Blade ICE G8000 manual Command authorization and logging, Accounting

Page 32

RackSwitch G8000 Application Guide

If the remote user is successfully authenticated by the authentication server, the switch verifies the privileges of the remote user and authorizes the appropriate access. The adminis- trator has an option to allow secure backdoor access via Telnet/SSH. Secure

backdoor provide switch access when the TACACS+ servers cannot be reached.

NOTE – To obtain the TACACS+ backdoor password for your G8000, contact

Technical Support.

Accounting

Accounting is the action of recording a user's activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If the authentication and authorization is not performed via TACACS+, there are no TACACS+ accounting mes- sages sent out.

You can use TACACS+ to record and track software logins, configuration changes, and inter- active commands.

The G8000 supports the following TACACS+ accounting attributes:

protocol (console/Telnet/SSH/HTTP/HTTPS)

start_time

stop_time

elapsed_time

disc_cause

NOTE – When using the Browser-Based Interface, the TACACS+ Accounting Stop records are sent only if the Logout button on the browser is clicked.

Command authorization and logging

When TACACS+ Command Authorization is enabled, Blade OS configuration commands are sent to the TACACS+ server for authorization. Use the following command to enable TACACS+ Command Authorization:

RS G8000 (config)# tacacs-server command-authorization

32 Chapter 1: Accessing the Switch

BMD00041, November 2008

Image 32

Contents Application Guide RackSwitch G8000 Application Guide Contents Ports and Trunking Quality of Service Appendix a Troubleshooting Figures RackSwitch G8000 Application Guide Tables RackSwitch G8000 Application Guide Preface Who Should Use This GuideWhat You’ll Find in This Guide Typographic Conventions Typographic ConventionsHow to Get Help Accessing the Switch Configure the default gateway. Enable the gateway Configuring an IP InterfaceLog on to the switch Enter IP interface mode Using Telnet Configuring BBI access via Https Using the Browser-Based InterfaceConfiguring BBI access via Http RS G8000 config# access https import-certificate Using Snmp Default configurationSnmp v1 SnmpUser configuration Privacy-password22 „ Accessing the Switch Configuring Snmp Trap Hosts SNMPv2 trap host configurationConfigure an entry in the notify table SNMPv1 trap hostSNMPv3 trap host configuration Securing Access to the Switch Radius Authentication and Authorization How Radius authentication worksConfiguring Radius Configure the Radius secret and enable the featureRadius authentication features in Blade OS Switch User Accounts Radius Attributes for G8000 user privilegesTACACS+ Authentication How TACACS+ authentication worksTACACS+ authentication features in Blade OS AuthorizationCommand authorization and logging AccountingConfiguring TACACS+ Authentication Configure the TACACS+ secret and second secretSSH encryption of management messages Configuring SSH features on the switchSecure Shell Generating RSA Host and Server Keys for SSH access SSH Integration with RADIUS/TACACS+ AuthenticationUser Access Control End User Access ControlConsiderations for configuring End User Accounts Listing current Users Logging into an End User accountRackSwitch G8000 Application Guide 38 „ Accessing the Switch Port-based Network Access Control Extensible Authentication Protocol over LAN 802.1X authentication process Port UnauthorizedEAPoL message exchange 802.1X port states „ Unauthorized„ Authorized „ Force UnauthorizedSupported Radius attributes Support for Radius AttributesConfiguration guidelines BMD00041, November VLANs Overview Viewing VLANs VLANs and Port Vlan ID NumbersVlan numbers Viewing and Configuring PVIDs Pvid numbersVlan Tagging 1Default Vlan settings 2Port-based Vlan assignment 4802.1Q tag assignment Vlan configuration rules Vlan Topologies and Design ConsiderationsMultiple VLANs with Tagging Adapters Component DescriptionVlan Configure the VLANs and their member ports Vlan configuration exampleEnable tagging on uplink ports that support multiple VLANs Private VLANs Private Vlan portsConfiguration example Select a Vlan and define the Private Vlan type as primaryConfigure a secondary Vlan and map it to the primary Vlan Verify the configurationRackSwitch G8000 Application Guide 62 „ VLANs Ports and Trunking Built-In fault tolerance Statistical load distributionBefore you configure static trunks Static trunk group configuration rules66 „ Ports and Trunking Port Trunking Example Follow these steps on the G8000Repeat the process on the other switch Examine the trunking information on each switchConfigurable Trunk Hash Algorithm „ Source IP SIP + Destination IP DIPAdmin key Link Aggregation Control ProtocolRS G8000 # show lacp information Set the Lacp mode Lacp configuration guidelinesConfiguring Lacp Spanning Tree 1Ports, Trunk Groups, and VLANs Bridge Protocol Data Units BPDUs Determining the Path for Forwarding BPDUsSpanning Tree Group configuration guidelines Changing the Spanning Tree modeAssigning a Vlan to a Spanning Tree Group Adding and removing ports from STGs Creating a VlanRules for Vlan Tagged ports RackSwitch G8000 Application Guide Rapid Spanning Tree Protocol Port state changesRstp configuration guidelines Port Type and Link TypeEdge Port Link TypeRstp configuration example Configure Rapid Spanning TreeDefault Spanning Tree configuration Per Vlan Rapid Spanning TreeWhy do we need multiple Spanning Trees? 1Two VLANs on one Spanning Tree GroupSet the Spanning-tree mode to PVRST+ Pvrst configuration guidelinesConfiguring Pvrst Common Internal Spanning Tree Multiple Spanning Tree ProtocolMstp Region Mstp configuration guidelines Passing Vlan Blocking Vlan Configuring Multiple Spanning Tree Groups Configure Multiple Spanning Tree Protocol90 „ Spanning Tree Configuring Fast Uplink Convergence Fast Uplink ConvergenceRackSwitch G8000 Application Guide 92 „ Spanning Tree Quality of Service COS Using ACL Filters MAC Extended ACLsIP Standard ACLs IP Extended ACLs1Well-known protocol types Understanding ACL priority Assigning ACLs to a portUse the following command to view ACL statistics Viewing ACL statisticsACL configuration examples Configure an Access Control ListExample Assign the ACL to port100.10.1.0 Add the ACL to port Add the ACL to a portConfigure IP ACLs to deny all other traffic Configure a MAC ACL to deny all other trafficAssign the ACLs to a port Broadcast storms Using Storm Control FiltersConfiguring storm control Using Dscp Values to Provide QoS Differentiated Services ConceptsRackSwitch G8000 Application Guide Per Hop Behavior Drop Class PrecedenceDefault QoS Service Levels QoS LevelsUse the following command to perform DSCP-to-802.1p mapping DSCP-to-802.1p mappingUsing 802.1p Priority to Provide QoS 3Layer 2 802.1q/802.1p Vlan tagged packetQueuing and Scheduling 802.1p configuration exampleConfigure a port’s default 802.1p priority value to Remote Monitoring OverviewConfiguring Rmon statistics Enable Rmon on a portConfigure the Rmon statistics on a port Rmon group 1-StatisticsRmon group 2-History History MIB Object IDRmon group 3-Alarms Configuring Rmon HistoryConfigure the Rmon History parameters for a port View Rmon History for the portAlarm MIB objects Configuring Rmon AlarmsConfigure Rmon events Configure the Rmon Alarm parameters to track Icmp messagesConfigure the Rmon event parameters Rmon group 9-EventsBasic IP Routing IP Routing Benefits Routing Between IP Subnets 1The Router Legacy Network122 „ Basic IP Routing 2Switch-Based Routing Topology Example of Subnet RoutingUsing VLANs to segregate Broadcast Domains 1Subnet Routing Example IP Address AssignmentsAdd the switch ports to their respective VLANs 3Subnet Routing Example Optional Vlan PortsAssign a Vlan to each IP interface Configure the default gateway to the routers’ addressesEnable IP routing Dynamic Host Configuration Protocol RackSwitch G8000 Application Guide 128 „ Basic IP Routing Igmp Igmp Snooping FastLeave IGMPv3 SnoopingIgmp Snooping configuration example Configure Igmp SnoopingEnable IGMPv3 Snooping optional Add VLANs to Igmp SnoopingView dynamic Igmp information RS G8000# show ip igmp groupsConfigure a Static Multicast Router Static Multicast RouterHigh Availability Uplink Failure Detection 1Uplink Failure Detection exampleSpanning Tree Protocol with UFD Configuration guidelines Failure Detection PairTurn on Uplink Failure Detection UFD Configuring UFDMonitoring UFD Troubleshooting Monitoring Ports Figure A-1Monitoring PortsConfiguring Port Mirroring Enable port mirroringView the current configuration Port Mirroring behaviorBMD00041, November Index NumericsIgmp TACACS+

Related manuals

Manual 28 pages 31.53 Kb