Blade ICE manual Switch User Accounts, Radius Attributes for G8000 user privileges

Page 29

RackSwitch G8000 Application Guide

Switch User Accounts

The user accounts listed in Table 1-1can be defined in the RADIUS server dictionary file.

Table 1-1User Access Levels

User Account

Description and Tasks Performed

Password

 

 

 

User

The User has no direct responsibility for switch management.

user

 

He/she can view all switch status information and statistics but

 

 

cannot make any configuration changes to the switch.

 

 

 

 

Operator

The Operator manages all functions of the switch. The Operator

oper

 

can reset ports.

 

 

 

 

Administrator

The super-user Administrator has complete access to all com-

admin

 

mands, information, and configuration commands on the switch,

 

 

including the ability to change both the user and operator pass-

 

 

words.

 

 

 

 

RADIUS Attributes for G8000 user privileges

When the user logs in, the switch authenticates his/her level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server.

If the remote user is successfully authenticated by the authentication server, the switch will verify the privileges of the remote user and authorize the appropriate access. The administrator has an option to allow secure backdoor access via Telnet/SSH. Secure backdoor provides switch access when the RADIUS servers cannot be reached.

NOTE To obtain the RADIUS backdoor password for your G8000, contact Technical Support.

All user privileges, other than those assigned to the Administrator, have to be defined in the RADIUS dictionary. RADIUS attribute 6 which is built into all RADIUS servers defines the administrator. The file name of the dictionary is RADIUS vendor-dependent. The following RADIUS attributes are defined for G8000 user privileges levels:

Table 1-2Blade OS-proprietary Attributes for RADIUS

User Name/Access

User-Service-Type

Value

 

 

 

User

Vendor-supplied

255

 

 

 

Operator

Vendor-supplied

252

 

 

 

Admin

Vendor-supplied

6

 

 

 

BMD00041, November 2008

Chapter 1: Accessing the Switch „ 29

Page 28 Page 30
Image 29
Page 28 Page 30
Contents Application Guide RackSwitch G8000 Application Guide Contents Ports and Trunking Quality of Service Appendix a Troubleshooting Figures RackSwitch G8000 Application Guide Tables RackSwitch G8000 Application Guide Who Should Use This Guide PrefaceWhat You’ll Find in This Guide Typographic Conventions Typographic ConventionsHow to Get Help Accessing the Switch Configure the default gateway. Enable the gateway Configuring an IP InterfaceLog on to the switch Enter IP interface mode Using Telnet Configuring BBI access via Https Using the Browser-Based InterfaceConfiguring BBI access via Http RS G8000 config# access https import-certificate Default configuration Using SnmpSnmp v1 SnmpPrivacy-password User configuration22 „ Accessing the Switch SNMPv2 trap host configuration Configuring Snmp Trap HostsConfigure an entry in the notify table SNMPv1 trap hostSNMPv3 trap host configuration Securing Access to the Switch How Radius authentication works Radius Authentication and AuthorizationConfigure the Radius secret and enable the feature Configuring RadiusRadius authentication features in Blade OS Radius Attributes for G8000 user privileges Switch User AccountsHow TACACS+ authentication works TACACS+ AuthenticationAuthorization TACACS+ authentication features in Blade OSAccounting Command authorization and loggingConfigure the TACACS+ secret and second secret Configuring TACACS+ AuthenticationSSH encryption of management messages Configuring SSH features on the switchSecure Shell SSH Integration with RADIUS/TACACS+ Authentication Generating RSA Host and Server Keys for SSH accessUser Access Control End User Access ControlConsiderations for configuring End User Accounts Logging into an End User account Listing current UsersRackSwitch G8000 Application Guide 38 „ Accessing the Switch Port-based Network Access Control Extensible Authentication Protocol over LAN Port Unauthorized 802.1X authentication processEAPoL message exchange „ Unauthorized 802.1X port states„ Authorized „ Force UnauthorizedSupport for Radius Attributes Supported Radius attributesConfiguration guidelines BMD00041, November VLANs Overview Viewing VLANs VLANs and Port Vlan ID NumbersVlan numbers Pvid numbers Viewing and Configuring PVIDsVlan Tagging 1Default Vlan settings 2Port-based Vlan assignment 4802.1Q tag assignment Vlan Topologies and Design Considerations Vlan configuration rulesComponent Description Multiple VLANs with Tagging AdaptersVlan Configure the VLANs and their member ports Vlan configuration exampleEnable tagging on uplink ports that support multiple VLANs Private Vlan ports Private VLANsSelect a Vlan and define the Private Vlan type as primary Configuration exampleVerify the configuration Configure a secondary Vlan and map it to the primary VlanRackSwitch G8000 Application Guide 62 „ VLANs Ports and Trunking Statistical load distribution Built-In fault toleranceStatic trunk group configuration rules Before you configure static trunks66 „ Ports and Trunking Follow these steps on the G8000 Port Trunking ExampleExamine the trunking information on each switch Repeat the process on the other switch„ Source IP SIP + Destination IP DIP Configurable Trunk Hash AlgorithmLink Aggregation Control Protocol Admin keyRS G8000 # show lacp information Set the Lacp mode Lacp configuration guidelinesConfiguring Lacp Spanning Tree 1Ports, Trunk Groups, and VLANs Determining the Path for Forwarding BPDUs Bridge Protocol Data Units BPDUsChanging the Spanning Tree mode Spanning Tree Group configuration guidelinesAssigning a Vlan to a Spanning Tree Group Adding and removing ports from STGs Creating a VlanRules for Vlan Tagged ports RackSwitch G8000 Application Guide Port state changes Rapid Spanning Tree ProtocolPort Type and Link Type Rstp configuration guidelinesEdge Port Link TypeConfigure Rapid Spanning Tree Rstp configuration examplePer Vlan Rapid Spanning Tree Default Spanning Tree configuration1Two VLANs on one Spanning Tree Group Why do we need multiple Spanning Trees?Set the Spanning-tree mode to PVRST+ Pvrst configuration guidelinesConfiguring Pvrst Common Internal Spanning Tree Multiple Spanning Tree ProtocolMstp Region Mstp configuration guidelines Passing Vlan Blocking Vlan Configure Multiple Spanning Tree Protocol Configuring Multiple Spanning Tree Groups90 „ Spanning Tree Fast Uplink Convergence Configuring Fast Uplink ConvergenceRackSwitch G8000 Application Guide 92 „ Spanning Tree Quality of Service COS MAC Extended ACLs Using ACL FiltersIP Extended ACLs IP Standard ACLs1Well-known protocol types Assigning ACLs to a port Understanding ACL priorityViewing ACL statistics Use the following command to view ACL statisticsConfigure an Access Control List ACL configuration examplesExample Assign the ACL to port100.10.1.0 Add the ACL to a port Add the ACL to portConfigure a MAC ACL to deny all other traffic Configure IP ACLs to deny all other trafficAssign the ACLs to a port Broadcast storms Using Storm Control FiltersConfiguring storm control Differentiated Services Concepts Using Dscp Values to Provide QoSRackSwitch G8000 Application Guide Drop Class Precedence Per Hop BehaviorQoS Levels Default QoS Service LevelsDSCP-to-802.1p mapping Use the following command to perform DSCP-to-802.1p mapping3Layer 2 802.1q/802.1p Vlan tagged packet Using 802.1p Priority to Provide QoSQueuing and Scheduling 802.1p configuration exampleConfigure a port’s default 802.1p priority value to Overview Remote MonitoringEnable Rmon on a port Configuring Rmon statisticsConfigure the Rmon statistics on a port Rmon group 1-StatisticsHistory MIB Object ID Rmon group 2-HistoryConfiguring Rmon History Rmon group 3-AlarmsConfigure the Rmon History parameters for a port View Rmon History for the portConfiguring Rmon Alarms Alarm MIB objectsConfigure the Rmon Alarm parameters to track Icmp messages Configure Rmon eventsConfigure the Rmon event parameters Rmon group 9-EventsBasic IP Routing IP Routing Benefits 1The Router Legacy Network Routing Between IP Subnets122 „ Basic IP Routing Example of Subnet Routing 2Switch-Based Routing Topology1Subnet Routing Example IP Address Assignments Using VLANs to segregate Broadcast Domains3Subnet Routing Example Optional Vlan Ports Add the switch ports to their respective VLANsAssign a Vlan to each IP interface Configure the default gateway to the routers’ addressesEnable IP routing Dynamic Host Configuration Protocol RackSwitch G8000 Application Guide 128 „ Basic IP Routing Igmp Igmp Snooping IGMPv3 Snooping FastLeaveConfigure Igmp Snooping Igmp Snooping configuration exampleEnable IGMPv3 Snooping optional Add VLANs to Igmp SnoopingRS G8000# show ip igmp groups View dynamic Igmp informationStatic Multicast Router Configure a Static Multicast RouterHigh Availability 1Uplink Failure Detection example Uplink Failure DetectionFailure Detection Pair Spanning Tree Protocol with UFD Configuration guidelinesTurn on Uplink Failure Detection UFD Configuring UFDMonitoring UFD Troubleshooting Figure A-1Monitoring Ports Monitoring PortsEnable port mirroring Configuring Port MirroringView the current configuration Port Mirroring behaviorBMD00041, November Numerics IndexIgmp TACACS+
Related manuals
Manual 28 pages 31.53 Kb
Top Page Image Contents