Blade ICE G8000 manual Secure Shell, Configuring SSH features on the switch

Page 34

RackSwitch G8000 Application Guide

Secure Shell

Secure Shell (SSH) use secure tunnels to encrypt and secure messages between a remote administrator and the switch. Telnet does not provide this level of security. The Telnet method of managing a G8000 does not provide a secure connection.

SSH is a protocol that enables remote administrators to log securely into the G8000 over a net- work to execute management commands.

The benefits of using SSH are listed below:

Authentication of remote administrators

Identifying the administrator using Name/Password

Authorization of remote administrators

Determining the permitted actions and customizing service for individual administrators

Encryption of management messages

Encrypting messages between the remote administrator and switch

Secure copy support

The Blade OS implementation of SSH supports both versions 1.0 and 2.0 and supports SSH client versions 1.5 - 2.x.

Configuring SSH features on the switch

Before you can use SSH commands, use the following commands to turn on SSH.

SSH is disabled by default.

Use the following command to enable SSH:

RS G8000 (config)# ssh enable

SSH encryption of management messages

The following encryption and authentication methods are supported for SSH:

Server Host Authentication:	Client RSA authenticates the switch at the beginning of
	every connection
Key Exchange:	RSA
Encryption:	3DES-CBC, DES
User Authentication:	Local password authentication

34 Chapter 1: Accessing the Switch

BMD00041, November 2008

Image 34

Contents Application Guide RackSwitch G8000 Application Guide Contents Ports and Trunking Quality of Service Appendix a Troubleshooting Figures RackSwitch G8000 Application Guide Tables RackSwitch G8000 Application Guide Preface Who Should Use This GuideWhat You’ll Find in This Guide Typographic Conventions Typographic ConventionsHow to Get Help Accessing the Switch Log on to the switch Enter IP interface mode Configuring an IP InterfaceConfigure the default gateway. Enable the gateway Using Telnet Configuring BBI access via Http Using the Browser-Based InterfaceConfiguring BBI access via Https RS G8000 config# access https import-certificate Snmp v1 Using SnmpDefault configuration SnmpUser configuration Privacy-password22 „ Accessing the Switch Configure an entry in the notify table Configuring Snmp Trap HostsSNMPv2 trap host configuration SNMPv1 trap hostSNMPv3 trap host configuration Securing Access to the Switch Radius Authentication and Authorization How Radius authentication worksConfiguring Radius Configure the Radius secret and enable the featureRadius authentication features in Blade OS Switch User Accounts Radius Attributes for G8000 user privilegesTACACS+ Authentication How TACACS+ authentication worksTACACS+ authentication features in Blade OS AuthorizationCommand authorization and logging AccountingConfiguring TACACS+ Authentication Configure the TACACS+ secret and second secretSecure Shell Configuring SSH features on the switchSSH encryption of management messages Generating RSA Host and Server Keys for SSH access SSH Integration with RADIUS/TACACS+ AuthenticationConsiderations for configuring End User Accounts End User Access ControlUser Access Control Listing current Users Logging into an End User accountRackSwitch G8000 Application Guide 38 „ Accessing the Switch Port-based Network Access Control Extensible Authentication Protocol over LAN 802.1X authentication process Port UnauthorizedEAPoL message exchange „ Authorized 802.1X port states„ Unauthorized „ Force UnauthorizedSupported Radius attributes Support for Radius AttributesConfiguration guidelines BMD00041, November VLANs Overview Vlan numbers VLANs and Port Vlan ID NumbersViewing VLANs Viewing and Configuring PVIDs Pvid numbersVlan Tagging 1Default Vlan settings 2Port-based Vlan assignment 4802.1Q tag assignment Vlan configuration rules Vlan Topologies and Design ConsiderationsMultiple VLANs with Tagging Adapters Component DescriptionVlan Enable tagging on uplink ports that support multiple VLANs Vlan configuration exampleConfigure the VLANs and their member ports Private VLANs Private Vlan portsConfiguration example Select a Vlan and define the Private Vlan type as primaryConfigure a secondary Vlan and map it to the primary Vlan Verify the configurationRackSwitch G8000 Application Guide 62 „ VLANs Ports and Trunking Built-In fault tolerance Statistical load distributionBefore you configure static trunks Static trunk group configuration rules66 „ Ports and Trunking Port Trunking Example Follow these steps on the G8000Repeat the process on the other switch Examine the trunking information on each switchConfigurable Trunk Hash Algorithm „ Source IP SIP + Destination IP DIPAdmin key Link Aggregation Control ProtocolRS G8000 # show lacp information Configuring Lacp Lacp configuration guidelinesSet the Lacp mode Spanning Tree 1Ports, Trunk Groups, and VLANs Bridge Protocol Data Units BPDUs Determining the Path for Forwarding BPDUsSpanning Tree Group configuration guidelines Changing the Spanning Tree modeAssigning a Vlan to a Spanning Tree Group Rules for Vlan Tagged ports Creating a VlanAdding and removing ports from STGs RackSwitch G8000 Application Guide Rapid Spanning Tree Protocol Port state changesEdge Port Rstp configuration guidelinesPort Type and Link Type Link TypeRstp configuration example Configure Rapid Spanning TreeDefault Spanning Tree configuration Per Vlan Rapid Spanning TreeWhy do we need multiple Spanning Trees? 1Two VLANs on one Spanning Tree GroupConfiguring Pvrst Pvrst configuration guidelinesSet the Spanning-tree mode to PVRST+ Mstp Region Multiple Spanning Tree ProtocolCommon Internal Spanning Tree Mstp configuration guidelines Passing Vlan Blocking Vlan Configuring Multiple Spanning Tree Groups Configure Multiple Spanning Tree Protocol90 „ Spanning Tree Configuring Fast Uplink Convergence Fast Uplink ConvergenceRackSwitch G8000 Application Guide 92 „ Spanning Tree Quality of Service COS Using ACL Filters MAC Extended ACLsIP Standard ACLs IP Extended ACLs1Well-known protocol types Understanding ACL priority Assigning ACLs to a portUse the following command to view ACL statistics Viewing ACL statisticsExample ACL configuration examplesConfigure an Access Control List Assign the ACL to port100.10.1.0 Add the ACL to port Add the ACL to a portConfigure IP ACLs to deny all other traffic Configure a MAC ACL to deny all other trafficAssign the ACLs to a port Configuring storm control Using Storm Control FiltersBroadcast storms Using Dscp Values to Provide QoS Differentiated Services ConceptsRackSwitch G8000 Application Guide Per Hop Behavior Drop Class PrecedenceDefault QoS Service Levels QoS LevelsUse the following command to perform DSCP-to-802.1p mapping DSCP-to-802.1p mappingUsing 802.1p Priority to Provide QoS 3Layer 2 802.1q/802.1p Vlan tagged packetConfigure a port’s default 802.1p priority value to 802.1p configuration exampleQueuing and Scheduling Remote Monitoring OverviewConfigure the Rmon statistics on a port Configuring Rmon statisticsEnable Rmon on a port Rmon group 1-StatisticsRmon group 2-History History MIB Object IDConfigure the Rmon History parameters for a port Rmon group 3-AlarmsConfiguring Rmon History View Rmon History for the portAlarm MIB objects Configuring Rmon AlarmsConfigure the Rmon event parameters Configure Rmon eventsConfigure the Rmon Alarm parameters to track Icmp messages Rmon group 9-EventsBasic IP Routing IP Routing Benefits Routing Between IP Subnets 1The Router Legacy Network122 „ Basic IP Routing 2Switch-Based Routing Topology Example of Subnet RoutingUsing VLANs to segregate Broadcast Domains 1Subnet Routing Example IP Address AssignmentsAdd the switch ports to their respective VLANs 3Subnet Routing Example Optional Vlan PortsEnable IP routing Configure the default gateway to the routers’ addressesAssign a Vlan to each IP interface Dynamic Host Configuration Protocol RackSwitch G8000 Application Guide 128 „ Basic IP Routing Igmp Igmp Snooping FastLeave IGMPv3 SnoopingEnable IGMPv3 Snooping optional Igmp Snooping configuration exampleConfigure Igmp Snooping Add VLANs to Igmp SnoopingView dynamic Igmp information RS G8000# show ip igmp groupsConfigure a Static Multicast Router Static Multicast RouterHigh Availability Uplink Failure Detection 1Uplink Failure Detection exampleSpanning Tree Protocol with UFD Configuration guidelines Failure Detection PairMonitoring UFD Configuring UFDTurn on Uplink Failure Detection UFD Troubleshooting Monitoring Ports Figure A-1Monitoring PortsView the current configuration Configuring Port MirroringEnable port mirroring Port Mirroring behaviorBMD00041, November Index NumericsIgmp TACACS+

Related manuals

Manual 28 pages 31.53 Kb