Alcatel-Lucent 9000, 6800, 6850 user manual Authenticated Switch Access, Authenticated VLANs

Page 18

Software Supported

Authenticated Switch Access

Authenticated Switch Access (ASA) is a way of authenticating users who want to manage the switch. With authenticated access, all switch login attempts using the console or modem port, Telnet, FTP, SNMP, or HTTP require authentication via the local user database or via a third-party server. The type of server may be an authentication-only mechanism or an authentication, authorization, and accounting (AAA) mechanism.

AAA servers are able to provide authorization for switch management users as well as authentication. (They also may be used for accounting.) User login information and user privileges may be stored on the servers. In addition to the Remote Authentication Dial-In User Service (RADIUS) and Lightweight Directory Access Protocol (LDAP) servers, using a Terminal Access Controller Access Control System (TACACS+) server is now supported with the 6.1.3.R01 release.

Authentication-only servers are able to authenticate users for switch management access, but authorization (or what privileges the user has after authenticating) is determined by the switch. Authentication-only servers cannot return user privileges to the switch. The authentication-only server supported by the switch is ACE/Server, which is a part of RSA Security's SecurID product suite. RSA Security's ACE/Agent is embedded in the switch.

By default, switch management users may be authenticated through the console port via the local user database. If external servers are configured for other management interfaces but the servers become unavailable, the switch will poll the local user database for login information if the switch is configured for local checking of the user database. The database includes information about whether or not a user is able to log into the switch and what kinds of privileges or rights the user has for managing the switch.

Authenticated VLANs

Authenticated VLANs control user access to network resources based on VLAN assignment and a user log-in process; the process is sometimes called user authentication or Layer 2 Authentication. (Another type of security is device authentication, which is set up through the use of port-binding VLAN policies or static port assignment.) The number of possible AVLAN users is 1048.

Layer 2 Authentication is different from Authenticated Switch Access, which is used to grant individual users access to manage the switch.

Mac OS X 10.3.x is supported for AVLAN web authentication using JVM-v1.4.2.

Automatic VLAN Containment (AVC)

In an 802.1s Multiple Spanning Tree (MST) configuration, it is possible for a port that belongs to a VLAN, which is not a member of an instance, to become the root port for that instance. This can cause a topology change that could lead to a loss of connectivity between VLANs/switches. Enabling Automatic VLAN Containment (AVC) helps to prevent this from happening by making such a port an undesirable choice for the root.

When AVC is enabled, it identifies undesirable ports and automatically configures them with an infinite path cost value.

Balancing VLANs across links according to their Multiple Spanning Tree Instance (MSTI) grouping is highly recommended to ensure that there is not a loss of connectivity during any possible topology changes. Enabling AVC on the switch is another way to prevent undesirable ports from becoming the root for an MSTI.
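The following is an added model of the AVC behaviour described above, not Alcatel-Lucent code: a port whose VLANs are not mapped to the MSTI being evaluated is treated as undesirable and, with AVC enabled, is given an infinite path cost so it loses the root-port election. The port names, VLAN mapping and costs are constructed, and the reading of "undesirable" as "carries no VLAN of the instance" is an assumption.

```python
"""Model of Automatic VLAN Containment (AVC) in root-port election.

Constructed example, not Alcatel-Lucent code. Port/VLAN data and the
reading of "undesirable port" are assumptions for illustration.
"""
from dataclasses import dataclass

INFINITE_COST = float("inf")


@dataclass(frozen=True)
class Port:
    name: str
    vlans: frozenset  # VLAN IDs the port carries
    path_cost: int    # configured STP path cost


def avc_effective_costs(ports, msti_vlans, avc_enabled):
    """Return {port_name: cost} used when electing the root port for one MSTI.

    msti_vlans: VLAN IDs mapped to the instance being evaluated.
    A port carrying none of those VLANs is 'undesirable' (assumed reading):
    with AVC on it gets an infinite cost, with AVC off its own cost is kept.
    """
    costs = {}
    for p in ports:
        undesirable = not (p.vlans & msti_vlans)
        costs[p.name] = INFINITE_COST if (avc_enabled and undesirable) else p.path_cost
    return costs


def elect_root_port(ports, msti_vlans, avc_enabled):
    """Lowest effective cost wins; ties broken by name as a stand-in for port ID."""
    costs = avc_effective_costs(ports, msti_vlans, avc_enabled)
    return min(costs, key=lambda name: (costs[name], name))


# Constructed topology: MSTI 1 maps VLANs 10 and 20. Port 1/3 carries only
# VLAN 30 yet has the cheapest cost, so without AVC it would become root port.
PORTS = [
    Port("1/1", frozenset({10}), path_cost=20000),
    Port("1/2", frozenset({20}), path_cost=20000),
    Port("1/3", frozenset({30}), path_cost=2000),
]
MSTI1_VLANS = {10, 20}

if __name__ == "__main__":
    print("AVC off:", elect_root_port(PORTS, MSTI1_VLANS, avc_enabled=False))  # 1/3
    print("AVC on: ", elect_root_port(PORTS, MSTI1_VLANS, avc_enabled=True))   # 1/1
```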


OmniSwitch 6800/6850/9000—Release 6.1.3.R01
