Dell SmartFabric OS10 and SmartFabric Services Security Configuration Guide June 2023

Firewall settings

This section provides various configuration procedures to harden the switch.

Access rules

Configure secure access rules.

Enable only SSH for remote system access

By default, in OS10, SSH is the only protocol that is enabled for remote system access. As the Telnet protocol is not secure, Dell Technologies recommends that you do not enable the Telnet server.

NOTE: If you have disabled the SSH server, re-enable it and disable the Telnet server. Always use SSH for remote system access.
OS10(config)# ip ssh server enable
OS10(config)# ip ssh server max-auth-tries 4
OS10(config)# no ip telnet server enable
OS10(config)# exit
OS10# write memory

Enable SSH access control

Filter SSH connections to the switch using an access list.

OS10(config)# ip access-list permit10
OS10(config-ipv4-acl)# permit ip 172.16.0.0 255.255.0.0 any
OS10(config-ipv4-acl)# exit
OS10(config)# line vty
OS10(config-line-vty)# ip access-class permit10
OS10(config-line-vty)# exit
OS10(config)# exit
OS10# write memory

Configure EXEC session timeout

By default, there is no EXEC timeout configured. To prevent unauthorized access to the EXEC mode, configure a timeout interval.

OS10(config)# exec-timeout timeout-value
OS10(config)# exit
OS10# write memory

timeout-value—Specify the number of seconds of inactivity on the system before disconnecting the current session (0 to 3600).

Limit concurrent login sessions

To avoid an unlimited number of active sessions on a switch for the same user ID, limit the number of console and remote connections.

OS10(config)# login concurrent-session limit-number
OS10(config)# exit
OS10# write memory

limit-number—Specify the number of concurrent sessions that any user can have on the console or virtual terminal lines (1 to 12).

Ensure user lockout

Configure the system to prevent the user from logging in to the system for a specific time after a specified number of failed login attempts.

OS10(config)# password-attributes max-retry number lockout-period minutes
OS10(config)# exit
OS10# write memory
  • max-retry number—(Optional) Sets the maximum number of consecutive failed login attempts for a user before the user is locked out, from 0 to 16.
  • lockout-period minutes—(Optional) Sets the amount of time that a user ID is prevented from accessing the system after exceeding the maximum number of failed login attempts, from 0 to 43,200.

Enable login statistics

Enable login statistics to view user login information, including the number of successful and failed logins, role changes, and the last time a user logged in; this information is displayed after a successful login. After enabling login statistics, use the show login statistics {all | user} command to view user login information.

OS10(config)# login-statistics enable
OS10(config)# exit
OS10# write memory
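The access-rule settings above can be checked offline against a saved running-config. The following audit script is an added example, not part of this guide or of OS10 itself; the sample config is constructed, and it assumes that a missing exec-timeout or a value of 0 means idle sessions never expire.

```python
import re

# Constructed sample running-config excerpt (not captured from a real switch);
# the settings it checks are the ones this guide's "Access rules" section hardens.
SAMPLE_CONFIG = """\
ip ssh server enable
ip ssh server max-auth-tries 4
ip telnet server enable
exec-timeout 0
login concurrent-session 4
login-statistics enable
ip access-list permit10
 seq 10 permit ip 172.16.0.0 255.255.0.0 any
line vty
 ip access-class permit10
"""

def _argument(lines, prefix):
    """Return the text after the first command starting with prefix, or None if absent."""
    for ln in lines:
        if ln == prefix or ln.startswith(prefix + " "):
            return ln[len(prefix):].strip()
    return None

def audit_access_rules(config):
    """Return one finding per access-rule setting that is not hardened."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "ip ssh server enable" not in lines:
        findings.append("SSH server disabled: run 'ip ssh server enable'")
    if "ip telnet server enable" in lines:
        findings.append("Telnet server enabled: run 'no ip telnet server enable'")
    timeout = _argument(lines, "exec-timeout")
    # Assumption: a missing exec-timeout, or a value of 0, means idle sessions never expire.
    if timeout is None or not re.fullmatch(r"[1-9]\d*", timeout):
        findings.append("EXEC timeout not set: run 'exec-timeout <1-3600>'")
    if _argument(lines, "login concurrent-session") is None:
        findings.append("no session limit: run 'login concurrent-session <1-12>'")
    if "max-retry" not in (_argument(lines, "password-attributes") or ""):
        findings.append("no lockout: run 'password-attributes max-retry <n> lockout-period <m>'")
    if "login-statistics enable" not in lines:
        findings.append("login statistics off: run 'login-statistics enable'")
    if _argument(lines, "ip access-class") is None:
        findings.append("vty lines open to any source: apply 'ip access-class <acl>' under 'line vty'")
    return findings

if __name__ == "__main__":
    for finding in audit_access_rules(SAMPLE_CONFIG):
        print("FINDING:", finding)
```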

Loopback rules

Loopback interfaces are virtual interfaces; unlike physical interfaces, they do not go down unless they are manually removed. This property provides security and consistency for device identification, and stability.

Configure a loopback interface

Configure a loopback interface that multiple system services can use.

OS10(config)# interface loopback 0
OS10(config)# exit
OS10# write memory

Remove multiple loopback interfaces

Ensure that there is not more than one loopback interface configured.

OS10(config)# no interface loopback loopback-instance
OS10(config)# exit
OS10# write memory

Bind AAA services to a loopback interface

AAA services are bound to a loopback interface so that the AAA services are not interrupted.

OS10(config)# ip tacacs source-interface loopback 0
OS10(config)# exit
OS10# write memory

Bind the NTP service to a loopback interface

The NTP service is bound to a loopback interface so that the NTP service is not interrupted.

OS10(config)# ntp source loopback 0
OS10(config)# exit
OS10# write memory

Restrict access to the CPU

Use control-plane ACLs to selectively restrict packets that are destined to the CPU, hence preventing flooding and DoS attacks.

OS10# configure terminal
OS10(config)# control-plane
OS10(config-control-plane)# ip access-group acl_name in
OS10(config-control-plane)# end
OS10# write memory
NOTE: Define the necessary ACL rules before applying the ACL to the control plane.

Data plane rules

The data plane is part of the network that carries user traffic. Data plane rules include services and settings that affect user data. Apply these rules on border-filtering devices that connect internal networks to external networks, such as the Internet.

Forbid private source addresses from external networks

Private IP addresses are meant to be used in internal networks, such as the networks that connect workstations, printers, the DMZ, and so on. These addresses are not routed on the Internet, which uses public IP addresses. A private source address arriving from the Internet is most likely spoofed and indicates an attack. Configure ACL rules to deny any traffic from the external network whose source address should reside on the internal network, and apply them on the interfaces that connect to an external network.

CAUTION: Verify that multicast is not in use before blocking an address range.
OS10(config)# ip access-list deny-private-external
OS10(config-ipv4-acl)# deny ip source-ip-address mask any log
OS10(config-ipv4-acl)# end
OS10# write memory
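The deny entries above take one source range and dotted mask each, so a script that derives them from the RFC 1918 blocks (plus loopback) avoids hand-typing masks. This generator is an added example, not from this guide or from OS10; the interface and ACL name are placeholders, and the trailing permit assumes the ACL otherwise ends with an implicit deny, as the outbound ACL in the next section relies on.

```python
import ipaddress

# RFC 1918 private ranges plus the loopback block. The guide's ACL syntax takes a
# dotted subnet mask ('deny ip <source> <mask> any log'), so each CIDR is converted.
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]

def deny_private_external_acl(interface="ethernet 1/1/1", name="deny-private-external",
                              ranges=PRIVATE_RANGES):
    """Return the OS10 CLI lines that build the ACL and apply it inbound on the external interface."""
    lines = [f"ip access-list {name}"]
    for cidr in ranges:
        net = ipaddress.ip_network(cidr, strict=True)
        lines.append(f" deny ip {net.network_address} {net.netmask} any log")
    # Assumption: the ACL ends with an implicit deny (the guide's outbound ACL relies on it),
    # so an explicit permit is appended to let legitimate external traffic through.
    lines.append(" permit ip any any")
    lines += [f"interface {interface}", f" ip access-group {name} in"]
    return lines

def denied_by_acl(src_ip, ranges=PRIVATE_RANGES):
    """True if a packet with this source address matches one of the deny entries."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in ranges)

if __name__ == "__main__":
    print("\n".join(deny_private_external_acl()))
    for src in ("192.168.1.20", "203.0.113.7"):
        print(src, "denied" if denied_by_acl(src) else "permitted")
```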

Forbid external source addresses on outbound traffic

Ensure that the outbound traffic carries only valid internal addresses of the IP address range of your organization.

OS10(config)# ip access-list deny-source-external
OS10(config-ipv4-acl)# permit ip internal-ip-address mask any
OS10(config-ipv4-acl)# exit
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip access-group deny-source-external in
OS10(conf-if-eth1/1/1)# end
OS10# write memory

Port security

Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control MAC address movement. Port security is a package of the following sub features that provide added security to the system:

  1. MAC address learning limit (MLL)
  2. Sticky MAC
  3. MAC address movement control

Configure the MAC address learning limit

Using the MAC address learning limit method, you can set an upper limit on the number of allowed MAC addresses on an interface. Limiting the MAC addresses protects switches from MAC address flooding attacks. After the configured limit is reached on an interface, by default, the system drops all traffic from any unknown device. After you enable port security on an interface, the interface can learn one secure MAC address by default. This limit is applicable for both secure dynamic and secure static MAC addresses.

  1. Enable port security on the system in CONFIGURATION mode.
    OS10(config)# switchport port-security
  2. Enable port security on an interface in INTERFACE mode. This enters INTERFACE PORT SECURITY mode, where the feature is turned on with no disable.
    OS10(config-if-eth1/1/1)# switchport port-security
    OS10(config-if-port-sec)# no disable
  3. Configure the number of secure MAC addresses that an interface can learn in INTERFACE PORT SECURITY mode:
    mac-learn {limit | no-limit}

    For the limit keyword, the range is from 0 to 3072. To enable the interface to learn the maximum number of MAC addresses that the hardware supports, use the no-limit keyword.

MAC address learning limit example

OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# end
OS10# write memory

Configure MAC address learning limit violation actions

After the number of secure MAC addresses reaches the maximum configured, if an interface receives a frame with the source MAC address different from any of the learned MAC addresses, the system considers this as a MAC address learning limit violation.

Use the following commands in INTERFACE PORT SECURITY mode:

  • To display which MAC address causes a violation, use the log option. The system also drops the packet.
    OS10(config-if-port-sec)# mac-learn limit violation log
  • To drop the packet when a MAC address learning limit violation occurs, use the drop option.
    OS10(config-if-port-sec)# mac-learn limit violation drop
  • To forward the packet when a MAC address learning limit violation occurs, use the forward option. The system does not learn the MAC address.
    OS10(config-if-port-sec)# mac-learn limit violation forward
  • To shut down an interface on a MAC address learning limit violation, use the shutdown option.
    OS10(config-if-port-sec)# mac-learn limit violation shutdown

MAC address learning limit violation actions configuration example

OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# mac-learn limit violation shutdown
OS10(config-if-port-sec)# end
OS10# write memory

Configure sticky MAC addresses

When you reload the system, port security removes the dynamically learned secure MAC addresses. You can use the sticky feature to make the dynamically learned secure MAC addresses persist even after a system reboot so that the interface does not have to learn these MAC addresses again.

Enter the following command in INTERFACE PORT SECURITY mode:

sticky
NOTE: Before enabling sticky MAC address learning, ensure that you restrict the number of MAC addresses that an interface can learn using the mac-learn limit command.

Sticky MAC addresses configuration example

OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# sticky
OS10(config-if-port-sec)# end
OS10# write memory

MAC address movement

A MAC address movement happens when the system detects the same MAC address on an interface that it has already learned through another port-security-enabled interface in the same broadcast domain. MAC address movement is not allowed for secure static and sticky MAC addresses. By default, MAC address movement for dynamically learned MAC addresses is disabled on the system. Secure dynamic MAC address movement is allowed between port-security-enabled and port-security-disabled interfaces.

Use the following command in INTERFACE PORT SECURITY mode:

OS10(config-if-port-sec)# mac-move allow
OS10(config-if-port-sec)# end
OS10# write memory

MAC address movement configuration example

OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# mac-move allow
OS10(config-if-port-sec)# end
OS10# write memory

Configure MAC address movement violation actions

If the system detects the same MAC address in a port-security-enabled interface which it has already learned through another port-security-enabled interface, by default, the system considers this as a MAC address move violation. You can configure MAC address move violation actions. You can also configure the system to permit MAC address movement across port security-enabled interfaces.

  • To display which MAC address causes a violation, use the log option. The system also drops the packet.
    OS10(config-if-port-sec)# mac-move violation log
  • To drop the packet when a MAC address movement violation occurs, use the drop option.
    OS10(config-if-port-sec)# mac-move violation drop
  • To shut down the original interface that learned the MAC address on a MAC movement violation, use the shutdown-original option.
    OS10(config-if-port-sec)# mac-move violation shutdown-original
  • To shut down the interface that detected a MAC address that is already learned by another interface, use the shutdown-offending option.
    OS10(config-if-port-sec)# mac-move violation shutdown-offending
  • To shut down both the original and the offending interfaces, use the shutdown-both option.
    OS10(config-if-port-sec)# mac-move violation shutdown-both

Verify what port security features are enabled and running

Use the following command to verify whether port security is enabled on all interfaces. This command also shows the status of the port security features. Specify an interface to view details for that interface.

OS10# show switchport port-security interface ethernet 1/1/1
Global Port-security status       : Enabled

Interface name                    : ethernet1/1/1

Port Security                     : Enabled
Port Status                       : Up
Mac learn limit                   : 100
MAC-learn-limit-Violation action  : Log
Sticky                            : Disabled
Mac-move-allow                    : Not Allowed
Mac-move-violation action         : shutdown-both
Aging                             : Enabled
Total MAC Addresses               : 10
Secure static MAC Addresses       : 0
Sticky MAC Addresses              : 10
Secure Dynamic MAC addresses      : 0
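When this output is collected from many interfaces, the fields worth checking are the ones the sections above configure: the learn limit, whether the learned count has reached it, and whether sticky is off while secure dynamic addresses are held (those are lost on reload). The parser and audit below are an added example, not from this guide or from OS10; the sample output is constructed in the layout shown above.

```python
# Constructed sample output in the layout this guide shows for
# 'show switchport port-security interface ethernet 1/1/1'.
SAMPLE_OUTPUT = """\
Global Port-security status       : Enabled

Interface name                    : ethernet1/1/1

Port Security                     : Enabled
Port Status                       : Up
Mac learn limit                   : 100
MAC-learn-limit-Violation action  : Log
Sticky                            : Disabled
Mac-move-allow                    : Not Allowed
Mac-move-violation action         : shutdown-both
Aging                             : Enabled
Total MAC Addresses               : 100
Secure static MAC Addresses       : 0
Sticky MAC Addresses              : 0
Secure Dynamic MAC addresses      : 100
"""

def parse_port_security(text):
    """Turn each 'Key : Value' line into a dict entry; blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def audit_port_security(fields):
    """Return findings a reviewer applying this guide's port-security section would raise."""
    findings = []
    name = fields.get("Interface name", "?")
    if fields.get("Global Port-security status") != "Enabled":
        findings.append("port security is disabled globally")
    if fields.get("Port Security") != "Enabled":
        findings.append(f"{name}: port security is disabled")
    limit = fields.get("Mac learn limit", "")
    if not limit.isdigit():
        findings.append(f"{name}: no MAC learn limit; the interface is open to MAC flooding")
    elif int(fields.get("Total MAC Addresses", "0")) >= int(limit):
        findings.append(f"{name}: learned MAC count has reached the limit of {limit}; check for MAC flooding")
    if fields.get("Sticky") == "Disabled" and int(fields.get("Secure Dynamic MAC addresses", "0")) > 0:
        findings.append(f"{name}: sticky is disabled, so dynamically learned secure MACs are lost on reload")
    return findings

if __name__ == "__main__":
    for finding in audit_port_security(parse_port_security(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
```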
