Home » Dell Manuals » Hubs & Switches » Dell PowerSwitch S4820T » Manual Viewer

Dell PowerSwitch S4820T Configuration Guide for the S4820T System 9.112.1P1 - Page 786

Protection from TCP Tiny and Overlapping Fragment Attacks, Enabling SCP and SSH

View all Dell PowerSwitch S4820T manuals

Add to My Manuals
Save this manual to your list of manuals

Page 786 highlights

Certain TACACS+ servers do not authenticate the device if you use the aaa authorization commands level default local tacacs+ command. To resolve the issue, use the aaa authorization commands level default tacacs+ local command. Protection from TCP Tiny and Overlapping Fragment Attacks Tiny and overlapping fragment attack is a class of attack where configured ACL entries - denying TCP port-specific traffic - is bypassed and traffic is sent to its destination although denied by the ACL. RFC 1858 and 3128 proposes a countermeasure to the problem. This countermeasure is configured into the line cards and enabled by default. Enabling SCP and SSH Secure shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. Dell Networking OS is compatible with SSH versions 1.5 and 2, in both the client and server modes. SSH sessions are encrypted and use authentication. SSH is enabled by default. For details about the command syntax, refer to the Security chapter in the Dell Networking OS Command Line Interface Reference Guide. Dell Networking OS SCP, which is a remote file copy program that works with SSH. NOTE: The Windows-based WinSCP client software is not supported for secure copying between a PC and a Dell Networking OS-based system. Unix-based SCP client software is supported. To use the SSH client, use the following command. • Open an SSH connection and specify the hostname, username, port number,encryption cipher,HMAC algorithm and version of the SSH client. EXEC Privilege mode ssh {hostname} [-l username | -p port-number | -v {1 | 2}| -c encryption cipher | -m HMAC algorithm hostname is the IP address or host name of the remote device. Enter an IPv4 or IPv6 address in dotted decimal format (A.B.C.D). • SSH V2 is enabled by default on all the modes. • Display SSH connection information. EXEC Privilege mode show ip ssh Specifying an SSH Version The following example uses the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting. Dell(conf)#ip ssh server version 2 Dell(conf)#do show ip ssh SSH server : enabled. SSH server version : v2. SSH server vrf : default. SSH server ciphers : 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192- ctr,aes256-ctr. SSH server macs : hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac- sha2-256-96. SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1- sha1,diffie-hellman-group14-sha1. Password Authentication : enabled. Hostbased Authentication : disabled. RSA Authentication : disabled. Vty Encryption HMAC Remote IP Dell(conf)# 786 Security

Section	Page
Dell Configuration Guide for the S4820T System 9.11(2.1P1)	3
About this Guide	35
Audience	35
Conventions	35
Related Documents	35
Configuration Fundamentals	36
Accessing the Command Line	36
CLI Modes	36
Navigating CLI Modes	38
The do Command	41
Undoing Commands	41
Obtaining Help	42
Entering and Editing Commands	42
Command History	43
Filtering show Command Outputs	43
Example of the grep Keyword	43
Multiple Users in Configuration Mode	44
Getting Started	45
Console Access	46
Serial Console	46
Accessing the CLI Interface and Running Scripts Using SSH	47
Entering CLI commands Using an SSH Connection	47
Executing Local CLI Scripts Using an SSH Connection	47
Default Configuration	48
Configuring a Host Name	48
Accessing the System Remotely	48
Accessing the System Remotely	48
Configure the Management Port IP Address	48
Configure a Management Route	49
Configuring a Username and Password	49
Configuring the Enable Password	49
Configuration File Management	50
Copy Files to and from the System	50
Mounting an NFS File System	51
Save the Running-Configuration	52
Configure the Overload Bit for a Startup Scenario	53
Viewing Files	53
Managing the File System	54
Enabling Software Features on Devices Using a Command Option	54
View Command History	55
Upgrading Dell Networking OS	55
Using HTTP for File Transfers	55
Verify Software Images Before Installation	56
Management	58
Configuring Privilege Levels	58
Creating a Custom Privilege Level	59
Removing a Command from EXEC Mode	59
Moving a Command from EXEC Privilege Mode to EXEC Mode	59
Allowing Access to CONFIGURATION Mode Commands	59
Allowing Access to Different Modes	59
Applying a Privilege Level to a Username	61
Applying a Privilege Level to a Terminal Line	61
Configuring Logging	61
Audit and Security Logs	62
Configuring Logging Format	64
Display the Logging Buffer and the Logging Configuration	64
Setting Up a Secure Connection to a Syslog Server	65
Log Messages in the Internal Buffer	66
Configuration Task List for System Log Management	66
Disabling System Logging	66
Sending System Messages to a Syslog Server	66
Configuring a UNIX System as a Syslog Server	67
Track Login Activity	67
Restrictions for Tracking Login Activity	67
Configuring Login Activity Tracking	67
Display Login Statistics	68
Limit Concurrent Login Sessions	69
Restrictions for Limiting the Number of Concurrent Sessions	69
Configuring Concurrent Session Limit	69
Enabling the System to Clear Existing Sessions	70
Enabling Secured CLI Mode	71
Changing System Logging Settings	71
Display the Logging Buffer and the Logging Configuration	72
Configuring a UNIX Logging Facility Level	72
Synchronizing Log Messages	73
Enabling Timestamp on Syslog Messages	74
File Transfer Services	74
Configuration Task List for File Transfer Services	75
Enabling the FTP Server	75
Configuring FTP Server Parameters	75
Configuring FTP Client Parameters	76
Terminal Lines	76
Denying and Permitting Access to a Terminal Line	76
Configuring Login Authentication for Terminal Lines	77
Setting Timeout for EXEC Privilege Mode	78
Using Telnet to get to Another Network Device	79
Lock CONFIGURATION Mode	79
Viewing the Configuration Lock Status	79
Recovering from a Forgotten Password	80
Recovering from a Forgotten Enable Password	81
Recovering from a Failed Start	82
Restoring the Factory Default Settings	82
Important Points to Remember	82
Restoring Factory Default Environment Variables	83
802.1X	85
Port-Authentication Process	87
EAP over RADIUS	87
Configuring 802.1X	88
Related Configuration Tasks	88
Important Points to Remember	88
Enabling 802.1X	89
Configuring MAC addresses for a do1x Profile	90
Configuring Request Identity Re-Transmissions	91
Configuring a Quiet Period after a Failed Authentication	91
Forcibly Authorizing or Unauthorizing a Port	92
Re-Authenticating a Port	93
Configuring Timeouts	94
Configuring Dynamic VLAN Assignment with Port Authentication	95
Guest and Authentication-Fail VLANs	96
Configuring a Guest VLAN	96
Configuring an Authentication-Fail VLAN	96
Configuring dot1x Profile	97
Configuring the Static MAB and MAB Profile	98
Configuring Critical VLAN	99
Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)	100
Optimizing CAM Utilization During the Attachment of ACLs to VLANs	100
Guidelines for Configuring ACL VLAN Groups	101
Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters	101
Viewing CAM Usage	103
Allocating FP Blocks for VLAN Processes	104
Access Control Lists (ACLs)	106
IP Access Control Lists (ACLs)	107
CAM Usage	108
Implementing ACLs on Dell Networking OS	108
IP Fragment Handling	110
IP Fragments ACL Examples	110
Layer 4 ACL Rules Examples	110
Configure a Standard IP ACL	111
Configuring a Standard IP ACL Filter	112
Configure an Extended IP ACL	113
Configuring Filters with a Sequence Number	113
Configuring Filters Without a Sequence Number	114
Configure Layer 2 and Layer 3 ACLs	115
Assign an IP ACL to an Interface	116
Applying an IP ACL	116
Counting ACL Hits	117
Configure Ingress ACLs	117
Configure Egress ACLs	117
Applying Egress Layer 3 ACLs (Control-Plane)	118
IP Prefix Lists	119
Implementation Information	119
Configuration Task List for Prefix Lists	119
ACL Resequencing	123
Resequencing an ACL or Prefix List	123
Route Maps	125
Implementation Information	125
Important Points to Remember	125
Configuration Task List for Route Maps	125
Configuring Match Routes	127
Configuring Set Conditions	129
Configure a Route Map for Route Redistribution	130
Configure a Route Map for Route Tagging	130
Continue Clause	131
Logging of ACL Processes	131
Guidelines for Configuring ACL Logging	132
Configuring ACL Logging	132
Flow-Based Monitoring Support for ACLs	133
Behavior of Flow-Based Monitoring	133
Enabling Flow-Based Monitoring	134
Bidirectional Forwarding Detection (BFD)	136
How BFD Works	136
BFD Packet Format	137
BFD Sessions	138
BFD Three-Way Handshake	139
Session State Changes	141
Important Points to Remember	141
Configure BFD	141
Configure BFD for Physical Ports	142
Configure BFD for Static Routes	143
Configure BFD for OSPF	146
Configure BFD for OSPFv3	150
Configure BFD for IS-IS	153
Configure BFD for BGP	156
Configure BFD for VRRP	162
Configuring Protocol Liveness	165
Troubleshooting BFD	165
Border Gateway Protocol IPv4 (BGPv4)	167
Autonomous Systems (AS)	167
Sessions and Peers	169
Establish a Session	169
Route Reflectors	170
BGP Attributes	171
Best Path Selection Criteria	171
Weight	173
Local Preference	173
Multi-Exit Discriminators (MEDs)	174
Origin	175
AS Path	176
Next Hop	176
Multiprotocol BGP	176
Implement BGP with Dell Networking OS	177
Additional Path (Add-Path) Support	177
Advertise IGP Cost as MED for Redistributed Routes	177
Ignore Router-ID in Best-Path Calculation	178
Four-Byte AS Numbers	178
AS4 Number Representation	178
AS Number Migration	180
BGP4 Management Information Base (MIB)	181
Important Points to Remember	181
Configuration Information	182
BGP Configuration	182
Enabling BGP	183
Configuring AS4 Number Representations	186
Configuring Peer Groups	188
Configuring BGP Fast Fall-Over	190
Configuring Passive Peering	192
Maintaining Existing AS Numbers During an AS Migration	192
Allowing an AS Number to Appear in its Own AS Path	193
Enabling Graceful Restart	194
Enabling Neighbor Graceful Restart	195
Filtering on an AS-Path Attribute	195
Regular Expressions as Filters	197
Redistributing Routes	198
Enabling Additional Paths	199
Configuring IP Community Lists	199
Configuring an IP Extended Community List	200
Filtering Routes with Community Lists	201
Manipulating the COMMUNITY Attribute	202
Changing MED Attributes	203
Changing the LOCAL_PREFERENCE Attribute	203
Configuring the local System or a Different System to be the Next Hop for BGP-Learned Routes	204
Changing the WEIGHT Attribute	205
Enabling Multipath	205
Filtering BGP Routes	205
Filtering BGP Routes Using Route Maps	207
Filtering BGP Routes Using AS-PATH Information	207
Configuring BGP Route Reflectors	208
Aggregating Routes	209
Configuring BGP Confederations	209
Enabling Route Flap Dampening	210
Changing BGP Timers	212
Enabling BGP Neighbor Soft-Reconfiguration	212
Enabling or disabling BGP neighbors	213
Route Map Continue	215
Enabling MBGP Configurations	215
Configure IPv6 NH Automatically for IPv6 Prefix Advertised over IPv4 Neighbor	216
BGP Regular Expression Optimization	216
Debugging BGP	216
Storing Last and Bad PDUs	217
Capturing PDUs	218
PDU Counters	219
Sample Configurations	219
Content Addressable Memory (CAM)	226
CAM Allocation	226
Test CAM Usage	228
View CAM Profiles	228
View CAM-ACL Settings	229
View CAM Usage	231
CAM Optimization	231
Troubleshoot CAM Profiling	231
QoS CAM Region Limitation	231
Control Plane Policing (CoPP)	232
Configure Control Plane Policing	233
Configuring CoPP for Protocols	234
Configuring CoPP for CPU Queues	236
CoPP for OSPFv3 Packets	237
Configuring CoPP for OSPFv3	240
Displaying CoPP Configuration	240
Data Center Bridging (DCB)	243
Ethernet Enhancements in Data Center Bridging	243
Priority-Based Flow Control	244
Enhanced Transmission Selection	245
Data Center Bridging Exchange Protocol (DCBx)	246
Data Center Bridging in a Traffic Flow	247
Enabling Data Center Bridging	247
DCB Maps and its Attributes	248
Data Center Bridging: Default Configuration	249
Configuring Priority-Based Flow Control	249
Configuring Lossless Queues	250
Configuring PFC in a DCB Map	251
PFC Configuration Notes	251
PFC Prerequisites and Restrictions	252
Applying a DCB Map on a Port	252
Configuring PFC without a DCB Map	253
Configuring Lossless QueuesExample:	253
Priority-Based Flow Control Using Dynamic Buffer Method	255
Pause and Resume of Traffic	255
Buffer Sizes for Lossless or PFC Packets	255
Behavior of Tagged Packets	256
Configuration Example for DSCP and PFC Priorities	256
Using PFC to Manage Converged Ethernet Traffic	257
Configure Enhanced Transmission Selection	257
ETS Prerequisites and Restrictions	257
Creating an ETS Priority Group	257
ETS Operation with DCBx	259
Configuring Bandwidth Allocation for DCBx CIN	259
Configuring ETS in a DCB Map	260
Hierarchical Scheduling in ETS Output Policies	261
Using ETS to Manage Converged Ethernet Traffic	262
Applying DCB Policies in a Switch Stack	262
Configure a DCBx Operation	262
DCBx Operation	262
DCBx Port Roles	263
DCB Configuration Exchange	264
Configuration Source Election	264
Propagation of DCB Information	265
Auto-Detection and Manual Configuration of the DCBx Version	265
DCBx Example	266
DCBx Prerequisites and Restrictions	266
Configuring DCBx	266
Verifying the DCB Configuration	270
Sample DCB Configuration	278
PFC and ETS Configuration Command Examples	280
QoS dot1p Traffic Classification and Queue Assignment	280
Configuring the Dynamic Buffer Method	281
Dynamic Host Configuration Protocol (DHCP)	283
DHCP Packet Format and Options	283
Assign an IP Address using DHCP	285
Implementation Information	286
Configure the System to be a DHCP Server	286
Configuring the Server for Automatic Address Allocation	287
Specifying a Default Gateway	288
Configure a Method of Hostname Resolution	288
Using DNS for Address Resolution	288
Using NetBIOS WINS for Address Resolution	289
Creating Manual Binding Entries	289
Debugging the DHCP Server	289
Using DHCP Clear Commands	290
Configure the System to be a Relay Agent	290
Configure the System to be a DHCP Client	292
DHCP Client Operation with Other Features	292
DHCP Client on a Management Interface	293
Configure the System for User Port Stacking (Option 230)	294
Configure Secure DHCP	294
Option 82	294
DHCP Snooping	295
Configuring the DHCP secondary-subnet	298
Drop DHCP Packets on Snooped VLANs Only	298
Dynamic ARP Inspection	299
Configuring Dynamic ARP Inspection	300
Source Address Validation	301
Enabling IP Source Address Validation	301
DHCP MAC Source Address Validation	302
Enabling IP+MAC Source Address Validation	302
Viewing the Number of SAV Dropped Packets	303
Clearing the Number of SAV Dropped Packets	303
Equal Cost Multi-Path (ECMP)	304
ECMP for Flow-Based Affinity	304
Configuring the Hash Algorithm	304
Enabling Deterministic ECMP Next Hop	304
Configuring the Hash Algorithm Seed	305
Link Bundle Monitoring	305
Managing ECMP Group Paths	306
Creating an ECMP Group Bundle	306
Modifying the ECMP Group Threshold	306
RTAG7	307
Flow-based Hashing for ECMP	308
FIP Snooping	311
Fibre Channel over Ethernet	311
Ensure Robustness in a Converged Ethernet Network	311
FIP Snooping on Ethernet Bridges	313
FIP Snooping in a Switch Stack	315
Using FIP Snooping	315
FIP Snooping Prerequisites	315
Important Points to Remember	315
Enabling the FCoE Transit Feature	316
Enable FIP Snooping on VLANs	317
Configure the FC-MAP Value	317
Configure a Port for a Bridge-to-Bridge Link	317
Configure a Port for a Bridge-to-FCF Link	317
Impact on Other Software Features	317
FIP Snooping Restrictions	318
Configuring FIP Snooping	318
Displaying FIP Snooping Information	319
FCoE Transit Configuration Example	324
FIPS Cryptography	326
Configuration Tasks	326
Preparing the System	326
Enabling FIPS Mode	327
Generating Host-Keys	327
Monitoring FIPS Mode Status	327
Disabling FIPS Mode	328
Force10 Resilient Ring Protocol (FRRP)	329
Protocol Overview	329
Ring Status	330
Multiple FRRP Rings	330
Important FRRP Points	331
Important FRRP Concepts	332
Implementing FRRP	333
FRRP Configuration	333
Creating the FRRP Group	333
Configuring the Control VLAN	334
Configuring and Adding the Member VLANs	335
Setting the FRRP Timers	336
Clearing the FRRP Counters	336
Viewing the FRRP Configuration	336
Viewing the FRRP Information	336
Troubleshooting FRRP	337
Configuration Checks	337
Sample Configuration and Topology	337
FRRP Support on VLT	338
Example Scenario	339
Important Points to Remember	340
GARP VLAN Registration Protocol (GVRP)	341
Important Points to Remember	341
Configure GVRP	342
Related Configuration Tasks	342
Enabling GVRP Globally	343
Enabling GVRP on a Layer 2 Interface	343
Configure GVRP Registration	343
Configure a GARP Timer	344
RPM Redundancy	344
High Availability (HA)	346
Component Redundancy	346
RPM Redundancy	346
Automatic and Manual Stack Unit Failover	348
Support for RPM Redundancy by Dell Networking OS Version	349
Synchronization between Management and Standby Units	349
Configuring RPM Redundancy	349
Online Insertion and Removal	350
RPM Online Insertion and Removal	350
Linecard Online Insertion and Removal	351
Hitless Behavior	352
Graceful Restart	352
Software Resiliency	353
Software Component Health Monitoring	353
System Health Monitoring	353
Failure and Event Logging	353
Hot-Lock Behavior	354
Process Restartability	354
Enabling Process Restartability	354
Internet Group Management Protocol (IGMP)	356
IGMP Implementation Information	356
IGMP Protocol Overview	356
IGMP Version 2	356
IGMP Version 3	358
Configure IGMP	361
Related Configuration Tasks	361
Viewing IGMP Enabled Interfaces	362
Selecting an IGMP Version	362
Viewing IGMP Groups	362
Adjusting Timers	363
Adjusting Query and Response Timers	363
Enabling IGMP Immediate-Leave	364
IGMP Snooping	364
IGMP Snooping Implementation Information	364
Configuring IGMP Snooping	364
Removing a Group-Port Association	365
Disabling Multicast Flooding	365
Specifying a Port as Connected to a Multicast Router	366
Configuring the Switch as Querier	366
Fast Convergence after MSTP Topology Changes	367
Egress Interface Selection (EIS) for HTTP and IGMP Applications	367
Protocol Separation	367
Enabling and Disabling Management Egress Interface Selection	368
Handling of Management Route Configuration	369
Handling of Switch-Initiated Traffic	370
Handling of Switch-Destined Traffic	370
Handling of Transit Traffic (Traffic Separation)	371
Mapping of Management Applications and Traffic Type	371
Behavior of Various Applications for Switch-Initiated Traffic	372
Behavior of Various Applications for Switch-Destined Traffic	373
Interworking of EIS With Various Applications	374
Designating a Multicast Router Interface	374
Interfaces	376
Basic Interface Configuration	376
Advanced Interface Configuration	376
Interface Types	377
View Basic Interface Information	377
Resetting an Interface to its Factory Default State	379
Enabling Energy Efficient Ethernet	380
View EEE Information	380
Clear EEE Counters	384
Enabling a Physical Interface	385
Physical Interfaces	385
Configuration Task List for Physical Interfaces	386
Overview of Layer Modes	386
Configuring Layer 2 (Data Link) Mode	386
Configuring Layer 2 (Interface) Mode	387
Configuring Layer 3 (Network) Mode	387
Configuring Layer 3 (Interface) Mode	388
Egress Interface Selection (EIS)	388
Important Points to Remember	388
Configuring EIS	389
Management Interfaces	389
Configuring Management Interfaces	389
Configuring a Management Interface on an Ethernet Port	391
VLAN Interfaces	391
Loopback Interfaces	392
Null Interfaces	393
Port Channel Interfaces	393
Port Channel Definition and Standards	393
Port Channel Benefits	393
Port Channel Implementation	393
Interfaces in Port Channels	394
Configuration Tasks for Port Channel Interfaces	394
Creating a Port Channel	395
Adding a Physical Interface to a Port Channel	395
Reassigning an Interface to a New Port Channel	397
Configuring the Minimum Oper Up Links in a Port Channel	397
Adding or Removing a Port Channel from a VLAN	398
Assigning an IP Address to a Port Channel	399
Deleting or Disabling a Port Channel	399
Load Balancing Through Port Channels	399
Changing the Hash Algorithm	400
Bulk Configuration	401
Interface Range	401
Bulk Configuration Examples	401
Defining Interface Range Macros	403
Define the Interface Range	403

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1,000
1,001
1,002
1,003
1,004
1,005
1,006
1,007
1,008
1,009
1,010
1,011
1,012
1,013
1,014
1,015
1,016
1,017
1,018
1,019
1,020
1,021
1,022
1,023
1,024
1,025
1,026
1,027
1,028
1,029
1,030
1,031
1,032
1,033
1,034
1,035
1,036
1,037
1,038
1,039
1,040
1,041
1,042
1,043
1,044
1,045
1,046
1,047
1,048
1,049
1,050
1,051
1,052
1,053
1,054
1,055
1,056
1,057
1,058
1,059
1,060
1,061
1,062
1,063
1,064
1,065
1,066
1,067
1,068
1,069
1,070
1,071
1,072
1,073
1,074
1,075
1,076
1,077
1,078
1,079
1,080
1,081
1,082
1,083
1,084
1,085
1,086
1,087
1,088
1,089
1,090
1,091
1,092
1,093
1,094
1,095
1,096
1,097
1,098
1,099
1,100
1,101
1,102
1,103
1,104

Match case Limit results 1 per page

Certain TACACS+ servers do not authenticate the device if you use the

aaa authorization commands

level

default local

tacacs+

command. To resolve the issue, use the

aaa authorization commands

level

default tacacs+ local

command.

Protection from TCP Tiny and Overlapping Fragment

Attacks

Tiny and overlapping fragment attack is a class of attack where

conﬁgured

ACL entries — denying TCP

port-speciﬁc

traﬃc

— is bypassed

and

traﬃc

is sent to its destination although denied by the ACL.

RFC 1858 and 3128 proposes a countermeasure to the problem. This countermeasure is

conﬁgured

into the line cards and enabled by

default.

Enabling SCP and SSH

Secure shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. Dell Networking OS

is compatible with SSH versions 1.5 and 2, in both the client and server modes. SSH sessions are encrypted and use authentication. SSH is

enabled by default.

For details about the command syntax, refer to the

Security

chapter in the

Dell Networking OS Command Line Interface Reference Guide

Dell Networking OS SCP, which is a remote

ﬁle

copy program that works with SSH.

NOTE:

The Windows-based WinSCP client software is not supported for secure copying between a PC and a Dell Networking

OS-based system. Unix-based SCP client software is supported.

To use the SSH client, use the following command.

•

Open an SSH connection and specify the hostname, username, port number,encryption cipher,HMAC algorithm and version of the SSH

client.

EXEC Privilege mode

ssh {

hostname

} [-l

username

| -p

port-number

| -v {1 | 2}| -c encryption cipher | -m HMAC

algorithm

hostname

is the IP address or host name of the remote device. Enter an IPv4 or IPv6 address in dotted decimal format (A.B.C.D).

•

SSH V2 is enabled by default on all the modes.

•

Display SSH connection information.

EXEC Privilege mode

show ip ssh

Specifying an SSH Version

The following example uses the

ip ssh server version 2

command to enable SSH version 2 and the

show ip ssh

command to

conﬁrm

the setting.

Dell(conf)#ip ssh server version 2

Dell(conf)#do show ip ssh

SSH server

: enabled.

SSH server version

: v2.

SSH server vrf

: default.

SSH server ciphers

: 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-

ctr,aes256-ctr.

SSH server macs

: hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-

sha2-256-96.

SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-

sha1,diffie-hellman-group14-sha1.

Password Authentication

: enabled.

Hostbased Authentication

: disabled.

RSA

Authentication

: disabled.

Vty

Encryption

HMAC

Remote IP

Dell(conf)#

786

Security