event is one

44 Brocade ICX 6650 Security Configuration Guide53-1002601-01RADIUS securityAAA security for commands pasted Into the running-configIf AAA security is

Brocade ICX 6650 Security Configuration Guide 4553-1002601-01RADIUS securityConfiguring RADIUSFollow the procedure given below to configure a Brocade

46 Brocade ICX 6650 Security Configuration Guide53-1002601-01RADIUS securityTABLE 8 Brocade vendor-specific attributes for RADIUSAttribute name Attrib

Brocade ICX 6650 Security Configuration Guide 4753-1002601-01RADIUS securityEnabling SNMP to configure RADIUSTo enable SNMP access to RADIUS MIB objec

48 Brocade ICX 6650 Security Configuration Guide53-1002601-01RADIUS securitySpecifying different servers for individual AAA functionsIn a RADIUS confi

Brocade ICX 6650 Security Configuration Guide 4953-1002601-01RADIUS security• RADIUS servers 10.10.10.105 and 10.10.10.106 will be used to authenticat

Brocade ICX 6650 Security Configuration Guide vii53-1002601-01ACL statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

50 Brocade ICX 6650 Security Configuration Guide53-1002601-01RADIUS securityRADIUS parametersYou can set the following parameters in a RADIUS configur

Brocade ICX 6650 Security Configuration Guide 5153-1002601-01RADIUS securitySetting the timeout parameterThe timeout parameter specifies how many seco

52 Brocade ICX 6650 Security Configuration Guide53-1002601-01RADIUS securityThe command above causes RADIUS to be the primary authentication method fo

Brocade ICX 6650 Security Configuration Guide 5353-1002601-01RADIUS securityEntering privileged EXEC mode after a Telnet or SSH loginBy default, a use

54 Brocade ICX 6650 Security Configuration Guide53-1002601-01RADIUS securityNOTEIf the aaa authorization exec default radius command exists in the con

Brocade ICX 6650 Security Configuration Guide 5553-1002601-01RADIUS securitySyntax: enable aaa consoleCAUTIONIf you have previously configured the dev

56 Brocade ICX 6650 Security Configuration Guide53-1002601-01RADIUS securityThe privilege-level parameter can be one of the following:• 0 – Records co

Brocade ICX 6650 Security Configuration Guide 5753-1002601-01RADIUS securityTABLE 10 Output of the show aaa command for RADIUSField DescriptionRadius

58 Brocade ICX 6650 Security Configuration Guide53-1002601-01Authentication-method listsAuthentication-method listsTo implement one or more authentica

Brocade ICX 6650 Security Configuration Guide 5953-1002601-01Authentication-method listsTo configure an authentication-method list for SNMP, enter a c

viii Brocade ICX 6650 Security Configuration Guide53-1002601-01Configuring adaptive rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . .

60 Brocade ICX 6650 Security Configuration Guide53-1002601-01TCP Flags - edge port securityThe method1 parameter specifies the primary authentication

Brocade ICX 6650 Security Configuration Guide 6153-1002601-01TCP Flags - edge port securityExample Brocade(config-ext-nACL)# permit tcp 10.1.1.1 0.0.0

62 Brocade ICX 6650 Security Configuration Guide53-1002601-01TCP Flags - edge port security

Brocade ICX 6650 Security Configuration Guide 6353-1002601-01Chapter2SSH2 and SCPTable 12 lists SSH2 and Secure Copy features supported on Brocade ICX

64 Brocade ICX 6650 Security Configuration Guide53-1002601-01SSH version 2 overview• SSH Fingerprint Format• SSH Protocol Assigned Numbers• SSH Transp

Brocade ICX 6650 Security Configuration Guide 6553-1002601-01SSH2 authentication typesSSH2 authentication typesThe Brocade implementation of SSH2 supp

66 Brocade ICX 6650 Security Configuration Guide53-1002601-01SSH2 authentication typesNOTEIf you have generated SSH keys on the switch, you should del

Brocade ICX 6650 Security Configuration Guide 6753-1002601-01SSH2 authentication typesThe generate keyword places an RSA host key pair in the flash me

68 Brocade ICX 6650 Security Configuration Guide53-1002601-01SSH2 authentication types1. The client sends its public key to the Brocade device.2. The

Brocade ICX 6650 Security Configuration Guide 6953-1002601-01Optional SSH parametersSyntax: ip ssh pub-key-file tftp tftp-server-ip-addr filename | re

Brocade ICX 6650 Security Configuration Guide ix53-1002601-01Displaying 802.1X information. . . . . . . . . . . . . . . . . . . . . . . . . . . . .184

70 Brocade ICX 6650 Security Configuration Guide53-1002601-01Optional SSH parameters• Whether the Brocade device allows users to log in without supply

Brocade ICX 6650 Security Configuration Guide 7153-1002601-01Optional SSH parametersEnabling empty password loginsBy default, empty password logins ar

72 Brocade ICX 6650 Security Configuration Guide53-1002601-01Filtering SSH access using ACLsBrocade(config)# ip ssh idle-time 30 Syntax: ip ssh idle-t

Brocade ICX 6650 Security Configuration Guide 7353-1002601-01Displaying SSH informationSyntax: show ip ssh [begin expression | exclude expression | in

74 Brocade ICX 6650 Security Configuration Guide53-1002601-01Displaying SSH informationDisplaying additional SSH connection informationThe show who co

Brocade ICX 6650 Security Configuration Guide 7553-1002601-01Secure copy with SSH2Secure copy with SSH2Secure Copy (SCP) uses security built into SSH

76 Brocade ICX 6650 Security Configuration Guide53-1002601-01Secure copy with SSH2Copying a file to the startup configurationTo copy the configuration

Brocade ICX 6650 Security Configuration Guide 7753-1002601-01Secure copy with SSH2NOTEThe Brocade device supports only one SCP copy session at a time.

78 Brocade ICX 6650 Security Configuration Guide53-1002601-01SSH2 clientThe scp command can be used when TFTP access is unavailable or not permitted a

Brocade ICX 6650 Security Configuration Guide 7953-1002601-01SSH2 client• “Exporting client public keys” on page 79Generating and deleting a client DS